Information Technology Auditing, 4th Edition Solution Manual
CHAPTER 1 AUDITING AND INTERNAL CONTROL

REVIEW QUESTIONS

1. What is the purpose of an IT audit?
Response: The purpose of an IT audit is to provide an independent assessment of some technology- or systems-related object, such as proper IT implementation, or controls over computer resources. Because most modern accounting information systems use IT, IT plays a significant role in a financial (external) audit, where the purpose is to determine the fairness and accuracy of the financial statements.
2. Discuss the concept of independence within the context of a financial audit. How is independence different for internal auditors?
Response: The auditor cannot be an advocate of the client, but must independently attest to whether GAAP and other appropriate guidelines have been adequately met. Independence for internal auditors is different because they are employed by the organization, and cannot be as independent as the external auditor. Thus internal auditors must use professional judgment and independent minds in performing IA activities.
3. What are the conceptual phases of an audit? How do they differ between general auditing and IT auditing?
Response: The three conceptual phases of auditing are: i. audit planning, ii. tests of internal controls, and iii. substantive tests. Conceptually, no difference exists between IT auditing and general auditing. IT auditing is typically a subset of the overall audit; the portion that involves computer technology is the subset.
4. Distinguish between the internal and external auditors.
Response: External auditors represent the interests of third-party stakeholders in the organization, such as stockholders, creditors, and government agencies. External auditing is conducted by certified public accountants who are independent of the organization’s management. Internal auditors represent the interests of management. Internal auditing tasks include conducting financial audits, examining an operation’s compliance with legal obligations, evaluating operational efficiency, detecting and pursuing fraud within the firm, and conducting IT audits. External auditors also conduct IT audits as a subset of financial audits.
5. What are the four primary elements described in the definition of auditing?
Response:
a. auditing standards
b. systematic process
c. management assertions and audit objectives
d. obtaining evidence
6. Explain the concept of materiality.
Response: Materiality refers to the size of the effect of a transaction. From a cost-benefit point of view, a threshold is set above which the auditor is concerned with the correct recording and effects of transactions. Rather than using standard formulas, auditors use their professional judgment to determine materiality.

7. How does the Sarbanes-Oxley Act of 2002 affect management’s responsibility for internal controls?
Response: The Sarbanes-Oxley Act (S-OX) specifically holds management responsible for internal controls. S-OX requires an annual report on internal controls that is the responsibility of management; external auditors must attest to the integrity of the report. Management must assess the effectiveness of the internal control structure and procedures for financial reporting as of the end of the most recent fiscal year and identify any control weaknesses. An attestation by external auditors reports on management’s assessment statement.
8. What are the four broad objectives of internal control?
Response:
a. to safeguard the assets of the firm
b. to ensure the accuracy and reliability of accounting records and information
c. to promote efficiency in the firm’s operations
d. to measure compliance with management’s prescribed policies and procedures
9. What are the four modifying assumptions that guide designers and auditors of internal control systems?
Response: Management responsibility, reasonable assurance, methods of data processing, and limitations.
10. Give an example of a preventive control.
Response: Locked doors, passwords, and data-entry controls for each field (e.g., range checks).
11. Give an example of a detective control.
Response: A log of users, a comparison of computer totals with batch totals.
12. Give an example of a corrective control.
Response: Manual procedures to correct a batch that is not accepted because of an incorrect social security number. A clerical worker would need to investigate and determine either the correct hash total or the correct social security number that should be entered. A responsible party is then needed to read exception reports and follow up on anomalies.
13. What are the five internal control components described in the COSO framework?
Response:
a. Control Environment
b. Risk Assessment
c. Information and Communication
d. Monitoring
e. Control Activities
14. What are the six broad classes of control activities defined by COSO?
Response: The six broad classes of control activities defined by COSO are:
a. transaction authorization,
b. segregation of duties,
c. supervision,
d. accounting records,
e. access control, and
f. independent verification.

15. Give an example of independent verification.
Response:
a. the reconciliation of batch totals at periodic points during transaction processing
b. the comparison of physical assets with accounting records
c. the reconciliation of subsidiary accounts with control accounts
d. reviews by management of reports that summarize business activity
e. periodic audits by independent external auditors
f. periodic audits by internal auditors
16. Differentiate between general and application controls. Give two examples of each.
Response: General controls apply to a wide range of exposures that systematically threaten the integrity of all applications processed within the IT environment. Some examples of general controls would be controls against viruses and controls to protect the hardware from vandalism. Application controls are narrowly focused on risks within specific systems. Some examples of application controls would be a control to make sure that each employee receives only one paycheck per pay period and a control to ensure that each invoice gets paid only once.
17. Distinguish between tests of controls and substantive testing.
Response: The tests of controls phase involves determining whether internal controls are in place and whether they function properly. The substantive testing phase involves a detailed investigation of specific account balances and transactions.
18. Define audit risk.
Response: Audit risk is the probability that the auditor will render an unqualified (clean) opinion on financial statements that are, in fact, materially misstated.
19. Distinguish between errors and irregularities. Which do you think concern auditors the most?
Response: Errors are unintentional mistakes, whereas irregularities are intentional misrepresentations to perpetrate a fraud or mislead the users of financial statements. Errors are a concern if they are numerous or sizable enough to cause the financial statements to be materially misstated. All processes that involve human actions are highly susceptible to some amount of human error. Computer processes should contain errors only if the programs are erroneous, if systems operating procedures are not being closely and competently followed, or if some unusual system malfunction has corrupted data. Errors are typically much easier to uncover than misrepresentations. Thus auditors typically are more concerned about whether they have uncovered any and all irregularities. Also, due to SAS No. 99 and Sarbanes-Oxley, auditors are much more concerned with fraud (irregularities) than before.
20. Distinguish between inherent risk and control risk. How do internal controls affect inherent risk and control risk, if at all? What is the role of detection risk?
Response: Inherent risk is associated with the unique characteristics of the business or industry of the client. Firms in declining industries are considered to have more inherent risk than firms in stable or thriving industries. Auditors cannot reduce inherent risk, which is not affected by internal controls. Even in a system protected by excellent controls, financial data can be misstated. Control risk is the likelihood that the control structure is flawed because internal controls are either absent or inadequate to prevent or detect errors in the accounts. Auditors assess the level of control risk by performing tests of internal controls. Internal control does, however, directly impact control risk. The more effective the internal controls that are in place, the lower the level of assessed control risk. Detection risk is the risk that auditors are willing to take that errors not detected or prevented by the control structure will also not be detected by the auditors. Typically, detection risk will be lower for firms with higher inherent risk and control risk.

21. What is the relationship between tests of controls and substantive tests?
Response: The relationship between tests of controls and substantive tests is directly related to the auditor’s risk assessment. The stronger the internal controls, the less substantive testing the auditor must do.
22. SOX contains many sections. Which sections does this chapter focus on?
Response: This chapter concentrates on internal control and audit responsibilities pursuant to SOX Sections 302 and 404.
23. What control framework does the PCAOB recommend?
Response: The PCAOB recommends the use of COSO as the framework for control assessment.
24. COSO identifies two broad groupings of information system controls. What are they?
Response: The two broad groupings of information system controls identified by COSO are application controls and general controls.
25. What are the objectives of application controls?
Response: The objectives of application controls are to ensure the validity, completeness, and accuracy of financial transactions.
26. Give three examples of application controls.
Response: Examples include:
a. A cash disbursements batch-balancing routine that verifies that the total payments to vendors reconcile with the total postings to the accounts payable subsidiary ledger.
b. An accounts receivable check digit procedure that validates customer account numbers on sales transactions.
c. A payroll system limit check that identifies employee time card records with reported hours worked in excess of the predetermined normal limit.
27. Define general controls.
Response: General controls apply to all systems. They are not application specific. General controls include controls over IT governance, the IT infrastructure, security and access to operating systems and databases, application acquisition and development, and program changes.
28. What is the meaning of the term attest services?
Response: The attest service is an engagement in which a practitioner is engaged to issue a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party (SSAE No. 1, AT Sec. 100.01).
29. List four general control areas.
Response: The following are examples of general control areas:
a. IT governance controls,
b. Security (data management controls),
c. Security (operating system and network controls),
d. Systems development and program change controls.
DISCUSSION QUESTIONS

1. Discuss the differences between the attest function and advisory services.
Response: The attest service is defined as an engagement in which a practitioner is engaged to issue, or does issue, a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party. The following requirements apply to attestation services:
• Attestation services require written assertions and a practitioner’s written report.
• Attestation services require the formal establishment of measurement criteria or their description in the presentation.
• The levels of service in attestation engagements are limited to examination, review, and application of agreed-upon procedures.
Advisory services are professional services offered by public accounting firms to improve their client organizations’ operational efficiency and effectiveness. The domain of advisory services is intentionally unbounded so that it does not inhibit the growth of future services that are currently unforeseen. As examples, advisory services include actuarial advice, business advice, fraud investigation services, information system design and implementation, and internal control assessments for compliance with SOX.
2. A CPA firm has many clients. For some of its clients, it relies very heavily on the work of the internal auditors, while for others it does not. The amount of reliance affects the fees charged. How can the CPA firm justify the apparent inconsistency of fees charged in a competitive marketplace?
Response: The CPA firm’s reliance on the work of the internal auditors depends on the structure of the organization and to whom the internal auditors report. If they do not report directly to the board of directors, then their positions may be compromised. Further, the quality and type of work conducted by the internal auditors will affect the external auditors’ reliance.
3. Accounting firms are very concerned that their employees have excellent communication skills, both oral and written. Explain why this requirement is so important by giving examples of where these skills would be necessary in each of the three phases of an audit.
Response: During the planning phase of an audit, oral communication skills are used in interviews. Written communication skills are needed for recording the results of interviews and during observation and systems documentation reviews. In the tests of controls and substantive testing phases, oral communication skills are important when working with the client’s employees. Written communication skills are then vital in summarizing the results of tests.

4. Explain the audit objectives of existence or occurrence, completeness, rights and obligations, valuation or allocation, and presentation and disclosure.
Response:
• The existence or occurrence assertion affirms that all assets and equities contained in the balance sheet exist and that all transactions in the income statement actually occurred.
• The completeness assertion declares that no material assets, equities, or transactions have been omitted from the financial statements.
• The rights and obligations assertion maintains that assets appearing on the balance sheet are owned by the entity and that the liabilities reported are obligations.
• The valuation or allocation assertion states that assets and equities are valued in accordance with generally accepted accounting principles and that allocated amounts such as depreciation expense are calculated on a systematic and rational basis.
• The presentation and disclosure assertion alleges that financial statement items are correctly classified (e.g., long-term liabilities will not mature within one year) and that footnote disclosures are adequate to avoid misleading the users of financial statements.

5. How has the Foreign Corrupt Practices Act of 1977 had a significant impact on organization management?
Response: The FCPA of 1977 requires that all companies registered with the Securities and Exchange Commission maintain an appropriate system of internal controls. Internal controls typically directly impact the organizational structure and segregation of functions.
6. Discuss the concept of exposure and explain why firms may tolerate some exposure.
Response: An exposure is the absence or weakness of an internal control. Sometimes cost-benefit analysis may indicate that the additional benefits of an internal control procedure may not exceed the costs. Thus, the firm may decide to tolerate some control risk associated with a particular exposure.
7. If detective controls signal errors, why shouldn’t they automatically make a correction to the identified error? Why are separate corrective controls necessary?
Response: For any detected error, more than one feasible corrective solution may exist, and the best course of action may not always be obvious. Thus, linking an automatic response to a detective control may worsen a problem by applying an inappropriate corrective action.
8. Most accounting firms allow married employees to work for the firm. However, they do not allow an employee to remain working for them if he or she marries an employee of one of their auditing clients. Why do you think this policy exists?
Response: The accounting firm must retain its independence from its clients. The auditor must not have the opportunity to collude, in any fashion, with any employees of its client. Having one spouse working for the client and the other working for the accounting firm would compromise the independence of the accounting firm.
9. Discuss whether a firm with fewer employees than there are incompatible tasks should rely more heavily on general authority than specific authority.
Response: Small firms with fewer employees than there are incompatible tasks should rely more heavily on specific authority. More approvals of decisions by management and increased supervision should be imposed in order to compensate somewhat for the lack of separation of duties.
10. An organization’s internal audit department is usually considered to be an effective control mechanism for evaluating the organization’s internal structure. The Birch Company’s internal auditing function reports directly to the controller. Comment on the effectiveness of this organizational structure.
Response: Having the internal auditing function report to the controller is unacceptable. If the controller is aware of or involved in a fraud or defalcation, then he/she may give false or inaccurate information to the auditors. The possibility that the auditors may lose their jobs if they do not keep certain matters quiet also exists. Further, the fraud may be occurring at a level higher than the controller, and the controller may fear losing his/her job if the matter is pursued. The best route is to have the internal auditing function report directly to the audit committee.
11. According to COSO, the proper segregation of functions is an effective internal control procedure. Comment on the exposure (if any) caused by combining the tasks of paycheck preparation and distribution to employees.
Response: If a payroll employee were to prepare a paycheck for a nonexistent employee (perhaps under an alias or in the name of a relative), which is known as “ghost employee” fraud, and this employee also has the task of distributing the checks, then no one would be the wiser. On the other hand, if the checks go directly to another person, who then distributes the paychecks, the extra check should be discovered.
12. Discuss the key features of Section 302 of SOX.
Response: Section 302 requires that corporate management (including the CEO) certify quarterly and annually their organization’s internal controls over financial reporting. The certifying officers are required to:
a. have designed internal controls, and
b. disclose any material changes in the company’s internal controls that have occurred during the most recent fiscal quarter.
13. Discuss the key features of Section 404 of SOX.
Response: Section 404 requires the management of public companies to assess the effectiveness of their organization’s internal controls over financial reporting and provide an annual report addressing the following points:
a. a statement of management’s responsibility for establishing and maintaining adequate internal control,
b. an assessment of the effectiveness of the company’s internal controls over financial reporting,
c. a statement that the organization’s external auditors have issued an attestation report on management’s assessment of the company’s internal controls,
d. an explicit written conclusion as to the effectiveness of internal control over financial reporting, and
e. a statement identifying the framework used by management to conduct their assessment of internal controls.
14. Section 404 requires management to make a statement identifying the control framework used to conduct its assessment of internal controls. Discuss the options in selecting a control framework.
Response: The SEC has made specific reference to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as a recommended control framework. Furthermore, the PCAOB’s Auditing Standard No. 5 endorses the use of COSO as the framework for control assessment. Although other suitable frameworks have been published, according to Standard No. 5, any framework used should encompass all of COSO’s general themes.

15. Explain how general controls impact transaction integrity and the financial reporting process.
Response: Consider an organization with poor database security controls. In such a situation, even data processed by systems with adequate built-in application controls may be at risk. An individual who can circumvent database security may then change, steal, or corrupt stored transaction data. Thus, general controls are needed to ensure accurate financial reporting.
16. Prior to SOX, external auditors were required to be familiar with the client organization’s internal controls, but not test them. Explain.
Response: Prior to SOX, auditors had the option of not relying on internal controls in the conduct of an audit and therefore did not need to test them. Instead, auditors could focus primarily on substantive tests. Under SOX, management is required to make specific assertions regarding the effectiveness of internal controls. To attest to the validity of these assertions, auditors are required to test the controls.
17. Does a qualified opinion on management’s assessment of internal controls over the financial reporting system necessitate a qualified opinion on the financial statements? Explain.
Response: No. Auditors are permitted to simultaneously render a qualified opinion on management’s assessment of internal controls and render an unqualified opinion on the financial statements. Therefore, it is technically possible for auditors to determine that internal controls over financial reporting are weak, but conclude through substantive tests that the weaknesses do not cause the financial statements to be materially misrepresented.
18. The PCAOB Standard No. 5 specifically requires auditors to understand transaction flows in designing their tests of controls. What steps does this entail?
Response: In order to be in compliance with PCAOB Standard No. 5, auditors must do the following:
a. select the financial accounts that have material implications for financial reporting,
b. identify the application controls related to those accounts, and
c. identify the general controls that support the application controls.
19. What fraud detection responsibilities (if any) does SOX impose on auditors?
Response: Standard No. 2 places new responsibility on auditors to detect fraudulent activity. The standard emphasizes the importance of controls designed to prevent or detect fraud that could lead to material misstatement of the financial statements. Management is responsible for implementing such controls, and auditors are expressly required to test them.
MULTIPLE CHOICE QUESTIONS

1. d
2. b
3. a
4. d
5. c
6. a
7. a
8. b
9. b
10. a
PROBLEMS

1. Segregation of Functions
Comment on the specific risks (if any) that are caused by the following combinations of tasks.
a. A sales manager, who works on commission based on gross sales, approves credit and has the authority to write off uncollectible accounts.
b. The warehouse clerk, who has custodial responsibility over inventory in the warehouse, updates the inventory subsidiary ledger and prepares an inventory summary for the general ledger department.
c. The billing clerk bills customers and records sales in the sales journal.
d. The shop foreman approves and submits time cards to timekeeping and distributes paychecks to employees.
e. The accounting clerk posts to individual accounts receivable subsidiary accounts and performs the reconciliation of the subsidiary ledger and the general ledger control account.
Response:
a. This situation is in violation because the sales manager has the power of credit authorization as well as accounts receivable record keeping. The potential risk is that the manager may approve credit to a friend’s or relative’s business and then write off the account as bad.
b. This situation is in violation because the warehouse clerk has custodial responsibility as well as record keeping responsibility. The potential risk is that the clerk may steal inventory and use his record keeping authority to adjust the inventory records to hide the theft.
c. No risks result from combining these tasks. The billing clerk is responsible for recording sales in the sales journal after the goods have been shipped to the customer.
d. This situation is in violation because the foreman has authority to authorize time cards and also has asset custody (the employee paycheck). The potential risk is that the supervisor may submit a false time card for a terminated or non-existent employee and then keep the paycheck that results.
e. This situation is in violation because the accounting clerk both records transactions and verifies the accuracy of the recording. The purpose of reconciliation is to verify that the two sets of records are equivalent. The risk is that the accounting clerk may conceal errors or cover up balances that do not agree because of embezzlement of funds.
2. Segregation of Duties
Explain why each of the following combinations of tasks should, or should not, be separated to achieve adequate internal control.
a. Recording cash receipts in the journal and posting to the accounts receivable subsidiary ledger.
b. Preparation of accounts payable and distribution of payroll checks to employees (paymaster).
c. Posting of amounts from both the cash receipts and the cash disbursements journals to the general ledger.
d. Distribution of payroll checks to employees and approval of time cards.
e. Approval of bad debt write-offs and the reconciliation of the accounts payable subsidiary ledger and the general ledger control account.
Response:
a. These two tasks need to be separated because the individual has asset custody and recordkeeping responsibility.
b. These two tasks do not need to be separated because they are independent of one another. AP clerks do not prepare payroll checks.
c. In neither case does the employee have access to the assets; therefore no danger exists.
d. These tasks should be separated. The potential risk is that the individual may submit a false time card for a terminated or non-existent employee and then keep the paycheck that results.
e. These tasks need not be separated because they are independent tasks.
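The reasoning behind Problems 1 and 2 reduces to one rule: a person must not combine authorization, custody, recording, or verification functions over the same transaction cycle. The following checker is an added example (not from the solution manual) that encodes that rule and runs it over constructed encodings of the ten cases; the cycle labels and the tagging of each task (including reading the cash-receipts recorder in 2a as also holding the cash, as the response does) are assumptions.

```python
"""Segregation-of-duties conflict check for the task combinations in Problems 1 and 2.

Each task is tagged with the control function(s) it exercises and the transaction
cycle it touches. Two tasks held by one person conflict when they pair incompatible
functions over the same cycle; tasks in independent cycles are not an exposure.
"""
from dataclasses import dataclass
from enum import Enum
from itertools import combinations
from typing import FrozenSet, List, Tuple


class Function(Enum):
    AUTHORIZATION = "authorization"
    CUSTODY = "custody"
    RECORDING = "recording"
    VERIFICATION = "verification"


@dataclass(frozen=True)
class Task:
    name: str
    cycle: str                        # assumed labels: "revenue", "payroll", "inventory", ...
    functions: FrozenSet[Function]


# Function pairs that one person must not hold over the same cycle.
INCOMPATIBLE = {
    frozenset({Function.AUTHORIZATION, Function.CUSTODY}),
    frozenset({Function.AUTHORIZATION, Function.RECORDING}),
    frozenset({Function.CUSTODY, Function.RECORDING}),
    frozenset({Function.RECORDING, Function.VERIFICATION}),
}


def conflicts(tasks: List[Task]) -> List[Tuple[str, str, str]]:
    """Return (task, task, reason) for every incompatible pairing among one person's duties."""
    found = []
    for a, b in combinations(tasks, 2):
        if a.cycle != b.cycle:        # independent cycles (Problem 2b, 2e): no exposure
            continue
        for fa in a.functions:
            for fb in b.functions:
                if frozenset({fa, fb}) in INCOMPATIBLE:
                    found.append((a.name, b.name, f"{fa.value}+{fb.value} over {a.cycle}"))
    return found


def violates(tasks: List[Task]) -> bool:
    """True when the combination of tasks should be separated."""
    return bool(conflicts(tasks))


def _t(name: str, cycle: str, *funcs: Function) -> Task:
    return Task(name, cycle, frozenset(funcs))


A, C, R, V = Function.AUTHORIZATION, Function.CUSTODY, Function.RECORDING, Function.VERIFICATION

# Constructed encodings of the ten cases; tags follow the solutions' reading of each task.
CASES = {
    "1a": [_t("approve credit", "revenue", A), _t("write off uncollectible accounts", "revenue", R)],
    "1b": [_t("warehouse custody", "inventory", C), _t("update inventory ledger", "inventory", R)],
    "1c": [_t("bill customers", "revenue", R), _t("record sales journal", "revenue", R)],
    "1d": [_t("approve time cards", "payroll", A), _t("distribute paychecks", "payroll", C)],
    "1e": [_t("post AR subsidiary", "revenue", R), _t("reconcile subsidiary to GL", "revenue", V)],
    # 2a: the response treats the cash-receipts recorder as also having custody of the cash.
    "2a": [_t("record cash receipts", "revenue", C, R), _t("post AR subsidiary", "revenue", R)],
    "2b": [_t("prepare accounts payable", "expenditure", R), _t("paymaster", "payroll", C)],
    "2c": [_t("post cash receipts to GL", "ledger", R), _t("post cash disbursements to GL", "ledger", R)],
    "2d": [_t("distribute paychecks", "payroll", C), _t("approve time cards", "payroll", A)],
    "2e": [_t("approve bad debt write-offs", "revenue", A), _t("reconcile AP subsidiary to GL", "expenditure", V)],
}


def evaluate_cases(cases=CASES) -> dict:
    """Map each case label to whether the combination violates segregation of duties."""
    return {label: violates(tasks) for label, tasks in cases.items()}


if __name__ == "__main__":
    for label, flagged in evaluate_cases().items():
        detail = "; ".join(reason for _, _, reason in conflicts(CASES[label]))
        print(f"{label}: {'VIOLATION' if flagged else 'ok'} {detail}")
```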
3. Role of Internal Audit Function
Nano Circuits Inc. is a publicly traded company that produces electronic control circuits, which are used in many products. In an effort to comply with SOX, Nano is in the process of establishing an in-house internal audit function, which previously had been outsourced. The company began this process by hiring a Director of Internal Audits. Nano Circuits’ CEO recently called a planning meeting to discuss the roles of key corporate participants regarding the implementation and maintenance of internal controls. Central to this decision is the organizational placement of the future internal audit function and to whom the new Director of Internal Audit should report. In addition, Nano Circuits considered the need to reconstitute its Board of Directors Audit Committee. Participants at the meeting included the company president, the chief financial officer, a member of the audit committee, a partner from Nano Circuits’ external audit firm, and the Director of Internal Audits. Expectations and concerns presented by the meeting participants are summarized below.
CEO: The CEO expressed concern that Nano Circuits complies with SOX and PCAOB requirements and recommendations. The internal audit function should strengthen the organization’s internal control system by developing control policies and procedures and by detecting violations of policies and procedures.
CFO: The CFO saw the role of the internal audit function as one that should be focused primarily on financial issues and therefore, the Director of Internal Audits should report to the CFO.
Audit committee member: The committee member felt strongly that the Audit Committee as currently constituted is appropriate and no changes need to be made. Although none of the committee members are trained accountants, they all have extensive industry experience, they have all been associated with Nano Circuits in various capacities for many years, and they are well qualified to fulfill their policy-oversight responsibilities.
External audit partner: The external audit partner pointed out that the internal audit function should be organized such that it supports a close working relationship with the external auditors. This would include monitoring internal control systems on a continuing basis to provide a body of evidence on which the external auditor can rely.
Director of Internal Audits: The Director of Internal Audits argued that the new IA function should focus more on operational auditing issues, but it also should play a role in the review of internal controls over financial reporting.
Required: a. Describe the role that each of the following areas has in the establishment, maintenance, and evaluation of internal control:
i. Management ii. External auditor iii. Internal audit b. To whom should the Director of Internal Audits report. Explain your answer. c. Comment on the audit committee member’s perspective as to the committee’s current composition. Response: a. i. SOX requires management of public companies to implement an adequate system of internal controls over their financial reporting process. This includes controls over transaction processing systems that feed data to the financial reporting systems. In addition, Section 404 of SOX requires the management of public companies to assess the effectiveness of their organization’s internal controls. This entails providing an annual report addressing the following points: 1. Understand the flow of transactions, including IT aspects, in sufficient detail to identify points at which a misstatement could arise. 2. Using a risk-based approach, assess both the design and operating effectiveness of selected internal controls related to material accounts. 3. Assess the potential for fraud in the system and evaluate the controls designed to prevent or detect fraud. 4. Evaluate and conclude on the adequacy of controls over the financial statement reporting process. 5. Evaluate entity-wide (general) controls that correspond to the components of the COSO framework.
ii. The external auditor reviews the organization’s control structure per the COSO internal control model. This includes the control environment, risk assessment, information and communications, monitoring, and control procedures. The auditor issues an opinion on control adequacy and identifies any material weaknesses in internal controls. iii. Internal auditors perform a wide range of activities on behalf of the organization, including conducting financial audits, examining an operation’s compliance with organizational policies, reviewing the organization’s compliance with legal obligations, evaluating operational efficiency, and detecting and pursuing fraud within the firm. For cost reduction and efficiency purposes internal auditors often cooperate with and assist external auditors in performing aspects of financial audits including tests of controls. For example, a team of internal auditors can perform tests of computer controls under the supervision of a single external auditor. b. The Director of Internal Audits should report to the Board of Directors Audit Committee. When an internal audit department reports directly to a department, the internal auditor’s independence is compromised, and the external auditor is prohibited by professional standards from relying on evidence provided by the internal auditors. In contrast, external auditors can rely in part on evidence gathered by internal audit departments that are organizationally independent and report to the board of directors’ audit committee. c. The audit committee probably needs to be reconstituted to be in compliance with SOX. The audit committee serves as an independent “check and balance” for the internal audit function and liaison with external auditors. The audit committee must be willing to challenge the internal auditors as well as management, when necessary. 
To be effective: • The audit committee should consist of people who are outsiders (not associated with the families of executive management, nor former officers, etc.). • With the advent of the Sarbanes-Oxley Act, at least one member of the audit committee must be a “financial expert.”
4.
Internal Auditor Independence Technical Solutions, Inc. is expanding and reorganizing its Internal Audit (IA) function. Currently the Director of Internal Audit, Sharon Kalafut, reports to the corporate controller, who receives and reviews all internal audit reports. Kalafut forwards copies of the internal audit reports to the audit committee of the board of directors and to the manager directly responsible for the function being audited. An issue of contention among the management team pertains to which department or function the Director of Internal Audits should report. Martin Stevens the CEO wants to ensure that Technical Solutions complies with the SOX and that the internal audit department is structured such that it strengthens the company’s internal control system. Also, an overarching objective for the reorganized audit function is that the external auditors are able to rely on the work performed by the internal audit department to a substantial degree. Arguments put forth by interested parties as to where the IA department should be organizationally located are presented below: • Chief Operations Officer (COO). John Sweeney, the COO of Technical
Solutions, believes that the Director of IA should report to him. Under this arrangement the IA staff members would be involved in the preparation of policy statements on internal control regarding safeguarding of assets and in the design of business processes. • Chief Information Officer (CIO). Larry Rich, the CIO, has pushed hard to have the IA function report to him and take on an active role in the design, installation, and initial operation of new computerized systems. IA staff would be primarily concerned with the design and implementation of internal accounting controls and would conduct the evaluation of these controls during the test runs and audits. • Corporate Controller. The controller, Linda Johnson, believes the IA group should remain within her functional area. Currently the IA staff performs a number of controller-related tasks. These include: • Internal auditors reconcile the bank statements of the corporation each month. The controller believes this strengthens the internal control function because the internal auditor is not involved in either the receipt or the disbursement of cash. • Internal auditors review the annual budget each year for relevance and reasonableness before the budget is approved. At the end of each month, the controller’s staff analyzes the variances from budget and prepares explanations of these variances. These variances and explanations are then reviewed by the internal audit staff. • Finally, the internal auditors make accounting entries for complex transactions when employees of the accounting department are not adequately trained to handle such transactions. The controller believes this gives an added measure of assurance to the accurate recording of such transactions. Required:
a. Define independence as it relates to the internal audit function.
b. For each of the proposed tasks to be performed by the IA function, explain whether Technical Solutions’ internal audit independence will be materially impaired. Consider each manager’s arguments independently.
c. To maintain independence, where should the Director of Internal Audits report? Explain your answer.
Response: a. Internal auditor independence implies no subordination of judgment to another and arises from an independent mental attitude that views events on a factual basis without influence from organizational units to which IA is subordinate. b.
i. The internal auditor’s independence is not impaired by the preparation of policy statements on internal control. The preparation of policy statements to guide others in the development and implementation of internal controls is a responsibility of the internal audit staff. ii. Auditor independence is impaired to the extent that the internal auditor is involved in the design and installation of computerized internal accounting controls being tested. Little confidence can be placed in audit findings issued by the individual who designed and installed the system being audited. iii. The internal auditor’s independence is impaired by reconciling bank statements.
To maintain independence, the auditor should not perform operational assignments that are included as part of the independent evaluation and verification of a proper system of internal control. Separation of duties must be maintained. iv. Objectivity is not impaired in the review of the budget for relevance and reasonableness if the internal auditor has no responsibility for establishing or implementing the budget. However, the review of variances and explanations would impair objectivity as this is an area that would normally be reviewed during an operational audit. v. The preparation of complex accounting transactions will materially impair the internal auditor’s objectivity by involving the auditor in day-to-day operations. c. The Director of Internal Audits should report to the Board of Directors Audit Committee. The independence and competence of the internal audit staff determine the extent to which external auditors may cooperate with and rely on work performed by internal auditors. When the internal audit department reports directly to a department, such as the controller, the internal auditor’s independence is compromised, and the external auditor is prohibited by professional standards from relying on evidence provided by the internal auditors. In contrast, external auditors can rely in part on evidence gathered by internal audit departments that are organizationally independent and report to the board of directors’ audit committee.
5.
Assessing Internal Control The following describes the cash receipts procedures for a medium-sized online and catalogue-based retailer. Customer payments come directly to the general mail room along with other mail items. The customer payments mail constitutes about 20 percent of the total mail received each day. The mailroom clerks sort through the mail, open the customer payment envelopes, remove the customer checks and remittance advices, and reconcile the two documents. The mailroom supervisor then sends the reconciled checks and remittance advices to the Accounts Receivable clerk, who posts the amounts received to the customer AR subsidiary ledger and the cash receipts journal from her computer terminal. The AR clerk then manually prepares a remittance list of all checks received, endorses the checks “for deposit only” and sends the checks and remittance list to the Treasurer. Finally, the clerk files the remittance advices in the AR department. Once the checks and remittance list arrive at the Treasury department, the treasurer reconciles the documents, and manually prepares three hard copies of the deposit slip. Next, he sends the checks and two copies of the deposit slip to the bank. Finally, he files the third copy of the deposit slip and the remittance list in the department. Required: a) Identify the internal control weaknesses in the cash receipts process. b) For each weakness, describe the associated risks. c) For each weakness provide a possible control activity.
Response: 1. a) Weakness: Mailroom clerks have access to checks and remittance advices. b) Risk: The mailroom clerks who open the mail could steal the check and destroy the remittance advice and thus leave no record of the transaction. c) Control: Mixing general mail and cash receipts mail in this way creates a chaotic environment that is difficult to control. The company should require the cash receipts to be sent to a separate PO Box, which could be a separate room or location. This smaller amount of similar mail can be better controlled through supervision. 2. a) Weakness: The AR clerk receives checks and remittance advices from the mailroom supervisor. b) Risk: The AR clerk has access to both assets and records. The clerk could steal the check and destroy the remittance advice to eliminate any record of the cash receipt. (See skimming in chapter 12 for details.) c) Control: A remittance list should be prepared in the mailroom to control the checks and remittance advices. Any loss or theft of checks after they are recorded on the remittance list would result in a discrepancy between the remittance list and the checks that are deposited in the bank. 3. a) Weakness: The AR clerk has responsibility for recording cash and updating the customer accounts. b) Risk: The clerk could engage in a lapping fraud. (See chapter 12 for details.) c) Control: Segregation of duties is needed to separate the tasks of recording accounts receivable and receiving cash receipts.
6.
Assessing Internal Control The following describes the cash disbursement procedures for a wholesale building supply company. When the accounts payable clerk receives the supplier’s invoice she records the purchase in the purchases journal, records the liability in the AP subsidiary ledger, and sets a due date based on the terms specified on the invoice. The clerk then updates the inventory control and accounts payable control accounts in the general ledger. The invoice is then filed in the department. Each day, the clerk visually searches the AP subsidiary ledger from her terminal for invoices that are due to be paid. From her computer terminal, the clerk prepares the check and records it in the check register. The negotiable portion of the check is mailed to the vendor and a check copy is filed. The clerk then closes the liability in the AP subsidiary ledger and updates the accounts payable control and cash accounts in the general ledger.
Required: a) Identify the internal control weaknesses in the cash disbursement process. b) For each weakness, describe the associated risks. c) For each weakness provide a possible control activity. Response: 1. a) Weakness: The clerk sets up a liability based solely on the vendor’s invoice. b) Risk: The company may be paying for things it did not order, did not receive, or is paying too high a price. c) Control: The clerk should perform a three-way match of the purchase order, receiving report, and invoice to verify that the liability is legitimate and correctly stated. 2. a) Weakness: The AP clerk authorizes the liability and writes the check to pay it. b) Risk: The clerk could create a false vendor, set up a liability, and disburse funds (see payments to fictitious vendors, chapter 12). c) Control: Segregation of duties between the tasks of authorizing a liability and check writing. 3. a) Weakness: The AP clerk has access to both the AP subsidiary ledger and the general ledger. b) Risk: Balancing general ledger control accounts with corresponding subsidiary ledgers can help detect certain types of errors and irregularities. This ability is lost when the same individual is responsible for updating both accounts. c) Control: Segregation of duties between the general ledger function and other accounting functions.
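The weaknesses in problems 5 and 6 are all instances of one pattern: a single person holds two duty classes (authorization, asset custody, record keeping) within the same process, or holds both sides of a reconciliation. That pattern can be checked mechanically against a role assignment. The following is an added example, not part of the solution manual or the textbook; the task catalogue, the process names, and the user-to-task assignments are constructed to mirror the two scenarios above, and the rule that conflicts are scoped to a single process is an assumption of this toy.

```python
from itertools import combinations
from typing import Dict, List, Set

# The three duty classes the chapter keeps apart: authorizing a transaction,
# holding custody of the asset, and keeping the records of it.
INCOMPATIBLE = {
    frozenset({"authorization", "custody"}),
    frozenset({"authorization", "recording"}),
    frozenset({"custody", "recording"}),
}

# Constructed task catalogue (hypothetical names): task -> (process, duty class).
TASKS = {
    "open_mail_remove_checks": ("cash_receipts", "custody"),
    "receive_checks_endorse": ("cash_receipts", "custody"),
    "prepare_deposit": ("cash_receipts", "custody"),
    "post_ar_subsidiary": ("cash_receipts", "recording"),
    "prepare_remittance_list": ("cash_receipts", "recording"),
    "set_up_liability": ("cash_disbursements", "authorization"),
    "write_check": ("cash_disbursements", "custody"),
    "update_ap_subsidiary": ("cash_disbursements", "recording"),
    "update_general_ledger": ("cash_disbursements", "recording"),
}

# Both of these are "recording", yet they must still be split: the control
# account is the independent check on the subsidiary ledger (weakness 3 of problem 6).
RECONCILIATION_PAIRS = {frozenset({"update_ap_subsidiary", "update_general_ledger"})}

# Constructed assignments matching the two scenarios as described.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "mailroom_clerk": {"open_mail_remove_checks"},
    "ar_clerk": {"receive_checks_endorse", "post_ar_subsidiary", "prepare_remittance_list"},
    "treasurer": {"prepare_deposit"},
    "ap_clerk": {"set_up_liability", "write_check", "update_ap_subsidiary", "update_general_ledger"},
}


def sod_violations(assignments: Dict[str, Set[str]]) -> List[dict]:
    """Return one finding per incompatible task pair held by the same user."""
    findings = []
    for user, tasks in sorted(assignments.items()):
        for task_a, task_b in combinations(sorted(tasks), 2):
            proc_a, duty_a = TASKS[task_a]
            proc_b, duty_b = TASKS[task_b]
            if proc_a != proc_b:
                continue  # assumption: only duties within one process combine into a cover-up
            if frozenset({duty_a, duty_b}) in INCOMPATIBLE:
                reason = f"{duty_a} + {duty_b}"
            elif frozenset({task_a, task_b}) in RECONCILIATION_PAIRS:
                reason = "both sides of a reconciliation"
            else:
                continue
            findings.append({"user": user, "process": proc_a, "tasks": (task_a, task_b), "reason": reason})
    return findings


FINDINGS = sod_violations(ASSIGNMENTS)

if __name__ == "__main__":
    for f in FINDINGS:
        print(f"{f['user']:15s} {f['process']:20s} {f['tasks'][0]} / {f['tasks'][1]}: {f['reason']}")
```

Running the block lists two findings for the AR clerk (custody of the checks combined with each recording task) and six for the AP clerk, which together cover every weakness listed in the two responses; the mailroom clerk and treasurer, who hold custody only, produce none. The same function can be rerun on a proposed reassignment to confirm it actually clears the conflicts before the reorganization is approved.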
7.
Evaluation of Controls Gaurav Mirchandaniis is the warehouse manager for a large office supply wholesaler. Mirchandaniis receives two copies of the customer sales order from the sales department. He selects the goods from the shelves and sends them and one copy of the sales order to the shipping department. He then files the second copy in a temporary file.
Mirchandaniis retrieves the sales orders from the temporary file and updates the inventory subsidiary ledger from a terminal in his office. At that time, he identifies items that have fallen to low levels, selects a supplier, and prepares three copies of a purchase order. One copy is sent to the supplier, one is sent to the accounts payable clerk, and one is filed in the warehouse. When the goods arrive from the supplier, Mirchandaniis reviews the attached packing slip, counts and inspects the goods, places them on the shelves, and updates the inventory ledger to reflect the receipt. He then prepares a receiving report and sends it to the accounts payable department. Required: a. Prepare a systems flowchart of the procedures previously described. b. Identify any control problems in the system. c. What sorts of fraud are possible in this system? Responses: a.
See following flowchart
b.
The following segregation of functions problems exist: 1. Mirchandaniis is the warehouse manager (asset custody) and is responsible for updating the inventory subsidiary ledger (record keeping). 2. Mirchandaniis determines what should be ordered (authorization) and places the order (transaction processing). c.
The following frauds could result from these control weaknesses: i. Kickback fraud—Since Mirchandaniis selects the supplier and also places the order, he could order inventory that is not needed or that is above market price from a supplier with whom he has a personal fraudulent arrangement. In exchange, the supplier pays a kickback to the warehouse manager. ii. Vendor fraud—Mirchandaniis authorizes, orders, and receives the goods; he could establish himself as a vendor and process fraudulent transactions. iii. Theft of inventory—Mirchandaniis can simply remove the assets from the warehouse, sell them, and adjust the inventory records. A reconciliation between the physical inventory on hand and the records would indicate no discrepancies.
8. Evaluation of Controls Matt Demko is the loading dock supervisor for a dry cement packaging company. His work crew is composed of unskilled workers who load large transport trucks with bags of cement, gravel, and sand. The work is hard, and the employee turnover rate is high. Employees record their attendance on separate time cards. Demko authorizes payroll payments each week by signing the time cards and submitting them to the payroll department. Payroll then prepares the paychecks and gives them to Demko, who distributes them to his work crew. Required: a. Prepare a systems flowchart of the procedures described here. b. Identify any control problems in the system. c. What sorts of fraud are possible in the system?
a.
b.
The following segregation of functions problem exists: Demko authorizes the transaction (signs and submits timecards) and has asset custody (he distributes the checks to employees).
c.
The following frauds could result from these control weaknesses: i. Kickback fraud—Demko permits employees to inflate the hours worked and approves payment. The employee then splits the excess pay with the supervisor as a kickback. ii. Nonexistent employee fraud—After an employee leaves the company, the supervisor continues to submit timecards for him. When the paychecks are distributed to Demko, he keeps the ones for the terminated employees and cashes them by forging their names.
CHAPTER 2 AUDITING IT GOVERNANCE CONTROLS REVIEW QUESTIONS 1.
What is IT governance? Response: IT governance is a relatively new subset of corporate governance that focuses on the management and assessment of strategic IT resources.
2.
What are the objectives of IT governance? Response: The key objectives of IT governance are to reduce risk and ensure that investments in IT resources add value to the corporation.
3.
What is distributed data processing? Response: Distributed data processing involves reorganizing the central IT function into small IT units that are placed under the control of end users. The IT units may be distributed according to business function, geographic location, or both. All or any of the IT functions may be distributed. The degree to which they are distributed will vary depending upon the philosophy and objectives of the organization’s management.
4.
What are the advantages and disadvantages of distributed data processing? Response: The advantages of DDP are: a. cost reductions b. improved cost control responsibility c. improved user satisfaction d. back up flexibility The disadvantages (risks) are: a. inefficient use of resources b. destruction of audit trails c. inadequate segregation of duties d. difficulty acquiring qualified professionals e. lack of standards
5.
What types of tasks become redundant in a distributed data processing system? Response: Autonomous systems development initiatives distributed throughout the firm can result in each user area reinventing the wheel rather than benefiting from the work of others. For example, application programs created by one user, which could be used with little or no change by others, will be redesigned from scratch rather than shared. Likewise, data common to many users may be recreated for each, resulting in a high level of data redundancy. This situation has implications for data accuracy and consistency.
6.
Explain why certain duties that are deemed incompatible in a manual system may be combined in a CBIS computer-based information system environment. Give an example. Response: The IT (CBIS) environment tends to consolidate activities. A single application may authorize, process, and record all aspects of a transaction. Thus, the focus of segregation control shifts from the operational level (transaction processing tasks
that computers now perform) to higher-level organizational relationships within the computer services function. 7.
What are the three primary CBIS functions that must be separated? Response: The three primary CBIS functions that must be separated are as follows: a. separate systems development from computer operations, b. separate the database administrator from other functions, and c. separate new systems development from maintenance.
8.
What exposures does data consolidation in a CBIS environment pose? Response: In a CBIS environment, data consolidation exposes the data to losses from natural and man-made disasters. Consolidation creates a single point of failure. The only way to back up a central computer site against disasters is to provide a second computer facility.
9.
What problems may occur as a result of combining applications programming and maintenance tasks into one position? Response: One problem that may occur is inadequate documentation. Documenting is not considered as interesting a task as designing, testing, and implementing a new system, thus a systems professional may move on to a new project rather than spend time documenting an almost complete project. Job security may be another reason a programmer may not fully document his or her work. Another problem that may occur is the increased potential for program fraud. If the original programmer generates fraudulent code during development, then this programmer, through maintenance procedures, may disable the code prior to audits. Thus, the programmer can continue to cover his or her tracks.
10.
Why is poor-quality systems documentation a prevalent problem? Response: Poor-quality systems documentation is a chronic IT problem and a significant challenge for many organizations seeking SOX compliance. At least two explanations are possible for this phenomenon. First, documenting systems is not as interesting as designing, testing, and implementing them. Systems professionals much prefer to move on to an exciting new project rather than document one just completed. The second possible reason for poor documentation is job security. When a system is poorly documented, it is difficult to interpret, test, and debug. Therefore, the programmer who understands the system (the one who coded it) maintains bargaining power and becomes relatively indispensable. When the programmer leaves the firm, however, a new programmer inherits maintenance responsibility for the undocumented system. Depending on its complexity, the transition period may be long and costly.
11.
What is RAID? Response: RAID (redundant arrays of independent disks) uses parallel disks that contain redundant elements of data and applications. If one disk fails, the lost data are automatically reconstructed from the redundant components stored on the other disks.
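The reconstruction the response describes is, for parity-based RAID, nothing more than XOR: the parity block of a stripe is the XOR of its data blocks, so any single missing block (data or parity) equals the XOR of the blocks that survive. The following is an added example, not code from the textbook or the solution manual; it models a RAID 5 style array with rotating parity in plain Python. Block size, disk count, the zero padding of the last stripe and the sample payload are assumptions of this toy, and real arrays also checksum blocks, which this one does not.

```python
from typing import List, Optional

BLOCK = 4  # bytes per block; tiny so the stripes are easy to inspect (assumption for this toy)


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length blocks together. With single parity this is both the
    parity computation and the reconstruction of any one lost block."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)


def write_raid5(data: bytes, n_disks: int, block: int = BLOCK) -> List[List[bytes]]:
    """Stripe data across n_disks with one rotating parity block per stripe.
    Returns disks[d] = list of blocks held by disk d, one per stripe."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    data_per_stripe = (n_disks - 1) * block
    data += b"\x00" * ((-len(data)) % data_per_stripe)  # zero-pad the last stripe
    disks: List[List[bytes]] = [[] for _ in range(n_disks)]
    for s in range(len(data) // data_per_stripe):
        chunk = data[s * data_per_stripe:(s + 1) * data_per_stripe]
        pieces = [chunk[i * block:(i + 1) * block] for i in range(n_disks - 1)]
        parity_disk = s % n_disks  # rotate parity so no single disk takes every parity write
        parity = xor_blocks(pieces)
        piece_iter = iter(pieces)
        for d in range(n_disks):
            disks[d].append(parity if d == parity_disk else next(piece_iter))
    return disks


def read_raid5(disks: List[Optional[List[bytes]]], length: int) -> bytes:
    """Read back `length` bytes of user data. A disk entry of None models a failed
    disk; its blocks are rebuilt stripe by stripe from the surviving blocks."""
    failed = [d for d, blocks in enumerate(disks) if blocks is None]
    if len(failed) > 1:
        raise RuntimeError("more than one disk lost: single parity cannot recover")
    n_disks = len(disks)
    n_stripes = len(next(b for b in disks if b is not None))
    out = bytearray()
    for s in range(n_stripes):
        parity_disk = s % n_disks
        stripe = [None if disks[d] is None else disks[d][s] for d in range(n_disks)]
        if failed:
            stripe[failed[0]] = xor_blocks([b for b in stripe if b is not None])
        for d in range(n_disks):
            if d != parity_disk:
                out += stripe[d]
    return bytes(out[:length])


def scrub(disks: List[List[bytes]]) -> List[int]:
    """Parity check over every stripe: returns the indices of stripes whose blocks
    no longer XOR to zero, i.e. silent corruption that a later rebuild would propagate."""
    bad = []
    for s in range(len(disks[0])):
        if any(xor_blocks([d[s] for d in disks])):
            bad.append(s)
    return bad


if __name__ == "__main__":
    payload = b"Cash receipts journal, 2024-05-01"  # constructed sample data
    array = write_raid5(payload, 4)
    array[1] = None  # simulate losing disk 1
    print(read_raid5(array, len(payload)) == payload)
```

Two points the definition leaves implicit are visible here: a second disk failure before the rebuild completes is unrecoverable with single parity (the read raises), and parity protects against a disk going missing, not against a block silently returning wrong bytes, which is why periodic scrubbing belongs in the fault-tolerance controls of question 20.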
12.
What is the role of a data librarian? Response: A data librarian, who is responsible for the receipt, storage, retrieval, and custody of data files, controls access to the data library. The librarian issues data files to computer operators in accordance with program requests and takes custody of files when processing or backup procedures are completed. The trend in recent years toward real-
time processing and the increased use of direct-access files has reduced or even eliminated the role of the data librarian in many organizations. 13.
What is the role of a corporate computer services department? How does this differ from other configurations? Response: The role of a corporate computer services department (IT function) differs in that it is not a completely centralized model; rather, the group plays the role of provider of technical advice and expertise to distributed computer services. Thus, it provides much more support than would be received in a completely distributed model. A corporate computer services department provides a means for central testing of commercial hardware and software in an efficient manner. Further, the corporate group can provide users with services such as installation of new software and troubleshooting hardware and software problems. The corporate group can establish systems development, programming, and documentation standards. The corporate group can aid the user groups in evaluating the technical credentials of prospective systems professionals.
14.
What are the five risks associated with distributed data processing? Response: The five risks associated with distributed data processing are as follows: a. inefficient use of resources, b. destruction of audit trails, c. inadequate segregation of duties, d. potential inability to hire qualified professionals, and e. lack of standards.
15.
List the control features that directly contribute to the security of the computer center environment. Response: a. physical location controls b. construction controls c. access controls d. air conditioning e. fire suppression f. fault tolerance
16.
What is data conversion? Response: The data conversion function transcribes transaction data from paper source documents into computer input. For example, data conversion could be keying sales orders into a sales order application in modern systems or transcribing data into magnetic media (tape or disk) suitable for computer processing in legacy-type systems.
17.
What may be contained in the data library? Response: The data library is a room adjacent to the computer center that provides safe storage for the off-line data files. Those files could be backups or current data files. For instance, the data library could store backups on DVDs, CD-ROMs, tapes, or other storage devices. It could also store live, current data files on magnetic tapes and removable disk packs. In addition, the data library could store the original copies of commercial software and their licenses for safekeeping.
18.
What is an ROC? Response: A recovery operations center (ROC) or hot site is a fully equipped backup data center that many companies share. In addition to hardware and backup facilities, ROC service providers offer a range of technical services to their clients, who pay an annual fee for access rights. In the event of a major disaster, a subscriber can occupy the premises and, within a few hours, resume processing critical applications.
19.
What is a cold site? Response: The empty shell or cold site plan is an arrangement wherein the company buys or leases a building that will serve as a data center. In the event of a disaster, the shell is available and ready to receive whatever hardware the temporary user requires to run its essential data processing systems.
20.
What is fault tolerance? Response: Fault tolerance is the ability of the system to continue operation when part of the system fails due to hardware failure, application program error, or operator error. Implementing fault tolerance control ensures that no single point of potential system failure exists. Total failure can occur only in the event of the failure of multiple components, or system-wide failure.
21.
What are the often-cited benefits of IT outsourcing? Response: Often-cited benefits of IT outsourcing include improved core business performance, improved IT performance (because of the vendor’s expertise), and reduced IT costs.
22.
Define commodity IT asset. Response: Commodity IT assets are those assets that are not unique to a particular organization and are thus easily acquired in the marketplace. These include such things as network management, systems operations, server maintenance, and help-desk functions.
23.
Define specific asset. Response: Specific assets, in contrast to commodity assets, are unique to the organization and support its strategic objectives. Because of their idiosyncratic nature, specific assets have little value outside of their current use.
24.
List five risks associated with IT outsourcing. Response: a. failure to perform b. vendor exploitation c. outsourcing costs exceed benefits d. reduced security e. loss of strategic advantage
25.
What is virtualization? Response: Virtualization multiplies the effectiveness of the physical system by creating virtual (software) versions of the computer with separate operating systems that reside in the same physical equipment. In other words, virtualization is the concept of running more than one “virtual computer” on a single physical computer.
26.
What is network virtualization? Response: Network virtualization increases effective network bandwidth by dividing it into independent channels, which are then assigned to separate virtual computers. Network virtualization optimizes network speed, flexibility, and reliability; most importantly, it improves network scalability.
27.
What are the three classes of cloud computing services? Response: Cloud computing classes are: Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).
28.
What is Software as a Service (SaaS)? Response: Software as a Service (SaaS) is a software distribution model in which service providers host applications for client organizations over a private network or the Internet.
29.
Give two advantages of Infrastructure as a Service (IaaS). Response: One advantage is that the IaaS provider owns, houses, and maintains the equipment, and the client pays for it on a per-use basis. Another advantage is scalability, which is the ability to rapidly respond to usage changes.
DISCUSSION QUESTIONS 1.
How is pre-SOX IT governance different from post-SOX IT governance? Response: Prior to SOX, the common practice regarding IT investments was to defer all decisions to corporate IT professionals. Modern IT governance, however, follows the philosophy that all corporate stakeholders, including boards of directors, top management, and department users (e.g., accounting and finance), be active participants in key IT decisions. Such broad-based involvement reduces risk and increases the likelihood that IT decisions will be in compliance with user needs, corporate policies, strategic initiatives, and internal control requirements under SOX.
2.
Although IT governance is a broad area, only three aspects of IT governance are discussed in the chapter. Name them and explain why these topics were chosen. Response: Although all IT governance issues are important to the organization, not all of them are matters of internal control under SOX that may potentially impact the financial reporting process. This chapter examined three IT governance issues that are addressed by SOX and the COSO internal control framework. These are: a. Organizational structure of the IT function, b. Computer center operations, and c. Disaster recovery planning.
3.
What types of incompatible activities are prone to becoming consolidated in a distributed data processing system? How can this be prevented? Response: Achieving an adequate segregation of duties may not be possible in some distributed environments. The distribution of the IT services to users may result in the creation of small independent units that do not permit the desired separation of
incompatible functions. For example, within a single unit the same person may write application programs, perform program maintenance, enter transaction data into the computer, and operate the computer equipment. Such a situation would be a fundamental violation of internal control. Often, the control problems previously described can be addressed by implementing a corporate IT function. 4.
Why would an operational manager be willing to take on more work in the form of supervising an information system? Response: Managers are responsible for the success of their divisions. If the benefits to be reaped from a DDP are expected to be great enough, the manager may find it is worth her or his while to expend the extra effort. Some of the benefits the manager may hope will materialize within the divisions are more efficiently run operations, better decision making, and reduced processing costs. Increased customer satisfaction may also result if the DDP system is more accommodating.
5.
How can data be centralized in a distributed data processing system? Response: The data is stored centrally, but updated or processed at the local (remote) site. Thus, data is retrieved from the centralized data store, processed locally, and then sent back to the centralized data store.
6.
Should standards be centralized in a distributed data processing environment? Explain. Response: The relatively poor control environment imposed by the DDP model can be improved by establishing some central guidance. The corporate group can contribute to this goal by establishing and distributing to user areas appropriate standards for systems development, programming, and documentation.
7.
How can human behavior be considered one of the biggest potential threats to operating system integrity? Response: The purpose of segregation of duties is to deal with the potential negative aspects of human behavior including errors and fraud. The relationship between systems development (both new systems development and maintenance) and computer operations activities poses a potential risk that can circumvent operating system integrity. These functions are inherently incompatible. With detailed knowledge of application logic and control parameters and access to the computer’s operating system and utilities, an individual could make unauthorized changes to the application during its execution.
8.
A bank in California has thirteen branches spread throughout northern California, each with its own minicomputer where its data are stored. Another bank has 10 branches spread throughout California, with its data stored on a mainframe in San Francisco. Which system do you think is more vulnerable to unauthorized access? Excessive losses from disaster? Response: The bank that has the data for all of its branches stored on one mainframe computer is at greater risk from unauthorized access. All of the firm’s records are centrally housed. Once a perpetrator gains unauthorized access to the system, the data for all 10 branches are at risk. For the other bank the perpetrator would have to breach security at each of the thirteen branch computers. Thus, the bank with all of its data centrally stored on a mainframe is more vulnerable to unauthorized access. The primary disasters of concern in California are earthquakes and fires. The bank with a central mainframe in San Francisco is probably at the greatest risk of damage from both earthquakes and fires. If that system is destroyed, all of the branches lose their processing capability and, possibly, stored data.
9.
End-user computing has become extremely popular in distributed data processing organizations. The end users like it because they feel they can more readily design and implement their own applications. Does this type of environment always foster more efficient development of applications? Explain your answer. Response: Distributed data processing, if not properly managed, may result in duplication of efforts. Two or more individual end users may develop similar applications while completely unaware of each other’s efforts. Such duplication is an inefficient use of human resources.
10.
Compare and contrast the following disaster recovery options: mutual aid pact, empty shell, recovery operations center, and internally provided backup. Rank them from most risky to least risky, as well as from most costly to least costly. Response: A mutual aid pact requires two or more organizations to agree to and trust each other to aid the other with data processing needs in the event of a disaster. This method is the lowest cost, but also somewhat risky. First, the host company must be trusted to scale back its own processing in order to process the transactions of the disaster-stricken company. Second, the firms must not be affected by the same disaster, or the plan fails. The next lowest cost method is internally provided backup. With this method, organizations with multiple data processing centers may invest in internal excess capacity and support themselves in the case of disaster in one data processing center. This method is not as risky as the mutual aid pact because reliance on another organization is not a factor. In terms of cost, the next highest method is the empty shell where two or more organizations buy or lease space for a data processing center. The space is made ready for computer installation; however, no computer equipment is installed. This method requires lease or mortgage payments as well as payment for air conditioning and raised floors. The risk in this method is that the hardware, software, and technicians may be difficult, if not impossible, to have available in the case of a natural disaster. Further, if multiple members’ systems crash simultaneously, an allocation problem exists. The method with lowest risk and also the highest cost is the recovery operations center. This method takes the empty shell concept one step further—the computer equipment is actually purchased and software may even be installed. 
Assuming that this site is far enough away from the disaster-stricken area not to be affected by the disaster, this method can be a very good safeguard.
11.
Who should determine and prioritize the critical applications? How is this done? How frequently is it done? Response: The critical applications should be identified and prioritized by the user departments, accountants, and auditors. The applications should be prioritized based upon the impact on the short-run survival of the firm. The frequency with which the priorities need to be assessed depends upon the amount and kinds of changes that are made to systems over time. Firms that make changes frequently should reassess priorities frequently.
12.
Why is it easier for programmers to perpetrate a fraud than operators? Response: It is much easier for programmers to perpetrate a fraud because they know the code. They know how to get around some, or most, of the embedded controls. Better yet, some programmers deliberately program code that gets them around controls and allows them to commit fraud.
13.
Why should an organization centralize the acquisition, testing, and implementation of software and hardware within the corporate IT function?
Response: The corporate IT group is better able to evaluate the merits of competing vendor software and hardware. A central, technically astute group such as this can evaluate systems features, controls, and compatibility with industry and organizational standards most efficiently. Test results can then be distributed to user areas as standards for guiding acquisition decisions.
14.
Organizations sometimes locate their computer centers in the basement of their buildings to avoid normal traffic flows. Comment on this practice. Response: Locating the computer center in the basement of a building can create an exposure to disaster risk such as floods. The Chicago Board of Trade computer center’s systems were located in the basement of a multi-storied office building in Chicago. When the century-old water pipelines burst, part of the first floor and the entire basement flooded. Trade was suspended for several days until system functionality could be restored, causing the loss of millions of dollars. This disaster would have been prevented if the computer center had simply been located on the top floor—still away from normal traffic flows, but also away from the risk of flood.
15.
The 2003 blackout that affected the U.S. northeast caused numerous computer failures. What can an organization do to protect itself from such uncontrollable power failures? Response: The decision regarding power controls can be an expensive one and usually requires the advice and analysis of experts. The following, however, are options that can be employed. Voltage regulators and surge protectors provide regulated electricity, related to the level of electricity (frequency), and “clean” electricity, related to spikes and other potential hazards. Power outages and brownouts can generally be controlled with a battery backup (known as an uninterruptible power supply).
16.
Discuss a potential problem with ROCs. Response: Because of the heavy investment involved, ROCs are typically shared among many companies. The firms either buy shares in or become subscribers to the ROC, paying monthly fees for rights to its use. That situation does provide some risk because a widespread natural disaster may affect numerous entities in the same general geographic area. If multiple entities share the same ROC, some firm or firms will end up queued in a waiting line.
17.
Discuss two potential problems associated with a cold site. Response: a. Recovery depends on the timely availability of the necessary computer hardware to restore the data processing function. Management must obtain assurances from hardware vendors that the vendor will give priority to meeting the organization’s needs in the event of a disaster. An unanticipated hardware supply problem at this critical juncture could be a fatal blow. b. With this approach there is the potential for competition among users for the shell resources, the same as for a hot site. For example, a widespread natural disaster, such as a flood or earthquake, may destroy the data processing capabilities of several shell members located in the same geographic area. Those affected by the disaster would be faced with a second major problem: how to allocate the limited facilities of the shell among them. The situation is analogous to a sinking ship that has an inadequate number of lifeboats.
18.
Discuss three techniques used to achieve fault tolerance. Response: a. Redundant arrays of inexpensive (or independent) disks (RAID). There are several types of RAID configurations. Essentially, each method involves the use of parallel disks that contain redundant elements of data and applications. If one disk fails, the lost data are automatically reconstructed from the redundant components stored on the other disks. b. Uninterruptible power supplies. In the event of a power outage, short-term backup power (i.e., battery power) is provided to allow the system to shut down in a controlled manner. This process will prevent the data loss and corruption that would otherwise result from an uncontrolled system crash.
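The parity mechanism behind the RAID technique in part (a), as an added example that is not from the textbook or the solution manual: a toy RAID 5 style array stripes data across disks with one rotating XOR parity block per stripe, rebuilds a lost disk from the surviving disks, and shows why single parity cannot survive two simultaneous failures. The disk count, block size and sample data are constructed.

```python
from typing import List, Optional

# Constructed sample data; in practice this would be the application's files.
SAMPLE_DATA = b"GL batch 2024-03: acct 1001 +250.00; acct 2040 -75.50; acct 3110 +18.25"


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length blocks together. The XOR of all blocks in a stripe is its parity,
    and the XOR of every block but one yields the missing one."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)


def build_array(data: bytes, n_disks: int, block_size: int) -> List[List[bytes]]:
    """Stripe data across n_disks with one parity block per stripe (RAID 5 layout).
    Returns a list of disks, each a list of blocks; n_disks - 1 blocks per stripe hold data."""
    if n_disks < 3:
        raise ValueError("a single-parity stripe needs at least three disks")
    data_per_stripe = (n_disks - 1) * block_size
    disks: List[List[bytes]] = [[] for _ in range(n_disks)]
    for stripe_no, start in enumerate(range(0, len(data), data_per_stripe)):
        chunk = data[start:start + data_per_stripe].ljust(data_per_stripe, b"\0")
        data_blocks = [chunk[i:i + block_size] for i in range(0, data_per_stripe, block_size)]
        parity_disk = stripe_no % n_disks  # rotate parity so no single disk is a hotspot
        remaining = iter(data_blocks)
        for disk_no in range(n_disks):
            disks[disk_no].append(xor_blocks(data_blocks) if disk_no == parity_disk else next(remaining))
    return disks


def reconstruct_disk(disks: List[Optional[List[bytes]]], failed: int) -> List[bytes]:
    """Rebuild the failed disk block by block from the survivors of each stripe.
    Raises if a second disk is also missing: one parity block covers one loss only."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    if any(d is None for d in survivors):
        raise RuntimeError("single parity cannot recover from two simultaneous disk failures")
    n_stripes = len(survivors[0])
    return [xor_blocks([d[s] for d in survivors]) for s in range(n_stripes)]


def read_array(disks: List[List[bytes]], length: int) -> bytes:
    """Reassemble the original data by skipping each stripe's parity block."""
    n_disks = len(disks)
    out = bytearray()
    for stripe_no in range(len(disks[0])):
        parity_disk = stripe_no % n_disks
        for disk_no in range(n_disks):
            if disk_no != parity_disk:
                out += disks[disk_no][stripe_no]
    return bytes(out[:length])


def recover_after_failure(data: bytes, n_disks: int, block_size: int, failed: int) -> bytes:
    """Simulate losing one disk, rebuild it from parity, and read the data back."""
    disks: List[Optional[List[bytes]]] = build_array(data, n_disks, block_size)
    disks[failed] = None  # the disk and every block on it are gone
    disks[failed] = reconstruct_disk(disks, failed)
    return read_array(disks, len(data))


def double_failure_is_unrecoverable(data: bytes, n_disks: int, block_size: int) -> bool:
    """Show the limit of the technique: two lost disks cannot be rebuilt with one parity."""
    disks: List[Optional[List[bytes]]] = build_array(data, n_disks, block_size)
    disks[0] = None
    disks[1] = None
    try:
        reconstruct_disk(disks, 0)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    for failed in range(4):
        assert recover_after_failure(SAMPLE_DATA, 4, 8, failed) == SAMPLE_DATA
        print(f"disk {failed} lost: data rebuilt intact")
    print("two disks lost, unrecoverable:", double_failure_is_unrecoverable(SAMPLE_DATA, 4, 8))
```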
19.
Explain the outsourcing risk of failure to perform. Response: Once a client firm has outsourced specific IT assets, its performance becomes linked to the vendor’s performance. The negative implications of such dependency are illustrated in the financial problems that have plagued the huge outsourcing vendor Electronic Data Systems Corp. (EDS). In a cost-cutting effort, EDS terminated seven thousand employees, which impacted its ability to serve other clients. Following an eleven-year low in share prices, EDS stockholders filed a class-action lawsuit against the company. Clearly, vendors experiencing such serious financial and legal problems threaten the viability of their clients also.
20.
Explain vendor exploitation. Response: Once the client firm has divested itself of specific assets it becomes dependent on the vendor. The vendor may exploit this dependency by raising service rates to an exorbitant level. As the client’s IT needs develop over time beyond the original contract terms, it runs the risk that new or incremental services will be negotiated at a premium. This dependency may threaten the client’s long-term flexibility, agility, and competitiveness and result in even greater vendor dependency.
21.
Explain why reduced security is an outsourcing risk. Response: Information outsourced to off-shore IT vendors raises unique and serious questions regarding internal control and the protection of sensitive personal data. When corporate financial systems are developed and hosted overseas, and program code is developed through interfaces with the host company’s network, US corporations are at risk of losing control of their information. To a large degree, US firms are reliant on the outsourcing vendor’s security measures, data-access policies, and the privacy laws of the host country.
22.
Explain how IT outsourcing can lead to loss of strategic advantage. Response: Alignment between IT strategy and business strategy requires a close working relationship between corporate management and IT management in the concurrent development of business and IT strategies. This, however, is difficult to accomplish when IT planning is geographically redeployed off-shore or even domestically. Further, since the financial justification for IT outsourcing depends upon the vendor achieving economies of scale, the vendor is naturally driven toward seeking common solutions that may be used by many clients rather than creating unique solutions for each of them. This fundamental underpinning of IT outsourcing is inconsistent with the client’s pursuit of strategic advantage in the marketplace.
23.
Explain the role of the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) report in the review of internal controls. Response: SSAE 16 is an internationally recognized third-party attestation report designed for service organizations such as IT outsourcing vendors. SSAE 16 was promulgated by the Auditing Standards Board (ASB) of the AICPA and replaced Statement on Auditing Standards No. 70 (SAS 70). The SSAE 16 report, which is prepared by the service provider’s auditor, attests to the functionality of the vendor’s system and the adequacy of its internal controls. This is the means by which an outsourcing vendor can obtain a single attest report that may be used by its clients’ auditors and thus preclude the need for each client firm auditor to conduct its own audit of the vendor organization’s facilities and internal controls.
24.
How do SSAE 16 Type 1 and Type 2 differ? Response: The Type I report is the less rigorous of the two and comments only on the suitability of the controls’ design. The Type II report goes further and assesses whether the controls are operating effectively based on tests conducted by the vendor organization’s auditor.
25.
How are the Carve-out and Inclusive methods of reporting on subservice organizations different? Response: Carve-out Method: When using the carve-out method, service provider management would exclude the subservice organization’s relevant control objectives and related controls from the description of its system. The service provider must have controls in place to monitor the effectiveness of the controls at the subservice organization. Inclusive Method: When using the inclusive method of subservice organization reporting the service provider’s description of its system will include the services performed by the subservice organization. In addition the report will include the relevant control objectives and related controls of the subservice organization.
26.
Give two differences between ASP and SaaS. Response: 1) ASPs typically host the software of third-party software vendors, which is configured to the unique needs of the client organization. SaaS vendors typically develop and manage their own web-based software, which is general purpose and designed to serve multiple businesses. 2) ASP contracts are typically fixed-period or one-time licensing agreements. SaaS vendors often employ a subscription model in which clients pay as they go based on usage.
27.
Why is cloud computing not the best option for all companies? Response: For smaller businesses, startup companies, and some new applications, the cloud concept is a promising alternative to in-house computing. The information needs of large companies, however, are often in conflict with the cloud solution. For example, large firms 1) have typically incurred massive investments in equipment, proprietary software, and human resources; 2) have mission-critical legacy systems that cannot be migrated to the cloud; and 3) have esoteric information needs that are not served well by standardized solutions.
MULTIPLE CHOICE QUESTIONS
1. b
2. c
3. e
4. b
5. e
6. c
7. c
8. c
9. b
10. d
PROBLEMS
1.
Disaster Recovery Planning Controversy The relevance of a disaster recovery plan (DRP) to a financial statement audit is a matter of debate. Some argue that the existence of a DRP is irrelevant to the audit. Others argue that it is an important control that needs to be considered in the assessment of internal control. Required: Argue both sides of this debate. 1) Provide a logical argument why a DRP should not be considered in the audit. 2) Argue why a DRP is an important control and should be reviewed within the conduct of a financial audit. Response: 1) The DRP plays no role in the day-to-day operations of transaction processing. Financial statement audits focus on past period events. If no disaster occurred in the period under review, then the presence or absence of the DRP is irrelevant. 2) This argument is related to the going concern principle. Investors invest in the future of an organization based in part on past financial performance. The absence of a DRP, or a poorly designed DRP, is similar to a contingency. How would investors respond to an organization that was vulnerable in some way, but had no contingency plan? How would they respond if a disaster struck, and they had not been informed in the audit report that the organization had no DRP in place?
2.
Internal Control During its preliminary review of the financial statements of Barton, Inc., Simon and Associates, CPA discovered a lack of proper segregation of duties between the programming and operating functions in Barton’s data center. They discovered that some new systems development programmers also filled in as operators on occasion. Simon and Associates extended the internal control review and test of controls and concluded in its final report that sufficient compensating general controls provided reasonable assurance that the internal control objectives were being met. Required: What compensating controls are most likely in place? Response: Compensating controls that Barton, Inc. found may include:
• mandatory vacations for all employees
• operators are prohibited from running systems that they helped develop
• end users review output reports and note any exceptions
• adequate supervision of all IT operations
• access log identifies the time and duration of all access to the data center
• no system documentation is stored in the data center
• periodic comparison of program code to an archived copy
• use of a computer activity log to identify which operators ran which programs, when they ran, and how long they ran.
3.
Physical Security Big Apple Financials, Inc., is a financial services firm located in New York City. The company keeps client investment and account information on a server at its Brooklyn data center. This information includes the total value of the portfolio, type of investments made, the income structure of each client, and associated tax liabilities. The company has recently upgraded its Web site to allow clients to access their investment information. The company’s data center is in the basement of a rented building. Company management believes that the location is secure enough to protect their data from physical threats. The servers are housed in a room that has smoke detectors and associated sprinklers. It is enclosed, with no windows, and has temperature-controlled air conditioning. The company’s auditors, however, have expressed concern that some of the measures at the current location are inadequate and that newer alternatives should be explored. Management has expressed counter concerns about the high cost of purchasing new equipment and relocating its data center. Required: 1. Why are Big Apple’s auditors stressing the need to have a better physical environment for the server? 2. Describe six control features that contribute to the physical security of the computer center. 3. Big Apple management is concerned about the cost of relocating the data center. Discuss some options open to them that could reduce their operating costs and provide the security the auditors seek. Response: 1. When talking of the physical environment, the auditors are not just talking of the potential threat of physical intruders and sabotage, but also of environmental hazards such as fires, floods, wind, earthquakes, or power outages. Though these occurrences are relatively rare, they still should be accounted for, as they can seriously hamper operations.
The company would not only just lose the investment in servers and computer systems but also the data and ability to do business. Software checks cannot prevent such losses. Big Apple needs to have a workable disaster recovery plan in place.
2.
a. Physical Location: The physical location of the computer center affects the risk of disaster directly. The computer center should be away from human-made and natural hazards, such as processing plants, gas and water mains, airports, high-crime areas, flood plains, and geological faults.
b. Construction: Ideally, a computer center should be located in a single-story building of solid concrete with controlled access. Utility and communication lines should be underground. The building windows should not be open. An air filtration system should be in place that is capable of excluding dust, pollen, and dust mites.
c. Access: Access should be limited to operators and other employees who work there. Programmers and analysts who need access to correct program errors should be required to sign in and out. The computer center should maintain accurate records of all such events to verify access control. The main entrance to the computer center should be through a single door, though fire exits with alarms are important. Closed-circuit cameras with video recording are also highly advisable.
d. Air Conditioning: Mainframes and servers, as in the case with Avatar, have heavy processing volumes. These are designed to work at their optimal levels only within a narrow range of conditions, most importantly the temperature. Computers operate best in a temperature range of 70 to 75 degrees Fahrenheit and a relative humidity of 50 percent. Logic errors and static electricity risks can be mitigated by proper use of air conditioning.
e. Fire Suppression: The major features should include automatic and manual alarms (placed in strategic locations connected to fire stations), an automatic fire extinguishing system (not water sprinklers; rather, carbon dioxide or halon extinguishers should be used), a manual fire extinguisher, and clearly marked and illuminated fire exits.
f. Fault Tolerance Controls: Commercially provided electrical power presents several problems that can disrupt the computer center’s operations, including total power failures, brownouts, and power fluctuation. The company should look into the use of surge protectors, generators, batteries, and voltage regulators in order to protect their computer system from the negative effects associated with these disruptions.
3. The company could look into the outsourcing option. This may involve either traditional outsourcing or the more flexible cloud computing approach, depending on the nature of the applications that Big Apple uses in its operations. SaaS and IaaS options are readily available for financial services firms. Outsourcing vendors that are SSAE 16 certified will have adequate disaster recovery and security features in place. Since outsourcing vendors can achieve economies of scale, service and security can be provided at a lower cost than Big Apple could achieve independently.
4.
Disaster Recovery Plans The headquarters of Hill Crest Corporation, a private company with $15.5 million in annual sales, is located in California. Hill Crest provides for its 150 clients an online legal software service that includes data storage and administrative activities for law offices. The company has grown rapidly since its inception 3 years ago, and its data processing department has expanded to accommodate this growth. Because Hill Crest’s president and sales personnel spend a great deal of time out of the office developing new clients, the planning of the IT facilities has been left to the data processing professionals. Hill Crest recently moved its headquarters into a remodeled warehouse on the outskirts of the city. While remodeling the warehouse, the architects retained much of the original structure, including the wooden-shingled exterior and exposed wooden beams throughout the interior. The distributive processing computers and servers are situated in a large open area with high ceilings and skylights. The openness makes the data center accessible to the rest of the staff and promotes a team approach to problem solving. Before occupying the new facility, city inspectors declared the building safe; that is, it had adequate fire extinguishers, sufficient exits, and so on. In an effort to provide further protection for its large database of client information, Hill Crest instituted a tape backup procedure that automatically backs up the database every Sunday evening, avoiding interruption in the daily operations and procedures. All tapes are then labeled and carefully stored on shelves reserved for this purpose in the data processing department. The departmental operator’s manual has instructions on how to use these tapes to restore the database, should the need arise. A list of home phone numbers of the individuals in the data processing department is available in case of an emergency. Hill Crest has recently increased its liability insurance for data loss from $50,000 to $100,000. This past Saturday, the Hill Crest headquarters building was completely ruined by fire, and the company must now inform its clients that all of their information has been destroyed. Required: a. Describe the computer security weaknesses present at Hill Crest Corporation that made it possible for a disastrous data loss. b. List the components that should have been included in the disaster recovery plan at Hill Crest Corporation to ensure computer recovery within 72 hours. c. What factors, other than those included in the plan itself Response: a. The computer security weaknesses present at Hill Crest Corporation that made it possible for a disastrous data loss to occur include:
• Not housing the data-processing facility in a building constructed of fire-retardant materials, and instead using one with exposed wooden beams and a wooden-shingled exterior.
• The absence of a sprinkler (halon) system and a fire-suppression system under a raised floor; fire doors.
• An on-line system with infrequent (weekly) tape backups. Backups, with checkpoints and restarts, should be performed at least daily. “Grandfather” and “Father” backup files should be retained at a secure off-site storage location.
• Data and programs should have been kept in a library separate from the data-processing room, with the library area constructed of fire-retardant materials.
• Lack of a written disaster recovery plan with arrangements in place to use an alternate off-site computer center in the event of a disaster or an extended service interruption. There was a phone list of DP personnel, but without assigned responsibilities as to actions to be taken when needed.
• Lack of complete systems documentation kept outside the data-processing area.
b. The components that should have been included in the disaster recovery plan at Hill Crest Corporation to ensure computer recovery within 72 hours include the following:
• A written disaster recovery plan should be developed with review and approval by senior management, data-processing management, end-user management, and internal audit.
• Backup data and programs should be stored at an off-site location that will be quickly accessible in the event of an emergency.
• The disaster recovery team should be organized. Select the disaster recovery manager, identify the tasks, segregate into teams, develop an organizational chart for disaster procedures, match personnel to team skills and functions, and assign duties and responsibilities to each member. The duties and responsibilities of the recovery team include:
o Obtaining use of a previously arranged alternate data-processing facility; activating the backup system and network, and
o Retrieving backup data files and programs, restoring programs and data, processing critical applications, and reconstructing data entered into the system subsequent to the latest saved backup/restart point.
c. Factors, other than those included in the disaster recovery plan itself, that should be considered when formulating the plan include:
• Arranging business interruption insurance in addition to liability insurance.
• Ensuring that all systems’ and operations’ documentation is kept up to date and is easily accessible for use in case of a disaster.
• Performing a risk/cost analysis to determine the level of expense that may be justified to obtain reasonable, as opposed to certain, assurance that recovery can be accomplished in 72 hours.
5.
Segregation of Duties Arcadia Plastics follows the philosophy of transferring people from job to job within the organization. Management believes that job rotation deters employees from feeling that they are stagnating in their jobs and promotes a better understanding of the company. A computer services employee typically works for six months as a data librarian, one year as a systems developer, six months as a database administrator, and one year in systems maintenance. At that point, he or she is assigned to a permanent position. Required: Discuss the importance of separation of duties within the information systems department. How can Arcadia Plastics have both job rotation and well-separated duties? Response: Because the employee will have performed several highly incompatible tasks, this company needs to employ strong password access controls and constantly require its employees to change their passwords. This is especially necessary because these employees have either designed or viewed authorization access tables. Strong controls over program maintenance, such as program modification reports, are also a necessity. The key is that when an employee transfers from one job to another, she or he should have no access to functions in previous positions.
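An audit check that combines two of the controls on this page: Problem 2's compensating controls (a computer activity log of which operators ran which programs, and the rule that operators may not run systems they helped develop) and Problem 5's rule that a rotated employee keeps no access to functions of previous positions. This is an added example, not from the textbook or the solution manual; the log line format, the role-to-action policy, the role history and the log lines are all constructed.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed policy: the one role entitled to perform each logged action.
ACTION_ROLE: Dict[str, str] = {
    "RUN": "operator",
    "EDIT_SOURCE": "developer",
    "ALTER_SCHEMA": "dba",
    "CHECKOUT_TAPE": "librarian",
}

# Constructed role history following Arcadia's rotation: (user, role, start, end); end None = current.
ROLE_HISTORY: List[Tuple[str, str, date, Optional[date]]] = [
    ("jlee", "developer", date(2023, 1, 1), date(2023, 12, 31)),
    ("jlee", "operator", date(2024, 1, 1), None),
    ("mpatel", "librarian", date(2023, 1, 1), date(2023, 6, 30)),
    ("mpatel", "operator", date(2023, 7, 1), None),
]

# Constructed record of who helped develop each program, as change-management records would show.
PROGRAM_AUTHORS: Dict[str, Set[str]] = {"PAYROLL": {"jlee"}, "GL_POST": {"rkim"}}

# Constructed computer activity log lines in a hypothetical one-line format.
LOG_LINES = [
    "2024-03-04 user=mpatel program=PAYROLL action=RUN",
    "2024-03-04 user=jlee program=PAYROLL action=RUN",
    "2024-03-05 user=jlee program=GL_POST action=EDIT_SOURCE",
    "2024-03-05 user=mpatel program=GL_POST action=RUN",
    "2024-03-06 user=mpatel program=TAPE07 action=CHECKOUT_TAPE",
]

LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) user=(\w+) program=(\w+) action=(\w+)$")


@dataclass(frozen=True)
class Event:
    day: date
    user: str
    program: str
    action: str


def parse_log(lines: List[str]) -> List[Event]:
    """Parse the constructed log format; an unparseable line is itself an audit exception."""
    events = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            raise ValueError(f"unparseable activity log line: {line!r}")
        day, user, program, action = match.groups()
        events.append(Event(date.fromisoformat(day), user, program, action))
    return events


def role_on(history: List[Tuple[str, str, date, Optional[date]]], user: str, day: date) -> Optional[str]:
    """The role the user held on the given day, or None if no assignment covers it."""
    for who, role, start, end in history:
        if who == user and start <= day and (end is None or day <= end):
            return role
    return None


def audit_activity_log(lines: List[str] = LOG_LINES,
                       history=ROLE_HISTORY,
                       authors: Dict[str, Set[str]] = PROGRAM_AUTHORS) -> List[str]:
    """Return one finding per log event that violates either segregation rule."""
    findings: List[str] = []
    for ev in parse_log(lines):
        current = role_on(history, ev.user, ev.day)
        required = ACTION_ROLE.get(ev.action)
        # Rule from Problem 5: only the current role's functions are permitted.
        if required is not None and current != required:
            findings.append(f"{ev.day} {ev.user} performed {ev.action} on {ev.program} "
                            f"as {current or 'unassigned'}; requires {required}")
        # Rule from Problem 2: operators may not run systems they helped develop.
        if ev.action == "RUN" and ev.user in authors.get(ev.program, set()):
            findings.append(f"{ev.day} {ev.user} ran {ev.program}, a program they helped develop")
    return findings


if __name__ == "__main__":
    for finding in audit_activity_log():
        print("EXCEPTION:", finding)
```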
6.
DDP Risks Write an essay discussing the primary risks associated with the distributed processing environment. Response: Potential risks associated with DDP include the inefficient use of resources, the destruction of audit trails, inadequate segregation of duties, an increased potential for programming errors and systems failures, and the lack of standards.
a. Inefficient use of resources. Several risks are associated with inefficient use of organizational resources in the DDP environment.
• First is the risk of mismanagement of organization-wide resources, particularly by end users. Some argue that when organization-wide resources exceed a threshold amount, perhaps 5 percent of the total operations budget, they should be controlled and monitored centrally.
• Second is the risk of hardware and software incompatibility, again primarily by end users. Distributing the responsibility for hardware and software purchases to end users may result in uncoordinated and poorly conceived decisions. For example, decision makers in different organizational units working independently may settle on dissimilar and incompatible operating systems, technology platforms, database programs and office suites.
• Third is the risk of redundant tasks associated with end-user activities and responsibilities. Autonomous systems development throughout the firm can result in each user area reinventing the wheel. For example, application programs created by one user, which could be used with little or no change by others, will be designed from scratch rather than shared.
b. Destruction of audit trail. The use of DDP can adversely affect the audit trail. Because audit trails in modern systems tend to be electronic, it is not unusual for the electronic audit trail to exist in part, or in whole, on end-user computers. Should the end user inadvertently delete the audit trail, it could be lost and unrecoverable. Or if an end user inadvertently inserted uncontrolled errors into the audit log, the audit trail could effectively be destroyed. Numerous other risks are associated, including care of the hardware itself.
c. Inadequate segregation of duties. The distribution of IT services to users may result in the creation of many small units that do not permit the necessary separation of incompatible functions. For example, within a single unit, the same person may write application programs, perform program maintenance, enter transaction data into the computer, and operate the computer equipment. This condition would be a fundamental violation of internal control.
d. Hiring qualified professionals. End-user managers may lack the knowledge to evaluate the technical credentials and relevant experience of candidates applying for positions as computer professionals. Also, if the organizational unit into which a new employee is entering is small, the opportunity for personal growth, continuing education, and promotion may be limited. For these reasons, managers may experience difficulty attracting highly qualified personnel. The risk of programming errors and system failures increases directly with the level of employee incompetence.
e. Lack of standards. Because of the distribution of responsibility in the DDP environment, standards for developing and documenting systems, choosing programming languages, acquiring hardware and software, and evaluating performance may be unevenly applied or nonexistent.
7.
Cloud Based Recovery Service Provider Visit SunGard’s Web site, http://www.sungard.com, and research its Recovery2Cloud services offered. Write a report of your findings. Response: SunGard Recover2Cloud Services are a suite of cloud-based customizable solutions for recovery of an organization’s critical applications.
SunGard creates a mix of services to support the recovery objectives of each customer’s applications. SunGard takes full responsibility for recovery. SunGard claims to reduce recovery costs by 30-50% compared to recovery on physical systems. Recovery2Cloud features include:
• Contractual service-level agreements that guarantee specific recovery time and recovery point objectives
• Fully managed recovery services with testing and recovery performed by SunGard experts
• Multiple availability options built to fit customer needs and budget
• Cloud deployment alternatives including public and private clouds
Recover2Cloud Options Include:
Recover2Cloud for Server Replication
• Supports near-zero recovery point objectives (the amount of time data are lost).
• Recovery time objectives of less than four hours.
• Incorporates Continuous Data Protection to enable recovery to any point in time within several days prior to a failure.
Recover2Cloud Storage Replication
• For large virtual environments.
• Supports less than four-hour recovery time objectives and near-zero recovery point objectives by replicating data to networked storage devices at a SunGard facility.
Recover2Cloud for Vaulting
Vaulting is the process of sending data off-site, where it can be protected from hardware failures, theft, and other threats. Backup services compress, encrypt, and periodically transmit customer data to a remote vault. In most cases the vaults will feature auxiliary power supplies, powerful computers, and manned security.
• SunGard Recover2Cloud for Vaulting supports recovery time objectives of less than 12 hours.
• Provides de-duplicated backup copies of data stored in a secure vault at a SunGard location, in close proximity to recovery infrastructure.
• Claims a reduction in total cost of 35% or more when compared to an in-house solution.
8.
Internal Control Responsibility for Outsourced IT Explain why managers who outsource their IT function may or may not also outsource responsibility for IT controls. What options are open to auditors regarding expressing an opinion on the adequacy of internal controls? Response: Management may outsource their organizations’ IT functions, but they cannot outsource their management responsibilities under SOX for ensuring adequate IT internal controls. The PCAOB specifically states in its Auditing Standard No. 2, “The use of a service organization does not reduce management’s responsibility to maintain effective internal control over financial reporting. Rather, user management should evaluate controls at the service organization, as well as related controls at the user company, when making its assessment about internal control over financial reporting.” Therefore, if an audit client firm outsources its IT function to a vendor that processes its transactions, hosts key data, or performs other significant services, the auditor will need to conduct an evaluation of the vendor organization’s controls, or alternatively obtain an SSAE 16 report from the service provider organization.
9.
Competing Schools of Thought Regarding Outsourcing Explain the core competency argument for outsourcing and compare/contrast it with TCE theory. Why does one theory tend to prevail over the other in making outsourcing decisions? Response: Core competency theory argues that an organization should focus exclusively on its core business competencies while allowing outsourcing vendors to efficiently manage the noncore areas such as the IT functions. This premise, however, ignores an important distinction between commodity and specific IT assets. Commodity IT assets are not unique to a particular organization and are thus easily acquired in the marketplace. These include such things as network management, systems operations, server maintenance, and help-desk functions. Specific IT assets, in contrast, are unique to the organization and support its strategic objectives. Because of their idiosyncratic nature, specific assets have little value outside of their current use. Such assets may be tangible (computer equipment), intellectual (computer programs), or human. Examples of specific assets include systems development, application maintenance, data warehousing, and highly skilled employees trained to use organization-specific software. Transaction Cost Economics (TCE) theory is in conflict with the core competency school by suggesting that firms should retain certain specific non-core IT assets in house. Because of their esoteric nature, specific assets cannot be easily replaced once they are given up in an outsourcing arrangement. Therefore, if the organization should decide to cancel its outsourcing contract with the vendor, it may not be able to return to its pre-outsource state. On the other hand, TCE theory supports the outsourcing of commodity assets, which are easily replaced or obtained from alternative vendors.
Naturally, a CEO’s perception of what constitutes commodity IT assets plays an important role in IT outsourcing decisions. Often this comes down to a matter of definition and interpretation. For example, most CEOs would define their IT function as a non-core commodity, unless they are in the business of developing and selling IT applications. Consequently, a belief that all IT can, and should, be managed by large service organizations tends to prevail. Such misperception reflects, in part, both lack of executive education and dissemination of faulty information regarding the virtues and limitations of IT outsourcing.
10.
Distributed Processing System The internal audit department of a manufacturing company conducted a routine examination of the company’s distributed computer facilities. The auditor’s report was critical of the lack of coordination in the purchase of PC systems and software that individual departments use. Several different hardware platforms, operating systems, spreadsheet packages, database systems, and networking applications were in use. In response to the internal audit report, and without consulting with department users regarding their current and future system needs, Marten, the Vice President of Information Services, issued a memorandum to all employees stating the following new policies:
1. The Micromanager Spreadsheet package has been selected to be the standard for the company, and all employees must switch to it within the month.
2. All future PC purchases must be Megasoft compatible.
3. All departments must convert to the Megasoft Entree database package.
4. The office of the Vice President of Information Services must approve all new hardware and software purchases.
Several managers of other operating departments have complained about Marten’s memorandum. Apparently, before issuing this memo, Marten had not consulted with any of the users regarding their current and future software needs.
Required
a. When setting systems standards in a distributed processing environment, discuss the pertinent factors about:
1. Computer hardware and software considerations.
2. Controls considerations.
b. Discuss the benefits of having standardized hardware and software across distributed departments in the firm.
c. Discuss the concerns that the memorandum is likely to create for distributed users in the company.
Response
a. 1. Computer hardware factors that need to be considered include:
• understanding the primary applications for which the equipment will be used;
• the operating system for each type of hardware and whether appropriate software is available for the desired applications;
• file options such as hard disk drives, Zip drives, floppy diskettes, or CD-ROM; and
• communication considerations such as the interface between microcomputers (LANs), mainframe compatibility for downloading and uploading information, and technical specifications of the communication protocol.
2. Controls considerations include:
• clear, well-written, tested documentation for hardware and software;
• adequate maintenance contracts and software support;
• adequate user training;
• adequate security provisions for file protection, an effective password policy, and appropriate database access authority; and
• backup procedures for internal record integrity, and off-site storage procedures for disaster recovery.
b. The benefits of having standardized hardware and software include:
• cost savings from quantity discounts and multiple use of software licensing agreements;
• technological growth capabilities such as network compatibility;
• standardized and centralized system backup procedures for both hardware and software, and provisions for facility sharing in the event of breakdowns; and
• improved standard operating procedures and software implementation through experience by a large user base with distributed knowledge.
c. The memorandum is likely to create the following concerns:
• The memorandum suggests a lack of understanding of user needs that may inhibit their cooperation.
• The new policy does not provide for an adequate transition period for converting existing department applications to the prescribed ones.
11.
Describe the key features of cloud computing. Response: The key features of cloud computing are:
• Client firms acquire IT resources from vendors on demand and as needed. This is in contrast to the traditional IT outsourcing model in which resources are provided to client firms in strict accordance with long-term contracts that stipulate services and time frames.
• Resources are provided over a network (private or Internet) and accessed through network terminals at the client location.
• Acquisition of resources is rapid and infinitely scalable. A client can expand and contract the service demanded almost instantly and often automatically.
• Computing resources are pooled to meet the needs of multiple client firms. A consequence of this, however, is that an individual client has no control over, or knowledge of, the physical location of the service being provided.
12.
Service Provider Audit The Harvey Manufacturing Company is undergoing its annual financial statement audit. Last year the company purchased a SaaS application from Excel Systems (a cloud service provider) to run mission critical financial transactions. The SaaS application runs on an IaaS server, which Excel Systems outsourced to another service provider. Required: Explain how the Harvey Manufacturing auditors will assess the relevant internal controls related to these mission critical transactions. Response:
The auditor would either need to audit the controls at the service provider and subservice provider locations, or rely on an SSAE 16 report from the primary service provider. Since a subservice organization is involved, its relevant controls over the mission critical application must also be assessed. Two reporting techniques for subservice providers are:
Carve-out Method. When using the carve-out method, service provider management would exclude the subservice organization’s relevant control objectives and related controls from the description of its system. The description would, however, include the nature of the services performed by the subservice organization. Typically the service provider would obtain an SSAE 16 from the subservice organization, and must have controls in place to monitor the effectiveness of the controls at the subservice organization.
Inclusive Method. When using the inclusive method of subservice organization reporting the service provider’s description of its system will include the services performed by the subservice organization. In addition the report will include the relevant control objectives and related controls of the subservice organization.
CHAPTER 3 SECURITY PART I: AUDITING OPERATING SYSTEMS AND NETWORKS REVIEW QUESTIONS 1.
What are the five control objectives of an operating system? Response: a. The operating system must protect itself from users. b. The operating system must protect users from each other. c. The operating system must protect users from themselves. d. The operating system must be protected from itself. e. The operating system must be protected from its environment.
2.
What are the three main tasks the operating system performs? Response: a. Translates high-level languages into the machine-level language the computer can execute. b. Allocates computer resources to users. c. Manages the tasks of job scheduling and multiprogramming.
3.
What is the purpose of an access control list? Response: An access control list is assigned to each computer resource such as directories, files, programs, and printers. These lists contain information that defines the access privileges for all valid users of the resource. When a user attempts to access a resource, the system compares his or her ID and privileges contained in the access token with those contained in the access control list. If there is a match, the user is granted access.
4.
What are the four techniques that a virus could use to infect a system? Response: The virus program can attach itself to a. an .EXE or .COM file, b. an OVL (overlay) program file, c. the boot sector of a disk, or d. a device driver program.
5.
What is an access token? Response: At login, the operating system creates an access token that contains key information about the user, including user ID, password, user group, and privileges granted to the user. The information in the access token is used to approve all actions attempted by the user during the session.
6.
Explain discretionary access privileges. Response: In distributed systems, end users may control (own) resources. Resource owners in this setting may be granted discretionary access control, which allows them to grant access privileges to other users. For example, the controller, who is the owner of the general ledger, may grant read-only privileges to a manager in the budgeting department. The accounts payable manager, however, may be granted both read and write permissions to the ledger. Any attempt the budgeting manager makes to add, delete, or change the general ledger will be denied. Discretionary access control needs to be closely supervised to prevent security breaches resulting from too liberal use.
7.
What is event monitoring? Response: Event monitoring is an audit log that summarizes key activities related to users, applications, and system resources. Event logs typically record the IDs of all users accessing the system; the time and duration of a user’s session; programs that were executed during a session; and the files, databases, printers, and other resources accessed.
8.
What is keystroke monitoring? Response: Keystroke monitoring is the computer equivalent of a telephone wiretap. It is a log that records both the user’s keystrokes and the system’s responses to them. This form of log may be used after the fact to reconstruct the details of an event or as a real-time control to monitor or prevent unauthorized intrusion.
9.
What is a vaccine and what are its limitations? Response: A vaccine is an anti-virus program that detects and removes viruses from infected programs or data files. Most antiviral programs run in the background on the host computer and automatically test all files that are uploaded to the host. Its limitation is that it works only on known viruses and versions of the virus.
10.
What are the risks from subversive threats? Response: The risks from subversive threats include: a computer criminal intercepting a message transmitted between the sender and the receiver, a computer hacker gaining unauthorized access to the organization’s network, and a denial-of-service attack from a remote location on the Internet.
11.
What are the risks from equipment failure? Response: Equipment failures can cause transmissions between senders and receivers to be disrupted, destroyed, or corrupted. Equipment failure can also result in the loss of databases and programs stored on the network server.
12.
What is a firewall? Response: A firewall is a system that enforces access control between two networks. Firewalls can be used to authenticate an outside user of the network, verify his or her level of access authority, and then direct the user to the program, data, or service requested. In addition to insulating the organization’s network from external networks, firewalls can also be used to insulate portions of the organization’s intranet from internal access.
13.
Distinguish between network-level and application-level firewalls. Response: A network-level firewall accepts or denies access requests based on filtering rules, and then directs the incoming calls to the correct internal receiving node. Network-level firewalls are insecure because they are designed to facilitate the free flow of information rather than restrict it. A network-level firewall does not explicitly authenticate outside users. Application-level firewalls provide a higher level of customizable network security, but they add overhead to connectivity. These systems are configured to run security applications called proxies that permit routine services such as e-mail to pass through the firewall, but can perform sophisticated functions such as user authentication for specific tasks. Application-level firewalls also provide comprehensive transmission logging and auditing tools for reporting unauthorized activity.
14.
What are the most common forms of contra-security behavior? Response: Forgetting passwords and being locked out of the system. Failing to change passwords on a frequent basis. The Post-it syndrome, whereby passwords are written down and displayed for others to see. Simplistic passwords that a computer criminal easily anticipates.
15.
What can be done to defeat a DDoS attack? Response: As a countermeasure to DDoS attacks, many organizations have invested in intrusion prevention systems (IPS) that employ deep packet inspection (DPI) to determine when an attack is in progress. DPI uses a variety of analytical and statistical techniques to evaluate the contents of message packets. It searches the individual packets for protocol noncompliance and employs predefined criteria to decide if a packet can proceed to its destination. This is in contrast to the normal packet inspection that simply checks the header portion of a packet to determine its destination. By going deeper and examining the payload or body of the packet, DPI can identify and classify malicious packets based on a database of known attack signatures. Once classified as malicious, the packet can
16.
How does public key encryption work? Response: Public key encryption uses two different keys: one for encoding messages and the other for decoding them. Each recipient has a private key that is kept secret and a public key that is published. The sender of a message uses the receiver’s public key to encrypt the message. The receiver then uses his or her private key to decode the message. Users never need to share their private keys to decrypt messages, thus reducing the likelihood that they fall into the hands of a criminal.
17.
What is a digital envelope? Response: DES and RSA encryption are used together in what is called a digital envelope. The actual message is encrypted using DES to provide the fastest decoding. The DES private key needed to decrypt the message is encrypted using RSA and transmitted along with the message. The receiver first decodes the DES key, which is then used to decode the message.
18.
What is a digital signature? Response: A digital signature is an electronic authentication that cannot be forged. It ensures that the message or document transmitted originated with the authorized sender and that it was not tampered with after the signature was applied. The digital signature is derived from the computed digest of the document that has been encrypted with the sender’s private key.
19.
Categorize each of the following as either an equipment failure control or an unauthorized access control: Response: a. message authentication: unauthorized access control b. parity check: equipment failure control c. call-back device: unauthorized access control d. echo check: equipment failure control e. line error: equipment failure control f. data encryption: unauthorized access control g. request response technique: unauthorized access control
20.
What is DPI? Response: DPI (deep packet inspection) is a technique that searches individual network packets for protocol non-compliance to decide if a packet can proceed to its destination. DPI can identify and classify malicious packets based on a database of known attack signatures.
21.
At what three points in an electronic data interchange transaction and validation process can authorization and validation be accomplished? Response: a. At the VAN level: The vendor logon is validated by comparing vendor passwords and IDs against a valid master file. b. Before being converted: The translation software validates the trading partner’s password and ID against a valid master file. c. Before processing: the trading partner’s application software references the valid customer and vendor files to validate the transaction.
22.
What is packet switching? Response: The Internet employs communications technologies based on packet switching, whereby messages are divided into small packets for transmission. Individual packets of the same message may take different routes to their destinations. Each packet contains address and sequencing codes so they can be reassembled into the original complete message at the receiving end. The choice of transmission path is determined according to criteria that achieve optimum utilization of the long-distance lines, including the degree of traffic congestion on the line, the shortest path between the end points
23.
What is a VPN? Response: A virtual private network (VPN) is a private network that exists within a public network. VPNs are private from the client’s perspective, but physically share backbone trunks with other users. Maintaining security and privacy in this setting, however, requires encryption and authentication controls.
24.
Name three types of addresses used on the Internet. Response: The Internet uses three types of addresses for communications: a. e-mail addresses, b. Web site (URL) addresses, and c. the addresses of individual computers attached to a network (IP addresses).
25.
Describe the elements of an e-mail address. Response: The format for an e-mail address is USER_NAME@DOMAIN_NAME. There are no spaces between any of the letters. A domain name is an organization’s unique name combined with a top-level domain name, i.e. “com”, “edu”, etc.
26.
Networks would be inoperable without protocols. Explain their importance and what functions they perform. Response: Network protocols are the rules and standards governing the design of hardware and software that permit users of networks manufactured by different vendors to communicate and share data. Without protocols, data transmission between two incompatible systems would be impossible. Protocols facilitate the physical connection between the network devices. Protocols also synchronize the transfer of data between physical devices. They provide a basis for error checking and measuring network performance. They promote compatibility among network devices. Lastly, they promote network designs that are flexible, expandable, and cost-effective.
27.
What is the purpose of the TCP portion of TCP/IP? Response: Transfer Control Protocol (TCP) ensures that the total number of bytes transmitted is equal to the total number of bytes received.
28.
What does the HTTP do? Response: Hypertext Transfer Protocol (HTTP) controls Web browsers that access the Web. When the user clicks on a link to a Web page, a connection is established, the Web page is displayed, then the connection is broken.
29.
How do HTTP and HTTP-NG differ? Response: HTTP-NG is the new generation of the Hypertext Transfer Protocol. It is an enhanced version of the HTTP protocol that maintains the simplicity of HTTP while adding important features such as security and authentication.
30.
What is a digital certificate? How is it different from a digital signature? Response: A digital certificate is used to verify the sender’s identity. It is issued by a trusted third party called a certification authority (CA). A digital certificate is used in conjunction with a public key encryption system to authenticate the sender of a message. The process for certification varies depending on the level of certification desired. A digital signature proves that the message received was indeed sent by the sender, and was not tampered with during transmission. However, it does not prove that the sender is who he or she claims to be. The sender could be an impersonator. The digital certificate proves the identity of the sender.
31.
What is a CA (certification authority), and what are the implications for the accounting profession? Response: A certification authority is an independent and trusted third party empowered with responsibility to vouch for the identity of organizations and individuals engaging in Internet commerce. The question then becomes, who vouches for the CA? How does one know that the CA who awarded a seal of authenticity to an individual is itself reputable and was meticulous in establishing his or her identity? These questions hold specific implication for the accounting profession. Since they enjoy a high degree of public confidence, public accounting firms are natural candidates for certification authorities.
DISCUSSION QUESTIONS 1.
Why is human behavior considered one of the biggest potential threats to operating system integrity? Response: Unfortunately, some computer hackers enjoy the challenge of creating devices, such as viruses and logic bombs, to damage systems. They gain nothing of monetary or financial value; they just enjoy knowing they accomplished their goal of penetrating and affecting an operating system.
2.
Why would a systems programmer create a back door if he or she has access to the program in his or her day-to-day tasks? Response: A back door is created so that the programmer may gain future access to the program without needing a user password (in other words, after the programmer no longer has a valid password). The back door may be used legitimately to gain easy access to perform maintenance, or it may be used by a programmer who has no legitimate reason to be accessing the system in that manner or at all.
3.
Discuss the issues that need to be considered before implementing keystroke monitoring. Response: Keystroke monitoring is the computer equivalent of a telephone wiretap. Whereas some situations may justify this level of surveillance, keystroke monitoring may also be regarded as a violation of privacy. Before implementing this type of control, management and auditors should consider the possible legal, ethical, and behavioral implications.
4.
Explain how an access token and an access control list are used to approve or deny access. Response: When a log-on attempt is successful, the operating system creates an access token that contains key information about the user, including user ID, password, user group, and privileges granted to the user. The information in the access token is used to approve all actions the user attempts during the session. An access control list is assigned to each IT resource (computer directory, data file, program, or printer), which controls access to the resources. These lists contain information that defines the access privileges for all valid users of the resource. When a user attempts to access a resource, the system compares his or her ID and privileges contained in the access token with those contained in the access control list. If there is a match, the user is granted access.
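The token-versus-ACL comparison in this answer, together with the discretionary grants of review question 6 (controller, budgeting manager, accounts payable manager) and the event log of review question 7, as an added Go example that is not from the textbook; the resource and user names are constructed, and the permission bits, the `Grant`/`Authorize` functions and the log format are assumptions.

```go
package main

import "fmt"

// Permission is one bit per privilege held in an ACL entry or requested by a user.
type Permission uint8

const (
	Read Permission = 1 << iota
	Write
	Execute
)

// AccessToken is created by the operating system at logon and carries the
// identity and group memberships that are compared against each resource's ACL.
type AccessToken struct {
	UserID string
	Groups []string
}

// ACLEntry grants a set of permissions to one principal (a user ID or a group name).
type ACLEntry struct {
	Principal string
	Perms     Permission
}

// Resource is a protected object (directory, file, program, printer) with its
// owner and its access control list.
type Resource struct {
	Name  string
	Owner string
	ACL   []ACLEntry
}

// EventLog collects one line per access decision: the event-monitoring record
// an auditor would later review, in particular for denied attempts.
var EventLog []string

func (t AccessToken) matches(principal string) bool {
	if t.UserID == principal {
		return true
	}
	for _, g := range t.Groups {
		if g == principal {
			return true
		}
	}
	return false
}

// Authorize compares the token's ID and groups with the ACL entries; the request
// succeeds only if a matching entry holds every requested permission bit.
func Authorize(tok AccessToken, r *Resource, want Permission) bool {
	for _, e := range r.ACL {
		if tok.matches(e.Principal) && e.Perms&want == want {
			EventLog = append(EventLog, fmt.Sprintf("GRANT %s %s %03b", tok.UserID, r.Name, want))
			return true
		}
	}
	EventLog = append(EventLog, fmt.Sprintf("DENY  %s %s %03b", tok.UserID, r.Name, want))
	return false
}

// Grant is discretionary access control: only the owner of the resource may
// extend privileges to another principal. Permissions accumulate per principal.
func Grant(owner AccessToken, r *Resource, principal string, perms Permission) error {
	if owner.UserID != r.Owner {
		return fmt.Errorf("%s is not the owner of %s", owner.UserID, r.Name)
	}
	for i := range r.ACL {
		if r.ACL[i].Principal == principal {
			r.ACL[i].Perms |= perms
			return nil
		}
	}
	r.ACL = append(r.ACL, ACLEntry{Principal: principal, Perms: perms})
	return nil
}

func main() {
	// Constructed scenario from the text: the controller owns the general ledger.
	gl := &Resource{Name: "general_ledger", Owner: "controller"}
	controller := AccessToken{UserID: "controller", Groups: []string{"finance"}}
	budgetMgr := AccessToken{UserID: "budget_mgr", Groups: []string{"budgeting"}}
	apMgr := AccessToken{UserID: "ap_mgr", Groups: []string{"finance"}}

	_ = Grant(controller, gl, "budget_mgr", Read)   // read-only for budgeting
	_ = Grant(controller, gl, "ap_mgr", Read|Write) // read and write for AP
	fmt.Println("budget_mgr write:", Authorize(budgetMgr, gl, Write)) // false
	fmt.Println("ap_mgr write:", Authorize(apMgr, gl, Write))         // true
	fmt.Println("non-owner grant:", Grant(budgetMgr, gl, "intern", Read))
	for _, line := range EventLog {
		fmt.Println(line)
	}
}
```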
5.
Explain how a Trojan horse may be used to penetrate a system. Response: A Trojan horse is a program whose purpose is to capture IDs and passwords from unsuspecting users. These programs are designed to mimic the normal log-on procedures of the operating system. When the user enters his or her ID and password, the Trojan horse stores a copy of them in a secret file. At some later date, the author of the Trojan horse uses these IDs and passwords to access the system and masquerade as an authorized user.
6.
Discuss six ways in which threats from destructive programs can be substantially reduced through a combination of technology controls and administrative procedures. Response: The following are examples of controls and procedures that can reduce the threat from destructive programs:
i. Purchase software only from reputable vendors and accept only those products that are in their original, factory-sealed packages.
ii. Issue an entity-wide policy pertaining to the use of unauthorized software or illegal (bootleg) copies of copyrighted software.
iii. Examine all upgrades to vendor software for viruses before they are implemented.
iv. Inspect all public-domain software for virus infection before using.
v. Establish entity-wide procedures for making changes to production programs.
vi. Establish an educational program to raise user awareness regarding threats from viruses and malicious programs.
vii. Install all new applications on a standalone computer and thoroughly test them with antiviral software prior to implementing them on the mainframe or LAN server.
viii. Routinely make backup copies of key files stored on mainframes, servers, and workstations.
ix. Wherever possible, limit users to read and execute rights only.
x. Require protocols that explicitly invoke the operating system’s logon procedures in order to bypass Trojan horses. Some operating systems allow the user to directly invoke the operating system logon procedure by entering a key sequence such as CTRL + ALT + DEL. The user then knows that the logon procedure on the screen is legitimate.
xi. Use antiviral software (also called vaccines) to examine application and operating system programs for the presence of a virus and remove them from the affected program.
7.
Explain the three ways in which audit trails can be used to support security objectives. Response: Audit trails can be used to support security objectives in three ways: i. detecting unauthorized access to the system, ii. reconstructing events, and iii. promoting personal accountability.
DETECTING UNAUTHORIZED ACCESS. Detecting unauthorized access can occur in real time or after the fact. The primary objective of real-time detection is to protect the system from outsiders who are attempting to breach system controls. After-the-fact detection logs can be stored electronically and reviewed periodically or as needed. When properly designed, they can be used to determine if unauthorized access was accomplished, or attempted and failed.
RECONSTRUCTING EVENTS. Audit analysis can be used to reconstruct the steps that led to events such as system failures, security violations by individuals, or application processing errors. Knowledge of the conditions that existed at the time of a system failure can be used to assign responsibility and to avoid similar situations in the future.
PERSONAL ACCOUNTABILITY. Audit trails can be used to monitor user activity at the lowest level of detail. This capability is a preventive control that can be used to influence behavior. Individuals are less likely to violate an organization’s security policy if they know that their actions are recorded in an audit log. An audit log can also serve as a detective control to assign personal accountability for actions taken. Serious errors and the abuse of authority are of particular concern.
8.
Explain how poorly designed audit trail logs can actually be dysfunctional. Response: Audit logs can generate data in overwhelming detail. Important information can easily get lost among the superfluous details of daily operation. Protecting exposures with the potential for material financial loss should drive management’s decision as to which users, applications, or operations to monitor, and how much detail to log. As with all controls, the benefits of audit logs must be balanced against the costs of implementing them.
9.
Many authorities believe that the employer does not prosecute 90 percent of all computer fraud acts. What do you think accounts for this lack of prosecution? Discuss the importance of the establishment of a formal policy for taking disciplinary (or legal) action against security violations. Response: A common belief by management of publicly traded firms is that the public will perceive fraudulent acts that have taken place as a sign of control weaknesses. The management teams may prefer to handle the computer fraud by dismissal of the employee rather than have the stockholders and analysts lose faith in the internal control procedures of the firm. Unfortunately, this type of behavior by employers sends the wrong message to potential perpetrators. The message from top management needs to be clear regarding fraudulent acts: they will not be tolerated, and any acts will be prosecuted. The message means absolutely nothing if the firm does not back up this policy with actions if such crimes are committed.
10.
How can passwords actually circumvent security? What actions can be taken to minimize this? Response: Users may share their passwords, write down their passwords, or use easily guessed passwords. Protection against these security breaches includes software that allows only smart passwords, and one-time passwords used in conjunction with smart cards.
11.
Explain how the one-time password (OTP) approach works. Response: Under this approach, the user’s password changes continuously. To access the operating system, the user must provide both a secret reusable personal identification number (PIN) and the current one-time-only password for that point in time. One technology employs a credit-card-sized device (smart card) that contains a microprocessor programmed with an algorithm that generates, and visually displays, a new and unique password every 60 seconds. The card works in conjunction with special authentication software located on a mainframe host or network server computer. At any point in time both the smart card and the network software are generating the same password for the same user. To access the network, the user enters the PIN followed by the current password displayed on the card. The password can be used one time only.
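The host side of this scheme, as an added Python example that is not part of the solutions manual: card and host derive the same 60-second password from a shared secret, and the host checks the PIN plus the displayed password and refuses a password it has already accepted in that interval. The HMAC-SHA1 generator (RFC 4226 style) and the user table are assumptions; the chapter does not name the card’s algorithm.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the chapter's card shows a new password every 60 seconds
DIGITS = 6


def current_password(card_secret: bytes, now: float) -> str:
    """Password for the 60-second interval containing `now`. The card and
    the host both run this over the same secret and clock, which is why
    they display/expect the same value at the same moment. The generator
    (HMAC-SHA1 with RFC 4226 dynamic truncation) is an assumption."""
    interval = int(now) // STEP_SECONDS
    mac = hmac.new(card_secret, struct.pack(">Q", interval), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10**DIGITS).zfill(DIGITS)


class OtpHost:
    """Host-side authentication software: checks the reusable PIN plus the
    current one-time password, and refuses a password that was already
    accepted in this interval (one time only)."""

    def __init__(self, users: dict):
        self.users = users      # user -> (pin, card_secret); constructed table
        self.accepted = set()   # (user, interval) pairs already consumed

    def login(self, user: str, entry: str, now: float) -> bool:
        if user not in self.users:
            return False
        pin, card_secret = self.users[user]
        # the user types the PIN immediately followed by the displayed password
        if len(entry) != len(pin) + DIGITS:
            return False
        typed_pin, typed_otp = entry[:len(pin)], entry[len(pin):]
        interval = int(now) // STEP_SECONDS
        if (user, interval) in self.accepted:
            return False        # replay of a password that was already used
        expected = current_password(card_secret, now)
        pin_ok = hmac.compare_digest(typed_pin.encode(), pin.encode())
        otp_ok = hmac.compare_digest(typed_otp.encode(), expected.encode())
        if not (pin_ok and otp_ok):
            return False
        self.accepted.add((user, interval))
        return True
```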
12.
Explain how smurf attacks and SYN flood attacks can be controlled. Response: In the case of a smurf attack, the targeted organization can program its firewall to ignore all communication from the attacking site, once the attacker’s IP address is determined. In the case of a SYN flood, two things can be done:
i. Internet hosts can program their firewalls to block outbound message packets that contain invalid internal IP addresses.
ii. Security software can scan for half-open connections that have not been followed by an ACK packet. The clogged ports can then be restored to allow legitimate connections to use them.
13.
Discuss the risks from equipment failure and how they can be controlled. Response: Risks: Transmissions between senders and receivers can be disrupted, destroyed, or corrupted by equipment failures in the communications system. Equipment failure can also result in the loss of databases and programs stored on the network server. The most common problem in data communications is data loss due to line error. The bit structure of the message can be corrupted through noise on the communications lines. Noise consists of random signals that can interfere with the message signal when they reach a certain level.
Controls:
i. Echo Check. The echo check involves the receiver of the message returning the message to the sender. The sender compares the returned message with a stored copy of the original. If there is a discrepancy between the returned message and the original, suggesting a transmission error, the message is retransmitted.
ii. Parity Check. The parity check incorporates an extra bit (the parity bit) into the structure of a bit string when it is created or transmitted. The value of the parity bit (1 or 0) is determined by the bit values of the character being transmitted. Parity can be both vertical and horizontal (longitudinal). When the message is received, the parity is checked again. A discrepancy between the parity bit value recalculated at the receiving end and the one transmitted indicates that a bit value in the character was changed during transmission.
iii. Network Backup. Data backup in networks is accomplished in several different ways depending on the network’s complexity.
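The parity check of control ii, worked as an added Python example that is not the textbook’s code: each character carries a vertical parity bit and the block ends with a longitudinal check character, so a single flipped bit is both detected and located, and a double flip inside one character, which the vertical check cannot see, is still caught by the longitudinal check. Framing as 7-bit ASCII with even parity is an assumption.

```python
def parity_bit(value: int) -> int:
    """Even parity: 1 if `value` has an odd number of 1 bits, else 0."""
    return bin(value).count("1") & 1


def frame_message(text: str) -> list:
    """Sender side. Each 7-bit ASCII character carries its parity bit in
    bit 7 (vertical redundancy check, VRC). A final longitudinal check
    character (LRC) holds the even parity of every bit column across
    the whole block."""
    frame = []
    lrc = 0
    for ch in text:
        code = ord(ch) & 0x7F
        frame.append(code | (parity_bit(code) << 7))
        lrc ^= code                    # XOR accumulates each column's parity
    frame.append(lrc)
    return frame


def check_message(frame: list):
    """Receiver side. Recompute both parities and return
    (ok, bad_char_indexes, bad_column_mask). A single flipped bit shows up
    in exactly one character AND one column, so it can be located; two
    flipped bits in one character fool the VRC but not the LRC."""
    *chars, received_lrc = frame
    bad_chars = [i for i, byte in enumerate(chars)
                 if parity_bit(byte & 0x7F) != byte >> 7]
    columns = 0
    for byte in chars:
        columns ^= byte & 0x7F
    bad_column_mask = columns ^ received_lrc
    ok = not bad_chars and bad_column_mask == 0
    return ok, bad_chars, bad_column_mask


def flip_bits(frame: list, index: int, *bits: int) -> list:
    """Simulate line noise: return a copy of `frame` with the given data
    bits of character `index` inverted."""
    corrupted = list(frame)
    for bit in bits:
        corrupted[index] ^= 1 << bit
    return corrupted
```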
14.
Does every organization that has a LAN need a firewall? Response: Firewalls can provide protection against unauthorized access by both internal and external intruders depending on the type of firewall. An organization with a LAN with NO connections to ANY external networks may be safe without firewalls, but some sort of network security is necessary for multiple users.
15.
Describe three ways in which IPS can be used to protect against DDoS attacks. Response:
i. IPS can work inline with a firewall at the perimeter of the network to act as a filter that removes malicious packets from the flow before they can affect servers and networks.
ii. IPS may be used behind the firewall to protect specific network segments and servers.
iii. IPS can be employed to protect an organization from becoming part of a botnet by inspecting outbound packets and blocking malicious traffic before it reaches the Internet.
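The two SYN flood controls from question 12 above (blocking outbound packets whose source address is not a valid internal address, and scanning for half-open connections), which are the kind of inbound and outbound filtering an IPS performs here, as an added Python example that is not from the textbook. The connection table, the 192.0.2.0/24 internal range and the threshold are constructed.

```python
import ipaddress
from collections import Counter

# Constructed netstat-style connection table for a web server (addresses
# from the RFC 5737 documentation ranges). Columns: proto, local, remote, state.
SAMPLE_TABLE = """\
tcp  192.0.2.10:80   198.51.100.7:51234  ESTABLISHED
tcp  192.0.2.10:80   203.0.113.9:40001   SYN_RECV
tcp  192.0.2.10:80   203.0.113.9:40002   SYN_RECV
tcp  192.0.2.10:80   203.0.113.9:40003   SYN_RECV
tcp  192.0.2.10:80   203.0.113.9:40004   SYN_RECV
tcp  192.0.2.10:443  198.51.100.8:5150   ESTABLISHED
tcp  192.0.2.10:80   198.51.100.9:61000  SYN_RECV
"""

HALF_OPEN_THRESHOLD = 3                                      # constructed
INTERNAL_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]   # constructed


def half_open_sources(table: str, threshold: int = HALF_OPEN_THRESHOLD) -> dict:
    """Control ii: scan the connection table for half-open connections
    (state SYN_RECV: SYN received, the handshake-completing ACK never came)
    and return the remote addresses holding at least `threshold` of them.
    An operator can then reset those entries to free the ports."""
    counts = Counter()
    for line in table.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[3] == "SYN_RECV":
            remote_ip = fields[2].rsplit(":", 1)[0]
            counts[remote_ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def allow_outbound(source_ip: str) -> bool:
    """Control i: egress rule. Let an outbound packet through only if its
    source address really belongs to one of our internal networks, so the
    host cannot be used to send packets with forged source addresses."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in INTERNAL_NETWORKS)
```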
16.
What problem is common to all private key encryption techniques? Response: The more individuals who need to know the private key, the greater the probability of it falling into the wrong hands. If a perpetrator discovers the key, he or she can intercept and decipher coded messages.
17.
What is RSA encryption? Response: RSA (Rivest-Shamir-Adleman) is a highly secure public key cryptography method. This method is, however, computationally intensive and much slower than standard DES encryption. Sometimes, both DES and RSA are used together in what is called a digital envelope. The actual message is encrypted using DES to provide the fastest decoding. The DES private key needed to decrypt the message is encrypted using RSA and transmitted along with the message. The receiver first decodes the DES key, which is then used to decode the message.
18.
Explain the triple-DES encryption techniques known as EEE3 and EDE3. Response: EEE3 uses three different keys to encrypt the message three times. EDE3 uses one key to encrypt the message. A second key is used to decode it. The resulting message is garbled because the key used for decoding is different from the one that encrypted it. Finally, a third key is used to encrypt the garbled message. The use of multiple keys greatly reduces the chances of breaking the cipher. Triple DES encryption is thought to be very secure and is used by major banks to transmit transactions. Unfortunately, it is also very slow.
19.
Distinguish between a digital signature and a digital certificate. Response: A digital signature is electronic authentication that cannot be forged. It ensures that the message or document transmitted originated with the authorized sender and that it was not tampered with after the signature was applied. The digital signature is derived from the computed digest of the document, which has been encrypted with the sender’s private key. This process proves that the message received was indeed sent by the sender and was not tampered with during transmission. However, it does not prove that the sender is who he or she claims to be. The sender could be an impersonator. A digital certificate, which is issued by a trusted third party called a certification authority (CA), is used to verify the sender’s identity. A digital certificate is used in conjunction with a public key encryption system to authenticate the sender of a message. The process for certification varies depending on the level of certification desired. It involves establishing one’s identity with formal documents such as a driver’s license, notarization, and fingerprints and proving one’s ownership of the public key. After verifying the owner’s identity, the CA creates the certificate, which is the owner’s public key and other data that has been digitally signed by the CA.
20.
Describe a digest within the context of a digital signature. Response: A digest is a mathematical value calculated from the text content of a message. The sender uses a one-way hashing algorithm to calculate a digest of the text message. The digest is then encrypted using the sender’s private key to produce the digital signature.
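The digest and digital signature of questions 19 and 20, together with the DES/RSA digital envelope of questions 17 and 21, as an added Python example that is not the textbook’s code. It assumes textbook RSA over two fixed Mersenne primes (so the key pair is readable but not secret) and a SHA-256 keystream as a stand-in for DES, which the Python standard library does not provide.

```python
import hashlib
import os
import struct

# Fixed demonstration primes: the Mersenne primes 2^127-1 and 2^521-1.
# They are public constants, so this key pair is for illustration only;
# real keys use secret, randomly generated primes.
P = 2**127 - 1
Q = 2**521 - 1
E = 65537


def make_keypair():
    """Return (public_key, private_key) as ((e, n), (d, n))."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)            # modular inverse (Python 3.8+)
    return (E, n), (d, n)


def digest(message: bytes) -> int:
    """One-way hash of the message text, as an integer (the 'digest')."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Digital signature: the digest 'encrypted' with the sender's private
    key. This is raw textbook RSA as the chapter describes it; production
    code pads the digest (e.g. RSA-PSS) before the exponentiation."""
    d, n = private_key
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Receiver recomputes the digest and compares it with the signature
    'decrypted' under the sender's public key; any change to the message
    makes the two differ."""
    e, n = public_key
    return pow(signature, e, n) == digest(message)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for DES (not in the standard library): a stream cipher
    whose keystream is SHA-256(key || block counter). Symmetric, so the
    same call both encrypts and decrypts."""
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), 32)):
        block = hashlib.sha256(key + struct.pack(">Q", counter)).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], block))
    return bytes(out)


def seal_envelope(message: bytes, recipient_public):
    """Digital envelope: the message under a fresh symmetric session key,
    and that key under the recipient's RSA public key."""
    e, n = recipient_public
    session_key = os.urandom(16)
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)
    return wrapped_key, keystream_xor(session_key, message)


def open_envelope(envelope, recipient_private) -> bytes:
    """Receiver first recovers the session key with its private key, then
    uses that key to decrypt the message itself."""
    d, n = recipient_private
    wrapped_key, ciphertext = envelope
    session_key = pow(wrapped_key, d, n).to_bytes(16, "big")
    return keystream_xor(session_key, ciphertext)
```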
21.
What is a digital envelope? Response: Sometimes DES and RSA are used together to create a digital envelope that is both more secure and faster than using RSA encryption alone. The actual message is encrypted using DES to provide the fastest decoding. The DES private key needed to decrypt the message is encrypted using RSA and transmitted along with the message. The receiver first decodes the DES key, which is then used to decode the message.
22.
Why is inadequate segregation of duties a problem in the personal computer environment? Response: An employee may have access to multiple applications that process incompatible transactions. For example, a single individual may be responsible for entering all transaction data, including sales orders, cash receipts, invoices, and disbursements. This degree of authority would be similar, in a manual system, to assigning accounts receivable, accounts payable, cash receipts, cash disbursement, and general ledger responsibility to the same person. The exposure is compounded when the operator is also responsible for the development (programming) of the applications that he or she runs.
23.
Why is the request-response technique important? Discuss the reasons an intruder may wish to prevent or delay the receipt of a message. Response: This method is important in order to prevent intruders from preventing or delaying messages. An intruder might intercept data such as credit card numbers and expiration dates or bank debit cards and personal identification numbers in order to use this data to commit crimes. Another possibility is that sales orders could be intercepted and destroyed in a malicious attempt to sever customer-supplier relations.
24.
Discuss how the widespread use of laptop and notebook computers is making data encryption standards more easily penetrable. Response: Business travelers with laptop and notebook computers are just beginning to realize how carefully they should safeguard their computers while traveling on subways, planes, cars, and staying in hotels. Theft of these computers is becoming a serious problem. These computers are being stolen just as often for the information contained on the hard drives as they are for the resale values. Unfortunately, these stolen computers often have the DES keys contained on floppy diskettes, which are stored in the carrying cases. The carrying cases are usually also stolen, or the encryption keys may be on the hard drive. Thus, the thief gains access to the key and can decode messages.
25.
Discuss the unique control problems EDI creates. Response: One problem is ensuring that transactions are authorized and valid. Both the customer and supplier must establish that the transaction being processed is with a valid trading partner and is an authorized transaction. Another problem is that, in most situations, the trading partners must agree to give their trading partner access to files which previously were entirely internal documents, such as inventory files. Prior to EDI, firms did not exchange inventory file data. Thus, the accuracy of these files AT ALL TIMES is crucial. Further, these files should not be allowed to be altered, in any fashion, by the trading partner’s computer. Only the organization’s application programs should be allowed to process inventory records.
26.
“In an EDI system, only the customer needs to verify that the order being placed is from a valid supplier and not vice versa.” Do you agree with this statement? Why or why not? Response: No. The supplier needs to verify that the purchaser is a valid purchaser and has authorization to scan the inventory file.
27.
Discuss how EDI creates an environment in which sensitive information, such as inventory amounts and price data, is no longer private. What potential dangers exist if the proper controls are not in place? Give an example. Response: In an EDI environment, the selling firm opens up previously considered private files, such as inventory and in some cases the master production schedule, to the customer’s order system so that the inventory status can be checked. If the proper controls are not in place, a perpetrator could alter these records so that inventory is shown to be lower than it actually is, and the organization could lose orders as the customer contacts another vendor. If this situation went undetected for a length of time, the organization could have such a decline in sales and loss in customer base that it could be forced out of business.
28.
What purpose do protocols serve? Response: Protocols serve network functions in several ways. First, they facilitate the physical connection between the network devices. Through protocols, devices are able to identify themselves to other devices as legitimate network entities, and thus initiate (or terminate) a communications session. Second, protocols synchronize the transfer of data between physical devices. This involves defining the rules for initiating a message, determining the data transfer rate between devices, and acknowledging message receipt. Third, protocols provide a basis for error checking and measuring network performance. This is done by comparing measured results against expectations. For example, performance measures pertaining to storage device access times, data transmission rates, and modulation frequencies are critical to controlling the network’s function. The identification and correction of errors thus depends on protocol standards that define acceptable performance. Fourth, protocols promote compatibility among network devices. To successfully transmit and receive data, the various devices involved in a particular session must conform to a mutually acceptable mode of operation, such as synchronous or asynchronous and duplex or half-duplex. Without protocols to provide such conformity, messages sent between devices will be distorted and garbled. Finally, protocols promote network designs that are flexible, expandable, and cost-effective. Users are free to change and enhance their systems by selecting from the best offerings of a variety of vendors. Manufacturers must, of course, construct these products in accordance with established protocols.
29.
Explain the purpose of the two elements of TCP/IP. Response: The TCP portion of the TCP/IP protocol supports the transport function of the OSI model. This ensures that the total number of data bytes transmitted was received. The IP component provides the routing mechanism. Every server and computer in a TCP/IP network requires an IP address, which is either permanently assigned or dynamically assigned at startup. The IP part of the TCP/IP protocol supports the network layer of the OSI model. It contains a network address and is used to route messages to different networks. IP receives message packets from the transport protocol and delivers them to the data link layer.
30.
Distinguish between the FTP and TELNET protocols. Response: FTP (File Transfer Protocol) is used to transfer text files, programs, spreadsheets, and databases across the Internet. TELNET is a terminal emulation protocol used on TCP/IP-based networks. It allows users to run programs and review data from a remote terminal or computer. Telnet is an inherent part of the TCP/IP communications protocol. While both protocols deal with data transfer, FTP is useful for downloading entire files from the Internet; TELNET is useful for perusing a file of data as if the user were actually at the remote site.
31.
Distinguish between a network-level firewall and an application-level firewall. Response: Network-level firewalls provide efficient but low-security access control. This type of firewall consists of a screening router that examines the source and destination addresses that are attached to incoming message packets. The firewall accepts or denies access requests based on filtering rules that have been programmed into it. The firewall directs incoming calls to the correct internal receiving node. Network-level firewalls are insecure because they are designed to facilitate the free flow of information rather than restrict it. This method does not explicitly authenticate outside users. Application-level firewalls provide a higher level of customizable network security, but they add overhead to connectivity. These systems are configured to run security applications called proxies that permit routine services such as e-mail to pass through the firewall, but can perform sophisticated functions such as user authentication for specific tasks. Application-level firewalls also provide comprehensive transmission logging and auditing tools for reporting unauthorized activity.
32.
What is a certification authority, and what are the implications for the accounting profession? Response: A certification authority is an independent and trusted third party empowered with responsibility to vouch for the identity of organizations and individuals engaging in Internet commerce. The question then becomes, who vouches for the CA? How does one know that the CA who awarded a seal of authenticity to an individual is itself reputable and was meticulous in establishing his or her identity? These questions hold specific implications for the accounting profession. Since they enjoy a high degree of public confidence, public accounting firms are natural candidates for certification authorities.
33.
Discuss the key aspects of the following five seal-granting organizations: BBB, TRUSTe, Veri-Sign, Inc., ICSA, and AICPA/CICA WebTrust. Response:
Better Business Bureau. The Better Business Bureau (BBB) is a non-profit organization that has been promoting ethical business practices through self-regulation since 1912. BBB has extended its mission to the Internet through a wholly owned subsidiary called BBBOnline, Inc. To qualify for the BBBOnline seal an organization must:
• Become a member of BBB.
• Provide information about the company’s ownership, management, address, and phone number. This is verified by a physical visit to the company’s premises.
• Be in business for at least one year.
• Promptly respond to customer complaints.
• Agree to binding arbitration for unresolved disputes with customers.
The assurance provided by BBBOnline relates primarily to concerns about business policies, ethical advertising, and consumer privacy. BBBOnline does not verify controls over transaction-processing integrity and data-security issues.
TRUSTe. Founded in 1996, TRUSTe is a non-profit organization dedicated to improving consumer privacy practices among Internet businesses and Web sites. To qualify to display the TRUSTe seal the organization must:
• Agree to follow TRUSTe privacy policies and disclosure standards.
• Post a privacy statement on the Web site disclosing the type of information being collected, the purpose for collecting information, and with whom it is shared.
• Promptly respond to customer complaints.
• Agree to site-compliance reviews by TRUSTe or an independent third party.
TRUSTe addresses consumer privacy concerns exclusively and provides a mechanism for posting consumer complaints against its members. If a member organization is found to be out of compliance with TRUSTe standards, its right to display the trust seal may be revoked.
Veri-Sign, Inc. Veri-Sign, Inc. was established as a for-profit organization in 1995. VeriSign, Inc. provides assurance regarding the security of transmitted data. The organization does not verify security of stored data or address concerns related to business policies, business processes, or privacy. Its mission is to “provide digital certificate solutions that enable trusted commerce and communications.” Its products allow customers to transmit encrypted data and verify the source and destination of transmissions. Veri-Sign, Inc. issues three classes of certificates to individuals, businesses, and organizations. To qualify for class-three certification the individual, business, or organization must provide a third-party confirmation of name, address, telephone number, and Web site domain name.
ICSA. The International Computer Security Association (ICSA) established its Web Certification Program in 1996. ICSA certification addresses data security and privacy concerns. It does not deal with concerns about business policy and business processes. Organizations that qualify to display the ICSA seal have undergone an extensive review of firewall security from outside hackers. Organizations must be recertified on an annual basis and undergo at least two surprise checks each year.
AICPA/CICA WebTrust. The AICPA and CICA established the WebTrust program in 1997. To display the AICPA/CICA WebTrust seal the organization must undergo an examination according to the AICPA’s Standards for Attestation Engagements, No. 1, by a specially Web-certified CPA or CA. The examination focuses on the areas of business practices (policies), transaction integrity (business process), and information protection (data security). The seal must be renewed every 90 days.
34.
Differentiate between a LAN and a WAN. Do you have either or both at your university or college? Response: The primary difference between LANs and WANs is the geographic area coverage. LANs are typically confined to a single room, floor, or building. WANs are used to connect various LANs and computing centers that are geographically dispersed across distances that range from less than a mile to transcontinental.
MULTIPLE-CHOICE QUESTIONS
1. b
2. a
3. e
4. d
5. e
6. c
7. b
8. e
9. a
10. c
PROBLEMS
1.
Network Access Control
Ajax Automotive serves retail automotive centers on the East Coast by supplying them with quality car and truck parts such as brake pads, oil filters, water pumps, etc. The company’s 123 sales representatives work exclusively in the field, visiting client company locations and submitting sales orders from laptop computers via an Internet connection to the corporate offices in Delaware. All of Ajax’s sales orders are received in this manner. Customer account, sales history, inventory, and cash receipts records are stored on a central server at the corporate site. Customers are billed digitally from the corporate office on a net 30 basis.
Required:
Outline the access controls that would be appropriate for this situation. Explain why these controls are necessary.
Response: Data encryption techniques should be in place for transmitting sales orders and other sensitive sales data from customer locations to the corporate computer center. Since the organization has many sales representatives, a public key encryption approach would work best. To preserve the integrity of sales orders, a digital signature control may be used. Any tampering with, or alterations to, the original sales order would be detected as a discrepancy in the digest. Confidential data stored at the corporate offices, particularly customer data, should also be encrypted to protect against intrusion attempts. A one-time password system would increase security by preventing a hacker from capturing the password and accessing the system. Since the Ajax organization processes all its sales transactions via remote access, it is vulnerable to denial of service attacks. These risks are reduced through firewalls, intrusion prevention software, and deep packet inspection of data entering the system. Virus protection software should be installed on the laptops of sales representatives. Policies should be in place to ensure that the software is kept current. Various other network control devices would preserve the integrity of transmitted data. These include: message sequence numbering, message transaction log, request-response techniques, and a call-back device.
2.
Network System Controls
Three years ago Triumph Manufacturing implemented a networked transaction processing system to link its various departments and allow data sharing. Prior to then, Triumph employed a system based on stand-alone PCs. When the new system was implemented, each employee was given a user ID and assigned a four-digit password to permit access to the system. Once in the system, they had the option of changing their passwords or keeping the one originally assigned. Since everyone in the organization was new to the system, the operating philosophy adopted by Triumph was to establish an open system that would facilitate efficient processing with minimal inconvenience. Towards this end, employee access privileges to data and processes were assigned based on functional affiliation. For example, sales staff had access to all processes and data pertaining to sales transactions, such as order entry procedures, inventory control, credit checking, customer credit files, sales invoices, inventory records, etc. Similarly, all accounting staff were granted access to such processes as updating accounts receivable, accounts payable, cash receipts, and all journals, subsidiary ledgers, and general ledger accounts related to these tasks. Recently, the internal auditor identified material errors and possible irregularities in the financial statements. She is concerned about the lack of security and the potential for fraud and unauthorized access from Internet hackers.
Required:
Outline the control procedures and policies that would reduce these risks and explain your solution.
Response:
Implement a Password Control Policy
• To improve access control, management should require that passwords be changed regularly and disallow weak passwords.
• Employ password software that automatically scans password files and notifies users that their passwords have expired and need to be changed.
Assign Network Access Privileges
• Network access privileges are a digital segregation of duties. The network administrator needs to assign privileges in a manner that separates incompatible functions.
• Assign access privileges consistent with job descriptions and verify that job descriptions are consistent with the tasks to be performed. The current method of assigning access privileges according to functional affiliation allows individuals to access data beyond their need to know and possibly to perpetrate a fraud.
Security Clearance and Confidentiality Policy
• If one does not already exist, establish a security clearance policy and ensure that all privileged employees undergo an adequately intensive security clearance check.
• Ensure that all system users have formally acknowledged their responsibility to maintain the confidentiality of company data.
Security Software
• Virus protection software should be installed on the system and policies should be in place to ensure that the software is kept current.
• Internet risks are reduced through firewalls, intrusion prevention software, and deep packet inspection of data entering the system.
3.
System Access Control and Fraud
Charles Hart, an accounts payable clerk, is an hourly employee. He never works a minute past 5 P.M. unless the overtime has been approved. Charles has recently found himself faced with some severe financial difficulties. He has been accessing the system from his home during the evening and setting up an embezzlement scheme. As his boss, what control technique(s) discussed in this chapter could you use to help detect this type of fraud?
Required:
What control technique(s) discussed in this chapter could you use to help detect this type of fraud?
Response: If the company uses a call-back device, Charles Hart’s home phone should not be on the approved phone list. Since Charles is an hourly worker, he should not be expected to take work home with him. Further, a transaction log listing time of data input and user ID would be informative to Charles’ boss. If Charles has not been approved for overtime during the past month, and Charles’ supervisor notices that Charles has entered some transactions into the system late in the evening, then Charles’ supervisor should investigate these actions. A message transaction log, which contains a record of users on the system by login time, would also be useful.
4.
Internal Control and Fraud
John Martin, a highly skilled computer technician with a master’s degree in computer science, took a low-profile evening job as a janitor at Kent Manufacturing Company. Since the position was low level, no security clearance or background check was necessary. While working at nights, John snooped through offices for confidential information regarding system operations, internal controls, and the financial thresholds for transactions that would trigger special reviews. He observed employees who were working late type in their passwords and managed to install a Trojan horse virus onto the system to capture the IDs and passwords of other employees. During the course of several weeks John obtained the necessary IDs and passwords to set himself up in the system as a supplier, a customer, and systems administrator, which gave him access to most of the accounting system’s functions. As a customer, John ordered inventory which was shipped to a rented building and later sold. As system administrator he approved his credit sales orders and falsified his customer payment records to make it appear that the goods had been paid for. He also generated purchase orders to himself and created false receiving reports and supplier invoices as part of a vendor fraud scheme. He was thus able to fool the system into setting up accounts payable to himself and writing checks in payment of inventory items that the company never received. John was careful to ensure that all his transactions fell below the financial thresholds that triggered special reviews. Nevertheless, his fraud schemes cost Kent Manufacturing approximately $100,000 per month and went undetected for 1 ½ years. John, however, became overconfident and careless in his lifestyle. Working late one evening, the internal auditor observed John arriving for work in an expensive sports car that seemed out of place for a poorly paid janitor. The auditor initiated an investigation that exposed John’s activities. He was arrested and charged with computer fraud.
Required:
a. What control weaknesses allowed John to perpetrate these frauds?
b. Explain the controls that should be in place to reduce the risk of fraud.
Response:
Weakness: Lack of Background Check. Kent Manufacturing incorrectly assumed that low-level positions in the organization pose no security threat and do not require background checks on employees filling such positions. While this may be generally true, janitors have unrestricted access to many or all areas of the organization.
• Control: An appropriate level of background check should be performed on all new employees. In the case of John, it would have revealed any previous criminal activity. Even if Alogna had a clean record, his master’s in computer science would have been discovered, which should have raised a red flag in his application for a janitor position.
Weakness: Security Over Confidential Material. John was able to learn about the system’s key operational features, controls, and control trigger points by browsing information located in employee offices.
• Control: Confidential information should be secured in safes or other appropriate storage facilities.
• A security policy should be implemented to ensure that all employees recognize potential security threats and comply with the security policy in place for confidential material.
Weakness: Lack of Adequate Password Control. Kent Manufacturing uses a reusable password system. Once John obtained the necessary passwords he was able to access the system and play many roles to perpetrate his frauds.
• Control: Implement a password control system that requires passwords to be changed regularly and which disallows weak passwords.
• Employ password software that automatically scans password files and notifies users that their passwords have expired and need to be changed.
• The use of a one-time password system would have prevented John from obtaining employee passwords. Even if he observed a password being entered or captured it via a Trojan horse, the password could not be reused to enter the system.
Weakness: Lack of Adequate Application Control. By keeping transactions under the thresholds that trigger additional reviews, John was able to perpetrate $100,000 in frauds each month that went undetected for 1 ½ years.
• Control: Review the appropriateness of financial materiality thresholds. Kent may have these set too high for adequate control.
• Internal audit reviews of frequent and recurring transactions that fall just below the materiality level.
Weakness: Lack of Security Software. John was able to successfully install a Trojan horse virus that went undetected.
• Control: Install virus protection software on the system.
• Implement policies to ensure that the software is kept current.
5.
Network Security Controls ISC is an international manufacturing company with over 100 subsidiaries worldwide. ISC prepares consolidated monthly financial statements based on data provided by the subsidiaries. Currently the subsidiaries send their monthly reports to the ISC corporate offices in Phoenix as PDF or spreadsheet attachments to e-mail messages. The financial data are then transcribed by data processing clerks and entered into the corporate database from which consolidated statements are prepared. Because the data need to be reentered manually into the corporate system, the process takes three to four days to enter all the data into the database. Also, the process is prone to transcription errors and other forms of clerical errors. After the data are loaded into the system, verification programs check footings, cross-statement consistency, and dollar range limits. Any errors in the data are traced and corrected. The reporting subsidiaries are notified of all errors via e-mail.
The company has decided to upgrade its computer communications network with a new system that will support more timely receipt of data at corporate headquarters. The systems department at corporate headquarters is responsible for the overall design and implementation of the new system. The system will consist of a central server at the corporate offices connected to distributed terminals at each of the subsidiary sites. The new system will allow clerks at the subsidiary sites to send financial data to the corporate office via the Internet. The system will automatically load the financial data into the corporate database, thus eliminating the error-prone data entry operation. The company’s controller is pleased with the prospects of the new system, which should shorten the reporting period by three days. He is, however, concerned about security and data integrity during the transmission. He has scheduled a meeting with key personnel from the systems department to discuss these concerns.
Required:
a. Describe the data security and integrity problems that could occur when transmitting data between the subsidiaries and the corporate office.
b. For each problem identified, describe a control procedure that could be employed to minimize or eliminate the problem.
Response: (Problem Identification / Control Procedure and Explanation)
1. Unauthorized access to the reporting system
• Establish access privileges based on need.
• Implement password control and password management procedures to prevent weak passwords and to ensure that passwords are changed on a regular basis.
• Encrypt the password file.
• Use a one-time password technique for data transmissions.
2. Unauthorized access to the corporate reporting database
• Establish a database authority table based on need.
• Encrypt financial data in the database.
3. System intrusion from the Internet, including denial-of-service attack
• Implement an application-level firewall.
• Implement an intrusion prevention system with deep packet inspection and security software to identify open connections that indicate a SYN flood attack.
• Use security techniques such as request-response and call-back.
• Employ antiviral software.
4. Corruption of transmitted data due to line errors
• The system should have built-in controls, including echo check and parity check, to correct line errors.
• Use message sequence numbering.
5. Interception and alteration of transmitted data
• Use public key encryption.
• Use digital signatures to identify any changes to the digest.
6.
Preventive Controls Listed here are five scenarios. For each scenario, discuss the possible damages that can occur. Suggest a preventive control.
a. An intruder taps into a telecommunications device and retrieves the identifying codes and personal identification numbers for ATM cardholders. (The user subsequently codes this information onto a magnetic coding device and places this strip on a blank bank card.)
b. Because of occasional noise on a transmission line, electronic messages received are extremely garbled.
c. Because of occasional noise on a transmission line, data being transferred is lost or garbled.
d. An intruder is temporarily delaying important strategic messages over the telecommunications lines.
e. An intruder is altering electronic messages before the user receives them.
Required: For each scenario, discuss the possible damages that can occur. Suggest a preventive control.
Responses:
a. The intruder can then withdraw money from the ATM cardholder accounts. (This actually happened in California; the intruder was a systems consultant who had helped to set up the communication system.) Digital encoding of the data with the algorithm being changed periodically, especially after the systems consultants have completed their jobs and the system is in use.
b. Noise on the line may be causing line errors, which can result in data loss. Echo checks and parity checks can help to detect and correct such errors.
c. If data are being lost, echo checks and parity checks should also help; however, the problem may be that an intruder is intercepting messages and tampering with them. Message sequence numbering will help to determine whether messages are being lost, and if they are, a request-response technique that is difficult for intruders to circumvent should perhaps be implemented.
d. If messages are being delayed, an important customer order or other information could be missed. As in item c, message sequence numbering and request-response techniques should be used.
e. Messages altered by intruders can have a very negative impact on customer-supplier relations if orders are being altered. In this case, data encryption is necessary to prevent the intruder from reading and modifying the data. Also, a digital signature will reveal if the message has been altered.
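The transmission controls named in Problems 5 and 6 (parity check for line noise, message sequence numbering for lost or delayed messages, a digest that reveals alteration) can be exercised on the receiving side in a few lines. The following is an added example, not code from the solution manual: the frame layout, the sample payloads and the shared key are all constructed, and a keyed HMAC digest stands in for the public-key digital signature the answers refer to (the detection logic is the same, only the key management differs).

```python
"""Receiver-side checks for the transmission problems in Problems 5 and 6:
a parity check for line noise, message sequence numbers for lost, delayed
or replayed messages, and a keyed digest standing in for the digital
signature that reveals alteration. Added example; the frame layout, the
sample payloads and the shared key are all constructed."""
import hashlib
import hmac

SHARED_SECRET = b"constructed-demo-key"   # stand-in for a real signing key


def parity_bit(payload: bytes) -> int:
    """Even parity over the whole payload: 1 when the number of set bits is odd."""
    return sum(bin(b).count("1") for b in payload) % 2


def digest_tag(seq: int, payload: bytes) -> str:
    """Keyed digest over sequence number and payload, so neither can be
    altered (nor the payload re-attached to another sequence number) unnoticed."""
    return hmac.new(SHARED_SECRET, seq.to_bytes(4, "big") + payload,
                    hashlib.sha256).hexdigest()


def make_frame(seq: int, payload: bytes) -> dict:
    """What the subsidiary sends for one message."""
    return {"seq": seq, "payload": payload,
            "parity": parity_bit(payload), "tag": digest_tag(seq, payload)}


def check_stream(frames, first_seq=1):
    """Classify each received frame. Parity is checked first (a flipped bit
    from line noise calls for a retransmission, not an alarm), then the
    digest (alteration), then the sequence number (loss, delay or replay)."""
    verdicts, expected = [], first_seq
    for f in frames:
        seq = f["seq"]
        if parity_bit(f["payload"]) != f["parity"]:
            verdicts.append((seq, "line error"))     # request retransmission
            continue                                 # still waiting for this seq
        if not hmac.compare_digest(f["tag"], digest_tag(seq, f["payload"])):
            verdicts.append((seq, "altered"))        # seq cannot be trusted either
            continue
        if seq < expected:
            verdicts.append((seq, "late or replayed"))
        elif seq > expected:
            verdicts.append((seq, f"gap: expected {expected}"))
        else:
            verdicts.append((seq, "ok"))
        expected = max(expected, seq + 1)
    return verdicts


def demo_stream():
    """Constructed five-frame stream as seen by the corporate receiver: frame 2
    hit by line noise, frame 3 arriving after frame 4, frame 5 altered in transit."""
    payloads = [b"SUB01 CASH 500", b"SUB02 CASH 800", b"SUB03 CASH 150",
                b"SUB04 CASH 900", b"SUB05 CASH 300"]
    sent = [make_frame(i, p) for i, p in enumerate(payloads, start=1)]
    noisy = dict(sent[1])                       # one bit flipped by line noise
    noisy["payload"] = bytes([noisy["payload"][0] ^ 0x01]) + noisy["payload"][1:]
    forged = dict(sent[4])                      # amount changed, parity recomputed
    forged["payload"] = b"SUB05 CASH 999"
    forged["parity"] = parity_bit(forged["payload"])
    received = [sent[0], noisy, sent[3], sent[2], forged]
    return check_stream(received)


if __name__ == "__main__":
    for seq, verdict in demo_stream():
        print(seq, verdict)
```

The order of the checks matters: a parity failure is treated as a line error and the expected sequence number is not advanced, so the receiver keeps waiting for a retransmission; a digest failure means nothing in the frame, including its sequence number, can be relied on, which is why the forged frame is reported as altered rather than as a gap.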
7.
Operating System Risks and Controls Listed here are four scenarios. For each scenario, discuss the potential consequences and give a prevention technique.
A. A company has recently installed a new computer network. The operating philosophy adopted by the new network administrator was to establish an open system that would foster work group data sharing, flexible access, and minimal inconvenience to the network users. To accomplish this objective, the data administrator assigned employee access privileges to data based on department and functional affiliation rather than on specific tasks.
B. Mary is a system programmer who was told she would be terminated in three weeks due to poor performance and was asked to conclude all of her projects during that three-week period. Two weeks later Mary created a logic bomb designed to activate three months after her departure. Subsequently, the bomb destroyed hundreds of records in her previous employer’s accounts receivable invoice file.
C. Robert discovered a new sensitivity analysis public-domain program on the Internet. He downloaded the software to his laptop at home, which he also used at his office when connecting to the company’s network. The program contained a virus that spread to the company’s mainframe.
D. Murray, a trusted employee and a systems engineer, had access to both the network access control list and user passwords. The firm’s competitor recently hired him for a large increase in salary. After leaving, Murray continued to browse through his old employer’s data, such as price lists, customer lists, bids on jobs, and so on. He passed this information on to his new employer.
Required: For each scenario, discuss the potential consequences and give a prevention technique.
Responses:
A. Network access privileges allow for proper segregation of duties in a shared data environment. The current method of assigning access privileges (according to functional affiliation) allows individuals to access data beyond their need to know. An individual who is granted access to data that are not related to his or her specific task may be in a position to perpetrate a fraud or cover up serious errors. The network administrator should, therefore, assign privileges in a manner that separates incompatible functions and is consistent with job descriptions.
B. Employees with access to critical systems, data, or key processes who have been terminated should also have their access privileges terminated immediately and should not be allowed to continue working for the company. This policy should be followed even for employees who leave on good terms and of their own volition. They should receive their contractual severance pay, but not remain on the company’s premises.
C. Personal laptop computers are a common source of network viruses, which can be destructive to corporate databases and applications. Because they are portable, laptops are subject to virus infections from outside of the secure corporate environment. Antivirus software should be in place on the network server to prevent any files from being uploaded before they are checked for viruses. Also, an antiviral program should routinely scan the network server for viruses. Many organizations have policies and controls in place to prevent personal computers from connecting to corporate networks.
D. Upon Murray’s announcement that he is leaving, his access privileges should have been revoked and he should have been escorted from the premises. Further, since he had access to all other users’ passwords, a message should immediately be sent to all users requiring them to change their passwords immediately or have their accounts locked until they do make the change.
8.
Encryption
The coded message that follows is an encrypted message from Brutus to the Roman Senate. It was produced using the Caesar cipher method, in which each letter is shifted by a fixed number of places (determined by the key value).
OHWV GR MXOLXV RQ PRQGDB PDUFK 48 GUHVV: WRJD FDVXDO (EBRG)
Required: Determine the key used to produce the coded message and decode it.
Response: Key = +3. Decoded message: LETS DO JULIUS ON MONDAY MARCH 15 DRESS: TOGA CASUAL (BYOD, i.e., Bring Your Own Dagger)
9.
Encryption
a. Develop a Caesar cipher-type encryption algorithm with a little more complexity in it. For example, the algorithm could alternately shift the cleartext letters positive and negative by the amount of the key value. Variations on this are limitless.
b. Select a single-digit key.
c. Code a short message using the algorithm and key.
d. Give your instructor the algorithm, key, clear text, and cipher text.
Optional: Your instructor will randomly redistribute to the class the cipher text messages completed in part d. You are to decode the message you receive as an additional assignment.
Response: Answers will vary among the class. This is a fun assignment that results in interesting coding schemes.
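Problem 8 asks for the key and the plaintext of the Brutus message, and Problem 9 asks for a variant with alternating positive and negative shifts. The block below is an added example, not code from the solution manual: it implements the plain Caesar shift (letters mod 26, digits mod 10, which is why MARCH 15 became PDUFK 48), the alternating variant suggested in Problem 9, and a key recovery that simply tries all 26 keys and scores each candidate against a small constructed word list, which is the exhaustive search that makes a single-shift cipher useless as a control.

```python
"""Caesar-cipher tools for the Brutus message in Problem 8 and the
alternating-shift variant suggested in Problem 9. Added example; the
word list used for key recovery is a constructed sample."""
import string

UPPER = string.ascii_uppercase
DIGITS = string.digits

# The ciphertext exactly as printed in Problem 8.
BRUTUS_CIPHERTEXT = "OHWV GR MXOLXV RQ PRQGDB PDUFK 48 GUHVV: WRJD FDVXDO (EBRG)"


def shift_char(ch: str, key: int) -> str:
    """Shift one character by `key` places: letters wrap mod 26, digits mod 10,
    everything else (spaces, punctuation) passes through unchanged."""
    if ch in UPPER:
        return UPPER[(UPPER.index(ch) + key) % 26]
    if ch in DIGITS:
        return DIGITS[(DIGITS.index(ch) + key) % 10]
    return ch


def caesar(text: str, key: int) -> str:
    """Encrypt with a positive key; decrypt by passing the negative key."""
    return "".join(shift_char(ch, key) for ch in text.upper())


def alternating_caesar(text: str, key: int, decrypt: bool = False) -> str:
    """Problem 9 style variant: shiftable characters alternate between +key
    and -key. Punctuation and spaces do not consume a position, so the
    receiver does not need to know the original spacing to decrypt."""
    out, pos = [], 0
    for ch in text.upper():
        if ch in UPPER or ch in DIGITS:
            k = key if pos % 2 == 0 else -key
            if decrypt:
                k = -k
            out.append(shift_char(ch, k))
            pos += 1
        else:
            out.append(ch)
    return "".join(out)


# Constructed scoring vocabulary; a real attack would use a full dictionary.
COMMON_WORDS = {"THE", "AND", "ON", "DO", "IN", "OF", "TO", "LETS", "MONDAY",
                "MARCH", "DRESS", "TOGA", "CASUAL", "IS", "AT", "FOR"}


def recover_key(ciphertext: str):
    """Exhaustive search: decrypt under all 26 keys and return (key, plaintext)
    for the candidate containing the most known words."""
    best_score, best_key, best_text = 0, -1, ""
    for key in range(26):
        candidate = caesar(ciphertext, -key)
        words = {w.strip(":()") for w in candidate.split()}
        score = len(words & COMMON_WORDS)
        if score > best_score:
            best_score, best_key, best_text = score, key, candidate
    return best_key, best_text


if __name__ == "__main__":
    print(recover_key(BRUTUS_CIPHERTEXT))
```

Because the key space is 26 (or 10 for the single-digit keys Problem 9 asks for), `recover_key` needs no cleverness at all; that is the point a student should take from the exercise when comparing it with the encryption controls discussed for the ISC network in Problem 5.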
10-13. Problems 10 through 13 will result in varying answers.
CHAPTER 4 SECURITY PART II: AUDITING DATABASE SYSTEMS REVIEW QUESTIONS 1.
What is a legacy system? Response: Legacy systems are large mainframe systems that were implemented from the late 1960s through the 1980s. Organizations today still make extensive use of these systems.
2.
What is the flat-file model? Response: Flat files are data files that contain records with no structured relationships to other files. The flat-file model describes an environment in which individual data files are not related to other files. End users in this environment own their data files rather than share them with other users. Data files are therefore structured, formatted, and arranged to suit the specific needs of the owner or primary user of the data. Such structuring, however, may exclude data attributes that are useful to other users, thus preventing successful integration of data across the organization.
3.
What are the key elements of the database environment? Response: The database management system (DBMS), users, the database administrator, the physical database, and DBMS models.
4.
What types of problems does data redundancy cause? Response:
a. data storage problems
b. data updating problems
c. currency of information problems
5.
What flat-file data management problems are solved as a result of using the database concept? Response:
a. data storage problem
b. data update problem
c. currency problem
d. task-data dependency problem
6.
What is DML? Response: DML is the proprietary programming language that a particular DBMS uses to retrieve, process, and store data.
7.
What is the purpose of the data definition language? Response: The data definition language (DDL) is a programming language used to define the database to the DBMS. The DDL identifies the names and the relationships of all data elements, records, and files that constitute the database. This definition has three levels, called views: the physical internal view, the conceptual view (schema), and the user view (subschema).
8.
What is the internal view of a database? Response: The internal view of a database is the physical arrangement of the records. It describes the data structure, the linkages between files, and the physical arrangement of the records.
9.
What is SQL? Response: Structured Query Language (SQL) is a fourth-generation, nonprocedural language that allows users to easily input, retrieve, and modify data. It is the standard query language for both mainframe and microcomputer DBMSs.
10.
What is a data dictionary, and what purpose does it serve? Response: The data dictionary describes every data element in the database. It enables all users (and programmers) to share a common view of the data resource, thus greatly facilitating the analysis of user needs. The data dictionary may be in both paper form and online. Most DBMSs employ special software for managing the data dictionary.
11.
What are the two fundamental components of data structures? Response: Organization and access method.
12.
What are the criteria that influence the selection of the data structure? Response:
a. rapid file access and data retrieval
b. efficient use of disk storage space
c. high throughput for transaction processing
d. protection from data loss
e. ease of recovery from system failure
f. accommodation of file growth
13.
What is a data attribute? Response: A data attribute, or field, is a single item of data, such as customer name, account balance, or address.
14.
What is a record type? Response: A record type is a physical database representation of an entity. Database designers group together into tables (files) the record types that pertain to specific entities. For example, records of sales to customers would form the sales order record type, which physically represents the Sales Order entity.
15.
What is a record association? Response: Record types exist in relation to other record types. This is called a record association. There are three basic record associations: one-to-one, one-to-many, and many-to-many.
16.
What is a database? Response: A database is the set of record types that an organization needs to support its business processes.
17.
What is an enterprise database? Response: An enterprise database is a common set of data files or tables for the entire organization, or enterprise. The most recent application development systems, such as Oracle’s latest package or Microsoft’s .NET, focus on the ability to use an enterprise database as the foundation for applications that interface across the entire enterprise. The Enterprise Resource Planning (ERP) software so popular in the 1990s is also based on the principle of an enterprise database.
18.
What is time-stamping, and why is it useful? Response: The second part of the concurrency control process is to time-stamp each transaction. A system-wide clock is used to keep all sites, some of which may be in different time zones, on the same logical time. Each time stamp is made unique by incorporating the site’s ID number. Time-stamping is used in distributed data processing environments to help ensure the presence of complete and accurate data by avoiding the processing of conflicting transactions.
19.
Explain the grandfather-father-son backup technique. Is it used for sequential files or direct access techniques? Why? How many generations can be backed up? Response: This procedure is when the current master file (the father) is processed against the transaction file to produce a new master file (the son). With the next batch of transactions, the son becomes the current master file (the father), and the original father becomes the backup (the grandfather) file. The new master file that emerges from the update process is the son. This procedure is continued with each new batch of transactions, creating generations of backup files. When the desired number of backup copies is reached, the oldest backup file is erased (scratched). This process is used for sequential files and batch direct access systems. The updates for online, real-time, direct access systems occur continuously throughout the day. The master files are backed up at certain intervals. The number of backed up master files is a management and auditor decision.
20.
What are inference controls? Why are they needed? Response: Inference controls are implemented to preserve the confidentiality and integrity of the database from users who try to infer specific data values by using query features. The query feature might not allow certain types of direct questions to be asked, but a clever user may determine a way to ask multiple questions, which together give the desired answer to the question.
21.
What are the four basic backup and recovery features necessary in a DBMS? Briefly explain each. Response:
a. Backup. This feature makes a periodic backup of the entire database.
b. Transaction Log (Journal). This feature tracks all transactions in a transaction log.
c. Checkpoint Feature. This feature suspends all data processing while the system reconciles the transaction log and the database change log against the database.
d. Recovery Module. This feature uses the logs and backup files to restart the system after a failure.
22.
What is data encryption? Response: Data encryption uses an algorithm to scramble selected data, thus making them unreadable to an intruder browsing the database. In addition to protecting stored data, encryption is used for protecting data that are transmitted over communications lines.
23.
What are biometric devices? Response: Biometric devices measure various personal characteristics, such as fingerprints, voice prints, retina prints, or signature characteristics. These user characteristics are digitized and stored permanently in a database security file or on an identification card that the user carries. When an individual attempts to access the database, a special scanning device captures his or her biometric characteristics, which it compares with the profile data stored on file or the ID card. If the data do not match, access is denied.
24.
What is a user-defined procedure? Response: A user-defined procedure allows the user to create a personal security program or routine to provide more positive user identification than a single password. Thus, in addition to a password, the security procedure asks a series of personal questions (such as the user’s mother’s maiden name), which only the legitimate user should know.
Discussion Questions 1.
In the flat-file data management environment, users are said to own their data files. What is meant by this ownership concept? Response: In the traditional data management environment, applications are developed with data and program dependency. Typically, these programs are application specific. Thus, the users of the application data tend to be proprietary about the data in “their” applications and may not be amenable to sharing such data.
2.
Why is a hierarchical data model considered to be a navigational database? Response: The hierarchical database model is considered to be a navigational database because traversing through it requires predefined linkages between related records that start at the root. A limitation of this model is that a parent record may own one or more children, but no child record may have more than one parent. If a child logically needs to be linked to more than one parent, duplication of files with different predefined linkages is required.
3.
Discuss why control procedures over access to the database become more crucial under the database concept than in the flat-file data management environment. What role does the DBMS play in helping to control the database environment? Response: Under the database concept, the data is centrally stored with many different users accessing the database. However, each user should not have access to the whole database. Under the flat-file data management environment where the data and programs were linked, the user access problem was not as great a threat. The DBMS is a special software system that is programmed to know which data each user is authorized to access. This controlled authorization is crucial in centrally stored DBMSs.
4.
What is the relationship between a schema and a subschema? Response: The schema represents the physical storage of the entire database. A subschema is a subset of the entire database; it represents a user’s view of the database. Numerous subschemas exist for every schema.
5.
Discuss the two ways in which users can access the database files in a database environment. Response: The first way the user may access the database is through user programs prepared by systems professionals. These programs send data access requests to the DBMS. The DBMS then validates the requests and retrieves the data for processing. The presence of the DBMS is transparent to the user. The second method involves direct inquiry on the part of the user. DBMSs have built-in data inquiries that allow authorized users to retrieve and manipulate data without the assistance of the professional programmers.
6.
Discuss the limitations of the hierarchical database model. Response: The primary limitation of this model is that a parent record may own one or more children, but no child record may have more than one parent. If a child logically needs to be linked to more than one parent, which is common in business applications, duplication of files with different predefined linkages is required.
7.
What is a partitioned database and what are its advantages? Response: The partitioned database approach splits the central database into segments or partitions that are distributed to their primary users. The advantages of this approach follow: having data stored at local sites increases users’ control, transaction processing response time is improved by permitting local access to data and reducing the volume of data that must be transmitted between IT units. Also, partitioned databases can reduce the potential effects of a disaster. By locating data at several sites, the loss of a single IT unit does not eliminate all data processing by the organization.
8.
SQL has been said to place power in the hands of the user. What is meant by this statement? Response: SQL allows users to retrieve data from many different files without the assistance of programming professionals. Thus, if the user has access to the data files and knows SQL, which is very user friendly, the user may retrieve the data instantaneously.
9.
Discuss the importance of the role of the database administrator. Why wasn’t such a role necessary in the flat-file environment? What tasks are performed by the DBA? Response: In the flat-file environment, the data were not centrally stored for many different applications to use. Because the data are centrally stored and shared by many users in a database environment, the need for an independent individual to care for and control these files arose. The database administrator is responsible for database planning, developing the data requirements and data dictionary, database design and controls, database implementation and access controls, operation and maintenance, and establishing and reviewing the standards and procedures.
10.
As users determine new computer application needs, requests must be sent to both the system programmers and the DBA. Why is it important that these two groups perform separate functions, and what are these functions? Response: The system programmers program the manner in which the data will be retrieved, manipulated, reported, and stored. They do not need, and should not have, access to the data, except perhaps temporarily to test the programs. The database administrator controls access to the data. If one person has the authority to write programs and access data, then control issues become a concern. The potential to commit fraud or embezzlement or to destroy or alter the company’s records becomes too great.
11.
Discuss disadvantages of a partitioned database. Response: 1) The partitioned approach works best for organizations that require minimal data sharing among their distributed IT units. The primary user manages data requests from other sites. To minimize data access from remote users, the organization needs to carefully select the host location. Identifying the optimum host requires an in-depth analysis of user data needs. 2) In a partitioned environment, it is possible for multiple sites to lock out each other from the database, thus preventing each from processing its transactions.
12.
In a distributed data processing system, why can temporary inconsistencies result in permanent damage to accounting records? Explain with an example. Response: In between the time a processing application (a) updates a subsidiary account and (b) updates the control account, a temporary inconsistency exists. Permanent damage may result between the time an account value is read and the time it is written or updated. Consider the following example, where a payment of $500 is received for sub account 1 and a payment of $800 is received for sub account 2.

Time      Site  Instruction           Sub Account 1  Sub Account 2  AR Control Account
1:00:001  A     Read sub acct 1       1,000
1:00:001  B     Read sub acct 2                      3,000
1:00:002  A     Update sub acct 1     500
1:00:002  B     Update sub acct 2                    2,200
1:00:003  A     Read control acct                                   20,000
1:00:003  B     Read control acct                                   20,000
1:00:004  A     Update control acct                                 19,500
1:00:005  B     Update control acct                                 19,200

Thus, the data never reflect the second-to-last instruction indicated. The AR control account should reflect payments received of $1,300 and have a value of $18,700, but it reflects payments of only $800. Thus, the transaction of $500 is lost, and the control and subsidiary ledgers are out of balance.
13.
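The schedule in the table above is a classic lost update, and the time-stamping described in Review Question 18 is one way to stop it. The block below is an added example, not code from the solution manual: it replays the exact interleaving with the question's constructed balances so the $500 loss is visible in the returned figures, then runs the same interleaving against a record that carries an update stamp, so site B's stale write is rejected and re-applied on top of site A's result. The `StampedRecord` class is an illustration of the idea, not any DBMS's API.

```python
"""Replay of the lost-update schedule in Discussion Question 12 and a
stamp-validated version of the same schedule. Added example; the opening
balances are the constructed figures from the question and StampedRecord
is an illustration of time-stamp validation, not a product API."""


class StaleReadError(Exception):
    """Raised when an update is based on a value another site has since changed."""


def unsynchronized_run():
    """Sites A and B both read the AR control account at 1:00:003 and write
    it at 1:00:004 and 1:00:005: B's write is based on a stale read and
    silently discards A's $500 payment."""
    sub1, sub2, control = 1_000, 3_000, 20_000  # opening balances (constructed)
    sub1 -= 500                  # 1:00:002 site A updates sub account 1
    sub2 -= 800                  # 1:00:002 site B updates sub account 2
    a_snapshot = control         # 1:00:003 site A reads control account
    b_snapshot = control         # 1:00:003 site B reads control account
    control = a_snapshot - 500   # 1:00:004 site A writes 19,500
    control = b_snapshot - 800   # 1:00:005 site B writes 19,200; A's update is lost
    return {"sub1": sub1, "sub2": sub2, "control": control}


class StampedRecord:
    """A value with a monotonically increasing update stamp. An update must
    present the stamp it read; a mismatch means another site wrote in between."""

    def __init__(self, value):
        self.value = value
        self.stamp = 0

    def read(self):
        return self.value, self.stamp

    def update(self, new_value, stamp_seen):
        if stamp_seen != self.stamp:
            raise StaleReadError(f"read stamp {stamp_seen}, current stamp {self.stamp}")
        self.value = new_value
        self.stamp += 1


def stamped_run():
    """Same interleaving as above, but the control account is a StampedRecord.
    Site B's first write is rejected; it re-reads and re-applies its $800."""
    control = StampedRecord(20_000)
    a_val, a_stamp = control.read()           # 1:00:003 site A
    b_val, b_stamp = control.read()           # 1:00:003 site B
    control.update(a_val - 500, a_stamp)      # 1:00:004 site A succeeds (19,500)
    retried = False
    try:
        control.update(b_val - 800, b_stamp)  # 1:00:005 site B: stale stamp
    except StaleReadError:
        retried = True
        b_val, b_stamp = control.read()       # re-read 19,500 with the new stamp
        control.update(b_val - 800, b_stamp)  # 18,700
    return {"control": control.value, "retried": retried}


def payments_reflected(control_balance, opening=20_000):
    """How much of the $1,300 received actually reached the control account."""
    return opening - control_balance


if __name__ == "__main__":
    print("unsynchronized:", unsynchronized_run())
    print("stamp-validated:", stamped_run())
```

The audit point is in `payments_reflected`: the subsidiary ledgers are correct in both runs, so only a reconciliation of the control account against the subsidiary accounts (or a review of rejected-update logs) reveals the $500 difference.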
What is a replicated database, and what control issues exist? Response: Replicated databases are effective in companies where there exists a high degree of data sharing but no primary user. Since common data are replicated at each IT unit site, the data traffic between sites is reduced considerably. Figure 4.18 in the text illustrates the replicated database model. The primary justification for a replicated database is to support read-only queries. With data replicated at every site, data access for query purposes is ensured, and lockouts and delays due to data traffic are minimized. The problem with this approach is maintaining current versions of the database at each site. Since each IT unit processes only its transactions, common data replicated at each site are affected by different transactions and reflect different values.
14.
Which database method would be most appropriate for ticket sales at thirty different outlets to an assigned seating concert? Why? Response: Partitioned databases would not be appropriate because the seats received by the customer would be a function of the ticket outlet where the purchase is made. Replicated databases would not be appropriate because duplicate tickets would be sold. Centralized databases with local processing are the appropriate method. The seat data would be centrally stored. Only the data for the seat being purchased would be locked and sent to the appropriate node. Once the seat is sold, the record is processed locally and then the data are transmitted back to the central computer.
15.
Why is it risky to allow programmers to create user subschemas and assign access authority to users? Response: Such a subschema is a subset of the total database that defines the user’s access authority. The database administrator has primary responsibility for designing these authorization tables. The programmers should not perform this task because the concept of authorization could be circumvented. The tasks of programming and the creation of user authorization tables are incompatible tasks and should be performed by different individuals.
16.
Is access control of greater concern in the flat-file or database file environment? Response: In the flat-file environment, data are linked to their users and are separated through ownership. The physical data files are accessed only by the owner of the data. In the database environment, data are centrally stored and shared by many users. The assignment of user privileges via authorization tables determines who accesses the data, and access control thus becomes a greater concern.
17.
Discuss the relationship between attributes and entities. Response: Entities are defined by attributes. For example, an Employee entity may be defined by the following set of attributes: Name, Address, Job Skill, Years of Service, and Hourly Rate of Pay. Each occurrence in an entity consists of the same types of attributes, but values of each attribute type will vary among occurrences. Because attributes logically define a particular entity, they are unique to it and the same attribute type should not be used to define two different entities.
18.
In a database environment, individual users may be granted summary and statistical query access to confidential data to which they normally are denied direct access. Describe how security can be preserved through inference controls. Response: Inference controls are used to prevent users from inferring, through query features, specific data values that they otherwise are unauthorized to access. Inference controls attempt to prevent three types of compromises to the database.
a. Positive compromise. The user determines the specific value of a data item.
b. Negative compromise. The user determines that a data item does not have a specific value.
c. Approximate compromise. The user is unable to determine the exact value of an item but is able to estimate it with sufficient accuracy to violate the confidentiality of the data.
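Review Question 20 and Discussion Question 18 both describe inference controls without showing one. The block below is an added example, not code from the solution manual: a summary-only query interface over a constructed employee table that applies a query-set-size control (a query is refused when too few rows, or too few rows' complement, match). With the control off, two permitted-looking totals differ by exactly one person's salary, which is the positive compromise defined above; with it on, the same pair is refused while an ordinary departmental summary still succeeds.

```python
"""Query-set-size inference control for a statistical (summary-only) query
interface. Added example with a constructed employee table; the threshold
rule is a standard textbook control, not a specific product's feature."""


class QueryRefused(Exception):
    """Raised when a query's result set is small enough to single out a record."""


# Constructed sample records (not from the text).
EMPLOYEES = [
    {"name": "Adams", "dept": "Sales", "salary": 52_000},
    {"name": "Baker", "dept": "Sales", "salary": 61_000},
    {"name": "Chen",  "dept": "Sales", "salary": 58_000},
    {"name": "Diaz",  "dept": "IT",    "salary": 95_000},
    {"name": "Evans", "dept": "IT",    "salary": 88_000},
    {"name": "Ford",  "dept": "Audit", "salary": 120_000},
]


class StatisticalDB:
    """Only aggregates are exposed, never rows. With enforce=True a query is
    refused unless between k and n-k rows match: a set of size n-1 is as
    revealing as a set of size 1, because the user can subtract it from the
    overall total."""

    def __init__(self, rows, min_set_size=2):
        self.rows = rows
        self.k = min_set_size

    def sum_salary(self, predicate, enforce=True):
        matched = [r for r in self.rows if predicate(r)]
        n = len(self.rows)
        if enforce and not (self.k <= len(matched) <= n - self.k):
            raise QueryRefused(
                f"{len(matched)} rows match; allowed range is {self.k}..{n - self.k}")
        return sum(r["salary"] for r in matched)


def uncontrolled_positive_compromise(db):
    """Without the control, two aggregate queries reveal Ford's exact salary."""
    total = db.sum_salary(lambda r: True, enforce=False)
    all_but_ford = db.sum_salary(lambda r: r["name"] != "Ford", enforce=False)
    return total - all_but_ford


def controlled_queries(db):
    """The same two queries plus a legitimate departmental summary, control on."""
    outcomes = {}
    for label, pred in [("total", lambda r: True),
                        ("all_but_ford", lambda r: r["name"] != "Ford"),
                        ("sales_dept", lambda r: r["dept"] == "Sales")]:
        try:
            outcomes[label] = db.sum_salary(pred)
        except QueryRefused:
            outcomes[label] = "refused"
    return outcomes


if __name__ == "__main__":
    db = StatisticalDB(EMPLOYEES)
    print("uncontrolled:", uncontrolled_positive_compromise(db))
    print("controlled:", controlled_queries(db))
```

A query-set-size threshold on its own is a weak control, because several individually permitted queries can still be combined to isolate a record; in practice it is paired with limits on the overlap between successive query sets, small random perturbation of reported statistics, and a query audit log the DBA and auditor can review.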
19.
Discuss and give an example of one-to-one, one-to-many, and many-to-many record associations. Response: A one-to-one association means that for every occurrence in record type X, either zero or one occurrence exists of record type Y. An example would be that for every student, only one social security number exists. A one-to-many association means that for every occurrence in record type X, either zero, one, or many occurrences exist of record type Y. An example would be buyers of assigned seating at concerts. Each potential buyer would leave the sales box office with zero, one, or many seats. A many-to-many association is a two-way relationship. For each occurrence of record types X and Y, zero, one, or many occurrences exist of record type Y and X, respectively. An example would be a student-professor relationship. Each student has multiple professors each semester, and each professor has multiple students each semester.
20.
Explain the deadlock phenomenon. Discuss how it could occur with a phone-in mail order system that locks the inventory records until the order is complete. Response: A deadlock occurs when multiple sites lock out each other from the data they need to process transactions. Phone-in mail-order Example. Customer 1 wants to order two items—Item A and Item B. The customer informs the phone clerk that he or she wants Item A, and the record for Item A is locked until the order is complete in case any changes are made. Customer 1 then requests Item B, but it is locked by another customer’s order. The phone clerk will apologize for the delay and say the system is slow today. Meanwhile, Customer 2 who has just ordered Item B and locked it requests Item A, which is locked because of Customer 1’s order. The phone clerk who is helping Customer 2 will apologize for the delay and say the system is slow today. Unfortunately, neither record can be unlocked until the competing orders are complete, which results in deadlock. This condition will require system intervention to resolve it.
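The phone-in order deadlock above is a cycle in the wait-for graph: Customer 1 holds Item A and waits for Item B, Customer 2 holds Item B and waits for Item A. The block below is an added example, not code from the solution manual: a small lock manager that records who holds and who waits for each record, detects the cycle the moment the second clerk's request closes it, and then replays the same two orders under a lock-ordering rule (both clerks request items in the same fixed order) so the cycle cannot form. The customer and item names are constructed.

```python
"""Lock manager with wait-for cycle detection, replaying the phone-in order
deadlock from Discussion Question 20 and a lock-ordering rule that avoids it.
Added example; the order and item names are constructed."""


class LockManager:
    def __init__(self):
        self.holder = {}    # item -> order that holds its lock
        self.waiting = {}   # order -> item it is blocked on

    def acquire(self, order, item):
        """Returns 'granted', 'waiting' or 'deadlock'. A request for an item
        held by another order puts the requester in the wait-for graph; a
        cycle in that graph means none of the orders on it can ever finish."""
        owner = self.holder.get(item)
        if owner is None or owner == order:
            self.holder[item] = order
            self.waiting.pop(order, None)
            return "granted"
        self.waiting[order] = item
        return "deadlock" if self._waits_for_itself(order) else "waiting"

    def _waits_for_itself(self, start):
        """Follow waiter -> holder edges; returning to `start` is a cycle."""
        node, seen = start, set()
        while node in self.waiting:
            node = self.holder[self.waiting[node]]
            if node == start:
                return True
            if node in seen:
                return False
            seen.add(node)
        return False

    def release_all(self, order):
        """Order complete: free everything it holds so waiters can retry."""
        for item in [i for i, o in self.holder.items() if o == order]:
            del self.holder[item]
        self.waiting.pop(order, None)


def phone_order_deadlock():
    """The schedule in the question: each clerk locks one item, then asks
    for the item the other clerk already holds."""
    lm = LockManager()
    return [
        lm.acquire("customer1", "ItemA"),   # clerk 1 locks Item A
        lm.acquire("customer2", "ItemB"),   # clerk 2 locks Item B
        lm.acquire("customer1", "ItemB"),   # clerk 1 waits for Item B
        lm.acquire("customer2", "ItemA"),   # clerk 2 waits for Item A: cycle
    ]


def ordered_locking():
    """Prevention: every order requests items in a fixed global order
    (here alphabetical), so a waiter can never hold something the holder needs."""
    lm = LockManager()
    log = [
        lm.acquire("customer1", "ItemA"),   # granted
        lm.acquire("customer2", "ItemA"),   # waits: same first item
        lm.acquire("customer1", "ItemB"),   # granted; order 1 can complete
    ]
    lm.release_all("customer1")             # order 1 complete, locks freed
    log.append(lm.acquire("customer2", "ItemA"))  # granted on retry
    log.append(lm.acquire("customer2", "ItemB"))  # granted
    return log


if __name__ == "__main__":
    print("as described:", phone_order_deadlock())
    print("lock ordering:", ordered_locking())
```

Detection of the kind `acquire` performs is what the "system intervention" in the answer amounts to: the DBMS picks a victim on the cycle, rolls its order back and releases its locks; lock ordering removes the need for that intervention at the cost of a short wait for the second customer.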
MULTIPLE CHOICE QUESTIONS
1. c
2. a
3. a
4. c
5. d
6. d
7. c
8. c
9. b
10. c
11. b
12. e
PROBLEMS
1. Converting from Legacy System to DBMS
The Johnson Manufacturing Corporation employs a legacy flat-file data processing system that does not support data sharing between key business processes including sales order processing, production planning, inventory management, procurement, payroll, and marketing. It has long been thought that upgrading the system would be too disruptive to operations. Recently corporate management has changed its thinking on this matter and has hired your consulting firm to investigate the possibility of switching to a relational database management system. Prepare a memo to the top management at Johnson explaining the advantages of a DBMS. Comment in your memo on the necessity of hiring a database administrator and the role this person would play.
Response: Responses to this problem will vary. The sample memo below covers the key issues that should be discussed:
June 23, 20XX
MEMO
TO: Robert Johnson, CEO; Ryan Lindquist, CFO; Mike Alogna, COO; Bee N. Counter, Controller; Aaron York, CIO
FROM: Technical Solutions, Inc.
SUBJ: Conversion to a DBMS
After examining Johnson Manufacturing operations, our consulting team feels confident that your organization would benefit greatly from a relational database management system. Such a system will allow data sharing among all functional areas and thus greatly enhance communications between departments and improve business operations. An operational problem that has repeatedly come to light is the lack of intra-organizational communication. This has resulted in out-of-stock situations, overstock situations, shipping delays, and shipping errors. In addition to adding considerable cost to your operations, these problems have had an adverse effect on your customer and vendor relationships.
A relational database management system will provide a central data source whereby all authorized users may gain access to the data they need for decisions and to support day-to-day operations. Also, a database system will greatly simplify your data processing burden. Currently, you are transcribing data multiple times as it is moved from one user’s system to another. This error-prone activity will be eliminated in a database environment. Once data are entered into the system, they are available to all legitimate users. We propose that you begin a conversion to a DBMS at your earliest convenience. The process will take approximately one year to complete, but you will begin to experience some of the benefits within six months as key systems are cut over to the central database. This conversion will require the permanent appointment of a database administrator. A centralized DBMS requires that the shared data be designed, managed, and maintained by an independent administrator. This individual would also be responsible for assigning user access privileges. The key responsibilities of a database administrator are summarized below:
Database Planning:
• Develop organization’s database strategy
• Define database environment
• Define data requirements
• Develop data dictionary
Design:
• Logical database (schema)
• External users’ views (subschemas)
• Internal view of databases
• Database controls
Implementation:
• Determine access policy
• Implement security controls
• Specify test procedures
• Establish programming standards
Operation and Maintenance:
• Evaluate database performance
• Reorganize database as user needs demand
• Review standards and procedures
Change and Growth:
• Plan for change and growth
• Evaluate new technology
2. Database Authorization
Some relevant database tables and attributes are presented in the figure designated Problem 4-2 in the chapter.
Required: A) Create a database authorization table for an Accounts payable clerk. Structure your response similar to the example below:
                    Authority Level
                    Read  Insert  Modify  Delete
Table 1 Name        Y     Y       Y
Table 2 Name        Y     N
Table …..           Y     N
Indicate the name of each table the AP clerk may access and the degree of access privilege such as:
• Read data from the table
• Insert data into the table
• Modify or edit data in the table
• Delete data (attribute values or entire records) from the table
B) Explain your answers to part (A) above.
Response: A) The table below illustrates the appropriate access privileges for the AP clerk whose job is to review the supplier’s invoice and set up a liability, which will later be paid.
                    Authority Level
Database Table      Read  Insert  Modify  Delete
Purchase Order      Y     N       N       N
Receiving Report    Y     N       N       N
Vendor Invoice      Y     Y       N       N
B) The process involves performing a three-way match of the PO, receiving report, and the Vendor Invoice. Before setting up an account payable the clerk will verify the items invoiced were ordered (PO), received in good condition (receiving report), and that the invoice charges are correct. To do this the clerk needs “Read” access to the PO and receiving report tables and “Read” and “Insert” access to the Vendor Invoice table. Once the three-way match is complete, the clerk transcribes the details from the supplier’s hard copy invoice to the Vendor Invoice table and assigns a due date. This establishes the liability. The unpaid invoices at any point in time constitute the accounts payable. The AP clerk normally would not have “modify” or “delete” access to the Vendor Invoice table. Editing and deleting existing records in a table should be a supervisor function. Also, the clerk should not have insert, modify, or delete access to the PO and receiving report tables. Such access would allow the AP clerk to enter fraudulent PO and receiving report records. The clerk’s legitimate “insert” privileges would then allow him to create a fraudulent supplier’s invoice (on behalf of himself or a conspirator) and set up a false liability, which would later be paid.
3. Database Authorization Table
Required: A) Using the database table and attribute structures presented in Problem 4-2 create a database authorization table for a Sales Clerk. Structure your response similar to the example provided in Problem 4-2. B) Explain your answer to (A) above.
Response: The table below illustrates the appropriate access privileges for the sales clerk whose typical job is to review customer credit, check inventory availability, and create a sales invoice record.
                    Authority Level
Database Table      Read  Insert  Modify  Delete
Customer Table      Y     N       N       N
Inventory Table     Y     N       N       N
Sales Invoice       Y     Y       N       N
B) The clerk needs “Read” access to the Customer Table attributes (including “available credit”) and to the “Quantity on Hand” and “Sales Price” attributes in the Inventory Table. Once credit worthiness and inventory availability are established, the clerk transcribes the customer order details to the Sales Invoice table. The unpaid sales invoices at any point in time constitute the accounts receivable. The Sales clerk normally would not have “modify” or “delete” access to the Sales Invoice table. Editing and deleting existing records in a table should be a supervisor function. Also, the clerk should not have “insert”, “modify”, or “delete” access to the Customer Table or the Inventory Table. Such access would allow the sales clerk to alter a customer’s available credit and create a sales invoice for a customer who lacks adequate credit. It would also permit the sales clerk to modify the Sales Price attribute in the Inventory Table and thus discount the price of sales to certain customers.
4. Access Privileges
Mary Johnson, the Ajax Construction Co. cash disbursement clerk, has the database access privileges presented in the table below.
Required: Discuss the appropriateness of the access privileges assigned. What, if any, internal control problems may result?
                      Authority Level
Database Table        Read  Insert  Modify  Delete
Purchase Order        Y     Y       Y       N
Receiving Report      Y     Y       N       N
Vendor Invoice        Y     Y       N       N
Cash Disbursements    Y     Y       Y       Y
Response: The cash disbursement clerk should have “read” only access to the PO, Receiving Report, and Vendor Invoice tables above. These documents provide evidence of a liability, which the clerk discharges by writing a check. As a final control prior to writing the check, Mary may review the PO, receiving report, and invoice. A problem lies in the degree of access Mary has. Her “Insert” capability would allow her to create a purchase order, receiving report, and supplier’s invoice (for herself or an associate), thus creating the illusion of a transaction. Mary’s role as CD clerk allows her to write a check to discharge the phony liability that she established. On the surface the transaction looks valid because it has the necessary supporting documents.
5. Distributed Databases
The XYZ Company is a geographically distributed organization with several sites around the country. Users at these sites need rapid access to common data for read-only purposes. Which distributed database method is best under these circumstances? Explain your reasoning.
Response: The best distributed approach is a replicated database. Reasoning:
• The users are distributed around the country and need rapid access to data. A centralized model may result in long delays because of network traffic and database lockout.
• User data needs are common, not unique. Because there are no identifiable primary users, partitioning the database will accomplish nothing.
• Because usage is read-only, changes will not occur and database concurrency is not a problem.
6. Distributed Databases
The ABC Company is a geographically distributed organization with several sites around the country. Users at these sites need rapid access to data for transaction processing purposes. The sites are autonomous; they do not share the same customers, products, or suppliers. Which distributed database method is best under these circumstances? Explain your reasoning.
Response: The best distributed approach is a partitioned database. Reasoning:
• The users are distributed around the country and need rapid access to data. A centralized model may result in long delays because of network traffic and database lockout.
• User data needs are unique with identifiable primary users. There is no need to replicate the entire database.
• Because users are unique, changes to the database will not cause database concurrency problems.
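The authorization tables of Problems 2 and 3 and the over-privileged assignment of Problem 4, expressed as data with an enforcement check and an audit. This is an added example and not the textbook's own code: the role and table names follow the answers above, while the PO, receiving report and invoice records (and their field names such as po_number and amount_cents) are constructed for the example. The audit function generalizes the reasoning in those answers into a check that can be run over any authorization table: it flags a role that can insert every document evidencing a liability, and a role that can both create supporting documents and write checks.

```python
# Added example (not from the textbook): authorization tables from Problems
# 4-2 to 4-4 as data, an enforcement check, the AP clerk's three-way match,
# and a segregation-of-duties audit over the table.  Records are constructed.

READ, INSERT, MODIFY, DELETE = "Read", "Insert", "Modify", "Delete"

# Authorization table: role -> database table -> privileges granted (the Y cells).
AUTHORIZATION_TABLE = {
    "AP clerk": {
        "Purchase Order": {READ},
        "Receiving Report": {READ},
        "Vendor Invoice": {READ, INSERT},
    },
    "Sales clerk": {
        "Customer": {READ},
        "Inventory": {READ},
        "Sales Invoice": {READ, INSERT},
    },
    # Mary Johnson's privileges as assigned in Problem 4 (the problematic case).
    "Cash disbursement clerk": {
        "Purchase Order": {READ, INSERT, MODIFY},
        "Receiving Report": {READ, INSERT},
        "Vendor Invoice": {READ, INSERT},
        "Cash Disbursements": {READ, INSERT, MODIFY, DELETE},
    },
}

# Tables whose records evidence a liability; together they support a three-way match.
EVIDENCE_TABLES = ("Purchase Order", "Receiving Report", "Vendor Invoice")


class AccessDenied(PermissionError):
    """Raised when a role attempts an operation its authorization table does not grant."""


def check_access(role, table, privilege):
    granted = AUTHORIZATION_TABLE.get(role, {}).get(table, set())
    if privilege not in granted:
        raise AccessDenied(f"{role} lacks {privilege} on {table}")


def three_way_match(po, receiving_report, invoice):
    """True when the PO, receiving report and vendor invoice agree on what was
    ordered, received in good condition, and billed at the PO price."""
    return (
        po["po_number"] == receiving_report["po_number"] == invoice["po_number"]
        and po["product"] == receiving_report["product"] == invoice["product"]
        and po["quantity"] == receiving_report["quantity_received"] == invoice["quantity"]
        and receiving_report["condition_code"] == "GOOD"
        and po["unit_price_cents"] * invoice["quantity"] == invoice["amount_cents"]
    )


def set_up_liability(role, db, invoice):
    """AP clerk procedure: read the PO and receiving report, match them against
    the supplier's invoice, and only then insert the invoice (the liability).
    Returns True if the liability was recorded, False if the match failed."""
    check_access(role, "Purchase Order", READ)
    check_access(role, "Receiving Report", READ)
    po = db["Purchase Order"][invoice["po_number"]]
    rr = db["Receiving Report"][invoice["po_number"]]
    if not three_way_match(po, rr, invoice):
        return False
    check_access(role, "Vendor Invoice", INSERT)
    db["Vendor Invoice"][invoice["invoice_number"]] = dict(invoice)
    return True


def audit_roles(auth_table):
    """Flag roles whose privileges let one person manufacture the supporting
    documents of a transaction and act on them.  Returns a list of findings
    (empty when the table is clean)."""
    findings = []
    for role, tables in auth_table.items():
        creates = {t for t in EVIDENCE_TABLES if INSERT in tables.get(t, set())}
        if creates == set(EVIDENCE_TABLES):
            findings.append(f"{role}: can insert every document that evidences a liability")
        if creates and INSERT in tables.get("Cash Disbursements", set()):
            findings.append(f"{role}: can create supporting documents and also write checks")
    return findings


def constructed_db():
    """Constructed sample records, keyed by PO number."""
    return {
        "Purchase Order": {
            "PO-1001": {"po_number": "PO-1001", "vendor": "V-07", "product": "P-55",
                        "quantity": 10, "unit_price_cents": 450},
        },
        "Receiving Report": {
            "PO-1001": {"po_number": "PO-1001", "product": "P-55",
                        "quantity_received": 10, "condition_code": "GOOD"},
        },
        "Vendor Invoice": {},
    }


# Constructed supplier invoice that agrees with the PO and receiving report.
GOOD_INVOICE = {"invoice_number": "INV-9", "po_number": "PO-1001", "vendor": "V-07",
                "product": "P-55", "quantity": 10, "amount_cents": 4500}
```

Running audit_roles over the table reports two findings, both against the cash disbursement clerk, and none against the AP or sales clerk; set_up_liability records the liability only when the match succeeds, and any attempt by the AP clerk to insert into the Purchase Order table raises AccessDenied.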
7. Distributed Databases Mega wants to improve response time by distributing some parts of the corporate database while keeping other parts of it centralized. A) Develop a schema for distributing Mega Supply Corporation’s database. Add new tables and attributes as needed. B) Briefly explain how the new system will operate. Response:
Commercial Division Database
• Customer Table (Commercial customers only. Partitioned by Customer Class): Customer Number, Billing Address, Shipping Address, Line of Credit
• Sales Invoice (Replicated at Corporate Office): Sales Invoice Number, Customer Number, Product Number, Invoice Amount, Invoice Date
• Inventory Table (Partitioned on Inventory Class): Product Number, Quantity on hand, Unit Cost, Vendor Number
• Vendor Table (Partitioned based on products sold by division): Vendor Number, Vendor Address, Tel Number
• Purchase Order Table (Replicated at Corporate Office): PO Number, Vendor Number, Product Number, Quantity, Order Date
• Receiving Report Table (Replicated at Corporate Office): PO Number, Product Number, Quantity Received, Condition Code, Received Date
Consumer Division Database
• Same structure as the Commercial Division, but for consumer customers
Corporate Division Database
• Sales Invoice (AR) (Replicated at Division): Sales Invoice Number, Customer Number, Product Number, Invoice Amount, Invoice Date
• Cash Receipts Table (Centralized at Corporate): Cash Receipts Number, Customer Number, Check Number, Sales Invoice Number, Check Amount, Date
• Purchase Order Table (Replicated at Division): PO Number, Vendor Number, Product Number, Quantity, Order Date
• Receiving Report Table (Replicated at Division): PO Number, Product Number, Quantity Received, Condition Code, Received Date
• Vendor Invoice Table (AP) (Centralized at Corporate Office): Vendor Invoice Num, Vendor Number, Product Number, Invoice Amount, Invoice Date
• Cash Disbursement Table (Centralized at Corporate Office): Check number, Vendor Invoice Num, Check Amount, Date
Description of New Process
The revised system functions as follows:
• Commercial and Consumer divisions receive sales orders from customers.
• Clerks at divisions check credit using the partitioned Customer table.
• Clerks at divisions determine inventory availability from the partitioned Inventory table and update Inventory records to reflect the sale.
• Clerk at division prepares a customer invoice record.
• At end of day the Customer Invoice Table is replicated at the Corporate office.
• Corporate office bills customer, maintains AR accounts, and receives cash payments from customer.
• When inventories fall to the reorder point, division sends PO to vendor.
• When inventories arrive, division prepares receiving report and updates Inventory table.
• At end of day the PO table and Receiving Report Table are replicated at Corporate office.
• Corporate office receives Vendor Invoice and sets up AP to be paid.
• Corporate office makes payment to vendor.
This system of replicated, centralized and partitioned database tables allows Mega to process sales locally and quickly and manage billing, AR, Cash receipts, AP and Cash disbursements centrally, efficiently, and with adequate control.
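The Mega Supply design above, simulated for one business day. This is an added example and not the textbook's code: the table and attribute names follow the schema above, the division and customer data are constructed, and the class names DivisionDB and CorporateDB are the example's own. It shows the three placement choices working together: a division database that refuses rows outside its partition, an end-of-day replication of the Sales Invoice table that is keyed by Sales Invoice Number so that a rerun cannot post an invoice to AR twice, and cash receipts held centrally so the corporate office can compute the open receivables.

```python
from collections import defaultdict


class DivisionDB:
    """One division's database.  Customer and Inventory rows are the
    partition this division owns; Sales Invoice rows are created here and
    replicated to the corporate office at end of day."""

    def __init__(self, customer_class):
        self.customer_class = customer_class  # partition key for Customer
        self.customer = {}       # Customer Number -> row
        self.inventory = {}      # Product Number -> row
        self.sales_invoice = {}  # Sales Invoice Number -> row (replicated)

    def add_customer(self, number, line_of_credit, customer_class):
        # A row for another class belongs in another division's partition.
        if customer_class != self.customer_class:
            raise ValueError(f"{number} is class {customer_class}, not {self.customer_class}")
        self.customer[number] = {"Customer Number": number, "Line of Credit": line_of_credit}

    def add_inventory(self, product, quantity_on_hand, unit_cost, vendor):
        self.inventory[product] = {"Product Number": product, "Quantity on hand": quantity_on_hand,
                                   "Unit Cost": unit_cost, "Vendor Number": vendor}

    def record_sale(self, invoice_number, customer_number, product, quantity, amount, date):
        """Clerk checks credit and availability locally, updates inventory and
        creates the invoice row.  Returns False (and changes nothing) if a check fails."""
        cust, item = self.customer[customer_number], self.inventory[product]
        if amount > cust["Line of Credit"] or quantity > item["Quantity on hand"]:
            return False
        item["Quantity on hand"] -= quantity
        self.sales_invoice[invoice_number] = {
            "Sales Invoice Number": invoice_number, "Customer Number": customer_number,
            "Product Number": product, "Invoice Amount": amount, "Invoice Date": date}
        return True


class CorporateDB:
    """Corporate office: replicated Sales Invoice (AR) plus centralized Cash Receipts."""

    def __init__(self):
        self.sales_invoice = {}
        self.cash_receipts = {}

    def replicate_invoices(self, division):
        """End-of-day replication keyed by Sales Invoice Number.  Copying only
        unseen keys makes a rerun harmless: no invoice reaches AR twice.
        Returns the number of new rows copied."""
        new_rows = 0
        for number, row in division.sales_invoice.items():
            if number not in self.sales_invoice:
                self.sales_invoice[number] = dict(row)
                new_rows += 1
        return new_rows

    def receive_cash(self, receipt_number, customer_number, check_number, invoice_number, amount, date):
        if invoice_number not in self.sales_invoice:
            raise KeyError(f"{invoice_number} not in corporate AR (not yet replicated?)")
        self.cash_receipts[receipt_number] = {
            "Cash Receipts Number": receipt_number, "Customer Number": customer_number,
            "Check Number": check_number, "Sales Invoice Number": invoice_number,
            "Check Amount": amount, "Date": date}

    def open_ar(self):
        """Unpaid balance per invoice: the accounts receivable."""
        paid = defaultdict(int)
        for r in self.cash_receipts.values():
            paid[r["Sales Invoice Number"]] += r["Check Amount"]
        return {n: row["Invoice Amount"] - paid[n]
                for n, row in self.sales_invoice.items()
                if row["Invoice Amount"] - paid[n] > 0}


def run_day():
    """One business day with constructed data; returns the figures worth checking."""
    commercial, consumer, corporate = DivisionDB("commercial"), DivisionDB("consumer"), CorporateDB()
    commercial.add_customer("C-100", 50000, "commercial")
    consumer.add_customer("K-200", 2000, "consumer")
    commercial.add_inventory("P-55", 120, 450, "V-07")
    consumer.add_inventory("P-55", 15, 450, "V-07")
    sales_ok = (commercial.record_sale("SI-1", "C-100", "P-55", 100, 45000, "20XX-06-23"),
                consumer.record_sale("SI-2", "K-200", "P-55", 2, 1200, "20XX-06-23"),
                consumer.record_sale("SI-3", "K-200", "P-55", 20, 1500, "20XX-06-23"))  # exceeds stock
    replicated = corporate.replicate_invoices(commercial) + corporate.replicate_invoices(consumer)
    rerun = corporate.replicate_invoices(commercial)  # idempotent: nothing new to copy
    corporate.receive_cash("CR-1", "K-200", "CHK-77", "SI-2", 1200, "20XX-06-24")
    return {"sales_ok": sales_ok, "replicated": replicated, "rerun": rerun,
            "open_ar": corporate.open_ar(),
            "commercial_on_hand": commercial.inventory["P-55"]["Quantity on hand"]}
```

After the day runs, the two valid sales are in corporate AR, the rerun of replication copies nothing, the consumer invoice is cleared by its cash receipt, and only the commercial invoice remains open.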
CHAPTER 5 SYSTEM DEVELOPMENT AND PROGRAM CHANGE ACTIVITIES REVIEW QUESTIONS 1.
Distinguish between systems professionals, end users, and stakeholders. Response: Systems professionals are systems analysts, systems designers, and programmers; these individuals actually build the system. End users are the individuals for whom the system is built. End users are found throughout the organization. Stakeholders are individuals either within the organization or outside who have an interest in the system but are not the end users.
2.
What is the role of the accountant in the SDLC? Why might accountants be called on for input into the development of a nonaccounting information system? Response: Accountants are users. All systems that process financial transactions impact the accounting function in some way. Like all users, accountants must provide a clear picture of their problems and needs to the systems professionals. Accountants participate in systems development as members of the development team. Their involvement often extends beyond the development of strictly AIS applications. Systems that do not process financial transactions directly may still draw from accounting data. The accountant may be consulted to provide advice or to determine if the proposed system constitutes an internal control risk.
3.
Based upon what you have read in this chapter, what might be some of the problems that would account for system failures? Response: This is a thought-provoking question and student answers will vary. Examples are: poorly specified systems requirements, ineffective development techniques, lack of user involvement in systems development, and lack of internal audit involvement in the SDLC.
4.
Since information systems often involve advanced technologies that are beyond the knowledge level of typical users, should users play an active role in the SDLC? If so, how should they be involved? Response: Users must be actively involved in the systems development process. Their involvement should not be stifled because the proposed system is technically complex. Regardless of the technology involved, the user can and should provide a detailed written description of the logical needs that must be satisfied by the system. The creation of a user specification document often involves the joint efforts of the user and systems professionals. However, it is most important that this document remain a statement of user needs. It should describe the user’s view of the problem, not that of the systems professionals.
5.
Who should sit on the systems steering committee? What are the typical responsibilities of the steering committee? Response: The composition of the steering committee may include the following: the chief executive officer, the chief financial officer, the chief information officer, senior management from user areas, the internal auditor, senior management from computer services, external consultants, and external auditors. The typical responsibilities of the steering committee include:
a. resolving conflicts that arise from the new system.
b. reviewing projects and assigning priorities.
c. budgeting funds for systems development.
d. reviewing the status of individual projects under development.
e. determining at various checkpoints throughout the SDLC whether to continue the project or terminate it.
6.
What is strategic systems planning, and why should it be done? Response: Strategic systems planning involves the allocation of systems resources at the macro level. It usually deals with a time frame of 3 to 5 years. This process is similar to budgeting resources for other strategic activities, such as product development, plant expansions, market research, and manufacturing technology. There are four justifications for strategic systems planning: 1. A plan that changes constantly is better than no plan at all. 2. Strategic planning reduces the crisis component in systems development. 3. Strategic systems planning provides authorization control for the SDLC. 4. Cost management.
7.
What is the purpose of project planning, and what are the various steps? Response: The purpose of project planning is to allocate resources to individual applications within the framework of the strategic plan. This involves identifying areas of user needs, preparing proposals, evaluating each proposal’s feasibility and contribution to the business plan, prioritizing individual projects, and scheduling the work to be done. The basic purpose of project planning is to allocate scarce resources to specific projects. The product of this phase consists of two formal documents: the project proposal and the project schedule.
8.
What is the object-oriented design (OOD) approach? Response: OOD builds systems from the bottom up through the assembly of reusable modules rather than creating each system from scratch. OOD is most often associated with an iterative approach to the SDLC in which small chunks or modules cycle through all of the SDLC phases rather rapidly, with a short time frame from beginning to end. Then additional modules or chunks are added in some appropriate fashion until the whole system has been developed.
9.
What are the broad classes of facts that need to be gathered in the systems survey? Response: Data sources, users, data stores, processes, data flows, controls, transaction volumes, error rates, resource costs, and bottlenecks and redundant operations.
10.
What are the primary fact-gathering techniques? Response: Observation, task participation, personal interviews, and reviewing key documents.
11.
What are the relative merits and disadvantages of a current systems survey? Response: An advantage of studying the current system is that it provides a way to identify what aspects of the old system are positive and should be kept. Further, the tasks, procedures, and data of the old system need to be understood so that the phase-in of the new system can handle any changes. Also, a survey of the current system may help the analyst determine the underlying cause of the reported symptoms. A disadvantage is that the analysis of the current system may be too time-consuming, especially if conducted at too detailed a level. Further, the study of the current system may create tunnel vision and/or prohibit the analysts from thinking in an innovative fashion.
12.
Distinguish among data sources, data stores, and data flows. Response: Data sources include two types of entities: (a) external, such as customers or vendors, and (b) internal, such as other departments in the organization. Data stores are the files, databases, accounts, and source documents used in the system. Data flows represent the movement of documents or reports among the data sources, data stores, processing tasks, and users.
13.
What are some of the key documents that may be reviewed in a current systems survey? Response: Some of the key documents that may be reviewed are organization charts, job descriptions, accounting manuals, charts of accounts, policy statements, descriptions of procedures, financial statements, performance reports, system flowcharts, source documents, accounts, budgets, forecasts, and mission statements.
14.
What is the purpose of a systems analysis, and what type of information should be included in the systems analysis report? Response: The purpose of systems analysis is to understand both the actual and the desired states. The systems analysis report should contain the problems identified with the current system, the user’s needs, and the requirements of the new system.
15.
What is the primary objective of the conceptual systems design phase? Response: The purpose of the conceptual design phase is to produce several alternative conceptual systems that satisfy the system requirements identified during systems analysis. By presenting users with a number of plausible alternatives, the systems professional avoids imposing preconceived constraints on the new system. The user will evaluate these conceptual models and settle on the alternatives that appear most plausible and appealing. These alternative designs then go to the systems selection phase of SDLC, where their respective costs and benefits are compared and a single optimum design is chosen.
16.
What are two approaches to conceptual systems design? Response: The structured approach and the object-oriented approach.
17.
How much design detail is needed in the conceptual design phase? Response: The conceptual design phase should be general; however, it should possess sufficient detail to demonstrate how the alternative systems are conceptually different in their functions.
18.
What is an object? Provide a business example. Response: Answers will vary. The following is one example: Objects are real-world phenomena that possess two characteristics: They have state and they have behavior. The object’s state is represented by stored attributes (variables or fields). Object behavior is displayed through methods, which are functions or procedures that are performed on or by the object to change the state of its attributes. Inventory is an example of an object. It has state (quantity on hand, description, and reorder point). It has behavior (reduced by sales and increased by purchases).
19.
What is the internal auditor’s primary role in the conceptual design of the system? Response: The auditor is a stakeholder in all financial systems and, thus, has an interest in the conceptual design stage of the system. The auditability of a system depends in part on its design characteristics. Some computer auditing techniques require systems to be designed with special audit features that are integral to the system. These audit features should be specified at the conceptual design stage.
20.
What is operational feasibility and what problems must management address to achieve it? Response: Operational feasibility shows the degree of compatibility between the firm’s existing procedures and personnel skills and the operational requirements of the new system. Implementing the new system may require retraining operations personnel. Management must determine whether sufficient personnel can be retrained, and whether new skills can be obtained, to make the system operationally feasible.
21.
What makes the cost-benefit analysis more difficult for information systems than for most other investments an organization may make? Response: The benefits of information systems are often very difficult to assess. Many times the benefits are intangible, such as improved decision-making capabilities. Also, maintenance costs may be difficult to predict. Most other investments that organizations make, for example, the purchase of a new piece of equipment, tend to have more tangible and estimable costs and benefits.
22.
Classify each of the following as either one-time or recurring costs:
a. training personnel: one-time
b. initial programming and testing: one-time
c. systems design: one-time
d. hardware costs: one-time
e. software maintenance costs: recurring
f. site preparation: one-time
g. rent for facilities: recurring
h. data conversion from old system to new system: one-time
i. insurance costs: recurring
j. installation of original equipment: one-time
k. hardware upgrades: recurring
23.
Distinguish between turnkey and backbone systems. Which is more flexible? Response: Turnkey systems are completely finished and tested systems that are ready for implementation. Backbone systems provide a basic system structure on which to build, and come with the primary processing modules programmed. They are much more flexible than turnkey systems, but are also more expensive and time consuming.
24.
Discuss the relative merits of in-house development versus commercially obtained software. Response: Although in-house programs are very time consuming and expensive to develop, and require a lot of skilled systems personnel, their many advantages lead firms to develop in-house systems. In-house systems are not dependent upon an outside vendor for updates and maintenance; these aspects are controlled locally. The in-house programs are completely customized, whereas commercially developed software is not.
25.
Why is modular programming preferable to free coding? Response: Regardless of the programming language used, modern programs should follow a modular approach. This technique produces small programs that perform narrowly defined tasks. The following three benefits are associated with modular programming.
1. Programming efficiency. Modules can be coded and tested independently, which vastly reduces programming time. A firm can assign several programmers to a single system. Working in parallel, the programmers each design a few modules. These are then assembled into the completed system.
2. Maintenance efficiency. Small modules are easier to analyze and change, which reduces the start-up time during program maintenance. Extensive changes can be parceled out to several programmers simultaneously to shorten maintenance time.
3. Control. By keeping modules small, they are less likely to contain material errors or fraudulent logic. Since each
26.
Why should test data be saved after it has been used? Response: The saved data is called a base case and documents how the system performed at one point in time. At any point in the future, the base case should produce the same results. Therefore, it is saved to facilitate future testing.
27.
Explain the importance of documentation by the system’s programmers. Response: Systems programmers, as well as systems designers, will need the documentation themselves in order to debug the system and perform maintenance.
28.
What documents not typically needed by other stakeholders do accountants and auditors need for the new system? Response: Document flowcharts of manual procedures are needed by the accountants and auditors. These flowcharts describe the physical system by showing explicitly the flow of information between departments, the departments in which the tasks are actually performed, and the specific types and number of documents that carry information. Thus, this document provides a view of the segregation of functions, adequacy of source documents, and location of files.
DISCUSSION QUESTIONS 1.
Comment on the following statement: “The maintenance stage of the SDLC involves making trivial changes to accommodate changes in user needs.” Response: The systems maintenance period may last from five to ten years. During this period changes may need to be made to accommodate changes in user needs, but these changes, however small they might be, are extremely important in keeping the system functioning properly. Further, some major changes may be required.
2.
Discuss how rushing the system’s requirements stage may delay or even result in the failure of a systems development process. Conversely, discuss how spending too long in this stage may result in “analysis paralysis.” Response: If the system’s requirements stage is rushed, the users’ needs may not be fully investigated or revealed. Thus, the system may be built prior to determining the appropriate and complete requirements. If the system is built with an inadequate set of requirements, it will not produce the desired results. Users will become frustrated and unhappy if the new system does not meet their needs. On the other hand, too much analysis can prevent the firm from making any progress. Requirements and technology change over time. At some point, a decision must be made that the system will be based upon the requirements determined to date. Thus, the system’s requirements stage should not be rushed, but lingering and holding on to the phase too long should not be allowed either.
3.
Is a good strategic plan detail oriented? Response: A strategic plan should avoid excessive detail, and it should provide a plan for a general allocation of resources at a macro level. The plan should provide guidance to the systems specialists so that they can make the detailed decisions.
4.
Distinguish between a problem and a symptom. Give an example. Are these usually noticed by upper-, middle-, or lower-level managers? Response: A symptom is the result of a problem. Unfortunately, firms often try to fix the symptom rather than the problem. Decreased output by workers is a symptom, not a problem. If management attempts to solve this situation by hiring more workers, the problem is not solved. The problem may be that the quality of the raw materials is so bad that more time must be spent on each unit. If the problem is appropriately addressed, better-quality raw materials, not more workers, will solve the problem. Hiring more workers merely results in more workers working inefficiently. Symptoms are typically noticed and reported by operational-level managers because they have the closest contact with the day-to-day operations.
5.
What purposes does the systems project proposal serve? How are these evaluated and prioritized? Is the prioritizing process objective or subjective? Response: The systems project proposal provides management with a basis for deciding whether or not to proceed with the project. One of its purposes is to summarize the findings of the preliminary study into a general recommendation for either a new or a modified system. Another is to outline the links between the objectives of the proposed system and the firm’s business objectives. These projects are evaluated based upon their contribution to the strategic objectives of the firm. One factor that may be considered is the improved operational productivity, such as reduced processing costs and reduced inventory carrying costs. Another factor that may be considered is improved decision making by managers. Evaluating competing proposals can be difficult, especially where the expected benefit, such as improved decision making or increased customer satisfaction, is difficult to quantify. Further, weighting the criteria and determining which aspect of the system is most important and which is least important are subjective decisions. One method that exists for evaluating and prioritizing projects is to assign scores for different dimensions and calculate a composite score, which is then used to rank the projects.
6.
Most firms underestimate the cost and time requirements of the SDLC by as much as 50 percent. Why do you think this occurs? In what stages do you think the underestimates are most dramatic? Response: Firms typically understate the implementation time. One reason is due to overly optimistic estimates of employee training time. Another reason is that hardware does not arrive on time. Debugging programs is another area where time is often underestimated. Data conversion from the old system to the new system often takes more time than expected. Further, systems that were rushed in the systems analysis stage may need more maintenance due to demands by unhappy users.
7.
A lack of support by top management has led to the downfall of many new systems projects during the implementation phase. Why do you think management support is so important? Response: Top management must provide a clear message that the system is important and also support it with adequate financial resources. If top management does not send a signal that a system is important, employees (future users of the systems) who are already busy with their assigned duties may not understand the importance of their input into the new system. They may view the interviews and questions as a nuisance that disrupts their work. Top management needs to send the message that the systems requirements analysis is important and compensate for overtime if necessary. If the employees do not fully cooperate, the system may not be appropriately designed. Glitches in the system will become apparent in the implementation phase. Further, the implementation of systems typically causes employees’ work to increase temporarily as they learn the new system. Top management needs to be supportive (perhaps in terms of compensation).
8.
Many new systems projects grossly underestimate transaction volumes simply because they do not take into account how the new, improved system can actually increase demand. Explain how this can happen, and give an example. Response: A system that is easier to access and provides information easily may generate more inquiries than the old system. Take for example the account balance inquiry systems offered by most credit card companies. The old method of account balance inquiry by a cardholder involved a conversation between the cardholder and an account representative. The account representative would ask the cardholder questions and then give the information to the cardholder. Many companies provided this service only during certain hours. The new systems allow account balance inquiries 24 hours a day, and no human representative is involved. The customer uses the telephone keypad as an input device and can obtain account balance information very rapidly and conveniently. The demand for this service has increased as a result of its greater convenience and greater privacy.
9.
Compare and contrast the structured design approach and the object-oriented approach. Which do you believe is most beneficial? Why? Response: The structured approach develops each new system from scratch from the top down. Object-oriented design builds systems from the bottom up through the assembly of reusable modules. A top-down approach is advantageous in that the system is designed around the needs of top management; on the other hand, reusable modules are beneficial for quick development of new systems. A hybrid system where modules can be redesigned when necessary or used without redesign when appropriate combines the best of both approaches.
10.
Intangible benefits are usually extremely difficult to quantify accurately. Some designers argue that if you understate them, then conservative estimates are produced. Any excess benefits will be greatly welcomed but not required for the new system to be a success. What are the dangers of this viewpoint? Response: If intangible benefits are not carefully and diligently estimated and considered, then a suboptimal system may be chosen (i.e., one that does not provide as much customer satisfaction as another option). Because of their inherent nature, intangible benefits are easy targets for manipulation. These benefits should be included in the analysis and decision-making process in some form. Decision support systems exist that allow the inclusion of both tangible and intangible benefits.
11.
If a firm decides early on to go with a special-purpose system, such as SAP, based on the recommendations of the external consulting firm, should the SDLC be bypassed? Response: The systems development life cycle should be conducted, albeit in a modified form. The firm should not decide on a final package until it has determined its needs requirements and considered alternatives.
12.
During a test data procedure, why should the developers bother testing with “bad” data? Response: If only “good” data is tested, then the control procedures for flagging “bad” data cannot be tested. Thus, bad data that can verify all error checking routines should be included, and testing it is just as important as testing good data.
13.
If the system is behind schedule and if each program module is tested and no problems are found, is it necessary to test all modules in conjunction with one another? Why or why not? Response: Yes, all modules must be tested in conjunction with one another. This is necessary to ensure that modules interact together in the desired fashion. In other words, the data may be processed by multiple modules, and tests are necessary to ensure that one module does not corrupt the data processed by another module.
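The points made in questions 12 and 13 can be shown in code. The following is an added example, not from the textbook or its solution manual: a two-module cash-receipts routine (a hypothetical field-level validator and a hypothetical posting module) with a constructed test batch in which each "bad" record triggers exactly one error-checking routine, followed by an integration run that pushes the whole batch through both modules together.

```python
from decimal import Decimal, InvalidOperation

# Constructed batch of cash-receipt records (sample data, not from the page).
# The first record is "good"; each of the other four is "bad" in exactly one
# way, so that every error-checking routine in validate_receipt() is exercised.
SAMPLE_BATCH = [
    {"customer_id": "1001", "check_no": "4411", "amount": "250.00"},  # good
    {"customer_id": "10A1", "check_no": "4412", "amount": "10.00"},   # non-numeric id
    {"customer_id": "1002", "check_no": "",     "amount": "10.00"},   # check number missing
    {"customer_id": "1003", "check_no": "4413", "amount": "ten"},     # amount not a number
    {"customer_id": "1004", "check_no": "4414", "amount": "-5.00"},   # amount not positive
]


def validate_receipt(rec):
    """Module 1: field-level edit checks on one record.

    Returns a list of error codes; an empty list means the record passed.
    A test batch made only of good data never enters any of the 'append'
    branches below, so those routines would remain untested.
    """
    errors = []
    if not str(rec.get("customer_id", "")).isdigit():
        errors.append("E01_CUSTOMER_ID")
    if not rec.get("check_no"):
        errors.append("E02_CHECK_NO")
    try:
        amount = Decimal(str(rec.get("amount", "")))
    except InvalidOperation:
        errors.append("E03_AMOUNT_FORMAT")
    else:
        if amount <= 0:
            errors.append("E04_AMOUNT_SIGN")
    return errors


def post_receipt(balances, rec):
    """Module 2: apply one receipt to the customer's receivable balance.

    Assumes the record has already passed validate_receipt(). Whether the
    modules actually honour that assumption when wired together is exactly
    what a module-level test cannot show and an integration test can.
    """
    cid = rec["customer_id"]
    balances[cid] = balances.get(cid, Decimal("0")) - Decimal(rec["amount"])
    return balances[cid]


def process_batch(batch, balances):
    """Modules 1 and 2 working together: valid records are posted, invalid
    records go to an error log for follow-up instead of being posted."""
    error_log = []
    for rec in batch:
        errs = validate_receipt(rec)
        if errs:
            error_log.append((rec["check_no"] or "<none>", errs))
        else:
            post_receipt(balances, rec)
    return error_log


def error_routines_exercised(batch):
    """Unit-test view: the set of error routines a batch actually triggers."""
    hit = set()
    for rec in batch:
        hit.update(validate_receipt(rec))
    return hit


def run_integration(starting_balance="1000.00"):
    """Integration-test view: run the whole batch through both modules from a
    constructed opening balance and report what the combined system did
    (closing balance of customer 1001, number of rejected records, and the
    set of customers that ended up with a balance record)."""
    balances = {"1001": Decimal(starting_balance)}
    rejected = process_batch(SAMPLE_BATCH, balances)
    return str(balances["1001"]), len(rejected), sorted(balances)


if __name__ == "__main__":
    print("routines hit by good data only:", error_routines_exercised(SAMPLE_BATCH[:1]))
    print("routines hit by the full batch:", error_routines_exercised(SAMPLE_BATCH))
    print("integration result:", run_integration())
```

Running the block directly prints an empty set for the good-data-only case: none of the four error routines would have been tested. The integration result confirms that the rejected records never reached the posting module (only customer 1001 has a balance record) and that the one valid receipt was applied once.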
14.
Run manuals for computer operators are similar in theory to the checklists that airplane pilots use for takeoffs and landings. Explain why these are important. Response: Run manuals list each system and the frequency with which it should be run. Further, the required hardware and file requirements are listed. These lists tend to be numerous, and even a seasoned computer operator may occasionally forget exactly which run should be performed on a given day. Pilots are trained and licensed to fly airplanes, yet they still have checklists to which they refer for pre-flight, take-offs, and landing just to ensure that one of the many procedures is not forgotten. Like pilots, computer operators should refer to run lists just to make sure they have not forgotten any runs on any particular day.
15.
Who conducts the post-implementation review? When should it be conducted? If an outside consulting firm were hired to design and implement the new system, or a canned software package were purchased, would a post-implementation review still be useful? Response: The systems personnel should conduct the post-implementation review regardless of whether the system was developed in-house or purchased. The end users should be interviewed as well as the accountants. The post-implementation review should occur a few months after the implementation phase so that the user can adjust to the system and processing occurs at a normal rate.
16.
Discuss the importance of involving accountants in the detailed design and implementation phases. What tasks should they perform? Response: The accountants should provide technical expertise during the detailed design phase. For AISs, the specifications must comply with GAAP, GAAS, SEC, and IRS regulations. Accounting choices, such as depreciation and inventory valuation methods, must be incorporated. The accountants should also participate in the implementation phase by specifying and reviewing system documentation because these documents play an important role in the audit process.
17.
Discuss the independence issue when audit firms also provide consulting input into the development and selection of new systems. Response: This is a violation of the Sarbanes-Oxley Act. Having a system audited by the consulting firm that initially proposed it may produce a bias on the consulting firm’s part to view the system in a positive light.
18.
Discuss the various feasibility measures that should be considered. Give an example of each. Response: There are several common feasibility measures.
• One feasibility measure is technical feasibility, which is an assessment as to whether the system can be developed under existing technology or whether new technology is needed. An example might be a situation in which a firm wants to completely automate the sales process. A question would be: Is technology available that allows sales to be made without humans?
• Another feasibility measure is economic feasibility, which is an assessment as to the availability of funds to complete the project. A question would be: Is it cost feasible to purchase equipment to automate sales?
• Legal feasibility identifies any conflicts between the proposed system and the company’s ability to discharge its legal responsibilities. An example would be a firm that is proposing a new mail-order sales processing system for selling wine. Is it legal to sell wine without identification? (The answer must be yes, because such systems exist.)
• Another consideration is operational feasibility, which shows the degree of compatibility between the firm’s existing procedures and personnel skills and the operational requirements of the new system. The firm should ask: Do we have the right workforce to operate the system? If not, can employees be trained? If not, can they be hired?
• Lastly, schedule feasibility is important, and the concern is whether the firm has the ability to implement the project within an acceptable time frame. An example would be a new ticket sales system for a sports team. The system would need to be implemented prior to the start of the new season.
19.
Discuss three benefits associated with modular programming. Response: The following three benefits are associated with modular programming.
a. Programming Efficiency. Modules can be coded and tested independently, which vastly reduces programming time. A firm can assign several programmers to a single system. Working in parallel, the programmers each design a few modules. These are then assembled into the completed system.
b. Maintenance Efficiency. Small modules are easier to analyze and change, which reduces the start-up time during program maintenance. Extensive changes can be parceled out to several programmers simultaneously to shorten maintenance time.
c. Control. If modules are kept small, they are less likely to contain material errors or fraudulent logic. Because each module is independent of the others, errors are contained within the module.
20.
What is the purpose of polymorphism? Response: Polymorphism allows multiple and different objects to respond to the same message. Each object may contain the same method name, but act upon the method differently because the programming code behind it is different in each class. An example of polymorphism is the function of printing documents.
21.
How can encapsulation support internal control? Response: Encapsulation is the act of placing data and methods in the same class and thus restricting access to the object's components. In this way the internal representation of an object is hidden from outside view. This protects object integrity by preventing users from corrupting its internal data by accidentally or intentionally setting it to an invalid state.
22.
Distinguish between object class and instance. Response: A class is a blueprint that defines the attributes and the methods common to all objects of a certain type. An instance is a single occurrence of an object within a class.
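The three object-oriented ideas in questions 20 to 22 can be seen together in a short program. The following is an added example, not from the textbook or its solution manual, written in Python with constructed names and values: a hypothetical Account class whose balance can only change through a method that enforces control rules (encapsulation; Python enforces this through name mangling and convention rather than a hard access barrier, but the design intent is the same as in Java or Smalltalk), two document classes that answer the same render() message with class-specific code (polymorphism), and a helper showing that several instances share one class but hold their own state.

```python
from decimal import Decimal


class Account:
    """Encapsulation: the balance lives in a name-mangled private attribute and
    changes only through post(), which enforces the control rules. There is no
    setter, so no caller can place the object in an invalid state directly."""

    def __init__(self, number, opening_balance="0.00"):
        opening = Decimal(opening_balance)
        if opening < 0:
            raise ValueError("opening balance may not be negative")
        self._number = number
        self.__balance = opening   # stored internally as _Account__balance
        self.__postings = []       # audit trail of every change

    @property
    def number(self):
        return self._number

    @property
    def balance(self):
        """Read-only view of the internal state."""
        return self.__balance

    def post(self, amount, reference):
        """The only way to change the balance: rejects zero amounts, missing
        document references, and anything that would leave the balance negative."""
        amt = Decimal(amount)
        if amt == 0:
            raise ValueError("zero-amount posting")
        if not reference:
            raise ValueError("posting requires a document reference")
        if self.__balance + amt < 0:
            raise ValueError("posting would leave the balance negative")
        self.__balance += amt
        self.__postings.append((reference, amt))
        return self.__balance

    def postings(self):
        return list(self.__postings)   # a copy, so callers cannot edit the trail


def try_invalid_posting(account, amount, reference="CD-99"):
    """Control test: attempt a posting that should be rejected and report
    (error_raised, balance_unchanged)."""
    before = account.balance
    try:
        account.post(amount, reference)
    except ValueError:
        return True, account.balance == before
    return False, account.balance == before


# Polymorphism: two document classes answer the same message, render(), with
# their own code, so a caller can print a mixed batch without knowing which
# class each item belongs to.
class Document:
    def __init__(self, number, amount):
        self.number = number
        self.amount = Decimal(amount)

    def render(self):
        raise NotImplementedError


class Invoice(Document):
    def __init__(self, number, customer, amount):
        super().__init__(number, amount)
        self.customer = customer

    def render(self):
        return f"INVOICE {self.number}: {self.customer} owes {self.amount}"


class Check(Document):
    def __init__(self, number, payee, amount):
        super().__init__(number, amount)
        self.payee = payee

    def render(self):
        return f"CHECK {self.number}: pay {self.payee} {self.amount}"


def render_all(documents):
    """One message sent to every object; each class supplies its own method."""
    return [doc.render() for doc in documents]


def sample_documents():
    """Constructed instances (not from the page). Invoice is the class, the
    blueprint; each object built from it is an instance with its own state."""
    return [
        Invoice("INV-1", "Acme", "100.00"),
        Invoice("INV-2", "Bayside", "42.50"),
        Check("CHK-7", "Utility Co", "40.00"),
    ]


def class_vs_instance():
    """(same class?, same object?, different attribute values?) for two invoices."""
    a, b, _ = sample_documents()
    return type(a) is type(b), a is b, a.number != b.number


if __name__ == "__main__":
    acct = Account("1010", "100.00")
    acct.post("25.00", "CR-1")
    print(acct.balance, try_invalid_posting(acct, "-500.00"))
    print("\n".join(render_all(sample_documents())))
```

The control value of the Account class is that every rejected posting leaves the balance exactly as it was, and every accepted one is recorded in the posting trail; a caller that tries to assign acct.balance directly gets an AttributeError because the property has no setter.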
MULTIPLE CHOICE PROBLEMS
1. c
2. a
3. d
4. a
5. c
6. b
7. e
8. d
9. d
10. a
11. b
12. c
13. a
14. a
15. a
16. b
17. c
18. c
PROBLEMS 1. Announcing a New Information System The AJAX Company is considering implementing a new accounting system, which will automate sales processing, cash receipts, accounts payable, and cash disbursement procedures. Roger Moore, AJAX’s CIO, sent an announcement letter to the AJAX community. In the letter Moore said: “I have contracted with Spartan Consulting Group to do the needs analysis, system selection, and design work. The programming and implementation will be performed in-house using existing IT department staff. The development process will be unobtrusive to user departments because Spartan knows what needs to be done. They will work independently, in the background, and will not disrupt departmental and internal audit work flow with time-consuming interviews, surveys, and questionnaires. This promises to be an efficient process that will produce a system that will be appreciated by all users.” Required: Draft a memo from George Jones, Director of Internal Audits, in response to Moore’s letter. Response: Student responses will vary. The issues that should be addressed include the following:
• The decision to exclude users from the development process is flawed.
• During systems development, systems professionals should work with the primary users to obtain an understanding of the users’ problems and a clear statement of their needs.
• A survey of the current system is essential. The consultants need to gather facts that describe key system features, situations, and relationships. These include facts about data sources, users, key processes, control points, transaction types and volumes, error rates, resource costs, bottlenecks, and redundant operations.
• Some of the above facts can be gathered independently through documentation, but many of them can be obtained only through user participation. This includes personal interviews, open-ended questions, and structured questionnaires.
• The internal auditor should be involved in the development process.
An internal audit group, astute in computer technology and with a solid grasp of the business problems of users, serves in an essential liaison capacity.
• The internal auditor must ensure the auditability of the system. Some computer auditing techniques, such as the Embedded Audit Module (EAM) and the Integrated Test Facility (ITF), need to be designed into systems as integral components. The internal auditor is best qualified to determine if the system under consideration is a good candidate for integrated audit features and, if so, which feature is best suited for the system.
• The auditor should be involved in the final system selection to assess the economic feasibility of the proposed system.
2. Problems vs. Symptoms Being able to distinguish between a symptom and a problem is an important analysis skill. Classify each of the following as a problem or a symptom. If it is a symptom, give two examples of a possible underlying problem. If it is a problem, give two examples of a possible symptom that may be detected.
a. declining profits
b. defective production processes
c. low-quality raw materials
d. shortfall in cash balance
e. declining market share
f. shortage of employees in the accounts payable department
g. shortage of raw material due to a drought in the market
h. inadequately trained workers
i. decreasing customer satisfaction
Response:
a. declining profits—symptom. Possible problems are a production process that is producing defective products and causing a decline in sales, or increased costs due to high maintenance of outdated machinery.
b. defective production process—problem. Possible symptoms are declining sales or increased COGS due to labor time for reworks.
c. low-quality raw materials—problem. Possible symptoms are declining sales or increased COGS.
d. shortfall in cash balance—symptom. Possible problems are loose accounts receivable collections or over-purchase of inventory.
e. declining market share—symptom. Possible problems are producing the wrong product mix (i.e., producing unwanted items) or poor customer service.
f. shortage of employees in the accounts payable department—problem. Possible symptoms are increased discounts lost or increased errors in processing tasks.
g. shortage of raw material due to a drought in the Midwest—problem. Symptoms are declining profits or unfilled customer orders. NOTE: It could also be viewed as a symptom of relying too heavily on one supplier.
h. inadequately trained workers—problem. Possible symptoms are higher COGS or decreased sales.
i. decreasing customer satisfaction—symptom. Possible problems are a defective production process or poor means of distribution.
3. Systems Development and Implementation Kruger Designs hired a consulting firm three months ago to redesign the information system used by the architects. The architects will be able to use state-of-the-art CAD programs to help in designing the products.
Further, they will be able to store these designs on a network server where they and other architects may be able to call them back up for future designs with similar components. The consulting firm has been instructed to develop the system without disrupting the architects. In fact, top management believes that the best route is to develop the system and then to “introduce” it to the architects during a training session. Management does not want the architects to spend precious billable hours guessing about the new system or putting work off until the new system is working. Thus, the consultants are operating in a back room under a shroud of secrecy. Required: a. Do you think that management is taking the best course of action for the announcement of the new system? Why? b. Do you approve of the development process? Why? Response: a. Management should announce the plan and try to gain support from the very beginning.
The proposed plan will probably backfire and cause the architects to waste time trying to guess what is happening. (Secrets are not easily held in organizations. The consultants will be seen in meetings with management.) Anxiety may result, and as a worst-case scenario, some of the best and most marketable employees may seek employment elsewhere. b. The systems development process should include the end users. The day-to-day users of the CAD system will be the architects, and these architects should play a very active role in the development process. If they do not, their needs most probably will not be fully met. 4. Systems Analysis Consider the following dialogue between a systems professional, Joe Pugh, and a manager of a department targeted for a new information system, Lars Meyer: Pugh: The way to go about the analysis is to first examine the old system, such as reviewing key documents and observing the workers perform their tasks. Then we can determine which aspects are working well and which should be preserved. Meyer: We have been through these types of projects before and what always ends up happening is that we do not get the new system we are promised; we get a modified version of the old system. Pugh: Well, I can assure you that will not happen this time. We just want a thorough understanding of what is working well and what is not. Meyer: I would feel much more comfortable if we first started with a list of our requirements. We should spend some time up-front determining exactly what we want the system to do for my department. Then you systems people can come in and determine what portions to salvage if you wish. Just don’t constrain us to the old system! Required: a. Obviously, these two workers have different views on how the systems analysis phase should be conducted. Comment on whose position you sympathize with the most. b. What method would you propose they take? Why? Response: a. 
The systems professionals will be able to understand the needs of the new system if they fully understand the operations of the old system. This understanding of the old system will help them to assess and incorporate the users’ likes of the old system into the new system. The manager of the user department, however, has a legitimate concern that too much time will be spent studying “what is” rather than “what should be.” A clean slate often results in more innovative solutions. b. The old system needs to be understood at some level. I would propose that a very fundamental analysis of the current system be conducted within a given time frame, with the focus on the likes and dislikes. Then a new systems requirements analysis could begin with a prioritized users’ “wish list.” This wish list could be used as the starting point for the user requirements. 5. Systems Design Robin Alper, a manager of the credit collections department for ACME Building Supplies, is extremely unhappy with a new system that was installed three months ago. Her complaint is that the data flows from the billing and accounts receivable departments are not occurring in the manner originally requested. Further, the updates to the database files are not occurring as frequently as she had envisioned. Thus, the hope that the new system would provide more current and timely information has not materialized. She claims that the systems analysts spent three days interviewing her and other workers. During that time, she and the other workers thought they had
clearly conveyed their needs. She feels as if their needs were ignored and their time was wasted. Required: What went wrong during the systems design process? What suggestions would you make for future projects? Response: Some possible reasons the system is not meeting Ms. Alper’s needs are the following: a. Ms. Alper and her co-workers did not clearly convey their requirements. b. The systems analysts did not clearly understand the requirements. c. The processing details and output details were not specified in enough detail. d. The specifications, once developed, were not reviewed by the end users, Ms. Alper and her co-workers, for accuracy and completeness. e. The system that was implemented does not meet all of the design specifications. In the future: 1) The internal audit department should be involved to act as a liaison between end users and the consultants. 2) User test and acceptance procedures should be performed before the system is implemented.
6. Conceptual Design Prepare two alternative conceptual designs for both an accounts payable system and an accounts receivable system. Discuss the differences in concept between the two designs. From a cost perspective, which is more economical? From a benefits perspective, which is more desirable? Which design would you prefer and why? Response: This is an open-ended question and student responses will vary. The instructor should direct students to apply the principles of conceptual alternative design and cost benefit analysis discussed in the chapter. 7. Systems Design Robert Hamilton was hired six months ago as the controller of a small oil and gas exploration and development company, Gusher, Inc., headquartered in Beaumont, Texas. Before working at Gusher, Hamilton was the controller of a larger petroleum company, Eureka Oil Company, based in Dallas. The joint interest billing and fixed asset accounting systems of Gusher are outdated, and many processing problems and errors have been occurring quite frequently. Hamilton immediately recognized these problems and informed the president, Mr. Barton, that it was crucial to install a new system. Barton concurred and met with Hamilton and Sally Jeffries, the information systems senior manager. Barton instructed Jeffries to make the new system that Hamilton wished to have a top priority in her department. Basically, he told Jeffries to deliver the system to meet Hamilton’s needs as soon as possible. Jeffries left the meeting feeling overwhelmed because the IS department is currently working on two other very big projects, one for the production department and the other for the geological department. The next day, Hamilton sent a memo to Jeffries indicating the name of a system he had 100 percent confidence in—Amarillo Software—and he also indicated that he would very much like this system to be purchased as soon as possible. 
He stated that the system had been used with much success during the past four years in his previous job. When commercial software is purchased, Jeffries typically sends out requests for proposals to at least six different vendors after conducting a careful analysis of the needed requirements. However, due to the air of urgency demonstrated in the meeting with the president and the overworked systems staff, she decided to go along with Hamilton’s wishes and sent only one RFP (request for proposal) out, which went to Amarillo Software. Amarillo promptly returned the completed questionnaire. The purchase price ($75,000) was within the budgeted amount. Jeffries contacted the four references provided and was satisfied with their comments. Further, she felt comfortable since the system was for Hamilton, and he had used the system for four years. The plan was to install the system during the month of July and try it for the August transaction cycle. Problems were encountered, however, during the installation phase. The system processed extremely slowly on the hardware platform owned by Gusher. When Jeffries asked Hamilton how the problem had been dealt with at Eureka, he replied that he did not remember having had such a problem. He called the systems manager from Eureka and discovered that Eureka had a much more powerful mainframe than Gusher. Further investigation revealed that Gusher has more applications running on its mainframe than Eureka did, since Eureka used a two-mainframe distributed processing platform. Further, the data transfer did not go smoothly. A few data elements being stored in the system were not available as an option in the Amarillo system. Jeffries found that the staff at Amarillo was very friendly when she called, but they could not always identify the problem over the phone. They really needed to come out to the site and investigate. Hamilton was surprised at the delays between requesting an Amarillo consultant to come out and the time in which he or she actually arrived. Amarillo explained that it had to fly a staff member from Dallas to Beaumont for each trip. The system finally began to work somewhat smoothly in January, after a grueling fiscal year-end close in October. Hamilton’s staff viewed the project as an unnecessary inconvenience. At one point, two staff accountants threatened to quit.
The extra consulting fees amounted to $35,000. Further, the systems department at Gusher spent 500 more hours during the implementation process than it had expected. These additional hours caused other projects to fall behind schedule. Required: Discuss what could have been done differently during the design phase. Why were most of the problems encountered? How might a detailed feasibility study have helped? Response: The systems analysis and requirements phase was never conducted. Further, a conceptual design was never prepared. A crucial aspect, the feasibility study, was never carried out. Thus, no criteria were available to judge whether the vendor’s RFP was appropriate for Gusher. Due to time constraints, Gusher purchased the software hurriedly without conducting the proper analysis. The rush to put in a new project because the systems department was overworked caused more work, troubles, headaches, and cost outflows than would have occurred if the analysis had been appropriately conducted in the first place. Proper analysis would probably have addressed the major problems. The software purchased did not have data fields to capture some of the data captured by the old system. The mainframe, with all of the other processing, was not sufficiently powerful to process transactions using the new system. A benchmark test using Gusher’s mainframe and data would have discovered both problems. 8. Programming Languages Describe the basic features of the following three types of programming languages: procedural, event-driven, and object-oriented. Give examples of each type of language. Response: a. Procedural Languages. A procedural language requires the programmer to specify the precise order in which the program logic is executed. Procedural languages are often called third-generation languages (3GLs). Examples of 3GLs include COBOL, FORTRAN, C, and PL1. In business (particularly in accounting) applications, COBOL was the dominant language for years.
COBOL has great capability for performing highly detailed operations on individual data records and handles large files very efficiently. On the other hand, it is an extremely wordy language that makes programming a time-consuming task. COBOL has survived as a viable language because many of the legacy systems written in the 1970s and 1980s, which were coded in COBOL, are still in operation today. Major retrofits and routine maintenance to these systems need to be coded in COBOL. Upward of 12 billion lines of COBOL code are executed daily in the United States. b. Event-Driven Languages. Event-driven languages are no longer procedural. Under this model, the program’s code is not executed in a predefined sequence. Instead, external actions, or “events” that are initiated by the user dictate the control flow of the program. For example, when the user presses a key, or clicks on an icon on the computer screen, the program automatically executes code associated with that event. This is a fundamental shift from the 3GL era. Now, instead of designing applications that execute sequentially from top to bottom in accordance with the way the programmer thinks they should function, the user is in control. Microsoft’s Visual Basic is the most popular example of an event-driven language. The syntax of the language is simple yet powerful. Visual Basic is used to create real-time and batch applications that can manipulate flat files or relational databases. It has a screen-painting feature that greatly facilitates the creation of sophisticated graphical user interfaces (GUI). c. Object-Oriented Languages. Central to achieving the benefits of the object oriented approach is developing software in an object-oriented programming (OOP) language. The most popular true OOP languages are Java and Smalltalk. However, the learning curve of OOP languages is steep. The time and cost of retooling for OOP is the greatest impediment to the transition process. 
Most firms are not prepared to discard millions of lines of traditional COBOL code and retrain their programming staffs to implement object-oriented systems. Therefore, a compromise, intended to ease this transition, has been the development of hybrid languages, such as Object COBOL, Object Pascal, and C++. 9. Program Testing When program modules have been coded and tested, they must be brought together and tested as a whole. Comment on the importance of testing the entire system. Response: User personnel should direct system-wide testing as a prelude to the formal system cutover. The procedure involves using the system to process hypothetical data. The outputs of the system are then reconciled with predetermined results, and the test is documented to provide evidence of the system’s performance. Finally, when those conducting the tests are satisfied with the results, a formal acceptance document should be completed. This is an explicit acknowledgment by the user that the system in question meets stated requirements. The user acceptance document becomes important in reconciling differences and assigning responsibility during the post-implementation review of the system. 10. Database Conversion What is database conversion? Why is it a risky activity, and what precautions should be taken? Response: Database conversion is a critical step in the implementation phase. This is the transfer of data from its current form to the format or medium required by the new system. The degree of conversion depends on the technology leap from the old system to the new one. Some conversion activities are very labor intensive, requiring data to be entered into new databases manually. For example, the move from a manual system to a computer system will require converting files from paper to magnetic disk or tape. In other situations, companies can accomplish data transfer by writing special conversion programs. 
A case in point is changing the file structure of the databases from sequential to direct access files. In any case, data conversion is risky and must be carefully controlled. The following precautions should be taken.
a. Validation. The old database must be validated before conversion. This requires analyzing each class of data to determine whether it should be reproduced in the new database.
b. Reconciliation. After the conversion action, the new database must be reconciled against the original. Sometimes this must be done manually, record by record and field by field. In many instances, this process can be automated by writing a program that will compare the two sets of data.
c. Backup. Copies of the original files must be kept as backup against discrepancies in the converted data. If the current files are already in magnetic form, they can be conveniently backed up and stored. However, paper documents can create storage problems. When the user feels confident about the accuracy and completeness of the new databases, the paper documents may be destroyed.
11. System Cutover Discuss three common approaches to system cutover. Comment on the advantages and disadvantages of each approach. Response: A system cutover will usually follow one of three approaches: cold turkey, phased, or parallel operation. a. Cold Turkey Cutover. Under the cold turkey cutover approach (also called the big bang approach), the firm switches to the new system and simultaneously terminates the old system. When implementing simple systems, this is often the easiest and least costly approach. With more complex systems, it is the riskiest. Cold turkey cutover is akin to skydiving without a reserve parachute. As long as the main parachute functions properly, there is no problem. But things don’t always work the way they are supposed to. System errors that were not detected during the walkthrough and testing steps may materialize unexpectedly. Without a backup system, an organization can find itself in serious trouble. b. Phased Cutover. Sometimes an entire system cannot, or need not, be cut over at once. The phased cutover begins by implementing the new system in modules.
For example, one might implement the sales subsystem, followed by the inventory control subsystem, and finally the purchases subsystem. By phasing in the new system in modules, the risk of a devastating system failure is reduced. However, the phased approach can create incompatibilities between new subsystems and yet-tobe-replaced old subsystems. This problem may be alleviated by implementing special conversion systems that provide temporary interfaces during the cutover period. c. Parallel Operation Cutover. Parallel operation cutover involves running the old system and the new system simultaneously for a period of time. Running two systems in parallel essentially doubles resource consumption. During the cutover period, the two systems require twice the source documents, twice the processing time, twice the databases, and twice the output production. The advantage of parallel cutover is the reduction in risk. By running two systems, the user can reconcile outputs to identify errors and debug errors before running the new system solo. Parallel operation should usually extend for one business cycle, such as one month. This allows the user to reconcile the two outputs at the end of the cycle as a final test of the system’s functionality.
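The automated record-by-record, field-by-field comparison described under (b), which also serves the output reconciliation of a parallel cutover, as an added Python example that is not part of the solution manual; the accounts-receivable records below are constructed sample data:

```python
"""Reconcile a converted data set against its source, record by record and
field by field.  Added example; the sample records are constructed and are
not taken from any real conversion."""
from dataclasses import dataclass, field


@dataclass
class Reconciliation:
    missing_in_new: list = field(default_factory=list)    # keys only in the old file
    extra_in_new: list = field(default_factory=list)      # keys only in the new file
    field_mismatches: list = field(default_factory=list)  # (key, field, old, new)

    @property
    def clean(self) -> bool:
        return not (self.missing_in_new or self.extra_in_new or self.field_mismatches)


def reconcile(old_records, new_records, key, fields, normalisers=None):
    """Compare two record sets keyed on `key`; `fields` lists the attributes
    that must agree.  `normalisers` maps a field name to a function applied to
    both sides before comparison (e.g. when the new file stores an amount in
    cents and the old one in dollars)."""
    normalisers = normalisers or {}
    old_by_key = {r[key]: r for r in old_records}
    new_by_key = {r[key]: r for r in new_records}
    if len(old_by_key) != len(old_records) or len(new_by_key) != len(new_records):
        raise ValueError("duplicate keys: reconciliation would be ambiguous")

    result = Reconciliation()
    result.missing_in_new = sorted(set(old_by_key) - set(new_by_key))
    result.extra_in_new = sorted(set(new_by_key) - set(old_by_key))
    for k in sorted(set(old_by_key) & set(new_by_key)):
        for f in fields:
            norm = normalisers.get(f, lambda v: v)
            old_v, new_v = old_by_key[k].get(f), new_by_key[k].get(f)
            if norm(old_v) != norm(new_v):
                result.field_mismatches.append((k, f, old_v, new_v))
    return result


def control_totals(records, amount_field):
    """Record count and hash total, used to corroborate the field-level check."""
    return len(records), round(sum(r[amount_field] for r in records), 2)


# Constructed sample: an accounts-receivable master before and after conversion.
OLD_AR = [
    {"cust_no": "C001", "name": "Acme Ltd", "balance": 1250.00},
    {"cust_no": "C002", "name": "Bolt Co", "balance": 300.50},
    {"cust_no": "C003", "name": "Crown plc", "balance": 0.00},
]
NEW_AR = [
    {"cust_no": "C001", "name": "Acme Ltd", "balance": 1250.00},
    {"cust_no": "C002", "name": "Bolt Co.", "balance": 300.50},  # name altered
    {"cust_no": "C004", "name": "Delta", "balance": 99.00},      # C003 lost, C004 appeared
]


def sample_reconciliation():
    return reconcile(OLD_AR, NEW_AR, key="cust_no", fields=["name", "balance"])


if __name__ == "__main__":
    rec = sample_reconciliation()
    print("missing in new:", rec.missing_in_new, "extra in new:", rec.extra_in_new)
    for item in rec.field_mismatches:
        print("mismatch:", item)
    print("old totals:", control_totals(OLD_AR, "balance"),
          "new totals:", control_totals(NEW_AR, "balance"))
```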
12. Audit of Systems Development
The Balcar Company’s auditors are developing an audit plan to review the company’s systems development procedures. Their audit objectives are to ensure that
1. The system was judged necessary and justified at various checkpoints throughout the SDLC.
2. Systems development activities are applied consistently and in accordance with management’s policies to all systems development projects.
3. The system as originally implemented was free from material errors and fraud.
4. System documentation is sufficiently accurate and complete to facilitate audit and maintenance activities.
The following six controllable activities have been identified as sources of audit evidence for meeting these objectives: systems authorization, user specification, technical design, internal audit participation, program testing, and user testing and acceptance.
Required:
a. Explain the importance of each of the six activities in promoting effective control.
b. Outline the tests of controls that the auditor would perform in meeting audit objectives.
Response:
a. Systems Authorization Activities. All systems should be properly authorized to ensure their economic justification and feasibility. This requires a formal environment in which users submit requests to systems professionals in written form.
User Specification Activities. Users need to be actively involved in the systems development process. User involvement should not be stifled by the technical complexity of the system. Regardless of the technology involved, the users should create detailed written descriptions of their needs. The creation of a user specification document often involves the joint efforts of the user and systems professionals. However, this document must remain a statement of user needs. It should describe the user’s view of the problem, not that of the systems professionals.
Technical Design Activities. The technical design activities translate user specifications into a set of detailed technical specifications for a system that meets the user’s needs. The scope of these activities includes systems analysis, feasibility analysis, and detailed systems design. The adequacy of these activities is reflected in the quality of the documentation that emerges from each phase.
Internal Audit Participation. To meet the governance-related expectations of management under SOX, an organization’s internal audit department needs to be independent, objective, and technically qualified. As such, the internal auditor can play an important role in the control of systems development activities. An internal audit group, astute in computer technology and possessing a solid grasp of the business problems to be solved, is invaluable to the organization during all phases of the SDLC.
Program Testing. All program modules must be thoroughly tested before they are implemented. The results of the tests are then compared against predetermined results to identify programming and logic errors. The auditor should verify that all branches of the application's logic have been tested. The task of creating meaningful test data is time consuming. The data should therefore be saved, as they will give the auditor a frame of reference for designing and evaluating future audit tests. For example, if a program has undergone no maintenance changes since its implementation, the test results from the audit should be identical to the original test results. Having a basis for comparison, the auditor can thus quickly verify the integrity of the program code.
User Test and Acceptance Procedures. Prior to system implementation, the individual modules of the system need to be formally and rigorously tested as a whole. The test team should consist of user personnel, systems professionals, and internal auditors. The details of the tests performed and their results need to be formally documented and analyzed. Once the test team is satisfied that the system meets its stated requirements, the system can be transferred to the user.
b. In meeting the audit objectives, the auditor would perform a combination of tests of application controls and substantive tests of transaction details and account balances. The auditors would examine the audit trail of program changes by reconciling program version numbers and confirming maintenance authorizations. The auditors identify application errors by reconciling the source code, reviewing test results, and re-testing the program.
13. Fact-Gathering Techniques
Your company, Tractors, Inc., is employing the SDLC for its new information system. You have been chosen as a member of the development team because of your strong accounting background. This background includes a good understanding of both financial and managerial accounting concepts and required data. You also possess a great understanding of internal control activities. You do not, however, fully understand exactly what the internal auditors will need from the system in order to comply with Section 404 of the Sarbanes-Oxley Act. Lay out the fact-gathering techniques you might employ to increase your understanding of this important component of your new system. Response: Neither observation nor task preparation will provide much help in learning how auditors comply with Section 404; instead, personal interviews and review of key documents would be more helpful. Perhaps the review of two key documents might be a good starting point. The first might be the Sarbanes-Oxley Act itself. This document could provide the framework of compliance. Another document whose review could be helpful is a previously prepared report on internal controls. Since this document is an end requirement of the Act, the information and content of the report should provide additional understanding of the information the system must be able to produce. Conducting a personal interview of members of the internal audit department who are responsible for compliance will also be helpful. These auditors can provide answers to such questions as what data must come from the system and which controls must be programmed in order to comply.
14. Systems Selection
Your company, Kitchen Works, is employing the SDLC for its new information system. The company is currently performing a number of feasibility studies, including the economic feasibility study. A draft of the economic feasibility study has been presented to you for your review. You have been charged with determining whether only escapable costs have been used, the present value of cash flows is accurate, the one-time and recurring costs are correct, realistic useful lives have been used, and the intangible benefits listed in the study are reasonable. Although you are a member of the development team because of your strong accounting background, you have questions about whether some costs are escapable, the interest rates used to perform present value analysis, and the estimated useful lives that have been used. How might you resolve your questions?
Response: Information about escapable costs may be found in a review of contracts. It may be that some of the costs included are governed by contracts with clauses that allow the contract to be altered. It may also be that routine costs (like future orders and leases) are not escapable and have not been included in the computations. Several sources exist that tie interest rates to risks and industries. A search for such sources must be made and the cited rates compared to those used in the present value analysis. Estimates of useful life may best be examined by interviewing those responsible for their preparation. Care should be taken to understand whether estimates are biased due to a preference on the part of the preparer.
15. Cost-Benefit Analysis
Listed in the diagram for Problem are some probability estimates of the costs and benefits associated with two competing projects.
a. Compute the net present value of each alternative. Round the cost projections to the nearest month. Explain what happens to the answer if the probabilities of the recurring costs are incorrect and a more accurate estimate is as follows:

        A                     B
  .10   $ 75,000        .4    $ 85,000
  .55     95,000        .4     100,000
  .35    105,000        .2     110,000

b. Repeat step (a) for the payback method.
c. Which method do you think provides the best source of information? Why?
Response:
Weighted Average Recurring Costs:
Project A: (.10*75,000)+(.55*95,000)+(.35*105,000) = $96,500
Project B: (.4*85,000)+(.4*100,000)+(.2*110,000) = $96,000
These numbers are the weighted average of the recurring costs only, and do not take into consideration the benefits.
NPV = Benefits – Costs:
Project A: [(.3*220,000)+(.5*233,000)+(.2*240,000)] - [(.10*75,000)+(.55*95,000)+(.35*105,000)] = $134,000
Project B: [(.25*215,000)+(.5*225,000)+(.25*235,000)] - [(.4*85,000)+(.4*100,000)+(.2*110,000)] = $129,000
Present Value of an Annuity of 1 over 5 years at 10% = 3.79079
Present Value:
Project A: $134,000 * 3.79079 = $507,966
Project B: $129,000 * 3.79079 = $489,012
Presume that only the 10% factor for A was incorrectly determined. Further presume a more accurate rate would be 8%. This is only a 2% difference, but this difference results in a weighted average for A of $95,000 and a present value of $360,125. A minor misestimate will result in a different decision.
The second part of this question is confusing because the ‘accurate estimates’ given in part a of this question are exactly the same as the ‘incorrect’ estimates in the table for problem 7.
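The expected-value and present-value computation above carried out in Python, as an added example that is not part of the solution manual; it reproduces the figures for Projects A and B and then re-ranks the projects under a constructed alternative cost distribution for A, to show how a shift in the probability estimates changes the decision:

```python
"""Expected-value cost/benefit comparison for Problem 15.  Added example; the
ALT_COSTS_A distribution is constructed for the sensitivity check and is not
from the problem."""


def expected_value(distribution):
    """distribution: list of (probability, amount); probabilities must sum to 1."""
    total_p = sum(p for p, _ in distribution)
    if abs(total_p - 1.0) > 1e-9:
        raise ValueError(f"probabilities sum to {total_p}, not 1")
    return round(sum(p * amount for p, amount in distribution), 2)


def annuity_factor(rate, years, places=5):
    """Present value of an annuity of 1: (1 - (1 + r)^-n) / r, rounded to the
    precision of the published tables (3.79079 for 10%, 5 years)."""
    return round((1 - (1 + rate) ** -years) / rate, places)


def present_value_of_net_benefit(benefits, costs, rate, years):
    """Expected annual net benefit (benefits - costs) discounted as an annuity,
    rounded to the nearest dollar, as in the solution."""
    net = expected_value(benefits) - expected_value(costs)
    return round(net * annuity_factor(rate, years))


# Distributions from the problem: (probability, annual amount).
BENEFITS_A = [(0.30, 220_000), (0.50, 233_000), (0.20, 240_000)]
COSTS_A = [(0.10, 75_000), (0.55, 95_000), (0.35, 105_000)]
BENEFITS_B = [(0.25, 215_000), (0.50, 225_000), (0.25, 235_000)]
COSTS_B = [(0.40, 85_000), (0.40, 100_000), (0.20, 110_000)]

# Constructed alternative: more weight on A's high-cost outcome.
ALT_COSTS_A = [(0.05, 75_000), (0.15, 95_000), (0.80, 105_000)]


def rank_projects(projects, rate=0.10, years=5):
    """projects: {name: (benefits, costs)} -> [(name, PV), ...], best first."""
    scored = [(name, present_value_of_net_benefit(b, c, rate, years))
              for name, (b, c) in projects.items()]
    return sorted(scored, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    as_stated = {"A": (BENEFITS_A, COSTS_A), "B": (BENEFITS_B, COSTS_B)}
    re_estimated = {"A": (BENEFITS_A, ALT_COSTS_A), "B": (BENEFITS_B, COSTS_B)}
    print("annuity factor:", annuity_factor(0.10, 5))
    print("as stated:", rank_projects(as_stated))
    print("A's costs re-estimated:", rank_projects(re_estimated))
```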
16. SPL Risks and Controls Orben Manufacturing Company has an in-house IT department that incurs a high volume of new development and program maintenance projects. To efficiently manage the work load, the director of IT has combined the systems development and maintenance functions into a single department. This allows the programmers of new applications to also maintain those applications. The immediate effect has been an increase in work flow by reducing the startup time needed by programmers to become familiar with the systems being modified. It also reduces the time spent on system documentation. Since the designer and the maintenance programmer are the same person, highly detailed and standardized documentation is not needed. To achieve cross training, programmers also maintain applications programmed by other IT personnel. This has resulted in an “open” library policy that allows programmers to access any program stored in the SPL. Programmers download the application undergoing maintenance to their personal computers, perform the necessary maintenance, and then restore the application to the SPL under its original name. Required: 1) Comment on the trade-off between efficiency and control as it pertains in this situation. 2) Discuss the risk potential related to Orben Manufacturing’s program change procedures. 3) Discuss the controls that would reduce the risks described in (2) above.
Response: 1) Control is always in conflict with operational flexibility and efficiency. For these reasons, systems professionals who must work daily within this environment sometimes oppose controlling the SPL. To achieve an acceptable control-efficiency trade-off, management must be aware of the risks that are created when control features are not employed or are routinely circumvented. In spite of the risk, the no-controls approach is sometimes the choice (perhaps inadvertently) that management makes.
2) The risks associated with Orben’s approach are:
• The opportunity for program fraud is increased when applications are developed and tested by the same individual. Also, unfettered access to all programs in the SPL increases the potential for fraud.
• Documentation suffers in this situation. If the design/maintenance programmer leaves the organization, he/she leaves behind an application that is poorly documented and that will be difficult for the maintenance programmer who inherits it to understand.
• The maintenance approach employed by Orben provides no audit trail of program changes. Each application change should be documented, and the revised program should be formally installed as the current version of the application.
• For the reasons mentioned, external auditors are concerned about the adequacy of systems development and program change procedures. The process followed by Orben will likely result in increased application control tests and substantive tests.
3) Orben Manufacturing should implement SPL controls that include the following features:
• Password control over access to the SPL.
• Separate test libraries in which program changes can be thoroughly tested before being implemented.
• Audit trail reports that describe the details of all changes to applications.
• Version numbers that uniquely identify each version of the application and permit a reconciliation between the current version and all authorized changes to it during the period under review.
• Controlled access to powerful maintenance commands that could be used to destroy audit trail data that are critical to the audit.
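The version-number reconciliation that these SPL controls make possible (the check the auditor performs in Problem 12(b) by reconciling version numbers and confirming maintenance authorizations), as an added Python example that is not from the solution manual; the audit-trail record layout and the sample history are constructed, not the format of any particular SPL product:

```python
"""Reconcile a program's SPL version history against authorized maintenance
requests.  Added example with constructed records; the record layouts are
assumptions, not the format of any particular SPL product."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VersionRecord:
    """One line of the SPL audit-trail report."""
    program: str
    version: int
    change_ref: str      # maintenance request cited when the version was installed
    installed_by: str


@dataclass(frozen=True)
class Authorization:
    """One approved maintenance request."""
    change_ref: str
    program: str
    approved_by: str


def reconcile_versions(history, authorizations):
    """Compare the audit trail of one program with its approved changes and
    return the exceptions an auditor would follow up."""
    findings = {"gaps": [], "unauthorized": [], "self_approved": [], "unapplied": []}
    approved = {a.change_ref: a for a in authorizations}
    versions = sorted(history, key=lambda v: v.version)

    # Version numbers must run consecutively: a gap means a version was
    # installed without leaving a trail, or the trail entry was deleted.
    for prev, cur in zip(versions, versions[1:]):
        if cur.version != prev.version + 1:
            findings["gaps"].append((prev.version, cur.version))

    for v in versions:
        auth = approved.get(v.change_ref)
        if auth is None or auth.program != v.program:
            findings["unauthorized"].append(v.version)
        elif auth.approved_by == v.installed_by:
            # The approver installed the change: no independent check on what
            # actually went into production.
            findings["self_approved"].append(v.version)

    # Approved changes that never reached the SPL are also exceptions.
    applied = {v.change_ref for v in versions}
    findings["unapplied"] = sorted(a.change_ref for a in authorizations
                                   if a.change_ref not in applied)
    return findings


# Constructed sample: the accounts-payable program AP100 during one period.
HISTORY = [
    VersionRecord("AP100", 1, "CR-0001", "jdoe"),
    VersionRecord("AP100", 2, "CR-0007", "jdoe"),    # approver and installer identical
    VersionRecord("AP100", 4, "CR-0012", "asmith"),  # version 3 left no trail
    VersionRecord("AP100", 5, "CR-0099", "asmith"),  # no approved request
]
AUTHORIZATIONS = [
    Authorization("CR-0001", "AP100", "mgr1"),
    Authorization("CR-0007", "AP100", "jdoe"),
    Authorization("CR-0012", "AP100", "mgr1"),
    Authorization("CR-0015", "AP100", "mgr1"),       # approved, never installed
]


def sample_findings():
    return reconcile_versions(HISTORY, AUTHORIZATIONS)


if __name__ == "__main__":
    for kind, items in sample_findings().items():
        print(f"{kind}: {items}")
```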
CHAPTER 6 TRANSACTION PROCESSING AND FINANCIAL REPORTING SYSTEMS OVERVIEW REVIEW QUESTIONS 1.
What three transaction cycles exist in all businesses? Response: The expenditure cycle, conversion cycle, and revenue cycle.
2.
Name the major subsystems of the expenditure cycle. Response: Purchases/accounts payable, cash disbursements, payroll, and fixed asset systems
3.
Identify and distinguish between the physical and financial components of the expenditure cycle. Response: The physical component includes the acquisition of goods, while the financial component includes the recognition of a liability owed to the supplier and the transfer of the payment to the supplier.
4.
Name the major subsystems of the conversion cycle. Response: production system and cost accounting system
5.
Name the major subsystems of the revenue cycle. Response: sales order processing system and cash receipts system
6.
Name the three types of documents. Response: source documents, product documents, and turnaround documents
7.
Name the two types of journals. Response: special journals and the general journal
8.
Distinguish between a general journal and journal vouchers. Response: A general journal is used to record nonrecurring and infrequent transactions. Often, general journals are replaced with a journal voucher system. The journal voucher is used to record a single nonrecurring and infrequent transaction, and it is used as a special source document for the transaction. The total of journal vouchers processed is equivalent to the general journal.
9.
Name the two types of ledgers. Response: general ledger and subsidiary ledger
10.
What is an audit trail? Response: A trail that allows the auditor to begin with a summary total found on the financial statements and track it back to the individual transactions that make up this total. Conversely, an auditor should be able to track transactions from their source documents to their final impact on the financial statements.
11.
What is the confirmation process? Response: The confirmation process entails selecting customers and contacting them to determine whether the transactions recorded in the financial statements actually took place and are valid.
12.
Computer-based systems employ four types of files. Name them. Response: Master file, transaction file, reference file, and archive file
13.
Give an example of a record that might comprise each of the four file types found in a computer-based system. Response: Master files correspond to general ledger accounts and subsidiary ledgers. Examples include accounts receivable and customer subsidiary accounts, accounts payable and vendor subsidiary accounts, inventory, etc. Transaction files correspond to general and special journals. Examples include the general journal, sales journals, cash receipts journals, payroll journals, etc. Reference files include lists of vendors, delinquent customers, tax tables, sales tax rates, discount rates, lists of customers granted specific discounts, etc. Archive files are typically composed of records that have been processed but are retained for their history. Examples include payroll transactions, sales transactions, etc.
14.
What is the purpose of a digital audit trail? Response: The digital audit trail, like the paper trail, allows us to trace transactions from the financial statement balance back to the actual transaction so we may: compare balances, perform reconciliations, select and trace samples of entries, and identify, pull, and verify specific transactions.
15.
Give an example of how cardinality relates to business policy. Response: Cardinality reflects normal business rules as well as organizational policy. For instance, the 1:1 cardinality in the first example in Figure 6-14 suggests that each salesperson in the organization is assigned one automobile. If instead the organization’s policy were to assign a single automobile to one or more salespeople that share it, this policy would be reflected by a 1:M relationship.
16.
Distinguish between entity relationship diagrams, data flow diagrams, and system flowcharts. Response: Entity relationship diagrams represent the relationship between entities (resources, events, and agents) in a system, i.e. it models the data used in or affected by the system. Dataflow diagrams represent the logical elements (i.e. what is being done) of a system by illustrating processes, data sources, data flows, and entities, i.e. it models the business processes. System flowcharts graphically represent the physical elements being used (i.e., how the tasks are being conducted) by illustrating the relationship between input sources, program, and output products. System flowcharts can also represent both the logical and physical elements of manual systems and also illustrate the preparation and handling of documents.
17.
What is meant by cardinality in entity relationship diagrams? Response: Cardinality refers to the numerical mapping between entity instances, and it is a matter of organizational policy. The relationship can be one-to-one, one-to-many, or many-to-many.
18.
For what purpose are entity relationship diagrams used? Response: An entity relationship (ER) diagram is a documentation technique used to represent the relationship between entities. One common use for ER diagrams is to model an organization’s database, which we examine in detail in Chapter 8.
19.
What is an entity? Response: Entities are physical resources (automobiles, cash, or inventory), events (ordering inventory, receiving cash, shipping goods), and agents (salesperson, customer, or vendor) about which the organization wishes to capture data.
20.
Distinguish between batch and real-time processing. Response: Batch processing occurs when similar transactions are accumulated over time and processed together. Real-time processing captures each event or transaction and processes it before engaging in another transaction. If transactions are independent of one another, such as the processing of daily cash receipts, then batch processing is appropriate. If transactions are dependent on one another, such as credit sales, ticket sales, etc., then real-time processing is more appropriate.
21.
Distinguish between the sequential file and database approaches to data backup. Response: During the file update process, sequential master files are completely reproduced in the form of a physically new file, thus creating a backup copy automatically. Databases use destructive update procedures and require separate backup procedures.
22.
Is a data flow diagram an effective documentation technique for identifying who or what performs a particular task? Explain. Response: No. A DFD shows the tasks being performed, but not who performs them. It depicts the logical system only.
23.
Is a flowchart an effective documentation technique for identifying who or what performs a particular task? Explain. Response: Yes. A flowchart depicts the physical system and illustrates the type of task performed, the location of the performed task, and the person performing the task.
24.
How may batch processing be used to improve operational efficiency? Response: A single transaction may affect several different accounts. Some of these accounts, however, may not need to be updated in real time. In fact, the task of doing so takes time which, when multiplied by hundreds or thousands of transactions, can cause significant processing delays. Batch processing of non-critical accounts, however, improves operational efficiency by eliminating unnecessary activities at critical points in the process.
25.
Why might an auditor use a program flowchart? Response: When testing an application program, the auditor needs details about its internal logic to design the audit tests. This information can be provided by the program flowchart.
26.
How are system flowcharts and program flowcharts related? Response: The system flowchart shows the relationship between two computer programs, the files that they use, and the outputs that they produce. However, this level of documentation does not provide the operational details that are sometimes needed. An auditor wishing to assess the correctness of a program’s logic cannot do so from the system flowchart. A program flowchart provides this detail. Every program represented in a system flowchart should have a supporting program flowchart that describes its logic.
27.
What are the distinguishing features of a legacy system? Response: Legacy systems tend to have the following distinguishing features: they are mainframe-based applications, they tend to be batch-oriented, and early legacy systems use flat files for data storage. However, hierarchical and network databases are often associated with later-era legacy systems. These highly structured and inflexible storage systems promote a single-user environment that discourages information integration within business organizations.
28.
What are the two data processing approaches used in modern systems? Response: batch processing and real-time processing
29.
How is backup of database files accomplished? Response: Prior to each batch update or periodically (every few minutes), the master file being updated is copied to create a backup version of the original file. Should the current master be destroyed after the update process, reconstruction is possible in two stages. First, a special recovery program uses the backup file to create a pre-update version of the master file. Second, the file update process is repeated using the previous batch of transactions to restore the master to its current condition.
30.
What information is provided by a record layout diagram? Response: Record layout diagrams are used to reveal the internal structure of the records that constitute a file or database table. The layout diagram usually shows the name, data type, and length of each attribute (or field) in the record.
31.
In one sentence, what does updating a master file record involve? Response: Updating a master file record involves changing the value of one or more of its variable fields to reflect the effects of a transaction.
32.
Comment on the following statement: “Legacy systems always use flat-file structures.” Response: A flat-file structure is a single-view model that characterizes legacy systems in which data files are structured, formatted, and arranged to suit the specific needs of the owner or primary user of the system. Such structuring, however, may omit or corrupt data attributes that are essential to other users, thus preventing successful integration of systems across the organization. Legacy systems do not always use this flat-file structure. Some later-era legacy systems use hierarchical and network databases.
33.
Explain the technique known as destructive update. Response: Destructive update involves replacing an old data value with a new value and thus destroying the original.
34.
What factor influences the decision to employ real-time data collection with batch updating rather than purely real-time processing? Explain. Response: Transaction volume is the key factor. Large-scale systems that process high volumes of transactions often use real-time data collection and batch updating. Master file records that are unique to a transaction, such as customer accounts and individual inventory records, can be updated in real time without causing operational delays. Common accounts should be updated in batch mode. Real-time processing is better suited to systems that process lower transaction volumes and those that do not share common records.
35.
What are the advantages of real-time data processing? Response: In a real-time processing environment, the master files are updated as soon as the transaction is submitted and accepted into the system. Thus, reports are more accurate in the sense that the information is as current as possible. Faster operational response time to customer requests such as the shipping of an order is another very important benefit. Finally, the reduction of paper and storage space of physical source documents is another benefit.
36.
What are the advantages of real-time data collection? Response: By collecting data in real-time, certain transaction errors can be prevented, or detected and corrected at their source.
37.
What are some of the more common uses of data codes in accounting information systems? Response: Some of the more common uses of data codes in accounting information systems are: a. block codes for the general ledger accounts, b. sequential codes for documents, and c. group codes for coding transactions.
38.
Compare and contrast the relative advantages and disadvantages of sequential, block, group, alphabetic, and mnemonic codes. Response: a. Sequential codes are appropriate for items in either an ascending or descending sequence, such as the numbering of checks or source documents. An advantage of sequential coding is that any gap detected in the sequence signals that a transaction may be missing. A disadvantage is that the codes carry little, if any, information other than the sequence order. Another disadvantage is that sequential codes are difficult to manage when items need to be added; the sequence needs either to be reordered or the items must be added to the end of the list. b. Block codes provide some remedies to sequential codes by restricting each class to a pre-specified range. The first digit typically represents a class, whereas the following digits are sequential items which may be spaced in intervals in case of future additions. An example of block coding is a chart of accounts. A disadvantage of block coding is that the information content does not provide much meaning, i.e. an account number only means something if the chart of accounts is known. c. Group codes may be used to represent complex items or events involving two or more pieces of related data. The code is comprised of fields, which possess specific meaning. The advantages of group codes over sequential and block codes are: 1. facilitating the representation of large amounts of diverse data, 2. allowing complex data structures to be represented in a hierarchical form that is logical (and therefore easier to remember), and 3. permitting detailed analysis and reporting within an item class and across different classes of items. A disadvantage of group codes is that the codes may be overused to link classes which do not need to be linked, and thus create an unnecessarily complex coding system. d. Alphabetic codes may be used sequentially, in block codes, or in group codes. An advantage of alphabetic codes is that a system using alphabetic codes can represent far more situations than a system with numeric codes (where each code has a specified field size). A disadvantage of alphabetic codes is that sequentially assigned codes have little meaning. Also, people typically find alphabetic data more difficult to sort than numeric data. e. Mnemonic codes are alphabetic characters in the form of acronyms, abbreviations or other combinations that convey meaning. The advantage of mnemonic codes is inherent in the meaning of the code. A disadvantage of mnemonic codes is that they are limited in their ability to represent items within a class (i.e. names of all of American Express’s customers).
39.
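The coding schemes of questions 37 and 38 as working controls, as an added Python example that is not part of the solution manual: a sequence check on document numbers, a block-code lookup against a constructed chart of accounts, and a parser for a constructed group-code layout:

```python
"""Data-code controls: sequence checking of document numbers, block-code
lookup for a chart of accounts, and parsing of a group code.  Added example;
the account blocks and the group-code layout are constructed."""


def sequence_gaps(numbers):
    """Numbers (e.g. check or invoice numbers) as issued.  Returns
    (missing, duplicates): a gap signals a document that may be missing,
    a duplicate signals a reused number."""
    if not numbers:
        return [], []
    seen, duplicates = set(), set()
    for n in numbers:
        if n in seen:
            duplicates.add(n)
        seen.add(n)
    missing = [n for n in range(min(seen), max(seen) + 1) if n not in seen]
    return missing, sorted(duplicates)


# Constructed block-coded chart of accounts: the first digit fixes the class,
# the remaining digits are assigned sequentially with room left for additions.
ACCOUNT_BLOCKS = {
    "1": "Assets", "2": "Liabilities", "3": "Equity",
    "4": "Revenue", "5": "Expenses",
}


def block_class(account_no, blocks=ACCOUNT_BLOCKS):
    """Resolve a four-digit account number to its class from the leading
    digit; the number carries no other meaning without the chart of accounts."""
    if not (account_no.isdigit() and len(account_no) == 4):
        raise ValueError(f"malformed account number {account_no!r}")
    try:
        return blocks[account_no[0]]
    except KeyError:
        raise ValueError(f"account {account_no} is outside every block") from None


# Constructed group-code layout for a sales transaction code such as
# "04-07-21-001": store, department, item class, item sequence.
SALES_CODE_LAYOUT = [("store", 2), ("dept", 2), ("item_class", 2), ("item_seq", 3)]


def parse_group_code(code, layout=SALES_CODE_LAYOUT, sep="-"):
    """Split a group code into its named fixed-width fields."""
    parts = code.split(sep)
    if len(parts) != len(layout):
        raise ValueError(f"expected {len(layout)} fields in {code!r}")
    fields = {}
    for (name, width), part in zip(layout, parts):
        if len(part) != width or not part.isdigit():
            raise ValueError(f"field {name} in {code!r} must be {width} digits")
        fields[name] = part
    return fields


if __name__ == "__main__":
    print(sequence_gaps([1001, 1002, 1004, 1004, 1006]))
    print(block_class("1120"), block_class("5200"))
    print(parse_group_code("04-07-21-001"))
```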
What information is contained in a journal voucher? Response: A journal voucher is used to make entries into the general ledger accounts. The information may be a summary of many transactions or a single, unique transaction. A journal voucher identifies the financial amounts and affected general ledger accounts.
40.
How are journal vouchers used as a control mechanism? Response: Journal vouchers must be approved by an authorized person, and thus provide an effective control against errors and unauthorized general ledger entries.
41.
What information is contained in the general ledger master file? Response: The general ledger master file is ordered by the chart of accounts. The account number, the account description, the asset class, the normal balance, beginning balance, total debits and total credits for the period, and the current balance are the typical pieces of information found in each record of a general ledger master file.
42.
What is the purpose of the general ledger history file? Response: The purpose is to present comparative financial reports on a historic basis.
43.
What is the purpose of a responsibility center file? Response: The responsibility center file is used to collect data regarding the revenues, expenditures and relevant resources of each responsibility center. Managers of responsibility centers are held accountable for the operations of their centers and the information found in these files helps to assess performance.
44.
List the primary users of the FRS and discuss their information needs. Response: The primary users of financial statement information are external users such as stockholders, creditors, and government agencies such as the IRS and the SEC. These users need information that allows them to assess performance over time and to compare performance with other organizations. The IRS needs financial information to determine whether the corporation is paying the appropriate amount of taxes, while the SEC requires the information of publicly traded organizations to ensure that the market place is fair to the average investor.
45.
Name in order the eleven steps of the financial reporting process. Response: i. capture the transaction, ii. record in special journal, iii. post to subsidiary ledger, iv. post to the general ledger, v. prepare the unadjusted trial balance, vi. make adjusting entries, vii. journalize and post adjusting entries, viii. prepare the adjusted trial balance, ix. prepare the financial statements, x. journalize and post the closing entries, xi. prepare the post-closing trial balance.
46.
What assumption is made regarding the external users of financial statements? Response: The financial statements are prepared based upon the assumption that the users of financial reports understand the conventions and accounting principles that are applied, and that the financial statements have information content that is useful.
47.
When are adjusting entries made to the worksheet and what is their purpose? When are the corresponding voucher entries made? Response: Adjusting entries are made after the regular accounting entries have been made and posted to the general ledger and any corresponding subsidiary ledgers. After an unadjusted trial balance of the general ledger has been prepared, the adjusting entries are made to correct any errors and to record any unrecorded transactions (i.e. accruals) during the period. The vouchers are prepared after the adjusting entries have been identified and made to the worksheet.
48.
What tasks should the general ledger clerk not be allowed to do? Response: The general ledger clerks should not: a. have record keeping responsibility for special journals or subsidiary ledgers, nor b. prepare journal vouchers, or have custody of physical assets.
49.
What does XML stand for? Response: XML stands for: eXtensible Markup Language; it is a meta-language for describing markup languages. The term extensible means that any markup language can be created using XML. This includes the creation of markup languages capable of storing data in relational form, where tags (formatting commands) are mapped to data values.
50.
What does XBRL stand for? Response: XBRL stands for: eXtensible Business Reporting Language; it is an XML-based language that was designed to provide the financial community with a standardized method for preparing, publishing, and automatically exchanging financial information, including financial statements of publicly held companies.
51.
What is an XBRL taxonomy? Response: Taxonomies are classification schemes that are compliant with XBRL specifications to accomplish a specific information exchange or reporting objective such as filing with the SEC. Taxonomies specify the data to be included in an exchange or report.
52.
What is an XBRL instance document? Response: An XBRL instance document is created by a computer by interpreting the embedded tags in the database. The XBRL instance document is the actual financial report.
53.
What is an XBRL tag? Response: An XBRL tag is a formatting command that is mapped to data values to facilitate the generation of reports using XBRL.
DISCUSSION QUESTIONS
1.
Discuss the flow of cash through the transaction cycles. Include in your discussion the relevant subsystems and any time lags that may occur. Response: Cash flows into the firm from sales made to customers. The sales order processing subsystem of the revenue cycle captures the intent of customers to exchange cash for services or goods manufactured. Typically sales are made on credit. The cash receipts subsystem of the revenue cycle captures the actual receipt of cash. Depending on the credit terms and promptness of payment by the customer, the lag between the sales order processing subsystem and the cash receipts subsystem may be days, weeks, or months. The cash inflow allows the organization to purchase raw materials, pay workers, and buy capital assets necessary to manufacture the product (or to provide services). The raw materials requirements are determined by the production planning subsystem of the conversion cycle. These requirements trigger orders being placed through the purchases/accounts payable subsystem of the expenditure cycle. For credit sales, the cash is ultimately released once the goods are received (or services are performed) and an invoice has been received. The lag between receiving goods and disbursement of cash may be days or weeks. Cash is also disbursed to employees, typically after services are rendered by the employees. The lag is usually no more than one-half a month for salaried employees and as short as one-half a week for hourly wage earners. The payroll subsystem of the expenditure system captures these disbursements to employees.
2.
Explain whether the cost accounting system primarily supports internal or external reporting. Response: Initially, the cost accounting system was used for the valuation of inventory and cost of goods sold reported to external users; however, the valuable use of cost accounting data for budgeting, cost control, performance reporting, and management decision making has proved to be crucial internal support.
3.
Discuss the role of the conversion cycle for service and retailing entities. Response: The conversion cycle activities for service and retailing entities include: planning the items to purchase or the services to produce, planning the workforce to accomplish the necessary tasks (extremely crucial in service entities), and directing the workforce in performing the service or selling the good.
4.
Can a turnaround document contain information that is subsequently used as a source document? Why or why not? Response: Yes. For example, the remittance advice of a bill that is returned with the payment serves as a source document for the cash receipts transaction processing system. Thus, the product document becomes a source document.
5.
Would the writing down of obsolete inventory be recorded in a special journal or the general journal? Why? Response: This type of transaction is recorded in the general journal since it is nonrecurring, infrequent, and not similar to other types of transactions.
6.
Are both registers and special journals necessary? Response: Sometimes the terms are used interchangeably, for example, the sales journal is sometimes called the sales register. The term journal is appropriate when the information needs to be ultimately posted to the general ledger. Registers may be used to keep logs of information that may support, but do not specifically get posted to the general ledger, such as a raw materials receipts register or a shipping log.
7.
Discuss the relationship between the balance in the accounts payable general ledger control account and what is found in the accounts payable subsidiary ledger. Response: The balance in the general ledger is considered a control account. This amount is an aggregated number representing the total amount owed to creditors listed in the accounts payable journal. The accounts payable subsidiary ledger details the exact amount owed to each creditor. The sum of the amounts owed to each creditor listed in the accounts payable journal should equal the corresponding total in the general ledger control account. Thus, the accounts payable subsidiary ledger is a detailed breakdown of the summary of accounts payable in the general ledger control account.
8.
What role does the audit trail play in the task of confirmation? Response: Confirmation is most typically used for confirming the accounts receivable account as reported on the balance sheet. The audit trail is used to trace from the general ledger accounts receivable control account to the subsidiary account, and then to specific customer accounts. A sample of the customer accounts is then selected for confirmation.
9.
Explain how the digital audit trail functions. Response: In theory, the digital audit trail functions the same as a manual audit trail. In practice, the steps are slightly different. The archive file that consists solely of valid transactions is the file to which the accounts receivable subsidiary account balances and transactions are traced. The customers still need to be contacted for confirmation.
10.
Are large batch sizes preferable to small batch sizes? Explain. Response: Small batches have the advantage of fewer transactions to sort through for error detection, but they are not processed as efficiently. Further, computing facilities and constraints might dictate whether multiple small batches may be processed throughout the day or whether a single large batch is processed at night when the computing facilities have excess capacity. (Multiple small batches may still be processed in the evening.)
11.
Discuss why an understanding of legacy system technologies is of some importance to auditors. Response: Not all modern organizations use entirely modern information systems. Some firms employ legacy systems for certain aspects of their data processing. When legacy systems are used to process financially significant transactions, auditors need to know how to evaluate and test them.
12.
If an organization processes large numbers of transactions that use common data records, what type of system would work best (all else being equal)? Response: Large-scale systems that process high volumes of transactions often use real-time data collection and batch updating. Master file records that are unique to a transaction, such as customer accounts and individual inventory records, can be updated in real time without causing operational delays. Common accounts should be updated in batch mode. Real-time processing is better suited to systems that process lower transaction volumes and those that do not share common records.
13.
If an organization processes transactions that have independent (unique) data needs, what type of system would work best (all else being equal)? Response: Real-time processing is better suited to systems that process lower transaction volumes and those that do not share common records.
14.
Should an auditor wishing to assess the adequacy of separation of functions examine a data flow diagram or a system flowchart? Why? Response: The auditor should examine the system flowchart since it clearly depicts the separation of functions and illustrates who is responsible for performing specific processing steps. The dataflow diagram illustrates the logical system and is too general because many different physical designs may be applicable.
15.
Discuss some of the problems associated with general ledger systems that do not have data coding schemes. Response: Un-coded data takes a great deal of recording space, is time-consuming to record and is prone to many types of errors. Consider a firm that manufactures bicycles and carries reflector lights in its inventory. The lights come in six sizes, two colors, and four different grades of material. Thus, 48 different varieties of reflector lights are held (6x2x4). Every time lights are purchased, the description would need to be included rather than a code. For example, if 100 units of one type of reflector light were purchased, and 200 units of another were purchased from Collins Manufacturer in Roanoke, Virginia, the journal entry would be:
Inventory-2”, yellow, metal reflector light 75
Inventory-3”, orange, plastic reflector light 120
    A/P-Collins Mnf-Roanoke, VA 195
Some problems this approach may produce are: i. the sales staff will have a more tedious job in writing up orders, and more errors may occur (i.e. what if they forget to write the color or material type?), ii. the warehouse personnel will have a more difficult time locating and picking the goods for shipment, and again more errors may occur, and iii. the accounting personnel will also have a more tedious job posting to the subsidiary ledgers, which may prompt additional errors.
16.
For each of the following items, indicate whether a sequential, block, group, alphabetic, or mnemonic code would be most appropriate (you may list multiple methods; give an example and explain why each method is appropriate): Response:
a. state codes—alphabetic code, i.e. PA, this method is appropriate because it corresponds with the postal services abbreviation and is meaningful to humans.
b. check number—numeric, sequential. This method allows the checks to be examined to determine if any are missing.
c. chart of accounts—block coding since this method allows a whole class of items to be restricted to a specific range, i.e. assets 100-199, liabilities 200-299, equity accounts 300-399.
d. inventory item number—alpha-numeric. The numeric portion allows the items to be easily sorted and found. The alphabetic portion allows more combinations to be made with fewer digits or characters, i.e. 2000A, 2000B, 2000C could represent virtually the same inventory item but in three different sizes.
e. bin number (inventory warehouse location)—group codes since certain digits may be used to represent which warehouse, certain digits may be used to represent floor, certain digits may be used to represent rows, certain digits may be used to represent bins, i.e. 211225 could represent warehouse 2, floor 1, row 12, and bin #25.
f. sales order number—numeric, sequential. This method allows the sales orders to be examined to determine if any are missing.
g. vendor code—alpha-numeric. The alphabetic portion allows more meaningful codes to be used and found. The numeric portion allows different firms with similar names to be distinguished, i.e. ALPH01, ALPH02 where ALPH01 is the vendor code for Alphahydraulics and ALPH02 is the vendor code for Alpha Trucking Services. Once the name of the company is known, finding the vendor code is much easier than if only numbers are used.
h. invoice number—numeric, sequential. This method allows the invoices to be examined sequentially. Gaps in the sequence may signify missing invoices.
i. customer number—same as for vendor code.
17.
Discuss any separation of duties necessary to control against unauthorized entries to the general ledger. What other control procedures regarding the general ledger should be employed? Response: Since general ledger clerks have access to the general ledger, they should not have access to the journal vouchers in the source departments. If these journal vouchers were acquired by the general ledger clerks, or anyone else with authorization to enter the general ledger, these vouchers may be used to make unauthorized entries. Pre-numbering and logging these documents at their source provides a means of accountability.
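The checks that the responses to questions 16 and 17 describe (gap and duplicate detection on sequential codes such as check, sales order, invoice and pre-numbered journal voucher numbers; mapping block-coded account numbers to their class; splitting a group code into its fields), written out as an added example on constructed data. This is not the textbook's code; the voucher numbers and the field widths assumed for the bin code are constructed for illustration.

```python
"""Added example, not from the textbook: audit checks over the coding schemes
of question 16 and the pre-numbered journal vouchers of question 17, run on
constructed data. Sequential codes are tested for gaps and duplicates, block
codes are mapped back to their account class, and a group code is split into
its fields."""
from collections import Counter

# Block code ranges for the chart of accounts (question 16c).
ACCOUNT_BLOCKS = {
    "assets": range(100, 200),
    "liabilities": range(200, 300),
    "equity": range(300, 400),
}

# Field layout assumed for the group-coded bin number of question 16e:
# warehouse (1 digit), floor (1 digit), row (2 digits), bin (2 digits).
BIN_LAYOUT = (("warehouse", 1), ("floor", 1), ("row", 2), ("bin", 2))


def classify_account(account_number):
    """Return the class implied by the block an account number falls in."""
    for class_name, block in ACCOUNT_BLOCKS.items():
        if account_number in block:
            return class_name
    return "unassigned"


def sequence_gaps(numbers):
    """Numbers missing between the lowest and highest value seen. For checks,
    sales orders, invoices or pre-numbered vouchers, each gap is a document
    to be accounted for (the completeness test the responses describe)."""
    seen = set(numbers)
    if not seen:
        return []
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]


def sequence_duplicates(numbers):
    """Numbers used more than once; a re-used voucher number is as much an
    exception as a missing one."""
    return sorted(n for n, count in Counter(numbers).items() if count > 1)


def decode_group_code(code, layout=BIN_LAYOUT):
    """Split a fixed-width numeric group code into its named fields."""
    expected_len = sum(width for _, width in layout)
    if len(code) != expected_len or not code.isdigit():
        raise ValueError(f"expected {expected_len} digits, got {code!r}")
    fields, pos = {}, 0
    for name, width in layout:
        fields[name] = int(code[pos:pos + width])
        pos += width
    return fields


# Constructed log of journal voucher numbers recorded at the source department.
VOUCHER_LOG = [1001, 1002, 1003, 1005, 1006, 1006, 1008]

if __name__ == "__main__":
    print(decode_group_code("211225"))       # {'warehouse': 2, 'floor': 1, 'row': 12, 'bin': 25}
    print(sequence_gaps(VOUCHER_LOG))        # [1004, 1007]
    print(sequence_duplicates(VOUCHER_LOG))  # [1006]
    print(classify_account(150))             # assets
```

The gap test is run on the log kept at the source department, not on the general ledger, because the response to question 17 places accountability for vouchers at the point where they are numbered and logged; a number that is logged at source but never reaches the ledger is exactly the exception the control is meant to surface.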
18.
Discuss the various sources of data for the financial reporting system output and how these data are processed into information (output) for the different external users. Response: The data comes from the various transaction processing departments. Specifically, the cash receipts journal, sales journal, purchases journal, and any other miscellaneous transactions are the various sources of data which are input into the system. Once this data is input into the system, the general ledger, as well as subsidiary ledgers, are updated. After inspection of a trial balance of the general ledger accounts, any necessary adjustments and error corrections are made. Finally, the financial statements are prepared and distributed to the appropriate user groups.
19.
Explain how erroneous journal vouchers may lead to litigation and significant financial losses for a firm. Response: If journal vouchers are missing, fabricated, or erroneous, and information is misrepresented in the financial statements, then any decisions made by investors and governmental agencies are based upon bad data. If an investor provides capital to a firm based upon its financial statements, these financial statements are incorrect, and the investor loses money once the corrections are made, the external user who suffered the loss may claim the firm was either fraudulent or negligent and sue for the lost amount. Governmental agencies, such as the IRS, may impose severe penalties for inaccurate reporting of data.
20.
Ultimately, is the purpose of an audit trail to follow a transaction from its input through its processing and finally to the financial statements or vice versa? Explain your answer. Response: Ultimately, the purpose is to be able to take any account on the financial statement and trace back to the source documents which comprise the number. However, the audit trail must also be examined from the other direction to ensure that all transactions end up being reflected in the financial statements. In other words, if the financial statement balance for an account is traced back to the originating documents, then accuracy and verifiability is present, but completeness is not necessarily present. Tracing a sample of source documents through to their effect on the financial statements allows the property of completeness to be verified.
21.
Discuss the benefits that may be realized in switching from a computerized batch processing system to a direct access storage system. Also, discuss any additional control implications. Response: This system does not recreate the general ledger database each time it is updated. Thus processing efficiency results. Updates may be performed more frequently, which results in a general ledger with more current information which internal users should find beneficial. Also, errors may be noticed and corrected in a more timely fashion. A control issue which needs to be considered when switching from a computerized batch processing system to a direct access storage system is proper segregation of functions. The fundamental separation between authorizations and transaction processing no longer exists. Detailed report listings are provided for added control over the transactions that are processed. Another control issue is the accessibility of accounting records when they are stored on magnetic disks, which may be accessed by many different user groups. Access controls over the accounting files must be implemented.
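The control-account reconciliation of question 7 and the two-direction audit trail test of question 20, as an added example on constructed accounts receivable records (this is not the textbook's code; the invoices, ledger entries and control balance are constructed for illustration):

```python
"""Added example, not from the textbook: reconciling a general ledger control
account to its subsidiary ledger (discussion question 7) and walking the audit
trail in both directions (question 20) over constructed accounts receivable
records."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class SourceDocument:
    """A pre-numbered sales invoice, the origin of one receivable."""
    doc_id: str
    customer: str
    amount: Decimal


@dataclass(frozen=True)
class SubsidiaryEntry:
    """One line in the accounts receivable subsidiary ledger; source_doc is
    the audit-trail pointer back to the invoice that created it."""
    customer: str
    amount: Decimal
    source_doc: str


def control_account_difference(control_balance, subsidiary):
    """Control account balance minus the subsidiary ledger total. Zero means
    the two agree in total, which says nothing about whether the individual
    entries are genuine or complete."""
    return control_balance - sum((e.amount for e in subsidiary), Decimal("0"))


def vouch_backwards(subsidiary, documents):
    """Financial statement -> control account -> subsidiary ledger -> source
    document. Returns the source_doc references of entries whose document is
    missing or disagrees with the entry (existence / accuracy exceptions)."""
    by_id = {d.doc_id: d for d in documents}
    exceptions = []
    for entry in subsidiary:
        doc = by_id.get(entry.source_doc)
        if doc is None or doc.amount != entry.amount or doc.customer != entry.customer:
            exceptions.append(entry.source_doc)
    return exceptions


def trace_forwards(documents, subsidiary):
    """Source document -> subsidiary ledger. Returns ids of documents that
    never reached the ledger (completeness exceptions)."""
    posted = {e.source_doc for e in subsidiary}
    return [d.doc_id for d in documents if d.doc_id not in posted]


# Constructed sample: three invoices issued, three ledger entries posted.
INVOICES = [
    SourceDocument("INV-1001", "Acme", Decimal("250.00")),
    SourceDocument("INV-1002", "Beta", Decimal("100.00")),
    SourceDocument("INV-1003", "Acme", Decimal("75.00")),
]
AR_SUBSIDIARY = [
    SubsidiaryEntry("Acme", Decimal("250.00"), "INV-1001"),
    SubsidiaryEntry("Beta", Decimal("100.00"), "INV-1002"),
    SubsidiaryEntry("Gamma", Decimal("75.00"), "INV-9999"),  # no such invoice exists
]
AR_CONTROL_BALANCE = Decimal("425.00")


def audit_receivables(control_balance=AR_CONTROL_BALANCE,
                      subsidiary=AR_SUBSIDIARY, documents=INVOICES):
    """Run all three tests and return the findings together."""
    return {
        "control_difference": control_account_difference(control_balance, subsidiary),
        "unsupported_entries": vouch_backwards(subsidiary, documents),
        "unposted_documents": trace_forwards(documents, subsidiary),
    }


if __name__ == "__main__":
    for test_name, finding in audit_receivables().items():
        print(f"{test_name}: {finding}")
```

The constructed data is chosen so that the control account agrees with the subsidiary ledger total while each direction of the trail still reports an exception: an entry with no supporting invoice, which only vouching backwards finds, and an invoice that never reached the ledger, which only tracing forwards finds. That is the point of the response to question 20: agreement of totals and a clean backward trace establish accuracy, not completeness.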
22.
Controls are only as good as the predetermined standard on which they are based. Discuss the preceding comment and give an example. Response: If the standards are unrealistic or outdated, then variances will be reported constantly and probably ignored. For example, if 5 ounces of a raw material is set as the standard based upon past data, but the most realistic amount to be used for each unit is actually 5.25 ounces (the unit specifications have changed slightly), then the exception reports will constantly show a variance since the standard is not realistic given the design change. The manager will get used to seeing an unfavorable variance. If a machine begins to have problems and starts to require 5.5 ounces, then the unfavorable variance will increase, but the manager may not see the difference as readily since he/she is used to seeing an unfavorable variance in every report.
23.
Discuss three audit implications of XBRL. Response: Audit implications include the following: i. Taxonomy Creation. Taxonomy may be generated incorrectly, resulting in an incorrect mapping between data and taxonomy elements that could result in material misrepresentation of financial data. Controls must be designed and in place to ensure the correct generation of XBRL taxonomies. ii. Validation of Instance Documents. As noted, once the mapping is complete and tags have been stored in the internal database, XBRL instance documents (reports) can be generated. Independent verification procedures need to be established to validate the instance documents to ensure that appropriate taxonomy and tags have been applied before posting to the Web server. iii. Audit Scope and Timeframe. Currently, auditors are responsible for printed financial statements and other materials associated with the statements. What will be the impact on the scope of auditor responsibility as a consequence of real-time distribution of financial statements across the Internet? Should auditors also be responsible for the accuracy of other related data that accompany XBRL financial statements, such as textual reports?
24.
Although HTML and XML documents look very similar, and both use tags, explain how they differ significantly as a financial reporting medium. Response: Although both use tags (words that are bracketed by the symbols < and >) and attributes such as Doe, John, the way in which these tags and attributes are used differs. In HTML the tags have predefined meaning that describes how the attributes will be presented in a document. In the case of the XML the tags are customized to the user, and the user’s application can read and interpret the tagged data.
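The instance-document validation that implication ii of question 23 calls for, using the pieces questions 49 through 53 and question 24 define (a taxonomy of allowed concepts, an instance document, tags a user's application reads), written as an added example. It is not the textbook's code: the company namespace, concept names, calculation rule and the instance document itself are constructed for illustration and are not taken from any SEC or XBRL International taxonomy.

```python
"""Added example, not from the textbook: validating a simplified XBRL instance
document against a small taxonomy before it is posted (discussion question 23,
implication ii). The company namespace, concept names and calculation rule are
constructed for illustration."""
import xml.etree.ElementTree as ET
from decimal import Decimal, InvalidOperation

XBRLI = "http://www.xbrl.org/2003/instance"      # XBRL instance namespace
ACME = "http://example.com/taxonomy/acme"        # constructed company taxonomy

# Constructed taxonomy: the only concepts a fact may be tagged with.
TAXONOMY = {"Assets", "Liabilities", "Equity", "Revenue"}
# Constructed calculation rule (a real taxonomy carries these in a calculation linkbase).
CALCULATIONS = {"Assets": ["Liabilities", "Equity"]}

# Constructed instance document with two defects: a tag that is not in the
# taxonomy (Revenu) and a total that does not foot (1000 != 600 + 300).
SAMPLE_INSTANCE = f"""<?xml version="1.0"?>
<xbrli:xbrl xmlns:xbrli="{XBRLI}" xmlns:acme="{ACME}">
  <xbrli:context id="FY2023">
    <xbrli:entity><xbrli:identifier scheme="http://example.com">ACME</xbrli:identifier></xbrli:entity>
    <xbrli:period><xbrli:instant>2023-12-31</xbrli:instant></xbrli:period>
  </xbrli:context>
  <xbrli:unit id="USD"><xbrli:measure>iso4217:USD</xbrli:measure></xbrli:unit>
  <acme:Assets contextRef="FY2023" unitRef="USD" decimals="0">1000</acme:Assets>
  <acme:Liabilities contextRef="FY2023" unitRef="USD" decimals="0">600</acme:Liabilities>
  <acme:Equity contextRef="FY2023" unitRef="USD" decimals="0">300</acme:Equity>
  <acme:Revenu contextRef="FY2023" unitRef="USD" decimals="0">900</acme:Revenu>
</xbrli:xbrl>
"""

# The same document with both defects corrected, for comparison.
CORRECTED_INSTANCE = (SAMPLE_INSTANCE
                      .replace("acme:Revenu ", "acme:Revenue ")
                      .replace("acme:Revenu>", "acme:Revenue>")
                      .replace(">1000<", ">900<"))


def validate_instance(xml_text):
    """Return a list of problems; an empty list means the document may be posted."""
    root = ET.fromstring(xml_text)
    contexts = {c.get("id") for c in root.iter(f"{{{XBRLI}}}context")}
    units = {u.get("id") for u in root.iter(f"{{{XBRLI}}}unit")}
    facts, problems = {}, []
    for el in root:
        if el.tag.startswith(f"{{{XBRLI}}}"):
            continue                                   # contexts and units are not facts
        if not el.tag.startswith(f"{{{ACME}}}"):
            problems.append(f"fact in foreign namespace: {el.tag}")
            continue
        name = el.tag[len(ACME) + 2:]                  # strip the "{namespace}" prefix
        if name not in TAXONOMY:
            problems.append(f"unknown concept: {name}")
            continue
        if el.get("contextRef") not in contexts:
            problems.append(f"{name}: contextRef does not resolve")
        if el.get("unitRef") not in units:
            problems.append(f"{name}: unitRef does not resolve")
        try:
            facts[name] = Decimal((el.text or "").strip())
        except InvalidOperation:
            problems.append(f"{name}: non-numeric value {el.text!r}")
    # Footing check: every total must equal the sum of its components.
    for total, parts in CALCULATIONS.items():
        if total in facts and all(p in facts for p in parts):
            expected = sum(facts[p] for p in parts)
            if facts[total] != expected:
                problems.append(f"{total} = {facts[total]} but {' + '.join(parts)} = {expected}")
    return problems


if __name__ == "__main__":
    print(validate_instance(SAMPLE_INSTANCE))
    print(validate_instance(CORRECTED_INSTANCE))    # []
```

A production validator would check the instance against the taxonomy's XML Schema and linkbases rather than a hand-written set; what the example shows is where the check belongs, on the generated document before it reaches the Web server, and the two kinds of defect it must catch: a tag the taxonomy does not define, which the response to question 24 explains an HTML consumer would never notice, and facts that do not foot.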
MULTIPLE CHOICE QUESTIONS:
1. c
2. a
3. e
4. b
5. a
6. d
7. d
8. c
9. a
10. c
11. b
12. b
13. c
14. b
15. d
16. c
17. d
18. c
19. a
20. c
21. a
PROBLEMS: 1. TRANSACTION CYCLE IDENTIFICATION Required: Categorize each of the following activities into the expenditure, conversion, or revenue cycles and identify the applicable subsystem. Response: a. Expenditure cycle-payroll subsystem. b. Conversion cycle-production planning and control subsystem. c. Revenue cycle-cash receipts subsystem. d. Revenue cycle-sales order processing subsystem. e. Expenditure cycle-purchases subsystem. f. Conversion cycle-production planning and control subsystem.
2. TYPES OF FILES Required: For each of the following records, indicate the appropriate related file structure: master file, transaction file, reference file, or archive file. Response: a. master file b. transaction file c. reference file d. archive file e. master file f. transaction file g. reference file h. archive file
3. SYSTEM FLOWCHART Required: Develop a similar flowchart for the process of paying hourly employees. Response:
[System flowchart for paying hourly employees (image not reproduced). Labels recovered from the figure: Employee; Employee Time Sheets; Cost Center Managers; Data Collection; Data Validation; Cost Center Reports; Discrepancy / Acceptance Reports; Payroll System.]
4. ENTITY RELATIONSHIP DIAGRAM Required: Describe the business rules represented by the cardinalities in the diagram. Response: The receiving department is a department that prepares many purchase requisitions, which are sent to the purchasing department. The purchasing department prepares many purchase orders, which are sent to suppliers. The many different suppliers each may ship many different inventory items to the receiving department of the customer, although each purchase order will be for only one inventory item. The receiving clerk receives the many different inventory items and prepares a receiving report for each shipment that will relate to one purchase order.
5. ENTITY RELATIONSHIP DIAGRAM Required: Modify the diagram in problem 4 to deal with payments of merchandise purchased. Explain the business rules represented by the cardinalities in the diagram. Response: The drawing for Problem 4 would be modified to add the supplier’s invoice. Each purchase order would correspond to an individual supplier’s invoice, and there could be many invoices from each supplier. One payment disbursement would be associated with each of the many possible invoices.
6. ENTITY RELATIONSHIP DIAGRAM Required: Prepare an entity relationship diagram, in good form, for the expenditure cycle, which consists of both purchasing and cash disbursements. Describe the business rules represented by the cardinalities in the diagrams. Response: Business Rules:
An inventory item may be ordered many times from many suppliers. A purchase order may list many items and a supplier may supply many items. A purchase order may be sent to only one vendor. A vendor may receive more than one purchase order. An invoice comes from only one vendor, but a vendor may send more than one invoice.
7. SYSTEM FLOWCHART Required: Use the diagram for Problem 7 to answer the following questions: Response: a. Symbol 1 is a terminal showing the source or destination of a document or report; symbol 2 is a source document or report. b. Symbols 3 and 4 depict the entry of data in real time into a system from a computer terminal. c. Symbols 4 and 5 depict the storage/ retrieval of data to/ from a computer disk. d. Symbols 6, 7, 8, and 9 depict the manual processing of source documents and its placement into a file.
8. SYSTEM FLOWCHART Required: Analyze the system flowchart for Problem 8 and describe in detail the processes that are occurring. Response: Time sheets are collected in a batch, and the information is manually keyed into the system. This data is now stored on a magnetic disk. An editing program is run, which verifies whether the employee number is valid by checking it against an employee master file. The validity of the cost center assigned is also verified against a master file. Logical and clerical errors should also be tested, such as an employee working an unreasonable number of hours in a day/week. Records that are found to be in error are sent to an error file. These errors need to be investigated and corrected. The good records are stored in a data file. The next program takes the edited transaction records, one at a time, and updates any corresponding fields in the master files. Finally, a report program generates paychecks and management reports.
9. SYSTEM FLOWCHARTS AND PROGRAM FLOWCHART Required: From the diagram in Problem 8, identify three types of errors that may cause a payroll record to be placed in the error file. Use a program flowchart to illustrate the edit program. Response: Any of the following types of errors may cause a payroll record to be placed in the error file: a. invalid employee number b. invalid cost center c. incorrect batch/ control total that does not equal the totals computed by the program A program flowchart is presented below:
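The edit program that the responses to problems 8 and 9 describe, written out as an added example (it is not the textbook's code). The master files, the batch of keyed time-sheet records, the control totals and the 60-hour reasonableness limit are all constructed for illustration.

```python
"""Added example, not from the textbook: the payroll edit program of problems
8 and 9, run over constructed master files and a constructed batch of keyed
time-sheet records. Good records go to the edited transaction file, rejects go
to the error file with the reason, and the batch control totals are checked."""
from dataclasses import dataclass, field

# Constructed master files the edit program validates against.
EMPLOYEE_MASTER = {"E100": "A. Smith", "E101": "B. Jones", "E102": "C. Lee"}
COST_CENTER_MASTER = {"CC10", "CC20"}
MAX_HOURS_PER_WEEK = 60.0    # assumed reasonableness limit for the logical test


@dataclass(frozen=True)
class TimeSheet:
    employee: str
    cost_center: str
    hours: float


@dataclass
class EditResult:
    edited: list = field(default_factory=list)   # records passed on to the update program
    errors: list = field(default_factory=list)   # (record or None, reason) for the error file


def edit_record(rec):
    """Apply the validity and reasonableness tests to one record.
    Returns the list of failures; an empty list means the record is clean."""
    reasons = []
    if rec.employee not in EMPLOYEE_MASTER:
        reasons.append("invalid employee number")
    if rec.cost_center not in COST_CENTER_MASTER:
        reasons.append("invalid cost center")
    if not 0 < rec.hours <= MAX_HOURS_PER_WEEK:
        reasons.append(f"unreasonable hours {rec.hours}")
    return reasons


def run_edit(batch, control_record_count, control_hash_total):
    """Edit a whole batch. The record count and hours hash total keyed from the
    batch transmittal sheet are compared with what the program computes; a
    mismatch is written to the error file against the batch (record None) so
    the whole batch is investigated, then every record is edited on its own."""
    result = EditResult()
    if len(batch) != control_record_count:
        result.errors.append((None, f"record count {len(batch)} != control {control_record_count}"))
    computed = sum(r.hours for r in batch)
    if computed != control_hash_total:
        result.errors.append((None, f"hash total {computed} != control {control_hash_total}"))
    for rec in batch:
        reasons = edit_record(rec)
        if reasons:
            result.errors.append((rec, "; ".join(reasons)))
        else:
            result.edited.append(rec)
    return result


# Constructed batch: one clean record and one record for each error type.
SAMPLE_BATCH = [
    TimeSheet("E100", "CC10", 40.0),
    TimeSheet("E999", "CC10", 38.0),   # not in the employee master
    TimeSheet("E101", "CC99", 41.5),   # cost center does not exist
    TimeSheet("E102", "CC20", 95.0),   # more hours than the limit allows
]
SAMPLE_CONTROL_COUNT = 4
SAMPLE_CONTROL_HASH = 214.5           # 40 + 38 + 41.5 + 95, as keyed on the transmittal


if __name__ == "__main__":
    result = run_edit(SAMPLE_BATCH, SAMPLE_CONTROL_COUNT, SAMPLE_CONTROL_HASH)
    print("edited file:", result.edited)
    for rec, reason in result.errors:
        print("error file:", rec, reason)
```

Recording a control-total mismatch as its own error-file entry, separate from the per-record failures, keeps the two kinds of exception apart: a record that fails an edit is corrected and re-entered, while a batch whose totals do not agree with the transmittal sheet points to a keying or batching error that the clerk must resolve before any of its records are trusted.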
10. DATA FLOW DIAGRAM Required: What are the four symbols used in a DFD, and what does each symbol represent? Response: A rectangle is used to represent an entity. An entity might be the source of a document or activity, or the destination of a document. A rectangle with rounded corners represents a process. A rectangle without the right most line represents a data store, i.e. a transaction file, a master file, or a reference file. Arrows represent the flow and direction of information within the diagram.
11. TRANSACTION CYCLE RELATIONSHIP Required: Modify Figure 6-1 to reflect the transaction cycles you might find at a dentist’s office. Response:
12. SYSTEM DOCUMENTATION—EXPENDITURE CYCLE (MANUAL PROCEDURES) Required: Prepare a data flow diagram and a system flowchart of the expenditure cycle procedures previously described.
Response:
13. RECORD STRUCTURES FOR RECEIPT OF ITEMS ORDERED Required: Prepare a diagram (similar to Figure 6-28) that presents the record structure for the receipt (receiving report) of inventory items ordered. Response:
Receiving Report File: Receiving Report Number (PK) | Purchase Order Number (SK) | Inventory Number (SK) | Vendor Number (SK) | Quantity Received | Condition
Purchase Order File: Purchase Order Number | Inventory Number | Vendor Number | Quantity Ordered
Vendor Master File: Vendor Number | Name | Address | Balance | Terms
Inventory Master File: Inventory Number | Description | Quantity On Hand | Reorder Point | EOQ | Unit Cost
14. SYSTEM DOCUMENTATION—PAYROLL Required: Prepare a data flow diagram and a system flowchart of the payroll procedures previously described. Response:
15. SYSTEM DOCUMENTATION—PAYROLL Required: Assuming the payroll system described in Problem 14 uses database files and computer processing procedures, prepare a data flow diagram, an entity relationship diagram, and a systems flowchart. Response:
16. SYSTEM DOCUMENTATION—REVENUE CYCLE MANUAL AND COMPUTER PROCESSES Required: Prepare a data flow diagram and a system flowchart of the revenue cycle procedures previously described. Response:
[Problem 6-16 Flowchart, Page 1 (image not reproduced). Columns: Sales Department, Customer, Shipping Department, Billing Department. Labels: Customer Order; Prepare Sales Order; Pick Goods and Ship; Add Prices and Taxes; Record Sale; Sales Journal; SO (sales order copies); off-page connectors A, B, C.]
[Problem 6-16 Flowchart, Page 2 (image not reproduced). Columns: Inventory Control, Accounts Receivable, Cash Receipts, Mail Room, Customer, Bank. Labels: Post to Accounts; Receive and Distribute; Cash Receipts Journal; Inventory; Acct; SO; RA; Check; Dep Slip; off-page connectors B, C, D.]
[Problem 6-16 DFD (image not reproduced). External entities: Customer, Bank. Processes: Prepare SO; Bill Customer; Update AR; Update Inventory; Ship Goods; Receive Mail; Prep Dep Slip. Data stores: File; Sales; AR; Inventory; Temp File; CR Jour. Flows: Customer Order; SO1, SO2, SO3, SO4, SO5, SO6; RA; Check; Dep Slip.]
17. SYSTEM DOCUMENTATION—EXPENDITURE CYCLE (MANUAL AND COMPUTER PROCEDURES) Required: Prepare a data flow diagram and a system flowchart of the expenditure cycle procedures previously described.
[Problem 6-17 Flowchart, Page 1 (image not reproduced). Columns: Purchasing Department, Data Processing Center, Receiving Department. Labels: Purchasing System; Inventory; Review and Sign PO; PO; PO File; Inspect Goods and Review PO; Rec Rept; Stores; Purchases Journal; AP Sub; CD Journal; Check; Supplier; off-page connectors A, B.]
[Problem 6-17 Flowchart, Page 2 (image not reproduced). Columns: Accounts Payable, Cash Disbursements Dept. Labels: Supplier; Invoice; Check; Check Copy; Review and Sign Checks; Review and Reconcile; off-page connectors A, B.]
[Problem 6-17 DFD (image not reproduced). External entities: Supplier, Stores. Processes: Review Inventory and prepare PO; Review and sign PO; Receive and inspect Goods; Update Inventory; Post to AP and record in Purch Journal; Review AP for Item Due and prepare Check; Review, Sign, Distribute Check. Data stores: Inventory; PO File; Rec Rept File; AP Ledger; Purch Journal; CD Journal. Flows: PO 1, PO 2; Rec Rept; Invoice; Check 1, Check 2.]
18. CODING SCHEME Required: Devise a coding scheme using block and sequential codes for the chart of accounts for Jensen Camera Distributors. Response:
101.0 Cash
102.0 Accounts Receivable
103.0 Office Supplies Inventory
104.0 Prepaid Insurance
105.0 Inventory
121.0 Investments in Marketable Securities
131.0 Delivery Truck
131.5 Accumulated Depreciation – Delivery Truck
132.0 Equipment
132.5 Accumulated Depreciation – Equipment
133.0 Furniture and Fixtures
133.5 Accumulated Depreciation – Furniture and Fixtures
134.0 Building
134.5 Accumulated Depreciation – Building
135.0 Land
201.0 Accounts Payable
202.0 Wages Payable
203.0 Taxes Payable
221.0 Notes Payable (Long-term)
222.0 Bonds Payable
301.0 Common Stock
302.0 Paid in Capital in Excess of Par
311.0 Treasury Stock
390.0 Retained Earnings
401.0 Sales
401.5 Sales Returns and Allowances
420.0 Dividend Income
501.0 Cost of Goods Sold
501.0 Wages Expense
521.0 Utility Expense
522.0 Office Supplies Expense
531.0 Insurance Expense
541.0 Depreciation Expense
551.0 Advertising Expense
561.0 Fuel Expense
571.0 Interest Expense
19. CODING SCHEME Required: Devise a coding scheme for the warehouse layout shown in Problem 19. Response: The following scheme uses group codes with alphabetic and numeric data since they can be used to categorize information in a hierarchical form.
Warehouse: 1
Aisle: C
Left or right side of aisle: L
Shelf: 5
Bin: 08
Thus, code 1CL08 represents the above. 2AR415 represents inventory in warehouse #2, aisle A, right side of aisle, shelf 4, bin #15.
20. BACKUP AND RECOVERY PROCEDURES FOR DATABASE FILES Required: a. Which, if any, files contain noncorrupted data (transaction file, accounts receivable master file, sales master file, or backup master files)? b. Will a clerk have to reenter any data? If so, what data will have to be reentered? c. What steps will the company have to take to obtain noncorrupted master files that contain the previous day’s sales data?
Responses: a. Only the backup files can be presumed to be uncorrupted. b. The clerk will have to reenter the data for the previous day’s sales. c. The company will first have to restore the backed-up data to the computer. Once the clerk has reentered the sales data, this new transaction file will have to go through the edit process. Finally, an updated master file(s) may be generated and then a new backup file created.
21. GENERAL LEDGER SYSTEM OVERVIEW Required: Draw a diagram depicting the relationship between the general ledger master file, control accounts, subsidiary files, and financial statements. Response:
22. FINANCIAL REPORTING PROCESS Required: Place steps in the proper order and indicate whether each step is a function of the TPS, GLS, or FRS. Response:
2  Record transaction in special journal  TPS
6  Make adjusting entries  FRS
1  Capture the transaction  TPS
11 Prepare the post-closing trial balance  FRS
8  Prepare the adjusted trial balance  FRS
9  Prepare the financial statements  FRS
7  Journal and post adjusting entries  GLS
3  Post to the subsidiary ledger  TPS
4  Post to the general ledger  GLS
10 Journalize and post the closing entries  GLS
5  Prepare the unadjusted trial balance  FRS
23. XBRL Required: a. Research the current state of XBRL and determine if this technology is appropriate for internal reporting projects such as this. b. Identify the enhancements to current information and reporting that the company could realize by using XBRL. c. Discuss any data integrity, internal control, and reporting concerns associated with XBRL.
Responses: a. Yes it is appropriate. XBRL is typically used for reporting aggregated financial data but can also be applied to communicating information pertaining to individual transactions and internal business units. To make the data useful to others they need to be organized, labeled, and reported in a manner that is generally accepted. This involves mapping the organization’s internal data to XBRL taxonomy elements to produce an XBRL instance document. Companies that use native-XBRL database technology internally as their primary information storage platform can speed the process of reporting. Users can import XBRL documents into internal databases and analysis tools to greatly facilitate decision making.
b. i. Can provide the financial community with a standardized method for preparing, publishing, and automatically exchanging financial information, including financial statements of publicly held companies. ii. XBRL documents can be placed on an intranet server for internal use. iii. They can be placed on an extranet for dissemination to customers or trading partners.
c. Controls must be designed and in place to ensure the correct generation of XBRL taxonomies. Independent verification procedures need to be established to validate the instance documents to ensure that appropriate taxonomy and tags have been applied before posting to the Web server. Additionally, audit scope and responsibility needs to be assessed and implemented with respect to these documents.
24. INTERNAL CONTROL
Required: Discuss any potential control weaknesses and problems in this scenario.
Responses: If Leslie is preparing the journal vouchers and/or posting to the subsidiary ledgers, she should not also be entering the information into the general ledger. Performing both functions is not in conformance with segregation of functions. A separate general ledger clerk should post the entries to the general ledger and reconcile the control accounts in the general ledger to the corresponding subsidiary ledgers. Having source documents, such as journal vouchers, without pre-assigned numbers is very risky. Even if a separate general ledger clerk existed as suggested above, this person could visit Leslie’s office and inconspicuously take a couple of journal vouchers without anyone knowing (since the forms are not numbered), and could then enter unauthorized entries into the general ledger. Further, it is quite possible that Leslie will make errors when recording journal voucher numbers.
25. DATABASE GL SYSTEM Required: Redraw figure to reflect this change in the financial reporting process. Response: See drawing on the following page. The only change made is that the daily sales transactions are used to immediately update the sales file. The daily applications create cumulative totals of each day’s transactions on disk. The totals are merged with the other applications’ totals prior to updating the general ledger and other database files.
26. DATABASE GL SYSTEM Required: Adjust figure to accommodate this request by top management, assuming that the nightly updates to the general ledger are sufficient. Response:
27. INTERNAL CONTROL
Required: Expand the figure to incorporate the journal voucher listing and general ledger change report as control mechanisms. Also discuss the specific controls they impose on the system.
Response: The journal voucher listing and general ledger change report allow the transactions to be analyzed for accuracy and completeness. Any errors noted can be corrected and input into the system prior to preparing the financial statements. For Figure 8-10, the update general ledger procedure would include the journal voucher listing and the general ledger change report. Again, any noted errors can be corrected prior to the generation of financial statements.
CHAPTER 7 COMPUTER-ASSISTED AUDIT TOOLS AND TECHNIQUES REVIEW QUESTIONS
1.
What are the broad classes of input controls? Response:
Field interrogation
Record interrogation
File interrogation
2.
What types of errors do check digits detect? Response:
Transcription errors
Single transposition errors
Multiple transposition errors
3.
Give one example of an error that could be detected by a check digit control. Response: An accounts receivable clerk incorrectly posts a $1,000 remittance advice to customer account number 674534. The payment should have been posted to customer account number 674543. This transposition error resulted in the payment being posted to a legitimate, but incorrect, account. A check digit routine could have detected this error.
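The following Python example is added here to show how a check digit routine catches the transposition in the response above; it is example code, not material from the textbook. The scheme assumed is modulus 11 with weights 2, 3, 4, ... applied from the rightmost digit of the base number leftwards, the check digit being chosen so that the weighted sum of all digits (check digit weight 1) is divisible by 11. The six-digit customer numbers are those of the review question; the appended check digit is constructed.

```python
# Added illustration of the check digit control (example code, not from the textbook).
# Assumed scheme: modulus 11, weights 2, 3, 4, ... from the rightmost base digit.

def mod11_check_digit(base):
    """Check digit for a digits-only base number: '0'-'9', or 'X' when 10 is needed."""
    if not base.isdigit():
        raise ValueError("base number must contain digits only")
    weighted = sum(int(d) * w for d, w in zip(reversed(base), range(2, len(base) + 2)))
    check = (11 - weighted % 11) % 11
    return "X" if check == 10 else str(check)


def is_valid(number):
    """True if the last character of `number` is the correct check digit for the rest."""
    base, check = number[:-1], number[-1]
    return base.isdigit() and mod11_check_digit(base) == check


def detects_all_single_errors(number):
    """Exhaustively confirm that every single-digit substitution (transcription error)
    and every swap of two digits (transposition error) in a valid number is rejected.
    With a prime modulus and weights below 11, each such error changes the weighted
    sum by a value that is not a multiple of 11, so validation must fail."""
    digits = list(number)
    n = len(digits)
    for i in range(n):
        for d in "0123456789":
            if d != digits[i]:
                trial = digits[:]
                trial[i] = d
                if is_valid("".join(trial)):
                    return False
    for i in range(n):
        for j in range(i + 1, n):
            if digits[i] != digits[j]:
                trial = digits[:]
                trial[i], trial[j] = trial[j], trial[i]
                if is_valid("".join(trial)):
                    return False
    return True


# The scenario from the review question: the correct account is 674543 and the clerk
# keyed 674534. With the (constructed) check digit appended, the keyed number fails.
CORRECT_ACCOUNT = "674543" + mod11_check_digit("674543")   # "6745431"
KEYED_ACCOUNT = "674534" + CORRECT_ACCOUNT[-1]              # two digits transposed

if __name__ == "__main__":
    print(CORRECT_ACCOUNT, is_valid(CORRECT_ACCOUNT))   # 6745431 True
    print(KEYED_ACCOUNT, is_valid(KEYED_ACCOUNT))       # 6745341 False
```

The exhaustive check in `detects_all_single_errors` is what an auditor testing a data coding control would want to see: for this weight scheme every single transcription error and every single transposition of a seven-character number is rejected, which matches the error classes listed in Review Question 2.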
4.
What are the primary objectives of a batch control? Response: The objective of batch control is to reconcile output produced by the system with the input originally entered into the system. This provides assurance that: a. All records in the batch are processed. b. No records are processed more than once. c. An audit trail of transactions is created from input through processing to the output stage of the system.
5.
Classify each of the following as a field, record, or file interrogation:
a. Limit check
b. Validity check
c. Version check
d. Missing data check
e. Sign checks
f. Expiration date check
g. Numeric-alphabetic data check
h. Sequence check
i. Zero-value check
j. Header label check
k. Range check
l. Reasonableness check
Response:
a. field
b. field
c. file
d. field
e. record
f. file
g. field
h. record
i. field
j. file
k. field
l. record
6.
What are the three common error-handling techniques discussed in the text? Response: Three common error-handling techniques are (1) correct immediately, (2) create an error file, and (3) reject the entire batch.
7.
What are the white box audit techniques? Response:
Test data method
Base case approach
Tracing
Integrated Test Facility (ITF)
Parallel Simulation
8.
What are the three categories of processing controls? Response: a. run-to-run controls b. operator intervention controls c. audit trail controls
9.
If all of the inputs have been validated before processing, then what purpose do run-to-run controls serve? Response: The run-to-run control is a control device to ensure that no records are lost, unprocessed, or processed more than once for each of the computer runs (processes) that the records must flow through.
10.
What is the objective of a transaction log? Response: One of the objectives of a transaction log is to create a separate, permanent record of all transactions that have changed account balances.
11.
How can spooling present an added exposure? Response: The creation of an output file as an intermediate step in the printing process presents an added exposure. A computer criminal may access the file and change it, copy it, delete or use the information in it, or destroy it.
12.
What is ITF? Response: The integrated test facility (ITF) approach is an automated technique that enables the auditor to test an application’s logic and controls during its normal operation. ITF is one or more audit modules designed into the application during the systems development process. In addition, ITF databases contain “dummy” or test master file records integrated with legitimate records. During normal operations, the auditor can insert test transactions, which are merged into the input stream with regular (production) transactions and are processed against the dummy files.
13.
What is the purpose of a range check? Response: Many times, data have upper and lower limits to their acceptable values. For example, if the range of pay rates for hourly employees in a firm is between $18 and $30, this control can examine the pay rate field of all payroll records to ensure that they fall within this range. It would not detect an error where a correct pay rate of, say, $19 is incorrectly entered as $29.
14.
What is a reasonableness test? Response: A reasonableness test determines if a value in one field, which has already passed a limit check and a range check, is reasonable when considered along with other data fields in the record. For example, an employee’s pay rate of 18 dollars per hour falls within an acceptable range. However, this rate is excessive when compared to the employee’s job skill code of 693; employees in this skill class never earn more than 12 dollars per hour.
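Review Questions 13 and 14 above describe the range check and the reasonableness test. The Python example below is added to show both, together with the other field checks named in this chapter (missing data, numeric-alphabetic, validity, sign and limit checks), run over constructed payroll records; it is example code, not from the textbook. The $18 to $30 pay-rate range and the $12 cap for skill class 693 are the figures from the two responses above; the other skill classes, the 10-hour overtime limit, the marital codes and the records are assumptions made for the demonstration.

```python
# Added illustration of field and record interrogation (example code, not from the
# textbook). The pay-rate range and the skill class 693 cap come from Review Questions
# 13 and 14; everything else here is constructed.

PAY_RATE_RANGE = (18.0, 30.0)                                # range check (from the text)
MAX_RATE_BY_SKILL_CLASS = {693: 12.0, 710: 25.0, 820: 30.0}   # 693 from the text; others constructed
MAX_OVERTIME_HOURS = 10                                      # limit check (constructed)
VALID_MARITAL_CODES = {"M", "S"}                             # validity check (constructed)


def validate_payroll_record(rec):
    """Return a list of (check, field) failures; an empty list means the record passed."""
    failures = []

    # Field interrogation: each check examines one field on its own.
    for field in ("employee_id", "pay_rate", "marital", "skill_class"):
        if rec.get(field) in (None, ""):
            failures.append(("missing_data", field))

    marital = rec.get("marital") or ""
    if marital and not marital.isalpha():
        failures.append(("numeric_alphabetic", "marital"))
    if marital and marital not in VALID_MARITAL_CODES:
        failures.append(("validity", "marital"))

    for field in ("regular_hours", "overtime_hours"):
        if rec.get(field, 0) < 0:
            failures.append(("sign", field))

    if rec.get("overtime_hours", 0) > MAX_OVERTIME_HOURS:
        failures.append(("limit", "overtime_hours"))

    rate = rec.get("pay_rate")
    low, high = PAY_RATE_RANGE
    if rate is not None and not low <= rate <= high:
        failures.append(("range", "pay_rate"))

    # Record interrogation: the pay rate is judged against another field of the same
    # record (the skill class), which no single-field check can do.
    cap = MAX_RATE_BY_SKILL_CLASS.get(rec.get("skill_class"))
    if rate is not None and cap is not None and rate > cap:
        failures.append(("reasonableness", "pay_rate"))

    return failures


# Constructed records.
REC_CLEAN = {"employee_id": "E1001", "pay_rate": 19.0, "skill_class": 710,
             "marital": "M", "regular_hours": 40, "overtime_hours": 5}
# Pay rate inside the $18-$30 range but excessive for skill class 693 (Review Question 14).
REC_SKILL_MISMATCH = {"employee_id": "E1002", "pay_rate": 18.0, "skill_class": 693,
                      "marital": "S", "regular_hours": 40, "overtime_hours": 0}
# Several keying errors at once. Note that $29 keyed for a $19 rate is not caught by the
# range check (Review Question 13); here only the reasonableness test catches it.
REC_ERRORS = {"employee_id": "", "pay_rate": 29.0, "skill_class": 710,
              "marital": "2", "regular_hours": 40, "overtime_hours": 15}

if __name__ == "__main__":
    for name, rec in [("clean", REC_CLEAN), ("skill", REC_SKILL_MISMATCH), ("errors", REC_ERRORS)]:
        print(name, validate_payroll_record(rec))
```

The marital code "2" fails both the numeric-alphabetic check and the validity check, which is why Discussion Question 1 below accepts either as the answer; the two checks overlap on that input but not in general.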
15.
What is the purpose of a redundancy test? Response: Redundancy tests determine that an application processes each record only once. Redundancy tests include reviewing record counts and recalculation of hash totals and financial control totals.
16.
What is a validity test? Response: Validity tests ensure that the system processes only data values that conform to specified tolerances. Audit tests would include designing data for range tests, field tests, limit tests, and reasonableness tests. Validity tests also apply to transaction approvals, such as verifying that credit checks and AP three-way matches are properly performed by the application.
17.
What is tracing? Response: Tracing is an audit technique that performs an electronic walk-through of the application’s internal logic. It shows the instructions that are executed and the order of their execution.
18.
What is the purpose of a completeness test? Response: Completeness tests identify missing data within a single record and/or entire records missing from a batch. The types of tests performed are field tests, record sequence tests, and recalculation of hash totals and financial control totals.
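Review Question 4 above gives the objectives of batch control, and Review Questions 15 and 18 name the tests (record counts, hash totals, financial control totals) used to confirm that no record was lost or processed twice. The Python example below is added to show those totals being taken at input and reconciled against the output of a processing run; it is example code, not from the textbook, and the batch and the three simulated run outputs are constructed.

```python
from collections import Counter

# Added illustration of batch control totals (example code, not from the textbook).
# Constructed batch of sales transactions as recorded by data control at input.
BATCH_IN = [
    {"txn": 1001, "account": 674543, "amount": 250.00},
    {"txn": 1002, "account": 120987, "amount": 75.50},
    {"txn": 1003, "account": 311222, "amount": 1200.00},
    {"txn": 1004, "account": 674543, "amount": 19.95},
]


def batch_control_totals(records):
    """The totals kept on the batch transmittal sheet: record count, financial control
    total (sum of amounts) and hash total (sum of account numbers, a figure with no
    business meaning that exists only to be recomputed and compared)."""
    return {
        "record_count": len(records),
        "financial_total": round(sum(r["amount"] for r in records), 2),
        "hash_total": sum(r["account"] for r in records),
    }


def reconcile_batch(input_records, output_records):
    """Recompute the control totals from a run's output and compare them with the totals
    taken at input. Mismatched totals are listed under 'exceptions'; the transaction
    numbers (the audit trail) then show which records were lost (completeness) or
    processed more than once (redundancy)."""
    expected = batch_control_totals(input_records)
    actual = batch_control_totals(output_records)
    exceptions = [name for name in expected if expected[name] != actual[name]]
    in_ids = Counter(r["txn"] for r in input_records)
    out_ids = Counter(r["txn"] for r in output_records)
    missing = sorted(t for t in in_ids if out_ids[t] < in_ids[t])
    duplicated = sorted(t for t in out_ids if out_ids[t] > in_ids[t])
    return {"expected": expected, "actual": actual, "exceptions": exceptions,
            "missing": missing, "duplicated": duplicated}


# Constructed outputs of three processing runs over the same batch.
RUN_CLEAN = list(BATCH_IN)
RUN_LOST_RECORD = [r for r in BATCH_IN if r["txn"] != 1003]   # one record dropped
RUN_DUPLICATE = BATCH_IN + [BATCH_IN[1]]                      # one record processed twice

if __name__ == "__main__":
    for label, run in [("clean", RUN_CLEAN), ("lost", RUN_LOST_RECORD), ("dup", RUN_DUPLICATE)]:
        result = reconcile_batch(BATCH_IN, run)
        print(label, result["exceptions"], result["missing"], result["duplicated"])
```

Taken together the three totals are stronger than any one of them: a dropped record and a duplicated record with the same amount would leave the record count and financial total unchanged, and only the hash total or the transaction-number comparison would reveal the substitution.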
19.
What is the white-box approach to application testing? Response: The white-box approach requires the auditor to obtain an in-depth understanding of the internal logic of the application being tested so that he or she may test the internal controls directly. White-box techniques use small numbers of specially created test transactions to verify specific aspects of an application’s logic and controls. In this way, auditors are able to conduct precise tests, with known variables, and obtain results that they can compare against objectively calculated results.
20.
What is the primary disadvantage of ITF? Response: The primary disadvantage of ITF is the potential for corrupting the data files of the organization with test data. Steps must be taken to ensure that ITF test transactions do not materially affect financial statements by being improperly aggregated with legitimate transactions.
DISCUSSION QUESTIONS 1.
The field calls for an “M” for married or an “S” for single. The entry is a “2.” What control will detect this error? Response: Numeric/alphabetic data checks or validity check
2.
The firm allows no more than 10 hours of overtime a week. An employee entered “15” in the field. Which control will detect this error? Response: Limit check
3.
The password was “CANARY”; the employee entered “CAANARY.” Which control will detect this error? Response: Validity check
4.
The inventory item number was omitted on the purchase order. Which control will detect this error? Response: Missing data check
5.
The order entry system will allow a 10 percent variation in list price. For example, an item with a list price of $1 could be sold for 90 cents or $1.10 without any system interference. The cost of the item is $3, but the cashier entered $2. Which control would detect this error? Response: Range check
6.
How does privacy relate to output control? Response: If the privacy of certain types of output is violated, for example, sensitive information about clients or customers, a firm could be legally exposed.
7.
Compare the three common error-handling techniques discussed in the text. Response: Three common error handling techniques are (1) correct immediately, (2) create an error file, and (3) reject the entire batch. (1) Correct Immediately. If the system is using the direct data validation approach, error detection and correction can take place during data entry. Upon detecting a keystroke error or an illogical relationship, the system should halt the data entry procedure until the user corrects the error.
(2) Create an Error File. When delayed validation is being used, such as in batch systems with sequential files, individual errors should be flagged to prevent them from being processed. At the end of the validation procedure, the records flagged as errors are removed from the batch and placed in a temporary error holding file until the errors can be investigated. (3) Reject the Batch. Some forms of errors are associated with the entire batch and are not clearly attributable to individual records. The most effective solution in this case is to cease processing and return the entire batch to data control to evaluate, correct, and resubmit. 8.
Output controls ensure that output is not lost, misdirected, or corrupted and that privacy is not violated. What are some output exposures, or situations where output is at risk? Response: Output is removed from the printer by the computer operator, separated into sheets and separated from other reports, reviewed for correctness by the data control clerk, and then sent through interoffice mail to the end user. Each stage in this process is a point of potential exposure where the output could be reviewed, stolen, copied, or misdirected. An additional exposure exists when processing or printing goes wrong and produces output that is unacceptable to the end user. These corrupted or partially damaged reports are often discarded in waste cans. Computer criminals have successfully used such waste to achieve their illicit objectives.
9.
Input validation includes field interrogation that examines the data in individual fields. List four validation tests and indicate what is checked in each. Response: Numeric-alphabetic checks look for the correct content in a field, numbers, or letters; zero-value checks determine if necessary zeros are present; limit checks verify that values are within preset limits; range checks verify the values fall within an acceptable range. Other acceptable responses include missing data checks that look for blank spaces, validity checks that compare actual values in a field against known acceptable values, and check digit controls that identify keystroke errors in key fields.
10.
What is record interrogation? Give two examples. Response: Record interrogation examines the combination of fields in a record to determine consistency. Record interrogation tests include reasonableness checks, sign checks, and sequence checks. Examples of record interrogation include checking that the pay rate and job class agree, and checking that the balance in accounts payable is a credit.
11.
Explain how parallel simulation works. Response: Parallel simulation involves creating a program that simulates key features or processes of the application under review. The simulated application is then used to reprocess the same transactions that the production application previously processed. The results obtained from the simulation are reconciled with the results of the original production run to determine if application processes and controls are functioning correctly.
12.
What are rounding error routines, and why are they used? Response: Financial systems that calculate interest payments on bank accounts or charges on mortgages and other loans employ special rounding error applications. Rounding errors occur when the level of precision used in a calculation is greater than that used for reporting. For example, interest calculations on bank account balances may
have a precision of five decimal places, whereas only two decimal places are reported on balances. If the remaining three decimal places are simply truncated, the total interest reported for the total number of accounts will not equal the sum of the individual calculations. The routine uses an accumulator to keep track of the rounding differences between calculated and reported balances. When the accumulator exceeds one cent positive or negative, the penny is added or subtracted from the current account. 13.
How does the salami fraud get its name, and how does it work? Response: The fraud scheme takes its name from the analogy of slicing large salami (the total fraud) into many thin pieces. Each victim gets one of these small pieces and is unaware of being defrauded. For example, a programmer, or someone with access to the rounding program, can modify the rounding logic to perpetrating a salami fraud as follows: at the point in the process where the algorithm should increase the current customer’s account (that is, the accumulator value is > +.01), the program instead adds one cent to the perpetrator’s account. Although the absolute amount of each fraud transaction is small, given the hundreds of thousands of accounts processed, the total amount of the fraud becomes significant over time
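Review Question 12 above describes the rounding error routine and its accumulator, Review Question 13 the way that routine can be abused, and Discussion Question 11 the parallel simulation technique. The Python example below is added to show the legitimate routine and the audit test an auditor would run against its output: an independent recalculation of every account's interest, with an exception for any account whose posting differs from the calculated figure by more than the single cent the routine is allowed to move. It is example code, not from the textbook; the balances, the rate and the discrepancy planted in the second ledger are constructed.

```python
from decimal import Decimal, ROUND_HALF_UP, ROUND_DOWN

# Added illustration of the rounding error routine and its audit test (example code,
# not from the textbook). Balances and rate are constructed.
CALC_PRECISION = Decimal("0.00001")    # interest is calculated to five decimal places
REPORT_PRECISION = Decimal("0.01")     # but reported to two
ONE_CENT = Decimal("0.01")

ACCOUNTS = [("A1", Decimal("1234.56")), ("A2", Decimal("98765.43")),
            ("A3", Decimal("555.55")), ("A4", Decimal("10000.00")),
            ("A5", Decimal("777.77"))]
RATE = Decimal("0.00125")


def calculated_interest(balance, rate):
    """Interest at calculation precision (five decimals)."""
    return (balance * rate).quantize(CALC_PRECISION, rounding=ROUND_HALF_UP)


def post_interest(accounts, rate):
    """The rounding error routine of Review Question 12: truncate each account's interest
    to cents, carry the truncated fraction in an accumulator, and move one whole cent to
    the account currently being processed whenever the accumulator exceeds one cent
    positive or negative. Returns ({account: posted}, residual left in the accumulator)."""
    posted = {}
    accumulator = Decimal("0")
    for acct, balance in accounts:
        exact = calculated_interest(balance, rate)
        reported = exact.quantize(REPORT_PRECISION, rounding=ROUND_DOWN)
        accumulator += exact - reported
        if accumulator > ONE_CENT:
            reported += ONE_CENT
            accumulator -= ONE_CENT
        elif accumulator < -ONE_CENT:
            reported -= ONE_CENT
            accumulator += ONE_CENT
        posted[acct] = reported
    return posted, accumulator


def audit_postings(accounts, rate, ledger):
    """Parallel-simulation style audit test: recompute every account's interest
    independently of the production program and compare it with the ledger. The
    legitimate routine never moves more than one cent, and only to the account being
    processed, so an account whose posting is off by more than a cent is an exception.
    The total posted may differ from the total calculated only by the sub-cent residual."""
    exceptions = []
    total_calculated = Decimal("0")
    for acct, balance in accounts:
        exact = calculated_interest(balance, rate)
        total_calculated += exact
        if abs(ledger[acct] - exact) > ONE_CENT:
            exceptions.append(acct)
    total_difference = sum(ledger.values()) - total_calculated
    return exceptions, total_difference


if __name__ == "__main__":
    ledger, residual = post_interest(ACCOUNTS, RATE)
    print(ledger, residual)                     # A3 receives the carried cent
    print(audit_postings(ACCOUNTS, RATE, ledger))
```

Run over the constructed accounts, simple truncation would report $139.15 against $139.16664 calculated, while the routine reports $139.16 and leaves $0.00664 in the accumulator. An account-level exception (rather than only a total-level one) is what makes the audit test useful: cents diverted to an account other than the one being processed leave the grand total looking plausible but show up as a per-account difference.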
14.
Discuss the black box approach, and explain how it is different from white box approaches to testing application controls. Response: The black box approach does not require the auditor to create test files or to obtain a detailed knowledge of the application’s internal logic. Instead, auditors analyze flowcharts and interview knowledgeable personnel in the client’s organization to understand the functional characteristics of the application. With an understanding of what the application is supposed to do, the auditor tests the application by reconciling actual production transactions processed with output results. The output results are analyzed to verify the application’s compliance with its functional requirements. White box techniques require a detailed understanding of the application’s logic and involve creating test data to verify the logic directly.
MULTIPLE CHOICE
1. d
2. c
3. a
4. d
5. c
6. a
7. c
8. d
9. c
10. c
11. d
12. d
13. d
14. c
15. b
16. c
17. b
18. a
19. c
20. c
PROBLEMS
1. Input Validation
Identify the types of input validation techniques for the following inputs to the payroll system. Briefly explain the control provided by each of these techniques.
a. The payroll system accessed the payroll file.
b. New employee
c. Employee name
d. Employee number
e. Social Security number
f. Rate per hour or salary
g. Marital status
h. Number of dependents
i. Cost center
j. Regular hours worked
k. Overtime hours worked
Response:
a. File interrogation. Verify the internal label to ensure the correct file is being accessed.
b. Record interrogation. Reasonableness and sequence checks to verify the entire record. Field checks on pay rate and personal information to be entered: validity check, missing data check, sign checks, numeric-alphabetic data check.
c. Alphabetic check validates that letters are entered where only letters are required to be entered, e.g., employee name.
d. Check digit to verify that the number is correct.
e. Missing data check, numeric check, validity check.
f. Range check, reasonableness check.
g. Missing data check ensures that no blank fields are entered where data should be present, e.g., marital status; validity check.
h. Reasonableness check, limit check, missing data check.
i. Validity check.
j. Limit check, missing data check.
k. Reasonableness checks validate that only data within a pre-specified range is entered, e.g., number of hours worked greater than zero and less than 70.
2. IT Application Controls
IT application controls are classified as (a) input controls, (b) processing controls, and (c) output controls.
Required: For each of the three application control categories listed, provide two specific controls and explain how each control contributes to ensuring the reliability of data. Use the following format for your answer: Control Category / Specific Controls / Contribution to Data Reliability.
Response: Student answers will vary. Presented below are the three application control categories, with examples of specific controls and how they contribute to ensuring data reliability.
Input Controls
- Check digit: Helps prevent transactions from being posted to incorrect accounts because of transcription and transposition errors by data entry personnel.
- Internal label check: Prevents access to the wrong file, which could destroy or corrupt data.
Processing Controls
- Run-to-run controls: These controls validate the overall integrity of a batch of transactions as it passes through various processing stages.
- Transaction logs: Provide a permanent record of all transactions processed. In an IT environment the transaction log is the journal.
Output Controls
- Output spooling: To reduce processing bottlenecks and limit access to data by unauthorized persons, large and sensitive data files are directed to spooling disks while they await available printer resources.
- Waste control: Computer output waste represents a potential risk. Aborted reports and the carbon copies from multipart paper should be removed and shredded.
3. Input Controls and Data Processing You have been hired by a catalog company to computerize its sales order entry forms. Approximately 60 percent of all orders are received over the telephone, with the remainder either mailed or faxed in. The company wants the phone orders to be input as they are received. The mail and fax orders can be batched together in groups of fifty and submitted for data entry as they become ready. The following information is collected for each order: • Customer number (if a customer does not have one, one needs to be assigned) • Customer name • Address • Payment method (credit card or money order) • Credit card number and expiration date (if necessary) • Items ordered and quantity
• Unit price
Required: Determine control techniques to make sure that all orders are entered accurately into the system. Also, discuss any differences in control measures between the batch and the real-time processing.
Response: For the phone orders, if a customer has a customer number, it should be verified against a master file. If a customer needs to establish a customer number, one should be assigned, and the customer’s name should be entered. A missing data check should be used to verify that a first name, last name, and street address have been entered. If the firm has a U.S. zip code database, the zip code can be entered and the city and town should appear. The payment method should be a menu choice of the credit cards that are accepted. The credit card number should be entered into an alphanumeric field, and the expiration date into a numeric field. Once the order is totaled, authorization with the credit card company will be obtained online. The item ordered should be entered and verified against an inventory master file. The description should appear and be read to the customer and verified as accurate. The unit price should automatically appear. The quantity should be entered, and a range check performed to see if the order is reasonable.
For the batch-processed data, customers without customer numbers should be placed into a batch for adding and receiving customer numbers before the order can be processed. For those orders with customer numbers, the data will be grouped into batches. Check digits will be calculated for the customer numbers and the inventory items. Any records that have an invalid customer number, invalid inventory item, check digits that do not match, or an unreasonable quantity ordered will be written to an error file, and the rest of the orders will be processed. The clean transactions should be sorted according to charge type and the credit card numbers verified. Any rejected transactions will be sent to a special file from which letters will be sent to the customer. The doubly-clean transactions will then be processed. The real-time processing technique is more efficient because any errors can be resolved easily and immediately.
4. Write an essay explaining the following three methods of correcting errors in data entry: immediate correction, creation of an error file, and rejection of the batch.
Response: Key Points
a. Immediate Correction: In the direct data validation approach, error detection and correction take place during data entry. When an error or illogical relationship is entered, the system should halt the data entry procedure until the error is corrected.
b. Creation of an Error File: In the delayed data validation approach, errors are flagged and placed in an error file. Records with errors will not be processed until the error is investigated and corrected.
c. Rejection of the Batch: Some errors are associated with the entire batch and are not attributable to individual records. An example of this is a control total that does not balance. The entire batch is placed in the error file and will be reprocessed when the error is corrected.
5. Many techniques can be used to control the input effort. Write a one-page essay discussing three techniques.
Response: Key Points
a. Source document controls are designed to control the documents used to initiate transactions, with pre-numbered source documents used in sequence and periodically accounted for.
b. Data coding controls are designed to check the integrity of data by preventing transcription errors and transposition errors.
c. Batch controls are designed to manage large volumes of data by repeatedly verifying totals of specific fields, some financial and others nonfinancial.
6. The presence of an audit trail is critical to the integrity of the accounting information system. Write a one-page essay discussing three of the techniques used to preserve the audit trail.
Response: Key Points
a. Transaction logs list all transactions successfully processed by the system and serve as journals and permanent records. Transactions that were not processed successfully should be recorded in an error file.
b. After processing transactions, a paper transaction listing should be produced and used by appropriate users to reconcile input.
c. Logs and listings of automatic transactions should be produced for transactions initiated internally by the system.
d. Error listings should document all errors and be sent to appropriate users to support error correction.
7. Write an essay comparing and contrasting the following audit techniques based on costs and benefits:
• test data method
• base case system evaluation
• tracing
• integrated test facility
• parallel simulation
Response: Key Points
The test data method is used to establish application integrity by processing specially prepared sets of input data through production applications that are under review. The results of the test are compared with the expected results. The base case system evaluation extends the test data method; its test data set contains all possible transaction types. Tracing is an electronic walkthrough of the application’s internal logic and analysis of the execution of each program command line for a specific transaction. An integrated test facility is an automated technique that enables the auditor to test an application’s logic and controls during its normal operations by creating dummy transactions and files. This method promotes ongoing application auditing. Parallel simulation involves creating a simulation of the transaction processing system and then using actual transactions to determine if the results of processing reconcile with those of the organization’s transaction processing system.
Chapter 8 Data Structures and CAATTs for Data Extraction
Review Questions
1. What are the two fundamental components of data structures?
Response: Organization and access method.
2. What are the criteria that influence the selection of the data structure?
Response: The selection criteria derive from the relative importance of one or more of the file processing operations below in a particular application and the efficiency with which a particular file structure performs the operations.
a. rapid file access and data retrieval
b. efficient use of disk storage space
c. high throughput for transaction processing
d. protection from data loss
e. ease of recovery from system failure
f. accommodation of file growth
3. What are the advantages and disadvantages of using a sequential data structure? Give an example of each.
Response: An advantage is that sequential data structures are simple and easy to process. Each record is processed in sequence. When a large portion of the file is to be processed in one operation, such as payroll, this method is efficient for record updating. A disadvantage is that a file that has only a small portion updated, e.g., purchases by 20 of 1,000 customers, will not be efficiently updated because all records will have to be read and rewritten.
4. What are the advantages and disadvantages of using an indexed random file structure? An indexed sequential file structure?
Response: Random indexes are easier to maintain, in terms of adding records, because new key records are simply added to the end of the index without regard to their sequence. The principal advantage of indexed random files is in operations involving the processing of individual records. Another advantage is their efficient use of disk storage. Records may be placed wherever there is space without concern for maintaining contiguous storage locations. However, random files are not efficient structures for operations that involve processing a large portion of a file.
A great deal of access time may be required to access an entire file of records that are randomly dispersed throughout the storage device. Sequential files are more efficient for processing a large portion of a file. One advantage of a sequential index is that it can be searched rapidly. Because of its logical arrangement, algorithms can be used to speed the search through the index to find a key value. This advantage becomes particularly important for large data files with correspondingly large indexes. However, indexes in sequential order are more difficult to maintain because new record keys must be inserted between existing keys. An advantage of using an indexed random file structure is that records are easily added and deleted. The addition or deletion of one record does not require that any other records be read or rewritten, as in sequential file structures. Also, the indexes are easier to maintain in terms of adding records because new records are simply added to the end of the index without regard to their key value sequence. A further advantage of indexed random files is their efficient use of disk storage. Records may be placed wherever space is available without concern for maintaining contiguous storage locations. The disadvantage is that random files are not efficient structures for data processing operations involving a large portion of the file. The time required to access an entire file of records that are randomly dispersed may be great. An advantage of indexed sequential files is that they can accommodate both batch processing, which involves updating a large portion of the file, and a moderate degree of individual record processing. A major disadvantage of this structure is that it does not perform record insertion operations efficiently.
5. What are the three physical components of an ISAM VSAM file? Explain how a record is searched through these components.
Response: The three components are the indexes, the prime data storage area, and the overflow area. The access method first goes to the overall file index, which determines the approximate location of the record, i.e., the cylinder or disk track. From this approximate location in the prime data storage area, the records are searched sequentially for the one wanted. If the record is in an overflow area, a pointer at the location where the record should reside indicates where it actually resides. Thus, accessing a record may involve searching the indexes, searching the track in the prime data area, and finally searching the overflow area. This slows data access time for both direct access and batch processing.
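Review Question 5 above describes the three physical components of an indexed sequential file and the order in which they are searched. The Python example below is added to make that search concrete: an index of the highest key on each prime-area track, fixed-capacity tracks of records in key order, and an overflow area whose records are reached through a pointer chain from the track. It is example code, not from the textbook; the track capacity, the record layout and the customer records are constructed, and the lookup reports which areas it had to visit.

```python
# Added illustration of an ISAM-style file (example code, not from the textbook).
TRACK_CAPACITY = 3  # records per prime-area track; small so the overflow area is easy to show

# Constructed customer records; the key is the customer number.
SAMPLE_RECORDS = [
    {"key": 100, "name": "Alpha"}, {"key": 110, "name": "Bravo"}, {"key": 120, "name": "Charlie"},
    {"key": 200, "name": "Delta"}, {"key": 210, "name": "Echo"}, {"key": 220, "name": "Foxtrot"},
    {"key": 300, "name": "Golf"},
]


class IsamFile:
    """Index -> prime data area -> overflow area, searched in that order."""

    def __init__(self, records):
        recs = sorted(records, key=lambda r: r["key"])
        # Prime data area: fixed-capacity tracks holding records in key order.
        self.prime = [recs[i:i + TRACK_CAPACITY] for i in range(0, len(recs), TRACK_CAPACITY)]
        # Index: the highest key on each track, enough to choose the track to scan.
        self.index = [track[-1]["key"] for track in self.prime]
        # Overflow area: records that did not fit on their track. Each entry carries a
        # pointer (here a list position, standing in for a physical address) to the next
        # overflow record belonging to the same track.
        self.overflow = []
        self.overflow_head = [None] * len(self.prime)  # per-track pointer to the chain head

    def _track_for(self, key):
        for i, high_key in enumerate(self.index):
            if key <= high_key:
                return i
        return len(self.index) - 1  # keys above the last index entry belong to the last track

    def insert(self, record):
        """Place the record in the prime area if its track has room, else in overflow.
        Returns the area used."""
        t = self._track_for(record["key"])
        track = self.prime[t]
        if len(track) < TRACK_CAPACITY:
            track.append(record)
            track.sort(key=lambda r: r["key"])
            self.index[t] = track[-1]["key"]
            return "prime"
        # Track full: the record goes to the overflow area and is linked at the head of
        # the track's chain, which is why insertions make later searches slower.
        self.overflow.append({"record": record, "next": self.overflow_head[t]})
        self.overflow_head[t] = len(self.overflow) - 1
        return "overflow"

    def lookup(self, key):
        """Return (record or None, list of areas visited in order)."""
        path = ["index"]
        t = self._track_for(key)
        path.append("prime")
        for rec in self.prime[t]:          # sequential scan of the selected track
            if rec["key"] == key:
                return rec, path
        ptr = self.overflow_head[t]        # then follow the overflow pointer chain
        if ptr is not None:
            path.append("overflow")
        while ptr is not None:
            entry = self.overflow[ptr]
            if entry["record"]["key"] == key:
                return entry["record"], path
            ptr = entry["next"]
        return None, path


def build_sample_file():
    """Load the sample records, then insert two more to show where each one lands."""
    f = IsamFile(SAMPLE_RECORDS)
    placements = {
        205: f.insert({"key": 205, "name": "Hotel"}),   # track 200-220 is full -> overflow
        305: f.insert({"key": 305, "name": "India"}),   # last track has room -> prime area
    }
    return f, placements


if __name__ == "__main__":
    isam, where = build_sample_file()
    print(where)
    for k in (210, 205, 999):
        print(k, isam.lookup(k))
```

The `path` returned by `lookup` is the point of the question: a record that sits on its track costs an index lookup plus one track scan, while a record pushed into overflow costs an extra chain walk, and a key that is absent must exhaust the chain before the search can fail.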
6. What is a pointer? Discuss the three commonly used types of pointers and their relative merits.
Response: A pointer is used in those instances where records are spread over the entire disk and tied together with a linked-list file. A field that gives the address of the next related data record is created. One type of pointer is a physical address pointer, which contains the actual disk storage location. This method has the advantage of speed because the address allows the system to access the record directly without obtaining further information. Two disadvantages are that the record pointers must be changed every time a record is relocated and the physical pointers bear no logical relationship with the records they link. Thus, if a pointer is lost or destroyed and cannot be recovered, the record to which it is linked is also lost. A second type of pointer is a relative address pointer, which contains the relative position of a record in the file. Once the relative position is known, the actual physical address must be calculated. This calculation slows down the data retrieval. A third type of pointer is the logical key pointer, which contains a key value that is used to compute the actual record location using a hashing algorithm. The hashing algorithm slows down the retrieval process, but as long as the key value is known, the record can always be found.
7. What are some limitations of the hierarchical database model?
Response: The hierarchical database model forces users to navigate between data elements using predefined structured paths. Hierarchical database models also limit the degree of process integration and data sharing that can be achieved.
8. Discuss and give an example of one-to-one, one-to-many, and many-to-many record associations.
Response: A one-to-one association means that for every occurrence in record type X, either zero or one occurrence exists of record type Y.
An example would be that, for every student, only one social security number exists. A one-to-many association means that for every occurrence in record type X, zero, one, or many occurrences exist of record type Y. An example would be buyers of assigned seating at concerts. Each potential buyer would leave the sales box office with zero, one, or many seats. A many-to-many association is a two-way relationship. For each occurrence of record types X and Y, zero, one, or many occurrences exist of record type Y and X, respectively. An example would be a student-professor relationship. Each student has
Commented [J4]: This is intentional. I make a distinction between the file systems and database systems discussed in chapter 4 and the file structures and database structures used by those systems, which is discussed in chapter 8. A certain amount of redundant coverage is necessary in dealing with these two related, but separate (from an audit perspective) topics. Commented [aab5]: Is this actually mentioned in the chapter? Only mention of hierarchical database is on page 226-7 and limitations are not discussed. DIFFERENCES are discussed but not limitations. Chapter 4 material?
multiple professors each semester, and each professor has multiple students each semester. 9. Why is a hierarchical database model considered to be a navigational database? What are some limitations of the hierarchical database model? Response: The hierarchical database model is considered to be a navigational database because traversing through it requires predefined linkages between related records that start at the root. A limitation of this model is that a parent record may own one or more child record, but no child record may have more than one parent. If a child needs to be linked to one or more parents, duplication of files with different predefined linkages may be required. 10. Explain how a separate linking file works in a network model. Response: A network model allows parents to have multiple children and vice versa. A separate linking file works by creating a file that contains pointer records in linked-list structure. This file contains the addresses of multiple predefined links. 11. What is an embedded audit module? Response: EAM techniques use one or more specially programmed modules embedded in a host application to select and record predetermined types of transactions for subsequent analysis. This method allows material transactions to be captured throughout the audit period. The auditor’s substantive testing task is thus made easier because they do not have to identify significant transactions for substantive testing. 12. Explain what GAS is and why it is so popular with larger public accounting firms. Discuss the independence issue relating to GAS. Response: GAS allows auditors to access electronically coded data files of their clients, both simple and complex structures, and to perform various operations on their contents. GAS is popular for the following reasons: a. The languages are easy to use and require little EDP background on the part of the user. b. It may be used on any form of computer because it is hardware-independent. c. 
Auditors can perform their tests on data independent of a computer services professional. d. It can be used to audit the data files of many different applications. 13. Discuss and give an example of the following types of associations: (1:0,1), (1:1), (1:M), and (M:M). Response: • (1:0,1) Every occurrence (record) is for one entity (Employee), there is a possibility of zero or one occurrence in the related entity (Company Car). •
(1:1) Describes a situation in which each record in one entity is always associated with one (and only one) record in the associated entity. For example, a company laptop computer is assigned to only one manager, and every manager is assigned only one laptop.
•
(1:M) An example of this situation is that each item of Inventory (entity) is supplied by one and only one Vendor (related entity), but each Vendor supplies one or many different Inventory items to the company.
•
(M:M) A company with a policy of purchasing the same types of inventory from multiple suppliers would have a M:M association between the Vendor and Inventory entities.
14. Distinguish between association and cardinality. Response: The term association pertains to the nature of the relationship between two entities. This is represented by a verb such as shipped, requests, or receives. Cardinality is the
Commented [aab6]: This is in chapter 4 on page 141…? Not chapter 8. It is review question 19 in chapter 4.
Commented [aab7]: This is a question relevant to Chapter 4, not chapter 8? It is, in fact, review question 20 in chapter 4.
Commented [aab8]: I’m not sure this is related to the network model in this chapter? Looks like Chapter 4 material. Commented [J9]: See previous comment
degree of association between two entities. Simply stated, cardinality describes the number of possible occurrences in one table that are associated with a single occurrence in a related table. 15. Explain how a separate linking table works in a many-to-many association. Response: In a many-to-many association, a link table with a combined (composite) key consisting of the primary keys of the two related tables is created in order to link the related tables. 16. What are the four characteristics of properly designed relational database tables? Response: 1. The value of at least one attribute in each occurrence (row) must be unique. This attribute is the primary key. The values of the other (nonkey) attributes in the row need not be unique. 2. All attribute values in any column must be of the same class. 3. Each column in a given table must be uniquely named. However, different tables may contain columns with the same name. 4. Tables must conform to the rules of normalization. This means they must be free from structural dependencies including repeating groups, partial dependencies, and transitive dependencies (see this chapter’s appendix for a complete discussion). a. All occurrences at the intersection of a row and column are a single value. No multiple values (repeating groups), partial dependencies, or transitive dependencies are allowed. b. The attribute values in any column must all be of the same class. c. Each column in a given table must be uniquely named. d. Each row in the table must be unique in at least one attribute that is considered to be the primary key. 17. What do the relational features restrict, project, and join mean? Response: a. Restrict—Extracts specified rows from a specified table.rows that satisfy the given condition from a specified table and places these rows into a new table. b. 
Project—Extracts specified attributes (columns) from a table to create a virtual table.columns from a specified table and places these attributes (columns) into a new table. c. Join—Builds a new physical table from two tables consisting of all concatenated pairs of rows, one from each table. 18. What are the conditions for third normal form (3NF)? Response: A table normalized to 3NF meets the following conditions: 1. All nonkey attributes in the table are dependent on the primary key. 2. All nonkey attributes are independent of the other nonkey attributes. In other words, the primary key of a table wholly and uniquely defines each attribute in the table, and none of the table attributes are defined by an attribute other than the primary key.
19. Explain how the SELECT and WHERE commands help a user to view the necessary data from multiple database files (tables). Response: The SELECT command identifies the attributes (fields) to be contained in the view; the user thus restricts the columns of data to be viewed. The WHERE command specifies how rows in the tables are to be matched to create the view and restricts the rows (records) to be viewed to those whose values fall within a certain range for one or more fields.

20. What is a data model? Response: A data model is the blueprint for creating the physical database. Database designers identify system entities and prepare a model of them using a graphical representation technique called an entity relationship (ER) diagram.

21. How can a poorly designed database result in unintentional loss of critical records? Response: The deletion anomaly may cause records to be deleted unintentionally, and the loss may go unnoticed for some time. A deletion anomaly occurs when an item in one file is legitimately deleted but, because that item is the only link to data about another entity (for example, the only inventory item supplied by a vendor), the data about the second entity is lost with it. If the second record should not have been deleted, a deletion anomaly has occurred.

22. What is a user view? Response: A user view is the set of data that a particular user sees. Examples of user views are computer screens for entering or viewing data, management reports, or source documents such as an invoice.

23. Does a user view always require multiple tables to support it? Explain. Response: User views derive from underlying database tables. Simple views may be constructed from a single table, while more complex views may require several tables. Furthermore, a single table may contribute data to many different views.

24. What two conditions must valid entities meet? Response: Valid entities meet the two conditions below: Condition 1: An entity must have two or more occurrences. Condition 2: An entity must contribute at least one attribute that is not provided through other entities.

25. Can two different entities have the same defining attributes? Explain. Response: Because attributes are the logical and relevant characteristics of an entity, they are unique to it. Therefore, the same attributes should not be used to define two different entities.

Discussion Questions:

1. Explain how a hashing structure works and why it is quicker than using an index. Give an example. If it is so much faster, why isn't it used exclusively? Response: A hashing structure typically works by dividing a prime number by the key value. The result is a unique number almost all of the time if enough decimal places are used, and its digits are used as the record's storage location. Calculating a record's address is faster than searching for it through an index. Hashing is not used exclusively because it does not use disk storage efficiently: some disk locations will never be selected because they do not correspond to legitimate key values. Also, different record keys may sometimes translate to the same address, so a data collision can occur. Pointers are a way around collisions, but following the additional pointers slows the system down.

2. Explain how an embedded audit module works and why auditors may choose not to use it. Response: EAM techniques use one or more specially programmed modules embedded in a host application to select and record predetermined types of transactions for subsequent analysis. This method allows material transactions to be captured throughout the audit period. It may not be used because it is not operationally efficient, and it may be difficult to use in systems that undergo a good deal of maintenance.

3. Explain the term navigational data models. Contrast the hierarchical model and the network model. Response: Navigational data models possess explicit links or paths between data elements. The only way to access data at a lower level is via pointers down the navigational path to the desired records. In the hierarchical model no member (child) record can have more than one owner (parent) record. This severely restricts the usefulness of the model because firms often need to view data relations with multiple owner (parent) records. In contrast, the network model permits a member (child) record to have multiple owners (parents). The simple network model permits only one-to-many relations, and the complex network model permits many-to-many relations.
4. Explain the three types of anomalies associated with database tables that have not been normalized. Response: a. The update anomaly is the result of data redundancy. If a data element is stored in more than one place, it must be updated in all places. If this does not happen, the data are inconsistent. b. The insertion anomaly occurs when too much data are stored together, for example when vendor information is stored only with specific inventory items. Until items are purchased from a given vendor, the vendor cannot be added to the database. c. The deletion anomaly is the opposite of the insertion anomaly: if a vendor supplies only one item and the firm discontinues that item, all information on the vendor is lost.

5. Contrast embedded audit modules with generalized audit software. Response: Embedded audit modules are designed to extract data from specific applications in real time as the applications are processing the transactions. EAMs are programmed into the application when it is designed and are very structured in terms of what data the auditor can call for. Generalized audit software (GAS) packages are designed to access data from files after processing is completed. They can extract data from the files of any system and require no additional programming. They are extremely flexible in their ability to access, manipulate, and report data to the auditor.

6. Describe a specific accounting application that could make use of a VSAM file. Response: VSAM structures are used for very large files that require minimal direct access to individual records while a portion of the file needs to be processed in batch mode on a regular basis. An example of a VSAM application is a public utility billing system. Most processing of the file is in batch mode: on each billing day (20 times a month) a large number of records (but only 5 percent of the file) must be processed. VSAM files are associated with legacy systems. While they are still in use and maintained, new systems can make better use of modern database technology.

7. Explain why auditors should be familiar with the principle of data normalization. Response: Database normalization is a technical matter that is usually the responsibility of systems professionals. However, the subject has implications for internal control that make it the concern of auditors also. For example, the update anomaly can generate conflicting and obsolete data values; the insertion anomaly can result in unrecorded transactions and incomplete audit trails; and the deletion anomaly can cause the loss of accounting records and the destruction of audit trails. Although most auditors will never be responsible for normalizing an organization's databases, they should understand the process and be able to determine whether a table is properly normalized.

8. How is a user view different from a database table? Response: User views are derived from database tables. Simple views may be constructed from a single table, while more complex views draw on several tables; conversely, a single table may contribute data to several different views.

9. Explain what the term third normal form (3NF) means. Response: When the data attributes of a table are defined entirely by the primary key and are independent of the other (non-key) attributes, the table is in third normal form (3NF). In third normal form the table is free from the following structural dependencies: repeating groups, partial dependencies, and transitive dependencies.

10. Why is a separate link table required when an M:M association exists between related tables? Response: Neither table can donate an embedded key to the other, because both are on the "many" side. The only solution, therefore, is to create a new link table containing the key fields of both tables.

11.
In a relational database environment, certain accounting records (for example, journals, subsidiary ledgers, and even general ledger accounts) may not exist. How is this possible? Response: Database accounting systems are transaction-based rather than account-based. The focus is on capturing important details of transactions that may be lost when they are forced into the structure of traditional accounting records. The transaction tables are then used to reconstruct traditional accounting records, such as Accounts Receivable and Accounts Payable, when they are needed.

12. Explain how to link tables in a 1:1 association. Why may this be different in a 1:0,1 association? Response: Where a true 1:1 association exists between tables, either (or both) primary keys may be embedded as foreign keys in the related table. On the other hand, when the lower cardinality value is zero (1:0,1), a more efficient table structure is achieved by placing the primary key of the 1-side (1:) table in the zero-or-one (:0,1) table as a foreign key. Assume that a company has 1,000 employees, but only 100 of them are sales staff, and that each salesperson is assigned a company car. Every occurrence in the Employee entity is therefore associated with either zero or one occurrence in the Company Car entity. If we placed the Company Car (:0,1) side's primary key in the Employee (1:) table as a foreign key, most of the foreign keys would have null (blank) values. While this approach would work, it could cause technical problems during table searches. Correctly applying the key-assignment rule solves this problem, because every Company Car record has an employee assigned, and no null values occur.
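Added example (not part of the textbook or this solutions manual): a Python script using the standard sqlite3 module that reproduces the deletion and insertion anomalies described in Review Question 21 and Discussion Questions 4 and 7 above, and shows the 3NF design with a Vendor table, an Inventory table and a Vendor-Inventory link table with a composite key (Review Question 15 and Discussion Question 10). Table names, column names and the sample rows are constructed for the illustration.

```python
import sqlite3

# Constructed sample data (not from the textbook): each row is one line of a
# purchasing user view, with the vendor's details repeated on every item.
VIEW_ROWS = [
    ("I100", "Bolt, 10 mm", 400, "V1", "Acme Fasteners", "12 Mill Rd"),
    ("I200", "Hex nut",     900, "V1", "Acme Fasteners", "12 Mill Rd"),
    ("I300", "Gasket",       50, "V2", "Seal-Rite",      "8 Dock St"),
]


def _unnormalized_db():
    """One wide table: vendor_name and vendor_address depend on vendor_no,
    not on the primary key item_no (a transitive dependency), so the table
    is not in 3NF."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE item_vendor ("
        " item_no TEXT NOT NULL PRIMARY KEY, description TEXT, qty_on_hand INTEGER,"
        " vendor_no TEXT NOT NULL, vendor_name TEXT, vendor_address TEXT)"
    )
    con.executemany("INSERT INTO item_vendor VALUES (?,?,?,?,?,?)", VIEW_ROWS)
    return con


def _normalized_db():
    """3NF decomposition: Vendor, Inventory, and a Vendor_Inventory link table
    whose composite primary key (vendor_no, item_no) carries the M:M
    association.  Foreign keys are enforced."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")
    con.executescript(
        "CREATE TABLE vendor (vendor_no TEXT NOT NULL PRIMARY KEY,"
        " vendor_name TEXT, vendor_address TEXT);"
        "CREATE TABLE inventory (item_no TEXT NOT NULL PRIMARY KEY,"
        " description TEXT, qty_on_hand INTEGER);"
        "CREATE TABLE vendor_inventory ("
        " vendor_no TEXT NOT NULL REFERENCES vendor(vendor_no),"
        " item_no TEXT NOT NULL REFERENCES inventory(item_no),"
        " PRIMARY KEY (vendor_no, item_no));"
    )
    for item_no, desc, qty, vendor_no, vname, vaddr in VIEW_ROWS:
        con.execute("INSERT OR IGNORE INTO vendor VALUES (?,?,?)", (vendor_no, vname, vaddr))
        con.execute("INSERT INTO inventory VALUES (?,?,?)", (item_no, desc, qty))
        con.execute("INSERT INTO vendor_inventory VALUES (?,?)", (vendor_no, item_no))
    return con


def vendors_after_discontinuing(item_no, normalized):
    """Discontinue one inventory item and return the vendor numbers that
    survive.  The deletion anomaly shows up as a vendor that disappears."""
    con = _normalized_db() if normalized else _unnormalized_db()
    if normalized:
        con.execute("DELETE FROM vendor_inventory WHERE item_no = ?", (item_no,))
        con.execute("DELETE FROM inventory WHERE item_no = ?", (item_no,))
        rows = con.execute("SELECT vendor_no FROM vendor ORDER BY vendor_no")
    else:
        con.execute("DELETE FROM item_vendor WHERE item_no = ?", (item_no,))
        rows = con.execute("SELECT DISTINCT vendor_no FROM item_vendor ORDER BY vendor_no")
    result = [r[0] for r in rows]
    con.close()
    return result


def can_record_new_vendor(normalized):
    """Insertion anomaly: can an approved vendor be recorded before any item
    has been purchased from it?"""
    con = _normalized_db() if normalized else _unnormalized_db()
    try:
        if normalized:
            con.execute("INSERT INTO vendor VALUES ('V3', 'New Supplier', '1 High St')")
        else:
            # There is no item yet, so item_no would be NULL, which the
            # primary key of the wide table does not allow.
            con.execute(
                "INSERT INTO item_vendor (vendor_no, vendor_name, vendor_address)"
                " VALUES ('V3', 'New Supplier', '1 High St')"
            )
        return True
    except sqlite3.IntegrityError:
        return False
    finally:
        con.close()


def referential_integrity_blocks_delete(item_no):
    """In the 3NF design the foreign key stops an item from being deleted
    while a vendor still supplies it: the link row has to be removed first."""
    con = _normalized_db()
    try:
        con.execute("DELETE FROM inventory WHERE item_no = ?", (item_no,))
        return False
    except sqlite3.IntegrityError:
        return True
    finally:
        con.close()


if __name__ == "__main__":
    print("unnormalized, drop I300:", vendors_after_discontinuing("I300", False))  # V2 is lost
    print("normalized,   drop I300:", vendors_after_discontinuing("I300", True))
    print("new vendor without items (wide table, 3NF):",
          can_record_new_vendor(False), can_record_new_vendor(True))
    print("FK blocks premature delete:", referential_integrity_blocks_delete("I300"))
```

Discontinuing item I300 in the wide table silently removes every trace of vendor V2, which is exactly the audit-trail loss Discussion Question 7 warns about; the 3NF schema keeps the vendor, lets a vendor be recorded before its first purchase, and refuses the delete until the link row is gone.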
13. Discuss the accounting implications of the update, insertion, and deletion anomalies associated with improperly normalized tables. Response: The insertion and update anomalies create record-keeping and operational problems for the firm. However, a flawed database design that prevents the insertion of records, or requires the user to perform excessive updates, attracts attention quickly. The deletion anomaly is less conspicuous, but potentially more serious from an accounting perspective. Because it may go undetected, the user may be unaware of the loss of important data until it is too late. This anomaly can result in the unintentional loss of critical accounting records and the destruction of the audit trail.

14. Give three examples that illustrate how cardinality reflects an organization's underlying business rules. Response: The organization's business rules directly affect the structure of the database tables. If the database is to function properly, its designers need to understand the organization's business rules as well as the specific needs of individual users. For example: 1. When an organization purchases the same items of inventory from different suppliers, the cardinality between the Supplier and Inventory tables is M:M. 2. When the company purchases all items of a certain type from only one supplier, the cardinality between the Supplier and Inventory tables is 1:M. 3. A policy that a separate receiving report is prepared for the goods specified on a single purchase order results in a 1:1 cardinality between the receiving report and purchase order tables. If, however, multiple purchase orders are combined on a single receiving report, the cardinality between these tables is 1:M.

15. Discuss the key factors to consider in determining how to partition a corporate database. Response: The partitioned approach works best for organizations that require minimal data sharing among users at remote sites. To the extent that remote users share common data, the problems associated with the centralized approach will apply. The primary user must now manage requests for data from other sites. Selecting the optimum host location for the partitions, to minimize data access problems, requires an in-depth analysis of end-user data needs.

16. Explain the following three types of pointers: physical address pointer, relative address pointer, and logical key pointer. Response: A physical address pointer contains the actual disk storage location (cylinder, surface, and record number) needed by the disk controller. This physical address allows the system to access the record directly without obtaining further information. This method has the advantage of speed, because the pointer does not need to be manipulated further to determine a record's location. However, it has two disadvantages. First, if the related record is moved from one disk location to another, the pointer must be changed; this is a problem when disks are periodically reorganized or copied. Second, physical pointers bear no logical relationship to the records they identify, so if a pointer is lost or destroyed and cannot be recovered, the record it references is also lost. A relative address pointer contains the relative position of a record in the file; for example, the pointer could specify the 120th record. This must be converted to the actual physical address. The conversion software calculates it from the physical address of the beginning of the file, the length of each record, and the relative address of the record being sought (address = start of file + (relative position - 1) x record length). A logical key pointer contains the primary key of the related record. This key value is then converted into the record's physical address by a hashing algorithm.

17. Explain why GAS technology is popular with most auditors. Response: The widespread popularity of GAS is due to four factors: (a) GAS languages are easy to use and require little computer background on the part of the auditor; (b) many GAS products can be used on both mainframe and PC systems; (c) auditors can perform their tests independently of the client's computer services staff; and (d) GAS can be used to audit the data stored in most file structures and formats.

18. Explain the risk associated with using GAS to access complex file structures. Response: The auditor must sometimes rely on computer services personnel to produce a flat file from the complex file structures. There is a risk that data integrity will be compromised by the procedures used to create the flat file. For example, if the auditor's objective is to confirm accounts receivable, certain fraudulent accounts in the complex structure may be intentionally omitted from the flat-file copy that is created. The sample of confirmations drawn from the flat file may therefore be unreliable. Auditors skilled in programming languages may avoid this pitfall by writing their own data extraction routines.

19. Explain the purpose of the input file definition feature of ACL. Response: ACL's input file definition feature allows the system to access data stored in almost any format. To create a file definition, the auditor needs to know both where the file physically resides and its field structure layout.

20. Assume that an auditor is reviewing a file containing twenty-five fields of data, only five of which are relevant to the auditor's objective. Explain how ACL can help in this situation. Response: Auditors seldom need to use all the data contained in a file. ACL allows the auditor to customize the original view created during file definition to one that better meets his or her audit objectives. New views can be created and reformatted without changing or deleting the data in the underlying file; only the presentation of the data is affected. The auditor can simply select the five data fields he or she needs for the audit and exclude the rest from the view.

21. Explain the purpose of ACL's filter capability. Response: Filters are expressions that search for records that meet the filter criteria. ACL's expression builder allows the auditor to use logical operators such as AND, OR, <, >, NOT and others to define and test conditions of any complexity and to process only those records that match specific conditions. For example, the auditor can search an accounts receivable file for customers with negative balances or whose credit limits are excessive.

22. Distinguish between record sampling and monetary unit sampling (MUS). Response: ACL offers many sampling methods for statistical analysis. Two of the most frequently used are record sampling and monetary unit sampling (MUS). Each method allows random and interval sampling. The choice of method depends on the auditor's strategy and the composition of the file being audited. When records in a file are fairly evenly distributed across strata, the auditor may want an unbiased sample and will choose the record sample approach. Using inventory to illustrate, each record, regardless of the dollar amount of the inventory value field, has an equal chance of being included in the sample. On the other hand, if the file is heavily skewed with large-value items, the auditor may select MUS, which produces a sample that includes all the larger dollar amounts.

Multiple Choice
1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13.
A DC B CB CE CD AC CB AD A DA BD DB
14. 15. 16. 17. 18. 19. 20. 21. 22. 23. 24. 25. 26.
CB C A DC BA AB CA B DB CA DC C DB C
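Added example (not from the textbook or from ACL): the two sampling methods contrasted in Discussion Question 22 above, implemented in Python on a constructed inventory file. record_sample gives every record the same chance of selection; monetary_unit_sample uses interval selection over the file's dollar value, so an item worth more than one sampling interval is always selected. Item numbers and values are made up.

```python
import random

# Constructed inventory file (not from the textbook): (item number, extended
# dollar value).  One item carries most of the file's value.
INVENTORY = [
    ("I001", 120_000.00), ("I002", 1_500.00), ("I003", 800.00), ("I004", 2_200.00),
    ("I005", 950.00), ("I006", 300.00), ("I007", 1_250.00), ("I008", 600.00),
    ("I009", 700.00), ("I010", 700.00),
]


def record_sample(records, n, seed):
    """Record sampling: each record has the same chance of selection,
    whatever its dollar value (random selection without replacement)."""
    rnd = random.Random(seed)
    return sorted(rnd.sample([key for key, _ in records], n))


def sampling_interval(records, n):
    """MUS interval: total dollars in the population divided by sample size."""
    return sum(value for _, value in records) / n


def monetary_unit_sample(records, n, seed):
    """Monetary unit sampling with interval (systematic) selection: every
    dollar is a sampling unit.  Pick a random start in [0, interval), then
    every interval-th dollar; a record is selected if any selection point
    falls inside its cumulative dollar range.  A record worth more than one
    interval can therefore never be missed, which is what makes MUS suitable
    for files skewed toward a few large items."""
    if any(value < 0 for _, value in records):
        # Negative balances (credits) cannot be sampled by dollar value;
        # they are normally set aside and tested separately.
        raise ValueError("MUS requires non-negative values")
    interval = sampling_interval(records, n)
    rnd = random.Random(seed)
    start = rnd.uniform(0, interval)
    points = [start + k * interval for k in range(n)]
    selected, upper = [], 0.0
    for key, value in records:
        lower, upper = upper, upper + value
        if any(lower <= p < upper for p in points):
            selected.append(key)
    return selected


def selection_probabilities(records, key, n):
    """(probability under record sampling, probability under MUS) for one
    record: n/N versus value/interval, capped at 1."""
    value = dict(records)[key]
    return n / len(records), min(1.0, value / sampling_interval(records, n))


if __name__ == "__main__":
    print("interval:", sampling_interval(INVENTORY, 4))
    print("record sample:", record_sample(INVENTORY, 4, seed=1))
    print("MUS sample:   ", monetary_unit_sample(INVENTORY, 4, seed=1))
    print("I001 odds (record, MUS):", selection_probabilities(INVENTORY, "I001", 4))
```

With a sample of four, the $120,000 item has a 40 percent chance of appearing in a record sample and a 100 percent chance under MUS; a record sample of this file can miss the item that dominates the balance, which is the skew problem the answer to Discussion Question 22 describes.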
Problems 1. Access Methods For each of the following file processing operations, indicate whether a sequential file, indexed random file, indexed sequential access method (ISAM), hashing, or pointer structure works the best. You may choose as many as you wish for each step. Also indicate which would perform the least optimally. a. Retrieve a record from the file based on its primary key value. b. Update a record in the file. c. Read a complete file of records. d. Find the next record in a file. e. Insert a record into a file. f. Delete a record from a file. g. Scan a file for records with secondary keys. Response: a. indexed sequential access method or indexed random; least optimal: sequential b. indexed random or hashing; least optimal: sequential c. sequential; least optimal: indexed random d. sequential or pointer; least optimal: indexed random e. indexed random or hashing; least optimal: sequential f. indexed random or hashing; least optimal: sequential g. indexed random; least optimal: hashing 2. File Organization For the following situations, indicate the most appropriate type of file organization. Explain your choice. a. A local utility company has 80,000 residential customers and 10,000 commercial customers. The monthly billings are staggered throughout the month and, as a result, the cash receipts are fairly uniform throughout the month. For 99 percent of all accounts, one check per month is received. These receipts are recorded in a batch file, and the customer account records are updated biweekly. In a typical month, customer inquiries are received at the rate of about twenty per day. b. A national credit card agency has 12 million customer accounts. On average, 30 million purchases and 700,000 receipts of payments are processed per day. Additionally, the customer
support hot line provides information to approximately 150,000 credit card holders and 30,000 merchants per day. c. An airline reservation system assumes that the traveler knows the departing city. From that point, fares and flight times are examined based upon the destination. Once a flight is identified as being acceptable to the traveler, then the availability is checked, and if necessary, a seat is reserved. The volume of transactions exceeds one-half million per day. d. A library system stocks more than 2 million books and has 30,000 patrons. Each patron is allowed to check out five books. On average, there are 1.3 copies of each title in the library. Over 3,000 books are checked out each day, with approximately the same amount being returned daily. The check-outs are posted immediately, as well as any returns of overdue books by patrons who wish to pay their fines. Response: a. A sequential file could be used, but with only 8 updates per month, roughly one-eighth of the file will be updated each run. That means for each run the other seven-eighths of the file must be read and rewritten. Random access will aid the customer inquiry response time. A hierarchical database would be appropriate because this is a one-to-one relationship: each address has one resident in charge of utilities. b. Random access for customer balances and payment information is crucial. A network or relational database is necessary because this is a many-to-many relationship: many purchases per customer, many merchants per customer, many customers per merchant. c. Random access will be necessary for flight inquiries and updates throughout the day. A navigational database would be appropriate. Only one direction needs to be investigated. Most customers start with a departure city and then flights to the destination city can be investigated. Many different destinations will exist for a given departure city. Rarely will a customer wish to book a flight based on a destination if he does not know from which city he will depart. d. A random access storage device is necessary to access the patrons' records quickly when they check out books. A network or relational database will be necessary because the data should be bidirectional. An investigation may need to be conducted to determine what books a patron has checked out or who has a certain book checked out that has been recalled.

3. Structured Query Language
The vice president of finance has noticed in the aging of the accounts receivable that the amount of overdue accounts is substantially higher than anticipated. He wants to investigate this problem. To do so, he requires a report of overdue accounts containing the attributes shown in the top half of the table (presented in the chapter problem and on the next page). The bottom half of the table contains the data fields and relevant files in the relational database system. Further, he wants to alert the salespeople of any customers not paying their bills on time. Using the SQL commands given in this chapter, write the code necessary to generate a report of overdue accounts that are greater than $5,000 and more than 30 days overdue. Each customer has an assigned salesperson. Response:

CREATE VIEW collect AS
SELECT salesperson_name, branch, customer.customer_number, customer_name, overdue_balance, order_date, delivery_date, amount, amount_of_last_payment, date_of_last_payment
FROM salesperson, customer, sales_order
WHERE customer.salesperson_number = salesperson.salesperson_number
AND sales_order.sales_order_number = customer.last_sales_order_number
AND overdue_balance > 5000
AND date_of_last_payment < 'mm/dd/yyyy'

The cutoff date 'mm/dd/yyyy' is the report date less 30 days. The two join conditions (customer to salesperson, and customer to its last sales order) are required: without them the three tables in the FROM clause combine as a Cartesian product, and every qualifying customer is repeated once for every salesperson and every sales order in the database.
REPORT ATTRIBUTES: Salesperson Name, Salesperson Branch Office, Customer Number, Customer Name, Amount Overdue, Last Purchase Date, Goods Delivered?, Amount of Last Sales Order, Amount of Last Payment, Date of Last Payment

FILES AVAILABLE:
Salesperson Table: Salesperson Name, Salesperson Number, Commission Rate, Rank, Branch, Date of Hire
Customer Table: Customer Number, Customer Name, Customer Address 1, Customer Address 2, Salesperson Number, Last Sales Order Number, Year to Date Purchases, Account Balance, Overdue Balance, Amount of Last Payment, Date of Last Payment
Sales Order Table: Sales Order Number, Customer Number, Order Date, Amount, Delivery Date
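The report query above, run end to end against the three files of the problem in SQLite. This is an added example, not the manual's own code: the table and column names follow the problem's file layout, the rows are constructed sample data, and the 30-day cutoff is passed as a parameter to a SELECT (SQLite views cannot take parameters) rather than written into a CREATE VIEW.

```python
"""Overdue-accounts report for problem 3, run in SQLite with constructed sample rows."""
import sqlite3
from datetime import date, timedelta

SCHEMA = """
CREATE TABLE salesperson (
    salesperson_number INTEGER PRIMARY KEY, salesperson_name TEXT, branch TEXT);
CREATE TABLE customer (
    customer_number INTEGER PRIMARY KEY, customer_name TEXT,
    salesperson_number INTEGER REFERENCES salesperson, last_sales_order_number INTEGER,
    overdue_balance REAL, amount_of_last_payment REAL, date_of_last_payment TEXT);
CREATE TABLE sales_order (
    sales_order_number INTEGER PRIMARY KEY, customer_number INTEGER REFERENCES customer,
    order_date TEXT, amount REAL, delivery_date TEXT);
"""

# Constructed rows; dates are ISO text so that string comparison orders them correctly.
SALESPERSON = [(101, "Ann Lee", "Boston"), (102, "Raj Patel", "Denver")]
CUSTOMER = [
    (1, "Acme Corp", 101, 5001, 8200.00, 1500.00, "2024-01-05"),  # over $5,000, > 30 days
    (2, "Bell Ltd",  101, 5002, 4200.00,  900.00, "2024-01-02"),  # under $5,000
    (3, "Cole Inc",  102, 5003, 9900.00,  200.00, "2024-02-20"),  # paid within 30 days
]
SALES_ORDER = [(5001, 1, "2023-12-01", 8200.00, "2023-12-05"),
               (5002, 2, "2023-12-10", 4200.00, "2023-12-14"),
               (5003, 3, "2024-01-20", 9900.00, None)]           # not yet delivered

REPORT_SQL = """
SELECT s.salesperson_name, s.branch, c.customer_number, c.customer_name, c.overdue_balance,
       o.order_date, o.delivery_date IS NOT NULL AS goods_delivered, o.amount,
       c.amount_of_last_payment, c.date_of_last_payment
FROM salesperson s
JOIN customer c    ON c.salesperson_number = s.salesperson_number      -- one salesperson per customer
JOIN sales_order o ON o.sales_order_number = c.last_sales_order_number -- the customer's last order
WHERE c.overdue_balance > :minimum
  AND c.date_of_last_payment < :cutoff
ORDER BY s.salesperson_name, c.customer_number
"""


def build_db():
    """Create the three tables in memory and load the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO salesperson VALUES (?,?,?)", SALESPERSON)
    con.executemany("INSERT INTO customer VALUES (?,?,?,?,?,?,?)", CUSTOMER)
    con.executemany("INSERT INTO sales_order VALUES (?,?,?,?,?)", SALES_ORDER)
    return con


def overdue_report(report_date_iso, days_overdue=30, minimum_balance=5000):
    """Return report rows for customers owing more than minimum_balance whose last
    payment is older than days_overdue relative to the report date."""
    cutoff = (date.fromisoformat(report_date_iso) - timedelta(days=days_overdue)).isoformat()
    con = build_db()
    try:
        return con.execute(REPORT_SQL, {"minimum": minimum_balance, "cutoff": cutoff}).fetchall()
    finally:
        con.close()


if __name__ == "__main__":
    for row in overdue_report("2024-03-01"):
        print(row)
```

With a report date of 2024-03-01 only Acme Corp appears: Bell Ltd is under the $5,000 threshold and Cole Inc paid within the last 30 days.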
4. Indexed Sequential Access Method
Using the index provided below, explain, step-by-step, how the Key 12987 would be found using the indexed sequential access method. Once a surface on a cylinder is located, what is the average number of records that must be searched?

CYLINDER INDEX
Key Range    Cylinder Number
2,000        44
4,000        45
6,000        46
8,000        47
10,000       48
12,000       49
14,000       50
16,000       51
18,000       52
20,000       53

SURFACE INDEX, CYLINDER 49
Key Range    Surface Number
12,250       0
12,500       1
12,750       2
13,000       3
13,250       4
13,500       5
14,750       6
15,000       7
Response: The access method goes first to the overall file (cylinder) index and determines that record 12987 is on cylinder 49. The surface index for cylinder 49 reveals that record 12987 is on surface 2. The last step is to search the actual data sequentially to find the record with key value 12987; 237 records will have to be searched. On average, 125 records will have to be searched when a record needs to be located.

5. Hashing Algorithm
The systems programmer uses a hashing algorithm to determine storage addresses. The hashing
structure is 9,997/key. The resulting number is then used to locate the record. The first two digits after the decimal point represent the cylinder number, while the second two digits represent the surface number. The fifth, sixth, and seventh digits after the decimal point represent the record number. This algorithm results in a unique address 99 percent of the time. What happens the remainder of the time when the results of the algorithm are not unique? Explain in detail the storage process when Key=3 is processed first, Key=2307 at a later date, and shortly thereafter Key=39.

Response:
9997/3 = 3332.33333333333
9997/2307 = 4.33333333333
9997/39 = 256.33333333333
These numbers are identical with respect to location. The record with Key=3 will be stored in cylinder 33, surface 33, record number 3333. The record with Key=2307 will be randomly stored elsewhere and a pointer will be attached from the record with Key=3 to the location of the record with Key=2307. The record with Key=39 will be stored at yet another random location and another pointer will be attached to the record with Key=3 giving the location of the record with Key=39.

6. Normalization of Data
A view for a library system is provided in the chapter. Normalize this view into third normal form tables. The library's computer system is programmed to compute the due date to be 14 days after the check-out date. Document the steps necessary to normalize the view similar to the procedures found in the chapter and chapter appendix. Add foreign keys and show how the databases are related.

Use the table for a library (provided in the chapter). Normalize this data into the third normal form, preparing it for use in a relational database environment. The library's computer is programmed to compute the due date to be 14 days after the check-out date. Document the steps necessary to normalize the data similar to the procedures found in the chapter. Index any fields necessary and show how the databases are related.
Response: The first step is to remove repeating groups. The removal of repeating groups results in the following two tables. Due Date has been removed since it is a calculated field.

Assumptions:
1. More than one copy of each book title may exist.
2. Book Call Number, not the book title, defines a specific copy of the book.

File A: Student Record
(PK) Student ID Number
Student First Name
Student Last Name
No. of Books Out

File B: Library Record
(PK) Student ID Number
(PK) Book Call No.
Book Title
Date Out
The second step is to remove partial dependencies. Book Title is partially dependent on Book Call No. Date Out is defined by the combined key of Student ID Number + Book Call No. Resolving this dependency produces the following tables.

File A: Student Record (remains the same)
(PK) Student ID Number
Student First Name
Student Last Name
No. of Books Out

Library Record is reduced to two new record types: Checkout Record and Title Record.

File B: Checkout Record
(PK) Student ID Number
(PK) Book Call No.
Date Out

File C: Title Record
(PK) Book Call No.
Book Title
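Returning to the hashing algorithm of problem 5, here is the collision handling the response describes, worked in code. This is an added example, not the manual's: the 9,997/key rule and the digit layout come from the problem (decoded exactly as stated, two cylinder digits, two surface digits, three record digits), while the overflow area and the pointer chain from the home record are assumptions about how "randomly stored elsewhere" is implemented.

```python
"""Hashed addressing with overflow chaining for problem 5."""
from decimal import Decimal, getcontext

DIVIDEND = 9997
getcontext().prec = 30  # enough fractional digits to read seven positions after the point


def hash_address(key):
    """Divide 9,997 by the key and decode the fraction: digits 1-2 cylinder, 3-4 surface,
    5-7 record number. Keys 3, 2307 and 39 all give a fraction of .3333..., so all three
    decode to the same home address (33, 33, 333)."""
    quotient = str(Decimal(DIVIDEND) / Decimal(key))
    fraction = quotient.split(".")[1] if "." in quotient else ""
    fraction = (fraction + "0" * 7)[:7]  # keys that divide evenly have no fractional digits
    return int(fraction[0:2]), int(fraction[2:4]), int(fraction[4:7])


class HashedFile:
    """Home slots are addressed by hash; colliding records go to an overflow area and are
    linked from the home record (assumed chain-of-pointers design)."""

    def __init__(self):
        self.slots = {}      # address -> {"key", "payload", "next"}
        self._overflow = 0   # next free overflow slot, standing in for "random" placement

    def store(self, key, payload):
        home = hash_address(key)
        record = {"key": key, "payload": payload, "next": None}
        if home not in self.slots:
            self.slots[home] = record
            return home
        # Collision: place the record in overflow and attach a pointer at the end of the chain
        self._overflow += 1
        address = ("overflow", self._overflow)
        self.slots[address] = record
        tail = self.slots[home]
        while tail["next"] is not None:
            tail = self.slots[tail["next"]]
        tail["next"] = address
        return address

    def lookup(self, key):
        """Follow the chain from the home address; returns (payload, records examined)."""
        address, probes = hash_address(key), 0
        while address is not None:
            record = self.slots.get(address)
            if record is None:
                break
            probes += 1
            if record["key"] == key:
                return record["payload"], probes
            address = record["next"]
        return None, probes


if __name__ == "__main__":
    f = HashedFile()
    for k in (3, 2307, 39):
        print(k, hash_address(k), f.store(k, f"record {k}"))
    print(f.lookup(39))   # ('record 39', 3): home record, then two chained overflow records
```

The probe count returned by `lookup` is the cost of a collision: the third colliding key needs three reads instead of one, which is why a hash that is unique 99 percent of the time is still worth tuning.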
7. Normalization of Data
Prepare the third normal form tables necessary to produce the user view for a veterinary practice presented in the chapter. Indicate the primary keys and embedded foreign keys.

Use the table for a veterinary practice (provided in the chapter). Normalize this data into the third normal form, preparing it for use in a relational database environment. Indicate the primary keys and embedded foreign keys in the tables.

Response:
SAME IMAGES AS IN CHAPTER 8, 2e.
8. Normalization of Data
Prepare the third normal form tables needed to produce the user view presented for problem 8 in the chapter. Prepare the base tables, in third normal form, needed to produce the user view presented in the chapter on page 389.

Response:
Inventory Table: Part # (PK), Description, QOH, Reorder Point, EOQ, Unit Cost, Vendor # (FK)
Vendor Table: Vendor # (PK), Vendor Name, Vendor Address, Telephone
9. Normalization of Data
Prepare the third normal form tables needed to produce the user view presented for problem 9. Prepare the base tables, in third normal form, needed to produce the user view presented in problem 8-9 in the chapter on page 389.

Response:
Inventory Table: Part # (PK), Description, QOH, Reorder Point, EOQ
Part/Vendor Link Table: Part # (PK), Vendor # (PK), Unit Cost
Vendor Table: Vendor # (PK), Vendor Name, Vendor Address, Telephone
Note: This is an example of a many-to-many relation between the inventory and vendor tables. The solution requires a link table, which also contains Unit Cost data. A composite key of Part # and Vendor # is needed to define the Unit Cost attribute, because there are many prices for each item carried, depending on which vendor supplies the part.
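The normalization steps of problem 6 (repeating group removed, then the partial dependency of Book Title on Book Call No.) and the link table of problem 9, carried out on data. This is an added example, not the manual's own; both views below are constructed, and the checks that refuse a conflicting title or a copy lent twice are there to show the anomalies the decomposition rules out.

```python
"""Normalize the library view (problem 6) and the inventory/vendor view (problem 9) into 3NF."""
from datetime import date, timedelta

LOAN_PERIOD_DAYS = 14  # Due Date is Date Out + 14 days, so it is computed, not stored

# Constructed un-normalized library view: one row per student with a repeating group of
# loans, each (Book Call No., Book Title, Date Out). A call number identifies one copy.
LIBRARY_VIEW = [
    {"student_id": 1001, "first": "Ana", "last": "Ruiz",
     "loans": [("QA76.9.D3 c.1", "Database Design", date(2024, 3, 1)),
               ("HF5681.A8 c.1", "Auditing Concepts", date(2024, 3, 4))]},
    {"student_id": 1002, "first": "Ben", "last": "Okafor",
     "loans": [("QA76.9.D3 c.2", "Database Design", date(2024, 3, 2))]},
]

# Constructed inventory view for problem 9: each part lists every vendor that supplies it.
INVENTORY_VIEW = [
    {"part": "P-10", "desc": "Bearing", "qoh": 40, "reorder": 10, "eoq": 50,
     "vendors": [(7, "Alpha Supply", 2.10), (9, "Beta Parts", 1.95)]},
    {"part": "P-11", "desc": "Gasket", "qoh": 5, "reorder": 20, "eoq": 100,
     "vendors": [(7, "Alpha Supply", 0.40)]},
]


def normalize_library(view):
    """Step 1 flattens the repeating group; step 2 moves Book Title, which depends on
    Book Call No. alone, out of the (Student ID, Book Call No.) keyed Checkout record."""
    student, checkout, title = {}, {}, {}
    for row in view:
        student[row["student_id"]] = (row["first"], row["last"], len(row["loans"]))
        for call_no, book_title, date_out in row["loans"]:
            # One title per copy: a second, different title is the update anomaly 2NF prevents
            if title.setdefault(call_no, book_title) != book_title:
                raise ValueError(f"conflicting title for {call_no}")
            # One borrower per copy at a time (assumption 2 of the response)
            if any(existing_call_no == call_no for _, existing_call_no in checkout):
                raise ValueError(f"copy {call_no} is already checked out")
            checkout[(row["student_id"], call_no)] = date_out
    return {"student": student, "checkout": checkout, "title": title}


def due_date(date_out):
    """The calculated field dropped from the tables, recomputed on demand."""
    return date_out + timedelta(days=LOAN_PERIOD_DAYS)


def books_out(tables, student_id):
    """Rebuild the view's 'No. of Books Out' from the Checkout table."""
    return sum(1 for sid, _ in tables["checkout"] if sid == student_id)


def normalize_inventory(view):
    """Problem 9: many vendors per part and many parts per vendor need a link table keyed
    on (Part #, Vendor #); Unit Cost depends on that composite key, not on the part alone."""
    inventory, vendor, part_vendor = {}, {}, {}
    for row in view:
        inventory[row["part"]] = (row["desc"], row["qoh"], row["reorder"], row["eoq"])
        for vendor_no, vendor_name, unit_cost in row["vendors"]:
            if vendor.setdefault(vendor_no, vendor_name) != vendor_name:
                raise ValueError(f"conflicting name for vendor {vendor_no}")
            part_vendor[(row["part"], vendor_no)] = unit_cost
    return {"inventory": inventory, "vendor": vendor, "part_vendor": part_vendor}


if __name__ == "__main__":
    lib = normalize_library(LIBRARY_VIEW)
    for table, rows in lib.items():
        print(table, rows)
    print(normalize_inventory(INVENTORY_VIEW)["part_vendor"])
```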
10. Risk Identification and Plan of Action
As the manager of the external audit team, you realize that the embedded audit module writes only material invoices to the audit file for the accounts receivable confirmation process. You are immediately concerned that the accounts receivable account may be substantially overstated this year and for the prior years in which this EAM was used.
Required: Explain why you are concerned since all material invoices are candidates for confirmation by the customer. Outline a plan for determining if the accounts receivable are overstated. Response: The concern is that many “immaterial” invoices may add up to a material amount. If an organized, carefully planned scheme to embezzle numerous small payments from customers is in effect, then the confirmation process will not catch the scheme since small invoice amounts will not be subjected to the confirmation process. An elaborate lapping of accounts receivable can escape detection if no further detection techniques are employed. The auditors should first investigate the current year’s accounts receivable balance. A sample of immaterial invoices should be investigated and subjected to the confirmation process. Only if discrepancies are found should the prior year’s accounts receivable be considered for investigation.
11. Solution to Problem 8-11 (figure not reproduced)
12. Risk Identification and Plan of Action
Baker Manufacturing uses Embedded Audit Modules in several of its financial systems to capture material transactions. During this year's annual financial audit, the external auditors noticed unusually large gaps in dates of the captured transactions being copied to the audit file. Baker Manufacturing management informed the auditors that the increased transaction processing times caused by the EAMs had forced computer operators to turn off the EAMs to allow the processing of important transactions in a timely fashion. In addition, much maintenance had been performed on key applications during the past year.
Required: Outline any potential risks and determine the courses of action the external auditors should follow.

Two years ago an external auditing firm supervised the programming of embedded audit modules for Previts Office Equipment Company. During the audit process this year, the external auditors requested that a transaction log of all transactions be copied to the audit file. The external auditors noticed large gaps in dates and times for transactions being copied to the audit file. When they inquired about this, they were informed that increased processing of transactions had been burdening the mainframe system and that operators frequently had to turn off the EAM to allow the processing of important transactions in a timely fashion. In addition, much maintenance had been performed during the past year on the application programs.
Required: Outline any potential exposures and determine the courses of action the external auditors should use to proceed.

Response: The risk is that material transactions are missing from the audit file and it does not accurately reflect the financial events of the period because the EAMs had been turned off periodically. Also, changes to application programs may have modified them to the extent that the EAMs are ineffective in capturing material transactions. The potential exposure is that unauthorized changes to the application programs have been made, and that the EAMs have been turned off while the unauthorized application programs were being run.
To satisfy their concern, the auditors may do the following:
1) Obtain a copy of the actual transaction files related to their audit objectives.
2) Using ACL or another GAS tool, the auditors can filter out records from the transaction files that are below the materiality level programmed into the EAMs, leaving only material transactions in the file.
3) The auditors can then compare the audit file with the ACL file for material differences in terms of numbers of records and financial balances.
4) If material differences exist, the auditors may need to reconsider their assessment of internal controls, particularly controls over program changes, and possibly extend the scope of the audit.

The external auditors should also make sure that:
a. strict control procedures are in place regarding program changes; all such changes should be authorized and documented. The program version numbers should reconcile to the number of changes made.
b. programmers have access only to source code, not the running copy or the compilers.
c. controls are built in regarding the documentation of program changes if CASE tools are being used.

[Note to Editor. Problems 13 through 21 were taken from AIS 7th ed, Chapter 9 pages 451 through 457. Please pick up the figures from the answer key that correspond to the problem numbers, where noted].
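Steps 1 to 4 of the response, carried out on a small constructed data set. This is an added example, not the manual's own procedure: the GAS filter of step 2 is written as a plain threshold filter, the materiality level programmed into the EAM is an assumed constant, and the transaction and audit files are made up so that one material transaction falls in a period when the EAM was switched off.

```python
"""Reconcile the EAM audit file against the full transaction file (problem 12, steps 1-4)."""
from collections import namedtuple
from datetime import date
from decimal import Decimal

Txn = namedtuple("Txn", "txn_id date amount")
MATERIALITY = Decimal("10000")  # assumed threshold programmed into the EAM

# Constructed: every transaction the application processed this period (step 1's copy)
TRANSACTION_FILE = [
    Txn("T1", "2024-02-01", Decimal("15000.00")),
    Txn("T2", "2024-02-01", Decimal("250.00")),
    Txn("T3", "2024-02-09", Decimal("42000.00")),  # material, EAM switched off that day
    Txn("T4", "2024-02-15", Decimal("11000.00")),
    Txn("T5", "2024-02-16", Decimal("9999.99")),   # just below materiality
]
# Constructed: what the EAM actually wrote to the audit file
AUDIT_FILE = [TRANSACTION_FILE[0], TRANSACTION_FILE[3]]


def material_transactions(txns, threshold=MATERIALITY):
    """Step 2: keep only records at or above the level the EAM was programmed to capture."""
    return [t for t in txns if t.amount >= threshold]


def reconcile(transaction_file, audit_file, threshold=MATERIALITY):
    """Step 3: compare record counts and balances, and list what the EAM failed to capture.
    Audit records with no matching source transaction are reported too; they would point
    at the audit file itself having been altered."""
    expected = {t.txn_id: t for t in material_transactions(transaction_file, threshold)}
    captured = {t.txn_id: t for t in audit_file}
    missing = sorted(set(expected) - set(captured))
    unexpected = sorted(set(captured) - set(expected))
    return {
        "expected_count": len(expected),
        "captured_count": len(captured),
        "missing": missing,
        "unexpected": unexpected,
        "balance_difference": sum(expected[i].amount for i in missing)
                              - sum(captured[i].amount for i in unexpected),
    }


def capture_gaps(audit_file, max_gap_days):
    """Flag stretches with no captured transactions longer than max_gap_days, the symptom
    that first alerted the auditors in the problem."""
    dates = sorted({date.fromisoformat(t.date) for t in audit_file})
    gaps = []
    for earlier, later in zip(dates, dates[1:]):
        span = (later - earlier).days
        if span > max_gap_days:
            gaps.append((earlier.isoformat(), later.isoformat(), span))
    return gaps


def material_differences_exist(result):
    """Step 4: any uncaptured material record is reason to revisit the control assessment."""
    return bool(result["missing"]) or result["balance_difference"] != 0


if __name__ == "__main__":
    outcome = reconcile(TRANSACTION_FILE, AUDIT_FILE)
    print(outcome)
    print(capture_gaps(AUDIT_FILE, max_gap_days=7))
    print("extend audit scope:", material_differences_exist(outcome))
```

The count comparison alone (3 expected, 2 captured) already fails; the balance difference says how much is at stake, and the gap list ties the missing record to the period in which operators turned the module off.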
13. NORMALIZATION OF DATA
Prepare the 3NF base tables needed to produce the sales report view shown in the diagram for Problem 13.

Response:
Customer Table: Customer #, Customer Name, Address, *Customer Total
Invoice Table: Invoice #, Date, *Invoice Total, Customer #
Line Item Table: Invoice #, Part #, Quantity, *Extended Price
Inventory Table: Part Number, Unit Price
* Could be a calculated field
14. NORMALIZATION OF DATA––PURCHASE ORDER
Acme Plywood Company uses the purchase order shown in the diagram for Problem 14. Acme business rules:
1. Each vendor may supply many items; an item is supplied by only one vendor.
2. A purchase order may list many items; an item may be listed on many purchase orders.
3. An employee may complete several purchase orders, but only one employee may fill out an individual PO.
Prepare the 3NF base tables needed to produce this purchase order.

Response:
Table Employee: Employee # (PK), Name, Address, Date Hired, Exemptions, Marital Status
Table PO: PO # (PK), Date, Employee # (FK), Vendor # (FK)
Table PO/Item: PO # (PK), Item # (PK), Quantity
Table Item: Item # (PK), Description, On Hand, Cost, Price, Vendor # (FK)
Table Vendor: Vendor # (PK), Name, Address, Contact, Terms, Balance
15. TABLE LINKING
Solve this problem per the text within the diagram for Problem 15.
Response: SOLUTION IS THE SAME AS IN HALL AIS, 7e, Problem 9-15. IMAGE NEEDS TO BE RELABELED.
Solution to Problem 8-15
16. DEFINING ENTITIES AND DATA MODELING––PAYROLL
Employees at the Sagerod Manufacturing Company record their hours worked on paper time cards that are inserted into a time clock machine at the beginning and end of each shift. On Fridays, the supervisor collects the time cards, reviews and signs them, and sends them to the payroll clerk. The clerk calculates the pay for each employee and updates the employee earnings file. This involves adding a new record for each employee in the pay period that reflects the employee's gross pay, tax deductions, and other withholdings for the period. The clerk then prepares a paycheck for each employee and records them in the check register. The check register and corresponding paychecks reflect each employee's net earnings for the period. Based on these records, the clerk prepares a payroll summary, which is sent with the paychecks to the cash disbursements clerk. The clerk reviews the payroll summary, updates the cash disbursements journal to record the total payroll, and prepares a check for the total payroll, which is deposited into the payroll imprest account. The clerk then signs the paychecks and distributes them to the employees.

Required: Assume that the manual system described is to be automated using a relational database system. Create a data model for the system including primary keys, foreign keys, and data attributes that will support the tasks and user views. You may need to make assumptions about how certain automated activities will be performed. Normalize the model.

Assume that this manual system is to be automated using a relational database system. Perform the following tasks. You may need to make assumptions about how certain automated activities will be performed.
a. List all candidate entities in the procedures described.
b. Identify the valid entities and explain why the rejected entities should not be modeled.
c. Create a data model of the process showing entity associations.

Response: Parts a and b:
Rejected Entities and Reason
Payroll clerk: Violates rules 1 and 2. Wording suggests only one clerk (rule 1) and no evidence of attributes unique to this entity (rule 2).
Sagerod Manufacturing Company: Violates rule 1. The company is a single occurrence.
Cash disbursements clerk: Violates rules 1 and 2.
Supervisor: Violates rules 1 and 2.
Check for the total payroll: This is a view. Violates rule 2.
Paycheck: This is a view. Violates rule 2.
Payroll summary: This is a view. Violates rule 2.

Valid entities: Employee, Paycheck register, Cash disbursement journal, Time card, Employee earnings file.

Part c: SOLUTION IS THE SAME AS IN HALL AIS, 7e, Problem 9-16. IMAGE NEEDS TO BE RELABELED.
[Figure: Problem 8-16, Entity Level ERD for Payroll. Entities: Employee, Time Card, Paycheck Register, Earnings Record, Cash Disbursement Journal. Relationship labels: Submits, Receives, Contains, Derived from, Contains.]
17. DEFINING ENTITIES AND DATA MODELING––PURCHASES PROCEDURES
The business rules that constitute the purchases system for the Safe Buy Grocery Stores chain are similar at all the store locations. The purchase manager at each location is responsible for selecting his or her local suppliers. If the manager needs a product, he or she chooses a supplier. Each store follows the steps described here.
1. The purchasing function begins with sales representatives from suppliers periodically observing the shelves and displays at each location and recognizing the need to restock inventory. Inventory declines by direct sales to the customers or by spoilage of perishable goods. In addition, the supplier's sales representatives review obsolescence reports that the purchase manager prepares. These reports identify slow-moving and dated products that are deemed unsalable at a particular location. These products are returned to the supplier and replaced with more successful products. The sales representatives prepare a hard-copy purchase requisition and meet with the purchase managers of the individual store locations. Together, the sales representative and the purchase manager create a purchase order defining the products, the quantity, and the delivery date.
2. At the intended delivery date, Safe Buy Grocery Stores receive the goods from the suppliers. Goods received are unloaded from the delivery trucks and stocked on the shelves and displays by part-time employees.
3. The unloading personnel create a receiving report. Each day a receiving report summary is prepared and sent to the purchase managers for review.
4. The supplier subsequently submits an invoice to the AP department clerk, who creates an invoice record. The clerk reconciles the invoice against the receiving report and purchase order and then creates a payment obligation to be paid at a future date, depending on the terms of trade.
5. On the due date, a check is automatically prepared and sent to the supplier, and the payment is recorded in the check register. At the end of each day, a payment summary is sent to the purchase managers for review.

Required: Assume that the manual system described is to be automated using a relational database system. Create a data model for the system including primary keys, foreign keys, and data attributes that will support the tasks and user views. You may need to make assumptions about how certain automated activities will be performed. Normalize the model.

Assume that the manual system described is to be automated using a relational database system. Perform the following tasks. You may need to make assumptions about how certain automated activities will be performed.
a. List all candidate entities in the procedures described.
b. Identify the valid entities and explain why the rejected entities should not be modeled.
c. Create a data model of the process showing entity associations.
d. Create a fully attributed model by adding primary keys, foreign keys, and data attributes. Normalize the model.
Response: Parts a and b:

Rejected Entities and Reason
Accounts Payable Department Clerk: Violates rules 1 and 2. Wording suggests only one clerk (rule 1) and no evidence of attributes unique to this entity (rule 2).
Safe Buy Grocery Stores: Violates rule 1. The company is a single occurrence.
Receiving Report Summary: This is a view. It derives entirely from the receiving report and thus violates rule 2.
Part-Time Employees: Violates rule 2. Assumption: no employee-specific data need to be captured by this system.
Unloading Personnel: Violates rule 2. Assumption: no employee-specific data need to be captured by this system.
Sales Representatives: Violates rule 2. Assumption: the company does not capture sales rep data unique to each transaction.
Obsolescence Reports: This is a view, derived from inventory records. Violates rule 2.
Invoice (physical): This is a view, used to create the invoice record. Violates rule 2.
Check (physical): This is a view, derived from check register records. Violates rule 2.
Payment Summary: This is a view, derived from check register records. Violates rule 2.
Purchase Requisition: This is a view, used to create the purchase order. Violates rule 2.
Customers: Not relevant to this system.

Valid Entities and Reason
Purchase Manager: Assumption: all store purchase managers will use the system. This entity will consist of multiple occurrences and provide manager/store-specific data not contained in other entities.
Supplier: Meets conditions of rules 1 and 2.
Inventory: Meets conditions of rules 1 and 2.
Purchase Order: Meets conditions of rules 1 and 2.
Receiving Report: Meets conditions of rules 1 and 2.
Invoice (record): Meets conditions of rules 1 and 2.
Payment Obligation: Meets conditions of rules 1 and 2.
Check (register): Meets conditions of rules 1 and 2.
Problem 8-17, part c Data Model of Purchases Procedures
Part d:
18. DEFINING ENTITIES AND DATA MODELING––FIXED ASSET PROCEDURES
The business rules that constitute the fixed asset procedures for the Safe Buy Grocery Stores chain are similar at all the store locations. The store manager at each location is responsible for identifying needed fixed assets and for selecting the vendor. Freezers, refrigerators, delivery vans, and store shelving are examples of fixed asset purchases. Once the need has been identified, each store follows the procedures described next. The manager creates a purchase order, which is sent to the supplier. The supplier delivers the asset to the receiving clerk, who prepares a receiving report. Each week the fixed asset department clerk reviews the fixed asset receiving report summary and creates a fixed asset inventory record for each receipt. The fixed asset clerk maintains the inventory records and depreciation schedules. The vendor subsequently submits an invoice to the AP department clerk, who creates an invoice record. The clerk reconciles the invoice against the receiving report and purchase order and then creates a payment obligation to be paid at a future date, depending on the terms of trade. On the due date, a check is automatically prepared and sent to the vendor, and the payment is recorded in the check register. At the end of each day, a payment summary is sent to the AP manager for review.

Required: Assume that the manual system described is to be automated using a relational database system. Create a data model for the system including primary keys, foreign keys, and data attributes that will support the tasks and user views. You may need to make assumptions about how certain automated activities will be performed. Normalize the model.

Assume that the manual system described is to be automated using a relational database system. Perform the following tasks. You may need to make assumptions about how certain automated activities will be performed.
a. List all candidate entities in the procedures described.
b. Identify the valid entities and explain why the rejected entities should not be modeled.
c. Create a data model of the process showing entity associations.
d. Create a fully attributed model by adding primary keys, foreign keys, and data attributes. Normalize the model.

Response: Parts a and b:

Rejected Entities and Reason
Accounts Payable Department Clerk: Violates rules 1 and 2. Wording suggests only one clerk (rule 1) and no evidence of attributes unique to this entity (rule 2).
Safe Buy Grocery Stores: Violates rule 1. The company is a single occurrence.
FA Receiving Report Summary: This is a view. It derives entirely from the receiving report and thus violates rule 2.
Receiving Clerk: Violates rule 2. Assumption: no employee-specific data need to be captured by this system.
Accounts Payable Manager: Violates rule 2. Assumption: no employee-specific data need to be captured by this system.
Depreciation Schedule: Assumption: this is a view, derived from data in inventory records. Violates rule 2.
Invoice (physical): This is a view, used to create the invoice record. Violates rule 2.
Check (physical): This is a view, derived from check register records. Violates rule 2.
Payment Summary: This is a view, derived from check register records. Violates rule 2.
Purchase Requisition: This is a view, used to create the purchase order. Violates rule 2.
Store Manager: Assumption: manager/store-specific data will be contained in other entities, i.e. Purchase Order.

Valid Entities and Reason
Supplier: Meets conditions of rules 1 and 2.
Fixed Assets Inventory: Meets conditions of rules 1 and 2.
Purchase Order: Meets conditions of rules 1 and 2.
Receiving Report: Meets conditions of rules 1 and 2.
Invoice (record): Meets conditions of rules 1 and 2.
Payment Obligation: Meets conditions of rules 1 and 2.
Check (register): Meets conditions of rules 1 and 2.

Part c: SOLUTION IS THE SAME AS IN HALL AIS, 7e, Problem 9-18. IMAGE NEEDS TO BE ADDED.
Part d: SOLUTION IS THE SAME AS IN HALL AIS, 7e, Problem 9-18. IMAGE NEEDS TO BE RELABELED.
Problem 8-18, Part c – Data model of Fixed Assets Procedures
Problem 8-18, part d – Fully Attributed Data model
19. DEFINING ENTITIES AND DATA MODELING––SALES ORDER PROCEDURES
Sales Procedures
Customer Lotus Tea Importer Company places an order with a sales representative by phone or fax. The sales department employee then transcribes the customer order into a standard sales order format and produces the following documents: three copies of sales orders, a stock release document, a shipping notice, and a packing slip. The accounting department receives a copy of the sales order, the warehouse receives the stock release and a copy of the sales order, and the shipping department receives a shipping notice and packing slip. The sales clerk files a copy of the sales order in the department. Upon receipt of the sales order, the accounting department clerk prepares a customer invoice by adding prices to the sales order, which she obtains from the official price list. She then sends the invoice to the customer. Using data from the sales order the clerk then records the sale in the sales journal and in the AR subsidiary ledger. At the end of the day the clerk prepares a sales journal voucher, which she sends to the general ledger department for posting to the sales and AR control accounts. The warehouse receives a copy of the sales order and stock release document. A warehouse employee picks the product and sends it to the shipping department along with the stock release document. A warehouse clerk then updates the inventory records to reflect the reduction of inventory on hand. At the end of the day the clerk prepares a hard-copy inventory account summary and sends it to the general ledger department for posting to the inventory control and cost of goods sold accounts. Upon receipt of the stock release document from the warehouse, the shipping clerk prepares the two copies of a bill of lading. The BOLs and the packing slip are sent with the product to the carrier. The clerk then files the stock release in the department.

Cash Receipts Procedure
The mail room has five employees who open mail and sort the checks from the remittance advices. The remittance advices are sent to the accounting department where the accounting clerk updates the customer AR subsidiary ledger to reflect the reduction in accounts receivable. At the end of the day the clerk prepares an account summary and sends it to the general ledger department for posting. The mail room clerk sends the checks to the cash receipts department, where a clerk endorses each check with the words "For Deposit Only." Next, the clerk records the cash receipts in the cash receipts journal. Finally, the clerk prepares a deposit slip and sends it and the checks to the bank.

Required: Assume that the manual system described is to be automated using a relational database system. Create a data model for the system including primary keys, foreign keys, and data attributes that will support the tasks and user views. You may need to make assumptions about how certain automated activities will be performed. Normalize the model.

Assume that the manual system described is to be automated using a relational database system. Perform the following tasks. You may need to make assumptions about how certain automated activities will be performed.
a. List all candidate entities in the procedures described.
b. Identify the valid entities and explain why the rejected entities should not be modeled.
c. Create a data model of the process showing entity associations.
d. Create a fully attributed model by adding primary keys, foreign keys, and data attributes. Normalize the model.

Response:
Parts a and b:

Rejected Entities and Reason
Lotus Tea Importer Company and all departments such as sales, warehouse, shipping department, general ledger department, etc.: Violates rule 1. The company and these departments are single occurrences.
Various clerks such as sales representative, accounting department clerk, AR clerk, etc.: Violates rules 1 and 2. Wording suggests only one clerk (rule 1) and no evidence of attributes unique to this entity (rule 2).
Stock release document: This is a view. It derives entirely from the sales order and thus violates rule 2.
Mail room employees: Violates rule 2. Assumption: no employee-specific data need to be captured by this system.
Packing slip: This is a view, derived from the sales order. Violates rule 2.
Invoice (physical): This is a view, derived from the sales order. Violates rule 2.
Customer check (physical): This is a view, used to create a record in the cash receipts journal. Violates rule 2.
Inventory account summary: This is a view, derived from inventory records. Violates rule 2.
Remittance advices: This is a view that is derived from the sales order and sent to the customer to facilitate posting payments to the correct customer account.
AR account summary: This is a view, derived from the AR subsidiary ledger or the total of all unpaid sales orders.
Price list: Given the limited information in the problem, this entity may be represented as either a separate table or more simply as a field in the inventory record. We assume the latter in this solution.

Valid Entities and Reason
Customer: Meets conditions of rules 1 and 2.
Sales order: Meets conditions of rules 1 and 2.
Inventory (product): Meets conditions of rules 1 and 2.
Cash receipts record (CR journal): Meets conditions of rules 1 and 2.
Bill of lading: Meets conditions of rules 1 and 2.
Carrier: Meets conditions of rules 1 and 2.
Deposit slip: Meets conditions of rules 1 and 2.
Shipping notice: Meets conditions of rules 1 and 2.
The ER diagrams in the student solutions probably contain the accounting-record entities in the table below. Technically, however, these entities are not necessary in a modern database system. This issue is an aspect of REA modeling that is examined in detail in chapter 10 of the text. The table below illustrates how each of these accounting records can be derived from other transactional database tables. The solutions to parts C and D of this problem do not include these unnecessary entities.

Unnecessary Accounting Records and how each may be derived
Sales Journal: This is equivalent to sales order records.
AR Subsidiary ledger: This is the sum of all sales order records, organized by customer, that are still open (unpaid) at period end.
AR control account (GL): This is the sum total of all sales order records that are still open (unpaid) at the period end.
Cost of goods sold account (GL): Calculated as the quantity sold (sales order) X the cost of the item taken from the inventory record.
Inventory control (GL): Sum of all inventory records.
Sales account (GL): This is the sum total of sales order records.
Journal voucher: This is the sum of the transaction detail captured by the cash receipts records and/or the c
Part c: Problem 8-19 Entity Level ER Diagram (figure not reproduced; the solution is the same as Hall, AIS 7e, Problem 9-19)
Part d: Problem 8-19 Fully Attributed and Normalized ER Diagram (figure not reproduced; the solution is the same as Hall, AIS 7e, Problem 9-19)
20. DEFINING ENTITIES AND DATA MODELING—BUSINESS RULES
Given the following business rules, construct an ER diagram so each rule is captured for the database. Presume each rule is to be treated individually. Construct an ER diagram for each rule.
a. A retail sales company prepares sales orders for its customers’ purchases. A customer can make many purchases, but a sales order is written for a single customer.
b. A retail sales company orders inventory using a purchase order. An inventory item may be ordered many times, and a purchase order may be created for more than one inventory item.
c. A company that sells antique cars prepares a sales order for each car sold. The inventory for this company consists of unique automobiles, and only one of these automobiles may be listed on a sales order.
d. A grocery store identifies returning customers via a plastic card that the clerk scans at the time of each purchase. The purpose of this card is to track inventory and to maintain a database of customers and their purchases. Obviously, a customer may purchase an unlimited number of items from the grocery store. Items are unique only by a UPC code, and each UPC code may be associated with many different customers.
e. A video rental store uniquely identifies each of its inventory items so customers can rent a movie and return the movie via a drop box, and the store can identify which copy of the movie was rented and returned. A customer is allowed to rent up to six movies at a time, but a copy of a movie can only be rented by one customer at a time.
Response:
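The following is an added example (not part of the solutions manual or of the text) that takes the five business rules of problem 20 one step past the ER diagram: each rule is written as SQLite tables whose keys and constraints enforce the stated cardinality, so a violating insert is rejected by the database. Table and column names are this example's own assumptions; the partial unique index and the trigger for rule e are one way of enforcing the "one renter at a time" and "six at a time" limits, not the text's method.

```python
"""Added example, not part of the solutions manual: the five business rules of
problem 20 written as SQLite tables so that each cardinality is enforced by the
database rather than only drawn in an ER diagram. Table and column names are
this example's own assumptions."""
import sqlite3

SCHEMA = """
PRAGMA foreign_keys = ON;

-- Rule a (1:M): a sales order names one customer; a customer may have many orders.
CREATE TABLE customer (customer_id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE sales_order (
    so_number   INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customer(customer_id));

-- Rule b (M:M): purchase orders and inventory items meet in a link table whose
-- composite key is the two parent keys.
CREATE TABLE inventory (item_id INTEGER PRIMARY KEY, description TEXT);
CREATE TABLE purchase_order (po_number INTEGER PRIMARY KEY);
CREATE TABLE po_line (
    po_number INTEGER REFERENCES purchase_order(po_number),
    item_id   INTEGER REFERENCES inventory(item_id),
    quantity  INTEGER NOT NULL CHECK (quantity > 0),
    PRIMARY KEY (po_number, item_id));

-- Rule c (1:1): each antique car is unique and appears on at most one sales
-- order, so the car's key on the order is UNIQUE as well as a foreign key.
CREATE TABLE car (vin TEXT PRIMARY KEY, model TEXT);
CREATE TABLE car_sales_order (
    so_number INTEGER PRIMARY KEY,
    vin       TEXT NOT NULL UNIQUE REFERENCES car(vin));

-- Rule d (M:M): customers and UPC-identified items, again through a link table.
CREATE TABLE upc_item (upc TEXT PRIMARY KEY, description TEXT);
CREATE TABLE grocery_purchase (
    customer_id  INTEGER REFERENCES customer(customer_id),
    upc          TEXT REFERENCES upc_item(upc),
    purchased_at TEXT NOT NULL,
    PRIMARY KEY (customer_id, upc, purchased_at));

-- Rule e: each physical copy is identified; a copy has one renter at a time
-- (partial unique index over open rentals) and a customer holds at most six
-- open rentals (trigger).
CREATE TABLE movie_copy (copy_id INTEGER PRIMARY KEY, title TEXT);
CREATE TABLE rental (
    rental_id   INTEGER PRIMARY KEY,
    copy_id     INTEGER NOT NULL REFERENCES movie_copy(copy_id),
    customer_id INTEGER NOT NULL REFERENCES customer(customer_id),
    returned    INTEGER NOT NULL DEFAULT 0);
CREATE UNIQUE INDEX one_renter_per_copy ON rental(copy_id) WHERE returned = 0;
CREATE TRIGGER max_six_open BEFORE INSERT ON rental
WHEN (SELECT COUNT(*) FROM rental
      WHERE customer_id = NEW.customer_id AND returned = 0) >= 6
BEGIN
    SELECT RAISE(ABORT, 'customer already has six open rentals');
END;
"""

def build_db():
    """Create the schema in memory and load a few constructed master records."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO customer VALUES (1, 'Alice'), (2, 'Bob')")
    conn.execute("INSERT INTO car VALUES ('VIN-001', 'Cord 810')")
    conn.executemany("INSERT INTO movie_copy VALUES (?, ?)",
                     [(i, f"Title {i}") for i in range(1, 9)])
    return conn

def attempt(conn, sql, params=()):
    """True if the insert is accepted, False if a constraint rejects it."""
    try:
        conn.execute(sql, params)
        return True
    except sqlite3.IntegrityError:
        return False

def demo():
    conn = build_db()
    rent = "INSERT INTO rental (copy_id, customer_id) VALUES (?, ?)"
    r = {}
    # rule c: the same car cannot be sold on a second sales order
    r["car_first_sale"] = attempt(conn, "INSERT INTO car_sales_order VALUES (1, 'VIN-001')")
    r["car_second_sale"] = attempt(conn, "INSERT INTO car_sales_order VALUES (2, 'VIN-001')")
    # rule e: one renter per copy at a time
    r["copy1_alice"] = attempt(conn, rent, (1, 1))
    r["copy1_bob"] = attempt(conn, rent, (1, 2))
    # rule e: Alice may hold six open rentals but not a seventh
    for copy_id in range(2, 7):
        attempt(conn, rent, (copy_id, 1))
    r["alice_seventh"] = attempt(conn, rent, (7, 1))
    # once copy 1 is returned it can be rented again
    conn.execute("UPDATE rental SET returned = 1 WHERE copy_id = 1")
    r["copy1_bob_after_return"] = attempt(conn, rent, (1, 2))
    return r

if __name__ == "__main__":
    print(demo())
```

Rules a and c differ only in the UNIQUE constraint on the foreign key, which is exactly the difference between the 1:M and 1:1 diagrams; rules b and d are both link tables with a composite key; rule e shows that a cardinality stated "at a time" is a constraint on the open rows only, which is why the unique index is partial.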
21.
Database Design
Required: Design a partial relational database needed to support those aspects of PGP’s process that are outlined above. Label the database tables and assign meaningful attributes to each. Assign primary keys and foreign keys as needed. Assume that invoices, purchase orders and receiving reports may contain many items. Response: Below are the database tables needed for the PGP system. Student responses will vary based upon assumptions made.
Sales Invoice: SI Number (PK), Order Date, Invoice Amount, Payment, Customer Number (FK)
SI Line Item: SI Number (PK), Product Number (PK), Quantity
Customer: Customer Number (PK), Last Name, First Name, Customer Class, Address2, City, State, Zip Code, Available Credit
Cash Receipt: CR Number (PK), Customer Number (FK), Amount, Payment Reference, Date
Inventory: Product Number (PK), Description, Quantity On Hand, Reorder Point, Order Quantity, Supplier Number (FK)
Supplier: Supplier Number (PK), Company Name, Address1, City, State, Zip Code
Purchase Order: PO Number (PK), Order Date, PO Amount
PO Line Item: PO Number (PK), Product Number, Quantity
Supplier Invoice: Invoice Number (PK), Invoice Date, Amount, PO Number (FK), Paid Reference, Supplier Number (FK)
Invoice Line Item: Invoice Number (PK), Product Number (PK), Quantity
Receiving Report: RR Number (PK), Date, PO Number (FK)
RR Line Item: RR Number (PK), Product Number (PK), Quantity Received, Condition Code
Cash Disbursement: CD Check Number (PK), Amount, Payment Date
Explanation of tables and attributes:
1) The Payment Reference attribute in the Cash Receipts table contains either the last four digits of the consumer customer’s credit card or the commercial customer’s check number.
2) The Paid Reference attribute in the Supplier Invoice table contains the Cash Disbursement Check Number to show that the obligation has been paid.
3) The Customer Invoice, Supplier Invoice, Receiving Report, and Purchase Order tables are associated with line item tables in a 1:M relation. The line item tables contain the details of the transactions and have a composite key linking them to the Inventory table and to their respective invoice, PO or RR table.
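The following is an added example (not part of the solutions manual or of the text) that builds the purchasing side of the PGP tables above in SQLite and uses the composite-key line-item tables from point 3 to perform a three-way match of ordered, received and invoiced quantities, the comparison an accounting clerk makes before an invoice is approved for payment. The column names follow the table list above; the sample rows, the status labels and the query are this example's own.

```python
"""Added example, not part of the solutions manual: the purchasing side of the
PGP tables from problem 21 built in SQLite, using the composite-key line-item
tables to run a three-way match of purchase order, receiving report and supplier
invoice quantities. Column names follow the table list above; sample rows are
constructed."""
import sqlite3

SCHEMA = """
CREATE TABLE inventory (product_number TEXT PRIMARY KEY, description TEXT);
CREATE TABLE purchase_order (po_number TEXT PRIMARY KEY, order_date TEXT, po_amount REAL);
CREATE TABLE po_line_item (
    po_number      TEXT REFERENCES purchase_order(po_number),
    product_number TEXT REFERENCES inventory(product_number),
    quantity       INTEGER NOT NULL,
    PRIMARY KEY (po_number, product_number));          -- composite key (point 3)
CREATE TABLE receiving_report (rr_number TEXT PRIMARY KEY, rr_date TEXT,
    po_number TEXT REFERENCES purchase_order(po_number));
CREATE TABLE rr_line_item (
    rr_number         TEXT REFERENCES receiving_report(rr_number),
    product_number    TEXT REFERENCES inventory(product_number),
    quantity_received INTEGER NOT NULL,
    condition_code    TEXT,
    PRIMARY KEY (rr_number, product_number));
CREATE TABLE supplier_invoice (invoice_number TEXT PRIMARY KEY, invoice_date TEXT,
    amount REAL, po_number TEXT REFERENCES purchase_order(po_number),
    paid_reference TEXT);                                -- CD check number when paid (point 2)
CREATE TABLE invoice_line_item (
    invoice_number TEXT REFERENCES supplier_invoice(invoice_number),
    product_number TEXT REFERENCES inventory(product_number),
    quantity       INTEGER NOT NULL,
    PRIMARY KEY (invoice_number, product_number));
"""

# Each invoice line is compared with the ordered and received quantities for the
# same PO and product. LEFT JOINs keep invoice lines that have no PO line or receipt.
MATCH_SQL = """
SELECT si.invoice_number, il.product_number, il.quantity AS invoiced,
       COALESCE(pl.quantity, 0)               AS ordered,
       COALESCE(SUM(rl.quantity_received), 0) AS received
FROM supplier_invoice si
JOIN invoice_line_item il ON il.invoice_number = si.invoice_number
LEFT JOIN po_line_item pl
       ON pl.po_number = si.po_number AND pl.product_number = il.product_number
LEFT JOIN receiving_report rr ON rr.po_number = si.po_number
LEFT JOIN rr_line_item rl
       ON rl.rr_number = rr.rr_number AND rl.product_number = il.product_number
GROUP BY si.invoice_number, il.product_number
ORDER BY si.invoice_number, il.product_number
"""

def load_sample():
    """In-memory database with constructed purchasing rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO inventory VALUES (?, ?)",
                     [("P1", "Widget"), ("P2", "Gadget"), ("P3", "Gizmo")])
    conn.execute("INSERT INTO purchase_order VALUES ('PO-100', '2024-02-01', 350.0)")
    conn.executemany("INSERT INTO po_line_item VALUES (?, ?, ?)",
                     [("PO-100", "P1", 10), ("PO-100", "P2", 5)])
    conn.execute("INSERT INTO receiving_report VALUES ('RR-500', '2024-02-10', 'PO-100')")
    conn.executemany("INSERT INTO rr_line_item VALUES (?, ?, ?, ?)",
                     [("RR-500", "P1", 10, "OK"), ("RR-500", "P2", 4, "OK")])  # P2 short-shipped
    conn.executemany("INSERT INTO supplier_invoice VALUES (?, ?, ?, ?, ?)",
                     [("INV-8", "2024-01-20", 120.0, None, "CHK-1"),    # already paid
                      ("INV-9", "2024-02-12", 410.0, "PO-100", None)])  # open
    conn.executemany("INSERT INTO invoice_line_item VALUES (?, ?, ?)",
                     [("INV-9", "P1", 10), ("INV-9", "P2", 5), ("INV-9", "P3", 2)])  # P3 never ordered
    return conn

def three_way_match(conn):
    """(invoice, product, invoiced, ordered, received, status) for every invoice line."""
    rows = []
    for inv, prod, invoiced, ordered, received in conn.execute(MATCH_SQL):
        status = "OK" if invoiced == ordered == received else "EXCEPTION"
        rows.append((inv, prod, invoiced, ordered, received, status))
    return rows

def unpaid_invoices(conn):
    """A NULL Paid Reference means no cash disbursement check has been matched yet."""
    return [n for (n,) in conn.execute(
        "SELECT invoice_number FROM supplier_invoice WHERE paid_reference IS NULL")]

if __name__ == "__main__":
    c = load_sample()
    for row in three_way_match(c):
        print(row)
    print("unpaid:", unpaid_invoices(c))
```

The composite keys are what make the match possible: because (PO Number, Product Number), (RR Number, Product Number) and (Invoice Number, Product Number) each identify exactly one line, the three documents can be joined product by product rather than only compared in total, so a short shipment or an item that was never ordered shows up as its own exception line.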
22. COMPREHENSIVE CASE (Prepared by Katie Daley and Gail Freeston, Lehigh University) D&F is a distributor of CDs and cassettes that offers benefits such as discount prices and an introductory offer of ten CDs or cassettes for a penny (not including the shipping and handling costs). Its primary target customers are college students; its main marketing strategy is constant deals to club members. The company’s main competitors in the industry are BMG and Columbia House; both offer similar promotions. D&F started in 1993 with an office in Harrisburg, Pennsylvania, initially targeting college students in the surrounding area. The company realized there was a high demand for discounted music merchandise and the convenience of mail delivery within universities. After its second year, with a constant increase in customer orders, D&F relocated to Philadelphia, where it was located near more colleges and universities. The move has had a positive effect on net profits and demand, supporting the decision to continue the growth of the company. D&F recently expanded its facility to be able to fulfill a higher demand for its services. Its customer base ranges from areas as close as Villanova University to as far as Boston College. As of 2007, there were 103 employees. Their prior year’s gross sales were $125 million. D&F’s market share is on the rise, but is not yet comparable to the magnitude of BMG and Columbia House. However, the corporation’s goals for the upcoming years include establishing itself as an industry player through increased customer satisfaction and loyalty. D&F is also considering the installation of a new information-processing system. This system will reengineer their current business functions by reducing loopholes in their internal control problems. D&F receives CDs and cassettes from various wholesale suppliers and music store chains, totaling 32 suppliers nationwide. 
The office has its own warehouse, stores its own merchandise, and is responsible for replenishing the inventory. D&F has had no substantial problems in the past with their suppliers. On the other hand, it has encountered problems with excess inventory, stockouts, and discrepancies with inventory records. Revenue Cycle Becoming a member of D&F Music Club involves calling the toll-free number and speaking with a sales representative, who establishes a new customer account. A customer’s account record contains his or her name, address, phone number, previous orders he or she made with the company, and a sequentially assigned unique customer account number. Customers place orders by phone with a sales representative, who prepares a sales order record. John, in the billing department, reviews the sales orders, adds prices and shipping charges, and prints a copy (invoice) that is sent to the customer. John then adds a record to the sales journal to record the sale. Chris, a warehouse employee, verifies the information on the sales order, picks the goods, prints the packing slip, and updates the inventory subsidiary ledger. Chris prepares the bill of lading for
the carrier. The goods are then shipped. Sandy in AR updates the customer accounts and general ledger control accounts. When customers make a payment on account, they send both the remittance advice (that was attached to the invoice) and a check with their account number on it. Scott, a mail room clerk, opens all the cash receipts. He separates the check and remittance advice and prepares a remittance list, which, along with the checks, is sent to the cash receipts department. Laura, the cash receipts clerk, reconciles the checks with the remittance, updates the customer’s account and the general ledger, and then deposits the checks in the bank. She sends the deposit slip to Sandy in the accounting department. Upon receiving the bank receipt, Sandy files it and updates the cash receipts journal to record the amount deposited. Upon the receipt of the CDs or cassettes ordered, the customer has a 15-day trial period. If, at the end of that period, he or she sends a payment, it is understood that the goods have been accepted. If, on the other hand, the customer is dissatisfied with the product for any reason, he or she can return it to D&F Music Club at no charge. However, to return the CD or cassette, the customer must call the company to obtain an authorization number. When the goods arrive, Chris prepares the return record and updates the inventory subsidiary ledger. Printed copies of the return record are sent to John and Sandy. John reviews the return record and updates the sales journal. Sandy credits the customer’s account and updates the general ledger to reverse the transaction. Expenditure Cycle The purchases system and the cash disbursements system comprise D&F Music Club’s expenditure cycle. The three departments within the purchasing system are the warehouse, purchasing, and accounting. The purchasing function begins in the warehouse, which stores the inventory of CDs and cassettes. 
Jim, the warehouse manager, compares inventory records with the various demand forecasts of each week, which the market research analyst teams provide, to determine the necessary orders to make. At the end of the week, Jim prepares the purchase requisition record. Sara, the purchasing clerk, reviews the purchase requisitions, selects the suppliers, and prepares the purchase orders. Copies of the purchase orders are sent to the supplier and accounting. When the shipment arrives, Chris, the warehouse clerk, working from a blind copy of the purchase order, counts and inspects the goods for damage. He then prepares a receiving report and updates the inventory records. Upon receipt of the supplier’s invoice, Diana, the accounting clerk, compares it to the respective purchase order and receiving report. If the invoice is accurate, Diana creates an AP record, sets a due date to be paid, and updates general ledger accounts. On the due date, Evan, the cash disbursements clerk, closes the AP record, cuts a check, and sends it to the supplier. He then updates the check register and the general ledger. Required:
Assume that the manual system described is to be automated using a relational database system. Perform the following tasks. You may need to make assumptions about how certain automated activities will be performed.
a. List all candidate entities in the procedures described.
b. Identify the valid entities and explain why the rejected entities should not be modeled.
c. Create a data model of the processes showing entity associations.
d. Create a fully attributed model by adding primary keys, foreign keys, and data attributes. Normalize the model.
e. Prepare a data flow diagram of the system showing the data stores.
Response:

Parts a and b:
Rejected Entities – Reason
Sales Representative – Assumption: sales representative specific data will be contained in the customer record. Violates rule 2
D&F Music Club – Violates Rule 1—the company is a single occurrence
John, Billing Clerk – Violates rule 2—Assumption: no employee specific data need to be captured by this system
Chris, Warehouse Clerk – Violates rule 2—Assumption: no employee specific data need to be captured by this system
Sandy, AR Clerk – Violates rule 2—Assumption: no employee specific data need to be captured by this system
Scott, Mailroom Clerk – Violates rule 2—Assumption: no employee specific data need to be captured by this system
Customer Invoice (physical) – This is a view—created from the Customer Invoice record. Violates rule 2
Customer Check (physical) – This is a view—derived from Check Register records. Violates rule 2
Remittance Advice – This is a view—derived from the Customer Invoice record at time of billing. Violates rule 2
Remittance List – This is a view—used to create the Cash Receipt record. Violates rule 2
Laura, Cash Receipts Clerk – Violates rule 2—Assumption: no employee specific data need to be captured by this system
Deposit Slip – This is a view—created from the Cash Receipt record. Violates rule 2
Warehouse Manager – Violates rule 2—Assumption: no employee specific data need to be captured by this system
Demand Forecast – View derived from the marketing system
Purchase Requisition – Assumption: this is a view derived from Inventory records
Sara, Purchasing Clerk – Violates rule 2—Assumption: no employee specific data need to be captured by this system
PO Blind Copy – This is a view—derived from the Purchase Order record. Violates rule 2
Cash Disbursement Clerk – Violates rule 2—Assumption: no employee specific data need to be captured by this system
Payment Check (physical) – This is a view—created from the Check Register record. Violates rule 2
Packing Slip – This is a view—created from the Sales Order record. Violates rule 2

Valid Entities – Reason
Customer – Meets conditions of Rules 1 and 2
Sales Order – Meets conditions of Rules 1 and 2
Sales Journal – Meets conditions of Rules 1 and 2
Inventory Sub Ledger – Meets conditions of Rules 1 and 2
Bill of Lading – Meets conditions of Rules 1 and 2
General Ledger – Meets conditions of Rules 1 and 2
Cash Receipts Journal – Meets conditions of Rules 1 and 2
Return Record – Meets conditions of Rules 1 and 2
Purchase Order – Meets conditions of Rules 1 and 2
Supplier – Meets conditions of Rules 1 and 2
Account Payable – Meets conditions of Rules 1 and 2
Receiving Report – Meets conditions of Rules 1 and 2
Supplier Invoice (record) – Meets conditions of Rules 1 and 2
Check (register) – Meets conditions of Rules 1 and 2
Parts c, d, and e: See following pages.
Problem 8-21 (ER diagram and data flow diagram figures not reproduced)
22. ACL Exercise—Overview of ACL Load the ACL student edition onto your computer and download the ACL Getting Started manual. Read the manual and complete the exercises.
CHAPTER 8 DATA STRUCTURES AND CAATTS FOR DATA EXTRACTION REVIEW QUESTIONS 1.
What are the two fundamental components of data structures? Response: Organization and access method.
2.
What are the criteria that influence the selection of the data structure? Response: The selection criteria derive from the relative importance of one or more file processing operations below in a particular application and the efficiency with which a particular file structure performs the operations. a. rapid file access and data retrieval b. efficient use of disk storage space c. high throughput for transaction processing d. protection from data loss e. ease of recovery from system failure f. accommodation of file growth
3.
What are the advantages and disadvantages of using a sequential data structure? Give an example of each. Response: An advantage is that sequential data structures are simple and easy to process. Each record is processed in sequence. When a large portion of the file is to be processed in one operation such as payroll, this method is efficient for record updating. A disadvantage is that a file that has only a small portion updated, e.g. purchases by 20 of 1,000 customers, will not be efficiently updated because all records will have to be read and rewritten.
4.
What are the advantages and disadvantages of using an indexed random file structure? An indexed sequential file structure? Response: Random indexes are easier to maintain, in terms of adding records, because new key records are simply added to the end of the index without regard to their sequence. The principal advantage of indexed random files is in operations involving the processing of individual records. Another advantage is their efficient use of disk storage. Records may be placed wherever there is space without concern for maintaining contiguous storage locations. However, random files are not efficient structures for operations that involve processing a large portion of a file. A great deal of access time may be required to access an entire file of records that are randomly dispersed throughout the storage device. Sequential files are more efficient for processing a large portion of a file. One advantage of a sequential index is that it can be searched rapidly. Because of its logical arrangement, algorithms can be used to speed the search through the index to find a key value. This advantage becomes particularly important for large data files with corresponding large indexes. However, indexes in sequential order are more difficult to maintain because new record keys must be inserted between existing keys.
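The following is an added example (not part of the solutions manual or of the text) that simulates the trade-offs in questions 3 and 4: a batch update of a sequential master file against a direct update through a random index, and the cost of keeping an index in key sequence. The master file of 1,000 customer records, the 20 transactions, and the read and shift counters are this example's own construction.

```python
"""Added example, not part of the solutions manual: a simulation of the
sequential versus indexed trade-off in questions 3 and 4. The master file is a
constructed list of 1,000 customer records; the counters are this example's own
instrumentation."""
import bisect

def make_master(n=1000):
    """Master file in key sequence; keys are multiples of 10 so a new key can
    later be inserted between existing ones."""
    return [{"key": 10 * k, "balance": 0.0} for k in range(1, n + 1)]

def sequential_update(master, transactions):
    """Classic batch update: read every master record in key order, merge the
    key-sorted transaction file, and rewrite every record. Returns the new file
    and the number of master records read."""
    transactions = sorted(transactions, key=lambda t: t["key"])
    new_master, reads, ti = [], 0, 0
    for rec in master:
        reads += 1
        rec = dict(rec)
        while ti < len(transactions) and transactions[ti]["key"] == rec["key"]:
            rec["balance"] += transactions[ti]["amount"]
            ti += 1
        new_master.append(rec)
    return new_master, reads

def build_random_index(master):
    """Indexed random file: key -> record position, in no particular order, so a
    new key is simply added to the index."""
    return {rec["key"]: pos for pos, rec in enumerate(master)}

def indexed_update(master, index, transactions):
    """Direct access: only the records named by a transaction are touched."""
    master = [dict(r) for r in master]
    reads = 0
    for t in transactions:
        reads += 1
        master[index[t["key"]]]["balance"] += t["amount"]
    return master, reads

def add_key_sequential(index_keys, new_key):
    """Indexed sequential: the index is kept in key order, so inserting a key
    shifts every key after it. Returns the number of keys shifted."""
    pos = bisect.bisect_left(index_keys, new_key)
    shifted = len(index_keys) - pos
    index_keys.insert(pos, new_key)
    return shifted

def lookup_sequential(index_keys, key):
    """Binary search over the sorted index: probes grow only with log2(n)."""
    probes, lo, hi = 0, 0, len(index_keys) - 1
    while lo <= hi:
        probes += 1
        mid = (lo + hi) // 2
        if index_keys[mid] == key:
            return True, probes
        if index_keys[mid] < key:
            lo = mid + 1
        else:
            hi = mid - 1
    return False, probes

def compare():
    master = make_master()
    # constructed: purchases by 20 of the 1,000 customers
    txns = [{"key": k, "amount": 25.0} for k in range(500, 10001, 500)]
    seq_master, seq_reads = sequential_update(master, txns)
    rnd_master, rnd_reads = indexed_update(master, build_random_index(master), txns)
    keys = [r["key"] for r in master]
    shifted = add_key_sequential(keys, 5005)          # new key lands mid-file
    found, probes = lookup_sequential(keys, 5000)
    return {"sequential_reads": seq_reads, "indexed_reads": rnd_reads,
            "same_result": seq_master == rnd_master,
            "keys_shifted_on_insert": shifted, "found": found, "probes": probes}

if __name__ == "__main__":
    print(compare())
```

Both update methods produce the same master file, but the sequential run reads all 1,000 records to apply 20 transactions while the indexed run reads 20; conversely, adding one key to the sorted index shifts the 500 keys after it, which is the maintenance cost that the random index avoids, and the sorted index is found in at most ten probes by binary search.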
5.
What are the three physical components of a VSAM file? Explain how a record is searched through these components. Response: The three components are the indexes, the prime data storage area, and the overflow area. The access method first goes to the overall file index, which determines the approximate location of the record, i.e. the cylinder or disk track. From this approximate location in the prime data storage area, the files are searched sequentially for the record. If the records are in an overflow area, a pointer where the record should reside indicates where the record actually is residing. Thus, accessing a record may involve searching the indexes, searching the track in the prime data area, and finally searching the overflow area. This slows data access time for both direct access and batch processing.
6.
What is a pointer? Discuss the three commonly used types of pointers and their relative merits. Response: A pointer is used in those instances where records are spread over the entire disk and tied together with a linked-list file. A field that gives the address of the next related data record is created. One type of pointer is a physical address pointer, which contains the actual disk storage location. This method has the advantage of speed because the address allows the system to access the record directly without obtaining further information. Two disadvantages are that the record pointers must be changed every time a record is relocated and the physical pointers bear no logical relationship with the records they link. Thus, if a pointer is lost or destroyed and cannot be recovered, the record to which it is linked is also lost. A second type of pointer is a relative address pointer, which contains the relative position of a record in the file. Once the relative position is known, the actual physical address must be calculated. This calculation slows down the data retrieval. A third type of pointer is the logical key pointer, which contains a key value that is used to compute the actual record location using a hashing algorithm. The hashing algorithm slows down the retrieval process, but as long as the key value is known, the record can always be found.
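The following is an added example (not part of the solutions manual or of the text) that models the three pointer types in question 6 on a small simulated disk. Three invoice records for one customer are chained into a linked list, and each record carries its "next" link in all three forms, so the same traversal can be run with physical, relative and logical key pointers, before and after the file is moved to a new disk address. The addresses, record size and the key-to-address hashing rule are this example's own assumptions.

```python
"""Added example, not part of the solutions manual: a simulated disk showing
physical, relative and logical key pointers (question 6) linking one customer's
invoices into a linked list. Addresses, record size and the hashing rule are
this example's own assumptions."""

BASE = 1000          # physical address where the file starts
RECORD_SIZE = 64     # bytes per record slot
PRIME = 7            # divisor of the assumed hashing rule for logical key pointers

class Disk:
    """Physical address -> record; every read is one disk access."""
    def __init__(self):
        self.blocks = {}
    def write(self, addr, record):
        self.blocks[addr] = record
    def read(self, addr):
        return self.blocks.get(addr)

def slot_of(key):
    """Relative record number computed from the key (the hashing rule)."""
    return key % PRIME

def build_file(disk, base):
    """Lay out invoices 3, 11, 19 (slots 3, 4, 5, no collision) and store the
    link to the next invoice three ways in each record. Returns the head key."""
    keys = [3, 11, 19]
    for i, k in enumerate(keys):
        nxt = keys[i + 1] if i + 1 < len(keys) else None
        record = {
            "key": k, "customer": 7,
            "next_physical": None if nxt is None else base + slot_of(nxt) * RECORD_SIZE,
            "next_relative": None if nxt is None else slot_of(nxt),
            "next_key": nxt,
        }
        disk.write(base + slot_of(k) * RECORD_SIZE, record)
    return keys[0]

def follow_physical(disk, head_addr):
    """Physical pointer: use the stored address directly. A dangling pointer
    ends the chain and the remaining records are lost to this traversal."""
    found, addr = [], head_addr
    while addr is not None:
        rec = disk.read(addr)
        if rec is None:
            break
        found.append(rec["key"])
        addr = rec["next_physical"]
    return found

def follow_relative(disk, base, head_rel):
    """Relative pointer: each hop first calculates base + slot * size."""
    found, rel, calculations = [], head_rel, 0
    while rel is not None:
        calculations += 1
        rec = disk.read(base + rel * RECORD_SIZE)
        if rec is None:
            break
        found.append(rec["key"])
        rel = rec["next_relative"]
    return found, calculations

def follow_logical(disk, base, head_key):
    """Logical key pointer: hash the stored key to get the address."""
    found, key = [], head_key
    while key is not None:
        rec = disk.read(base + slot_of(key) * RECORD_SIZE)
        if rec is None:
            break
        found.append(rec["key"])
        key = rec["next_key"]
    return found

def relocate(disk, old_base, new_base):
    """Move the whole file to a new base address without rewriting any pointer field."""
    moved = Disk()
    for addr, rec in disk.blocks.items():
        moved.write(new_base + (addr - old_base), dict(rec))
    return moved

def demo():
    disk = Disk()
    head_key = build_file(disk, BASE)
    head_rel = slot_of(head_key)
    before = {"physical": follow_physical(disk, BASE + head_rel * RECORD_SIZE),
              "relative": follow_relative(disk, BASE, head_rel)[0],
              "logical": follow_logical(disk, BASE, head_key)}
    moved = relocate(disk, BASE, 5000)
    after = {"physical": follow_physical(moved, 5000 + head_rel * RECORD_SIZE),
             "relative": follow_relative(moved, 5000, head_rel)[0],
             "logical": follow_logical(moved, 5000, head_key)}
    return {"before": before, "after": after}

if __name__ == "__main__":
    print(demo())
```

Before the move all three traversals return the same three invoices; after the move the physical pointers still hold the old addresses and the chain breaks after the first record, while the relative and logical pointers still resolve because they are recomputed from the new base and from the key respectively. The price of that resilience is the extra calculation per hop in the relative case and the hash computation in the logical case.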
7.
What are some limitations of the hierarchical database model? Response: The hierarchical database model forces users to navigate between data elements using predefined structured paths. Hierarchical database models also limit the degree of process integration and data sharing that can be achieved.
8.
Discuss and give an example of one-to-one, one-to-many, and many-to-many record associations. Response: A one-to-one association means that for every occurrence in record type X, either zero or one occurrence exists of record type Y. An example would be that, for every student, only one social security number exists. A one-to-many association means that for every occurrence in record type X, zero, one, or many occurrences exist of record type Y. An example would be buyers of assigned seating at concerts. Each potential buyer would leave the sales box office with zero, one, or many seats. A many-to-many association is a two-way relationship. For each occurrence of record types X and Y, zero, one, or many occurrences exist of record type Y and X, respectively. An example would be a student-professor relationship. Each student has multiple professors each semester, and each professor has multiple students each semester.
9.
Why is a hierarchical database model considered to be a navigational database? What are some limitations of the hierarchical database model? Response: The hierarchical database model is considered to be a navigational database because traversing through it requires predefined linkages between related records that start at the root. A limitation of this model is that a parent record may own one or more child records, but no child record may have more than one parent. If a child needs to be linked to one or more parents, duplication of files with different predefined linkages may be required.
10.
Explain how a separate linking file works in a network model. Response: A network model allows parents to have multiple children and vice versa. A separate linking file works by creating a file that contains pointer records in linked-list structure. This file contains the addresses of multiple predefined links.
11.
What is an embedded audit module? Response: EAM techniques use one or more specially programmed modules embedded in a host application to select and record predetermined types of transactions for subsequent analysis. This method allows material transactions to be captured throughout the audit period. The auditor’s substantive testing task is thus made easier because they do not have to identify significant transactions for substantive testing.
12.
Explain what GAS is and why it is so popular with larger public accounting firms. Discuss the independence issue relating to GAS. Response: GAS allows auditors to access electronically coded data files of their clients, both simple and complex structures, and to perform various operations on their contents. GAS is popular for the following reasons: a. The languages are easy to use and require little EDP background on the part of the user. b. It may be used on any form of computer because it is hardware-independent. c. Auditors can perform their tests on data independent of a computer services professional. d. It can be used to audit the data files of many different applications.
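The following is an added example (not part of the solutions manual or of the text) that contrasts the two techniques in questions 11 and 12 in code: a toy sales-posting application with an embedded audit module that copies material transactions to an audit file as they are processed, and a GAS-style routine that reads the application's finished transaction file afterwards and runs its own tests on it. The materiality threshold, the record layout and the sample transactions are this example's own construction.

```python
"""Added example, not part of the solutions manual: a toy posting application
with an embedded audit module (EAM) beside a generalized-audit-software (GAS)
style routine that works on the finished data file. Threshold, record layout and
sample transactions are constructed."""
import csv
import io

MATERIALITY = 10_000.00   # assumed EAM selection rule: amounts at or above this

class EmbeddedAuditModule:
    """Lives inside the host application and sees every transaction as it is posted.
    It can only apply the selection rules it was programmed with."""
    def __init__(self, threshold=MATERIALITY):
        self.threshold = threshold
        self.audit_file = []      # in practice a file the auditor controls
    def inspect(self, txn):
        if txn["amount"] >= self.threshold:
            self.audit_file.append(dict(txn, reason="material"))

class SalesApplication:
    def __init__(self, eam=None):
        self.eam = eam
        self.ledger = []          # the application's own transaction file
    def post(self, txn):
        # normal processing would validate the transaction and update balances here
        self.ledger.append(txn)
        if self.eam is not None:
            self.eam.inspect(txn)     # the embedded module runs inside the host
    def export_csv(self):
        """The data file the auditor receives after processing is complete."""
        buf = io.StringIO()
        w = csv.DictWriter(buf, fieldnames=["txn_id", "customer", "amount", "posted_at"])
        w.writeheader()
        w.writerows(self.ledger)
        return buf.getvalue()

def gas_tests(csv_text):
    """GAS-style tests on the completed file, independent of the application:
    record count, control total, duplicate-key test and a materiality selection."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    ids = [r["txn_id"] for r in rows]
    return {
        "record_count": len(rows),
        "control_total": round(sum(float(r["amount"]) for r in rows), 2),
        "duplicate_ids": sorted({i for i in ids if ids.count(i) > 1}),
        "material": [r["txn_id"] for r in rows if float(r["amount"]) >= MATERIALITY],
    }

SAMPLE = [   # constructed transactions; T2 is posted twice
    {"txn_id": "T1", "customer": "C7", "amount": 250.00, "posted_at": "2024-01-03"},
    {"txn_id": "T2", "customer": "C9", "amount": 12500.00, "posted_at": "2024-01-03"},
    {"txn_id": "T3", "customer": "C7", "amount": 9999.99, "posted_at": "2024-01-04"},
    {"txn_id": "T2", "customer": "C9", "amount": 12500.00, "posted_at": "2024-01-05"},
]

def demo():
    eam = EmbeddedAuditModule()
    app = SalesApplication(eam)
    for t in SAMPLE:
        app.post(t)
    return {"eam_captured": [t["txn_id"] for t in eam.audit_file],
            "gas": gas_tests(app.export_csv())}

if __name__ == "__main__":
    print(demo())
```

The embedded module captures both postings of T2 the moment they occur, which is its strength, but it does not notice that they are the same transaction twice because it was never programmed for that test; the GAS routine, running over the whole file afterwards, finds the duplicate with a test the auditor wrote without touching the application, which is the independence point in question 12.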
13.
Discuss and give an example of the following types of associations: (1:0,1), (1:1), (1:M), and (M:M). Response:
• (1:0,1) For every occurrence (record) of one entity (Employee), there is a possibility of zero or one occurrence in the related entity (Company Car).
• (1:1) Describes a situation in which each record in one entity is always associated with one (and only one) record in the associated entity. For example, a company laptop computer is assigned to only one manager, and every manager is assigned only one laptop.
• (1:M) An example of this situation is that each item of Inventory (entity) is supplied by one and only one Vendor (related entity), but each Vendor supplies one or many different Inventory items to the company.
• (M:M) A company with a policy of purchasing the same types of inventory from multiple suppliers would have an M:M association between the Vendor and Inventory entities.
14.
Distinguish between association and cardinality. Response: The term association pertains to the nature of the relationship between two entities. This is represented by a verb such as shipped, requests, or receives. Cardinality is the degree of association between two entities. Simply stated, cardinality describes the number of possible occurrences in one table that are associated with a single occurrence in a related table.
15.
Explain how a separate linking table works in a many-to-many association. Response: In a many-to-many association, a link table with a combined (composite) key consisting of the primary keys of the two related tables is created in order to link the related tables.
16.
What are the four characteristics of properly designed relational database tables? Response: 1. The value of at least one attribute in each occurrence (row) must be unique. This attribute is the primary key. The values of the other (nonkey) attributes in the row need not be unique. 2. All attribute values in any column must be of the same class. 3. Each column in a given table must be uniquely named. However, different tables may contain columns with the same name. 4. Tables must conform to the rules of normalization. This means they must be free from structural dependencies including repeating groups, partial dependencies, and transitive dependencies (see this chapter’s appendix for a complete discussion).
17.
What do the relational features restrict, project, and join mean? Response: a. Restrict—Extracts specified rows from a specified table. b. Project—Extracts specified attributes (columns) from a table to create a virtual table. c. Join—Builds a new physical table from two tables consisting of all concatenated pairs of rows, one from each table.
18.
What are the conditions for third normal form (3NF)? Response: A table normalized to 3NF meets the following conditions: 1. All nonkey attributes in the table are dependent on the primary key. 2. All nonkey attributes are independent of the other nonkey attributes. In other words, the primary key of a table wholly and uniquely defines each attribute in the table, and none of the table attributes are defined by an attribute other than the primary key.
19.
Explain how the SELECT and WHERE commands help a user to view the necessary data from multiple database files (tables). Response: The SELECT command identifies all of the attributes to be contained in the view. The WHERE command specifies how rows in the tables are to be matched to create the view.
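The following is an added example (not part of the solutions manual or of the text) that implements the restrict, project and join operations of question 17 over relations held as Python sets of rows, with the SQL form that question 19 describes noted beside each, and then compos!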
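The following is an added example (not part of the solutions manual or of the text) that implements the restrict, project and join operations of question 17 over relations held as Python sets of rows, with the SQL form that question 19 describes noted beside each, and then composes the three into one user view. The two relations, their attributes and the view are this example's own construction.

```python
"""Added example, not part of the solutions manual: restrict, project and join
(question 17) implemented over relations held as sets of row tuples, with the
SELECT/WHERE form of question 19 shown in comments. The two relations are
constructed."""

def relation(rows):
    """A relation is a set of rows; each row is a tuple of sorted (attribute, value)
    pairs so it is hashable and duplicates collapse, as in the relational model."""
    return {tuple(sorted(r.items())) for r in rows}

def as_dict(row):
    return dict(row)

INVENTORY = relation([
    {"item": "A1", "description": "Widget", "vendor": "V1"},
    {"item": "A2", "description": "Gadget", "vendor": "V2"},
    {"item": "A3", "description": "Gizmo",  "vendor": "V1"},
])
VENDOR = relation([
    {"vendor": "V1", "name": "Acme", "terms": "2/10 net 30"},
    {"vendor": "V2", "name": "Bolt", "terms": "net 45"},
    {"vendor": "V3", "name": "Cog",  "terms": "net 30"},
])

def restrict(rel, predicate):
    """Keep rows that satisfy the predicate.
    SQL: SELECT * FROM rel WHERE <predicate>"""
    return {r for r in rel if predicate(as_dict(r))}

def project(rel, attrs):
    """Keep only the named columns; identical rows collapse into one.
    SQL: SELECT DISTINCT a, b FROM rel"""
    return {tuple((k, v) for k, v in r if k in attrs) for r in rel}

def join(left, right):
    """Natural join: every pair of rows, one from each relation, whose shared
    attributes agree, concatenated into one row.
    SQL: SELECT ... FROM left, right WHERE left.vendor = right.vendor
    (the WHERE clause is how question 19 states the matching condition)."""
    left_rows = [as_dict(r) for r in left]
    right_rows = [as_dict(r) for r in right]
    if not left_rows or not right_rows:
        return set()
    common = set(left_rows[0]) & set(right_rows[0])
    out = []
    for l in left_rows:
        for r in right_rows:
            if all(l[k] == r[k] for k in common):
                out.append({**l, **r})
    return relation(out)

def vendor_items_view():
    """User view 'items supplied by Acme', built from join, restrict and project.
    SQL: SELECT item, description FROM inventory, vendor
         WHERE inventory.vendor = vendor.vendor AND name = 'Acme'"""
    joined = join(INVENTORY, VENDOR)
    acme = restrict(joined, lambda row: row["name"] == "Acme")
    return project(acme, {"item", "description"})

if __name__ == "__main__":
    for row in sorted(vendor_items_view()):
        print(as_dict(row))
```

Note that the join of three inventory rows with three vendor rows yields three rows, not nine: only the concatenated pairs whose vendor attribute matches survive, which is what the WHERE condition in question 19 expresses. Projecting the vendor column out of INVENTORY yields two rows for three items, because the relational result is a set.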
20.
What is a data model? Response: A data model is the blueprint for creating the physical database. Database designers identify system entities and prepare a model of them using a graphical representation technique called an entity relationship (ER) diagram.
21.
How can a poorly designed database result in unintentional loss of critical records? Response: The deletion anomaly may cause records to be deleted unintentionally and may occur for some time before the problem is noticed. A deletion anomaly occurs when an item in one file is legitimately deleted. The problem occurs when this file is linked to another file, which may also have a record deleted, due to its link. If the second record should not be deleted, then an update anomaly has occurred.
22.
What is a user view? Response: A user view is the set of data that a particular user sees. Examples of user views are computer screens for entering or viewing data, management reports, or source documents, such as an invoice.
23.
Does a user view always require multiple tables to support it? Explain. Response: User views derive from underlying database tables. Simple views may be constructed from a single table, while more complex views may require several tables. Furthermore, a single table may contribute data to many different views.
24.
What two conditions must valid entities meet? Response: Valid entities meet the two conditions below: Condition 1: An entity must have two or more occurrences. Condition 2: An entity must contribute at least one attribute that is not provided through other entities.
25.
Can two different entities have the same defining attributes? Explain. Response: Because attributes are the logical and relevant characteristics of an entity, they are unique to it. Therefore, the same attributes should not be used to define two different entities.
DISCUSSION QUESTIONS 1.
Explain how a hashing structure works and why it is quicker than using an index. Give an example. If it is so much faster, why isn’t it used exclusively? Response: A hashing structure typically works by taking a key value and using it to divide a prime number. The result is a unique number almost all of the time if enough decimal places are used. The resulting numbers are used to find the unique location of the record. Calculating a record’s address is faster than searching for it through an index. It is not used exclusively because it does not use the storage disk efficiently. Some disk locations will never be selected because they do not correspond to legitimate key values. Also, different record keys may sometimes translate to the same address and a data collision could occur. Using pointers is a way around this, but the additional pointers slow down the system.
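The following is an added example (not part of the solutions manual or of the text) that builds a small hashed file beside a sorted index so the three points in the answer can be observed: the address is calculated rather than searched for, some home slots are never used by any legitimate key, and two keys that hash to the same slot collide and are resolved through an overflow pointer at the cost of extra reads. The hashing rule assumed here is key modulo a prime number of slots; the slot count and the sample keys are this example's own.

```python
"""Added example, not part of the solutions manual: a hashed file with a fixed
number of home slots and an overflow chain, beside a sorted index searched by
binary search. The hashing rule (key modulo a prime), the slot count and the
keys are constructed for this example."""
import bisect

SLOTS = 13      # prime number of home slots in the primary area

def home_slot(key):
    """Assumed hashing rule: divide the key by a prime and keep the remainder."""
    return key % SLOTS

class HashedFile:
    def __init__(self):
        self.primary = [None] * SLOTS     # home slots
        self.overflow = []                # collided records, chained by pointer
    def insert(self, key, payload):
        slot = home_slot(key)
        rec = {"key": key, "payload": payload, "next": None}
        if self.primary[slot] is None:
            self.primary[slot] = rec
            return "primary"
        # collision: place the record in overflow and link it from the chain's end
        self.overflow.append(rec)
        node = self.primary[slot]
        while node["next"] is not None:
            node = self.overflow[node["next"]]
        node["next"] = len(self.overflow) - 1
        return "overflow"
    def find(self, key):
        """(payload, reads): one read if the key sits at home, more if chained."""
        reads = 1
        node = self.primary[home_slot(key)]
        while node is not None:
            if node["key"] == key:
                return node["payload"], reads
            if node["next"] is None:
                break
            node = self.overflow[node["next"]]
            reads += 1
        return None, reads
    def unused_slots(self):
        """Home slots no inserted key ever mapped to: wasted storage."""
        return sum(1 for s in self.primary if s is None)

class IndexedFile:
    """Sorted index searched by binary search, for comparison."""
    def __init__(self):
        self.keys, self.payloads = [], []
    def insert(self, key, payload):
        pos = bisect.bisect_left(self.keys, key)
        self.keys.insert(pos, key)
        self.payloads.insert(pos, payload)
    def find(self, key):
        probes, lo, hi = 0, 0, len(self.keys) - 1
        while lo <= hi:
            probes += 1
            mid = (lo + hi) // 2
            if self.keys[mid] == key:
                return self.payloads[mid], probes
            if self.keys[mid] < key:
                lo = mid + 1
            else:
                hi = mid - 1
        return None, probes

def demo():
    keys = [101, 207, 318, 114]   # 101 and 114 both hash to slot 10 and collide
    hashed, indexed = HashedFile(), IndexedFile()
    placement = {k: hashed.insert(k, f"customer {k}") for k in keys}
    for k in keys:
        indexed.insert(k, f"customer {k}")
    return {"placement": placement,
            "unused_slots": hashed.unused_slots(),
            "hashed_reads_home": hashed.find(318)[1],
            "indexed_probes": indexed.find(318)[1],
            "hashed_reads_collided": hashed.find(114)[1],
            "same_record": hashed.find(114)[0] == indexed.find(114)[0]}

if __name__ == "__main__":
    print(demo())
```

With four keys in thirteen slots, ten home slots hold nothing; key 318 is reached in a single read where the index needs three probes; and key 114, which collided with 101, costs two reads because the overflow pointer has to be followed. Both structures return the same record, so the choice is purely about access cost against storage use, which is the trade-off the answer describes.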
2.
Explain how an embedded audit module works and why auditors may choose not to use it. Response: EAM techniques use one or more specially programmed modules embedded in a host application to select and record predetermined types of transactions for subsequent analysis. This method allows material transactions to be captured throughout the audit period. It may not be used because it is not operationally efficient, and it may be difficult to use in systems that undergo a good deal of maintenance.
3.
Explain the term navigational data models. Contrast the hierarchical model and the network model. Response: Navigational data models possess explicit links or paths between data elements. The only way to access data at a lower level is via pointers down the navigational path to the desired records. In the hierarchical model no member (child) record can have more than one owner (parent) record. This severely restricts the usefulness of the model because firms often need to view data relations with multiple owner (parent) records. In contrast, the network model permits a member (child) record to have multiple owners (parents). The simple network model permits only one-to-many relations, and the complex network model permits many-to-many relations.
4.
Explain the three types of anomalies associated with database tables that have not been normalized. Response: a. The update anomaly is the result of data redundancy. If a data element is stored in more than one place, it must be updated in all places. If this does not happen, the data are inconsistent. b. The insertion anomaly occurs when too much data are stored together—when vendor information is stored only with specific inventory items. Until items are purchased from a given vendor, the vendor cannot be added to the database. c. The deletion anomaly is the opposite of the insertion anomaly—if a vendor supplies only one item and the firm discontinues that item, all information on the vendor is lost.
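The following is an added example (not part of the solutions manual or of the text) that reproduces the three anomalies in discussion question 4 on an unnormalized inventory table in SQLite, then shows them disappearing once the vendor attributes are moved to their own table, which is the 3NF condition stated in review question 18 (no nonkey attribute depends on another nonkey attribute). The table and column names and the sample rows are this example's own construction.

```python
"""Added example, not part of the solutions manual: the update, insertion and
deletion anomalies of discussion question 4 on an unnormalized table in SQLite,
and the same operations on its 3NF decomposition. Table names and rows are
constructed."""
import sqlite3

UNNORMALIZED = """
-- vendor_name and vendor_terms depend on vendor_id, a nonkey attribute:
-- a transitive dependency, so the table is not in 3NF.
CREATE TABLE inventory_flat (
    item_id TEXT PRIMARY KEY NOT NULL, description TEXT,
    vendor_id TEXT NOT NULL, vendor_name TEXT NOT NULL, vendor_terms TEXT);
INSERT INTO inventory_flat VALUES
    ('A1', 'Widget', 'V1', 'Acme', 'net 30'),
    ('A3', 'Gizmo',  'V1', 'Acme', 'net 30'),
    ('A2', 'Gadget', 'V2', 'Bolt', 'net 45');
"""

NORMALIZED = """
-- each vendor fact is stored once, keyed by vendor_id; inventory keeps only the key
CREATE TABLE vendor (vendor_id TEXT PRIMARY KEY NOT NULL, vendor_name TEXT NOT NULL,
                     vendor_terms TEXT);
CREATE TABLE inventory (
    item_id TEXT PRIMARY KEY NOT NULL, description TEXT,
    vendor_id TEXT NOT NULL REFERENCES vendor(vendor_id));
INSERT INTO vendor VALUES ('V1', 'Acme', 'net 30'), ('V2', 'Bolt', 'net 45');
INSERT INTO inventory VALUES ('A1', 'Widget', 'V1'), ('A3', 'Gizmo', 'V1'),
                             ('A2', 'Gadget', 'V2');
"""

def flat_anomalies():
    """Run the three operations against the unnormalized table."""
    c = sqlite3.connect(":memory:")
    c.executescript(UNNORMALIZED)
    out = {}
    # update anomaly: Acme's terms changed on one row only, so one fact now has two values
    c.execute("UPDATE inventory_flat SET vendor_terms = 'net 60' WHERE item_id = 'A1'")
    out["acme_terms"] = sorted(t for (t,) in c.execute(
        "SELECT DISTINCT vendor_terms FROM inventory_flat WHERE vendor_id = 'V1'"))
    # insertion anomaly: a new vendor with no item yet has no key to be stored under
    try:
        c.execute("INSERT INTO inventory_flat (vendor_id, vendor_name) VALUES ('V3', 'Cog')")
        out["vendor_without_item"] = True
    except sqlite3.IntegrityError:
        out["vendor_without_item"] = False
    # deletion anomaly: discontinuing Bolt's only item erases everything known about Bolt
    c.execute("DELETE FROM inventory_flat WHERE item_id = 'A2'")
    out["bolt_survives"] = c.execute(
        "SELECT COUNT(*) FROM inventory_flat WHERE vendor_id = 'V2'").fetchone()[0] > 0
    return out

def normalized_ok():
    """The same three operations against the 3NF tables."""
    c = sqlite3.connect(":memory:")
    c.executescript(NORMALIZED)
    out = {}
    c.execute("UPDATE vendor SET vendor_terms = 'net 60' WHERE vendor_id = 'V1'")
    out["acme_terms"] = sorted(t for (t,) in c.execute(
        "SELECT DISTINCT v.vendor_terms FROM inventory i JOIN vendor v USING (vendor_id) "
        "WHERE v.vendor_id = 'V1'"))
    c.execute("INSERT INTO vendor VALUES ('V3', 'Cog', 'net 30')")
    out["vendor_without_item"] = True
    c.execute("DELETE FROM inventory WHERE item_id = 'A2'")
    out["bolt_survives"] = c.execute(
        "SELECT COUNT(*) FROM vendor WHERE vendor_id = 'V2'").fetchone()[0] > 0
    return out

if __name__ == "__main__":
    print("flat:", flat_anomalies())
    print("3NF: ", normalized_ok())
```

On the flat table the single update leaves Acme with two different payment terms, the new vendor cannot be recorded until an item is bought from it, and deleting the Gadget row deletes Bolt; on the 3NF tables the same three operations give one set of terms, a recorded vendor, and a vendor that outlives its last item. These are the control consequences discussion question 7 lists: conflicting values, unrecorded entities, and lost records.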
5.
Contrast embedded audit modules with generalized audit software. Response: Embedded audit modules are designed to extract data from specific applications in real time as the applications are processing the transactions. EAMs are programmed into the application when it is designed. EAMs are very structured in terms of what data the auditor can call for. Generalized audit software (GAS) packages are designed to access data from files after processing is completed. They can extract data from the files of any system and require no additional programming. They are extremely flexible in their ability to access, manipulate, and report data to the auditor.
6.
Describe a specific accounting application that could make use of a VSAM file. Response: VSAM structures are used for very large files that require minimum direct access to individual records. On the other hand, a portion of the file needs to be processed in batch mode on a regular basis. An example of a VSAM application is a public utility billing system. Most processing of the file is in batch mode when each billing day (20 times a month) large numbers of records (but only 5 percent of the file) need to be processed. VSAM files are associated with legacy systems. While they are still in use and maintained, new systems can make better use of modern database technology.
7.
Explain why auditors should be familiar with the principle of data normalization. Response: Database normalization is a technical matter that is usually the responsibility of systems professionals. However, the subject has implications for internal control that make it the concern of auditors also. For example, the update anomaly can generate conflicting and obsolete data values; the insertion anomaly can result in unrecorded transactions and incomplete audit trails; and the deletion anomaly can cause the loss of accounting records and the destruction of audit trails. Although most auditors will never be responsible for normalizing an organization's databases, they should understand the process and be able to determine whether a table is properly normalized.
8.
How is a user view different from a database table? Response: A database table is a base structure that physically stores data. A user view is a presentation of data derived from one or more base tables (a report, a screen, or a document); it stores no data of its own. A single table may contribute data to several different views, and a simple view may be constructed from a single table.
9.
Explain what the term third normal form (3NF) means. Response: When the data attributes of the table are defined entirely by the primary key and are independent of the other (non-key) attributes, the table is in third normal form (3NF). In third normal form the table is free from the following structural dependences: repeating groups, partial dependencies, and transitive dependencies.
10.
Why is a separate link table required when an M:M association exists between related tables? Response: Neither table can donate an embedded key to the other, because both are on the "many" side: a single row in either table would have to hold several foreign key values. The only solution, therefore, is to create a new link table whose rows each contain the key of one record from each of the two tables; the two keys together form the link table's composite primary key.
11.
In a relational database environment, certain accounting records (for example, journals, subsidiary ledgers, and even general ledger accounts) may not exist. How is this possible? Response: Database accounting systems are transaction-based rather than account-based. The focus is on capturing the important details of transactions that may be lost when they are forced into the structure of traditional accounting records. The transaction tables can then be used to reconstruct traditional accounting records, such as the Accounts Receivable and Accounts Payable subsidiary ledgers, whenever they are needed.
12.
Explain how to link tables in a 1:1 association. Why may this be different in a 1:0,1 association? Response: Where a true 1:1 association exists between tables, either (or both) primary keys may be embedded as foreign keys in the related table. On the other hand, when the lower cardinality value is zero (1:0,1), a more efficient table structure is achieved by placing the primary key of the table on the 1 side in the table on the 0,1 side as a foreign key. Assume that a company has 1000 employees, but only 100 of them are sales staff, and that each salesperson is assigned a company car. Every occurrence in the Employee entity is therefore associated with either zero or one occurrence in the Company Car entity. If the primary key of Company Car (the 0,1 side) were placed in the Employee table (the 1 side) as a foreign key, 900 of the 1000 foreign key values would be null. This approach would work, but null key values cause technical problems during table searches and joins. Applying the key-assignment rule correctly, by placing the Employee primary key in the Company Car table, avoids the problem: every Company Car record has an employee assigned, so no null values occur.
13.
Discuss the accounting implications of the update, insertion, and deletion anomalies associated with improperly normalized tables. Response: The insertion and update anomalies create record-keeping and operational problems for the firm. However, a flawed database design that prevents the insertion of records, or requires the user to perform excessive updates, attracts attention quickly. The deletion anomaly is less conspicuous but potentially more serious from an accounting perspective. Because it may go undetected, the user may be unaware of the loss of important data until it is too late. This anomaly can result in the unintentional loss of critical accounting records and the destruction of the audit trail.
14.
Give three examples that illustrate how cardinality reflects an organization's underlying business rules. Response: The organization's business rules directly determine the structure of the database tables. If the database is to function properly, its designers need to understand the organization's business rules as well as the specific needs of individual users. For example: 1. When an organization purchases the same items of inventory from different suppliers, the cardinality between the Supplier and Inventory tables is M:M. 2. When the company purchases all items of a certain type from only one supplier, the cardinality between the Supplier and Inventory tables is 1:M. 3. A policy that a separate receiving report is prepared for the goods specified on a single purchase order results in a 1:1 cardinality between the Receiving Report and Purchase Order tables. If, however, multiple purchase orders may be combined on a single receiving report, the cardinality between these tables becomes 1:M (one receiving report, many purchase orders).
15.
Explain the following three types of pointers: physical address pointer, relative address pointer, and logical key pointer. Response: A physical address pointer contains the actual disk storage location (cylinder, surface, and record number) needed by the disk controller. This physical address allows the system to access the record directly without obtaining further information. This method has the advantage of speed, because it does not need to be manipulated further to determine a record’s location. However, it also has two disadvantages: First, if the related record is moved from one disk location to another, the pointer must be changed. This is a problem when disks are periodically reorganized or copied. Second, the physical pointers bear no logical relationship to the records they identify. If a pointer is lost or destroyed and cannot be recovered, the record it references is also lost. A relative address pointer contains the relative position of a record in the file. For example, the pointer could specify the 120th record in the file. This must be further manipulated to convert it to the actual physical address. The conversion software calculates this by using the physical address of the beginning of the file, the length of each record in the file, and the relative address of the record being sought. A logical key pointer contains the primary key of the related record. This key value is then converted into the record’s physical address by a hashing algorithm.
16.
Explain why GAS technology is popular with most auditors. Response: The widespread popularity of GAS is due to four factors: (a) GAS languages are easy to use and require little computer background on the part of the auditor; (b) Many GAS products can be used on both mainframe and PC systems; (c) auditors can perform their tests independent of the client’s computer service staff; and (d) GAS can be used to audit the data stored in most file structures and formats.
17.
Explain the risk associated with using GAS to access complex file structures. Response: The auditor must sometimes rely on computer services personnel to produce a flat file from the complex file structures. There is a risk that data integrity will be compromised by the procedures used to create the flat file. For example, if the auditor’s objective is to confirm accounts receivable, certain fraudulent accounts in the complex structure may be intentionally omitted from the flat-file copy that is created. The sample of confirmations drawn from the flat file may therefore be unreliable. Auditors skilled in programming languages may avoid this potential pitfall by writing their own data extraction routines.
18.
Explain the purpose of the input file definition feature of ACL. Response: ACL's input file definition feature allows the software to read data stored in almost any file format. To create a file definition, the auditor needs to know both where the file physically resides and its field structure layout (the name, position, length, and type of each field).
19.
Assume that an auditor is reviewing a file containing twenty-five fields of data, only five of which are relevant to the auditor's objective. Explain how ACL can help in this situation. Response: Auditors seldom need all the data contained in a file. ACL allows the auditor to customize the original view created during file definition into one that better meets his or her audit objectives. New views can be created and reformatted without changing or deleting the data in the underlying file; only the presentation of the data is affected. The auditor can simply select the five fields needed for the audit and exclude the other twenty from the view.
20.
Explain the purpose of ACL’s filter capability. Response: Filters are expressions that search for records that meet the filter criteria. ACL’s expression builder allows the auditor to use logical operators such as AND, OR, <, >, NOT and others to define and test conditions of any complexity and to process only those records that match specific conditions. For example, the auditor can search an accounts receivable file for customers with negative balances or whose credit limits are excessive.
21.
Distinguish between record sampling and monetary unit sampling (MUS). Response: ACL offers many sampling methods for statistical analysis. Two of the most frequently used are record sampling and monetary unit sampling (MUS). Each method allows random and interval sampling. The choice of methods will depend on the auditor’s strategy and the composition of the file being audited. When records in a file are fairly evenly distributed across strata, the auditor may want an unbiased sample and will thus choose the record sample approach. Using inventory to illustrate, each record, regardless of the dollar amount of the inventory value field, has an equal chance of being included in the sample. On the other hand, if the file is heavily skewed with large value items, the auditor may select MUS, which will produce a sample that includes all the larger dollar amounts.
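The two sampling methods contrasted in the response above, implemented in Python as an added example (not a procedure from the manual or from ACL). Both functions use interval selection from a given starting point so that the only difference is the sampling unit: a record for record sampling, a currency unit for monetary unit sampling. The inventory records, deliberately skewed so that two items carry most of the value, are constructed for the example.

```python
from __future__ import annotations
import random

# Constructed inventory file: (record_id, inventory_value). Heavily skewed, as in
# the manual's MUS discussion: two records carry almost all of the value.
INVENTORY = [
    (1, 120.0), (2, 95.0), (3, 48_000.0), (4, 210.0), (5, 75.0),
    (6, 31_500.0), (7, 160.0), (8, 40.0), (9, 300.0), (10, 500.0),
]


def record_sample(records, sample_size, start=None, rng=None):
    """Interval (systematic) record sampling: every k-th record from a random start.
    Every record has the same chance of selection regardless of its value."""
    rng = rng or random.Random(1)
    k = len(records) // sample_size
    start = rng.randrange(k) if start is None else start
    return [records[i] for i in range(start, len(records), k)][:sample_size]


def monetary_unit_sample(records, sample_size, start=None, rng=None):
    """Interval MUS: every currency unit is a sampling unit. Selection points are
    start, start + interval, ...; a record is chosen when a point falls inside its
    cumulative value range, so a record worth at least one interval is always chosen
    (possibly hitting several points) and small records are chosen in proportion
    to their value. Returns (record_id, value, number_of_hits)."""
    rng = rng or random.Random(1)
    total = sum(v for _, v in records)
    interval = total / sample_size
    start = rng.uniform(0, interval) if start is None else start
    points = [start + i * interval for i in range(sample_size)]
    chosen, cumulative, p = [], 0.0, 0
    for rec_id, value in records:
        low, cumulative = cumulative, cumulative + value
        hits = 0
        while p < len(points) and low <= points[p] < cumulative:
            hits += 1
            p += 1
        if hits:
            chosen.append((rec_id, value, hits))
    return chosen


def value_covered(records, sample) -> float:
    """Share of the file's total value that the selected records represent."""
    ids = {s[0] for s in sample}
    return sum(v for rid, v in records if rid in ids) / sum(v for _, v in records)


if __name__ == "__main__":
    rs = record_sample(INVENTORY, 4, start=1)
    mus = monetary_unit_sample(INVENTORY, 4, start=1000.0)
    print("record sample:", rs, f"covers {value_covered(INVENTORY, rs):.1%} of value")
    print("MUS sample:   ", mus, f"covers {value_covered(INVENTORY, mus):.1%} of value")
```

With a sample of four, the record sample covers well under half of the inventory value, while the monetary unit sample selects both high-value items (the 48,000 item is hit by three selection points) and covers about 98 percent of the value, which is the property the response attributes to MUS on a skewed file.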
MULTIPLE CHOICE
 1. a    14. b
 2. c    15. a
 3. b    16. c
 4. b    17. a
 5. e    18. b
 6. d    19. a
 7. c    20. b
 8. b    21. b
 9. d    22. a
10. a    23. c
11. a    24. d
12. d    25. b
13. b
PROBLEMS
1. Access Methods
For each of the following file processing operations, indicate whether a sequential file, indexed random file, indexed sequential access method (ISAM), hashing, or pointer structure works the best. You may choose as many as you wish for each step. Also indicate which would perform the least optimally.
a. Retrieve a record from the file based on its primary key value.
b. Update a record in the file.
c. Read a complete file of records.
d. Find the next record in a file.
e. Insert a record into a file.
f. Delete a record from a file.
g. Scan a file for records with secondary keys.
Response:
a. indexed sequential access method or indexed random; least optimal: sequential
b. indexed random or hashing; least optimal: sequential
c. sequential; least optimal: indexed random
d. sequential or pointer; least optimal: indexed random
e. indexed random or hashing; least optimal: sequential
f. indexed random or hashing; least optimal: sequential
g. indexed random; least optimal: hashing

2. File Organization
For the following situations, indicate the most appropriate type of file organization. Explain your choice.
a. A local utility company has 80,000 residential customers and 10,000 commercial customers. The monthly billings are staggered throughout the month and, as a result, the cash receipts are fairly uniform throughout the month. For 99 percent of all accounts, one check per month is received. These receipts are recorded in a batch file, and the customer account records are updated biweekly. In a typical month, customer inquiries are received at the rate of about twenty per day.
b. A national credit card agency has 12 million customer accounts. On average, 30 million purchases and 700,000 receipts of payments are processed per day. Additionally, the customer support hot line provides information to approximately 150,000 credit card holders and 30,000 merchants per day.
c. An airline reservation system assumes that the traveler knows the departing city. From that point, fares and flight times are examined based upon the destination. Once a flight is identified as being acceptable to the traveler, then the availability is checked, and if necessary, a seat is reserved. The volume of transactions exceeds one-half million per day.
d. A library system stocks more than 2 million books and has 30,000 patrons. Each patron is allowed to check out five books. On average, there are 1.3 copies of each title in the library. Over 3,000 books are checked out each day, with approximately the same amount being returned daily. The check-outs are posted immediately, as well as any returns of overdue books by patrons who wish to pay their fines.
Response:
a. A sequential file could be used, but because the account records are updated biweekly (about two runs per month) and receipts arrive uniformly, roughly half of the records are updated in each run while the other half must still be read and rewritten. Random access will improve response time for the twenty customer inquiries received each day. A hierarchical database would be appropriate because the relationship is one-to-one: each service address has one resident responsible for the utility account.
b. Random access to customer balances and payment information is crucial. A network or relational database is necessary because this is a many-to-many relationship: many purchases per customer, many merchants per customer, and many customers per merchant.
c. Random access will be necessary for flight inquiries and updates throughout the day. A navigational database would be appropriate, because only one direction needs to be investigated. Most customers start with a departure city, from which flights to the destination city can be investigated; many different destinations will exist for a given departure city. Rarely will a customer wish to book a flight based on a destination without knowing the city of departure.
d. A random access storage device is necessary to access the patrons' records quickly when they check out books. A network or relational database is necessary because the data must be accessed in both directions: an inquiry may need to determine what books a patron has checked out, or who has checked out a particular book that has been recalled.

3. Structured Query Language
The vice president of finance has noticed in the aging of the accounts receivable that the amount of overdue accounts is substantially higher than anticipated. He wants to investigate this problem. To do so, he requires a report of overdue accounts containing the attributes shown in the top half of the table (presented in the chapter problem and below). The bottom half of the table contains the data fields and relevant files in the relational database system. Further, he wants to alert the salespeople of any customers not paying their bills on time. Using the SQL commands given in this chapter, write the code necessary to generate a report of overdue accounts that are greater than $5,000 and more than 30 days overdue. Each customer has an assigned salesperson.
Response:
CREATE VIEW collect AS
SELECT salesperson.salesperson_name, salesperson.branch,
       customer.customer_number, customer.customer_name, customer.overdue_balance,
       sales_order.order_date, sales_order.delivery_date, sales_order.amount,
       customer.amount_of_last_payment, customer.date_of_last_payment
FROM salesperson, customer, sales_order
WHERE salesperson.salesperson_number = customer.salesperson_number
  AND sales_order.sales_order_number = customer.last_sales_order_number
  AND customer.overdue_balance > 5000
  AND customer.date_of_last_payment < 'mm/dd/yyyy';
The date literal 'mm/dd/yyyy' stands for the date 30 days before the report date (the literal's format depends on the DBMS), so a customer whose last payment is older than that is treated as more than 30 days overdue. The first two WHERE conditions are the join conditions; without them a query that lists three tables in the FROM clause returns every combination of their rows rather than each customer matched to his or her own salesperson and last sales order.
REPORT ATTRIBUTES
Salesperson Name, Salesperson Branch Office, Customer Number, Customer Name, Amount Overdue, Last Purchase Date, Goods Delivered?, Amount of Last Sales Order, Amount of Last Payment, Date of Last Payment

FILES AVAILABLE:
Salesperson Table
  Salesperson Name
  Salesperson Number
  Commission Rate
  Rank
  Branch
  Date of Hire

Customer Table
  Customer Number
  Customer Name
  Customer Address 1
  Customer Address 2
  Salesperson Number
  Last Sales Order Number
  Year to Date Purchases
  Account Balance
  Overdue Balance
  Amount of Last Payment
  Date of Last Payment

Sales Order Table
  Sales Order Number
  Customer Number
  Order Date
  Amount
  Delivery Date
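The following Python/SQLite program is an added example, not part of the manual's solution to Problem 3. It builds the three tables from the file layout above with constructed rows, runs the overdue-accounts query with explicit join conditions, and counts the rows that the same three tables produce when they are merely listed in the FROM clause without join conditions. The column names, the four sample customers and the report date 2024-06-30 are assumptions for the example; "more than 30 days overdue" is approximated, as in the manual's response, by a date of last payment more than 30 days before the report date.

```python
import sqlite3

REPORT_DATE = "2024-06-30"  # constructed report date; 30 days overdue is measured from it


def build_db() -> sqlite3.Connection:
    """Create the Salesperson, Customer and Sales Order tables with constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
    CREATE TABLE salesperson (salesperson_number INTEGER PRIMARY KEY,
        salesperson_name TEXT, branch TEXT);
    CREATE TABLE customer (customer_number INTEGER PRIMARY KEY, customer_name TEXT,
        salesperson_number INTEGER REFERENCES salesperson, last_sales_order_number INTEGER,
        overdue_balance REAL, amount_of_last_payment REAL, date_of_last_payment TEXT);
    CREATE TABLE sales_order (sales_order_number INTEGER PRIMARY KEY, customer_number INTEGER,
        order_date TEXT, amount REAL, delivery_date TEXT);
    INSERT INTO salesperson VALUES (1, 'Ann Lee', 'North'), (2, 'Raj Patel', 'South');
    INSERT INTO customer VALUES
      (101, 'Alpha Ltd', 1, 5001,  8200.0, 500.0, '2024-04-15'),  -- > 5000 and stale: report
      (102, 'Beta Inc',  1, 5002,  9100.0, 900.0, '2024-06-20'),  -- > 5000 but paid recently
      (103, 'Gamma Co',  2, 5003,  1200.0, 100.0, '2024-01-10'),  -- stale but small balance
      (104, 'Delta LLC', 2, 5004, 15000.0,   0.0, '2024-03-01');  -- report, goods undelivered
    INSERT INTO sales_order VALUES
      (5001, 101, '2024-04-01', 3000.0, '2024-04-05'),
      (5002, 102, '2024-06-01', 4000.0, '2024-06-03'),
      (5003, 103, '2023-12-20',  800.0, '2023-12-28'),
      (5004, 104, '2024-02-15', 6000.0, NULL);
    """)
    return con


OVERDUE_QUERY = """
SELECT s.salesperson_name, s.branch, c.customer_number, c.customer_name, c.overdue_balance,
       o.order_date,
       CASE WHEN o.delivery_date IS NULL THEN 'No' ELSE 'Yes' END AS goods_delivered,
       o.amount, c.amount_of_last_payment, c.date_of_last_payment
FROM customer c
JOIN salesperson s ON s.salesperson_number = c.salesperson_number
JOIN sales_order o ON o.sales_order_number = c.last_sales_order_number
WHERE c.overdue_balance > 5000
  AND c.date_of_last_payment < DATE(?, '-30 days')
ORDER BY c.customer_number
"""


def overdue_report(con: sqlite3.Connection, report_date: str = REPORT_DATE) -> list:
    """Rows of the report the vice president asked for, one per qualifying customer."""
    return con.execute(OVERDUE_QUERY, (report_date,)).fetchall()


def unjoined_row_count(con: sqlite3.Connection) -> int:
    """Three tables listed with no join conditions: the cartesian product of their rows."""
    return con.execute("""SELECT COUNT(*) FROM salesperson, customer, sales_order
                          WHERE overdue_balance > 5000""").fetchone()[0]


if __name__ == "__main__":
    db = build_db()
    for row in overdue_report(db):
        print(row)
    print("rows without join conditions:", unjoined_row_count(db))
```

Only Alpha Ltd and Delta LLC appear: Beta Inc has a large balance but paid within the last 30 days, and Gamma Co is stale but below the $5,000 threshold. Listing the tables without join conditions yields 24 rows for the same filter (2 salespeople times 3 large-balance customers times 4 orders), each pairing customers with salespeople and orders that are not theirs.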
4. Virtual Storage Access Method
Using the index provided below, explain, step by step, how the key 12987 would be found using the indexed sequential access method. Once a surface on a cylinder is located, what is the average number of records that must be searched?

CYLINDER INDEX
Key Range    Cylinder Number
 2,000       44
 4,000       45
 6,000       46
 8,000       47
10,000       48
12,000       49
14,000       50
16,000       51
18,000       52
20,000       53

SURFACE INDEX, CYLINDER 49
Key Range    Surface Number
12,250       0
12,500       1
12,750       2
13,000       3
13,250       4
13,500       5
14,750       6
15,000       7

Response: The access method first searches the cylinder index. Reading each index key as the lowest key stored on that cylinder (the reading the arithmetic below assumes), key 12987 falls within the 12,000 entry, so the record is on cylinder 49. The surface index for cylinder 49 is then searched the same way: 12987 falls within the 12,750 entry, so the record is on surface 2. The last step is to read the records on that surface sequentially until the record with key 12987 is found; with one record per key value, 12987 - 12750 = 237 records are read before it. Each surface holds 250 key values, so on average 125 records must be searched once the surface is located.
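The lookup described above, written out in Python as an added example (not code from the manual). It uses the two indexes exactly as printed in the problem and the manual's reading of each index key as the lowest key on that cylinder or surface, so it reproduces the 237 sequential reads and the average of 125. Only cylinder 49's surface index appears in the problem, so keys that resolve to any other cylinder stop with an error rather than an invented surface.

```python
import bisect

# Index data from Problem 4. The manual's own arithmetic (237 records, average of
# 125) treats each index key as the LOWEST key stored on that cylinder or surface,
# so this example uses the same reading. Only cylinder 49's surface index is given
# in the problem, so no other cylinder can be resolved to a surface here.
CYLINDER_INDEX = [(2000, 44), (4000, 45), (6000, 46), (8000, 47), (10000, 48),
                  (12000, 49), (14000, 50), (16000, 51), (18000, 52), (20000, 53)]
SURFACE_INDEXES = {
    49: [(12250, 0), (12500, 1), (12750, 2), (13000, 3),
         (13250, 4), (13500, 5), (14750, 6), (15000, 7)],
}


def _find_entry(index, key):
    """Return (position, value) of the index entry whose lowest key is <= key."""
    keys = [k for k, _ in index]
    pos = bisect.bisect_right(keys, key) - 1
    if pos < 0:
        raise KeyError(f"key {key} is below the first index entry {keys[0]}")
    return pos, index[pos][1]


def locate(key: int) -> dict:
    """ISAM lookup: cylinder index, then surface index, then a sequential scan."""
    _, cylinder = _find_entry(CYLINDER_INDEX, key)
    if cylinder not in SURFACE_INDEXES:
        raise KeyError(f"no surface index for cylinder {cylinder} is given in the problem")
    surface_index = SURFACE_INDEXES[cylinder]
    pos, surface = _find_entry(surface_index, key)
    first_key = surface_index[pos][0]
    # Keys on a surface are assumed consecutive, one record per key value.
    sequential_reads = key - first_key
    span = (surface_index[pos + 1][0] - first_key) if pos + 1 < len(surface_index) else None
    return {"cylinder": cylinder, "surface": surface,
            "sequential_reads": sequential_reads,
            "average_reads": span / 2 if span is not None else None}


if __name__ == "__main__":
    print(locate(12987))
```

Two index probes (each a binary search over a handful of entries) replace a scan of the whole file; the sequential part is confined to the 250 keys of one surface, which is why the average cost is half a surface rather than half a file.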
5. Hashing Algorithm
The systems programmer uses a hashing algorithm to determine storage addresses. The hashing structure is 9,997/key. The resulting number is then used to locate the record. The first two digits after the decimal point represent the cylinder number, while the second two digits represent the surface number. The fifth, sixth, and seventh digits after the decimal point represent the record number. This algorithm results in a unique address 99 percent of the time. What happens the remainder of the time when the results of the algorithm are not unique? Explain in detail the storage process when Key=3 is processed first, Key=2307 at a later date, and shortly thereafter Key=39.
Response:
9997/3 = 3332.33333333333
9997/2307 = 4.33333333333
9997/39 = 256.33333333333
The three quotients have identical digits after the decimal point, so all three keys hash to the same location: cylinder 33, surface 33, record number 333. The record with Key=3 is processed first and is stored at that address. When the record with Key=2307 arrives, the address is already occupied, so it is stored in an overflow location elsewhere and a pointer to that location is attached to the record with Key=3. When the record with Key=39 arrives shortly afterwards, it is stored at yet another overflow location and a pointer to it is attached to the chain beginning at the record with Key=3. A search for Key=2307 or Key=39 therefore computes the home address and then follows the pointers, which is slower than a direct hit.

6. Normalization of Data
A view for a library system is provided in the chapter. Normalize this view into third normal form tables. The library's computer system is programmed to compute the due date to be 14 days after the check-out date. Document the steps necessary to normalize the view similar to the procedures found in the chapter and chapter appendix. Add foreign keys and show how the tables are related.
Response: The first step is to remove repeating groups, which produces the two tables below. Due Date has been removed because it is a calculated field (Date Out plus 14 days).
Assumptions:
1. More than one copy of each book title may exist.
2. Book Call Number, not the book title, identifies a specific copy of a book.

File A: Student Record
  Student ID Number (PK)
  Student First Name
  Student Last Name
  No. of Books Out

File B: Library Record
  Student ID Number (PK)
  Book Call No. (PK)
  Book Title
  Date Out

The second step is to remove partial dependencies. Book Title depends only on Book Call No., which is part of the composite key, whereas Date Out depends on the whole key (Student ID Number + Book Call No.). Resolving this partial dependency produces the following tables.

File A: Student Record (unchanged)
  Student ID Number (PK)
  Student First Name
  Student Last Name
  No. of Books Out

Library Record is split into two new record types, Checkout Record and Title Record:

File B: Checkout Record
  Student ID Number (PK, FK to Student Record)
  Book Call No. (PK, FK to Title Record)
  Date Out

File C: Title Record
  Book Call No. (PK)
  Book Title

Student Record and Title Record are each in a 1:M association with Checkout Record, whose composite primary key links them; Due Date is derived from Date Out whenever the view is produced.
7. Normalization of Data Prepare the third normal form tables necessary to produce the user view for a veterinary practice presented in the chapter. Indicate the primary keys and embedded foreign keys. Response:
8. Normalization of Data
Prepare the third normal form tables needed to produce the user view presented for problem 8 in the chapter.
Response:
Inventory Table
  Part # (PK)
  Description
  QOH
  Reorder Point
  EOQ
  Unit Cost
  Vendor # (FK)

Vendor Table
  Vendor # (PK)
  Vendor Name
  Vendor Address
  Telephone
9. Normalization of Data
Prepare the third normal form tables needed to produce the user view presented for problem 9.
Response:
Inventory Table
  Part # (PK)
  Description
  QOH
  Reorder Point
  EOQ

Inventory/Vendor Link Table
  Part # (PK, FK)
  Vendor # (PK, FK)
  Unit Cost

Vendor Table
  Vendor # (PK)
  Vendor Name
  Vendor Address
  Telephone

Note: This is an example of a many-to-many relation between the inventory and vendor tables. The solution requires a link table, which also contains the Unit Cost data. A composite key of Part # and Vendor # is needed to define the Unit Cost attribute, because there are many prices for each item carried, depending on which vendor supplies the part.
10. Risk Identification and Plan of Action As the manager of the external audit team, you realize that the embedded audit module writes only material invoices to the audit file for the accounts receivable confirmation process. You are immediately concerned that the accounts receivable account may be substantially overstated this year and for the prior years in which this EAM was used. Required: Explain why you are concerned since all material invoices are candidates for confirmation by the customer. Outline a plan for determining if the accounts receivable are overstated. Response: The concern is that many “immaterial” invoices may add up to a material amount. If an organized, carefully planned scheme to embezzle numerous small payments from customers is in effect, then the confirmation process will not catch the scheme since small invoice amounts will not be subjected to the confirmation process. An elaborate lapping of accounts receivable can escape detection if no further detection techniques are employed. The auditors should first investigate the current year’s accounts receivable balance. A sample of immaterial invoices should be investigated and subjected to the confirmation process. Only if discrepancies are found should the prior year’s accounts receivable be considered for investigation.
11. Defining Entities and Data Modeling—General Ledger Required: Prepare an ER diagram that illustrates a normalized data model for a general ledger update process. Base the model on a sales order system that updates sales transactions to the GL in real time from sales invoices. The model should allow an audit trail that links the summary accounts in the GL to specific transaction records. Show all attributes, primary keys, and secondary key.
Solution to Problem 8-11
12. Risk Identification and Plan of Action
Baker Manufacturing uses Embedded Audit Modules in several of its financial systems to capture material transactions. During this year's annual financial audit, the external auditors noticed unusually large gaps in the dates of the captured transactions being copied to the audit file. Baker Manufacturing management informed the auditors that the increased transaction processing times caused by the EAMs had forced computer operators to turn off the EAMs to allow the processing of important transactions in a timely fashion. In addition, much maintenance had been performed on key applications during the past year.
Required: Outline any potential risks and determine the courses of action the external auditors should follow.
Response: The risk is that material transactions are missing from the audit file, so that it does not accurately reflect the financial events of the period, because the EAMs were turned off periodically. Also, changes to the application programs may have modified them to the extent that the EAMs no longer capture material transactions. To satisfy their concern, the auditors may do the following:
1. Obtain a copy of the actual transaction files related to their audit objectives.
2. Using ACL or another GAS tool, filter out the records in the transaction files that are below the materiality level programmed into the EAMs, leaving only material transactions.
3. Compare the audit file with the filtered file for material differences in the number of records and in financial balances.
4. If material differences exist, reconsider the assessment of internal controls, particularly controls over program changes, and possibly extend the scope of the audit.
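As an added example, not part of the manual, the following Python program performs steps 1 to 3 of the plan above on constructed data. It also makes concrete the contrast drawn in review question 5: the GAS side reads the complete transaction file after processing and applies the materiality filter after the fact, while the EAM audit file contains only what the module captured while it was switched on. The transaction records, the materiality threshold of 10,000, the dates of the period when the module was off and the gap threshold used to flag suspicious silences are all assumptions made for the example.

```python
from datetime import date

MATERIALITY = 10_000.0  # assumed threshold programmed into the EAMs

# Constructed transaction file: what a GAS tool reads directly from the system.
TRANSACTIONS = [
    {"id": "T001", "date": date(2024, 3, 1),  "amount": 12_500.0},
    {"id": "T002", "date": date(2024, 3, 2),  "amount": 4_000.0},
    {"id": "T003", "date": date(2024, 3, 9),  "amount": 18_000.0},
    {"id": "T004", "date": date(2024, 3, 12), "amount": 25_000.0},  # EAM switched off
    {"id": "T005", "date": date(2024, 3, 15), "amount": 11_000.0},  # EAM switched off
    {"id": "T006", "date": date(2024, 3, 16), "amount": 900.0},
    {"id": "T007", "date": date(2024, 3, 28), "amount": 30_000.0},
]

# Constructed EAM audit file: material transactions captured while the module ran.
EAM_AUDIT_FILE = [
    {"id": "T001", "date": date(2024, 3, 1),  "amount": 12_500.0},
    {"id": "T003", "date": date(2024, 3, 9),  "amount": 18_000.0},
    {"id": "T007", "date": date(2024, 3, 28), "amount": 30_000.0},
]


def gas_material_filter(transactions, threshold=MATERIALITY):
    """Step 2: keep only transactions at or above the materiality level."""
    return [t for t in transactions if t["amount"] >= threshold]


def date_gaps(records, max_gap_days=10):
    """Consecutive captured dates further apart than max_gap_days (possible EAM outage)."""
    ds = sorted(r["date"] for r in records)
    return [(a, b) for a, b in zip(ds, ds[1:]) if (b - a).days > max_gap_days]


def reconcile(audit_file, gas_file) -> dict:
    """Step 3: compare record counts, totals and individual records of the two files."""
    audit = {r["id"]: r for r in audit_file}
    gas = {r["id"]: r for r in gas_file}
    audit_total = sum(r["amount"] for r in audit.values())
    gas_total = sum(r["amount"] for r in gas.values())
    return {
        "audit_count": len(audit),
        "gas_count": len(gas),
        "audit_total": audit_total,
        "gas_total": gas_total,
        "difference": gas_total - audit_total,
        "missing_from_audit_file": sorted(set(gas) - set(audit)),
        "not_in_transaction_file": sorted(set(audit) - set(gas)),
        "amount_mismatch": sorted(i for i in set(gas) & set(audit)
                                  if gas[i]["amount"] != audit[i]["amount"]),
    }


if __name__ == "__main__":
    material = gas_material_filter(TRANSACTIONS)
    print(reconcile(EAM_AUDIT_FILE, material))
    print("date gaps in audit file:", date_gaps(EAM_AUDIT_FILE))
```

The reconciliation shows five material transactions in the transaction file against three in the audit file, a difference of 36,000 made up of T004 and T005, which fall inside the only date gap the audit file exhibits. A non-zero difference of this kind is what would send the auditors to step 4; an entry in amount_mismatch would point more specifically at program changes that altered what the module writes.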
13. Normalization of Data
Prepare the 3NF base tables needed to produce the sales report view shown in the diagram for Problem 13.
Response:
Customer Table
  Customer # (PK)
  Customer Name
  Address
  *Customer Total

Invoice Table
  Invoice # (PK)
  Date
  *Invoice Total
  Customer # (FK)

Line Item Table
  Invoice # (PK, FK)
  Part # (PK, FK)
  Quantity
  *Extended Price

Inventory Table
  Part Number (PK)
  Unit Price

* Could be a calculated field
14. Normalization of Data-Purchase Order
Acme Plywood Company uses the purchase order shown in the diagram for Problem 14. Acme business rules:
1. Each vendor may supply many items; an item is supplied by only one vendor.
2. A purchase order may list many items; an item may be listed on many purchase orders.
3. An employee may complete several purchase orders, but only one employee may fill out an individual PO.
Prepare the 3NF base tables needed to produce this purchase order.
Response:
Table Employee
  Employee # (PK)
  Name
  Address
  Date Hired
  Exemptions
  Marital Status

Table PO
  PO # (PK)
  Date
  Employee # (FK)
  Vendor # (FK)

Table PO/Item
  PO # (PK, FK)
  Item # (PK, FK)
  Quantity

Table Item
  Item # (PK)
  Description
  On Hand
  Cost
  Price
  Vendor # (FK)

Table Vendor
  Vendor # (PK)
  Name
  Address
  Contact
  Terms
  Balance

Rule 1 places Vendor # as a foreign key in the Item table; rule 2 requires the PO/Item link table with its composite key; rule 3 places Employee # as a foreign key in the PO table. Description and On Hand depend on Item # alone and therefore belong in the Item table rather than the link table.
15. Table Linking Solve this problem per the text within the diagram for Problem 15 Response:
Solution to Problem 8-15
16. Defining Entities and Data Modeling-Payroll
Employees at the Sagerod Manufacturing Company record their hours worked on paper time cards that are inserted into a time clock machine at the beginning and end of each shift. On Fridays, the supervisor collects the time cards, reviews and signs them, and sends them to the payroll clerk. The clerk calculates the pay for each employee and updates the employee earnings file. This involves adding a new record for each employee in the pay period that reflects the employee’s gross pay, tax deductions, and other withholdings for the period. The clerk then prepares a paycheck for each employee and records them in the check register. The check register and corresponding paychecks reflect each employee’s net earnings for the period. Based on these records, the clerk prepares a payroll summary, which is sent with the paychecks to the cash disbursements clerk. The clerk reviews the payroll summary, updates the cash disbursements journal to record the total payroll, and prepares a check for the total payroll, which is deposited into the payroll imprest account. The clerk then signs the paychecks and distributes them to the employees. Required: Assume that the manual system described is to be automated using a relational database system. Create a data model for the system including primary keys, foreign keys, and data attributes that will support the tasks and user views. You may need to make assumptions about how certain automated activities will be performed. Normalize the model. Response:
17. Defining Entities and Data Modeling-Purchase Procedures
The business rules that constitute the purchases system for the Safe Buy Grocery Stores chain are similar at all the store locations. The purchase manager at each location is responsible for selecting his or her local suppliers. If the manager needs a product, he or she chooses a supplier. Each store follows the steps described here.
1. The purchasing function begins with sales representatives from suppliers periodically observing the shelves and displays at each location and recognizing the need to restock inventory. Inventory declines by direct sales to the customers or by spoilage of perishable goods. In addition, the supplier's sales representatives review obsolescence reports that the purchase manager prepares. These reports identify slow-moving and dated products that are deemed unsalable at a particular location. These products are returned to the supplier and replaced with more successful products. The sales representatives prepare a hard-copy purchase requisition and meet with the purchase managers of the individual store locations. Together, the sales representative and the purchase manager create a purchase order defining the products, the quantity, and the delivery date.
2. At the intended delivery date, Safe Buy Grocery Stores receive the goods from the suppliers. Goods received are unloaded from the delivery trucks and stocked on the shelves and displays by part-time employees.
3. The unloading personnel create a receiving report. Each day a receiving report summary is prepared and sent to the purchase managers for review.
4. The supplier subsequently submits an invoice to the AP department clerk, who creates an invoice record. The clerk reconciles the invoice against the receiving report and purchase order and then creates a payment obligation to be paid at a future date, depending on the terms of trade.
5. On the due date, a check is automatically prepared and sent to the supplier, and the payment is recorded in the check register. At the end of each day, a payment summary is sent to the purchase managers for review.
Required: Assume that the manual system described is to be automated using a relational database system. Create a data model for the system including primary keys, foreign keys, and data attributes that will support the tasks and user views. You may need to make assumptions about how certain automated activities will be performed. Normalize the model.
Problem 8-17 Data model for Purchases Process
18. Defining Entities and Data Modeling-Fixed Asset The business rules that constitute the fixed asset procedures for the Safe Buy Grocery Stores chain are similar at all the store locations. The store manager at each location is responsible for identifying needed fixed assets and for selecting the vendor. Freezers, refrigerators, delivery vans, and store shelving are examples of fixed asset purchases. Once the need has been identified, each store follows the procedures described next. The manager creates a purchase order, which is sent to the supplier. The supplier delivers the asset to the receiving clerk, who prepares a receiving report. Each week the fixed asset department clerk reviews the fixed asset receiving report summary and creates a fixed asset inventory record for each receipt. The fixed asset clerk maintains the inventory records and depreciation schedules. The vendor subsequently submits an invoice to the AP department clerk, who creates an invoice record. The clerk reconciles the invoice against the receiving report and purchase order and then creates a payment obligation to be paid at a future date, depending on the terms of trade. On the due date, a check is automatically prepared and sent to the vendor, and the payment is recorded in the check register. At the end of each day, a payment summary is sent to the AP manager for review. Required: Assume that the manual system described is to be automated using a relational database system. Create a data model for the system including primary keys, foreign keys, and data attributes that will support the tasks and user views. You may need to make assumptions about how certain automated activities will be performed. Normalize the model. Response:
Problem 8-18 – Data model of Fixed Assets Procedures
Problem 8-18 – Fully Attributed Data model
19. Defining Entities and Data Modeling-Sales Order Procedures Sales Procedures: A customer of Lotus Tea Importer Company places an order with a sales representative by phone or fax. The sales department employee then transcribes the customer order into a standard sales order format and produces the following documents: three copies of the sales order, a stock release document, a shipping notice, and a packing slip. The accounting department receives a copy of the sales order, the warehouse receives the stock release and a copy of the sales order, and the shipping department receives the shipping notice and packing slip. The sales clerk files a copy of the sales order in the department. Upon receipt of the sales order, the accounting department clerk prepares a customer invoice by adding prices to the sales order, which she obtains from the official price list. She then sends the invoice to the customer. Using data from the sales order, the clerk then records the sale in the sales journal and in the AR subsidiary ledger. At the end of the day the clerk prepares a sales journal voucher, which she sends to the general ledger department for posting to the sales and AR control accounts. The warehouse receives a copy of the sales order and the stock release document. A warehouse employee picks the product and sends it to the shipping department along with the stock release document. A warehouse clerk then updates the inventory records to reflect the reduction of inventory on hand. At the end of the day the clerk prepares a hard-copy inventory account summary and sends it to the general ledger department for posting to the inventory control and cost of goods sold accounts. Upon receipt of the stock release document from the warehouse, the shipping clerk prepares two copies of a bill of lading. The BOLs and the packing slip are sent with the product to the carrier. The clerk then files the stock release in the department.
Cash Receipts Procedure: The mail room has five employees who open mail and sort the checks from the remittance advices. The remittance advices are sent to the accounting department, where the accounting clerk updates the customer AR subsidiary ledger to reflect the reduction in accounts receivable. At the end of the day the clerk prepares an account summary and sends it to the general ledger department for posting. The mail room clerk sends the checks to the cash receipts department, where a clerk endorses each check with the words "For Deposit Only." Next, the clerk records the cash receipts in the cash receipts journal. Finally, the clerk prepares a deposit slip and sends it and the checks to the bank. Required: Assume that the manual system described is to be automated using a relational database system. Create a data model for the system including primary keys, foreign keys, and data attributes that will support the tasks and user views. You may need to make assumptions about how certain automated activities will be performed. Normalize the model. Response:
Problem 8-19 Entity Level ER Diagram
Problem 8-19 Fully Attributed and Normalized ER Diagram
20. Defining Entities and Data Modeling-Business Rules Given the following business rules, construct an ER diagram so each rule is captured for the database. Presume each rule is to be treated individually. Construct an ER diagram for each rule. a. A retail sales company prepares sales orders for its customers’ purchases. A customer can make many purchases, but a sales order is written for a single customer. b. A retail sales company orders inventory using a purchase order. An inventory item may be ordered many times, and a purchase order may be created for more than one inventory item. c. A company that sells antique cars prepares a sales order for each car sold. The inventory for this company consists of unique automobiles, and only one of these automobiles may be listed on a sales order. d. A grocery store identifies returning customers via a plastic card that the clerk scans at the time of each purchase. The purpose of this card is to track inventory and to maintain a database of customers and their purchases. Obviously, a customer may purchase an unlimited number of items from the grocery store. Items are unique only by a UPC code, and each UPC code may be associated with many different customers. e. A video rental store uniquely identifies each of its inventory items so customers can rent a movie and return the movie via a drop box, and the store can identify which copy of the movie was rented and returned. A customer is allowed to rent up to six movies at a time, but a copy of a movie can only be rented by one customer at a time. Response:
21. Database Design
Premium Garden Products (PGP) supplies gardening enthusiasts and commercial garden centers throughout the northeast with a wide range of gardening equipment and products. Their inventory includes such items as tank sprayers, wheelbarrows, fertilizers, plants, insecticides, etc. Sales to commercial customers (garden centers) are on credit, whereas consumer sales are cash transactions (bank credit/debit cards). Sales orders are received via e-mail or phone at the Scranton, PA home office. In the case of commercial customer sales, the PGP sales clerk verifies customer creditworthiness by checking their available credit in the Customer table. The clerk then checks availability of the product in the Inventory table and creates a record in the Sales Invoice table to record the sale. The clerk then sends a stock release notice to the distribution center nearest to the customer's location, from where the product is shipped. Shipments are made from two distribution centers: one in Scranton and one in Maryland. Commercial customers are given net 30 terms. They make payment by check, and the open Sales Invoice is then marked paid by placing the customer's check number in the "payment" field of the invoice. Sales to consumer customers are processed similarly, except that no credit check is performed and the Sales Invoice record is marked paid at the time of sale by placing the last four digits of the customer's credit card number in the payment field. PGP obtains its inventories from over 100 nurseries and producers of garden products throughout the United States. When inventory levels fall to their predetermined reorder points, the computer system automatically creates a record in the Purchase Order table and sends a hard copy PO to the supplier. When products arrive at the distribution centers, the receiving clerks log onto the main office computer and create a record in the Receiving Report table.
Suppliers send their invoices to the AP clerk, who adds a record to the Supplier Invoice table. On the due date the cash disbursement clerk writes a check in payment of the AP and marks the supplier invoice paid by placing the check number in the "paid" field. Required: Design a partial relational database needed to support those aspects of PGP's process that are outlined above. Label the database tables and assign meaningful attributes to each. Assign primary keys and foreign keys as needed. Assume that invoices, purchase orders and receiving reports may contain many items. Response: Below are the database tables needed for the PGP system. Student responses will vary based upon the assumptions made.

Sales Invoice: SI Number (PK), Order Date, Invoice Amount, Payment, Customer Number (FK)
SI Line Item: SI Number (PK), Product Number (PK), Quantity
Cash Receipt: CR Number (PK), Customer Number (FK), Amount, Payment Reference, Date
Customer: Customer Number (PK), Last Name, First Name, Customer Class, Address2, City, State, Zip Code, Available Credit
Supplier: Supplier Number (PK), Company Name, Address1, City, State, Zip Code
Inventory: Product Number (PK), Description, Quantity On Hand, Reorder Point, Order Quantity, Supplier Number (FK)
Purchase Order: PO Number (PK), Order Date, PO Amount
PO Line Item: PO Number (PK), Product Number (PK), Quantity
Supplier Invoice: Invoice Number (PK), Invoice Date, Amount, PO Number (FK), Paid Reference, Supplier Number (FK)
Invoice Line Item: Invoice Number (PK), Product Number (PK), Quantity
Cash Disbursement: CD Check Number (PK), Amount, Payment Date
Receiving Report: RR Number (PK), Date, PO Number (FK)
RR Line Item: RR Number (PK), Product Number (PK), Quantity Received, Condition Code

Explanation of tables and attributes:
1) The Payment Reference attribute in the Cash Receipt table contains either the last four digits of the consumer customer's credit card or the commercial customer's check number.
2) The Paid Reference attribute in the Supplier Invoice table contains the Cash Disbursement check number to show that the obligation has been paid.
3) The Sales Invoice, Supplier Invoice, Receiving Report, and Purchase Order tables are associated with line item tables in a 1:M relation. The line item tables contain the details of the transactions and have a composite key linking them to the Inventory table and to their respective invoice, PO, or RR table.
22. Database Design Lester's Rentals is located in Cincinnati, Ohio. The company rents party equipment such as tents, tables, chairs, linens, and china for small occasions and large weddings. They also rent a variety of home-improvement tools and contractor equipment including generators, grinders, power hammers, and drills. The company serves approximately 5,000 repeat customers and has more than 1,200 different inventory items for rent in stock. Lester's purchases replacement stock from 45 different vendors. Each vendor supplies different items, but Lester's may purchase the same item from different vendors. Other business rules include: (1) each inventory type has multiple quantities on hand; (2) customers use their telephone numbers to uniquely identify themselves for rentals; and (3) customers may rent more than one item of the same type. Required: Create a normalized data model for Lester's Rentals. Include the primary keys, data attributes, and foreign keys.
Problem 8-22, Lester's Rentals Data Model
CHAPTER 9 AUDITING THE REVENUE CYCLE

REVIEW QUESTIONS

1. What document initiates the sales process? Response: A customer order, usually in the form of a purchase order, initiates the sales process.

2. Distinguish among a packing slip, a shipping notice, and a bill of lading. Response: The packing slip travels with the goods to the customer, and it describes the contents of the order. Upon filling the order, the shipping department sends the shipping notice to the billing department to notify it that the order has been filled and shipped. The shipping notice contains additional information that the packing slip may not contain, such as shipment date, carrier, and freight charges. The bill of lading is a formal contract between the seller and the transportation carrier; it shows legal ownership and responsibility for assets in transit.

3. What are three input controls? Response:
• Authorization procedures
• Credit check procedures
• Validation controls
• Batch controls

4. What are the three rules that ensure that no single employee or department processes a transaction in its entirety? Response: The three rules that ensure segregation of functions are as follows:
a. Transaction authorization should be separate from transaction processing.
b. Asset custody should be separate from asset record keeping.
c. The organization structure should be such that the perpetration of a fraud requires collusion between two or more individuals.

5. What is automation, and why is it used? Response: Automation involves using technology to improve the efficiency and effectiveness of a task. Automation of the revenue cycle is typically used to reduce overhead costs, make better credit-granting decisions, and collect outstanding accounts receivable more effectively.

6. What is the objective of integration? Response: The objective of integration is to improve operational performance and reduce costs by identifying and eliminating non-value-added tasks.

7. Distinguish among an edit run, sort run, and update run. Response: An edit run is the first run; it detects most data entry errors. Only clean data progresses to the sort run. The sort run sequences the transaction records according to their primary key field and possibly a secondary key field. Once the data are sorted, the update program posts the transactions to the corresponding records in the master file. During a sequential update, each record is copied from the original master file to the new master file, regardless of the effect on the balance.

8. How is the record's primary key critical in preserving the audit trail? Response: The primary key provides the link between the magnetic records stored on a computer disk and the physical source documents and business events that they represent. In database systems the primary key of one table's record is embedded as a foreign key in related table records. For example, the invoice primary key (Invoice Number) is a foreign key in the related line item detail records, thus forming an audit trail.

9. What are the advantages of real-time processing? Response: Real-time processing greatly shortens the cash cycle of the firm. Lags inherent in traditional systems can cause delays of several days between taking an order and billing the customer. Real-time processing can give a firm a competitive advantage in the marketplace. Manual procedures tend to produce clerical errors, such as incorrect account numbers, invalid inventory numbers, and price-quantity extension miscalculations. Real-time processing reduces the amount of paper documents in a system.

10. Why does billing receive a copy of the sales order when the order is approved but does not bill until the goods are shipped? Response: The billing department's receipt of the sales order occurs in most instances before the goods are actually shipped; thus, the economic event is not complete. Since credit checks need to include credit already extended for orders not yet shipped, the billing department (and other departments) receive copies of the sales order once credit is approved. Of course, some of the goods may not be available to ship; thus, the customer is not billed until the shipping department sends the shipping notice to the billing department.

11. How do tests of controls relate to substantive tests? Response: Tests of controls and substantive tests are auditing techniques used for reducing total audit risk. Substantive tests traditionally follow tests of controls because the results of tests of controls are used to determine the nature, timing, and extent of the substantive tests.

12. After which event in the sales process should the customer be billed? Response: Billing occurs after the product is shipped to the customer (and the shipping department sends a shipping notice to the billing department).

13. What is a bill of lading? Response: A bill of lading is a formal contract between the seller and the shipping company (carrier) to transport the goods to the customer. The bill of lading establishes legal ownership and responsibility for assets in transit.

14. What document initiates the billing process? Response: The billing process is initiated by the shipping notice, which signals the shipment of the goods to the buyer.

15. Where in the cash receipts process does supervision play an important role? Response: Supervision plays an important role in the mailroom, where both the check (asset) and the remittance advice (accounting record) are in the hands of one person. Mailroom fraud can result, which involves stealing the check and destroying the remittance advice to cover the theft.

16. List the revenue cycle audit objectives derived from the "existence or occurrence" management assertion. Response:
• Verify that the accounts receivable balance represents amounts actually owed to the organization at the balance sheet date.
• Establish that revenue from sales transactions represents goods shipped and services rendered during the period covered by the financial statements.

17. List the revenue cycle audit objectives derived from the "completeness" management assertion. Response:
• Determine that all amounts owed to the organization at the balance sheet date are reflected in accounts receivable.
• Verify that all sales for shipped goods, all services rendered, and all returns and allowances for the period are reflected in the financial statements.

18. List the revenue cycle audit objectives derived from the "accuracy" management assertion. Response:
• Verify that revenue transactions are accurately computed and based on current prices and correct quantities.
• Ensure that the AR subsidiary ledger, the Sales Invoice file, and the Remittance file are mathematically correct and agree with the general ledger accounts.
DISCUSSION QUESTIONS

1. Distinguish among the sales, billing, and accounts receivable departments. Why can't the sales or accounts receivable departments prepare the bills? Response: The principles of segregation of duties apply to these departments. The sales order department (included in the sales department in the text) is responsible for taking the customer order and placing it into a standard format. This department records information such as the customer's name, address, account number, quantities and units of each item, discounts, freight preferences, etc. Sales order processing may, in some instances, play a role in verifying or determining the promised shipping date. The billing department receives a copy of the sales order from the sales department. Upon receipt of the shipping notice and the stock release documents, the billing department prepares the sales invoice, which is the customer's bill reflecting charges for items shipped (which may differ from the items ordered), taxes, freight, and any discounts offered. The sales order department should not prepare the bills because the salespeople may bill their favorite clients less than they should be billed. The salespeople place the order and thus start the wheels in motion for inventory to be shipped. Further, the salespeople should not be allowed to determine how much the customers pay for their inventory, because they may be tempted to charge lower prices and receive kickbacks. The accounts receivable department receives the sales orders and posts them to the accounts receivable subsidiary ledger. As remittance advices are received, they are posted to the customer's account in the accounts receivable subsidiary ledger. The accounts receivable department should not be allowed to prepare the bills because this department has custody over the accounts receivable records. It records customer payments and tracks customers' unpaid bills. If it were allowed to prepare the bills, it might not bill certain customers and receive a kickback from the customers for the free goods.

2. Explain the risks associated with mailroom procedures. Response: The checks received in payment for accounts receivable are a crucial asset for the firm. The mailroom is a point of exposure for any firm. The individual who opens the mail has access both to cash (the asset) and to the remittance advice (the record of the transaction). A dishonest employee may use this opportunity to steal the check, cash it, and destroy the remittance advice, thus leaving no evidence of the transaction. Ultimately, this sort of fraud will come to light when the customer receives another bill and, in response, produces the canceled check. However, by the time the firm gets to the bottom of this problem, the perpetrator may have committed the crime many times over and left the organization. Detecting crimes after the fact accomplishes little. Prevention is the best solution. The deterrent effect of supervision can provide an effective preventive control.

3. How could an employee embezzle funds by issuing an unauthorized sales credit memo if the appropriate segregation of duties and authorization controls were not in place? Response: An employee who has access to incoming payments, either cash or check, as well as the authorization to issue credit memos may pocket the cash or check of a payment for goods received. The employee could then issue a credit memo to the customer's account so that the account does not show a balance due.

4. What task can the accounts receivable department engage in to verify that all checks sent by the customers have been appropriately deposited and recorded? Response: The company should periodically, perhaps monthly, send an account summary to each customer listing invoices and amounts paid by check number and date. This form allows the customer to verify the accuracy of the records. If any payments are not recorded, the customer can notify the company of the discrepancy. These reports should not be handled by the accounts receivable clerk or the cashier.

5. Why is access control over revenue cycle documents just as important as the physical control devices over cash and inventory? Response: Access control over the billing and accounts receivable records that are part of the revenue cycle is just as important as the physical control devices over cash and inventory because these records affect the collectability of an asset, accounts receivable, that should eventually be converted into cash. If these records are not adequately controlled, inventory may not ultimately be converted into the cash amount the firm deserves.

6. For a batch processing system using sequential files, describe the intermediate and permanent files that are created after the edit run has successfully been completed when processing the sales order file and updating the accounts receivable and inventory master files. Response: After the edit program tests each record for clerical or logical errors, it writes the correct records to a clean transaction file and the records with errors to an error file. Both of these files are considered intermediate or temporary files. The error file is considered to be a temporary file because the records will be resubmitted after they have been reviewed and corrected. The clean transaction file is considered to be an intermediate file because it will be sorted and written to a new tape. The old, unsorted transaction file will not be used in further processing once a sorted transaction file is made.

7. Why has the use of magnetic tapes as a storage medium declined in recent years? What are their primary uses currently? Response: Both tapes and disks can be used as the physical storage medium for sequential file systems. However, the use of tapes has declined considerably in recent years. For day-to-day operations, tapes are inefficient because they must be physically mounted on a tape drive and then dismounted when the job ends. This approach is labor intensive and expensive. The constant decline in the cost of disk storage in recent years has eliminated the economic advantage once associated with tapes. Most organizations that still use sequential files store them on disks that are permanently connected (online) to the computer system and require no human intervention. The operational features of sequential files described earlier are the same for both tape and disk media. Today, tapes are used primarily as backup devices and for storing archive data. For these purposes, they provide an efficient and effective storage medium for a large system.

8. Discuss both the tangible and intangible benefits of real-time processing. Response: Real-time processing yields the following tangible benefits. Real-time processing greatly shortens the cash cycle of the firm. Lags inherent in traditional systems can cause delays of several days between taking an order and billing the customer. Real-time processing can give a firm a competitive advantage in the marketplace. Manual procedures tend to produce clerical errors, such as incorrect account numbers, invalid inventory numbers, and price-quantity extension miscalculations. Real-time processing reduces the amount of paper documents in a system. Further, real-time processing may also achieve the following intangible benefits. It may increase customer satisfaction through faster response time to requests and inquiries, decreased lag time between order date and shipment date, and more accurate records with fewer corrections requested.

9. Distinguish between positive and negative confirmations. Response: Positive confirmations ask recipients to respond whether their records agree or disagree with the amount stated. Positive confirmations are particularly useful when the auditor suspects that a large number of accounts may be in dispute. They are also used when confirming unusual or large balances or when a large proportion of total accounts receivable arises from a small number of significant customers. A problem with positive confirmations is a poor response rate. Customers who do not dispute the amount shown in the confirmation letter may not respond. The auditor cannot assume, however, that lack of response means agreement. To obtain the highest response rate possible, second and even third requests may need to be sent to nonrespondents. Negative confirmations request the recipients to respond only if they disagree with the amount shown in the letter. This technique is used primarily when accounts receivable consist of a large number of low-value balances and the control risk of misstatement is considered to be low. The sample size for this type of test is typically large and may include the entire population. Evidence from non-returned negative confirmations selected from a large population provides indirect evidence to support the auditor's expectation that accounts receivable are not materially misstated. Responses to negative confirmations, particularly if they are widespread in a large population, may indicate a potential problem. Since the negative confirmation approach does not prove that the intended recipients actually received and reviewed the confirmation letters, evidence of individual misstatements provided by returned responses cannot be projected to the entire population. In other words, responses to negative confirmations cannot be used as a basis for determining the total dollar amount of the misstatement in the account. Such evidence can be used, however, to reinforce the auditor's prior expectation that the account balance may be materially misstated and that additional testing of details is needed to determine the nature and amount of the misstatement.

10. What is the purpose of analytical reviews in the audit of revenue cycle accounts? Response: Auditors often precede substantive tests of details with an analytical review of account balances. In the case of the revenue cycle, an analytical review will provide the auditor with an overall perspective on trends in sales, cash receipts, sales returns, and accounts receivable. In addition, analytical procedures can provide assurance that transactions and accounts are reasonably stated and complete and may thus permit the auditor to reduce substantive tests of details on these accounts.

11. Explain the open-invoice system. What effect might it have on confirmation responses? Response: Under the open-invoice approach, invoices are recorded individually rather than summarized or grouped by creditor. In this environment, no accounts payable subsidiary ledger exists. Each invoice is paid (closed) as it comes due. For financial reporting purposes, total accounts payable is calculated simply by summing the open (unpaid) invoices. Determining the liability due to a particular creditor, which may consist of multiple open invoices, is not such a simple task. The auditor should not assume that a customer that uses this approach would invest the time needed to respond to a confirmation request, which asks it to agree a balance its system does not readily produce. The confirmation process may thus be ineffective.

12. What financial statement misrepresentations may result from an inconsistently applied credit policy? Be specific. Response:
• Accounts receivable may be overstated because the allowance for doubtful accounts is understated due to poor credit policy.
• Bad debt expense may be understated.

13. Give three examples of access control in a POS system. Response: The following are examples:
• Steel cables to secure expensive leather coats to the clothing rack.
• Locked showcases to display jewelry and costly electronic equipment.
• Magnetic tags attached to merchandise, which sound an alarm when removed from the store.
• Password log-in to cash registers.
Note to Instructor: Some physical security devices could also be classified as supervision.

14. What makes POS systems different from revenue cycles of manufacturing firms? Response: In point-of-sale systems, the customer literally takes possession of the items purchased, so the inventory is in hand. Typically, for manufacturing firms, the order is placed and the goods are shipped to the customer at some later time. Thus, updating inventory at the time of sale is necessary in point-of-sale systems, since the inventory is changing hands, while it is not necessary in manufacturing firms until the goods are actually shipped to the customer.

15. Is a POS system that uses bar coding and a laser light scanner foolproof against inaccurate updates? Discuss. Response: No, bar codes are not read with 100% accuracy. Another potential error can occur if the wrong bar-coded stickers are attached to the merchandise, which can occur in some discount retail stores that do not update the database; they just print bar-coded stickers and attach them to the merchandise. Devious customers may switch stickers on price tags. In addition, an error can be made when entering the bar codes into the system, so the wrong item rings up when the tag is scanned.
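The edit, sort and update runs in review question 7 and discussion question 6 are easier to see in code than in prose. The following added example (not from the solution manual) runs a constructed sales batch against a constructed AR master file: the edit run writes the clean transaction file and the error file, the sort run orders the clean records by the master's primary key, and the update run copies every master record to a new master while posting the matched transactions and reporting any transaction whose key is not on the master. The four-digit numeric customer key, the record layouts and the batch control totals are assumptions of the example.

```python
from typing import Dict, List, Tuple

Record = Dict[str, object]

# Constructed AR master file, already in primary-key (customer) order as a
# sequential master must be, and the set of valid inventory numbers.
AR_MASTER: List[Record] = [
    {"customer": "1001", "balance": 1200.00},
    {"customer": "1003", "balance": 0.00},
    {"customer": "1007", "balance": 350.00},
]
VALID_PRODUCTS = {"501", "502"}

# Constructed sales batch as keyed in: unsorted, with three bad records and one
# well-formed record whose customer has no master record.
SALES_BATCH: List[Record] = [
    {"customer": "1007", "product": "501", "qty": 5, "price": 70.00, "extension": 350.00},
    {"customer": "10O1", "product": "501", "qty": 1, "price": 70.00, "extension": 70.00},  # letter O
    {"customer": "1001", "product": "999", "qty": 1, "price": 10.00, "extension": 10.00},  # no such item
    {"customer": "1001", "product": "502", "qty": 2, "price": 48.50, "extension": 97.00},
    {"customer": "1003", "product": "501", "qty": 1, "price": 70.00, "extension": 75.00},  # 1 x 70 != 75
    {"customer": "1005", "product": "502", "qty": 1, "price": 48.50, "extension": 48.50},  # not on master
]


def edit_run(batch: List[Record]) -> Tuple[List[Record], List[Record]]:
    """Edit run: validate each record. Clean records go to the clean transaction file,
    rejects to the error file with the reason, to be corrected and resubmitted."""
    clean, errors = [], []
    for rec in batch:
        cust = str(rec["customer"])
        if not (cust.isdigit() and len(cust) == 4):          # assumed 4-digit numeric key
            reason = "invalid customer number"
        elif rec["product"] not in VALID_PRODUCTS:
            reason = "invalid inventory number"
        elif rec["qty"] <= 0:
            reason = "quantity must be positive"
        elif abs(rec["qty"] * rec["price"] - rec["extension"]) >= 0.005:
            reason = "price-quantity extension does not foot"
        else:
            clean.append(rec)
            continue
        errors.append({**rec, "error": reason})
    return clean, errors


def sort_run(clean: List[Record]) -> List[Record]:
    """Sort run: order by the master's primary key, with product as the secondary key."""
    return sorted(clean, key=lambda r: (r["customer"], r["product"]))


def update_run(master: List[Record], txns: List[Record]) -> Tuple[List[Record], List[Record]]:
    """Sequential update: walk the master and the sorted transactions together.
    Every master record is copied to the new master whether or not it changed;
    a transaction that matches no master key is reported, not silently dropped."""
    new_master, unmatched, i = [], [], 0
    for rec in master:
        updated = dict(rec)
        while i < len(txns) and txns[i]["customer"] < rec["customer"]:
            unmatched.append(txns[i])      # key falls between master records
            i += 1
        while i < len(txns) and txns[i]["customer"] == rec["customer"]:
            updated["balance"] = round(updated["balance"] + txns[i]["extension"], 2)
            i += 1
        new_master.append(updated)
    unmatched.extend(txns[i:])             # keys beyond the last master record
    return new_master, unmatched


def control_totals(records: List[Record]) -> Tuple[int, float]:
    """Record count and financial total, compared between runs as a batch control."""
    return len(records), round(sum(r["extension"] for r in records), 2)


def run_batch(batch: List[Record] = SALES_BATCH, master: List[Record] = AR_MASTER) -> Dict[str, object]:
    clean, errors = edit_run(batch)
    new_master, unmatched = update_run(master, sort_run(clean))
    posted = [t for t in clean if t not in unmatched]
    return {
        "new_master": new_master,
        "errors": errors,
        "unmatched": unmatched,
        "totals": {"input": control_totals(batch), "clean": control_totals(clean),
                   "posted": control_totals(posted)},
    }


if __name__ == "__main__":
    result = run_batch()
    for rec in result["new_master"]:
        print(rec)
    print("errors:", [(e["customer"], e["error"]) for e in result["errors"]])
    print("unmatched:", [u["customer"] for u in result["unmatched"]])
    print("totals:", result["totals"])
```

Note what each stage can and cannot catch: the edit run rejects the mistyped customer number, the invalid inventory number and the bad extension because those are visible in the record itself, but the well-formed transaction for customer 1005 passes the edit run and is only caught by the update run, which has the master file to compare against. The control totals let the operator agree the input, clean and posted batches at each hand-off.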
MULTIPLE CHOICE
1. c
2. a
3. a
4. c
5. b
6. d
7. c
8. e
9. a
10. d
PROBLEMS

1. Systems Description and Internal Controls Customer checks and remittance advices are received in the mailroom each morning along with the general mail. Mail volume is typically high, requiring a mailroom staff of 40 clerks and one supervisor. The clerks share equally in the task of sorting the mail and directing it to the appropriate recipient. In the case of cash receipts, the clerks open the envelopes to verify that the checks are signed and are consistent in amount with the remittance advice. The checks and remittance advices are collected into batches and sent to the accounts receivable department, where the AR clerk reviews them for correctness and posts them to the AR subsidiary ledger. The clerk then prepares two copies of a remittance list. One of these is filed in the department along with the remittance advices, and the other is sent to the cash receipts department with the checks. Finally, the clerk summarizes the batch of cash receipts transactions and posts to the general ledger AR control account and the Cash account. Upon receipt of the checks and remittance list, the cash receipts clerk reconciles the documents and posts the checks to the cash receipts journal. At the end of the day the clerk prepares a deposit slip and sends it along with the checks to the bank. Required: a. Prepare a flowchart of the cash receipts procedures described. b. Describe the risks, if any, that are inherent in the current system configuration. c. Describe the controls, if any, that are needed to reduce or eliminate the risks identified in (b) above.
Response:
a. See flowchart on the next page.
b. Risks inherent in the current system configuration:
1) Risk of cash misappropriation through mailroom fraud (skimming).
2) Risk of cash misappropriation by skimming, lapping, or other forms of larceny in the AR department, which has custody of the checks while it maintains the AR records.
3) Risk of incorrect record keeping in the AR department.
c. Controls needed to reduce or eliminate the risks identified in (b):
1) Supervision in the mailroom is inadequate, with one supervisor overseeing 40 clerks. This span of control can be reduced by having customers submit their payments to a separate post office box address. The postal service will then presort and separate cash receipts from the general mail. The smaller volume of cash receipts can then be processed in a smaller mailroom area, where fewer clerks who work exclusively with cash receipts can be more effectively supervised.
2) A remittance list should be prepared under supervision in the mailroom. Checks should be separated from the remittance advices in the mailroom and should not go to the AR department.
3) The AR department should not have access to general ledger accounts.
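The mailroom risks in discussion questions 2 to 4 and in Problem 1 come down to one control: a remittance list prepared under supervision before the checks and the remittance advices part company, which can then be matched against what AR posted and what cash receipts deposited. The following added example (not from the solution manual) performs that three-way match over constructed documents for one day. Check numbers, customer numbers and amounts are invented, and the lapping indicator, a check credited to a customer other than the one named on the remittance advice, is a heuristic assumed for the example.

```python
from typing import List, Tuple

# Constructed documents for one day's cash receipts.
# Remittance list, prepared in the mailroom under supervision: (check, customer, amount).
REMITTANCE_LIST = [
    ("CHK-4471", "1001", 350.00),
    ("CHK-8820", "1003", 120.00),
    ("CHK-3102", "1007", 500.00),
]
# AR subsidiary ledger postings for the day: (check, customer credited, amount).
AR_POSTINGS = [
    ("CHK-4471", "1001", 350.00),
    ("CHK-3102", "1005", 500.00),   # credited to a customer other than the payer
    ("CHK-9999", "1003", 120.00),   # credit with no check on the remittance list
]
# Deposit slip prepared by cash receipts: (check, amount).
DEPOSIT_SLIP = [
    ("CHK-4471", 350.00),
    ("CHK-3102", 500.00),
]

Finding = Tuple[str, str]


def reconcile(remittance_list, ar_postings, deposit_slip) -> List[Finding]:
    """Three-way match of the remittance list against AR postings and the deposit.
    Returns (check number, finding) pairs, sorted, empty when everything agrees."""
    findings: List[Finding] = []
    remit = {chk: (cust, amt) for chk, cust, amt in remittance_list}
    posted = {chk: (cust, amt) for chk, cust, amt in ar_postings}
    deposited = {chk: amt for chk, amt in deposit_slip}

    for chk, (cust, amt) in remit.items():
        if chk not in posted:
            findings.append((chk, "on remittance list but not posted to AR"))
        else:
            pcust, pamt = posted[chk]
            if pcust != cust:   # payer and account credited differ: lapping pattern
                findings.append((chk, f"remitted by {cust} but credited to {pcust} (possible lapping)"))
            if abs(pamt - amt) >= 0.005:
                findings.append((chk, "amount posted differs from remittance list"))
        if chk not in deposited:
            findings.append((chk, "on remittance list but not on deposit slip"))
        elif abs(deposited[chk] - amt) >= 0.005:
            findings.append((chk, "amount deposited differs from remittance list"))

    for chk in posted:
        if chk not in remit:    # credit memo fraud pattern: AR reduced with no cash in
            findings.append((chk, "AR credit with no supporting remittance"))
    for chk in deposited:
        if chk not in remit:
            findings.append((chk, "deposited but not on remittance list"))

    r_total = round(sum(a for _, _, a in remittance_list), 2)
    d_total = round(sum(a for _, a in deposit_slip), 2)
    if r_total != d_total:
        findings.append(("TOTAL", f"remittance list {r_total:.2f} vs deposit {d_total:.2f}"))
    return sorted(findings)


if __name__ == "__main__":
    for chk, finding in reconcile(REMITTANCE_LIST, AR_POSTINGS, DEPOSIT_SLIP):
        print(f"{chk:10s} {finding}")
```

The match only works if the remittance list is produced by someone who does not also post AR or prepare the deposit; if the AR clerk prepares it, as in the Problem 1 description, every column comes from the same hands and the comparison proves nothing. The monthly customer statement from discussion question 4 is the external check on the same data.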
2. Internal Controls and Flowchart Analysis
Required:
a. Identify the physical control weaknesses depicted in the flowchart for Problem 2.
b. Describe the IT controls that should be in place in this system.
Response:
• No credit check is performed.
• The billing clerk should not record sales in the sales journal before the economic event (shipping the goods) has occurred.
• The billing department bills the customer before the goods are shipped and without confirmation of shipment and quantity shipped. A shipping notice should trigger the billing process.
• The warehouse clerk, who controls the physical inventory, should not also maintain the inventory subsidiary records.
• The warehouse clerk updates the inventory subsidiary ledger and the GL inventory control account.
• The accounting clerk updates the AR subsidiary ledger and various GL accounts.
IT controls for a centralized integrated system should include:
3. Flowchart Analysis
Use the flowchart for Problem 3 to answer these questions:
a. What accounting document is represented by symbol A?
b. What is an appropriate name for the department labeled B?
c. What would be an appropriate description for process C?
d. What is the location represented by symbol D?
e. What accounting record is represented by symbol E?
f. What is an appropriate name for the department labeled H?
g. What device is represented by symbol F?
h. What device is represented by symbol G?
i. What accounting record is represented by symbol G?
Response:
a. Cash prelist or remittance list
b. Cash Receipts department
c. Post to Cash Receipts Journal and deposit checks, or Process Cash Receipt
d. Bank
e. Cash Receipts Journal
f. Accounts Receivable Department
g. Computer terminal
h. Computer disk
i. Accounts Receivable file
4. Internal Control Evaluation
Identify the control weaknesses depicted in the flowchart for Problem 4.
Response:
• The sales clerk should not record sales in the sales journal before the economic event (shipping the goods) has occurred, and the billing department should perform this role.
• No credit check is performed.
• The billing department bills the customer before the goods are shipped and without confirmation of shipment and quantity shipped. A shipping notice should trigger the billing process.
• Accounts receivable should not both process cash receipts and maintain the AR subsidiary records.
• The warehouse clerk, who controls the physical inventory, should not also maintain the inventory subsidiary records.
• The general ledger department should receive journal vouchers and account summaries from AR, cash receipts, billing, and inventory control. Instead they inappropriately use source documents to update GL accounts.
5. Risks and Internal Controls
The following describes the credit sales procedures for a clothing wholesaler that sells name-brand clothing to department stores and boutique dress shops. The company sells to both one-time and recurring customers. A flowchart of the system is provided in the figure labeled Problem 5: Internal Control.

Customer orders are received by fax and e-mail in the sales department. The sales clerk, who works on commission, approves the credit sale, calculates commissions and discounts, and records the sale in the sales journal from the PC in the sales department. The clerk then prepares a sales order, a customer invoice, and a packing slip, which are sent to the accounting department for processing. The accounting clerk updates the AR subsidiary ledger and sends an invoice to the customer. The clerk then forwards the sales order and packing slip to the warehouse-shipping department. The warehouse-shipping clerk picks the items from inventory and sends them and the packing slip to the carrier for shipment to the customer. Finally, the clerk updates the inventory subsidiary ledger and files the sales order in the department.

Cash receipts from customers go to the mailroom, which has one supervisor overseeing 32 employees performing similar tasks: a clerk opens the envelope containing the customer check and remittance advice, inspects the check for completeness, reconciles it with the remittance advice, and sends the remittance advice and check to the accounting department. The accounting department clerk reviews the remittance advice and the checks, updates the AR subsidiary ledger and records the cash receipt in the cash receipts journal. At the end of the day, the clerk updates the AR Control, Cash, and Sales accounts in the general ledger to reflect the day’s sales and cash receipts.
Required
a. Describe the uncontrolled risks associated with this system as it is currently designed.
b. For each risk, describe the specific internal control weakness(es) in the system that causes or contributes to the risk.

Response (each risk with the control weaknesses that cause it):

Risk: Sales to un-creditworthy customers
Control weakness: Sales clerk approves credit.

Risk: Inaccurately recording the sales transactions in journals
Control weakness: Sale is recorded when the sales clerk takes the order rather than after it is shipped.

Risk: Misappropriation of cash
Control weaknesses: Accounting department clerk has access to the cash, the remittance advice, the AR subsidiary ledger, and the general ledger. Opportunity for embezzlement such as lapping. Mailroom span of control is wide (32 employees) for a single supervisor. This inhibits close supervision. The mailroom clerks, with access to the cash and remittance advices, have an opportunity to commit mailroom fraud.

Risk: Shipping customers the wrong items
Control weakness: Warehouse and shipping are combined, allowing for no reconciliation between what is picked and what is ordered and shipped.

Risk: Misappropriation of inventory
Control weakness: Warehouse clerk has custody of inventory and the inventory subsidiary ledger.
6. Segregation of Functions
Which, if any, of the following situations represent improper segregation of functions?
a. The billing department prepares the customers’ invoices, and the AR department posts to the customers’ accounts.
b. The sales department approves sales credit memos as the result of product returns, and subsequent adjustments to the customer accounts are performed by the AR department.
c. The shipping department ships goods that have been retrieved from stock by warehouse personnel.
d. The general accounting department posts to the general ledger accounts after receiving journal vouchers that are prepared by the billing department.
Response: All are proper segregation of functions except b. The sales department should not be allowed to approve credit memos, since it could potentially overstate sales in one period to meet quotas and boost bonuses and reverse them in a subsequent period. The receiving report indicating that goods have been received by the receiving department should be the source document for credit memos, and it should be authorized by someone independent of the sales department.
7. Stewardship
Identify which department has stewardship over the following journals, ledgers, and files:
a. Customer open order file
b. Sales journal
c. Journal voucher file
d. Cash receipts journal
e. Inventory subsidiary ledger
f. AR subsidiary ledger
g. Sales history file
h. Shipping report file
i. Credit memo file
j. Sales order file
k. Closed sales order file
Response:
a. Sales
b. Billing
c. General ledger
d. Cash receipts
e. Warehouse/Inventory control
f. Accounts receivable
g. Sales
h. Shipping
i. Sales
j. Sales
k. Sales
8. Control Weaknesses
For the past 11 years, Elaine Wright has been an employee of the Star-Bright Electrical Supply store. Elaine is a very diligent employee who rarely calls in sick and takes her vacation days staggered throughout the year so that no one else gets bogged down with her tasks for more than one day. Star-Bright is a small store that employs only four people other than the owner. The owner and one of the employees help customers with their electrical needs. One of the employees handles all receiving, stocking, and shipping of merchandise. Another employee handles the purchasing, payroll, general ledger, inventory, and accounts payable functions. Elaine handles all of the point-of-sale cash receipts and prepares the daily deposits for the business. Furthermore, Elaine opens the mail and deposits all cash receipts (about 30 percent of the total daily cash receipts). Elaine also keeps the AR records and bills the customers who purchase on credit.

Required:
a. Point out any control weaknesses you see in the above scenario.
b. List some recommendations to remedy any weaknesses you have found, working under the constraint that no additional employees can be hired.

Response:
a. Elaine performs many incompatible tasks. She opens the mail, deposits all cash and check receipts, and keeps the accounts receivable records. She could easily keep checks and alter the accounts receivable to cover her theft. Furthermore, she records the bills, so she could potentially bill a customer, not record it in the books, and keep the money when the check is received. Even more troublesome is the fact that she handles the point-of-sale receipts and prepares the daily deposits, which are a substantial amount of sales (30 percent). Elaine never takes enough vacation time so that anyone else can perform her duties long enough to check the books. The employee who handles the inventory and accounts payable function also has incompatible tasks. This employee could be making payments to a family member or friend for inventory not received. The employee who handles all receiving, stocking, and shipping of inventory is also performing incompatible tasks and could be pilfering some inventory as it comes in and shipping it to himself or herself.

b. Close supervision is needed for the employee working in the receiving, stocking, and shipping department. This employee needs to be kept from stealing inventory. Close supervision should help reduce this risk. Pre-numbered shipping forms that must be accounted for may deter this employee from shipping any goods to himself or herself or friends. The accounting function should be redistributed among the remaining two employees and close supervision should be exercised. One possible reallocation of tasks would be:

Employee 1
• record point-of-sale receipts
• update the accounts receivable account records
• prepare the bills for accounts receivable
• inventory
• purchasing

Employee 2
• prepare the daily cash deposits and reconcile to daily cash sales
• open the mail and make a list of all incoming checks—prepare deposit
• accounts payable
• general ledger
• payroll

This system is not perfect and close supervision is important.
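The incompatibilities this answer reasons through by hand can be checked systematically. The following added example (not code from the text) tags each Star-Bright task with the kind of duty it represents and the asset or account it touches, then reports every pair of tasks one person should not hold; the duty catalogue and the two conflict rules are constructed from the incompatibilities the answer describes.

```python
"""Segregation-of-duties check of the Star-Bright task allocations in Problem 8.
Added example, not code from the text. The duty catalogue and the conflict rules
are constructed from the incompatibilities the solution describes: custody of an
asset held together with records that could conceal its theft, and authorizing
a transaction while also recording it."""
from itertools import combinations

AUTH, CUSTODY, RECORD = "authorization", "custody", "recording"

# task -> (kind of duty, asset or account it touches); constructed for the example
DUTIES = {
    "open mail / list incoming checks": (CUSTODY, "cash"),
    "prepare daily deposits": (CUSTODY, "cash"),
    "record point-of-sale receipts": (RECORD, "cash"),
    "update accounts receivable records": (RECORD, "accounts receivable"),
    "bill credit customers": (RECORD, "accounts receivable"),
    "receive, stock and ship merchandise": (CUSTODY, "inventory"),
    "inventory records": (RECORD, "inventory"),
    "purchasing": (AUTH, "purchases"),
    "accounts payable": (RECORD, "purchases"),
    "general ledger": (RECORD, "general ledger"),
    "payroll": (RECORD, "payroll"),
}

# Records in which a custodian could cover a theft of the asset: a cash theft by
# altering AR (lapping) or the GL; an inventory theft by altering the GL control.
RELATED_RECORDS = {
    "cash": {"accounts receivable", "general ledger"},
    "inventory": {"general ledger"},
}


def conflict_reason(task_a, task_b):
    """Return why one person should not hold both tasks, or None if compatible."""
    (kind_a, obj_a), (kind_b, obj_b) = DUTIES[task_a], DUTIES[task_b]
    kinds = {kind_a, kind_b}
    if kinds == {AUTH, RECORD} and obj_a == obj_b:
        return f"authorizes and records {obj_a}"
    if kinds == {CUSTODY, RECORD}:
        asset, record = (obj_a, obj_b) if kind_a == CUSTODY else (obj_b, obj_a)
        if record == asset or record in RELATED_RECORDS.get(asset, ()):
            return f"custody of {asset} and recording of {record}"
    return None


def sod_conflicts(allocation):
    """allocation: person -> list of tasks. Returns person -> [(task, task, why)]."""
    report = {}
    for person, tasks in allocation.items():
        found = []
        for a, b in combinations(tasks, 2):
            why = conflict_reason(a, b)
            if why:
                found.append((a, b, why))
        report[person] = found
    return report


# Allocation described in the scenario.
BEFORE = {
    "Elaine": ["open mail / list incoming checks", "prepare daily deposits",
               "record point-of-sale receipts", "update accounts receivable records",
               "bill credit customers"],
    "accounting employee": ["purchasing", "payroll", "general ledger",
                            "inventory records", "accounts payable"],
    "receiving employee": ["receive, stock and ship merchandise"],
}

# Reallocation proposed in the solution, with the same three employees.
AFTER = {
    "Employee 1": ["record point-of-sale receipts", "update accounts receivable records",
                   "bill credit customers", "inventory records", "purchasing"],
    "Employee 2": ["prepare daily deposits", "open mail / list incoming checks",
                   "accounts payable", "general ledger", "payroll"],
    "receiving employee": ["receive, stock and ship merchandise"],
}

if __name__ == "__main__":
    for label, alloc in (("before", BEFORE), ("after", AFTER)):
        for person, found in sod_conflicts(alloc).items():
            print(f"{label}: {person}: {len(found)} conflict(s)")
            for a, b, why in found:
                print(f"    {a} + {b}: {why}")
```

Under these rules Employee 1 comes out clean, but Employee 2 still combines custody of cash with the general ledger, which is the residual exposure behind the closing caveat that the system is not perfect and supervision remains important.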
9. Internal Control
Iris Plant owns and operates three floral shops in Magnolia, Texas. The accounting functions have been performed manually. Each of the shops has a manager who oversees the cash receipts and purchasing functions for the shop. All bills are sent to the central shop and are paid by a clerk who also prepares payroll checks and maintains the general journal. Iris is seriously considering switching to a computerized system. With so many information systems packages on the market, Iris is overwhelmed.

Required:
a. Advise Iris as to which business modules you think her organization could find beneficial.
b. Discuss advantages, disadvantages, and internal control issues.

Response: Iris needs to consider whether she wishes to purchase one microcomputer system or three. Assuming that she wishes to purchase only one microcomputer for the central shop, she should definitely consider an accounting software package that has an accounts payable and general ledger module. The purchase of a payroll module will depend upon the number of employees paid each period. Iris will need to determine if the time saved is worth the cost. The payroll module may also help with year-end forms such as W-2’s and 1099’s. Iris may also wish to consider centralizing the purchasing function in order to obtain quantity discounts by placing larger orders. If she wishes to do this, then an inventory control module may be appropriate. As the system is currently designed, Iris has no good way to determine whether the managers are purchasing the right mix of inventory items, or if items are being used efficiently. Floral shops, because of the perishability of inventory and need to respond to unexpected orders, may not lend themselves to centralized purchasing and/or centralized inventory control.

If Iris wishes to purchase a computer for each store, she should consider purchasing software that can process point-of-sale transactions and balance the cash receipts at the end of the day. Inventory control software might be considered as it helps track the profitability and spoilage of certain items as well as aids the managers in their purchasing decisions. The system could then provide summary reports for Iris so that she may examine the inventory purchasing and usage decisions of the managers. The cash receipts system should provide better management over cash receipts errors than the manual system, and if the correct controls are included, control may increase. For example, a notice might be placed over the cash register saying “If you do not get a receipt from the computer, your order is free.” The information system then will limit the possibility that a customer pays cash and the employee or manager keeps the money by not ringing up the sale. Iris may be able to find software packages specifically designed for florists. She should examine them to see if they will suit her partially decentralized management. With the correct system, Iris should see increased control over cash receipts and maybe even over inventory purchases and usage. A disadvantage is that the managers may feel that they are being watched more closely and this may cause some resentment.

10. Internal Control
You are investing your money and opening a fast-food Mexican restaurant that accepts only cash for payments. You plan on periodically issuing coupons through the mail and in local newspapers. You are particularly interested in access controls over inventory and cash.

Required:
a. Design a carefully controlled system and draw a document flowchart to represent it.
b. Identify and discuss the key control issues.
Response: The document flowchart is illustrated on the following page. One key control issue is that all sales are recorded. Merchandise should not be given to a customer and the sale not entered into the system: an employee could pocket the money received for the sale. Another issue is reconciling physical coupons with the number of coupons entered into the system. Again, an employee should not be able to ring up a sale at the lower price for a customer without a coupon, charge the customer full price, and keep the difference. Another concern is that employees will steal inventory by giving away free food to their friends and relatives. The system should track all food items prepared and related waste. The flowchart presented provides checks and balances for ensuring that employee theft of cash received from customers is prevented.
11. Data Processing
The computer processing portion of a sales order system is represented by the Problem 11 flowchart presented in the text. Answer the following questions:

Required:
a. What type of data processing system is this? Explain, and be specific.
b. The auditor suggests that this system can be greatly simplified by changing to direct access files. Explain the major operational changes that would occur in the system if this were done.
c. The auditor warns of control implications from this change that must be considered. Explain the nature of the control implications.
d. Sketch a flowchart (the computerized portion only) of the proposed new system. Use correct symbols and label the diagram.

Response:
a. This is a batch processing system that uses direct access storage devices rather than sequential tapes, but the records are stored in sequential files. The transactions are keyed in, and the batch totals are calculated. The batch totals accompany the sales order file through all the data processing runs that follow. The edit run is used to test each record for the existence of clerical or logical errors. Any records with errors are removed and written to an error file to be corrected later by an authorized person. The batch totals are recalculated for the clean transactions. The edited file is then sorted based on the primary customer account number. The batch totals are used to verify the integrity of the sorted database file. The sorted file is used to update the accounts receivable file. The original accounts receivable file remains intact and is used for backup. The newly created accounts receivable file becomes the new master file. The customers’ invoices are processed during the update and billing run. The sales order file is sorted on the inventory number so that the inventory master file can be updated. The original inventory file remains intact and is used for backup. The newly created inventory file becomes the new master file. The batch totals are still used to verify the completeness and accuracy of the transaction file. At the end of the day, the batch totals are sorted and used to update the general ledger. The original general ledger remains intact and is used for backup. The newly created general ledger becomes the new master file.

b. If the sequentially stored data files are replaced by real-time processing using indexed direct access files, the editing and sort runs are no longer necessary. Transactions will be immediately checked for input errors, and the accounts receivable file and inventory files will automatically be updated as each transaction is processed. Thus, batch totals will no longer be used. Accumulators may be used to accumulate values that are periodically posted to the general ledger. The accounts affected by each transaction in the master file will be overwritten with each transaction that is processed.

c. Because the computers will be performing tasks that individuals used to perform, such as inventory controls, the program code itself needs to be secured from unauthorized access. The master files are overwritten each time a record is processed. Controls should be put into place for periodically making a backup copy of the master file, so that the records may be recovered in case the current working copy of a master file is destroyed or incorrectly overwritten.

d. See the following diagram.
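The batch control described in answer (a), with the totals carried through the edit, sort and update runs and each run producing a new master-file generation while the previous one is kept as backup, as an added example that is not code from the text. The record layout, the hash-total field, the sample batch and the starting master files are constructed; the runtime checks show where a tampered or corrupted transaction file would be stopped.

```python
"""Batch control totals carried through the edit, sort and update runs of the
Problem 11 system. Added example, not code from the text: the record layout,
the hash-total field and the sample batch are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SalesOrder:
    order_no: int
    customer: str   # customer account number; sort key for the AR update run
    item: str       # inventory number; sort key for the inventory update run
    qty: int
    amount: float


@dataclass(frozen=True)
class BatchTotals:
    record_count: int
    hash_total: int      # sum of customer account numbers (financially meaningless)
    amount_total: float


def compute_totals(batch):
    """Control totals keyed in with the batch and recomputed after every run."""
    return BatchTotals(len(batch),
                       sum(int(o.customer) for o in batch if o.customer.isdigit()),
                       round(sum(o.amount for o in batch), 2))


def edit_run(batch, totals):
    """Test each record for clerical or logical errors. Bad records go to the
    error file for an authorized person to correct; totals are recalculated
    for the clean transactions."""
    if compute_totals(batch) != totals:
        raise RuntimeError("keyed batch totals do not match the transaction file")
    clean, errors = [], []
    for o in batch:
        if o.qty <= 0 or o.amount <= 0 or not o.customer.isdigit():
            errors.append(o)
        else:
            clean.append(o)
    return clean, errors, compute_totals(clean)


def sort_run(batch, totals, key):
    """Re-sequence the file; the totals must survive the sort unchanged."""
    out = sorted(batch, key=key)
    if compute_totals(out) != totals:
        raise RuntimeError("batch totals changed during sort run")
    return out


def update_run(master, batch, totals, key, post):
    """Write a new master-file generation. The input master is never modified,
    so it remains available as the backup copy."""
    if compute_totals(batch) != totals:
        raise RuntimeError("batch totals changed before update run")
    new_master = dict(master)
    for o in batch:
        k = key(o)
        new_master[k] = post(new_master.get(k, 0), o)
    return new_master


def process_batch(orders, keyed_totals, ar_master, inv_master, gl_master):
    """One day's batch: edit, AR update (sorted by customer), inventory update
    (sorted by item), then general ledger posting from the batch totals."""
    clean, errors, totals = edit_run(orders, keyed_totals)
    by_cust = sort_run(clean, totals, key=lambda o: o.customer)
    new_ar = update_run(ar_master, by_cust, totals, key=lambda o: o.customer,
                        post=lambda bal, o: round(bal + o.amount, 2))
    by_item = sort_run(clean, totals, key=lambda o: o.item)
    new_inv = update_run(inv_master, by_item, totals, key=lambda o: o.item,
                         post=lambda on_hand, o: on_hand - o.qty)
    # The GL is posted from the batch totals, not transaction by transaction.
    new_gl = dict(gl_master)
    for acct in ("AR control", "Sales"):
        new_gl[acct] = round(new_gl.get(acct, 0.0) + totals.amount_total, 2)
    return {"ar": new_ar, "inventory": new_inv, "gl": new_gl,
            "errors": errors, "totals": totals}


# Constructed sample batch; order 3 carries a deliberate clerical error.
SAMPLE_ORDERS = [
    SalesOrder(1, "1001", "A100", 2, 50.00),
    SalesOrder(2, "1002", "B200", 1, 20.00),
    SalesOrder(3, "1001", "A100", -1, 10.00),
    SalesOrder(4, "1003", "B200", 3, 60.00),
]
KEYED_TOTALS = BatchTotals(4, 4007, 140.00)  # as keyed with the batch

if __name__ == "__main__":
    ar = {"1001": 100.00}
    result = process_batch(SAMPLE_ORDERS, KEYED_TOTALS, ar, {"A100": 10, "B200": 10}, {})
    print(result["totals"], [o.order_no for o in result["errors"]])
    print(result["ar"], result["inventory"], result["gl"])
    print("backup AR master intact:", ar == {"1001": 100.00})
```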
12. System Configuration
The flowchart for Problem 12 represents the computer processing portion of a sales order system. Answer the following questions.
a. What type of data processing system is this? Explain, and be specific.
b. The marketing manager suggests that this system can be greatly improved by processing all files in real time. Explain the major operational changes that would occur in the system if this were done.
c. The auditor warns of operational efficiency implications from this change that must be considered. Explain the nature of these implications.
d. Sketch a flowchart of the proposed new system. Use correct symbols and label the diagram.

Response:
a. This system uses real-time data collection and real-time updating of critical records (subsidiary accounts that are unique to the transaction). General ledger accounts that are common to all transactions are processed in batch mode.
b. As each transaction is received, all records associated with it will need to be updated immediately. This would eliminate the batch-processing step and the sales order transaction file from the current system. A new real-time update program will be required. Sales summaries, currently prepared periodically, can now be extracted on demand by the marketing manager directly from his/her terminal.
c. Updating all general ledger accounts in real time may cause operational delays. Each customer will need to wait until the previous customer’s transaction is completely processed, including general ledger accounts that are common to all customers. The extent of the delays will depend in part on transaction volume and the number of simultaneous transactions executed.
d. Please refer to the diagram on the following page.
Solution to problem 9-12
INTERNAL CONTROL PROBLEMS

1. Smith’s Market (Small Business POS Accounting System)
Required:
a. Create a data flow diagram (DFD) of the current system.
b. Create a system flowchart of the existing system.
c. Analyze the physical internal control weaknesses in the system. Model your response according to the six categories of physical control activities specified in the COSO internal control model.
d. Describe the IT controls that should be in place in this system.
a), b) See diagrams on the following pages.
c) Internal Control Weaknesses
1) Access to the cash drawers by sales clerks requires more accountability. Each drawer is accessed by various clerks throughout the day, and cash may be withdrawn by any of them.
2) The internal cash register tape should be used as a control to determine how much cash (including checks and credit card vouchers) should be in the register drawer.
3) The shift supervisor does not sign for the specific amount of cash received or returned at the end of the day. He simply logs the drawers in and out.
4) The treasury clerk is unsupervised in the counting of cash.
5) The treasury clerk has asset custody and responsibility for recording sales and cash in the journal and general ledger.
d) IT Controls
Figure (not reproduced in text): Smith’s Market Sales Order DFD
Figure (not reproduced in text): Smith’s Market Sales System Flowchart
2. Discount Tools, Inc. (Networked Computer System with Manual Procedures)
Required
a. Create a data flow diagram of the current system.
b. Create a system flowchart of the existing system.
c. Analyze the physical internal control weaknesses in the system.
d. Describe the IT controls that should be in place in this system.
e. (Optional) Prepare a system flowchart of a redesigned computer-based system that resolves the control weaknesses that you identified. Explain your solution.
Solution to Discount Tools
a), b), d) See diagrams on the following pages.
c) Internal Control Weaknesses
1) The transaction is recorded in the sales journal before goods are shipped.
2) Warehouse and shipping functions are combined. This removes control over picking and shipping the wrong products.
3) The mailroom clerk should prepare a remittance list to control remittance advices and checks.
d) IT Controls
Figure (not reproduced in text): Discount Tool DFD; the diagram also carries the title Premier Sports Revenue Cycle DFD
e) Student solutions to this part of the case will vary. The solution should address the control issues identified in part C.
3. ABE Plumbing (Centralized Small Business Accounting System)
Required
a. Create a data flow diagram of the current system.
b. Create a system flowchart of the existing system.
c. Analyze the physical internal control weaknesses in the system.
d. (Optional) Prepare a system flowchart of a redesigned computer-based system that resolves the control weaknesses that you identified. Explain your solution.
a), b) See diagrams on the following pages.
c) Internal Control Weaknesses
1) No credit check is performed.
2) The sales clerk closes the open sales order, causing the sale to be recorded before the goods are actually shipped.
3) The warehouse clerk has asset custody and should not also update the inventory records.
4) The shipping clerk does not reconcile the stock release with the original order. This allows the wrong items and/or quantities to be shipped.
5) The customer is billed before the goods are shipped. Billing should be triggered by the shipping notice. Instead, the customer invoice is printed from the closed sales order, which was prepared before the goods were shipped.
Figure (not reproduced in text): ABE Plumbing DFD
d) Flowchart of revised system
Student responses will vary for this part of the assignment. The following issues, however, need to be addressed.
• The internal control problems already covered that need to be corrected in the new system.
• A system configuration similar to figure 4-18 would be appropriate.
4. TRV Classics (Manual and Stand-Alone Computer Processing)
Required
a. Create a data flow diagram of the current system.
b. Create a system flowchart of the existing system.
c. Analyze the physical internal control weaknesses in the system.
d. (Optional) Prepare a system flowchart of a redesigned computer-based system that resolves the control weaknesses that you identified. Explain your solution.
Solution to TVR Classics
a) and b) See diagrams on the following pages.
c) Internal Control Weaknesses
1) No credit check is performed before placing the order.
2) The sales journal is updated before the goods are shipped. This can result in sales being incorrectly matched to the period.
3) The warehouse clerk has access to inventory and also updates the inventory ledger. The clerk may be capable of stealing inventory and covering up the theft by adjusting the inventory records.
4) The mailroom clerk has access to both the remittance advice and the checks, and no remittance list is prepared. This weakness can result in mailroom fraud through skimming cash and destroying the remittance advice.
5) The AR clerk has access to both the checks and the remittance advices. This can result in theft of cash through skimming or lapping.
d) Student responses will vary for this part of the assignment, but should address the internal control issues identified above.
5. Tight Lines Fishing and Camping Supplies (Networked Computer System and Manual Procedures)
Required
a. Create a data flow diagram of the current system.
b. Create a system flowchart of the existing system.
c. Describe internal control weaknesses in the system and discuss the risks associated with these weaknesses.
d. (Optional) Prepare a system flowchart of a redesigned computer-based system that resolves the control weaknesses that you identified. Explain your solution.
Solution to Tight Lines Fishing and Camping
a, b, and d: see pages that follow.
c) Internal Control Weaknesses. The following tie to the numbered circles on the flowchart.
1) The sales clerk performs the credit check; this is a segregation of duties and transaction authorization problem. Risk: The clerk may grant credit to non-creditworthy customers.
2) The warehouse should not update the inventory subsidiary and general ledger control accounts. Multilevel security controls are needed to provide a separation of duties. Risk: The clerk could steal inventory, adjust the subsidiary ledger, and adjust the GL control account to cover the theft.
3) and 7) The AR clerk should not update the general ledger. Risk: The ability to reconcile the AR subsidiary ledger and the AR control account is diminished when both are updated by the same person.
4) Billing and AR are combined. Risk: This structure will mask discrepancies between what was billed and what was recorded as a sale.
5) Supervision is needed in the mailroom. Risk: Employees who open the mail have access to both cash and the remittance advice. This increases the risk of mailroom fraud through skimming.
6) The cash receipts clerk has access to the assets (cash) and is responsible for updating the general ledger. Risk: The clerk could steal cash and adjust the cash account to cover the theft.
d)
6. Green Products Garden Supply (Stand-Alone PC-Based Accounting System)
Required
a. Create a data flow diagram of the current system.
b. Create a system flowchart of the existing system.
c. Analyze the physical internal control weaknesses in the system.
d. (Optional) Prepare a system flowchart of a redesigned computer-based system that resolves the control weaknesses that you identified. Explain your solution.
Solution to Green Products Garden Supply
a), b) See diagrams on the following pages.
c) Internal Control Weaknesses
1) No credit check.
2) The inventory control function is performed by the warehouse clerk.
3) The accounting department bills the customer, updates the AR account, and records sales in the sales journal, thus reducing the opportunity to detect discrepancies between total sales and AR postings.
4) The customer is billed before the order is actually shipped.
5) A remittance list should be prepared in the mailroom.
6) No journal voucher is prepared by the cash receipts clerk.
d) Flowchart of revised system
Student responses will vary for this part of the assignment. The following issues, however, need to be addressed.
• Upgrade stand-alone computers to a networked environment.
• The internal control problems already covered that need to be corrected in the new system.
7. Performance Water Pumps (Centralized System with Distributed Terminals)
Required
a. Create a data flow diagram of the current system.
b. Create a system flowchart of the existing system.
c. Analyze the physical internal control weaknesses in the system.
d. Describe the IT controls that should be in place in this system.
e. (Optional) Prepare a system flowchart of a redesigned computer-based system that resolves the control weaknesses that you identified. Explain your solution.
Solution to Performance Water Pumps
a), b) See diagrams on the following pages.
c) Internal Control Weaknesses
1) The sales clerk who processes the orders also performs the credit check. This creates internal control problems, as sales staff pay is sometimes linked to sales levels.
2) The shipping function does not notify the billing function that goods are shipped. Without this necessary transaction authorization, customers could be billed before items are shipped, which leads to inaccurate record keeping.
3) The billing department records the accounts receivable and also prepares and sends the AR summary to the general ledger function. The problem here is that the billing department also prepares and sends the sales journal voucher to the general ledger function. This approach eliminates the GL reconciliation function.
4) The inventory warehouse clerk updates the inventory records. This can lead to inventory theft and concealment by adjusting the inventory records.
d) IT Controls
e) Student solutions will vary, but should address the internal control issues identified above
8. Custom Fabrications (Stand-Alone PC-Based Accounting System)
Required
a. Create a data flow diagram of the current system.
b. Create a system flowchart of the existing system.
c. Analyze the physical internal control weaknesses in the system.
d. Describe the risks associated with these control weaknesses.
e. (Optional) Prepare a system flowchart of a redesigned computer-based system that resolves the control weaknesses that you identified. Explain your solution.
Solution to Custom Fabrications
a), b) and e) See diagrams on the following pages.
c) Internal Control Weaknesses
1. The customer should not be billed until the goods are shipped. The billing process, however, is triggered in this system by the sales order rather than the shipping notice. Risk: Billing before shipment occurs leads to inaccurate record keeping and the possibility of recording sales in the wrong period. This activity can also damage customer relationships.
2. The billing process includes updating accounts receivable. Risk: This prevents a meaningful independent verification between sales and AR by the general ledger, because both numbers are created in the same function.
3. Asset custody should be kept separate from record keeping. In this system, however, the warehouse clerk has custody of inventory and also updates the inventory records. Risk: The warehouse clerk could steal inventory and cover the theft by adjusting the inventory records.
4. The shipping department fails to reconcile the stock release with a sales order copy or the packing slip. Risk: The wrong product or quantities could be shipped to the customer. The shipping function serves as an important independent verification checkpoint and is the last control point to determine if the order is correct before the goods change hands.
5. The general ledger function updates the cash account and AR control account from a remittance list. It should receive a journal voucher from the cash receipts function and a summary of the AR subsidiary. The journal voucher plays an important audit trail role. Risk: The GL accounts may be corrupted with unauthorized transactions.
[Figure: Revenue Cycle DFD, Custom Fabrications. Processes: Receive Order, Bill Customer, Update Accounts Receivable, Schedule Production, Produce Goods, Store Goods, Update Inventory, Ship Goods. Data stores: Sales Journal, AR Subsidiary, Open Sales Order File, Open Production File, Inventory Subsidiary, Shipping Log. External entities: Customer, Carrier. Diagram not reproduced.]

[Figure: Cash Receipts DFD, Custom Fabrications. Processes: Open Mail, Prepare Remittance Advice; Record and Deposit Checks; Reconcile and Update AR; Update General Ledger. Data stores: AR Subsidiary, General Ledger. External entities: Customer, Bank. Diagram not reproduced.]

[Figure: Cash Receipts System Flowchart (Will Richens). Columns: Mail Room, Cash Receipts, Billing, General Ledger. Diagram not reproduced.]

[Figure: Revised Cash Receipts System Flowchart (Will Richens). Columns: Mail Room, Cash Receipts, Accounts Receivable, Data Processing. Diagram not reproduced.]
SOLUTIONS TO ACL ASSIGNMENTS

The AR and Customer files used for the following assignments are located in the sampleproject.acl that accompanies ACL. The AR file is actually an invoice file that contains several related records as designated by the Trans Type field:
IN = Sales invoice
PM = Payment from customer
CN = Credit note (Credit memo)
TR = Transfer (write off)
Sales invoices should be represented by positive Trans Amount values, while the other transaction types are negative. Some of the following assignments employ ACL’s Relation and Join features. For detailed information on the use of these and other commands, consult ACL’s online Help.

1. Open the AR file, Profile the data, and Stratify on the Trans Amount field. Print the Last Results window and write an analysis providing possible explanations for the results obtained.

As of: 02/21/2010 12:42:41
Command: PROFILE FIELDS Amount
Table: Ar

Field Name     Total Value   Absolute Value   Minimum     Maximum
Trans Amount    468,880.69       585,674.41   -3,582.98   5,549.19
2. Open the AR file, stratify the file on the Trans Amount field, and use the expression builder to create filters that limit the strata to
a. sales invoice transactions only
b. credit note (memo) transactions only
c. payment transactions only
d. transfer (write off) transactions

As of: 02/21/2010 12:53:59
Command: STRATIFY ON Amount INTERVALS 10 IF Type = "IN" TO SCREEN
Table: Ar
If Condition: Type = "IN" (588 records matched)
Minimum encountered was 6.66
Maximum encountered was 5,549.19

Trans Amount            Count   Percent of Count   Percent of Field   Trans Amount
-3,582.98 - -2,669.77       0                 0%                 0%           0.00
-2,669.76 - -1,756.55       0                 0%                 0%           0.00
-1,756.54 - -843.33         0                 0%                 0%           0.00
-843.32 - 69.88            38              6.46%              0.25%       1,324.49
69.89 - 983.10            354              60.2%                38%     199,579.57
983.11 - 1,896.32         149             25.34%             37.42%     196,557.17
1,896.33 - 2,809.53        29              4.93%             12.14%      63,742.37
2,809.54 - 3,722.75        14              2.38%              8.62%      45,268.71
3,722.76 - 4,635.97         2              0.34%              1.58%       8,283.02
4,635.98 - 5,549.19         2              0.34%                 2%      10,503.83
Totals                    588               100%               100%     525,259.16
As of: 02/21/2010 13:15:45
Command: STRATIFY ON Amount INTERVALS 10 IF Type = "CN" TO SCREEN
Table: Ar
If Condition: Type = "CN" (108 records matched)
Minimum encountered was -663.54
Maximum encountered was 0.00

Trans Amount            Count   Percent of Count   Percent of Field   Trans Amount
-3,582.98 - -2,669.77       0                 0%                 0%           0.00
-2,669.76 - -1,756.55       0                 0%                 0%           0.00
-1,756.54 - -843.33         0                 0%                 0%           0.00
-843.32 - 69.88           108               100%               100%      -9,025.02
69.89 - 983.10              0                 0%                 0%           0.00
983.11 - 1,896.32           0                 0%                 0%           0.00
1,896.33 - 2,809.53         0                 0%                 0%           0.00
2,809.54 - 3,722.75         0                 0%                 0%           0.00
3,722.76 - 4,635.97         0                 0%                 0%           0.00
4,635.98 - 5,549.19         0                 0%                 0%           0.00
Totals                    108               100%               100%      -9,025.02
As of: 02/21/2010 13:17:25
Command: STRATIFY ON Amount INTERVALS 10 IF Type = "PM" TO SCREEN
Table: Ar
If Condition: Type = "PM" (71 records matched)
Minimum encountered was -3,582.98
Maximum encountered was 539.97

Trans Amount            Count   Percent of Count   Percent of Field   Trans Amount
-3,582.98 - -2,669.77       1              1.41%              7.91%      -3,582.98
-2,669.76 - -1,756.55       5              7.04%             22.27%     -10,085.74
-1,756.54 - -843.33        17             23.94%             45.45%     -20,578.75
-843.32 - 69.88            40             56.34%             27.87%     -12,618.56
69.89 - 983.10              8             11.27%              -3.5%       1,584.65
983.11 - 1,896.32           0                 0%                 0%           0.00
1,896.33 - 2,809.53         0                 0%                 0%           0.00
2,809.54 - 3,722.75         0                 0%                 0%           0.00
3,722.76 - 4,635.97         0                 0%                 0%           0.00
4,635.98 - 5,549.19         0                 0%                 0%           0.00
Totals                     71               100%               100%     -45,281.38
As of: 02/21/2010 13:18:53
Command: STRATIFY ON Amount INTERVALS 10 IF Type = "TR" TO SCREEN
Table: Ar
If Condition: Type = "TR" (4 records matched)
Minimum encountered was -1,298.43
Maximum encountered was 66.06

Trans Amount            Count   Percent of Count   Percent of Field   Trans Amount
-3,582.98 - -2,669.77       0                 0%                 0%           0.00
-2,669.76 - -1,756.55       0                 0%                 0%           0.00
-1,756.54 - -843.33         1                25%              84.4%      -1,298.43
-843.32 - 69.88             3                75%              15.6%        -240.05
69.89 - 983.10              0                 0%                 0%           0.00
983.11 - 1,896.32           0                 0%                 0%           0.00
1,896.33 - 2,809.53         0                 0%                 0%           0.00
2,809.54 - 3,722.75         0                 0%                 0%           0.00
3,722.76 - 4,635.97         0                 0%                 0%           0.00
4,635.98 - 5,549.19         0                 0%                 0%           0.00
Totals                      4               100%               100%      -1,538.48
3. Open the AR file and use the expression builder to create a filter that screens for invalid transaction types. Print the results and comment.

Command: SET FILTER TO Type <> "CN" AND Type <> "PM" AND Type <> "TR" AND Type <> "IN"
The filter reveals one invalid transaction type, "AA", reproduced below:

Cust Num   Invoice Date   Due Date     Ref No   Trans Type   Trans Amount
301037     10/29/2000     09/30/2000   213666   AA               (533.59)
4. Using the Relation feature, create a view from data in both the AR and Customer files that shows customer details (name and street address) for payment transactions with abnormal (positive) amount values. Print the view and comment on the results.

The filter to return the results is: Type = "PM" AND Amount > 0
The abnormal results from the related tables are below:

Invoice Date   Due Date     Ref No   Cust No   Trans Type   Trans Amount   Street Address            Name
12/04/2000     12/09/2000   214088   065003    PM                  13.08   7000 S WABASH AVE         UNIVERSITY ELECTRONICS
12/04/2000     12/12/2000   214114   065003    PM                   9.76   7000 S WABASH AVE         UNIVERSITY ELECTRONICS
12/04/2000     12/16/2000   214129   065003    PM                 116.72   7000 S WABASH AVE         UNIVERSITY ELECTRONICS
12/04/2000     12/12/2000   214121   065003    PM                  29.40   7000 S WABASH AVE         UNIVERSITY ELECTRONICS
12/04/2000     12/23/2000   214185   065003    PM                   9.17   7000 S WABASH AVE         UNIVERSITY ELECTRONICS
07/17/2000     01/01/2000   43614X   222006    PM                 539.97   951 WEST STREET           DYNAMIX INDUSTRIES
12/04/2000     11/21/2000   213914   262001    PM                  18.58   8 WEST STREET             BULLY INDUSTRIES
12/02/2000     11/05/2000   213755   501657    PM                  18.58   377 SAN MARINA DR         FAXON NATURAL RESOURCES
12/02/2000     11/07/2000   213799   501657    PM                   4.64   377 SAN MARINA DR         FAXON NATURAL RESOURCES
12/04/2000     11/18/2000   213881   501657    PM                  60.94   377 SAN MARINA DR         FAXON NATURAL RESOURCES
12/04/2000     11/18/2000   213882   501657    PM                 109.96   377 SAN MARINA DR         FAXON NATURAL RESOURCES
12/04/2000     10/10/2000   213423   501657    PM                 146.80   377 SAN MARINA DR         FAXON NATURAL RESOURCES
12/04/2000     10/10/2000   213424   501657    PM                 146.80   377 SAN MARINA DR         FAXON NATURAL RESOURCES
12/04/2000     10/10/2000   213425   501657    PM                  92.18   377 SAN MARINA DR         FAXON NATURAL RESOURCES
12/04/2000     10/21/2000   213572   501657    PM                  54.66   377 SAN MARINA DR         FAXON NATURAL RESOURCES
10/29/2000     01/01/2000   13065X   516372    PM                 303.81   71130 SUNRISE VALLEY DR   SECOND POWER CORP
11/25/2000     10/29/2000   213672   516372    PM                  58.35   71130 SUNRISE VALLEY DR   SECOND POWER CORP
11/25/2000     10/29/2000   213672   516372    PM                  24.46   71130 SUNRISE VALLEY DR   SECOND POWER CORP
11/25/2000     01/01/2000   13452X   516372    PM                  66.06   71130 SUNRISE VALLEY DR   SECOND POWER CORP
11/25/2000     11/05/2000   213753   516372    PM                 128.41   71130 SUNRISE VALLEY DR   SECOND POWER CORP
5. Using the Join feature, create a view from data in both the AR and Customer files that shows customer details (name and address) for payment transactions with abnormal (positive) amount values. Print the view and comment on the results.

The filter to return the results is: Type = "PM" AND Amount > 0
The abnormal results from the joined table are the same as in problem 4 above.
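The same four tests (stratify by transaction type, screen for invalid transaction types, and relate or join AR to Customer to list positive payments) can be run outside ACL. The script below is an added worked example, not ACL's sampleproject data or the textbook's own solution; the AR and Customer records in it are constructed (a few rows echo values shown above, including the "AA" record and a positive payment), the field layout is assumed, and one payment is given a customer number with no Customer record to show why an inner join can hide an exception.

```python
"""
Audit tests over an AR (invoice) file and a Customer file, written as an added
worked example that mirrors the ACL STRATIFY, SET FILTER and RELATE/JOIN steps
of assignments 2 to 5. The records are constructed sample data, not ACL's
sampleproject data.
"""
from decimal import Decimal

VALID_TYPES = {"IN", "PM", "CN", "TR"}   # IN invoice, PM payment, CN credit note, TR transfer

# Constructed AR records: (cust_num, invoice_date, due_date, ref_no, trans_type, trans_amount)
AR = [
    ("065003", "12/04/2000", "12/09/2000", "214088", "IN", Decimal("1200.50")),
    ("065003", "12/04/2000", "12/12/2000", "214114", "PM", Decimal("-950.00")),
    ("065003", "12/04/2000", "12/16/2000", "214129", "PM", Decimal("116.72")),   # abnormal: positive payment
    ("222006", "07/17/2000", "01/01/2000", "43614X", "PM", Decimal("539.97")),   # abnormal: positive payment
    ("301037", "10/29/2000", "09/30/2000", "213666", "AA", Decimal("-533.59")),  # invalid transaction type
    ("501657", "12/02/2000", "11/05/2000", "213755", "CN", Decimal("-18.58")),
    ("501657", "12/04/2000", "11/18/2000", "213881", "TR", Decimal("-60.94")),
    ("516372", "11/25/2000", "11/05/2000", "213753", "IN", Decimal("3400.00")),
    ("999999", "11/25/2000", "11/05/2000", "213754", "IN", Decimal("75.00")),    # no matching customer record
]

# Constructed Customer file keyed on cust_num: (name, street address)
CUSTOMERS = {
    "065003": ("UNIVERSITY ELECTRONICS", "7000 S WABASH AVE"),
    "222006": ("DYNAMIX INDUSTRIES", "951 WEST STREET"),
    "301037": ("CONSTRUCTED CUSTOMER A", "1 SAMPLE ST"),
    "501657": ("FAXON NATURAL RESOURCES", "377 SAN MARINA DR"),
    "516372": ("SECOND POWER CORP", "71130 SUNRISE VALLEY DR"),
}


def invalid_type_records(records, valid_types=VALID_TYPES):
    """Assignment 3: SET FILTER TO Type <> "CN" AND Type <> "PM" AND ... keeps only
    rows whose Trans Type is not one of the documented codes."""
    return [r for r in records if r[4] not in valid_types]


def sign_exceptions(records):
    """Sales invoices should be positive and PM/CN/TR negative; return rows that
    break that rule (a positive payment is the case assignments 4 and 5 look for)."""
    return [r for r in records
            if (r[4] == "IN" and r[5] <= 0) or (r[4] in {"PM", "CN", "TR"} and r[5] > 0)]


def abnormal_payments_with_customer(records, customers):
    """Assignments 4 and 5: relate/join AR to Customer on Cust Num and keep
    Type = "PM" AND Amount > 0. A payment whose customer number has no Customer
    record is kept and flagged rather than dropped, as an inner join would do."""
    rows = []
    for cust, inv_date, due_date, ref, ttype, amount in records:
        if ttype == "PM" and amount > 0:
            name, street = customers.get(cust, ("<NO CUSTOMER RECORD>", ""))
            rows.append((inv_date, due_date, ref, cust, ttype, amount, street, name))
    return rows


def stratify(records, intervals=10, trans_type=None):
    """Assignment 2: STRATIFY ON Amount INTERVALS n [IF Type = ...]. Bucket edges
    come from the whole file's minimum and maximum, so the filtered strata share
    the same ranges (as in the ACL output above). Returns one dict per bucket."""
    lo = min(r[5] for r in records)
    hi = max(r[5] for r in records)
    width = (hi - lo) / intervals
    selected = [r for r in records if trans_type is None or r[4] == trans_type]
    if not selected:
        return []
    counts = [0] * intervals
    totals = [Decimal("0")] * intervals
    for r in selected:
        idx = min(int((r[5] - lo) / width), intervals - 1)   # the maximum falls in the last bucket
        counts[idx] += 1
        totals[idx] += r[5]
    field_total = sum(totals)
    out = []
    for i in range(intervals):
        out.append({
            "low": lo + width * i,
            "high": hi if i == intervals - 1 else lo + width * (i + 1),
            "count": counts[i],
            "pct_count": round(Decimal(counts[i]) * 100 / len(selected), 2),
            # percent of field goes negative when a bucket's sign differs from the total's sign
            "pct_field": round(totals[i] * 100 / field_total, 2) if field_total else Decimal("0"),
            "total": totals[i],
        })
    return out


if __name__ == "__main__":
    print("invalid types:", invalid_type_records(AR))
    for row in abnormal_payments_with_customer(AR, CUSTOMERS):
        print(row)
    for bucket in stratify(AR, 10, "PM"):
        print(bucket)
```

The stratification deliberately fixes the bucket edges from the whole file rather than from the filtered subset; that is what makes the four ACL strata above directly comparable, and it is also why a credit-note run shows every record in one bucket. The `<NO CUSTOMER RECORD>` marker is the point of relating rather than inner-joining: a positive payment posted to a customer number that does not exist in the Customer file is exactly the row an auditor wants surfaced, not silently dropped.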
The following assignments are located in the ACL Tutorial folder in the Student Resources section of this textbook's website.

6. Tutorial 2 relates to the following commands: TOTAL, PROFILE, STATISTICS, SAMPLE, SEQUENCE, SORT, DUPLICATES, GAPS
7. Tutorial 5 relates to the following commands: AGE, JOIN, MERGE
8. Tutorial 6 relates to the following commands: TOTAL, COUNT, EXTRACT, EXPORT, SORT, INDEX
9. Bradmark Comprehensive Case
Required: Access the Bradmark ACL Case in the Student Resource section of the textbook’s website. Your instructor will tell you which questions to answer.
CHAPTER 10 AUDITING THE EXPENDITURE CYCLE

REVIEW QUESTIONS

1. Differentiate between a purchase requisition and a purchase order.
Response: A purchase requisition is completed by the inventory control department when a need for inventory items is detected. Purchase requisitions for office supplies and other materials may also be completed by staff departments, such as marketing, finance, accounting, and personnel. The purchasing department receives the purchase requisitions and, if necessary, determines the appropriate vendor. If various departments have requisitioned the same order, the purchasing department may consolidate all requests into one order so that any quantity discounts and lower freight charges may be taken. In any case, the purchasing department prepares the purchase order, which is sent to the vendor, accounts payable department, and the receiving department (blind copy).

2. What purpose does a purchasing department serve?
Response: A purchasing department is able to research the quality and pricing of various vendors. Its job is to monitor various supply sources and choose the highest quality good for a given price, with reliable delivery. The purchasing department may also take advantage of quantity discounts, especially when two or more manufacturing facilities are involved.

3. Distinguish between an accounts payable file and a vouchers payable file.
Response: An accounts payable file contains all source documents, including invoices, organized by payment date. As the due dates come close to the current date, the invoices are pulled from the file and paid. Under the voucher system, the accounts payable clerk prepares a cash disbursements voucher upon receipt of all source documents. Each cash disbursements voucher represents payment to one vendor. Multiple invoices may be paid with one voucher. The voucher system allows better control over cash disbursements because cash vouchers are assigned and tracked.

4. What are the logical steps of the cash disbursements system?
Response: The three logical steps of the cash disbursements system are:
1. Identify liabilities due
2. Prepare cash disbursement
3. Update accounts payable record

5. What general ledger journal entries are triggered by the purchases system?
Response:
Accounts Payable:
    Inventory Control           Debit
        Accounts Payable            Credit
Cash Disbursements:
    Accounts Payable            Debit
        Cash                        Credit
6. What two types of exposure can close supervision of the receiving department reduce?
Response: Large quantities of valuable assets flow through the receiving department on their way to the warehouse. Close supervision here reduces the chances of two types of exposure: failure to properly inspect the assets and the theft of assets.

7. What steps of independent verification does the general ledger department perform?
Response: The general ledger department receives journal vouchers from inventory control, accounts payable, and cash disbursements. With these summary figures, the general ledger clerk verifies that
a. total obligations recorded equal total inventories received.
b. total reductions in accounts payable equal total disbursements of cash.

8. What is (are) the purpose(s) of maintaining a valid vendor file?
Response: As a control against unauthorized payments, comparing the vendor number on the voucher with a valid vendor file validates all entries in the voucher file. If the vendor number is not on file, the record is presumed to be invalid and is diverted to an error file for management review.

9. What is the purpose of the blind copy of the purchase order?
Response: A blind purchase order has all the relevant information about the goods being received except for the quantities and prices. To obtain the information on quantities, which is needed for the receiving report, the receiving personnel are forced to physically count and inspect the goods. If receiving clerks were provided with quantity information through formal documentation (i.e., the purchase order), they may be tempted to transfer this information to the receiving report without performing a physical count.

10. Give one advantage of using a vouchers payable system.
Response: Vouchers provide improved control over cash disbursement, and they allow firms to consolidate several payments to the same supplier on a single voucher, thus reducing the number of checks written.

11. How do computerized purchasing systems help to reduce the risk of purchasing bottlenecks?
Response: Routine purchases can be automated, reducing the time lag between order, arrival, and recording of inventory. By freeing purchasing agents from routine work, such as preparing purchase orders and mailing them to the vendors, attention can be focused on problem orders (such as special items or those in short supply).

12. Which document is used by cost accounting to allocate direct labor charges to work-in-process?
Response: Job tickets capture the time spent on each job during the day and are used to allocate the labor charges to the work-in-process accounts.

13. Which department authorizes changes in employee pay rates?
Response: The personnel department, through the personnel action form, authorizes changes to employee pay rates.

14. Why should the employee’s supervisor not distribute paychecks?
Response: A form of payroll fraud involves a supervisor submitting fraudulent time cards for nonexistent employees. The resulting paychecks, when given to the supervisor, are then cashed by the supervisor. This type of fraud can be reduced or eliminated by using a paymaster to distribute paychecks to employees in person. Any uncollected paychecks are then returned to payroll.

15. Why should employee paychecks be drawn against a special checking account?
Response: A separate imprest account is established for the exact amount of the payroll based on the payroll summary. When the paychecks are cashed, this account should clear, leaving a zero balance. Any errors in checks (additional checks or abnormal amounts) would result in a non-zero balance in the imprest account and/or some paycheck would not clear. This will alert management to the problem so corrective action can be taken.

16. Why should employees clocking on and off the job be supervised?
Response: A form of payroll fraud involves employees clocking the time cards of absent employees. By supervising the clocking in and out process, this fraud can be reduced or eliminated.

17. What is a personnel action form?
Response: The Personnel Action Form is prepared by the Personnel Department for the authorization of new employees and changes in job class and pay rates. It enables the Payroll Department to prepare a list of currently active employees. Any submission of time cards by supervisors for fictitious or ex-employees should thus be detected.

18. What tasks does a payroll clerk perform upon receipt of hours-worked data from the production department?
Response: The payroll clerk then performs the following tasks:
1. Prepares the payroll register showing gross pay, deductions, overtime pay, and net pay.
2. Enters the above information into the employee payroll records.
3. Prepares employee paychecks.
4. Sends the paychecks to the paymaster or other distribute-paycheck function.
5. Files the time cards, personnel action form, and copy of the payroll register (not shown).

19. What documents constitute the audit trail for payroll?
Response: Timecards, personnel action forms, job tickets, labor distribution summary.

DISCUSSION QUESTIONS

1. What is the importance of the job ticket? Illustrate the flow of this document and its information from inception to impact on the financial statements.
Response: The job ticket is used to allocate each labor hour of work to specific WIP accounts. These job tickets are very important for cost accounting. The job tickets are completed by production workers as they capture the total amount of time that they spend on each production job. Upon completion, these are routed to the cost accountants, who use them to post the labor costs to specific WIP accounts such as direct labor, indirect labor, and overhead. The cost accountant prepares a labor distribution summary that contains the information for the general ledger clerk to make the necessary entries to the general ledger accounts.

2. What documents support the payment of an invoice? Discuss where these documents originate and the resulting control implications.
Response: The payment of an invoice may be supported by the purchase requisition, purchase order, and receiving report (in addition to the invoice itself). The purchase requisition originates from inventory control and represents the inventory requirements. The purchase order originates from the purchasing department and represents an order placed. The receiving report originates from the receiving department and represents the quantity and types of goods received. Thus, accounts payable must determine (a) that the goods ordered were requested by some department (i.e., inventory control) other than purchasing, (b) that purchasing ordered the goods from a valid vendor, and (c) that the goods were actually received. If all three of the conditions are met, then and only then should the invoice be paid. Further, payments should be made for only those goods received in good shape.

3. Discuss the time lags between realizing and recognizing economic events in the purchase and payroll systems. What is the accounting profession’s view on this matter as it pertains to these two systems?
Response: For accounts payable, a time lag exists between the time the good that is purchased is received and the recording of the liability to the vendor. The receipt of an invoice is the event that usually causes the liability to the vendor to be recorded. The time lag may range from virtually nothing for fully integrated EDI systems to a few days. Thus, during this slight lag in the recording process, liabilities are understated. For payroll costs, wages to workers accrue each minute, hour, or day that they work. However, these costs are not recorded as a liability during the time between when the workers earn their wages and when they are paid. These time lags typically average from half a week to a week. Neither of these time lags is of concern unless the firm is closing its books or preparing interim financial statements. At these points, however, estimates or accruals of the amounts owed should be made and the books adjusted.

4. Discuss the importance of supervision controls in the receiving department and the reasons behind blind fields on the receiving report, such as quantity and price.
Response: The receiving clerks have access to many of the firm’s assets: its inventory. Two exposures potentially exist: (a) the clerk failing to perform his or her duty and (b) the clerk pilfering or stealing the inventory. Thus, the copy of the purchase order used for this inspection should have the quantities and amounts covered so that they may not be read. If the quantity is printed on the receiving clerk’s copy of the purchase order, he or she may be tempted to skip the physical inspection, and the company may pay for inventory it did not receive or that is damaged. A supervisor must remove the packing slip that contains quantity information to make sure the receiving clerk actually inspects the goods. If the value of the inventory is listed, the employee may be tempted to steal some of the inventory. Close supervision should deter employees from stealing.

5. How does the procedure for determining inventory requirements differ between a basic batch processing system and batch processing with real-time data input of sales and receipts of inventory?
Response: A system that employs real-time data entry of sales will have the inventory levels updated more frequently. Thus, when a sale depletes the inventory level to the reorder point, the system will flag it for reorder more quickly than if it had to wait for a batch update of the inventory records. The sooner the item is ordered, the sooner it will be received. With respect to the real-time receipt of inventory, the inventory will be updated immediately to show the accurate amount that is on hand. A customer wishing to know how soon an item will be shipped will receive more accurate information regarding the status of the firm’s inventory levels. Thus, the customer benefits from better stocking of inventory and better information regarding the inventory levels.

6. What advantages are achieved in choosing:
a. a basic batch computer system over a manual system?
b. a batch system with real-time data input over a basic batch system?
Response:
a. The basic batch system provides the following benefits over a manual system: improved inventory control, better cash management, reduction in time lag of inventory entries, increases in the efficiency of the purchasing department, and a reduction in paper documentation.
b. The real-time data input system provides the following benefits over a batch system: reduction in the time lag in record keeping, elimination of routine manual procedures, and an even greater reduction in paper documentation.

7. Discuss the major control implications of batch systems with real-time data input. What compensating procedures are available?
Response: The first control implication is that a fundamental separation between authorization and transaction processing no longer exists. The computer programs both authorize and process the orders and issue checks to the vendors. The compensating control is to provide transaction listings and summary reports that describe the automated activities taken by the system to management. In order for these controls to work, the managers must take the time to carefully review these reports. The second control implication is that the accounting records as well as the computer programs reside on magnetic disks. These disks should not be accessed by any individuals not authorized to access them in any fashion. The compensating control is to employ hardware, software, and procedural controls over the data stores.

8. Discuss some specific examples of how information systems can reduce time lags that positively affect an organization.
Response: One example is by reducing the time it takes to record the receipt of inventory into the inventory records that are used to inform customers whether or not their requested item is available. Also, the inventory levels are reduced more quickly for those inventories that are being shipped. With a reduced time lag, the risk of promising to ship an item to another customer when it is not available is greatly reduced. Further, the automated system will be less likely to pay an invoice too early, while at the same time not missing the discount period. Thus, cash management is improved.

9. Discuss some service industries that may require their workers to use job tickets.
Response: Law firms require their employees to log the amount of time spent on each client for billing purposes. Accounting firms also require their employees to keep job tickets for the time they spend on each client. Car repair shops are another example. The mechanic must keep track of how much time she or he spends working on each automobile.

10. Payroll is often used as a good example of batch processing using sequential files. Explain why.
Response: Sequential files are appropriate because most if not all payroll records on the master payroll file are updated during the payroll processing run.
MULTIPLE CHOICE

1. b
2. e
3. c
4. b
5. d
6. c
7. e
8. e
9. d
10. c
11. a
12. b
13. a
14. a
15. b
PROBLEMS 1. Inventory Ordering Alternatives The flowchart for Problem 1 illustrates two alternative inventory ordering methods. Required a. Distinguish between a purchase requisition and a purchase order. b. Discuss the primary advantage of alternative two over alternative one. Be specific. c. Under what circumstances can you envision management using alternative one rather than alternative two? Response: a. A purchase requisition is created when an item of inventory is needed (e.g., fallen below the reorder point) and authorizes its purchase. A purchase order is created from requisitions to the same vendor. Thus, one purchase order may contain many purchase requisitions. b. The system shown in alternative two expedites the ordering process by distributing the purchase orders directly to the vendors and internal users, thus bypassing the purchasing department completely. This shortens the time between recognizing the need for inventory and mailing the PO to the vendor. Consequently, inventory safety stock levels can be reduced, thus reducing inventory carrying costs. c. Alternative one provides additional control over the ordering process. For example, the purchasing agent could manually detect unusual order quantities or frequency caused by a computer error. Managers whose systems lack reliable computer controls, and who wish to compensate with human independent verification, may prefer this alternative. The price of this added control is excessive inventory carrying costs. 2. Payroll Controls Refer to the Problem 2 flowchart in the text. Required: a. What risks are associated with the payroll procedures depicted in the flowchart? b. Discuss two control techniques that will reduce or eliminate the risks.
Response: a. The payroll department has no independent information as to changes in an employee’s status. For example, the foreman may continue to submit timecards for terminated employees. Because the foreman also distributes paychecks, he could steal and forge the uncollected checks. b. i. An employee action report from the personnel department should list all current employees. Timecards for terminated or nonexistent employees should be identified when reconciled with the personnel report. ii. An independent paymaster should distribute the paychecks to the employees. If an employee is not present to receive the paycheck, it will be returned to the payroll department. 3. System Flowchart Analysis Using the Flowchart labeled Problem 3, answer the following questions: a) What are the names of Departments X and Y? b) What are the names of the documents that are identified by letters in the system? Use the following format: Doc A = (Name of document here), etc. c) What are the processes that are represented by letters in the system? d) What are the files that are represented by letters in the system? e) What is represented by the terminal labeled “Z”? Response: a)
Department X is Cash Disbursements, Department Y is General Ledger
b)
Doc A = Purchase Order Doc D = Journal Voucher Doc H = Vendor Check Doc K= Check Copy Doc G = Journal Voucher
c)
Process B = Set Up Liability (Post to AP) Process E = Disburse cash (discharge liability) Process I = Post to GL
d)
File C = AP Sub ledger (vendor Invoice file) File F = Check register (Cash Disbursements Journal) File J = General Ledger
e)
Terminal Z = Vendor (Supplier)
4. System Flowchart Analysis Refer to the system flowchart labeled Problem 4. Required: a. Discuss the uncontrolled risks associated with the systems as currently configured. b. Describe the controls that need to be implemented into the system to mitigate the risks in the given scenario.
Response: Part a. and b. below: 1) Risk: Unnecessary purchases of inventory may occur and the potential for kick-back fraud exists under the current system. Control: A purchase requisition should originate from the inventory control function to authorize the creation of a purchase order. 2) Risk: The organization may receive and accept incorrect item types and /or quantities of items. Control: Use of a blind copy of the PO will force the receiving clerk to count and inspect receipts. The clerk should not have access to the packing slip, which contains details. 3) Risk: The organization may pay for items that it did not order. The liability is set up based only on the Invoice and the Rec Rept. Control: Perform a three-way-match (PO, Rec Report, and Invoice). 4) Risk: The potential for vendor fraud exists because the AP department sets up the liability and also pays it. Control: AP should authorize Cash Disbursements to may payment on the due date. 5. Payroll Fraud John Smith worked in the stockyard of a large building supply company. One day he unexpectedly and without notice left for California never to return. His foreman seized the opportunity to continue to submit timecards for John to the payroll department. Each week, as part of his normal duties, the foreman received the employee paychecks from payroll and distributed them to the workers on his shift. Because John Smith was not present to collect his paycheck, the foreman forged John’s name and cashed it. Required: Describe two control techniques to prevent or detect this fraud scheme. Response: a. An employee action report from the personnel department should list all current employees. Time cards for terminated or nonexistent employees should be identified when reconciled with the personnel report. b. An independent paymaster should distribute the paychecks to the employees. If an employee is not present to receive the paycheck, it should be returned to the payroll department. 6. 
Source Documents Identification Refer to the Problem 6 figure presented in the text, which shows typical expenditure cycle files and attributes. Explain, in detail, the process by which these data are obtained and used in the requisition, purchase, and payment to inventory. Response: First, the Inventory Master file is searched to determine if the Quantity on Hand is less than or equal to the Reorder Point, which is a predetermined point at which the firm orders more inventory. If it is less than or equal to the reorder point and the Quantity on Order is not flagged as true, then the EOQ (a predetermined optimal order amount) is used to order the
Inventory Number item, which is an assigned number and described by the Description field. The item is ordered from a specified Vendor in the Vendor file, and this information is stored in the Inventory Master file. A purchase requisition is filled out and a Purchase Requisition Number is assigned to the requisition. The Inventory Number, Quantity on Order, Vendor Number, and Unit Standard Cost are recorded. The vendor Address, Terms of Trade, and Lead Time are obtained from the Vendor file. If the Lead Time is too long, a different vendor may need to be chosen or the price paid may be higher than the predetermined Standard Cost for the item. At this point, the Date of Last Order field in the vendor file is updated. The purchasing department then completes a purchase order and places it into the Open Purchase Order file until the order is completed. First, the purchasing clerk assigns a Purchase Order Number and fills in the corresponding Purchase Order Number. The following information is also copied to the purchase order file from the above-mentioned records: Purchase Requisition Number, Inventory Number, Quantity on Order, Vendor Number, Vendor Address, and Standard Cost. The Expected Invoice Amount is determined by multiplying the expected price times the quantity ordered. When the inventory is received, the Inventory Master File is updated: the Quantity on Hand is increased by the number of units received, and the Total Inventory Cost is updated. In the Open Purchase Order file, the field Rec Flag is checked to indicate that the goods have been received. When the vendor’s invoice is received, the Invoice Flag field in the Open Purchase Order file is checked to indicate that the invoice has been received. Further, the accounts payable department adds a new record to the Voucher Register. 
This voucher register record is assigned a Voucher Number, and the following information is recorded in it: Purchase Order Number, Purchase Requisition Number, Inventory Number, Quantity on Order, Vendor Number, Address, Standard Cost, and Expected Invoice Amount. The invoice Due Date is also noted so that the disbursement may be made as close to the due date as possible without missing any discounts offered.
7.
IT Controls Using the flowchart for Problem 7, describe the IT application controls that would apply to the system. Be specific as to the role each control plays. Response: IT APPLICATION CONTROLS:
a. Automated Purchase Approval. Computer logic, not a human being, decides when to purchase, what to purchase, and from which vendor. The key attributes needed to execute this logic come from the purchase requisition file and the valid vendor file. The objective is to prevent unauthorized purchases from unapproved vendors.
b. Automated Three-Way Match and Payment Approval. When the AP clerk receives the supplier’s invoice, the clerk accesses the system and adds a record to the vendor invoice file. This act prompts the system to automatically create a virtual AP packet by linking the vendor invoice to the associated purchase order and receiving report records, using the PO number as a common attribute. The application then reconciles the supporting documents, using programmed criteria for assessing discrepancies. Discrepancies in excess of the threshold are submitted to management for review and manual approval.
c. Multilevel Security. Multilevel security is a means of achieving segregation of duties in an integrated data processing environment where multiple users simultaneously access a common central application. Two methods for achieving multilevel security are the access control list (ACL) and role-based access control (RBAC). Through these techniques, purchasing, receiving, accounts payable, cash disbursements, and general ledger personnel are limited in their access based on the privileges assigned to them.
d. Automated Posting to Subsidiary and GL Accounts. All of the record keeping functions are automated in the advanced technology system. In the advanced technology system, a computer application, which is not subject to human failings such as yielding to situational pressures and/or lacking ethical standards, decides which accounts to update and by how much. By eliminating the human element from accounting activities, the potential for errors and opportunities for fraud are significantly reduced. Also, since these are labor intensive activities, automating them greatly improves efficiency of operations.
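The three-way match in item b, worked as an added Python illustration (hypothetical code, not the textbook's; the record layouts, the 2% tolerance and the valid vendor set are assumptions). It links a vendor invoice to its purchase order and receiving report on the PO number, reconciles quantities and amounts, and routes discrepancies over the threshold to manual review; the same logic serves Problem 9 and the missing three-way-match weaknesses in the cases that follow.

```python
"""Automated three-way match with a programmed discrepancy threshold.
Hypothetical illustration for Problems 7 and 9, not the textbook's own code.
Record layouts are assumed; field names follow the Problem 6 attributes."""
from dataclasses import dataclass, field


@dataclass
class PurchaseOrder:
    po_number: str
    vendor_number: str
    quantity_on_order: int
    standard_cost: float        # unit price expected from the vendor file
    rec_flag: bool = False      # set when the receiving report is posted
    invoice_flag: bool = False  # set when the vendor invoice is posted


@dataclass
class ReceivingReport:
    po_number: str
    quantity_received: int


@dataclass
class VendorInvoice:
    invoice_number: str
    po_number: str
    vendor_number: str
    quantity_billed: int
    amount: float


@dataclass
class MatchResult:
    decision: str                        # "approve", "manual_review" or "hold"
    reasons: list = field(default_factory=list)
    voucher_amount: float = 0.0          # amount posted to the voucher register


def three_way_match(inv, po_file, rr_file, valid_vendors, tolerance=0.02):
    """Build the virtual AP packet (invoice -> PO -> receiving report) on the
    PO number and reconcile it.  tolerance is the largest relative amount
    discrepancy the program approves on its own; 2% is an assumed figure."""
    result = MatchResult(decision="hold")
    po = po_file.get(inv.po_number)
    if po is None:
        result.reasons.append("no open purchase order for this PO number")
        return result
    if inv.vendor_number not in valid_vendors:
        result.reasons.append("vendor not on the valid vendor file")
        return result
    if inv.vendor_number != po.vendor_number:
        result.reasons.append("invoice vendor differs from PO vendor")
        return result
    rr = rr_file.get(inv.po_number)
    if rr is None or not po.rec_flag:
        result.reasons.append("no receiving report: goods not yet received")
        return result
    po.invoice_flag = True  # packet is complete; record the invoice's arrival

    # Quantity reconciliation: billed <= received <= ordered.
    if inv.quantity_billed > rr.quantity_received:
        result.reasons.append(
            f"billed {inv.quantity_billed}, received {rr.quantity_received}")
    if rr.quantity_received > po.quantity_on_order:
        result.reasons.append(
            f"received {rr.quantity_received}, ordered {po.quantity_on_order}")

    # Price reconciliation: invoice amount vs standard cost of units received.
    expected = round(rr.quantity_received * po.standard_cost, 2)
    if expected == 0 or abs(inv.amount - expected) / expected > tolerance:
        result.reasons.append(
            f"invoice {inv.amount:.2f} vs expected {expected:.2f} exceeds tolerance")

    if result.reasons:
        result.decision = "manual_review"  # over threshold: management approval
    else:
        result.decision = "approve"
        result.voucher_amount = inv.amount
    return result


def run_demo():
    """Constructed sample packets; returns {invoice number: MatchResult}."""
    po_file = {
        "PO-1001": PurchaseOrder("PO-1001", "V-10", 100, 4.50, rec_flag=True),
        "PO-1002": PurchaseOrder("PO-1002", "V-11", 50, 12.00, rec_flag=True),
        "PO-1003": PurchaseOrder("PO-1003", "V-10", 20, 30.00),
    }
    rr_file = {"PO-1001": ReceivingReport("PO-1001", 100),
               "PO-1002": ReceivingReport("PO-1002", 50)}
    valid_vendors = {"V-10", "V-11"}
    invoices = [
        VendorInvoice("INV-A", "PO-1001", "V-10", 100, 455.00),  # 1.1% over
        VendorInvoice("INV-B", "PO-1002", "V-11", 50, 660.00),   # 10% over
        VendorInvoice("INV-C", "PO-1003", "V-10", 20, 600.00),   # not received
        VendorInvoice("INV-D", "PO-1001", "V-99", 100, 450.00),  # unknown vendor
    ]
    return {i.invoice_number: three_way_match(i, po_file, rr_file, valid_vendors)
            for i in invoices}
```

Calling run_demo() approves INV-A, refers INV-B to management, and holds INV-C and INV-D with the reason recorded on each result.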
8.
Physical Controls Using the flowchart of a purchases system for Problem 8, identify six major physical control weaknesses in the system. Discuss and classify each weakness in accordance with the COSO internal control framework. Response:
Transaction Authorization. Purchases are not authorized by inventory control.
Accounting Records. Inventory records are updated based on the purchase order rather than the Receiving Report or Invoice.
Accounting Records. The Accounts Payable Subsidiary ledger is updated based only on the Invoice. There is no reconciliation with supporting documents (purchase order and receiving report).
Accounting Records. There is no Cash Disbursements Journal or Check Register in use.
Accounting Records/Segregation of Functions. The receiving department prepares the Receiving Report directly from the Packing Slip. A blind copy of the Purchase Order should go to the receiving clerk to control this activity. A supervisor should take possession of the packing slip that contains relevant data and oversee the inspection process.
Accounting Records/Independent Verification. The General Ledger department should receive Journal vouchers or batch totals from Inventory Control, Cash Disbursements, and Accounts Payable. These are used to keep the General Ledger Control accounts current and to verify the overall accounting accuracy of the process.
9.
IT Controls Using the flowchart for Problem 9, describe the IT application controls that would apply to the system. Be specific as to the role each control plays.
a. Automated Purchase Approval. Computer logic, not a human being, decides when to purchase, what to purchase, and from which vendor. The key attributes needed to execute this logic come from the purchase requisition file and the valid vendor file. The objective is to prevent unauthorized purchases from unapproved vendors.
b. Automated Three-Way Match and Payment Approval. When the AP clerk receives the supplier’s invoice, the clerk accesses the system and adds a record to the vendor invoice file. This act prompts the system to automatically create a virtual AP packet by linking the vendor invoice to the associated purchase order and receiving report records, using the PO number as a common attribute. The application then reconciles the supporting documents, using programmed criteria for assessing discrepancies. Discrepancies in excess of the threshold are submitted to management for review and manual approval.
c. Automated Posting to Subsidiary and GL Accounts. All of the record keeping functions are automated in the advanced technology system. In the advanced technology system, a computer application, which is not subject to human failings such as yielding to situational pressures and/or lacking ethical standards, decides which accounts to update and by how much. By eliminating the human element from accounting activities, the potential for errors and opportunities for fraud are significantly reduced. Also, since these are labor intensive activities, automating them greatly improves efficiency of operations.
10.
Payroll Controls Sherman Company employs 400 production, maintenance, and janitorial workers in eight separate departments. In addition to supervising operations, the supervisors of the departments are responsible for recruiting, hiring, and firing workers within their areas of responsibility. The organization attracts casual labor and experiences a 20 to 30 percent turnover rate in employees per year. Employees clock on and off the job each day to record their attendance on time cards. Each department has its own clock machine located in an unattended room away from the main production area. Each week, the supervisors gather the time cards, review them for accuracy, and sign and submit them to the payroll department for processing. In addition, the supervisors submit personnel action forms to reflect newly hired and terminated employees. From these documents, the payroll clerk prepares payroll checks and updates the employee records.
The supervisor of the payroll department signs the paychecks, which are drawn on the general cash account, and sends them to the department supervisors for distribution to the employees. A payroll register is sent to the cash disbursements department where it is filed. Required 1) Prepare a flowchart of Sherman’s payroll system. 2) Discuss the risks for payroll fraud in the Sherman Company payroll system. 3) What controls would you implement to reduce the risks? Response: 1. (Flowchart on the following page)
2. Risks
• Department supervisors have too much control over human resources. They are responsible for recruiting, hiring, and firing.
• The high degree of casual labor creates an environment that lends itself to abuse.
• High employee turnover rate makes identifying absent or nonexistent employees difficult.
• Clock machines are unsupervised and located in non-prominent areas.
• Department supervisors submit personnel action forms.
• Department supervisors distribute the paychecks to the employees; checks written for nonexistent employees could be kept and cashed by the supervisors.
3. Controls
• Authorization: A separate personnel function should be established to account for employees and to authorize their payment.
• Segregation of Duties: The department supervisors should not distribute the paychecks to employees. This should be the task of a paymaster.
• Supervision: The clocking in and out process should be supervised.
11.
Flowchart Analysis Discuss any control weaknesses found in the flowchart for Problem 11. Recommend any necessary changes. Control problem: Payroll checks appear to be drawn on the general cash account. This can result in undetected payroll errors and payroll fraud. Recommendations: The payroll register should be reviewed by AP, who then authorizes the cash disbursements department to issue a check for the entire payroll, which is deposited into a payroll imprest (clearing) account.
12.
Separation of Duties Human resource management systems necessitate that employees from both the payroll and personnel departments have access to confidential employee data. 1) List the tasks that personnel and payroll department employees respectively should and should not be able to perform. 2) Describe the data types in such a system that are sensitive and confidential. 3) What IT controls will provide the necessary separation of duties to limit access to functions and data? Response: Parts 1) and 2). The tasks to be performed by Personnel and Payroll employees and the data they may or may not access include:
Personnel Employees: Should be able to activate new employees and change the status of existing employees including rank, pay rates (salary), full time, part-time, active, and terminated. Should not be able to submit time and attendance data for employees.
Payroll Employees: Should be able to verify that an employee is an active valid employee. Should initiate the payroll process from time and attendance data. Should not be able to change employee status. Should not be able to view or edit performance evaluation data, health records, pension plan balances or contributions, injury claims, etc.
Part 3) The central storage of sensitive data requires multilevel security that ensures privacy and accuracy of data by limiting access to certain processes and data to authorized personnel.
13.
Unrecorded Liabilities You are auditing the financial statements of a New York City company that buys a product from a manufacturer in Los Angeles. The buyer closes its books on June 30. Assume the following details:
Terms of trade: FOB shipping point
June 10, buyer sends purchase order to seller
June 15, seller ships goods
July 5, buyer receives goods
July 10, buyer receives seller’s invoice
Required: a. Could this transaction have resulted in an unrecorded liability in the buyer’s financial statements? b. If yes, what documents provide audit trail evidence of the liability? c. On what date did the buyer realize the liability? d. On what date did the buyer recognize the liability? New assumption: Terms of trade: free on board destination. e. Could this transaction have resulted in an unrecorded liability in the buyer’s financial statements? f. If yes, what documents provide audit trail evidence of the liability? g. On what date did the buyer realize the liability? h. On what date did the buyer recognize the liability?
Response: Term FOB shipping point: a. Yes b. The best evidence is provided by the Purchase Order and Bill of Lading. Purchase Order—is evidence that the item was ordered, but does not indicate when it was shipped. Bill of Lading—reviewed post-period; will indicate when the goods were shipped. Receiving Report—prepared post-period; establishes possession but may not indicate when goods were shipped. c. June 15 d. July 10 Term FOB destination: e. No f. N/A g. July 5 h. July 15
14.
Payroll Flowchart Analysis Discuss the risks depicted by the payroll system flowchart for Problem 14. Describe the internal control improvements to the system that are needed to reduce these risks. Response: Risks: Supervisor submits the personnel action form and time cards. This allows him/her to create nonexistent employees. Supervisor distributes the paychecks to the employees. Checks written for nonexistent employees can be kept and cashed by the supervisor. Cash disbursements is authorizing funds transfer into the bank account and is also writing the funds transfer check. This is a segregation of duties problem. Controls: Authorization: A separate personnel function should be established to prepare personnel action forms and manage the human resource.
Segregation of Duties. The supervisor should not distribute the paychecks to employees. This task should be performed by an independent paymaster. Accounts Payable should approve the register and authorize payment by Cash Disbursements.
15.
Comprehensive Flowchart Analysis Discuss the internal control weaknesses in the expenditure cycle flowchart for Problem 14. Structure your answer in terms of the control activities within the COSO control model.
Transaction authorization: Payroll clerk prepares paychecks without authorization from a personnel action form. Cash disbursements department prepares vendor payments based solely on the Invoice. No supporting documents are used.
Segregation of duties: Cash disbursements department prepares the paychecks; this should be done by payroll. Cash disbursements department maintains the AP ledger and approves and writes checks. Payroll checks and vendor checks are paid through the general cash account. An imprest account should be used to clear the payroll checks. The supervisor should not distribute the paychecks to employees. This task should be performed by an independent paymaster.
Accounting records: No journal vouchers are prepared. The general ledger is being updated from source documents.
INTERNAL CONTROL CASES
1. Smith’s Market (Small Business Cash Sales Accounting System) Required: a. Create a data flow diagram of the current system. b. Create a system flowchart of the current system. c. Analyze the internal control weaknesses in the system. Model your response according to the six categories of physical control activities specified in the COSO internal control model. d. What financial statement misrepresentations may result from the control weaknesses? e. Describe the substantive tests that an auditor would perform to identify material misrepresentations.
Solution a), b) See diagrams on the following pages.
c) Internal Control Weaknesses
1) Warehouse clerk has transaction authorization and purchasing responsibility.
2) Warehouse clerk has asset custody and recordkeeping responsibility. Blind PO is not used to verify received inventory.
3) Accounting clerk approves invoice for payment without the benefit of a receiving report or a purchase order. No three-way match control.
4) Accounting clerk has accounts payable and cash disbursement responsibility.
d) Financial statement misrepresentations: Inventory value is misstated. Liabilities are misstated. Cash account is incorrect.
e) Substantive tests: Purchases: Search for Unrecorded Liabilities. Review for Accurate Invoice Prices. Review Disbursement Vouchers for Unusual Trends and Exceptions. Search for Unauthorized Disbursement Vouchers. Review for Multiple Checks to Vendors.
2. Tight Lines Fishing and Camping Supplies (Networked Computer System and Manual Procedures) Required a. Create a data flow diagram of the current system. b. Create a system flowchart of the existing system. c. Describe internal control weaknesses in the system and discuss the risks associated with these weaknesses. d. What financial statement misrepresentations may result from the control weaknesses? e. Describe the substantive tests that an auditor would perform to identify material misrepresentations.
Solution: a), b) See diagrams on the following pages.
c) Internal Control Weaknesses and Risks
1) Purchasing clerk should not authorize purchases; this is an inventory control function. Risk: Purchasing clerk could purchase items not needed. This could result in inefficient inventory management. It could also allow fraud such as a kick-back from vendors who are unloading items.
2) The receiving department clerk should receive a ‘blind copy’ of the purchase order and should not have access to the packing slip. Risk: This situation would allow the receiving clerk to complete a receiving report without actually counting and inspecting the items.
3) Inventory clerk updates the inventory subsidiary ledger. Risk: This is a segregation of duties issue – asset custody and recordkeeping. Clerk could steal inventory and adjust inventory records to conceal the theft.
4) The AP Clerk should not update the general ledger AP Control account. Risk: With access to both the sub ledger and control account, discrepancies caused by errors and fraud can be concealed.
5) Cash Disbursement clerk should not update the AP subsidiary ledger or the AP Control account in the GL. Risk: Clerk prepares check and updates the AP subsidiary and GL accounts. The clerk could set up a fraudulent AP and pay it (vendor fraud).
d) Financial statement misrepresentations
• Inventory value is misstated
• Liabilities are misstated
• Cash account is incorrect
e) Substantive tests:
• Search for Unrecorded Liabilities
• Review for Accurate Invoice Prices
• Review Disbursement Vouchers for Unusual Trends and Exceptions
• Search for Unauthorized Disbursement Vouchers
• Review for Multiple Checks to Vendors
3. TVR Classics (Manual and Stand-Alone Computer Processing) Required a. Create a data flow diagram of the current system. b. Create a system flowchart of the existing system. c. Analyze the physical internal control weaknesses in the system. d. What financial statement misrepresentations may result from the control weaknesses? e. Describe the substantive tests that an auditor would perform to identify material misrepresentations.
Solution: a), b) See diagrams on the following pages.
c) Internal Control Weaknesses
1) The inventory clerk in the warehouse department has asset custody and transaction authorization to order inventory.
2) The receiving clerk prepares the receiving report from the packing slip information. The receiving department clerk should receive a ‘blind copy’ of the purchase order to force the receiving clerk to count and inspect the items before preparing the receiving report.
3) The inventory clerk in the warehouse department has asset custody and record keeping responsibility.
4) Accounts Payable does not verify that the goods have been received via a formal receiving report. Payment approval is based on a PO and invoice only.
Cash Disbursements Procedures
5) The company may be paying for items not received. The cash disbursement voucher is based on a flawed process to set up the AP. A proper 3-way match needs to be performed prior to establishing the liability.
6) No valid vendor file is used to approve payment.
7) No formal Journal vouchers are used to update the General Ledger.
d) Financial statement misrepresentations: Inventory value is misstated. Liabilities are misstated. Cash account is incorrect.
e) Substantive tests: Search for Unrecorded Liabilities. Review for Accurate Invoice Prices. Review Disbursement Vouchers for Unusual Trends and Exceptions. Search for Unauthorized Disbursement Vouchers. Review for Multiple Checks to Vendors.
4. Discount Tools Inc. (Networked Computer System with Manual Procedures) Required a. Create a data flow diagram of the current system. b. Create a system flowchart of the existing system. c. Analyze the physical internal control weaknesses in the system. d. Describe the IT controls that should be in place in this system. e. What financial statement misrepresentations may result from the control weaknesses? f. Describe the substantive tests that an auditor would perform to identify material misrepresentations.
Solution: a), b) See the following pages.
c) Internal Control Weaknesses
1) Purchasing clerk should not authorize inventory purchases.
2) Receiving clerk should receive a blind copy of the PO and not have access to the packing slip.
3) Warehouse clerk should not update inventory sub ledger.
4) AP Clerk does not perform a three-way match. The clerk sets up a liability based only on a PO and the vendor’s invoice, but no receiving report.
d) Relevant IT Controls are below:
e) Financial statement misrepresentations: Inventory value is misstated. Liabilities are misstated. Cash account is incorrect.
f) Substantive tests: Purchases: Search for Unrecorded Liabilities. Review for Accurate Invoice Prices. Review Disbursement Vouchers for Unusual Trends and Exceptions. Search for Unauthorized Disbursement Vouchers. Review for Multiple Checks to Vendors.
5. ABE Plumbing, Inc. (Centralized Small Business Accounting System) Required a. Create a data flow diagram of the current system. b. Create a system flowchart of the existing system. c. Analyze the physical internal control weaknesses in the system. d. What financial statement misrepresentations may result from the control weaknesses? e. Describe the substantive tests that an auditor would perform to identify material misrepresentations.
Solution: a), b) See the following pages.
c) Internal Control Weaknesses
1) Purchasing agent authorizes and executes the purchase transaction.
2) Receiving clerk prepares receiving report from the packing slip. He should receive a “blind” copy of the PO.
3) Warehouse clerk should not be updating the inventory subsidiary ledger. The clerk has asset custody and record keeping responsibility.
4) Accounts Payable clerk should not be writing checks. The clerk has asset custody and record keeping responsibility.
d) Financial statement misrepresentations: Inventory value is misstated. Liabilities are misstated. Cash account is incorrect.
e) Substantive tests: Search for Unrecorded Liabilities. Review for Accurate Invoice Prices. Review Disbursement Vouchers for Unusual Trends and Exceptions. Search for Unauthorized Disbursement Vouchers. Review for Multiple Checks to Vendors.
(Diagram: ABE Plumbing, Inc. DFD, Expenditure Cycle)
(Diagram: ABE Plumbing Purchases / Cash Disbursements System flowchart, with Purchasing Department, Data Processing, Warehouse, Receiving Department, Accounts Payable and Cash Disbursements columns)
7. Custom Fabrications, Inc. (Stand-Alone PC-based Accounting System) Required a. Create a data flow diagram of the current system. b. Create a system flowchart of the existing system. c. Analyze the physical internal control weaknesses in the system. d. What financial statement misrepresentations may result from the control weaknesses? e. Describe the substantive tests that an auditor would perform to identify material misrepresentations.
Solution: a), b) See the diagrams on the following pages.
c) Internal Control Weaknesses and Risks:
1) Purchasing clerk should not authorize purchases; this is an inventory control function. Risk: Purchasing clerk could purchase items not needed. This could result in inefficient inventory management. It could also allow fraud such as a kick-back from vendors who are unloading items.
2) The accounts payable department creates a liability in their records with only the receiving report and vendor’s invoice. No three-way match. Risk: Company may be paying for items that were never officially ordered.
3) The warehouse receives the goods and prepares the receiving report. No formal and separate receiving function. Risk: This is a poor organization structure. By separating warehousing from receiving, errors in the receiving function may be detected by the warehousing function. This independent review is lost when the functions are combined.
4) The receiving report is prepared based on the packing slip. No blind copy of the PO. Risk: This situation allows the receiving clerk to complete a receiving report without actually counting and inspecting the items.
5) The general ledger updates the inventory control account from the receiving report. No journal voucher. Risk: Erroneous data may be entered into GL accounts. To reduce this risk, journal vouchers are used to formally post to the GL.
d) Financial statement misrepresentations: Inventory value is misstated. Liabilities are misstated. Cash account is incorrect.
e) Substantive tests: Search for Unrecorded Liabilities. Review for Accurate Invoice Prices. Review Disbursement Vouchers for Unusual Trends and Exceptions. Search for Unauthorized Disbursement Vouchers. Review for Multiple Checks to Vendors.
8. Patriot Generators, Inc.—Payroll System (Manual and Stand-Alone PC Procedures) Required a. Prepare a data flow diagram of the current payroll system. b. Prepare system flowcharts for the payroll system. c. Describe the uncontrolled risks associated with the system as currently designed. d. Describe the physical and IT controls needed to reduce the risks identified in “C” above. Explain your solution.
Solution: Parts A and B: see the following pages.
C. Uncontrolled Risks
1) Payroll fraud by submitting false timesheets
2) Cash asset misappropriation by AP clerk
3) Accounting errors in the General Ledger
Physical Controls
1) Transaction Authorization – Employ personnel action report to validate employees.
2) Segregation of duties – Paymaster to distribute paychecks. Supervisors should not submit and review time cards and also distribute paychecks.
3) Segregation of duties – Cash disbursement function. The AP department should not be writing checks. They should authorize cash disbursements to do so.
4) Independent Verification/Accounting records – The general ledger department should receive a journal voucher from cash disbursements and an account summary from the AP department.
IT Controls: Limit tests, Validation controls, Password control over access to computers, Error Messages, File backup, Automated posting to accounts
9. Turner Patio Furniture (Manual and Stand-Alone PC System) Required a. Prepare a data flow diagram of the current payroll system. b. Prepare system flowcharts for the payroll system. c. Describe the uncontrolled risks associated with the systems as currently designed. d. Describe the physical and IT controls needed to reduce the risks identified in “C” above.
Solution: a), b) See diagrams on the following pages.
c) Uncontrolled Risks
1. Payroll fraud is possible because supervisors approve time cards and distribute paychecks.
2. Absence of personnel action forms allows invalid time cards to be submitted.
3. GL records may be inaccurately prepared because of current accounting procedures.
d) Controls to Reduce Risks
Physical Controls
1. Use personnel action form to validate employees and pay rates.
2. Employ paymaster to distribute checks to employees.
3. General Ledger should not update the GL from a CD disbursement voucher. It should receive formal Journal vouchers.
IT Controls
1. Limit tests
2. Validation controls
3. Password control over access to computers
4. Error Messages
5. File backup
6. Automated posting to accounts
10. Holly Company—Payroll Systems (Small Company Uses Manual Procedures with PC Support) Required a. Prepare a data flow diagram of the current system. b. Prepare a system flowchart of the existing system. c. Describe the uncontrolled risks associated with this system as it is currently designed. d. Describe the physical and IT controls needed to reduce the risks identified in “C” above.
Solution to Holly Company Payroll System
Part a) Payroll DFD
(Diagram: Holly Company Payroll System DFD, showing Record Hours Worked, Review Time Cards, Prepare Payroll, Print Checks and Update Accounts, Sign Checks, and Distribute Checks, with Time Cards, Employee Records, Payroll Register and Paychecks flows)
Part b) Payroll System Flowchart
Part c. Uncontrolled Risks:
1) Timekeeping process is unsupervised, allowing for fraudulent time and attendance records.
2) Accounting Department approves, prepares, and signs paychecks, which allows payroll fraud by altering paychecks or issuing fraudulent paychecks.
3) Accounting errors and fraudulent transactions may go undetected when the accounting department is responsible for maintaining both subsidiary and control accounts.
4) Payroll drawn on general cash account rather than a clearing account. This enables payroll errors and fraudulent transactions to go undetected.
5) Payroll clerk prepares paychecks without authorization from a personnel action form. This runs the risk of processing unauthorized paychecks.
6) Foremen authorize time cards and distribute paychecks. This permits the foremen to submit fraudulent time cards and receive the paychecks.
Part d. Physical Controls
1) Provide supervision over timekeeping process
2) Paychecks should be prepared by Payroll Department
3) Create separate GL function or provide access control to GL and maintain an audit trail.
4) Establish separate cash disbursement department
5) Establish an imprest account for payroll
6) Employ a paymaster to distribute paychecks to employees
7) Use payroll action form to verify the status of employees before preparing paychecks.
IT Controls
1) Limit tests
2) Validation controls
3) Direct deposit of checks
4) Password control over access to the system
5) Error Messages
6) File backup
7) Automated posting to accounts
ACL Assignments The files used for the following assignments are located in the sampleproject.acl that accompanies the ACL educational site license. Some of the assignments employ ACL’s Relation and Join features. For detailed information on the use of these and other commands, consult ACL’s online Help.
1. Open the AP_Trans (purchases) file and stratify it on the Quantity field. Print the last results window and comment on the action to be taken by the auditor.
2. Using the Relation feature, create a view from data in both the AP_Trans (purchases) and Inventory files that shows product details (product description and quantity on hand). Print the view and comment on the results.
3. Open the EMPMAST (employee master file) and test for duplicate employee records. Prepare a last-results report that identifies anomalies or potential errors. Print the report and comment on the results.
4. Using the Relation feature, create a view of data from both the Empmast and Payroll files that tests for paychecks to non-existent employees.
5. Using the Join feature, create a view of data from both the Empmast and Payroll files that tests for paychecks to nonexistent employees.
6. Bradmark Comprehensive Case. Required: Access the Bradmark ACL Case in the Student Resource section of the textbook’s Web site. Your instructor will tell you which questions to answer.
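The stratification, relation, duplicate-record and ghost-employee tests in assignments 1 to 5, re-done as an added Python illustration over constructed records (not ACL's commands and not the sampleproject.acl data; the field names and sample values are assumptions). The join test keeps every paycheck whose employee number has no active master record, which is the condition the auditor is looking for.

```python
"""Substantive audit tests from the ACL assignments, re-done in plain Python.
Added illustration: the Stratify, Relation and Join steps are re-implemented
over small constructed records that carry the same field roles."""
from collections import Counter

# Constructed sample records (field names assumed, not the ACL sample files).
AP_TRANS = [
    {"invoice": "I1", "product": "P100", "quantity": 5},
    {"invoice": "I2", "product": "P200", "quantity": 40},
    {"invoice": "I3", "product": "P100", "quantity": 120},
    {"invoice": "I4", "product": "P300", "quantity": 900},
]
INVENTORY = {
    "P100": {"description": "1/2 in. valve", "qty_on_hand": 30},
    "P200": {"description": "pipe clamp", "qty_on_hand": 210},
}
EMPMAST = [
    {"emp_no": "E001", "name": "A. Adams", "status": "active"},
    {"emp_no": "E002", "name": "B. Brown", "status": "active"},
    {"emp_no": "E002", "name": "B. Browne", "status": "active"},   # duplicate key
    {"emp_no": "E003", "name": "C. Clark", "status": "terminated"},
]
PAYROLL = [
    {"check_no": "C1", "emp_no": "E001", "gross": 1200.00},
    {"check_no": "C2", "emp_no": "E003", "gross": 1500.00},  # terminated employee
    {"check_no": "C3", "emp_no": "E999", "gross": 1800.00},  # no master record
]


def stratify(records, field_name, bands):
    """Assignment 1: count records and total the field in each (low, high]
    band.  Sparse high bands are where the auditor looks for unusual
    purchase quantities that deserve follow-up."""
    out = {band: {"count": 0, "total": 0} for band in bands}
    for r in records:
        value = r[field_name]
        for low, high in bands:
            if low < value <= high:
                out[(low, high)]["count"] += 1
                out[(low, high)]["total"] += value
                break
    return out


def relate_purchases_to_inventory(ap_trans, inventory):
    """Assignment 2: Relation-style view of each purchase with its product
    details.  A purchase whose product is missing from Inventory is kept
    with None fields rather than dropped, since that is itself an anomaly."""
    view = []
    for r in ap_trans:
        prod = inventory.get(r["product"], {})
        view.append({**r, "description": prod.get("description"),
                     "qty_on_hand": prod.get("qty_on_hand")})
    return view


def duplicate_keys(records, key):
    """Assignment 3: key values that occur on more than one record."""
    counts = Counter(r[key] for r in records)
    return sorted(k for k, n in counts.items() if n > 1)


def paychecks_to_nonexistent(payroll, empmast):
    """Assignments 4 and 5: join Payroll to Empmast on employee number and
    report checks with no active master record (ghost employees)."""
    master = {}
    for r in empmast:
        master.setdefault(r["emp_no"], r)   # first master record wins
    exceptions = []
    for chk in payroll:
        m = master.get(chk["emp_no"])
        if m is None:
            exceptions.append((chk["check_no"], chk["emp_no"], "no master record"))
        elif m["status"] != "active":
            exceptions.append((chk["check_no"], chk["emp_no"], m["status"]))
    return exceptions


if __name__ == "__main__":
    bands = [(0, 50), (50, 500), (500, float("inf"))]
    print(stratify(AP_TRANS, "quantity", bands))
    print(duplicate_keys(EMPMAST, "emp_no"))
    print(paychecks_to_nonexistent(PAYROLL, EMPMAST))
```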
CHAPTER 11 ENTERPRISE RESOURCE PLANNING SYSTEMS REVIEW QUESTIONS 1. Define ERP. Response: ERP systems are multiple module software packages that evolved primarily from traditional manufacturing resource planning (MRP) systems. The objective of ERP is to integrate key processes of the organization such as order entry, manufacturing, procurement and accounts payable, payroll, and human resources. By doing so, a single computer system can serve the unique needs of each functional area. 2. What is the closed database architecture? Response: The closed database architecture is similar in concept to the basic flat-file model. Under this approach, a database management system is used to provide minimal technological advantage over flat-file systems. The DBMS is little more than a private, but powerful, file system. Each function has a private database. 3. Define core applications and give some examples. Response: Core applications are those applications that operationally support the day-to-day activities of the business. If these applications fail, so does the business. Typical core applications would include, but are not limited to, sales and distribution, business planning, production planning, shop floor control, and logistics. 4. Define OLAP and give some examples. Response: Online analytical processing (OLAP) can be characterized as online transactions that: • Access very large amounts of data (e.g., several years of sales data). • Analyze the relationships among many types of business elements such as sales, products, geographic regions, and marketing channels. • Involve aggregated data such as sales volumes, budgeted dollars, and dollars spent. • Compare aggregated data over hierarchical time periods (e.g., monthly, quarterly, yearly). • Present data in different perspectives such as sales by region, by distribution channel, or by product. 
• Involve complex calculations among data elements such as expected profit as a function of sales revenue for each type of sales channel in a particular region. • Respond quickly to user requests so they can pursue an analytical thought process without being stymied by system delays. An example of an OLAP transaction is the aggregation of sales data by region, product type, and sales channel. The OLAP query may need to access vast amounts of sales data over a multiyear period to find sales for each product type within each region. 5. What is the client-server model? Response: The client-server model is a form of network topology in which the user's computer or terminal (the client) accesses the ERP's programs and data via a host computer called the server. While the servers may be centralized, the clients are usually located at multiple locations throughout the enterprise.
6. Describe the two-tier client-server model. Response: In a two-tier architecture, the server handles both application and database duties. Some ERP vendors use this approach for local area network (LAN) applications. Client computers are responsible for presenting data to the user and passing user input back to the server. 7. Describe the three-tier client-server model. Response: The database and application functions are separated in the three-tier model. This architecture is typical of large production ERP systems, which use wide area networks (WANs) for connectivity. Satisfying a client request requires two or more network connections. Initially, the client establishes communications with the application server. The application server then initiates a second connection to the database server. 8. What is bolt-on software? Response: Bolt-on software refers to special-purpose software provided by third-party vendors. These packages are used for purposes the ERP software alone does not address. 9. What is SCM software? Response: Supply chain management (SCM) systems are a class of application software that supports supply chain management. The supply chain is the set of activities associated with moving goods from the raw-materials stage on to the consumer. This includes procurement, production scheduling, order processing, inventory management, transportation, warehousing, customer service, and forecasting the demand for goods. Successful SCM coordinates and integrates these activities into a seamless process. In addition to the key functional areas within the organization, SCM links all of the partners in the chain, including vendors, carriers, third-party logistics companies, and information systems providers. Organizations can achieve competitive advantage by linking the activities in their supply chain more efficiently and effectively than their competitors. 10. What is changed data capture?
Response: Changed data capture is a technique that can dramatically reduce the time needed to extract data from operational databases by capturing only newly modified data. The extraction software compares the current operational database with an image of the data taken at the last transfer of data to the warehouse. Only the data that have changed in the interim are captured. 11. What is a data warehouse? Response: A data warehouse is a relational or multidimensional database that may consume hundreds of gigabytes, or even terabytes, of disk storage. The warehouse consists of historic data that are used for business analysis. A data warehouse is a database constructed for quick searching, retrieval, ad hoc queries, and ease of use. The data are normally extracted periodically from an operational database or from a public information service. 12. What is data mining? Response: Data mining is the process of selecting, exploring, and modeling large amounts of data to uncover relationships and global patterns that exist in large databases but are hidden among the vast number of facts. This involves sophisticated techniques that use database queries and artificial intelligence to model real-world phenomena from data collected from the warehouse.
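Changed data capture as described in question 10, shown as an added Python example that is not from the textbook: the current operational table is compared, row by row on its primary key, with the image saved at the last warehouse load, and only inserted, updated and deleted rows are passed on to the extract. The table, its columns and its rows are constructed for the example.

```python
"""Changed data capture by comparing the operational table with the image
taken at the last warehouse load. All rows are constructed for the example."""
import hashlib
import json

# Image of the customer table saved at the last transfer to the warehouse
LAST_IMAGE = [
    {"cust_id": 1, "name": "Acme Ltd", "credit_limit": 5000, "region": "N"},
    {"cust_id": 2, "name": "Bolt & Co", "credit_limit": 2500, "region": "S"},
    {"cust_id": 3, "name": "Cobb Inc", "credit_limit": 800, "region": "E"},
]

# Current operational table: 1 unchanged, 2 updated, 3 deleted, 4 inserted
CURRENT_TABLE = [
    {"cust_id": 1, "name": "Acme Ltd", "credit_limit": 5000, "region": "N"},
    {"cust_id": 2, "name": "Bolt & Co", "credit_limit": 4000, "region": "S"},
    {"cust_id": 4, "name": "Dune plc", "credit_limit": 1200, "region": "W"},
]


def row_digest(row, key):
    """Stable digest of the non-key columns, so two versions of a row can be
    compared with one string comparison instead of column by column."""
    payload = json.dumps({k: v for k, v in row.items() if k != key}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def capture_changes(image, current, key="cust_id"):
    """Return the inserts, updates and deletes since the image was taken.
    Deletes must be derived from the image: a deleted row no longer exists
    in the current table, so it cannot be found by scanning the table alone."""
    old = {r[key]: r for r in image}
    new = {r[key]: r for r in current}
    inserts = [new[k] for k in sorted(new.keys() - old.keys())]
    deletes = [old[k] for k in sorted(old.keys() - new.keys())]
    updates = [new[k] for k in sorted(new.keys() & old.keys())
               if row_digest(new[k], key) != row_digest(old[k], key)]
    return {"inserts": inserts, "updates": updates, "deletes": deletes}


def extract_for_warehouse(image, current, key="cust_id"):
    """Flatten the change set into the records the load step receives,
    each tagged with its change type."""
    changes = capture_changes(image, current, key)
    return ([("I", r) for r in changes["inserts"]]
            + [("U", r) for r in changes["updates"]]
            + [("D", r) for r in changes["deletes"]])


if __name__ == "__main__":
    for change_type, row in extract_for_warehouse(LAST_IMAGE, CURRENT_TABLE):
        print(change_type, row)
    print(f"extracted {len(extract_for_warehouse(LAST_IMAGE, CURRENT_TABLE))} "
          f"of {len(CURRENT_TABLE)} current rows")
```

After the load, the current table becomes the new image; the saving comes from shipping three tagged rows rather than re-extracting the whole table, and the delete tag is what lets the warehouse keep a correct history of rows that no longer exist operationally.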
13. What does data cleansing mean? Response: Data cleansing involves filtering out or repairing invalid data prior to their being stored in the warehouse. Operational data are dirty for many reasons. Clerical, data entry, and computer program errors can create illogical data such as negative inventory quantities, misspelled names, and blank fields. Data cleansing also involves transforming data into standard business terms with standard data values. 14. Why are denormalized tables used in data warehouses? Response: Because of the vast size of a data warehouse, inefficiency caused by joining normalized data can be very detrimental to the performance of the system. A three-way join between tables in a large data warehouse may take an unacceptably long time to complete and may be unnecessary. Because historical data are static in nature, nothing is gained by constructing normalized tables with dynamic links. 15. What is the drill-down approach? Response: Drill-down analysis begins with the summary views of data described above. When anomalies or interesting trends are observed, the user drills down to lower-level views and ultimately into the underlying detail data. 16. What is the big bang approach? Response: The big bang is an ambitious method of implementing an ERP system. Organizations taking this approach attempt to switch operations from their old legacy systems to the new system in a single event that implements the ERP system across the entire company. While this method has certain advantages, it has been associated with numerous system failures. 17. What is scalability? Response: Scalability is the system's ability to grow smoothly and economically as user requirements increase. The term system in this context refers to the technology platform, application software, network configuration, or database.
Smooth and economical growth is the ability to increase system capacity at an acceptable, incremental cost per unit of capacity without encountering limits that would demand a system upgrade or replacement. User requirements pertain to volume-related activities such as transaction processing volume, data entry volume, data output volume, data storage volume, or increases in the user population. 18. What is a role? Response: A role is a formal technique for grouping together users according to the system resources they need to perform their assigned tasks. 19. What is an access control list? Response: An access control list (or access token) is used to achieve access control within the user's application. The access control list specifies the user ID, the resources available to the user, and the level of permission granted, such as read-only, edit, or create. 20. How is the access control list approach different from RBAC? Response: The access control list approach assigns access directly to the individual. RBAC assigns permissions to a role, and then the individual is assigned to the role. It is a way of dealing efficiently with the many-to-many relationship between individuals and permissions.
21. What is the OLAP operation called consolidation? Response: Consolidation is the aggregation or roll-up of data. For example, sales office data can be rolled up to districts and districts rolled up to regions. 22. What is the OLAP operation of drill-down? Response: Drill-down allows the user to display the detail that underlies consolidated data. 23. What is meant by the term slicing and dicing? Response: Slicing and dicing enables the user to examine data from different viewpoints. One slice of data might show sales within each region. Another slice presents sales by product across regions. Slicing and dicing is often performed along a time axis to depict trends and patterns.
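Added Python example, not from the textbook, of the three OLAP operations defined in questions 21 to 23 (discussion questions 17 and 18 revisit the same operations): consolidation rolls sales office figures up to districts and regions, drill-down reverses that for one member of the hierarchy, and slicing and dicing cross-tabulates the same facts by two dimensions after optionally fixing a third, such as a quarter on the time axis. The office hierarchy and the sales figures are constructed.

```python
"""OLAP consolidation (roll-up), drill-down and slice/dice over a small
constructed sales cube. The hierarchy and figures are made up for the example."""
from collections import defaultdict

# office -> (district, region); the consolidation hierarchy (constructed)
HIERARCHY = {
    "Boston": ("NE-1", "East"), "Hartford": ("NE-1", "East"),
    "Newark": ("NE-2", "East"), "Denver": ("MW-1", "West"),
    "Phoenix": ("SW-1", "West"),
}
LEVELS = ("office", "district", "region")   # lowest to highest

# Fact rows: (office, product, quarter, sales) (constructed)
FACTS = [
    ("Boston", "widget", "Q1", 100), ("Boston", "gadget", "Q1", 40),
    ("Hartford", "widget", "Q1", 60), ("Newark", "widget", "Q2", 80),
    ("Denver", "gadget", "Q1", 120), ("Denver", "gadget", "Q2", 130),
    ("Phoenix", "widget", "Q2", 50),
]


def dim(fact, name):
    """Value of one dimension for a fact; hierarchy levels are derived from the office."""
    office, product, quarter, _sales = fact
    if name in LEVELS:
        district, region = HIERARCHY[office]
        return {"office": office, "district": district, "region": region}[name]
    return {"product": product, "quarter": quarter}[name]


def consolidate(facts, level):
    """Roll sales up to office, district or region totals."""
    totals = defaultdict(int)
    for fact in facts:
        totals[dim(fact, level)] += fact[3]
    return dict(totals)


def drill_down(facts, level, member):
    """Totals at the next lower level beneath one member of `level`,
    e.g. the districts that make up a region."""
    if level == "office":
        raise ValueError("office is the lowest level; show the detail rows instead")
    child = LEVELS[LEVELS.index(level) - 1]
    totals = defaultdict(int)
    for fact in facts:
        if dim(fact, level) == member:
            totals[dim(fact, child)] += fact[3]
    return dict(totals)


def slice_dice(facts, rows, cols, **fixed):
    """Cross-tabulate sales by two dimensions after fixing any others,
    e.g. slice_dice(FACTS, "region", "product", quarter="Q1")."""
    table = defaultdict(lambda: defaultdict(int))
    for fact in facts:
        if all(dim(fact, k) == v for k, v in fixed.items()):
            table[dim(fact, rows)][dim(fact, cols)] += fact[3]
    return {r: dict(c) for r, c in table.items()}


if __name__ == "__main__":
    print("by region:", consolidate(FACTS, "region"))
    print("East by district:", drill_down(FACTS, "region", "East"))
    print("NE-1 by office:", drill_down(FACTS, "district", "NE-1"))
    print("Q1 region x product:", slice_dice(FACTS, "region", "product", quarter="Q1"))
    print("product x region:", slice_dice(FACTS, "product", "region"))
```

The drill-down from a region to its districts and then to offices is the path an auditor follows when a consolidated figure looks unusual; the warehouse typically stores the consolidated totals as summary views so that only the drill-down needs the detail rows.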
DISCUSSION QUESTIONS: 1. How are OLTP and OLAP different? Provide some examples. Response: Online transaction processing (OLTP) applications support mission-critical tasks through simple queries of operational databases. Online analytical processing (OLAP) applications support management-critical tasks through analytical investigation of complex data associations that are captured in data warehouses. 2. Distinguish between the two-tier and three-tier client-server models. Describe when each would be used. Response: In a two-tier architecture, the server handles both application and database duties. Some ERP vendors use this approach for local area network (LAN) applications. Client computers are responsible for presenting data to the user and passing user input back to the server. In the three-tier model the database and application functions are separated. This architecture is typical of large production ERP systems, which use wide area networks (WANs) for connectivity. Satisfying a client request requires two or more network connections. Initially, the client establishes communications with the application server. The application server then initiates a second connection to the database server. 3. Why do ERP systems need bolt-on software? Give an example of bolt-on software. Response: Many organizations have found that ERP software alone cannot drive all the processes of the company. These firms use a variety of bolt-on software provided by third-party vendors. At present, most ERP systems that support electronic commerce use bolt-on packages that upload product information files from the ERP database and present them on the web page for customers. The bolt-on system collects the Internet orders and creates a transaction batch file, which is periodically downloaded to the ERP system for processing. This situation is changing rapidly.
With increased demand from customers for real-time commitments from their manufacturers regarding price, manufacturing schedule, and delivery date, leading ERP suppliers are being forced to make their systems web-enabled. 4. Your organization is considering acquiring bolt-on software for your ERP system. What approaches are open to you? Response: The decision to use bolt-on software requires careful consideration. Most of the leading ERP vendors have entered into partnership arrangements with third-party vendors to provide specialized functionality. The least risky approach is to choose the bolt-on that is endorsed by the ERP vendor. Some organizations, however, take a more independent approach. This sometimes requires changing the core function code to interface with the bolt-on software.
5. Explain why the data warehouse needs to be separate from the operational database. Response: One reason for a separate data warehouse is that the structural and operational requirements of transaction processing and data mining systems are fundamentally different, making it impractical to keep both operational (current) and archive data in the same database. Transaction processing systems need a data structure that supports performance, whereas data mining systems need data organized in a manner that permits broad examination and the detection of underlying trends. 6. Data in a data warehouse are in a stable state. Explain how this can hamper data mining analysis. What can an organization do to alleviate this problem? Response: Typically, transaction data are loaded into the warehouse only when the activity on them has been completed, i.e., when they are stable. Potentially important relationships between entities may, however, be absent from data that are captured in their stable state. For example, sales orders that were cancelled will probably not appear among the orders that have been shipped and paid for by the time those orders are placed in the warehouse. One way to reflect these dynamics is to extract the operational data in slices of time. These slices provide snapshots of business activity. 7. Why is it important to denormalize data in a data warehouse? Response: Wherever possible, normalized tables pertaining to selected events should be consolidated into denormalized tables. Because of the vast size of a data warehouse, inefficiency caused by joining normalized data can be very detrimental to the performance of the system. A three-way join between tables in a large data warehouse may take an unacceptably long time to complete and may be unnecessary. Since historical data are static in nature, nothing is gained by constructing normalized tables with dynamic links. 8. What problems does the data cleansing step attempt to resolve?
Response: Clerical, data entry, and computer program errors can create illogical data values such as negative inventory quantities, misspelled names, and blank fields. Also, the data in the data warehouse are often composed of output from multiple systems that use slightly different spellings to represent common terms, such as "cust," "cust_id," or "cust_no." Data cleansing involves correcting errors and transforming data into standard business terms with standard data values. 9. How are the summary views in a data warehouse different from views in an operational database? Response: To improve operational efficiency, certain data are transformed into summary views before they are loaded into the warehouse. For example, a decision maker may need to see product sales figures summarized for a week, a month, a quarter, or a year. It may not be practical to summarize information from detail data every time the user needs it. A data warehouse can contain the most frequently requested summary views of data and reduce the amount of processing time during analysis. These are typically created around business entities such as Customers, Products, and Suppliers. Unlike views in an operational database, which are virtual in nature with underlying base tables, data warehouse views are denormalized physical tables. 10. Would drill-down be an effective audit tool for identifying an unusual business relationship between a purchasing agent and suppliers in a large organization with several hundred suppliers? Explain.
Response: Yes. The auditor may use drill-down techniques to identify unusually high levels of business activity for a particular supplier. Excessive purchases from a single supplier could represent an abnormal business dependency that may prove harmful to the firm if the supplier raises prices or cannot deliver on schedule. It may also signify a fraudulent relationship involving kickbacks to purchasing agents or other management. 11. Disruptions to operations are a common side effect of implementing an ERP. Explain the primary reason for this. Response: The reengineering of business processes that often accompanies ERP implementation is the most commonly cited cause of performance problems. Operationally speaking, when business begins under the ERP system, everything looks and works differently from the way it did with the legacy system. An adjustment period is needed for everyone to reach a comfortable point on the learning curve. Depending on the culture of the organization and attitudes toward change within the firm, adjustment may take longer in some firms than in others. 12. ERP systems use the best-practices approach in designing their applications, yet goodness of fit is considered to be an important issue when selecting an ERP. Shouldn't the client just be able to use whatever applications the ERP system provides? Response: When a business's processes are truly unique, the ERP system must be modified to accommodate industry-specific (bolt-on) software or to work with custom-built legacy systems. Some organizations, such as telecommunications service providers, have unique billing operations that cannot be satisfied by off-the-shelf ERP systems. Before embarking on the ERP journey, organization management needs to assess whether they can and should reengineer their business practices around a standardized model. 13. Explain the issues of size, speed, workload, and transaction cost as they relate to scalability. Response: Size.
With no other changes to the system, if database size increases by a factor of x, then query response time will increase by no more than a factor of x in a scalable system. For example, if business growth causes the database to increase from 100 GB to 500 GB, then transactions and queries that previously took one second will now take no more than five seconds. Speed. An increase in hardware capacity by a factor of x will decrease query response time by no less than a factor of x in a scalable system. For example, by increasing the number of processing nodes from one to twenty, transaction processing time will decrease proportionately: transactions that previously took twenty seconds will now take no more than one second in a system with linear scaling. Workload. If workload in a scalable system is increased by a factor of x, then response time or throughput can be maintained by increasing hardware capacity by a factor of no more than x. For example, if transaction volume increased from 400 per hour to 4,000 per hour, the previous response time can be achieved by increasing the number of processors by a factor of ten in a system that is linearly scalable. Transaction cost. In a scalable system, increases in workload do not increase transaction cost. Therefore, an organization should not need to increase system capacity faster than demand. For example, if the cost of processing a transaction in a system with one processor is ten cents, then it should still cost no more than ten cents when the number of processors is increased to handle larger volumes of transactions. 14. Explain how SAP uses roles as a way to improve internal control. Response: Roles support the objective of segregation of duties. Each role is associated with a specific set of activities, which are assigned to an authorized user of the ERP system.
SAP currently provides over 150 predefined user roles, which limit a user's access to only certain functions and associated data. The system administrator assigns roles to users of the system when it is configured. These can be customized as needed. When the user logs on to the system, a role-based menu appears, which limits the user to the specified tasks. Auditors should ensure that roles are assigned in accordance with job responsibilities on a "need-to-know" basis.
15. How would you deal with the problem of file-server backup in a highly centralized organization? Response: Centralized organizations with highly integrated business units may need a single global ERP system, accessed via the Internet or private lines from around the world, to consolidate data from subsidiary systems. A server failure under this model could leave the entire organization unable to process transactions. To control against this, two linked servers can be connected in redundant backup mode. All production processing is done on one server; if it fails, processing is automatically transferred to the other. Organizations that want more security and resilience may arrange servers in a cluster of three or more that dynamically share the workload. Processing can be redistributed if one or more of the servers in the cluster fail.
16. How would you deal with the problem of file-server backup in a decentralized organization with autonomous divisions that do not share common operational data? Response: Companies whose organizational units are autonomous and do not share common customers, suppliers, or product lines often choose to install regional servers. This approach permits independent processing and spreads the risk associated with server failure. For example, BP Amoco implemented SAP's R/3 in 17 separate business groups.
17. Distinguish between the OLAP operations of consolidation and drill-down. Response: Consolidation is the aggregation or roll-up of data. For example, sales office data can be rolled up to districts and districts rolled up to regions. Drill-down allows the user to go in the other direction and display the detail that underlies consolidated data.
18. When would slicing and dicing be an appropriate OLAP tool? Give an example. Response: Slicing and dicing enables the user to examine data from different viewpoints. One slice of data might show sales within each region. Another slice presents sales by product across regions. Slicing and dicing is often performed along a time axis to depict trends and patterns.
19. Explain the risks associated with the creation of unnecessary roles and why it can happen. Response: Managers in ERP environments have significant discretion in creating new roles for individuals. This may be done for employees who need access to resources for special and/or one-time projects. Such access-granting authority needs to be tempered with judgment to prevent the number of roles from multiplying to the point of becoming dysfunctional and thus creating a control risk. Indeed, an oft-cited problem in ERP environments is that roles tend to proliferate to the point where their number actually exceeds the number of employees in the organization. Policies need to be in place to prevent the creation of unnecessary new roles and to ensure that temporary role assignments are deleted when the reason for them terminates.
20. What is the fundamental concept behind the rule of least access? Explain why this is a potential problem in an ERP environment. Response: The fundamental concept behind the rule of least access is that access privileges (permissions) should be granted on a need-to-know basis only. Nevertheless, ERP users tend to accumulate unneeded permissions over time. This is often due to two problems. First, managers fail to exercise adequate care in assigning permissions as part of their role-granting authority. Since managers are not always experts in internal controls, they may not recognize when excessive permissions are awarded to an individual. Second, managers tend to be better at issuing privileges than removing them. As a result, an individual may retain unneeded access privileges from a previous job assignment that create a segregation of duties violation when combined with a newly assigned role.
21. What is the purpose of role-based governance software? Response: Role-based governance software monitors role creation and permission granting to ensure compliance with internal control objectives. It verifies role compliance across all applications and users in an ERP environment.
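Added Python example, not from the textbook, contrasting the access control list approach of review questions 19 and 20, where permissions are granted directly to the individual, with RBAC, where permissions attach to roles and users are assigned to roles. It then runs the checks that role-based governance software (discussion question 21) automates: segregation-of-duties conflicts reached through any combination of roles or direct grants, roles retained from a previous job (discussion question 20), temporary roles still assigned after their end date, and role proliferation (discussion question 19). The users, roles, permissions, conflict pairs, job profiles and dates are all constructed.

```python
"""Direct (ACL-style) grants versus RBAC, with the governance checks an
auditor or role-governance tool would run. Everything below is constructed."""
from datetime import date

# Permissions are "<object>:<action>" strings (constructed naming scheme)
ROLES = {
    "AP_CLERK": {"vendor_invoice:create", "vendor_invoice:read"},
    "AP_MANAGER": {"vendor_invoice:approve", "vendor_invoice:read"},
    "VENDOR_MAINT": {"vendor_master:edit"},
    "GL_POSTING": {"journal:post"},               # created but never assigned
    "TEMP_AUDIT_2019": {"vendor_invoice:read"},   # one-time project role
}
ROLE_EXPIRY = {"TEMP_AUDIT_2019": date(2019, 12, 31)}
AUDIT_DATE = date(2020, 3, 1)                      # "today" for the review

# Pairs of permissions one person must not hold together (segregation of duties)
SOD_CONFLICTS = [
    ("vendor_master:edit", "vendor_invoice:create"),
    ("vendor_invoice:create", "vendor_invoice:approve"),
]

# RBAC: users -> roles, plus the roles each user's current job calls for
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_MANAGER", "AP_CLERK"},    # promoted; old clerk role never removed
    "carol": {"VENDOR_MAINT", "TEMP_AUDIT_2019"},
    "dave": set(),
}
JOB_ROLE = {"alice": {"AP_CLERK"}, "bob": {"AP_MANAGER"},
            "carol": {"VENDOR_MAINT"}, "dave": set()}

# ACL-style: permissions granted directly to the individual, bypassing roles
USER_DIRECT = {"dave": {"vendor_master:edit", "vendor_invoice:create"}}


def effective_permissions(user):
    """Union of direct grants and the permissions of every assigned role.
    Governance checks must run on this set, not on role names alone."""
    perms = set(USER_DIRECT.get(user, ()))
    for role in USER_ROLES.get(user, ()):
        perms |= ROLES[role]
    return perms


def sod_violations():
    """Users holding both halves of a conflicting pair, by whatever route."""
    found = {}
    for user in USER_ROLES:
        perms = effective_permissions(user)
        hits = [p for p in SOD_CONFLICTS if p[0] in perms and p[1] in perms]
        if hits:
            found[user] = hits
    return found


def excess_roles():
    """Roles a user holds beyond those the current job requires (DQ 20)."""
    return {u: sorted(r - JOB_ROLE[u]) for u, r in USER_ROLES.items() if r - JOB_ROLE[u]}


def expired_role_assignments(today=AUDIT_DATE):
    """Temporary roles still assigned after their end date (DQ 19)."""
    return sorted((u, r) for u, roles in USER_ROLES.items()
                  for r in roles if r in ROLE_EXPIRY and ROLE_EXPIRY[r] < today)


def proliferation_report():
    """Roles nobody holds, and whether roles outnumber users (DQ 19)."""
    assigned = set().union(*USER_ROLES.values())
    return {"unassigned_roles": sorted(set(ROLES) - assigned),
            "roles_exceed_users": len(ROLES) > len(USER_ROLES)}


if __name__ == "__main__":
    print("SoD violations:", sod_violations())
    print("roles beyond job:", excess_roles())
    print("expired temp roles:", expired_role_assignments())
    print("proliferation:", proliferation_report())
```

Bob's conflict arises from two individually clean roles, and Dave's from direct grants that never passed through a role at all; both are invisible to a review that only lists role names, which is why the check works on effective permissions.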
MULTIPLE CHOICE 1. b 2. e 3. d 4. e 5. e 6. c 7. c 8. d 9. c 10. b
PROBLEMS 1. DATA WAREHOUSE ACCESS CONTROL You are the CEO of a large organization that implemented a data warehouse for internal analysis of corporate data. The operations manager has written you a memo advocating opening the data warehouse to your suppliers and customers. Explain any merit to this proposal. What are the control issues, if any? Response: Merit: The primary reason for data warehousing is to optimize the business. Many organizations' management personnel feel that more strategic benefit can be gained by sharing data externally. By providing customers and suppliers with the information they need when they need it, the company can improve its relationships and provide better service. The potential gain to the giving organization is seen in a more responsive and efficient supply chain. Using Internet technologies and OLAP applications, an organization can share its data warehouse with its trading partners and, in effect, treat them like divisions of the firm. Control: Access control is a vital feature of a data warehouse that is shared with customers and suppliers. The following control issues need to be considered:
• The organization should establish procedures to oversee the authorization of individuals at customer and supplier sites who will be granted access to the data warehouse.
• Access privileges should be specified for each outside user and enforced by authenticating the user (with passwords at a minimum).
• User views need to be created that limit outsider access to only approved data.
• Internet sessions should be managed by means of a firewall and use encryption to maintain confidentiality and digital signatures to preserve the integrity and authenticity of what is exchanged.
• Firewalls, which are a combination of hardware and software that protect the resources of a private network, help to secure data from unauthorized internal and external users.
• Auditing tools for intrusion detection are available to assist in mitigating security risks.
• Periodic audits should include a risk assessment and a review of the access levels granted to both internal and external users, based on their job descriptions.
2. PROJECT IMPLEMENTATION Your organization is planning to implement an ERP system. Some managers in the organization favor the big bang approach. Others are advocating a phased-in approach. The CEO has asked you, as project leader, to write a memo summarizing the advantages and disadvantages of each approach and to make a recommendation. This is a traditional organization with a strong internal hierarchy. The company was acquired in a merger 2 years ago, and the ERP project is an effort on the part of the parent company to standardize business processes and reporting across the organization. Prior to this, the organization had been using a general ledger package that it acquired in 1979. Most of the transaction processing is a combination of manual and batch processing. Most employees think that the legacy system works well. At this point, the implementation project is behind schedule. Response: While the big bang method has certain advantages, it has been associated with numerous system failures. Since the new ERP system means new ways of conducting business, getting the entire organization on-board and in sync can be a problem. On day one of the implementation, no one within the organization will have had any experience with the new system. In a sense, everyone in the company is a trainee learning a new job. The new ERP will initially meet with opposition, because using it involves compromise. The legacy systems, with which everyone in the organization was familiar, had been honed over the years to meet exact needs. In most cases, ERP systems have neither the range of functionality, nor the familiarity of the legacy systems which they replace. Also, because a single system is now serving the entire organization, individuals at data input points often find themselves entering considerably more data than they did previously with the more narrowly focused legacy system. As a result, the speed of the new system often suffers, causing disruptions to daily operations. 
These problems are typically experienced whenever any new system is implemented. The magnitude of the problem is the issue under the big-bang approach where everyone in the company is affected. Once the initial adjustment period has passed and the new culture emerges, however, the ERP system becomes an effective operational and strategic tool that provides competitive advantage to the firm. Because of the disruptions associated with the big bang, the phased-in approach has emerged as a popular alternative. It is particularly suited to diversified organizations with units that do not share common processes and data. In these types of companies, independent ERP systems can be installed in each business unit over time, to accommodate the adjustment periods needed for assimilation. Common processes and data (such as the general ledger function) can be integrated across the organization without disrupting operations throughout the firm. To be successful, all functional areas of the organization need to be involved in determining the culture of the firm and in defining the new system’s requirements. The firm’s willingness and ability to undertake a change of the magnitude of an ERP implementation is an important consideration. If the corporate culture is such that change is not tolerated or desired, then an ERP implementation will not be successful.
The technological culture must also be assessed. Organizations that lack technical support staff for the new system, or have a user base that is unfamiliar with computer technology, face a steeper learning curve and a potentially greater barrier to acceptance of the system by its employees. All things considered, a phased-in approach is more likely to be successful with this organizational culture. 3. OLTP VERSUS OLAP SERVERS For each of the following processes, state whether OLTP or OLAP is appropriate and why: a. An order entry system that retrieves customer information, invoice information, and inventory information for local sales. b. An order entry system that retrieves customer information, invoice information, inventory information, and several years of sales information about both the customer and the inventory items. c. An order entry system that retrieves customer information, invoice information, inventory information, and information to compare the current sale to sales across several geographic regions. d. An order entry system that retrieves customer information, invoice information, inventory information, and accounts receivable information for sales within one marketing region. e. An insurance company requires a system that will allow it to determine total claims by region, determine whether a relationship exists between claims and meteorological phenomena, and why one region seems to be more profitable than another. f. A manufacturing company has only one factory, but that factory employs several thousand people and has nearly $1 billion in revenue each year. The company has seen no reason to make comparisons about its operations from year to year or from process to process. Its information needs focus primarily on operations, but it has maintained backups of prior-year operations activities. Examination of prior-year financial reports has shown that the company, while profitable, is not growing and return on investment is decreasing.
The owners are not satisfied with this situation. Response: a. Online transaction processing (OLTP) is appropriate because the amount of data accessed is limited, few business elements are analyzed, the data are not aggregated, and the time frame is finite. b. Online analytical processing (OLAP) is appropriate because analysis of data over several years is required. c. OLAP, because the data being analyzed span several regions. d. OLAP. While this system will analyze simple transactions, the volume of activity and the analytical procedures may require greater resources than OLTP can provide. e. OLAP. OLAP supports consolidation of data, drill-down analysis, and slicing and dicing. f. OLAP. While OLTP has been sufficient to provide the information requirements to date, the company is not meeting its goals, and an understanding of the business processes, related phenomena, and comparisons among processes is indicated. Analyses in these areas may help the company determine better business practices. OLAP will provide the company with the analytic tools that may help management find better ways to operate.
4. SELECTING A CONSULTANT You are the chief information officer for a midsized organization that has decided to implement an ERP system. The CEO has met with a consulting ERP firm based on a recommendation from a personal friend at his club. At the interview, the president of the consulting firm introduced the chief consultant, who was charming, personable, and seemed very knowledgeable. The CEO’s first instinct was to sign a contract with the consultant, but he decided to hold off until he had received your input. Required: Write a memo to the CEO presenting the issues and the risks associated with consultants. Also, outline a set of procedures that could be used as a guide in selecting a consultant. Response: Consulting firms, particularly the big four with large ERP practices, are desperately short of human resources at times. We saw this in the mid-to-late 1990s when thousands of clients were rushing to implement ERP systems before the new millennium, and thus avoid Y2K problems. As demand for ERP implementations grew beyond the supply of qualified consultants, more and more stories of botched projects materialized. A common complaint is that consulting firms promise experienced professionals but deliver incompetent trainees. They have been accused of employing a bait-and-switch maneuver to get contracts. At the initial engagement interview, the consulting firm introduces their top consultants who are sophisticated, talented, and persuasive. The client agrees to the deal, incorrectly assuming that these individuals, or others with similar qualifications, will actually implement the system. The problem has been equated to the airline industry’s common practice of overbooking flights. Consulting firms, not wanting to turn away business, are perhaps guilty of overbooking their consulting staff. However, the consequences are far graver than the inconvenience of missing a flight. 
Currently a number of lawsuits have been filed against the consultants of failed ERP projects. We can avoid these pitfalls by selecting the right consultant. Therefore, before turning the problem over to just any outside consultant, we need to do the following:
- Interview the staff proposed for the project and draft a detailed contract specifying which members of the consulting team will be assigned to which tasks.
- Obtain an agreement in writing as to how staff changes will be handled.
- Conduct reference checks of the proposed staff members.
- Align the consultants' interests with those of the organization by negotiating a pay-for-performance scheme based on achieving certain milestones in the project. For example, the actual amount paid to the consultant may be between 85 and 115 percent of the contracted fee, depending on whether a successful implementation comes in under or over schedule.
- Set a firm termination date for the consultant. There is a lot of evidence that consulting arrangements can become interminable, resulting in dependency and an endless stream of fees.
5. AUDITING ERP DATABASES You are an independent auditor attending an engagement interview with the client. The client's organization has recently implemented a data warehouse. Management is concerned that the audit tests that you perform will disrupt operations. Management suggests that instead of running tests against the live operational database, you draw the data for your analytical reviews and substantive tests of details from the data warehouse. Management points out that operational data are copied weekly into the warehouse and everything you need will be contained there. This will enable you to perform your tests without disrupting routine operations. You agree to give this some thought and get back to the client with your answer.
Required: Draft a memo to the client outlining your response to their proposal. Mention any concerns you might have. Response: While the organization's data warehouse is an excellent resource for performing analytical reviews, I will need to gain an understanding of the procedures used to populate the warehouse. I am concerned that your data cleansing procedures may be sanitizing the warehouse, which could create a false picture of your financial position. To be useful as an OLAP tool, the data warehouse needs to be free of contamination. Erroneous data (such as negative inventory values, missing fields, and other clerical errors) that are a natural part of operational databases are identified and repaired (or rejected) in the cleansing process prior to entering the data warehouse. Since the data warehouse exists in an artificially pristine state, it may not be a suitable substitute for the operational database when performing tests of process controls and substantive tests. I must, therefore, perform tests of your cleansing procedures before I can place reliance on the data warehouse as a resource for substantive testing.
6. BIG BANG VERSUS PHASED-IN APPROACH The Anystate Department of Motor Vehicles (DMV) is the agency responsible for licensing both drivers and vehicles in the state. Until recently, legacy systems were used for both licensing needs. The legacy system for driver's licenses maintained the following information about each licensed driver: name, age, address, violations, license classification, organ donation, and restrictions. The vehicle licensing system maintained information about each vehicle, including cost, taxes, vehicle identification number (VIN), weight, insurance, and ownership. In the summer of this year, over a 3-day weekend, information from the two legacy systems was transferred to a new ERP.
The ERP and all new hardware were installed in every DMV across the state, and when employees returned from their long weekend, an entirely new system was in place. The DMV employees were not well trained on the new system, and the system itself presented a few bugs. As a result of these obstacles, customers at the DMV faced excessively long lines and extended waiting times, and several of the employees simply quit their jobs because of frustrations with the system and difficulty dealing with irate customers. Knowing that the waiting times were so long, many drivers simply refused to renew licenses or obtain new licenses.
Required: Assume that the ERP the DMV management selected was correctly configured and was capable of meeting all requirements of the DMV; consider data warehousing implications, business culture implications, and disruption to operations; and discuss the advantages and disadvantages associated with the decision to implement the new system using the big bang approach versus the phased-in approach.
Response: Either approach would require transformation of data from the legacy systems to a common data warehouse. A phased-in approach has the advantage of uncovering discrepancies among data at a single site. Once the discrepancies are found, the resulting bugs can be corrected, so relatively error-free systems can be placed in other sites. Presuming the goals of a DMV are to correctly tax and license drivers and vehicles, and to do so expediently, the fact that customers were waiting too long and that many chose not to comply with the law requiring that they become properly licensed shows that organizational goals were not met with the big bang approach. Again, a phased-in approach might have uncovered these problems and found corrections on a local rather than state-wide basis. The employees seemed to lack adequate training and seemed not to support the new system. Phasing in a new system does not require as many technicians, as the instruction process can take place over time and across geography. With an increased number of required technicians, there is a decreased chance that all technicians will be familiar with the system and the requirements. Therefore, a phased-in approach might have supplied the DMV with better instruction. The big bang approach also seemed to catch the employees off guard. It is possible that if a phased-in approach had been used, the process might have gone more smoothly, and word-of-mouth about the system (and its probable improvement over the legacy systems) might have lessened the resistance to change on the part of employees anticipating their own phase-in. If customers were satisfied with the service they received, and if employees were adequately trained and accepting of the new system (probable consequences of a phase-in), the DMV could have avoided the loss of revenue resulting from customer reluctance to register vehicles and obtain licenses.
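Returning to question 5 (auditing against the data warehouse): the memo's point is that the auditor must test the cleansing procedures before relying on the warehouse. The following is an added example, not the textbook's material, of the reconciliation an auditor would run. The inventory rows, the two cleansing rules (reject a row with a missing unit cost, "repair" a negative quantity to zero) and the field names are all constructed assumptions; a real engagement would use the client's ETL rules and its own control totals.

```python
"""Reconcile a cleansed data warehouse back to the operational source.

Added example for question 5; it is not from the textbook. The inventory
rows, the two cleansing rules and the field names are constructed.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class InventoryRow:
    item: str
    qty: int                    # a negative value is the "erroneous data" of the memo
    unit_cost: Optional[float]  # None models a missing field


def row_value(row):
    """Extended value of one row; a row with a missing cost contributes nothing."""
    return 0.0 if row.unit_cost is None else row.qty * row.unit_cost


def cleanse(rows):
    """The ETL step that populates the warehouse (assumed rules): a missing
    unit cost rejects the row, a negative quantity is "repaired" to zero.
    Returns (warehouse_rows, log); the log lists every change as
    (action, before, after) and is what the auditor asks management for."""
    warehouse, log = [], []
    for row in rows:
        if row.unit_cost is None:
            log.append(("rejected", row, None))
            continue
        if row.qty < 0:
            fixed = replace(row, qty=0)
            log.append(("repaired", row, fixed))
            warehouse.append(fixed)
        else:
            warehouse.append(row)
    return warehouse, log


def reconcile(operational, warehouse, log):
    """Auditor's test: do the control totals agree, and does the cleansing
    log account for every dollar of difference?

    'unexplained' != 0 means records changed without a trace, so the
    warehouse cannot be relied on at all. 'altered' lists the records that
    must be examined in the operational database even when the difference
    is fully explained, because the warehouse no longer shows them as they are."""
    op_total = sum(row_value(r) for r in operational)
    wh_total = sum(row_value(r) for r in warehouse)
    difference = op_total - wh_total
    explained = sum(row_value(before) - (row_value(after) if after is not None else 0.0)
                    for _, before, after in log)
    return {
        "operational_rows": len(operational),
        "warehouse_rows": len(warehouse),
        "operational_total": op_total,
        "warehouse_total": wh_total,
        "difference": difference,
        "unexplained": difference - explained,
        "altered": [before for _, before, _ in log],
    }


# Constructed operational extract: a clean row, a negative balance (an
# unrecorded receipt or a count error), a row with a missing cost, a clean row.
OPERATIONAL = [
    InventoryRow("A100", 40, 2.5),
    InventoryRow("B200", -5, 10.0),
    InventoryRow("C300", 12, None),
    InventoryRow("D400", 3, 20.0),
]

if __name__ == "__main__":
    warehouse, log = cleanse(OPERATIONAL)
    report = reconcile(OPERATIONAL, warehouse, log)
    for key, val in report.items():
        print(f"{key}: {val}")
    # Same warehouse, but management cannot produce the ETL log:
    print("unexplained without log:", reconcile(OPERATIONAL, warehouse, [])["unexplained"])
```

On the constructed data the warehouse total exceeds the operational total by the $50 negative balance that cleansing zeroed out. With the ETL log the difference is fully explained, but the two altered items still have to be tested at the source; without the log the same $50 is unexplained and the warehouse gives no basis for reliance at all.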
7. ERP FAILURE When an ERP implementation fails, who is to blame? Response: Student responses will vary. Some key points are listed below. In most ERP failures the blame is laid at the feet of the organization for failure to:
- Ensure executives are educated, on board, and understand their roles.
- Understand the business case and drivers for the change.
- Clearly define and communicate project objectives.
- Implement internal measurement systems to support the desired changes.
- Remove the people barriers and naysayers that get in the way.
- Tackle project business issues and decisions in a timely fashion.
- Take end-user training seriously and require that employees attend.
- Make necessary changes in business policies, practices, and procedures to take advantage of the software.
- Limit the scope of the project.
- Require the cooperation of employees at all levels of the organization.
- Assign the best internal employees to the project team.
- Free up the required time for those assigned to participate.
- Expect (not hope) that the internal team and IT support will eventually become software experts.
- Hire as internal employees people with the right skills and knowledge when necessary.
- Plan and utilize outside project management, application consultants, technical consultants, and programmers correctly.
- Hold functional (middle) managers, the project manager, the project team, and IT staff accountable for doing what they are supposed to do.
- Limit software modifications through business justification or by changing business processes.
8. ERP MARKET GROWTH What is the future direction of the ERP market? Required: Research this issue and write a brief paper outlining the key issues. Response: Responses will vary. Some key points are listed below:
• ERP continues to dominate back-office practices.
• The demand for innovative applications such as e-commerce, SCM, and HR/customer self-service continues.
• Vendors are supplementing their direct sales force with reseller channels.
• Vendors are lowering the entry price of the software to make it financially viable for small and medium-sized firms.
• Smaller systems will have reduced functionality.
• Improved implementation methodologies for faster deployment are essential.
• Systems must become more open for easier integration.
• The quantity and quality of skilled consultants must increase.
• Movement from client/server to browser/server web-enabled architecture.
• No one wants "just ERP" anymore.
• The emerging trend is integration with cutting-edge technologies such as SFA, CRM, and e-commerce.
9. ERP CONSULTANTS Do research on complaints about ERP consultants. Write a report about the most common complaints and cite examples. Response: Student responses will vary. Listed below are some common complaints:
• Consultants are not independent and tend to recommend the product that they consult on. Therefore, when management chooses a consultant, it is essentially picking the product.
• Consultants make unnecessary needs evaluations to drive up consulting fees. Clients are locked into high-priced consultants to do needs analysis.
• Vendors won't provide the client with the information needed to properly evaluate the product in an in-house needs analysis.
• ERP consulting firms push customizing the ERP product. This adds cost to the implementation and locks the client into a long-term contract with the consultant for maintenance and future upgrades to a non-standard ERP system.
• ERP consulting firms staff their engagements with inexperienced college graduates.
• ERP consultants sometimes overprice the software.
10. ERP BOLT-ON SOFTWARE Go to ten Web sites of companies that supply bolt-on software. Write a report containing URLs that briefly describe the software features and its compatibility with specific ERP systems. Response: Responses may vary.
CHAPTER 12 BUSINESS ETHICS, FRAUD, AND FRAUD DETECTION
REVIEW QUESTIONS
1. What is ethics? Response: Ethics pertains to the principles of conduct that individuals use in making choices and guiding their behavior in situations that involve the concepts of right and wrong.
2. What is business ethics? Response: Business ethics involves finding the answers to two questions: (1) How do managers decide what is right in conducting their business? and (2) Once managers have recognized what is right, how do they achieve it?
3. What are the four areas of ethical business issues? Response: equity, rights, honesty, and the exercise of corporate power.
4. What are the main issues to be addressed in a business code of ethics required by the Securities and Exchange Commission? Response: conflicts of interest, full and fair disclosures, legal compliance, internal reporting of code violations, and accountability.
5. What are three ethical principles that may provide some guidance for ethical responsibility? Response: proportionality, justice, and minimization of risk.
6. What is computer ethics? Response: Computer ethics is "the analysis of the nature and social impact of computer technology and the corresponding formulation and justification of policies for the ethical use of such technology…. [This includes] concerns about software as well as hardware and concerns about networks connecting computers as well as computers themselves."
7. How do the three levels of computer ethics—pop, para, and theoretical—differ? Response: The lowest level of computer ethics—pop—merely reflects the exposure to stories and reports regarding the ramifications of computer technology, such as computer viruses (bad ramifications) and educational enhancements for handicapped individuals (good ramifications). The next level—para—requires a little more involvement in learning about computer ethics cases and acquiring some skill and knowledge in ethics issues.
The third level—theoretical—involves application of the theories of philosophy, sociology, and psychology to computer science with the hope that new understanding in the field can be achieved.
8. Are computer ethical issues new problems, or just a new twist on old problems? Response: Computer ethical issues are considered to be new problems by those groups that feel that intellectual property is not the same as real property. However, other groups feel that the same generic principles should apply. No agreement between these two groups has been reached.
9. What are the computer ethical issues regarding privacy? Response: People desire to be in full control of what and how much information about themselves is available to others, and to whom it is available. This is the issue of privacy. The creation and maintenance of huge, shared databases make it necessary to protect people from the potential misuse of data. This raises the issue of ownership in the personal information industry. Should the privacy of individuals be protected through policies and systems? What information about oneself does the individual own? Should firms that are unrelated to individuals buy and sell information about these individuals without their permission?
10. What are the computer ethical issues regarding security? Response: Computer security is an attempt to avoid such undesirable events as a loss of confidentiality or data integrity. Security systems attempt to prevent fraud and other misuse of computer systems; they act to protect and further the legitimate interests of the system's constituencies. The ethical issues involving security arise from the emergence of shared, computerized databases that have the potential to cause irreparable harm to individuals by disseminating inaccurate information to authorized users, such as through incorrect credit reporting. There is a similar danger in disseminating accurate information to persons unauthorized to receive it. However, increasing security can actually cause other problems. For example, security can be used both to protect personal property and to undermine freedom of access to data, which may have an injurious effect on some individuals.
11. What are the computer ethical issues regarding ownership of property? Response: Laws designed to preserve real property rights have been extended to cover what is referred to as intellectual property, that is, software. The question here becomes what can an individual (or organization) own? Ideas? Media? Source code? Object code? A related question is whether or not owners and users should be constrained in their use of or access to software. This includes making copies or placing software on a network to permit multiple access. Some believe that copyright laws can cause more harm than good. For example, the League for Programming Freedom argues that copyrights for software fly in the face of the original intent of the law.
It feels that the best interests of computer users are served when industry standards emerge; copyright laws work to disallow this. Part of the problem arises out of the uniqueness of software, its ease of dissemination, and the possibility of exact replication. Does software fit with the current categories and conventions regarding ownership?
12. What are the computer ethical issues regarding equity in access? Response: Some barriers to access (security systems) are intrinsic to the technology of information systems, but some are avoidable through careful system design. Factors that can limit access to computing technology include financial cost, cultural barriers, and physical limitations (blindness, paralysis, and pregnancy). How can hardware and software be designed with consideration for differences in physical and cognitive skills? What is the cost involved with providing equity in access? To what groups of society should equity in access become a priority?
13. What are the computer ethical issues regarding the environment? Response: Increased computing and the low cost of high-speed printers have caused many users to print out more hard copies of documents than is really necessary. Because paper is not usually considered a high-cost item, most firms have not looked at this as a cost/benefit issue; however, perhaps they should from an environmental viewpoint. Also of growing importance is the issue that disposal of obsolete computer hardware creates environmental risks and concerns.
14. What are the computer ethical issues regarding artificial intelligence? Response: One issue is the responsibility for the completeness and accuracy of a knowledge base, as well as its maintenance to reflect changes. Further, where does the knowledge come from? This issue becomes of particular importance when expert systems replace the tasks of middle managers, many of whom may have been used during the knowledge acquisition phase. Thus, an important issue is who owns the coded expertise. Also, what are the legal ramifications if an expert system makes an error or if a decision made by an expert system is not followed?
15. What are the computer ethical issues regarding unemployment and displacement? Response: The nature of most jobs is changing as a result of computer technology. In many cases, certain occupations are becoming rare. The issue is whether employers should assume the responsibility of retraining employees.
16. What are the computer ethical issues regarding misuse of computers? Response: The computer ethical issues regarding misuse of computers are the copying of proprietary software, using a company's computer for personal benefit, and snooping through other people's files. Should employees be allowed to do personal work on the company computer after work hours? Does this additional use impinge on the rights of the software company? If the employee does not have to buy hardware and/or software for him or herself, then an ethical issue arises regarding potential lost profits to the industries selling these products.
17. What is the objective of Statement on Auditing Standards No. 99? Response: The objective of SAS 99 is to seamlessly blend the auditor's consideration of fraud into all phases of the audit process. In addition, SAS 99 requires the auditor to perform new steps such as brainstorming during audit planning to assess the potential risk of material misstatement of the financial statements from fraud schemes.
18. What are the five conditions that constitute fraud under common law? Response:
a. false representation
b. material fact
c. intent
d. justifiable reliance
e. injury or loss
19. Name the three fraud-motivating forces. Response:
a. situational pressure
b. opportunities
c. ethics
20. What is employee fraud? Response: Employee fraud is an act committed by non-management employees. It is generally designed to directly convert cash or other assets to the employee's personal benefit.
Employee fraud usually involves three steps: (1) stealing something of value (an asset), (2) converting the asset to a usable form (cash), and (3) concealing the crime to avoid detection.
21. What is management fraud? Response: Management fraud is committed by managers who are not subject to the same controls as employees. This fraud is more insidious than employee fraud because it often escapes detection until the organization has suffered irreparable damage or loss. Management fraud typically contains three special characteristics:
1. The fraud is perpetrated at levels of management above the one to which internal control structures generally relate.
2. The fraud frequently involves using the financial statements to create an illusion that an entity is healthier and more prosperous than, in fact, it is.
3. If the fraud involves misappropriation of assets, it frequently is shrouded in a maze of complex business transactions, often involving related third parties.
22. What three forces constitute the triangle of fraud? Response:
a. situational pressures
b. available opportunities
c. ethics (personal characteristics)
23. How can external auditors attempt to uncover motivations for committing fraud? Response: Research by forensic experts and academics has shown that the auditor's evaluation of fraud is enhanced when the fraud triangle factors are considered. Obviously, matters of ethics and personal stress do not lend themselves to easy observation and analysis. To provide insight into these factors, auditors often use a red-flag checklist consisting of the following types of questions:
• Do key executives have unusually high personal debt?
• Do key executives appear to be living beyond their means?
• Do key executives engage in habitual gambling?
• Do key executives appear to abuse alcohol or drugs?
• Do any of the key executives appear to lack personal codes of ethics?
• Are economic conditions unfavorable within the company's industry?
• Does the company use several different banks, none of which sees the company's entire financial picture?
• Do any key executives have close associations with suppliers?
• Is the company experiencing a rapid turnover of key employees, either through resignation or termination?
• Do one or two individuals dominate the company?
24. What is lapping? Response: Lapping involves a cash receipts clerk stealing customer payments that are in the form of checks, by cashing the checks him/herself. Many employees view this as borrowing, since they plan to repay it some day. Lapping of accounts receivable works as follows:
Period 1: Cashier receives $1000 from ABC Company and keeps it.
Period 2: Cashier receives $1000 from XYZ Company and credits ABC Company's accounts receivable account.
Period 3: Cashier receives $1000 from JKL Company and credits XYZ Company's accounts receivable account.
At any given time, accounts receivable is overstated by $1000 (the most recent customer has paid but has not been credited) and recorded cash receipts are understated by the same amount. The employee keeps "lapping" the accounts, so no customer receives a delinquent bill notice. The scheme depends on the cashier being the only person who sees both the incoming checks and the receivables postings; an independent listing of remittances prepared by someone else exposes it.
25. What is collusion? Response: Collusion involves two or more employees working together to perpetrate a fraudulent act that internal controls would have otherwise prevented. For example, the inventory control clerk and the warehouse clerk could collude to steal inventory and then adjust the inventory records to cover up the act.
26. What is bribery? Response: Bribery involves giving, offering, soliciting, or receiving things of value to influence an official in the performance of his or her lawful duties. Officials may be employed by government (or regulatory) agencies or by private organizations. Bribery defrauds the entity (business organization or government agency) of the right to honest and loyal services from those employed by it.
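Returning to the lapping scheme in question 24: the following is an added example, not from the textbook, that simulates the three periods in the answer and runs the audit test that exposes the scheme. The test compares an independent remittance listing (assumed to be prepared in the mailroom or by the bank lockbox, not by the cashier) with the accounts receivable postings. Company names, amounts and the two cashier behaviours are constructed to mirror the answer.

```python
"""Simulation of the lapping scheme from question 24 and an audit test for it.

Added example; not from the textbook. Names, amounts and the independent
remittance listing are constructed to mirror the three periods in the answer.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Remittance:
    """A customer payment as recorded on an independent remittance listing
    (prepared by someone other than the cashier)."""
    period: int
    customer: str
    amount: int


@dataclass(frozen=True)
class Posting:
    """The credit the cashier actually posted to accounts receivable."""
    period: int
    account: str
    amount: int


def honest_cashier(remittances):
    """Every check is credited to the customer who sent it."""
    return [Posting(r.period, r.customer, r.amount) for r in remittances]


def lapping_cashier(remittances):
    """Keep the first check; cover each diverted payment with the next
    customer's check, so the victim never goes delinquent."""
    postings = []
    uncovered = None            # customer whose stolen payment still needs covering
    for r in remittances:
        if uncovered is None:
            uncovered = r.customer      # pocket this check, post nothing
            continue
        postings.append(Posting(r.period, uncovered, r.amount))
        uncovered = r.customer          # this customer is now the one left short
    return postings


def detect_lapping(remittances, postings):
    """Reconcile the independent remittance listing against AR postings.

    Returns (misapplied, uncredited, unposted):
      misapplied  - postings with no remittance of the same period, amount and
                    customer; the signature of lapping
      uncredited  - customers who paid but whose account was never credited
      unposted    - cash received per the listing minus cash posted; the amount
                    by which accounts receivable is overstated
    """
    rem_by_period = defaultdict(list)
    for r in remittances:
        rem_by_period[r.period].append(r)

    misapplied = [p for p in postings
                  if not any(r.customer == p.account and r.amount == p.amount
                             for r in rem_by_period[p.period])]
    credited = {p.account for p in postings}
    uncredited = sorted({r.customer for r in remittances} - credited)
    unposted = sum(r.amount for r in remittances) - sum(p.amount for p in postings)
    return misapplied, uncredited, unposted


# Constructed data mirroring the three periods in the question 24 answer.
REMITTANCES = [
    Remittance(1, "ABC", 1000),
    Remittance(2, "XYZ", 1000),
    Remittance(3, "JKL", 1000),
]

if __name__ == "__main__":
    for label, cashier in (("honest", honest_cashier), ("lapping", lapping_cashier)):
        misapplied, uncredited, unposted = detect_lapping(REMITTANCES, cashier(REMITTANCES))
        print(f"{label}: misapplied={len(misapplied)} uncredited={uncredited} "
              f"AR overstated by ${unposted}")
```

For the lapping cashier every posting is misapplied (period 2 credits ABC although XYZ paid, period 3 credits XYZ although JKL paid), JKL is the customer currently left uncredited, and the $1000 shortfall matches the overstatement in the answer. The test is only as good as its independent source: if the cashier also prepares the remittance listing, the comparison is circular, which is exactly the exposure described in discussion question 15.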
27. What is economic extortion? Response: Economic extortion is the use (or threat) of force (including economic sanctions) by an individual or organization to obtain something of value. The item of value could be a financial or economic asset, information, or cooperation to obtain a favorable decision on some matter under review.
28. What is conflict of interest? Response: A conflict of interest occurs when an employee acts on behalf of a third party during the discharge of his or her duties or has a self-interest in the activity being performed. When the employee's conflict of interest is unknown to the employer and results in financial loss, then fraud has occurred.
29. What is computer fraud, and what types of activities does it include? Response: Computer fraud refers to using hardware and software to divert or acquire the assets of the firm. Its activities include:
• Theft, misuse, or misappropriation of assets by altering computer-readable records and files,
• Theft, misuse, or misappropriation of assets by altering the logic of computer software,
• The theft or illegal use of computer-readable information,
• The theft, corruption, illegal copying, or intentional destruction of computer software,
• The theft, misuse, or misappropriation of computer hardware.
30. At which stage of the general accounting model is it easiest to commit computer fraud? Response: It is easiest to commit computer fraud at the data-collection or data-entry stage. Frauds of this type require little or no computer skill. At this point, the perpetrator only needs to understand how the system works to enter data that it will process.
31. Define check tampering. Response: Check tampering involves forging or changing in some material way a check that the organization has written to a legitimate payee.
32. What are billing schemes, or vendor fraud? Response: Billing schemes, also known as vendor fraud, are perpetrated by employees who cause their employer to issue a payment to a false supplier or vendor. This is accomplished by submitting invoices for fictitious goods or services, inflated invoices, or invoices for personal purchases.
33. Define cash larceny. Response: Cash larceny involves schemes in which cash receipts are stolen from an organization after they have been recorded in the organization's books and records.
34. What is skimming? Response: Skimming involves stealing cash from an organization before it is recorded on the organization's books and records.
DISCUSSION QUESTIONS
1. Distinguish between ethical issues and legal issues. Response: Some acts may not be against the law, but may be considered unethical. For example, it may not be illegal to simultaneously accept two job offers verbally while trying to decide between the two companies. However, ethically, this type of behavior is considered to be undesirable.
2. Some argue against corporate involvement in socially responsible behavior because the costs incurred by such behavior place the organization at a disadvantage in a competitive market. Discuss the merits and flaws of this argument. Response: The costs of socially responsible behavior include those associated with environmental protection, improving worker safety, and affirmative action. In the short run, when one firm incurs these costs and its competitor does not, the latter has a competitive advantage over the former. However, the socially responsive firm can maximize its profitability in the long run by accruing goodwill in society and avoiding the negative effects of government regulations.
3. Although top management's attitude toward ethics sets the tone for business practice, sometimes it is up to lower-level managers to uphold a firm's ethical standards. John, an operations-level manager, discovers that the company is illegally dumping toxic materials in violation of environmental regulations. John's immediate supervisor is involved in the dumping. What action should John take? Response: Normally, the resolution of an ethical problem on the job would involve consultation between the subordinate and the immediate supervisor. When the supervisor is part of the problem, the matter should be taken to the next higher level in the organization structure.
4. When a company has a strong internal control structure, stockholders can expect the elimination of fraud. Comment on the soundness of this statement. Response: A strong internal control structure provides a very good shield against fraud.
However, these shields are not 100 percent bulletproof, especially when employees collude and/or top management is involved. A strong internal control structure coupled with good employee morals and ethics is the best deterrent against fraud.
5. Distinguish between employee fraud and management fraud. Response: Employee fraud is committed by non-management employees and is generally designed to directly convert cash and other assets to the employee's personal benefit. Weak internal controls are usually present. Management fraud, however, is usually committed at a level above internal controls. These frauds are typically shrouded in a nexus of transactions and are difficult to disentangle.
6. The estimates of losses annually due to computer fraud vary widely. Why do you think obtaining a good estimate of this figure is difficult? Response: The top management of publicly traded companies is oftentimes reluctant to admit publicly that it has been the victim of computer crime because of fear of public opinion regarding the internal control structure. Also, many organizations may not be fully aware of the extent of their damages due to computer fraud.
7. How has the Sarbanes-Oxley Act had a significant impact on corporate governance? Response: The Sarbanes-Oxley Act requires all audit committee members to be independent and requires the audit committee to hire and oversee the external auditors. This provision is consistent with the views of many investors who consider board composition to be a critical investment factor. For example, a Thomson Financial survey revealed that most institutional investors want corporate boards to be composed of at least 75 percent independent directors.
8. Discuss the concept of exposure and explain why firms may tolerate some exposure. Response: An exposure is the absence or weakness of an internal control. Sometimes cost-benefit analysis may indicate that the additional benefits of an internal control procedure do not exceed its costs. Thus, the firm may decide to tolerate some control risk.
9. If detective controls signal error flags, why shouldn't these types of controls automatically make a correction in the identified error? Why are corrective controls necessary? Response: For any detected error, more than one feasible corrective solution may exist, and the best course of action may not always be obvious. Thus, linking an automatic response to a detective control may worsen a problem by applying an incorrect corrective action.
10. Discuss the non-accounting services that external auditors are no longer permitted to render to audit clients. Response: The act addresses auditor independence by creating more separation between a firm's attestation and non-auditing activities. It specifies categories of services that a public accounting firm cannot perform for its audit client. These include the following:
• bookkeeping or other services related to the accounting records or financial statements;
• financial information systems design and implementation;
• appraisal or valuation services, fairness opinions, or contribution-in-kind reports;
• actuarial services;
• internal audit outsourcing services;
• management functions or human resources;
• broker or dealer, investment advisor, or investment banking services;
• legal services and expert services unrelated to the audit; and
• any other service that the PCAOB determines is impermissible.
While the Sarbanes-Oxley Act prohibits auditors from providing the above services to their audit clients, they are not prohibited from performing such services for non-audit clients or privately held companies.
11. Discuss whether a firm with fewer employees than there are incompatible tasks should rely more heavily on general authority than specific authority. Response: Small firms with fewer employees than there are incompatible tasks should rely more heavily on specific authorizations. More approvals of decisions by management and increased supervision should be imposed in order to somewhat compensate for the lack of separation of duties.
12. An organization's internal audit department is usually considered an effective control mechanism for evaluating the organization's internal control structure. The Birch Company's internal auditing function reports directly to the controller. Comment on the effectiveness of this organizational structure. Response: Having the internal auditing function report to the controller is unacceptable. If the controller is aware of or involved in a fraud or defalcation, then he/she may give false or inaccurate information to the auditors. The possibility also exists that the auditors may lose their jobs if they do not keep certain matters quiet. Further, the fraud may be occurring at a level higher than the controller, and the controller may fear losing his/her job if the matter is pursued. The best route is to have the internal auditing function report directly to the board of directors.
13. Comment on the exposure (if any) caused by combining the tasks of paycheck preparation and distribution to employees. Response: If a payroll employee were to prepare a paycheck for a nonexistent employee (perhaps under an alias, or in the name of a relative), and this employee also has the task of distributing the checks, then no one would be the wiser. On the other hand, if the checks go directly to another person, who then distributes the paychecks, then the extra check should be discovered.
14. Explain the five conditions necessary for an act to be considered fraudulent. Response: Fraud denotes a false representation of a material fact made by one party to another party with the intent to deceive and induce the other party to justifiably rely on the fact to his or her detriment. According to common law, a fraudulent act must meet the following five conditions:
a. False representation: There must be a false statement or a nondisclosure.
b. Material fact: A fact must be a substantial factor in inducing someone to act.
c. Intent: There must be the intent to deceive or the knowledge that one's statement is false.
d. Justifiable reliance: The misrepresentation must have been a substantial factor on which the injured party relied.
e. Injury or loss: The deception must have caused injury or loss to the victim of the fraud.
15. Distinguish between exposure and risk. Response: Exposures are weaknesses in the internal control system. For example, assigning the same clerk responsibility for receiving and booking cash and also updating accounts receivable is an exposure. Risks relate to the potential consequences of exposures. The risk associated with this exposure is that the clerk will perpetrate a fraud such as lapping.
16. Explain the characteristics of management fraud. Response: Management fraud typically occurs at levels above where the internal control system is effective.
Financial statements are frequently modified to make the firm appear healthier than it actually is. If any misappropriation of assets occurs, it is usually well hidden.

17. The text discusses many questions about personal traits of employees that might help uncover fraudulent activity. Discuss three.

Response: Examples include executives with high personal debt, living beyond their means, engaging in habitual gambling, appearing to abuse alcohol or drugs, appearing to lack personal codes of ethics, and appearing to be unstable.

18. Give two examples of employee fraud and explain how the thefts might occur.

Response: Employee fraud, or fraud by non-management employees, is generally designed to directly convert cash or other assets to the employee’s personal benefit. Employee fraud usually involves three steps: (1) stealing something of value (an asset), (2) converting the asset to a usable form (cash), and (3) concealing the crime to avoid detection. Examples:

CHARGES TO EXPENSE ACCOUNTS. The theft of $50,000 cash could be charged to a miscellaneous operating expense account. The loss of the cash reduces the firm’s assets by $50,000. To offset this, equity is reduced by $50,000 when the miscellaneous expense account is closed to retained earnings, thus keeping the accounting equation in balance.

LAPPING. The employee first steals and cashes a check for $5000 sent by Customer A. To conceal the accounting imbalance caused by the loss of the asset, Customer A’s account is not credited. Later (the next billing period), the employee uses a $5000 check received from Customer B and applies this to Customer A’s account. Funds received in the next period from Customer C are then applied to the account of Customer B, and so on.

19. Discuss the fraud schemes of bribery, illegal gratuities, and economic extortion.

Response: Bribery involves giving, offering, soliciting, or receiving things of value to influence an official in the performance of his or her lawful duties. Officials may be employed by government (or regulatory) agencies or by private organizations. Bribery defrauds the entity (business organization or government agency) of the right to honest and loyal services from those employed by it.

An illegal gratuity is similar to a bribe, but it occurs after the fact. It involves giving, receiving, offering, or soliciting something of value because of an official act that has already been taken.

Economic extortion is the use (or threat) of force (including economic sanctions) by an individual or organization to obtain something of value. The item of value could be a financial or economic asset, information, or cooperation to obtain a favorable decision on some matter under review.

20. Explain at least three forms of computer fraud.

Response:
a. Payment fraud includes the following techniques:
i. Creating illegal programs that can access data files to alter, delete, or insert values into accounting records,
ii. Destroying or corrupting a program’s logic using a computer virus, or
iii. Altering program logic to cause the application to process data incorrectly.
b. Operations fraud is the misuse or theft of the firm’s computer resources. This often involves using the computer to conduct personal business.
c. Database management fraud includes altering, deleting, corrupting, destroying, or stealing an organization’s data.
d. Scavenging involves searching through the trash of the computer center for discarded output.
e. Eavesdropping involves listening to output transmissions over telecommunication lines.

21. Distinguish between skimming and cash larceny.

Response: Skimming involves stealing cash from an organization before it is recorded on the organization’s books and records, as opposed to larceny, where cash receipts are stolen from an organization after they have been recorded in the organization’s books and records.

22. Distinguish between a shell company fraud and a pass-through fraud.

Response: A shell company fraud first requires that the perpetrator establish a false supplier on the books of the victim company. The fraudster then manufactures false purchase orders, receiving reports, and invoices in the name of the vendor and submits them to the accounting system, which creates the illusion of a legitimate transaction. A pass-through fraud is similar to the shell company fraud with the exception that a transaction actually takes place. Again, the perpetrator creates a false vendor and issues purchase orders to it for inventory or supplies. The false vendor then purchases the needed inventory from a legitimate vendor. The false vendor charges the victim company a much higher than market price for the items, but pays only the market price to the legitimate vendor. The difference is the profit that the perpetrator pockets.

23. Why are the computer ethics issues of privacy, security, and property ownership of interest to accountants?

Response: Privacy is the degree of restricted access to personal data. The creation and maintenance of huge, shared databases makes it necessary to protect individuals (and organizations) from the potential misuse of such data. This raises the issue of ownership in the personal information industry. Why can client firms that are unrelated to individuals buy and sell information about those individuals without their permission? Should privacy be protected through policies and systems of internal controls within the firms that hold the data? If so, the auditors of the firms may need to develop standards for assessing such controls in their clients’ systems.

Computer security is an attempt to avoid undesirable events such as illegal access to systems that result in loss of confidentiality or data integrity. However, security can be used both to protect personal property and to undermine freedom of legitimate access to data. Automated monitoring can be used both to detect intruders and to spy on legitimate users, thus diminishing their privacy. Auditors are in a position to determine where this line is to be drawn and to assess the effectiveness and appropriateness of the security measures in place.

Laws designed to preserve real property ownership rights have been extended to cover what is referred to as intellectual property, such as computer software. The question here becomes, what can an individual (or organization) own? Ideas? Media? Source code? Object code? Copyright laws have been invoked in an attempt to protect those who develop software from having it copied. However, many believe the copyright laws can cause more harm than good. For example, should the “look and feel” of a software package be granted copyright protection? The League for Programming Freedom argues that the best interest of computer users is served when industry standards emerge; copyright laws work to disallow this. Issues relating to ownership and valuation of digital property are currently under review by the accounting profession.
Legal resolution may have potentially profound implications for both accounting firms and their clients. For example, since patent searches are expensive and unreliable, programmers (and their organizations) may be sued for inadvertently using a computer process on which someone else holds the patent. Such an environment increases business risk and associated audit risk.

24. A profile of fraud perpetrators prepared by the Association of Certified Fraud Examiners revealed that adult males with advanced degrees commit a disproportionate amount of fraud. Explain these findings.

Response: The study suggests that notwithstanding the importance of personal ethics, situational pressures and opportunity contribute greatly to fraud.

SITUATIONAL PRESSURES. As people age, they tend to marry and assume greater responsibilities and are influenced by significant situational pressures. The heads of households tend to feel situational pressures more severely than other family members. Since heads of households (in the economic sense) are more often men than women, some of the variance due to gender is explained.

OPPORTUNITY. The real culprit responsible for explaining the loss variance presented in the study is opportunity. Opportunity can be redefined as control over assets or access to assets. Indeed, control and access are essential elements of opportunity. The financial loss differences associated with most of the classifications above are explained by the opportunity factor.
Gender. While the demographic picture is changing, more men than women occupy positions of authority in business organizations, which provide them greater access to assets.
Position. Those in the highest positions have the greatest access to company funds and assets.
Age. Older employees tend to occupy higher-ranking positions and therefore generally have greater access to company assets.
Education. Generally, those with more education occupy higher positions in their organizations and therefore have greater access to company funds and other assets.

25. Explain why collusion between employees and management in the commission of a fraud is difficult to both prevent and detect.

Response: Collusion among employees in the commission of a fraud is difficult to both prevent and detect. This is particularly true when the collusion is between managers and their subordinate employees. Management plays a key role in the internal control structure of an organization. Managers are relied upon to prevent and detect fraud among their subordinates. When they participate in fraud with the employees over whom they are supposed to provide oversight, the organization’s control structure is weakened, or completely circumvented, and the company becomes more vulnerable to losses.

26. Because all fraud involves some form of financial misstatement, how is fraudulent statement fraud different?

Response: Fraudulent statements are associated with management fraud. While all fraud involves some form of financial misstatement, to meet the definition under this class of fraud scheme, the statement itself must bring direct or indirect financial benefit to the perpetrator. In other words, the statement is not simply a vehicle for obscuring or covering a fraudulent act. For example, misstating the cash account balance to cover the theft of cash does not fall under this class of fraud scheme. On the other hand, understating liabilities to present a more favorable financial picture of the organization to drive up stock prices does qualify.

27. Explain the problems associated with lack of auditor independence.

Response: Auditing firms that are also engaged by their clients to perform non-accounting activities such as actuarial services, internal audit outsourcing services, and consulting lack independence. They are essentially auditing their own work. The risk is that, as auditors, they will not bring to management’s attention detected problems that may adversely affect their consulting fees. For example, Enron’s auditors, Arthur Andersen, were also its internal auditors and its management consultants.

28. Explain the problems associated with lack of director independence.

Response: Many boards of directors are composed of individuals who are not independent. Examples of lack of independence are directors who have a personal relationship by serving on other companies’ boards of directors; have a business trading relationship as key customers or suppliers of the company; have a financial relationship as primary stockholders or have received personal loans from the company; and have an operational relationship as employees of the company. With a lack of director independence, in addition to an increased risk of fraud, there also exists a decreased ability for objective decision making.

29. Explain the problems associated with questionable compensation schemes.

Response: A survey by Thomson Financial revealed the strong belief that executives have abused stock-based compensation. The consensus is that fewer stock options should be offered than currently is the practice. Excessive use of short-term stock options to compensate directors and executives may result in short-term thinking and strategies aimed at driving up stock prices at the expense of the firm’s long-term health. In extreme cases, financial statement misrepresentation has been the vehicle to achieve the stock price needed to exercise the option.

30. Explain the problems associated with inappropriate accounting practices.

Response: The use of inappropriate accounting techniques is a characteristic common to many financial statement fraud schemes. Enron made elaborate use of Special Purpose Entities (SPE) to hide liabilities through off-balance-sheet accounting. WorldCom management transferred transmission line costs from current expense accounts to capital accounts. This allowed them to defer some operating expenses and report higher earnings. Also, they reduced the book value of
hard assets of MCI by $3.4 billion and increased goodwill by the same amount. Had the assets been left at book value, they would have been charged against earnings over four years. Goodwill, on the other hand, was amortized over a much longer period.

31. Explain the purpose of the Public Company Accounting Oversight Board.

Response: The Sarbanes-Oxley Act created a Public Company Accounting Oversight Board (PCAOB). The PCAOB is empowered to set auditing, quality control, and ethics standards, to inspect registered accounting firms, to conduct investigations, and to take disciplinary actions.

32. Why is an independent audit committee important to a company?

Response: The Sarbanes-Oxley Act requires all audit committee members to be independent and requires the audit committee to hire and oversee the external auditors. This provision is consistent with many investors who consider the board composition to be a critical investment factor. For example, a Thomson Financial survey revealed that most institutional investors want corporate boards to be composed of at least 75 percent independent directors.

33. What are the key points of the “Issuer and Management Disclosure” of the Sarbanes-Oxley Act?

Response:
1. Public companies must report all off-balance-sheet transactions.
2. Annual reports filed with the SEC must include a statement by management asserting that it is responsible for creating and maintaining adequate internal controls and asserting to the effectiveness of those controls.
3. Officers must certify that the company’s accounts “fairly present” the firm’s financial condition and results of operations.
4. Knowingly filing a false certification is a criminal offence.

34. In this age of high technology and computer-based information systems, why are accountants concerned about physical (human) controls?

Response: This class of controls relates primarily to the human activities employed in accounting systems. These activities may be purely manual, such as the physical custody of assets, or they may involve the use of computers to record transactions or update accounts. Physical controls do not relate to the computer logic that actually performs these accounting tasks. This is the subject matter of Chapter 16. Rather, they relate to the human activities that initiate such computer logic. In other words, physical controls do not suggest an environment in which clerks update paper accounts with pen and ink. Virtually all systems, regardless of their sophistication, employ human activities that need to be controlled.
MULTIPLE CHOICE
1. c
2. c
3. b
4. a
5. c
6. e
7. e
8. c
9. a
10. b
11. a
12. c
13. d
14. c
15. d
16. c
17. a
18. b
19. e
20. b
PROBLEMS
1. Mary Jane Smith has been a highly regarded employee of the Brier Corporation for almost 20 years. Her loyalty to the company is reflected in her dedication to her job as general accounting clerk, from which she has not taken a vacation in almost 12 years. Because of her dedication and long tenure, she has acquired many related responsibilities, which has allowed the Brier Corp to reduce its work force through attrition, control salary expenses, and become more efficient and competitive. The following describes Mary Jane’s responsibilities.

Mary Jane receives copies of credit sales orders from the sales department. From these documents she accesses the AR subsidiary ledger from her office computer and records the AR. She then records the sale in the sales journal and posts the transactions to the general ledger accounts. Cash receipts in payment of customer accounts receivable come directly to her office. She records the cash receipts in the GL cash and AR accounts and updates the AR subsidiary ledger. She then endorses the checks “for deposit only” and deposits them in the bank at the end of each day.

Required:
a. Identify any control problems in the procedures described above.
b. What sorts of fraud are possible in this system?
c. What controls are needed to reduce the risk of fraud?

Response:
a) Mary Jane’s dedication to her job, from which she has not taken a vacation in many years, is a red flag that she may be engaged in something illegal. This concern is reinforced by her job description, which combines several incompatible tasks:
• Segregation of Duties: Mary Jane is responsible for recording both accounts receivable and cash receipts.
• Segregation of Duties / Accounting Records: Mary Jane has access to both the AR subsidiary ledger and the general ledger accounts.
b) The following frauds could be committed:
• Skimming: Mary Jane could steal a check and write off the customer’s account receivable as a bad debt.
• Cash Larceny: Mary Jane could implement a lapping scheme because she has access to both cash receipts and AR records. The complex accounting procedures needed to manage such a scheme would require her not to take a vacation, for fear that a replacement clerk would uncover the fraud.
c) Controls needed to reduce the risk of fraud are:
• Implement a policy that all employees must take a vacation each year.
• Separate the task of AR record keeping from cash receipts processing.
• Separate the task of posting to the general ledger from the task of updating subsidiary ledgers.
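The lapping scheme described in review question 18 and in part (b) above, together with the detective side of the controls in part (c), as an added example that is not part of the solution manual: an independently prepared mailroom remittance list is reconciled against the AR clerk’s postings and the bank deposit over three billing periods. Customer names, check ids and amounts are constructed for the illustration.

```python
"""Detective controls over cash receipts, run against a constructed lapping
scenario.  Added example; this is not code from the solution manual.

The mailroom's remittance list is the independent record (the control
recommended in Problem 2); the AR clerk's postings and the bank deposit are
compared against it.  Names, check ids and amounts are made up to mirror the
text: A's check is stolen, B's check is applied to A's account, C's to B's.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Remittance:
    """One line of the mailroom remittance list: check id, payer, amount."""
    check_id: str
    customer: str
    amount: int


@dataclass(frozen=True)
class Posting:
    """The AR subsidiary-ledger credit the clerk recorded for a check."""
    check_id: str
    account: str
    amount: int


@dataclass(frozen=True)
class Finding:
    control: str
    check_id: str
    detail: str


def reconcile_deposit(remittances: list[Remittance],
                      deposited: set[str]) -> list[Finding]:
    """Control 1: every check on the remittance list must reach the bank.

    A listed check that is never deposited is the signature of cash larceny;
    the list removes the 'no record' condition that skimming relies on.
    """
    findings = []
    listed = {r.check_id: r for r in remittances}
    for check_id, r in listed.items():
        if check_id not in deposited:
            findings.append(Finding("deposit_reconciliation", check_id,
                                    f"{r.customer}'s check for {r.amount} not deposited"))
    for check_id in sorted(deposited - set(listed)):
        findings.append(Finding("deposit_reconciliation", check_id,
                                "deposited but not on remittance list"))
    return findings


def match_postings(remittances: list[Remittance],
                   postings: list[Posting]) -> list[Finding]:
    """Control 2: the account credited must be the customer who paid.

    Lapping credits B's check to A's account; comparing the payer on the
    remittance advice with the ledger account credited exposes that directly.
    """
    findings = []
    by_check = {p.check_id: p for p in postings}
    for r in remittances:
        p = by_check.get(r.check_id)
        if p is None:
            findings.append(Finding("posting_completeness", r.check_id,
                                    f"no AR credit recorded for {r.customer}'s check"))
        elif p.account != r.customer:
            findings.append(Finding("misapplied_payment", r.check_id,
                                    f"{r.customer}'s check credited to {p.account}"))
        elif p.amount != r.amount:
            findings.append(Finding("amount_mismatch", r.check_id,
                                    f"listed {r.amount}, posted {p.amount}"))
    return findings


def run_controls(remittances, postings, deposited) -> list[Finding]:
    """Run both detective controls for one billing period."""
    return (reconcile_deposit(remittances, deposited)
            + match_postings(remittances, postings))


def lapping_scenario() -> dict[int, list[str]]:
    """Three billing periods of the textbook scheme (constructed data);
    returns the names of the controls that fired in each period."""
    periods = {
        # Period 1: A's $5,000 check is stolen; nothing posted, nothing deposited.
        1: ([Remittance("chk001", "A", 5000)], [], set()),
        # Period 2: B's check is credited to A's account to cover the gap.
        2: ([Remittance("chk002", "B", 5000)],
            [Posting("chk002", "A", 5000)], {"chk002"}),
        # Period 3: C's check is credited to B's account, and so on.
        3: ([Remittance("chk003", "C", 5000)],
            [Posting("chk003", "B", 5000)], {"chk003"}),
    }
    return {n: [f.control for f in run_controls(*data)]
            for n, data in periods.items()}
```

If the clerk also prepared the remittance list, she could simply leave chk001 off it and both controls would stay silent; that is why part (c) separates cash receipts processing from AR record keeping.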
2. Assessing Internal Control
The following describes the cash receipts procedures for a medium-sized online and catalogue-based retailer. Customer payments come directly to the general mail room along with other mail items. The customer payments mail constitutes about 20 percent of the total mail received each day. The mailroom clerks sort through the mail, open the customer payment envelopes, remove the customer checks and remittance advices, and reconcile the two documents. The mailroom supervisor then sends the reconciled checks and remittance advices to the Accounts Receivable clerk, who posts the amounts received to the customer AR subsidiary ledger and the cash receipts journal from her computer terminal. The AR clerk then manually prepares a remittance list of all checks received, endorses the checks “for deposit only” and sends the checks and remittance list to the Treasurer. Finally, the clerk files the remittance advices in the AR department. Once the checks and remittance list arrive at the Treasury department, the treasurer reconciles the documents, and manually prepares three hard copies of the deposit slip. Next, he sends the checks and two copies of the deposit slip to the bank. Finally, he files the third copy of the deposit slip and the remittance list in the department.

Required:
a) Identify the internal control weaknesses in the cash receipts process.
b) For each weakness, describe the associated risks.
c) For each weakness provide a possible control activity.

Response:
1. a) Weakness: Mailroom clerks have access to checks and remittance advices.
b) Risk: The mailroom clerks could steal the check and destroy the remittance advice, leaving no record of the transaction.
c) Control: Require the cash receipts to be sent to a separate PO box or a separate room. This smaller amount of similar mail can be better controlled through supervision.
2. a) Weakness: The AR clerk receives checks and remittance advices from the mailroom supervisor.
b) Risk: The AR clerk has access to both the asset and the records. The clerk could steal the check and destroy the remittance advice to eliminate any record of the cash receipt.
c) Control: Prepare the remittance list in the mailroom. Any loss or theft of checks after they are recorded on the remittance list would result in a discrepancy between the remittance list and the checks that are deposited in the bank.
3. a) Weakness: The AR clerk has responsibility for recording cash and updating the customer accounts from the checks (asset).
b) Risk: The clerk could engage in a lapping fraud.
c) Control: Segregation of duties is needed to separate the tasks of recording accounts receivable and receiving cash receipts.

3. Kickback Fraud

The kickback is a form of fraud often associated with purchasing. Most organizations expect their purchasing agents to select the vendor that provides the best products at the lowest price. To influence the purchasing agent in his or her decision, vendors may grant the agent financial favors (cash, presents, football tickets, and so on). This activity can result in orders being placed with vendors that supply inferior products or charge excessive prices.

Required: Describe the controls that an organization can employ to deal with kickbacks. Classify each control as preventive, detective, or corrective.

Response:
a. Preventive Controls
i. Implement an organizational policy prohibiting kickbacks.
ii. Establish a code of ethics within the organization that outlines the boundaries of unethical behavior. Require all employees to sign the code.
iii. Establish a list of valid vendors from whom the agent must place orders for merchandise. Orders from vendors not on the list must be formally approved by the agent’s supervisor.
b. Detective Controls
i. Prior to making payment to the vendor, the amount to be paid should be compared to the amount expected (based on historic data) to determine its reasonableness.
ii. Prior to making payment, the authenticity of the vendor should be verified against the valid vendor file.
c. Corrective Controls
i. Discrepancies detected in the other two controls should be evaluated by an independent manager before payment to the vendor is authorized.
ii. If it is found that the purchasing agent violated the code of ethics or company policy, appropriate disciplinary action should follow. This may include censure, suspension, dismissal, or even criminal charges.

4. BOD Composition

A recent survey of institutional investors reveals that most of them want corporate boards to be comprised of at least 75 percent independent directors.

Required: Write an essay explaining why director independence has become such a high profile issue and one of great importance.

Response: Responses to this question will vary.

5. Auditor Independence

The Sarbanes-Oxley Act addresses auditor independence by creating more separation between a firm’s attestation and non-auditing activities.

Required: Write an essay outlining the services that a public accounting firm cannot perform for its client. Conduct research to explain the rationale behind each of these prohibitions.

Response: Responses to this question will vary.
6. Fraud Motivating Factors

Research has shown that situational pressures and opportunity are factors that contribute to fraudulent behavior.

Required:
a. Identify two situational pressures in a public company that would increase the likelihood of fraud.
b. Identify three opportunities that would increase the likelihood of fraud.

Response:
a. Examples of situational pressures in a public company that would increase the likelihood of fraud include:
• Competitive pressures.
• Excessive expectations for financial targets.
• Penalties for not meeting budget targets.
• Sudden decreases in revenue or market share.
• Payment with stock options or other bonus programs that depend on short-term economic performance.
b. Opportunity situations that would increase the likelihood of fraud include:
• Weak or nonexistent internal accounting controls.
• Accounting estimates requiring significant judgment by company management.
• Poor segregation of duties.
• Absence of policies that limit collusion, such as nepotism rules.

7. Predictors of Fraud

A number of factors have been used to characterize the perpetrators of frauds, including position within the organization, collusion with others, gender, age, and education.

Required: Write an essay summarizing the usefulness of these factors as predictors of fraud within an organization.

Response: Responses to this question will vary.

8. Fraud Scheme

A purchasing agent for a large hardware retailer has sole discretion in selecting vendors for the parts and supplies sold by the company. The agent directs a disproportionate number of purchase orders to a supply company owned by the agent’s brother-in-law, which charges above-market prices for its products. The agent’s relationship with the supplier is unknown to his employer.

Required: What type of fraud is this, and what controls can be implemented to prevent or detect the fraud?

Response: This is an example of undisclosed conflict of interest. Controls used to prevent or detect this fraud include:
• The home improvements company should establish a formal policy stating its position on business transactions with employees. If such transactions are to be permitted, they should be formally and explicitly declared by the employees and approved by management prior to any transactions.
• The organization should establish a valid vendor file, which is a list of approved suppliers. No transactions (particularly disbursements of cash) should be permitted with suppliers that are not on the list without formal management approval.
• Independent verification of transactions through management reports could be used to identify unusual business patterns and material changes in accounts. For example, a report could summarize transaction volumes to vendors and analyze relevant financial ratios such as cost-of-sales to sales across periods.

9. Fraud Scheme

A procurement agent for a large metropolitan building authority threatens to blacklist a building contractor if he does not make a financial payment to the agent. If the contractor does not cooperate, the contractor will be denied future work. Faced with a threat of economic loss, the contractor makes the payment.

Required: What type of fraud is this, and what controls can be implemented to prevent or detect the fraud?

Response: This is an example of economic extortion. Frauds of this sort are difficult to detect because of the absence of records. Management and auditors need to take a proactive approach to uncover such activity. The following techniques may be used:
• The building authority should have a publicized policy of equal opportunity in the bidding process.
• An independent audit function should be in place that formally investigates any accusations of extortion.
• Internal and external auditors should conduct periodic analysis of bid proposals and acceptances to identify unusual trends. For example, are jobs frequently awarded to the same contractors? Are the bid prices reasonable? Do certain contractors appear to be absent or excluded from the bid process?
• Contractors that appear to be excluded from the process should be contacted to determine why they did not bid on jobs.
• If auditors suspect that economic extortion may exist, hard evidence can be obtained through sting operations.
10. Mailroom Fraud and Internal Control

Sarat Sethi, a professional criminal, took a job as a mailroom clerk for a large department store called “Benson & Abernathy and Company.” The mailroom was an extremely hectic work environment consisting of 45 clerks and one supervisor. The clerks were responsible for handling promotional mailings, catalogs, and interoffice mail, as well as receiving and distributing a wide range of outside correspondence to various internal departments. One of Sethi’s jobs was to open cash receipts envelopes from customers making payments on their credit-card balances. He separated the remittance advices (the bills) and the checks into two piles. He then sent remittance advices to the Accounts Receivable department, where the customer accounts were updated to reflect the payment. He sent the checks to the Cash Receipts department, where they were recorded in the cash journal and then deposited into the bank. Batch totals of cash received and accounts receivable updated were reconciled each night to ensure that everything was accounted for. Nevertheless, over a one-month period Sethi managed to steal $100,000 in customer payments and then left the state without warning.

The fraud occurred as follows: Because the name of the company was rather long, some people had adopted the habit of making out checks simply to “Benson.” Sethi had a false ID prepared in the name of John Benson. Whenever he came across a check made out to “Benson,” he would steal it along with the remittance advice. Sometimes people would even leave the payee section on the check blank. These checks he also stole. He would then modify the checks to make them payable to “J. Benson” and cash them. Since the accounts receivable department received no remittance advice, the end-of-day reconciliation with cash received disclosed no discrepancies.

Required:
a. This seems like a foolproof scheme. Why did Sethi limit himself to only one month’s activity before leaving town?
b. What controls could Benson & Abernathy implement to prevent this from happening again?

Response:
a. After a month, the customers whose accounts were not updated will complain when they receive their bills.
b.
i. Supervision, i.e., cut down on the span of control of the supervisor.
ii. Set up a separate, smaller mailroom responsible only for collecting cash.
iii. Perform background checks on all employees.
iv. Have payments sent directly to the bank.

11. Segregation of Duties

Explain why each of the following combinations of tasks should, or should not, be separated to achieve adequate internal control.
a. Approval of bad debt write-offs and the reconciliation of the accounts receivable subsidiary ledger and the general ledger control account
b. Distribution of payroll checks to employees and approval of employee timecards
c. Posting of amounts from both the cash receipts and the cash disbursements journals to the general ledger
d. Writing checks to vendors and posting to the cash account
e. Recording cash receipts in the journal and preparing the bank reconciliation

Response:
a. These two tasks do not need to be separated because no conflict exists between writing off bad debts (asset accounts receivable) and reconciling accounts payable (liability).
b. These two tasks need to be separated because they are independent of one another.
c. In neither case does the employee have access to the assets; therefore, no danger exists.
d. These two tasks do not need to be separated because there is control both over the outflow of cash and posting to the cash account.
e. These tasks should be separated. The employee records the transactions and has access to assets. To allow the employee to verify the accuracy of the records would allow him or her to cover up any money embezzled by doctoring the bank reconciliation.
12. Expense Account Fraud
While auditing the financial statements of the Petty Corporation, the certified public accounting firm of Trueblue and Smith discovered that its client’s legal expense account was abnormally high. Further investigation of the records indicated the following:
• Since the beginning of the year, several disbursements totaling $15,000 had been made to the law firm of Swindle, Fox, and Kreip.
• Swindle, Fox, and Kreip were not the Petty Corporation’s attorneys.
• A review of the cancelled checks showed that they had been written and approved by Mary Boghas, the cash disbursements clerk.
• Boghas’s other duties included performing the end-of-month bank reconciliation.
• Subsequent investigation revealed that Swindle, Fox, and Kreip are representing Mary Boghas in an unrelated embezzlement case in which she is the defendant. The checks had been written in payment of her personal legal fees.
Required:
a. What control procedures could Petty Corporation have employed to prevent this unauthorized use of cash? Classify each control procedure in accordance with the COSO framework (authorization, segregation of functions, supervision, and so on).
b. Comment on the ethical issues in this case.
Response:
a. Control Procedures:
• All checks should require the treasurer’s signature.
• A bonding agency can be used to verify employee integrity through background checks.
• The internal auditors should perform a periodic review of expense accounts, which are frequently used to offset fraudulent transactions.
b. Ethical Issues: Apart from the obvious lack of ethical standards by Mary Boghas, the ethical behavior of Swindle, Fox, and Kreip also comes into question. It received numerous checks drawn upon the bank account of the Petty Corporation in payment of Mary Boghas’ legal fees.
13. Assessing Internal Control
The following describes the cash disbursement procedures for a wholesale building supply company. When the accounts payable clerk receives the supplier’s invoice, she records the purchase in the purchases journal, records the liability in the AP subsidiary ledger, and sets a due date based on the terms specified on the invoice. The clerk then updates the inventory control and accounts payable control accounts in the general ledger. The invoice is then filed in the department. Each day, the clerk visually searches the AP subsidiary ledger from her terminal for invoices that are due to be paid. From her computer terminal, the clerk prepares the check and records it in the check register. The negotiable portion of the check is mailed to the vendor and a check copy is filed. The clerk then closes the liability in the AP subsidiary ledger and updates the accounts payable control and cash accounts in the general ledger.
Required:
a) Identify the internal control weaknesses in the cash disbursement process.
b) For each weakness, describe the associated risks.
c) For each weakness provide a possible control activity.
Response:
1. a) Weakness: The clerk sets up a liability based solely on the vendor’s invoice.
b) Risk: The company may be paying for things it did not order, did not receive, or is paying too high a price.
c) Control: The clerk should perform a three-way match of the purchase order, receiving report, and invoice to verify that the liability is legitimate and correctly stated.
2. a) Weakness: The AP clerk authorizes the liability and writes the check to pay it.
b) Risk: The clerk could create a false vendor, set up a liability, and disburse funds (see payments to fictitious vendors, chapter 12).
c) Control: Segregation of duties between the tasks of authorizing a liability and check writing.
3. a) Weakness: The AP clerk has access to both the AP subsidiary ledger and the general ledger.
b) Risk: Balancing general ledger control accounts with corresponding subsidiary ledgers can help detect certain types of errors and irregularities. This control is lost when the same individual is responsible for updating both accounts.
c) Control: Segregation of duties between the general ledger function and other accounting functions.
14. Financial Aid Fraud
Harold Jones, the financial aid officer at a small university, manages all aspects of the financial aid program for needy students. Jones receives requests for aid from students, determines whether the students meet the aid criteria, authorizes aid payments, notifies the applicants that their request has been either approved or denied, writes the financial aid checks on the account he controls, and requires that the students come to his office to receive the check in person. For years, Jones has used his position of authority to perpetrate the following fraud: Jones encourages students who clearly will not qualify to apply for financial aid. Although the students do not expect aid, they apply on the off chance that it will be awarded. Jones modifies the financial information in the students’ applications so that it falls within the established guidelines for aid. He then approves aid and writes aid checks payable to the students. The students, however, are informed that aid was denied. Since the students expect no aid, the checks in Jones’s office are never collected. Jones forges the students’ signatures and cashes the checks.
Required: Identify the internal control procedures (classified per COSO) that could prevent or detect this fraud.
Response:
a. Segregation of Functions Control: The tasks in the financial aid process are performed entirely by Mr. Jones. As a minimum, the following tasks should be performed by separate individuals:
• Receipt of applications
• Approval of applications
• Check processing
• Distribution of check to recipient (by mail or direct deposit)
b. Independent Verification Control:
• Financial information presented in financial aid applications should be verified through credit agencies.
• Prior to awarding any grants, the financial aid department should verify that the student is still enrolled and in good standing.
• The internal auditor should periodically confirm the receipt of cash awards with the financial aid recipients.
15. Evaluation of Controls
Gaurav Mirchandaniis is the warehouse manager for a large office supply wholesaler. Mr. Mirchandaniis receives two copies of the customer sales order from the Sales Department. He picks the goods from the shelves and sends them and one copy of the sales order to the shipping department. He then files the second copy in a temporary file. At the end of the day, Mirchandaniis retrieves the sales orders from the temporary file and updates the Inventory subsidiary ledger from a terminal in his office. At that time he identifies items that have fallen to low levels, selects a supplier, and prepares three copies of a purchase order. One copy is sent to the supplier, one goes to the Accounts Payable clerk, and one is filed in the warehouse. When the goods arrive from the supplier, Mr. Mirchandaniis reviews the attached packing slip, counts and inspects the goods, places them on the shelves, and updates the inventory ledger to reflect the receipt. He then prepares a receiving report and sends it to the Accounts Payable department.
Required:
a. Prepare a systems flowchart of the procedures just described.
b. Identify any control problems in the system.
c. What sort of frauds are possible in this system?
Response:
a. See flowchart 12-15.
Solution to Problem 12-15
b. The following segregation of functions problems exist:
i. Mirchandaniis is the warehouse manager (asset custody) and is responsible for updating the inventory subsidiary ledger (record keeping).
ii. Mirchandaniis determines what should be ordered (authorization) and then places the order (transaction processing).
c. The following frauds could result from these control weaknesses:
i. Kickback fraud: Because Mirchandaniis selects the supplier and also places the order, he could order inventory that is not needed or that is above market price from a supplier with whom he has a personal fraudulent arrangement. In exchange, the supplier would pay a kickback to the warehouse manager.
ii. Vendor fraud: Mirchandaniis authorizes, orders, and receives the goods. He could establish himself as a vendor and process fraudulent transactions.
iii. Theft of inventory: Mirchandaniis can simply remove the assets from the warehouse, sell them, and adjust the inventory records. A reconciliation between the physical inventory on hand and the records would indicate no discrepancies.
16. Evaluation of Controls
Matt Demko is the loading dock supervisor for a dry cement packaging company. His work crew consists of unskilled workers who load large transport trucks with bags of cement, gravel, and sand. The work is hard, and the employee turnover rate is high. Employees record their attendance on separate timecards. Demko authorizes payroll payments each week by signing the timecards and submitting them to the payroll department. The paychecks are then prepared by payroll and distributed to Demko, who distributes them to his work crew.
Required:
a. Prepare a systems flowchart of the procedures described above.
b. Identify any control problems in the system.
c. What sort of frauds are possible in this system?
Response:
a. See flowchart 12-16.
b. The following segregation of functions problem exists: Demko authorizes the transaction (signs and submits timecards) and has asset custody (distributes the checks to employees).
c. The following frauds could result from these control weaknesses:
• Kickback fraud: Demko permits employees to inflate the hours worked and approves payment. The employee then splits the excess pay with the supervisor as a kickback.
• Nonexistent employee fraud: After an employee leaves the company, the supervisor continues to submit a timecard for him. When the paychecks are distributed to Demko, he keeps the ones for the terminated employees and cashes them by forging their names.
Solution to Problem 12-16
17. Evaluation of Internal Controls
The Never Sink Canoe (NSC) Company is a small manufacturer of high-quality canoes, pontoons, and fishing craft. It sells its products to sporting goods stores throughout the northeast United States and parts of Canada. NSC began as a small family-owned company that served a local market. Over the years it expanded its market through the use of seasonal sales force employees. The sales staff work on straight commission and travel extensively while taking orders from customers at sporting outlets and trade shows during the water sports and fishing season. All sales are on credit and payment is due within 30 days after being billed. In late fall, when the season ends, the temporary sales personnel are laid off until the following spring. Employee turnover is high, with approximately 50 percent of the laid-off sales staff returning the following year.
NSC’s revenue and expense procedures associated with their sales force activities are as follows: The salesperson takes an order, reviews the customer’s creditworthiness, and submits the approved order to the accounting clerk at the main office, who calculates the sales commission to be remitted and promptly writes a check to the salesperson. The clerk then sets up an account receivable for the customer. The clerk also receives cash in payment of customer accounts and updates the related customer AR records. The order is then sent to the billing department, where the sale is recorded and the customer is billed. Finally, the order is sent to the warehouse, where the items are selected, packaged, and shipped to the customer. The warehouse clerk then updates the inventory subsidiary ledger to reflect the shipment.
Sales staff periodically submit travel expense reimbursement claims on hard copy forms to the accounting clerk. NSC policy requires sales staff to keep receipts, but they are not required to submit them with the reimbursement forms. The clerk prepares an account payable for each salesperson based on their reimbursement form and twice each month writes them checks for the amount indicated in their individual AP account.
After the end of the past season, and after the temporary employees had been laid off, NSC financials showed a substantial rise in sales compared to previous years. These increases were, however, offset to a great extent by a high rate of product returns. Furthermore, travel expenses were disproportionately high compared with previous years.
Required:
a) Using the COSO internal control model for control activities (e.g., transaction authorization, segregation of duties), identify any potential internal control weaknesses in the NSC system.
b) For each weakness, discuss the potential for fraud in the system.
c) Make recommendations for correcting each identified control weakness.
Response:
Segregation of Duties Issues
Control Weakness 1: Transaction authorization should be separated from transaction processing. The salesperson both authorizes the sale by approving the creditworthiness of the customer and processes it.
Fraud Potential: The salesperson can approve sales to customers with poor credit to increase his/her commission.
Recommendation: NSC should implement a formal credit approval process that is independent of the salesperson.
Control Weakness 2: Asset custody should be separate from record keeping responsibility. The accounting clerk has cash receipts and check writing responsibility and also sets up AP and AR accounts and updates those accounts.
Fraud Potential: 1) The clerk could create a false (or overstated) AP account for a salesperson or for the clerk and then write the check. 2) The clerk could establish a lapping fraud with accounts receivable payments.
Recommendation: NSC should separate the cash receipts and disbursements from the recording of AR and AP functions.
Control Weakness 3: Asset custody should be separate from record keeping responsibility. The warehouse clerk has custody of inventory and record keeping responsibility for the inventory subsidiary ledger.
Fraud Potential: The clerk could remove inventory from the warehouse, sell it, and cover the theft by adjusting the inventory records.
Recommendation: NSC should separate the task of updating the inventory records from the warehouse function.
Accounting Records Issues
Control Weakness: Adequate source documents, journals, and ledgers need to be in place to form an audit trail. Sales staff should submit receipts for travel expense reimbursements.
Fraud Potential: Sales staff need only submit a form to claim reimbursement but no proof of the actual expense. They can thus “pad” their expenses.
Recommendation: NSC should require the submission of receipts for all expenses above a pre-specified dollar amount (e.g., $25.00).
Independent Verification Issues
Control Weakness: Verification procedures are checks on the accounting system to identify errors and misrepresentations. No verification procedures exist at NSC to review sales commissions or expense reimbursements.
Fraud Potential: The fraud potential has been previously discussed regarding commissions and expense padding. Knowing that these activities are not reviewed by management would only embolden someone with the intent to commit fraud.
Recommendation: NSC should implement procedures to review commission and expense transactions for reasonableness.
18. Documenting System and Evaluating Controls
The following describes the warehouse and shipping procedures for a company: The warehouse clerk receives two copies of a stock release document from the sales department. The stock release document describes the items that were sold, the quantities to be picked from the shelves, and the warehouse locations of the items. The clerk then picks the items and sends them with one copy of the stock release document to the shipping department. Using the second copy of the stock release, the clerk accesses the inventory subsidiary ledger from the PC in the warehouse and updates the inventory to reflect the items shipped. The clerk also looks for items that have fallen below their reorder points, selects a vendor, prepares a purchase order, and sends it to the vendor. Upon receipt of the goods and a copy of the stock release document, the shipping clerk prepares the items for shipment, records the shipment in the hard copy shipping log, and sends the items sold along with the stock release document to the carrier.
Required:
a. Prepare a systems flowchart of the procedures described.
b. Identify any control problems in the system.
c. What sorts of fraud are possible in this system?
Response:
a. See flowchart on the following page.
b. The following segregation of functions problems exist:
1. The warehouse clerk has asset custody and is responsible for updating the inventory subsidiary ledger (record keeping).
2. The clerk determines what should be ordered (authorization) and then places the order (transaction processing).
c. The following frauds could result from these control weaknesses:
1. Kickback fraud— The clerk selects the supplier and also places the order. He is thus in position to order inventory that is not needed or that is above market price from a supplier with whom he has a personal fraudulent arrangement. In exchange, the supplier pays a kickback to the warehouse clerk.
2. Vendor fraud—the clerk authorizes, orders, and receives the goods; he could establish himself as a vendor and process fraudulent transactions.
3. Theft of inventory—the clerk can remove inventory from the warehouse, sell it, and adjust the inventory records. A reconciliation between the physical inventory on hand and the records would indicate no discrepancies.
19. Analysis of Flowchart, Internal Controls
Required:
a. Identify any control problems in the system.
b. What sorts of fraud are possible in this system?
Response:
a) Control Problems:
• Segregation of Duties: The clerk is responsible for cash receipts and recording accounts receivable.
• Segregation of Duties / Accounting Records: The clerk has access to both the subsidiary ledger and the general ledger.
• Independent Verification: The clerk deposits funds in the bank and also performs the bank reconciliation function.
b) The following possible frauds could be committed:
• Skimming: The clerk steals the check and destroys the deposit slip to remove any trace of the transaction.
• Cash Larceny: The clerk can implement a lapping scheme because she has access to both cash receipts and AR records.
• Cash Larceny: The clerk can write off a customer account receivable as a bad debt and keep the customer checks.
20. Evaluation of Payroll Controls
A foreman of a construction company is responsible for a construction crew consisting of many unskilled workers. Their tasks consist of mixing cement, digging foundations, and loading onto trucks. The work is hard, the employee turnover rate is high, and individuals often leave without notice. Throughout the work week employees record their attendance on separate time cards, which the foreman approves and submits to the payroll department at the end of the week. Based on the time cards the payroll department prepares the paychecks and sends them to the foreman, who then distributes the checks to his work crew.
Required:
a. Prepare a systems flowchart of the procedures described here.
b. Identify any control problems in the system.
c. What sorts of fraud are possible in this system?
Response:
a) See flowchart on the next page.
b. The following segregation of functions problem exists: The foreman authorizes the transaction (signs and submits timecards) and has asset custody (he distributes the checks to employees).
c. The following frauds could result from these control weaknesses:
i. Kickback fraud—the foreman permits employees to inflate the hours worked and approves payment. The employee then splits the excess pay with the supervisor as a kickback.
ii. Nonexistent employee fraud—After an employee leaves the company, the foreman continues to submit timecards for him. When the paychecks are distributed by the foreman, he keeps the ones for the terminated employees and cashes them by forging their name.
ACL Cases Refer to the Instructor’s Resource section of the Web pages for this text for solutions to ACL assignments.
ACL 9 Tutorial 1 Solution
COMMANDS: ANALYZE -> TOTAL, ANALYZE -> PROFILE, ANALYZE -> STATISTICS, SAMPLING -> SAMPLE, ANALYZE -> SEQUENCE, DATA -> SORT, ANALYZE -> DUPLICATES, ANALYZE -> GAPS
AP_TRANS
1. Using the TOTAL command, develop a hash control total and an amount control total for AP_TRANS. What recommendation would you make to develop a field for hash control total?
Ans: TOTAL command: Invoice Amount plus one of the other number fields.
The total of Invoice_Amount is: $278,641.33
The total of Quantity is: 37,107
The total of Unit_Cost is: 1,522.29
Yes. Change Invoice Number to a number field (vs. string) if possible.
2. Run PROFILE on the file, Invoice Amount. Can you determine if there are any negative transactions? Explain.
Ans: There are none because total = absolute total ($278,641.33).
3. Run STATISTICS on each of the four available fields with the Std Dev box checked. Describe your audit direction to specific invoices based on the results of STATISTICS.
Ans: The statistics on Invoice_Amount reveal the following data of interest to the auditor:
As of: 06/25/2010 12:23:54
Command: STATISTICS ON Invoice_Amount STD TO SCREEN NUMBER 5
Table: Ap_Trans
© 2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

Invoice Amount   Number   Total        Average
Range            -        56,752.32    -
Positive         102      278,641.33   2,731.78
Negative         0        0.00         0.00
Zeros            0        -            -
Totals           102      278,641.33   2,731.78
Abs Value        -        278,641.33   -
Std. Dev.        -        -            6,609.23

Highest      Lowest
56,767.20    14.88
20,386.19    21.12
18,883.34    31.68
16,642.56    46.08
15,444.80    49.68

There are no zeros or negative invoices, quantity, or cost. This minimizes the need to look for that kind of error. Using a 95% confidence interval, 1.96 standard deviations from the mean (in both directions) is about $13k from the mean: $16k-$14.88. That means one transaction is an outlier - $56,767.20. This item needs to be audited thoroughly. Other than that, a reasonable statistical (random selection) approach to the other 101 transactions is required. This result gives an auditor the necessary input to calculate the number of samples to take.
4. Run SAMPLE (Sampling -> Sample) for the AP_TRANS file, using the data from step 3. Sample Invoice Amount, Interval of $6,609, Begin $14.88 (minimum invoice) and Cutoff $56,767.20. Save results as AP_Trans_Sample.
Ans:
35 records of 102 selected for the sample and placed in the output file. The log provides some data about the sample.
AR
5. Run SEQUENCE on AR, using Invoice Number (Ref_No). Make sure to use only Invoice Type Transactions (“IN”); use Expression Builder to filter out other transaction types. What do you notice about the invoice numbers?
Ans:
As of: 06/27/2010 10:51:15
Command: DUPLICATES ON Ref TO SCREEN
Table: Ar
Filter: Type = "IN" (588 records matched)
10 sequence errors detected
0 gaps and/or duplicates detected

Sequence:
Record Number   Ref No
22              213184
26              213248
32              213277
35              213264
40              213327
41              213326
42              213325
43              213318
44              213317
48              213354
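The PROFILE, STATISTICS and SAMPLE steps above (steps 2 to 4) are population analytics an auditor often has to reproduce outside ACL. The script below is an added Python example written for this page; it is not code from the solution manual or from ACL. It runs on a constructed ten-invoice population, computes the sign counts, totals, range and standard deviation that the STATISTICS output reports, applies step 2's total-versus-absolute-total check, flags items beyond 1.96 standard deviations of the mean, and performs a fixed-interval monetary unit selection with a cutoff for high-value items. The sampling routine and the use of the sample standard deviation are assumptions made for illustration, not ACL's exact algorithms.

```python
from statistics import mean, stdev

# Constructed invoice population for illustration; it is NOT the tutorial's AP_TRANS data.
# Each entry is (invoice reference, invoice amount).
INVOICES = [
    ("A1001", 120.00), ("A1002", 5400.50), ("A1003", 0.00), ("A1004", -75.25),
    ("A1005", 980.10), ("A1006", 2450.00), ("A1007", 31000.00), ("A1008", 640.00),
    ("A1009", 1875.40), ("A1010", 310.00),
]


def profile(amounts):
    """PROFILE/STATISTICS-style summary of a numeric field: counts by sign, totals,
    range and standard deviation (the sample std. dev. is an assumption here)."""
    total = sum(amounts)
    return {
        "count": len(amounts),
        "positive": sum(1 for a in amounts if a > 0),
        "negative": sum(1 for a in amounts if a < 0),
        "zeros": sum(1 for a in amounts if a == 0),
        "total": round(total, 2),
        "abs_total": round(sum(abs(a) for a in amounts), 2),
        "average": round(total / len(amounts), 2),
        "minimum": min(amounts),
        "maximum": max(amounts),
        "range": round(max(amounts) - min(amounts), 2),
        "std_dev": round(stdev(amounts), 2),
    }


def has_negatives(stats):
    """Step 2's reasoning: the total equals the absolute total only when no negatives exist."""
    return stats["total"] != stats["abs_total"]


def highest_lowest(amounts, n=5):
    """The Highest / Lowest columns that STATISTICS ... NUMBER n prints."""
    ordered = sorted(amounts)
    return ordered[::-1][:n], ordered[:n]


def outliers(amounts, z=1.96):
    """Items more than z standard deviations above the mean: step 3's 95% band,
    applied as an upper bound because the lower bound falls below the smallest invoice."""
    m, s = mean(amounts), stdev(amounts)
    return [a for a in amounts if a > m + z * s]


def interval_sample(invoices, interval, start, cutoff):
    """Fixed-interval (cumulative monetary unit) selection with a high-value cutoff.
    Records at or above `cutoff` are always selected; the remaining positive amounts
    are accumulated and a record is selected whenever the running total crosses the
    next sampling point start, start + interval, start + 2*interval, ...
    This illustrates the technique; it is not a reimplementation of ACL's SAMPLE
    command (assumption)."""
    selected, running, next_point = [], 0.0, start
    for ref, amount in invoices:
        if amount >= cutoff:
            selected.append(ref)          # top stratum: examined 100%
            continue
        if amount <= 0:
            continue                      # zero and negative items carry no monetary units
        running += amount
        hit = False
        while next_point <= running:      # a large item may span several sampling points
            hit = True
            next_point += interval
        if hit:
            selected.append(ref)
    return selected


if __name__ == "__main__":
    amounts = [a for _, a in INVOICES]
    stats = profile(amounts)
    print(stats)
    print("negatives present:", has_negatives(stats))
    print("outliers:", outliers(amounts))
    print("sample:", interval_sample(INVOICES, interval=5000, start=100, cutoff=20000))
```

The constructed population deliberately contains one zero and one negative entry, so has_negatives() returns True and the Negative row of the profile is non-zero; the single 31,000.00 item is the only value outside the 1.96 standard deviation band and is also swept into the sample by the cutoff, which is the behaviour step 3's answer describes for the $56,767.20 invoice.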
6. Re-run SEQUENCE on the same file but this time check “Duplicates” and “Gaps” (filter Invoice type transactions only). What information is provided to the auditor about testing invoices?
Ans: a. There are 162 gaps and 0 duplicates in the list in the LOG: 162 total problem invoice numbers.
b. The LOG / SEQUENCE provides auditors with key information about missing invoice numbers, something that must be investigated.
7. SORT AR by Invoice Amount in descending order. Use Sort On to specify descending order. Specify TYPE “IN”. Use Output File name AR_SortAmount. What sort of anomalies is the auditor looking for? Ans: The auditor is looking for redundant amounts, large amounts, or other abnormal amounts.
ACL-9 Tutorial 2 Solution
COMMANDS: ANALYZE -> DUPLICATES, ANALYZE -> GAPS, TOOLS -> COMMENT
PAYROLL
1. Run the Look for Duplicates option from the ANALYZE menu tab. Click the Duplicates On.. button and select “Employee Number” as the field to verify and check Presort. Go to the OUTPUT tab and set output to SCREEN. Click OK.
a. Explain the results you get.
ANS:
As of: 03/14/2010 16:42:10
Command: DUPLICATES ON EmpNo PRESORT TO SCREEN
Table: Payroll
1 duplicate detected

Duplicates:
Record Number   Employee Number
32              000320

There is one duplicate (#000320).
b. What would you do with the results?
ANS: Investigate the duplicate employee number with the HR department. It is an anomaly (ERROR or FRAUD).
c. What other field would you check for DUPLICATES or GAPS? Run the DUPLICATES command again.
ANS: Cheque_No. Run it. No duplicates.
2. Run the Look for Gaps option from the Analyze tab. Click the Gaps On.. button and select “Employee Number” as the field to verify. Choose the List Gap Ranges option and check Presort. Go to the OUTPUT tab and set output to SCREEN. Click OK.
ANS:
As of: 03/14/2010 17:10:23
Command: GAPS ON EmpNo PRESORT TO SCREEN
Table: Payroll
40 gap ranges detected
200288 missing items

Gaps Found Between:
Gap Start     Gap End       Number of
(Exclusive)   (Exclusive)   Missing Items
10            20            9
20            30            9
30            50            19
50            60            9
60            70            9
70            100           29
100           108           7
110           120           9
120           130           9
130           140           9
140           150           9
150           160           9
160           170           9
170           180           9
180           190           9
190           200           9
200           210           9
210           220           9
220           230           9
230           240           9
240           250           9
250           260           9
260           270           9
270           280           9
280           290           9
290           300           9
300           310           9
310           320           9
320           330           9
330           340           9
340           200,010       199,669
200,010       200,120       109
200,120       200,140       19
200,140       200,170       29
200,170       200,220       49
200,220       200,240       19
200,240       200,280       39
200,280       200,310       29
200,310       200,330       19
200,330       200,340       9
d. How do you interpret the results? ANS: Employee numbers are assigned according to company policy and may not be sequential. The gaps identified may very well be legitimate.
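Steps 5 and 6 of Tutorial 1 (SEQUENCE on AR with gaps and duplicates) and steps 1 and 2 of this tutorial (DUPLICATES and GAPS on Payroll employee numbers) are the same three tests applied to different key fields. The script below is an added Python example for this page, not ACL code and not from the solution manual: it filters a constructed transaction list to one type (the Type = "IN" filter of step 5), then reports out-of-sequence records, duplicate keys and gap ranges in the Gap Start (exclusive) / Gap End (exclusive) / Missing Items layout of the output above. The sample records are constructed, and record positions are 1-based to match ACL's Record Number column (an assumption).

```python
from collections import Counter

# Constructed AR-style transactions (type, invoice number); NOT the tutorial's AR or Payroll tables.
AR = [
    ("IN", 213180), ("CR", 900001), ("IN", 213181), ("IN", 213183), ("IN", 213184),
    ("IN", 213182), ("IN", 213186), ("IN", 213186), ("CR", 900002), ("IN", 213190),
]


def filter_type(records, wanted="IN"):
    """Equivalent of the Filter: Type = "IN" expression: keep the keys of one transaction type."""
    return [ref for typ, ref in records if typ == wanted]


def sequence_errors(keys):
    """SEQUENCE test: (1-based record position, key) for each key lower than the one before it."""
    return [(i, k) for i, k in enumerate(keys, start=1) if i > 1 and k < keys[i - 2]]


def duplicates(keys):
    """DUPLICATES test: keys that occur more than once, with their occurrence count."""
    return {k: c for k, c in Counter(keys).items() if c > 1}


def gap_ranges(keys):
    """GAPS test with List Gap Ranges: (gap start, gap end, number missing).
    Start and end are exclusive, i.e. the existing keys on either side of the gap.
    The keys are sorted first, which is what ACL's Presort option does; a key that is
    merely out of order therefore does not show up as a gap."""
    uniq = sorted(set(keys))
    return [(lo, hi, hi - lo - 1) for lo, hi in zip(uniq, uniq[1:]) if hi - lo > 1]


def missing_items(ranges):
    """Total number of missing keys across all gap ranges."""
    return sum(n for _, _, n in ranges)


def sequence_report(records, wanted="IN"):
    """Run all three tests on one transaction type and return the figures the log would show."""
    keys = filter_type(records, wanted)
    gaps = gap_ranges(keys)
    return {
        "records_matched": len(keys),
        "sequence_errors": sequence_errors(keys),
        "duplicates": duplicates(keys),
        "gap_ranges": gaps,
        "missing_items": missing_items(gaps),
    }


if __name__ == "__main__":
    for name, value in sequence_report(AR).items():
        print(f"{name}: {value}")
```

In the constructed data, invoice 213182 is filed out of order, so it appears as a sequence error but not as a gap once the keys are presorted; 213185 and 213187 to 213189 are genuinely missing and 213186 is duplicated. Whether a gap is an error is a separate judgement, as the answer to (d) above notes: gap_ranges([10, 20, 30, 50]) reproduces the first three rows of the Payroll output, and those gaps may simply reflect how employee numbers are assigned.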
3. Use COMMENT to insert a comment into the LOG file that notes your concerns. Use TOOLS-> Add Comment. ANS: Responses will vary.
ACL 9 Tutorial 3 Solution
COMMANDS: ANALYZE -> CLASSIFY, ANALYZE -> SUMMARIZE, DATA -> SORT, DATA -> REPORT, ANALYZE -> PROFILE, ANALYZE -> STRATIFY
AP_TRANS
1. CLASSIFY the data in AP_Trans by Vendor_No and accumulate on Invoice_Amount.
ANS:
As of: 07/28/2010 15:30:22
Command: CLASSIFY ON Vendor_No SUBTOTAL Invoice_Amount TO SCREEN
Table: Ap_Trans

Vendor Number   Count   Percent of Count   Percent of Field   Invoice Amount
10025           5       4.9%               21.3%              59,347.59
10101           3       2.94%              0.25%              691.04
10134           5       4.9%               8.12%              22,618.62
10448           3       2.94%              0.28%              782.04
10534           2       1.96%              1.61%              4,482.60
10559           2       1.96%              0.25%              708.99
10720           2       1.96%              0.17%              471.60
10721           4       3.92%              0.79%              2,212.86
10787           4       3.92%              1.6%               4,464.90
10879           1       0.98%              0.52%              1,440.00
11009           1       0.98%              0.03%              92.16
11247           2       1.96%              1.14%              3,162.78
11435           3       2.94%              0.53%              1,469.13
11475           7       6.86%              12.91%             35,968.34
11663           4       3.92%              2.39%              6,666.39
11837           3       2.94%              4.47%              12,454.88
11922           3       2.94%              6.41%              17,868.84
12130           4       3.92%              11.07%             30,858.17
12230           1       0.98%              0.29%              809.20
12248           2       1.96%              0.68%              1,885.60
12289           1       0.98%              0.12%              328.60
12433           6       5.88%              5.32%              14,835.74
12576           2       1.96%              0.28%              790.72
12636           2       1.96%              0.9%               2,501.82
12701           5       4.9%               2.2%               6,143.39
13136           2       1.96%              0.05%              127.18
13373           1       0.98%              0.28%              784.40
13411           5       4.9%               4.37%              12,176.20
13440           1       0.98%              3.97%              11,068.20
13808           1       0.98%              2.41%              6,705.12
13864           2       1.96%              0.31%              861.29
13928           3       2.94%              0.44%              1,218.89
14090           1       0.98%              0.47%              1,312.74
14299           1       0.98%              0.04%              115.74
14438           6       5.88%              2.89%              8,052.76
14599           1       0.98%              0.33%              932.40
14913           1       0.98%              0.8%               2,230.41
Totals          102     100%               100%               278,641.33
How would an auditor use this data in an audit? This report provides the auditor with a breakdown of the percentage of purchases and the dollar amount purchases placed with each vendor. The auditor can thus focus on the most material transactions.
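The CLASSIFY report above, the SUMMARIZE step that follows it, and the materiality filter (Invoice_Amount >= 2000) are all a group-by over the vendor key. The following Python example is added for this page; it is neither ACL's implementation nor the manual's code, and it runs on a constructed ten-invoice table rather than AP_Trans. summarize() is the SUMMARIZE-style grouping with subtotals on several numeric fields; classify() adds the Percent of Count and Percent of Field columns; material_vendors() applies the threshold and a descending sort so the largest suppliers are listed first.

```python
# Constructed AP-style records (vendor, invoice amount, quantity, unit cost);
# NOT the tutorial's AP_Trans table.
AP_TRANS = [
    {"vendor": "10025", "amount": 20000.00, "qty": 400, "unit_cost": 50.00},
    {"vendor": "10101", "amount": 300.00, "qty": 10, "unit_cost": 30.00},
    {"vendor": "11475", "amount": 2000.00, "qty": 100, "unit_cost": 20.00},
    {"vendor": "10025", "amount": 15000.00, "qty": 300, "unit_cost": 50.00},
    {"vendor": "10134", "amount": 1500.00, "qty": 50, "unit_cost": 30.00},
    {"vendor": "11475", "amount": 2500.00, "qty": 125, "unit_cost": 20.00},
    {"vendor": "10101", "amount": 400.00, "qty": 20, "unit_cost": 20.00},
    {"vendor": "11475", "amount": 1000.00, "qty": 50, "unit_cost": 20.00},
    {"vendor": "10025", "amount": 5000.00, "qty": 100, "unit_cost": 50.00},
    {"vendor": "11475", "amount": 1800.00, "qty": 90, "unit_cost": 20.00},
]


def summarize(records, key, subtotal_fields):
    """SUMMARIZE-style grouping: one row per key value with a record count and the
    subtotal of each named numeric field.  Rows come out ordered by key, which is the
    effect of ACL's PRESORT option."""
    groups = {}
    for rec in records:
        row = groups.setdefault(
            rec[key], {key: rec[key], "count": 0, **{f: 0.0 for f in subtotal_fields}}
        )
        row["count"] += 1
        for f in subtotal_fields:
            row[f] += rec[f]
    rows = [groups[k] for k in sorted(groups)]
    for row in rows:
        for f in subtotal_fields:
            row[f] = round(row[f], 2)
    return rows


def classify(records, key, field):
    """CLASSIFY-style report: summarize on one numeric field and add the
    Percent of Count and Percent of Field columns."""
    n = len(records)
    total = sum(r[field] for r in records)
    rows = summarize(records, key, [field])
    for row in rows:
        row["pct_count"] = round(100 * row["count"] / n, 2)
        row["pct_field"] = round(100 * row[field] / total, 2)
    return rows


def material_vendors(rows, field, threshold):
    """Materiality filter plus descending sort, mirroring SORT ... IF Invoice_Amount >= 2000
    (the sort direction is the tutorial's step b; ascending would be the same filter)."""
    kept = [row for row in rows if row[field] >= threshold]
    return sorted(kept, key=lambda row: row[field], reverse=True)


def vendor_report(records, threshold=2000.0):
    """Classify by vendor on amount, then keep only vendors at or above the threshold."""
    return material_vendors(classify(records, "vendor", "amount"), "amount", threshold)


if __name__ == "__main__":
    for row in classify(AP_TRANS, "vendor", "amount"):
        print(row)
    print("material vendors:", [row["vendor"] for row in vendor_report(AP_TRANS)])
```

With the constructed data, vendor 10025 carries 30% of the invoices but 80.81% of the dollars, which is exactly the disproportion the answer above tells the auditor to look for; vendor 11475 has the most invoices, but at a low average amount, and both survive the $2,000 materiality filter while the two small vendors drop out.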
2. The SUMMARIZE command generates a record count and accumulates totals for each unique value of character or date key fields. It is most effective for large input files, because it can report on a limitless number of unique key fields. Summarize is similar to Classify except: (1) it requires a sorted file, (2) you can include additional character or numeric fields that are not accumulated in the summary file, and (3) it can create a comprehensive report.
a. Summarize AP TRANS on Vendor_No and subtotal on all numeric fields. Check PRESORT, and save as SUMVEN.
Ans: ANALYZE -> SUMMARIZE -> SUMMARIZE ON: Below the SUMMARIZE ON button, from the drop-down list, click Vendor_No -> Subtotal Fields: Below the SUBTOTAL FIELDS button, click Invoice_Amount, Quantity, Unit_Cost -> Check the PRESORT box -> Output {tab} -> File -> In the text box, enter “SUMVEN” -> OK. The SUMVEN file will open to the screen with 37 records and summaries by vendor number for the Invoice_Amount, Quantity, Unit_Cost, and Count fields. <see below for log results>
Command: SUMMARIZE ON Vendor_No SUBTOTAL Invoice_Amount TO "SUMVEN.FIL" OPEN PRESORT
14:34:16 - 03/14/2010
Presorting data
37 records produced
Output to C:\ACL Data\Sample Data Files\SUMVEN.FIL is done
Opening file "SUMVEN"
View the types of the fields in SUMVEN. What type are they?
Ans: To examine the table structure: Edit -> Table Layout. View the field types of the five fields: Count, Quantity, Unit_Cost and Invoice_Amount are numeric; Vendor_No is ASCII.
b. Sort the file on Invoice_Amount and save it to a new file called SUMVENsort. Using the FILTER command eliminate vendors with total invoices below a materiality threshold of $2000.
Ans: Data -> Sort Records. Click the Sort On button, select Invoice_Amount, and click OK. In the Filter box, enter the expression “Invoice_Amount >= 2000”. Enter the output file name (SUMVENsort) in the box next to the “To” button. Click OK. 19 vendor records are returned to the screen. <see below for log results>
Command: SORT ON Invoice_Amount IF Invoice_Amount >= 2000 TO "SUMVENsort" OPEN
14:54:42 - 03/14/2010
19 of 37 met the test: Invoice_Amount >= 2000
19 records produced
Output to C:\ACL Data\Sample Data Files\SUMVENsort.FIL is done
Opening file "SUMVENsort"
(c) EXPORT the resulting file as an Excel spreadsheet; name it AuditSumVen.
Ans: Export File: Data -> Export To Other Applications -> Select Fields option. Click the Export Fields button. Export Fields: 1. Vendor No, 2. Invoice Amount, 3. Count, 4. Quantity, 5. Unit_Cost. Export As: from the drop-down list, click EXCEL 2.1. Enter AuditSumVen in the box next to the “To” button. Click OK.
Results:
Command: EXPORT FIELDS COUNT Invoice_Amount Quantity Unit_Cost Vendor_No XLS21 TO "AuditSumVen"
15:27:39 - 03/14/2010
19 records produced
Output to C:\ACL Data\Sample Data Files\AuditSumVen.XLS is done
(d)
Open the AuditSumVen Spreadsheet. ANS:
REPORT the results in the LOG using the REPORT function. Give the report a heading, and print it to screen (you will use the LOG to retrieve the REPORT when needed).
Ans: (report as retrieved from the LOG)
11:04:31 - 09/26/2004 Page ... 1
03/14/10 15:41:30
Produced with ACL by: Lehigh University
Vendors to Investigate

Vendor Number   Invoice Amount   Quantity   Unit Cost   COUNT
10721                 2,212.86        373          69       4
14913                 2,230.41        559           3       1
12636                 2,501.82        334          44       2
11247                 3,162.78        179          41       2
10787                 4,464.90      1,350          19       4
10534                 4,482.60        590          10       2
12701                 6,143.39      1,111          27       5
11663                 6,666.39      1,436          18       4
13808                 6,705.12        976           6       1
14438                 8,052.76        827          60       6
13440                11,068.20        286          38       1
13411                12,176.20      1,094          67       5
11837                12,454.88        824         172       3
12433                14,835.74      2,123          68       6
11922                17,868.84      4,455          17       3
10134                22,618.62        954         217       5
12130                30,858.17      3,107          62       4
11475                35,968.34      9,731         241       7
10025                59,347.59      3,917          46       5
Totals              263,819.61     34,226                  70
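The SUMMARIZE -> SORT/IF -> report pipeline above, as an added worked example in Python (this is not code from the textbook or from ACL; the AP_TRANS rows, vendor numbers and the function names summarize, sort_if and vendors_to_investigate are constructed for the illustration). It shows the two points the log lines leave implicit: the summary carries one row per vendor with subtotals and a record count, and the materiality filter is ">=", so a vendor whose total sits exactly on the $2000 threshold stays in the investigation list.

```python
from collections import defaultdict

# Constructed AP transactions (not the textbook's Ap_Trans sample data).
AP_TRANS = [
    {"Vendor_No": "V100", "Invoice_No": "A-1", "Invoice_Amount": 1200.00, "Quantity": 10, "Unit_Cost": 120.00},
    {"Vendor_No": "V100", "Invoice_No": "A-2", "Invoice_Amount": 950.00,  "Quantity": 5,  "Unit_Cost": 190.00},
    {"Vendor_No": "V200", "Invoice_No": "A-3", "Invoice_Amount": 300.00,  "Quantity": 3,  "Unit_Cost": 100.00},
    {"Vendor_No": "V300", "Invoice_No": "A-4", "Invoice_Amount": 2000.00, "Quantity": 8,  "Unit_Cost": 250.00},
    {"Vendor_No": "V400", "Invoice_No": "A-5", "Invoice_Amount": 1999.99, "Quantity": 1,  "Unit_Cost": 1999.99},
]


def summarize(records, key, subtotal_fields):
    """SUMMARIZE ON key SUBTOTAL fields: one row per key value carrying the
    subtotals and a record count, returned in key order (the PRESORT option)."""
    groups = defaultdict(lambda: {**{f: 0 for f in subtotal_fields}, "Count": 0})
    for r in records:
        g = groups[r[key]]
        for f in subtotal_fields:
            g[f] += r[f]
        g["Count"] += 1
    return [{key: k, **{f: round(v, 2) for f, v in g.items()}}
            for k, g in sorted(groups.items())]


def sort_if(rows, on, condition, descending=False):
    """SORT ON field IF condition TO newfile: keep the rows that pass the
    condition, then order the survivors on the sort field."""
    return sorted((r for r in rows if condition(r)), key=lambda r: r[on], reverse=descending)


def vendors_to_investigate(records, threshold):
    """Vendor totals at or above the materiality threshold, smallest first.
    The comparison is >=, so a vendor exactly on the threshold is kept."""
    summary = summarize(records, "Vendor_No", ["Invoice_Amount", "Quantity", "Unit_Cost"])
    return sort_if(summary, "Invoice_Amount", lambda r: r["Invoice_Amount"] >= threshold)


if __name__ == "__main__":
    for row in vendors_to_investigate(AP_TRANS, 2000):
        print(row)
```

With the constructed rows, V400 (1,999.99) drops out and V300 (exactly 2,000.00) is kept, which is the boundary behaviour an auditor should confirm before trusting a threshold filter.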
3. AP_TRANS STRATIFYING DATA Before stratifying data, you need to obtain the maximum and minimum limits of the data using the PROFILE command. (a) Run the PROFILE command on the Invoice_Amount in preparation of running the STRATIFY command. Analyze -> Statistical -> Profile -> Profile Fields -> click Invoice_Amount -> OK -> Results: As of: 03/14/2010 16:11:48 Command: PROFILE FIELDS Invoice_Amount Table: Ap_Trans

Field Name       Total Value   Absolute Value   Minimum     Maximum
Invoice Amount    278,641.33       278,641.33     14.88   56,767.20
(b) Run the STRATIFY command on the Invoice_Amount. Accumulate on Quantity and Unit_Cost. Analyze -> Stratify -> [notice that the minimum and maximum amounts were picked up from the command log and Profile data] Stratify On -> double click Invoice_Amount -> OK -> Subtotal Fields -> click Quantity, Click Unit_Cost, then -> to move them to the Selected Fields -> OK -> <see results below>
As of: 03/14/2010 16:16:53 Command: STRATIFY ON Invoice_Amount SUBTOTAL Quantity Unit_Cost INTERVALS 10 TO SCREEN Table: Ap_Trans
Minimum encountered was 14.88 Maximum encountered was 56,767.20

Invoice Amount          Count   Percent of Count   Percent of Field   Quantity   Unit Cost
14.88 - 5,690.11           89             87.25%             40.68%     15,096       1,100
5,690.12 - 11,365.34        8              7.84%             13.74%      5,099         317
11,365.35 - 17,040.57       2              1.96%             12.44%      4,616          43
17,040.58 - 22,715.80       2              1.96%             24.03%      8,917          43
22,715.81 - 28,391.03       0                 0%                 0%          0           0
28,391.04 - 34,066.27       0                 0%                 0%          0           0
34,066.28 - 39,741.50       0                 0%                 0%          0           0
39,741.51 - 45,416.73       0                 0%                 0%          0           0
45,416.74 - 51,091.96       0                 0%                 0%          0           0
51,091.97 - 56,767.20       1              0.98%              9.11%      3,379          16
Totals                    102               100%               100%     37,107       1,522
c. Re-run STRATIFY but eliminate the outlier. [HINT: Run STATISTICS first to find the value of the 2nd highest invoice amount] (See results below) As of: 07/26/2010 11:40:12 Command: STATISTICS ON Invoice_Amount TO SCREEN NUMBER 5 Table: Ap_Trans

Invoice Amount      Number        Total     Average
Range            56,752.32            -           -
Positive               102   278,641.33    2,731.78
Negative                 0         0.00        0.00
Zeros                    0            -           -
Totals                 102   278,641.33    2,731.78
Abs Value                -   278,641.33           -

Highest   56,767.20   20,386.19   18,883.34   16,642.56   15,444.80
Lowest        14.88       21.12       31.68       46.08       49.68

The second value in the Highest row, 20,386.19, is the second highest invoice; it becomes the MAXIMUM for the re-run so that the 56,767.20 outlier falls into its own bucket.
As of: 07/26/2010 16:24:11 Command: STRATIFY ON Invoice_Amount MAXIMUM 20387 INTERVALS 10 TO SCREEN Table: Ap_Trans Minimum encountered was 14.88 Maximum encountered was 56,767.20

Invoice Amount          Count   Percent of Count   Percent of Field   Invoice Amount
14.88 - 2,052.09           75             73.53%              16.2%        45,128.15
2,052.10 - 4,089.30        11             10.78%              10.3%        28,688.33
4,089.31 - 6,126.51         5               4.9%              9.17%        25,552.43
6,126.52 - 8,163.72         4              3.92%              10.6%        29,548.42
8,163.73 - 10,200.93        0                 0%                 0%             0.00
10,200.94 - 12,238.15       2              1.96%              7.75%        21,599.91
12,238.16 - 14,275.36       0                 0%                 0%             0.00
14,275.37 - 16,312.57       1              0.98%              5.54%        15,444.80
16,312.58 - 18,349.78       1              0.98%              5.97%        16,642.56
18,349.79 - 20,387.00       2              1.96%             14.09%        39,269.53
>20,387.00                  1              0.98%             20.37%        56,767.20
Totals                    102               100%               100%       278,641.33
(d) How would you use the 2nd highest invoice? ANS: By eliminating the highest outlier, we get a better view of the distribution of remaining records for analysis.
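The PROFILE, STATISTICS and STRATIFY sequence of question 3, as an added worked example in Python (not code from the textbook or from ACL). The invoice amounts in SAMPLE_INVOICES are constructed, and the function names profile, highest, stratify and the Stratum record are my own; the bucketing rule (equal-width intervals between the minimum and the maximum, last boundary inclusive, anything above an explicit MAXIMUM collected in a ">MAXIMUM" bucket) is my reading of the two STRATIFY outputs above. Run without a maximum, the single outlier swallows the whole distribution into the first bucket; run with the second highest value as the maximum, the remaining records spread across the intervals as in part (c).

```python
from dataclasses import dataclass
from typing import Optional

# Constructed invoice amounts (not the textbook's Ap_Trans data); the last one is an outlier.
SAMPLE_INVOICES = [100.0, 250.0, 400.0, 900.0, 1200.0, 1800.0, 2500.0, 3100.0, 4000.0, 50000.0]


def profile(values):
    """PROFILE: total, absolute total, minimum and maximum of a numeric field."""
    return {"total": round(sum(values), 2),
            "abs_total": round(sum(abs(v) for v in values), 2),
            "minimum": min(values), "maximum": max(values)}


def highest(values, number=5):
    """STATISTICS ... NUMBER n: the n largest values, largest first, so the
    second highest invoice is highest(values)[1]."""
    return sorted(values, reverse=True)[:number]


@dataclass
class Stratum:
    low: float
    high: Optional[float]   # None marks the ">MAXIMUM" overflow bucket
    count: int
    total: float
    pct_count: float
    pct_field: float


def stratify(values, intervals=10, maximum=None):
    """STRATIFY ON a field, subtotalling the same field.  The span from the
    minimum to the maximum is cut into equal intervals; when an explicit
    MAXIMUM is given, values above it go to an overflow bucket instead of
    stretching the interval width (the outlier problem from part (c))."""
    lo = min(values)
    hi = max(values) if maximum is None else maximum
    width = (hi - lo) / intervals
    if width <= 0:
        raise ValueError("maximum must exceed the minimum value")
    grand_total = sum(values)
    buckets = [[] for _ in range(intervals)]
    overflow = []
    for v in values:
        if v > hi:
            overflow.append(v)
            continue
        # the top boundary of the last interval is inclusive
        idx = min(int((v - lo) / width), intervals - 1)
        buckets[idx].append(v)

    def stratum(low, high, members):
        return Stratum(low, high, len(members), round(sum(members), 2),
                       round(100 * len(members) / len(values), 2),
                       round(100 * sum(members) / grand_total, 2) if grand_total else 0.0)

    strata = [stratum(round(lo + i * width, 2), round(lo + (i + 1) * width, 2), b)
              for i, b in enumerate(buckets)]
    if maximum is not None:
        strata.append(stratum(hi, None, overflow))
    return strata


if __name__ == "__main__":
    print(profile(SAMPLE_INVOICES))
    second = highest(SAMPLE_INVOICES, 2)[1]
    for s in stratify(SAMPLE_INVOICES, intervals=5, maximum=second):
        print(s)
```

The overflow bucket keeps the outlier visible in the totals (its count and percent of field still add up to 100%) while the interval width is governed by the bulk of the data.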
(e) View the data as a bar chart. ANS:
4. INVENTORY STRATIFYING DATA (a) Run the PROFILE command on all of the amount fields in preparation of running the STRATIFY command. ANS: As of: 03/14/2010 16:31:15 Command: PROFILE FIELDS MinQty MktVal QtyOH QtyOO SalePr UnCst Value Table: Inventory

Field Name                 Total Value   Absolute Value      Minimum      Maximum
Re-Order Point                  58,805           58,805            0        4,600
Market Value              1,029,061.61     1,031,588.81      -839.76   143,880.00
Quantity On Hand               169,285          169,325          -12       71,000
Quantity On Order              117,145          117,145            0       40,000
Sale Price                    3,748.66         3,748.66         0.04       499.98
Unit Cost                     2,625.47         2,659.23        -6.87       381.20
Inventory Value at Cost     680,479.94       708,243.94   -10,167.60   100,800.00
(b) Run the STRATIFY command on VALUE. Subtotal on VALUE. ANS: As of: 03/14/2010 16:34:25 Command: STRATIFY ON Value SUBTOTAL Value INTERVALS 10 TO SCREEN Table: Inventory
Minimum encountered was -10,167.60 Maximum encountered was 100,800.00

Inventory Value at Cost     Count   Percent of Count   Percent of Field   Inventory Value at Cost
-10,167.60 - 929.15            52             34.21%              1.23%                 8,401.87
929.16 - 12,025.91             87             57.24%             48.84%               332,323.97
12,025.92 - 23,122.67           8              5.26%             18.87%               128,431.50
23,122.68 - 34,219.43           3              1.97%             10.79%                73,422.60
34,219.44 - 45,316.19           1              0.66%              5.45%                37,100.00
45,316.20 - 56,412.95           0                 0%                 0%                     0.00
56,412.96 - 67,509.71           0                 0%                 0%                     0.00
67,509.72 - 78,606.47           0                 0%                 0%                     0.00
78,606.48 - 89,703.23           0                 0%                 0%                     0.00
89,703.24 - 100,800.00          1              0.66%             14.81%               100,800.00
Totals                        152               100%               100%               680,479.94
(c) Which of the numbers would be of interest to an auditor? ANS: Negative MARKET VALUE. Negative QTY.OH. Negative VALUE. OUTLIER of the one item ($100,800).
ACL Tutorial 4 Solution
COMMANDS: ANALYZE -> AGE; DATA -> JOIN; DATA -> MERGE
AR 1. The Aging of Accounts Receivable is a frequently used audit technique that is supported by the AGE command in ACL: (a) Using AGE, develop an aging report of current, 30, 60, 90, 120, and above 120 days past due accounts. Set the cutoff date at December 31, 2000. Age on the DUE date field. Create a filter to include only Invoice type [IN] in the report. ANS: As of: 03/14/2010 07:53:15 Command: AGE ON Due CUTOFF 20001231 INTERVAL 0,30,60,90,120,10000 TO SCREEN Table: Ar
Filter: Type = "IN" (588 records matched) Minimum encountered was 0 Maximum encountered was 365

Days           Count   Percent of Count
0 - 29           216             36.73%
30 - 59          113             19.22%
60 - 89           30               5.1%
90 - 119           7              1.19%
120 - 10,000     222             37.76%
Totals           588               100%
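The AGE command of part (a), as an added worked example in Python (not code from the textbook or from ACL). The AR rows are constructed, and age, invoices_only and INTERVALS are my own names; the bucket rule (days from due date to cutoff, intervals 0,30,60,90,120,10000, anything beyond the last boundary kept in the last bucket) follows the command line above. The example also handles the one case the interval list starting at 0 hides: an invoice whose due date lies after the cutoff has a negative age and is returned separately instead of vanishing from the report.

```python
from bisect import bisect_right
from datetime import date

# Constructed receivables (not the textbook's Ar table). Type IN = invoice, CN = credit note.
AR = [
    {"No": "C1", "Type": "IN", "Due": date(2000, 12, 15), "Amount": 500.00},
    {"No": "C2", "Type": "IN", "Due": date(2000, 12, 31), "Amount": 120.00},
    {"No": "C3", "Type": "IN", "Due": date(2000, 11, 20), "Amount": 300.00},
    {"No": "C4", "Type": "IN", "Due": date(2000, 10, 5),  "Amount": 80.00},
    {"No": "C5", "Type": "IN", "Due": date(2000, 9, 20),  "Amount": 950.00},
    {"No": "C6", "Type": "IN", "Due": date(2000, 3, 1),   "Amount": 1400.00},
    {"No": "C7", "Type": "CN", "Due": date(2000, 8, 1),   "Amount": -60.00},
    {"No": "C8", "Type": "IN", "Due": date(2001, 1, 15),  "Amount": 210.00},
]

# AGE ... INTERVAL 0,30,60,90,120,10000 -> buckets 0-29, 30-59, 60-89, 90-119, 120 and over
INTERVALS = [0, 30, 60, 90, 120, 10000]


def invoices_only(r):
    """The filter from the question: Type = "IN"."""
    return r["Type"] == "IN"


def age(records, cutoff, intervals=INTERVALS, date_field="Due",
        amount_field="Amount", condition=None):
    """Bucket records by the number of days between the due date and the
    cutoff date.  Returns (buckets, not_yet_due, excluded): each bucket has
    label, count, pct_count and amount; not_yet_due holds records due after
    the cutoff (negative age), which an interval list starting at 0 would
    otherwise drop silently; excluded counts records removed by the filter."""
    if isinstance(cutoff, str):
        cutoff = date.fromisoformat(cutoff)
    buckets = [{"label": f"{a} - {b - 1}", "count": 0, "amount": 0.0}
               for a, b in zip(intervals, intervals[1:])]
    not_yet_due, excluded, kept = [], 0, 0
    for r in records:
        if condition is not None and not condition(r):
            excluded += 1
            continue
        days = (cutoff - r[date_field]).days
        if days < intervals[0]:
            not_yet_due.append(r)
            continue
        # bisect finds the interval whose lower bound is the largest one <= days;
        # ages beyond the last boundary stay in the last bucket
        i = min(bisect_right(intervals, days) - 1, len(buckets) - 1)
        buckets[i]["count"] += 1
        buckets[i]["amount"] = round(buckets[i]["amount"] + r[amount_field], 2)
        kept += 1
    for b in buckets:
        b["pct_count"] = round(100 * b["count"] / kept, 2) if kept else 0.0
    return buckets, not_yet_due, excluded


if __name__ == "__main__":
    buckets, future, dropped = age(AR, "2000-12-31", condition=invoices_only)
    for b in buckets:
        print(f'{b["label"]:>12}  {b["count"]:>3}  {b["pct_count"]:>6}%  {b["amount"]:>9}')
    print("not yet due:", [r["No"] for r in future], "excluded by filter:", dropped)
```

Carrying the amount per bucket alongside the count matches what the confirmation work in Tutorial 5 needs: the 120-and-over bucket is the population from which overdue balances are selected for confirmation.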
EMPMAST 2. JOINING, RELATING, AND MERGING DATA The JOIN command will combine the fields of two files with different structures to produce a third file. In ACL, this task requires one file to be designated the PRIMARY file and the other the SECONDARY file. If you JOIN a transaction file with a master file, the transaction file would be the PRIMARY file and the master file would be the SECONDARY file. You obtain a different result if the files are reversed. The PRIMARY file is the first file to be opened, and the SECONDARY file is the second file opened. You MUST sort the SECONDARY file in ascending sequence on the key character field before using JOIN. It is a good idea to also sort the PRIMARY file in ascending sequence on the key character fields. Instead of SORTing the PRIMARY file, you may INDEX it.
ACL permits several options for joining. The table below outlines the records included with each option.

Option Button                           PRIMARY File             SECONDARY File
MATCHED Primary (default)               Only matched records     Only matched records
MATCHED Primary include all Primary     All records              Only matching records
MATCHED Primary include all secondary   Only matched records     All records
UNMATCHED primary                       Only unmatched records   None
Many to Many Matched                    All matched records      All matched records

(a) Join all matched records in the PAYROLL file with records from EMPMAST on EmpNo. Make PAYROLL the primary file. Name the resulting file PRJOIN. ANS: Command: JOIN PKEY EmpNo FIELDS Cheque_No EmpNo Gross_Pay Net_Pay Pay_Date Tax_Amount WorkDept SKEY Empno WITH WorkDept State_Province Sex Salary PhoneNo Pay_Per_Period Last Job HireDate First Empno EdLevel Country Comm Code City Bonus Birthdate Address TO "PRJOIN" OPEN PRESORT
08:01:57 - 03/14/2010 Field 'WorkDept' renamed 'WorkDept2' to remove name conflict Field 'Empno' renamed 'Empno2' to remove name conflict Presorting data 42 records produced 2 records bypassed Extraction to table C:\ACL8 Data\Sample Data Files\PRJOIN.FIL is complete Opening file "PRJOIN"
Closing file: Empmast.fil
(b)
Review the Command Log for unmatched records. What do the bypassed (unmatched) records mean to you as an auditor? ANS: Two payroll records exist on the payroll file for which there are no corresponding employee records. This could be an error or a form of employee fraud.
(c)
Execute a command that will identify payroll records for which no employee exists. Join all unmatched records in the EMPMAST file with records from PAYROLL. Open PAYROLL file first. Check all fields in transaction file and the master file. Name the file PR2JOIN.
ANS: Command: JOIN PKEY EmpNo FIELDS EmpNo Pay_Date WorkDept Cheque_No SKEY Empno UNMATCHED TO "PR2Join" OPEN PRESORT 08:07:45 - 03/14/2010 Presorting data 2 records produced 42 records bypassed Extraction to table C:\ACL8 Data\Sample Data Files\PR2Join.FIL is complete Opening file "PR2Join" Closing file: Empmast.fil
Results: PR2JOIN:

EmpNo    Check   Pay_Date     Gross Pay   Net Pay
000108   12353   09/15/2000    2,179.17  1,743.34
000109   12354   09/15/2000    2,179.17  1,743.34
What would you do with this information as an auditor? ANS: Consult with management regarding these anomalies
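The five JOIN options from the table above and the "payroll record with no employee" test of part (c), as an added worked example in Python (not code from the textbook or from ACL). The PAYROLL and EMPMAST rows are constructed; join, _merge and payroll_without_employee are my own names. The option semantics are my reading of the table: the default pairs each primary record with its first secondary match only, many-to-many keeps every pairing, and "include all secondary" appends every secondary record that never took part in a pairing. A secondary field that clashes with a primary field name gets a "2" suffix, which is what the "WorkDept renamed WorkDept2" line in the log reports.

```python
# Constructed PAYROLL (primary) and EMPMAST (secondary) tables; not the textbook's sample data.
PAYROLL = [
    {"EmpNo": "A01", "Cheque_No": 9001, "Gross_Pay": 2000.0, "WorkDept": "D10"},
    {"EmpNo": "A02", "Cheque_No": 9002, "Gross_Pay": 1500.0, "WorkDept": "D20"},
    {"EmpNo": "X98", "Cheque_No": 9003, "Gross_Pay": 1750.0, "WorkDept": "D20"},
    {"EmpNo": "X99", "Cheque_No": 9004, "Gross_Pay": 1750.0, "WorkDept": "D30"},
]
EMPMAST = [
    {"Empno": "A01", "WorkDept": "D10", "Pay_Per_Period": 2000.0},
    {"Empno": "A02", "WorkDept": "D20", "Pay_Per_Period": 1500.0},
    {"Empno": "A02", "WorkDept": "D25", "Pay_Per_Period": 1500.0},  # duplicate master entry
    {"Empno": "A03", "WorkDept": "D30", "Pay_Per_Period": 1800.0},  # employee with no cheque
]


def _merge(p, s, pfields):
    """Combine one primary and one secondary row.  A secondary field whose
    name already exists in the primary gets a '2' suffix (ACL's WorkDept2)."""
    row = dict(p)
    for k, v in s.items():
        row[k + "2" if k in pfields else k] = v
    return row


def join(primary, secondary, pkey, skey, option="matched"):
    """JOIN with the options from the table:
       matched           - primary rows with a match, paired with the first match
       all_primary       - every primary row; unmatched ones carry blank secondary fields
       all_secondary     - matched pairs plus every secondary row never paired
       unmatched_primary - primary rows without a match (secondary fields omitted)
       many_to_many      - every matching pair
    Returns (rows, bypassed); bypassed counts the primary rows left out."""
    index = {}
    for s in secondary:
        index.setdefault(s[skey], []).append(s)
    pfields = list(primary[0].keys())
    sfields = list(secondary[0].keys())
    used, out, bypassed = set(), [], 0
    for p in primary:
        matches = index.get(p[pkey], [])
        if option == "unmatched_primary":
            if matches:
                bypassed += 1
            else:
                out.append(dict(p))
            continue
        if not matches:
            bypassed += 1
            if option == "all_primary":
                out.append(_merge(p, {k: None for k in sfields}, pfields))
            continue
        for s in (matches if option == "many_to_many" else matches[:1]):
            used.add(id(s))
            out.append(_merge(p, s, pfields))
    if option == "all_secondary":
        blank = {k: None for k in pfields}
        out.extend(_merge(blank, s, pfields) for s in secondary if id(s) not in used)
    return out, bypassed


def payroll_without_employee(payroll, empmast):
    """Part (c): cheques issued to employee numbers absent from the master file."""
    rows, _ = join(payroll, empmast, "EmpNo", "Empno", "unmatched_primary")
    return [r["Cheque_No"] for r in rows]


if __name__ == "__main__":
    for opt in ("matched", "all_primary", "all_secondary", "unmatched_primary", "many_to_many"):
        rows, skipped = join(PAYROLL, EMPMAST, "EmpNo", "Empno", opt)
        print(f"{opt:18} {len(rows)} rows, {skipped} bypassed")
    print("cheques with no employee:", payroll_without_employee(PAYROLL, EMPMAST))
```

Running the default option against the constructed tables reports "2 bypassed", the same signal the log gave for PRJOIN; the unmatched-primary option then names the cheques behind that count. The duplicate A02 master entry is why the matched and many-to-many counts differ, and is itself a finding worth a look.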
2. The MERGE command will combine the fields of two files with identical structures to produce a third file. Both files MUST be sorted in ascending sequence on the key character field before MERGE is executed.
Required: Describe a situation when an auditor would use MERGE (include the audit objective). ANS: Audit Objective: Verify that all obligations are included in the period under review. Audit Test: Use Merge to combine purchase order, receiving report, and supplier invoice tables from different time periods and/or different company branches to identify items received but not recorded as a liability in the period.
ACL Tutorial 5 Solution
COMMANDS: CONTROL TOTALS: TOTAL; ANALYZE -> COUNT; ANALYZE -> TOTAL; DATA -> EXTRACT; DATA -> EXPORT; DATA -> SORT; DATA -> INDEX
INVENTORY 1. Audit OBJECTIVE: Reconcile inventory amounts with physical inventory counts {observation of inventory}. Obtain pre-test batch control totals by running the TOTAL and COUNT commands before the extraction, using a filter [IF] for records from Location “05”. Create a filter to choose specific records to EXTRACT [only items in location 05]. Extract the records to a new input file – Inventory_05. Run the TOTAL and COUNT commands on the new file to compare with the control totals of the pre-test.
(a) What types of control totals would be useful in this situation? Answer: Count records, total a financial field, and develop a hash total for a non-financial field.
(b) What are your control totals values? Answer: Command: COUNT Table: Inventory
Filter: Location = "05" (13 records matched) 13 records counted
Command: TOTAL FIELDS MinQty MktVal QtyOH QtyOO SalePr UnCst Value Table: Inventory
Filter: Location = "05" (13 records matched)
MinQty       5,915
MktVal   52,752.62
QtyOH       89,466
QtyOO       80,530
SalePr      160.04
UnCst       129.83
Value    42,479.36
(c) Use EXTRACT to export the specific records to a new input file Inventory_05 and print the command log for this operation. Answer: Command: EXTRACT RECORD IF Location = "05" TO "Inventory_05" OPEN 12:42:11 - 03/13/2010 13 of 152 met the test: Location = "05" 13 records produced Extraction to table C:\ACL Data\Sample Data Files\Inventory_05.FIL is complete Opening file "Inventory_05"
(d) Confirm Control Totals in the new file. Why perform this step? Answer:
Command: TOTAL FIELDS MinQty MktVal QtyOH QtyOO SalePr UnCst Value Table: Inventory_05
MinQty       5,915
MktVal   52,752.62
QtyOH       89,466
QtyOO       80,530
SalePr      160.04
UnCst       129.83
Value    42,479.36
Testing control totals before and after the extraction shows that no records were lost or added to the new input file.
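The pre-test/post-test control total procedure of question 1, as an added worked example in Python (not code from the textbook or from ACL). The INVENTORY rows are constructed, and control_totals, extract, reconcile and extract_location are my own names. It builds the three totals named in part (a) on the filtered source, extracts the records, recomputes the totals on the new table and reports which totals disagree; the usage note below shows why the non-financial hash total earns its place.

```python
# Constructed inventory records (not the textbook's Inventory table).
INVENTORY = [
    {"ProdNo": "010101", "Location": "05", "QtyOH": 120, "Value": 1440.00},
    {"ProdNo": "010102", "Location": "05", "QtyOH": 40,  "Value": 980.50},
    {"ProdNo": "020201", "Location": "01", "QtyOH": 75,  "Value": 300.25},
    {"ProdNo": "020202", "Location": "05", "QtyOH": 0,   "Value": 0.00},
    {"ProdNo": "030301", "Location": "03", "QtyOH": 12,  "Value": 1512.00},
]


def control_totals(records, financial_field, hash_field):
    """The three control totals from part (a): a record count, a total of a
    financial field, and a hash total of a non-financial field (here the
    product number read as an integer; the sum has no business meaning, it
    only has to change whenever a record goes missing or is altered)."""
    return {
        "count": len(records),
        "financial_total": round(sum(r[financial_field] for r in records), 2),
        "hash_total": sum(int(r[hash_field]) for r in records),
    }


def extract(records, condition):
    """EXTRACT RECORD IF condition TO newfile: copy matching records to a new table."""
    return [dict(r) for r in records if condition(r)]


def reconcile(before, after):
    """Compare pre-test totals (computed on the source under the filter) with
    totals recomputed on the extracted table.  Returns the names of the totals
    that disagree; an empty list means nothing was lost or added."""
    return [name for name in before if before[name] != after[name]]


def extract_location(records, location):
    """Part (b) to (d) in one pass: pre-test totals, extraction, post-test totals."""
    in_location = lambda r: r["Location"] == location
    before = control_totals([r for r in records if in_location(r)], "Value", "ProdNo")
    new_table = extract(records, in_location)
    after = control_totals(new_table, "Value", "ProdNo")
    return new_table, before, after, reconcile(before, after)


if __name__ == "__main__":
    table, pre, post, diffs = extract_location(INVENTORY, "05")
    print("pre-test :", pre)
    print("post-test:", post)
    print("differences:", diffs or "none")
```

If the extracted table loses its zero-value record in transfer, the financial total still agrees and only the count and the hash total disagree, which is the reason part (a) asks for all three rather than a single financial total.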
AR 2. Audit OBJECTIVE: Confirm accounts receivable amounts with customers. EXTRACT transactions in the AR file that have a due date prior to January 2, 2000. Create a new input file called AR_02. (a) How many records meet the criterion? Answer: Command: EXTRACT RECORD IF Due < `000102` TO "AR_02" OPEN 14:23:56 - 03/13/2010 7 of 772 met the test: Due < `000102` 7 records produced Extraction to table C:\ACL Data\Sample Data Files\AR_02.FIL is complete Opening file "AR_02"
(b) How does the EXPORT function differ from EXTRACT? Answer: Export creates a file that can be used directly by other software programs for further processing. (c) For what purpose might an auditor use the EXPORT function?
Answer: Export is used to create an input file for a separate CAATT, to export to a spreadsheet for reporting or manipulation, or to place test results into audit work papers.
(d) Use the EXPORT command to create an Excel spreadsheet called AR_02 and print the command log for this operation. Include all the fields from the ACL source file. Answer: Command: EXPORT FIELDS Amount Date Due No Ref Type EXCEL TO "AR_02" 14:27:57 - 03/13/2010 7 records produced Output to C:\ACL Data\Sample Data Files\AR_02.XLS is done
AP TRANS 3. Sorting is a helpful tool in reviewing and analyzing files. Load the AP Trans file. (a) For what reason might you NOT use the SORT command? Answer: Sorting large files is not efficient and consumes both memory and disk space.
(b) SORT the file by Vendor Number, and name the sorted file SORTVEND. How many records are there in the sorted file? Answer: Command: SORT ON Vendor_No TO "SORTVEND" OPEN 14:30:55 - 03/13/2010 102 records produced Output to C:\ACL Data\Sample Data Files\SORTVEND.FIL is done Opening file "SORTVEND"
(c) How can you verify that the sorted file contains all of the records from the original file? What function(s) could you perform to increase the reliability of the data in the sorted file? Answer:
Create standard control totals for both the original file and the sorted file. These could include a record count, a total of a financial field and a hash total of a non-financial field. For example:
As of: 03/13/2010 14:33:55 Command: COUNT Table: SORTVEND 102 records counted
Command: TOTAL FIELDS Invoice_Amount Quantity Unit_Cost Table: SORTVEND
Invoice_Amount   278,641.33
Quantity             37,107
Unit_Cost          1,522.29
(d) SORT the original AP Trans now to produce a report listing all vendors by Vendor Number and by Invoice Amount in descending order. The new file will thus show the largest amount for each vendor displayed first. Name the sorted file SORTVIP. Move the Invoice Amount column to the right of Vendor Number. Answer: Command: SORT ON Vendor_No Invoice_Amount D TO "SORTVIP" OPEN 18:21:07 - 06/24/2010 102 records produced Output to C:\ACL Data\Sample Data Files\SORTVIP.FIL is done Opening file "SORTVIP"
AP TRANS 4. Use the INDEX command to perform tasks similar to those in part 3 above. (a) When might you use the INDEX command instead of the SORT command?
Answer: INDEX is similar to SORT in organizing records in a specified order. Regarding speed of operation and computer resource consumption, the two techniques differ. The table below summarizes these differences.
SORT vs. INDEX

ITEM                                            SORT          INDEX
Execution speed                                 Slower        Faster
Required disk space                             More          Less
Subsequent processing of the entire file        Much faster   Much slower
Subsequent searching for one or a few records   Much slower   Much faster
(b) INDEX AP Trans to produce a report listing all vendors by Vendor Number. Name the indexed file INDVIP. Answer: Command: INDEX ON Vendor_No TO "INDVIP" OPEN 14:43:37 - 03/13/2010 102 records produced Output to C:\ACL Data\Sample Data Files\INDVIP.INX is done Opening file "INDVIP"
(c) Use the SEARCH feature, SEEK EXPRESSION option to locate Vendor Number “12701”.
Answer: DATA-> SEARCH -> SEEK EXPRESSION -> type in box “12701” -> OK. Note the screen shifts down to this record so that it is the first to be displayed in the active window. (d) Create a Conditional INDEX for vendor number “12433”. Name the Index VEN12433.
Answer: DATA -> Create Index -> Index On, double-click Vendor_No -> OK -> IF -> Vendor_No, =, “12433” -> OK -> TO: VEND12433 -> OK.
Command: INDEX ON Vendor_No IF Vendor_No = "12433" TO "VEND12433" OPEN 19:35:41 - 03/13/2010 6 of 102 met the test: Vendor_No = "12433" 6 records produced Output to C:\ACL Data\Sample Data Files\VEND12433.INX is done Opening file "VEND12433"
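The SORT versus INDEX distinction of question 4, together with SEEK and the conditional index, as an added worked example in Python (not code from the textbook or from ACL). The AP_TRANS rows are constructed, and sort_records, build_index, seek and read_by_index are my own names. SORT is modelled as a physically reordered copy of every record; INDEX as a sorted list of (key, file position) pairs that leaves the file untouched, which is why it costs less disk, why reading the whole file through it is slower (every access is a jump), and why finding one vendor through it is a binary search rather than a scan.

```python
from bisect import bisect_left

# Constructed AP transactions (not the textbook's Ap_Trans table), in file order.
AP_TRANS = [
    {"Vendor_No": "12701", "Invoice_No": "I-1", "Invoice_Amount": 300.00},
    {"Vendor_No": "10025", "Invoice_No": "I-2", "Invoice_Amount": 1250.00},
    {"Vendor_No": "12433", "Invoice_No": "I-3", "Invoice_Amount": 75.50},
    {"Vendor_No": "12701", "Invoice_No": "I-4", "Invoice_Amount": 980.00},
    {"Vendor_No": "12433", "Invoice_No": "I-5", "Invoice_Amount": 410.00},
]


def sort_records(records, key, descending=False):
    """SORT: writes a physically reordered copy of every record (more disk
    space, but fast to process sequentially afterwards)."""
    return sorted((dict(r) for r in records), key=lambda r: r[key], reverse=descending)


def build_index(records, key, condition=None):
    """INDEX: leaves the file in place and stores only (key, record position)
    pairs in key order.  With a condition it is a conditional index: only
    positions of matching records are kept (INDEX ON ... IF ...)."""
    pairs = [(r[key], pos) for pos, r in enumerate(records)
             if condition is None or condition(r)]
    return sorted(pairs)


def seek(index, value):
    """SEEK EXPRESSION: binary search of the index for the first record whose
    key equals value.  Returns its position in the underlying file, or None."""
    keys = [k for k, _ in index]
    i = bisect_left(keys, value)
    if i < len(keys) and keys[i] == value:
        return index[i][1]
    return None


def read_by_index(records, index):
    """Walk the unsorted file in index order without copying it."""
    return [records[pos] for _, pos in index]


if __name__ == "__main__":
    idx = build_index(AP_TRANS, "Vendor_No")
    print("index:", idx)
    print("first 12701 record is at file position", seek(idx, "12701"))
    print("conditional index for 12433:", build_index(AP_TRANS, "Vendor_No",
                                                      lambda r: r["Vendor_No"] == "12433"))
```

Both paths deliver the same vendor order; the difference an auditor cares about is that the sorted copy is a second file whose completeness needs its own control totals (question 3(c)), while the index never duplicates the data.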
ACL-9 Fraud Tutorial 1
PAYROLL FRAUD 1
For each of the following tutorials prepare a report demonstrating your response: 1. Red Flags-Missing Address: Load the EMPMAST file, which contains the addresses of employees. Use a FILTER to create a search for no ADDRESS: ADDRESS = “ “. We are looking for blank ADDRESS fields. Strings must be enclosed by quotes. Thus “ “ means a blank value. Click OK. (a) How many blank addresses are there in the database? Response: No addresses are blank.
2. Red Flags-Address is a Post Office Box: Use a FILTER, and the FIND function (in the drop-down list under “Function”). Double-click the FIND command in the box. Expression Builder puts the command and syntax into the Expression Box. Double-click “string” and replace it with “box” (case is not important). We are looking for ADDRESSes that contain “Box” somewhere in the value. Click <,field_to_search_in> and replace it with “,ADDRESS” by double-clicking the field under “Available Fields” (be sure to use the comma between the two criteria). Click OK.
(a) How many addresses appear to be post office boxes? Three records contain “Box” in the address field.
(c) What do you do with these records? This is a red flag but not necessarily fraudulent. The auditor should confirm the existence of the employees.
3. Save the Filter. Redo (2) above, but before clicking OK, go to the “Save As” box and type “AddressBox” to name the FILTER. Then click OK. Go to EDIT -> FILTERS, and a dialogue box will open with all filters listed. Click on AddressBox in the Filters list, and click OK. Expression Builder will open with the previous criteria. Response: Same as 2 above.
4. Red Flags-Duplicate Checks, Same Pay Period: Load PAYROLL. (a) Use a FILTER to locate any checks that might be an anomaly; i.e., duplicated. Response: Use the DUPLICATES command to search the Employee Number field for multiple records indicating that an employee has been paid more than once. The command returns two records for employee 000320. See below: As of: 09/12/2010 09:40:46 Command: DUPLICATES ON EmpNo OTHER Cheque_No EmpNo Gross_Pay Net_Pay Pay_Date Tax_Amount WorkDept PRESORT TO SCREEN Table: Payroll
1 duplicates detected

Duplicates:
Employee Number   Cheque Number   Gross Pay    Net Pay   Pay Date     Taxable Amount   Work Dept.
000320                    12376    1,662.50   1,330.00   09/15/2000           332.50   E21
000320                    12377    1,662.50   1,330.00   09/15/2000           332.50   E83
(b) Explain the results you get. Employees may receive duplicated checks under certain circumstances, such as additional compensation for special projects. Normally the amounts on such checks would differ. Since the amounts for employee 000320 are the same for each check, it appears that the employee has been paid twice. Since the check numbers are different, this does not appear to be a clerical error in which the same transaction was recorded twice in the payroll file. Further, the employee is assigned to two different work departments, suggesting that he is being paid by both. One possible explanation is that the employee is indeed employed equally (50% each) by both work departments and is compensated equally by both.
(c) What should the auditor do with these results? The auditor should investigate this anomaly with personnel and the supervisors of the two work departments.
ACL-9 Fraud Tutorial 2
Payroll FRAUD
For each of the following tutorials prepare a report demonstrating your response: PAYROLL: Overpayment 1. Red Flags-Payroll Gross Pay <> Salary: Because part of the data for this tutorial resides in EMPMAST and part is in PAYROLL, you first need to JOIN the two files: Load the PAYROLL file, which contains the Gross Pay. JOIN the EMPMAST file to it on Employee Number and call the new file PR_GrossToSalary. Then create a FILTER to locate any check that might be an anomaly. (a) Create a filter to identify payments that appear to be anomalies. Response: Gross_Pay <> Pay_Per_Period This filter compares the actual gross pay for the period in the PAYROLL file with the stated Pay Per Period in the EMPMAST file.
(b) How many employees appear to have been paid an amount that is different from the pay per period amount? The expression returned five records where gross pay and pay per period do not match.
(c) Explain the results you get. Two records (employees 20 and 120) are minor discrepancies that may be due to clerical errors in either the payroll or empmast records.
The discrepancy for employee 90 is because the employee did not receive a check. This may be due to a normal situation (he did not work during the period) or because of a more serious situation in which he/she has left the organization but is still being carried on the Empmast file. Employees 108 and 109 have received checks, but are not listed on the Empmast file. This may be because they are new employees who have not yet been added to the Empmast file. More seriously, they may be ex-employees (terminated) who are still receiving paychecks.
(d) What should the auditor do with this information? Each of these situations needs to be reviewed and reconciled with appropriate management in the personnel, payroll, and work departments.
PURCHASING FRAUD
PURCHASING: Employee Theft 2. Red Flags-Paying Same Invoice Twice-Part 1: Load AP_TRANS file, which contains paid vendor invoices. Use a command to search for DUPLICATE records indicating that a particular invoice was paid twice.
Results: The following command searches the file for duplicate invoice numbers, which would indicate duplicate payments. As of: 09/11/2010 09:27:14 Command: DUPLICATES ON Invoice_No OTHER Invoice_Amount Invoice_Date Invoice_No Prodno Quantity Unit_Cost Vendor_No PRESORT TO SCREEN Table: Ap_Trans
0 duplicates detected
3. Red Flags-Paying Same Invoice Twice-Part 2: Use a command to search for DUPLICATE invoice payments where the invoice number might have been falsified / altered. Results: The following command searches for payment amounts that are the same, but associated with different (falsified) invoice numbers. As of: 09/11/2010 09:32:18 Command: DUPLICATES ON Invoice_Amount OTHER Invoice_Amount Invoice_Date Invoice_No Prodno Quantity Unit_Cost Vendor_No PRESORT TO SCREEN Table: Ap_Trans
0 duplicates detected
PURCHASING: Fictitious Vendors 4. Red Flags-Address is a Post Office Box: Load the VENDOR file. Use a FILTER, and the FIND function to look for post office box data in the street address field. Click OK. How many addresses appear to be post office boxes? Response: No addresses contained the word “Box”.
5. Red Flags-Duplicate Vendors-Part 1: Create a search that identifies different vendors with the same address. (a) Display and explain your results. As of: 09/12/2010 11:14:44 Command: DUPLICATES ON Vendor_Street OTHER Vendor_City Vendor_Name Vendor_No Vendor_State Vendor_Street Vendor_ZIP PRESORT TO SCREEN Table: Vendor
3 duplicates detected

Duplicates:
Vendor Street      Vendor City   Vendor Name                 Vendor Number   Vendor State   Vendor Zip Code
100 Main Street    Gibsland      Herbie's Hardware                   10787   LA             71028
100 Main Street    Washington    Great Western Limited               13440   DC             20426
605 Third Avenue   Des Moines    NOVATECH Wholesale                  13808   IA             50319
605 Third Avenue   Des Moines    Steel Case Manufacturing            14299   IA             50319
805 3rd Avenue     Austin        DIDA Limited                        11922   TX             78701
805 3rd Avenue     Orange        Bloom County Construction           14438   CT             06477
The search examined only street addresses and returned five records. Four of these vendors share an address that is similar to another vendor's, but in different towns and states. Two of the vendors have exactly the same addresses. This may be a legitimate company that operates under two different names for different lines of business, or it may indicate a form of vendor fraud.
(b) What do you do with duplicate vendor addresses? The auditor will need to investigate and reconcile these findings with purchasing management.
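The DUPLICATES tests of Tutorial 1 part 4 (same employee paid twice) and of Tutorial 2 parts 2, 3 and 5 (same invoice number, same amount under a different number, vendors sharing a street), as one added worked example in Python that is not code from the textbook or from ACL. The PAYROLL, AP_TRANS and VENDORS rows are constructed, and duplicates, same_pay_twice, invoice_paid_twice and shared_address are my own names. The generic duplicates function keys on any list of fields and returns the groups with more than one member, which is what the three commands above do with different keys; the vendor test shows the check the log's result invites: keyed on street alone it pairs vendors in different towns, keyed on street plus ZIP it keeps only the truly co-located pair.

```python
from collections import defaultdict

# Constructed tables (not the textbook's sample data).
PAYROLL = [
    {"EmpNo": "E001", "Cheque_No": 7001, "Gross_Pay": 1662.50, "WorkDept": "E21"},
    {"EmpNo": "E001", "Cheque_No": 7002, "Gross_Pay": 1662.50, "WorkDept": "E83"},
    {"EmpNo": "E002", "Cheque_No": 7003, "Gross_Pay": 1900.00, "WorkDept": "E21"},
]
AP_TRANS = [
    {"Invoice_No": "5001", "Vendor_No": "V1", "Invoice_Amount": 840.00},
    {"Invoice_No": "5002", "Vendor_No": "V1", "Invoice_Amount": 840.00},   # same amount, new number
    {"Invoice_No": "5003", "Vendor_No": "V2", "Invoice_Amount": 129.99},
]
VENDORS = [
    {"Vendor_No": "V1", "Vendor_Name": "Northside Tools",       "Vendor_Street": "100 Main Street",  "Vendor_City": "Gibsland",   "Vendor_ZIP": "71028"},
    {"Vendor_No": "V2", "Vendor_Name": "Capital Office Supply", "Vendor_Street": "100 Main Street",  "Vendor_City": "Washington", "Vendor_ZIP": "20426"},
    {"Vendor_No": "V3", "Vendor_Name": "Prairie Wholesale",     "Vendor_Street": "605 Third Avenue", "Vendor_City": "Des Moines", "Vendor_ZIP": "50319"},
    {"Vendor_No": "V4", "Vendor_Name": "Prairie Fixtures",      "Vendor_Street": "605 Third Avenue", "Vendor_City": "Des Moines", "Vendor_ZIP": "50319"},
    {"Vendor_No": "V5", "Vendor_Name": "Solo Services",         "Vendor_Street": "9 Elm Road",       "Vendor_City": "Austin",     "Vendor_ZIP": "78701"},
]


def duplicates(records, key_fields):
    """DUPLICATES ON key_fields: group records sharing the same key values and
    return only the groups with more than one member, in key order (PRESORT).
    Each result is (key_tuple, [records]); the records carry the OTHER fields."""
    groups = defaultdict(list)
    for r in records:
        groups[tuple(r[f] for f in key_fields)].append(r)
    return [(k, rows) for k, rows in sorted(groups.items()) if len(rows) > 1]


def same_pay_twice(payroll):
    """Tutorial 1 part 4: employees with more than one cheque in the period."""
    return [(emp, [r["Cheque_No"] for r in rows])
            for (emp,), rows in duplicates(payroll, ["EmpNo"])]


def invoice_paid_twice(ap):
    """Tutorial 2 parts 2 and 3: exact duplicate invoice numbers first, then
    the same amount appearing under different numbers, which the first test
    cannot see if the number on the second copy was altered."""
    by_number = duplicates(ap, ["Invoice_No"])
    by_amount = [(k, rows) for k, rows in duplicates(ap, ["Invoice_Amount"])
                 if len({r["Invoice_No"] for r in rows}) > 1]
    return by_number, by_amount


def shared_address(vendors, key_fields=("Vendor_Street",)):
    """Tutorial 2 part 5: vendors keyed on the street alone, as in the log
    above, or on street plus ZIP to keep only vendors at the same location."""
    return duplicates(vendors, list(key_fields))


if __name__ == "__main__":
    print("paid twice:", same_pay_twice(PAYROLL))
    by_number, by_amount = invoice_paid_twice(AP_TRANS)
    print("duplicate invoice numbers:", len(by_number), " same amount, other number:", len(by_amount))
    for fields in (("Vendor_Street",), ("Vendor_Street", "Vendor_ZIP")):
        print(fields, "->", [k for k, _ in shared_address(VENDORS, fields)])
```

Returning the whole record groups rather than just the keys keeps the OTHER fields (cheque numbers, work departments, vendor names) in view, which is what the explanation in part (b) of each test is built on.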
6. Red Flags-Duplicate Vendors-Part 2: Sometimes a fictitious vendor scheme takes advantage of a legitimate vendor by using a slightly different name to set up a dummy vendor. The SOUNDSLIKE() function may be used to discover such attempts at fraud. Build a filter and click on SOUNDSLIKE() function. Replace “name” with Vendor_name, and sound_like_name with “Larsen Supplies”. Click OK. Display your results.
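The SOUNDSLIKE() test of part 6, as an added worked example in Python that is not code from the textbook or from ACL. The vendor names are constructed and soundex, sounds_like and sounds_like_filter are my own names; that SOUNDSLIKE compares American Soundex codes of the two strings is my assumption, and the code implements the standard Soundex rules (first letter kept, consonant classes 1 to 6, vowels dropped, repeated codes collapsed with H and W not breaking a repeat, padded to four characters). Comparing the code of the whole name rather than word by word is a design choice explained below.

```python
def soundex(name):
    """American Soundex.  Keep the first letter, code the rest by consonant
    class, drop vowels (A E I O U Y), let H and W neither code nor separate a
    repeated code, collapse adjacent repeats, pad or cut to four characters.
    Non-letters are ignored so a multi-word vendor name codes as one string."""
    codes = {}
    for letters, digit in (("BFPV", "1"), ("CGJKQSXZ", "2"), ("DT", "3"),
                           ("L", "4"), ("MN", "5"), ("R", "6")):
        for ch in letters:
            codes[ch] = digit
    letters = [ch for ch in name.upper() if ch.isalpha()]
    if not letters:
        return ""
    out = letters[0]
    prev = codes.get(letters[0], "")      # the first letter's class also counts for repeats
    for ch in letters[1:]:
        if ch in "HW":
            continue                      # H and W are skipped without resetting prev
        code = codes.get(ch, "")
        if code and code != prev:
            out += code
        prev = code                       # a vowel sets prev to "", so a repeat after it is kept
    return (out + "000")[:4]


def sounds_like(name, target):
    """SOUNDSLIKE(name, target): true when the two Soundex codes agree."""
    return soundex(name) == soundex(target)


# Constructed vendor master rows (not the textbook's Vendor table).
VENDORS = [
    {"Vendor_No": "V1", "Vendor_Name": "Larsen Supplies"},
    {"Vendor_No": "V2", "Vendor_Name": "Larson Supply Co"},
    {"Vendor_No": "V3", "Vendor_Name": "Lawson Supplies"},
    {"Vendor_No": "V4", "Vendor_Name": "Acme Bolts"},
    {"Vendor_No": "V5", "Vendor_Name": "Larsen Supplies Inc."},
]


def sounds_like_filter(vendors, target):
    """The filter from part 6: vendor numbers whose name sounds like the target."""
    return [v["Vendor_No"] for v in vendors if sounds_like(v["Vendor_Name"], target)]


if __name__ == "__main__":
    for v in VENDORS:
        print(v["Vendor_No"], soundex(v["Vendor_Name"]), v["Vendor_Name"])
    print("sounds like 'Larsen Supplies':", sounds_like_filter(VENDORS, "Larsen Supplies"))
```

Because a Soundex code is only four characters long, the whole-name comparison is deliberately loose: "Larson Supply Co" and "Larsen Supplies Inc." both code to the same value as "Larsen Supplies", which is exactly the near-duplicate a dummy-vendor scheme relies on, while "Lawson Supplies" does not. Everything the filter returns still has to be confirmed against purchasing records before it is treated as a finding.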
ACL Fraud Tutorial 3
BENFORD ANALYSIS
BENFORD’S LAW: 1. Red Flags-Unusual Leading Digits in Amounts: Load AR file. Benford’s Law is based on the probabilities of the occurrences of each number as a leading digit (or digits). It is a statistical look at the data to see if it is “NORMAL”, in this respect. Go to ANALYZE -> Perform Benford Analysis, and run BENFORD on the Amount field. Set the number of leading digits to “1”. From the More tab select “ALL” and from the Output Tab select “Screen”. (a) Explain the results you get. Results: As of: 09/11/2010 08:19:20 Command: BENFORD ON Amount LEADING 1 TO SCREEN Table: Ar
2 zero amounts bypassed

Leading Digits   Actual Count   Expected Count   Zstat Ratio
1                         231              232         0.023
2                          75              136         5.685
3                          85               96         1.167
4                          70               75         0.502
5                          82               61         2.740
6                          88               52         5.184
7                          42               45         0.332
8                          51               39         1.818
9                          46               35         1.771
The larger the resulting Z-statistic, the more unlikely the occurrence. For example, a Z-statistic of 1.96 has a significance of 0.05, representing the likelihood of a one-time-in-20 occurrence, whereas a Z-statistic of 2.57 has a significance of 0.01, representing the likelihood of a one-time-in-100 occurrence. The Zstat values for the leading digits 2, 5, and 6 indicate a very low probability that these counts occurred by chance.

(b) When would you use BENFORD analysis to look for possibly fraudulent amounts? Benford’s law has applications within fraud detection. Those who commit fraud may create fake payment amounts that “look” real. However, unless the perpetrator knows of the Benford’s law distribution, the made-up numbers will not follow the proper curve, making the potential fraud easy to spot when the predicted and actual distributions are compared. A Benford’s law test may also identify user-manipulated data that are not necessarily fraudulent. For instance, the analysis may reveal a larger than predicted number of $24 payments because employees are avoiding the trouble of obtaining supervisor sign-offs for expenses of $25 or more. The following are examples of accounting data sets that are candidates for Benford analysis: 1) data sets comprised of a mathematical combination of numbers, such as price * quantity (e.g., AP and AR); 2) transaction data such as cash disbursements, expense items, and sales; 3) large data sets. Benford analysis is not useful on data sets comprised of assigned numbers such as account numbers, employee numbers, zip codes, etc.
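The first-digit Benford test of part (a), as an added worked example in Python (not code from the textbook or from ACL). The leading-digit counts in AR_LEADING_DIGIT_COUNTS are the Actual Count column of the BENFORD output above (770 non-zero amounts); leading_digit, leading_digit_counts, benford and suspicious_digits are my own names. The expected count for digit d is N * log10(1 + 1/d). For the Z-statistic I use Nigrini's form with the 1/(2N) continuity correction, (|AP - EP| - 1/(2N)) / sqrt(EP(1 - EP)/N), where AP and EP are the actual and expected proportions; whether ACL defines Zstat this way is an assumption, but on the counts above the formula reproduces every value in the Zstat column to three decimals. Zero amounts are bypassed, as the log reports.

```python
import math

# Leading-digit counts taken from the BENFORD ON Amount output above (N = 770 non-zero amounts).
AR_LEADING_DIGIT_COUNTS = {1: 231, 2: 75, 3: 85, 4: 70, 5: 82, 6: 88, 7: 42, 8: 51, 9: 46}


def leading_digit(amount):
    """First significant digit of |amount| (1-9); None for zero, which the
    analysis bypasses because zero has no leading digit."""
    digits = f"{abs(amount):.10f}".lstrip("0.")
    return int(digits[0]) if digits else None


def leading_digit_counts(amounts):
    """Count leading digits over a field; returns (counts, zeros_bypassed)."""
    counts = {d: 0 for d in range(1, 10)}
    bypassed = 0
    for a in amounts:
        d = leading_digit(a)
        if d is None:
            bypassed += 1
        else:
            counts[d] += 1
    return counts, bypassed


def benford(counts):
    """Expected Benford count and Z-statistic for each leading digit.
    Z uses the 1/(2N) continuity correction (assumed to match ACL's Zstat;
    it reproduces the column above on these counts)."""
    n = sum(counts.values())
    rows = []
    for d in range(1, 10):
        ep = math.log10(1 + 1 / d)            # Benford proportion for digit d
        ap = counts[d] / n                    # observed proportion
        numerator = max(abs(ap - ep) - 1 / (2 * n), 0.0)
        z = numerator / math.sqrt(ep * (1 - ep) / n)
        rows.append({"digit": d, "actual": counts[d],
                     "expected": round(ep * n), "z": round(z, 3)})
    return rows


def suspicious_digits(counts, z_cut=2.57):
    """Digits whose deviation is significant at the 0.01 level (Z >= 2.57)."""
    return [r["digit"] for r in benford(counts) if r["z"] >= z_cut]


if __name__ == "__main__":
    for r in benford(AR_LEADING_DIGIT_COUNTS):
        print(f'{r["digit"]}  actual {r["actual"]:>4}  expected {r["expected"]:>4}  Z {r["z"]:>6}')
    print("digits to follow up:", suspicious_digits(AR_LEADING_DIGIT_COUNTS))
```

Applied to the textbook's counts the function flags digits 2, 5 and 6 at the 0.01 level, the same three the answer above singles out; digits 8 and 9 exceed 1.96 but not 2.57, so whether they are followed up depends on the significance level the auditor chose in advance.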