WILKINSON - Accounting Information System 4e solution manual


Accounting Information System 4e

BY WILKINSON


CHAPTER

1

The Study of Accounting Information Systems

OBJECTIVES

DISCUSSION QUESTIONS

5. SYNTHESIS

4, 11

4. EVALUATION

1, 6, [9], 12

4, 5, 6

3. APPLICATION

2, 7

7, [9]

2. COMPREHENSION

3, [5], 8, 10

1, 2, 3, 8

1. CONCEPTUALIZATION 22,26

[ ] Infoage

PROBLEMS

11


CHAPTER 1
THE STUDY OF ACCOUNTING INFORMATION SYSTEMS

DISCUSSION QUESTIONS

DQ 1-1. The influence of accountants has both decreased and increased since the advent of computers. Several factors account for the decrease in influence. Although accountants often play a role in the information system design, maintenance, and operation, other professionals (systems analysts and data base administrators, for example) take on a much greater role. Since computers permit integration of data and applications, AIS has increasingly been absorbed as a subsystem within the MIS. On the other hand, the accountants’ influence has increased due to their ability to use computers, which provide more processing power and greater flexibility and thus permit considerable support in the development of more complex accounting systems that aid decision making and provide timely information (for example, in the review of budgeted and actual expenses). Auditors now use computer-assisted audit techniques and procedures that make the audit engagement more efficient and comprehensive. Paperless audit environments have also become feasible. In summary, accountants have gained more computing and communication support from the entry of computers, but the systems aspects of the computer-based systems are now a domain of non-accountants.

DQ 1-2. While the formal information system can provide much of the information needed by the typical manager, the manager must also rely on judgment, intuition, and informal sources from both inside and outside the firm. The formal information system is best equipped to provide quantitative information that is based on transaction flows and routine nontransactional data from external sources. It is less equipped to provide qualitative information. Also, the firm cannot justify the expense of storing rarely needed information within the formal information system.

The level within the organizational structure at which the manager is located has a bearing on the extent of information provided by the formal information system. Managers at the highest level tend to require more qualitative information and to need considerable ad hoc information, often drawn from external sources. Managers at the lower levels, on the other hand, mostly need quantitative and routine information, usually drawn from internal sources. Thus, the managers at the lower levels will make more use of the formal information system than managers at the highest levels. The type of decision likewise affects the extent to which the formal information system is used. Information for strategic decision making is drawn less from the formal information system than information needed for operational control decisions. Generally, decisions subject to high uncertainty, longer time frame, and less structure require more qualitative input.

DQ 1-3. In order to acquire a common body of knowledge, accountants should study a broad spectrum of topics. These include:

• Basic understanding of dimensions of a system: hardware, software, communications, etc.
• Basic understanding of data management concepts and applications. Data base management systems and file oriented data management.



• Basic understanding of the role of the Internet in transaction processing, and related security and control concerns.
• Information systems stages, in both manual and computer-based systems: data capture, coding, input, processing, output, data storage (files, databases), processing approaches, general controls, audit trails, outputs
• Typical transaction processing subsystems, both manual and computer-based, document flows, application controls.
• System development life cycle.
• Threats, exposures, and risks involved, internal control structure.
• Computer-assisted audit techniques.

Note: Given the fast changing technology, it is important to not only have the knowledge, but also keep current with changes in technology and how they impact each of the above areas.

DQ 1-4. Several scenarios can be drawn. Here is one possibility: AIS and MIS are designed as an integrated information system with a client-server configuration. The system has an external interface with customers and suppliers through the Internet. In fact, 90 percent of sales orders are received and 95 percent of purchase orders are placed using the Internet connection. Half of the sales in terms of US dollars are from South Africa. Almost all of the transaction processing is done on a real-time basis, that is, as soon as the transaction arrives it is processed and the existing stored data are updated to reflect the effects of the transaction. The system’s data management function uses object oriented data bases. Most of the information users seek is processed through programmed and ad hoc queries to the data base; only a few reports are generated. Most regulatory reports and returns are filed electronically. The external auditors have continuous read-only access to the system (from their offices) to capture and analyze exception transactions. Unaudited financial statements are provided electronically to the top management within three working days following the year-end. Audited statements are expected within three weeks following the year-end. Off-premise use of the information system is common. Only the core staff comes to the office; everyone else works from the field or his/her home.

DQ 1-5. Strategic decisions of Infoage, Inc. include the following:
(1) How to stay with the frontiers of technology. For example, as LANs and client-server technology become more prevalent, should the firm focus on selling networks instead of microcomputers as stand-alone machines?
(2) Since prices of computing and communications products are declining and at the same time, more processing power and greater flexibility is available with each new generation, what should be the pricing and inventory policy? What innovative arrangements with suppliers should be made?
(3) Should the services department expand into newer technologies, as they become available?
(4) Would it be worthwhile for the firm to consider expanding into the training and development arena? For example, should the firm offer training courses in specific software packages?

DQ 1-6. The two AISs are different to the extent that they process different transactions and have different transaction cycles. For example, at a university, student registration results in tuition billing, which in turn results in cash receipts. For a manufacturing firm, the sale of finished goods results in accounts receivables, which are then collected as cash. Also, the financial statements of a nonprofit organization are in the form of fund accounting, instead of income statement and balance sheet. The two AISs are similar in many ways. Each has several transaction cycles. In each case, AIS is interfaced with MIS. AISs, regardless of nature of organization, have similar characteristics, such as internal controls. For managerial decision making, the ultimate purpose of providing relevant information remains the same, although data, information, and the responsibility reporting structure may be different.

DQ 1-7. The AIS at Infoage can add value to the firm in many ways. The system can identify inventory for which new versions are soon to appear in the market. This will permit identification of products which can be placed “on sale,” to avoid obsolescence and severe price reductions later. The AIS can also produce information on weekly (budgeted and actual) contribution margins by products, employees, or profit centers (outlets). This will help management to proactively work toward profit goals. Customer profiles may be maintained to determine products or services that a customer might need, and to market such services in a timely manner.

DQ 1-8. There may be situations where highly relevant information may be available only in a qualitative form. For example, a story heard on a golf course, although non-quantifiable, may impact the firm to a far greater extent than an in-depth financial analysis of the firm’s past. Also, there may be a trade off between accuracy and relevance; qualitative information may be less accurate (reliable and precise) and not verifiable, but highly relevant.

DQ 1-9. In the case of Infoage, for instance, the information system can help to ensure that merchandise is shipped to the outlets as soon as needed, so that no sales are lost. It can help to reduce the inventory of merchandise carried in the warehouse. This has the effect of increasing the efficiency of the operations, reducing working capital needed, and reducing obsolescence due to short cycle time for development of new computers and peripherals. At the same time, having the right inventory on hand permits Infoage to serve the customer well, thus enhancing customer satisfaction with the firm’s products and services. Additionally, the AIS can increase the accuracy and up-to-datedness of the records, which helps management provide better customer service (e.g., latest customer account balance, or information on the last purchase).

The law firm’s AIS may have features and benefits similar to the consulting and service division of Infoage. Both have clients and engagements (or projects, or cases), and each engagement needs to be managed and controlled. For example, since human resource effectiveness is a key success factor in this case, it would be essential to generate information regarding each employee’s productivity, billable hours produced, and actual and estimated contribution margin (current period and year-to-date) for each project. This has the effect of enhancing the quality of planning and control. In addition to managing the engagements on hand, there is a need to continually solicit work. This means that the marketing function should be supported by the information system. A bidding process (or responses to requests for proposals) needs to be maintained to develop proposals for services expected to be rendered.



Overall, in each case, relevant information should be efficiently generated, keeping in mind the primary functions of the organization. In Infoage, one of the primary functions is inventory management and control; at a law firm, it would be human resource management.

DQ 1-10. The new system added value in several ways:

• The sales representatives were able to put together customized multimedia presentations. This may result in an increase in sales for Sebastiani.
• Customer-focused detailed business analysis became possible. New information helped in assisting wine merchants make purchase decisions. Improved decision making may mean fewer sales returns for Sebastiani and fewer stockouts for wine merchants.
• It was possible to use data in a flexible manner to produce relevant information on site. This characteristic of the new system strengthened the marketing efforts and made Sebastiani more competitive.
• Wine merchants’ effectiveness in making purchase decisions was improved. Sebastiani thus improved customer satisfaction, and thus impacted customer loyalty.

DQ 1-11. Since the new system focused on marketing and sales of wine, it seems that the specific subsystem within the AIS that had most impact would be the revenue cycle. Sales orders are captured on-line. It is reasonable to expect that a wine merchant placing an order would like a confirmation of the order placed even before the salesperson concludes the visit. Consequently, the AIS will have to perform on-line edit of the incoming sales order, check the customer’s credit, and approve the order for further processing. The system may also need to verify prices and sales tax (if applicable), shipping charges (if applicable) and extended amounts, so that the customer can be informed of the amount to be billed upon shipment of the ordered wine.

DQ 1-12. Since external users make different decisions than internal users, they generally need information having somewhat different qualities and content. For instance, investors, potential investors, creditors, and suppliers need information that is quite broad, long-range, and concise. They are concerned with the overall condition and prospects relating to the firm, rather than with a detailed picture of its respective segments and activities. They need to know how well the firm will perform against its competitors in the coming years, and whether it will have the ability to repay its debts on time. Managers, on the other hand, need information to help them plan and control the various operations and organizational units within the firm. Of course, both groups have information needs in common, since managers also forecast revenues and earnings and must monitor performance through such indicators as return on sales, return on assets, and the debt-equity ratio.



PROBLEMS

1-1. (a) I (b) III (c) I (d) II (e) II (f) I (g) I (h) III (i) I (j) II (k) I (l) I (m) II (n) II (o) III.

Although the specific response to each item may vary somewhat, the general understanding is that the accountant must be quite familiar with the transaction cycles, internal controls, and the audit process. Familiarity with the system requires a moderate level of understanding of system features, such as documentation and design requirements (flowcharting and forms design, for example). Accountants involved in management advisory services or consulting may need more depth in some areas than the auditors or financial accountants.

1-2. (c) and (f) are internal users; all others are external users.

a. A creditor bank would be able to perform ratio analysis (liquidity ratios, times interest earned, and other relevant ratios) and to some degree, trend analysis. The Statement of Cash Flow would also be useful. The bank may also evaluate qualitative input such as management’s reports.
b. The Securities and Exchange Commission (SEC) would have access to the annual report as well as SEC filings, if the firm were required to make such filings. This information would be helpful in evaluating issues related to management control, for example.
c. The general ledger accountant would be able to reconcile controlling account balances with the combined balances in the related subsidiary ledger (for example, Accounts Receivable Subsidiary Ledger), to review account balances, and to analyze activity in a specific account (Prepaid Expenses, for example).
d. A shareholder would like to assess the earnings potential of the firm, future prospects of earnings growth, and quality of the management team.
e. The employees’ labor union would analyze data to study income trends, cash availability, earnings prospects, dividend growth, and management’s expectations for the future.
f. The Vice President of Finance would be interested in cash flow projections and earnings forecasts, financing requirements in light of future activities (such as business acquisitions or expansion), and debt extinguishment plans and projections.
g. A prospective investor would like to predict earnings potential of the firm, future prospects of earnings growth, risks involved, and quality of the management team.
h. A customer would like to know more about the current and future product offerings, long term viability of the firm, and the management’s perspectives on the markets and customers they serve.

In each case, some of the needs may be met by the annual report; however, additional information may be necessary for the user to make decisions. For the internal users, detailed financial transactions data (in the case of the general ledger accountant) or projections (in the case of Vice President of Finance) will have to be found from sources other than the annual report.

1-3.

a. Primarily decision-making. Annual budgets provide information about plans that provide input for replanning, determining and evaluating variances, and initiating corrective actions, where necessary. Detailed budget figures for shorter periods (e.g., a month or week) would help support day-to-day operations. Finally, the budget process also conveys to some degree that stewardship obligations are being met.
b. Primarily operations. Helps meet legal and financial obligations.



c. Primarily operations. Sales transactions, like other transactions, provide data to be captured (within revenue cycle) to generate reports for managing operations.
d. Stewardship obligations. Annual Reports are used to report results of operations to stakeholders.
e. Day-to-day operations. Variances provide feedback on differences between actual and expected results (budgeted amounts). This feedback results in investigations of variances and follow up corrective actions where necessary. To maintain and control effective day-to-day operations, variances may be computed in quantitative but non-financial terms, such as units of output, yield on batches of production, or amount of raw materials consumed. It is likely that certain variances would indicate the need for revising the budget itself.
f. Day-to-day operations. Purchase orders are source documents that convey decisions to purchase goods or services. They provide data to be captured (within the expenditure cycle), from which information is generated for reports that aid in managing operations.
g. Primarily decision-making. Cash flow projections assist in determining expected surpluses or shortfalls in the funds required. Thus, such forecasts support financing decisions. Also, such projections may trigger revisions in other budgets; for example, estimated production levels or discretionary cost budgets (items such as advertising) may be changed based on cash flow projections.
h. Financial statements as published in the quarterly and annual reports help meet stewardship obligations. Financial statements prepared for internal purposes, and designed with cost and revenue behavior in mind, provide decision support.
i. Day-to-day operations. Shipping registers permit tracking of orders shipped and may provide useful operational information such as on-time shipments, delayed shipments, and backlogs.
j. Day-to-day operations. Bank reconciliations provide assurance that records, subject to certain expected differences due to time lag, match with the transactions that are conducted by a firm. A bank reconciliation hence also assures that deposits have been accounted for and all withdrawals were made as authorized.
k. Decision-making. New product evaluation models are a non-routine decision model, and thus support the management’s decision concerning whether to produce new products as are, modify them, or not to produce the new products.
l. Stewardship obligations. Income tax returns help meet legal and financial obligations.

1-4.

a. As an auditor in the public accounting firm, your role would be as a member of the team assigned to the audit engagement. It is likely that, as a newcomer, you will be doing more of the detailed work; for example, you may verify inventory records or check for the physical existence of selected plant and equipment. You are likely to use more, and therefore understand in depth, the client’s AIS rather than the public accounting firm’s AIS. At the firm, you may retrieve information on audit standards and accounting principles relevant to the audit; you may also retrieve past year’s audit files, if this is a continuing engagement. Such information is likely to exist outside of the firm’s AIS.

b. As an entry-level member of the internal auditing department of the manufacturer, you are likely to conduct well-identified small audits within the firm under supervision. You may also play the role of a junior member of an internal audit team assigned to a major project. Depending on the area and scope of work, you are likely to interact heavily with the firm’s AIS. In contrast, as an external auditor, you would have very focused responsibilities geared to an effective completion of the audit while keeping the costs to a minimum. If you were the systems development consultant from the public accounting firm, your focus will be the designated project. Depending on the system development stage your role would vary. For example, you may be heavily involved in the systems analysis and (logical) design, but have limited or no involvement in the physical design.

1-5.

a. (1) The roles of a financial accountant are to prepare financial statements that are in full accord with the financial accounting model and generally accepted accounting principles, to perform financial statement analysis, and to recommend changes in accounting methods that affect the financial statements. The roles of an internal auditor are to examine and evaluate the AIS and such products of the AIS as the financial statements and to recommend design changes to the AIS. Financial accountants and internal auditors are similar in that they are employees of a firm and they are particularly concerned with the financial statements of the firm. Differences between them relate mainly to their roles, since financial accountants prepare the financial statements while internal auditors evaluate the statements. Also, internal auditors are at least as concerned with the AIS as with the statements; in fact, certain of their assignments may not involve the financial statements at all.

(2) The roles of a managerial accountant are to prepare information for the use of managers in fulfilling their responsibilities and to recommend improvements in the information outputs and related decision models. The roles of a system developer are to analyze and design the various modules comprising an AIS or other information system (such as an MIS). Managerial accountants and system developers, like financial accountants and internal auditors, are generally employees of the firm in which the AIS in question resides. (However, system developers may alternatively be members of outside consulting firms.) They both are concerned with the outputs of the AIS, including the various reports needed by the firm's managers. Differences between them relate chiefly to their respective roles, since managerial accountants focus on needed information while system developers focus on the AIS itself. Furthermore, system developers are concerned with all aspects of the AIS, rather than just its information outputs.

b. With respect to the relationships of the pairs to the AIS,

(1) the financial accountant is primarily a user while the internal auditor is primarily an evaluator.

(2) the managerial accountant is primarily a user while the system developer is (as the name implies) primarily a developer or builder.

The first pair focuses primarily on financial accounting model, while the second pair focuses on management accounting model.

1-6. The steps that you, an inventory clerk for an appliance dealer, should perform in processing inventory transactions are as follows:

a. Sort the day's batch of documents according to merchandise code numbers.
b. When more than one item of merchandise appears on a single document, transcribe the code numbers of the additional merchandise items and the related quantities onto separate documents.
c. By referring to the reference file, transcribe the unit prices onto the source documents for each merchandise item.
d. Calculate the dollar amount of each receipt and sales transaction by multiplying the unit price times the quantity received or sold.



e. During the referencing process described in (c) above, or in a separate step, transcribe the descriptive title of each merchandise item onto the daily report form. (If the reference file also contains status information concerning the balance on hand of each merchandise item, update the file by transcribing the quantities received and sold from the source documents, together with the related dollar amounts, and calculate the new balance on hand.)
f. Transcribe the dollar amounts pertaining to receipts and sales of each inventory item opposite the descriptive title on the daily report. (If more than one document pertains to receipts of the same merchandise item during that day, add the dollar amounts to summarize total receipts for that item. Perform the same step if more than one document pertains to sales of the same merchandise item during the day.)
g. Reduce (summarize) receipts of all merchandise items for that day to a total. Reduce (summarize) sales of all merchandise items for that day to a total.
h. Communicate the daily report to the appropriate user.

1-7. See the following pages for the diagrams.



1-7 a. Purchases procedure for a campus bookstore.

Supplier reference file

Measure quantities of merchandise needed to replenish stocks and record on requisitions (source documents).

Transmit requisition data to owner-manager (or to person assigned to reorder merchandise).

Classify and sort requisitions according to suppliers who provide the store's respective items of merchandise; add expected prices to requisitions from file.

Supplier (accounts payable) master file

Purchase data file

Summarize quantities to be purchased to totals and store, together with copies of purchase orders.

Communicate purchase data to suppliers via postal service.

Merchandise inventory master file

Receive invoices (bills) from suppliers and update supplier master file to show amounts owed.

Transcribe data from requisitions onto purchase orders addressed to identified suppliers, and update inventory master file to show ordered quantities.

Purchase order data

At end of month, retrieve data from files and prepare reports concerning quantities purchased and outstanding payables.

Supplier master file

Communicate monthly reports to managers


1-7 b. Credit-sales procedure for a service station.

Note: Many variations are possible in the procedures shown below, depending upon assumptions made by students.

Capture data concerning each customer by embossing a name and number from credit card onto sales slip "flimsy" (source document).

Batch all sales slips at end of day and calculate total of amounts.

Transmit sales slips to credit sales processing center via postal service

Measure data by reading gasoline usage and dollar amount from dials on gas pump and recording data by pen onto sales slip.

Transcribe total onto daily sales summary sheet, together with totals from cash sales and other sales for the day.

Provide control by obtaining signature of customer on sales slip.

Store copies of sales slips for future reference.

Sales slip file

At credit sales processing center, sort sales slips and update each customer's master record to show new balance due. At end of month prepare monthly statements and communicate to customers via postal service; also prepare monthly report for service stations and transmit via postal service.

Customer master file


At service station validate data in monthly report by comparing amounts credited to service station with amounts shown on daily sales summaries.


Analyze monthly sales by comparing total sales shown on this month's report with totals on previous reports.



1-7 c. Cash disbursements procedure for a shoe store.

Supplier invoice file

Measure gross amounts due from suppliers' invoices; calculate any allowed discount and determine net amount due.

Supplier master file

Batch all invoices due and payable and summarize amounts to single total.

For each amount due, transcribe data onto check and update supplier master record to show new balance.

Payment data file


Communicate payment amounts by mailing checks to suppliers via postal service.

Store total of payments for day in file, together with copies of checks.


Payment data file

At end of month, retrieve daily payment totals and prepare a report of disbursements.

Communicate monthly report of cash disbursements to managers.

1-8.

a. Sherry compromised her integrity by making a statement that was clearly untrue; she was aware that it was untrue and that the statement would have a significant impact on the hiring decision.
b. Jack did not exercise due professional care and compromised his integrity. By accepting the gift, Jack was knowingly, although perhaps passively, participating in the cover up.
c. All communication—written and oral, direct or indirect—within the firm, needs to be treated with a degree of confidentiality. The statement Jane heard was not supported by evidence available to her (it could be a tentative statement or even rumor), and the subject matter was highly confidential. By revealing the news to others who were not supposed to be told (and Jane should know that), Jane failed to exercise due professional care.
d. Mark knowingly violated generally accepted accounting principles for a personal gain. Thus, he failed to exercise due professional care and compromised his integrity.
e. Doretta failed to understand and respect the responsibilities of all parties involved in the decision. Her role was to implement the decision, not to sidestep or distort it. She should know that only proper avenues must be followed to raise and address disagreements. Doretta compromised her integrity.

1-9.

1. Major organizational functions: Microcomputer sales, Systems selection and installation, Marketing, Treasurer and Controller, Operations and inventory management.
2. Internal users include employees of Infoage. External users include customers, prospective customers, regulatory agencies, banks, and prospective employees.
3. Major types of accounting transactions: Purchase of hardware, software, and services; sale of services and products; cash receipts related to sales and cash disbursements related to purchases; payment to employees for services (payroll).
4. Components of AIS/MIS: These include peer-to-peer LAN at the main office, standalone microcomputers at the stores, printers, computer-based files and data, system and applications software, historical records and correspondence files.
5. Marketing (Sales analyses and forecasts by each of the two principal activities). Finance (Cash flow projections, payment analysis, accounts receivable aging analysis). Human resources (Payroll analysis, personnel productivity analysis).
6. Since the information technology is changing rapidly, one decision support system that the firm could use would provide information regarding upcoming versions of heavily sold software at Infoage. The system would track the new version, announced release date, new or additional features, compatibilities with other software and also with its earlier versions, and estimated price. This system would help answer many questions from customers and may also be used to market new versions to those customers who have purchased an earlier version of the software.



CHAPTER 2

The Business Environment of AIS

OBJECTIVES | DISCUSSION QUESTIONS | PROBLEMS
5. SYNTHESIS | none | 6, 9
4. EVALUATION | 5, 7, 11, 12, 14 | 4, 10
3. APPLICATION | 1, 3, 4, 9, 10, 13 | 2, 3, 5, 8, 11
2. COMPREHENSION | 2, 6 | 1, 7, 12, 13
1. CONCEPTUALIZATION | 8 | none

[ ] Infoage


CHAPTER 2 THE BUSINESS ENVIRONMENT AND THE AIS DISCUSSION QUESTIONS DQ 2-1. a. An electric utility has the primary purpose of serving consumers with electricity. If the utility is privately owned, this service is provided at a price per kilowatt-hour to insure a profit and return on investment. Its inputs consist of employees and managers, facilities such as generating plants and transmission lines, materials and supplies such as poles and insulators and work order forms, finances such as funds from bond issues and payments by consumers, and data such as readings from consumers’ meters. The process consists of converting such inputs into outputs as electricity for consumers and information for consumers as well as the public utility commissions, managers, stockholders, and others. The environment of a utility consists of the market area served by the utility (and its consumers) and other surrounding areas, governmental agencies such as the Federal Power Commission and state public utility commissions, creditors such as bondholders and banks, stockholders or other owners, labor unions, and so on. Subsystems include such functions as generating and transmission operations, engineering, construction, personnel, and accounting; such entities as employees, trucks and other equipment, furniture, and generating plants; and such major structures as the organizational structure, the operational system, and the information systems. Many interfaces are formed at the boundaries of such subsystems. Constraints include physical size of the utility facilities and market served, budgets, and regulations established by such bodies as the Federal Power Commission. Controls include those provided by the budget (to control costs), by managerial supervision (to maintain employee productivity and to prevent fraud), and by engineering (to construct and maintain facilities). b. 
A primary purpose of a paper-products manufacturer is to provide its customers, including wholesale and retail chains, paper products with a view to make profits. The inputs include lumber, saw dust, wood chips, paper products to be recycled, etc. The process permits the receipt of materials at the manufacturing site (e.g., lumber is moved from forests to the manufacturing plant using rivers), converting into a fine paste, pressing and drying it into paper rolls, which are cut according to predetermined sizes, packed, and shipped. Primary outputs consist of different types of paper products (rolls, sheets, etc.). The environment consists of the market the firm serves, governmental agencies, labor unions, and so on. Environmental consciousness of consumers and consumer groups (reduce, recycle, and reuse efforts), and new information technology (making paperless information systems possible) are major variables. Subsystems include lumber transportation, manufacturing, engineering, personnel and accounting. The organizational structure, the operational system, and the information system are closely related. Constraints include the availability of lumber and environmental protection regulation. Controls include cost controls (through budgets), operational controls (through supervision) and engineering controls (through plans, standards, and benchmarks). c. A bank has the primary purpose of providing financial services at a profit. Its inputs consist of employees and managers, materials and supplies such as currency wrappers and deposit slips, facilities such as tellers’ windows and safe deposit boxes, funds derived from such sources as interest charges, and data such as amounts of deposits and withdrawals. The bank’s process consists of converting these inputs into such outputs as demand deposits and loan services and information for managers, depositors, stockholders, and others. 
For example, a bank might receive data in the form of a loan application; it will process this application, drawing upon such other data as the applicant’s credit ratings, to generate an approved loan. The environment of a bank includes the market area, competing banks and
the Federal Reserve banks. Within the boundary of a bank are a variety of subsystems, including such departments as loan, demand deposits, and general accounting; such entities as tellers and bank officers; and such major structures as the organizational structure, the operational system, and the information system. Many interfaces are formed at the boundaries of these subsystems. Constraints include the physical size of the bank’s facilities, budgets, governmental banking regulations, actions of competitors, and industry codes of ethics. Controls include those provided by the budget (to control costs), by managerial supervision (to control productivity), and by bank inspectors and the vault (to control and secure deposited cash). d. A wholesale grocer is an intermediary between the manufacturers and the retailers, transferring merchandise across the (value) chain for profit. Its inputs include employees and managers, merchandise received from producers, warehouses, transportation fleet, etc. The process involves receipts of merchandise from the suppliers and the distribution of such merchandise, perhaps in different quantities, to the retailers. The output is in the form of the redistribution service rendered for the benefit of both the producer and the retailer. The value added lies in providing the physical and informational network that permits efficient and timely transfer of merchandise. The environment includes producers, retailers, labor unions, and creditors. Subsystems involved are such functions as personnel and accounting; transportation and inventory management; such entities as employees; and such structures as the organization, transportation and warehousing network, and the information system. Constraints include the physical capacity of the warehouses, and characteristics of the merchandise (e.g., perishable goods). 
Controls are provided by the budgeting system (to control costs), by managerial supervision (for employee productivity), and by engineering (to maintain warehouses and transportation fleets, if owned by the firm). e. If owned by a for-profit entity, the bookstore’s primary purpose would be to earn a return on its investments. A college-owned store may want to break even, allowing for common costs allocations and perhaps some imputed interest on the assets tied up. In either case, the store’s mission would be to serve its customers well, providing timely service in offering textbooks and other supplies at the best possible prices. The store’s inputs consist of the inventory of books and supplies, t-shirts carrying the college logo, employees and managers, and facilities. The process involves procurement of books and other merchandise, and their sales. The output is the service to students, which in turn generates funds for the store. The environment consists of the college and its faculty, students, and administrators, the academic programs offered by the college, curriculum changes, and the degree of technology emphasis at the college. Subsystems include such functions as personnel, accounting, and inventory management. Constraints include the physical size of the store, types of curricula offered by the college, the extent of reuse of the same textbooks, etc. Controls include those provided by the budget (to control costs and achieve profits), by managerial supervision (to maintain employee productivity), and inventory controls (e.g., to maintain identification and sale of used books separately, to monitor textbook returns for classes dropped by students, to manage ordering of a textbook when its next edition is due for publication soon). f. A purpose of the brokerage house would be to earn a desired rate of return in providing investment services. 
The firm’s inputs include a knowledge base of the employees, literature on individual stock analysis (and recommendations to buy, hold, or sell), systems that help retrieve information about the market, industry, stocks and bonds, and news that affects the market. The process involves research and analysis of the market, and client portfolios. The output is in terms of investment advice to clients, and the transactions resulting from such interaction with clients (buying or selling stocks, bonds, or options). This in turn results in funds flows. The environment of the firm is dynamic, since the market constantly absorbs new information (economic and political, local as well as global), resulting in price changes. Present and prospective investors, institutional investors, regulatory agencies (e.g., Securities
and Exchange Commission), and laws (e.g., tax laws providing for IRAs) make up the environment. Subsystems include service operations and employees that perform client services. Constraints include the size of the firm, and regulatory requirements (such as the timeframe to close a transaction, cash requirements for purchases). Controls include those provided by the budget (to control costs and manage commissions on transactions), and by managerial supervision (to maintain employee productivity). DQ 2-2. An organization, by itself, is a system, which consists of three subsystems: the organizational structure, the operational system, and the information system. These subsystems are interdependent to a considerable degree. Consequently, the design of an effective AIS requires a clear understanding of the firm, its organization and its operations. Since the firm and its environment interact and the environmental changes influence the behavior of the firm, it is necessary to understand the firm’s environment in the process of designing its AIS. Infoage deals in computer systems. The environment of the firm is quite dynamic. Product development is fast-paced, and each new product (or version of the product) is likely to be more flexible, faster, and less costly. The operational system of Infoage, at least in part, requires considerable investment in computers and related products, which could get obsolete very fast. Consequently, inventory management and control is one of the key success factors. An AIS designed for Infoage must support the management of inventory at Infoage. In designing the specific subsystem to manage inventory, it would be necessary to pay attention to the firm’s environment (e.g., short product cycles which require just-in-time inventory management) and the specific characteristics of the operations at Infoage (e.g. need for outlets to know updated inventory levels and consequently, the need for immediate processing of transactions). DQ 2-3. a. 
The operations of a grocery chain require considerable emphasis on the inventory management function. Planning for purchases, ensuring receipts of merchandise, distribution and redistribution of goods, managing inventory levels: these are all crucial dimensions of a grocery chain. The design of its information system should reflect this need. On the other hand, an integrated steel mill is a very complex organization and operation. Its predominant functions include manufacturing, engineering, inventory management (raw materials, work in process, and finished), and marketing, sales, and distribution. The design of its information system should give proper consideration to all of these functions and relationships between them. Consequently, the steel producer’s information system will be quite complex. b. Both a retail jeweler and a passenger airline manage inventory. The jeweler’s retail operations would require careful management of inventory. Each item may be of high value, resulting in high levels of working capital. The turnover of this inventory, which often might be just one unit of each item, is critical for generating profits. In achieving this, customer loyalty and the recognition of its name within the community are important environmental variables. A passenger airline must manage its inventory of seats available in each flight. Since airline industry is capital intensive, capacity utilization is one of the key success factors. Competitive airfares, customer service, flight schedules that are relevant to customers, and reliability of operations are among the many variables that must be managed well. Compared to a retail jeweler, the airline has a complex environment. In the deregulated airline industry, the firm must respond to competitive pressures, and to do this, must scan the environment constantly. An information system designed for the airline must provide support to achieve these requirements.

c. An oil refiner as well as a bank is process-dependent. In oil refining, a highly automated process is used, and scores of different products are produced and distributed. In banking, most of the processes are well defined, although the operations are designed to provide services rather than make products. In managing an oil refinery, ensuring the supply of crude, monitoring global volatility in prices, and maintaining the highly complex production function are important considerations in designing an information system. For the bank, the deregulated environment presents stiffer competition, not just locally but also from regional and national banks. Interest rate fluctuations warrant careful management of the margin, or the spread between the lending rate and the borrowing rate. The bank’s information system should be designed after careful consideration of all these variables. d. The differences in outputs of the two firms are significant. A toy manufacturer produces toys that are subject to different life cycles, tastes, and appeal. Research and development is an important factor in the success of the manufacturer. Creativity in the design and seasonality in marketing and distribution are important considerations. Safety of toys has an impact on the potential for a specific toy and generally, on the firm’s image as a socially responsible toy maker. Keeping toy production synchronized with consumers’ tastes and managing inventory levels, especially for obsolescence, are important variables. A public utility produces the same output continuously (e.g., gas or electricity). The generation of gas or electricity is a capital-intensive operation, requiring front-end investment and engineering support. Seasonality may exist in the demand for gas or electricity. Also, a public utility must meet with the requirements of the commission charged with the regulatory responsibility. Information generated should support the utility’s responses to this environment. e. 
Both a governmental agency and a public accounting firm render services. To offer services, they depend on people and processes. Human resource management in both cases is the key to successful operations. The governmental agency is likely to have to follow considerable regulations and standardized procedures imposed from outside the agency as well as developed within the agency. For the public accounting firm, marketing of its services, customer focus, employee productivity and continuing education, and focus on adding value to the client’s business are important considerations. These days, governmental agencies are also accountable for customer focus. The accounting system requirements would also be different between the two entities. DQ 2-4. An accounting information system has the objective of capturing and recording financial transactions, and reporting the effects of such transactions. The overriding model followed is the accounting equation, which governs the recording of assets (resources), liabilities, and owner equity in a certain manner. A resource, when received, is recorded as an asset (e.g., merchandise inventory). Internally generated assets are recorded at cost incurred to create the asset; in such cases, costs are traced to the development of the asset. Whether an asset is acquired or internally created, there needs to be an authorization to do so (e.g., purchase requisition followed by the purchase order). Over a series of actions taken in the acquisition and use of assets, a trail of documents and related entries takes place within the AIS. This facilitates the determination of when the asset (e.g., an automobile) was acquired, what it cost, which department has the custody of the automobile, and so on. 
Similarly, hiring and placement of personnel is also documented, time cards or sheets provide evidence of work, payroll provides the basis for funds outflow, and labor distribution summary provides information as to whether the cost incurred was an expense (e.g., selling expense) or an asset (e.g., work in process inventory). Once transaction data concerning the acquisition and use of resources are captured, the determination of account
balances, analyses of transaction information (e.g., to prepare a statement of cash flow), and preparation of reports becomes possible. DQ 2-5. Business events, also called transactions, are the steps within the physical and financial processes of the firms. Examples of business events are ordering merchandise, receiving merchandise, storing merchandise, and paying for merchandise. These events or transactions combine a series of documents (e.g., purchase order) with the related movements of resources (e.g., shipment of merchandise). Both documents and physical resources move in a harmonious fashion, each supporting the other. For example, the inventory of an item at or below reorder level triggers a purchase requisition, which in turn results in a purchase order, which is followed by a shipment from the supplier. The shipment accompanies a shipping note; when the shipment is received, a receiving report is prepared as an evidence of materials received. Thus, decisions trigger documents which in turn trigger actions, which result in physical flow of resources. Every document does not necessarily create physical movement of resources (e.g., purchase requisition). Generally, one or more documents precede inflow or outflow of materials. However, only a few documents actually travel with the physical movement of resources (e.g., shipping note). Overall, accounting and control of the resource movement is guided by documents, but not all paperwork implies physical flow of resources. DQ 2-6. The operational system of a firm is its collection of primary physical processes, which form a chain through which resources are transformed into the products and/or services that a firm provides. These primary processes are subdivided into sub-processes that are interdependent and integrated. Only the primary processes are discussed below for each of the requirements. a. Submission of bids, which may be followed by award of contracts. 
Acquisition of materials for on-site delivery and scheduling of other resources (e.g. equipment, workers), according to the phases of the project. Construction (This will have many sub-processes). Final inspection and delivery of the constructed site. b. Receiving and reviewing requests for proposal; attending informational meetings. Submission of proposals. If the proposal results in an award of the work to be done, the next process would be to plan the project schedule. Project implementation (This will have several sub-processes). Project testing and delivery. c. Patient referral (or direct approach by the patient). Examination and initial diagnosis. Initial treatment and further testing (if necessary). Hospitalization (if necessary). Follow up (if necessary). DQ 2-7. a. The addition of a new territory will not change the system’s logic, nor would it directly affect the existing territories, products, or information generation and use. A code for the new territory will be added to the list of territories. A record for the new territory will be added to the records of the existing territories. Transactions emerging due to the new territory (e.g., employee payroll) would be processed by the current system that serves the existing territories. b. The addition of a new product line will require the addition of new records containing data (Name, product number, unit, etc.) relating to the added products. Inventory records will also be added to the existing inventory file(s). However, the processing logic is unlikely to be affected by the addition of the new products. Throughout the firm, the operations, document flow, data processing, and reporting structure will handle the new products (along with the
existing products). For example, sales reports to each sales territory manager will simply include the new product line. DQ 2-8. Business events, also called transactions, are the steps within the physical and financial processes of firms. Examples of business events are ordering merchandise, receiving merchandise, storing merchandise, and paying for merchandise. External events, such as a sale event, take place between the firm and external parties. Internal events, such as assembling a product on a production line, take place entirely within the firm. Data regarding these transactions, both internal and external, need to be captured, transcribed (if necessary), and processed to generate information regarding the effects of the physical and financial processes undertaken by the firm. These transactions, most of which are likely to follow a predefined pattern (cycle), comprise a very large majority of data of a firm. Information generated by processing these transactions is used to plan, direct, and control the firm’s operations. Consequently, business events can be considered to be the foundation of a firm’s data base. DQ 2-9. Note: Data elements listed may not comprise a single record or table. a. Client name; Client address; Date of engagement (initiation); Expected completion date; Engagement code (Type of engagement); Amount of the fees; Primary contact point at the client’s, Phone number, Fax number, E-mail address of the primary contact; Person primarily responsible for the engagement at the consulting firm’s office. b. Customer number; Shipping address; Purchase order number; Country of origin; Country of destination; Amount in foreign currency; Amount in domestic currency; Amount of letter of credit; Letter of credit reference number, Bank name, and Phone number; Carrier’s name, Address, Phone number. c. 
Name of patient; Social Security Number; Date of birth; Insurance Company (if any); Type of coverage (if any); Primary care physician; Home address, Phone number; Work address, Phone number; Name of person to contact in case of emergency, Phone number at work, Phone number at home; Symptoms of illness; Allergies (if any). DQ 2-10. A detailed ledger is desirable to support any general ledger account for which there is sufficient volume, either in terms of the number of underlying entities or number of transactions affecting the account during a specified period. The particular accounts likely to require detailed ledgers will usually be determined by the type of business firm and its specific operating conditions. A medium-sized merchandising firm will normally acquire merchandise from numerous suppliers and sell a variety of merchandise in numerous transactions. Thus, the firm will almost surely include detailed ledgers to support the accounts payable and merchandise inventory accounts in the general ledger. If the firm sells on credit, the accounts receivable account will become a control account over the accounts receivable detailed subsidiary ledger. In addition, the firm will maintain employee earnings records, which can be viewed as a detailed ledger supporting the payroll clearing account. Other accounts of a merchandising firm that may serve to control detailed ledgers, depending on the firm's specific conditions, include the various plant asset accounts, notes receivable, and notes payable. DQ 2-11. The advantages gained by students in beginning their study of transaction processing systems with those that are manual include the following:

a. Simplification. Transaction processing systems involve inherently complex relationships. Computerized systems tend to increase the complexity, due to the variety of hardware devices and the integrated nature of the software routines. By focusing upon manual systems, students can observe the relationships more clearly. They are able to concentrate upon individual processing steps performed by clerks within the various organizational units.

b. Tangibility. Computerized systems involve the storage of data in invisible form on magnetic tapes and disks. Manual systems, on the other hand, employ tangible source documents, journals, ledgers, and hard-copy reports. Students can therefore trace the flows of data through a manual transaction processing system more easily. They can also better understand the vital audit trail.

c. Familiarity. Many students have worked, either full-time or part-time, in firms during their high school and college years. Most such work experiences have involved small business firms such as fast-food restaurants and service stations. These firms have generally utilized manual systems, especially during the pre-microcomputer era. Because of their familiarity with manual systems during their work experiences, students are better able to understand the descriptions of transaction processing systems when cast in such environments.

d. Appreciation. Where transaction-processing systems are first presented in their manual modes, and then later presented in computerized modes, students have a basis for comparison. They are therefore better able to appreciate the numerous benefits provided by computerized transaction processing systems—such as the efficient processing of transaction batches, the automatic editing of individual transaction data items, and the effortless generation of numerous analyses from coded input data. DQ 2-12. Specific sets of transaction cycles and types of transactions differ from firm to firm, mainly because firms differ with respect to objectives, internal operating conditions, and external environments:

a. Objectives have a significant impact upon the transactions, since they vary according to the types of industries within which the firms are located. A bank, for instance, has the objective of providing financial services to depositors and lenders. Thus, it requires transactions that involve demand deposits and loan activities. A hospital, on the other hand, has the objective of providing health care services to patients. It therefore requires transactions that relate to patient care activities – such as nursing, diagnostics, food preparation, and surgical operations.

b. Internal operating conditions have significant impacts; they can and often do vary between firms of the same type and within the same industry, as well as between firms of different industries. For instance, a merchandising firm, such as a discounter, that sells only for cash will have a combined sales-cash receipt (revenue) transaction cycle that differs from the revenue transaction cycle for a merchandiser (e.g., a department store) that sells on credit. A manufacturing firm having several product-line divisions may require transactions involving inter-company sales, whereas another manufacturer not organized according to product-line divisions would not. It is even more apparent, as noted in the chapter, that a manufacturing firm, which produces goods for sale, will require production or product conversion transactions, whereas a non-manufacturing firm would not.

c. External environments, also important determinants of the transactions processed by a firm, differ widely among firms. A university, for instance, requires registration transactions in order to service students, the key entity in its environment. A hospital, on the other hand, employs admission transactions in order to accommodate incoming patients. To take another example, many firms undertake projects that impact their environment, such as constructing new plants or other buildings. Certain of these projects, however, require more types of transactions than do others. For instance, those firms whose projects are expected to affect adversely the environment of nearby residents, such as nuclear power plants, require transactions related to "environmental impact studies." DQ 2-13. a. Merchandising firm: Purchases, Sales, Human resource, Facilities. A primary purpose is to buy and sell merchandise with a view to earn a return on investment. Inputs include human resources and merchandise; process involves the management of inventory and sale of merchandise. Outputs are mainly in the form of cash flows generated by sales. Environment is made of competition, present and prospective customers, and the market dynamics. The major structures are the organizational structure, the operational system, and the information system. Constraints include physical size of the facilities, market served, budgets, and applicable local, state, and federal regulations.

b. A bank: Deposit and checking accounts, ATMs; Loans, Mortgages; Investments; Safe and Vault, Safety deposit boxes; Foreign currency and international business; Electronic fund transfer; Human resource; Facilities. A bank’s predominant purpose would be to provide banking and related financial services to customers with a view to earn a return on its investment. Inputs are in the form of funds deposited by customers, checks and other supplies, ATM cards, credit cards, etc. Processes are many and often complex. These include services in connection with the customer accounts (deposits, withdrawals, access to safe deposit box, etc.), financial lending transactions (loans and mortgages), and investment oriented services (e.g., IRAs). Outputs are in the form of transfers of funds, investments, mortgages, etc. Environment consists of the competitive financial markets, other banks competing for the same customers, and regulatory agencies. Major structures include the organizational structure, the service operations, and the information system. Constraints are imposed by the facilities, the physical size, budgets, regulations, etc.

c. A public accounting firm: Consulting (auditing, tax, and systems); Human resource. A predominant purpose of a public accounting firm would be to offer accounting, auditing, and related services to earn a return on its investment. Inputs are provided by human resources and their know-how, facilities, and equipment. Processes include services in connection with the customer needs, for example, auditing, tax planning, or any other kind of assessment service related to financial aspects or information systems. In the case of each service, the process can be different. Examples of outputs are reports to management, auditors’ report on financial statements, and other reports. Outputs also include any systems and procedures designed or modified for clients. Competing public accounting firms, the present and prospective client pool, and professional associations are included in the environment. Structures include the organization structure, the service operations, and the information system. Constraints are imposed by the human resource available, facilities, and professional and regulatory requirements.

d. A university: Admissions, financial aid, enrollment and registration; Academic departments, curriculum design, and instruction; Student services (dorms, student organizations, bookstore, recreational facilities, food services, career services); Facilities. A university is typically a not-for-profit organization serving the higher education needs of traditional and non-traditional students. Private universities, including corporate-owned universities, have also emerged. Inputs include students, faculty, and curricula. Processes are many and varied. The primary process is that of teaching—which involves enrollment of students, instruction, curriculum design and redesign—and research. Outputs include grades, certificates and diplomas, research outputs and most importantly, the dispensing of knowledge, skills and attitudes. Environment comprises alumni, other universities, accrediting agencies, regulations, etc. Primary structures are the organizational structure, the operations, and the information system. Constraints are imposed by the funding available, facilities, regulatory requirements, and budgets.

DQ 2-14. AISs of the future are likely to have the following characteristics:

• AISs may be integrated with MISs to a much greater extent. This will permit integrated data bases, which permit access to every imaginable data and relationships among data. Lower cost of hardware, software, and communication, need to produce value through unifying views of data into relevant information, and the assurance that data will be secured will be the primary forces in this development.
• Transaction processing will be more on-line and less in a batch mode. Efficiency may remain as a concern; however, more powerful technology at more affordable prices will continue to improve versatility of future systems without increasing costs. Relationships between data would be of great interest to users.
• Businesses are likely to move away from hierarchic structures and toward more fluid, highly responsive project-oriented networks. This will cause the information systems to produce information views of interest to varied members of the project team. Responsibility center definitions would be dynamically managed. Membership to a responsibility center and corresponding accountability would change over time as current projects are completed and new ones are undertaken, and as existing project teams are disbanded and new ones are created.

Differences between today’s management accounting and future management accounting will lie not so much in concepts and foundations, but in terms of level of sophistication possible due to available information technology and technology resources, including the Internet. Some of the differences may emerge along the following lines:

1. Dynamically defined and monitored responsibility centers, as discussed earlier.
2. Activity based management would be facilitated by information technology.
3. Considerable degree of feed-forward (proactive) management would be possible.
4. Recognition that accounting numbers will have to be balanced by adding other measures to present a balanced scorecard will become even more graphic. Movement in this direction will be technologically supported.
5. More sophisticated measurement and evaluation systems will be necessary to control the service sector, which will become predominant.


PROBLEMS 2-1. a. and b. See diagrams included on following pages. In each case, the diagram accommodates both requirements. b. These diagrams represent value systems because the links across firms create a virtual environment for the benefit of everyone. For example, the suppliers can have a better understanding of the customer’s needs. The cycle time involved in ordering is reduced, paperwork is minimized (almost eliminated), and the cycle time for payment of invoices is reduced to benefit the supplier. For the customer, costs would be lower (which may mean lower prices), waiting time on orders is reduced, and overall level of customer service is improved.



a. and b. Integrated oil company

[Diagram not reproduced. Labels shown: Facilities construction and management; Facilities; Materials from suppliers; Purchasing; Maintenance; Oil exploration; Drilling and production; Research and development; Production planning and control; Quality control; Credit checking; Shipping and transportation; Refining; Storage; Marketing; Manpower; Funds; Personnel; Data; Finance/accounting; Advertising and sales promotion; Sales order entry; Shipping; Order from customer; Oil products to customers.]


a. and b. Electric utility

[Diagram not reproduced. Labels shown: Facilities; Construction materials from suppliers; Raw materials from suppliers (e.g., coal, oil); Facilities construction; Facilities management; Engineering design; Purchasing; Receiving; Raw materials stores keeping; Maintenance; Operations scheduling; Transportation of raw materials; Electrical generation; Safety control; Credit checking; Electrical transmission; Manpower; Funds; Personnel; Data; Finance/accounting; Advertising and customer relations; Customer service; Order from customer for service; Electrical distribution; Electrical power to customer.]


2-2. a.

[Diagram not reproduced. Labels shown: Tax preparer; Electronic filing; No refund; Accept; Return rejected; Edit return; Process return; Taxpayer; Refund; Taxpayer data base; Credit toward future taxes; Taxpayer's bank; Tax return; Taxpayer; Process return.]

b. The addition of the electronic links adds value in many ways. The cycle time for filing is reduced considerably. Since the electronically filed returns are machine-readable, the returns can be “audited” for numerical and procedural accuracy soon after their receipt. This saves additional cycle time, improves efficiency and accuracy, and reduces labor costs. Refund checks are issued quickly, reducing the waiting time for the taxpayer. Finally, the physical paper copies are not required and this saves filing time, storage space, and the environment.

2-3. The Brown Company is currently experiencing profitability and cash flow problems. Information such as the following, if reasonably accurate and timely, could have helped avert these problems:

a. Profit plans, showing planned levels of profits with respect to merchandise lines sold by the firm and with respect to sales territories within the region.

b. Profit variance reports, showing variances of actual profits from planned profits for the past month and year.

c. Comparisons of prices charged by competitors with prices charged by Brown Company.

d. Trends of overall variable costs and also fixed costs compared with trends of prices charged by Brown Company for the merchandise it sells.

e. Separate trends of costs for merchandise, labor, shipping, warehousing, and other key items.

f. Estimates of price elasticity with respect to the various products sold by Brown Company.

g. Cash flow projections (budgets) for the coming months of each year.

h. Expected inventory carrying costs—including costs for insurance, taxes, warehouse labor, and financing—in the area where the present warehouse is built.

i. Comparative inventory carrying costs and transportation costs for the location of the present warehouse versus similar types of costs for warehouses in other feasible locations within the region served by Brown Company.

j. Forecasted interest rates at the time the warehouse was built.

k. Payment due dates on invoices from suppliers.

l. Terms by which payments on suppliers’ invoices may be deferred (e.g., signing short-term interest bearing notes).

m. Terms available from alternative suppliers.

2-4. (Adapted from the Certificate in Management Accounting Examination, June 1981, Part IV, Question No. 3)

a. Strategic and tactical decisions that must be made periodically by Marval include the following:

1. What are the projected future travel needs (e.g., social, business) and how are these likely to change (e.g., less business travel due to telecommuting, or shorter durations of stay for business-related visits)? How would these affect the product lines of Marval?
2. Which product lines should Marval drop? Which ones should it continue or modify?
3. How might Marval improve its market share?
4. Marval manufactures luggage for large retail firms, in accordance with each firm’s unique specifications. What might be additional opportunities in this market? Should Marval seek business from airlines or travel agencies?
5. Should Marval consider opening factory outlet stores? If so, how many stores and where should stores be located?
6. Is Marval utilizing all of its capacity? How could Marval improve its capacity utilization? Is there a need for capacity expansion?

b. Specific factors which Marval Products needs to consider in its annual review of long-term product strategy include the following:

(1) The current state of the economy and its expected future status, and the current and future availability of resources, such as manpower, plant and equipment, and capital.
(2) Consumer attitudes with regard to product appeal, changing travel modes and patterns, and changing life styles and affluency.
(3) The level of industry sales, Marval's current and projected market share, and Marval's degree of influence or dominance in the industry.
(4) The product lines with respect to the nature of the production process, length of time the product has been established, and utilization of resources and plant capacity.

c. Information which Marval Products needs to consider when reviewing its sales forecast for the annual budget includes the pricing strategy, size of Marval's market share and the relationship to its competitors, sales mix of products such that contribution can be maximized, available production capacity, effect of advertising on sales volume, and national and international economic conditions. The sales forecast of Marval products is derived from the industry sales projections. An estimated share of luggage by broad categories (soft-sided luggage, for example) can be computed based on the industry-wide projections by category. The market share percent in each category can be estimated on the basis of past sales, popular product lines, trends in the travel industry, commissions and discounts given on the sales, and the advertising budget. The sales projections for the industry are likely to have been derived from future travel costs (gasoline prices and airfares, for example); disposable income or discretionary spending levels; estimated traffic due to conventions, conferences, and special events (such as the Olympic games); and reduced travel needs due to teleconferencing and telecommuting.

d. Marval can use a product line structure, which is effective when the firm plans to expand product lines or open new markets. However, the product line structure does not permit the top management to effectively coordinate new activities or control their development. The matrix organizational structure creates a grid between the functional and product oriented structures. Consequently, each project has access to all of the needed functional skills without duplication. However, because each attached employee reports to two or more superiors, it is possible that confusion will result. In contrast to the existing centralized structure, Marval can adopt a decentralized structure, which permits a high degree of delegation of authority to middle-level and lower-level managers. Decentralization can powerfully motivate the managers throughout an organization, especially if appropriate evaluative measures are devised. A decentralized structure seems to work well with product-line or other arrangements based on segments (for example, independent operating companies (IOCs) at ConAgra). Finally, Marval could change from a hierarchical, functional structure to a networked structure, which permits more flexibility and swift responses to changes in the environment.

e. Most of the information related to product strategy and sales forecasts can be expected to flow from external sources, such as industry organizations, applied economics research centers, and trade associations. Estimates will have to be developed internally for data such as projected contribution margins by product lines, plant capacity, and supply of raw materials. Marketing, manufacturing, product development and accounting functions are among those that are likely to interact in developing the product strategy and sales forecast.

2-5.
Keepwell Association can be considered to be a system, since it is an interacting assemblage of parts working as a whole to serve a common purpose. One basic purpose, or objective, of this system is to provide general medical care in a timely fashion and at a reasonable cost to its subscribers. Other purposes are to provide preventive health care (such as dental and eye examinations), to maintain good subscriber-physician relations, and to earn a profit. Its system boundary encompasses all of the general medical, dental, optical, diagnostic (laboratory and xray), and pharmaceutical services it provides, together with the managerial and clerical functions that accompany these services. Keepwell is a part of a greater system of health care providers; that is, it is a subsystem within a health care system that includes suppliers, local hospitals, other health care providers, and medical specialists. The constraints within which Keepwell must operate include (1) limitations based on the organization’s staff and its ability to provide services (e.g., no hospital on the premises); (2) limitations related to financial resources; (3) regulations imposed by governmental agencies; and (4) limitations caused by both demography and geography. The environment within which Keepwell functions includes (1) its suppliers – the companies and individuals who provide goods and services for Keepwell, including but not limited to suppliers of equipment, office supplies, drugs and medical supplies, and such services as provided by the allergists and surgeons; (2) its subscribers, or potential subscribers who will utilize the health care services; (3) the local, state, and federal regulatory agencies that will influence how the company operates; (4) the American Medical Association; and (5) its competitors, the other health care providers.



The basic inputs into the Keepwell system include resources such as staff employees, funds from patients, materials and medical supplies, equipment, patients, varied data (such as subscriber contracts), and medical and technological information. These inputs undergo processes consisting of medical care and treatment, diagnostic procedures, preventive dental services, eye examinations, and accounting procedures. Outputs generated by these processes include convalescent and healing patients, referrals to outside specialists, examined subscribers, medical information, billings, and financial statements. The system relies on controls provided through constant feedback, which takes the forms of (1) patient health status information (provided through telephone calls or return visits), (2) records prepared by the staff physicians and dentists, (3) reports from outside specialists and hospitals, (4) results from laboratory tests, and (5) bills from the accounting procedure. Within the system known as Keepwell, any such subsystems interact to provide comprehensive medical care for its subscribers. These subsystems include: (1) general medical services; (2) diagnostic services, such as X-rays and laboratory tests; (3) pharmacy services; (4) dental services; (5) eye examinations; (6) record keeping relating to the maintenance of patient files concerning general medical, dental, and eye care; (7) billing procedures; (8) appointment scheduling; (9) general management; (10) general accounting; and (11) financial planning. Although each of these subsystems employs a unique procedure and has its own subobjective, each is an interdependent and integral part of the Keepwell system. Therefore, each subsystem attempts to further the organization’s overall objectives. A number of interactions take place among the above subsystems, as the following typical patient process illustrates: Keepwell receives a telephone call from a male subscriber for an appointment. 
When the patient (subscriber) checks in, his file is retrieved, and he is assigned to an available physician. Once he is seen, four alternatives are possible. First, he can be treated and released. Second, he can be treated and given a prescription. Third, he can be given written authorization for diagnostic measures. Fourth, he can be referred, with written authorization, to a specialist. The prescription forms and written authorization serve as key interfaces between subsystems. They enhance communication and assure that the services requested are performed. All of the information regarding the visit is noted in the patient’s file; ultimately, all of the information regarding the services rendered and charges incurred are forwarded to the billing department. The charges incurred are compared with the coverage available, and monthly charges are mailed to the subscriber. Although these interactions among the various subsystems require coordination and cooperation, they are essential to the smooth functioning of the Keepwell Association.

2-6. The following revised organization chart is based upon sound organizational structure precepts. Major changes from the current organization chart are discussed in the paragraphs below. Alternative revisions are feasible. For instance (1) the controller and treasurer could be grouped under a vice president of finance, (2) the information systems director, the personnel manager, and the purchasing agent could be grouped under a vice president of administration, or (3) the personnel manager, the information systems director, and the purchasing agent could be included at the second managerial level, together with the sales manager, distribution manager, controller and treasurer. Also, additional organizational units could be shown, such as the shipping and receiving departments. The rationale for the incorporated changes is as follows:



a. The high credit losses being experienced could be the result of having the Credit Manager report directly to the Sales Manager. Since the Sales Manager is interested in generating a high volume of sales, the credit policy is probably very lax. To alleviate this situation and to institute stricter credit guidelines, the Credit Manager now reports to the chief financial officer, a new position designated as Treasurer.

b. The present merchandising problems have been created because the Distribution Manager attempts to minimize costs through purchasing methods that emphasize ease of handling and accessibility to the various warehouses. To correct this situation, the Purchasing Agent should be independent of the Distribution Manager. Thus, both positions have been placed (1) on the same managerial level and (2) under the authority of Marketing. As a separate responsibility center within the marketing function, the purchasing activity should emphasize marketability of the products as well as purchasing economies.

c. The lateness of the accounting reports could be the result of inattention to users’ needs. One solution is to add an organizational unit headed by a Reports Manager. This manager would logically report to the Controller, the manager having the prime responsibility for disseminating information. (Another solution would be to reduce the span of management for the Controller, perhaps by assigning the budget and general ledger responsibilities to the subordinate manager and the remaining accounting activities to another subordinate manager. This division of responsibilities would enable the controller to have more time to devote to the reporting needs of the key managers.)

d. Currently the Billing Manager reports to both the Controller and Sales Manager; thus, the unity of command is impaired. Since the controller is responsible for the billing and posting activities, the Billing Manager should be assigned solely as a part of the accounting function. If the Sales Manager must approve all prices, the procedure can be established whereby the sales orders are routed to the Sales Manager before they are sent to the billing department for preparing invoices.

e. Currently the persons who handle cash are assigned to the same organizational function as the persons who maintain the accounting records concerning cash. Thus, opportunities for embezzlement exist, since the same person has access to cash as well as to related accounting records. (Apparently someone has abstracted cash; probably he or she has believed that the thefts could be hidden by manipulations of the records, but the thefts have been detected in some manner.) To lessen the opportunity for embezzlement, the Cashier (who handles cash) is removed from the accounting function and placed under the Treasurer.

f. Currently the Personnel Manager reports to the Controller. This situation could be one cause of the personnel problems, since the Controller is primarily responsible for financial matters. He is not likely to be knowledgeable concerning personnel policies, needs, and benefits. To give the personnel policies more prominence, the Personnel Manager has been given a higher managerial level and independence from the Controller. Also, a payroll department has been established under the Controller, so that paycheck processing will be given due attention.

g. As a final change, the Information Systems Manager has been moved to a higher managerial level. Thus, the information system function is given greater prominence and accorded greater respect. Presumably it will thereby be able to provide better service to all functions within the Smithers Merchandising Corporation.

Revised organization chart for Smithers Merchandising Company:

[Organization chart not reproduced. Positions shown: President; Personnel manager; Information Systems Manager; Director of Marketing; Purchasing agent; Sales manager; Branch managers; Distribution manager; Advertising manager; Treasurer; Cashier; Controller; Credit manager; Payroll manager; Warehouse managers; Budget manager; Billing manager; Reports manager; Accounts receivable manager; Accounts payable manager; General ledger manager.]


P2-8.

Name: Larry's Supply Mart                     No: 37285
      39873 South Plymouth Ave.               Terms: 2/10, n30
      Cleveland, Ohio 44101

Date     Explanation     Document number   Debits     Credits    Balance
Oct 10   Purchase        2191                         2000.00    2000.00
Nov 19   Disbursement    CD 5832           2000.00                  0.00
    19   Purchase        3374                         3400.00    3400.00
    23   Return          CM 638            1600.00               1800.00

Note that discounts taken would be reflected through the journal.

Raw Materials Inventory Ledger Record

Item No: M2389     Description: Connecting Rod     Reorder point: 100 units

         Receipts                        Issues                          Balance on hand
Date     Reference  Units  Unit Price    Reference  Units  Unit Price    Units  Unit Price  Amount
Mar  1   Balance forward                                                 170    $10         $1700
     3                                   RQ/432     80     $10           90     $10         900
    10   RR3462     200    $10                                           290    $10         2900
    14                                   RQ/476     100    $10           190    $10         1900
    23                                   RQ/497     90     $10           100    $10         1000
    27   RR3503     200    $10                                           300    $10         3000
    28                                   RQ/525     150    $10           150    $10         1500


2-9. (Adapted from the Certified Internal Auditor Examination, November 1989, Part III Question No. 51) The following answers relate to the organizational structure for AIMS:

a. The advantages of a functional organization are as follows:

(1) It provides for a logical breakdown of the organization’s tasks.

(2) It permits those employees with similar technical expertise to work in a coordinated subunit.

(3) It reduces duplication of effort. That is, it allows various product lines to share resources that neither may be able to justify alone (for instance, marketing research).

(4) It facilitates centralized, top management control. In the case of AIMS, the President is the only manager who has an overall view of the firm’s operations.

The disadvantages of a functional organization are as follows:

(1) It may foster suboptimization. That is, the goals of a department may become more important than the goals of the organization.

(2) It is difficult to train general-management personnel since few managers have responsibilities spanning multiple functions.

(3) It increases the requirement for coordination and communication between functional departments.

(4) It is difficult to determine the contribution to profits and to accurately assign overhead costs to various products.

b. The most appropriate type of organizational structure for AIMS is a product-type structure for the following reasons:

(1) The firm has two distinctly different product lines.

(2) The two products are produced in separate production facilities independent of each other.

(3) The products are sold to different customers through different distribution channels.

(4) The relevant functional areas (sales, production engineering, production planning and control, shipping and receiving, and so on) can be easily segmented.

c. The general rule of thumb for deciding which functions should be centralized and which should be decentralized is: “decentralize those functions which are unique or relate directly to each product and centralize those that make synergistic use of resources.” The following functions should probably be decentralized to each of the two product divisions: sales, those engineering functions which relate to each product, shipping and receiving, production planning and control, and quality control. The functions which should probably be retained at corporate level (centralized) are: marketing and advertising, market research, data processing, purchasing, personnel, and accounting.



2-10. (Adapted from Certified Management Accountant Examination, December 1991, Part I, Question 3)

a. In a matrix organization, personnel from various functional organization units are assigned to one or more projects to work together as a team. The matrix structure integrates the activities of different specialists while at the same time maintaining functional organization units. Such an organizational structure establishes dual channels of authority, performance, responsibility, evaluation, and control. People can be accountable at the same time to both the project manager and the manager of the functional department to which they are assigned. The matrix organization would apply to the situation described at Grayson Corporation for several reasons including

• diverse products with frequent technological changes.
• the capability to organize by product and assign different functions to the product. Being a defense contractor, many projects are carried out in a technological atmosphere with a contract that does not specify in detail what will be done; hence a great need for both functional specialists and overall coordinators or project managers exists.
• answering the complaints that certain products are not receiving the attention they deserve from one or another department.

b. The matrix organization structure has both strengths and weaknesses.

1. Three of the benefits that Grayson Corporation could realize include

• better planning, coordination, and control of scarce resources.
• concentrating on a narrow but strategically important product or market.
• focusing on employee knowledge rather than an employee’s rank within a function.

2. Three of the weaknesses that Grayson Corporation may have to overcome include

• increased demands on management time to coordinate activities.
• lack of stability as projects have finite lives.
• stress from dual reporting responsibilities and lack of clear permanent lines of authority.

c. At Grayson Corporation, the sales department has complained that some of the products are not receiving the attention they deserve from the production and research departments. This can be addressed by introducing the networked structure at Grayson. Cross-functional teams can be formed, with representation of sales, production, and research departments on such teams. This type of structure will facilitate several ongoing projects and tasks, each being performed by a team of employees, headed by a manager. In a networked structure, information can be shared and decisions made quickly.

d. A networked structure represents an interconnected but nonhierarchical structure that is both flexible and fluid. Ongoing projects and tasks are linked via communication networks, so that information can be shared and decisions made quickly. Members can be assigned to more than one project or task, since communication is so easy. Networked structures enable projects and tasks to be completed faster and more economically, while new projects can quickly be established to meet arising challenges. Functional structures limit communication, which inhibits progress and proactive response to change. Cross-functional communication or teamwork is difficult if not impossible. Flexibility in the organization’s response to



internal and external changes is constrained. Whereas matrix structures overcome this inertia to change, responsibility relationships still need to be maintained, and the organization’s ability to adapt to change is limited. Several difficulties can be anticipated, and perhaps overcome, in applying the networked structure. The firm would need communication systems that permit dynamic interchange among team members, without constraints of time and space. The employees would have to be more effective communicators. The task of planning and coordination of projects, setting project priorities, managing scarce human expertise within the organization, and deploying employees fully and effectively are among the major challenges of networked structures. Dynamic deployment of employees increases responsibility on their part, and could cause greater stress on the job. Project successes and failures, project redefinition, and projects with sudden changes in the pace of work can cause considerable difficulties in human resource management.

2-11.

[Flowchart not reproduced. Elements shown:
Start.
Document: includes code numbers and quantities of each item received or sold.
Sort by transaction type (receipt or sale), giving Receipts and Sales.
File of item code numbers, descriptions, unit costs, and unit prices.
Analyze receipts. List each item and at the end, compute total purchases for the date. Figure out total quantity of each item, multiply by unit cost. Using item code, find item description, and list on the worksheet.
Analysis of receipts: includes item description and total cost, sorted by item number. Shows total cost of receipts.
Analyze sales. List each item and at the end, compute total sales for the date. Figure out total quantity of each item, multiply by unit price. Using item code, find item description, and list on the worksheet.
Analysis of receipts and sales.
Prepare daily report. Include report title, date of report, preparer, the date for which transactions are analyzed.
The daily report.]


2-12. Segments of system flowcharts are as follows:

[Flowchart segments not reproduced. Labels shown in each segment, in the order extracted:]

a. Order and pricing data; Prepare invoice; Sales invoice (copies 1 through 5).

b. p.o. file; Purchase orders (batch); Sorted p.o.'s (batch); Sort by p.o. numbers; N.

c. Purchase order (PO); Supplier's invoice; Receiving report (RR); Compare and approve invoice; Supplier's invoice; Open-to-pay file; PO; RR; C.

d. Check vouchers (batch); Post; Check vouchers (batch); Supplier file; Resort by suppliers' names; A; Sorted by customer account numbers; Accounts receivable subsidiary ledger.

e. From customers; Cash payments (batch); Record payment data; Prepare deposit slip and compare with listing; Cash payments (batch); 1; Remittance listing; Deposit slip; 2; Deposit slip; Remittance listing; Cash payments; Listings; Bank; C.

f. Cust. orders; From shipping dept.; A; Shipping notices (batch); 1; Shipping notices (batch); Sales invoices (batch); 2, 3, 4; Cust. orders; Performed by billing department; Compares documents; Invoice; Shipping notices (batch); N; Cust. orders; Prepare sales invoices.

g. Accounts receivable; Customers; From suppliers; A; Suppliers' invoices (batch); Enter data and compute batch total; Batch total; Suppliers' invoices (batch); Batch total; Post, compute total and compare; Invoice register; Accounts payable subledger.


2-13. (Adapted from the Certified Public Accountants Examination, May 1979, Auditing Section, Question No. 2) Procedures (operations) or internal documents in the flowchart of Bottom Manufacturing Corporation’s charge sales system are as follows:

a. Prepare sales order in six copies.
b. File in sales order department.
c. Approve credit terms.
d. Pick ordered goods and deliver to shipping department.
e. File in finished goods department.
f. File temporarily until goods arrive from finished goods department.
g. Prepare bill of lading in three copies.
h. Mail copy to customer when goods are shipped.
i. Attach copy of bill of lading to copy of sales order.
j. File in shipping department.
k. Customer purchase order and copy of sales order.
l. File temporarily until shipping copy of sales order arrives.
m. Prepare sales invoice in three copies from supporting documents.
n. Mail copy of sales invoice to customer.
o. Enter sales transaction in sales journal.
p. Account for numerical sequence of sales invoices.
q. Post sales amount from each sales invoice to customer’s account (as a debit).
r. File in accounts receivable department.



CHAPTER 3

AIS Enhancements through Information Technology and Networks

OBJECTIVES              DISCUSSION QUESTIONS                   PROBLEMS
5. SYNTHESIS                                                   4, 16
4. EVALUATION           5, 6, 7, 8, 15, [16], 18               2, 9, 10, 13
3. APPLICATION          1, [2], 4, 9, 11, [20], [21]           1, 3, 5, 6, 8, 12, 15
2. COMPREHENSION        3, 10, 12, 13, 14, 17, 19, [22], 23    7, 11, 14
1. CONCEPTUALIZATION

[ ] Infoage


CHAPTER 3 AIS ENHANCEMENTS THROUGH INFORMATION TECHNOLOGY AND NETWORKS DISCUSSION QUESTIONS DQ 3-1. During the last few decades, organizations of all types have been moving toward the use of more computerized information systems. Accountants are unavoidably affected by this trend. While it is not necessary for accountants to understand completely the complexities of computer hardware, they should have sufficient knowledge to enable them to (1) be aware of the basic elements and operations of a computer, (2) feel comfortable in the presence of computerized information systems, (3) understand the relative capabilities of alternative computerized information systems, and (4) operate user-oriented equipment such as terminals. Accountants must be even more knowledgeable concerning computer software. They should be aware of the variety of software available, and also be able to write end-user level programs and prepare program flowcharts. Although they may not be called upon to perform much tasks as a part of their responsibilities, they will likely need to review programs and flowcharts prepared by others during assignments involving the evaluation of internal controls and other aspects of computerized information systems. In the future, as more and more firms of all sizes make increasing use of computerized information systems, accountants who do not understand computer hardware and software will find their effectiveness diminished. They will be less able to provide maximum or even satisfactory levels of assistance to management, owners, and others that they serve. DQ 3-2. A system is essentially an allocation of tasks between humans and machines. Such allocation is generally driven by the principle of comparative advantage. If humans have an edge over machines in performing a task, that task is assigned to humans, and vice versa. Figure 3 provides a classification of tasks typically performed by humans and by computers. 
It would be a rare situation where there is no comparative advantage left to the humans, that is, the system is completely computerized. A vast majority of systems will have human involvement, although more and more tasks can now be performed by computers. Even in cases where a decision or task is assigned to humans, the computer-based system may provide considerable support in making decisions or performing the task. Infoage’s AIS is not completely automated; there exist areas where computers can provide considerable comparative advantage. The outlets can be networked with the warehouse and the main office, resulting in effective communication and decision support. Financial and nonfinancial data can be fully integrated to provide managers with comprehensive information that impacts their decision making. Finally, the business processes and accounting procedures can be improved. This can be followed by an implementation of a client–server system for critical functions, such as inventory management. Also, such a system can be further extended to form an electronic data interchange (EDI) network with suppliers.

DQ 3-3. The first part of the question relates to the cost-effectiveness of computer-based systems in a small business. Microcomputers are increasingly becoming more powerful, highly flexible, and less costly. The availability of software for microcomputers has been improving over time. Software you could use only on a mainframe a few years ago is now likely to be available in a microcomputer version. Increasingly, such software has been improving in user-friendliness.



Thus, the amount of technical expertise necessary to use a microcomputer-based system can be expected to be rather low. Overall, a small business can afford to invest in resources necessary to automate its system(s). Whereas the costs are decreasing, the versatility of computer-based systems is increasing. For example, with appropriate applications, a small business can track its inventory, monitor sales to specific customers or in specific regions, and track and analyze data related to its environment. Thus the value of having a computer-based system can be expected to be much greater than that of a manual system. To summarize, if properly implemented and operated, a computer-based system could be cost-effective for a large majority of small businesses.

The second part of the question concerns the possible loss of control of the owner of the business. With all or most data concentrated in a single automated system, the possibility of loss of data is very real. Also, only one or two people who know the system could gain significant influence over the operations of the firm and may even use such influence to their advantage at the cost of the business. With a rather small system, it becomes very difficult to maintain separation of duties. Consequently, the question of control needs to be carefully analyzed and evaluated prior to implementing a computer-based system in a small business.

DQ 3-4. A list of main articles in the May 1999 issue of Datamation:

• A Mixed Bag of Readiness
• The Invasion of the Handhelds
• Hired Guns
• Warming up to Wireless Networks

“A Mixed Bag of Readiness” is relevant to accounting, for it discusses the extent to which different industries are ready for Year 2000, that is, have complied with the Y2K requirements. Y2K compliance is important to accountants for the following reasons:

• It is a risk that needs to be managed.
• Non-compliance may have an impact on the financial accounting and reporting system.
• Non-compliance or a potential lack of readiness in critical business areas may suggest violation of the going concern assumption, which has implications in terms of accounting, financial reporting, and audit opinions.

The remaining articles also prompt several accounting implications, although only indirectly. “The Invasion of the Handhelds” is an article that discusses how personal digital assistants (PDAs) have matured from mere calendars, contacts, and notes to a resource that does more: accessing corporate data and operating e-mail. Risk exposures and control implications of PDAs would be an important topic for accountants. “Hired Guns” talks about hiring contract workers in the information technology area, which implies additional risk exposures. “Warming up to Wireless Networks” discusses how mainstream companies are slow to adopt wireless networks. Wireless networks, as they grow in popularity, will bring additional and new risk exposures for accountants and auditors to assess and to help management control.

Datamation also includes various columns on current information technology topics. Other types of information include IS Managers’ Workbench (includes a variety of topics important to information systems managers, including applications development, databases, data warehouses, and middleware), Expert search facility, Discussions, Browse facility, and Letters.



DQ 3-5. When a computer becomes a part of an information system, several improvements are achieved in the firm’s reports.

a. Reports can be prepared more quickly.

b. Since a wide variety of data can be collected and stored in an integrated data base, more comprehensive and tailored reports and analyses can be prepared.

c. Assuming that the data inputs are accurate, accurate reports can be consistently prepared.

d. Reports that highlight exceptions and key areas can easily be prepared.

e. Added reports can be prepared at less added cost, i.e., the marginal cost of preparing reports is relatively low.

DQ 3-6. Information technology is advancing rapidly. More complex and highly integrated features are introduced using very short cycle times. Consequently, even for a person well trained in computing and communications technology, it is a challenge to keep up. Although the hardware and software vendors are trying to provide seamless interface with products of other vendors, the outcome is not perfect. Consequently, the behavior of computers may seem unfriendly, too complicated to understand, and confusing. Additionally, the help commands and other documentation, although improved over time, still lack clarity for end users. All these conditions lead to the perception that computers are unfriendly.

This unfriendliness is decreasing over time. As more people come out of schools and colleges with significant exposure to computers, they are able to deal with the technology more comfortably. Graphical user interface allows end users to do complicated things with a click of a mouse or a keystroke. End users are increasingly protected from errors and omissions through reminders and warnings or by the system automatically taking over the recovery in the event of failure. The object technology has produced visual means of dealing with information. Finally, the system documentation is improving in clarity and is easy to use. All these changes, despite the rapid pace of change in technology, ease the pain of the end user and make the experience worthwhile. Put differently, while improving in versatility and increasing in complexity, the information technology is also trying hard to become more user friendly. And the changing demographics certainly help along the way!

DQ 3-7. A communication network for a university having a single campus, if fully integrated, would in effect comprise a local area network. While a campus consists of multiple buildings, these buildings are clustered within the confines of a few square miles. Note, however, that a single network would likely not be the most satisfactory arrangement for the users. Since a university campus consists essentially of two major and dissimilar functions—academics and administration—the campus community of users would generally be best served by having a



local computer network that serves the administrative activities and another local computer network that serves the academic needs. Furthermore, since the academic “side” can be split into teaching and research missions, it will likely be desirable to provide at least two separate networks that serve these differing missions.

A communications network for an automobile insurance firm having regional offices and agents should be a wide area network, since the various offices and agents are separated geographically. Just as in the case of the university, however, this basic architecture might need to be modified to accommodate particular circumstances. For instance, local area networks might be linked through gateways to the principal wide area network. Furthermore, the agents within an area (such as a city) might be grouped to form a small wide area network, which would be connected (perhaps via multiplexed lines) to the broader wide area network.

DQ 3-8. The configuration of a communications-based system may possibly affect the type of decision making practiced by a firm. Thus, a centralized network may employ centralized decision making, whereas a distributed network may employ decentralized decision making. While there is no necessary correspondence (e.g., a centralized network can facilitate decentralized as well as centralized decision making), compatibilities do exist (1) between the user orientation of a distributed network and the decentralized decision making approach and (2) between the corporate (high level) orientation of a centralized network and the centralized decision making approach.

DQ 3-9. The difficulties likely to be encountered during the lengthy period required to design and implement a centralized network include the following:

a. Difficulty in incorporating the most recent hardware and software technology. (This can be minimized by delaying the selection of specific hardware and software as long as possible and by selecting hardware and software that emphasize the attributes of modularity and flexibility.)

b. Difficulty in coordinating the design and implementation activities. (This can be minimized by establishing a steering committee, assigning a firm project leader to head the actual work team, and documenting all design and implementation steps thoroughly.)

c. Difficulty in controlling the time and costs related to the developmental effort. (This can be minimized by maintaining sound project controls, including frequent reviews by the steering committee.)

d. Difficulty in avoiding the dissatisfaction and resistance of affected managers and employees. (This can be minimized by early and continuous communication with those affected, plus the encouragement of participation, to the extent feasible, in the design and implementation steps.)

DQ 3-10. Summary of article titled, “Cut Costs with Client/Server Computing? Here’s How!”

The most common cost advantage of moving from mainframes to client/servers comes from buying off-the-shelf applications versus writing and maintaining your own code. It could be advantageous to share cost-analysis data with other corporations in your industry. A company could learn a lot from its peers and competitors. Migrating to client/server will provide the benefit of being able to make business process changes more rapidly in order to gain competitive advantages. In order to determine if a company will spend less on client/server systems than mainframes, an organization



must determine where the savings are actually coming from. For example, Sun Microsystems saved costs relating to their information systems department from migrating to the client/server environment. The cost savings were attributed to their decision to move their decision support system off the mainframe onto their client/server systems. Other cost savings came from shifting to an automated software distribution and license management, along with their decision to go with “dataless” workstations. This included disk drives but no permanent data storage. This is what knowing where the cost savings are actually coming from means. Some researchers believe that the cost savings from migrating from mainframes to client/servers are not dramatic. In addition, it is believed that the costs of computing work shift from information systems to end-users. The apparent cost savings are actually cost transfers that the company is not able to track.

This article is relevant to internal auditors. Internal auditing is an independent appraisal function established within an organization to examine and evaluate the adequacy and effectiveness of the organization's internal control system and its overall quality of performance. Internal audits encompass financial activities and operations including systems, production, engineering, marketing, and human resources. Internal auditing is changing from a reactive control-based form to one that is risk-based and proactive. Evaluating risk in a rapidly changing world means auditors have to stay abreast of global and workplace issues such as mergers and acquisitions, new computer systems, and electronic commerce. The migration from mainframes to client/servers should be of special interest to internal auditors for the reasons stated above.

DQ 3-11. A variety of information can be captured during the operations of computer networks involving credit-card verification and automated ticket selling. The basic information relates to the transactions—their volume, the names of the participants, the dates, the amounts, and so on. This transactional information can be analyzed. With respect to ticket selling, the quantities of tickets sold can be converted into the expected revenues for the various events to which the tickets apply. Also, the volume of tickets sold at each outlet can indicate which outlets are the most productive and which should perhaps be dropped. With respect to credit-card verification, the average time duration per transaction can be computed. For instance, the percentage of credit-card verifications in which the credit lines have been exceeded (and hence the transactions are rejected) can be easily ascertained.

DQ 3-12. Developing a client–server platform can be a very complex undertaking. The project can be quite costly and time consuming. Certain costs may be difficult to estimate accurately, such as those related to testing, network and systems maintenance, end-user retraining, and security. Other hidden costs and difficulties may also arise. Because LAN-based hardware and software tend to be less reliable than mainframe hardware and software, client–server systems tend to crash frequently, sometimes for extended periods. On the end-user side, managers may block the flows of information throughout the organization, preferring to hoard the information for their exclusive use. It is likely that employees may not understand how to use the information flow or share it on a peer-to-peer basis to aid in making cross-functional decisions.



If the firm is implementing the client–server system worldwide, regulatory constraints may be severe, or the enabling technologies, such as a fiber optics network for better telecommunications, may not have been installed currently. Finally, the question of cost versus value of installing client–server systems is hard to tackle. Existing systems may be working fine, the desire for change may be quite weak, and incremental value of the new system may not be quantifiable. The leadership of the firm and its vision may be the determining factor in the final decision.

DQ 3-13. For most purposes client/server accounting software packages are more effective in developing financial reporting systems than traditional mainframe accounting software packages. AISs designed using client/server platforms permit more efficient on-line data entry, and also immediate processing of queries and reports for end users. Distribution of data bases is feasible, thus allowing local data to be stored locally (with client) and shared data to be stored centrally (with server). Distribution of processing is also feasible, thus allowing local applications to run on the client and shared applications to run on the server. The allocation of tasks among client and server makes the system versatile all around: in data capture, data maintenance, and report generation. Mainframe based AIS applications may have an advantage where masses of transactions are processed in a batch mode. It is important to recognize that these are not mutually exclusive options, in that some of the tasks can still be left to the legacy systems with proper interfaces between them and the C/S AIS.

DQ 3-14. Moving from a mainframe AIS to a client–server environment is a major undertaking, for there are significant differences between the two in terms of the system environment, end-user interface, and technology know-how required. The AIS may encounter several challenges. First, the changeover needs to be carefully managed so that no data are lost or contaminated. Second, the system must be tested and signed off by appropriate personnel, including the accountant. Third, it is important to ensure that proper documentation is prepared and distributed to those responsible for the new system. Fourth, backup and recovery procedures must be established and tested so that the system can be recovered if it fails. Fifth, audit trails in the new system must be verified for adequacy, and procedures for testing the new system (such as integrated test facility) must be designed and evaluated. Finally, end-user training and support must be provided so that user acceptance of the system occurs, and the system is properly used. If not carefully addressed, these challenges could become problems for the firm.

DQ 3-15. The elimination of many paper documents and reports affects the work of accountants in several ways. They would be concerned about security of accounting information. Only authorized individuals should receive information for which they have an access authorization. Managing access in a client–server environment is a complex task. The accountants will also be concerned about the audit trail in the increasingly paperless environment caused by client–server systems. If reported information is inaccurate or inconsistent, an audit trail could help locate the discrepancy. On the other hand, the accounting reports can be well-designed, displayed according to the user view of the information, and distributed over the network in a timely manner. Since many paper accounting documents are eliminated, productivity of the accounting staff would improve. The availability of a graphical interface enables the accounting staff to learn the system easily, resulting in less required training and support. Costs will decrease due to less paper and reduced



time to generate and distribute financial reports and analyses, and the risk of carelessly scattered sensitive paper reports getting into the wrong hands would be reduced.

DQ 3-16. Although just about all applications can be implemented on the client–server network, those that are critical to Infoage’s success should be considered first. One of the first applications to design on the network would probably be the procurement and payable system. Workflow in this cycle should be analyzed and, with the help of document imaging technology, all documents and procedures should be placed on the network. Thus, purchase requisitions would be placed on the network, and authorization of the purchase can be completed by a supervisor upon review of the electronic copy of the purchase requisition and any other data (e.g., inventory balance and reorder level of the item) that may be necessary to make the decision. Using the authorized purchase requisition and other information (e.g., vendors who carry the item), an electronic copy of the purchase order is prepared. When materials are received, an electronic copy of the receiving report is made. When an invoice is received, it is imaged into the system and processed for payment. All inventory records are stored on the network, and are updated immediately upon receiving or selling products. Thus, everyone involved in the operations gets the same information in a timely manner and, using this information, would make effective decisions. This application can also be extended outside the firm. For example, an electronic data interchange network can be used to link up with the suppliers. In this case, all communication, including purchase orders and invoices, will be managed through the electronic network. This saves time and cost, and makes both organizations more efficient.

DQ 3-17. Note: At the time of writing a response to this question, the URL http://www.peWebopaedia.com/datamart.htm did not work. Consequently, this answer was based on another source: http://www.datamation.com.

Data Warehouse: An implementation of an informational database used to store sharable data sourced from an operational database-of-record. It is typically a subject database that allows users to tap into a company's vast store of operational data to track and respond to business trends and facilitate forecasting and planning efforts. The data warehouse is the center of the DSS (Decision Support System) universe. The data warehouse contains integrated, historical data that is common to the entire corporation. The data warehouse contains both summarized and detailed information. The data warehouse contains metadata that describes the contents and source of data that flows into the data warehouse.

Data Mart: From the data warehouse, data flows to various departments for their customized DSS usage. These departmental DSS databases are called data marts. A data mart is a specialized system that brings together the data needed for a department or related applications. A data mart is a body of DSS data for a department that has an architectural foundation of a data warehouse. The data that resides in the data warehouse is at a very granular level and the data in the data mart is at a refined level. The different data marts contain different combinations and selections of the same detailed data found at the data warehouse.

Summary of article titled, “Datamarts: Coming to an IT Mall Near You!”

Datamarts are not a replacement for the data warehouse. A datamart is a partitioning of the data that sets aside summary information related to a specific subject area or even a group of users. The ultimate goal of datamarts is to give users fast access to the data they need to analyze. Datamarts are not dependent on data warehouses and can actually be set up on their own. In fact, if a company deals with a smaller or less complex subset of data, it might be more advantageous to



set up a datamart instead of a full-blown data warehouse. One big advantage of setting up datamarts is that a company can install them one at a time and clean up the data as it goes. They are also cheaper and easier to implement than data warehousing. Datamarts are filled with summary data and allow users to retrieve both multidimensional and traditional relational queries. One of the drawbacks of datamarts is the future need for cross-functional integration between separate business units. These departmental datamarts won’t be set up for linking. There might not be a logical way to link the data stores together to access enterprise data. For this reason, the data warehouse concept will remain important.

Datamarts and data warehousing are relevant to accountants. Accounting is largely a product of its environment. The environment of accounting consists of legal, political, economic, social, and technological conditions. It is a well-known fact that technology is vastly changing the way we think and work in the business world. The competitive advantages related to datamarts and data warehousing include the timely and relevant information that end users are allowed to retrieve. Corporations will more and more rely on this system to compete in their respective industries. As this knowledge capital becomes more prevalent, regulatory bodies such as the American Institute of Certified Public Accountants (AICPA) and the Securities and Exchange Commission (SEC) will have to respond to these technological advancements by mandating how to account for and value this intangible asset known as knowledge capital. In addition, as more and more companies depend for their survival on the knowledge of their key employees, regulatory bodies will have to respond on how to account for this knowledge that the company is doomed to fail without.

DQ 3-18. Data warehouse projects have failed miserably in the past for many reasons. One of the problems is that organizations are not ready to deal with the unexpected hidden costs associated with maintaining and analyzing electronic data. As data base-marketing capabilities increase, organizations must add more to the training budget in order to take full advantage of the emerging technologies. In addition, losing specialized experts can be extremely expensive. Knowledge capital is an extremely valuable asset in the business environment today and organizations must deal with the retention of these key employees.

Planning has a great impact on the success of a data warehousing project. In fact, the lack of a solid business plan is probably the biggest reason that projects fail to get off the ground. It is a difficult task to predict the savings of a data warehousing project ahead of time. Organizations sometimes rush to implement a system after discovering that a direct competitor has implemented a similar system. An organization must make sure that it has a real problem and that the solution is to develop a data warehousing model.

Data warehousing projects often fall short of expectations because organizations do not pursue a long-term support commitment from a vendor. The high costs associated with obtaining consulting services from a vendor should actually be looked upon as an investment. Using a vendor's services supports the evaluation of business needs and the modeling of a data warehouse architecture that delivers the best analytical information to the organization’s executives. This prevents companies from making drastic mistakes in the data modeling process. Vendors also provide customers with a help desk in case they run into costly uncertainties, and offer best-practice experience.

Data warehouses combine data stored in various forms within diverse information systems into a unified source for enterprise-wide use. Even a modest data warehousing project could be very complex in nature, demanding unique skills in combining data. The process can be time



consuming. Since data, and the data structures underneath them, continue to grow or change, the data warehouse would require corresponding adjustments. Combining data alone does not really do the job; the creativity lies in users being able to develop new insights using the data warehouse. Because this technology is new, the users need to be trained in its use; otherwise the fruits of hard work may never materialize. All of these risks collectively increase the probability of failure of data warehousing projects.

DQ 3-19. A major problem with data in most organizations is that they are scattered and unintegrated (Spotlight on page 120 discusses data issues in a typical company). Even when a business uses data bases to store data, several separate and independent data bases may exist, and the task of merging and slicing these data across data bases to create new views can be overwhelming. Reengineering of the legacy systems of a firm can be expected to result in an enterprise-wide sharing of data. A variety of new models may appear upon reengineering, such as a data warehouse, client–server computing systems, and ERP. All of these lead to a meaningful use of enterprise-wide data by users across the entire organization.

DQ 3-20.

1. Discuss the consulting engagement and confirm the top management’s commitment to the goal of becoming a world class organization.
2. Review with the management Infoage’s mission, goals and objectives, SWOT (strengths, weaknesses, opportunities, and threats), and strategic plan.
3. Identify, discuss with management, and obtain their approval of the process to be used, time line, management participation requirements, and estimated costs.
4. Understand products and services. Survey customers and/or conduct focus group meetings of customers.
5. Educate the management on the characteristics of world class organizations, and what it would take to get there.
6. Identify the extent to which technology would work as an enabler of change. Reengineer processes, where appropriate.
7. Begin the process. With participative style, assist the management in forming empowered teams. Train the teams. Train the supervisors.
8. Identify needed changes in the financial and non-financial reporting systems required to support the new structure.
9. Implement the new structure. Monitor initial results. Provide feedback to work teams, their supervisors, and managers. Make adjustments, where appropriate.

Steps 7 and 8 are to be completed concurrently. Considerable reorganization will be necessary at Infoage. Rightsizing of the structure may cause de-employment of some employees.

DQ 3-21. The empowered work teams at the two retail outlet stores would be responsible for deciding on the actions to be taken to improve results and would be accountable for their actions. These self-managed teams would develop multiple competencies and increase productivity. The work teams should get both financial and non-financial information in a timely manner (and often directly). Based on such information, teams would make decisions and implement them fairly quickly. Also, the financial information may need to be more detailed and without arbitrary allocations, at the operations level, so that it is useful in making decisions.



The firm’s managers and other workers would be affected by these empowered teams. The teams would regard managers as motivators, teachers, and coaches. Minimal supervision would be required. Financial and non-financial information would flow directly to the teams, bypassing the formal reporting systems.

DQ 3-22. In accessing sites on the Internet, there are two steps involved. First, you need access to the Internet, which is provided by ISPs (Internet Service Providers), such as America Online. Next, you need to use a “search engine” or what is often called a browser that would facilitate your navigation and search across the Web.

The Web sites mentioned in the question represent some of the most useful ones for students of Accounting Information Systems. Sites such as nytimes, inc, and computerworld offer a vast amount of news in the arena of information technology and its applications, including accounting applications. Forrester, arthurandersen, and gartner are sites offered by business consulting firms that heavily deal with technology in their research and consulting. Whatis is a place where you can search quickly for a word or term, and learn new words in information technology, while lptc (Law Practice Technology Center) is a forum for sharing information on legal implications of information technology. Productreview is a site much like Consumer Reports, where reviews from hundreds of sources are indexed and summarized. Worldbank shares information and research using its site, and the Securities and Exchange Commission informs its stakeholders of filing requirements and maintains an electronic filing site, called EDGAR (Electronic Data Gathering and Retrieval). EDGAR is available to interested individuals and organizations for use over the Internet. Finally, mercantec and lingo are each a site maintained by a business dealing with electronic commerce. Mercantec offers its software product, called Softcart, to facilitate Web based business extensions without massive overhaul of existing systems of the firm. Lingo does consulting in the development of Web-based businesses using highly skilled technology and business consultants.

This cross-section of Web sites permits accounting students to capture various content areas from different sources, ranging from understanding terms to comprehending how businesses apply technology, including the Internet. Many of these sites can also be considered rich sources of information for research on cutting-edge technology applications, including financial and managerial accounting applications.

DQ 3-23. Since the Internet provides a very rich infrastructure to move just about any kind of information (film, slides, forms, data, or text, for example) across organizations, it is an infrastructure that provides tremendous potential for consulting services in several areas. Generally, the CPA can offer services on how to do business using the Internet. For example, she can propose to design Web pages for her clients. These Web pages may include descriptions of the client’s products and services, prices/fees, and even an order form. Prospective customers may fill out the order form and, over the Internet, transmit the order to the client’s site.

Public accountants have begun to offer assurance services on Web sites, called the Web Trust. The certification of a Web site assures its users that the site is secure and that any data transmitted, including sensitive information such as credit card numbers, will be protected. In addition to assurance services, a popular consulting opportunity these days lies in benchmarking client Web sites, in terms of their effectiveness in achieving desired objectives.



If she acquires additional expertise regarding Internet and client/server computing, she can also offer to set up virtual connections across organizations. Such virtual networks will permit electronic data interchange among businesses that transact with the client. For example, John Deere, the tractor equipment and parts supplier, may be linked to Federal Express. If a Deere tractor repair firm in Rio de Janeiro needs a part, the order arrives over the Internet at a John Deere site, which releases the part for shipment and informs Federal Express over the Internet to carry the part to the purchaser overnight. Depending on the degree of expertise gained by the CPA, she may be able to offer services in the design and implementation of an Intranet, an organization-wide network that permits communication and information processing throughout the firm. For this, the Internet or some other infrastructure may be used.



PROBLEMS

3-1.
a. Both computers and humans
b. Primarily computers
c. Primarily computers
d. Primarily by humans
e. Both computers and humans
f. Primarily by humans
g. Primarily by computers
h. Primarily by humans
i. Both computers and humans
j. Primarily by computers
k. Primarily by humans
l. Primarily by humans

Note: Even in situations where human involvement is high, there are computer-aided programs available to ensure reliability, completeness, and accuracy of the output. For example, the logic involved in APB No. 15 (Requirement l) can be computerized into a spreadsheet to automate certain steps in the procedure.

3-2.
a. Microcomputers are quite diverse, and therefore create problems in compatibility (e.g., not being able to transfer an application from one computer to another without modification), and upgrade requirements. More vendors means more needs to be understood and implemented, and the timeline for product development of each vendor could be different. Moreover, the end-user support and training requirements would be significant. In addition, a cluster of independent computers does not provide the benefits that result from networking such computers. Improvements could result from standardization of equipment (e.g., no more than two vendors) and creation of a local area network.

b. The firm has a centralized configuration that incorporates primarily accounting information systems only. Improvements can result from expanding the system from AIS to MIS, developing a data-base orientation, and converting to a distributed systems environment.

c. The composition of the steering committee provides a very narrow perspective. Since the committee members are all from the information systems function, their perspectives and priorities will drive the information systems being developed. This may be a very different list of projects than what the users of the system need. This situation can be improved by redefining the steering committee composition, which should include adequate representation from end-user areas or functions, and top management.

d. The commitment not to use client–server architecture can be expected to be a major tactical error. The concerns expressed by the chief information officer are valid and are usually expected in the fast emerging areas of information technology. However, the benefits of a client–server-based system can far outweigh the difficulties produced by factors such as the lack of industry-wide standards. Some of the concerns, such as control and security of the system, can be addressed by additional measures, or compensating controls outside the client–server system.

e. The current practice is inefficient and perhaps ineffective as well. The phone call requires the availability of an appropriate staff member at the home office, takes time from the home office staff, and creates the possibility of errors by the home office staff verifying the stock figures. It is possible that the salesperson makes an error in listening or in writing down the information received over the phone. An improvement can be made by redesigning the information system so that the salespersons will have direct access to such information over a communications line.

f. More technologically advanced book publishers are likely to use electronic data interchange, linking the firm with major buyers of their books. In this manner, buyers can search the catalogue, check availability of the book to be ordered, place an order, and specify the place and mode of delivery, all over the EDI. Subsequently, even the payment can be made through electronic fund transfer, using the connectivity of both firms with the banking network. The tremendous ease-of-use of the system combined with the reduction in cycle time (reduction in non-value added time) creates a strategic advantage for the publisher and its customers. In order to survive and compete, the book publisher will have to seriously consider adopting such options soon.

g. Product design and development is an iterative process among many people, both within and outside the firm. Traditional and drawing methods do not permit quick corrections or modifications, or interactive development of the design over a computer network. At a minimum, the firm should consider adopting a computer-aided design (CAD) software that is acceptable to all parties involved in the process. This move can result in less waiting time, quicker resolution of questions and concerns, better evaluation of the product, and possibly a much better product design.

h. The bankruptcy could have been avoided by the management if they were able to identify the potential customers. It seems that they knew what information was needed, but they could not obtain such information. Such lists can be obtained from firms, such as American Business Information, which maintain relevant data bases and produce customized lists. The use of such data in a timely manner requires the firm to have an adequate computer-based system. For example, the list on a CD-ROM needs to be accessed to produce letters to potential customers. Then, a follow up of all responses to the letter would be necessary. The firm should track all such activity using a computer-based data base and applications.

i. A computer-based inventory management system can solve this problem. Each inventory item record should include a location code so that the item can be found quickly. Also, the quantity on hand should be updated immediately upon receipt or issue so that accurate information is available. Perhaps the system can be further enhanced by including a location map so that access to the item is easy and quick. The system can also be linked through a client–server network so that documentation of overnight delivery is electronically transmitted to the selected carrier, such as Federal Express, and the tracking of the item sent can be feasible from the firm’s computer.

j. In the cycle-time literature, there is what is called a three percent rule, which says that 97 percent of the time involved in a typical cycle can be avoided because it is mostly waiting time. In this case, if the blueprint were transmitted electronically, the cycle would be reduced considerably. This should be followed by a teleconference between the firm, its designer, and the customer so that any questions or concerns can be addressed immediately.

k. Sheer diversity of the word processing software packages causes problems in compatibility across the software used. Documents created using one package may be difficult and time consuming to convert to another software package. Packages may have different architectures, functions, and protocols. Their new versions or upgrades may be released at different points in time. End-user training also is spread over the whole range of software. All this results in inefficiency and waste of time and resources. Standardization would help a great deal; if the firm cannot afford to select only one package, it would be acceptable to limit the widely used software to no more than two or three packages.

3-3.
a. Airline Company



E-Commerce:
• Airline ticket purchases over the Internet.
• Utilize EDI (Electronic Data Interchange) system with vendors to locate, order, and track shipments of aircraft spare parts.

Intranets and Extranets:
• Will allow information sharing with airplane parts suppliers and will decrease the transaction costs by conducting business electronically
• Users can use these technologies to exchange ideas and to discuss topics relating to new processes and procedures
• Deliver mission critical applications
• Current employees will be able to job search on the Intranet. This will allow the retention of good employees even if they decide to change their jobs.
• The Extranet can be used to answer frequently asked questions to significant customers

Data marts and data warehouses:
• Consolidate and integrate information from past years regarding customer/flight information and arrange the information into a meaningful format
• Provide detailed information to relevant departments to analyze how to keep the seats filled

Client/Server Architecture:
• Low-cost computers can act as servers
• As a distributed processing system, all information inputs to the server will update company information in a quick fashion compared to batch processing
• Migrating to client/server will provide the benefit of being able to make business process changes more rapidly in order to gain competitive advantages
• The client/server environment will prove to be an effective way to handle, update, and store information.

Internet and World Wide Web:
• Create a Web Site to offer information regarding the company, flight availability, arrival and departure times, and how to book a ticket over the Internet
• Email should be used as a communication medium
• Provide a medium for user groups to discuss information relating to the business

Enterprise-wide accounting, human resource, and manufacturing software applications:
• Enable the company to coordinate logistics by acquiring raw materials from airplane parts suppliers
• Ability to track resource availability and allocation
• Provide faster daily, weekly, and monthly procedures and processes through the coordination of all systems from the various departments



b. International Insurance Company

E-Commerce:
• Providing policy offerings along with necessary forms to fill out over the Internet.
• Allowing customers to prepare and execute queries over the Internet to answer frequently asked questions

Intranets and Extranets:
• Will allow information sharing with significant clients providing insurance through their jobs
• Users can use these technologies to exchange ideas and to discuss topics relating to new processes and procedures
• Deliver mission critical applications
• Current employees will be able to job search on the Intranet. This will allow the retention of good employees even if they decide to change their jobs.
• The Extranet can be used to answer frequently asked questions to significant customers

Data marts and data warehouses:
• Consolidate and integrate information from past years regarding client, insurance plans, marketing, etc. information and arrange the information into a meaningful format
• Provide detailed information to relevant departments to analyze how to maintain existing customers while attracting new ones
• Provide analysis on forecasting of customers who will likely buy various insurance plans and why
• Agents can quickly access policy, pricing, customer, and other pertinent information

Client/Server Architecture:
• Low-cost computers can act as servers
• As a distributed processing system, all information inputs to the server will update company information in a quick fashion compared to batch processing
• Migrating to client/server will provide the benefit of being able to make business process changes more rapidly in order to gain competitive advantages
• The client/server environment will prove to be an effective way to handle, update, and store information.

Internet and World Wide Web:
• Create a Web Site to offer information regarding the company, types of insurance plans available, information regarding agents in that area, brochures available about individual plans
• Email should be used as a communication medium
• Provide a medium for user groups to discuss information relating to the business

Enterprise-wide accounting, human resource, and manufacturing software applications:
• Ability to track resource availability and allocation
• Provide faster daily, weekly, and monthly procedures and processes through the coordination of all systems from the various departments



c. Regional Bank

E-commerce:
• Utilize Electronic Bill Presentment and Payment (EBPP) which involves delivery of bills directly into consumers' e-mail boxes.
• Online banking is used to allow customers to complete their banking chores on the Internet.

Intranets and Extranets:
• Will allow information sharing with significant clients doing business with the bank
• Users can use these technologies to exchange ideas and to discuss topics relating to new processes and procedures
• Deliver mission critical applications
• Current employees will be able to job search on the Intranet. This will allow the retention of good employees even if they decide to change their jobs.
• The Extranet can be used to answer frequently asked questions to significant customers

Data marts and data warehouses:
• Consolidate and integrate information from past years regarding significant customers and their accounts to make better decisions regarding future promotional campaigns
• Provide detailed information to relevant departments to analyze how to maintain existing customers while attracting new ones
• Store data regarding transactions

Client/Server Architecture:
• Low-cost computers can act as servers
• As a distributed processing system, all information inputs to the server will update company information in a quick fashion compared to batch processing
• Migrating to client/server will provide the benefit of being able to make business process changes more rapidly in order to gain competitive advantages
• The client/server environment will prove to be an effective way to handle, update, and store information.

Internet and World Wide Web:
• Create a Web site to offer information regarding the company, types of bank accounts available, information regarding services such as online banking, brochures available about various accounts, and information regarding nearest branch offices
• Email should be used as a communication medium
• Provide a medium for user groups to discuss information relating to the business

Enterprise-wide accounting, human resource, and manufacturing software applications:
• Ability to track resource availability and allocation
• Provide faster daily, weekly, and monthly procedures and processes through the coordination of all systems from the various departments



d. Hospital

E-commerce:
• Allow customers to schedule an appointment with the appropriate doctor over the Internet
• Allow customers to fill out patient information over the Internet
• Provide information related to the hospital, doctors, staff, and other relevant information

Intranets and Extranets:
• Will allow information sharing with medication suppliers and other affiliated medical centers
• Users can use these technologies to exchange ideas and to discuss topics relating to new processes and procedures related to better handling the business and patients
• Current employees will be able to job search on the Intranet. This will allow the retention of good employees even if they decide to change their jobs.

Data marts and data warehouses:
• Consolidate and integrate information from past patients, their conditions, treatments, and effectiveness to make better decisions regarding future patients with similar conditions

Client/Server Architecture:
• Low-cost computers can act as servers
• As a distributed processing system, all information inputs to the server will update company information in a quick fashion compared to batch processing
• Migrating to client/server will provide the benefit of being able to make business process changes more rapidly in order to gain competitive advantages
• The client/server environment will prove to be an effective way to handle, update, and store information.

Internet and World Wide Web:
• Create a Web site to offer information regarding the hospital, types of procedures available, accreditation, and a listing of the doctors, brochures on various surgical procedures, and information regarding how to make an appointment
• Email should be used as a communication medium
• Provide a medium for user groups to discuss information relating to the business

Enterprise-wide accounting, human resource, and manufacturing software applications:
• Enable the company to coordinate logistics by acquiring medical supplies from vendors in a quicker manner
• Ability to track resource availability and allocation
• Provide faster daily, weekly, and monthly procedures and processes through the coordination of all systems from the various departments

e. Local Retail Company

E-commerce:
• List a survey on the Web site to discover information pertaining to buying preferences by offering incentives (Examples include: coupons, gift certificates, weekly drawings, etc.)
• Offer merchandise to customers over the Internet
• Utilize EDI with suppliers

Intranets and Extranets:



• Will allow information sharing with suppliers and will decrease the transaction costs by conducting business electronically
• Users can use these technologies to exchange ideas and to discuss topics relating to new processes and procedures
• Deliver mission critical applications
• Current employees will be able to job search on the Intranet. This will allow the retention of good employees even if they decide to change their jobs.
• The Extranet can be used to answer frequently asked questions to significant customers

Data marts and data warehouses:
• Consolidate and integrate information from past sales and arrange the information into a meaningful format to have greater sales in the future
• Provide detailed information to relevant departments to analyze how to maintain existing customers while attracting new ones
• Provide analysis on forecasting of customers who will likely buy various products

Client/Server Architecture:
• Low-cost computers can act as servers
• As a distributed processing system, all information inputs to the server will update company information in a quick fashion compared to batch processing
• Migrating to client/server will provide the benefit of being able to make business process changes more rapidly in order to gain competitive advantages
• The client/server environment will prove to be an effective way to handle, update, and store information.

Internet and World Wide Web:
• Create a Web site to offer information regarding the company, types of products available, store locations, and how to order from the Internet
• Email should be used as a communication medium
• Provide a medium for user groups to discuss information relating to the business

Enterprise-wide accounting, human resource, and manufacturing software applications:
• Enable the company to coordinate logistics by acquiring products from vendors
• Enable the company to coordinate distribution process to ship products to customers on time
• Ability to track resource availability and allocation
• Provide faster daily, weekly, and monthly procedures and processes through the coordination of all systems from the various departments

f. Natural Gas Utility

E-commerce:
• Utilize Electronic Bill Presentment and Payment (EBPP) which involves delivery of bills directly into consumers' e-mail boxes.

Intranets and Extranets:
• Users can use these technologies to exchange ideas and to discuss topics relating to new processes and procedures
• Deliver mission critical applications
• Current employees will be able to job search on the Intranet. This will allow the retention of good employees even if they decide to change their jobs.



• The Extranet can be used to answer frequently asked questions to significant customers
• changes more rapidly in order to gain competitive advantages
• The client/server environment will prove to be an effective way to handle, update, and store information.

Internet and World Wide Web:
• Create a Web site to offer information regarding the company and its services
• Email should be used as a communication medium by the employees
• Provide a medium for user groups to discuss information relating to the business

Enterprise-wide accounting, human resource, and manufacturing software applications:
• Ability to track resource availability and allocation
• Provide faster daily, weekly, and monthly procedures and processes through the coordination of all systems from the various departments

g. Local Manufacturing

E-commerce:
• Implement EDI system with distributors
• Sell on line to end customers, rather than to distributors

Intranets and Extranets:
• Will allow information sharing with retailers and will decrease the transaction costs by conducting business electronically
• Users can use these technologies to exchange ideas and to discuss topics relating to new processes and procedures
• Deliver mission critical applications
• Current employees will be able to job search on the Intranet. This will allow the retention of good employees even if they decide to change their jobs.

Data marts and data warehouses:
• Consolidate and integrate information from past years regarding significant customers and their accounts to make better business decisions
• Provide detailed information to relevant departments to analyze how to maintain existing customers while attracting new ones
• Store data regarding business transactions

Client/Server Architecture:
• Low-cost computers can act as servers
• As a distributed processing system, all information inputs to the server will update company information in a quick fashion compared to batch processing
• Migrating to client/server will provide the benefit of being able to make business process changes more rapidly in order to gain competitive advantages
• The client/server environment will prove to be an effective way to handle, update, and store information.

Internet and World Wide Web:



• Create a Web site to offer information regarding the company, types of products available, store locations, and how to order from the Internet
• Email should be used as a communication medium
• Provide a medium for user groups to discuss information relating to the business

Enterprise-wide accounting, human resource, and manufacturing software applications:
• Enable the company to coordinate logistics by acquiring raw materials in a more efficient manner
• Enable the company to coordinate distribution process to ship products to retailers on time
• Ability to track resource availability and allocation
• Provide faster daily, weekly, and monthly procedures and processes through the coordination of all systems from the various departments

h. Catalog Retailer

E-commerce:
• Offer merchandise to sell to customers over the Internet
• Offer other items related to a customer’s purchase over the Internet to create higher sales
• Utilize EDI with suppliers

Intranets and Extranets:
• Will allow information sharing with suppliers and will decrease the transaction costs by conducting business electronically
• Users can use these technologies to exchange ideas and to discuss topics relating to new processes and procedures
• Deliver mission critical applications
• Current employees will be able to job search on the Intranet. This will allow the retention of good employees even if they decide to change their jobs.
• The Extranet can be used to answer frequently asked questions to significant customers

Data marts and data warehouses:
• Consolidate and integrate information from past sales and arrange the information into a meaningful format to have greater sales in the future
• Provide detailed information to relevant departments to analyze how to maintain existing customers while attracting new ones
• Provide analysis on forecasting of customers who will likely buy various products

Client/Server Architecture:
• Low-cost computers can act as servers
• As a distributed processing system, all information inputs to the server will update company information in a quick fashion compared to batch processing
• Migrating to client/server will provide the benefit of being able to make business process changes more rapidly in order to gain competitive advantages
• The client/server environment will prove to be an effective way to handle, update, and store information.

Internet and World Wide Web:
• Create a Web site to offer information regarding the company, types of products available, store locations, and how to order from the Internet
• Email should be used as a communication medium



• Provide a medium for user groups to discuss information relating to the business

Enterprise-wide accounting, human resource, and manufacturing software applications:
• Enable the company to coordinate distribution process to ship products to customers on time
• Ability to track resource availability and allocation
• Provide faster daily, weekly, and monthly procedures and processes through the coordination of all systems from the various departments

3-4.
a. 1. The advantages of changing to the new platform include cost savings due to efficiency gains and increased value due to improved decision-making. New platforms provide considerable enhancements over the traditional platforms in terms of sharing information, empowering employees, and providing real-time information for decision making. Distributed systems also produce division of work so that users can perform the tasks that are appropriate for them to complete. The disadvantages of changing to the new platform are the costs of technology, system development (modification and implementation), and training of technology and end-user employees. Security and control risks are also greater in the new platforms. An additional disadvantage arises from the fact that technology continues to change at a rapid pace; consequently, additional investment in improvements becomes a major factor.

2. By not changing the IS platform, the firm can save in the cost of transition. This would include the cost of new hardware, software, systems development (modification and implementation), recruitment of new IT skills, and training of technical and end-user staff. Perhaps the firm can avoid some degree of uncertainty arising from the constantly changing information technology. Although these benefits might be real, not moving to a new platform might ultimately prove to be a costly strategic error. This is because the new technology would help create and share new knowledge with employees and other stakeholders, thus improving the effectiveness and efficiency of the firm, and place the firm in a sound competitive posture.

b. 1. LAN: A local-area network (LAN) is a type of distributed network created when two or more linked computers are grouped within a limited geographic area. A LAN consists of workstations, servers, network controllers, and communication links. A network operating software, communication software, and other utility or systems software are also required. LANs enable users to share a variety of common resources, such as printers, files, accounting software packages, and spreadsheets.

WAN: A wide-area network (WAN) is a network formed among computers and interconnected devices that are geographically distant from one another. Two wide-area network architectures are centralized networks and distributed networks. WANs comprise computers, (remote) terminals, and the necessary communication devices and channels. A network operating software, communication software, and other utility and system software are also required.

2. Client–server computing is a logical model of computing that processes applications within a physical local-area network or wide-area network or both. The processing is split between a user workstation (called a client) and one or more computers (called servers). A data base server linked to the system shares and maintains data for the client–server applications. At Federal Express or United Parcel Service, a package tracking system would typically be based on a client–server computing model. The users would locally access the system either for a query or for entering transactions. These days, the system can also be put on the Web for the customers to access and query to check where their package is.



3. Attributes that are likely to make an application a good candidate for client/server computing include:
• Need for data sharing across the organization
• Ability to enter transactions from any place throughout the organization
• Need for real time data maintenance
• Empowering the employee any place, any time
• Decentralized mode of operation

c. Increasingly, accounting information systems are being integrated with other transaction processing systems, making the interfaces seamless across different applications. AISs accept inputs from other systems and in turn, provide outputs for further processing to other applications. Moreover, as AISs move to newer platforms, such as client–server computing, the systems will become more open to additional risks and exposures. Audit trails would most likely become even more fragmented as the systems become more paperless. Intra- and interorganizational communications between systems will become even more prevalent, causing concerns about additional risks and exposures from such communication systems. Reliability of processes and systems would become critical to produce reliable accounting information. Financial and accounting managers will need to understand information technology and systems to a much greater degree.

3-5.

a.



[Figure: A ring LAN for purchasing and receiving. Labels: Purchasing, Warehouse, Accounts payable, Cash disbursements, Receive goods, Supplier invoice, Payment authorization, Check with voucher, Purchase orders, Purchase requisition, Notice of shipment.]

b. Upon receiving a purchase order, the purchasing department issues a purchase order to a supplier. A detailed record of the purchase order is maintained on the LAN; all authorized users (e.g., warehouse) will have access to the record. The warehouse enters data regarding receipt of a shipment from a supplier. Accounts payable receives an invoice from a supplier, verifies related information on the LAN, and authorizes payment. The cash disbursement function issues checks along with payment vouchers to suppliers as and when such payments become due.

c. An inoperable workstation in a ring configuration causes the entire LAN to be inoperable. Such downtime could affect the efficiency of the purchasing and receiving functions. Moreover, each workstation in a ring configuration can directly communicate with its neighbors; however, it cannot easily communicate with the other workstations in the network. This could result in a loss of efficient communication with related functions, for example, communication between purchasing and billing.

d.



[Figure: A bus LAN for billing and sales. Labels: Sales order station (four), Billing, Shipping, Credit and collection, Accounts receivable, Cash receipts, File server, Print server, Laser printer, Customer orders, Invoices and bills, Payments from customers.]

e. All applications and data available on the bus (common cable) are accessible by authorized system users. Each function manages its information system requirements. For example, upon receiving an order from a customer, the sales order station enters sales data, which are then accessed and reviewed by the credit and collection function in order to approve credit, where necessary. The warehouse ships orders for which customer credit has been approved. The billing department reviews customer orders and shipping data, and prepares and sends invoices to customers. The cash receipts function receives payments from customers and maintains records of such receipts. Based on invoices sent to, and cash received from customers, the accounts receivable function maintains accounts receivable records.

f. The disadvantages of using a bus LAN to process billing and sales applications include the following: Since the entire LAN depends on the bus (common communication link) for all its communication needs, any failure in the bus could cause disruption in the billing and sales operations and accounting. Moreover, a common communication cable reaching out to every node may affect the security of all workstations linked to the bus. For example, a virus on the bus could easily spread to all workstations on the bus.

3-6. a. The client–server architecture has several features. It results in the transfer of computing from mainframes to microcomputers. In turn, this creates a decentralized system. Since the clients are active decision makers, information processors and providers of inputs, this architecture truly empowers the employees. The operations are invariably integrated with transactions processing (data capture, data processing, queries or outputs, and decision making).

b.
1. Immediate updating of accounting files as transactions are entered.
2. Reduced time to generate and distribute financial reports and analyses.
3. Simplified accounting cycle, resulting in faster end-of-period closings.
4. Simplified data entry process.
5. Improved customer service. For example, the publishing firm can provide on-the-spot, up-to-date information on book prices, availability, and scheduled delivery times. The shipping activity, once the order is entered, can also be monitored. The same system would generate billing, where prepayment is not received.

c.
1. The system requires significant investments and may not be cost-effective, especially for small firms.
2. The client–server system can be less reliable than mainframe hardware and software, although improvements in client–server systems may be forthcoming soon.
3. Even if information is allowed to flow freely, employees may not understand how to employ it or share it on a peer-to-peer basis to aid in making decisions related to their job functions. A significant amount of training may be required to generate payoffs from a client–server system.

3-7. A. 1. At least three advantages of mainframe computer systems include
• the available speed, power, and memory which are needed to process the largest, most complex tasks without the complexity and concerns of networks.
• the mainframe programs, partially because they have existed for a long time, are debugged, and, therefore, are more reliable than microcomputers.
• a more centralized computing environment which leads to better control of applications, program development, data files, computer operations, and quality standards with greater uniformity.
2. At least two disadvantages of mainframe computer systems include
• not being user friendly and requiring a high level of expertise to operate while using highly trained expensive information systems staff.
• time delay in developing and implementing new systems, as the programs are complex.

B. 1. At least three advantages of microcomputer/client–server systems include
• being more user-friendly, thus making available more data processing power to users.
• easily meeting rapidly changing business needs with new systems applications.
• many generic software applications available in the marketplace.
2. Two disadvantages that have been encountered with microcomputer/client–server systems include
• the loss of central control. Security is more difficult, relative to remote stations, the server, and data files.
• personnel being tempted to use the microcomputer for personal purposes.

C. At least two factors and/or actions that have been taken to prolong the lives of mainframe computer systems include
• systems that were originally developed in-house work well, so that it is not cost-beneficial to transfer or rewrite the programs.
• the availability of parallel processing and emerging software capabilities.

D. At least two reasons why companies may not want to retire their mainframe computer systems include the following.
• Large companies have made enormous investments in mainframe platforms that would have to be written off on the financial statements.
• Many users rely on mainframes to perform their most vital computing functions which may require more memory, processing power, and data files than those available on microcomputers.

3-8.

a. A nationwide brokerage firm is well served by a hybrid network that links all its offices to a mainframe computer in its headquarters in New York via a star configuration. It maintains microcomputers in each office which process transactions locally; however, the microcomputers serve as terminal emulators to receive stock market information and to accept summary data. The data base is centralized; it serves as a data bank when providing securities data to clients.

b. If each store essentially communicates only with the warehouse in managing inventory levels, a star configuration with a centralized data base would serve the needs. Each store can receive information about inventory at the warehouse and can request replenishments over the network. If communication across stores is also desired, a ring configuration with distributed data bases could prove more useful.

c. An integrated steel manufacturer is best served by a wide area distributed network that links all of its mills and sales and service centers with its headquarters. The network should employ a hierarchical configuration, with the mainframe computer at the headquarters site. In addition, it should maintain direct communications links with its key suppliers and major customers through an electronic data interchange system.

d. A large grocery chain is best served by a centralized point-of-sale network with a centralized data base. Each check-out stand has a point-of-sale terminal that is linked through store controllers and other data communications devices to the mainframe computer. The credit checks are performed by electronic data interchange links to credit services such as Visa and MasterCard.

e. A nationwide electronics products firm is best served by an extensive wide-area distributed network that links together the various plants and office complexes by a ring configuration. Each office complex is served by a local area network (LAN) that facilitates efficiency in office operations. Each plant is equipped with a computer-integrated-manufacturing (CIM) system that aids production control. Each LAN and CIM system represents, in effect, one node in the nationwide distributed network, and each contains its separate data base. Thus, the firm’s overall data base can be viewed as being partitioned.

3-9.

a. Although payroll has most attributes of a batch processing system, some aspects of the application can be more efficiently managed in a client–server environment. The firm is very large (37,500 employees). There may be several locations involved and in each case, many changes in employee records can occur. Whereas some aspects, such as payroll processing, may still be left as a centralized operation, others (such as recruitment, employee development, and employee benefits) can be placed within a client–server environment.

b. The firm’s two retail outlets are involved primarily in sales. They need to know what items are in stock, which ones are on order, and what the expected delivery dates are for on-order items. If the warehouse were to be linked to the two retail outlets, it would be appropriate to consider having the inventory management function on the C–S network. Applications such as accounts payable are not of much use to the outlets.

c. The Port’s operations are complex; many diverse functions are involved. The information needs should be met in a timely manner, from different locations and all the time every day, so that the port operations are run efficiently and effectively. Therefore, a C–S environment is a logical choice.

d. This is a situation similar to requirement (a) above. Fixed asset accounting is a system where changes in records are minimal. Adjusting entries, such as period-end depreciation, can be managed centrally. Whereas it makes sense to centralize the fixed asset accounting system, perhaps the changes in fixed assets can be reported in a timely manner if that aspect of the system was placed on a C–S environment.

e. Quick access warrants availability of data to the end users almost all the time. Ease of access requires that the system is not unduly complicated to hinder or discourage the system’s use by the managers. A large mainframe-based system, even if it is involved, should only be the back-end of such a system. It would be ideal to have the system in a client–server configuration. This, however, may not obviate the need for programmers and analysts to program certain anticipated queries and reports.

3-10. a. The savings in cost ($30 million) and cycle time (3 days) are attractive. The feasibility of a C–S system as an alternative has been established. The only downside is that zero downtime and security objectives may not be met by a C–S system. However, further analysis should be conducted to determine if these objectives could either be modified or met with additional resource commitment. If a reasonable solution can be found to these concerns, a C–S system should be implemented. If these constraints are firm, it is likely that a C–S system cannot be a viable alternative due to additional risk exposures presented by this environment.

b. The firm is large and physically distributed (226 outlets). The management seems to be sophisticated (30 management accountants). The firm’s experience with a LAN environment is significant. A C–S system offers an ideal option for improvement at this time.

c. Yes, the firm would benefit by installing a C–S system. Inventory management, order entry, monitoring stockouts, timely delivery of goods to the stores, and cash forecasting are among the many aspects that would benefit considerably, if operated in a client–server environment.

d. End users within this firm are decentralized geographically and would need decision support through easy-to-access, relevant information. Whereas the mainframe may still be required as a back-end processor, the firm most likely will benefit by installing a C–S system.

e. The time to process is beyond management’s expectation. This time can be cut down if individual outlets are empowered to process their own transactions, using centralized data and rules to process local transactions. This is feasible to do by installing a C–S system.

3-11. a. Airline company:
Airline ticket purchases over the Internet.
• Ability to see information relating to costs, flight arrivals, flight departures, and availability of flights at the click of a button.
• Allows more people to view information in front of their computers compared to calling airline representatives.
Utilize a Web-based or an EDI (Electronic Data Interchange) system with vendors to locate, order, and track shipments of aircraft spare parts.
• Save costs related to airplanes that cannot fly due to various circumstances.
• Allows up-to-the-second status on spare parts ordered.

b. Insurance company:
Providing policy offerings along with necessary forms to fill out over the Internet. This allows up-to-date insurance plans and services offered to customers.
• Provides quick internal access to customer service-related information
• Forward-thinking providers are better at understanding and anticipating their customers' needs. This allows more reliable forecasting for future periods.
• Allows better management of a customer’s life cycle.
• Create customer loyalty
• Able to attract new customers.
Allowing customers to prepare and execute queries
• Provides information-based queries such as a claim status
• Gives explanations of the particular benefits associated with the appropriate health plans

c. Bank:
Utilize Electronic Bill Presentment and Payment (EBPP), which involves delivery of bills directly into consumers' e-mail boxes. This is not to be confused with e-mail notification of bill delivery, in which consumers receive an e-mail message alerting them that an e-bill is waiting for them at a Web site.
• Use this to grow customer loyalty
• Provides quicker delivery of bills compared to mailing through the mail
• Creates big cost savings as compared to sending out bills through the post office
• Provides a marketing mechanism to “collect the money and sell.” Companies address their customers, or sell space to third parties for this purpose, much more efficiently electronically than on paper
• Gives customers more payment options
Online banking is used to allow customers to complete their banking chores on the Internet.
• Allows customers to view up-to-the-minute information on account balances
• View deposit and withdrawal information.
• View information related to clearance on checks
• Wire transfer funds
• Integrate account activity with personal financial management software
• Allows customers to order checks

d. Hospital:
Allow customers to schedule an appointment with the appropriate physician over the Internet
• Save costs related to administration expenses
• Patients can view all available times to pick the best time
Allow customers to fill out patient information over the Internet
• Patients save time because they do not have to fill out forms at the actual time of the appointment
• Allows faster processing of patient information
• Reduces time related to administrative employees keying the information into the system
Provide information related to the hospital, doctors, staff, programs and events, etc.
• Patients can view the accreditation of the hospital
• Patients can read about various surgeries, complications, symptoms, recovery time, and other relevant information
• Patients can request brochures
• Patients can send email regarding questions

e. Retailing Company:
List a survey on the Web site to discover information pertaining to buying preferences by offering incentives (examples include coupons, gift certificates, weekly drawings, etc.)
• Allows the discovery of buying patterns
• Create customer loyalty
• Attract new customers
Offer merchandise to customers over the Internet
• Saves costs in comparison to hiring sales associates
• Will provide accurate and detailed descriptions of items
• Allows the maintenance of a “Virtual Company”
Utilize a Web-based or an EDI system with suppliers
• Allows “Just-In-Time” process to save costs related to inventory
• System will automatically detect when to order more products
• Inventory counts will be more accurate

f. Electric Utility:
Utilize Electronic Bill Presentment and Payment (EBPP), which involves delivery of bills directly into consumers' e-mail boxes. This is not to be confused with e-mail notification of bill delivery, in which consumers receive an e-mail message alerting them that an e-bill is waiting for them at a Web site.
• Use this to grow customer loyalty
• Provides quicker delivery of bills compared to mailing through the mail
• Creates big cost savings as compared to sending out bills through the post office
• Provides a marketing mechanism to “collect the money and sell.” Companies address their customers, or sell space to third parties for this purpose, much more efficiently electronically than on paper
• Gives customers more payment options
• Provide help desk right over the Internet

g. Publishing/Television Company:
Shopping Network Channels can also sell products over the Internet
• Customers will have access to all types of products sold by the network as compared to the “item currently being displayed on the television set.”
• Customers can order without the assistance of telephone personnel.
The various networks can have a listing of all of the shows that will be broadcast for the current and following week. In addition, a survey could be posted on the Web site to ask viewers for their input regarding show preferences.
• Create viewer loyalty
• Discover more information on target markets
• Provides affinity analysis regarding the types of shows that should be shown back-to-back
• Provides information on what types of advertisement campaigns viewers prefer to see during various shows
Publishing companies can post information related to past, current and in-process publications over the Internet
• Writers can view what is happening in the marketplace
• Readers can order books on-line
• Provide an efficient method to “up-sell” by listing related books of interest.

h. Manufacturing:
Implement a Web-based or an EDI system with distributors
• Allows an on-line system for ordering parts, checking inventory, and reviewing order status
• Distributors are able to place orders, see the inventory availability, check the status of orders, and get [price] quotations
• Replaces an older dial-up application utilized by distributors that is costly and difficult to use
• All connect charges are fixed so that distributors/owners can send transmissions whenever they want at no premium, thus enabling near real-time commerce
Sell on line to end customers, rather than to distributors
• Eliminates middlemen
• Reduces costs for both manufacturing companies as well as for the end customers



i. Service Company:
Provide Web-based CRM (Customer Relationship Management) systems
• Allows employees to retrieve information in a quick manner
• Allows users to directly access queries relating to sales revenues, what services individual clients buy, etc.
• Less need for IT support
• Provide help desk right over the Internet

3-12.
1. D 2. H, I 3. B, E 4. F, G 5. A
6. C, G 7. H, G 8. C 9. J 10. H

3-13. a. Curly Super Fries Company can utilize the Internet to gain competitive advantages. The company can create a Web page where it can gain access to customer information regarding their business. The computers at various sites could replicate all information related to the business to a central server via a remote login. This will allow all restaurant locations to have up-to-the-minute results of sales and other pertinent information. Email is a very popular way to communicate and should be utilized heavily. Surveys could be posted to the Web site asking viewer preferences regarding favorite food products, advertisements, and personal data to gain useful information. This will allow the company to complete an affinity analysis.

b. Curly Super Fries Company could benefit by using both an Intranet and Extranet.

Intranet Uses:
• The managers at the various locations could use the Intranet to exchange ideas and to discuss topics relating to new processes and procedures
• Intranets can be utilized to share files relating to each location, conduct management meetings, track the sales of each restaurant location, and to deliver mission critical applications
• The company will be able to save costs related to travel and faster implementation of projects
• Current employees will be able to job search on the Intranet. This will allow the retention of good employees even if they decide to change their jobs.
• The Intranet can be used to answer frequently asked questions

Limitations:
• The implementation of Intranets is expensive. Curly Super Fries Company should do a cost/benefit analysis to determine if the implementation will provide continued benefits to the company
• Maintaining the Intranet implementation will often solely fall on the IT department but can fall on the user departments themselves
• Intranets are generally unstructured and can cause Curly Super Fries Company "a headache" if the existing IT department is big and structured
• Intranets are usually driven by the users; if the managers at the various locations do not believe that the Intranet is needed, implementation will probably not take place

Extranet Uses:
• Will allow information sharing with suppliers and will decrease the transaction costs by conducting business electronically
• The managers at the various locations could use the Extranet to exchange ideas and to discuss topics relating to new processes and procedures
• Extranets can be utilized to share files relating to each location, conduct management meetings, track the sales of each restaurant location, and to deliver mission critical applications
• The company will be able to save costs related to travel and faster implementation of projects
• Current employees will be able to job search on the Extranet. This will allow the retention of good employees even if they decide to change their jobs.
• The Extranet can be used to answer frequently asked questions

Limitations:
• Companies that utilize Extranets usually allow significant customers to have access to company information. In the case of Curly Super Fries Company, the customers are individual people compared to big manufacturing and dealer companies. This might not be cost effective due to this reason.
• The implementation of Extranets is expensive. Curly Super Fries Company should do a cost/benefit analysis to determine if the implementation will provide continued benefits to the company
• Maintaining the Extranet implementation will often solely fall on the IT department but can fall on the user departments themselves
• Extranets are generally unstructured and can cause Curly Super Fries Company "a headache" if the existing IT department is big and structured
• Extranets are usually driven by the users; if the suppliers and restaurant managers do not believe the Extranet is needed, implementation will probably not take place

b. A data warehouse is typically a subject database that allows users to tap into a company's vast store of operational data to track and respond to business trends and facilitate forecasting and planning efforts. Data warehouses contain integrated, historical data that is common to the entire corporation. Curly Super Fries Company can use this technology to consolidate and integrate information from many different sources such as the various restaurant locations and external sources and arrange the information into a meaningful format. This will support executives and the managers to make complex business decisions by analyzing trends, target marketing, etc. The data warehousing technology can also be used to analyze the competition to sustain a competitive advantage.

3-14. (Adapted from the Certificate in Management Accounting Examination, June 1983, Part V, Question No. 3.)

MEMORANDUM
To: Mr. Charles Breski, President, Pinta Company
From: Myself
Subject: Point-of-Sales System

a. A point-of-sale (POS) system is an online processing system that employs terminals as electronic cash registers; these terminals capture relevant data at the point of each store sale, either (1) through keying operations or (2) by means of optical scanners that read the product code. In most POS systems the captured data are immediately transmitted via a network to a central computer, where certain checking and processing functions are performed interactively. Among the functions that can be performed are the following:

(1) Checking the credit of a customer. Upon receiving the customer’s credit card, the checkout clerk would insert it into a reader device attached to the terminal. The number of the credit card is then transmitted to the credit center maintained by a large bank. There the number is checked against the customer’s credit record maintained on centralized on-line files. If the check does not reveal a credit problem, the system would accept the sales data and signal the clerk in some manner (e.g., by a flashing green light at the terminal). If a credit problem exists, the data would be rejected and the clerk notified (e.g., by a flashing red light).

(2) Updating the relevant files and completing the sale. Upon capturing the sales data, the POS system will match the product number against the proper product record stored in the product file. It then (1) retrieves the price from the record and returns the price and description to the terminal, where they are listed on the sales receipt slip, (2) updates the product file to reflect the reduction in store inventory due to the sale, (3) updates the sales summary file to reflect the sales amount, and, in the case of a credit sale, (4) updates the customer’s accounts receivable record for the amount of the sale.

(3) Automatically reordering needed merchandise. When the on-hand quantity of the product falls to the predetermined reorder point for a particular store, the POS system automatically places a reorder for the store. This reorder may take the form of a hard copy report or a transmitted message sent to the firm’s distribution warehouse.

(4) Preparing managerial reports. Based on accumulated sales data, the system will periodically prepare reports, analyses, and statistics for managerial planning and control.

(5) Electronically transferring funds. When the sales data are captured, they can also be transferred to the computer network of the customer’s bank if the electronic funds transfer feature is incorporated. The amount of the sale is then posted to the customer’s bank account as a debit, and to the store’s bank account as a credit.

b. Advantages of a POS system include the following:
(1) Customers are checked out faster because prices are not entered by hand.
(2) Electronic processing provides a more accurate determination of customer bills.
(3) Recordkeeping is simplified by the “one read” data entry approach.
(4) Inventory control is improved, especially if inventory data is posted on a real-time basis.
(5) Price changes are easier to implement.

Disadvantages of a POS system include the following:
(1) A POS system has a higher cost than conventional cash registers.
(2) A back-up system must be available should the POS system be out of service; the use of this alternate system could be disruptive, however.
(3) Customers may object to the absence of prices on the item.
(4) Terminals are a security risk because of the many operators and the close proximity to customers.

c. Control problems of a POS system include the following:
(1) Terminals are a security risk because of the many operators and the close proximity to customers.
(2) Working files could be lost or destroyed.
(3) The inputting and changing of prices in the computer files may be subject to unauthorized actions.

Controls and security measures that are needed by a POS system include:
(1) Organizational separation of checkout clerks and system personnel.
(2) Complete documentation of all aspects of the POS system.
(3) Sound system change and development procedures.
(4) Security measures such as access logs, transaction logs, passwords for POS terminals, read-only memory with respect to price and other sensitive data, boundary protection, usage limitations on POS terminals, data backup and reconstruction procedures, access restriction on terminals and computer site, system back-up, and a disaster recovery plan.
(5) Sound computer operating practices, including scheduled preventive maintenance.
(6) Thorough training of clerks and systems personnel.
(7) Evaluative procedures by internal auditors and a security administrator.

If you have any further questions, please do not hesitate to ask.

3-15. a. I would recommend the minicomputer alternative. Most of the benefits of developing an integrated data base oriented system that could support operations, accounting, and decisions would not be feasible on five standalone microcomputers. The hardware components suitable for such a system include: minicomputer (central processor) and internal memory, magnetic disk drive (hard drive), visual display terminal(s), keyboard, printers, magnetic tape (cassette) drive, magnetic disk drive, and CD ROM drive.

Hardware components will include microcomputers, main server, backup server, printers, cables, network hubs, and routers.

b. An operating system (Windows 95, for example); utility software; compilers (e.g., for COBOL and C languages); and software packages that include an electronic spreadsheet, DBMS, word processing, report generator, graphics, and presentation software (Microsoft Office, for example).

Financial Budget/Tracking Analysis software package to increase effectiveness of forecasting the future of the business and to keep track of incoming and outgoing cashflows



Software that includes writing, spreadsheet, presentation, and database applications to increase business processes

a. Software for: analyses of accounts receivable and sales data, inventory control and management, cashflow projections and control, tax preparation and planning; decision support software for mortgage loan applications processing.

• Project management software to allow a more efficient way to schedule work projects
• Web-Design software to create an attractive Internet site for its customers
• Data mining software to discover customer behavior/buying patterns and to provide an affinity analysis to increase sales
• Programming software to implement in-house processes and procedures

d. A client/server computing system provides many advantages. The popularity of client/server computing is due to the low-cost computers that can act as servers along with software that can manage this environment. As a distributed processing system, all information inputs to the server will update company information in a quick fashion compared to batch processing. Migrating to client/server will provide the benefit of being able to make business process changes more rapidly in order to gain competitive advantages. Due to the fact that the Gripper Brake Company operates in different states, the client/server environment will prove to be an effective way to handle, update, and store information.

3-16. Alternative A:

[Figure: Alternative A network diagram. Diagram labels: Denver (Central Computer System), Kansas City, Store, Terminal.]

Specifications:
• Wide Area Network
• Client/server system
• Star configuration (a mainframe computer in Denver)
• Departmental dedicated single-server platform
• Public/WATS lines preferred (because of low cost)
• Terminals at each store: Microcomputer-based workstation with a network interface card, fax-modem, and printer.
• A superworkstation in Kansas City.
• A graphical user interface operating system
• Data communication software and middleware
• All applications software and a DBMS.

Alternative B:

[Figure: Alternative B network diagram. Diagram labels: Denver (File Server), Kansas City (Superworkstation), Store, Terminal.]

Specifications:
• Wide Area Network
• Client/server system
• Star configuration
• Departmental dedicated single-server platform
• Dedicated bus line. Public/WATS lines from stores to the bus. Dedicated line from Kansas City to the bus.
• Terminals at each store: Microcomputer-based workstation with a network interface card, fax-modem, and printer.
• A superworkstation in Kansas City.
• A graphical user interface operating system
• Data communication software and middleware
• All applications software and a DBMS.

CHAPTER

4

Data Management

OBJECTIVES              DISCUSSION QUESTIONS    PROBLEMS
5. SYNTHESIS
4. EVALUATION           4
3. APPLICATION          3, 6, 7                 1, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
2. COMPREHENSION        1, 2, 5                 2, 3
1. CONCEPTUALIZATION

[ ] Infoage


CHAPTER 4 DATA MANAGEMENT

DISCUSSION QUESTIONS

DQ 4-1.

Inventory Master file

Data element         Field size (no. of positions)   Data type
Item number          5                               Numeric
Item description     15                              Characters
Item location        6                               Numeric
Reorder level        5                               Numeric

Inventory Issues file

Data element                                        Field size (no. of positions)   Data type
Item number                                         5                               Numeric
Quantity issued                                     5                               Numeric
Department name (to which the quantity is issued)   8                               Characters
Requisition number                                  5                               Numeric

DQ 4-2. The file-oriented approach might be preferable to a firm in the following situations:

(1) There is one dominant activity, such as sales, to which the firm devotes its information system. (Other activities may not require the services of an information system. Payroll, for instance, may be handled by a service bureau).

(2) The current file-oriented system is performing quite well, and management is reluctant to assume the risk of a new approach.

(3) The firm is relatively small, and management is so actively involved that it does not require the added information that can be provided by the data base approach.

(4) New data base technology, such as the object-oriented data model, is expected within a few years; management prefers to wait for this revolutionary new technology, so that it can avoid the need to make a later change.

DQ 4-3. Two major areas in any information system are data and (data) processing. Generally, a documentation technique either focuses on an overview of the system, such as the physical or logical view of a system, or concentrates on the data view or the processing view. The processing view, such as a program flowchart, places data in the background and explains in more depth the logical manipulation involved in the processing operation. The data view does exactly the opposite; it places the processing part in the background and explains in more depth what data are processed, where they come from, and how they result in the maintenance of other data or in various outputs. Nevertheless, the data view incorporates a limited view of processing, and vice versa.

Let’s take the example of a childcare center. The context diagram of a childcare center would show parent and child as customers, and the center as a resource for childcare. Other entities involved would most likely be the bank, the controller (or management of the center), and suppliers (of learning resources, food, etc.). The system contained within a single circle in the context diagram incorporates all processes of the system. When the context diagram is further expanded into a level-zero diagram, the single circle in the former would be represented by several circles (processing steps). For example, parents apply to enroll their children. The enrollment form is processed, and the application may result in enrollment, or the child may be waitlisted, or the enrollment may be denied. Enrolled students attend the childcare center. Periodically, parents are billed and, in time, their payments are received. On the expenditure side, staff are paid salaries, and suppliers are paid for goods or services rendered. All of these steps emerge within the hierarchy of data flow diagrams we develop for a childcare center.

Although processing steps are thus clarified or noted in a data flow diagram, it is important to remember that they only explain what kind of processing is done, and not how it is done. The question of how is left to the processing documentation.

DQ 4-4. Documentation techniques comprise a major part of the language of information systems. For a professional accountant, client services would include the use, evaluation, analysis, and/or design of an information system. One cannot perform these services without fully understanding how to read, interpret, and develop such forms of systems documentation. A public accountant can employ these techniques for supporting her conclusions, suggesting modifications to existing systems, or clarifying a statement or an argument concerning the client’s system. Of course, a public accounting firm can internally use these techniques to describe and document its own information systems.

DQ 4-5. The most important distinction between the two is that whereas a primary key allows us to uniquely identify records within a file, a secondary key does not do so. For example, the value of a customer number, say 34891, is assigned to only one specific customer, say Rita Hanson, and to no other customer. The primary key therefore helps in associating transactions with the entity to which those transactions actually belong. For each entity, there is only one primary key, but there may be one or more (or no) secondary keys. Secondary keys are those data elements within a record in a file that allow us to search and locate related information fairly quickly. Thus, in a student record at a university, class standing (with the values: freshman, sophomore, junior, senior, and graduate) may be defined as a secondary key. Using the key and specifying the key value (say, junior), the registrar can find and list all juniors in the file or data base. Since there is more than one junior, you can see that the use of the key does not allow us to uniquely identify any student. At times, to retrieve relevant information, two or more secondary keys may be employed simultaneously. For example, grade point average can be used along with class standing to produce a list of all juniors who have maintained a perfect cumulative grade point average.

Sometimes, when searching for a record, one may not have the primary key value. For example, if Rita Hanson, our customer, calls us to ask about her account balance but does not remember the customer number assigned to her account, we may search records to produce those that have the last name HANSON, then scan those records and find Rita’s record. If there are two or more Rita Hansons in our customer file, we will need to review each record to determine which one is the unique record that belongs to the customer in contact. Or we may use another secondary key, such as customer phone number, to zero in on the specific customer we are dealing with. Thus, broadly speaking, primary keys help us uniquely identify records in a file and are therefore useful in updating or modifying existing data (data maintenance activity). Secondary keys help in retrieving relevant information from the existing records.

DQ 4-6.
a. General ledger:
Primary key: GL Account Number (numeric, 2134-539)
Secondary keys: Account balance (numeric, $3467.59); Normal balance (alpha, A=debit, B=credit); Primary grouping (alpha, A=assets, B=liabilities, etc.)

b. Accounts receivable:
Primary key: Customer Number (numeric, 34598)
Secondary keys: City (alpha, Omaha); Account balance (numeric, $45,304.34); Credit limit (numeric, $50,000.00)

c. Accounts Payable:
Primary key: Vendor Number (numeric, 21897)
Secondary keys: City (alpha, Kansas City); Account balance (numeric, $23,897.52); Reliability rating (alpha, a= outstanding, b= above average, etc.)

d. Inventory:
Primary key: Item Number (numeric, 7654)
Secondary keys: Location code (numeric, 2-5-34 for warehouse #2, aisle 5, bin 34); Unit of measure (alpha, un for units, lb for pounds, etc.); Reorder level (numeric, 3450 (units))

e. Cash Receipts:
Primary key: Cash receipt number (numeric, 56892)
Secondary keys: Date (date code, mm/dd/yy); Amount (numeric, $4356.89) or Type (alpha, currency, check, credit card); Source (alpha, w for warehouse, s for store, m for main office)

f. Purchase Orders:
Primary key: Purchase order number (numeric, 23680)
Secondary keys: Vendor (numeric, 21897); Date (date code, mm/dd/yy); Amount (numeric, $21,789.55) or Buyer (alpha, Baker)

g. Patient:
Primary key: Patient number (numeric, 213479)
Secondary keys: Soc. Sec. No. (numeric, 123-45-6789); Home phone number (numeric, 402-345-6789); Physician (alpha, Dr. Chopra)

h. Cash Disbursements:
Primary key: Cash disbursement number (numeric, 7654)
Secondary keys: Date (date code, mm/dd/yy); Check no. (numeric, 314); Amount (numeric, $220.34)

i. Work Order:
Primary key: Work order number (numeric, 56921)
Secondary keys: Customer number (numeric, 4521); Estimated date of completion (date, mm/dd/yy); Estimated cost (numeric, $23,907.00)

Note: Amount as a secondary key: Since amounts could vary over a wide range, the use of amount as a secondary key could result in a significant burden on the system.
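The distinction drawn in DQ 4-5, applied to an accounts receivable customer file like the one in DQ 4-6(b), as an added Python example (not part of the solutions manual) using the standard-library sqlite3 module. The table layout, index and function names, and every record other than customer number 34891 for Rita Hanson are constructed for illustration.

```python
import sqlite3

# Constructed sample records; only customer number 34891 (Rita Hanson) is from the text.
# Columns: customer_number, last_name, first_name, phone, city, balance_cents
SAMPLE_CUSTOMERS = [
    (34891, "HANSON", "RITA", "402-555-0101", "Omaha", 120050),
    (34892, "HANSON", "RITA", "402-555-0177", "Lincoln", 31000),
    (34893, "HANSON", "MARK", "402-555-0123", "Omaha", 0),
    (34894, "BAKER", "LEE", "816-555-0145", "Kansas City", 4530434),
]

# Searchable secondary keys. The tuple doubles as a whitelist, so column
# names placed into SQL text never come from caller input unchecked.
SECONDARY_KEYS = ("last_name", "first_name", "phone", "city")


def build_customer_file():
    """Create an in-memory customer master file: one primary key plus
    non-unique indexes for the secondary keys."""
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE customer (
               customer_number INTEGER PRIMARY KEY,  -- unique for each record
               last_name TEXT NOT NULL,
               first_name TEXT NOT NULL,
               phone TEXT NOT NULL,
               city TEXT NOT NULL,
               balance_cents INTEGER NOT NULL)"""
    )
    for column in SECONDARY_KEYS:
        db.execute(f"CREATE INDEX idx_customer_{column} ON customer({column})")
    db.executemany("INSERT INTO customer VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    db.commit()
    return db


def add_customer(db, record):
    """Insert a record; return False if the primary key value is already taken."""
    try:
        with db:  # commits on success, rolls back on error
            db.execute("INSERT INTO customer VALUES (?, ?, ?, ?, ?, ?)", record)
        return True
    except sqlite3.IntegrityError:
        return False


def find_by_primary_key(db, customer_number):
    """Return the single matching record, or None."""
    return db.execute(
        "SELECT * FROM customer WHERE customer_number = ?", (customer_number,)
    ).fetchone()


def find_by_secondary_keys(db, **criteria):
    """Return every record that matches all of the given secondary key values."""
    if not criteria:
        raise ValueError("at least one secondary key is required")
    unknown = set(criteria) - set(SECONDARY_KEYS)
    if unknown:
        raise ValueError(f"not a secondary key: {sorted(unknown)}")
    where = " AND ".join(f"{column} = ?" for column in criteria)
    query = f"SELECT * FROM customer WHERE {where} ORDER BY customer_number"
    return db.execute(query, tuple(criteria.values())).fetchall()


def post_payment(db, customer_number, amount_cents):
    """Data maintenance: update exactly one record, addressed by primary key.
    Returns the new balance in cents."""
    with db:
        cursor = db.execute(
            "UPDATE customer SET balance_cents = balance_cents - ? "
            "WHERE customer_number = ?",
            (amount_cents, customer_number),
        )
        if cursor.rowcount != 1:
            raise LookupError(f"no customer {customer_number}")
    return find_by_primary_key(db, customer_number)[5]


if __name__ == "__main__":
    db = build_customer_file()
    # The caller does not know her customer number: narrow with secondary keys.
    for keys in ({"last_name": "HANSON"},
                 {"last_name": "HANSON", "first_name": "RITA"},
                 {"last_name": "HANSON", "first_name": "RITA", "phone": "402-555-0101"}):
        matches = find_by_secondary_keys(db, **keys)
        print(keys, "->", [row[0] for row in matches])
    print("balance after payment:", post_payment(db, 34891, 20050))
```

Searching on last name alone returns three records and adding first name still leaves two; only the phone number, or the primary key itself, isolates the one account that may be updated.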

DQ 4-7.
a. Logical
b. Logical
c. Both, if the data base programmer is involved in the design and implementation of the data base.
d. Physical. Software engineers are typically concerned with data base design, and may need to work with physical views for system efficiency, system throughput, or any other dimension affecting the performance of the data base system.
e. Logical
f. Logical. However, the internal auditor as an information systems auditor may need to review physical views if the audit objectives warrant such a review.


PROBLEMS

PROBLEM 4-1

A RECORD LAYOUT FOR A STUDENT MASTER FILE

Field                     Data type        Size    Notes
Student ID                Numeric          5       Record Key
Last Name                 Alpha            10      Required, Indexed
First Name                Alpha            8       Required, Indexed
Middle Initial            Alpha-Numeric    2       Not Required
Country Code              Numeric          3       Required only for foreign students
Phone                     Alpha            20      Required
Street Address            Alpha            20      Required
City                      Alpha            10      Required
State                     Alpha            2       Required
Zip Code                  Numeric          9       Required
Degree Program            Alpha            3       Required, Indexed
College or Division       Numeric                  Required, Indexed
Semester Hours Earned     Numeric          3       Required
Quality Points Earned     Numeric          3       Required

Note: An alternative layout appears on the next page. Please note that the two solutions do not use the same data.

4-2.
a. Record
b. File
c. Data element
d. Data element (A value of the data element)
e. File
f. File
g. Record
h. Data element (A value of the data element)

4-3.
a. Both. Generally speaking, dates appear on transaction files. However, date fields may appear in master files also, for example, date of employment.
b. Master file. Sometimes, the design of the system may be such that account balances are not stored in any file; they are computed as and when a query is made.
c. Both. In order to match a transaction record with the master record to which the transaction belongs, it usually is necessary to have the account number in both files.
d. Transaction file.
e. Master file. Generally, the primary key, such as customer number, would appear on transaction records. The customer number then is used to look up the customer name, as and when necessary.
f. Transaction file.
g. Master file.
h. Both.
i. Master file. See (e) above for a similar situation.
j. Master file.
k. Transaction file.
l. Master file.
m. Master file.
n. Master file. See (b) above for a similar situation.
o. Transaction file.
p. Both.
q. Transaction file.


4-4. A context diagram for registration processing is as follows:

[Context diagram. Process: Registration processing. External entities: Students, Instructors, Registrar. Data flow labels: Req., Sch., Lists, Summ.]

4-5. A context diagram for purchases processing is as follows:

[Context diagram. Process: Purchases processing. External entities: Management, Suppliers, Storeroom, Inventory control department, Cash disbursements department. Data flow labels: P.O., Reports, Inv., Goods, R.R., Req.]


4-6. A context diagram for a situation involving the processing of payroll transactions:

4-7. A context diagram for a situation involving a credit-checking system:

4-8. A context diagram for a situation involving an audit process:

4-9. A level-zero data-flow diagram for a situation involving the processing of purchase transactions:

4-10. A level-zero data-flow diagram for a situation involving the processing of payroll transactions:

4-11. A level-zero data-flow diagram for a situation involving a credit-checking system:

4-12. A level-zero data-flow diagram for a situation involving an audit process:

4-13. A level-one data-flow diagram for the subprocess: conduct audit planning.

4-14. (Adapted from the Society of Management Accountants of Canada Examination, March 1988, Information Systems Section, Question No. 4.)

a. Record layouts, in columnar form, are as follows, where a * designates a primary key and a + designates a secondary key.

(1) General Ledger header file:

Data item                       Field size    Mode
General account number*         5             N
General account title           25            A
Sub-account number*             4             N
Account type+                   1             A
Responsibility center code+     3             N

(2) General Ledger balance file:

Data item                       Field size    Mode
General account number*         5             N
Sub-account number*             4             N
Commitment amount               13            N
Budget amount                   13            N
Actual balance+                 13            N

b. The format of the summary report is as follows:

Down and Out
The Account Summary Report
As of (Month, Day, Year)

Project Description | Outstanding Commitment ($) | Budget Amount ($) | Actual Expenses | Variance ($) | %


CHAPTER 5

Computer-Based Transaction Processing

OBJECTIVES              DISCUSSION QUESTIONS               PROBLEMS
5. SYNTHESIS
4. EVALUATION           5, 6, 10                           11, 16
3. APPLICATION          2, 15, 16, 17                      2, 3, 4, 5, 6, 7, 12, 14, 20, 23
2. COMPREHENSION        1, 3, 4, 7, 8, 11, [12], 13, 14    8, 9, 10, 13, 15, 17, 18, 19, 21, 22, 24
1. CONCEPTUALIZATION    9                                  1

[ ] Infoage


CHAPTER 5 COMPUTER-BASED TRANSACTION PROCESSING

DISCUSSION QUESTIONS

DQ 5-1.
• Is there a source document? Does the document serve any other purpose besides data collection? Are there any alternative ways these other purposes may be met if the source document is eliminated?
• Are the data structured or unstructured?
• Do the inputs collected require immediate processing to maintain existing stored data?
• What are the current and possible future locations where data are collected?
• Would we continue to meet legal requirements (e.g., privacy and confidentiality of collected data) if we were to choose the on-line data collection approach?
• Would the accuracy and timeliness of data improve if such data were collected on-line?
• Is the firm in any way constrained by its agreements, such as labor union contracts, that limit its preferences?

These are some of the criteria that one might use in making the decision. Following a comprehensive evaluation of all evidence, the decision may still hinge on the economic, technical, or operational feasibility of the chosen alternative. For example, a clear case may have been made for on-line data capture, but the additional investment required to implement this option may not pass the economic feasibility test.


DQ 5-2.

Alpha Solutions, Inc.

Week ending: ______________    Employee number: ______________

Employee name: ___________________________________

Day        | Client | Project | Billable hours | Non-billable activity code | Non-billable hours | Total hours
Monday     |        |         |                |                            |                    |
Tuesday    |        |         |                |                            |                    |
Wednesday  |        |         |                |                            |                    |
Thursday   |        |         |                |                            |                    |
Friday     |        |         |                |                            |                    |
Saturday   |        |         |                |                            |                    |
Sunday     |        |         |                |                            |                    |

Employee's signature: _____________________

DQ 5-3. Conditions under which use of a turnaround document would be appropriate include the following:
• Almost all data are already prepared by the firm.
• The external party has no action to take concerning the document, or part of it, that needs to be returned to trigger further processing at the firm.
• The document has machine-readable data, for example, data that an OCR device can read.
• Input is collected off-line.
• Upon receipt of input through the turnaround document, the transactions are processed in a batch mode. Up-to-dateness of data stored in the system is not essential.
• Activity ratio (the ratio of number of records affected to the total number of records in a file) is high.


DQ 5-4.

Point-of-sale system: Transaction data are captured on-line. For example, at a grocery check-out counter, items purchased are passed over a scanner, which “picks up” (reads) the UPC (uniform product code) and sends it to the system. At the same time, the system reads from the product price file (a reference file) the price of the product and allows the POS system to compute the charges to the customer. While data are captured, they are also processed (multiplication of units by price per unit, and so forth). Also, if certain items are subject to sales tax and others are not, the system keeps track of such data and uses them in printing the final charges to the buyer of the groceries. Additionally, the system may also update store inventory at the same time.

ATM transaction processing system: As you swipe your bank card on the card reader in an ATM facility and enter your password (which the system authenticates), the system verifies your account number and accesses data such as your name and account balance. You then provide additional data as to what type of transaction you wish to conduct (deposit, withdrawal, etc.) and the amount of the transaction. The system then checks appropriate information (for example, in the case of a withdrawal, do you have enough balance in the account to cover it?). If such tests prove satisfactory, the system releases the cash you requested and prints a copy of the transaction for you.

On-line registration system: An on-line registration system may be designed to capture student registration data in several ways. For example, the system requires you to go to one of the terminals on campus and input data, or you may have access over the phone (with an 800-number line, if you are registering away from campus) or over the Internet. In each case, the first thing the system is set up to do is to capture your identity (SSN or Student Number) and authenticate you as a user (a password is the most widely used means for this). Once you are recognized as a legitimate user, the system will permit (and often guide) data entry for registration. At the end of the transaction input, the system may provide you a confirmation number as evidence of receipt of data (that is, you did request registration for certain classes) or even processing of such data (that is, you are now enrolled in certain classes). The former may imply on-line data capture only, whereas the latter involves immediate processing of captured data.

DQ 5-5. Computerization has had a tremendous impact on the collection and processing of transaction data. It enables routine transactions to be converted with great speed and accuracy and at very low incremental costs. A computer is capable of storing large amounts of collected and processed data. Stored data can be retrieved quickly and can be easily and inexpensively converted (e.g., summarized, arranged, and arrayed) for use in reports, analyses, decision models, correlations, comparisons, and so forth. Thus, computerization can be very helpful to managers in their decision making.

The impact of computerization on the collection and processing of non-transaction data has not been as great as it has been on the conversion of transaction data. While computers can be programmed to handle non-transaction processing, the effort is often not worthwhile. Non-transaction data generally are not as voluminous or standardized as transaction data, for instance. Also, they generally must be gathered from a wider variety of sources. Furthermore, they occur in a wider variety of formats. Thus, the costs of collecting, processing, storing, and retrieving non-transaction data are greater than for transaction data, while satisfactory results are more difficult to achieve. On the other hand, certain types of non-transaction data (e.g., interest rates, sales forecasts) are employed in computer-based planning models and budgets. Since these models are being increasingly used to aid in managerial decision making, and since they cannot be used effectively apart from computers, the collection and processing of non-transaction data can be said to be influenced to some degree by computerization.

DQ 5-6. On-line input and delayed batch processing might occur in such situations as the following:

a. Cash receipts transactions. As cash is received over the counter or in the mailroom, the data concerning the receipts can be entered via a terminal. However, there is unlikely to be any urgency in updating the customers’ accounts. Thus, the receipts transactions could be batched by the computer system and then processed during a slack period (e.g., at 2 a.m.).

b. Mail order sales. Sales orders may be received by phone or mail and entered into the computer system via a terminal. However, the orders may be accumulated before the merchandise is picked from the shelves. Thus, the order transactions could be batched until designated times (e.g., noon and 4 p.m.).

c. Patient billing in hospitals. On-line input via terminals is necessary to maintain the records concerning health status in an up-to-date condition. However, not all processing need be on an on-line basis. Patient billing data for such services as x-rays, room use, surgery, and so on, could be accumulated and processed in a batch for all resident patients at the end of each day (e.g., 5 p.m.).

DQ 5-7. The frequency of reporting is directly related to the value of the on-line processing approach. The more frequently reports are to be prepared, the more important and hence more valued are up-to-date files. Reports that contain out-of-date (aged) information can be misleading and thus can have negative effects (e.g., added costs). Therefore, the added cost of on-line processing will likely be more than offset by the value of up-to-date information if reports are needed on a very frequent basis (e.g., hourly).

DQ 5-8.

a. In the two situations presented, situation (1) essentially illustrates an online input application, while situation (2) essentially illustrates a batch input application. Thus, situation (1) offers greater timeliness, flexibility, and simplicity, while sacrificing economy, efficiency (i.e., productivity), and the opportunity of assuring against the loss of data by the use of batch totals. Situation (2), on the other hand, offers economy, efficiency, and the opportunity of employing batch totals, while sacrificing timeliness, flexibility, and simplicity.

b. In the two situations presented, situation (1) describes on-line processing, while situation (2) describes batch processing. Thus, situation (1) offers up-to-dateness in stored data, flexibility, and simplicity, while sacrificing economy and efficiency in processing. On the other hand, situation (2) provides economy and efficiency in processing, plus the opportunity to detect lost data or errors in processing by the use of batch totals; it sacrifices up-to-dateness in stored data, flexibility, and simplicity.

c. In the two situations presented, situation (1) illustrates a report that could be prepared by the batch processing approach, whereas situation (2) illustrates a report that could be prepared by the online input and online processing approach. Thus, situation (1) offers economical and efficient report preparation, while sacrificing timeliness and up-to-dateness. Situation (2), on the other hand, provides timely report preparation, but only at the sacrifice of economy (and possibly efficiency). (Economy is sacrificed chiefly because of the more expensive equipment needed for the online input and processing approach.)

DQ 5-9. Magnetic disks offer several advantages that are useful in maintaining a general ledger. If batch processing is employed, the general ledger accounts may be updated immediately after batches of transactions have been posted to the subsidiary ledger. If online processing is employed, the effects of each transaction can be posted to general ledger accounts concurrently with posting to the subsidiary ledgers (files). In either case, current general ledger account information can be quickly retrieved at any time and made available to managers and employees. These benefits can be achieved without the need for sort runs and related tape-handling operations by human operators. Thus, magnetic disks can improve the processing efficiency as well as the accessibility of general ledger accounts. In addition, magnetic disks enable new accounts to be more easily added to the general ledger.

DQ 5-10. Several steps related to file processing and maintenance are common to a variety of transaction types. Consequently, general-purpose programs known as utility routines have been devised for such steps. For instance, sort utility routines are typically employed during sort runs, e.g., to sort sales transaction data according to customer number. Other utility routines are typically employed to transfer or convert data from one storage medium to another and to merge two sorted files into one file. Utility routines also can be (and are) developed and employed to update master files, such as the customer accounts receivable master file. However, a utility routine for this purpose would likely be quite complex, since it must be able to accommodate variations with respect to such factors as:

a. The number of files involved in the update run. (In some cases more than one transaction file, and on occasion more than one master file, can be involved.)

b. The record formats for the transaction file(s) and master file(s).

c. The number of data elements and positions of fields being updated. (Often more than one data element is updated; also, the relative positions of the affected fields within the records may vary.)

d. The formats of outputs produced during the update run. (Often transaction listings, managerial reports, and exception and summary reports are desired as by-products of update runs.)

DQ 5-11. A telephone directory acts like an indexed sequential file in the following manner: A user begins a search for a particular last name by opening the directory to a page roughly corresponding to the relative location of the first letter of the name within the alphabet. For instance, if the name is Parker, the searcher will open the directory about five-eighths of the way from the front. Then the searcher will check the names listed at the top of the page, to see whether he or she should move forward or backward in the directory. The searcher “homes in,” as indicated, until the names at the top of a page bracket the name (e.g., Parker). Finally, the searcher scans through the names on the page until the desired name (e.g., Parker) is found, and then scans through the desired name until the person having the desired first as well as the last name is located. Thus, the listings at the tops of the pages serve as a type of index, albeit imperfect, that speeds the search.

DQ 5-12. Tradeoffs involved in the design of a classification plan and coding system include the following:

a. Benefits versus costs. The information gained from a more detailed classification plan and code should provide added benefits that exceed the costs of designing the plan and using the code.

b. Details versus simplicity. The code must be sufficiently detailed to provide needed information and to accommodate growth but not so complex or lengthy that it is difficult to remember and apply.

c. Standardization versus flexibility. The plan should result in consistently applied codes and should aid in integrating the reporting systems. However, sufficient flexibility is needed to enable non-routine transactions to be accommodated. At Infoage, where new products or revisions of existing products are frequently encountered, flexibility in the code is essential.

d. Automated versus manual application of code. A code should be designed with the demands and capabilities of automation kept in mind. However, since people typically will use the code, their needs should also be kept in mind. Thus, even though mnemonic codes may be wasteful of computer storage and less convenient than numeric codes for automated processing, they may on occasion be wise choices because of the aid they provide to the human users.

DQ 5-13.

Yes, it is beneficial to prepare more than one type of flowchart or diagram of the same transaction processing system. Each system has a logical view and a physical view. You may prepare, for example, a DFD to represent a logical view and, for the same system, a computer system flowchart to show its physical view. Also, for each view, you may have to document in greater detail the flow of data, which means you may have different DFDs or systems flowcharts for the same system at different levels of detail. Finally, documentation of systems is often prepared with a particular emphasis (process, document flow, data, or logic). For example, a document flowchart shows the flow of documents across organizational units (divisions or departments). This type of chart permits an analysis of the processes and documents from the viewpoint of internal controls. Thus, to reflect a certain emphasis, more than one type of flowchart or diagram may have to be prepared.

DQ 5-14. First, every system has two views: the logical view and the physical view. Together, the DFDs (logical views) and system flowcharts (physical views) complete most of the description of an information system. Second, both DFDs and system flowcharts are used not just to describe systems, but also to analyze or redesign the system. Third, DFDs provide an excellent way to provide input to, or generate output from, CASE tools used in systems analysis and design.

DQ 5-15. Computerization has had a tremendous impact on the collection and processing of transaction data. It enables routine transactions to be converted with great speed and accuracy and at very low incremental costs. A computer is capable of storing large amounts of collected and processed data. Stored data can be retrieved quickly and can be easily and inexpensively converted (e.g., summarized, arranged, arrayed) for use in reports, analyses, decision models, correlations, comparisons, and so forth. Thus, computerization can be very helpful to managers in their decision making.

The impact of computerization on the collection and processing of non-transaction data has not been as great as it has been on the conversion of transaction data. While computers can be programmed to handle non-transaction processing, the effort is often not worthwhile. Non-transaction data generally are not as voluminous or standardized as transaction data, for instance. Also, they generally must be gathered from a wider variety of sources. Furthermore, they occur in a wider variety of formats. Thus, the costs of collecting, processing, storing, and retrieving non-transaction data are greater than for transaction data, while satisfactory results are more difficult to achieve. On the other hand, certain types of non-transaction data (e.g., interest rates, sales forecasts) are employed in computer-based planning models and budgets. Since these models are being increasingly used to aid in managerial decision making, and since they cannot be used effectively apart from computers, the collection and processing of non-transaction data can be said to be influenced to some degree by computerization.

DQ 5-16. On-line input and delayed batch processing might occur in such situations as the following:

a. Cash receipts transactions. As cash is received over the counter or in the mailroom, the data concerning the receipts can be entered via a terminal. However, there is unlikely to be any urgency in updating the customers’ accounts. Thus, the receipts transactions could be batched by the computer system and then processed during a slack period (e.g., at 2 a.m.).

b. Mail order sales. Sales orders may be received by phone or mail and entered into the computer system via a terminal. However, the orders may be accumulated before the merchandise is picked from the shelves. Thus, the order transactions could be batched until designated times (e.g., noon and 4 p.m.).

c. Patient billing in hospitals. On-line input via terminals is necessary to maintain the records concerning health status in an up-to-date condition. However, not all processing need be on an on-line basis. Patient billing data for such services as x-rays, room use, surgery, and so on, could be accumulated and processed in a batch for all resident patients at the end of each day (e.g., 5 p.m.).

DQ 5-17. The frequency of reporting is directly related to the value of the on-line processing approach. The more frequently reports are to be prepared, the more important and hence more valued are up-to-date files. Reports that contain out-of-date (aged) information can be misleading and thus can have negative effects (e.g., added costs). Therefore, the added cost of on-line processing will likely be more than offset by the value of up-to-date information if reports are needed on a very frequent basis (e.g., hourly).
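DQ 5-8 credits batch processing with the opportunity to detect lost data or processing errors through batch totals, and DQ 5-16(a) describes cash receipts entered on-line but posted later in a batch. The following Python example is added here and is not part of the solutions manual; it shows control totals taken when the batch is closed and checked again before and after the delayed posting run. The three kinds of total (record count, financial total, hash total), the record layout, the function names and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Receipt:
    receipt_number: int
    customer_number: int
    amount: Decimal


@dataclass(frozen=True)
class ControlTotals:
    record_count: int         # how many transactions are in the batch
    financial_total: Decimal  # sum of the amounts
    hash_total: int           # sum of customer numbers; meaningful only as a check


def compute_totals(receipts):
    """Compute the control totals for any collection of receipts."""
    receipts = list(receipts)
    return ControlTotals(
        record_count=len(receipts),
        financial_total=sum((r.amount for r in receipts), Decimal("0")),
        hash_total=sum(r.customer_number for r in receipts),
    )


def compare_totals(expected, actual):
    """Return the names of the totals that disagree (empty list = batch intact)."""
    return [
        name
        for name in ("record_count", "financial_total", "hash_total")
        if getattr(expected, name) != getattr(actual, name)
    ]


def process_batch(receipts, control, balances):
    """Delayed batch run: verify the batch, sort it, post it, verify again.

    Returns (new_balances, discrepancies). Nothing is posted when the batch
    disagrees with the control totals taken at input time.
    """
    discrepancies = compare_totals(control, compute_totals(receipts))
    if discrepancies:
        return dict(balances), discrepancies

    new_balances = dict(balances)
    posted = []
    for receipt in sorted(receipts, key=lambda r: r.customer_number):
        if receipt.customer_number not in new_balances:
            continue  # no such account: left unposted, caught by the check below
        new_balances[receipt.customer_number] -= receipt.amount
        posted.append(receipt)

    # Output check: what was posted must equal what was batched.
    discrepancies = compare_totals(control, compute_totals(posted))
    if discrepancies:
        return dict(balances), discrepancies  # reject the whole run
    return new_balances, []


# Constructed sample data: customer balances (accounts receivable master file)
# and one batch of cash receipts entered during the day.
BALANCES = {
    4521: Decimal("500.00"),
    21897: Decimal("1200.00"),
    34891: Decimal("220.34"),
}
BATCH = [
    Receipt(56892, 34891, Decimal("220.34")),
    Receipt(56893, 4521, Decimal("100.00")),
    Receipt(56894, 21897, Decimal("450.00")),
]
CONTROL = compute_totals(BATCH)  # recorded when the batch is closed

if __name__ == "__main__":
    print("clean run:      ", process_batch(BATCH, CONTROL, BALANCES)[1])
    print("record lost:    ", process_batch(BATCH[:2], CONTROL, BALANCES)[1])
    altered = [BATCH[0], Receipt(56893, 4521, Decimal("1000.00")), BATCH[2]]
    print("amount altered: ", process_batch(altered, CONTROL, BALANCES)[1])
    misdirected = [BATCH[0], Receipt(56893, 4512, Decimal("100.00")), BATCH[2]]
    print("wrong customer: ", process_batch(misdirected, CONTROL, BALANCES)[1])
```

Each total catches a different failure: a dropped record changes all three, an altered amount changes only the financial total, and a receipt keyed to the wrong customer changes only the hash total.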



PROBLEMS

5-1.

a. Revenue cycle. Sales invoice. Accounts Receivable Subsidiary Ledger.

b. Expenditure cycle. Purchase order.

c. General Ledger and Financial Reporting cycle. Worksheets, General Ledger, and subsidiary ledgers.

d. Revenue or enrollment cycle. Registration form (hardcopy or preformatted computer-based form).

e. Expenditure cycle. Receiving report. Purchase (Vendor’s) invoice. Accounts Payable subsidiary ledger.

f. Resources Management cycle. Attendance (time) records, payroll register.

g. Conversion cycle. Materials requisition. Work in Process Inventory records.

h. Resources Management cycle. Purchase order.

i. Revenue cycle. Time records.

5-2. Flowcharts are on the following pages.



5-2 a. A context diagram for relating to sales of products by Infoage

[Context diagram not reproduced. Labels: Sales; Inventory control; Sales of products; Shipping notice; Sales order; System for product related activities; Bank; Purchase order; Deposit slip and checks; Remittance advice with check; Customer; Invoice; Cash receipt posting; General ledger posting; Accounts receivable posting; Accounting processing systems.]


5-2 b. A context diagram for expenditures relating to sales of products by Infoage

[Context diagram not reproduced. Labels: Receiving; Inventory control; Receiving report; Purchase order; Shipping notice; System for product related activities; Purchasing; Purchase requisition; Supplier's invoice; Supplier; Check payable; General ledger posting; Cash disbursement posting; Accounts payable posting; Accounting processing systems.]


5-3 a. Level-zero diagram for Infoage's processing of sales invoices

[Level-zero diagram not reproduced. Processes: 1.0 Batch shipping notices and compute total; 2.0 Prepare batched documents for sequential processing. Edit. Sort.; 3.0 Process billing data. Prepare invoices. Post sales to accounts receivable subsidiary ledger. Post summary totals to general ledger. Verify batch totals.; 4.0 Prepare sales analysis and other reports. Other labels: Shipping notices; Billing department; Batch of shipping notices; Batch totals; Sorted batches of shipping records; Credit sales transaction listing (sales journal); Subsidiary and general ledgers; Pricing reference file; Open sales order file; Open sales invoice file; Sales invoices; Updated records; Credit customer; Sales report; Sales manager.]


b. Level-zero diagram for a hospital's processing of cash disbursements.

[Level-zero diagram not reproduced. Processes: 1.0 Batch documents and compute total; 2.0 Prepare batched documents for sequential processing. Edit. Sort.; 3.0 Process disbursement data. Prepare checks with vouchers. Post payments to accounts payable subsidiary ledger. Post summary totals to general ledger. Verify batch totals.; 4.0 Prepare sales analysis and other reports. Other labels: Disbursement vouchers; Cashier; Batch of documents; Batch totals; Sorted batches of disbursement records; Check register; Subsidiary and general ledgers; Open voucher file; Checks with voucher; Suppliers; Cash distribution reports; Treasurer.]

Note: Disbursement vouchers are usually prepared by the accounts payable department, using supplier invoices and data files (e.g., open purchase order file). A batch of disbursement vouchers is forwarded to the cashier for payment.

5-4.

a. MICR (magnetic ink character recognition) devices can be employed to transcribe data from checks to another medium (e.g., hard drive).

b. POS (point of sale) terminals can be used to capture transactions at the check outs, using light pens or a scanner that recognizes UPC codes.

c. OCR (optical character recognition) devices can be used to transcribe data onto cartridges that would store information to be sorted and processed further. It appears that even this may not be necessary any more, for the transaction is captured at the site of the transaction (e.g., a department store) and is transmitted electronically to the credit card center.

d. OCR devices would scan the turnaround documents returned by the customers. The transcribed file then can be used for sorting and further processing.

e. Employees may directly input their data in a log of activities, using a keyboard. Often, a time allocation sheet or report is used. This may be scanned to read data into a machine-readable file; a less efficient way is to input manually all such data using a keyboard.

f. At the time of receiving a request over the phone, entry can be made on-line, using a preformatted screen. Each entry will have an automatically generated reference number, and date and time stamp. The receiver will verify the transaction details prior to ending the conversation. Upon confirmation, the transaction can be entered into an on-line file of such transactions, to be used for further processing. Also, investors can enter data directly by touch-tone phones, based on prompting by messages recorded by the funds “family.”

5-5.

COURSE ENTRY FORM

TERMINAL NO.* 59                    DATE* 04-05-98

STUDENT NUMBER 987-65-4321

STUDENT NAME* SMITH JOHN M.

CALL NUMBER   COURSE NO.*   COURSE TITLE*   SEM. HRS.*   TIMES*   DAYS*   BLDG. & ROOM*
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________

ACCEPT SCHEDULE? Y OR N >

* Provided by computer system.

Note: Call Number is a data element that uniquely identifies each class offered during a session or semester, and may be known by some other term (e.g., line number), depending on the university. Also, this form would appear somewhat different if prepared with FORMS via Access.



5-6.

[Preformatted data entry screen; layout not reproduced. Field labels: Terminal No.; Date; Time; Patient's Name; Street Address; City; State; Zip; Age; Sex; Insurance Company; No.; Means of delivery; Attending physician; Type of illness or injury (code); Description; Disposal of patient (code); Time discharge; Comments; Additional Comments (Y or N) >]

* Provided by computer system.

5-7.

a. Apartment file:
• Apartment number
• Monthly rent
• Apartment status (rented or vacant)
• Apartment type (one-, two-, or three-bedroom)
• Apartment code

Tenant file:
• Tenant first name
• Tenant last name
• Tenant middle initial
• Tenant sex
• Tenant number
• Tenant phone number
• Emergency phone number
• Apartment ID
• Date rented
• Who to contact in case of emergency
• Number of occupants

Note: This file may include a data element to show the date the rental was discontinued. Subsequent to the departure of the tenant, the record would be archived into a history file (not discussed in the problem).

Rent receivable file:
• Apartment ID
• Tenant last name
• Date billed
• Current rent due
• Rent received
• Total rent due
• Date rent received
• Check number

b.

1. Renting an apartment will most likely use the immediate processing approach due to the fact that Park Plaza needs to know which apartments are available to rent to new tenants. There might be more than one employee trying to sign new leases for tenants. All employees need to have information in real-time of which apartments are available to rent. If the immediate processing approach is not used, various tenants might be leased the same apartment. The process of renting would result in adding a new record in the tenant file. At the same time, the apartment status in the apartment file will be updated from “vacant” to “rented.”

2. Billing tenants for rent will most likely use the periodic processing with batched data entry and sequential updating due to the fact that this is a monthly event in which every tenant in the apartment complex needs to be billed. Batched control totals such as the billed amounts are computed and compared to the rent receivable account to verify accuracy and completeness of billing. This process will update the rent receivable file, using the apartment file.

3. Receiving rent will most likely use the periodic processing with on-line data entry and sequential updating. A Park Plaza clerk will input all checks related to the rent for a tenant on-line through a terminal. This will allow the data related to the received rent to be stored within the system at the earliest possible time. These data files showing rent received will then be used to update the rent receivable file.



c. The rent receivable subsidiary ledger is more likely to have been organized by tenants to show the details of payment/non-payment. It will also show the date the payment was received. Tenants who paid after the due date will probably be assessed a fine, although the designed files do not provide for this event. In addition, the tenants who have not paid rent will probably be sent second notices after a certain passage of time. This file also needs to be accessed by apartment number. Consequently, the file organization would most likely be indexed sequential. The primary key can be designated as apartment number and a secondary key would be the tenant name.

d.

Renting:

[Flowchart not reproduced. Labels: From tenant; Tenant application and deposit; Review and process; Set up a tenant record; update the apartment file; Adding a new record in tenant file; updating apartment file; Tenant file; Apartment file; Confirmation of rental; Tenant rental documents; To tenant.]


e.

BILLING AND RECEIVING RENT

[Flowchart not reproduced. Labels: Month-end; Process rental notices; Tenant file; Apartment file; Update rent receivable and print rent notices; Rent receivable file; Reconcile total collections due; Rent notices; To tenants; From tenants; Checks for rent; Rent receipt; Issue receipt; Record receipt in a transactions file; Rent receipts; Rent receivables aging report; Periodically (e.g., twice a week); Update rent receivable file; Report of rents collection.]

• Error or edit listings showing variances of billed amount versus rent received from tenant
• Reports to compare predetermined batch totals to computed rent totals
• Reports to list which tenants paid after the due date to assess fines
• Report showing which apartments are available to be leased

5-8.

a. The weekly processing of payroll is best suited to batch entry and sequential updating, since this mode is highly efficient and economical in handling large volumes of similar transactions. Transaction data such as time records can be sorted and processed in a single run.

b. Reservation of seats on scheduled airline flights must be handled by the immediate processing mode, since up-to-date information is required to be available upon demand.

c. Periodic sequential processing is appropriate, since most records in the accounts receivable subsidiary ledger will be accessed. Statements can be printed efficiently in a batch mode sequentially.

d. Data can be captured in an on-line mode. Although most credit inquiries are handled on-line, the data base is not likely to have been updated for the numerous transactions arriving during the day. The added efficiency of sequential updating is likely to outweigh the advantage of very current (up-to-date) information in the individual records.

e. This should be handled by immediate processing, since it provides continuously up-to-date records and allows immediate responses to inquiries concerning individual orders.

f. Since adjusting journal entries are recorded as a batch at the end of each month, it seems appropriate to use batched data entry and sequential update. Alternatively, if such entries are limited in number, direct updating may be possible.

g. If the daily volumes of orders are large and received mostly by mail, order transactions can be entered as a batch and updated sequentially. If batches are processed at the end of each day, the elapsed time may not be significant in getting the shipments out to the customers. On the other hand, receipt of orders by phone (directly at the business premises or through a telemarketing firm) would make it more efficient to capture transactions on-line.

h. Assuming that these are patient care records, immediate processing would be crucial to ensure timely availability of up-to-date information. If these are billing records, it is likely that batched data entry and sequential updating would occur. Typically, final billing of patient does not occur at the time of release of the patient. Consequently, the need for immediate processing of customer service charges may not be necessary. This is in contrast to billing hotels and motels where charges are paid at the time of check out.

i. Immediate processing is desirable for monitoring the progress of production operations through the various processes. Batch data entry and sequential updating is suitable for updating production volume and cost records.

j. Since the records do not need to be continuously up-to-date, batch entry and sequential updating is appropriate. If the file organization permits and the number of transactions is limited, batch entry and direct updating can be a viable alternative.

k. Since auto manufacturers manage a vast number of inventory items and usually follow the just-in-time inventory approach, EDI is often used for communication with vendors. To minimize waiting time (non-value-added time) and target just-in-time delivery, immediate processing and transmission is commonly employed.

l. Since the processing takes place at scheduled times and usually affects a significant portion of the suppliers’ records, batch data entry and sequential updating is appropriate.

m. At the check out, immediate processing takes place. The immediate processing uses a price reference file and the inventory item UPC code. At this time, inventory balances may not be updated. Instead, the transactions may be stored, and further processed sequentially at the store later. Alternatively, these transactions data may be transmitted to a central location for further processing.

n. Immediate processing is the most desirable. Much like airline reservations, timely and up-to-date information is needed to determine space availability.

5-9. The flowchart begins on the following page.

[Flowchart not reproduced. Labels: From mailroom; Orders from salesman; Posting machine invoice preparation; Sales order transactions; Batch total; Charge sales invoices; Invoice file; Copies 1&2 to customer; Copy 3 to shipping; Cash remittance advices; OCR Device Conversion; Data conversion to tape; Run no 1; Run no 2; Run no 3; Run no 4; Run no 5; Edit data; Edited cash remittance transactions; Sort by customer number; Cash remittance transactions; Accounts receivable master file; Update; Updated Accounts receivable master file; Error listing.]

5-10. The flowchart begins on the following page.

[Flowchart not reproduced. Labels: Job messages; From receipt of goods; Purchase order copy; Counts of merchandise received entered on copy; Enter receipt; Exception and error display; Edit receiving data; Receipt transactions; Open purchase order file; Update master files and generate reports; Inventory master file; Back order file; Receiving report; Receiving report files; To stores and account payable.]

5-11. The computer-based processing approaches that might serve the needs of Auto Barn include the following: 1. Immediate processing; 2. Periodic processing, with on-line data entry and sequential updating; and 3. Periodic processing, with batched data entry and direct updating.

A key success factor in this case is that the staff, using the information system, should be able to tell the customer whether the item is in stock and, if it is, where it is located; if the item is unavailable at this time, how soon it can be available; and, if there is a substitute item that would work just as well, whether it is available. To obtain this level of support from an information system, all of the data should be current (up-to-date) and accessible, and the system should be on-line to access the data. Periodic processing (Options 2 and 3) provides information that is current immediately following the previous update, but as the transactions arise after this point in time, the information available is less accurate. This is because effects of the transactions are reflected only as batches of transactions are processed for updating the inventory records. If batches are made and processed frequently, the information provided by the system would be more current but not fully updated or accurate. Immediate processing (Option 1) processes transactions as they arise. Consequently, the information is always up-to-date. To guide the customer without any hesitation or waste of time, this mode of processing would be the best. This method can be expected to enhance customer satisfaction, help identify stockouts in the normal process of selling, and reduce cycle time needed to serve customers.

5-12. Computer system flowcharts are shown on separate pages.

[Computer system flowchart not reproduced. Labels: From students; Course request sheets; Compute batch total; Batch total; Error and exception display; Course request sheets (batch); Enter requests and edit; Sort by name; Course status file; Compare; Course request file; Process course request file; Student master file; Student schedule file; Course schedule file; Print course schedules; Course schedules; To students; Exception and summary report.]

[Computer system flowchart not reproduced. Labels: From students; Course request sheets; Compute batch total; Batch total; Course request sheets (batch); Compare; Enter requests; Course request file; Edit; Summary and exception report; Segment by requested courses; Course request file (by segment); Sort by course number; Course request file (by course); connector A.]

b. (continued)

[Computer system flowchart not reproduced. Labels: connector A; Course status file; Course schedule file; Process registration by course; Course schedules by courses; Sort by students; Course schedule by student; Print course schedules; Course schedules; To students; Student master file; Data stored on-line.]

[Computer system flowchart not reproduced. Labels: From student; Scan a schedule; Schedule of courses; Course status file; Enter requests via touch-tone; Error, exceptions, closed classes, etc. through audio response; Student master file; Course schedule file; Process requests for courses; Completed schedule; Confirm the schedule and print; Student schedule file; Course schedule; File for student pick up; Course schedules; connector A.]


5-13.

[Flowchart segments a through k not reproduced. Labels, in order of appearance: a. Cash Receipts file; Sort (by customer number); Error and exception display. b. Enter inventory data; Edit and transmit; Home office computer. c. Shipping file; Process Shipping notice; Shipping notice; To Billing Department. d. Master Sales Order file; Sales Order file; Update Master Sales Order file; Master Sales Order file (updated); Cash Receipts file; Error and summary report. e. Sales Order file; Update Master Sales Order file; Master Sales Order file; Cash Receipts file. f. Accounts Receivable Master file; Generate Aging report; Accounts Receivable Aging report; Review; File; D. g. Payroll transactions; Sort (by employee ID); Payroll transactions (sorted). h. Deposit slip; Cash Receipts file; Process for deposit. i., j., k. Rejected Sales Order file; Sort (by sales order number); Rejected Sales Order file (sorted); Extract inventory data; Extracted inventory data file; Inventory Master file; Generate report; Report generation; Rejected sales order report; Inventory reorder list; From suppliers; Error and exception display; Invoices; Visual scan; Enter; Edit; Daily Sales Invoice file.]


[Flowchart not reproduced. Labels: A/R master file; Extract names and zip codes; File of extracted data; Extract data sorted by zip codes; Extracted data sorted by zip codes; Sort by names within zip codes; Extracted data sorted by name; Print reports; Listing of names within zip codes; To Marketing Manager.]

[Flowchart not reproduced. Labels: Timekeeper; Time cards; Enter time records, edit; Payroll transaction file; Display transactions; Review and correction; Sort by Social Security Number; Update; Master payroll file; Report generation; Payroll register; Paycheck and earnings statement; Review by controller; Distribute; Employees; Payroll registers.]


5-16.

a. Errors in the use of flowchart symbols: Incorrect symbols have been used for the following: Source documents; compute batch total (manually); batch total; transactions file (on magnetic disk); reports; and sort transactions data (computer performed). “To management” should be a terminal point of procedure.

Errors in logic: A separate report generation run might be appropriate, although an update run may produce some reports. A comparison of batch total with error and summary report data should be made at the end of each run. The other two copies of the report (for controller and for filing) must be indicated on the flowchart. An edit run on transactions data is missing. Updated master file is not indicated, and connector “A” has no linkage.

b. The flowchart begins on the following page.

[Flowchart not reproduced. Labels: From user department; Source document; Scan and complete batch total; Enter Data; Source data file; Edit; Error and Summary Report; Edited Source Data File; Sort; Source Data File; Update; Master File; Updated Master File; Error and Summary report; Report Generation; Report file; Report.]

5-17.

[Document flowchart not reproduced. Columns: Customer; Sales clerk; Cashier; Accountant; Bank; General ledger clerk. Labels: Cash; Receive cash and prepare sales slip; Sales Slip (copies 1, 2, 3); Prepare sales summary, count cash, and prepare deposit slip; Deposit slip (copies 1, 2); Sales book; Validate; validate and return; File in sales office when fully used; Process as a batch; Sales summary; Compare and account for all numbers; post and file; Sales slips (batched); Deposit slips; General ledger; Summary file; file symbols N and C.]

5-18.

Customer number    Current balance
128                130.00
156                2590.00
194                776.00
205                3831.00
210                200.00
234                833.00
288                512.00
297                5710.00
312                30.00
364                1002.00
368                00.00
377                295.00
399                2010.00

Exception report:
321                80.00

5-19.

a. After the computer operator verifies, by reference to the header label, that the proper file has been mounted on the tape drive, a retrieval computer program begins at the beginning of the file. It then checks the primary key in each record, from 100 through 156. When it reaches the record whose key value is 157, the program then causes the computer system to perform the desired action (e.g., to print the contents of the record).

b. Several advantages are provided when a file is stored on a magnetic disk. If batch processing is employed, the records may be retrieved directly, without the need to sort the transactions beforehand. Data in the records may be retrieved directly, without the need to search sequentially from the beginning of the file (as described in (a) above). Also, new records can be added without the necessity of writing the entire file into a new storage area (or using a new tape).

c. An index to convert the file on magnetic disk to an indexed sequential file organization is as follows:

Key value  Disk address    Key value  Disk address    Key value  Disk address
100        0820            136        0829            172        0838
104        0821            140        0830            176        0839
108        0822            144        0831            180        0840
112        0823            148        0832            184        0841
116        0824            152        0833            188        0842
120        0825            156        0834            192        0843
124        0826            160        0835            196        0844
128        0827            164        0836
132        0828            168        0837

When a user makes an inquiry involving the record whose primary key value is 157, the search software moves to disk address 0834 (since 157 is between 156 and 160). At that address each record is scanned sequentially until 157 is reached.

d. If the file is stored randomly, the record whose key value is 157 can be accessed after the software performs the computations specified by the hashing scheme. As described in the problem statement, the disk address is computed to be 0769, and is found by dividing 157 by 13 (result: 12.0769) and keeping the first four digits of the remainder (0769).

5-20.

a.

Area       Disk address
Tempe      250, 254, 258
Phoenix    251, 255, 257
Mesa       252, 253, 256, 259

Number of bedrooms    Disk address
3                     253, 256
4                     250, 251, 252, 257, 259
5                     254, 255, 258

Date of construction    Disk address
1984                    252
1985                    251
1986                    255
1988                    256
1989                    253
1990                    250
1991                    257
1993                    259
1995                    254
1996                    258

Asking price (000$)    Disk address
100-105                251, 252, 253
105-110                256
110-115                ---
115-120                250
120-125                ---
125-130                259
130-135                255, 257
135-140                254
140-145                258

b. When inverted files such as those prepared in (a) above are available, the procedure for obtaining answers to inquiries is for the user to specify in appropriate terms the desired requests. The appropriate terms depend upon the query language being employed with the data base software package, but they would express the key information items indicated in the listed inquiries. If a relational data base management software package is used, the inquiries would be expressed in the language specified by the package. For instance, the answers to the three inquiries would appear as shown below if R:BASE were employed, the data were stored in a table named MLS and the following commands were entered:

1. SELECT ADDRESS AREAS FROM MLS WHERE AREA = MESA
2. SELECT ADDRESS AREA FROM MLS WHERE AREA = TEMPE AND PRICE < 120
3. SELECT ADDRESS AREA FROM MLS WHERE BEDROOMS = 4 AND AREA = PHOENIX AND CONSDATE > 1989

1. Address             Area
   4328 Sunset Rd.     Mesa
   2264 Robson Dr.     Mesa
   3101 Gilbert Rd.    Mesa
   5150 Vista Dr.      Mesa

2. Address             Area
   2340 Cricket Dr.    Tempe

3. Address             Area
   1730 Brown St.      Phoenix

c. Examples of inquiries are: Which houses in Phoenix, priced between $100,000 and $120,000, have four or more bedrooms? Which houses in Tempe or Mesa are available that were constructed in 1987 or later? Which houses in Tempe have five bedrooms, an asking price of less than $140,000, and were built later than 1989?
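Added example (not part of the solution manual): the inquiries in b and c answered directly from the inverted lists in a, by intersecting and uniting disk-address sets so that only the matching records ever need to be read. The function names are illustrative, and each price band "lo-hi" is assumed to cover lo <= price < hi.

```python
# Inverted lists transcribed from the answer to 5-20 a. Each attribute value
# maps to the set of disk addresses whose records carry that value.
AREA = {
    "Tempe": {250, 254, 258},
    "Phoenix": {251, 255, 257},
    "Mesa": {252, 253, 256, 259},
}
BEDROOMS = {3: {253, 256}, 4: {250, 251, 252, 257, 259}, 5: {254, 255, 258}}
YEAR_BUILT = {
    1984: {252}, 1985: {251}, 1986: {255}, 1988: {256}, 1989: {253},
    1990: {250}, 1991: {257}, 1993: {259}, 1995: {254}, 1996: {258},
}
# Asking price bands in $000. Assumption: band (lo, hi) means lo <= price < hi.
PRICE_BAND = {
    (100, 105): {251, 252, 253}, (105, 110): {256}, (110, 115): set(),
    (115, 120): {250}, (120, 125): set(), (125, 130): {259},
    (130, 135): {255, 257}, (135, 140): {254}, (140, 145): {258},
}
BAND_EDGES = {edge for band in PRICE_BAND for edge in band}


def lookup(index, key):
    """Exact-match condition: the address list stored under one key."""
    return set(index.get(key, ()))


def lookup_where(index, predicate):
    """Range condition: union of the lists whose key satisfies predicate."""
    hits = set()
    for key, addresses in index.items():
        if predicate(key):
            hits |= addresses
    return hits


def _require_band_edge(value):
    # A limit inside a band cannot be decided from the index alone; the
    # records in that band would have to be read and compared one by one.
    if value not in BAND_EDGES:
        raise ValueError(f"{value} is not a price band boundary")


def price_below(limit):
    _require_band_edge(limit)
    return lookup_where(PRICE_BAND, lambda band: band[1] <= limit)


def price_between(low, high):
    _require_band_edge(low)
    _require_band_edge(high)
    return lookup_where(PRICE_BAND, lambda band: low <= band[0] and band[1] <= high)


def any_of(*address_sets):
    """OR: union of the address lists."""
    return set().union(*address_sets)


def all_of(*address_sets):
    """AND: intersect the lists, smallest first so the work shrinks quickly."""
    ordered = sorted(address_sets, key=len)
    result = set(ordered[0])
    for other in ordered[1:]:
        result &= other
        if not result:
            break
    return sorted(result)


def inquiries_part_b():
    """The three inquiries expressed as R:BASE commands in part b."""
    return {
        1: all_of(lookup(AREA, "Mesa")),
        2: all_of(lookup(AREA, "Tempe"), price_below(120)),
        3: all_of(lookup(BEDROOMS, 4), lookup(AREA, "Phoenix"),
                  lookup_where(YEAR_BUILT, lambda year: year > 1989)),
    }


def inquiries_part_c():
    """The three example inquiries listed in part c."""
    return {
        1: all_of(lookup(AREA, "Phoenix"), price_between(100, 120),
                  lookup_where(BEDROOMS, lambda n: n >= 4)),
        2: all_of(any_of(lookup(AREA, "Tempe"), lookup(AREA, "Mesa")),
                  lookup_where(YEAR_BUILT, lambda year: year >= 1987)),
        3: all_of(lookup(AREA, "Tempe"), lookup(BEDROOMS, 5), price_below(140),
                  lookup_where(YEAR_BUILT, lambda year: year > 1989)),
    }


if __name__ == "__main__":
    for part, answers in (("b", inquiries_part_b()), ("c", inquiries_part_c())):
        for number, addresses in answers.items():
            print(f"{part}.{number}: read records at disk addresses {addresses}")
```

The address counts for part b (four, one and one) agree with the number of rows in the R:BASE results shown in b.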



5-21.

a.

Disk address   Supplier number   Date of most recent purchase   Pointer field
010            1000              10/3                           080
020            1001              9/6                            110
030            1002              9/17                           070
040            1003              8/30                           * (end)
050            1004              10/7                           010 (start)
060            1005              9/21                           030
070            1006              9/14                           090
080            1007              10/2                           100
090            1008              9/11                           020
100            1009              9/28                           060
110            1010              9/5                            040

b.

Month of most recent purchase   Disk address
8                               040
9                               020, 030, 060, 070, 090, 100, 110
10                              010, 050, 080

5-22.

a.

Disk address   Supplier number   Date of most recent purchase   Pointer field
010            1000              10/3                           080
020            1001              9/6                            110
030            1002              9/17                           070
040            1003              8/30                           * (end)
050            1004              10/7                           010 (start)
060            1005              9/21                           030
070            1006              9/14                           090
080            1007              10/2                           100
090            1008              9/11                           020
100            1009              9/28                           060
110            1010              9/5                            040

b.

Month of most recent purchase   Disk address
8                               040
9                               020, 030, 060, 070, 090, 100, 110
10                              010, 050, 080



5-23.

a.

Field                              Length   Type
Policy number*                     (6)      AN
Face amount of policy@             (7)      N
Policyholder name                  (35)     A
Street address                     (30)     AN
City+                              (25)     A
State+                             (2)      A
Zip code+                          (9)      N
Date of birth                      (6)      N
Sex                                (1)      A
Cash surrender value@              (7)      N
Date of issue+                     (6)      N
Maturity date#                     (6)      N
Renewal date                       (6)      N
Name of beneficiary                (25)     A
Relationship of beneficiary        (1)      A
Type of policy+                    (1)      A
Yearly premium                     (9)      N
Date of last payment               (6)      N
Balance due                        (10)     N

Legend: A means alphabetic, N means Numeric, AN means alphanumeric, * means primary key, + means secondary key, @ means rounded to dollars, # means that the maturity date applies only to endowments. Lengths of fields appear as numbers in parentheses.

b. Needed data elements in a fixed-length transaction record include: policy number, transaction code (showing the type of transaction, e.g., billing, payment, cancellation, renewal, change), amount involved in a billing or payment transaction. A transaction number and date will likely be generated automatically by the computer program and attached to each transaction.

c. The key advantage of using an indexed sequential file for the master file is: It enables the policy-related transactions to be processed each week in an efficient sequential manner against the policy master file. It allows individual policy records to be accessed during the week for updating and/or reference. Furthermore, report listings of policies, arranged according to policy numbers, can be prepared easily. The advantage of using a random file is that it enables individual policy records to be accessed more quickly than by means of an ISAM file. Thus, the processing of change-type transactions during the week can be performed in a shorter time. Also, the billing and payment transactions can be processed during the week, thereby maintaining the policy records in a more up-to-date fashion. Furthermore, reports organized according to secondary keys can be easily prepared when the random file structure is employed.

d.

1. A transaction code might be alphabetic or mnemonic in nature, using BIL for billing transactions, PAY for payment transactions, CAN for cancellation transactions, REN for renewal transactions, and CHG for change-type transactions. Alternatively, a single digit number could be used, e.g., 1 for billings, 2 for payments, and so on.



2. Each policy could be assigned a group code comprised of two fields: the first field would represent the type of policy, in terms of a letter, while the second field of five digits could be a sequence code assigned in order as each new policy is issued. An example might be T29832, where T represents a term policy and the digits refer to the 29832nd policy issued.

e. Data as described might be contained in each of the following files.
Reference file: data may pertain to the terms of each type of policy.
History file: Data may pertain to canceled policies.
Report file: Data may pertain to periodic reports to be printed, e.g., a report showing old policies carried by respective policy holders, a report showing the amounts billed and paid for each week this year.
Suspense file: Data may show the details of transactions found by the edit program to have errors or omissions, e.g., transactions for which the policy numbers do not match active policy numbers in the master file.

5-24. The flowcharts appear on the following pages.

[Flowcharts not reproduced. Departments: Sales Ordering Department; Shipping/Receiving Department. Labels: Orders received from customers; Enter sales order and generate SOA; Sales Order Acknowledgement (SOA), white, yellow, pink and green copies; Customer file; Control file; Batch program to identify daily orders to be filled; Generate pick tickets (PT); Pick Ticket (PT), white, yellow, pink and green copies; PT-white (serves as packing slip); Compare SOA and PT; Review status of inventory; if shortages, inform production scheduling; Fill order; Weigh; Input freight and handling charges; Generate shipping manifest; Shipping manifest; Manifest file; Invoice (I), white, yellow, pink and green copies; Invoice file; Order shipment report; Review Order Shipment Report; To customer; To sales representative; To Carrier; To Accounting Manager; Shred; connectors A and B.]


CHAPTER 6

Database Modeling and Applications

OBJECTIVES              DISCUSSION QUESTIONS      PROBLEMS
5. SYNTHESIS            9
4. EVALUATION
3. APPLICATION          11, 12                    1, 2, 5, 6, 8, 9, 10, 12
2. COMPREHENSION        2, [3], 4, 5, 8, [10]     3, 4, 7, 11, 13, 14
1. CONCEPTUALIZATION    1, 6, 7, 13

[ ] Infoage


CHAPTER 6 DATA-BASE MODELING AND APPLICATIONS

DISCUSSION QUESTIONS

DQ 6-1. The benefits to the development of a single overall database include:

a. Minimized data redundancy, since all or almost all duplicate files and data elements can be eliminated through the use of associative techniques (e.g., pointers, indexes, and common columns in tables).

b. Easily accessible data for the widest possible variety of demand or ad hoc reports, since data pertaining to all of a firm’s activities and resources can be retrieved and organized as desired by individual users.

c. Maximized flexibility, since all data elements can be standardized and hence all application programs can be easily modified as needed to accommodate changes.

Drawbacks to the development of a single overall database include:

a. Increased costs for the needed data base management software and the additional secondary storage devices.

b. Increased vulnerability to the loss of much of the firm’s valuable data and to unauthorized accesses of the stored data.

c. Increased resistance of users, due to the unfamiliar and complex nature of the supporting system.

A feasible alternative to the development of a single overall data base is to develop segregated databases that are organized according to key functions, entities, resources, and/or activities. These databases may possibly be linked to each other to allow the accessing of related data, although such accesses would be slower and less efficient than if the databases were fully integrated. The major benefits of this alternative would be lower costs, less complexity, and less vulnerability.

DQ 6-2. The successful use of a data base approach requires elaborate software. This software is in addition to various application programs that are used by the organization and is known as a data base management system (DBMS). An organization has the option of either developing its own DBMS software within its organization or purchasing a commercially developed one. The advantages of purchasing a commercially developed DBMS software package include the following:

a. While this type of software package is quite expensive, it is likely to be less expensive than the costs required when the organization develops and maintains its own software package.

b. A wide variety of packages are available commercially, so it is possible for an organization to choose a package that reasonably suits its specific needs. Furthermore, the package can be obtained and put into operation without significant delay.

c. Most commercially developed packages have been extensively tested and “proven” through the experiences of user organizations.

The disadvantages of a commercially developed DBMS software package include the following:

a. Although a number of DBMS packages are available, all currently available packages have limited capabilities.

b. Even if a particular package possessed greatly enhanced capabilities, it could not accommodate an organization’s specific needs as efficiently as one that is specifically developed for that organization.

DQ 6-3. For Ann Strong, a key to success lies in the management of projects or engagements. These projects require a heavy investment of time. Consequently, a human resource management relational database that monitors employee productivity by project should prove extremely useful to Ann. With such a database, Ann should be able to track direct costs of projects (especially salaries), fees charged, and project margins. The same database can also provide information regarding value added (margins generated) by each employee. A relational database of this nature would be easy to understand and use, flexible to manipulate, and capable of addressing a great variety of information requests, including unanticipated queries. Other related applications include customers/revenue management, payroll and labor distribution, and bidding for new engagements.

For Infoage, a critical function is the inventory management and control. Purchases/accounts payable, inventory, and sales/accounts receivable are all integrated activities. The same products may be purchased from more than one supplier, and a supplier may ship more than one product to Infoage. Several many-to-many relationships exist in the inventory management function. Also, depending on the information processing needs, entry from any of the various nodes may be desired. Due to such factors, Infoage should benefit from a network application of its inventory management.

DQ 6-4. In a file-oriented environment, files are separately associated with applications. Ownership of data is spread throughout the organization, although all files may be stored at a central location. Responsibility for backup and recovery of data also lies with the owner of the data.
Contamination of any one or more files is limited to the affected file; other data are not affected. In a database environment, related data are integrated and therefore are highly vulnerable. A breakdown in hardware or software has a much more severe effect than in a system having insulated applications and files. If a database becomes inoperable, the applications that use the database cease functioning. Extensive data can be lost through errors in programming, foolish or fraudulent acts of users, or destructive acts (e.g., viruses) by unauthorized persons. Any loss of data or contamination of the database affects all applications. Lost data may take a long time to recover or recreate; until such time, applications relying on the database cannot be run. Reports, queries, and all other outputs of the system may come to a complete halt until the data are
recovered. Compared to a file-oriented environment, these are significantly more severe control and security concerns that need to be addressed in the design and implementation of databases.

DQ 6-5. In a data base environment, data are separated from the various application programs and other accesses by users. Data are integrated, and all data within a database are owned in common by the users. Since this integrated, independent data base needs to be managed as a resource for the benefit of all users, a new position, called data base administrator (DBA), has been created. The DBA has the overall responsibility for the data resource and for maintaining the DBMS. This position is important because of the responsibilities assigned: creating data, defining relationships among data, ensuring data independence, enforcing data management standards and procedures, maintaining the data dictionary, ensuring data integrity, and so forth. The DBA is much like the librarian in charge of a library: assigning call numbers, maintaining user access to journals and books, protecting the resource, setting standards of operation (e.g., for clearing unused books off the shelf). Defining data requirements, establishing data structures, protecting data and maintaining relationships among data, and enforcing data management standards are among the functions of a DBA.

DQ 6-6. A data dictionary is also described as data about data, or meta data. It describes the logical structure of the data base, in particular the schema and subschemas, as established by the DBMS. Every data element in the database is described in the dictionary: name, field size, mode, files to which it belongs, etc. The language used to build and maintain the data dictionary is called the data definition language.
The purposes of having a data dictionary include the following: it is used by the DBMS to satisfy requests from application programs and other users’ software; it maintains data definitions and relationships among data; it provides an important source of information to accountants, auditors, and the DBA.

DQ 6-7. In an object-oriented data base (OO DBMS), data and methods (functions that act on data) are stored together in the same node. Whereas relational tables provide only data, the objects provide a more complete view of data as well as actions on such data. This approach, called encapsulation, helps reduce the size of the application programs that access the database. Secondly, the feature called inheritance allows subclasses (subdivisions of classes that are similar to entities but broader in scope) to inherit methods and/or data from higher classes within a class hierarchy. This means that programmed instructions can be reused, thereby standardizing the processing and saving programming efforts. Finally, a feature called polymorphism permits a method to respond differently to an object’s characteristics. For instance, graduate student attributes in the graduate program in Computer Science data may differ somewhat from those in the Master of Business Administration data. In updating the data of a graduate student, the method would adjust the instructions to accommodate these differences. These features permit dramatic improvements in an OO DBMS over a relational DBMS.

A major obstacle in replacing a network or relational database with an OO DBMS lies in the difference in structures. Whereas network and relational databases are essentially data sets and relationships among them, OO DBMS also include methods. In OO DBMS, encapsulation, inheritance, and polymorphism provide considerable flexibility and efficiency due to a distinctly different structure. A direct and easy translation (conversion) of a network or relational database into an OO DBMS is difficult if not impossible.

DQ 6-8. Such transformation is generally undertaken to keep the existing (and often quite successful) DBMS commercially viable. The idea is much like the “new, improved” products often introduced in consumer products. The claim is that such revisions include features to adopt an object orientation and therefore a full-scale transition to OO DBMS may not be necessary. Technically, this is achieved by providing a special DB/2 command set that works with the original DB/2 code to create an OO code. This approach does not greatly reduce the comparative advantage of OO DBMS. An OO DBMS offers a very different, more flexible, and more efficient structure. Additionally, an OO DBMS can accommodate non-textual data (sound, for example), while relational DB cannot do so. Of the two approaches, which one will win the race is difficult to predict. Both seem to have future promise. The former emerges from its established maturity and strength. The latter has yet to emerge as a fully tested, fully developed option that already has shown great promise. Another aspect to consider is that network structures (with explicit links) enable transaction processing to be performed more efficiently. Combined with the data retrieval capabilities of a relational database like DB/2, this offers a more balanced and hence competitive product. However, the OO approach will likely win out in time because of its particular benefits, even though it does not facilitate the processing aspect.

DQ 6-9. Note: Figures 6-18 and 6-19 are useful in answering this question. When developing a system, one of the initial steps is to understand the entities involved and the relationships among them. This can be clarified by preparing E-R diagrams. Using E-R diagrams as a source, logical DFDs can be prepared to determine the processing to be performed on the data. It is also possible to first develop DFDs and then translate them into E-R diagrams.
This is because both relate to data, one defining the relationships among data and the other defining the processes involved as data move through the system. A logical DFD is a logical representation of data flows with a focus on the processes involved. It is not concerned with the technology required to implement the process. A variation of a logical DFD, called a physical data flow diagram, specifies where or by whom the processes are performed, and the particular technology used. Flowcharts are pictorial representations of transaction processing systems that portray flows of some type. The main categories of flowcharts are document, program, process, and system. A system flowchart shows the physical elements required to transform data into outputs. A computer system flowchart focuses on the computer-based portions of transaction processing systems. Processing steps within a computer system flowchart have traditionally been detailed by means of one or more program flowcharts. Program flowcharts have largely been replaced in recent years with structure charts and structured English. Structure charts are prepared in a hierarchy of levels, progressively describing the logic in more detail and within a smaller domain (a subsystem, or a subsubsystem). A low-level structure chart enables a computer programmer to create source code subroutines, which are then converted to detailed source programming code instructions. To summarize, tools and techniques to depict information systems may help describe the logical or the physical view. In either case, a hierarchy of charts or diagrams is likely to be prepared.

DQ 6-10. Note: The accompanying CD-ROM includes additional information on CASE. Diane’s observation is generally true. CASE tools require a large initial investment of funds. The commitment to training and development of staff takes more funds and time. The training is usually quite expensive both in terms of time and cost. Employees are usually reassigned to
CASE projects, which means other assignments would be delayed. Learning curves are rather long because of the complexity of the CASE software. Whereas Diane’s observations are realistic, the basic issue is that prior to adopting CASE methodology and selecting CASE tools, the organization must have evaluated its benefits and costs. Without the top management commitment, both human resources and required funds may not be devoted to the CASE approach over the long run. The recognition of costs and benefits in a realistic manner is one of the initial steps in most large undertakings, including the decision to adopt the CASE approach to systems development.

DQ 6-11. a. A form for entering the courses students request to take each semester may be obtained from your university/college. If your university registration system accepts registration requests only by phone or via the Internet, you may not be able to obtain a physical form, although there would be a logical form (or arrangement of data inputs to be captured). In case of a web-enabled system, it may be possible to print the form and review its characteristics as well as content.

b. A preformatted data entry screen for course requests is as follows:

COURSE ENTRY SCREEN

Terminal No. *                          Date *

ENTER STUDENT NUMBER   -                Student Name *

ENTER SCHEDULE LINE NUMBERS FOR REQUESTED COURSES:

Course No.*   Course Title*   Sem. Hrs.*   Times*   Days*   Room*

ACCEPT SCHEDULE? Y OR N >

* Provided by computer system

c. In the student registration application, other methods of data capture that might be possible include the following:
1. Scanning a hard-copy course request form filled out by the student.
2. Having students electronically access a blank course request form, using their identification numbers and passwords. This form can be completed and sent electronically to the registrar.
3. Having students access the registration system over the phone to provide requested course data (voice input).

DQ 6-12.

a. The specific query would vary depending on the data available, the type of data structures, and the purpose of the query. If this is a broad-based review of inventory, values of all data elements of interest can be displayed as a list. However, if the number of records involved is huge, it is likely that the manager is conducting a review of exceptions to certain criteria or rules, such as items showing negative balances. Here is an example of an SQL query format:

    SELECT ITEM_NO, ITEM_DESCRIPTION, QTY_ON_HAND
    FROM INVENTORY_TABLE
    WHERE QTY_ON_HAND = 0;

b. This report would show beginning and ending cash balances, and forecasted cash inflows and outflows for each quarter. If consistency with cash flow statements (prepared for financial reporting) is desired, projected cash flows can be grouped into three categories: financing, operating, and investing. An additional column may be used to show the combined picture for all four quarters. The report would also include comments concerning unusual items, and possible actions, such as short-term investment of surplus cash, or additional credit line with a bank to meet temporary shortages.

Quarterly Cash Flow Forecast
Quarters ending March 31, June 30, Sept. 30, and Dec. 31, 2001

Item Description                       Quarter I   Quarter II   Quarter III   Quarter IV
Beginning balance
Cash inflows from:
  Sub-total
Cash outflows due to:
  Sub-total
Ending balance
Projected cash surplus or (deficit)

DQ 6-13.

Object-oriented data structures, in contrast to traditional data structures, have the following advantages:

• OO data structures permit the inclusion of objects.
• Since data and their processing are encapsulated, it is easier to modify applications.
• Object orientation naturally reinforces modularity, while traditional orientation only encourages modularity.
• Processing code is shared. Thus, classes of objects that require the same type of processing share common processing logic or program modules.
• Once you have developed a library of reusable classes, it becomes possible to develop systems and applications much faster. Ideally you can pull most of your application together from class libraries, which have already been tested and are known to be of high quality.


PROBLEMS

6-1. a. The components that comprise a data base system are: 1. The data, which are nonredundant collections of records that are integrated and shared. 2. The software, comprised of the DBMS and application programs. 3. The hardware that is compatible with the software and user needs. 4. The users of the system, consisting of the end users that access the data base as well as the programmers and data base administrator.

b. The advantages of a data base system for Mariposa include: 1. A common system for the accessing of data by many diverse users. 2. Elimination of the redundancy of data with respect to fields, records, files, and systems that also reduces (or eliminates) data inconsistency. 3. Reduction of redundant requests for, and collection of data from, originating users. 4. Standardized conventions respecting data items, records, files, storage, and programming, thereby leading to reduced program maintenance and efficient use of programming and system resources. 5. Establishment of a data dictionary that enforces common naming requirements and policies between segments of the firm.

The disadvantages of a data base system for Mariposa include the necessity to perform such added duties as: 1. Giving higher priority to data security, integrity, and backup due to the dependence on one data management schema that handles the data of nonrelated functions. 2. Creating detailed protection schemes to satisfy and communicate procedural needs of the various users who must depend on this single system. 3. Conducting a formal review of the reporting system to revise current (or develop new) reports as a consequence of the wider audience served by the database. 4. Conducting an involved assessment of the hardware. 5. Retraining or adding staff. 6. Converting historical data and reports to the DBMS.

c. The factors that Mariposa should consider before converting to a data base system include: 1. The preparation of a feasibility study to identify its costs and benefits. 2. The impact on personnel including any training and changes in personnel alignments, or hiring new personnel. 3. The selection of a reliable software supplier to assure that the data base software will provide flexibility for growth and will be compatible with current and proposed hardware. 4. The data and report requirements of end users.

d. The duties of a data base administrator include: 1. Designing the database, including development of standards, identification of the data items to be stored, strategy for storage and access of data, and implementation of security. 2. Maintaining the database, including requests to make changes or additions to the database. 3. Administering the data base function by preparing budgets, forecasts, and personnel requirements; coordinating critical uses of data; communicating all policies, procedures, and requirements to all data base users.

6-2. a. Benefits that Bunting would gain by moving to the data base approach include: 1. Reduction of the excessive redundancy of data items and, consequently, reduction of needed storage space. 2. Standardization of data names, so that each data item will have only one name that is referenced by all application programs. 3. Simplicity in revising application programs, so out-of-date programs can be brought up-to-date and made more efficient quickly and easily. 4. Integration and structuring of each related data item, so that needed reports can be promptly provided to users.

b. Steps that should be taken in converting to the data base approach include the following: 1. Build a conceptual model that incorporates key entities and relationships as well as Bunting’s physical setting and environment. 2. Determine the information needs of the operations manager and other managers of Bunting. 3. Develop the subschemas for each of the users. 4. Combine the subschemas to form the overall schema. 5. Select the appropriate logical data model. 6. Acquire a suitable commercial DBMS. 7. Implement the schema via the
data definition language (DDL). 8. Load data into the database and establish relationships in accordance with the schema. 9. Implement the applications, using the data manipulation language.

c. The DBMS should be selected on the basis of the needs of Bunting and the capabilities of the available hardware. Since no DBMS is perfect, the needs of Bunting should be prioritized. Thus, if the highest priority is the ability of the database to meet a wide variety of information needs, Bunting might decide on a relational database model, preferably the one that fits its hardware capabilities. The components that should be contained within the DBMS include: 1. A database control system. 2. A data definition language. 3. A data manipulation language. 4. A query language. 5. A report generator. 6. A security package. 7. A data backup and recovery system.

d. Due to the size and complexity of Bunting’s planned database, it should not initially incorporate all files and programs. Instead, it should build up the database in a modular manner. One approach to do this would be to first establish a materials flow database, centered on the acquisition and dispatching of materials. This activity is a logical beginning point, since the dispatching activity is already controlled by an on-line processing system. Next, construction programs and cost accounting could be added, since construction operations are also controlled by an on-line processing system. (Another reason for establishing these activities on a high-priority basis is that they are the primary operations that generate revenues.) The accounting activities can be added later. The accounting applications would be redesigned to employ on-line processing and magnetic disk files before or at the time they are converted to the data base approach.

6-3.

Hospital
Events: Surgery, Lab test, Cash receipt, Purchase
Resources: Clinic, Cash, Laboratories, Building
Agents: Patient, HMO, Supplier, Physicians

University
Events: Registration, Graduation, Placement, Admission
Resources: Computer, Classrooms, Dorm, Endowment
Agents: Student, Alumni, Employer, Supplier

Public accounting firm
Events: Engagement, Cash receipt, Continuing education, Tax return preparation
Resources: Expertise, Cash, Computer, Building
Agents: Client, AICPA, IRS, Other offices

Construction contractor
Events: Contract, Bid, Purchase, Closing (delivery)
Resources: Cash, Equipment, Supplies, Prospective customer
Agents: Supplier, Customer, Supplier, Stockholder

Professional football club
Events: Game, Travel, Practice, Press meeting
Resources: Cash, Uniforms and gear, Doctors, Stadium
Agents: Patrons, Supplier, Ticket agents, Referees

Brokerage firm
Events: Purchase of security, Sale of security, Statements to clients, Advising clients
Resources: Cash, Computer, Building, Furniture and fixtures
Agents: Client, Stock exchange, Bank, Stockholder

6-4. a. 1. Planning and determining data requirements. A purpose of this phase is to identify the scope and ascertain the feasibility of a database. The scope in Ann Strong’s case is the overall activities of the firm. The feasibility focuses on whether the benefits of a proposed database are greater than its costs, and whether the database will be effectively used. If the data requirements are not properly planned, the effectiveness of the database to the firm will be compromised, and its value will diminish. 2. Modeling the conceptual view. Once data requirements are determined, they should be organized to be operationally useful. A conceptual model is developed according to a set of rules and using a technique, such as an entity-relationship diagram. Without modeling, the database cannot be organized and consequently, cannot become operational. 3. Specifying the logical view. This is to select the logical data structure that is most suitable for implementing the conceptual model. Once the logical data structure is selected (e.g., relational structure), the next step is to construct the logical views (schemas and subschemas) by mapping the conceptual model into schemas and subschemas, using techniques, such as data structure diagrams. This phase provides a full logical description of the database, including the data dictionary. 4. Selecting the data base software. To implement the logical design, a particular DBMS is selected. Without the DBMS package, internally created or purchased from outside, it is not possible to create the database in its operational form. 5. Implementing the physical database. The type of hardware and storage, the locations of data on the storage medium, and the access method to employ are among the many decisions made in this phase. Next, a number of implementation activities are initiated. For example, data must be loaded from the previous files into the new database and then tested for correctness. This phase is important in bringing the entire project to fruition.

b. A suitable DBMS must include the following: 1. A DBCS (data base control system) that controls the various components of the database. 2. A DDL (data definition language) that provides the commands by which users can access and manipulate data within the database. 3. A query language that enables users to query the database, and retrieve information relevant to the user. 4. A DML (data manipulation language) that provides the commands by which users can access and manipulate data within the database. Assuming that a relational data structure is selected, a “short list” of DBMS might include Oracle, Access, and Focus.

c. Many examples can be given here. For planning purposes, Ann Strong may look at the scheduled activities of each staff member with clients, project deadlines and progress to date, and anticipated shortage of expertise in light of the projects in progress. For control purposes, it would be possible to review billed hours by skill level, total revenues generated, cash received, and segment margin (estimated and actual) by engagement.

6-11


6-5. a. The duties and responsibilities of the data base administrator include: 1. Design and control of a firm’s database. This responsibility includes ensuring application independence and backup and recovery procedures. 2. Definition and control of data dictionary. 3. Assignment of user codes and maintenance of other security measures. 4. Control of all changes in data and in programs that use the database.

b. 1. Planning and determining data requirements. A purpose of this phase is to identify the scope and ascertain the feasibility of a database. The scope in Morgan Company’s case is the overall activities of the firm, except payroll. The feasibility focuses on whether the benefits of a proposed database are greater than its costs, and whether the database will be effectively used. If the data requirements are not properly planned, the effectiveness of the database to the firm will be compromised, and its value will diminish. 2. Modeling the conceptual view. Once data requirements are determined, they should be organized to be operationally useful. A conceptual model is developed according to a set of rules and using a technique, such as an entity-relationship diagram. Without modeling, the database cannot be organized and consequently, cannot become operational. 3. Specifying the logical view. This is to select the logical data structure that is most suitable for implementing the conceptual model. Once the logical data structure is selected (e.g., relational structure), the next step is to construct the logical views (schemas and subschemas) by mapping the conceptual model into schemas and subschemas, using techniques, such as data structure diagrams. This phase provides a full logical description of the database, including the data dictionary. 4. Selecting the data base software. To implement the logical design, a particular DBMS is selected. Without the DBMS package, internally created or purchased from outside, it is not possible to create the database in its operational form. 5. Implementing the physical database. The type of hardware and storage, the locations of data on the storage medium, and the access method to employ are among the many decisions made in this phase. Next, a number of implementation activities are initiated. For example, data must be loaded from the previous files into the new database and then tested for correctness. This phase is important in bringing the entire project to fruition.

c. The sales manager might be able to query the database to determine the amount of inventory available for sale of any particular item. If available, further details can be obtained, for example, the location of the inventory. The sales manager should also be able to check back orders and expected dates of arrival of the ordered shipment. A construction firm (customer) might be able to determine when deliveries of certain items (fixtures, for example) are scheduled, and what inventory of other comparable fixtures (chandeliers, for example) is available within the price range of the ones that have been on order.

6-6. a. Phases of data base development: 1. Plan and determine data requirements. At this stage, it is necessary to decide upon the scope and ascertain the feasibility of the database. The scope in this case may be identified as the scheduling of employees with clients, or more broadly as also billing the clients, preparing the payroll, and generating reports on individual employee productivity, ratings, and feedback on them from employers. The feasibility of the data base would involve an assessment of whether such a data base is feasible technically, economically, operationally, legally, and also possible to be installed in a timely manner.
2. Model the conceptual view. At this stage, data requirements are formalized into a conceptual model according to a set of rules. Decisions are made regarding particular entities to include and cardinalities of relationships among them. Entity-relationship diagrams are drawn to describe the conceptual model of data to be stored and managed within this system. 3. Specify the logical view. After constructing the E-R diagram and identifying the needed data attributes for each entity, a logical view of the data base is constructed by selecting the logical data structure (e.g., tree, network, or relational) that is most suitable for implementing the conceptual model. Then the logical views (schema and subschemas) that reflect the logical data structure are constructed. For example, the view of data and relationships among them as seen by someone responsible for identifying a suitable employee for a particular client’s needs defines a subschema that needs to be accommodated within the total data base, described logically by a schema. 4. Select the data base software. At this stage, a particular DBMS is selected to fulfill the logical design. In this case, a commercial DBMS package could serve the purpose; there is no need to develop the firm’s own DBMS software. 5. Implement the physical database. The type of hardware and storage, the locations of data on the storage medium, and the access methods to employ are among the decisions that should be made at this stage. After the physical aspects have been decided, a number of implementation activities must take place. For example, employee and skills data must be loaded from the previous repositories into the database and then tested for correctness.

b. Tables, including a relationship table, necessary for defining the database are as follows. A primary key in each case is identified in parentheses.
Employee table (Employee number)
Skills table (Skill code)
Employee/Skill table (Employee number, Skill code) [concatenated key]
Client table (Client number)
Client services table (Client service reference number, Client number) [Client number is the foreign key]

c. Contribution margin, by skill, each week
Employee placement by skill and skill level
Employee skill level upgrades, promotions, and firing this month
Demand and supply of skill levels for the month

The format of the first report listed above is as follows:

TempClerk Weekly Contribution Margin Report
For the week of January 6, 1997

Skill               Beginner   Semi-skilled    Skilled     Expert      Total
Word Processing      5500.00        6290.00    4060.00    2180.00   18030.00
Data Entry           2300.00        2450.00    2690.00    2400.00    9840.00
Book keeping         1400.00        1660.00    3850.00    4270.00   11180.00
Filing                200.00         300.00     670.00     350.00    1520.00
Document imaging      300.00         700.00     810.00     960.00    2770.00
Total                9700.00       11400.00   12080.00   10160.00   43340.00



6-7. a.

Job/skill
Job Number   Skill Number
100          20
100          40
100          50
100          60
200          10
200          30
200          60

Job
Job Number   Description     Accumulated Cost
100          Lab Facility    30,000
200          Filter System   14,500

b. [E-R diagram. Entities: Employee, Skill, Job. Relationships: Has (Employee Skill), To do (Job/skill).]

6-8. a.
Events: Treatment, Billing, Admission, Prescription
Resources: Medical items, Operating room, Patient room, Pharmacy
Agents: Patients, Employees, Third party insurers, Physicians


b. [E-R diagram. Entities: Admission, Patient, Patient room, Patient/Physician, Physicians, Treatment, Prescription, Pharmacy, Operating room, Billing, Third party insurer. Relationship labels: Obtain, assigned to, Support, Receives, Prescribe, Order, Obtained from, may involve, Involves, addressed to.]

c.
Patient (Patient number, Social security no., Insurance plan no., sex, age)
Employee (Employee number, Social security no., Department)
Physician (Physician number, Name, specialization, Salary)
Resources (Reference number, Patient number, Type of Resource, description, Cost)
Third party Insurer (Company name, address, phone number)
Treatment (Treatment Ref number, Treatment code, Person authorizing, Person treating)



d. Patient/Physician (Patient no., Physician no.)

e. Patient/Treatment (Treatment code, Patient no.)

6-9. a. Major entities for the three application areas are as follows:
(1) Store sales: stores, store clerks, store managers, customers, store inventories, sales, sales returns, cash receipts, cash.
(2) Inventory management: warehouse, storekeepers, inventory manager, warehouse inventory, receipts from suppliers, shipments to stores.
(3) Purchasing: buyers, purchasing manager, purchases, purchase returns, suppliers, inventory items.

b. An E-R diagram appears on the following page.



[E-R diagram. Entities: Cash Receipt, Customer, Sale (or sales return), Store clerk, Cash, Shipment, Inventory Items (Store), Inventory Items (warehouse), Store (including manager), Storekeeper, Warehouse (including manager), Receipts from suppliers. Relationship labels: Made by, Made to, Flows to, Includes, Converts to, Maintains, Accepts.]

c. Reports:
1. A report on seasonal items, especially at the beginning or early in the season, should prove useful. Such items can be reviewed to see if any backorders are due to be delivered soon, or if a new source of supply would need to be tapped. This would help reduce loss of revenue due to stockouts.
2. A report on inventory items that are at or below reorder level at the warehouse. Since the warehouse is the primary source of supply to the stores, any stockouts at the warehouse would affect sales at the stores. Consequently, it would be critical to watch inventory levels at the warehouse. This is especially true of fast moving items.
3. A report on best selling items at each store. This would permit a closer monitoring of inventory and sales of such items. Sales patterns over time could facilitate better projections and therefore, sufficient inventory levels. Also, such reports could reveal local characteristics of each store, valuable information that could be used in planning and promotion.
d. A data dictionary is a centralized repository or file that focuses on individual data elements stored within an on-line database. Since the three key application areas described in the problem will involve some of the same data elements, it is necessary to standardize the names and other attributes of each data element. A data dictionary enforces this type of standardization and identifies the standardized name, field length, mode, and other attributes for each data element. It will also likely specify all of the programs that may access a data element, as well as the names of all persons who are authorized to access the element.

6-10. Assumptions include the following: Rents are fixed and no change is made to the set rents. Partial months are billed by month.
a. An E-R diagram is as follows:



[E-R diagram. Entities: Tenant, Apartment, Rent, Rent Billed Line Item, Rent Received Line Item. Relationship labels: Rents, is obligated to, Generates, Consists of (twice).]

b. Note: An initial set of tables includes the following. Students familiar with the third normal form may design tables that are normalized from the beginning. In such cases, requirements (b) and (c) are merged. Sample data are included in the normalized data base in Requirement (c):

Apartment Table: Apartment Number, Monthly Rent, Apartment Status, Apartment Type

Tenant Table: Tenant Number, Tenant First Name, Tenant Middle Initial, Tenant Last Name, Tenant Sex, Tenant Phone Number, Apartment Number, Date rented, Number of occupants

Additional data elements that may be included are:
Contact in case of emergency: Last Name, First Name, Middle Initial, Emergency Contact Phone Number
Tenant credit rating
Last address: Street, Apartment Number, City, State, Zip Code

Rent Receivable Table: Apartment Number, Tenant Number, Month Billed, Current Rent Due, Rent Received, Date Rent Received, Check Number

c. Tables in the third normal form are as follows:

Tenant Table (values listed column by column)
Tenant Number: 913, 914, 915, 918
Tenant First Name: John, Lisa, Bob, Wes
Tenant Middle Initial: K, T, A
Tenant Last Name: Wiley, Smith, Lewis, Wolfe
Tenant Sex: M, F, M, M
Tenant Phone Number: 967-2352, 967-2764, 967-3111, 967-3905
Apartment Number: 1103, 2115, 3119, 1516
Date Rented: 5/11/98, 6/30/97, 9/01/98, 5/01/99
Number of Occupants: 1, 3, 2, 4

Apartment Table
Apartment Number   Monthly Rent   Apartment Status   Apartment Type
1103               450            O                  1
1104               450            V                  1
1516               550            O                  2
2115               700            O                  3
3119               800            O                  4

Apartment status: O = Occupied; V = Vacant. Apartment type: # equals the number of bedrooms.
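As an added example (not part of the solutions manual), the Tenant and Apartment tables above can be loaded into SQLite with their keys and value domains declared, so the database itself refuses a tenant row that points at a nonexistent apartment or a status code outside O/V. Column names other than APT_NO, TENANT_LAST_NAME, NUMBER_OF_OCCUPANTS, APT_STATUS and MONTHLY_RENT are assumptions, and the middle-initial column is left out.

```python
import sqlite3

# Rows copied from the Apartment and Tenant tables above (middle initials omitted).
APARTMENTS = [(1103, 450, "O", 1), (1104, 450, "V", 1), (1516, 550, "O", 2),
              (2115, 700, "O", 3), (3119, 800, "O", 4)]
TENANTS = [(913, "John", "Wiley", "M", "967-2352", 1103, "5/11/98", 1),
           (914, "Lisa", "Smith", "F", "967-2764", 2115, "6/30/97", 3),
           (915, "Bob", "Lewis", "M", "967-3111", 3119, "9/01/98", 2),
           (918, "Wes", "Wolfe", "M", "967-3905", 1516, "5/01/99", 4)]

# Column names not used in the manual's queries are assumed for this example.
SCHEMA = """
CREATE TABLE apartment (
    apt_no       INTEGER PRIMARY KEY,
    monthly_rent INTEGER NOT NULL CHECK (monthly_rent > 0),
    apt_status   TEXT    NOT NULL CHECK (apt_status IN ('O', 'V')),
    apt_type     INTEGER NOT NULL CHECK (apt_type >= 1)
);
CREATE TABLE tenant (
    tenant_no           INTEGER PRIMARY KEY,
    tenant_first_name   TEXT    NOT NULL,
    tenant_last_name    TEXT    NOT NULL,
    tenant_sex          TEXT    NOT NULL CHECK (tenant_sex IN ('M', 'F')),
    tenant_phone        TEXT    NOT NULL,
    apt_no              INTEGER NOT NULL REFERENCES apartment(apt_no),
    date_rented         TEXT    NOT NULL,
    number_of_occupants INTEGER NOT NULL CHECK (number_of_occupants >= 1)
);
"""


def build_db():
    """Create the in-memory database and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite does not enforce FKs by default
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO apartment VALUES (?, ?, ?, ?)", APARTMENTS)
    conn.executemany("INSERT INTO tenant VALUES (?, ?, ?, ?, ?, ?, ?, ?)", TENANTS)
    conn.commit()
    return conn


def tenants_with_min_occupants(conn, minimum):
    """Tenant number, apartment number and last name where occupants >= minimum."""
    return conn.execute(
        "SELECT tenant_no, apt_no, tenant_last_name FROM tenant "
        "WHERE number_of_occupants >= ? ORDER BY tenant_no", (minimum,)).fetchall()


def apartments_by_status(conn, status):
    """Apartment numbers with the given status code (O or V)."""
    rows = conn.execute(
        "SELECT apt_no FROM apartment WHERE apt_status = ? ORDER BY apt_no", (status,))
    return [row[0] for row in rows]


def monthly_rent(conn, apt_no):
    """Monthly rent of one apartment, or None if the apartment does not exist."""
    row = conn.execute(
        "SELECT monthly_rent FROM apartment WHERE apt_no = ?", (apt_no,)).fetchone()
    return row[0] if row else None


def rejected(conn, sql, params):
    """Run a change; return the integrity error text if refused, else None."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute(sql, params)
    except sqlite3.IntegrityError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = build_db()
    print(tenants_with_min_occupants(db, 3))
    print(apartments_by_status(db, "V"), monthly_rent(db, 1104))
    # Constructed bad inputs: unknown apartment 9999, undefined status code X.
    print(rejected(db, "INSERT INTO tenant VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
                   (999, "Test", "Tenant", "F", "000-0000", 9999, "1/01/99", 1)))
    print(rejected(db, "UPDATE apartment SET apt_status = ? WHERE apt_no = ?",
                   ("X", 1104)))
```

The lookups take their values as bound parameters rather than concatenated text, so the same functions can be called with user-supplied values.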

Rent Table
Apartment Number   Tenant Number   YTD Rent Billed   YTD Rent Received
1103               913             1350              900
1516               918             1650              1650
2115               914             2100              1400
3119               915             2400              2400

Note: Apartment Number and Tenant Number will be the concatenated primary key in the Rent Table. For Rent Billed Line Item Table and Rent Received Line Item Table, Tenant Number and Month Billed will be the concatenated primary key. Issues related to partial payment are not resolved in this solution; rather, it is assumed that the amount billed will be received from the tenant.

Rent Billed Line Item Table
Tenant Number   Month Billed   Date Billed   Rent Due
913             1              12/31/98      450
913             2              01/31/99      450
913             3              02/28/99      450
914             1              12/31/98      700

Month billed: 1 = January, 2 = February, and so on.

Rent Received Line Item Table
Tenant Number   Month Billed   Date Received   Amount Received
913             1              01/05/99        450
913             2              02/05/99        450
913             3              03/02/99        450
914             1              01/04/99        700

d. Query 1:
SELECT APT_NO, TENANT_LAST_NAME
FROM TENANT TABLE
WHERE NUMBER_OF_OCCUPANTS >= 3
Result:
914 Smith
918 Wolfe

Query 2:
SELECT APT_NO
FROM TENANT TABLE
WHERE APT_STATUS = V
Result: 1104

Query 3:
SELECT MONTHLY_RENT
FROM APARTMENT TABLE
WHERE APT_NO = 1104
Result: 450

6-11. a.

[Data structure diagram with Supplier record and Purchase order record. Occurrence shown: record for supplier No. 87, first purchase order record, second purchase order record. Addresses shown: 261, 424.]

b. [Data structure diagram with Customer record, Sales invoice record and Remittance advice record. Occurrence shown: record for customer No. 12, first and second sales invoice records, first and second remittance advice records. Addresses shown: 418, 576, 1025, 1198.]

c. [Data structure diagram with Employee record and Skill record. Occurrence shown: record for employee No. 718, first skill record (e.g., for skill No. 8), second skill record. Addresses shown: 1200, 1450.]

d. [Data structure diagram with Skill record and Employee record. Occurrence shown: record for Skill No. 8, first employee record, second employee record (e.g., for Employee No. 718). Addresses shown: 860, 950.]

e. [Data structure diagram with Skill record, Department record and Employee record. Occurrence shown: record for Department No. 2; record for Skill No. 8; records for employees with Skill No. 8 in Dept. No. 1, Skill No. 8 in Dept. No. 2, Skill No. 5 in Dept. No. 2, and Skill No. 3 in Dept. No. 2; pointers to the next employee record in the Skill No. 5 chain, the Dept. No. 1 chain, and the Skill No. 3 chain. Addresses shown: 720, 860, 890, 950, 990, 1010, 1080.]

6-12. This problem is rather challenging, but it is quite illustrative of the nature and purposes of databases and the principal types of data structures. It can be assigned “as-is” to graduate students or to classes in which data base development has been previously discussed. Otherwise, you may need to provide hints or to partially develop the entity-relationship diagram for the class.

a. A feasible entity-relationship diagram pertaining to the academic activities of the Southeastern State University is shown on the following page. The displayed entity-relationship diagram meets all the stated conditions in the problem; that is, it incorporates the six listed entities and it specifies those relationships that are necessary to reflect the academic situation and to allow the indicated outputs to be prepared. Since the preparation of this type of diagram involves a degree of judgment, alternative displays may be just as valid. The assumptions underlying the prepared entity-relationship diagram are:
(1) Registration and grade assignments are the beginning and ending events of the academic process and are reflected as such.
(2) Classes do not “make” unless an established number of students register.
(3) Students and instructors, the two agents in the process, are related only through the classes.
(4) Students and classes are related through the registration and grade assignment events as well as through a direct relationship.
(5) Student-classes and classes-classrooms reflect two many-to-many relationships. The remaining relationships are one-to-many.
(6) No direct relationship exists between the students and the classrooms. When an output shows both the students and classrooms (as in student class schedules), the linkage is made through classes, which in turn are linked to the classrooms as well as to students.

[E-R diagram. Entities: Instructors, Registration, Students, Classes, Grade assignment, Classrooms. Relationship labels: Taught, Creates, Initiate, Incorporates, Receive, Provide, Held in.]

b. A data structure diagram based on the network structure is as follows, where a downward slanting arrow designates an entry point:

[Data structure diagram. Record types: Students, Registration, Classes, Grades, Classrooms, Instructors.]

c. A data structure diagram that revises the diagram in b above to show intersection records is as follows:

[Data structure diagram. Record types: Students, Registration, Classes, Classrooms, Grades, Instructors. Intersection records: Students/classes, Classes/classrooms.]

d. A ring list that reflects an occurrence for a particular student who has registered for four classes is as follows, where the circled numbers indicate disk addresses:

[Ring list diagram. Student record: MELODY DUNSION, with the remaining fields of the record. Class records: ACC221, CIS302, ART101, MAT201. Disk addresses shown: 350, 684, 520, 260, 490, 730.]

e. An SQL expression is as follows:
SELECT SSN, NAME, GPA
FROM STDREC
WHERE MAJORS = ACCOUNTING AND GPA > 3.00 AND STANDING = SENIOR OR AGE > 20

f. The following tables should be included in the relational data base:
STUDENT TABLE
CLASS TABLE
CLASSROOM TABLE
INSTRUCTOR TABLE
REGISTRATION TABLE
STUDENT GRADES (TRANSCRIPTS) TABLE

6-13. a.
1. Which skills, identified by number, are required by Job 200?
Job   Skill No.
200   10
200   30
200   60
JOIN JOB and JOB/SKILLS TABLE, then SELECT and PROJECT.

2. In which skills, identified by description, do we have vacancies greater than 0?
Skill description   Vacancies
Carpenter           1
Truck driver        2
SELECT from Skill Table, then PROJECT.

3. Which JOBS, identified by description, exceed accumulated cost of $20,000?
Job No   Description    Accumulated cost
100      Lab facility   30,000
SELECT from JOB Table.

b.
1.
Dept. no.   Skill no.   Skill description
1           10          Lathe operator
1           20          Carpenter
1           30          Arc welder
2           40          Lab technician
2           50          Truck driver
2           60          Mechanic
JOIN DEPT/SKILL table with SKILL table, then PROJECT.

2. Employees in Beta department:
Skill no.   Employee no.
40          2000
50          3000
60          3000
60          6000
JOIN DEPT/SKILL with EMPLOYEE/SKILL, then SELECT.

3. For Job No 100:
Dept Name   Skill description
Alpha       Carpenter
Alpha       Lab technician
Beta        Truck driver
Beta        Mechanic
JOIN DEPT/SKILL and DEPT, then JOIN the resulting table with SKILL table. SELECT by DEPT and PROJECT (Dept. Name, Skill Description).

c. To obtain employee names in b(2), the employee table must also be joined to the newly formed table from which the desired columns and rows are extracted. To obtain skill descriptions, the skill table must also be joined before extracting the desired data.

6-14. a.

[E-R diagram. Entities: Parts, Suppliers, Prices. Relationship labels: Supplied by, Required, Quotes.]

b.
1.
Supplier name
ABC Co.
LMN Co.
Join PRICES and SUPPLIERS, then PROJECT and SELECT.

2.
Supplier name
XYZ Co.
LMN Co.
Join PARTS AND PRICES, PROJECT (remove Prices and Part No.). Then join that table with SUPPLIERS table, SELECT and PROJECT.

3. NONE

4. Sort PRICES TABLE by Supplier No. within Part No. Count number of suppliers for each part. SELECT Part No. where the number of suppliers equals one. JOIN the derived table with PARTS, and PROJECT Pname.
Part Name   Supplier
Screw       LMN Co.

5.
Part No.   Part name   Supplier Name
P113       Nut         ABC Co
P113       Nut         LMN Co
P113       Screw       LMN Co
JOIN all three tables, PROJECT all but Supplier No. Compare price to 0.50 (Select and Project all but price).



CHAPTER 7

Risk Exposures and the Internal Control Structure

OBJECTIVES             DISCUSSION QUESTIONS                          PROBLEMS
5. SYNTHESIS
4. EVALUATION          5, 6, 20                                      6, 7, 11, 12, 14
3. APPLICATION         8, 18                                         1, 8, 10, 13, 15, 17
2. COMPREHENSION       1, 3, 4, 7, 9, 10, 13, 14, 15, 16, 17, 19     2, 3, 4, 5, 9, 16
1. CONCEPTUALIZATION   2, 11, 12

[ ] Infoage


CHAPTER 7 RISK EXPOSURES AND THE INTERNAL CONTROL STRUCTURE

DISCUSSION QUESTIONS

DQ 7-1. A response to a manager who states that her firm does not need accounting control over cash, since only one person handles cash and she can be trusted, might include the following points:

a. Without controls, it is not possible to be certain ("to know") that she can be trusted.

b. Even if she can be presumed to be honest, it is not fair to tempt her by the absence of controls.

c. It is not fair to her in another respect: if a shortage in funds occurs, it will appear to be her fault (even though she may be entirely innocent).

d. Also, what happens when she becomes sick, takes a vacation, or resigns? With no other persons involved in the cash procedure, it may be difficult to determine the cash position. Without documentation (a key type of accounting control), it would be difficult for another person to handle the cash-related procedures in an efficient or error-free manner.

e. In any case, it is desirable to have more than one person involved in each procedure. In addition to reducing temptation, the use of two or more persons in each procedure enables one person to check the work of another, and hence to reduce the likelihood of errors.

f. If the firm is subject to the Securities Exchange Act of 1934, it is required by the Foreign Corrupt Practices Act of 1977 to maintain adequate internal accounting controls.

g. If the firm is very small, and hence the involvement of two or more persons in cash-related procedures is not very feasible, other controls (e.g., lock boxes) can still be employed.

h. Finally, the installation of a sound system of internal accounting controls (to the extent feasible) can be good "business", since it can reduce the costs involved in audits of the firm's accounting records.

DQ 7-2. Examples of high risk exposures are: (1) high value but small sized items of merchandise, such as electronic components, miniature cameras, cigarette packs, etc., (2) negotiable securities, such as Treasury bonds, (3) vehicles that are vulnerable and expensive, such as company limousines, and (4) frequent transactions such as purchases. Examples of low risk exposures are: (1) bulky facilities that are located in relatively safe areas, such as conference tables, (2) low value merchandise or supplies, such as asphalt siding or roofing tar, and (3) infrequent but low value transactions such as disposals of depreciated assets.

DQ 7-3. At the time of writing the Solutions Manual, the Web site could not be accessed.



DQ 7-4. Information that can be found at this site:
• About the Institute of Internal Auditors
• The Profession
• Academic Relations
• Annual Report
• Audit Specialty & Industry Specific Groups
• Auditor's Discussion Groups
• CAE Services
• Career Opportunities
• Certifications
• Chapters and National Institutes
• Corporate Partners
• Conferences
• CSA Center
• Educational Products
• Email/Phone
• Event Calendar
• Governance Draft report
• Guidance Task Force
• Membership
• News Release Archives
• Periodicals
• Professional Issues
• Professional Practices Pamphlets
• Quality & Benchmarking
• Research Foundation
• Seminars
• Standards
• Technology issues

CSA, a powerful governance tool, can help auditors, management, and other functions examine and assess business processes and control effectiveness within the organization. CSA involves interaction between auditors or other facilitators and auditees. Through the CSA process, auditees learn more about controls and their own responsibility regarding controls. They become involved in executing controls and maintaining an effective control environment. (Description of CSA is provided by the IIA Web-Site)

Major periodicals published by the IIA are:
• AuditWire
• Connections
• CSA Sentinel
• The Gaming AUDITORium
• The IIA Educator
• Internal Auditor
• The Leader's Link
• Tone at the Top

Some seminars sponsored by the association are:
• The IIA's Core Curriculum
• Internal Control Curriculum
• Information Technology Curriculum
• Customized Seminars

Information technology issues covered at the site include:
• Issues related to Year 2000
• Email Policies
• Managing Security
• Computer Assisted Audit Tools
• Current Impact of IT on Internal Auditing

DQ 7-5. When a manual information system is converted to a computer-based system, certain types of errors are eliminated. These errors include the following:

a. Calculation errors, e.g., calculations of extensions, column totals, etc. These errors are generally eliminated by means of the hardware controls built into computers.

b. Input data errors, such as invalid identification numbers, unreasonable quantities or amounts, incorrect mode of data (e.g., alphabetic instead of numeric) are generally detected by means of programmed checks.

c. Incomplete data errors, such as the omission of a purchase order number. These errors are generally detected by means of completeness checks.

d. Posting errors, e.g., posting to the wrong master file, to the wrong account in a file, to a file containing data pertaining to the wrong point in time (e.g., day). These errors can be detected by internal label checks and by posting or matching checks.
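The checks named in items a through d, applied to a small batch of keyed purchase transactions, as an added example that is not part of the solutions manual. The field names, supplier list, quantity limit, file label and sample records are all constructed for illustration.

```python
import re
from datetime import date
from decimal import Decimal

# Constructed reference data (assumptions for this example).
VALID_SUPPLIERS = {"S-100", "S-200", "S-300"}   # keys on the supplier master file
MAX_QUANTITY = 5000                              # reasonableness limit per order line
REQUIRED_FIELDS = ("po_number", "supplier_no", "quantity", "unit_price")
QUANTITY_RE = re.compile(r"[0-9]+")                  # numeric mode, ASCII digits only
PRICE_RE = re.compile(r"[0-9]+(\.[0-9]{1,2})?")      # dollars with optional cents


def _field(txn, name):
    """Return a field as stripped text; a missing field becomes an empty string."""
    value = txn.get(name)
    return "" if value is None else str(value).strip()


def edit_checks(txn):
    """Return the names of the programmed checks that a keyed transaction fails."""
    failures = []
    # Completeness check: every required field is present and non-blank.
    missing = [name for name in REQUIRED_FIELDS if not _field(txn, name)]
    if missing:
        failures.append("completeness:" + ",".join(missing))
    # Mode (field) check: numeric fields hold only numeric characters.
    quantity = _field(txn, "quantity")
    quantity_ok = bool(QUANTITY_RE.fullmatch(quantity))
    if quantity and not quantity_ok:
        failures.append("mode:quantity")
    price = _field(txn, "unit_price")
    if price and not PRICE_RE.fullmatch(price):
        failures.append("mode:unit_price")
    # Validity check: the identification number exists on the master file.
    supplier = _field(txn, "supplier_no")
    if supplier and supplier not in VALID_SUPPLIERS:
        failures.append("validity:supplier_no")
    # Reasonableness check: the quantity falls inside the expected range.
    if quantity_ok and not 0 < int(quantity) <= MAX_QUANTITY:
        failures.append("reasonableness:quantity")
    return failures


def label_check(file_label, expected_name, processing_date):
    """Internal label check: right master file, right accounting period."""
    return (file_label.get("file_name") == expected_name
            and file_label.get("period") == processing_date.strftime("%Y-%m"))


def process_batch(batch, file_label, processing_date):
    """Post clean transactions; return (accepted, rejected) without posting bad ones."""
    if not label_check(file_label, "PURCHASES_MASTER", processing_date):
        raise ValueError("internal label check failed: wrong master file or period")
    accepted, rejected = [], []
    for txn in batch:
        failures = edit_checks(txn)
        if failures:
            rejected.append((_field(txn, "po_number") or "<none>", failures))
            continue
        # The extension is computed by the program, never keyed by the clerk.
        extension = int(_field(txn, "quantity")) * Decimal(_field(txn, "unit_price"))
        accepted.append({**txn, "extension": extension})
    return accepted, rejected


# Constructed sample batch: one clean record and three with keying errors.
BATCH = [
    {"po_number": "PO-1001", "supplier_no": "S-100", "quantity": "12", "unit_price": "4.50"},
    {"po_number": "", "supplier_no": "S-200", "quantity": "40", "unit_price": "1.25"},
    {"po_number": "PO-1003", "supplier_no": "S-999", "quantity": "4O", "unit_price": "2.00"},
    {"po_number": "PO-1004", "supplier_no": "S-300", "quantity": "90000", "unit_price": "0.10"},
]
LABEL = {"file_name": "PURCHASES_MASTER", "period": "1999-03"}

if __name__ == "__main__":
    posted, refused = process_batch(BATCH, LABEL, date(1999, 3, 2))
    print("accepted:", [(t["po_number"], t["extension"]) for t in posted])
    for po_number, reasons in refused:
        print("rejected:", po_number, reasons)
```

Rejected records are returned with the name of each failed check, so a clerk can correct and re-enter them instead of the batch posting partially wrong data.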

While it is not possible to eliminate all errors when computer-based information systems are introduced, the number of errors can be significantly reduced.

DQ 7-6. When a firm converts from a manual AIS to a computer-based AIS, the conversion has the following effects on the listed parties:

a. An accountant who is intent on embezzling funds may be hindered by the greater complexity of the computer system and by the fact that the data are stored on computer files in invisible form. However, if he or she becomes familiar with the workings of the system, especially the operating system and the application programs, the accountant might be able to embezzle more easily if adequate controls and security measures are not installed. Moreover, the complexity of the system might enable the accountant to hide the embezzlement for a longer period.

b. A competitor who is intent on accessing confidential files can be hindered if effective security measures such as passwords, callback procedures, and encryption are established and maintained continuously. However, because a computer-based system, especially a system that includes transmissions over communications lines and allows on-line access, is inherently vulnerable, it unfortunately is not too difficult for a determined and persistent competitor to find a way to access the files of the typical organization today.

c. A disgruntled ex-employee who is intent on disrupting data processing operations is aided if the computer system is centralized in a mainframe computer, since he or she can focus on one localized area rather than numerous manual processing points. The ex-employee could gain access to the computer room and easily disable the computer, or could gain access to the system via a terminal and enter erroneous data or erase data from files. However, if the computer room and terminals are adequately safeguarded via security measures, the ex-employee could be more effectively hindered from causing disruptions than in the case of a manual processing system.

DQ 7-7.
• Rapidly changing technology
• Ever-changing tax laws
• Change from centralized structure to work teams
• Accessibility of committing crimes via the computer
• Intangible controls are more long-term because they tie in personal as well as organizational ethics
• Companies understand the value of trusting employees

Both hard and soft controls need to be present depending on size and type of the organization. Larger/centralized structures should place more emphasis on tangible internal controls while smaller/decentralized structures should place more emphasis on intangible internal controls.

DQ 7-8. If the significant improvement in quality of data will be conducive to higher benefits for the firm, it is recommended that the company invest the additional 45 percent. Factors to consider are as follows:
• Importance of reducing risk exposure
• Total costs related to implementation of the system including one-time, recurring, opportunity, and losses caused by control failure
• The seven steps to conducting a cost benefit analysis (Figure 7-7)

DQ 7-9. Losses of dollars and lives more likely than not occurred due to the teenage hacker. The court system must decide on how to punish these individuals in order to lower the risk of future attacks by hackers. Punishments such as the slap on the wrist as described in the Discussion Question will not deter other hackers from committing similar crimes.

DQ 7-10. Differences between small and mid-size firms in performing on-going and periodic monitoring activities arise from the differences in size and complexity. Generally, larger firms can afford more structured and elaborate monitoring. Also, if the internal and external environment of the firm is simple, the monitoring can also be easier and perhaps informal. In a small public accounting firm, the owner CPA is closely involved in the daily business operations, and can quickly spot deviations in critical processes and uncover inaccuracies in the reports she receives. She understands her business well. Many of the on-going and periodic monitoring activities she would follow may not have been documented; however, she knows and understands the value of informal monitoring activities. Being a CPA, her awareness level on internal control structure may be high; not all small businesses may emphasize monitoring activities to the same degree. Also, she is familiar with correspondence with regulators and with complaints received from vendors and customers, which may indicate a breakdown in the control process over time. A mid-size firm can also conduct its monitoring activities. For example, the president may review reports of daily amounts deposited, and visit the inventory room to gain a perspective on how much inventory exists. He or she may ask the accountant to perform periodic evaluation of internal controls, since there is no separate internal audit function within the firm. Annually, an external auditing firm conducts an in-depth, independent evaluation of the internal control structure and performs a financial audit. Compared to a small firm, a mid-size firm can be expected to have more, more sophisticated, and formal monitoring activities.

DQ 7-11. The board of directors can significantly influence its firm’s internal control structure:
• Board can select a very qualified external audit committee to perform specific functions to detect control deficiencies and irregularities
• Follow recommendations set by the audit committee
• Stress importance of a strong internal control structure to management
• Conduct yearly review of internal control structure by the external audit committee

To reduce instances of material fraud:
• Identify risk exposures and take appropriate action
• Require the implementation of both tangible and intangible controls
• Provide strict enforcement of management policies and control procedures
• Be aware of computer crimes and take preventive action
• Require a review of committed/attempted fraud(s) by the external audit committee of the board

DQ 7-12. Internal control structures can never be regarded as completely effective. The effectiveness depends on the competency and dependability of the employees. Unethical behaviors of managers can weaken the internal control structure. Through unethical behavior, managers can have a negative impact on the internal control structure. See list below:
• Managers can overstate inventory counts to conceal theft
• Fraud could be committed through collusion
• Managers could manipulate and produce false financial statements
• Managers could misappropriate assets

Generally, the higher the level of manager, the greater the likelihood that fewer internal controls exist to detect violations; consequently, the integrity, trust, and ethical conduct of the manager are substantially all that one can rely on for control and security purposes. Ironically, the higher the level of manager, the greater the impact of unethical conduct, both in terms of economic and other consequences on the firm.

Note: Internal control structures cannot be completely effective and can only provide reasonable assurance of detecting fraud and errors. Management philosophy and ethical employee conduct must also complement each other to have a strong internal control structure.



DQ 7-13. Time cards and attendance sheets provide control over the number of hours employees actually worked during a pay period. Hours worked are also reconciled with outputs achieved. For example, an engineering firm would ask its employees to account for billable hours and an explanation of how the remaining time was spent (administration, committee work, etc.). These data provide an operational control. Moreover, these data are also used in the payroll preparation and distribution, which in turn will have financial accounting and reporting implications. Also important is the dimension of customer billing, which is supported by billable hours included in the employee productivity reports. Thus, customer billing is supported by the accepted bid (which includes hours approved for the project and rate for each skill level), and employee hours on the project. A financial reporting control can help to meet the compliance objective. For example, labor distribution summary, which reconciles wages paid against wages accounted for as manufacturing overhead, work-in process, finished goods, administrative expenses, sales expenses, etc. provides the basis for compliance with generally accepted accounting principles for recording assets and expenses.

DQ 7-14. Certain risk exposures are interrelated, in that an exposure in a pair tends to cause or heighten the degree of the other exposure. Among the variety of examples that might be offered are the following:

a. A disgruntled employee in a small business (which prevents adequate organizational independence) and the handling by the business of large amounts of currency (rather than checks and other forms of cash).

b. Poorly trained employees and a highly sophisticated computer system that contains most of the data of the business.

DQ 7-15. Formal internal control structures are constructed on the basis of a key assumption: If the structure incorporates sufficient controls and security measures, such as organizational independence and sound procedures, their presence should deter employees and others from committing fraudulent acts. Presumably an employee will be much less likely to commit such an act, for instance, if collusion with one or more other employees is necessary for a fraudulent purpose to be achieved. That is, an individual would apparently be reluctant to suggest an irregularity to another, because there is a high risk that the other person might report the instigator to a superior, or at the very least, might think poorly of the instigator. Thus, a soundly constructed structure of controls is relatively safe from fraud. However, certain behavioral tendencies appear to be at variance with the above-mentioned assumption. For instance, informal group pressures very often inhibit employees from "informing" on other employees. Also, the presence of controls may represent a threat to certain types of employees, who may become resentful and attempt to "beat the system" even if such acts constitute fraud and even sabotage. Even those employees who do not feel active resentment may be indifferent to their firm's welfare. Thus, they may overlook instances of fraud that they accidentally discover. They may even ignore certain prescribed procedures (e.g., a receiving clerk may not count received goods, or an accounts payable clerk may not compare relevant documents pertaining to suppliers' invoices), which if performed carefully might uncover instances of fraud.

DQ 7-16. It is generally true that a firm that maintains a strong internal control structure is most likely to succeed in achieving its financial and nonfinancial objectives. All five components of the ICS need to be managed in a dynamic way by the firm to achieve success. For example, the firm should be able to successfully identify significant external risks as they arise, and to manage the identified relevant risks. The probability of a firm achieving such a delicate balance varies across firms and industries. Consequently, “success stories” vary in the degree of success of the firms involved.

DQ 7-17. Internal control structure consists of five components: control environment, risk assessment, control activities, information and communication, and monitoring. The roles and responsibilities of managers, Board of Directors, internal auditors, external auditors, and chief financial officers vary across these components. Board of Directors has the overall responsibility of maintaining an effective internal control structure. The Board carries out this responsibility through top management, and its own subcommittees, such as an audit committee. The audit committee has an overriding responsibility to establish an internal audit function, to review the scope and status of audits, and to review audit findings with the board and ensure that management has taken proper action recommended in the audit report and letter of reportable conditions. The audit committee also maintains a direct line of communication among the board, management, external auditors, and internal auditors, and reviews the audited financial statements with the external auditors and the board of directors. Moreover, the committee evaluates the internal audit function, supervises special investigations, and checks on compliance with laws and regulations and with corporate codes of conduct. In contrast, internal auditors are involved in the actual design, implementation, and evaluation of internal controls. They perform risk assessment, define control activities, design information and communication features, and help monitor activities. Internal auditors are involved in managing the ICS on a continuous basis; external auditors perform a separate, independent evaluation of internal controls, and perform different kinds of audits and assessments. The nature of work done by internal and external auditors is quite similar. Consequently, an effective internal audit function facilitates the external audit. Chief financial officers are essentially users and beneficiaries of the ICS. 
The ICS ensures that the assets are safeguarded, are used for intended and authorized purposes, and that information generated is reliable and accurate. Managers are also users and beneficiaries of the ICS. Depending on their level, position, and role within the organization structure, they may be involved in all or any of the five control components. For example, the chief information officer can be expected to be involved in the discussions on the nature and degree of computer-based controls to be implemented in an electronic data interchange network to be designed for the firm.

DQ 7-18. Firms ignore risks due to the following reasons:

• Leadership of the firm does not see such risks as a major threat to business
• Lack of knowledge related to the technology
• The absence of development of adequate technology to control emerging technology
• The ever-changing pace of the technology
• The sense of urgency to implement new technology to seize competitive advantage
• High cost to implement controls
• Lack of personnel to address such issues
• Lack of skills to implement controls

Susceptibility to Financial Risk

• Management could show negative actions or inertia towards shaping the control environment through the new technologies
• Organizations might not be able to hire competent employees to oversee and maintain, or control, the new technologies
• Management might not be able to assess risk appropriately due to the new technologies
• Problems relating to the new technologies might affect timely communication of information throughout the firm
• There is a greater likelihood of disruption, which may cause loss of data or may produce unreliable data.

Susceptibility to Operational Risk

• Employees might not have adequate training to complete routine tasks through the new technologies
• Disgruntled employees might purposely do damage to data files and hardware components
• Fraud may occur due to collusion between various employees
• Computer hackers could obtain access to confidential data files

DQ 7-19. The main objective of the Association of Certified Fraud Examiners is to reduce the incidence of fraud and white-collar crime through prevention and education. The association offers the Uniform Certified Fraud Examiner certification. The White Paper is a bimonthly magazine devoted to timely, insightful articles on white-collar crime and fraud examination techniques.

The EthicsLine is a toll-free number (800-500-0333) used to anonymously report allegations of ethical violations, fraud, waste, and abuse. Companies may subscribe to EthicsLine in order to provide employees with someone to call if they suspect something is amiss. The EthicsLine can be effective for companies that strive to provide additional assistance in case of problems arising from their jobs or in their organizations. There are no typical perpetrators of fraud and abuse. Perpetrators can range from the young bank teller to the older, more sophisticated business person. Main methods of committing the crimes include asset misappropriation, corruption, false statements, false overtime, petty theft and pilferage, use of company property for personal benefit, and payroll and sick time abuses. Fraud and abuse cost U.S. organizations more than $400 billion annually. Employees frequently commit occupational fraud and abuse as a way of "getting back" at the organization for perceived workplace injustices. Occupational fraud and abuse cannot be eliminated in the workforce, but its costs can be reduced by providing an open environment where there is a balance between trusting the employees too much and too little.

DQ 7-20. The computer virus problem is getting out of control due to the following reasons:

• Known viruses are growing at an exponential rate every year.
• Networked, boundary-less, virtual systems are linked with the external world. This exposure makes the transmission of viruses much easier.
• Mainstream programming languages are making it easier for people to program viruses.
• Lack of user education/awareness causes infected programs and data to spread the virus and make recoveries even more difficult.
• Lack of use of good antivirus software programs causes the infected areas to remain infected.

Solutions:

• Purchase and implement a highly effective antivirus software program.
• Upgrade the antivirus program for every available revision so that recent viruses for which the program is modified can be treated.
• Set up an alert system.
• Organize a team of employees charged with the responsibilities to manage the risk exposures from viruses.
• Educate users on the potential problems of viruses and how to prevent the problems.
• Design and implement procedures for backup and recovery.
• Scan all executable attachments before opening files.
• If viruses do attack and data are lost, utilize the services of companies that can recover the data.
• Limit employee access to the Internet, and all available LANs and WANs, according to what his/her responsibilities warrant.

Note: There does not seem to be a foolproof solution to this problem, unless someone decides not to use the computer at all. However, a variety of overlapping proactive, preventive, detective and corrective steps could minimize the consequences.



PROBLEMS

7-1. a. See Discussion Question 1. The response here would be similar if not identical.

b. The presence of adequate controls can reduce the costs involved in auditing the firm’s AIS. Also, the benefits such as reliable information, better protection of assets, and so on can have cumulative value that greatly exceeds the costs of the controls.

c. The implication of stealing could occur if there ever was any shortage and proper internal controls were not in place. There can be instances where shortage occurs because of errors or omissions. In all such cases, appropriate internal controls would permit the detection of discrepancies and corrective actions, where necessary. It is crucial for a firm to have trusted employees, but that should not be used either as an excuse to not implement internal controls or as a substitute for internal controls.

d. Among the difficulties in establishing a sound internal control structure are the following: (1) Gaining the commitment and financial support of Jane. (2) Determining the points at which controls are needed and the degree of risk exposure at each point. (3) Arranging adequate separation of responsibilities between the two employees in handling the various transactions. (4) Motivating the employees to be control-conscious and hence to make the internal control structure workable.

e. For a small firm, a complete consideration of all five components is necessary, but a formal implementation of each may not be necessary. Because of the size of the firm and due to the owner involvement in nearly all aspects of the business, many of the needs met by a formal ICS in a large firm may be met by informal procedures and owner involvement. For example, the owner would review customer complaints, reconcile bank statements, make bank deposits personally, or assist in processing sales. In this manner, the monitoring of activities is done by the owner/manager on a continuous basis, and the absence of an internal control function or the lack of effective segregation of duties can be more than offset by the presence and the role of the owner/manager. Note, however, that the recognition of exposures and how they will be managed should ideally be a conscious consideration; otherwise, some exposures may remain uncontrolled.

f. Several checks can be designed as a part of the operating procedures to detect if the internal controls are “working.” For example, a day, date, and time stamp on every piece of mail received in the morning could reveal if the checks received in the morning were deposited the same day. A duplicate copy of the cash register transactions log inaccessible to the cashier would record cash received, the date and time of the transaction, and the amount. Sequentially numbered documents would help preserve the sequence of transactions, such as purchases and sales.

7-2. a. Human resource policies and practices. Under budget reduction pressures, discretionary items impacting the long run are the first to be cut. Consequently, training budgets are always under pressure. The management must make supervisors responsible for appropriate training and professional development of their subordinates. Additionally, any proposed reductions in training costs should be subject to approval by the top level in the firm.

b. Integrity and ethical values. Pressures to perform will exist in the corporate arena. However, managers should possess high moral values and “live by” the code of conduct. Top management should be aware of such pressures, arising from their own actions, and should encourage an open dialog so that compromises in integrity do not result. Note that the subcomponent, management philosophy and operating style, is a contributing factor in this situation.

c. Organization structure. In this situation, an effective separation of duties does not exist. The controller’s function and internal audit are incompatible functions. A solution lies in making the internal audit function report directly to the president.

d. Management philosophy and operating style. Regardless of how this issue gets noticed, the board of directors should deal with it. The audit committee of the board should be assigned the task of investigating the issue, with the help of both internal and external auditors. Findings should be discussed at the board level. A process for making choices between alternative accounting principles must be adopted and responsibility for the process must be assigned to a high level manager. Decisions of the top management must be routinely reviewed by the audit committee.

e. Assignment of authority and responsibility. The firm should establish a reporting system for the responsibilities assigned to the top management. The board should regularly review the top management’s performance.

f. Human resource policies and practices. Policies and practices of human resource management must be documented and enforced. Any violations of the procedures must be reviewed and, if necessary, reported to higher levels.

g. Commitment to competence. The company must recruit and staff all positions with personnel who have the knowledge and skills to accomplish a job at a satisfactory level of performance.

h. Management philosophy and operating style. See (d) above.

7-3. a. Human resource policies and practices. Whereas this might be indicative of deep rooted problems within the firm, the proximate cause seems to be the human resource policies and practices. The firm should institute periodic feedback from employees, employee satisfaction surveys, periodic performance evaluations, planned and approved training program, and exit interviews. Such measures can reveal problems and concerns that need to be addressed to improve employee retention.

b. Assignment of authority and responsibility. It is crucial to have approved job descriptions and responsibilities. Without such documentation, it would be difficult to hold employees accountable for their duties, their quality and level of performance.

c. Human resource policies and practices. Employee training and development are important factors in achieving the goals of the firm. Without competent people who continue to learn and strive for the organization, success of the firm will be compromised. The policy of not offering any more than a one-time, two-week, formal training session may have evolved on account of various reasons (e.g., budget-related pressures), but it needs to be reported to higher management, reexamined, and corrected.

d. Management philosophy and operating style. Leadership at the top can exert a great deal of influence on the risk orientation of the firm, sometimes at the peril of taking the firm down to bankruptcy. Appropriate control could come from the Board of Directors of the firm. The Board should assess the overall strategies of management and, where appropriate, exert influence to control such risk.

e. Management philosophy and operating style. An open communication with and continuous feedback from customers and employees should be a positive factor for an organization’s success. The risks of failing are high when top management does not communicate well with the customers and employees. Appropriate control could come from the Board of Directors or its subcommittee. Sometimes, a major change in the management team may be necessary to correct the situation.

f. Management philosophy and operating style. It is top management’s responsibility to instill corporate culture and values among members of the firm. A failure to do so can result in questionable practices. For a small firm, the only intervention likely to make a difference would probably be from the owner(s). A change in leadership may be necessary to correct the situation.

g. Human resource policies and practices. Any compromise in effective and established recruiting policies could only be harmful to the organization, although some short-term cost savings could result from such practices. To recruit and retain competent employees, the practice of on-site interviews should be reinstated. The matter should be brought to top management’s attention, so that it can be investigated and corrected.

h. Organization structure. Unless the firm clearly defines and communicates the roles and responsibilities of its employees, and the reporting relationships within the structure, accountability would be difficult to enforce and chaos would result. A corrective action would be to document and convey the organization structure, so that errors can be avoided in the future.

7-4. a. Control environment. The company should prepare and adopt a written code of corporate conduct, which determines the appropriate tone of employee behavior. The management philosophy and operating style should constantly reinforce ethical behavior and should nurture and support a culture that encourages ethical behavior.

b. Monitoring. In this case, monitoring of on-going activities was not carried out properly. The supervisors responsible for monitoring should be asked to correct the situation.

c. Risk assessment. Although the catastrophe was “unanticipated,” its occurrence was probable (once in every five years on average). The risk should have been identified and managed. This weakness cannot be corrected in this case, since the company has gone out of business. However, for a viable company, disaster recovery planning, including insurance coverage for the contingency, could have prevented the demise of the company.

d. Information and communication. Information must be identified, processed, and communicated to the appropriate managers and key employees, so that they can run and control the business. The suspected impropriety should have been discussed by the cost accountant with the manager to whom the plant manager reports, and/or with his/her own supervisor.

e. Control activities. Among the general controls for activities related to computer information processing, controls related to the information systems development life cycle must be included. Such controls, when implemented, provide assurance that systems and applications developed are authorized and are consistent with the standards and protocols of the firm.

f. Control environment. Failure to identify a major weakness in the internal control system points to the failure to hire competent employees (commitment to competence). The weakness has been corrected by following the option of outsourcing the internal audit function. Another option would be to replace the key staff in the area.

g. Control environment. Integrity and ethical values and management philosophy and operating style are the root cause in this case. When top management is involved, it is difficult to correct the weakness, for their authority and responsibilities reside at the highest, leadership level. In this case, the board of directors or its appropriate subcommittee should hold a special meeting to address the situation. (The facts in this case suggest that management did reverse its position, conveyed the truth, and made a commitment to its customers.)

h. Information and communication. Although this information is correctly reported at this time, it may be too late to take any corrective actions. The information and communication component should support dynamically the operation and control of the business. An earlier feedback in some form could have prevented the situation or the loss of sales.

7-5. a. Control environment. Mere documentation of a code of conduct is not sufficient; its practice and enforcement is the key to an effective control environment. In this case, management should set the tone of practicing what is documented. Periodic review of concerns, issues, and violations related to the code of conduct should be conducted by a committee that is chaired by a senior manager.

b. Although a lack of information communication and monitoring seem to have played a part in this situation, the central cause is the absence of control activities. The district manager should have made independent checks on the reports submitted by the three regional managers. The lack of guidance from the district manager is not enough to justify overstatement of the year-end inventory. Consequently, the question of integrity of the regional managers also arises in this case. An independent review of the situation must be initiated by the superior of the district manager, and its results should help identify corrective actions.

c. Risk assessment. Before implementing the client-server system, the questionable reliability of the system should have been studied as a part of the overall assessment of risk exposures in this move. The reliability problems of client-server systems have been adequately discussed by experts in the field. The corrective action at this time may lie in managing the risk of system failures. Existing security and control measures (e.g., backup and recovery, contingency planning) should be reviewed in light of new or enhanced risks presented by the client-server system, and additional measures should be taken, where appropriate.

d. Control environment. A code of conduct sets the tone of values and culture of the organization. Its absence could compromise the entire control environment within the firm. Unfortunately, very few controls exist over actions of top management. Possibly, the Board of Directors or its appropriate subcommittee could exert influence to help revert management’s decision.

e. Control activities. The production manager should make independent checks to verify the reliability of information the manager receives. A review by the manager’s superior and guidance for future action would certainly help avoid such problems in the future.

f. Control environment. When the Board or its audit committee fails to play its role in managing risk exposures, considerable damage might result because of the resulting lax attitude and lack of leadership. A change in the Board membership, or in the membership of the audit committee, could result in a more aggressive leadership role of this group in risk management.

g. Control environment. It appears that the communication of the firm’s code of conduct was limited and incomplete. If suppliers and other stakeholders are aware of the standards, there would be less pressure on the employees to explain the standard and decline gifts. It is difficult for employees to decline a positive gesture of gratitude, especially if it is from a customer of the firm. Employees should be informed as to what might be considered a proper course of action to follow under such difficult situations. Employee education in, and widespread communication of, ethical standards is necessary in this case.

h. Control environment. When top management lacks integrity, the probable impact of risk is high, and controllability of the risk is very low. Only the owners of the business (Board or its subcommittee) can exert influence in this case.



7-6. Note: The listing of the weaknesses matches the listing of the impacts.

Weaknesses:
1. Control environment was weak due to the unethical behaviors displayed by top executives.
2. Management code of ethics failed to produce high integrity.
3. Reasonable assurance regarding the strength of the internal control structure was not provided because the audit committee was lax in performing its duties.
4. More than half the Board members were insiders and executives. Consequently, the internal control structure may have been weakened.
5. Formal expense reporting policies were not in place.
6. Top executives did not act as strong role models.
7. For a firm of its size, Goldent Company needed stronger formalized internal control standards and policies.
8. Style of management was overly aggressive with constant pressures to boost stock price.
9. Incentives depended on short-term profits.
10. The internal audit director reported directly to the CEO and rarely met with the corporate audit committee.
11. The manual labor intensive accounting software provided opportunities for unintentional as well as intentional errors.
12. Mr. Benson did not follow recommendations set by the external auditors.

Potential impact of each weakness:
1. Employees would follow by example and also display unethical behaviors.
2. Personal code of ethics might have contradicted the poor management code of ethics. Good employees might have terminated their employment.
3. The assessment of the internal control structure was not appropriate.
4. Management was negatively dominated by a small, powerful, and influential group.
5. Unreliable financial reporting was a standard practice and the accounting system was inadequate.
6. Lower ranked employees did not have good guidance.
7. The company’s current internal control structure procedures and policies were inadequate.
8. Employees had incentives and were pressured to display unethical behaviors to meet top management’s demands to raise the stock price.
9. Employees had incentives and were pressured to display unethical behaviors to meet top management’s demands to raise the stock price.
10. Management philosophy and operating style has a significant influence on the control environment.
11. Fictitious reporting occurred.
12. Benson and other executives recklessly managed the company.

7-7. a. Abuses and crimes to which a typical university computer network serving all users is subject include the following:
A. Sabotage of the computer system, such as damaging equipment.
B. Theft of components of the computer system, such as microcomputers.
C. Destroying data in computer-based files (perhaps by means of magnets).
D. Ignoring preventive maintenance, thereby inviting possible breakdowns.
E. Borrowing microcomputers and other components for use at home (perhaps over weekends).
F. Utilizing software from computer network for personal gain.
G. Accessing and viewing of data files by “hackers” from off-campus.
H. Accessing of student files and changing grades.
I. Accessing of parking files and removing files.
J. Accessing of library files and removing records of charged-out books.
K. Entry of new records for fictitious employees, so that paychecks will be mailed to the addresses provided.
L. Entry of fictitious payments of tuition for registered students.

b. Note: To address this requirement, ask a group of students from the class to interview the internal auditor of the university or college. Alternatively, you may invite the internal auditor to your class to discuss this requirement. If an internal auditor is not appointed at your university or college, the external auditors may be interviewed or invited to the class.

The comments included here are not based on any empirical evidence. Hence, they are more in the form of postulates or hypotheses rather than facts. First, most not-for-profit organizations suffer from a paucity of funding. Consequently, less is invested or spent on internal controls. (There may be exceptions, for example, the Federal Reserve Bank.) Second, most not-for-profit organizations are formed in the spirit of service, where trust is assumed. A higher level of expected trust might lower the perceived significance of the internal control structure. Third, universities and certain not-for-profit organizations (e.g., hospitals) experience a constant flow of customers (students, patients) with a high degree of turnover. Consequently, some of the controls (e.g., access to classrooms or libraries at a university) can only be broad in order for the control to be cost effective. Regardless of the type of environment and nature of constraints faced by such organizations, there exist standards and guidelines for the design, implementation, and maintenance of the internal control structure. Overall, the need for a sound internal control structure at not-for-profit organizations has been clearly expressed and is being addressed at most such organizations.

7-8. Control problems that are introduced by the new minicomputer system of Hot & Shot include the following:
A. The eight terminals connected to the minicomputer offer multiple points of access, so that it is easier for unauthorized persons to view and perhaps change data in the system. For instance, an employee who also happens to be a client (perhaps to have his or her tax return prepared) could change an amount billed to him or her for a sale.
B. Data stored on the on-line magnetic disk unit is vulnerable to loss, perhaps from a power outage or a person with malicious intent. For instance, all of the billing data could be wiped off the disk.
C. Many of the data processing steps are concentrated within the application programs executed by the minicomputer system. Thus, errors in processing procedures, which would be detected by the cross-checks of clerks in manual systems, could escape notice for extended periods. For instance, errors in the computation of sales taxes may occur with respect to each bill but be undetected for months.
D. The data entered into the minicomputer system are less likely to be screened beforehand by clerks than in a manual system. Thus, errors in input data remain undetected. For instance, the names or addresses of clients or the hours spent on various activities could be incorrect when entered for the purpose of preparing bills.
E. Data stored within the minicomputer system are invisible and unreadable by humans. For instance, listings of billings cannot be used by the office manager until they are printed onto hardcopy.
F. Audit trails may not be complete, especially if source documents (such as time reports) are not used.
G. Software packages may be incorrectly altered by the programmer, either through carelessness or through a desire for personal gain. For instance, the programmer might modify a payroll program to increase his salary level.
H. The components of the minicomputer system are subject to damage or breakdowns, perhaps due to disasters, without backup equipment being available.



7-9.
A. If bank reconciliations are not prepared, various errors and omissions relating to cash may remain undetected. Instances include errors or omissions, made either by the bank or by the firm, in recording cash receipts or withdrawals or in preparing and/or recording debit or credit adjustments.
B. If comprehensive procedures manuals are not maintained, employees may perform improper steps or overlook certain steps in the procedures; thus, incorrect or undesirable results in processing might ensue.
C. If a receiving clerk is not required to list all items received and their quantities, he or she could accept the incoming goods as being in accordance with those ordered when in fact the received goods may be deficient or differ from those ordered.
D. If daily cash remittances are not listed when received in the mailroom, an employee could extract a check and destroy the accompanying remittance advice; if the totaled remittances are not compared to the deposit slip, an error in preparing the deposit slip could escape undetected.
E. If all cash received is not deposited intact in the bank the same day, the cash could be stolen during the night or sometime before it is deposited. Also, there could be a temptation to pay bills by a part of the cash, thereby increasing the likelihood of an occurrence such as described in C. in Problem 6-5.
F. If auditors do not examine the financial statements yearly, errors in processing transactions could go undetected and the year-end balances would be incorrect. Also, clerks or managers might not properly apply generally accepted accounting principles.

7-10. (Adapted from the Certified Internal Auditor Examination, May 1985, Part I, Question No. 43)

Activity: Transaction Execution
Risk 1) Unauthorized: a) Play of games; b) Collection of coins; c) Record of collection
Control 1) Proper authorization for each transaction: a) Machine counter; manager on duty; use of token system. b) Two-key system; dual collection system; dual custody of cash receipts. c) Record of cash; dual signature on cash summary; cash summaries
Risk 2) Theft or loss of cash
Control 2) Bonding of employees; segregation of duties

Activity: Transaction Recording
Risk 1) Incorrect account classification
Control 1) Chart of accounts
Risk 2) Incorrect time period
Control 2) Prenumbered documents; prompt record; sequenced documents
Risk 3) Incorrect amount
Control 3) Compare to deposit slip; independent verification by another clerk
Risk 4) Omit transaction or incomplete recording
Control 4) Independent verification

Activity: Access to Assets
Risk 1) Theft of games
Control 1) Manager on duty; use of token system
Risk 2) Theft of machines
Control 2) Physical control: safe, locks, keys, building security
Risk 3) Damage to machines
Control 3) Physical control (above); manager on duty; employee training
Risk 4) Theft of money
Control 4) Security of deposits in transit; dual custody; separation of control over records; rotation of duties; bonding of employees
Risk 5) Loss of money
Control 5) Same as above

Activity: Periodic Comparisons of Accountability
Risk 1) All risks previously discussed may not be under adequate control
Control 1) Segregation of duties
Control 2) Bank reconciliations
Control 3) Surprise inspections and/or surprise audits
Control 4) Analytic management reviews by machines, time, location, etc.
Control 5) Discussion of cost benefit compared to controlling risks

7-11. a. The firm’s internal control structure should change considerably. The new system brings more of an open environment, where information is shared not only within the firm but also with external parties. Risks of distributed systems arise from diversity: more and different hardware components, and constant communication and sharing of programs and data. Risks of loss of data and even systems downtime increase in a distributed environment.
• Company must be committed to recruiting competent employees to work in the new distributed network environment.
• Allow faster communication of information between employees, suppliers, and customers
• Company must monitor the new system to continuously evaluate the activities
• Operation control processes will provide numerous benefits because the new system will increase effectiveness and efficiency in the day-to-day operating tasks

b. Operational objectives:
• Company will have to educate the employees regarding how to effectively use the new system
• It would be essential to have a full commitment of vendors to work with the new EDI system as an integrated partner in the value-chain. Certain employees in vendor organizations will need to be trained by the vendors.
• Day-to-day tasks will be completed more efficiently and effectively.
• Company will be able to give a quick response to suppliers and customers.
• Target inventory levels are likely to be lower than in the past.
• Payments to vendors would be quicker, resulting in adjustments to cash float management.

Financial reporting objectives:
• Reports used by upper level managers will be updated to include the most current financial information
• On-line data can be made available for managers to use financial information to achieve targets set for their financial performance (e.g., inventory turnover).
• Because the transaction processing process will become more integrated, the company will be able to prepare more reliable financial statements

Compliance objectives:
• Because efficiency and effectiveness will increase, employees will be able to monitor the compliance to company standards while staying current with the relevant laws and regulations

c. 1. During installation of system:
• Installation might cause downtime of system and not allow information to be added, updated, and retrieved by employees during the conversion.
• Trouble-shooting can be more complex due to a variety of hardware, software and communication components and the multiplicity of vendors involved. This could cause delays in achieving on-time transition.
• Customers and suppliers might be delayed in receiving responses. Both customers and suppliers might be affected. Lost sales and stock-outs are likely.
• The conversion may take longer than expected.
• Reengineering goals may not be achieved fully, due to compromises made either to meet target dates or budgets.

2. After converting to the new system:
• Employees might not have the training to work effectively in the new environment.
• Skills required for the new environment could be scarce, causing cost overruns in salaries and benefits.
• The client-server technologists may not work well with the legacy systems technologists, causing morale problems.
• Computer hackers could do damage from outside the organization.

d. Risks are high during the installation of the system. Most of these arise from the nature of transition and corresponding uncertainties. This is a significant, non-linear change for the firm. Once in operation, risks associated with the new system are higher due to the “newness” of the system, diversity of components and resources, distributed processing, and sharing of data and programs. EDI adds to the virtuality of the system, causing additional control concerns. With the mainframe system, employees had a higher degree of comfort due to their familiarity with the system. In addition, a centralized, mainframe system is more amenable to control and security than an open system.



7-12. a. High risk areas include the following: • Integration of the EDI technology of company B with the merged company (A and B) • Change of risk exposure due to the corporate restructuring relating to difference between the two computer-based systems to be integrated. Since details are not available, the exact nature of exposures cannot be identified. • Operational control of the two companies might differ. b. Argument #2 is the most valid of the three. The control environment “sets the tone of an organization, influencing the control consciousness of its people.” It is the foundation that supports the internal control structure. If Company A believes that the reports are consistent with the management philosophy, then the reports support the internal control structure of company A. Note: Reconsidering Requirement (a) at this time, one might argue that the two companies, A and B, are very dissimilar in their approaches to internal control, and this might cause problems in post-merger integration of the two companies. c. Disagree. Although qualitative or intangible in nature, corporate culture is one of the most important factors in understanding the internal control environment and structure of a company. The corporate culture is directly connected to the integrity of the firm as well as the control environment. An overly aggressive corporate culture could predict a weak internal control structure. Differing corporate cultures will more likely than not provide problems for the two merging companies. d. 1. It can be logically inferred that Company A exhibits higher concern for compliance with the ethical standards set by the firm and not that it exhibits higher ethical standards. If the employees and top executives of company A do not follow the code of ethics and guidelines, this might prove that company A has a weak control environment. Assuming that policies at Company A are followed, one might conclude that the company exhibits higher ethical standards. 2. 
It cannot be logically inferred that company B will have an unsuccessful audit of ethical behavior due to the absence of a formal corporate code of ethics. Company B might have a strong control environment where it does not need a formal corporate code of ethics because high ethical practices are day-to-day practices. On the other hand, an audit of ethical behavior at Company B would be difficult to begin because of the absence of well-articulated policies of corporate conduct.

7-13. A. The elements of a legal definition of fraud are:
1. A false representation of a material fact;
2. (a) Representation made with knowledge of its falsity, or, (b) Sufficient knowledge lacking on which to base representation;
3. A person acts on the representation; and,
4. The person acting is damaged by their reliance.



B. The aspects of fraud in this case that correspond to the elements of fraud are: 1. (a) The charge of a one percent origination fee on certain commercial loans when none is to be charged (false representation), and, (b) The statement that the customer wanted a cashier’s check for the same amount as the original check; 2. The loan officer knowingly made both false representations; 3. The loan applicant (customer) acted on the representation, and 4. The customer was overcharged by the amount of the loan origination fee. C. Factors that allowed this fraud to occur are: 1. Allowing the loan officer to negotiate customer checks at teller windows without customer acknowledgment; 2. Allowing entries on the customer’s copy of loan documents that did not appear on the bank’s copy; and 3. Absence of a third person review and approval of the total loan package. D. The audit procedures that would have discovered this fraud are: 1. Review of unusual deposits, including a review of all account activity for bank employees, and, 2. Confirmation with applicant (customer) of loan detail. 7-14. A. While internal auditors should not be considered insurers or guarantors against fraud and irregularities, internal auditors are responsible for exercising due professional care in conducting their work. Due professional care requires that internal auditors should: • be alert to the possibility of errors and omissions, inefficiency, waste, ineffectiveness, and conflicts of interest. • have sufficient knowledge of fraud to be able to identify indicators that fraud might have been committed. B. Several steps that an internal auditor should take when fraud is suspected include: • informing the appropriate authorities within the organization. • documenting the activities that are suspected as being fraudulent. • recommending whatever investigation is considered necessary in the circumstances. 
• having the authority to inform higher levels of management, i.e., the audit committee or outside directors, if no action is taken to resolve suspected wrongdoing. C. At least two recommendations that the internal auditor should make for each of the three situations, in order to prevent similar problems in the future, are presented below. It should be noted that all recommendations should be evaluated on the basis of cost-benefit analyses. Situation 1 • Implement and communicate a company policy about the theft of goods and services and the penalties associated with such actions. • Permit the employees to purchase these tools at cost. Situation 2 • Implement better segregation of duties as the controller should not be able to order inventory, control the shipment of inventory, and subsequently authorize and issue payment for this inventory. – All purchases of inventory should be initiated by the Purchasing Department



Payments should not be made without the proper supporting documents, i.e., receiving documents signed by properly authorized personnel. • Shipments to other than normal locations should require separate authorization. Situation 3 • The Personnel Department should require employees to complete a termination form that states the last date worked and forward a copy of this form to the Payroll Department. • Checks should be distributed by the Payroll Department directly to the employee. 7-15. a. Frauds are usually classified as either internal or external. Internal frauds are committed by the managers or employees of a firm (e.g., preparation of phony inventory tickets to inflate ending inventory). External frauds are committed against the firm by nonemployee parties (e.g., scrap dealer takes away good metal parts along with the scrap). b. Financial frauds are concealed in one of two ways: on-book and off-book. On-book frauds involve concealing the fraudulent activity in the normal accounting records. For example, unauthorized cash could be drawn from the firm’s bank account, recorded as a credit in the regular books and records, and the theft could be disguised as a debit to a regular business expense. Off-book frauds are not concealed in the normal accounting records. These frauds are maintained off the books and are more difficult to uncover since no visible audit trail exists. For example, a bartender may record half the cash sales in the cash register and pocket the other half. c. The six types of potential fraud are: Misrepresentation of material facts, failure to disclose material facts, embezzlement, larceny, bribery, and illegal gratuity. There are several indicators of potential fraud evidenced in this scenario. One convenient way to help identify such indicators is to look for evidence of motive and opportunity to do wrong. 1. Motive (a) They may be buying the approval of their fellow managers by giving them expensive gifts. 
These costs may be in excess of their ability to legitimately pay. (b) They may be living in excess of their legitimate ability to pay. They have: (1) a light twin engine aircraft, which they often take on long trips, (2) a 40-acre farm, and (3) nice automobiles for both of their teenaged children. Most two-salaried families cannot afford all of these amenities. (c) They may have a very serious gambling problem. The scenario states that: (1) they often fly their airplane from their home to a resort for gambling trips and (2) they seldom win. 2. Opportunity (a) One spouse has sole custody of the organization’s vehicles and related replacement parts inventory. This is the access to assets that is so vital to the perpetration of a fraud. (b) The other spouse is Head of the Inventory Control Section of the Comptroller’s office. This is the access to records that is so vital to the perpetration of a fraud. (c) They are often the last persons to leave the workplace. Often that is late at night, after having let the guards leave the premises early. This provides the time to: (1) move bulky inventory items and (2) make changes in records (d) They never take the two-week vacation available to all management level personnel. This provides the continuity necessary to keep a fraud concealed. d. Yes, they do in some respects. For example, most directors are bright, well-educated, and highly motivated. They are used to accepting challenges. The director’s spouse (and also the



director) may have expensive tastes or habits, and may be suffering from addiction to drugs or gambling, or high living costs. e. There are several audit procedures that may help give evidence of fraud if it exists. One way to conveniently classify audit procedures is the: (1) observation of conditions, (2) interviewing of people and (3) examination of records. Interviewing may be premature at the earliest stage of a fraud investigation because of the risk of telegraphing the internal auditor’s concern, which may motivate the perpetrator to further conceal the evidence, or even flee. Of the two remaining classes of audit procedures, the examination of records is the place to begin. 1. Examination (a) The records of interest begin with: (1) purchases of assets for ultimate delivery to the Maintenance Department and (2) receipt of assets for ultimate delivery to the Maintenance Department. These help determine what should be accountable to the Maintenance Department. This is the standard. (b) A second set of records is the inventory accounts for the Maintenance Department. These help determine what the potentially irregular records claim to be accountable to the Maintenance Department. This is the actual. (c) A third set of records is that which relates to the disposition of assets. This is probably a subset of the questionable inventory records. None the less, they provide a point of departure. As such, they are another standard. (d) The dispositions should each be confirmable. The major ones of interest are those which relate to the alleged sale to some third party and those which allege that certain expendable items are used up, then thrown away. Confirmation of the first class of items can be obtained via letters of confirmation from the third parties coupled with cash receipts records from the Comptroller’s office. Confirmation of the disposition of used items will probably be analytical. The internal auditor will determine a reasonable usage rate. 
Thus, an industry standard becomes the measure of actual disposition. (e) A comparison is made between the standard and the actual, and the difference is investigated. 2. Observation (a) The accountable assets identified from the purchasing and receiving records, which the combined disposition/vendor confirmation/cash receipts records would suggest, should be observable. f.

Safeguards to prevent or deter fraud include the following:
1. Establish and enforce a strong written code of professional conduct.
2. Adopt and enforce sound personnel policies and controls (e.g., reference checks on employment applications).
3. Appoint a corporate audit committee of non-officer directors.
4. Establish a properly developed internal audit function.
5. Develop and implement a plan of continuing education and certification of the internal audit staff.
6. Adopt an auditing-through-the-computer approach (e.g., design and implement embedded audit routines).
7. Develop and implement systems development controls.
8. Require that complete and up-to-date documentation of systems be maintained.

7-16. (Adapted from the Certified Internal Auditor Examination, November 1989, Part I, Question No. 54)



A. The type of risk described in the purchases-related problem is fraud, which encompasses the illegal and intentional act of theft of assets. It is perpetrated by and for the benefit of the purchases journal clerk. Because the fraud is committed by a trusted employee, it may continue for an indefinite period without detection if adequate controls are not in place. B. The scheme can be classified as a larceny. Since the purchasing clerk does not have authorized possession of cash and is not responsible for cash disbursements, the scheme is not classified as embezzlement. The clerk takes away the firm’s property (cash) with the intent to spend it for personal use. Here, the intent to commit the crime and carrying away of the property occur simultaneously. Under most criminal statutes, embezzlement and larceny are types of theft. C. On-book plots involve some degree of manipulation of the books of accounts, usually through a journal entry. Off-book plots do not require any direct manipulation of the transactions involved in, or affected by the fraud. Since the clerk is responsible for purchases, it is possible for him/her to create and control the flow of fictitious transactions that result in the disbursement of cash, which eventually is received by the clerk. Depending on the creativity used by the criminal, either type of fraud could be very difficult to detect. Generally, a firm that has adopted a sound internal control structure should be able to detect on-book frauds relatively easily and quickly. This is because such frauds require the use of the firm’s books of accounts, where the recorded fictitious transactions are likely to be noticed for unusual nature or pattern, or an internal control or the audit process may trigger a review of such transactions. Off-book frauds are more difficult to uncover since no visible audit trail exists. D. Control procedures needed to detect and prevent this situation include the following: 1. 
Requiring that each check in payment of a purchase be supported by these documents: a purchase requisition that authorizes the purchase transactions, a purchase order that actually places the order with a valid supplier (vendor), a receiving report that reflects the actual physical receipt of the ordered goods within the firm, and an invoice from a valid and existing supplier (vendor). The person authorized to sign the check should review all the documents before signing.
2. Requiring that a vouching process be performed with respect to each invoice received from a supplier (vendor).
3. Sending each check directly to the mail room for delivery to the post office, and preventing access to the mail room by non-mailroom employees (such as accounting personnel).

E. An example of an off-book purchase fraud would be a series of authorized purchases by the clerk from a vendor, where the two parties agree that the prices of purchased items to be charged to the firm would be much higher. The difference between a normal price and the price charged is shared by the two parties. Thus, the clerk gets a personal check at home from the vendor (or an entity controlled by the vendor) regularly for his/her share of the overpriced purchases. Control procedures that could be useful in detecting or preventing off-book purchases fraud include the following:
1. For every item purchased, a list of authorized suppliers should be maintained. A higher level manager should be responsible for approving suppliers. Thus, all additions, deletions, and modifications of the list are controlled by those who are not directly involved in purchasing.



2. A price list of all items routinely purchased by the firm must be maintained and approved. Exception to the approved prices should require special permission from higher levels of management.
3. Materials purchased but never used must be investigated. Slow moving or obsolete inventory must be analyzed and persons responsible should be held accountable.
4. Inventory items valued at market under the Lower of Cost or Market rule must be carefully analyzed to identify what caused the drop in the value.

7-17. a.
• Damaged files within various application programs
• Many different employees complaining about similar damage to their files
• Data losses or inaccessibility of data or programs
• Unusually high systems resources utilization, e.g., the Internet on-line usage charges

b.
• Non-use of effective antivirus software
• Opening executable files through email attachments without scanning beforehand
• Using floppy disks from outside the organization without scanning for viruses

c. Agree. Computer viruses can delete and alter current data files. This in turn affects the integrity of the financial reporting process. Moreover, loss of data could result in an increased possibility of the loss of assets. Unfortunately, there is no foolproof remedy to the virus problem.

d. 1. Helpful information:
• Education about what a virus is
• History of viruses
• Types of viruses
• How to avoid infection
• What to do in case of infection

2. Harmful information:
• Computer criminals can use the list above to program viruses, or make it more difficult to prevent infections.

Education about the various types of viruses and how to prevent infection is a good way to prevent harm to the accounting system. This information should be shared with the rest of the organization to prevent the spreading of virus infections.



e. Virus detection for students will vary. It would be very surprising if students find no viruses at all. In a university setting, the spread of viruses is easy and quite common due to transfer of information on disks among students and faculty. This possibility is enhanced by usually poor controls against viruses in computer labs and classes.



CHAPTER 8

General Controls and Application Controls

OBJECTIVES              DISCUSSION QUESTIONS                        PROBLEMS
5. SYNTHESIS
4. EVALUATION           11                                          15, 16, 17, 18
3. APPLICATION          [15]                                        11, 13, 14
2. COMPREHENSION        1, 2, 6, 7, 8, 9, 10, 12, 14, 16, 17        1, 2, 3, 4, 5, 6, 7, 8, 9
1. CONCEPTUALIZATION    3, 4, 5, 13                                 10, 12

[ ] Infoage

CHAPTER 8 GENERAL CONTROLS AND APPLICATION CONTROLS DISCUSSION QUESTIONS DQ 8-1. General controls apply to all organizations. However, the emphasis placed on a specific control (or a group of controls) and how it is applied would vary across firms due to differences in the nature of business. For example, a small firm may not develop any software in-house; consequently, the system development life cycle controls may exist only to a limited degree. For example, the process of software evaluation, acquisition, installation, and documentation may apply only to purchased software. In contrast, a large firm may develop applications in-house and would require somewhat elaborate procedures to control such development activities. Both the small and the large firm are likely to have databases, therefore, controls such as access controls, concurrency controls, and echo checks apply to both. The operations of a large firm may be physically located in different places. If data were communicated electronically across these locations, it would be necessary to also have communication controls, which include user identification, password protection, level of access authorization, dial-back procedures, and perhaps even encryption of data. It appears that a small firm would have lesser need to implement communication controls. Finally, a larger firm has greater opportunity to implement organizational controls, documentation controls, and management practice controls. For example, the separation of systems development from systems operation, forced vacations, rotation of employees, systems documentation, back up and recovery procedures, and other such practices would be more visible at a large firm. These practices equally apply to a small firm, but may be informally implemented only to a degree that the size and operations of the firm would require them. DQ 8-2. 
As knowledge capital becomes more prevalent in the “information age,” soft controls are becoming more important than ever before. Hard controls are needed in order to safeguard assets and ensure business integrity. As people are equipped with more complex knowledge of technology and the infinite possibilities that it allows regarding unethical practices, soft controls play an integral part in maintaining and influencing the control environment of an organization. Employees usually “attack” their place of employment due to foreseen injustices. Businesses need to address such issues and react by being socially responsible to their employees and by encouraging a friendly environment for their people.

DQ 8-3. Although the site, RAIN, was found, the specific section, lonestar/kits, could not be accessed. The acronym RAIN stands for Regional Alliance for Information Networking. Founded in 1991, RAIN was the first public access Internet service in the world, and is now pioneering Public Interest Broadcasting. It is an alliance of educational organizations—museums, colleges, environmental organizations, human services and health agencies—all working with the RAIN network to develop and broadcast content-rich programming for the community and the classroom. The site has several kits, most of which are learning tools for specific technology.

DQ 8-4.



(1). Data are sometimes captured without use of source documents. This results in the loss or fragmentation of the audit trail. Additional features should be carefully defined in order to compensate for the loss of the audit trail. (2) On-line systems are designed to perform a series of interrelated tasks without human intervention. In such cases, any errors, intentional or unintentional, will propagate throughout the system. Since the use of hardcopy documents or even logs may not be required, the detection of such errors and error correction can be very difficult. (3) On-line processing systems often allow for “in place” updating of data elements (e.g., account balance); consequently the original data (e.g., previous balance) is lost. (4) On-line systems using data base organization for data management have their data concentrated in one or more databases. In the event of a system failure (hardware, software, power supply, etc.) the data could become inaccessible or may be lost. Thus, the task of establishing a sound control framework becomes quite challenging in on-line systems. DQ 8-5. Preventive and Access Controls: • Documentation controls to describe the AIS/MIS operations regarding system standards, systems applications, program, data, operating, and user documentation • General and specific authorization controls to approve and execute transactions • Provide passwords to users to give authorization to add, modify, and delete transactions • Recording transactions on sequentially numbered computer based source documents • Batch controls to prevent incorrect posting of transaction data and to prevent loss of transactions • Edit tests, programmed checks, self-checking digits, echo checks, redundancy checks, and completeness checks to aid in the preventive detection and verification of incorrect data DQ 8-6. A primary purpose of the exercise is to determine the difference between the two totals and reconcile the difference by identifying specific errors. 
The difference must be resolved before the output can be released by the control section. The following are the main steps:
1. Identify if there is a difference between the two totals. Often, the summary and exception report will show the difference.
2. If more than one control total is computed, determine which control totals show a difference. For example, if there is a difference in record counts (suggesting fewer records processed) and also in amount control totals (suggesting lower amount posted or processed), the missing record will account for part or all of the difference between the amounts. On the other hand, if the computer-based record count is larger than the count provided initially, an unauthorized record may have been added to the batch.
3. Examine the nature of the difference. Transposition errors often cause a difference that is divisible by 9. A misplacement of a decimal point would cause a difference depending on the size of the amount; the bigger the amount, the larger the difference.
4. If the entire difference is not detected in this manner, it may be necessary to compare each record in the batch.

DQ 8-7. When source documents are not used, an audit trail can be maintained by logging every transaction as it is captured. Each transaction would also have a date and time stamp, and possibly the origin of the transaction (terminal number or branch number, for example). This may be further augmented by keeping extended records (e.g., record showing previous balance prior to the recent update) in master files. Processing procedures may require that a printed transaction listing is prepared at the end of the day. In addition, each transaction should be identified by a



unique and sequentially assigned transaction reference number. When posting the effects of each transaction, the transaction reference number is also recorded in the general ledger account records. Finally, if the application uses a data base, as part of the backup and recovery procedures, a copy of the data base is made at a given point in time, and a log of all transactions occurring since this time is kept. This allows us to trace changes in the recorded amounts since the day of the data base backup.

DQ 8-8. Yes, it is possible to incorporate too many programmed checks into an application edit program. This may happen in situations where cost-benefit evaluation of the proposed application controls is not done or is incorrect, additional controls are subsequently added without reviewing the totality of controls that would exist upon such additions, or where the nature of the application and the software used permits the possibility of designing numerous controls. It is important to remember that only a reasonable assurance is expected, and that a foolproof system is not likely to be cost effective.

DQ 8-9. As a minimum, a financial accounting software package should have the following application controls:
1. A chart of accounts. It should be possible to create a hierarchy of accounts and to use a summary account. No transaction can be journalized or posted without an account code.
2. Each journal entry must balance. Debits = Credits.
3. When an account number is entered, the system should echo back data elements such as account name.
4. A trial balance should be available for review at any time.
5. A transaction is posted immediately upon completion of the journal entry, and a transaction log for the day can be printed.
6. No account can be deleted as long as it has a balance.
These are some of the examples of application controls to look for in a financial accounting package.
Additional programmed checks that would strengthen such a package include the following:
1. Automatically generated unique and sequential transaction reference number.
2. Features available to design relationship checks.
3. Ability to identify non-routine journal entries and abnormal account balances.
4. Ability to accommodate complicated account codes.

DQ 8-10. The risk assessment component of the internal control structure is related to the general and application control activities. Businesses are exposed to risks due to various internal and external sources such as employees, customers, computer hackers, criminals, and acts of nature. General and application controls identify the errors and risks, both intentional and unintentional, that affect a firm’s business objectives and focus on compliance with policies and procedures, segregation of duties, etc.

DQ 8-11. Implications of weaknesses include input and processing errors relating to reasonable hours worked, overtime pay, invalid employee identification numbers, letters appearing in fields reserved for recording hours and pay amount, and paying wages to terminated employees. Possible impact on the financial statements includes misstatement due to overstating salary and payroll taxes expense and understating income.

DQ 8-12. Disagree. A sound internal control environment is not entirely separate from general and application controls. Rather, a sound internal control environment includes good general and application controls to provide reasonable assurance as to the effectiveness and efficiency of



operations. The environment also includes other objectives to provide reliable financial reporting and compliance with applicable laws and regulations. A sound internal control structure also should include controls regarding management philosophy and ethics to provide an environment conducive to reinforcing good business practices. DQ 8-13. Knowledge-based/expert systems incorporate into a computer program the knowledge and reasoning process of human experts. This system improves the quality, reliability, timeliness, and consistency of decision making and thus ensures high general and application controls. The expert system does not allow user interaction with the financial model itself and therefore the risks associated with the business processes are evaluated. The user provides the expert system with specific data via the user interface and the expert system recommends the outputs. The system automatically applies business rules sequentially to provide a valid and reliable conclusion. Due to the fact that users do not have access to the model itself, risks can be assessed and controls can be effectively evaluated. DQ 8-14. Weaknesses and errors should always be reported and listed in exception and summary reports. It is the responsibility of the employees in the appropriate departments to use good judgement to either correct the mistake or let it pass through the system. DQ 8-15. 
Batch total from transmittal sheet should match total computed during processing.

General ledger:
• Total amount of debit balances
• Total amount of credit balances
• Total count of journal entry transactions
• Count of transactions affecting each account

Accounts receivable and payable:
• Total count of customers on account
• Total count of vendors on account
• Total amount of receivable balances
• Total amount of payable balances
• Total of vendor and customer numbers

Invoicing:
• Total number of sales to customers to invoice
• Total sales in dollars
• Total count of invoicing transactions

Payroll:
• Total hours worked
• Amount of salary or wages
• Total values relating to employee numbers

Inventory:
• Total quantities of items on hand
• Total quantities of items sold throughout the day, week, etc.
• Total of the unit prices of items sold and on hand

DQ 8-16. Types of resources related to internal controls/audits offered from Web sites include:
• Internal control techniques
• Internal control enhancement
• Internal control assessment
• Risk-based audits
• Self-assessment of risk and controls
• IT audits to assess internal controls

Operational auditing has transformed to a highly focused assessment of organization capability and performance. Operational auditing of unit activities, systems, and controls within an enterprise assesses the efficiency and effectiveness of business processes and procedures. This applies directly to the assessment of general and applications controls covered in this chapter. Audit steps such as preliminary surveys are being replaced by collaborative risk assessment. Cross-functional teams and contemporary management tools such as process reengineering are being used to audit organizational functions. These processes are of great value in assessing and evaluating general and application controls.

DQ 8-17. Categories of general controls listed in the chapter are Organizational controls, Documentation controls, Asset accountability controls, Management practice controls, Information center operations controls, Authorization controls, and Access controls. There are no specific categories of general controls listed in the Statement of Auditing Standards #78 (SAS 78). The statement focuses on the relevance of a given control to the objective of reliable financial reporting, and de-emphasizes how that control is categorized. The three objectives of internal control processes are reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.
SAS 78 focuses on the first objective. Chapter 8 has a broader, information-systems oriented focus; it considers all three objectives, and especially the first two.



PROBLEMS

8-1.
Item | Preventive, detective or corrective | General, operational, or management
A | Detective | Operational
B | Preventive, corrective | Management/general
C | Detective | General
D | Detective | General, operational
E | Preventive | Management
F | Detective | Management, general
G | Preventive, corrective | Operational
H | Detective | Operational
I | Detective | General
J | Preventive | Management
K | Detective | Management, general
L | Detective, corrective | General

8-2.
Item | Classification | Relates to other subcomponent(s) of the internal control structure
A | Detective | Monitoring
B | Preventive | Monitoring
C | Corrective | Monitoring
D | Preventive, detective | Monitoring
E | Detective | Control environment, risk assessment, control activities, and to some degree, information and communication, and monitoring
F | Preventive | Control environment, risk assessment, and control activities
G | Preventive | Monitoring
H | Detective | Risk assessment, monitoring
I | Preventive, detective | Control environment
J | Detective | Risk assessment, monitoring
K | Preventive | Monitoring

Explanation: Permits the replacement to detect any deviations from the defined procedures. Also, this can be considered as a deterrent to some extent, thus making the control preventive as well. Allows for segregation of duties. Permits the normalization of operations. Segregation of duties reduces chances of collusion (preventive) and helps detect any errors (detective). The reconciliation detects deviations. Corrective actions would follow. Permits consistency in procedures, which helps prevent errors. Differences between balance per book and balance per bank are detected. Corrective actions, including journal entries, would follow. One person’s work is checked by another. Thus, the procedure prevents collusion and helps detect errors. The log provides information about errors and malfunctions. Prevents loss of data if one of the copies is lost. Also allows for independent monitoring of the activity by a separate function/person.

8-3. a. 1. Improve organizational independence by separating the responsibilities for maintaining personnel records, approving hours worked by employees, preparing payrolls, signing paychecks, and distributing paychecks. 2. Restrict access to signed paychecks to those persons authorized to sign and distribute paychecks. 3. Employ a person such as a paymaster



b.

c.

d.

e.

f.

g.

h.

i.

j.

k.

to distribute paychecks. If feasible, have an internal auditor distribute paychecks periodically, in order to verify the authenticity of each recipient. Send customers a periodic statement of transactions and the account balance. Encourage them to verify the balance and call or write in case of any perceived discrepancy. Salespersons should be instructed not to receive any payments (cash or checks) from customers. If they are authorized to receive payments from customers, they should be bonded, and should be asked to turn in all receipts signed and cash or checks to the cashier the same day. Require the storekeeper to count all goods delivered to the storeroom and to sign a copy of the receiving report, thus acknowledging receipt of the goods. The receiving report would then be forwarded to the accounts payable department. Adjusting entries to cash should be very rare, if at all one is required, and should be endorsed by the treasurer prior to recording it. All evidence of need for the entry and the amount of the adjustment should be submitted. Adjustments to receivables should be submitted, with proper evidence, only by the authorized personnel; similarly, all adjustments to inventory should accompany evidence suggesting the need for and the amount of, adjustment and its approval by authorized personnel. Establish adequate organizational independence by requiring that (1) responsibility for verifying the authenticity and accuracy of suppliers’ invoices and approving them for payment be organizationally separated from (2) responsibility for writing, signing, and mailing checks. Thus, an accounts payable clerk could be assigned the former responsibility, while the cashier might be assigned the latter responsibility. Other related controls include requirements that (1) each check be signed by two persons and (2) periodic bank reconciliations be prepared. Install a clock for employees to register the hours worked on their time cards. 
Also, increase supervision at the timekeeping function; this may be done by installing a camera that permits someone to watch the activity and/or videotapes the location continuously. No overtime should be paid unless authorized by the supervisor. All payments from receivables, both in cash and by checks, should be received by the cashier, not the accountant. Secondly, all write offs of accounts receivable should be authorized by the credit and collections department and signed off by the treasurer prior to making a journal entry to write off a receivable. Authorization to make journal entries to accounts such as Allowance for Doubtful Accounts can be restricted to the chief accountant. Separate the function of accounting from the function of treasury. Assign the duty of opening the mail to at least two individuals, and do not involve the accountant in this duty. All cash received must be deposited daily, and a remittance advice must be made if it does not accompany the payment. No payments should be made directly from cash receipts; all cash received must be deposited in the bank. Limit authorization to make journal entries to the long-term notes receivable account to the chief accountant. All payments, both in cash and by check, must go directly to the cashier, who should deposit in the bank all receipts on the same day. Pricing policies should be approved by a subcommittee of the Board of Directors, and the audit committee of the Board must review periodically if the pricing policy is followed as set by the Board’s subcommittee. All departures from the policy must be carefully evaluated and corrective action taken, where appropriate. All asset valuation procedures should be a direct responsibility of the chief accountant, who should review the results, including depreciation amounts as well as net book values. The firm’s internal audit function should audit all material depreciation calculations and valuations. 
The audit committee of the Board should review reports of the internal audit function as well as external auditors.



l.

All incoming mail should be opened by two persons. If the amount remitted does not accompany a remittance advice, one should be prepared. All cash should be handed over to the treasurer, who should deposit the funds in the bank on the same day. Cashiers should not have access to the books of accounts, and the accountant should not have access to cash. All employees handling cash should be bonded.

8-4. a. (1) Improve organizational independence by separating the responsibilities for (a) opening the mail, (b) preparing the cash deposit, and (c) recording cash receipts transactions in the customer’s records. (2) Do not allow the accounts receivable clerk to have access to cash received from customers. (3) Request customers to remit checks or money orders only (and not currency). b. (1) Require the cashier to record all receipts of cash on a receipts register that provides prenumbered receipts, with one copy being provided to the customer and one copy being retained for use in entering payments to customers’ records. (The second copy could be “locked” in the register and thus inaccessible to the cashier.) (2) Do not allow the cashier to have access to the customers’ records. (3) Maintain the counter in a location that can be easily seen by managers and other employees. c. Prepare daily trial balances (or summaries of daily postings prepared from journal vouchers), with differences between total debits and credits being traced to individual transaction documents. d. Prepare a bank reconciliation upon receiving the monthly statement from the bank; the reconciliation should include the comparison of all withdrawals from the bank account during the period with the total amount of checks and other debits entered in the journal. Since the amount of the debit memo will have been deducted by the bank but not by the firm, a difference will appear. e. (1) Design disbursement voucher forms that are simple and easy to prepare by the clerks, using a change procedure that involves approval by the head of the accounts payable department. (2) Provide adequate documentation concerning the preparation of all forms and allow time to train clerks in the preparation of new forms. f. (1) Obtain fidelity bonds that indemnify the firm if an employee having access to negotiable assets (such as bearer bonds) commits a fraudulent act. 
(2) Maintain negotiable assets in a safe place, such as a safe deposit box, which can only be accessed by two officers of the firm. g. Require a financial statement audit that is conducted by external auditors from a public accounting firm. 8-5. a. Employ a change procedure that requires preapproval of all changes to software by appropriate managers and entry of all changes in a log, that involves the use of copies of the operating system software during the actual reprogramming, that requires adequate testing of programmed changes by qualified persons in addition to the programmer, and that requires final approval of changes by appropriate systems personnel. b. The internal audit function should have been involved from the beginning of the system development. This could have ensured that risk exposures are properly identified, evaluated, and managed in the designed systems and procedures. A backup and recovery plan must be designed to recover data files from system failures. On a system-wide basis, a disaster



c.

d.

e.

f.

g.

h. i.

j.

contingency and recovery plan should be prepared, approved by management, and implemented. Establish a data control section, which would receive all data inputs from user departments, distribute all outputs from computer operations, monitor the data processing schedule, reconcile all batch control totals as shown on exception and summary reports, and maintain control over the correction and resubmission of transactions found to contain errors. Most such “private” files are lost or rendered useless simply because there is no knowledge of their existence and/or hardly any documentation exists. Even at the end-user level, it should be a requirement that all applications developed will have to be declared as a part of the overall systems applications portfolio, and that all applications must be documented by the developer according to the standards adopted by the firm’s information resource management function. The data security manager should not have access to everything: reports, passwords, disks, and magnetic tape files. An automated access log of the manager’s activities should be maintained, for audit and verification purposes. Disposal of all media should be subject to clearing such media; in some cases, contents may have to erased prior to the disposal of the medium. Standards must be developed for the disposal of sensitive waste. Selected paper to be disposed of may be required to be shredded. The data security manager’s entry and exit into the premises should be electronically logged. Finally, janitorial services responsible for cleaning sensitive areas should be subject to security clearance, and their activities must be monitored closely (e.g., using closed circuit cameras). Establish and enforce sound computer operating practices, including close supervision, careful planning and scheduling of data processing jobs, and periodic (e.g., weekly) reports that reflect the productivity of the operators. 
Separate programmers from operational programs, whether by restricting access to the computer facility (in the case of batch processing systems) or by restricting access to operational terminals (in the case of on-line processing systems). Also, establish a formal program change procedure (such as described in Requirement a above) that requires authorization for any program changes deemed to be necessary. 1. Organizationally separate programming and computer operations functions. 2. Restrict access to programs by prohibiting programmers from entering the computer room. 1. Do not allow computer operators to make changes to data in computer runs; instead, have the control section return erroneous transactions to the user department (in this case the payroll or timekeeping department). 2. Require that corrected transactions be resubmitted for processing, so that the corrected data are re-edited by programmed checks. The data processing manager’s career profile should have been checked prior to his hiring. He should not be authorized to have access to any data files; in the event that such access becomes necessary and is therefore authorized, all accesses must be logged electronically. The firm should adopt a code of conduct, which must specify restrictions on consulting activities, and key managers should be sworn to confidentiality of the firm’s information to which they have access due to their roles and responsibilities within the firm.



8-6. a. Limit or reasonableness test. b. Reasonableness test or compatibility test. Also, an echo check where the system would ask for the verification of the quantity ordered, by answering Yes or No. c. Character or field check. d. Record count included in the batch transmittal sheet that accompanies the time cards. e. Library access controls. A separate librarian is assigned to have the custody of program and data files, and is responsible to issue files to authorized personnel only. f. Access control lists (matrix). This will identify who is authorized to access what files and for what purposes (view, modify, print, etc.). Also, restrictions can be placed as to which terminals are authorized to access certain files, and even the time periods during which such access is available. In addition, to further protect sensitive information, the file may be encrypted so that if it falls in the hands of unauthorized users, its content is rendered useless. g. Access control to output bins. Only the control group within the operations area should have access to output bins. All reports, especially the sensitive information, should be recorded on a distribution log, where authorized user representatives initial the log to acknowledge receipt of the report. h. A review of the external label by the computer operator can help prevent the error. Additionally, once mounted and ready to be used, the internal label check should also be made. In the event that the error could not be avoided, back up and recovery procedures should help recreate the affected data. i. A validity check where numeric values entered during input are matched against a list of acceptable numbers stored in a file. Another possibility is to design a redundant data check wherein the entry of a number will echo back the name or description of the entity for purposes of verification and confirmation. 
If this data conversion process was in a batch mode, a hash total of the batch would help detect the discrepancy. 8-7. a. A hash total generated at the time of the data input edit run would detect the difference for the batch as a whole. An analysis of the difference would help detect the error. If data entry was on-line, a validity check against a file of all valid numbers would help detect and correct the error on-line. b. A zero-balance check can be programmed, wherein the application checks if the amounts of debits entered equals the amounts of credits entered. If the entry does not satisfy the condition, it is rejected. c. Access to programs by programmers (or personnel in the system development area) should be only as authorized. An access control list (matrix) should be developed which prohibits access to programs in production by the systems development staff. “Development” copies of programs which are being modified should be made available to those programmers who are on the project team working on the program. Additionally, program change control should be implemented so that, prior to changeover of any applications from development to production, all changes are reviewed, tested, and signed off by all concerned parties, such as internal auditors and end-users. d. A limit check or reasonableness test can detect the error. Any transaction resulting in a negative balance should be rejected by the system, and the discrepancy should be investigated. e. An amount control total used during the input edit run would help to detect the error. If online editing is performed as each transaction is entered, the system can be designed to echo back the amount and require the clerk to verify and confirm it before the transaction is accepted.



f. An access control list should be developed to block access by programmers to all files and programs in “production.” Sensitive files, such as payroll files, should not be kept on-line except when needed. Also, contents of such files should be encrypted so that in the event of unauthorized access, the information is not useable. g. An echo check on the amount field should help. The system can be designed to feed back the amount on the screen, requiring confirmation from the user that the entered amount is correct. Such verification can help detect most entry errors in the amount of the transaction. h. All reports, especially sensitive reports, should be controlled by an area or function responsible for report distribution. A distribution register or log must be maintained, where an authorized representative of the receiving unit should sign to confirm the receipt of the report. i. Prior to transferring an application developed or modified to the “production” or operations area, the application should be subject to program change control procedures, which help ensure that only authorized changes have been made to the application. Program change controls require reviews and tests of the application, wherein the results are approved or signed off by designated persons, such as internal auditors and end-users. 8-8. a. On-line data entry should be supported by preformatted screens. Primary key values entered should be verified by checking for validity; the system would do this by comparing the entered value against a list of acceptable values for the data element. Also, the system can be designed to echo back the values entered, so that the user can verify the values and confirm their accuracy. A redundant data check can also be employed; the system in this case will return associated values (e.g., when a customer number is entered, the customer name is returned by the system on the screen) for confirmation that the correct record is being accessed. b.
A log of all computer runs must be maintained, showing day, date, time, period of the batched transactions, etc. c. A field check (also called a character check) should detect the error. d. To a buyer, the supplier master file should be accessible in a Read Only mode. Purchases transactions initiated by the buyer must be recorded in a separate transaction log, which should be edited prior to further processing. e. Such errors should be detected and reported by the system on a system operator’s console, so that corrective action can be taken. In a batch processing run, it should be possible to track the number of records accessed from the master file and compare that number with the total number of records in the file. f. The computer operator should have no access to reports; the reports should be transmitted directly to the printer(s) in the Control Section, and in case of on-line processing, the responsible user’s printer. Except for the error messages related to the operation of the computer and processing of the application, the operator should not have access to any other transaction or master file data, or reports. g. Only authorized personnel should have access to the program they are assigned to modify. Even in case of authorized personnel, the changes are made on what is called a development copy of the program; the copy “in production” remains unchanged. To detect unauthorized changes, auditors run tests (e.g., a test to measure program length) that would disclose changes made. h. A limit check or reasonableness test should help detect such errors. Most systems now permit the entry of dates in various date formats (e.g., MM/DD/YY), where edits might be built in to check for such errors.
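The batch and programmed edit checks named in 8-7 and 8-8 above (field check, validity check, record count, amount control total, hash total, zero-balance check) can be seen working together in one input edit run. This is an added example, not part of the solution manual; the account numbers, amounts, class names and exception labels are constructed for illustration.

```python
from dataclasses import dataclass, replace
from decimal import Decimal as D


@dataclass(frozen=True)
class Line:
    account_no: str   # kept as keyed text so the field check can inspect it
    debit: D
    credit: D


@dataclass(frozen=True)
class Transmittal:
    """Control totals the user department computes from the source documents."""
    record_count: int
    debit_total: D    # amount control total
    hash_total: int   # sum of account numbers; meaningful only as a control


def edit_batch(lines, transmittal, valid_accounts):
    """Return exception-report entries; an empty list means the batch may post."""
    exceptions = []
    hash_sum = 0
    for n, line in enumerate(lines, start=1):
        # Field (character) check: account numbers must be numeric.
        if not (line.account_no.isascii() and line.account_no.isdigit()):
            exceptions.append(f"FIELD_CHECK record {n}")
            continue
        # Validity check: the number must exist in the list of valid accounts.
        if line.account_no not in valid_accounts:
            exceptions.append(f"VALIDITY_CHECK record {n}")
        hash_sum += int(line.account_no)

    debits = sum((l.debit for l in lines), D("0"))
    credits = sum((l.credit for l in lines), D("0"))
    if len(lines) != transmittal.record_count:
        exceptions.append("RECORD_COUNT")
    if debits != transmittal.debit_total:
        exceptions.append("AMOUNT_CONTROL_TOTAL")
    if hash_sum != transmittal.hash_total:
        exceptions.append("HASH_TOTAL")
    if debits != credits:
        exceptions.append("ZERO_BALANCE")
    return exceptions


# Constructed sample data: two balanced journal entries, four lines.
VALID_ACCOUNTS = {"1010", "1020", "1200", "4000"}
TRANSMITTAL = Transmittal(record_count=4, debit_total=D("650.00"), hash_total=10210)
CLEAN = [
    Line("1010", D("500.00"), D("0")),
    Line("4000", D("0"), D("500.00")),
    Line("1200", D("150.00"), D("0")),
    Line("4000", D("0"), D("150.00")),
]
# Keying errors: a wrong but valid account (1200 keyed as 1020) and a
# transposed credit amount (150.00 keyed as 510.00).
KEYED = CLEAN[:2] + [
    replace(CLEAN[2], account_no="1020"),
    replace(CLEAN[3], credit=D("510.00")),
]
# Letter O keyed in place of a zero.
BAD_FIELD = CLEAN[:2] + [replace(CLEAN[2], account_no="12O0"), CLEAN[3]]

if __name__ == "__main__":
    for name, batch in (("clean", CLEAN), ("keyed", KEYED), ("bad field", BAD_FIELD)):
        print(name, edit_batch(batch, TRANSMITTAL, VALID_ACCOUNTS))
```

In the keyed batch the validity check and the debit control total both pass; only the hash total and the zero-balance check expose the two errors, which is why the controls are used in combination.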



8-9.
1. O    2. N    3. C    4. M
5. D    6. N    7. I    8. L
9. F    10. L   11. J   12. E
13. B   14. A   15. D   16. G

8-10.
1. D    2. L    3. P    4. J
5. O    6. D    7. A    8. B
9. M    10. A   11. I   12. E
13. Q   14. F   15. C

8-11. a. Perform reconciliation between the payroll and the general ledger file. Balancing totals of critical fields should provide an effective control over the described situation.
b. The users may not be aware that changes have been made. Moreover,
• Debugging of the software later can be a very difficult and time-consuming task.
• External and internal audits relating to information systems will prove to be a difficult task.
• Research of discrepancies between general and subsidiary accounts might be difficult to trace.
• Operational procedures relating to the application software may not be sufficient to inform users about the changes made by the consultants.
c. General controls must be in place before application controls can be relied upon. This is because general controls set the environment within which application controls exist and operate. Weak general controls can easily ruin the effectiveness of a strong set of application controls.

d.
• Restrict access to and monitor installation of software products or tools having powerful update capabilities.
• The human resources department should only update personnel files. Adequate segregation of duties is required for organizational independence.
• Utilize passwords to prevent unauthorized employees from accessing files to update personnel on the computer system.
• A copy of the output of automatic logs and registers of all updates made should be sent to the human resources department and the management department where that new employee would complete his/her job. This log should include name and employee ID number of the person who made the updates. Note, however, that this will not help prevent the situation from occurring, just detect the violation.
e. The application controls being verified by this analysis are called edit and validation controls.

8-12. a. (1) See solution in textbook.
(2) The self-checking digit in the number 33693 is computed as follows:
2 x 9 = 18
3 x 6 = 18
4 x 3 = 12
5 x 3 = 15
Sum = 63
63 / 11 = 5 R 8
11 - 8 = 3
Thus, 3 is the correct self-checking digit.

b. The correct self-checking digit for the number 7325 is computed as follows:
2 x 5 = 10
3 x 2 = 6
4 x 3 = 12
5 x 7 = 35
Sum = 63
63 / 11 = 5 R 8
11 - 8 = 3
Thus, 6 is an incorrect self-checking digit; instead, 3 is the correct digit.

c. The correct self-checking digit for the number 28346 is computed as follows:
2 x 6 = 12
3 x 4 = 12
4 x 3 = 12
5 x 8 = 40
6 x 2 = 12
Sum = 88
88 / 11 = 8 R 0
The self-checking digit is therefore 0.
Thus, 0 is the correct self-checking digit.

d. The self-checking digits for the following numbers should be:
(1) 357920
2 x 2 = 4
3 x 9 = 27
4 x 7 = 28
5 x 5 = 25
6 x 3 = 18
Sum = 102
102 / 11 = 9 R 3
11 - 3 = 8
Thus, the entered number 357920 should be rejected as invalid.

(2) 186252
2 x 5 = 10
3 x 2 = 6
4 x 6 = 24
5 x 8 = 40
6 x 1 = 6
Sum = 86
86 / 11 = 7 R 9
11 - 9 = 2
Thus, the entered number 186252 should be accepted as valid.

(3) 243760
2 x 6 = 12
3 x 7 = 21
4 x 3 = 12
5 x 4 = 20
6 x 2 = 12
Sum = 77
77 / 11 = 7 R 0
The self-checking digit is therefore 0.
Thus, the entered number 243760 should be accepted as valid.

e. (1)
Digit:     3    5    7    9    2
Weight:  x 6  x 5  x 4  x 3  x 2
Product:  18   25   28   27    4    Sum = 102
11 x 10 = 110; 110 - 102 = 8
Thus, the complete number should be 357928.

(2)
Digit:     1    8    6    2    5
Weight:  x 6  x 5  x 4  x 3  x 2
Product:   6   40   24    6   10    Sum = 86
11 x 8 = 88; 88 - 86 = 2
Thus, the complete number should be 186252.

(3)
Digit:     2    4    3    7    6
Weight:  x 6  x 5  x 4  x 3  x 2
Product:  12   20   12   21   12    Sum = 77
11 x 7 = 77; 77 - 77 = 0
Thus, the complete number should be 243760.
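The modulus-11 computation worked by hand in 8-12, as an added Python example that is not part of the solution manual. It generalizes the hand-worked cases to any base number of up to nine digits and assumes, since the page does not cover the case, that a base number whose computed check digit would be 10 is never issued; the function names are illustrative.

```python
"""Modulus-11 self-checking digit with weights 2, 3, 4, ... from the right."""


def check_digit(base):
    """Return the check digit for a base number given as a digit string.

    Returns None when the result would be 10, which cannot be written as a
    single digit (assumption: such base numbers are never issued).
    """
    if not (base.isascii() and base.isdigit() and 1 <= len(base) <= 9):
        # A tenth digit would need weight 11, and a weight divisible by 11
        # makes that position invisible to the check.
        raise ValueError("base number must be 1 to 9 decimal digits")
    # Weight 2 goes to the rightmost digit, 3 to the next one, and so on.
    total = sum(w * int(d) for w, d in enumerate(reversed(base), start=2))
    check = (11 - total % 11) % 11      # remainder 0 gives check digit 0
    return None if check == 10 else check


def is_valid(number):
    """Programmed edit check: recompute the last digit and compare."""
    if not (number.isascii() and number.isdigit() and 2 <= len(number) <= 10):
        return False
    return check_digit(number[:-1]) == int(number[-1])


def undetected_keying_errors(number):
    """Try every single-digit substitution and every adjacent transposition
    of `number` and return the corrupted forms that still pass is_valid()."""
    variants = set()
    for i, ch in enumerate(number):
        for d in "0123456789":
            if d != ch:
                variants.add(number[:i] + d + number[i + 1:])
        if i + 1 < len(number) and number[i + 1] != ch:
            variants.add(number[:i] + number[i + 1] + ch + number[i + 2:])
    return sorted(v for v in variants if is_valid(v))


if __name__ == "__main__":
    for base in ("35792", "18625", "24376"):            # 8-12 e
        print(base, "->", base + str(check_digit(base)))
    for entered in ("357920", "186252", "243760"):       # 8-12 d
        print(entered, "accepted" if is_valid(entered) else "rejected")
    print("undetected errors for 357928:", undetected_keying_errors("357928"))
```

The exhaustive search returns no surviving variants because 11 is prime and every weight is below 11, so no single substitution or adjacent swap can change the weighted sum by a multiple of 11.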

8-13. Specific general controls needed for the on-line reservation system of Gose Hotels include the following:
• Organizational controls: The data processing function should be organizationally independent of the systems development function.
• Documentation controls: The system should be adequately documented, and such documentation should be complete and up-to-date.
• Asset accountability controls: The identities of reservation clerks must be linked to the reservation transactions they enter into the system.
• Management practice controls: Competent people should be hired. Appropriate and adequate training should be provided to the reservation clerks and other systems staff.
• Data center operations controls: Close supervision, careful planning and scheduling, and organized procedures must be employed to manage the data center operations.
• Authorization controls: Establish standard conditions under which reservation transactions are approved and executed.
• Access controls: Access authorization lists must be maintained. The level of access for each user should match the user’s roles and responsibilities.

Specific transaction controls needed for the on-line room reservation system of Gose Hotels, including programmed checks on key data elements, are as follows:
a. Well-designed source documents, i.e., reservation forms that are completed and initialed by the reservation clerks.
b. Preformatted screens that are displayed to aid reservations clerks in keying reservations data.
c. Concise codes (e.g., hotel codes, special requests) that reduce the possibility of keying errors.
d. Automatic tagging of transactions with a unique sequential number, as well as with the number of the originating terminal, the time of day, and the entry date.
e. Validity check of each code (e.g., hotel code, special request code) against stored lists, in order to ascertain that valid codes are entered.
f. Field checks of characters in the entered data items in order to determine if characters of proper mode (e.g., alphabetic, numeric) have been entered.
g. Echo checks that display the location of the hotel and the description of the special request upon the entry of their codes, so that the reservation clerks can visually verify the correctness of the entries.
h. Prompts that request the reservations clerks to enter additional needed data, e.g., the number and types of rooms to be reserved.
i. Completeness test that checks the keyed-in data items, in order to verify that no necessary data have been omitted.
j. Relationship checks that compare the types of rooms requested with the availability of such rooms, in order to determine the sufficiency of requested rooms.
k. Logical check that compares the reservation dates against the entry date, in order to ascertain that the reservation dates pertain to the future.
l. Reasonableness check that compares the quantity of rooms requested against a pre-established upper limit that is viewed as being reasonable for that particular type of room, in order to detect quantities that appear to be unreasonable. (This check may not be necessary if the relationship check in j. above is employed.)
m. Updating check that verifies (1) the posting of a “reserved flag” in the records of rooms that have just been reserved and (2) the creation of a new record for the traveler making the reservation.
n. Error correcting procedure, in which the edit program requires that all detected errors be corrected and all needed data be entered before a transaction is accepted for processing.
o. Automatic printing of a numbered reservation confirmation and storage of a copy of the confirmation in an on-line file.
p. On-line storage of new records created for travelers who have made reservations and the cross-referencing of these records to the records of reserved rooms.
q. Printing of detailed daily listings of transactions, arranged by assigned numbers and also arranged by hotels.
r. Printing of daily proof activity listings that reflect all changes to hotel rooms records, with these listings being reviewed by hotel managers.

8-14. General controls for AB Distributors:
• Organizational independence between systems development and data processing functions to prevent unauthorized changes.
• Documentation controls to help users understand and interpret policies and procedures.
• AB Distributors must follow the appropriate systems change procedures to ensure the benefits and necessities of the new systems environment.
• Data transmission in a distributed environment adds to the risk exposures. Appropriate transmission controls, including encryption of data, should be considered.
• Distributed systems need to be available continuously. To ensure availability, backup and recovery procedures should be defined and implemented. Similarly, for the system as a whole, disaster contingency and recovery planning should also be undertaken.
• The appropriate personnel should actively monitor the new environment in order to prevent and detect problems arising from the change in the environment.

8-15. In general, segregation of duties is inadequate with respect to the staff accountant and the vicepresidents. Also, while not truly a matter of segregation, it should be noted that the subsidiary’s



board of directors should preferably include qualified persons from outside the parent of the subsidiary, particularly since the board reviews the financial statements of the subsidiary. Furthermore, it would be desirable to have an appropriate individual within the accounting department accountant review the statements and all month-end adjustments. Specific areas in which segregation of duties is inadequate include: a. Direction of day-to-day operations. While the problem does not state exactly which operations are directly performed by the president and the two vice-presidents, it implies that they jointly handle the operations. This arrangement does not pinpoint responsibilities and also dilutes the effectiveness of the three officers, since they also have other responsibilities (i.e., liaison and additional projects). b. Payables and cash disbursements. A vice-president should not both approve invoices for payment and then also sign the checks. Also, the signed checks should not be received back by the staff accountant for mailing, since the staff accountant also has access to the suppliers’ payable records. Instead, the checks should directly go to the mailroom or post office. Furthermore, the staff accountant should not have access to the blank checks, since they could be used to prepare fraudulent checks. Instead, the blank checks could be controlled by the president. c. Cash receipts from real estate sales. The staff accountant (and parent’s accounting department) should not be involved in all of the processing and should not handle the cash. Instead, a cashier should receive the deposit and prepare the deposit slip and carry the deposit to the bank. d. Cash shortages and promissory notes. A cashier or vice-president, rather than the staff accountant, should be involved in preparing the promissory notes, which are a financial instrument. The role of the staff accountant should be to record the note in the accounts. 
Of course, the staff accountant should not receive the proceeds from the notes or advise management concerning their payment dates. Instead, these duties should probably be performed by the cashier. e. Bank reconciliations. An employee or manager not involved in the processing activities or an external accountant, rather than the staff accountant, should reconcile the cash accounts.

8-16.

Control Weakness: Absence of short-term and long-term plans for the information systems.
Potential Impact on the Company: Given the rate of change in technology, this would lead to loss of competitive advantage in the future. In addition, existing systems would fall short in meeting future needs due to growth.

Control Weakness: Updated versions of accounting applications have not been implemented.
Potential Impact on the Company: The company is not utilizing the benefits that the updated software would provide. Some of these updates might be critical to the firm, for example, Year 2000 compliance upgrade.

Control Weakness: Offshore software development is undertaken without proper risk management.
Potential Impact on the Company: Risk exposures arising from offshore software development could result in a compromise of system development methodology, including program change controls. For trans-border communication, unencrypted data and programs could fall into the wrong hands.

Control Weakness: IS staff is overworked. There is a breakdown in the segregation of duties.
Potential Impact on the Company: This situation could lead to fraud and consequent loss of assets, including information.

Control Weakness: Informal process of report generation and distribution.
Potential Impact on the Company: The reporting system should follow accountability and need-to-know requirements. Clear guidelines should exist regarding who gets what report and when. Without this, proper use of information may not occur, and unauthorized access to information could be damaging to the company.

Control Weakness: Systems documentation is sparse and vague.
Potential Impact on the Company: This will cause system inefficiencies and even lack of system availability. Clearly laid out, detailed systems documentation facilitates smooth operation.

Control Weakness: The organizational location of programmers and analysts.
Potential Impact on the Company: Although the two groups belong to the same unit (systems development), they should be segregated within the unit. Lack of segregation could result in collusion, compromising the company’s information systems resources.

Control Weakness: Lack of written input preparation procedures.
Potential Impact on the Company: This could result in inefficient data entry and erroneous data input.

Control Weakness: Lack of segregation of duties within the accounting function.
Potential Impact on the Company: Segregation of duties must be clearly defined in the accounting department and supported by appropriate password assignment. The lack of segregation leaves room for errors and fraud.

b. The new environment will be far more distributed than centralized. This means more communication, greater end-user involvement, and complex and distributed data processing. Systems must be carefully developed and implemented. End users should be provided training to develop skills necessary to work with the new system. Access controls must be more rigorously implemented. Communication controls should be enhanced, and where appropriate, data encryption should be employed.

8-17. Reference: Ratliff, Richard L.; Wanda A. Wallace; Glenn E. Sumners; William G. McFarland; and James K. Loebbecke. Internal Auditing Principles and Techniques, 2nd Ed. Altamonte Springs, Fl: The Institute of Internal Auditors, 1996. pp. 99-120.

A. Control Strengths:

1) Scanners are used. The use of scanners reduces the number of input errors and can be considered a control strength even if the advantages might not be realized in this case.
2) A centralized price table is used. If well controlled, centralized price tables provide an efficient way by which to ensure that prices are uniform and that sales are recorded in accordance with approved pricing.
3) Supervisory approval of price changes is required. All price changes are supposed to be approved by the buyer. If implemented correctly, this would be a strong control.
4) Buyers are evaluated based on the profitability of the items they acquire. This is a broad managerial control to emphasize the responsibilities of the buyers and to help insure goal congruence with the organization. Controls are designed to influence behavior; therefore, a compensation system needs to be recognized as a control.
5) Access to the regional database is limited to buyers. This should ensure the implementation of only authorized price changes.
6) Passwords are required to access the database. Passwords can be effective in helping control access to data.
7) Local changes to price tables are not uploaded to the master price database. The master database, therefore, is not corrupted by local changes.
8) The full database is downloaded each morning. This control ensures the uniformity and accuracy of prices.
9) Reconciliation of the price table with the authorized price lists is performed by the merchandising manager's assistant. This provides an independent reconciliation control by someone outside of the buyer's area.
10) Daily reports on store profitability are prepared. This is part of management's monitoring controls and should alert management to important changes or trends.
11) Approval is required for new additions to the price database. Products are added to the database only upon the approval of the merchandising manager. This ensures that only authorized products are added.
12) A validity (edit) check is performed on product numbers. All items must conform to the company's list of valid product numbers. This helps ensure that incorrect items are not entered into the price table.

A. Control Weaknesses and B. Potential Impact on the Organization:

1) Weakness: There is no evidence of a verification of the completeness of the download to the individual stores each day. Impact: This could result in incomplete downloading or incorrect downloading of data. Some reconciliation or the use of control totals would help ensure the complete downloading of the records to the individual stores.
2) Weakness: Each buyer has access to the full database, not just to the portion for which that buyer is responsible. Impact: An individual buyer may either inadvertently or deliberately change prices without proper authorization.
3) Weakness: The buyer occasionally delegates password access to an assistant. Impact: The assistant has complete access to the database and may inadvertently or deliberately change authorized prices. Further, there is no accountability as to who made changes.
4) Weakness: Review of price changes to the database is not performed in a timely manner by someone independent of the buyer. The reconciliation is done quarterly, which is not frequent enough to catch problems. Impact: Since the database is critical to the organization, a timely review of changes should be performed by someone independent of those making the changes. This should lessen the number of errors that customers are encountering.
5) Weakness: The store managers have broad authority to make price changes. Impact: This broad authority may weaken management's evaluation system which holds the buyers responsible for the profitability.
6) Weakness: The full database is downloaded every day instead of only downloading changes. The volume of items downloaded can be a potential cause of error, especially if there is no reconciliation of the downloaded database with the master database. Impact: Downloading the entire database takes more time and effort than downloading only the changes, and is therefore less efficient. Also, there are more opportunities for errors to occur.
7) Weakness: Price changes made by store managers are effective only for a day, since the regional database is downloaded again each morning. Impact: If a store manager forgets to update local price changes each day, customers may be charged incorrect prices for goods. This weakness may explain some of the customer complaints regarding pricing.
8) Weakness: Close-out items that are entered at the cash registers do not require individual product identification. Impact: Lack of identification of close-out items sold may cause a loss of control over perpetual inventory because these items are not removed from inventory as they are sold. This could be the cause of the inventory shrinkage problems.
9) Weakness: Inventory shrinkage is occurring. Impact: Occurrence of inventory shrinkage indicates an internal control weakness.
10) Weakness: Daily sales reports reflect performance by store and by department only. The reports do not furnish information about product movement. Impact: The value of the reports is limited; they would be more useful if they contained data on overall product performance.
11) Weakness: The merchandising manager's assistant has access to the database to enter new products. If this access also provides access to the price table, this would be a weakness since this individual also reconciles the price table to the authorized price lists. Impact: Unauthorized price changes could be entered by the assistant.
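The control totals suggested under weakness 1 can be sketched as follows. This is an added example, not part of the textbook or its solution: the regional server computes totals over the master price table, and each store recomputes them after the morning download. It goes one step beyond the text by adding a digest, because a record count, hash total and price total all miss offsetting changes. The record layout and sample values are constructed.

```python
import hashlib
from decimal import Decimal

# Constructed sample of the regional master price table: (product_number, price).
# Product numbers are assumed to be all-digit strings so they can be summed.
MASTER = [
    ("100234", Decimal("4.99")),
    ("100871", Decimal("12.50")),
    ("204410", Decimal("0.89")),
    ("310007", Decimal("23.00")),
]


def control_totals(records):
    """Compute batch control totals for a price table."""
    # Canonical, order-independent serialization used only for the digest.
    canonical = "\n".join(f"{pn}|{price}" for pn, price in sorted(records))
    return {
        # Record count: detects dropped or duplicated records.
        "record_count": len(records),
        # Hash total: sum of a non-financial field, meaningful only as a check.
        "hash_total": sum(int(pn) for pn, _ in records),
        # Financial total: detects a changed price.
        "price_total": sum((price for _, price in records), Decimal("0")),
        # Digest: detects changes that leave the three totals above unchanged.
        "digest": hashlib.sha256(canonical.encode("ascii")).hexdigest(),
    }


def verify_download(sent_totals, received_records):
    """Return the names of the totals that disagree (empty list = complete)."""
    got = control_totals(received_records)
    return [name for name, value in sent_totals.items() if got[name] != value]


def scenarios():
    """Run the store-side check against four constructed download outcomes."""
    sent = control_totals(MASTER)
    truncated = MASTER[:-1]                                   # last record lost
    repriced = [("100234", Decimal("0.49"))] + MASTER[1:]     # one price altered
    offsetting = [("100234", Decimal("5.99")),                # +1.00
                  ("100871", Decimal("11.50"))] + MASTER[2:]  # -1.00
    return {
        "complete": verify_download(sent, MASTER),
        "truncated": verify_download(sent, truncated),
        "repriced": verify_download(sent, repriced),
        "offsetting": verify_download(sent, offsetting),
    }


if __name__ == "__main__":
    for name, failed in scenarios().items():
        print(f"{name:11s} -> {'OK' if not failed else 'MISMATCH: ' + ', '.join(failed)}")
```

A store that reports a mismatch should reject the table and request a new download rather than open with partial prices.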

8-18. a. Specific name of the edit check or program check:

Test  Specific name
1     Zero balancing test, completeness test
2     Existence check
3     Range test
4     Limit test
5     Reasonableness test
6     Field check
7     Sign test
8     Completeness test
9     Limit test, reasonableness test
10    Sign check
11    Field check
12    Validity check
13    Echo check
14    Limit test
15    Existence check
16    Existence check
17    Validity check
18    Relationship check, echo check
19    Sequence check
20    Field check
21    Validity check, limit/reasonableness test
22    Reasonableness/limit test
23    Access control list
24    Existence check
25    Sign test
26    Validity check

a. The accountant developed a fairly comprehensive set of tests. However, this may not provide sufficiently adequate tests of the BusinessWorks package to determine if data-entry errors and processing errors were detected before financial statements and reports were reproduced as outputs. Additional tests should be included to check for possible errors in recording transactions. These are illustrated in Requirement (e). Also, the results of the tests conducted are mixed. The failure to prevent/detect errors of certain types (see Items 1, 4, 7, 9, 15, 16, 17, 20, and 22) can have a major impact on the reliability of financial information produced using the software package. For example, in Item 1, the acceptance of an incomplete journal entry would make the trial balance out of balance.

b. Sources to determine the specific types of controls incorporated into the package:

Source: Specific program controls listed
1. Documentation in BusinessWorks manual: Passwords
2. Exception and summary reports: Control totals
3. Data dictionary or record layouts: Field check, limit/reasonableness test, echo check, relationship check, range check
4. Application system flowcharts: Controls specific to the processing mode used (immediate versus periodic processing)
5. Access control list/table/matrix: Authorization
6. Source documents: Input validation

c. Other edit and program checks recommended, with the purpose of each test:

1. Delete an account with a non-zero balance. Purpose of test: If permitted, this would compromise the integrity of the system.
2. Make an adjusting entry with Cash as one of the accounts involved. Purpose of test: If permitted, this would make the accounting information unreliable.
3. Make an adjusting entry with all balance sheet accounts. Purpose of test: If permitted, this would make the accounting information unreliable.
4. Make an adjusting entry with all income statement accounts. Purpose of test: If permitted, this would make the accounting information unreliable.
5. Make an entry using a future date. Purpose of test: If permitted, this would compromise the integrity of the system.
6. Delete an entry already accepted by the system. Purpose of test: If allowed, this would compromise the reliability of data.
7. Make an entry that involves a nonexistent account. Purpose of test: If accepted, this proves that control over the chart of accounts is inadequate.
8. Make a closing entry that closes out the revenues and expenses to an account other than retained earnings. Purpose of test: If permitted, this would make the accounting information unreliable.
9. Verify if sequences are assigned to key documents, such as checks. Purpose of test: If absent, this would cause a risk exposure to cash management.
10. Verify if journal vouchers are sequentially numbered. Purpose of test: If absent, this would make it difficult to control entries made in the system.
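Several of the checks named in this problem can be shown as programmed edit checks on a journal entry. The code below is an added example, not code from BusinessWorks or the textbook. The entry layout, chart of accounts and amount limit are constructed, and each check follows the usual textbook definition, which is an assumption here because the solution lists only the check names.

```python
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed chart of accounts and per-line limit (assumptions for the example).
CHART_OF_ACCOUNTS = {"1000", "1200", "3000", "4000"}
AMOUNT_LIMIT = Decimal("50000.00")


def check_entry(entry, today, last_voucher_no):
    """Run edit checks on one journal entry; return [(check_name, message)]."""
    findings = []
    # Completeness test: all required fields must be present and non-empty.
    for field in ("voucher_no", "date", "lines"):
        if entry.get(field) in (None, "", []):
            findings.append(("completeness", f"missing {field}"))
    if findings:
        return findings
    # Sequence check: journal vouchers must be numbered consecutively.
    if entry["voucher_no"] != last_voucher_no + 1:
        findings.append(("sequence", f"expected voucher {last_voucher_no + 1}"))
    # Future-date check: an entry may not be dated after the processing date.
    if entry["date"] > today:
        findings.append(("future_date", f"{entry['date']} is after {today}"))
    debits = credits = Decimal("0")
    for n, line in enumerate(entry["lines"], start=1):
        # Validity check: the account must exist in the chart of accounts.
        if line["account"] not in CHART_OF_ACCOUNTS:
            findings.append(("validity", f"line {n}: unknown account {line['account']}"))
        # Field check: the amount must be a finite number.
        try:
            amount = Decimal(str(line["amount"]))
        except InvalidOperation:
            amount = None
        if amount is None or not amount.is_finite():
            findings.append(("field", f"line {n}: amount is not numeric"))
            continue
        # Sign test: amounts are entered as positive values on a D or C side.
        if amount <= 0:
            findings.append(("sign", f"line {n}: amount must be positive"))
            continue
        # Limit test: a single line may not exceed the configured limit.
        if amount > AMOUNT_LIMIT:
            findings.append(("limit", f"line {n}: {amount} exceeds {AMOUNT_LIMIT}"))
        if line["side"] == "D":
            debits += amount
        elif line["side"] == "C":
            credits += amount
        else:
            findings.append(("validity", f"line {n}: side must be D or C"))
    # Zero-balancing test: total debits must equal total credits.
    if debits != credits:
        findings.append(("zero_balance", f"debits {debits} != credits {credits}"))
    return findings


def failed_checks(entry, today, last_voucher_no):
    """Names of the checks an entry fails, in the order they were detected."""
    return [name for name, _ in check_entry(entry, today, last_voucher_no)]


# Constructed sample entries.
TODAY = date(2024, 3, 5)
GOOD = {"voucher_no": 102, "date": date(2024, 3, 1), "lines": [
    {"account": "1200", "side": "D", "amount": "500.00"},
    {"account": "4000", "side": "C", "amount": "500.00"}]}
ONE_SIDED = {"voucher_no": 102, "date": date(2024, 3, 1), "lines": [
    {"account": "1200", "side": "D", "amount": "500.00"}]}
BAD = {"voucher_no": 105, "date": date(2024, 4, 1), "lines": [
    {"account": "9999", "side": "D", "amount": "250.00"},
    {"account": "4000", "side": "C", "amount": "12x"}]}

if __name__ == "__main__":
    for label, entry in (("good", GOOD), ("one-sided", ONE_SIDED), ("bad", BAD)):
        print(label, failed_checks(entry, TODAY, 101))
```

The one-sided entry is the case the solution singles out for Item 1: if it were accepted, the trial balance would no longer balance.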

d. Note: Depending on the time period when this site (www.sota.com) is accessed, different and more current information about the software, BusinessWorks, can be found. Discussion groups may or may not be actively engaged in discussing internal controls at the time the exercise is done. The site as such provides only general information about the package, not specific to the internal controls. If every student is required to send an e-mail to obtain information about controls in BusinessWorks, too much duplication could take place, and responses may not be obtained. Perhaps groups/teams of students may be assigned to compile and evaluate controls in different accounting software packages. Please allow for several weeks of lead time for the students to accomplish the requirement.

e. Sage software home page has information on DAC software. This can be downloaded or you can request a CD containing relevant information for evaluation purposes. Neither of these sources may be adequate to fully evaluate the package. “Guide to Accounting Software for Microcomputers” and “Evaluation of Computer Software” produced several sources on the Web. The former search provided a more focused and limited number of items. Neither search produced anything that was clearly and directly relevant to the evaluation process, nor did it produce any results of evaluation of any software. Students should refer to other parts of the textbook, especially Chapter 14 (Systems Development) for information useful in conducting software evaluations. Also relevant to this exercise would be accounting trade publications and professional journals, such as the Journal of Accountancy.

f. A report to Perrin Remanufacturing Company’s management should include the following discussion:
• Justification for the change
• Criteria for selection
• Comparative analysis of BusinessWorks and DAC using the criteria
• Qualitative issues that are specific to the circumstances of the company and how BusinessWorks and DAC will address these issues.
• Summary of feasibility studies (economic, operational, time line, etc.)
• Recommendation

CHAPTER 9

Security for Transaction/Information Processing Support Systems

OBJECTIVES            DISCUSSION QUESTIONS                    PROBLEMS
5. SYNTHESIS          11, 12
4. EVALUATION         16                                      3, 4, 11, 12, 13, 14, 15, 18, 19
3. APPLICATION        [7], [10]                               1, 2
2. COMPREHENSION      2, 3, 4, 5, 6, 8, 9, 13, 14, 15, 17     5, 6, 7, 8, 9, 10, 16, 17
1. CONCEPTUALIZATION  1

[ ] Infoage

CHAPTER 9 SECURITY FOR TRANSACTION/INFORMATION PROCESSING SUPPORT SYSTEMS

DISCUSSION QUESTIONS

DQ 9-1. a. Accountants require only a basic understanding of the specific security measures relating to physical facilities and data. They should be aware of suitable security measures for both batch processing and on-line processing systems, be aware of their capabilities, be able to recognize their presence in particular computer-based systems, and be capable of ascertaining that they are functioning properly. However, they do not need to understand the detailed inner workings of passwords, cryptographic codes, and so on.

b. Accountants require a thorough knowledge and understanding of transaction controls, for computer-based as well as manual systems. Since transaction controls are necessary in order to generate accurate and complete information, these controls are consequently critical to accountants in the fulfillment of their responsibilities. For instance, when serving in their audit role accountants are expected to review and evaluate all of the transaction controls within the scope of their examination and to express opinions concerning their adequacy. In computer-based systems a particularly important set of transaction controls is the array of programmed checks employed within the transactions processing systems. Auditors may apply special audit techniques to assure the capabilities and overall adequacy of these programmed checks. DQ 9-2. If we were to think of internal controls and security measures as layers of protection within a firm, the most internal circle would be identified as application controls. The next outer circle would be general controls, which apply to all activities related to information processing. Both general controls and application controls comprise a major part of one dimension of internal control structure, called control activities. The next outer circle would be security measures. Without securing the building it would be difficult to safeguard the firm’s assets. Conceptually, the security measures are quite similar to general controls. Whereas general controls apply across the information system, security measures apply throughout the organization, including information systems. For example, at a university, access to a college building is a matter of adequate security measures, but access to a computer center’s tape library is a matter of general controls. Parking lot access and protection of a dignitary visiting campus are matters of security measures, not general controls. 
Both general controls and security measures are complementary control activities with a difference in scope. Consequently both use techniques and procedures that often are similar in nature. DQ 9-3. An online processing system possesses certain features that can cause difficulties in maintaining an effective control structure. These features, which require the construction of a tight Web of controls and security measures over the input stage, include the following:

a. Greatly extended accessibility, via remote terminals, to the system data bases and processors.
b. Increased fragmentation of the audit trail, due to less dependence upon source documents, transaction listings, and summaries.
c. Extremely high reliance upon automation and integration, with less opportunity for the application of human judgment.

DQ 9-4. a. Ensure the privacy of confidential information in an immediate processing system:
• Utilize user ID and authentication to prevent inappropriate personnel and outsiders from viewing confidential information.
• Enforce access control lists to allow only authorized users to have access to confidential information.
• Protect sensitive data by encryption.
• Confidential information should be destroyed after the need has expired.
• Use access control software to restrict and monitor access to records.
• Use a log to track movement of data files, programs, and documentation.
• Implement automatic lockup of terminal after several attempts to access system by unauthorized users.

Ensure only authorized use is made of data within AIS:
• Utilize usage limitations to permit access to the specified file, records, or data elements to perform specified functions.
• Where appropriate, store data in Read-only Memory (ROM) format so that data cannot be altered.
• Review access to data to verify if access is consistent with the authorized use.

Generally, ensuring use of data for authorized purposes would be more challenging than ensuring data access to authorized personnel only.

DQ 9-5. This site answers all types of questions related to security and control of information systems. Frequently asked questions are listed in various categories, including the following:
• General Questions
• Running a Secure Server
• Protecting Confidential Data at Your Site
• CGI Script
• Safe Scripting in Perl
• Server Logs and Privacy
• Client Side Security
• Specific Servers

Within each of these categories, questions are listed that a viewer might ask and when a viewer double-clicks on the question, a detailed answer is provided. The information listed on this site can be very useful for internal and external auditors, for the site offers detailed information about security and control-related issues. Using this site, both internal and external auditors can gain a better understanding of the systems security environment.

DQ 9-6. There are many Web sites dealing with the issue of security of information systems, especially computer-based information systems. The following is a list of topics that suggests the type of information available at various sites:

• An initial checklist for establishing a secured network
• Various check lists that an administrator should cover when an intruder has been discovered
• Problems introduced by sharing files across a network.
• Security information specific to Windows NT.
• The problems of network packet capture and possible solutions.
• A listing of vendors and resources available

The selection of an on-line article would vary across students and over time, as the content is replaced at such sites. Although some articles can be too technical in nature, almost all of the articles are likely to be relevant to a professional accountant. This is because accountants are involved in the use, design, and evaluation of information systems that use information technology. Often, the accountants are also responsible for risk management, including risk exposures from using information technology.

A firewall is a system or group of systems that enforces an access control policy between two networks. The most important thing to recognize about a firewall is that it implements an access control policy. The firewall is a good security measure in that it protects confidential and harmful data from entering and exiting the network. The firewall can prevent outside intruders from getting access to a company’s network to distribute or manipulate information. Frequently, large companies are not only concerned with the justification of expenses related to “hooking up” to the Internet, but they are also concerned with the safety of doing so. A firewall provides not only real security - it often plays an important role as a security blanket for management.

DQ 9-7. Generally, the more complex the firm and larger the asset base of the firm, the greater the need for more sophisticated security measures. For such a firm, it is likely that elaborate, more expensive security measures are cost effective. Smaller firms or firms with simple environments can afford only limited, less elaborate security measures. The three firms identified in the question form a rough order of magnitude: the CPA firm being the smallest and less complex, Infoage in the middle, and a large company with mainframe computers as the largest firm.

Security for physical noncomputer resources

Protection from unauthorized access. Access controls include security guards, receptionists, fenced-in areas, grounds lighting, burglar and fire exit alarms, motion detection alarms, locked doors, closed circuit television monitors, safes, locked cash registers, locked file cabinets, and lockboxes in post offices. Large firms with expensive mainframes may find that a large number of these measures are needed to adequately protect its resources. A medium-size firm such as Infoage would find many of these too costly to implement, such as guards, receptionists, and television monitors. Other security measures, such as safes and vaults, insurance coverage, locked boxes, burglar and fire exit alarms are within the security budget of Infoage. Some of these latter measures may be cost justifiable for Ann Strong’s firm. Before she can decide what security devices are needed, Ann should determine if the relevant risks identified require such measures and if they are cost-effective. Two measures are generally useful for all size firms. One is close supervision of employees who handle assets, such as Infoage’s mailroom clerks who open mail containing currency and checks. The other is to affix nonremovable barcodes to assets such as office equipment, microcomputers, and production machinery.



Protection from disasters. Measures such as sprinkler systems and fireproof vaults are generally applicable to all firms, although their usage would be greater for larger firms. Protection from breakdown and interruptions. Protection of resources from breakdowns (preventive maintenance, for example) apply more to Infoage and the large company. Measures to protect from business interruptions apply to all firms in different degrees. Security for computer hardware facilities Protection from unauthorized access. The computer facilities should be physically isolated to the extent possible (mainframe-based operations may have more room to do so). The physical location should not be advertised, nor should it be visible from the street. Physical access to computer facilities should be restricted to authorized persons. In today’s computer environment, physical isolation may neither be possible nor enough. Where terminals are used for system access to users, it is necessary to limit their use to authorized activities, specific terminals, and designated time periods. Such restrictions are easy to implement even by a small CPA firm. Smaller companies such as Infoage or the CPA firm that utilize only one or a few microcomputers can prevent unauthorized access by a few other inexpensive measures, such as close supervision, locking the keyboard, and using card activated locks. Protection from disasters. To protect against disasters arising from acts of nature or human actions, larger-size firms utilizing expensive mainframe computers can spend huge sums to protect against disasters. The computer center should have proper water drainage, underfloor water detectors, water pumps, and sump pumps. The facility should be air-conditioned and humidity controlled, and should be constructed on a high terrain to minimize the threat of floods. The site should be constructed of fireproof materials and should contain a fireproof vault to serve as the library. 
Smoke detectors, fire alarm systems apply to all businesses; however, elaborate disaster prevention measures may not be necessary nor cost effective for small or medium-size firms. Protection from breakdown and interruptions. This is essential for the CPA firm, even more so for Infoage, and certainly critical for a large firm with mainframes. Very large firms often designate a position responsible for this function. Security over data and information Protection from unauthorized access to data and information. The principle of least privilege access should be enforced. This is likely to be cost effective even in a modest size organization with on-line, data base oriented systems. Protection from undetected access of data and information. This becomes more important for large firms with complex information systems involving many users and having access capabilities over the communication lines. Standalone microcomputers at the CPA firm are not linked for remote access. Infoage’s network needs to be protected using passwords, automatic lockout, and callback procedures. The large firm with a mainframe computer may resort to even more protective measures, such as encryption. DQ 9-8. Security and privacy are related and overlapping issues. Generally, security can be regarded as a broad concept or concern. Included in the objectives of security is the privacy or confidentiality objective. A secure system ensures the confidentiality of private information stored in the

system. In addition, a secure system would also address other concerns such as availability of data and system on an on-going basis. As Web-enabled systems become more prevalent, the systems environment tends to be virtual. This in turn creates a greater need to secure and protect confidential information. Therefore, protecting confidential information (about customers, employees, and other stakeholders) will become an even more important aspect of secured systems in the future.

DQ 9-9. The selection of an on-line article placed on the InfoWorld site would vary across students and over time, as the content is replaced at such sites. Although some articles can be too technical in nature, almost all of the articles are likely to be relevant to a professional accountant. InfoWorld dedicates space and time to the issue of security, and covers quite an array of issues and concerns in this area. The journal site also provides links to other useful sites and resources sharing the same concerns. InfoWorld is generous in its policies toward downloading and printing material from the journal. However, policies addressing the issue of downloading and printing of articles vary across sites. Some sources disallow printing, others might permit the printing of executive summaries, and still others would permit printing of almost everything on their site.

DQ 9-10. All companies, regardless of size or mode of processing, should implement the basic concepts of DCRP. Although it should cover all five components of DCRP, a local small CPA firm’s plan would be less formal, less structured, and less comprehensive. In comparison, Infoage’s plan may be more elaborate. Risk exposures at Infoage are greater than at the CPA firm. Therefore, more time and resources should be spent by Diane Varney and her task force at Infoage to develop a DCRP.

DQ 9-11. Most DCRPs focus on the recovery of essential operations, including computer- and communications-based processes. The emphasis is placed on things that can be predictably controlled. For example, the supplies needed, copies of programs and databases, hot or cold site availability are addressed thoroughly. The human element is ignored or less well addressed due to the following:

a. The thinking about systems and resources often misses the essential element, humans.
b. A possible assumption that people react to emergencies as well as they operate under normal conditions.
c. Implied understanding as to what it is that the organization is responsible to protect.
d. Incremental costs of the human element are minimal or not obvious. It is assumed that employees responsible to report for duties in the event of a disaster will be safe and available.

Most tests of a DCRP are likely to find that the discrepancies between the actual and expected outcomes are essentially due to a poor treatment of the human factor.

DQ 9-12.
1. Since computer- and communications-based systems are vital to a firm’s operations, it is difficult to make any progress in recovery without first recovering the system. It is assumed that the rest will follow if the systems are first recovered.
2. Loss of any other assets can be bearable. For example, the loss of an office building, if insured, could be met by renting office space or constructing a new building. The loss of data and computer applications could drive the firm to bankruptcy. It is often impossible to fall back to manual systems.
3. A primary purpose of all five components is to restore full operational capabilities. Consequently, the recovery is central to all other components of a DCRP (emergency, back up, test, and maintenance).

DQ 9-13. A risk analysis leads to a DCRP. It is not possible to prepare a cost-effective and complete DCRP without knowing what risk exposures are to be managed and the intensity and possible impact of each of the exposures. For example, if the region in which the firm is located never experienced an earthquake, it would be meaningless to plan the protection of computers from an earthquake. An assurance that the plan covers all major exposures identified by the risk analysis is also provided by the results of such analysis. Thus, the risk analysis step validates the DCRP and ensures its cost effectiveness.

DQ 9-14. Disaster Recovery Journal (DRJ) is a journal dedicated to publishing articles on disaster contingency and recovery planning. The journal publishes articles relating to the following areas:
• Project Initiation (e.g., Objectives and Assumptions)
• Functional Requirements (e.g., Fact Gathering)
• Design and Development (e.g., Designing the Plan)
• Implementation (e.g., Implementing the Plan)
• Testing and Exercising (e.g., Post-implementation Review)
• Maintenance and Updating (e.g., replanning)

These articles are useful to accountants and auditors in that they provide valuable information regarding disasters and the type of harm that could occur to the company as well as the people and how to prevent and recover from such disasters. Accountants and auditors can gain insights as to what the risks are and how to strengthen the control environment by understanding the issues related to disaster contingency and disaster recovery planning. Thus, they can appropriately plan their work after analyzing the business environment. Other types of information found on this site include:
• Job advertisements
• Chat room
• Products that are available
• Events (e.g., conferences)
• Glossary of terms
• Other links related to disaster contingency and recovery planning



DQ 9-15. Distributed computer networks differ substantially from centralized mainframe computers in their characteristics. Here are certain examples:
• Distributed networks depend heavily on communication throughout the network. This component adds a whole new dimension to risk exposures. In mainframe computers that are centralized, the risks due to communication are limited.
• Distributed networks are more complex because of a variety of hardware, software, and communication components involved. These resources typically are obtained from different vendors. Problems with the network can be attributable to a whole host of possible reasons, including the communication links that help form the network.
• There is much greater end-user involvement in distributed networks, causing problems due to lack of systems knowledge, other pressing tasks unrelated to the system, limited technical knowledge, and so forth.
• Physical security, although still important, does not help much in containing risk exposures in distributed networks.

A distributed computer network system must implement more security and controls due to the fact that a network consists of multiple interconnected hardware devices that automate critical accounting and business applications. It also connects firms to their customers and enables network users to access proprietary databases. Listed below are specific risk exposures related to the distributed network system:
• Loss of capability of transmitting and processing data because of equipment and software breakdowns, including bridge/router failure, cabling problems, or network operating system failure
• Loss of capability of transmitting and processing data due to power outages, viruses, theft, loss of key personnel, or natural disasters
• Unauthorized access of data through tapping of communications lines by vengeful ex-employees or hackers
• Unauthorized access of data by snooping employees via terminals and microcomputers in open and unprotected areas
• Numerous errors in data entry, such as accidental file deletions, owing to unsophisticated users who access the network at a variety of remote locations
• Errors in the main database due to uploading of unverified data from terminals and microcomputers to the host computer
• Fraud and errors as a result of weaknesses in controls at various remote locations within the network

DQ 9-16.
a. Locating the computer center in the basement:
Advantages:
• Isolation is a good way to reduce risk from intruders.
• Isolation will discourage access by disgruntled and unauthorized personnel.
Disadvantages:
• Computers should be in a cooler temperature environment with humidity control; the boiler room is hot and humid.



b. Placing windows around the center
Advantages:
• Glass is an additional barrier between unauthorized users and the computer system.
• Glass prevents intruders from hiding in the computer center.
• Cleaner, controlled environment can be maintained because of glass windows.
Disadvantages:
• A natural disaster such as an earthquake could shatter the glass and destroy the system hardware components.
• Unauthorized persons could break the glass and enter the computer room.
• Large glass windows “announce” the existence and location of the computer room, causing additional exposures.
c. Providing three entrances to the center
Advantages:
• Allows access into the computer center if intruders “block” one of the other entrances.
• Faster exiting structure in case of fire.
Disadvantages:
• Increased risk exposure by allowing more possible entrances for intruders.
• More personnel/devices are needed to guard the computer center.

DQ 9-17. An enterprisewide computer network interconnected by local-area and wide-area networks is likely to face the following vulnerabilities:
• Loss of capability of transmitting and processing data because of equipment and software breakdowns, including bridge/router failure, cabling problems, or network operating system failure
• Loss of capability of transmitting and processing data due to power outages, viruses, theft, loss of key personnel, or natural disasters
• Unauthorized access of data through tapping of communications lines by vengeful ex-employees or hackers
• Unauthorized access of data by snooping employees via terminals and microcomputers in open and unprotected areas
• Numerous errors in data entry, such as accidental file deletions, owing to unsophisticated users who access the network at a variety of remote locations
• Errors in the main database due to uploading of unverified data from terminals and microcomputers to the host computer
• Fraud and errors as a result of weaknesses in controls at various remote locations within the network

Security measures that should be taken include the following:
• Appoint a security administrator with wide ranging system security responsibilities.
• Encrypt messages that contain confidential information.
• Establish and enforce effective user-identification and user-authentication policies.
• Utilize error detecting and correcting procedures and/or devices.
• Plan and implement back up and recovery procedures.
• Place hardware components in protected and restricted locations.



• Use systems software that is write-protected and that performs parity checks, echo checks, and other software checks.
• Use a network audit system (NAS) or a network management system (NMS) software package to monitor network resources, compile reports on server performance, detect systems breaches, and monitor the network server administrator.
• Validate inputs to detect and correct, or prevent data input errors.
• Maintain standardized documentation and procedures throughout the network server site.
• Provide proper training to users and information technology staff.
• Provide close supervision at each remote site.
• Limit access to vulnerable network server entry points.

PROBLEMS

9-1. a. Several risks to the proposed network system are as follows:
• Loss of capability of transmitting and processing data because of equipment and software breakdowns, including bridge/router failure, cabling problems, or network operating system failure
• Loss of capability of transmitting and processing data due to power outages, viruses, theft, loss of key personnel, or natural disasters
• Unauthorized access of data through tapping of communications lines by vengeful ex-employees or hackers
• Unauthorized access of data by snooping employees via terminals and microcomputers in open and unprotected areas
• Numerous errors in data entry, such as accidental file deletions, owing to unsophisticated users who access the network at a variety of remote locations



• Errors in the main database due to uploading of unverified data from terminals and microcomputers to the host computer
• Fraud and errors as a result of weaknesses in controls at various remote locations within the network
Risks can have a major impact on the overall survival of a company. The failure to properly address these issues and implement appropriate security measures could allow employees and hackers to commit fraud and destroy confidential proprietary information.
b. Risks that could be overcome by the planned applications include:
• Loss of customers due to unavailability of information
• Lack of timely information for effective management of operations
• Risks of stockouts/overstocks or obsolescence
c. Passwords for accessing the system should be given to the couple who is about to get married. Of course, the couple is expected to share the passwords with their relatives and friends. However, the couple and all potential customers should be warned about sharing the password only on a need-to-know basis. Customers should not have access to information regarding other “soon-to-be-married” couples. Access control lists should be maintained to list authorized customers who are allowed to use the system. Information regarding the online gift registry should be archived after the passage of an appropriate amount of time following the event (marriage).
d. Unauthorized persons might attempt to gain access to confidential data through tapping of leased lines. To counteract this wiretapping of the communication lines, the firm could protect data through encryption. This technology allows information to be encoded at the sending point, transmitted in the coded form, and then decoded at the arrival at the receiving end. The firm should also install a firewall to prevent unauthorized people from coming through the Internet into the organization’s private network.

9-2. The risks of placing the mission-critical HR applications on the intranet include the following:
• Outsiders could gain access to the firm’s Intranet and view sensitive information.
• Unauthorized employees may be able to manipulate and alter the information within the HR applications.
• Unauthorized employees could purchase company stock under a different employee’s account.
• Due to systems failure, the application program may become unavailable or data might be lost.

a. Security measures that MCI should implement to ensure the confidentiality of the HR database include the following:
• Install a firewall to prevent unauthorized users, including outsiders, from gaining access to the Intranet information.
• Utilize user identification and authentication measures. Each employee should be able to access only his/her records, and not anyone else’s.
• Encrypt password data stored in the system.
• Install a disk mirroring technique to provide real-time data protection and improve data availability.



• Keep an activity log to take “snapshots” of transaction changes within the database in case of update failure.
• Utilize automatic lockups to lock a terminal after several failed attempts have been made to access the system from the terminal.
• Encrypt sensitive data.
• Conduct employee awareness programs to maintain systems security.

9-3. a. Both means of communication are exposed to unauthorized access (e.g., through wiretapping) by others to the firm’s data. Communication pathways that are shared pose a greater challenge than those that are owned or leased for dedicated use. Regardless of the specific means of data communication, there are two orientations to security measures involved in data communication. First, measures should be taken to protect data from falling into wrong hands. Second, in the event that data fall into wrong hands, they should be in a condition that renders such data difficult, if not impossible, to use. The first goal would require measures such as dial back procedures and user identification and authentication. The second goal is largely achieved through data encryption.
b. Security measures to minimize the likelihood of entering fictitious orders from the store terminal include the following:
• Implement authentication procedures to approve the authenticity of users during log on.
• Utilize the principle of least privilege access.
• Keep an access log of all attempts to place the order including the name and employee number of the person placing the order. Have security staff regularly review such logs and take corrective actions, where appropriate.
• Design internal controls to prevent possible fraudulent actions, such as ordering the merchandise in unusual quantities, ordering merchandise that already exists at the sourcing store, or requesting delivery at a location other than the store (street address or post office box).
c. Diskless workstations could increase security because they prevent:
• unauthorized persons from copying confidential files onto disks
• the uploading of inappropriate files
• virus infection from uploading files
• use of unauthorized or unlicensed software or data

9-4. (Adapted from the CMA Examination, December 1984, Part V, Question No. 6)
a. 1. The four areas of vulnerability are hardware, software, people, and the computer network. Risk exposures for these areas and the degrees of exposure are as follows:
(1) The equipment comprising the hardware could be damaged due to such occurrences as fires, floods, power outages, or malicious acts. Overall, the exposure to these risks is moderate; although the equipment has a high value, the likelihood of fires and other occurrences is relatively slight.
(2) Unauthorized changes could be made to the software, thereby adversely affecting its reliability and efficiency or creating an undesirable benefit (such as fraudulent appropriation of funds) for some perpetrator. Overall, the exposure to these risks is moderate; although the effects of changes could be costly to the firm, only a relatively few persons possess the programming skills needed to make changes.
(3) Unauthorized employees and other persons could gain access to confidential data.



Overall, the exposure to this risk is great, since numerous persons would have the opportunity to use the terminals or other online devices. Furthermore, such persons could possibly create great losses, e.g., by eliminating the balances due from customers.
(4) Data could be intercepted (tapped) as messages are transmitted via the computer network. Overall, the exposure to this risk is moderate; while the interception of confidential market plans and financial results could be costly, much of the data for the firm is not transmitted and thus subject to interception. Also, relatively few persons have the skill and equipment to perform taps.
2. Control procedures for the above risk exposures are as follows:
(1) Place the computer facility in a location that is above flood level and that is not easily accessible to most employees; install a fire deterrent system such as FM 200 gas or sprinklers.
(2) Establish a sound procedure for making changes to software; allow changes to be made only through a special terminal; maintain a log of all computer software changes.
(3) Assign passwords to authorized users that restrict the access to only those data sets needed by the users.
(4) Encrypt confidential data during transmission or employ transmission lines that are fully secured against taps.
b. 1. Aidbart should have a contingency plan for recovering from natural and human-made disasters that affect not only its computer processing capabilities but also its critical business operations. A disaster contingency and recovery plan should enable Aidbart to respond to disasters without suffering irreparable damages. When a complex, computer-based system is used, as in the case of Aidbart, the importance of such a plan is even greater, for the computer-based processes (inputs, programs, hardware, media, etc.) will have to be recreated in the event of a loss of the system or any of its components.
2. The five major components of a contingency plan are: emergency, backup, recovery, test, and maintenance plans. The emergency plan provides guidelines to follow during and immediately after a disaster. A backup plan ensures that key employees, vital records, and alternate backup facilities are available to continue business and data processing operations. A recovery plan ensures that a skilled recovery team is formed to reconstruct and restore full operational capabilities. The purpose of the test plan is to uncover and correct defects in the DCRP before a real disaster occurs. A maintenance plan devises guidelines ensuring that the entire plan is kept up-to-date.

9-5. a. Require that all bids, for purchases exceeding a certain material amount, will be opened and reviewed by a committee, not an individual. Procedures and policies to be followed in the bidding process and in arriving at the award decision should be documented and followed. Adopt and implement a code of conduct that clearly specifies rules regarding receipt of gifts from internal or external parties, and consequences for the violation of these rules.
b. Provide for constant supervision over all cashiers. Cameras can also be used for surveillance. Adopt and implement a code of conduct and specify consequences for violations of the code.



c. This is a low impact, high controllability situation, and it would be best to resist overcontrolling the petty cash. Periodically conduct a surprise audit of randomly selected vouchers to verify if the recipient existed and the payment was valid.
d. Require a written consulting contract, which must be approved by both the end-user function as well as a higher level manager responsible for the function. It may also be necessary to have other departments endorse the contract, for example, the information systems function in the case of outsourcing information management needs of a user department. Services rendered should be certified or acknowledged by the user department, which must also endorse the invoice for payment.
e. Rules regarding the use of frequent flier miles collected during job-related travel must be clearly delineated and communicated. Practice varies across organizations.
f. The bookkeeper should not have access to cash. All payments above a certain amount must be approved by higher levels of management. Miscellaneous payments should have a ceiling (e.g., $100); any amount larger than the ceiling must be requested using the proper procedure. Even miscellaneous expenses should be supported by receipts to be turned in at the time of requesting payment.
g. This is a very common scenario. It can happen with supplies, steaks, metal, or any other type of inventory. Establish standards for disposal of all trash. Keep very few, closely monitored trash containers. Parts of the store should be under surveillance, using cameras, by security guards. Conduct a surprise check of the trash containers periodically. Adopt and implement a code of conduct.

9-6. a. Provide adequate physical protection of the computer center, including fireproof roofing and siding, fireproof vault, smoke detectors, fire alarms, and an automatic extinguisher system employing FM 200 gas. Also, store duplicate copies of data files at a site physically removed from the computer center and establish a contingency and disaster recovery plan.
b. 1. If the files are stored on magnetic tape, apply the grandparent-parent-child backup procedure.
2. If the files are stored on magnetic disk, apply the periodic dump and reconstruction procedure.
c. Keep the central tool room locked, with admission restricted to tool room personnel.
d. Install a lockout, a software feature that prevents two or more users or programs from accessing the same data concurrently.
e. 1. Employ a tape file protection ring, so that data cannot be written on the tape.
2. Employ an internal header label check, which would show in this case the label for the tape that was designated as the input file (rather than the label for the accounts receivable master file).
f. Develop and implement a contingency and disaster recovery plan.
g. Invest in creating an uninterrupted power supply for the computer. Backup power supply is a typical feature of many critical computer installations.
h. Maintain a distribution log that specifies who is to receive each output from the computer system, especially confidential reports.
i. Make a backup copy of the employee payroll file and store it at an off-site location.
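The grandparent-parent-child procedure (9-6 b) and the internal header label check (9-6 e) can be seen working together in the following added example, which is not part of the solution manual. The file labels, account numbers, and amounts are constructed, and the class and function names are assumptions made for illustration.

```python
from dataclasses import dataclass


class LabelMismatch(Exception):
    """Raised when the mounted file's header label is not the one the job expects."""


@dataclass(frozen=True)
class MasterFile:
    label: str        # internal header label written at the start of the file
    generation: int   # 0 = first master, each update run adds one
    balances: tuple   # sorted (account, balance) pairs; never rewritten in place


def header_label_check(mounted, expected_label):
    """Refuse to process a file whose internal label differs from the job's."""
    if mounted.label != expected_label:
        raise LabelMismatch(f"mounted {mounted.label!r}, job expects {expected_label!r}")


def update_run(parent, transactions, expected_label):
    """Read the parent master plus a transaction file and write a NEW child master."""
    header_label_check(parent, expected_label)
    balances = dict(parent.balances)
    for account, amount in transactions:
        balances[account] = balances.get(account, 0) + amount
    return MasterFile(parent.label, parent.generation + 1, tuple(sorted(balances.items())))


class GenerationStore:
    """Retains grandparent, parent, and child, plus the transaction file behind each."""

    KEEP = 3

    def __init__(self, first_master):
        self.masters = [first_master]
        self.transaction_files = {}   # child generation -> transactions that produced it

    def run(self, transactions, expected_label):
        child = update_run(self.masters[-1], transactions, expected_label)
        self.masters.append(child)
        self.transaction_files[child.generation] = list(transactions)
        # Release generations older than the grandparent, with their transaction files.
        for old in self.masters[:-self.KEEP]:
            self.transaction_files.pop(old.generation, None)
        self.masters = self.masters[-self.KEEP:]
        return child

    def reconstruct(self, lost_generation):
        """Rebuild a damaged master by rerunning its transactions against its parent."""
        parent = next(m for m in self.masters if m.generation == lost_generation - 1)
        return update_run(parent, self.transaction_files[lost_generation], parent.label)


def demo():
    # Constructed sample data: an accounts receivable master and four daily runs.
    store = GenerationStore(MasterFile("AR-MASTER", 0, (("C100", 500), ("C200", 120))))
    days = [[("C100", -200)], [("C200", 80), ("C300", 40)], [("C100", 50)], [("C300", -40)]]
    for transactions in days:
        child = store.run(transactions, "AR-MASTER")
    retained = [m.generation for m in store.masters]
    rebuilt = store.reconstruct(child.generation)   # pretend the child was destroyed
    wrong_file = MasterFile("PAYROLL-MASTER", 7, (("E1", 1000),))
    try:
        update_run(wrong_file, days[0], "AR-MASTER")
        rejected = False
    except LabelMismatch:
        rejected = True
    return retained, rebuilt == child, rejected, dict(child.balances)


if __name__ == "__main__":
    print(demo())
```

Reconstruction only works while the parent and the transaction file are retained, which is why 9-11 e asks that at least one ancestor be stored away from the computer site.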

9-7. a. Provide adequate security over data by employing such security measures as follows:
1. Assign passwords that must be entered before files can be accessed.
2. Employ a callback procedure that verifies whether the caller is accessing the system from an unauthorized terminal.
3. Encrypt all stored data that are classified or confidential.
4. Employ an access log that detects and records all attempts to access the database.



b. Maintain an access log that shows all accesses by the computer operator and changes made to master files.
c. Restrict access of employees to only those files for which they have a legitimate need. This restriction may be achieved by assigning a password that enables a warehouseman to obtain access only to files pertaining to warehousing operations.
d. Maintain an access log that shows all accesses by payroll personnel and changes made. (Other security measures, such as limitation on terminal functions and passwords, would not be effective in this situation, since payroll clerks need access to salary records to perform their assigned duties.)
e. Improve password security. Require a callback procedure to determine if the caller is using the authorized line of communication. Implement a control matrix to define different types of access authorizations: view only, print, modify, etc. Maintain a transaction log that records all transactions entered, terminal identification number, and time of the entry. Minimize or eliminate interfaces between academic and administrative computing.
f. Provide adequate security over the tellers’ terminals by employing such security measures as follows:
1. Lock all terminals after working hours, so that they cannot transmit data to the central database.
2. Assign passwords that must be entered before files can be accessed.
3. Employ a transaction log that records all transactions entered from terminals, including the times of entry.
g. Lock all terminals after working hours, so that they cannot access any data from any of the files. Maintain passwords and other access controls. Authorization to print sensitive files should be limited to certain terminals only. Highly sensitive files and strategic information should be kept off-line.
h. Deny access, disconnect line, and notify security if the password entered is not valid within the first three attempts. Employ call-back procedures. Maintain sophisticated access controls at file levels. Encrypt confidential data.
i. Access privilege must be “Read Only.” Uploading of any data, programs, or executable files in any form should be denied. Where this must be permitted, such inputs must be isolated and screened prior to use; under no conditions should such inputs be allowed to change existing systems. As in the case of Microsoft, no matter how many Web addresses are maintained, there should be a single address for all outside parties.
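Several of the 9-7 controls combine naturally in one access-control component: the control matrix and transaction log of item e, the after-hours terminal lock of items f and g, and the three-attempt rule of item h. The following added example is not part of the solution manual; the user names, terminal identifiers, passwords, and working hours are constructed, and the class design is an assumption.

```python
import hashlib
import hmac
import os
from datetime import datetime, time

MAX_ATTEMPTS = 3                                  # 9-7 h: three invalid passwords
WORK_START, WORK_END = time(8, 0), time(18, 0)    # assumed working hours


def _hash(password, salt):
    # Passwords are stored only as salted PBKDF2 hashes, never in clear text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccessController:
    def __init__(self):
        self.users = {}       # user -> (salt, password hash)
        self.matrix = {}      # control matrix: (user, file) -> allowed actions
        self.failures = {}    # terminal -> consecutive invalid passwords
        self.locked = set()   # terminals disconnected until security clears them
        self.sessions = set() # (user, terminal) pairs currently logged in
        self.log = []         # access and transaction log
        self.alerts = []      # notifications raised to security

    def add_user(self, user, password, grants):
        salt = os.urandom(16)
        self.users[user] = (salt, _hash(password, salt))
        for file, actions in grants.items():
            self.matrix[(user, file)] = set(actions)

    def _record(self, when, terminal, user, event, detail=""):
        # Every attempt is logged with time of entry and terminal identification.
        self.log.append((when.isoformat(), terminal, user, event, detail))

    def login(self, user, password, terminal, when):
        if terminal in self.locked:
            self._record(when, terminal, user, "DENIED", "terminal locked")
            return False
        if not (WORK_START <= when.time() < WORK_END):
            self._record(when, terminal, user, "DENIED", "outside working hours")
            return False
        salt, stored = self.users.get(user, (b"\0" * 16, b""))
        if hmac.compare_digest(_hash(password, salt), stored):
            self.failures[terminal] = 0
            self.sessions.add((user, terminal))
            self._record(when, terminal, user, "LOGIN")
            return True
        count = self.failures[terminal] = self.failures.get(terminal, 0) + 1
        self._record(when, terminal, user, "BAD_PASSWORD", f"attempt {count}")
        if count >= MAX_ATTEMPTS:                 # deny, disconnect, notify security
            self.locked.add(terminal)
            self.alerts.append((when.isoformat(), terminal, user))
        return False

    def request(self, user, file, action, terminal, when):
        allowed = ((user, terminal) in self.sessions
                   and action in self.matrix.get((user, file), set()))
        self._record(when, terminal, user, "ALLOW" if allowed else "REFUSE",
                     f"{action} {file}")
        return allowed


def demo():
    ac = AccessController()
    # Constructed users: a warehouseman limited to warehousing files, a payroll clerk.
    ac.add_user("w_lee", "constructed-pw-1", {"inventory": {"view", "modify"}})
    ac.add_user("p_ortiz", "constructed-pw-2", {"payroll": {"view", "print", "modify"}})
    day = datetime(2024, 3, 4, 10, 0)
    results = {
        "login": ac.login("w_lee", "constructed-pw-1", "T1", day),
        "inventory_modify": ac.request("w_lee", "inventory", "modify", "T1", day),
        "payroll_view": ac.request("w_lee", "payroll", "view", "T1", day),
    }
    for guess in ("a", "b", "c"):                 # three invalid passwords on T9
        ac.login("p_ortiz", guess, "T9", day)
    results["after_lockout"] = ac.login("p_ortiz", "constructed-pw-2", "T9", day)
    results["after_hours"] = ac.login("w_lee", "constructed-pw-1", "T1",
                                      day.replace(hour=22))
    results["alerts"] = len(ac.alerts)
    results["locked"] = sorted(ac.locked)
    return results, ac.log


if __name__ == "__main__":
    outcome, log = demo()
    print(outcome)
    for entry in log:
        print(entry)
```

As 9-7 d points out, the matrix cannot stop a payroll clerk who legitimately holds modify rights, so in that case the log is the control and it only works if someone reviews it.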

9-8. a. Fired employees whose duties are in highly sensitive areas should be asked to leave the premises right away. In fact, the employee should be escorted by security to the door. Also, all passwords and other means of access that belong to the employee must be canceled immediately.
b. Identify and eliminate the virus. Re-load backup copies of the lost data. Develop and enforce a policy to prevent viruses from affecting the system (e.g., precautions regarding uploading data or programs from a floppy disk).
c. Make the computer physically secure. Keep backup copies of data and programs as well as documentation.
d. Access to a centralized computer system must be severely restricted. Everyone authorized to enter the installation must have the number to enter on the keypad installed outside the installation to enable the access door to open. Even the premises in which the installation is located must be subject to heavy security, so that no one unauthorized enters the building. To correct the situation in the event of such a disaster, the firm must develop and implement a disaster and contingency recovery plan.
e. Restrict access to the computer facilities. Specifically, prohibit visitors from entering the computer room and require the use of badges or other security measures (such as voice patterns) to gain entrance. Also, employ a data librarian whose responsibilities include the issuance of data and program files to computer operators under a strict checkout procedure.
f. Identify and watch carefully disgruntled employees who are employed in sensitive jobs. Reassign them, if necessary, and limit or eliminate their access to the network. If a loss occurs, the firm will have to rely on contingency and disaster recovery plans to regain operational capabilities.
g. Establish standards for disposal of all trash, especially sensitive material, in the information systems area. Keep the trash container within the building. Parts of the building should be under surveillance, using cameras, by the security guards.

9-9. a. Establish access controls. Change passwords often. For all dial up linkages from remote locations, require a callback procedure. Remove all sensitive data from the on-line computer. In the event that the data still get in the hands of competition, render them useless by storing them in the encrypted form.
b. Change codes frequently. Take precautions against wiretapping. Monitor all remote accesses to the system, and limit the time and terminal from which specific types of transactions can be processed. Encrypt the codes.
c. Establish proper check out procedures. Require a log of all equipment checked out, and include information in the log such as the date of check out, expected date of return, purpose of the equipment use while it remains checked out. Have both the employee and the employee’s supervisor sign the log.
d. All of the software should be protected so that it cannot be downloaded. Any attempt by a user to download a software must be logged, and the log should be reviewed by those responsible for system security and intellectual property. The firm should adopt and implement a code of conduct.
e. Restrict programmer access to what they are authorized to develop or modify. Programmers should be allowed no access to any of the data files in the system operations area. Restrict data modifications privileges to only those who need them, and identify those also with their terminals. Require the system to not accept data outside of defined hours.
f. Develop, adopt, and enforce policies and procedures to acquire, install, and inventory all copies within the firm. Penalize those found using unauthorized copies, reward those who identify unauthorized copies in use within the firm. Adopt and implement a code of conduct.
g. Restrict access of executives to only those data and information they are supposed to use. Restrict data update and modification privileges to only those who enter the policy transactions. All policies—and at least policies with material amount of coverage if not all policies—must be independently verified for existence of the policy, the identity of the insured, etc. Finally, the internal audit section should have performed an analytical review of growth in policies and, given the changes, should have further investigated the matter.
h. Change access codes frequently. Take precautions against wiretapping; require callback procedures when remote access is attempted. Terminate the line after three attempts to access have been made, and alert security. Monitor all remote accesses to the system, and limit the time and terminal from which specific types of transactions can be processed. Encrypt sensitive files, or store them off-line when not in use.
i. Ask an appropriate steering committee to set policies and procedures regarding whether or not games should be installed on the firm’s systems. If installed, under what conditions are the employees allowed to access and play such games. Alert supervisors that they should consider evaluating workloads on their direct reports and eliminate any waste of time involved.



j. All passwords and other means of access that belong to the employee must be canceled immediately. Establish and maintain strict access controls. Change passwords often. For all dial up linkages from remote locations, require a callback procedure. Remove all sensitive data from the on-line computer. In the event that the data still get in the hands of a former employee, render them useless by storing them in the encrypted form.
k. Identify and eliminate the virus. Re-load backup copies of the lost data. The data base administrator (DBA) should log off when away from the DBA’s computer, since it usually is a powerful computer with comprehensive and system-wide privileges assigned under the DBA’s password and user identification.
l. Implement security measures to prevent wiretapping. Remove all sensitive data from the online computer. In the event that the data still gets in the hands of competition, render them useless by storing them in the encrypted form.

9-10.
a.
• Encrypt credit card data to prevent unauthorized persons from using the information.
• Install a firewall to prevent hackers from entering the network.
• Protect from or minimize losses through appropriate insurance coverage, if available.
b.
• Have backup servers and databases to maintain duplicates of data.
• Hire a security administrator or promote from within the organization to deal with security issues in a dedicated manner.
• The Internet access should be provided only on a need-to-know basis. For authorized users, monitor access to unusual sites.
• Access to networks should be restricted. Uploading programs and data on the network should be restricted and incoming programs/data should be first isolated and checked (e.g., for viruses) before use.
• All network accesses (including attempts to access) should be logged, and the security administrator should review the log for unusual activities.
c.
• Install a firewall to prevent hackers from entering the network.
• Use system software that is write-protected to ensure that the Web server software is not altered.
• Access to networks should be restricted. Uploading programs and data on the network should be restricted and incoming programs/data should be first isolated and checked (e.g., for viruses) before use/execution.
d.
• Encrypt data to prevent unauthorized persons from using the information.
• Install a firewall(s) to prevent hackers from entering the network.
• Utilize access control software to restrict and monitor data and file access.
• Hire experienced personnel to detect hacking.
• Utilize systems-triggered alarms/alerts.
• Keep highly confidential and sensitive data off the system.

e.
• Utilize effective anti-virus software and scan all executable files.
• All attachments to e-mail messages should be carefully reviewed. Do not open any executable files without proper investigation of what it does.
• Any measure that would have system-wide impact should be re-examined by another knowledgeable party before its use.
f.
• Implement a disaster contingency and recovery plan.
• Assess the types of disasters that could occur and determine how to prevent the loss of systems availability in each case.
• Have backup servers, programs, and databases (that is, the entire system) in at least one other location. These are called hot sites (where a duplicate system can take over with little delay) or cold sites (where the system can be configured within a reasonable time). Independent companies run such sites.
g.
• Install a firewall to prevent hackers from entering the network.
• Use system software that is write-protected to ensure that the Web server software is not altered.
• Isolate all revisions to the Web content for review and approval prior to its use. No exceptions.
h.
• Utilize effective anti-virus software and scan all executable files prior to their use.
• No programs or executable files can be loaded on the network. Only the network administrator should have that privilege.
• Increase employee awareness of the risks of using programs available on the Internet.
• Advise employees not to access certain sites. Impose heavy penalties for deviations.
i.
• Confidential information should only be accessible by authorized persons.
• Information meant for internal use should be kept on an intranet.
• Individuals accessing the Web site should have access to only publicly available information. The http address should not enable them to browse information with restricted access (e.g., to employees).

9-11. (Adapted from the Certified Internal Auditor Examination, November 1982, Part IV, Question No. 36)

a. A weakness exists, since too many persons with noncompatible duties have access to the computer room. To correct this deficiency, the firm’s policy should be changed to allow access only to computer operators and other information systems employees having assigned duties that can only be performed in the computer room. To implement this policy, the computer room door(s) should be kept locked. Also, closed circuit television may be installed at security guard stations.

b. This is a weakness. Those who have been authorized to access the servers are, by the nature of their job responsibilities, going to need access to the servers. Only a designated network administrator should be authorized access to the servers. All others should have access to network nodes (or clients) to perform their tasks.

c. Both a strength and a weakness are present. Having the vault door locked at night and two persons directly responsible for opening the door is a strength, since a locked vault provides greater security. Allowing all information systems personnel to know the vault’s combination is a security weakness. To correct this weakness, allow only two employees to know the combination, with one of the employees preferably being the tape or data librarian.

d. This is a strength and a weakness. To back up files is a critical operation in the process of recovery of files that might get lost or damaged in the future. However, backups must be done according to the needs of each file or data set. For example, certain files may need to be backed up much more frequently, whereas others can be backed up at monthly or even longer intervals. This weakness can be corrected by determining and following a backup schedule based on relevant variables, such as frequency of update to the file, criticality of the file for the business operations, etc. Another weakness lies in the fact that the backup tapes are kept in the same vault at the same location where regular copies of files are stored. In the event of a fire or other catastrophe, the backup files would also be lost. To correct the weakness, backup files should be stored at a remote location.

e. Both a strength and a weakness are present. The grandparent-parent-child retention cycle is a desirable practice, since it provides adequate back-up files. However, storing all ancestors in the vault is a weakness. At least one ancestor file should be stored remote to the computer site.

f. Both strengths and weaknesses are present. The strengths derive from the duties of the administrative manager, since they represent sound planning, coordinating, and supervising activities. In addition, the review of program modifications provides control over programmers’ work and hence a barrier to unauthorized or unsound program changes. On the other hand, the duties assigned to the administrative manager are too broad, since he or she is oriented primarily to data processing. A separate manager, located in the systems development area of the information systems function, rather than the data processing area, should supervise programmers and analysts and review modifications to programs.

g. Both strengths and weaknesses are present. The flexible time schedules are a strength, since they tend to motivate employees and hence lead to increased productivity. Also, debugging and testing at night is desirable, since the added load would not strain the computer system’s capacity (as it might if debugging and testing were performed during the day). The weaknesses also concern flexible work schedules. For better control, the programmers should not be allowed to operate computer equipment; instead, the computer operators should run all programs, even testing programs, in order to maintain adequate segregation of duties.

h. Several weaknesses exist in this procedure. (1) Systems development is initiated by the data processing manager, whereas it should be initiated by the users. (2) Priorities are set by the data processing manager, whereas they should be set by the steering committee. (3) All costs of development work are absorbed by the information systems function, whereas they should—when feasible—be allocated to the benefiting departments in accordance with a fair rate. (4) The long-range plan has remained unchanged since last year, whereas it should be revised at least quarterly.

i. Assigning each program to one programmer is a weakness, since it minimizes the opportunity for the optimal division of duties and for cross-checking the developed programs. Thus, the person who codes a program should not solely test and document the program. At least two programmers should be assigned tasks relative to each program. The responsibility for documentation should be clearly defined, with criteria (so that documentation standards are followed) and deadlines (so that the documentation is produced soon after the program is developed and tested). If programmers are busy, sufficient support should be provided to them so that the documentation can be produced. Some of the documentation can be online, and such documentation can be developed along with the application development. The practice of obtaining verbal instructions from programmers should be discontinued. Finally, it is a weakness to keep the only copy of the documentation in the vault. In the event of fire or other natural disasters, the documentation would be lost, damaged, or may not be accessible. A backup copy of the documentation should be stored at a remote site.

9-12.

a. Effective control and security measures that are currently employed by the firm include:
1. Extensive documentation.
2. An approval process for passwords.
3. A user authorization table.
4. A transactions-conflict matrix.
5. Validation of user requests for data.
6. Required use of passwords to access data.
7. Maintenance of terminal activity logs.
8. Editing of terminal input data.
9. Precomputation and reconciliation of batch control totals.
10. Reconciliation of processing control totals to changes in the database.
11. Reconciliation of output results to transaction control totals.
12. Preparation of backup copies of the data base on a daily basis.

b. From an overall perspective, the listed general controls are weak as compared to the transaction controls. In fact, the latter appear to be relatively strong, since the majority of the items listed above affect inputs, processing, and outputs. Thus, a conclusion is that the general controls and security measures need to be strengthened. Specific general control weaknesses are:
1. The lack of a data base administrator who is separate from computer operations and computer programming.
2. Unrestricted access to system documentation, which should be available only on a “need-to-know” basis.
3. Unrestricted physical access to terminals, which should be accessible only to those whose duties require their use.
4. Uncontrolled distribution of printed outputs.

9-13.

a. Important questions to ask include:
1. Who is responsible for information security?
2. Is there a policy on information security?
3. What information do you consider sensitive?
4. What activities generate sensitive information?
5. Where are these activities performed?
6. Who performs these activities?
7. Who has access to sensitive information?
8. Have any procedures been established for handling sensitive information?
9. Are there any plans to improve information security?
10. What controls exist to protect sensitive information?

b. On-line sales transactions pose the following risks:
1. Monitoring of phone lines by competitors.
2. Loss of data in event of phone line failure.
3. Unauthorized access of main computer data banks from the store’s own personal computers.
4. Unauthorized access of main computer data banks by tapping into phone lines.
5. Transmission errors due to noise on the phone line.

c. Controls for each of the risks cited in (b) are, in order:
1. Encryption of transmissions.
2. Backup on-site capability.
3. Password protection.
4. Encryption of transmission or password protection.
5. Parity bit or confirmation feedback.

9-14.

A. At least four computer security weaknesses that existed at MailMed Inc. prior to the flood occurrence include:
• systems documentation being prepared only when time is available; consequently, documentation will likely be incomplete and not current.
• the systems and programming staff having access to the computer room without supervision of the operation staff; programmers could alter data files or operational programs.
• the location of the facility on the ground floor behind large plate glass windows which invites attention and possible exposure risk, as well as failure to protect against flooding.
• no regularly scheduled backups being prepared, thus exposing the company to loss of data processed between backups.

B. At least five components that should be incorporated in a formal disaster recovery plan in order for MailMed Inc. to become operational within 72 hours after a disaster affects its computer operations capability include:
• off-site alternatives of continuation of service (i.e., contingency plans for operations on a temporary basis) and backup hardware sites such as hot sites, vendor sites, service bureau sites, etc. MailMed should maintain arrangements with computer equipment vendors to provide availability of hardware to replace damaged hardware as soon as practical.
• off-site storage of program and data files, documentation (systems and operations), and supplies.
• detailed written procedures for recovery of operations, which should include instructions on obtaining critical information from off-site storage, planning of a communications link between headquarters and the emergency site, as well as telephone numbers of all of the team members.
• procedures for on-going control and maintenance of a temporary site.
• the testing and training for plan implementation, including testing each department individually, testing whole plan (mock disaster), trial runs, testing backup procedures, testing restore operations, and recording test results.

C. At least three factors, other than the plan itself, that MailMed Inc.’s management should consider in formulating a formal disaster recovery plan include:
• maintaining business operations and cash flows as well as meeting obligations and contractual requirements (safeguarding company assets).
• maintaining customer service and competitive position.
• determining appropriate levels of business interruption insurance and/or other insurance.

9-15.

a. The computer security weaknesses present at Gleicken Corporation that made it possible for a disastrous data loss to occur include:
1. Housing the data processing facility in a building with exposed wooden beams and a wooden-shingled exterior. The building should be constructed of fire retardant materials.
2. The absence of a sprinkler system or FM 200 gas system and fire suppression under a raised floor, as well as fire doors.
3. An on-line system with infrequent (i.e., weekly) tape backups. Backups, with checkpoints and restarts, should be performed at least daily. Grandparent and parent backup files should be retained at a secure off-site storage location.



4. Data and programs are kept in the data processing room. Instead, they should be kept in a library separate from the data processing room, with the library area constructed of fire retardant materials.
5. Lack of a written contingency and disaster recovery plan with arrangements in place to use an alternate off-site computer center in the event of a disaster or an extended service interruption. While phone lists of data processing personnel are maintained, no assigned responsibilities concerning actions to be taken are listed for personnel.
6. Lack of complete systems documentation that should be kept outside of the data processing area.

b.
1. The components that should be included in the disaster recovery plan at Gleicken Corporation in order to ensure computer recovery within 72 hours encompass the following:
I. A written contingency and disaster recovery plan that is reviewed and approved by senior management, data processing management, end user management, and the internal auditors.
II. Backup data and programs, to be stored at an off-site location that will be quickly accessible in an emergency.
III. A disaster recovery team, with duties and responsibilities assigned to each member based on skills and functions. Duties and responsibilities should include: obtaining use of a previously arranged alternate data processing facility, activating the backup system and network, retrieving backup data files and programs, restoring programs and data, processing critical applications, and reconstructing data entered into the system subsequent to the latest saved backup/restart point.
2. Factors, other than those included in the contingency and disaster recovery plan itself, that should be considered when formulating the plan include:
i. Arranging business interruption insurance in addition to liability insurance.
ii. Ensuring that all systems and operations documentation are kept up-to-date and are easily accessible for use in case of a disaster.
iii. Performing a risk/cost analysis to determine the level of expense that may be justified to obtain reasonable, as opposed to certain, assurance that recovery can be accomplished in 72 hours (e.g., that the purchase of a duplicate hardware setup is justified).

9-16. Note: Whereas a number of security measures can be identified, it is important to consider that the final selection would depend on the cost effectiveness of such measures, individually and collectively, to reasonably manage the risks involved.

Security measures for Curly Super Fries Company:
• Install a firewall to prevent hackers from entering the network.
• Implement effective procedures for user identification and authentication.
• All network accesses (including attempts to access) should be logged, and the security administrator should review the log for unusual activities.
• Physically isolate the database servers to prevent unauthorized access.
• Encrypt data to prevent unauthorized persons from using information on network.
• Implement a disaster contingency and recovery plan.
• Utilize effective anti-virus software. All executable files entering the system must be isolated and scanned prior to making the decision to use such files.
• Appoint a security administrator.
• Install a disk mirroring technique to provide real-time data protection.
• Have backup servers in case the main server “crashes.”
• Keep an activity log to take “snapshots” of transaction changes within the database in case of update failure.
• Provide proper training for the new system environment.
• Maintain standardized documentation and procedures throughout the various restaurant locations.
• Provide support to users to ease the adjustment to new environment.

9-17. Note: Whereas a number of security measures can be identified, it is important to consider that the final selection would depend on the cost effectiveness of such measures, individually and collectively, to reasonably manage the risks involved.

Security measures for AB Distributors:
• Supply passwords to customers to have access to authorized information in the network system.
• Utilize access control lists to list internal and external systems users and the extent of their authorization.
• Install a firewall to prevent hackers from entering the network.
• Encrypt sensitive data to prevent unauthorized persons from using such information.
• Utilize effective anti-virus software. Isolate and scan all executable files prior to their use.
• Appoint an administrator to establish a security plan that addresses security issues for the network.
• Install a disk mirroring technique to provide real-time data protection.
• Have backup servers in case the main server “crashes.”
• Keep an activity log to take “snapshots” of transaction changes within the database in case of update failure.
• Provide proper training for the new system environment.
• Maintain standardized documentation and procedures.
• Provide support to users to ease the adjustment to new environment.
• Physically isolate the database servers to prevent unauthorized access.
• Implement a disaster contingency and recovery plan.



9-18.

Risk: Inconsistencies of data between the timekeeping, payroll, and labor cost accounting applications.
Internal controls: Maintain standardized documentation and procedures for the various applications programs to ensure data integrity. Use programmed checks to reconcile control totals.

Risk: Unauthorized access of data through tapping of local-area network by hackers or vengeful employees.
Internal controls: Encrypt sensitive data to prevent unauthorized persons from using the data even if they get access to such data.

Risk: Weak control structure due to inappropriate personnel having access to timekeeping, payroll, and labor cost programs.
Internal controls: Utilize organizational controls to ensure proper segregation of duties. For each end user, ensure that the principle of least privilege is enforced. Data access may be restricted at file, record, or even data element level. This can be further enhanced by using access locks based on data values for specified data elements.

Risk: Errors in data entry due to unsophisticated users who are not trained to use the application programs.
Internal controls: Provide appropriate in-house training to prevent or minimize input and processing errors. Implement necessary corrective controls.

Risk: Former disgruntled employees who may display grudges against the firm.
Internal controls: Immediately following the decision to terminate an employee, all access privileges granted to the employee must be discontinued. No exceptions.
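The file-, record- and data-element-level restrictions and the value-based access locks named in 9-18 can be sketched as follows. This is an added example, not part of the solution manual; the role names, field names, sample records and the 100,000 salary threshold are constructed for illustration.

```python
"""Least privilege at file, record, and data-element level (added example)."""

# Constructed payroll file; every value here is an assumption for the example.
PAYROLL_FILE = [
    {"emp_no": "1001", "dept": "ASSEMBLY", "hours": 40, "pay_rate": 22.5, "annual_salary": 46800},
    {"emp_no": "1002", "dept": "ASSEMBLY", "hours": 38, "pay_rate": 24.0, "annual_salary": 47424},
    {"emp_no": "2001", "dept": "EXEC", "hours": 40, "pay_rate": 96.0, "annual_salary": 199680},
]

# One entry per role. A role that is absent has no access at all (default deny).
POLICY = {
    "timekeeper": {
        "files": {"payroll"},                                   # file level
        "record_ok": lambda user, rec: rec["dept"] == user["dept"],  # record level
        "read": {"emp_no", "dept", "hours"},                    # data-element level
        "write": {"hours"},
        "value_locks": {},
    },
    "payroll_clerk": {
        "files": {"payroll"},
        "record_ok": lambda user, rec: True,
        "read": {"emp_no", "dept", "hours", "pay_rate", "annual_salary"},
        "write": {"pay_rate"},
        # Access lock based on a data value: records at or above the
        # threshold are not available to this role.
        "value_locks": {"annual_salary": lambda v: v < 100000},
    },
}


class AccessDenied(Exception):
    """Raised when a request exceeds the caller's privileges."""


def _rule_for(user, file_name):
    rule = POLICY.get(user["role"])
    if rule is None or file_name not in rule["files"]:
        raise AccessDenied(f"{user['role']} has no access to file {file_name}")
    return rule


def _record_visible(rule, user, rec):
    if not rule["record_ok"](user, rec):
        return False
    return all(ok(rec[field]) for field, ok in rule["value_locks"].items())


def read_records(user, file_name, records):
    """Return only the records, and only the elements, the role may read."""
    rule = _rule_for(user, file_name)
    return [{k: v for k, v in rec.items() if k in rule["read"]}
            for rec in records if _record_visible(rule, user, rec)]


def update_element(user, file_name, records, emp_no, field, value):
    """Change one data element if the role may write it on that record."""
    rule = _rule_for(user, file_name)
    if field not in rule["write"]:
        raise AccessDenied(f"{user['role']} may not change {field}")
    for rec in records:
        if rec["emp_no"] == emp_no and _record_visible(rule, user, rec):
            rec[field] = value
            return rec
    raise AccessDenied(f"record {emp_no} is not accessible to {user['role']}")


if __name__ == "__main__":
    timekeeper = {"role": "timekeeper", "dept": "ASSEMBLY"}
    for row in read_records(timekeeper, "payroll", PAYROLL_FILE):
        print(row)
```
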

9-19.

a.
• Install a firewall to prevent undesirable “downloading” of files and programs.
• Appoint an employee such as a systems administrator to research the latest in virus programs and how to “hack” systems and then educate the rest of the firm.
• Don't run programs from any source you don't trust completely.
• Buy and use credible, up-to-date virus-protection software.
• Be knowledgeable about your computer systems.
• Stay informed about security issues.
• Use BODetect utility to remove Back Orifice.
• Implement a solid solution to repeated "infections" with BO.
• Implement systems-driven procedures to manage passwords. This will ensure, for example, that certain password values will not be accepted by the system, and users who do not change their passwords according to prescribed rules will be denied access to the system.

b. The anti-hacker sites provide valuable information regarding Back Orifice. The sites offer information as to what BO is, how computers become infected, how to tell if the computer has been infected, how to prevent infection, what to do in case of infection, and security measures to take after removing the infection. There are utility programs such as Norton AntiVirus and McAfee that find but do not remove BO. BODetect actually will detect and remove BO. There are other types of antihacking programs and patches available including Antigen, ToiletPaper, BOSniffer, and BOPlug.

c. Hotlist Directory: • Organizations & Agencies • FIRST Teams • Professional Organizations • U.S. Government • Education in Computer Security • Major Research Centers • Cryptography and Computer Security Courses • Other Education/Research Projects • Events and Calls for Papers • Publications • Journals, Newsletters and Mailing Lists • FAQs and Glossaries • Books & Book Information • Other Publications • Security Archives, Servers & Indices • Comprehensive Sites • Tools • "Underground" Sites • Cryptography • PGP-related Information • Export Control & Politics • Other Cryptography • Computer Viruses • Privacy Issues • Computing Ethics • Network Security • Firewalls • Security in WWW • Security in Java • Electronic Commerce • NT Security • Intrusion Detection • Commercial Sites • Security-related Vendors • Primarily Firewalls • Law • Physical Security • Miscellaneous

This site provides information regarding security, law, and privacy. The information at this site can be very useful to accountants and auditors, for it provides information regarding the issues described above as they relate to relevant industries. Accountants and auditors can use such information to assess the risk exposures, and use, design or evaluate internal control systems.



Listed below are the various links provided for the underlined security topic, Intrusion Detection: • COAST Intrusion Detection Pages • COAST Intrusion Detection Hotlist • RSA Security Inc. • Wheel Group—NetRanger • Haystack Labs, Inc. • Continuous Assessment of a Unix Configuration: Integrating Intrusion Detection and Configuration Analysis • ASAX, Advanced Security Audit Trail Analysis on Unix: Papers and Research Reports • Bro: A System for Detecting Network Intruders in Real-Time • Secure Logging Systems • Data Mining Approaches for Intrusion Detection • Networks, Security and Electronic Commerce Group—Overview • Visual Audit Browser • Logcheck Software of UNIX by Psionic Software Systems • SRI Intrusion Detection • Michael Sobirey's Intrusion Detection Systems page • Network Intrusion Detection • MimeStar Incorporated • ASAX Intrusion Detection Project • SecureNet PRO IDS • GRIP: Guidelines and Recommendations for Incident Processing • The Information Systems Audit and Control Association & Foundation • The President’s National Security Telecommunications Advisory Committee: Network Group Intrusion Detection Subgroup Report • Computer Misuse Detection System • Graph-based Intrusion Detection Systems (GrIDS) • POLYCENTER Security Intrusion Detector

Links for other security topics will differ.

d. The type of information provided on the Web site at http://www.alw.nih.gov/Security/security-www.html also deals with security, law, and privacy issues. The difference between this site and the Web site at http://www.cs.purdue.edu/coast/hotlist is that the latter provides a broader list of various links that users can link to in order to obtain more information.



CHAPTER 10

Auditing of Information Systems

OBJECTIVES | DISCUSSION QUESTIONS | PROBLEMS
5. SYNTHESIS | | 21
4. EVALUATION | 10, 11, 12 | 2, 4, 12, 19
3. APPLICATION | 7, 8 | 3, 5, 6, 7, 8, 10, 11, 13, 15, 16, 17, 18, 20
2. COMPREHENSION | 2, 3, [4], [5], 6, 9, 13, 14 | 1, 9, 14
1. CONCEPTUALIZATION | 1 |

[ ] Infoage


CHAPTER 10 AUDITING OF INFORMATION SYSTEMS

DISCUSSION QUESTIONS

DQ 10-1. The level and types of computer-related knowledge needed by a general staff auditor have been subjects of controversy. While all agree that he or she needs sufficient knowledge of computers and computer-based information systems to communicate intelligibly with experts, some feel that additional knowledge is needed. For instance, the American Institute of CPAs and the Canadian Institute of Chartered Accountants argue that all general staff auditors should be able to carry out audits of simple batch computer-based systems. This ability requires a level of knowledge that is higher than that needed to discuss computer-based systems. It also requires an understanding of key computer-related audit approaches and techniques, e.g., knowledge concerning the development and use of test data and generalized audit software. On the other hand, information systems auditors (e.g., specialists in the auditing of computer-based systems) need detailed and thorough knowledge concerning a variety of areas. Stanford Research Institute and the Institute of Internal Auditors have identified seven areas of knowledge, which should be possessed at a high level of learning by experienced information systems auditors:

1. Data processing principles and concepts.
2. Development, implementation, and operation of computer-based application (transaction processing) systems.
3. Application controls for computer-based systems.
4. Data management methods and techniques.
5. Controls pertaining to the computer service center.
6. Controls needed to ensure the development of effective application systems.
7. Programming languages such as COBOL.

DQ 10-2. An external auditor has responsibilities that extend beyond the expression of opinions concerning the representations in financial statements. The auditor should suggest improvements in internal accounting controls and data processing procedures (especially with respect to editing, reconciling of general ledger and subsidiary ledger account balances, checking of batch totals, and so on). By effecting improvements in the accounting information system, the auditor enhances the ability of the AIS to generate financial statements that express fairly the results of operations and the financial condition of the firm being audited.

DQ 10-3. Audit techniques necessarily lag developments in computer technology, i.e., computer hardware, software, and applications. This lag occurs because the techniques must focus on the specific features of the processors, storage media, and communications devices. If the audit techniques are computer-oriented, they must be implemented via programming languages and other software. In fact, certain techniques, such as embedded audit modules, must be designed as integral components of hardware and software systems. Thus, it is not difficult to understand and explain the lag in audit techniques. What is puzzling, however, is why the lag is so protracted. For instance, most generalized audit software packages cannot easily access data from complex data structures, even though commercial data base packages have been available for a couple of decades. Also, audit techniques have not progressed greatly in addressing the problems inherent in distributed computer networks, although newer generalized audit software packages, such as ACL and IDEA, have made considerable progress in this direction.

DQ 10-4. If a company has its shares traded on a U.S. stock exchange, it would be required under the Securities and Exchange Act to file audited financial statements with the SEC and also to distribute to shareholders copies of the audited annual reports as well as an announcement of annual shareholders’ meeting, agenda of the meeting, etc. Companies that are closely held (e.g., the entire stock ownership is within a close group) may not be required to have their financial statements audited. Since the information supplied does not convey if Infoage is a closely held or a public company, it is difficult to determine if audited financial statements would be necessary. Regardless of the SEC requirements, companies often have their financial statements audited. Such statements are credible in the eyes of banks, other lenders and investors, lessors, and so forth. Consequently, firms often choose to engage auditors to audit their annual financial statements. Diane, who knows the firm and its obligations better, could have thought of not having the annual audit because she is convinced that the internal control structure of the company is sound enough to produce reliable information.
Although this may be true, even in situations where a sound internal control structure exists, the auditor would invariably perform a minimum amount of analytical review and tests of transactions (in addition to the review and testing of internal controls). The bottom line is that an annual audit, regardless of the SEC filing needs, should prove useful to Infoage.

DQ 10-5. Infoage’s board of directors is responsible for recommending the appointment of auditors and shareholders vote on the appointment of the auditors. In making the final selection between the two firms, factors to be considered include:

1. Industry specialization. Does either firm have clients in the same industry as Infoage? This will permit auditors to be knowledgeable about the industry. Consequently, industry ratios, trends, market conditions, and auditing standards practices related to the industry would be well known to the auditors, making them both efficient and effective in the audit engagement.
2. Track record in offering audit services, firm-wide resources available to support audit and other engagements.
3. Relative strengths of the firms. For example, which one does more of auditing through the computer, has more expertise in computer-based information systems, and generally, offers other related services (e.g., client server systems).
4. Type of audit work suggested, both quality and quantity. Rates charged for each skill level.

Whereas a small CPA firm could provide a great deal of personal attention, the breadth of expertise, industry knowledge, and economies of scale (since the bids are about the same, the regional firm may do more) are more likely to be offered by the regional firm.

DQ 10-6.

Control environment. Since the CPA firm is small, concerns regarding adequate segregation of duties may arise. Although a financial audit may only incidentally examine some areas of this component, it may be appropriate to review organizational structure, ethical code of conduct, and assignment of authority and responsibility.

Risk assessment. Has the firm identified and addressed all significant internal and external risks? Is the firm viable financially? Do any major risk exposures remain to be evaluated and managed?

Control activities. A review and evaluation of internal controls, largely from the perspective of a financial audit.

Information and communication. Is the chart of accounts adequate and meaningful? Does the system generate reports that ensure reliable information (e.g., exception and summary report)? Is there an adequate audit trail within the financial accounting system?

Monitoring. Does effective supervision and monitoring of activities exist? Are deviations from targets noticed? Is corrective action taken? Are the firm’s assets safeguarded? Are the assets used as authorized?

DQ 10-7.

A general audit software package such as ACL could assist an internal auditor in fraud detection. Based on the specific objectives for the investigation, the auditor may find that certain data/statistics from the targeted information system may provide further clues or evidence. ACL can be used to perform routine functions such as summarizing, calculating, reorganizing, and analyzing data. This will leave more time for the internal auditor to perform an in-depth analysis for fraud detection and will allow the internal auditor to maintain better control over the audit. ACL, using the power of the computer, permits the internal auditor to examine vast amounts of data quickly to identify conditions or evidence that may support the nature and extent of fraud. However, if the data are not structured and are not computer-based, generalized audit software cannot be used to search the data.

DQ 10-8. A sample of test data transactions to test the edit routines and programmed checks in the payroll programs is as follows:
• Validity check, such as a self-checking check digit, to verify that employee numbers are valid.
• Completeness check to verify that every employee is assigned to a department.
• Relationship check to determine if the claim of overtime hours matches with the employee class (exempt vs. non-exempt, for example).
• Limit check to determine if the overtime hours claimed is within a reasonable limit. For example, if the union contract suggests that no employee shall work more than 20 hours of overtime in a week, the limit on overtime hours would be 20.
• Field check, to verify that the characters used in the field are appropriate, e.g., all numbers in regular hours reported.
• Limit check to verify that employees of a given classification are paid at a rate that falls within a range predetermined for the employee class.
• Sign check to verify that hours reported is not negative.
• Sign check to ensure that cases with net negative pay are not issued paychecks.
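The programmed checks listed in DQ 10-8 can be exercised with a small test deck, as in the following added example, which is not part of the solution manual. The modulus-11 check-digit scheme, department codes, pay-rate ranges, overtime premium and field names are assumptions; the 20-hour overtime limit is the figure used in the answer.

```python
"""Payroll edit checks run against a constructed test deck (added example)."""
import re

# Assumed master data, constructed for this example.
DEPARTMENTS = {"D10", "D20"}
RATE_RANGE = {"exempt": (30.00, 80.00), "non-exempt": (12.00, 40.00)}
OVERTIME_LIMIT = 20      # weekly limit used in the answer above
OVERTIME_PREMIUM = 1.5   # assumed
NUMERIC_FIELDS = ("regular_hours", "overtime_hours", "pay_rate", "deductions")


def check_digit_ok(emp_no):
    """Validity check: five digits plus a modulus-11 self-checking digit."""
    if not re.fullmatch(r"\d{6}", emp_no):
        return False
    total = sum(int(d) * w for d, w in zip(emp_no[:5], (6, 5, 4, 3, 2)))
    expected = (11 - total % 11) % 11
    return expected != 10 and expected == int(emp_no[5])


def edit_transaction(txn):
    """Apply every edit check to one time-card transaction; return the errors."""
    errors = []
    if not check_digit_ok(str(txn.get("emp_no", ""))):
        errors.append("validity: employee number fails check digit")
    if txn.get("dept") not in DEPARTMENTS:
        errors.append("completeness: no valid department assigned")
    emp_class = txn.get("emp_class")
    if emp_class not in RATE_RANGE:
        errors.append("validity: unknown employee class")

    # Field check: amounts must be numeric before any arithmetic is attempted.
    num = {}
    for field in NUMERIC_FIELDS:
        raw = str(txn.get(field, "")).strip()
        if re.fullmatch(r"-?\d+(\.\d+)?", raw):
            num[field] = float(raw)
        else:
            errors.append(f"field: {field} is not numeric")

    if num.get("regular_hours", 0) < 0 or num.get("overtime_hours", 0) < 0:
        errors.append("sign: hours reported are negative")
    overtime = num.get("overtime_hours", 0)
    if overtime > 0 and emp_class == "exempt":
        errors.append("relationship: exempt employee claims overtime")
    if overtime > OVERTIME_LIMIT:
        errors.append("limit: overtime exceeds weekly limit")
    if "pay_rate" in num and emp_class in RATE_RANGE:
        low, high = RATE_RANGE[emp_class]
        if not low <= num["pay_rate"] <= high:
            errors.append("limit: pay rate outside range for class")

    # Sign check on net pay, computed only for otherwise clean transactions.
    if not errors:
        gross = num["pay_rate"] * (num["regular_hours"]
                                   + OVERTIME_PREMIUM * num["overtime_hours"])
        if gross - num["deductions"] < 0:
            errors.append("sign: net pay is negative, no paycheck issued")
    return errors


# Constructed test deck: one clean transaction, then one override per check.
GOOD = {"emp_no": "123455", "dept": "D10", "emp_class": "non-exempt",
        "regular_hours": "40", "overtime_hours": "5", "pay_rate": "20.00",
        "deductions": "150.00"}
TEST_DECK = {
    "clean": {},
    "bad check digit": {"emp_no": "123456"},
    "no department": {"dept": ""},
    "exempt with overtime": {"emp_class": "exempt", "pay_rate": "45.00"},
    "overtime over limit": {"overtime_hours": "25"},
    "letters in hours": {"regular_hours": "4O"},
    "rate out of range": {"pay_rate": "95.00"},
    "negative hours": {"regular_hours": "-8"},
    "negative net pay": {"regular_hours": "2", "overtime_hours": "0"},
}


def run_test_data():
    """Process the deck and return {case name: list of edit errors}."""
    return {name: edit_transaction({**GOOD, **change})
            for name, change in TEST_DECK.items()}


if __name__ == "__main__":
    for case, found in run_test_data().items():
        print(f"{case:22} {found or 'accepted'}")
```

Each case in the deck changes a single field of a valid transaction, so an auditor can compare the errors the program reports with the one error predetermined for that case.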

DQ 10-9.



It is becoming increasingly important that auditors be consulted during the development phases of a new information system because:

a. New information systems are more complex, and control problems are more severe. This is particularly the case with communications-based systems having distributed configurations and with data base systems.

b. Certain auditing techniques, such as audit monitors, must be installed during the development period in order to be effective.

c. Attempting to install necessary controls during the operational phase can be extremely costly in complex systems; they are much less expensive to install during development phases.

d. Compliance with the Foreign Corrupt Practices Act, which mandates the existence of adequate internal control systems, can be most safely achieved by the careful attention to controls before the new system becomes operational.

An internal auditor can be a member of the system development team, especially if the project warrants significant control and security considerations, generates financial information and would therefore be subject to internal control review and evaluation periodically, or is a critical applications development project. Alternatively, as an independent consultant, an internal auditor can provide a list of controls that should be implemented in an information system, or sign off on controls recommended by others. An external auditor can be retained to fill the same role. The auditor may assist the firm in the evaluation of external software (accounting or security software, for example), or help in conducting a cost-benefit study of a proposal.

DQ 10-10. If a financial audit were to be conducted, the auditors would ascertain if the AIS is generating reliable information. For example, are all authorized transactions captured? Are the transactions processed properly? If the system is not reliable, a much larger sample of transactions needs to be tested and a more extensive analytical review and substantive tests would be conducted. However, in order to rely on transactions that are recorded, one still needs to assume that the accounting system provides a reasonable assurance that all of the firm’s transactions are recorded in the system. If such assurance were not feasible, nearly 100 percent of transaction testing would be necessary. This may be impossible or cost prohibitive, which would make the company unauditable.

DQ 10-11. All three computer-based auditing approaches—auditing around-the-computer, auditing through-the-computer, and auditing with-the-computer—will continue to be used by various organizations and auditors. Factors that will determine which will be used will include:

• Specific audit objectives
• Soundness of the processing programs
• Estimation on reliability of outputs from a set of inputs
• Nature and extent of audit trails
• Simplicity or complexity of processing operations
• Availability, completeness and currency of the systems documentation
• Size and type of organization being audited
• Assessment of risk as related to the internal control structure
• Users of the audit report



Information systems are becoming increasingly more complex. Various factors contribute to this trend, including advancing technology, changing competitive environment of businesses, trend toward alliances and partnerships, the use of the Web as a primary window to the world, and globalization of markets. As systems become more complex, the role of the around-the-computer audit approach would diminish, because this approach ignores the internal processes of the target systems and consequently is useful only where the systems processes are simple. To pay much greater attention to the computer-based processes, it will become necessary to use the through-the-computer approach to audit future systems.

General audit software is a powerful means to perform tests of transactions where AISs are computer-based. Generalized audit software packages are easy to use, are quite efficient in performing certain tasks, and can be used in a variety of different system environments and configurations. Therefore, it would be tempting to visualize that 100 percent of the transactions will be tested. However, the feasibility of doing so is only part of the answer. Auditors will have the option of using the sampling techniques, which may not require the testing of the entire set of transactions.

DQ 10-12. The list of factors in the answer to DQ 10-11 would be helpful in considering options in this situation. In a complex system, if the ICS (internal control structure) is judged to be effective, the auditors need to test the relevant controls for compliance. This would require auditing through-the-computer. The reason is that in a complex system, what appears to be a strong set of relevant controls has to work in order for the system to behave as expected. To get an assurance about the behavior of controls, it is necessary to test for compliance using through-the-computer audit techniques. If the system is simple, auditing around-the-computer may be an appropriate and cost-effective choice to proceed at this stage.

DQ 10-13.

1. Assurance services are independent professional services that improve the quality of information or its context for decision-makers. Implicit in this definition is the idea that people use assurance services when they have to make decisions. The services are intended to improve the information used in the decision process. Presumably, better information should lead to better decisions. Rational decisions are made based on information. Assurance services might involve any type of information. Information can be financial or nonfinancial. It can be internal or external to the decision-maker. The goal of assurance services is information improvement, not the issuance of a report on it (though there might be a report). Assurance services can:

• Capture information. Assurance services can capture information by using existing or improved measurement tools.
• Improve information reliability. Raw information is refined into reliable information. Improving the reliability of information is the scope of the attestation standards. This type of service is independent of the decision-maker. Any raw information can be refined, regardless of whether it is used for decision making at all.
• Improve decision-making. Services can improve decision making by enhancing not only the reliability of information, but also its relevance and availability for the decision-maker. Decision making also can be improved by improving the context, such as decision models, used by the decision-maker. This facet of assurance services differs from other existing attestation models.

2. Major categories of assurance services include:

• Risk Assessment
• Business Performance Measurement
• Information Systems Reliability
• Electronic Commerce
• Health Care Performance Measurement
• Elder Care

3. The type of assurance services that a firm needs depends largely upon the relevance and the appropriateness to the industry to which the firm belongs. One can only diagnose the clients’ problems by actively listening to them. It is of utmost importance to take a proactive approach to client’s problems, goals, and philosophy instead of waiting until the client addresses the specific issues. Developing a wide network of contacts will provide a source of referrals to the client. Many new assurance opportunities are in areas in which there are no standards, rulebooks, or right answers. These are the areas that often provide high value to clients. For professional accountants, it is important to commit to life-long self-study in order to provide sound recommendations based on new learning.

4. The American Institute of Certified Public Accountants (AICPA) announced today (Fall 1999) that it has added a consumer complaint resolution mechanism to CPA WebTrust, making it the most comprehensive seal of assurance service on the Internet. Developed jointly by the AICPA and the Canadian Institute of Chartered Accountants, WebTrust is designed to make cyberspace a safer place to conduct business. This new mechanism enhances the existing service by adding binding, third party arbitration to resolve privacy, customer service and product quality complaints. In addition to introducing the newly available consumer complaint resolution mechanism, WebTrust also examines a Web site's business practices and disclosures, information and privacy protection controls, and assures that the business is able to deliver on its sales promises.

5. A. Transaction Integrity

The entity maintains effective controls to provide reasonable assurance that customers' transactions using electronic commerce are completed and billed as agreed. These controls and practices address matters such as: (1) transaction validation; (2) the accuracy, completeness, and timeliness of transaction processing and related billings; (3) the disclosure of terms and billing elements and, if applicable, electronic settlement; and (4) appropriate transaction identification. These matters are important to promote confidence in electronic commerce.

B. Information Protection

The entity maintains effective controls to provide reasonable assurance that private customer information obtained as a result of electronic commerce is protected from uses not related to the entity's business. These controls and practices address privacy and security matters such as encryption or other protection of private customer information (such as credit card numbers and personal and financial information) transmitted to the entity over the Internet. This group of controls also addresses the protection of such information once it reaches the entity, requesting permission of customers to use their information for purposes other than those related to the entity's business, and obtaining customer permission before storing, altering, or copying information on the customer's computer. Consumer concern about the safeguarding of private information traditionally has been one of the most significant deterrents to undertaking electronic commerce transactions. Information protection controls address this concern effectively.

DQ 10-14.

1. COBIT (Control OBjectives for Information and related Technology) links information technology and control practices, thus providing a valuable IT control methodology. COBIT consolidates and harmonizes standards from prominent global sources into a critical resource for management, control professionals and auditors. As such, COBIT represents an authoritative, up-to-date control framework, a set of generally accepted control objectives, and a complementary product that enables the easy application of the Framework and Control Objectives—called the Audit Guidelines. COBIT applies to enterprise-wide information systems, including personal computers, mini-computers, mainframes and distributed environments. It is based on the philosophy that IT resources need to be managed by a set of naturally grouped processes in order to provide the pertinent and reliable information an organization needs to achieve its objectives.

2. The IS Audit & Control Journal is a bimonthly publication of the Information Systems Audit and Control Association. The Journal provides important information on professional development to those involved with information systems audit, control and security.

3. The journal site provides an index of articles by subject, such as auditing, client/server, COBIT, computer viruses, and security/control. The index is not current (lists articles published through the end of 1998). At this time, full text or abstracts of the published articles are not available; only the titles of published articles can be found. Selected articles on the Web (on-line journal):

September 1999: Software Development is Risky Business—is Audit Ready? by George R. Comrie, P.Eng., CDP, CMC
August 1999: Selecting the "Right" Business Continuity Planning Recovery Strategy, by Ken Doughty, CISA CBCP
June 1999: A Personal View of a World Class IT Auditing Function, by Allan R. Paliotta, CISA, CFE, CFSA
April 1999: Building a Y2K Command Center, by Gregory J. Blatnik
March 1999: A Millennium Horror Story? by Derek J. Oliver
January 1999: Paths Towards the New Millennium, by Yusuf Musaji

1. Journal Editor is Michael P. Cangemi.

5. CISA (Certified Information Systems Auditors)



PROBLEMS

10-1. (Adapted from the Certified Management Accountant Examination, December 1994, Part 4, Question 4)

a. Several objectives of the internal auditing function are:

1. The efficiency and economy of operating performance, by determining if goals and objectives are being met, resources are being used properly, as well as identifying inefficiencies and offering constructive recommendations for improvements.
2. Evaluating the effectiveness of the internal control system and offering constructive recommendations for improvements of weaknesses and risks.
3. Ensuring the maintenance of accurate and complete records, as well as verifying compliance with established policy and procedures, government laws, and regulations.

b. The ideal positioning and reporting responsibility of the internal auditing function within the organization is to be an independent staff department reporting directly to the Audit Committee of the Board of Directors. The internal auditing function should have sufficient authority to promote independence and ensure broad audit coverage.

c. The internal auditors usually perform management, compliance, operational, project management and change control, internal control and fraud audits.

d. The external auditors typically perform financial audits. A financial audit is concerned with the fairness with which financial statements present the firm’s financial position, results of operations, and cash flows. Although the external auditors are solely responsible for attesting to the fairness of the financial statements, they may receive assistance from internal auditors in performing the audit. The functions of internal and external auditing are complementary in many respects, and an effective internal auditing section within a firm can assist the external auditors to a considerable extent. For example, reviews of internal controls, participation in the design and/or evaluation of internal controls in new or modified systems, and taking physical count of a sample of inventory items and reconciling the physical count with the book balance in a perpetual inventory system are among the many tasks that, if effectively performed and documented, could support the external audit process. Instead of performing such tasks, if necessary, the external auditors could decide to rely on the work of the internal auditors. Note, however, that public accountants offer many other services, including various audits (e.g., security audit). Depending on the strengths, priorities, and achievements of the internal audit function, the public accountants may be able to consider receiving different degrees of support from the internal auditors for a given engagement.

e. Assuming the external auditors are satisfied with the competence of the internal auditing staff and with the company’s internal auditing structure, at least three coordination efforts that should occur between the internal auditing staff and the external auditors include:

1. Holding periodic meetings to improve communication and discuss accounting and auditing issues.
2. Scheduling audit work and coordinating their respective audit plans to minimize duplication of effort. Perform some test work on behalf of the external auditors.
3. Sharing the internal audit work papers with the external auditors.

f. The benefits that Davis Industries could derive from the addition of an internal auditing function include:

1. Assistance with external auditors and potential reduction of external audit fees.
2. An independent appraisal of the efficiency and effectiveness of all phases of a company’s operations, both financial and nonfinancial.
3. Giving assurance that internal controls are in place and effective, which assists management in the safeguarding of assets by possibly detecting fraud.
4. Identifying risk areas and recommending improvements of accounting and operating controls.

10-2. (Adapted from Certified Management Accountant Examination, Part 2, Question 4, December 1991)

a. The purpose of the external auditor’s review and evaluation of the internal accounting control structure in connection with the audit of Microtronics Inc.’s financial accounting is to meet the requirement of the second generally accepted auditing standard of field work. This standard provides that a sufficient understanding of the internal control structure (ICS) and the associated risks is to be obtained to plan the audit and to determine the nature, timing, and extent of tests to be performed. There is an inverse relationship between the strength of the ICS and the nature, timing, and extent of the tests to be performed.

b. To determine if Microtronics’ ICS is adequate, an external auditor would use a two-stage process. First, the auditor conducts a preliminary assessment of the ICS. In this stage, based on the system documentation and other available evidence, the auditor attempts to determine if a sound ICS is likely to exist within the client’s system. A preliminary assessment involves reviewing, documenting, and assessing the ICS; assessing initial control risk; setting the initial level of control risk; and establishing whether it is cost-effective to conduct tests of controls. Next, the auditor conducts tests of controls to determine if in fact the controls exist, and function as intended. In this process, the auditor performs tests of controls, evaluates the findings of the tests, resolves whether or not to rely on the controls, and develops the final audit program.

c. Phase One. Obtain knowledge and understanding of the procedures and methods prescribed (review the ICS). The external auditor should review accounting manuals, internal audit reports, and policy statements such as those pertaining to codes of conduct and conflict of interests. The external auditor should also make inquiries of management and observe entity activities and operations. The auditor is interested in the flow of transactions and related controls over processing of those transactions. A few transactions of each type should be selected and traced through the accounting system from initial to final recording. Phase Two. Assess the control risk. To properly assess the risks, the external auditor should review the evidence gathered in the first phase and, in instances where the auditor intends to rely on specific accounting controls, the controls should be tested to be sure they are functioning properly. The auditor must then decide whether more evidence will likely support a further reduction in assessed control risk and whether it is cost efficient to obtain the additional evidence.

d. Such a review is necessary for an external audit. It is likely to minimize the overall cost of the audit. Moreover, for Microtronics to achieve its own goals, it is essential that it has in place a sound internal controls structure. It appears that unless an external audit is a requirement for a firm, it may not be mandatory for the firm to follow the recommendations of the COSO report. However, for its own benefit, the firm should implement such recommendations to the extent that such implementation can be cost-effective.

e. Note: Figure 15-X in the textbook provides detailed information relating to this requirement. The firms that have a flattened organizational structure, empowered lower-level workers, and client-server architectures are more complex in their character, attributes, and culture. The ICS, therefore, will be more complex as well. For example, on-line collection of evidence through embedded audit modules will be commonly used in these firms. Control features designed would be dynamic and distributed. Reliance on users to secure the system and to guard the integrity of data would be much greater. Every empowered worker would have to learn to be a sophisticated knowledge worker. It would be difficult to conduct a financial audit of such a firm without heavy reliance on the ICS. Since these are complex systems, auditing through-the-computer would probably be the only option left in terms of the audit approach. Auditors will have to be more sophisticated and current in their knowledge and skills of information technology.

10-3.

a. The audit process to be followed consists of the following steps:

1. Develop the audit objectives and scope.
2. Perform a review of the internal control structure pertaining to the production labor and materials system; document by means of such techniques as flowcharts and questionnaires.
3. Assess the level of control risk.
4. If the assessment in (3) indicates that the computer-oriented control structure can be relied on, devise and perform tests of control.
5. Evaluate, on the basis of results of the tests of controls, the operational effectiveness of the portion of the internal control structure relating to the labor and materials system.
6. Develop the audit program, including the audit objectives relating to the production labor and materials application(s) and the substantive tests and procedures needed to achieve them.
7. Perform the substantive tests. Use the GAS package if appropriate.
8. Prepare a letter of reportable conditions in which any discovered control weaknesses are described, plus the auditors’ report to the owners.

b. Audit techniques and procedures:

1. Reviewing evidence. Review any changes to the system made during the year, and determine if appropriate systems development controls were used in the system development life cycle. It may be appropriate to compare the previous year’s programs with this year’s programs to identify changes. Controlled reprocessing of a sample of transactions should be considered, especially if the production labor and materials system is newly developed this year.
2. Observing operations. Review the access authorization matrix, and identify if it is consistent with the duties of the users of the system. Test if the access authorization works as documented. Identify if passwords and user identifications are issued according to a documented procedure, and whether users are required to change passwords regularly. Identify and evaluate terminal control and access procedures.
3. Observing inputs and outputs. Observing computer operations. Verifying on-line edits of labor and materials data. Review of batch processing of the job costing application; the movement of output results error reports; and verification of error correction process.
4. Observing the processing. Since special audit instructions (embedded audit modules) have been incorporated into the job costing program during its development, outputs of these modules should be reviewed to determine if any internal controls are missing or are ineffective. If significant discrepancies exist in the outputs, consider using other means of testing controls (e.g., integrated test facility) to obtain and evaluate additional evidence. Trace selected transactions to observe the functioning of labor, materials, and job cost applications.
5. Observing the distribution of output reports to the users, verifying that the distribution is in accordance with the distribution manual or log; reviewing the reports and tracing selected batches and file balances to their entries in the reports.


c. Audit objectives to be achieved during substantive testing include:

1. Verify accurate quantities of materials issued and labor hours charged.
2. Verify that prices of materials and rates of labor, as well as extensions, are proper.
3. Verify that jobs are charged appropriate costs, no more and no less. Collectively, all jobs should absorb the cost of manufacturing activity; exceptions may be in the treatment of variances.

d. The specific functions a GAS package can perform during substantive testing include the following:

1. To select a sample of jobs, based on the sampling criteria provided.
2. To verify extensions (e.g., price times quantity).
3. To detect abnormal situations. For example, jobs with no materials costs; jobs that have been charged overtime hours; labor rates and materials prices exceeding a certain predefined limit; and total job costs exceeding estimates, bids, or quotes to the customers.

10-4.

a. It is somewhat surprising that the types of irregularities found later were not detected by the external auditors. It is widely believed that insofar as the auditors exercise due care and follow GAAS, they are not responsible for any undetected irregularities. And this is a feasible scenario. In other words, aggressive search for suspicious activities is different from an external audit of financial statements. However, if in the process of external auditing, auditors did discover even tangential (or mild) evidence of irregularity, they should follow up the matter and resolve possible issues.

b. During the past several decades, the auditors have been subject to an increasing amount of pressure to uncover financial irregularities, regardless of the official pronouncement of their scope of responsibilities. A professional position does not deter corporate stakeholders from perceiving the auditors’ role as much more, encompassing detection of areas of financial irregularities. And courts have agreed to listen to these arguments.

c. If the leadership is corrupt, there are few alternatives left for the organization. Leadership poses high impact exposures combined with limited, if any, possibilities of control. An unethical leader can drive the firm to unethical acts. Contributing to such unethical behavior on the part of top management are factors such as pressures to impress the investment community, bonuses and incentives tied to financial performance, and personal greed. Ethical leaders shape organizations that reflect integrity and can live through tough times. The question of ethics arises also in relation to the external auditors. External auditors are supposed to be independent, professionally qualified, and subject to a code of conduct. These qualifications should allow them to show integrity in their behavior and at the same time, blow whistles on those who are not ethical. Although convincing evidence is not presented in the problem to conclude that former external auditors were unethical, the auditors’ track record leaves a sense of doubt about their acts.

10-5.

a. An integrated end user computing system on a LAN is distributed in nature, serving various functions (time keeping, payroll, and labor cost distribution) in the firm. The processes are on-line, performed interactively and almost continuously. Data and applications interact in various ways -- often without human intervention -- in processing inputs, updating records, and performing queries. In this system environment, comparing expected results of selected inputs with actual results (an around-the-computer approach) will not provide insights about the “black box.” The most effective audit approach would be the through-the-computer approach.



b. Since the system is already in place, the embedded audit module technique would not be possible at least in the short run. Test data technique would provide considerable evidence of the processes and controls within the computer-based system. However, this technique does not provide enough evidence about concurrent changes in the affected files and records. To improve this situation, it would be necessary to adopt the integrated test facility (ITF) technique. After the tests of controls are completed using ITF, it would be necessary to conduct tests of transactions, which can be achieved using generalized audit software (GAS) such as ACL. Incidentally, results of substantive tests using GAS packages may also provide additional evidence about controls within the system.

10-6. (Adapted from the Certificate in Management Accounting Examination, June 1, 1976, Part III, Question No. 5)

a. Specific application controls and programmed checks that should be incorporated in the programs of Linder's new computerized inventory control and purchase order system include:

(1) Batch control totals of transactions, including amount control totals, hash totals, and record counts.

(2) Comparison of totals computed during processing runs with the preestablished batch control totals.

(3) Self-checking digit checks on such transaction data as inventory item numbers and supplier numbers.

(4) Validity checks on transaction codes, inventory item numbers, etc.

(5) Field checks on the codes of transaction data.

(6) Limit checks on the quantities of goods ordered and received.

(7) Sign checks on the on-hand balances of inventory items in the master records.

(8) Internal label checks on the transaction and master files.

(9) Relationship checks that compare the quantities of goods ordered with the quantities of goods received.

(10) Sequence checks on the arrangement of records in the transaction files.

(11) Matching checks that compare the primary keys in the transaction records with the primary keys in the master records during the updating step.

(12) Error correction procedure that suspends transactions containing errors until they are corrected and either (a) lists the transactions on an exception and summary report or (b) displays error messages on the data entry video display terminal.

(13) Printed transaction listings and logs, input-output control logs, and other outputs that foster the audit trail.

b. A matrix that relates the fields of data to needed programmed checks may appear as follows:



[Matrix relating programmed checks (Validity, Field, Limit, Relationship, Completeness, Redundancy matching) to data fields (Transaction code, Supplier name, Supplier number, Inventory item no, Quantity ordered, Unit of measure); cell markings not legible.]

c. Techniques that can verify proper functioning of the above controls include:

(1) Test data technique, which employs test data to test the manner by which the programs detect transaction errors and dispose of the data containing the errors and/or irregularities. (If the system involves on-line processing, the variant of the test data technique known as the integrated test facility should be employed.)

(2) Parallel simulation technique, which simulates the functions of the firm's programs by means of special programs written by auditors. The results obtained by parallel simulation runs (as shown on exception and summary reports, transaction listings, etc.) are compared with those obtained during the regular processing using the firm's programs.

(3) Embedded audit module technique, which traces the processing of selected transactions, captures the contents of primary storage areas at designated points in the execution of the programs, monitors processing results, and copies these types of data into an audit log. The contents of the audit log are reviewed by the auditor.

10-7. (Adapted from the Certified Public Accountants Examination)

An embedded audit module can be useful in tests of controls within the on-line deposit/withdrawal processing programs of the Central Savings and Loan Association. Its primary mission is to collect transaction data and to monitor the processing steps in order that the auditor can ascertain whether the controls within the deposit/withdrawal programs are functioning as intended. Specific uses of the above embedded audit module might be as follows:

a. To record accesses and attempted accesses of the seven on-line terminals. In particular, repeated attempts within a short span of time to access a specific terminal should be recorded.

b. To capture the details concerning deposit and withdrawal transactions that are larger than a specified amount, say $10,000.


d. To capture the data pertaining to and processing instructions performed with respect to all transactions containing erroneous or irregular data (e.g., an attempted deposit by a customer who provides an inactive or canceled account number or a social security number; an attempted withdrawal by a customer whose amount exceeds the balance in the account).

e. To capture the data pertaining to (and the related processing instructions performed for) a statistical sample of deposit and withdrawal transactions.

f. To collect statistical data concerning the daily volumes of deposit and withdrawal transactions at each of the seven terminals, so that the totals can be compared to summary and balance reports prepared by the end-of-day processing programs of the Central Savings and Loan Association.

10-8. (Adapted from the Certified Internal Auditor Examination, May 1995, Part I, Questions 30-31, 33-35)

a. Use generalized audit software to prepare a list of purchases by product line. Compare the amounts with the amounts authorized by the marketing manager.

b. A combination of the following control procedures would be necessary to accomplish the objective:

1. Require passwords for each agent, and change the passwords periodically to make them difficult to guess.
2. Require that authorized products be entered into the product data base by someone independent of the purchasing function.
3. Require that the authorized “vendor” data base be maintained by someone independent of the purchasing function.

c. A computerized audit technique that would provide the most persuasive evidence about the correct operation of the program is an integrated test facility. If an integrated test facility were implemented, the auditor would submit test items throughout the period under analysis, and review the results of processing of such items.

d. An audit approach that would best address the stated objective would most likely use generalized audit software. Generalized audit software can be used in this case to compare the table of contents of the program library with an auditor copy made previously. Differences would be identified through a comparison, and a sample of such differences may be selected for further investigation.

10-9.

a. Not suitable. No transactions are processed using programmed logic.
b. Yes. The batch processing of transactions using programmed logic is an environment quite appropriate for the use of the test data technique.
c. Yes. Rules that have complicated formulas can be tested using test data.
d. No. No transactions are processed in this case using programmed logic.
e. No. Real time processing systems are not suitable to run test data.
f. Yes. A batch sequential processing mode and high volume of transactions is an appropriate environment for the use of the test data technique.
g. Yes. The test data technique is suitable for the accounts receivable application developed using the DBMS.
h. Yes. The spreadsheet includes logic that computes or manipulates data. Consequently, the test data technique is suitable for use here.


i. No. The report generation on EDI does not provide the environment of transactions processing using programmed logic.
j. No. This is an on-line system with immediate processing features. Consequently, the test data technique is not suitable.
k. No. No transaction processing is involved in this case.
l. Yes. Accounting software packages that process transactions are appropriate to test using the test data technique.
m. No. A check digit program usually appears in an on-line system with immediate processing features. Consequently, the test data technique is not suitable.


10-10. a. A matrix that specifies the data items verified by programmed checks is as follows:

Fields: Supplier number, Voucher number, Voucher date, Invoice date, Invoice number, Pur. Ord. number, Due date, Check number, Check date, Amount

Programmed check   x marks in that row
Field              x x x x x x x x x x
Completeness       x x x x x x x x x x
Sign               x
Sequence           x
Validity           x
Limit              x
Relationship       x x x

b. Test transactions containing errors (except for the first valid transaction) that can be used to test for programmed checks in Weimer’s edit program pertaining to payment transactions:

Data items: (1) Supplier number, (2) Voucher number, (3) Voucher date, (4) Invoice date, (5) Invoice number, (6) Purchase order no., (7) Due date, (8) Check number, (9) Check date, (10) Amount

Test code  Programmed check being tested           (1)   (2)    (3)     (4)     (5)    (6)      (7)     (8)     (9)     (10)     Expected result
1          Valid transaction                       4600  20300  060391  052691  99999  10600    070291  530000  070291  5000.00  $5000.00 decrease in cash and payables
2          Field check; error in field (2)         4621  2047M  060391  052691  78551  10682    070291  530052  070291  1100.00  Exception message
3          Completeness test; error in field (6)   4678  20325  060391  052091  35611  (blank)  070291  530052  070291  2762.00  Exception message
4          Sign check; error in field (10)         4703  20303  060291  052391  13859  10685    070291  530052  070291  -550.00  Exception message
5          Sequence check; error in field (1)      4686  20317  060291  052591  09608  10609    070291  530052  070291  1728.00  Exception message
6          Validity check; error in field (1)      4734  20298  060291  052691  58320  10716    070291  530052  070291  375.50   Exception message
7          Limit check; error in field (10)        4791  20431  060391  052291  22321  10795    070291  530052  070291  50175.0  Exception message
8          Relationship check; error in field (3)  4798  20447  070391  052491  04300  10853    070291  530052  070291  1322.00  Exception message

Purposes of the above test transactions are as follows:


1. To see if the program processes a valid transaction correctly.
2. To see if data of an incorrect mode is detected.
3. To see if a missing data item is detected.
4. To see if a negative amount is detected.
5. To see if an out-of-sequence transaction is detected.
6. To see if an unauthorized or canceled (and hence invalid) supplier number is detected.
7. To see if an amount that is larger than a pre-established maximum amount is detected.
8. To see if a voucher date or due date that is later than the date of the check is detected.

The errors in the above test data might appear as follows on an exception and summary report:

SUPPLIER NUMBER 4621 HAS AN INVALID CHARACTER IN THE VOUCHER NUMBER FIELD
SUPPLIER NUMBER 4678 HAS NO DATA IN THE PURCHASE ORDER NUMBER FIELD
SUPPLIER NUMBER 4703 SHOWS A NEGATIVE AMOUNT
SUPPLIER NUMBER 4686 IS OUT-OF-SEQUENCE
SUPPLIER NUMBER 4734 IS AN INVALID SUPPLIER NUMBER
SUPPLIER NUMBER 4791 HAS AN AMOUNT THAT APPEARS TO BE UNREASONABLY LARGE
SUPPLIER NUMBER 4798 HAS AN INVALID RELATIONSHIP BETWEEN DATES
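The test data technique of 10-10 b, as an added example (not from the solution manual, and not Weimer's actual program): a small Python edit routine applies the seven programmed checks, and the eight test transactions above are run through it as one batch and compared with their predetermined results. The authorized-supplier list, the 50,000.00 limit, the MMDDYY reading of the dates and all function names are assumptions made for the example.

```python
import re
from datetime import datetime
from decimal import Decimal

FIELDS = ["supplier_no", "voucher_no", "voucher_date", "invoice_date", "invoice_no",
          "po_no", "due_date", "check_no", "check_date", "amount"]
DATE_FIELDS = {"voucher_date", "invoice_date", "due_date", "check_date"}
CODE_RE = re.compile(r"[0-9]+")                      # numeric mode, ASCII digits only
AMOUNT_RE = re.compile(r"-?[0-9]+(\.[0-9]{1,2})?")   # signed decimal amount

# Assumptions (not given on the page): the authorized-supplier list and the limit.
AUTHORIZED_SUPPLIERS = {"4600", "4621", "4678", "4686", "4703", "4791", "4798"}
AMOUNT_LIMIT = Decimal("50000.00")

# Test deck from the page's table: (test code, predetermined exception, fields 1-10).
TEST_DECK = [
    (1, None,           "4600,20300,060391,052691,99999,10600,070291,530000,070291,5000.00"),
    (2, "field",        "4621,2047M,060391,052691,78551,10682,070291,530052,070291,1100.00"),
    (3, "completeness", "4678,20325,060391,052091,35611,,070291,530052,070291,2762.00"),
    (4, "sign",         "4703,20303,060291,052391,13859,10685,070291,530052,070291,-550.00"),
    (5, "sequence",     "4686,20317,060291,052591,09608,10609,070291,530052,070291,1728.00"),
    (6, "validity",     "4734,20298,060291,052691,58320,10716,070291,530052,070291,375.50"),
    (7, "limit",        "4791,20431,060391,052291,22321,10795,070291,530052,070291,50175.0"),
    (8, "relationship", "4798,20447,070391,052491,04300,10853,070291,530052,070291,1322.00"),
]


def parse_date(text):
    """MMDDYY (assumed layout) -> date, or None if it is not a real calendar date."""
    try:
        return datetime.strptime(text, "%m%d%y").date()
    except ValueError:
        return None


def field_ok(name, value):
    """Field check: the value must be in the mode required for its field."""
    if name == "amount":
        return AMOUNT_RE.fullmatch(value) is not None
    if CODE_RE.fullmatch(value) is None:
        return False
    return name not in DATE_FIELDS or (len(value) == 6 and parse_date(value) is not None)


def edit_payment(rec, prev_supplier, limit=AMOUNT_LIMIT):
    """Return the names of the programmed checks this record fails."""
    blank = {f for f in FIELDS if not rec.get(f, "").strip()}
    failed = ["completeness"] if blank else []
    if any(not field_ok(f, rec[f]) for f in FIELDS if f not in blank):
        failed.append("field")
    if failed:
        return failed        # the remaining checks need complete, well-formed data
    amount = Decimal(rec["amount"])
    if amount < 0:
        failed.append("sign")
    if prev_supplier is not None and int(rec["supplier_no"]) < prev_supplier:
        failed.append("sequence")
    if rec["supplier_no"] not in AUTHORIZED_SUPPLIERS:
        failed.append("validity")
    if limit is not None and amount > limit:
        failed.append("limit")
    latest = max(parse_date(rec["voucher_date"]), parse_date(rec["due_date"]))
    if latest > parse_date(rec["check_date"]):
        failed.append("relationship")
    return failed


def run_test_deck(deck=TEST_DECK, limit=AMOUNT_LIMIT):
    """Process the deck as one batch; return per-test results and the accepted total."""
    results, accepted_total, prev = [], Decimal("0"), None
    for code, expected, line in deck:
        rec = dict(zip(FIELDS, line.split(",")))
        failed = edit_payment(rec, prev, limit)
        supplier = rec.get("supplier_no", "")
        if CODE_RE.fullmatch(supplier):
            prev = max(prev or 0, int(supplier))   # highest supplier number seen so far
        if not failed:
            accepted_total += Decimal(rec["amount"])
        results.append({"test": code, "supplier_no": supplier,
                        "expected": [expected] if expected else [], "actual": failed})
    return results, accepted_total


def discrepancies(results):
    """Auditor's comparison: tests whose outcome differs from the predetermined result."""
    return [r["test"] for r in results if r["actual"] != r["expected"]]


if __name__ == "__main__":
    results, total = run_test_deck()
    for r in results:
        print(r["test"], r["supplier_no"], ", ".join(r["actual"]) or "accepted")
    print("accepted total:", total, "| discrepancies:", discrepancies(results))
    # The same deck run against an edit routine whose limit check is switched off:
    print("limit check disabled ->", discrepancies(run_test_deck(limit=None)[0]))
```

Running the deck with the limit check switched off reports test 7 as a discrepancy and inflates the accepted total, which is how the technique exposes a control that is not functioning.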

10-11. a. Test data that can be used to test for programmed checks in Weimer’s program for editing sales transactions is as follows:


Data items: (1) User code, (2) Transaction code, (3) Customer number, (4) Sales branch no., (5) Salesperson no., (6) Expected ship. date, (7) Product number(s), (8) Quantity/quantities

Test code  Programmed check being tested                (1)   (2)   (3)    (4)  (5)   (6)      (7)            (8)
1          Valid transaction for two-product order      W861  SALE  22548  08   8351  030691   343456 426315  20 90
2          Field check; error in field (2)              W861  SALE  45862  08   8268  031591   426315         110
3          Validity check; error in field (1)           P861  *     *      *    *     *        *              *
4          Check digit verification; error in field (3) W861  SALE  32160  08   8351  031491   362186         50
5          Sign check; error in field (8)               W861  SALE  33685  08   8268  030791   343456         -87
6          Relationship check; error in field (5)       W861  SALE  26843  08   2868  030691   413285         76
7          Completeness test; error in field (6)        W861  SALE  22548  08   8268  (blank)  325812         135
8          Limit check; error in field (8)              W861  SALE  43218  08   8137  030791   456243         9800
9          Reasonableness check; error in field (6)     W861  SALE  37215  08   8069  131091   325812         80
10         Matching check; error in field (3)           W861  SALE  46852  08   8137  031291   326518         106

* No transaction data will be accepted when user code is invalid.


Purposes of the above test data are as follows:

1. To see if the program processes a valid transaction involving more than one product.
2. To see if data in incorrect mode will be detected. (The remaining fields may be tested to see if alphabetic data would be detected in numeric fields.)
3. To see if an invalid user code will be detected. (The transaction code, customer number, sales branch number, salesperson number, and product number may also be tested for validity.)
4. To see if a customer number with an incorrect check digit will be detected. (The product number may also be tested for incorrect check digits.)
5. To see if a negative quantity is detected by the edit program.
6. To see if a salesperson number that does not correspond to the sales branch to which that salesperson is assigned will be detected by the edit program. (It is assumed that the first digits of a salesperson's number represent the sales branch number to which the salesperson is assigned.)
7. To see if a blank field will be detected by the edit program. (All fields may be tested.)
8. To see if an unlikely order quantity will be detected by the edit program.
9. To see if an unreasonably distant shipping date will be detected. (A date prior to the current date might also be tested.)
10. To see if a new customer, for which no master record has yet been established, will be detected.

An illustration of an error detected by a relationship test, as displayed on the visual display screen of the terminal:

SALES TRANSACTION EDIT PROGRAM

CUSTOMER PLACING ORDER     26843
SALES BRANCH               8
SALESPERSON                2868
PRODUCT NUMBER             413285
QUANTITY ORDERED           76
EXPECTED SHIPPING DATE     MARCH 6, 1997

ERROR MESSAGE
INVALID RELATIONSHIP BETWEEN SALES BRANCH 8 AND SALESPERSON 2868
PLEASE RE-ENTER ABOVE CODES


b. Whereas the test data approach tests the processing of each transaction, the integrated test facility (ITF) approach tests the entire system (or subsystem). For example, it tests effects of test transactions on master records. To do this, fictitious entities are created within the system (e.g., a customer master record). Moreover, the ITF approach is used on-line and during the processing of regular transactions. As in the test data technique, the auditor obtains printouts (or electronic copies) of the summary records and the error reports, and compares these printouts with predetermined results.

10-12. (Adapted from the Certified Internal Auditor Examination, May 1995, Part I, Questions 28-29)

a. To gain assurance that the spreadsheet application has properly implemented the freight dispatching algorithm, all of the three options should prove useful. However, their limitations should be considered when interpreting results from using each option.

The first option, often called the parallel simulation technique, validates the actual processing outputs. Since the two algorithms are independently developed and since the same test data are used, the evidence would be compelling, if the test data are nearly complete (i.e., cover almost all situations). The technique has several limitations. Developing a simulation program is time-consuming and expensive and requires considerable programming expertise. After the test results are obtained, difficulties are often experienced in tracing differences between the two sets of outputs back to faults in the “production” programs.

The second option, often called program code checking, will yield results similar to those in the first option, provided that the auditor is well versed in using this technique. A thorough examination of the code itself is probably the best way to determine if the logic embedded in the program is correct. However, this option fails to test the “real” operation of the program, requires a reasonable degree of computer literacy and programming expertise, and demands considerable time to properly apply the technique.

The third option, called the test data technique, will provide results similar to the first option, except that instead of two programs, there is only one program (the production program) that would be tested. This technique is relatively simple to apply, since it does not require a high degree of computer expertise on the part of the auditor. Also, it normally does not interfere with the regular processing activities of the firm. However, the technique suffers from several limitations. Test data can be very expensive and time-consuming to develop, since the error possibilities are numerous even in relatively simple applications. Also, the test data approach must be used in conjunction with other audit techniques (as is done in Option One) to form an overall assessment of control risk.

b. A conclusion that is justified from the audit evidence is that the increased freight cost must be due to some other cause than the spreadsheet calculation.

10-13. (Adapted from the Certified Public Accountants Examination, May 1984, Auditing Section, Question No. 4)

a. Validation or programmed edit checks that could be applied with respect to each cue are as follows:

New employees routine

(1) Field and completeness checks
(2) Field, validity, self-checking digit, completeness, and echo checks (The echo check retrieves the employee name upon the entry of the employee number.)
(3) Field, completeness, and relationship checks (The relationship check compares the employee’s SSN to the employee’s name and number.)
(4) Field, completeness, and limit checks
(5) Field and completeness checks
(6) Field, completeness, and limit checks
(7) Field, completeness, and validity checks

Current payroll routine

(1) Field, validity, self-checking digit, completeness, and echo checks
(2) Field, completeness, sign, and limit checks (The sign check verifies that the quantity of hours is a positive number.)
(3) Field, completeness, limit, sign, and relationship checks (The relationship check verifies that the employee has an hourly rate and is thus eligible for overtime pay.)
(4) Field, completeness, sign, and batch control total checks

b.

(1) Field check—ensures that the proper modes of data are entered relating to the employees.
(2) Sign check—ensures that positive or negative signs are entered into and accepted by the system where only such signs are required to be entered or that the absence of a positive or negative sign appears where such an absence is required.
(3) Validity check—ensures that only authorized data codes are entered and accepted by the system.
(4) Limit check—ensures that only data within predetermined limits are entered into and accepted by the system.
(5) Self-checking digit—ensures that only specific code numbers prepared by using a particular algorithmic procedure will be entered into and accepted by the system.
(6) Completeness check—ensures that all required data fields have entered data (i.e., that no blank fields exist).
(7) Logical (relationship) check—ensures that spurious data, such as overtime hours for exempt-status employees, are not accepted.
(8) Batch control checks—ensure that all data comprising a batch have been processed.
(9) Echo check—ensures that entered code numbers, e.g., employee numbers, relate to the desired entities, e.g., employee names.

10-14. (Adapted from the Certified Internal Auditor Examination, November 1990, Part III, Questions 81-96)

1. a  2. b  3. b  4. c  5. a  6. b  7. c  8. a  9. a  10. b  11. c  12. a  13. b  14. c  15. a  16. a  17. b  18. a  19. a  20. c

10-15. (Adapted from the Certified Public Accountants Examination, November 1975, Auditing Section, Question No. 5)

a. The external auditor may find that the records are incomplete; consequently, a comparison with the actual inventory count is incorrect. The auditor may also find that inventory issues and receipts are posted to a wrong record. In taking the physical inventory, the auditor may run into problems of measuring the quantity on hand (e.g., yards of nylon fabric used in making tents), or even finding the location (if records are incomplete, the location has been changed since the last update, or the location code is not maintained) where the item is stored. Comparable, similar-looking items may have been misplaced in a wrong bin.

b. A generalized audit software package can be used to assist in the audit of the inventory at Boos and Baumkirchner in the following ways:

1. Aid in assuring that the set of finished count cards is correct, by (1) comparing data on the set of prepunched inventory count cards to data in the inventory master file (on disk storage) and (2) listing all differences.
2. Aid in determining the items and parts to be test counted, by selecting a random sample of inventory records from the inventory master file (on disk storage). (In selecting the sample, the software package can be “told” to exclude all items with a high unit cost or total value, that have already been selected for test counting.)
3. Aid in determining the extent of inventory obsolescence, by listing all items or parts for which the date of last sale or usage indicates a lack of recent transactions.
4. Aid in determining the extent of over-stocked or slow-moving items, by listing all items or parts for which the quantity on hand appears excessive in relation to quantities used or sold during the year.
5. Aid in determining the extent of slow-moving or obsolete items, by listing all items or parts for which the quantity on hand appears excessive in relation to the economic order quantity.
6. Aid in verifying the accuracy of the client’s year-end inventory, by (1) comparing the quantities physically counted (and punched on the count cards and read by the computer) with the quantities on hand as shown in the inventory master file (on disk storage), and (2) listing any differences.
7. Aid in verifying computations performed by the client, by (1) extending and totaling all items and parts in the inventory and (2) printing the total. (This total will then be compared by the auditor with the balance that appears in the inventory control account in the general ledger.)
8. Aid in analyzing the content of the inventory file by (1) computing inventory turnover for each item and part, (2) summarizing quantities and amount of purchases from major suppliers (vendors), and (3) computing the sales to inventory cost ratio.
9. Aid in verifying computations by (1) computing the economic order quantity of each item and part, (2) comparing the computed value of the economic order quantity with the value shown in the record of the inventory master file, and (3) listing the difference between the two values.

c. Yes, the external auditor can employ the GAS package to obtain an understanding of the firm’s internal control structure. For example, using the GAS package, all items with a negative balance can be traced and investigated. Items that have been reordered recently but have not moved over a long time can be identified and reviewed. The ratio of quantity used or sold this year to the quantity on hand can reveal items that may be obsolete or overstocked. Although these are somewhat indirect ways of understanding the firm’s ICS, the process to identify them can be cost effective and insights gained can be valuable.

d. Examples of other audit tasks that the external auditor can perform are:

1. Verify the total number of records in the file. Compute total of the ending value of the inventory for all the records combined.
2. Perform extensions (price times quantity).
3. Trace records with high unit price and/or high ending balance.
4. Select a sample of inventory items.
5. Maintain documentation of the audit work performed.
6. Maintain a schedule of the audit, and a prioritized list of things to do.

e. Some likely uses of microcomputers as audit tools:

1. Use of a GAS package adapted for microcomputer use.
2. Developing flowcharts, data flow diagrams, and other systems documentation, using software such as Visio.
3. Use of a template, a program and on-screen format that is constructed with the use of a spreadsheet package. Templates permit auditors to perform tasks that were formerly done manually (e.g., prepare trial balance, maintain data for the year-end closing process, compute ratios, conduct structured analytical reviews, schedule and manage the time of the auditors).
4. Perform audits in a paperless, virtual environment. The work done on a microcomputer is uploaded to a central file or data base, so that everyone has access to all the information available on the audit. Questions and discussion points can also be posted and addressed by the audit team without constraints of time and place. (Note: The microcomputer is only one of the components of such a system.)

10-16.

a. Use generalized audit software to develop a complete list of the parts shortages that caused each of the production shutdowns, and analyze this data.
b. Recalculate parts needed based on current production estimates and on the MRP for the revised production techniques. Compare these needs with purchase orders generated from the system for the same period.
c. Batch control totals, including amount control totals and hash totals.

10-17.


a. Audit problems that the firm’s external auditors are likely to encounter include the following:

• Lack of understanding of financial accounting requirements (e.g., GAAP)
• Inadequate training of staff involved in accounting applications
• Inconsistent treatment of similar transactions by different subsidiaries
• If dedicated accounting staff is not available, segregation of duties may not be satisfactory, and accounting cycles may not be completed on a timely basis.
• Cycle time reduction for month-end closing can be stressful and error prone, if the transition is not carefully planned and implemented. This may cause more work/uncertainty for the external auditors.

b. In auditing purchase orders, the internal auditors are not likely to use the around-the-computer approach. Instead, they would use the through-the-computer approach. Reasons for this decision are as follows:

• Purchase orders will be in electronic form, not physical form.
• Automated procedures deterministically affect how purchase orders are handled by the system. This needs to be understood and evaluated by actually examining the systems processes and related controls.
• In an EDI system, purchase orders do not comprise an independent, standalone document. Purchase orders are part of the value chain and will need to be treated as such. For example, how the vendors send responses to purchase orders, how they will invoice for the purchases, how the firm will process accounts payable, and how payments will be made (for example, through an electronic fund transfer system (EFTS)) will affect integrated audits of the firm’s accounting cycles.

c. Controls to be implemented to minimize the risks of wiretapping include the following:

• Use of call back procedures for logging on to the desired network
• Encryption of sensitive data transmitted across the network nodes
• Users may not be permitted to upload any programs or data directly into the system
• Keeping highly sensitive, confidential data off the system, if possible
• Using effective user authentication procedures (e.g., password management)

10-18. (Adapted from the Certified Internal Auditor Examination, May 1990, Part I, Question No. 53)

a. Security risks posed by a data base include the following:

1. Accesses of data by unauthorized persons, either employees or persons outside the firm that operate the data base.
2. Changes of data by unauthorized persons.
3. Losses of data that is stored and not backed-up.
4. Unauthorized modifications to the data base software.

b. Whereas AIS applications are essentially programs written to process data, a data base is a repository of data and relationships among such data. An audit of an application involves a review and testing of the logic or procedure in the program, followed by tests of transactions and analytical review of outputs. An audit of a data base involves a review and testing of the data structures designed within the data base, and controls and testing for integrity, availability, and reliability of the data. The auditor reviews the data dictionary, other related documentation, and the procedure for maintaining the data dictionary. During the detailed review step, the auditor should examine controls such as access controls (e.g., passwords and access control matrix); transaction logs, activity logs, and programmed checks (e.g., concurrency controls). During tests of controls, the auditor might perform the following:

1. Trace selected transactions through the system.
2. Review the console log and investigate selected entries.
3. Enter test transactions for processing, using an integrated test facility.
4. Monitor transactions with an embedded audit module.
5. Examine the use of, and authorization to use, critical software modules, such as a pointer maintenance utility in a hierarchical or network data base.

c. Concerns of an auditor with respect to the data base of SunStates Bank, and techniques for dealing with these concerns, are as follows:

1. That all data related to the human resource are captured, that the data are accurate, and that the data are processed and stored within the data base. Audit techniques include (a) reviewing source documents (in the case of batched hard copies) and tracing the data to the data structures in the data base, and (b) employing an integrated test facility with test transactions being entered via the terminals.
2. That each transaction is authorized according to management’s general or specific criteria. Audit techniques include review of source documents or transaction logs for authorization signatures or codes.
3. That each transaction is processed accurately and promptly and the processed data are properly stored. Audit techniques include (a) tracing input transactions to output reports and to data structures within the data base, and (b) employing embedded audit modules to review selected transactions.
4. That authorized personnel receive the appropriate outputs. Audit techniques include reviewing the distribution log and examining the actual outputs received by selected personnel.
5. That only authorized use is made of computer hardware, the data stored in the data base, and the programs that process the data, and that data are not lost. Audit techniques include (a) examining the controls and security measures needed for a data base and computer network, e.g., passwords, data dictionary, restricted functions for terminals, call back procedures, back up and recovery procedures, and (b) employing embedded audit modules and software analyzers to test the accesses to the data base.

d. Most generalized audit software packages are designed to test applications in file-oriented environments. Some of these packages can process several files at a time; however, they are not designed to interface with a data base.

e. Structured Query Language (SQL) commands are used to make queries on a data base. The SQL is powerful and flexible, and thus permits almost any kind of query. Consequently, SQL facilitates most of the tasks that are typically done using GAS in a file-oriented environment.

10-19.

a. Auditing through the computer techniques such as parallel processing or integrated test facility can be used to evaluate the appropriate matching of the purchase receipts and invoices. Auditing through the computer techniques are used to determine if the processing programs are soundly developed. These techniques provide the auditor with greater assurance as to the achievement of audit objectives. For example, the integrated test facility approach allows test transactions to simulate live transaction processing to evaluate the adequacy of the built-in controls and other control measures. To ensure that the process works as expected throughout the year, it may be necessary to review and test the changes made to the program following the completion of the audit procedures.

b. At year-end, reports on all unresolved non-matching invoices should be reviewed. If these data are computer-based, generalized audit software may be used; if not, manual methods would be employed. The discrepancies may be identified as deterministic, arising due to incorrect or incomplete logic in the system, or probabilistic, arising due to human errors within the firm or by vendors. Appropriate corrective measures, including additional controls or modification of existing controls, should be considered.

f. Points the auditor should address when making a recommendation regarding the cost/benefit of computer security include the following:

• The auditor should address safeguarding the records and files. This is a very important point due to the fact that the destruction of files and records will make data unavailable for ongoing business operations.
• It is also important to point out the devastating impact on higher costs of recovery, loss of business, and loss of image/goodwill if there is an occurrence of a computer disaster.
• The electronic commerce system will pass sensitive company and customer information via the Internet. The auditor should point out the importance of using encryption to prevent hackers from being able to use (in the event that they are able to access) sensitive/confidential information. Any measures that help assure the customers that their data are secure are critical in electronic commerce.
• Disaster recovery and contingency planning needs to be addressed more carefully since e-commerce presents higher risks of systems failure.
• The e-commerce environment is dynamic and the consequences of unavailability/unreliability of the system can be catastrophic. Therefore, proactive efforts offer a significantly greater payoff compared to reactive measures.

10-20. (Adapted from the Certified Internal Auditor Examination, May 1991, Part I, Question No. 53.)

a. Security risks posed by an electronic data interchange network include the following:

(1) Accesses of data being transmitted between computer systems by unauthorized persons.
(2) Alteration of transaction data being transmitted or stored in the receiving firm’s data base.
(3) Losses of data being transmitted.
(4) Breakdowns of the transmission network, due to natural or human causes.

b. A memorandum relating to the auditing of the EDI network installed by Sportgarb, Inc. is as follows:

MEMORANDUM
TO: Internal audit staff
FROM: Director of Internal Auditing
DATE: June 3, 199X
SUBJECT: Proposal for auditing the EDI for the Sportswear Division


Of the techniques suggested for the continuous audit, the integrated test facility (ITF) is the best technique. It will allow us to process test data by the EDI system on a continuing basis. Thus, we can test the new system throughout its periods of operation. Also, because the ITF technique allows the test transactions to be entered together with the “live” transactions, it functions in a real-time mode. Consequently, it eliminates the time lags that are a characteristic of the typical audit. The other techniques considered are inadequate, for the following reasons:

1. The test data technique is suited for batch systems rather than on-line systems.

2. The parallel simulation technique involves the reprocessing of transactions. Since we need to test the actual system in a continuous mode, the parallel simulation technique is inadequate.

3. The snapshotting and mapping techniques are variations of the embedded audit module. The snapshotting technique captures all of the data being processed at specified times, in order to analyze the reasons for atypical behavior of the programs. Mapping locates unexercised (unused) program instructions, in order to determine how thoroughly the selected transactions employ the programs. The aims of these techniques are not essential objectives of a continuous audit. Furthermore, embedded audit modules (which include snapshotting and mapping features) cannot be incorporated into processing programs and systems without prior planning. As the problem states, the new system is already being developed. In order to determining the performance of the EDI system, as a part of the audit, it will be necessary to measure such significant operating parameters as stock or inventory turnover, lead time for reorders, contribution margins and expected stock-outs. Values of these key data should be computed for two periods (before and one year after the EDI conversion). The comparison of these two sets of values would reveal the differences in the performance of the EDI system (if any). 10-21. a. SAP R/3 enterprise resource planning (ERP) software is quite different compared to mainframe legacy software. The legacy systems are typically centralized in terms of both data and applications; they are less interactive, and often focused on efficiency-driven mass processing of volumes of similar transactions. Generally the user interface in legacy systems is weak at best. Data extraction, if not visualized at the design stage, becomes more expensive both in terms of money and time required. Cross-functional exchange of information is difficult. 
In ERP, a much greater level of data integration is achieved, processes are streamlined (this is often forced by the software), graphical user interfaces are provided, and the information can be sliced and viewed in a number of different ways as needed. The system is all-encompassing “under one umbrella,” supporting a cross-functional and team-based work environment for the entire value chain(s) of an organization. The client-server and local area network software is “closer” to ERP software in that both serve distributed systems, have GUI interfaces, focus on system effectiveness, and so forth. However, the integration and streamlining of data and applications throughout the firm is an overriding objective of ERP software, not so in the case of C/S or LAN software. LAN software supports the C/S environment and both may be isolated, disparate, and local in nature. In other words, a firm may have many C/S systems and hundreds of LANs throughout the organization, but these may not be integrated to work harmoniously under one unified structure.

b. Refer to the spotlighting on ERP in Chapter 5, page 164. The spotlight describes mainly the transition problems and concerns. For Bajacar, moving to an ERP system is a major departure, for it currently uses mainframe-based legacy systems. Risk exposures will arise from the distributed, on-line environment with integrated data and applications organizationwide. User training, reengineering of processes throughout the operations, loss or fragmentation of audit trails, enhanced impact of loss of data/programs/systems, and possible widespread impact of errors (including intrusions and viruses) are some of the major risk factors.

c. During the ERP software implementation, internal auditors will be challenged to work as proactive partners in the design. They are likely to participate in reengineering processes, evaluating the loss of internal control and the compensating controls present or necessary to implement. They will also be asked to proactively advise design teams in implementing new control and audit techniques, such as embedded audit modules. In addition, they may be asked to review user-training programs from the perspective of control and security of the new system. After the ERP software implementation, internal auditors will have to get acquainted with new ways of auditing the firm’s systems. Their comfort with the new system may depend on the extent of their participation in the implementation of the software. The around-the-computer approach will not work anymore, although it may have been an appropriate approach for the legacy systems. Auditors will have to depend on the through-the-computer audit approach, for the new processes are complex, interconnected, and without (or with fragmented) physical audit trails.
The task of external auditors would also become more challenging, for they will have to depend more on the reliability of the processes, and controls applied to them, and less on substantive tests of transactions (although a minimal amount of substantive testing will always be expected). For external auditors, an understanding of the technology involved and related systems characteristics will be a must.

d. The internal audit staff will need to augment their skills not incrementally but rather in a nonlinear mode. An in-depth understanding of the ERP software, its structure, how it works, its control strengths and limitations, and its potential as an audit resource are among the many things internal auditors will have to understand. Under the ERP umbrella, individual applications and systems will also change considerably. For example, systems and applications will be much more integrated, performing a series of tasks without human intervention. Also, vendors and customers may be tied into the firm’s system through EDI applications and electronic fund transfer systems.



CHAPTER

11

The General Ledger and Financial Reporting Cycle

OBJECTIVES

DISCUSSION QUESTIONS

PROBLEMS

5. SYNTHESIS

4. EVALUATION

11, 12

3. APPLICATION

3, 4, [5]

2, 3, 4, [6], 7, 10

2. COMPREHENSION

[1], 7, 8

1, 8, 9

1. CONCEPTUALIZATION 2, 6

[ ] Infoage

5


CHAPTER 11 GENERAL LEDGER AND FINANCIAL REPORTING CYCLE

DISCUSSION QUESTIONS

DQ 11-1. The differences in general ledger accounts needed by a merchandising firm versus a manufacturing firm relate mainly to the work-in-process generated by the latter type of firm. Thus, a manufacturer needs a Work-in-Process Inventory account for the balance sheet, plus Raw Materials Inventory and Finished Goods Inventory accounts. In contrast, a merchandiser needs only a Merchandise Inventory account. Also, the manufacturer needs such expense accounts as Direct Labor, Direct Materials, and Manufacturing Overhead, plus an Applied Manufacturing Overhead account (if a predetermined rate is established). These differences can best be seen in the discussions in Chapter 14, which covers inventory management and raw materials conversion into finished products.

DQ 11-2. A general ledger system that is on-line and is continuously updated offers several benefits. The information accessed from the system can be expected to be very current information. For example, sales figures for the day can be retrieved at the end of the day. If the sales were recorded in a batch mode twice a week, each Wednesday and Friday, the most current week’s sales figures would have to be estimated for planning and control purposes. Secondly, the data are available on-line, permitting authorized managers to make routine or nonroutine queries. Information generated in this manner can be timely, relevant, and accurate, providing decision support that is extremely valuable.

DQ 11-3. The general ledger accounts needed by a not-for-profit organization differ in several respects from those needed by a merchandising firm. First, the not-for-profit organization has no profit, so it does not need a Net Income account. Similarly, it does not pay income taxes and does not need accounts related to such taxes. Second, the accounts related to revenues are generally called Revenue accounts, rather than Sales accounts.
Third, it does not have stockholders or owners, so no such accounts as Retained Earnings or Capital Stock or John Smith, Capital, are needed. Instead, an account such as Contribution (or Revenues) in Excess of Expenses is employed. Certain not-for-profit organizations, such as governmental agencies, require more complex account structures. For instance, they require accounts related to appropriations and authorizations in lieu of (or in addition to) actual revenues and expenses.

DQ 11-4.
a. A manufacturing firm will have the conversion cycle that permits the firm to employ resources and manufacture finished goods.
b. A bank will have customer deposits and withdrawals, storage via safe deposit boxes, loans (both individual and commercial), and investment advisory services.
c. A hospital is likely to have in-patient as well as outpatient services, clinical laboratories, x-ray and MRI labs, emergency services, gift shop, and volunteer group support.
d. A university will have student recruitment, admission, enrollment, and registration cycles.
e. A municipality can be expected to have cycles to manage transactions concerning licenses and permits, street clean up and maintenance, property tax collection, etc.
f. An electric utility will have transaction cycles to record and process transactions related to electricity generation and distribution, billing and collection of payments from customers, construction of new lines and related facilities, etc.
g. An insurance firm will have transaction cycles to manage the issuance of policies, premium billing and collection, assessment of and payments for damages and losses covered, reinsurance, and investment of funds available.

DQ 11-5. The following is a list of some of the web-enabled applications most suitable for a firm such as Infoage:
• Taking orders for computers and accessories
• Capturing requests for services
• Ordering products from suppliers
• Offering on-line information to customers regarding their orders
• Offering updates on technology and new products, product prices, etc.
• Receiving payments for products and services

DQ 11-6. Three analyses that are needed primarily as control devices are the general journal listing, the general ledger change report, and the trial balance.

Through journal voucher numbers that appear on the general journal listing, cross-references are available to create an audit trail. Using journal voucher numbers, it is therefore possible to trace any transaction to verify how it was recorded, which accounts were impacted, and by what amounts. A purpose here is to track transactions as a unit of record, much like in a journal.

The general ledger change report shows beginning and ending account balances, plus changes that occurred to each account during the period. Thus, each posting can be reviewed to understand the impact of accounting transactions on the account balance. Also, the report includes control totals relating to the trial balance and the transaction count.

The trial balance is a listing of account balances in the general ledger at any point in time. It presents an arithmetic check of equality of debits and credits and lists account balances.

Additionally, account-oriented analyses may be produced. Intended for managers, such analyses are based on major but individual general ledger accounts. Examples include analyses of sales, broken down by products or markets; analyses of cash, broken down by receipts and expenditures; analyses of accounts receivable, broken down by customers and ages of amounts due. Analyses such as these aid managers in planning, decision making, and controlling operations.

DQ 11-7. Features of the responsibility accounting system that provide useful financial performance results to managers of a firm:
• Hierarchical arrangement of reports for the corresponding hierarchy of responsibility centers. This is usually achieved through a sound coding system.
• Drill-down features for reviewing in greater detail a chosen item, or for reviewing lower level performance reports of responsibility centers reporting to the manager.
• Reports that clearly lay out variances or exceptions.
• Ability to access non-accounting, including qualitative, data or information.
• Systems features such as access from anywhere, anytime; paperless distribution over a LAN or the web; use of graphs and/or videos; ability to provide instantaneous feedback to all levels.


DQ 11-8. Additional facets that may be logically linked to general ledger codes include the following:
• Responsibility center codes
• Products and services codes for revenue accounts and selected expense accounts
• Customer, supplier, employee codes where appropriate. For example, a customer account code would be useful for linking the controlling account (Accounts Receivable) in the general ledger with the detailed accounts in the accounts receivable subsidiary ledger.
• Expenditure codes to identify types of expenditure. For example, revenue expenditure categories used to identify all expenses and capital expenditure categories to identify all capital outlays.


PROBLEMS

11-1.
a. Dr. 422-1-00000
   Cr. 201-0-52471
b. Dr. 201-0-84237
   Cr. 102-0-00000
c. Dr. 500-0-00000
   Dr. 554-0-00000
   Cr. 102-0-00000
d. Dr. 500-0-00000
   Dr. 542-1-00000
   Dr. 542-2-00000
   Cr. 102-0-00000

Notes:
1. The responsibility center code is assigned only in conjunction with expenses or revenues.
2. The expense transactions in requirements c and d are assumed to be paid in the period in which incurred; they are not recorded in Accounts Payable, since they do not involve suppliers of merchandise.
3. The control account number 500 is also shown as being debited in transactions c and d, since it provides control over all individual expense accounts.

11-2. a. A coding system that will enable the preparation of the listed financial statements and managerial reports is as follows:

ABBCDDE

where A is the major account classification, BB is the subaccount classifications, C is the district, DD is the office, and E is the indicator of controllability or noncontrollability over expenses by the local supervisor.

Discussion. Transactions having a 1, 2, or 3 as the leftmost digit affect the balance sheet; transactions having a 4, 5, 6, 7, 8 or 9 as the leftmost digit are used in the preparation of the income statement. Transactions involving expenses (i.e., those having 5, 6, 7, 8, or 9 as the leftmost digit) are used in the preparation of the responsibility report and operating statements. In the case of those transactions involving expenses incurred on behalf of local offices, the code reflects controllability or noncontrollability by the presence of a 1 or 2, respectively, in the rightmost position. Those positions in the code not relevant to specific transactions (such as the rightmost position in the case of all transactions other than those mentioned in the preceding sentence) are represented by zeros.


The required reports can be easily prepared by sorting transactions according to appropriate coding positions. For instance, responsibility reports for the supervisors of local offices can be prepared by sorting on the fifth, sixth, and seventh positions; similar reports for district managers can be prepared by sorting on the fourth position. Operating statements can be prepared by sorting on the fourth, fifth, and sixth positions.

Examples.
(1) The acquisition of electrical insulators for local office number 3 in district 1 would be coded as 127-1-03-1 (or 1271031).
(2) Depreciation of electrical distribution lines in district 5 would be coded as 503-5-00-0 (or 5035000), where 503 represents depreciation on the utility plant.
(3) Salaries incurred by the office staff in district 4 headquarters would be coded as 920-4-00-0 (9204000), where 920 represents administrative salaries.
(4) Regulatory commission expenses incurred for the firm as a whole could be coded as 928-0-00-0 (or 9280000), where 928 represents regulatory commission expense.
(5) Revenues from sales of electricity to neighboring municipal utilities would be coded as 481-0-00-0 (or 4810000), where 481 represents revenues from sales of electricity or gas to public authorities.

b. A customer code useful for analyzing sales is as follows:

AABBBBBCD

where A is the district and county within which the customer resides, BBBBB is the coding for the subdivision, block and lot of the customer’s dwelling, C is the type of customer (1 = residential, 2 = commercial, 3 = special), and D is the type of service (1 = gas, 2 = electric, 3 = both).

For instance, a residential customer who resides in district 5, subdivision 23, block 85, and lot 12, and who receives electric service, would be coded as 5238512-1-2.

Notes:
(1) Letters could be used in place of numbers in many of the positions. For instance, the types of customers could be coded R for residential, C for commercial, and S for special. Also, note that if the local offices were coded with letters, only one position would be needed since no more than 20 local offices reside within a district.
(2) The customer code should be employed together with the chart of accounts to reflect individual transactions involving customers.


11-3. Three journal vouchers for Merchandise Unlimited, Inc. are as follows:

a. Journal Voucher No. 569                  Date: 10/12/-

   Account Titles          Codes    Debit       Credit
   Cash in bank            101      12435.20
   Accounts receivable     120                  12435.20

   To record payments received from credit customers and deposited on this date.

   Prepared by: Joan Campbell               Approved by: Martin Turner

b. Journal Voucher No. 598                  Date: 10/27/-

   Account Titles          Codes    Debit       Credit
   Cash in bank            101      10000.00
   Capital stock           280                  10000.00

   To record the issuance and sale of capital stock and the deposit of the proceeds (at par value).

   Prepared by: Joan Campbell               Approved by: Martin Turner

c. Journal Voucher No. 617                  Date: 10/31/-

   Account Titles          Codes    Debit       Credit
   Rent expense            547      2400.00
   Prepaid rent            163                  2400.00

   To record the expiration of prepaid rent for the month of October.

   Prepared by: Joan Campbell               Approved by: Martin Turner


11-4. a. A journal entry input screen is as follows:

   Journal Entry
   J.V. No. 768 *                           Date: 9/15/99 *

                                            Debit          Credit
   2900  RETAINED EARNINGS*                 $50,000.00
   2780  DIVIDENDS PAYABLE*                                $50,000.00

   TO RECORD DECLARATION OF $5 PER SHARE DIVIDEND ON CAPITAL STOCK PAYABLE ON 9/30 TO STOCKHOLDERS OF RECORDS ON 8/29.

   To accept transaction, enter A >
   To post another debit, enter D >
   To post another credit, enter C >

   *Provided automatically by computer system.

b. Note: Most general ledger accounting packages have satisfactory graphical user interface characteristics. Students may be asked to first enter journal entries through a journal voucher form in an existing system. If students have adequate background in MS Access or any other relational data base, it would then be possible for them to attempt to design a Journal Voucher Table and related data entry form using a relational data base management system. Data elements necessary to create within a table/form are shown in Requirement (a). Note that students may not be able to accommodate in their design compound journal entries, which will involve repeating groups of debits and/or credits.

11-5. Transactions with indicated types and journal entries are as follows (omitting explanations):

                                                        Debit      Credit
a. Non-routine entry
   Cash                                                 800,000
      Common Stock                                                 800,000

b. Adjusting entry (accrual)
   Accounts Receivable                                  9,000
      Consulting Revenue                                           9,000

c. Routine external
   Inventory                                            22,345
      Accounts Payable                                             22,345

d. Adjusting entry (revaluation)
   Loss due to Inventory Deterioration                  3,800
      Allowance for inventory loss                                 3,800

e. Adjusting entry (deferral)
   Consulting Revenue                                   8,500
      Unearned Fees                                                8,500

f. Routine external
   Sales Returns & Allowances                           12,300
      Accounts Receivable                                          12,300

g. Adjusting entry (correction)
   Supplies Expense                                     1,800
      Inventory                                                    1,800

h. Adjusting entry (expired costs)
   Depreciation Expense - Furniture and Fix.            4,000
      Accum. Depn. - Furniture and Fix.                            4,000

11-6. a.

General Ledger Master Table
Account   Responsibility   Budgeted amount   Total debits,    Total credits,
number    code             for the month     month-to-date    month-to-date
114       FIN              8000.00           1500.00          0.00
110       FIN              40000.00          12000.00         1500.00

Chart of Accounts Table
Account   Account             Account
number    description         classification
110       Accts. receivable   A
114       Notes               A

Cross-reference Table
Account   Journal voucher   Amount of    Dr. or
number    number            line item    Cr.
114       7165              1500.00      Dr.
110       7165              1500.00      Cr.

Journal Voucher Transaction Table
Columns: Journal voucher number; Date of transaction; Preparer's initials; Reference number; Description of transaction (or transaction code); Amount of transaction
Values: 7165; 4/10/97; GQ05; Exchange A/R for N/R; 1500.00

Dr. or Cr.: Dr.; Dr.


b.

General Ledger Master File
Account   Responsibility   Total debits,    Total credits,
number    code             month-to-date    month-to-date
6000      MKT              0.00             31000.00

Responsibility center/Budget Table
Responsibility code:                 MKT
Responsibility center number:        5620
Responsibility center description:   Sales
Manager in charge:                   608
Budgeted amount for January:         50000.00
Budgeted amount for February:        24000.00
Budgeted amount for December:        45000.00

11-7. a. Master files include: General Ledger, Accounts Receivable Subsidiary Ledger, Accounts Payable Subsidiary Ledger, Merchandise Inventory, Fixed Assets. Transaction files include: Journal Voucher, Cash Receipts, Cash Disbursements, Credit Sales, and Credit Purchases. In addition, a General Ledger History file and a Journal Voucher History file may be maintained, and a Financial Reports Format file may be used.

b. A record layout of the General Ledger master file:

Field                           Type             Size
Account number                  Numeric          5 characters
Account description             Alphanumeric     15 characters
Account classification          Numeric (code)   1 character
Account balance, beg. of year   Currency         11 ch, 2 dec.
Total debits, year-to-date      Currency         11 ch, 2 dec.
Total credits, year-to-date     Currency         11 ch, 2 dec.
Current account balance         Currency         11 ch, 2 dec.
Dr. or Cr.                      Numeric code     1 ch.

A system may be designed where the current account balance is computed and displayed each time a user calls for it. In such cases, there will be no need to include the data element in the record layout.

a. The record layout with sample data:

Account number:                  61109
Account description:             Accounts payable
Account classification:          3 (for liabilities)
Account balance, beg. of year:   30000.00
Total debits, year-to-date:      45000.00
Total credits, year-to-date:     20900.00
Current account balance:         5900.00
Dr. or Cr.:                      2 (for credit)

a. If Joose establishes a budgetary control system, the budgetary data might be stored in a Budget Master file. This file contains the budgeted amounts of assets, liabilities, revenues, and expenses allocated to the various responsibility centers of the firm. A Responsibility Center Master file, containing the actual revenues and costs for the various divisions, departments, work centers, and other responsibility centers will also be necessary.

e. A data structure diagram for a network data base:

[Diagram. Record types shown: Chart of accounts record; Journal voucher transaction record*; General ledger record; Subsidiary ledger records; Cross reference record; Journal voucher history records.]

*Represents all types of transactions, including daily summaries of routine transactions, nonroutine transactions, and adjusting, correcting, reversing, and closing entries.

c. 1. Programmed checks include: For each journal voucher number, total amounts of debits will be compared to total amounts of credits to check if the two are equal. For the batch, certain batch totals may be used, for example, the total number of journal vouchers (transactions) in the batch. The update program will keep track of the total number of journal vouchers posted, so at the end of the update run, the batch total precomputed and supplied to the update application can be compared with the computer-generated total. This will allow us to determine if all of the transactions have been processed by the update application. Similarly, an amount control total can be used to compare total debits and credits in the batch with the total amounts of debits and credits posted by the update (posting) application. Finally, the update application may include code to prepare a trial balance following the postings, to ensure that it does balance at the end of the update run.



2. Programmed checks include: The system will verify if the total of amounts debited in each journal voucher equals the total of amounts credited. If this check fails, the system will alert the user and will not accept the transaction for further processing. Also, the system can be designed to echo account names when account numbers are entered, so that the user can visually verify if the correct accounts are accessed. Other programmed checks may also be included. For example, if a credit to an account is an unusual event (this would be true for the depreciation expense account), the system will prompt the user to verify if the account to be credited is the correct account. For each entry, there will be a final check asking the data entry person to approve what has been entered before it is accepted as a transaction by the system. Finally, although batch totals are not a critical element of on-line systems, the application can be designed so that the system maintains total amounts of debits and credits, or any other batch control total desired.

Note: An access control, which is a general control and not a programmed check, can be designed so that summarized transactions and nonroutine transactions are entered only by a limited number of qualified people who are authorized to do so.
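The programmed checks listed in 11-7 for the batch update run (debit/credit equality per journal voucher, the record-count and amount control totals, the trial balance after posting) together with the unusual-credit prompt from the on-line case, as an added Python example that is not part of the solution manual. The class and function names, the opening balances, the signed-balance ledger layout, the unknown-account rejection and the rule that nothing is committed unless every total agrees are assumptions; the three vouchers reuse the figures from Problem 11-3.

```python
from dataclasses import dataclass
from decimal import Decimal as D


@dataclass(frozen=True)
class Line:
    account: str   # general ledger account number
    side: str      # "Dr" or "Cr"
    amount: D


@dataclass(frozen=True)
class Voucher:
    number: int    # journal voucher number
    lines: tuple


@dataclass(frozen=True)
class BatchHeader:
    voucher_count: int   # record count computed before the run
    amount_total: D      # total debits (= total credits) computed before the run


def side_total(voucher, side):
    return sum((l.amount for l in voucher.lines if l.side == side), D("0"))


def edit_voucher(voucher, ledger, unusual_credit=frozenset()):
    """Return (errors, warnings); any error means the voucher is not accepted."""
    errors, warnings = [], []
    if not voucher.lines:
        errors.append("voucher has no lines")
    for line in voucher.lines:
        if line.account not in ledger:
            errors.append(f"unknown account {line.account}")
        if line.side not in ("Dr", "Cr") or line.amount <= 0:
            errors.append(f"invalid line on account {line.account}")
        elif line.side == "Cr" and line.account in unusual_credit:
            # On-line, this is where the user is asked to confirm the account.
            warnings.append(f"unusual credit to account {line.account}")
    if side_total(voucher, "Dr") != side_total(voucher, "Cr"):
        errors.append("debits do not equal credits")
    return errors, warnings


def post_batch(header, vouchers, ledger, unusual_credit=frozenset()):
    """Post to a copy of the ledger (debit balances positive, credit negative).

    Assumption of this example: the copy replaces the ledger only when the
    record count, the amount control totals and the trial balance all agree.
    """
    working = dict(ledger)
    posted, posted_dr, posted_cr = 0, D("0"), D("0")
    rejected, warnings = {}, {}
    for v in vouchers:
        errs, warns = edit_voucher(v, ledger, unusual_credit)
        if warns:
            warnings[v.number] = warns
        if errs:
            rejected[v.number] = errs
            continue
        for line in v.lines:
            working[line.account] += line.amount if line.side == "Dr" else -line.amount
        posted += 1
        posted_dr += side_total(v, "Dr")
        posted_cr += side_total(v, "Cr")
    report = {
        "rejected": rejected,
        "warnings": warnings,
        "count_ok": posted == header.voucher_count,
        "amount_ok": posted_dr == posted_cr == header.amount_total,
        "trial_balance_ok": sum(working.values(), D("0")) == 0,
    }
    report["committed"] = all(
        report[k] for k in ("count_ok", "amount_ok", "trial_balance_ok"))
    return (working if report["committed"] else dict(ledger)), report


# Constructed opening balances (they sum to zero); account numbers from Problem 11-3.
OPENING = {"101": D("5000.00"), "120": D("20000.00"), "163": D("4800.00"),
           "280": D("-29800.00"), "547": D("0.00")}
# Journal vouchers 569, 598 and 617 from Problem 11-3.
BATCH = (
    Voucher(569, (Line("101", "Dr", D("12435.20")), Line("120", "Cr", D("12435.20")))),
    Voucher(598, (Line("101", "Dr", D("10000.00")), Line("280", "Cr", D("10000.00")))),
    Voucher(617, (Line("547", "Dr", D("2400.00")), Line("163", "Cr", D("2400.00")))),
)
HEADER = BatchHeader(voucher_count=3, amount_total=D("24835.20"))

if __name__ == "__main__":
    ledger, report = post_batch(HEADER, BATCH, OPENING)
    print(report)
    # A voucher lost before the run: both control totals disagree, nothing is committed.
    print(post_batch(HEADER, BATCH[:2], OPENING)[1])
```

A voucher that fails the edit is left out of the posted count, so a rejected or missing voucher also shows up as a control-total mismatch at the end of the run.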



11-8. a. [Figure not recoverable.] b. [Figure not recoverable.]

[Flowchart: processing at the end of each month. Labels shown: Journal voucher; Key-to-disk edit; Error and exception display; General ledger clerk; Enter program closing command; Update; General ledger file; Transaction ledger; Close temporary accounts, extract data; Budget file; Comparative actual and budget data; Print; Balance sheet; Income statement; To management.]


11-9. a. Transaction controls that should prevent or detect each of the errors listed, assuming that the AIS employs manual processing, are as follows:

a. (1) Prepare trial balances on a frequent basis. (2) Require a second clerk to review the postings of transactions to the general ledger.

b. (1) Prepare trial balances on a frequent basis. (2) Require a second clerk to compare the debits and credits of a transaction for equality.

c. (1) Require that journal vouchers be prenumbered and each number be checked off a list upon posting. (2) Require that journal vouchers be individually approved before posting.

d. Establish a list of standard adjusting journal entries, including the accrual of interest, and post from this list each month-end.

e. (1) Periodically reconcile the balance in the accounts payable control account with the total of balances in the accounts payable subsidiary ledger. (2) Require clerks to investigate nonexistent accounts payable numbers on transactions, to correct the numbers, and to post to the correct suppliers’ account records.

f. (1) Prepare trial balances on a frequent basis. (2) Require clerks to investigate nonexistent accounts payable numbers on transactions, to correct the numbers, and to post to the correct suppliers’ account records.

g. (1) Require nonstandard adjusting entries to be approved by someone not involved in transaction processing. (2) Organizationally separate the function of cashiering from the preparation and entry of journal vouchers pertaining to nonstandard adjusting entries.

b. Transaction controls that should prevent or detect each of the errors listed, assuming that the AIS employs on-line processing, are as follows:

a. and b. (1) Prepare trial balances on a frequent basis. (2) Incorporate a programmed edit check that verifies the equality of debits and credits being entered for processing.

c. Require that journal vouchers be prenumbered and each number be verified by the computer system as entered; if the same number appears a second time, the system should refuse to accept the entry.

d. Establish a list of standard adjusting journal entries, including the accrual of interest, maintain the list in a file on a magnetic disk, and execute a posting program at the end of each month.

e. (1) Incorporate a programmed edit check that compares entered accounts payable account numbers to a valid list of numbers; if an invalid number is involved, the system should refuse to accept the entry. (2) Incorporate a programmed edit check that checks the total of balances in the accounts payable subsidiary ledger to the general ledger control account balance on a daily basis.

f. (1) Prepare trial balances on a frequent basis. (2) Incorporate a programmed edit check that compares entered general ledger account numbers to a valid list of numbers; if an invalid number is involved, the system should refuse to accept the entry.

g. (1) Require nonstandard adjusting entries to be approved by someone not involved in transaction processing. (2) Organizationally separate the cashiering function from the preparation and entry of journal entries pertaining to nonstandard adjusting entries. (3) Prevent the cashier from having access to the on-line general ledger accounts, using such means as passwords.

11-10. a. The performance report for the fabricating department of The Mecom Co. is as follows:

The Mecom Co.
Fabricating Department Performance Report
For the Month of June, 19-

                                                  Variance (Over)
                         Actual      Budget       Under Budget
Raw materials            $ 6,600     $ 7,000      $    400
Direct labor              12,800      12,000          (800)
Supplies                     650         700            50
Utilities                  1,680       1,600           (80)
Indirect labor             3,400       3,000          (400)
Depreciation--equip.       1,000       1,000             0
Totals                   $26,130     $25,300      $   (830)

b. Allocated overhead costs and the salary of the department head are uncontrollable and thus should not appear in the main body of a responsibility report to the department head. If they are included, they should be shown in a separate section at the bottom of the report. If sufficient data were provided, it would be desirable to compute variances pertaining to raw materials usage, direct labor efficiency, direct labor rates, and overhead spending (efficiency). c. Assuming that the organization structure is similar to Figure 11-22, the account code would be 623-1332.



11-11. (Adapted from the Certified Internal Auditor Examination May 1979, Part III, Question No. 31). a. Key aspects of management control that are supported by the proposed report and related procedure are: (1) Focus on a cost center, i.e., the operating department. (2) Focus on a significant cost element, i.e., labor costs. (3) Comparison of actual results with pre-established cost standards, thereby yielding variances of labor costs. (4) Computation of variances by a competent party, i.e., an accounting clerk, and review of satisfactory results by the foreman of the affected department. (5) Emphasis on exception reporting, since significant variances are given special handling. (6) Emphasis on economical preparation since much of the required data are generally available. (7) Applicable to all departments. Key aspects of management control that are violated by the proposed report and related procedure are: (1) Lack of focus on the control of individual jobs. (2) Lack of timely reporting, since the reports are to be issued biweekly and most jobs are completed in less than a week. (3) Lack of specific criteria for determining whether or not a particular variance is significant. (4) Inappropriate distribution of reports, since the foreman, who is organizationally responsible for initiating corrective actions, does not receive reports when variances are significant. (5) Possible lack of prompt action since the assistant controller is to investigate only if time is available. (6) Lack of concern for the revision of cost estimates when conditions change. (7) Lack of attention to the control of direct materials and overhead costs. b. Monthly change control reports enable the accountants to trace the transactions that resulted in a change in the account balance. To ensure the accuracy of financial information, the matters of concern for the accountants reviewing the change control reports include the following: 1. Sales. 
Have all jobs completed and delivered during the month been recorded as sales? Does the amount invoiced match with the estimated cost for the job? Does the total sales figure appear to be in line with the expectations of sales for the month?



2. Direct labor cost. Does the amount of direct labor cost incurred appear to be reasonable in relation to sales for the month and change in the work in process inventory? For the jobs completed during the month, is there a significant difference between estimated and actual direct labor cost?

3. Indirect labor cost. Does the change in the account balance appear to be reasonable in light of the level of production activity for the month? Compared to the direct labor cost for the month, does the amount of indirect labor cost appear to be normal? If the change in the account balance is abnormal, what factors could have caused the indirect labor costs (e.g., abnormal equipment repairs costs)?

4. Work-in-process inventory. Did the inventory account balance increase or decrease? If the change in the balance is material, what are the reasons for such a change? Are the delivery schedules promised to customers met by the firm? Is the valuation of work in process inventory proper? Is the inventory accounted for accurately?

11-12. (Adapted from the Certificate in Management Accounting Examination, June 1986, Part IV, Question No. 7)

a. The advantages of the quarterly reporting system selected by SharpEdge include the following:
* All quarters will have an equal number of days and weeks, providing uniform reporting periods.
* As a result of the uniform quarters, SharpEdge’s financial statements will be more comparable from period to period.
* Although estimates are required, the estimates will be similar and of the same nature for each reporting period and hence are likely to be more accurate after several periods.
* The new reporting system allows SharpEdge to issue its statements on a more consistent and timely basis.

b. The top management of SharpEdge is likely to accept the limitations in the monthly operating reports because the reports will be more timely. Under the new monthly closing and reporting procedure, reports will be available one week after the closing date; under the old system the reports were as late as three weeks after the closing date. SharpEdge’s accounting department appears to have isolated those areas requiring estimation and will be able to apply a degree of consistency to these estimates. Therefore, SharpEdge’s management should perceive that only unusual variations in the firm’s operations would seriously affect the accuracy of the monthly reports.



c.

Estimates | Current Assets | Current Liabilities
Sales returns: lack of inclusion | Overstate by profit margin on returned sales* | No effect
Cash receipts: over- or underestimate | Effects on cash and accounts receivable would offset | No effect
Payroll: overestimate | No effect | Overstate wages payable
Payroll: underestimate | No effect | Understate wages payable
Manufacturing: overestimate | Overstate inventory | No effect
Manufacturing: underestimate | Understate inventory | No effect
Payables: underestimate | Understate inventory | Understate payables
Payables: overestimate | Overstate inventory | Overstate payables

* Inclusion of returned sales would decrease accounts receivable by the selling price of the goods returned and increase inventory by the cost of the goods returned.



CHAPTER 12

The Revenue Cycle

OBJECTIVES | DISCUSSION QUESTIONS | PROBLEMS
5. SYNTHESIS | |
4. EVALUATION | 9 | 3, 4, 6, 7, 8, 9, 10, 12, 13,
3. APPLICATION | 2, [4], 6, [11] | 1, [2], 5, 11
2. COMPREHENSION | 1, 3, 5, 7, 10 |
1. CONCEPTUALIZATION | 8 |

[ ] Infoage


CHAPTER 12 THE REVENUE CYCLE

DISCUSSION QUESTIONS

DQ 12-1. An information system can be seen as a system of allocation of tasks between humans and machines. Traditionally, businesses design systems where most humans are their employees. This is changing. More and more of the tasks that are assigned to humans are now going to customers, not employees. For example, students enroll in courses, customers order books over the Web, and travelers bid for hotel rooms over a web site. This self-service aspect of a Web-based system increases efficiency and productivity. Customers perform many functions that would normally be handled by company employees. Using web-enabled systems, customers can study an investment opportunity, change their asset allocation in a retirement plan, order books, reserve airline tickets, and so forth, without any involvement by employees of the business firm they are dealing with. Thus companies save resources that would otherwise be spent on employees devoted to handling inquiries, because the customer takes on some of the tasks that employees used to perform.

Incidentally, businesses are providing incentives or disincentives to move current and prospective customers to the Web. For example, Trans World is offering 1,000 frequent flyer miles if a traveler books his/her ticket over the Web. Also, selected attractive fares are available with airlines if and only if you book your tickets using their web-enabled systems. And banks have begun to charge for services where a bank employee provides the service rather than the Web.

DQ 12-2.

(a). Inputs are more likely to be captured using technology. For example, preformatted screens with online input and edit of such input can be used. The presence of hardcopy source documents decreases; instead, electronic input of source data would be more useful. For example, time clocks can capture employee attendance data electronically. Even where some of the hardcopy source documents are used, document imaging may be used to provide on-line access to documents and quicker, more reliable processing of inputs.

(b). Although the form of input could change, the sources of input will most likely experience little change. This is because the transactions will be initiated by the same sources, regardless of how data are captured. For example, employee attendance data need to be captured, no matter what form of input we choose (hardcopy timecards or electronic clocks and badges).

(c). Files in an online-input, batch-processing computer-based system would be accessible online for editing data. Access to the files is easier, and periodic and demand reports can be cost effectively generated.

(d). Some of the processing steps would be eliminated. For example, data conversion may not be necessary in the process of data capture.

(e). Internal controls can be much more sophisticated. Programmed checks can be designed within the application to detect errors and inconsistencies at the earliest possible point in time. Thus, reliability of information can be improved considerably. When online methods of data capture are used, audit trails may become fragmented; additional data may need to be maintained or controls need to be designed to manage this change. For example, transaction logs are created, and back up and recovery procedures are followed.

(f). More timely and reliable outputs are likely to be available. Additional periodic reports, if necessary, can be produced cost effectively. Demand reports can be produced reliably and cost effectively. Query features can be automated.



Although file updates occur in a batch mode, most information could be timely and relevant for making decisions.

DQ 12-3. Marketing managers depend more heavily on the management information system to obtain needed information for decision making. Information arising from environmental sources and captured by these systems can include customers' preferences, competitors' prices and product plans, market share, and expected economic growth rates. Information created internally includes sales forecasts, product capabilities, and warranties. When such data are available online, marketing managers can use them to generate information for tactical and strategic decision making in a timely manner.

DQ 12-4. For a firm such as Infoage, a variety of transaction-processing aspects can be facilitated through a web-enabled system. For example, customers can enter their service requests on the Infoage web site, review quotes, and order services. They can also order products and services using web-based systems and make payments as well. Customers can review their account activity and current balance on the web, and e-mail any questions or queries they may have for Infoage.

DQ 12-5. For cash sales, the function of maintaining the receivables records is unnecessary (see Figure 12-1 for reference). Consequently the revenue cycle becomes much simpler. Customers pay at the time of purchase; therefore, all of the documents and processing steps related to customers do not need to be designed within the revenue cycle.

Forms: Usually customer orders are placed orally at the time of sale, although a written order is possible. Billing is not necessary, and if delivery is taken at the time of the sale, no shipping documents are required. Similarly, sales invoices and remittance advices are absent. Cash refunds due to returns and allowances are possible, but credit memos and write off notices would not exist.

Files: The customer master file and accounts receivable master file will not be needed.

Procedures: The processes of posting sales to customer accounts and posting cash receipts to customer accounts are not required. Since the control account and the subsidiary ledger do not exist, the question of reconciling the two does not arise.

Outputs: Outputs that contain customer-related information would be missing, for example, the sales journal, accounts receivable summary, and accounts receivable aging analysis.

DQ 12-6. Programmed edit checks that may be employed in posting sales and cash receipts transactions to master files include:

a. The redundancy matching check verifies that the account numbers and customer names within the individual transactions being posted match the account numbers and names in the accounts receivable subsidiary ledger.

b. The posting check compares the after-posting balance in each updated customer account to the before-posting balance, ascertaining that the difference equals the amount of the transaction.

c. The sign check ascertains that the balance in a customer's account is a debit (the normal type of balance); if a credit balance appears, the account is flagged.

d. A relationship check compares sales date to payment date (if discount periods are involved).
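The four posting checks of DQ 12-6, shown as an added Python example that is not part of the original solution manual. The record layouts, the `post` function, the `DISCOUNT_DAYS` value and the sample account are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import Callable, Dict, List, Optional

DISCOUNT_DAYS = 10  # assumed discount period; set to the firm's credit terms


@dataclass
class Account:  # one accounts receivable subsidiary ledger record
    number: str
    name: str
    balance: Decimal  # positive = debit (normal) balance


@dataclass
class Txn:
    account_number: str
    customer_name: str
    kind: str  # "sale" or "receipt"
    amount: Decimal
    txn_date: date
    invoice_date: Optional[date] = None  # invoice that a receipt pays
    discount: Decimal = Decimal("0")  # cash discount taken on a receipt


def signed_effect(txn: Txn) -> Decimal:
    """Change the transaction should make to the debit balance."""
    if txn.kind == "sale":
        return txn.amount
    return -(txn.amount + txn.discount)


def default_update(balance: Decimal, txn: Txn) -> Decimal:
    return balance + signed_effect(txn)


def post(ledger: Dict[str, Account], txn: Txn,
         update: Callable[[Decimal, Txn], Decimal] = default_update) -> List[str]:
    """Post one transaction and return the exceptions the checks raised.

    REJECT entries leave the ledger unchanged; FLAG entries are posted
    but listed for follow-up.
    """
    exceptions: List[str] = []

    # a. Redundancy matching: number and name must both agree with the ledger.
    acct = ledger.get(txn.account_number)
    if acct is None:
        return ["REJECT redundancy: unknown account " + txn.account_number]
    if acct.name.strip().upper() != txn.customer_name.strip().upper():
        exceptions.append("REJECT redundancy: name does not match account")

    # d. Relationship: payment date against invoice date and discount period.
    if txn.kind == "receipt":
        if txn.invoice_date is None:
            exceptions.append("REJECT relationship: receipt has no invoice date")
        else:
            age = (txn.txn_date - txn.invoice_date).days
            if age < 0:
                exceptions.append("REJECT relationship: payment precedes invoice")
            elif txn.discount > 0 and age > DISCOUNT_DAYS:
                exceptions.append("REJECT relationship: discount taken after discount period")
    if exceptions:
        return exceptions

    # b. Posting check: after-balance minus before-balance equals the amount.
    before = acct.balance
    after = update(before, txn)
    if after - before != signed_effect(txn):
        return ["REJECT posting: balance change differs from transaction amount"]
    acct.balance = after

    # c. Sign check: a credit balance is posted but flagged.
    if after < 0:
        exceptions.append("FLAG sign: credit balance on account")
    return exceptions


def sample_ledger() -> Dict[str, Account]:
    """Constructed sample data: one customer with a 500.00 debit balance."""
    return {"100234": Account("100234", "Acme Supply", Decimal("500.00"))}
```

Passing a faulty `update` routine to `post` shows what the posting check is for: it catches an update program that changes the balance by something other than the transaction amount.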



DQ 12-7. If a cash discount is given for bills paid within ten days, the program that posts cash receipts to individual customer accounts compares the invoice date with the cash receipt date. If the date of cash receipt does not fall within ten days from the invoice date and a cash discount is included in that transaction, the transaction is rejected for further verification.

DQ 12-8. A bank reconciliation should be prepared periodically, since it provides a detective-type control over all cash transactions, both receipts and deposits. It therefore indicates when errors and omissions have occurred with respect to cash-related transactions and also verifies that the current amount shown in the cash account is in accord with the amount shown by the bank statement to be held in the bank account.

DQ 12-9. Application controls employed within a revenue cycle that are unique to online processing systems include:
a. Preformatted CRT screens to aid the entry of transactions.
b. Automatic numbering and logging of all transactions.
c. Use of concise codes for entered data.
d. Echo of data (e.g., names) upon the entry of codes (e.g., numbers).
e. Redundancy matching check built into entry programs.
f. Completeness tests built into edit programs.

Application controls employed within a revenue cycle that are unique to batch processing systems include:
a. Batch control totals for each batch of transactions.
b. Turnaround documents for cash receipts transactions.
c. Key verification of transaction data converted to disk or tape.
d. Sequence checks built into processing programs.

DQ 12-10. Checks received from customers in payments of previous credit sales should not be used as the media for posting to the accounts receivable ledger, since checks represent cash -- an asset. Since the principle of separation of duties dictates that those employees who do the posting to the ledger should not also have custody of assets, they consequently should not receive the checks for use in posting. Instead, the remittance advices, which reflect the amounts received, should be used for posting. If remittance advices are not received with the checks, they should be prepared or reasonable substitutes should be employed. For instance, Xeroxed copies of the checks could be employed as remittance advices.

DQ 12-11. Generally, the nature of information needs of the marketing manager would be comparable across organizations. However, differences in size, complexity, and industry to which the organization belongs can result in somewhat different descriptions of information needs. Compared to a merchandising firm (Infoage, for example) a manufacturing firm has an additional function: the manufacturing of products it sells. This will result in additional information needs, such as product designs, direct and indirect costs of manufacturing each product, and the quality of products manufactured. For a hospital, there are no products involved, since it delivers services. Services need to be rendered as patient needs arise. This means the marketing manager will have to look at capacity planning (number of beds available), availability of doctors with specialties (cardiac surgeons, for example), etc. In addition, it would be necessary for the marketing manager to understand the implications of changes in health care coverages, Medicare, and Medicaid provisions.



PROBLEMS

12-1. a.

ARW International
Sales Analyses
For the week ending __________

Region | # of outlets | Hardware: Total | Hardware: Per outlet | Software: Total | Software: Per outlet | Internet-based services: Total | Internet-based services: Per outlet | Total sales
TOTAL SALES | | | | | | | |

It would be useful for managers to see not only total sales but also a comparison with targets, and sales per outlet as well. Exceptions should be highlighted to catch managers’ attention. The above report is illustrative only, and can be designed in various ways. One of the features that can be introduced to the report is what is called the “drill down” feature, which will permit managers to see data in as much detail as they need to study. For example, in the above report, a click on a specific row would present a country by country report for the region (chosen by clicking on the row).

b. A group code should facilitate various views of sales useful to managers in planning and controlling operations. In such a code, critical dimensions of ARW International’s revenue sources must be reflected. These include the three products and services groups (hardware, software and Internet-based services), and the geographical regions. Considering these factors, the following group code is suggested:

Sales Summary Account – Sub account – Region – Country – Sales Outlet

To illustrate, sales summary account may be a four-digit number in the chart of accounts; sub account is a one digit code (1 for hardware, 2 for software, 3 for Internet-based services); regions may be represented by continents or some other suitable geographic divisions appropriate for the firm’s business (one digit); country codes may be the same as for telephones (3 digit numeric); and the sales outlet number (2 digit numeric) identifies the specific outlet. Thus, 6150-2-6-091-67 represents software sales of outlet #67 in India, which falls within the South East Asia region.



c. The potential benefits to ARW of setting up a Web-based system for its customers include:
• Lower costs of operations, greater efficiency
• Lower inventory levels
• Shorter cycle times
• Possibly lower amounts of receivables, higher receivables turnover

d. ARW should consider the following steps with respect to on-line customer orders that are paid by credit card:
1. Authentication of the customer is critical. The identity of the person ordering should be verified. Typically, a password is used as a means for authentication.
2. Encrypt credit card information so that even if someone is eavesdropping on the communication lines, the encrypted information will not be useful.
3. Do not accept orders unless complete information is provided including full address and phone number.
4. For orders that have different “ship to” and “bill to” addresses, require a fax with credit card number and signature authorizing the transaction.
5. For orders that come from free e-mail services, request additional information such as non-free e-mail address, the name and phone number of the bank that issued the credit card, the exact name on the credit card and the exact billing address.
6. Pay particular attention to orders that are larger than your typical order amount and to orders with next-day delivery.
7. Take extra steps to validate international orders before you ship your product to a different country, especially if the “ship to” address is different from the “bill to” address.
8. If you are suspicious about an order, call back the customer to confirm it.
9. If possible, use software or services such as Cybersource and Clear Commerce Corporation to fight credit card fraud on-line.
10. If you find out that a credit card thief has scammed you, you should notify your merchant account processor immediately. You should then inform the legitimate cardholder that his or her card number has been stolen.

e. Other security issues that must be addressed if ARW decides to implement a Web-based system include the following:
• Authorization. It is important to ensure that only authorized individuals make changes to the Web content.
• Accountability. Changes made to the Web site and its contents must be documented. To establish responsibility for any modifications made, a Web server log should be maintained.
• Data transmission. In order to maintain the confidentiality and integrity of data transmitted via the Web, encryption should be employed.
• Disaster contingency and recovery plan. Proper back up procedures, including fault tolerance, should be in place to minimize unexpected interruptions. A recovery plan should also be devised to ensure reconstruction of lost data.

12-2. a. Please refer to the diagrams on the next page.
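Steps 3 through 8 of the answer to 12-1 d can be applied to each incoming order as a screening routine. The following Python sketch is an added example, not part of the original solution manual; the order fields, the free e-mail domain list, the typical order amount, the home country and the two-signal cut-off for a call-back are all assumptions.

```python
from decimal import Decimal

FREE_MAIL_DOMAINS = {"hotmail.com", "yahoo.com"}  # illustrative, not exhaustive
TYPICAL_ORDER = Decimal("500.00")                 # assumed typical order amount
HOME_COUNTRY = "US"                               # assumed
ADDRESS_FIELDS = ("street", "city", "postal", "country")


def _norm(addr):
    return tuple(str(addr.get(k, "")).strip().upper() for k in ADDRESS_FIELDS)


def _missing(order):
    """Names of required fields that are absent or blank."""
    missing = [f for f in ("name", "email", "phone", "amount")
               if not str(order.get(f, "")).strip()]
    for which in ("bill_to", "ship_to"):
        addr = order.get(which) or {}
        missing += [which + "." + k for k in ADDRESS_FIELDS
                    if not str(addr.get(k, "")).strip()]
    return missing


def screen_order(order):
    """Return (decision, actions) for one on-line credit card order."""
    missing = _missing(order)
    if missing:  # step 3: incomplete orders are not accepted
        return "reject", ["incomplete order: missing " + ", ".join(missing)]

    actions = []
    split = _norm(order["bill_to"]) != _norm(order["ship_to"])
    if split:  # step 4
        actions.append("require fax with card number and signature "
                       "(ship-to differs from bill-to)")
    domain = order["email"].rsplit("@", 1)[-1].lower()
    if domain in FREE_MAIL_DOMAINS:  # step 5
        actions.append("request non-free e-mail address, issuing bank name and "
                       "phone, exact name and billing address on card")
    if Decimal(order["amount"]) > TYPICAL_ORDER or order.get("next_day"):  # step 6
        actions.append("manual review: large or next-day order")
    if order["ship_to"]["country"].strip().upper() != HOME_COUNTRY:  # step 7
        actions.append("validate international order before shipping")
    if len(actions) >= 2:  # step 8, with an assumed definition of "suspicious"
        actions.append("call back customer to confirm")
    return ("hold" if actions else "accept"), actions


# Constructed sample orders.
_HOME = {"street": "1 Main St", "city": "Tempe", "postal": "85281", "country": "US"}
_ABROAD = {"street": "9 King St", "city": "Toronto", "postal": "M5H 1A1", "country": "CA"}
CLEAN_ORDER = {"name": "Pat Lee", "email": "pat.lee@customer.example",
               "phone": "555-0100", "amount": "120.00",
               "bill_to": _HOME, "ship_to": dict(_HOME)}
RISKY_ORDER = {"name": "Pat Lee", "email": "pl1999@hotmail.com",
               "phone": "555-0100", "amount": "2400.00", "next_day": True,
               "bill_to": _HOME, "ship_to": _ABROAD}
```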



[Entity-relationship diagram. Records: Customer record, Remittance advice record, Sales invoice record. Entities: Cashier, Customer, Cash receipt, Cash, Sales. Relationships: Received from/by, Deposited, Shipped and Billed, Sale/Cash Receipt, with cardinalities marked 1, n and m.]

b.

Invoice Line Item Table: Sales invoice number | Product number | Unit price | Quantity shipped and sold

Customer/Account Receivable Table: Customer number | Customer name | Customer shipping address | Customer billing address | Phone number | Credit limit | Trade discount allowed | Account balance beginning of year | Year-to-date sales | Year-to-date payments

Cash Receipt Table: CR number | Customer number | Date | Amount received

Sales Invoice Header Table: Sales invoice number | Customer number | Sales order number | Billing date | Shipping document number | Terms | Total sales amount

Invoice/Receipt Table: CR number | Invoice number

12-3.

a. 1. Cash receipts may be abstracted. 2. Payments from customers may be lapped.

b. When funds are received from delinquent customers, their accounts may be fraudulently written off and the collections taken from the amounts to be deposited. (To be successful, this fraudulent act requires that the person involved has access to the list of customers who are delinquent and to the list of remittances and also can change the deposit slip without detection).

c. Sales invoices may be lost, without the loss being detected, and thus they cannot be matched against subsequent payments; lack of payments will consequently remain undetected.

d. 1. Posting errors can occur in either the subsidiary ledger accounts or in the control account. 2. Fraudulent acts involving individual accounts can remain undetected.

e. 1. Orders that are not shipped may not be detected. 2. Orders that are shipped may not be billed, since any shipping notices not sent to the billing department will remain undetected.

f. Shipments may be billed more than once, thus possibly incurring ill will from customers and loss of their future business.

12-4.

a. Calculate a batch total of amounts at the time sales invoices are prepared, and compare this predetermined total with a batch total of amounts posted from the sales invoices.

b. Prepare a shipping notice, listing the actual quantity of goods shipped, and use this shipping notice (together with the sales order) in the preparation of a sales invoice.

c. Prepare a shipping notice, as in b above, and send to the billing department. Also, maintain a copy of each sales order in the billing department, periodically review the copies, and investigate any orders more than a week old that have not been billed.

d. Prepare daily trial balances (or summaries of daily postings prepared from journal vouchers), with differences between total debits and credits being traced to individual transaction documents.

e. Prepare a pre-numbered sales invoice (and perhaps a monthly statement) and mail to each credit customer after the ordered goods are shipped; a customer who does not receive a shipment will normally detect the omission and notify the firm that shipped the goods.

f. Prepare a monthly statement for each credit customer, and include a notation on the statement of delinquent amounts (and interest charges, if any).

g. Prevent access to the finished goods warehouse by unauthorized persons such as shipping clerks; allow goods to be removed from the warehouse only on receipt of copies of authorized orders from customers (e.g., stock request copies), require shipping notices to be prepared of all goods shipped, and mail sales invoices to customers that reflect all goods shipped.

h. See the answer to a.

i. Require that credit memos relating to sales returns are supported by receiving reports showing that the goods have actually been returned and be approved by a credit manager and one other manager.

j. 1) Improve organizational independence by separating responsibility for (a) opening mail, (b) preparing cash deposits, and (c) recording cash receipts in the customers' records. 2) Require a mail room clerk to verify each cash receipt with an accompanying remittance advice (or to prepare an advice if none is received), to list each amount on a remittance list, and to total the remittance list. 3) Request customers to remit only checks or money orders (but not currency). 4) Do not allow the cashier to have access to customers' records.

k. Maintain a distribution log that specifies the appropriate recipients of reports.

l. Employ internal labels on all tape files, which are displayed for the computer operator on the computer console before processing begins.

m. 1) Key verify all amounts entered onto a transaction tape. 2) Calculate a batch total on amounts received and recorded on remittance advices, and compare with the total computed of amounts keyed onto the magnetic tape.

n. Employ a completeness check or test on entered transaction data.

o. Employ a validity check, which is applied by the edit program during the entry of data.

p. Employ a field check, which is applied by the edit program during the entry of data.

q. Restrict the mail room terminal from access to and the capability of updating the accounts receivable file; instead, have the mail room employee accumulate the receipts via the terminal onto a remittance listing, which is available to the accounts receivable employees and cashier. Then, have the accounts receivable clerks activate the posting of receipts to the customers' accounts.

r. Employ a relationship check, which compares the purchase and payment dates and computes the time period; this check should be applied upon the entry of cash receipts data.
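The batch total of 12-4 a and m and the completeness, validity and field checks of n through p work together in one edit run, sketched below in Python as an added example that is not part of the original solution manual. It goes beyond the amount total by also keeping a record count and a hash total of customer numbers; the record fields, field formats and customer numbers are constructed for illustration.

```python
import re
from decimal import Decimal

VALID_CUSTOMERS = {"100234", "100311", "100587"}  # constructed master-file keys
FIELD_FORMATS = {                                  # assumed record layout
    "customer_number": re.compile(r"\d{6}"),
    "payment_date": re.compile(r"\d{6}"),
    "amount": re.compile(r"\d{1,7}\.\d{2}"),
}


def control_totals(records):
    """Record count, hash total of customer numbers, and amount total."""
    hash_total = 0
    amount_total = Decimal("0")
    for rec in records:
        number = str(rec.get("customer_number", "")).strip()
        if number.isdigit():
            hash_total += int(number)
        amount = str(rec.get("amount", "")).strip()
        if FIELD_FORMATS["amount"].fullmatch(amount):
            amount_total += Decimal(amount)
    return {"count": len(records), "hash": hash_total, "amount": amount_total}


def edit_record(rec):
    """Completeness, field and validity checks on one keyed record."""
    errors = []
    for name, pattern in FIELD_FORMATS.items():
        value = str(rec.get(name, "")).strip()
        if not value:
            errors.append("completeness: " + name + " is missing")
        elif not pattern.fullmatch(value):
            errors.append("field: " + name + " has invalid format")
    number = str(rec.get("customer_number", "")).strip()
    if FIELD_FORMATS["customer_number"].fullmatch(number) and number not in VALID_CUSTOMERS:
        errors.append("validity: customer " + number + " not in master file")
    return errors


def edit_run(header, keyed):
    """Edit every keyed record, then reconcile the batch to its control totals.

    Returns (accepted records, [(sequence, errors)], {total: keyed - header}).
    """
    accepted, rejected = [], []
    for seq, rec in enumerate(keyed, start=1):
        errors = edit_record(rec)
        if errors:
            rejected.append((seq, errors))
        else:
            accepted.append(rec)
    keyed_totals = control_totals(keyed)
    differences = {k: keyed_totals[k] - header[k]
                   for k in header if keyed_totals[k] != header[k]}
    return accepted, rejected, differences


def likely_transposition(difference):
    """A nonzero difference divisible by 9 suggests two digits were swapped."""
    units = abs(int(Decimal(difference) * 100))
    return units != 0 and units % 9 == 0


# Constructed sample: remittance advices as totalled in the mail room ...
SOURCE_ADVICES = [
    {"customer_number": "100234", "payment_date": "030824", "amount": "1250.00"},
    {"customer_number": "100311", "payment_date": "030824", "amount": "89.50"},
    {"customer_number": "100587", "payment_date": "030824", "amount": "400.00"},
]
# ... and the same batch as keyed, with one amount and one customer number
# transposed. The amount error passes every record-level check.
KEYED_BATCH = [
    {"customer_number": "100234", "payment_date": "030824", "amount": "1520.00"},
    {"customer_number": "100311", "payment_date": "030824", "amount": "89.50"},
    {"customer_number": "100578", "payment_date": "030824", "amount": "400.00"},
]
```

The keyed amount 1520.00 is well formed and belongs to a valid customer, so only the comparison with the predetermined batch total exposes it.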



12-5.

a. Sources of the items in the daily listing of cash receipts are as follows:
Customer number: accounts receivable master file
Customer name: accounts receivable master file
Remittance advice code: remittance advice
Cash payment amount: remittance advice
Daily deposit number: computer-generated
Date: computer-generated

Sources of the items in the monthly accounts receivable aging analysis are as follows:
Customer name: accounts receivable master file
Total balance owed: accounts receivable master file
Aged portions of balance: computer-generated

b. The flowchart of a proposed computer-based cash receipts procedure for the Jason Department Store is separately provided.

c. A record layout of the remittance advice transaction record follows:

Field (length) | Type
Customer number (6) | N
Remittance advice code (3) | N
Customer name (35) | A
Customer address (75) | AN
Type of account (2) | A
Payment date (6) | N
Amount paid (10) | N

N = numeric, A = alphabetic, AN = alphanumeric

d. Transaction controls that are suitable to a computer-based system that processes cash receipts transactions by the batch method include:

(1) Use of turnaround documents for remittance advices.

(2) Preparation of batch totals, e.g., record count of advices, hash total of customer account numbers, amount control total of amounts remitted; comparison of batch totals on a run-by-run basis.

(3) Use of pre-numbered batch transmittal sheet.

(4) Deposit of cash receipts intact.

(5) Use of the following programmed checks during the edit run (together with the data items being checked).

[Matrix of edit checks against data items. Types of edit check: Field, Validity, Self-checking digit, Limit, Relationship*. Data items: Customer number, Customer name, Customer address, Remittance advice code, Type of account, Payment date, Amount paid.]

* Payment date is compared to the invoice date, to assure that the payment date is later.

(6) Use of an error correction procedure that involves a control group and an error log.

(7) Use of the following programmed checks during the processing run (together with the data items being checked).

Type of edit check | Customer number | Customer name | Master file name and date | Account balance (after update)
Sequence | x | | |
Redundancy matching | x | x | |
Posting | | | | x
Sign | | | | x
Internal label check | | | x |

(8) Reconciliation of cash receipts listing against amount shown on deposit slip.

(9) Review of accounts receivable aging schedule and reconciliation to the control account in the general ledger.

(10) Preparation of bank reconciliation on a monthly basis, including the verification of total cash receipts.

e. A data flow diagram of the cash receipts procedure is separately provided.

12-6. a. Weaknesses and recommended improvements for the sales and cash receipts procedure of the Aqua Valves and Fittings Company are as follows:

1. Control weakness: Sales orders are unnumbered and unrecorded.
Recommended improvement: Prenumber all sales orders, in order that copies may be filed sequentially and missing orders accounted for. Enter sales orders in a sales journal and post periodically to the general ledger.

2. Control weakness: Orders are accepted for credit without approval of the customer's creditworthiness.
Recommended improvement: Require that all orders for credit are approved before they are filled. This step can best be performed by Sid Center, who might refer to the customer's credit rating and record of past transactions.

3. Control weakness: An inadequate number of copies of sales orders are prepared.
Recommended improvement: Prepare an additional copy of each sales order; file two copies of the order (an office copy and customer copy) by customer name in the office, and send the third copy to the yard (as is currently done).

4. Control weakness: Customers do not acknowledge receipt of ordered and picked-up items.
Recommended improvement: Request each customer (regardless of whether the sale is for cash or credit) to stop at the office first. Give the customer a copy of the sales order, stamped paid if for cash, which he or she carries into the yard. Upon giving the customer the ordered items, request him or her to sign the copy attached to the assembled items. Return this acknowledgment to the office and file in numerical order. Periodically review this numerical file for missing numbers, and investigate any such missing sales orders.

5. Control weakness: Filled orders are not verified in the yard.
Recommended improvement: Assign the responsibility for assembling orders to one of the two yardmen (say Phil Stone). Then assign the other yardman (Fred Bass) the task of checking the contents of each assembled item against the sales order and initialing the form. (Fred would also be assigned other tasks related to storing newly received items.) When a customer arrives in the yard to pick up his or her ordered items, have the second yardman (i.e., Fred Bass) request that he or she count the items and sign the yard copy of the sales order.

6. Control weakness: Cash sales are not adequately controlled.
Recommended improvement: Acquire a cash register (if one is not already owned); specify that Rita Records or Nolan Kobb put cash received over-the-counter in one register drawer and the office copy of the related sales order in another drawer. Before the close of banking hours each day have Rita prepare a tape of the amounts on the sales orders in the latter drawer and enter in a cash receipts journal. Then have Sid Center compare this tape with the controlled tape inside the cash register, a count of the cash, and the deposit slip (to be discussed later). (The copies of sales orders and tapes would later be filed together by date, and the total cash receipts for the day would be posted in the general ledger.)

7. Control weakness: Responsibilities for handling cash received by mail are not adequately segregated.
Recommended improvement: Specify that Sid Center is to open all mail and list remittances from customers. Have Sid give the remittance list to Rita Records, who then totals the list, enters in the cash receipts journal, pulls the office copies (of the sales orders against which payments have been received), and removes them to a closed orders file. (This last step in effect posts the payments to the customers' accounts.) Assign Nolan Kobb to prepare the deposit slip each day before the close of banking hours, based on the actual mailed-in remittances given to him directly by Sid Center and the cash received over-the-counter. After Sid Center checks the deposit slip and compares the totals to the remittance list and cash register tape, have Nolan Kobb carry the deposit to the bank and return the stamped duplicate copy of the deposit to Sid.

8. Control weakness: The bookkeeper prepares the monthly bank reconciliation as well as the monthly statements to customers.
Recommended improvement: Specify that Sid Center is to prepare the monthly bank reconciliation and to review the monthly statements for customers before they are mailed. (Note also that each customer's scrutiny of his or her monthly statement constitutes another control over its accuracy.)

9. Control weakness: Inadequate control is maintained over customers' accounts receivable.
Recommended improvement: If reasonable, establish a control account within the general ledger over accounts receivable and maintain a subsidiary ledger of accounts receivable. Have Rita post to the customer account records. However, this type of control may be too elaborate for so small a firm. If so, the following procedure may be employed: Continue to maintain a closed orders file, to which paid credit sales orders are transferred (see Improvement No. 7). Then, at the end of each month (or week, if volume warrants), have Rita prepare (1) an aging schedule of outstanding accounts receivable (by reference to the file of open sales orders), (2) a total of all credit sales for the period (from the sales journal), and (3) a total of all remittances from credit customers for the period (from the cash receipts journal). Provide this information to Sid, who can verify that the total outstanding accounts as of the beginning of the period, plus the total of credit sales, less the total of remittances equals the total currently outstanding accounts receivable. Furthermore, he should perform a more detailed check and trace discrepancies by referring to the journals, the closed file of sales orders, the open file of sales orders, and the general ledger. Alternatively, he may request the firm's outside accountant to perform this task. (Sid Center may also use the aging schedule to press for payments that are over 30 days old).

b. A context diagram and a level-zero data flow diagram of the revenue cycle for Aqua.



[Context diagram of the revenue cycle for Aqua. Boxes: Customer, Yard, Office, Bank, around the Revenue cycle process. Flow labels: Order; Payment; Orders; Monthly statement; Assembled order; Order pickup; Checks, deposit slips; Monthly statements; Deposits (cash receipts); Mail from customers; Cash.]


A level-zero data-flow diagram of the revenue cycle for Aqua

[Data flow diagram. Processes: 1.0 Prepare sales order; 2.0 Assemble ordered items; 3.0 Order pickup; 4.0 Prepare monthly statements; 5.0 Receive payments; 6.0 Deposit checks. External entities: Customer, Bank. Data store: Open sales orders. Flow labels: Order; Cash; Sales order; Ordered items, sales order; Deliveries; Monthly statement; Checks, remittance advice; Checks; Remove orders where payment is received.]

c. A systems flowchart for an immediate processing computerized procedure.


[Systems flowchart (labels only), in three columns: General Manager's office, Alcove, Bookkeeper.
General Manager's office: customer call; Enter order (sequentially numbered sales order, copy to customer); customer with cash payment; Enter receipt; Process cash receipt (receipt copies to customer and to bookkeeper); cash to be deposited daily; customer with credit purchase; Check credit (accounts receivable master file, credit history file); delivery authorization; credit authorization; customer payments in mail; Open mail; checks; summary of receipts to bookkeeper.
Alcove: sales order; Assemble order; enter shipping date; Process deliveries; shipping note; Clear delivery ("Match sales order with shipping note. Check cash receipt or stamp both copies of Shipping note as "Delivered". Move receiver sign file copy"); shipping note to customer with delivery; shipping file; daily deliveries file.
Bookkeeper: daily deliveries file; open sales orders; sales order history (closed orders file); Post deliveries; accounts receivable file; daily deliveries summary; daily sales summary; summary of cash receipts; Enter checks received; cash receipts; Update accounts receivable file; accounts receivable listing, summary of balances.
Each data entry step has an error and exception display.]


d. Sales Order

Sales order #:                    Date:
Customer name:
Customer number:
Cash or credit sale:

Columns: Item number, Description, Quantity, Unit price

Credit approval by:

d. Programmed edit checks:
• Sales order number will be automatically and sequentially assigned by the sales order application.
• Date will also be assigned by the sales order application.
• Item description will be echoed by the system upon entry of Item number. The sales order application will look up unit prices and display them on the order.
• Quantity cannot be zero or negative (limit check). In certain cases, it may make sense to design a range check if the maximum quantity one could order can be anticipated for the item.
• For credit sales, credit approval needs to be entered before the sales order can be transmitted to the yard (completeness check).

f. Data elements needed to record cash sales: Sales order no., Date, Amount.
Data elements needed to record credit sales: Customer no., Sales order no., Date, Amount.
Data elements needed to record payments on account: Customer no., Remittance advice no., Date, Amount.
To process (post, update) cash sales, credit sales, and payments on account, additional data elements required would be General Ledger account number, and debit or credit.

g. Transaction files: Cash Receipts Journal, Sales Journal.
Master files: General Ledger (Primary key: GL Account Number), Accounts Receivable Subsidiary Ledger (Primary key: Customer number; if a customer has more than one account, use Customer Account number as the primary key).

h. General controls for the new computerized procedure include the following:
• Access authorization. Each user must be authorized to access what he or she needs to perform his or her functions. Passwords should be used to authenticate the users.
• System documentation. The entire system should be fully documented. The documentation should be kept current.
• Back up and recovery. Back up copies of files should be maintained. The recovery procedures should be tested periodically to ensure that the system recovery is feasible.
• Segregation of duties. Aqua is a small firm. Consequently, there is limited scope for separation of duties. However, incompatible duties must be segregated to the best possible extent.

12-7. (Adapted from the Certificate in Management Accounting, June 1985, Part V, Question No. 2.)

a & b: Weaknesses and Potential Problems / Recommendation(s) to Correct Weaknesses

a. Weakness: Orders received over the telephone are not confirmed by customers in writing. This could result in errors or in filling bogus orders.
Recommendation: Require a written customer purchase order as confirmation of telephone orders.

b. Weakness: Customer credit histories are not checked before approving orders. This is resulting in excessive late collections and uncollectible accounts.
Recommendation: Check customers' credit and do not make sales to those who do not meet credit standards.

c. Weakness: Sales orders are filed by date in the marketing department, thereby leading to difficulty in handling customer questions and complaints.
Recommendation: Establish customer files and file sales orders by customers' names.

d. Weakness: Only two copies of sales orders are prepared, an insufficient number to insure a proper matching in the billing department.
Recommendation: Prepare, at a minimum, a three part sales order, sending one to the billing department. That department should match its copy with a signed copy from the shipping department before preparing a sales invoice.

e. Weakness: Items that are out of stock are merely noted. Inaction in these cases could cause lost sales.
Recommendation: Establish procedures to schedule production for back orders and to ship and bill the product once it is available.

f. Weakness: There is no reconciliation of inventory relief and billing, thus possibly leading to undetected under-billing.
Recommendation: Integrate billing and inventory relief within the computer system, eliminating the need for reconciliation.

g. Weakness: The receiving and shipping departments share a computer terminal and personnel in both departments have access to the physical inventory and can update inventory records through the terminal. This can result in the theft of inventory with no means of tracing the theft.
Recommendation: Provide each department with its own terminal, which should be limited to inquiry purposes only. The physical custody and record keeping of inventory should be separated, with perpetual records being updated by purchasing, accounts payable, and billing. Access to the physical inventory should be limited to receiving, which would add incoming goods to the physical inventory and select goods from the warehouse for shipping.

h. Weakness: The receiving department does not compare incoming deliveries to purchase orders, thereby leading to the possible acceptance of unordered goods.
Recommendation: Send copies of purchase orders (without the quantity data) to the receiving department, which should match the delivery to the purchase order and indicate quantities received.

i. Weakness: A complete inventory listing is printed only once a year. Errors in the perpetual inventory records may remain undetected for too long a time period.
Recommendation: Print inventory listings periodically throughout the year, and compare physical counts to the listings on a cycle basis.

c. A level-zero data flow diagram of the marketing, shipping, and billing procedure is as follows (omitting the receiving activity, which is not a part of the above procedure):

A level-zero data-flow diagram of the marketing, shipping and billing procedure

[Figure: level-zero data-flow diagram. Processes: 1.0 Prepare sales order; 2.0 Prepare for shipment; 3.0 Prepare sales invoice. Entities and areas: Customer, Shipping, Billing. Data stores: Perpetual inventory records, Billing records. Flows: order obtained from customer, sales order, signed sales order, sales invoice.]

12-8. Note: Since numerous illustrations have been provided throughout the textbook and this manual, this problem is solved only for selected parts of the requirements.

a3. On-line entry and processing of shipping data

[Figure: systems flowchart. Inputs: edited order transactions (previously checked for credit acceptability), shipping notices. Processes: Process for shipping; Process (billing). Files: Open sales order file, Shipping notice file, Finished goods inventory master file, Accounts receivable master file, Sales invoice file, Back order file. Outputs: shipping notices, sales invoices (to customers), listings of product shipped and on back-order.]


b. A level-zero data-flow diagram of the sales procedure

[Figure: level-zero data-flow diagram. Processes: 1.0 Prepare customer's order, edit data; 2.0 Check for credit acceptability; 3.0 Check for product availability, prepare for shipping; 4.0 Update customer records and print invoices. External entity: Customer. Data stores: Accounts receivable records, Finished goods inventory data, Back order data. Flows: customer orders, edited order, orders, shipping notices, listings of products shipped, invoices.]

c. Benefits that Thistle can expect to obtain if it uses the Web to market its products include:
• Reduction in non-value-added time. For example, orders can be acknowledged right away and shipping notes and sales invoices can be sent electronically in real time.
• Reduction in cycle time. Because of the reduction in non-value-added time and other efficiencies gained in Web-based systems, the cycle time is reduced substantially.
• Reduction in paperwork. The handling of physical paper, its filing, and disposal are all significantly reduced or completely eliminated. For example, Thistle may decide to mail electronic copies of invoices, thus reducing paperwork, saving postage cost, and dramatically improving the speed of communication.
• Improved efficiency. Due to all of the above benefits, the system efficiency can be expected to improve substantially.
• Improved customer satisfaction. A properly designed and implemented system is likely to improve satisfaction of customers in dealing with Thistle. Improved customer satisfaction may have a long-term positive impact on Thistle’s prosperity.

d. Security issues that must be addressed if Thistle decides to implement a Web-based system include the following:
• Confidentiality of information. What customers send must be well guarded and used only for the authorized purposes. In addition to controls within the organization, Thistle should also consider data transmission controls and data encryption.
• Access authorization, authentication. It is critical that users of the system, both inside and outside the firm, are properly identified and authenticated.
• System integrity. The system should have a high level of integrity, and should be available almost all the time.
• Protection against fraud. To protect Thistle against fraud, several measures may be required. For example, the complete address and phone number of the customer should be required. Additional scrutiny is warranted where the “ship to” address is different from the “bill to” address, and when orders originate from free e-mail services.
• Disaster recovery and contingency planning gains heightened importance, because such a system would become a critical lifeline of revenues and its availability cannot be compromised under any conditions.

12-9. (Adapted from the Certified Public Accountants Examination, Auditing Section.)

Weakness / Recommended improvement

1. Weakness: Major applications are assigned permanently to computer operators, thereby leaving their performances open to abuse and errors.
Recommended improvement: Rotate assignments of applications among the operators and require the operators to take vacations, so that improper actions are detected.

2. Weakness: Computer operators make program changes and reconcile the computer log.
Recommended improvement: Establish a program change procedure that involves computer programmers, rather than operators. Also, assign an independent group, such as a data control section or internal auditors, to review and reconcile the computer.

3. Weakness: Computer operators, on a rotating basis, have control and custody of the tape files and system documentation.
Recommended improvement: Establish a data librarian, who is organizationally and physically separate from the computer operations, to maintain control and custody over the tape files and system documentation. Require computer operators to sign for the use of tape files when needed in application processing and to return the files to the librarian when their use is terminated. Do not allow the computer operators to have access to system documentation, which should be made available to system developers and programmers when needed. Computer operators should only have access to run manuals needed for processing.

4. Weakness: Computer programmers have access to the computer room, while the supervisor of operators does not.
Recommended improvement: While computer operators must of course have access to the computer room, programmers should not have access. Since they understand the application programs involved in processing, they could make unauthorized changes if provided access. On the other hand, the supervisor must have access to the computer room in order to supervise the operators properly. (Systems analysts, like programmers, have no legitimate need to enter the computer room.)

5. Weakness: Systems documentation is limited.
Recommended improvement: In addition to the types of documentation listed, systems documentation should include computer system flow-charts, data flow diagrams, charts of accounts, report formats, control procedures, and error-correction measures.

6. Weakness: Batch totals and processing controls are not used.
Recommended improvement: Batch totals should be computed on key data elements on the shipping notices (e.g., quantities shipped, product numbers, document counts); also, program checks should be performed by an edit program on the key data elements entered from the shipping notices (e.g., validity check on customer numbers, limit checks on quantities shipped, relationship checks on the quantities shipped versus quantities ordered, as shown by the open order file).

7. Weakness: Billing department clerks perform inappropriate tasks, i.e., entering prices of items shipped, preparing adding machine tapes, accounting for the numerical sequence of shipping notices.
Recommended improvement: Prices of items should be stored on magnetic tapes or disks in a pricing file and entered by the computer billing program; tapes of units shipped and other batch totals should be computed by shipping clerks for batches of shipping notices and listed on batch transmittal sheets; a computer program should confirm the sequence via a sequence check during the processing run.

8. Weakness: Shipping notices and adding machine tapes are sent directly to the computer department for processing.
Recommended improvement: Shipping notices, together with batch transmittal sheets, should be sent first to a data control group, which records the batch totals on an input-output log.

9. Weakness: Sales invoices are used as a detail accounts receivable record.
Recommended improvement: A formal accounts receivable master file should be established and stored on tape or disk; after the preparation of sales invoices the computer application program could perform additional runs in which the invoice data are sorted according to customer account numbers and then posted to the records in the accounts receivable master file. The sales invoices, which should be pre-numbered, would then be placed in an open invoice file on magnetic tape or disk (to be used in the cash receipts processing).

10. Weakness: The outputs from sales invoice processing are inadequate and verified inappropriately.
Recommended improvement: In addition to a daily sales register, outputs should include such reports as changes to accounts receivable records. The totals of sales amounts billed, and the totals of the amounts posted, should be listed on exception and summary reports, which would then be compared by data control clerks (rather than by computer operators). Finally, the sales invoices would be transmitted by the data control group to the mailroom and the other outputs to the general accounting and billing department.
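The batch totals and programmed checks recommended for 12-9 (validity, limit, relationship and sequence checks on shipping notices, with totals compared against the batch transmittal sheet) can be sketched as an edit run. This is an added Python example, not part of the original solution; the record layouts, customer and product numbers, the quantity limit and the sample batch are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ShippingNotice:
    notice_no: int      # pre-numbered document number
    customer_no: str
    product_no: int
    qty_shipped: int


@dataclass(frozen=True)
class BatchTotals:
    document_count: int     # record count
    total_qty_shipped: int  # quantity total
    product_no_hash: int    # hash total: sum of product numbers, used only as a control


# Constructed master data (assumptions for this example).
VALID_CUSTOMERS = {"C100", "C200", "C300"}
OPEN_ORDERS = {("C100", 5001): 10, ("C200", 5002): 4, ("C300", 5003): 25}  # qty ordered
MAX_QTY_PER_NOTICE = 500


def compute_batch_totals(notices):
    """Totals the edit program computes itself from the records it actually received."""
    return BatchTotals(
        document_count=len(notices),
        total_qty_shipped=sum(n.qty_shipped for n in notices),
        product_no_hash=sum(n.product_no for n in notices),
    )


def compare_batch_totals(transmittal, computed):
    """Compare the shipping clerks' transmittal sheet with the computed totals."""
    names = ("document_count", "total_qty_shipped", "product_no_hash")
    return [
        f"batch total {name}: transmittal {getattr(transmittal, name)}, "
        f"computed {getattr(computed, name)}"
        for name in names
        if getattr(transmittal, name) != getattr(computed, name)
    ]


def sequence_check(notices):
    """Report gaps, duplicates and out-of-order numbers in the pre-numbered notices."""
    exceptions, prev = [], None
    for n in notices:
        if prev is not None:
            if n.notice_no <= prev:
                exceptions.append(f"sequence check: notice {n.notice_no} duplicate or out of order")
                continue
            exceptions.extend(
                f"sequence check: notice {missing} missing"
                for missing in range(prev + 1, n.notice_no)
            )
        prev = n.notice_no
    return exceptions


def edit_notice(n):
    """Field-level programmed checks on one shipping notice."""
    errors = []
    if n.customer_no not in VALID_CUSTOMERS:
        errors.append("validity check: unknown customer number")
    if not 0 < n.qty_shipped <= MAX_QTY_PER_NOTICE:
        errors.append("limit check: quantity shipped out of range")
    if n.customer_no in VALID_CUSTOMERS:  # relationship check needs a known customer
        ordered = OPEN_ORDERS.get((n.customer_no, n.product_no))
        if ordered is None:
            errors.append("relationship check: no open order for this product")
        elif n.qty_shipped > ordered:
            errors.append("relationship check: quantity shipped exceeds quantity ordered")
    return errors


def run_edit(notices, transmittal):
    """One edit run: batch-level exceptions plus accepted and rejected notices."""
    batch_exceptions = sequence_check(notices) + compare_batch_totals(
        transmittal, compute_batch_totals(notices)
    )
    accepted, rejected = [], {}
    for n in notices:
        errors = edit_notice(n)
        if errors:
            rejected[n.notice_no] = errors
        else:
            accepted.append(n.notice_no)
    return {"accepted": accepted, "rejected": rejected, "batch_exceptions": batch_exceptions}


# Constructed sample: shipping listed five notices on the transmittal sheet,
# but notice 1003 never reached data processing.
SAMPLE_TRANSMITTAL = BatchTotals(document_count=5, total_qty_shipped=39, product_no_hash=25010)
SAMPLE_BATCH = [
    ShippingNotice(1001, "C100", 5001, 10),
    ShippingNotice(1002, "C200", 5002, 6),   # shipped more than the 4 ordered
    ShippingNotice(1004, "C999", 5001, 3),   # customer number not on file
    ShippingNotice(1005, "C300", 5003, 0),   # zero quantity
]

if __name__ == "__main__":
    report = run_edit(SAMPLE_BATCH, SAMPLE_TRANSMITTAL)
    for key, value in report.items():
        print(key, value)
```

The missing notice is caught twice, once by the sequence check and once by the three batch totals, which is why the solution asks for both controls rather than either alone.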

12-10. a.
Credit manager:
1. Approval of customer credit is based only on familiarity with the customer’s (contractor’s) reputation.
2. The charge form is not endorsed by the credit manager.
3. An initial overdue notice is not enough to consider six-months past due accounts as uncollectible.

Accounts Receivable supervisor:
1. Verification of pricing should not be the responsibility of the A/R supervisor.
2. Reconciliation of A/R subsidiary ledger should be performed at regular intervals.

Cashier:
1. Two persons should open mail and list the checks received. Cashier should not be involved, if possible.
2. Cashier should not be responsible for reconciling monthly bank statements.

Bookkeeper:
1. Bookkeeper should not be responsible for sending monthly statements to contractors.
2. Bookkeeper should not have the authority to approve and convey write-offs to the A/R supervisor.
3. Bookkeeper should not make decisions on additional credit extension to those customers whose accounts are six months overdue.

b. The weaknesses described above fall into two broad categories: management of customer credit and segregation of duties.

Management of customer credit: Approval of customer credit should be based upon sound and comprehensive criteria, customer history with Rural, and other external sources of such data. The credit manager must acknowledge decisions by signing, or otherwise indicating, his or her decisions. Collections of accounts receivable should be subject to well-documented and systematic procedures. For example, an overdue notice to the customer cannot be considered as an adequate effort to collect the amount due. The final write-off decisions, or decisions to extend credit, should be made by high level managers (perhaps a credit committee) in consultation with the credit manager, not the bookkeeper.

Segregation of duties: The verification of pricing should be system controlled. Changes to the pricing data stored in the system should be the responsibility of those responsible for pricing. Two designated persons, other than cashiers, should open mail. An accounting staff that is not involved in handling cash should reconcile monthly bank statements. Monthly statements to customers should be sent by the accounts receivable supervisor, not cashier.

12-11. a.

The Sunshine Housewares Company
Kitchenware Division
Salesperson’s Call Report
For _____________

Salesperson’s Name: _________________________________ ID Number: _______________
Branch: ______________ Branch No.: __________

Columns: Time In, Time Out, Type of outlet, Outlet name and address, Result of the call


b) 1. Note: This report is not a part of the requirement. However, it is included to illustrate the complete hierarchy of reports.

The Sunshine Housewares Company
Kitchenware Division
Salesperson Branch Performance Report
For the week of

Salesperson’s Name:                ID Number:
Branch:                            Branch No.:

I. Sales and Gross Margins:
Columns: Quantity (Target, Actual, Variance); $ (Target, Actual, Variance); Gross Margin (Target, Actual, Variance)
Rows: Utensils; Ceramic cookware; Cutlery; Total

II. Direct Expenses:
Columns: Budget, Actual, Variance
Rows: Salespersons’ salary and benefits; Mileage; Telephone calls; Meals and Lodging; Total

Segment Margin


b) 2.

The Sunshine Housewares Company
Kitchenware Division
Branch Performance Report
For the week of

Branch:                            Branch No.:

I. Sales and Gross Margins:
Columns: Sales (Target, Actual, Variance); Gross Margin (Target, Actual, Variance)
Rows: Salesperson #1; Salesperson #2; Salesperson #3; Salesperson #4; Salesperson #5; Salesperson #6; Salesperson #7; Salesperson #8; Salesperson #10; Total

II. Expenses and Margins:
Columns: Expenses (Budget, Actual, Variance); Net Margins (Budget, Actual, Variance)
Rows: Salesperson #1; Salesperson #2; Salesperson #3; Salesperson #4; Salesperson #5; Salesperson #6; Salesperson #7; Salesperson #8; Salesperson #10; Total

Branch office salaries:
Branch supplies:
Branch miscellaneous supplies:
Branch Segment Margins


c)

The Sunshine Manufacturing Company
Kitchenware Division
Division Performance Report
For the month of

I. Sales and Gross Margins:
Columns: Sales (Target, Actual, Variance); Gross Margin (Target, Actual, Variance)
Rows: Branch 1; Branch 2; Branch 3; Branch 4; Branch 5; Branch 6; Branch 7; Branch 8; Total

II. Direct Expenses:
Columns: Budget, Actual, Variance
Rows: Branch 1; Branch 2; Branch 3; Branch 4; Branch 5; Branch 6; Branch 7; Branch 8; Division office salaries; Division supplies; Division miscellaneous expenses; Total

Division Segment Margin


d)

The Sunshine Housewares Company
Marketing Division
Performance Report for the month of

I. Sales and Gross Margins:
Columns: Sales (Target, Actual, Variance); Gross Margin (Target, Actual, Variance)
Rows: Kitchenware; Patio; General Housewares; Total

II. Direct Expenses:
Columns: Budget, Actual, Variance
Rows: Kitchenware; Patio; General Housewares; Total

III. Division Segment Margins:
Rows: Kitchenware; Patio; General Housewares; Total

IV. Other Expenses:
Rows: Advertising; Marketing planning; Office salaries; Supplies; Miscellaneous expenses; Total

Net Margin


e.
• 1 character for vice-president level (Assume 2=Marketing)
• 1 character for division level (Kitchenware, patio, general houseware, advertising, and marketing planning)
• 2 characters for branch level within division
• 2 characters for salesperson level

For example, 21-0810 may represent, within the marketing function, Kitchenware Division, Branch 8, Salesperson 10. Direct expenses can be represented using a group code. For example, if mileage expenses are coded as 383, the mileage expenses of Salesperson 10 in Branch 8 of Kitchenware could be shown as 1-0810-383.

12-12. (Adapted from Certified Management Examination, December 1991, Part 4, Question Number 8)

a. The data that Sullivan Sport should capture and store in the computer-based accounts receivable file records for each customer include the following:
1. Customer identification data such as account number (primary key), name, and address.
2. Credit data such as credit limit, credit available, current credit status (current, days past due, delinquent, etc.), and outstanding balance.
3. Related transaction data such as transaction date, dollar amount of each transaction, date of last sale, salesperson assigned to the account, and delinquency (collection) notices.

b. 1. In general, the proposed reports do not appear to be adequate to satisfy all of management’s objectives.
A. The Accounts Receivable Register will provide timely information on customer account balances. However, the report does not contain any credit information or aging of outstanding balances and will not satisfy the management objective of providing information to aid in controlling bad debts or recognizing delinquent accounts.
B. The Customer Statements will provide timely notices to customers regarding amounts owed. However, the statements do not contain any aging information or notification of any change in credit status.
C. The information in the Activity Reports should help control bad debts by notifying the Sales Department about customers who have exceeded their credit limit or are continuing to place orders when they are considered delinquent.
D. The Delinquency and Write-off Register will satisfy the management objective of notifying the Sales Department of customer accounts that are delinquent and/or closed.


2. The proposed reporting structure at Sullivan Sport should be changed in the following ways:
A. The Accounts Receivable Register should be expanded to include more information about each customer, i.e., account status, credit limit, aging of the account balance, etc.
B. The Customer Statements should also include additional data about the account, i.e., an aging schedule to show the customer the status of the current balance, notification of when payment is due, credit limit available, etc.
C. An Activity Report needs to be run on a more timely basis, as a monthly report does not provide sufficient notification of delinquent customers or customers who have exceeded their credit limit. The information on customers who have not purchased any merchandise for 90 days is not appropriate for this report and should be included in a sales report, possibly coded to individual salespeople or territories.
D. The Delinquency and Write-off Register should be run on a more timely basis to allow management and the Sales Department to react to situations where new orders should not be accepted.
E. Reports allowing the reconciliation of the subsidiary ledgers with the general ledger should be generated.

12-13. (Adapted from the Certificate in Management Accounting Examination, June 1979, Part V, Question No. 6)

a. The control weaknesses and defects in the new system, as well as recommended improvements, are as follows:

1. Weakness: Clerks in the cashier’s office credit payments, via an on-line terminal, to the customers’ accounts. Since these persons receive custody of the customers’ cash payments, they could commit lapping, a form of fraud. Lapping would consist of delaying the posting of amounts to the accounts and fraudulently keeping the cash amount for themselves. Later payments pertaining to other accounts would then be credited to the accounts from which amounts were earlier taken. This process would continue until the person replaces the cash or the firm discovers the fraud.
Improvement: Control over the physical cash receipts should be segregated from access to the accounts receivable records. Thus, the cashier’s office should be limited to the comparison of the remittance advices (or a listing of cash received) to the actual cash receipts, forwarding the listing to the accounts receivable department, and delivering the cash to the bank together with deposit slips. Control over the billing process should also be separated from the application of cash receipts. Late payments and past due accounts should also be investigated by someone other than the person who maintains the accounts.

2. Weakness: System development and operating personnel have unlimited access to the programs and files.
Improvement: Operating personnel should not be given access to programs for purposes of modification. Likewise, system and programming personnel should not have access to online files containing operating data or programs. Access codes or passwords should be established. A program change procedure should be established that prevents online modification of programs.

3. Weakness: Hard copies of remittances (R/As) are retained by the cashier.
Improvement: Remittance advices should be retained by general accounting.

4. Weakness: There does not appear to be any reconciliation between the accounts receivable control account and the subsidiary file.
Improvement: The accounts receivable control account and the subsidiary file should be reconciled monthly, at the same time the accounts are aged.

5. Weakness: Control tapes or listings of cash receipts or invoices are not being made. Consequently, there is no reconciliation between detail postings to the accounts receivable files and the total of transaction amounts.
Improvement: Control totals of cash receipts and invoice amounts should be computed. Reconciliations between these totals and the totals from accounts receivable detail postings should be performed by general accounting personnel.

6. Weakness: The validated deposit slip that is returned from the bank is never compared with the retained copy of the deposit slip or the amount posted to the accounts receivable control account.
Improvement: The validated deposit slip should be compared to the copy of the deposit slip retained in the cashier’s office and to the amount posted to the accounts receivable control account; this comparison should be done by someone outside the cashier’s office.

b. Please refer to the flowchart on the following pages.

[Figure: systems flowchart of the revised cash receipts procedure. Columns: Mail clerk, Cashier, General accounting, Data processing. Mail clerk: receive mail from post office; open and sort; restrictively endorse checks; prepare a remittance advice (R/A) where none is included; prepare remittance listing. Cashier: enter check data; edit check data; generate deposit slips; compare totals on deposit slip to the total on the remittance listing; send checks to bank for deposit. Data processing: enter and edit R/A data and compare to cash receipts list; post cash receipts to customers' records; print summary reports. General accounting: review that the total of postings agrees with the validated deposit slip (from bank) and with the retained deposit slip; reconcile A/R control with A/R file; analyze aged A/R trial balance and past due accounts and take actions; bank reconciliation prepared by a manager not involved in cash transactions, using the monthly bank statement and the cash receipt and cash disbursement summaries for the month. Files: Cash receipts file, Deposit file, Accounts receivable master file, General ledger master file.]
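The independent comparisons recommended in 12-13 (improvements 1, 5 and 6) are the controls that expose lapping. The sketch below is an added Python example, not part of the original solution: it matches the mail clerk's remittance listing against the A/R postings and compares daily control totals with the validated deposit slips. The record layouts, the one-day posting window and all sample data are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Remittance:       # one line of the mail clerk's remittance listing
    received: date
    customer_no: str
    check_no: str
    amount_cents: int


@dataclass(frozen=True)
class Posting:          # one credit applied to the accounts receivable file
    posted: date
    customer_no: str
    check_no: str
    amount_cents: int


MAX_POSTING_DELAY_DAYS = 1  # assumed policy: post no later than the next day


def match_postings(listing, postings):
    """Trace every listed remittance to its posting; return (check_no, finding) pairs.

    Assumes check numbers are unique within the period being reviewed.
    """
    by_check = {p.check_no: p for p in postings}
    listed = {r.check_no for r in listing}
    findings = []
    for r in listing:
        p = by_check.get(r.check_no)
        if p is None:
            findings.append((r.check_no, "unposted"))
            continue
        if p.customer_no != r.customer_no:
            findings.append(
                (r.check_no, f"credited to {p.customer_no}, remitted by {r.customer_no}")
            )
        if p.amount_cents != r.amount_cents:
            findings.append(
                (r.check_no, f"amount posted {p.amount_cents} differs from {r.amount_cents}")
            )
        delay = (p.posted - r.received).days
        if delay > MAX_POSTING_DELAY_DAYS:
            findings.append((r.check_no, f"posted {delay} days after receipt"))
    for p in postings:
        if p.check_no not in listed:
            findings.append((p.check_no, "posting without a listed remittance"))
    return findings


def daily_control_exceptions(listing, postings, deposits):
    """Days on which listed receipts, A/R postings and validated deposits disagree.

    deposits maps a date to the amount on the bank-validated deposit slip.
    Returns (day, received, posted, deposited) tuples, amounts in cents.
    """
    received, posted = defaultdict(int), defaultdict(int)
    for r in listing:
        received[r.received] += r.amount_cents
    for p in postings:
        posted[p.posted] += p.amount_cents
    days = sorted(set(received) | set(posted) | set(deposits))
    return [
        (d, received[d], posted[d], deposits.get(d, 0))
        for d in days
        if not (received[d] == posted[d] == deposits.get(d, 0))
    ]


# Constructed sample: check 9001 from C101 is withheld on 4 March; the next
# day C103's check 9003 is credited to C101 to cover the shortage.
LISTING = [
    Remittance(date(2024, 3, 4), "C101", "9001", 50000),
    Remittance(date(2024, 3, 4), "C102", "9002", 30000),
    Remittance(date(2024, 3, 5), "C103", "9003", 50000),
    Remittance(date(2024, 3, 6), "C104", "9004", 20000),
]
POSTINGS = [
    Posting(date(2024, 3, 4), "C102", "9002", 30000),
    Posting(date(2024, 3, 5), "C101", "9003", 50000),
    Posting(date(2024, 3, 6), "C104", "9004", 20000),
]
DEPOSITS = {date(2024, 3, 4): 30000, date(2024, 3, 5): 50000, date(2024, 3, 6): 20000}

if __name__ == "__main__":
    for finding in match_postings(LISTING, POSTINGS):
        print(finding)
    for row in daily_control_exceptions(LISTING, POSTINGS, DEPOSITS):
        print(row)
```

Both comparisons depend on the remittance listing being prepared by someone without access to the A/R records, which is the segregation the improvements call for.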



CHAPTER 13

The Expenditure Cycle

OBJECTIVES: DISCUSSION QUESTIONS; PROBLEMS

5. SYNTHESIS: (none)
4. EVALUATION: Discussion questions 1, 4; Problems 1, 10, 13, 14
3. APPLICATION: Discussion questions [7], [11]; Problems 2, 3, 4, 5, 6, [7], 8, 9, 11, 15
2. COMPREHENSION: Discussion questions 2, 5, [6]; Problems 12
1. CONCEPTUALIZATION: Discussion questions 3, 8, 9, 10

[ ] Infoage


CHAPTER 13 THE EXPENDITURE CYCLE

DISCUSSION QUESTIONS

DQ 13-1.
Forms of input: Many documents are involved in the expenditure cycle. Examples include the supplier’s invoice, debit memorandum, and disbursement check. Most such hard-copy documents are also likely to be used in firms employing computer-based processing. In an online input mode, transactions may be collected on-line (e.g., shipments to customers) in electronic form and hard-copy documents may be produced only as needed.

Sources of input: Data used in the expenditure cycle are mainly based on inputs from those who manage inventories or authorize acquisition of inventory (or services), and from suppliers. A change from manual to computer-based processing does not affect the sources of input in most cases.

Files: Files in a computer-based expenditure cycle would be comparable to those found in manually maintained expenditure cycles. However, there are benefits of having computer-based files. More data in each record can be stored, where appropriate and necessary. The retrieval and processing of records is much faster and more consistent, and it is possible to compile or access related information in a timely and cost-effective manner.

Processing steps: Although the basic processing of data remains the same, the logic embedded in computer programs (applications) executes the steps. To ensure that all data that should be processed are in fact processed and errors are identified and corrected, certain additional steps are included in the processing programs. For example, batch control totals are used in processing credit purchases. Also, accuracy in on-line data collection is facilitated by means of validation checks. The system also can be designed to “echo” back data to ensure that correct records are being accessed and processed.

Internal controls: A greater need for internal controls arises due to concentration of data, higher risk of data loss, and loss or fragmentation of an audit trail. Therefore, application controls such as batch control totals, self-checking digits, validity checks, and sequence checks are employed to ensure proper processing of all authorized transactions. Also, back up and recovery procedures, disaster contingency recovery planning, and other general controls are employed to ensure system continuity and integrity.

Outputs: In manual expenditure cycles, query processing is cumbersome and time consuming. Computer-based on-line input systems permit access to collected data much more efficiently. Queries can be processed quickly to generate desired information. Periodic reports can be made more comprehensive; additional reports can be generated using computer-based data.

DQ 13-2. The inventory management function in a retail firm encompasses the purchasing of merchandise from suppliers, the receipt and storage of such merchandise, and the distribution of the merchandise to customers. Sources of information for inventory managers, other than from expenditure cycle processing, may include suppliers and potential suppliers, shippers, and public warehouses. Industry associations and their publications should also prove useful sources of information. These sources can be utilized to access useful information, stored within the firm's computer system, or available on-line directly from the source, for example, on the industry association's Web page.

DQ 13-3. If the terms of payment include the possibility of a cash discount for prompt payment (e.g., within ten days), the cash disbursement processing system will compare the date of the payment against the date of the invoice to determine if the cash discount should be deducted from the gross amount of the payment.

DQ 13-4. Application controls employed within an expenditure cycle that are unique to online processing systems include:
a. Preformatted CRT screens to aid the entry of transactions.
b. Automatic numbering and logging of all transactions.
c. Use of concise codes for entered data.
d. Echo of data (e.g., supplier name) upon the entry of codes (e.g., supplier number).
e. Redundancy matching checks built into data entry programs.
f. Completeness test built into edit programs.

Application controls employed within an expenditure cycle that are unique to batch processing systems include:
a. Batch control totals for each batch of transactions (e.g., disbursements).
b. Key verification of transaction data converted to disk or tape.
c. Sequence checks built into processing programs.

DQ 13-5. A check payable is an asset being disbursed to a supplier. The check voucher traces the transaction that results in the disbursement, that is, the authorization and preparation of the check to be made and mailed to fulfill an obligation. Generally, the document that traces the transaction (check voucher in this case) is appropriate evidence of the transaction and not the asset (check payable) leaving or entering the firm. Consequently, the check voucher should be used to record the transaction.

DQ 13-6. Note: Batched data entry may be combined with either sequential updating or direct updating. The answer below assumes sequential updating.
If Infoage employs batch input (rather than online input) for purchases and payables, the main differences in processing steps are as follows:

Data Entry: A source document would be necessary in most cases. Transaction data may be required to be transcribed onto a machine-readable medium such as magnetic tape or disk.

Sorting: Transaction data would require sorting according to the primary key (e.g., supplier number) by which the master file to be updated (e.g., accounts payable) is arranged.

Updating: Updating of master files occurs through the matching process. If the primary key value on the transaction record is equal to the primary key value on the master file record, then the master record is updated using the transaction data. Note, however, that batch input does not necessarily require

Batch totals and exception reports: Batch totals for key input data elements are prepared for each batch of transactions. The system compares these totals with its own internally generated comparable figures, and provides a summary and exception report at the end of each run. Transactions that are in error are corrected and resubmitted for processing.

Programmed checks: Due to the nature of batch processing, certain programmed checks are more likely to be used in batch mode of processing. For example, the internal label check (to ascertain that the file being accessed is the proper file) and the sequence check (to ensure that transaction records are in the same sequence as the master file records) are appropriate in batch processing.

Reports and other outputs: The information requirements to be met by the system using batch input are likely to be identical to the requirements in online input. Although the scheduled operational reports and managerial reports may have the same content, information in batch processing is likely to be less up-to-date. Also, the flexibility in generating demand managerial reports or in making queries could be limited in batch processing.

DQ 13-7. The expenditure cycle has two major subsystems: Purchasing/Payables Processing System and Cash Disbursement Processing System. If we assume that the individual retail sales outlets are not making any direct purchases from outside, the two subsystems will take the following form:

Purchasing/payables processing system. Each outlet would send a purchase requisition to the warehouse, which will treat the requisition as if it were an internal purchase order. Shipments from the warehouse to each outlet will be accompanied by the shipping notice/invoice.
If the inventory management system of each outlet is integrated with the purchasing/payables system of the warehouse, it would be possible for the warehouse inventory clerk to monitor inventory levels at each store and order replenishments with or without consulting the outlet manager.

Cash disbursement processing system. The shipping notice/invoice will show the internal transfer prices charged for each of the inventory items shipped to the store by the warehouse. Each price will include the purchase cost of the merchandise and, if the warehouse is treated as a responsibility center, a charge for its administrative costs. Actual disbursement by the outlet to the warehouse is not necessary; transfer entries only are made in the books.

Additional controls necessary for this system include:
a. Approval of merchandise by the outlet manager. Generally, the warehouse should purchase only the merchandise that the stores would be able to eventually acquire from the warehouse. This is especially important in the computer industry, where product development cycles are short.
b. Receipt of merchandise by each outlet must be acknowledged by a signed copy of the shipping notice/invoice sent by the warehouse with the shipment.
c. Any returns from each store to the warehouse must be documented and acknowledged as received by the warehouse inventory clerk.

DQ 13-8. The electronic data interchange (EDI) system provides a virtual communication link between the firm and its major suppliers. The EDI system permits the firm to communicate and transact with its suppliers almost immediately. Purchasing data (from the firm) and billing data (from the supplier) are transmitted electronically. The EDI system offers several major benefits:
a. Managing the inventory on a just-in-time basis, thus reducing the inventory levels far below traditionally maintained levels. This reduces the working capital requirements and improves asset turnover.
b. Reduction in wait time (non-value-added time) involved in the purchasing procedure.
c. More timely, accurate, and useful information available concerning accounts payable of the firm (accounts receivable of the supplier).
d. Reduction in operating costs, since the system is more efficient and involves fewer steps.
e. Fewer hardcopy documents needed to be produced and processed.
f. Prompt vouching and approval of invoices for payment.

One example of how cash disbursements are handled using an EDI system: At the time when the vendor's invoice arrives, the system already has complete information on the related purchase, from such sources as the purchase requisition, purchase order and receiving report. These can be stored in the form of documents using a document imaging system. When the invoice is received, appropriate data will be entered in the system, for example, invoice amount, invoice date, and discount percent. The data would be matched against the related purchase order, shipping notice, and receiving report. The accounts payable clerk will verify the purchase and the related obligation, and "place" the invoice in an approved invoice file. When the payment date arrives, the approved invoices will be listed and checks written, signed, and mailed. Alternatively, funds may be transferred into the supplier's bank account through the Electronic Fund Transfer System (EFTS).

DQ 13-9. The effectiveness of the petty cash can be ensured by using the imprest system. It begins with the establishment of a petty-cash fund at some level. The fund's balance remains fixed in the general ledger account at the established level. However, the amount of petty cash currency itself decreases (is used) over time. The petty cash custodian prepares a petty cash voucher for each disbursement from the fund, which the payee signs before receiving currency. At all times the total amount of the paid vouchers plus the cash remaining in the box should equal the established amount of the fund. When the remaining currency reaches a low point, the accounts payable department is requested to prepare a disbursement voucher. The petty-cash vouchers are attached together with a prepared check. The authorized check signer reviews the vouchers and signs the check. Then the custodian cashes the check and replenishes the fund. The replenishment check is listed in the check register.

In addition to relying on the imprest system, it is also necessary to follow appropriate control procedures, such as a surprise cash count.

DQ 13-10. Prenumbered disbursement vouchers are printed from the data stored in the vouchers file. One copy of the voucher is filed with the supporting documents in an unpaid vouchers file arranged by due dates. Since prenumbered vouchers are printed without regard to due dates, the arrangement by due dates and, later, payment by due dates cause gaps in the numerical sequence of paid vouchers. However, this gap shows primarily the timing difference, and over time, as disbursements become due, all numbers show up, albeit out of sequence, on the paid disbursement vouchers list.

DQ 13-11. Infoage should consider the following factors in determining whether to implement a procurement card system:
• What is the volume of small purchases? Are they geographically distributed? For example, do the outlet stores make frequent purchases of small amounts?
• Do the small purchases collectively add up to a high percentage of total purchases?
• Would it be feasible to clearly define criteria and spending limits for such purchases?
• Do the benefits of a procurement card system exceed the additional costs of the system?

PROBLEMS

13-1. Control procedures that could have prevented the fraudulent activity include:
• A policy concerning answering surveys over the phone. Some companies have a policy of no participation, which prohibits leakage of any information, whether it is critical or not.
• A purchasing policy that clearly defines certain criteria. These include:
  • how a vendor gets on the approved vendor list;
  • that there will be no purchases made from any vendor who is not approved;
  • purchase orders placed over the phone must be confirmed by fax or by any other electronic medium, and must include all significant details, such as specifications and prices;
  • that no phone orders will be placed with first-time vendors.

13-2. a. Inventory and financial decisions that can be improved:
1. Locating inventory more efficiently
2. Reducing cycle time for putting together a truckload
3. Inventory planning and control model, such as economic ordering quantity or JIT
4. Dynamic forecasting of sales, which should be a critical input to purchase decisions
5. Decision to create a list of approved suppliers
6. Decision to evaluate lost discounts
7. Decision to enter into long-term alliances with certain suppliers
8. Minimizing stockouts for the firm as a whole

b. Managerial actions and system changes needed to aid in making these decisions:
1. Add an elaborate location code for all items stored. Any new items must have a location code.
2. Provide lead time for putting together a shipment. If possible, based on ordering characteristics, arrange location codes so that shipments can be collected without much movement through the warehouse. The system should provide data to support early start on shipments.
3. Improving decision making in purchasing: when to order and how much to order. Anticipating changing demands and tracking non-moving or slow-moving items. Establishing a return policy for certain items with possible quick obsolescence. The system should provide data to build and verify such models and also provide data to use the models for achieving effective operations.
4. Super Electronics operates in a dynamic environment where change is constantly occurring. Therefore, Super's system should include a forecasting model to generate prospective demand patterns for its merchandise. The output of this application helps managers to make purchasing decisions.
5. For a company of this size and complexity, it is essential that policies and procedures are established to develop and maintain an approved vendor list. The system should be built to screen new vendors and track performance of currently approved vendors based on the established criteria.
6. The system should be modified to record purchases at net of discount, so that all lost discounts will be immediately exposed. Also, the system should flag all upcoming disbursements which would result in a lost discount unless paid on time.
7. If Super is buying from certain suppliers on an ongoing basis, it is important to establish a long-term alliance, which would be mutually beneficial. Data on the significance of exchanges with current suppliers, the nature of the relationship, the volume of purchases, and future potential should all be provided by the system in order to support this decision.
8. The system should allow shippers to turn to other warehouses to make up for a stockout in the target warehouse. Thus, the system should, for certain purposes, treat all warehouses as a virtual network for shipping goods. Based on costs and benefits, the system should use clearly established criteria to encourage or discourage access to other warehouses for meeting stockouts.

A Web-based purchasing system can ideally support Items 7 and 8. Even applications from vendors to seek approved status (Item 5) can be captured over the Web and continued communication with the applicants can take place via the Web. A Web-based system can help expedite timely payments electronically and thus minimize or eliminate discounts lost (Item 6).

c. Benefits the company can expect if it implements a Web-based purchasing system:
• Lower costs of operations, greater efficiency
• Lower inventory levels
• Reduction in non-value-added time. For example, orders can be acknowledged right away and shipping notes and sales invoices can be sent electronically in real time.
• Reduction in cycle time. Because of the reduction in non-value-added time and other efficiencies gained in Web-based systems, the cycle time is reduced substantially.
• Reduction in paperwork. The handling of physical paper, its filing, and disposal are all significantly reduced or completely eliminated. For example, Thistle may decide to mail electronic copies of invoices, thus reducing paperwork, saving postage cost, and dramatically improving the speed of communication.
• Improved efficiency. Due to all of the above benefits, the system efficiency can be expected to improve substantially.
• Improved relationship with supplier. A properly designed and implemented system is likely to improve relationships with vendors.

d. Control procedures that are necessary if the company implements a Web-based purchasing system:
• Access authorization, authentication. It is critical that users of the system, both inside and outside the firm, are properly identified and authenticated. It is important to ensure that only authorized individuals make changes to the Web content.
• Accountability. Changes made to the Web site and its contents must be documented. To establish responsibility for any modifications made, a Web server log should be maintained.
• Data transmission. In order to maintain the confidentiality and integrity of data transmitted via the Web, encryption should be employed.
• Disaster contingency and recovery plan. Proper backup procedures, including fault tolerance, should be in place to minimize unexpected interruptions. A recovery plan should also be devised to ensure reconstruction of lost data.
• Confidentiality of information. Ensure that what customers send is well guarded and used only for the authorized purposes. In addition to controls within the organization, Super Electronics should also consider data transmission controls and data encryption.
• System integrity. The system should have a high level of integrity, and should be available almost all the time.

13-3. a. Data elements needed to record and process purchases on credit, purchase returns, and cash disbursements transactions include:
• Quantity of each supply item ordered or returned
• Expected unit price of each supply item ordered or returned
• Description of supply item (or service) ordered
• Date of purchase order, purchase return, or disbursement
• Date when ordered supply items (or services) needed
• Shipping arrangements
• Expected terms of payment
• Purchase requisition, purchase order, or credit memo number
• Names of buyer and clerks involved in transactions
• Quantity of each supply item received and stored
• Date when supplier's invoice received and approved for payment
• Supplier account number
• Supplier name and address
• Actual unit price for each supply item or service billed
• Current account balance of each supplier's account payable
• Date payment due and discount period (for each supplier invoice)
• Disbursement and voucher check numbers
• Amount of each invoice and voucher
• Date of payment by check

b. Files needed to store the above data elements, plus primary (P) and secondary (S) keys, are as follows:
• Accounts payable master file: supplier number (P), current account balance (S)
• Supplier master file: supplier number (P), supplier name (S), supplier city (S), supplier zip code (S), year-to-date purchases (S)
• Open purchase order header file: purchase order number (P), supplier number (S), order date (S), expected delivery date (S)
• Open purchase order line-item file: line-item number plus purchase order number, a concatenated code (P), inventory item number (S), quantity ordered (S)
• Receiving report file: receiving report number (P), receiving date (S), inventory item numbers of items received (S), quantities counted (S)
• Purchase return (credit memo) file: credit memo number (P), date items returned (S), inventory item numbers of items returned (S), quantities returned (S)
• Open vouchers file: voucher number (P), supplier's invoice numbers (S), purchase order numbers (S), voucher date (S), payment due date (S)
• Check register file: check number (P), supplier's number (S), purchase order numbers (S), date of payment (S), amount of payment (S)

c. Suggested group codes are as follows:
(1) Supplier number: ABBCCCD, where A represents the type of supplier (e.g., supplies or service provided), BB represents the year that the supplier was approved for use, CCC represents the unique code for a supplier, D represents a check digit.
(2) Purchases transactions: AAAABBBBBBCCCCCCCDDEEFFGGGGGG, where AAAA represents the purchase order number, BBBBBB represents the order date, CCCCCCC represents the supplier number, DD represents the buyer, EE represents the department, FF represents the type of purchase (e.g., supplies, service), GGGGGG represents the expected date of delivery.
(3) Cash disbursements transactions: AAAABBBBCCCCCCCDDDDDD, where AAAA represents the check number, BBBB represents the voucher number, CCCCCCC represents the supplier number, DDDDDD represents the payment date.
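The group codes in 13-3(c) can be sliced and edited mechanically. The following is an added example, not part of the solution manual: it splits each code into its fields and applies a field check, a self-checking digit, a date validity check, and a date relationship check. The Luhn (modulus 10) check-digit algorithm, the all-numeric mode, the MMDDYY date order, and the sample codes are assumptions, since the text specifies none of them.

```python
import re
from datetime import datetime

# Field layouts from 13-3(c): (name, width) in position order.
SUPPLIER = [("type", 1), ("year_approved", 2), ("supplier_code", 3), ("check_digit", 1)]
PURCHASE = [("po_number", 4), ("order_date", 6), ("supplier_number", 7), ("buyer", 2),
            ("department", 2), ("purchase_type", 2), ("expected_delivery", 6)]
DISBURSEMENT = [("check_number", 4), ("voucher_number", 4), ("supplier_number", 7),
                ("payment_date", 6)]


def luhn_check_digit(payload: str) -> str:
    """Assumed algorithm (Luhn, modulus 10); the text does not name one."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:            # double every second digit, starting at the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def split_code(code: str, layout) -> dict:
    """Field check (exact length, digits only), then slice into named fields."""
    width = sum(w for _, w in layout)
    if not re.fullmatch(r"[0-9]{%d}" % width, code):
        raise ValueError(f"field check: expected {width} digits, got {code!r}")
    fields, pos = {}, 0
    for name, w in layout:
        fields[name] = code[pos:pos + w]
        pos += w
    return fields


def parse_date(value: str, field: str):
    """Validity check on a six-digit date; MMDDYY order is an assumption."""
    try:
        return datetime.strptime(value, "%m%d%y").date()
    except ValueError:
        raise ValueError(f"validity check: {field} {value!r} is not a date") from None


def validate_supplier_number(number: str) -> dict:
    fields = split_code(number, SUPPLIER)
    if luhn_check_digit(number[:-1]) != fields["check_digit"]:
        raise ValueError(f"self-checking digit: {number!r} rejected")
    return fields


def validate_purchase(code: str) -> dict:
    fields = split_code(code, PURCHASE)
    validate_supplier_number(fields["supplier_number"])
    fields["order_date"] = parse_date(fields["order_date"], "order date")
    fields["expected_delivery"] = parse_date(fields["expected_delivery"], "expected delivery")
    if fields["expected_delivery"] < fields["order_date"]:
        raise ValueError("relationship check: delivery expected before order date")
    return fields


def validate_disbursement(code: str) -> dict:
    fields = split_code(code, DISBURSEMENT)
    validate_supplier_number(fields["supplier_number"])
    fields["payment_date"] = parse_date(fields["payment_date"], "payment date")
    return fields


def edit_result(validator, code: str) -> str:
    """Return 'ok' or the edit-check message, as an exception report line would."""
    try:
        validator(code)
        return "ok"
    except ValueError as exc:
        return str(exc)


# Constructed sample codes (not from the text).
GOOD_SUPPLIER = "198042" + luhn_check_digit("198042")
GOOD_PURCHASE = "0417" + "031599" + GOOD_SUPPLIER + "07" + "12" + "01" + "040199"
GOOD_DISBURSEMENT = "2231" + "0905" + GOOD_SUPPLIER + "042599"

if __name__ == "__main__":
    for validator, code in [
        (validate_purchase, GOOD_PURCHASE),
        (validate_purchase, GOOD_PURCHASE.replace("1980424", "1890424")),  # transposed digits
        (validate_purchase, GOOD_PURCHASE[:-6] + "030199"),                # delivery before order
        (validate_disbursement, GOOD_DISBURSEMENT[:-6] + "023099"),        # 30 February
        (validate_disbursement, GOOD_DISBURSEMENT[:-1]),                   # one digit short
    ]:
        print(code, "->", edit_result(validator, code))
```

Because the supplier number is embedded in both transaction codes, a mistyped supplier number is caught by the check digit before the transaction ever reaches the accounts payable master file.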

d. Reports that would be useful in analyzing transactions and supplier account activities include:
(1) Open purchase orders report, which shows those purchases that are still outstanding and unpaid.
(2) Open vouchers report, which lists all approved vouchers that have not yet been paid.
(3) Cash payments report, which shows all disbursements made during a day or week.
(4) Overdue deliveries report, which shows those purchase orders whose requested delivery dates have passed without incoming shipments.
(5) Purchase receipts and returns report, which shows all receipts of ordered supplies and returns of undesired ordered supplies.
(6) Supplier performance reports, which evaluate suppliers according to prices charged, lead times, quality of supplies, and so on.
(7) Purchase analyses, which show levels of purchasing activity for each supply item, service, supplier, buyer, and city department.

13-4. a. A preformatted screen format to be used by the receiving clerk appears on the following page.

[Figure: preformatted receiving screen. Fields as labeled: * Date; Transaction Code; Receiving Report No.; * Receiver; Purchase Order No.; Supplier No. *; Supplier Name; Item No.; Description*; Quantity; Condition. Conditions: Good, Damaged, Unacc. Prompt: Additional Items? Enter Y or N.]


b. Programmed edit checks that should be incorporated into the data entry program are as follows:
(1) Validity checks of the transaction code, purchase order number, supplier number, and inventory item numbers, in order to ascertain that the numbers are valid.
(2) Self-checking digit on each inventory item number, which is verified automatically by the system upon being keyed in by the receiving clerk.
(3) Field checks of characters in the purchase order number, inventory item numbers, and transaction code to determine if all entered characters are of the proper mode.
(4) Limit checks that compare the quantities of items received with pre-established upper limits that are viewed as being reasonable for the respective items.
(5) Relationship checks that compare the quantities of items received with quantities shown as being ordered on the purchase order.
(6) Sign check of the quantity-on-hand field in the inventory master file, in order to detect the presence of a negative balance. (This type of check is more appropriate during transactions involving the issue or sale of items; however, it may be applied during receiving transactions as a means of spotting possible errors in previous processing.)
(7) Completeness check that scans the keyed-in data items in order to verify that no needed data have been omitted.
(8) Echo checks that cause the descriptions of items to be displayed on the entry of item numbers (and may also cause the name of the supplier to be displayed on the entry of the supplier number).

Security measures needed in this online system include:
(1) Access codes or passwords assigned to receiving clerks who use the department's terminal.
(2) Restrictions on the use of the terminal, e.g., locking the terminal after business hours, placing the terminal in a location not accessible to other employees or outside parties.
(3) Logging by the computer system of all accesses, with the log being printed each day (and reviewed by internal auditors) in order to detect unauthorized accesses.
(4) Logging of all transactions by the computer system, with each transaction being automatically assigned a number, in order to provide backup and a complete audit trail.
(5) Periodic dumping of the open purchases and inventory master files onto magnetic tape, in order to provide backup of active records.
(6) Storage of copies of transaction listings and account activity listings in a location that is remote from the central computer area, in order to provide added protection against loss of data.
(7) Adequate security of physical facilities, e.g., protection of the computer system from fire, flood, power loss, and so on.
(8) Adequate backup of terminals and other computer equipment.
(9) Adequate protection against disaster, including insurance and a master disaster recovery plan.
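The programmed edit checks listed in 13-4(b) can be seen working together on one receiving entry. The following is an added example, not part of the solution manual: it applies the completeness, validity, echo, field, limit, sign, and relationship checks to a keyed-in receipt. The reference tables, the "RC" transaction code, the one-letter condition codes, and the limits are constructed for illustration.

```python
# Constructed reference data standing in for the open purchases, supplier,
# and inventory master files (assumptions, not from the text).
OPEN_POS = {"4417": {"supplier_no": "1980424", "lines": {"30012": 40, "30047": 12}}}
SUPPLIERS = {"1980424": "Constructed Supply Co."}
ITEMS = {
    "30012": {"description": "Toner cartridge", "limit": 100, "on_hand": 15},
    "30047": {"description": "Laser printer", "limit": 20, "on_hand": -2},
}
VALID_TXN_CODES = {"RC"}              # hypothetical code for a receiving transaction
CONDITIONS = {"G", "D", "U"}          # Good, Damaged, Unacc., as on the entry screen
REQUIRED = ("transaction_code", "po_no", "supplier_no", "item_no", "quantity", "condition")


def edit_receipt(entry: dict):
    """Return (echo, errors): data echoed back to the clerk and edit-check failures."""
    echo, errors = {}, []

    # (7) Completeness check: nothing else is meaningful if a field is missing.
    missing = [f for f in REQUIRED if not str(entry.get(f, "")).strip()]
    if missing:
        return echo, ["completeness: missing " + ", ".join(missing)]

    # (1) Validity checks against the stored tables, with (8) echo on success.
    if entry["transaction_code"] not in VALID_TXN_CODES:
        errors.append("validity: unknown transaction code")
    if entry["condition"] not in CONDITIONS:
        errors.append("validity: unknown condition code")
    po = OPEN_POS.get(entry["po_no"])
    if po is None:
        errors.append("validity: no open purchase order " + entry["po_no"])
    supplier_name = SUPPLIERS.get(entry["supplier_no"])
    if supplier_name is None:
        errors.append("validity: unknown supplier " + entry["supplier_no"])
    else:
        echo["supplier_name"] = supplier_name
    item = ITEMS.get(entry["item_no"])
    if item is None:
        errors.append("validity: unknown item " + entry["item_no"])
    else:
        echo["description"] = item["description"]

    # (3) Field check: the quantity must be numeric before it can be compared.
    qty_text = str(entry["quantity"])
    if not (qty_text.isascii() and qty_text.isdigit()):
        errors.append("field: quantity must be numeric")
        return echo, errors
    qty = int(qty_text)

    if item is not None:
        # (4) Limit check against the pre-established reasonable maximum.
        if qty > item["limit"]:
            errors.append(f"limit: {qty} exceeds reasonable maximum {item['limit']}")
        # (6) Sign check on the stored quantity on hand.
        if item["on_hand"] < 0:
            errors.append(f"sign: quantity on hand is negative ({item['on_hand']})")

    if po is not None:
        # (5) Relationship checks between the receipt and the purchase order.
        if entry["supplier_no"] != po["supplier_no"]:
            errors.append("relationship: supplier does not match purchase order")
        ordered = po["lines"].get(entry["item_no"])
        if ordered is None:
            errors.append("relationship: item not on purchase order")
        elif qty > ordered:
            errors.append(f"relationship: received {qty} exceeds {ordered} ordered")
    return echo, errors


# Constructed sample entry (not from the text).
GOOD_ENTRY = {"transaction_code": "RC", "po_no": "4417", "supplier_no": "1980424",
              "item_no": "30012", "quantity": "40", "condition": "G"}

if __name__ == "__main__":
    for change in ({}, {"quantity": "45"}, {"quantity": "400"}, {"condition": ""},
                   {"item_no": "30047", "quantity": "5"}, {"quantity": "4O"}):
        print(change, "->", edit_receipt({**GOOD_ENTRY, **change}))
```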



13-5. a. Source of each element in the outputs:
1. Check
   Check number: printed (or system generated)
   Date: system generated
   Payee and remaining elements: disbursement voucher
2. Cash disbursements journal
   Date: system generated
   Check numbers: preprinted on check stock
   Supplier numbers: accounts payable master file
   Supplier names and remaining items: disbursement voucher

b. and c. See the following pages.

[Figure: system flowchart for batch processing of cash disbursements. Labels: From accounts payable procedure; Disbursement vouchers; Batch and prepare batch totals; Batch totals; Key-to-tape, verify and edit (annotation: could keypunch onto cards and then convert to magnetic tape, if desired); Exception and summary report; Disbursement data; Sort by supplier number; Accounts payable master file; Sequential access storage; Update accounts payable file and print outputs; Updated A/P master file; Cash disbursement journal; Checks (including vouchers); Document; To gen. led. procedure; To suppliers.]

[Figure: Arrington Wholesaling Co. disbursement voucher form. Fields: No.; Date; Supplier number; Name; Authorization; Invoice No.; Date; Account; Gross amt.; Discount; Net amount; Totals.]

[Figure: Arrington Wholesaling Co., Little Rock, Arkansas, voucher check form. Fields: No.; Date; Amount $; Pay to the Order of; (Bank and MICR number); Authorized Signature; Invoice No.; Account Debited; Gross amt.; Discount; Net Amount; Amount of Check.]

d. Accounting transaction controls that are suitable to a computer-based system which processes cash disbursements by the batch method include:

(1) Batch control totals: a record count of the number of vouchers, hash totals of voucher numbers and supplier numbers, and an amount control total of the voucher amounts.
(2) A prenumbered batch transmittal sheet to accompany each batch to the control section, where the batch is listed on a batch input-output control log.
(3) Key verification of transaction data keyed onto magnetic tape.
(4) Use of header and trailer labels for the voucher transaction file.
(5) Programmed edit checks on the input data, such as self-checking digits, validity checks, field checks, and limit checks. (See note below.)
(6) Sequence checks on transactions after being sorted by supplier numbers.
(7) Matching checks that compare the supplier number from each transaction with the supplier number in the master file before updating.
(8) Use of a sound error-correction procedure, which includes the suspense of all transactions containing errors and irregularities, the correction of errors by the accounts payable department, and the resubmission of corrected transactions for re-editing.
(9) Use of a distribution log with respect to the outputs.
(10) Review of checks and supporting documents by the treasurer or cashier before mailing (assuming that the actual signing is performed by the computer system).
(11) Review of the cash disbursements journal by the cashier.

Note: Suitable programmed edit checks and data elements to which they apply are:
* Validity: supplier number, general ledger account to debit
* Self-checking digit: supplier number
* Field: voucher number, supplier number, supplier name, invoice number, general ledger account number, invoice amount
* Limit: invoice amount
* Relationship: supplier number, invoice number (These data elements are compared to verify that they relate to each other.)
* Sequence: voucher number
* Redundancy matching: supplier number, supplier name (Upon entering the former, the latter is echoed back.)
* Internal label: name of voucher file
* Posting: supplier's account payable balance
* Sign: supplier's account payable balance (After the total voucher amount is posted against the account payable balance, a debit balance would be flagged on an exception report.)
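The batch controls in items (1), (6), (7), and (8) above, together with the sign check in the note, can be traced through one run. The following is an added example, not part of the solution manual: it recomputes the batch control totals against the transmittal sheet, then performs a sequential update of the accounts payable master file with sequence, matching, and sign checks. The record structure, supplier numbers, and amounts are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Voucher:
    voucher_no: int
    supplier_no: int
    amount: Decimal


def control_totals(batch):
    """Record count, hash totals, and amount control total for one batch."""
    return {
        "record_count": len(batch),
        "hash_voucher_no": sum(v.voucher_no for v in batch),
        "hash_supplier_no": sum(v.supplier_no for v in batch),
        "amount_total": sum((v.amount for v in batch), Decimal("0")),
    }


def reconcile(transmittal, batch):
    """Compare the transmittal sheet totals with totals recomputed from the keyed batch.

    Returns {total_name: (expected, computed)} for every total that disagrees.
    """
    computed = control_totals(batch)
    return {k: (transmittal[k], computed[k]) for k in transmittal if transmittal[k] != computed[k]}


def sequential_update(master, batch):
    """Post a batch sorted by supplier number against a master file in the same order.

    master is a list of (supplier_no, payable_balance). Transactions that fail the
    sequence or matching check are suspended (not posted); a debit balance after
    posting is flagged by the sign check. Returns (updated_master, exceptions).
    """
    updated = [[key, balance] for key, balance in master]
    exceptions, m, last_key = [], 0, None
    for v in batch:
        if last_key is not None and v.supplier_no < last_key:
            exceptions.append((v.voucher_no, "sequence check: out of supplier-number order"))
            continue
        last_key = v.supplier_no
        while m < len(updated) and updated[m][0] < v.supplier_no:
            m += 1                      # advance the master file to the transaction key
        if m == len(updated) or updated[m][0] != v.supplier_no:
            exceptions.append((v.voucher_no, "matching check: no master record"))
            continue
        updated[m][1] -= v.amount       # a disbursement reduces the payable balance
        if updated[m][1] < 0:
            exceptions.append((v.voucher_no, "sign check: debit balance in payable"))
    return [tuple(record) for record in updated], exceptions


# Constructed sample data (not from the text).
MASTER = [(1001, Decimal("500.00")), (1003, Decimal("250.00")), (1007, Decimal("80.00"))]
CORRECT_BATCH = [
    Voucher(501, 1001, Decimal("200.00")),
    Voucher(502, 1003, Decimal("250.00")),
    Voucher(503, 1005, Decimal("75.00")),    # supplier not on the master file
    Voucher(504, 1007, Decimal("100.00")),   # pays more than is owed
]
# Totals prepared by the accounts payable department before keying.
TRANSMITTAL = {"record_count": 4, "hash_voucher_no": 2010,
               "hash_supplier_no": 4016, "amount_total": Decimal("625.00")}
# The same batch with voucher 502 keyed as 520.00 instead of 250.00.
KEYED_BATCH = [CORRECT_BATCH[0], Voucher(502, 1003, Decimal("520.00"))] + CORRECT_BATCH[2:]

if __name__ == "__main__":
    print("keyed batch vs transmittal:", reconcile(TRANSMITTAL, KEYED_BATCH))
    print("corrected batch vs transmittal:", reconcile(TRANSMITTAL, CORRECT_BATCH))
    new_master, report = sequential_update(MASTER, CORRECT_BATCH)
    print("updated master:", new_master)
    print("exception report:", report)
```

The keying error changes only the amount control total, so the record count and hash totals still agree; this is why the manual lists all three kinds of total rather than one.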



13-10 a. Accounts payable transaction record layout:

[Figure: record layout with a position scale from 0 to 65. Fields: Vendor number; G/L acct #; Invoice number; Voucher number; Invoice date; Due date; Invoice amount; Discount; Net amount. Fields keyed to the report are marked A, E, F, and G.]

Vendor master record layout:

[Figure: record layout with a position scale from 0 to 90. Fields: Vendor number; Vendor name; Street number; Street name; City; Province/state; Postal/Zip code; Country. Fields keyed to the report are marked B, C, and D.]

Mode of data items:
Alphabetic: Vendor name, street name, city, province/state, country
Alphanumeric: invoice date, due date, invoice amount, discount, net amount
Numeric: All other data items


b. Outstanding payable report format:

c.

[Figure: report format. Column headings with their key letters: General ledger account number (A); Vendor name (B); Province/State and City (C, D); Invoice number (E); Due date (F); Net amount due (G).]

d. System flowchart showing preparation of above report

[Figure: system flowchart. Labels: Vendor's invoice; Key-to-tape and verify; Transaction record; Sort by G/L account numbers; Sorted A/P trans.; Accounts payable master file; Update files and extract report data; Vendor master file; Sorted report data; Sort by vendor number; Report file; Print report; Outstanding payable report; To accounts payable mgr.; connectors A and B.]



13-7. a. [Figure: data structure diagram. Records: Check register record; Supplier invoice record; Voucher record; Invoice/check record.]

b. [Figure: relational tables. Table names: Supplier Invoice Header Table; Check Register Table; Voucher Table; Invoice/Check Table. Column headings appearing in the figure: Invoice number; Invoice date; Voucher number; Due date; Check number; Payment date; Payee; Amount paid; Supplier account number; Amount obligated; Voucher number; Voucher date; Invoice number; Check number; Amount owed; Supplier account number; Purchase order number; Terms; Total invoiced amount.]


13-8. a. Preformatted screen for purchase order data:



c, d, and e. The columns for the needed tables are shown below, together with the circled POs and RRs (for purchase orders and receiving reports). Note that while four tables are referred to in the problem, two of the tables (the open purchase and receiving report tables) should be broken into header and line item tables when more than one item of merchandise can be purchased on a single order. Also, a separate table is needed to provide cross references between warehouse codes and shipping addresses. These points should probably be mentioned when the problem is assigned. Alternatively, you could assume that only one item of merchandise can be placed on a single order.

Note: The computer system will generate the purchase order number and receiving report number, as well as the transaction dates.

[Circled PO and RR markers from the original figure are not reproduced.]

Open purchase order table: Purchase order no.; Supplier no.; Order date; Buyer no.; Terms; Expected arrival date; Shipping method; Shipper; Whse. code; Shipping address

Ordered items table: Line number; Purchase order no.; Expected unit price; Order quantity; Unit of measure

Supplier table: Supplier number; Supplier name; Supplier address; City; State; Zipcode; Phone number; Year began; Performance rating; Preferred supplier

Merchandise inventory table: Merchandise no.; Merchandise descr.; Unit of measure; Reorder point; Reorder quantity; Quantity on order; Purchase order no.*; Quantity on hand; Date of last transaction

*Assumes that only one purchase order is outstanding for any particular merchandise item.

Receiving report header table: Receiving report no.; Date of receipt; Purchase order no.; Supplier number; Receiving clerk initials

Received items table: Line code; Receiving report number; Merchandise number; Quantity counted; Condition of goods

13-9. (Adapted from the Certificate in Management Accounting Examination, December 1979, Part V, Question No. 6) a. A level-zero data-flow diagram for the purchasing procedure of the Wooster Co. appears on the following page.



[Figure: level-zero data-flow diagram. Entities: Inventory supervisor; Supplier. Processes: 1.0 Prepare and mail purchase order in duplicate; 2.0 Receive ordered goods; 3.0 Ascertain validity of payment; 4.0 Prepare cash disbursement. Labeled flows and stores: Items and quantities to order; Purchase order; Packing slip (with goods); Open purchase order data; Invoice; Vouched invoice; Check (with invoice); Paid invoice (cash disbursement data).]

b. The documents that would be required to satisfy the minimum requirements of a basic system and the minimum number of copies are:

Internally generated documents
1. Purchase requisition (2 copies)
2. Purchase order (4 copies)
3. Receiving report (3 copies)
4. Disbursement voucher (2 copies)
5. Check voucher (2 copies)

Externally generated documents
1. Supplier's invoice (2 copies)
2. Packing slip (2 copies)

c. A document flowchart of Wooster's expenditure cycle is as follows:

[Figure: document flowchart. Columns: Inventory Department; Purchasing Department; A/P Department. Labels: From supplier; Supervisor phones; Prepare P.O.; Purchase order; To supplier; Shipment from supplier; Packing slip; Invoice; Compare, reconcile; Verify; file N (Packing slip, P.O., Invoice); Write check; Check; Paid invoices; connector A.]

These documents flow through departments in the following manner:



(1) The purchase requisition is prepared by the inventory supervisor, with the original being sent to the purchasing department as a formal request for an order, and then filed by number, and the copy being filed in the stores/inventory department by number.

(2) The purchase order is prepared by the purchasing department, with the original being sent to the supplier, the first copy to the stores/inventory department to check with the order received (unless there is a receiving department), the second copy to the accounts payable department to be matched with the invoice from the supplier and the receiving report from the stores/ inventory department, arid the last copy being filed in the purchasing department by supplier name.

(3) The receiving report is prepared by the stores/ inventory department, with the original being forwarded to the accounts payable department to be compared with the invoice and purchase order, the first copy to the inventory control section for posting to the inventors subsidiary ledger, and the last copy being retained in the stores/inventory department and filed by number.

(4) The disbursement voucher is prepared by the accounts payable department and the check voucher by a newly established cash disbursements department (or cashier), with originals and supporting documents (invoice, purchase order, receiving report) being sent to the treasurer; after the treasurer signs the check it is sent directly to the supplier and the disbursement voucher (with supporting documents) is returned to the accounts payable department and filed by supplier name. The disbursement voucher copy is retained in the accounts payable department and filed by number, while the check voucher copy is filed in the cash disbursements department by number.

(5) The invoice is prepared by the supplier, usually in duplicate, with both copies going to the accounts payable department for comparison with the receiving report, purchase order, and packing slip. The original is then forwarded with supporting documents and disbursement voucher and check to the treasurer for signing; then it is filed by date. The copy is retained in the accounts payable department and filed by supplier name.

(6) The packing slip is prepared by the supplier and included with the shipped goods. The original is compared with what was actually received and also compared with the purchase order; then it is filed by date received. The copy is sent with the receiving report to the accounts payable department and filed by supplier name.

13-10. (Adapted from the Society of Management Accountants of Canada Examination, June 1988, Internal Auditing Section, Question No. 4)



The deficiencies (weaknesses), risks, and recommended controls to compensate for the exposure due to the risks for the Acme Manufacturing Company are as follows:

(1) Weakness: Purchased different makes of microcomputers from different vendors. Some vendors went bankrupt and some stopped producing the product lines.
Risks: Incompatibility between units. No vendor support or updated software which will result in the equipment becoming obsolete.
Recommended controls: Establish a company policy for microcomputer purchases, emphasizing compatibility, stability, and overall cost effectiveness.

(2) Weakness: Buying a particular product when a substitute can be obtained at a lower cost.
Risks: Higher production cost.
Recommended controls: Require employees to take professional development training and be familiar with the marketplace.

(3) Weakness: Buying from the intermediary rather than direct from the producer.
Risks: Higher production cost.
Recommended controls: Buyer should eliminate intermediary where economically and efficiently feasible to obtain a lower cost.

(4) Weakness: Large number of purchase orders on small quantity purchases of gasoline.
Risks: Higher processing costs. Higher purchasing costs because not negotiated.
Recommended controls: Bulk purchase should be used. Blanket purchase order to be used to reduce processing costs.

(5) Weakness: Inordinate number of purchase orders used.
Risks: More processing costs and higher prices may have been paid.
Recommended controls: Purchasing department to review historical data and coordinate the requirements for quantity buying.

(6) Weakness: Only one quote received for products which are available from several suppliers.
Risks: Higher costs as a result of no competitive bidding. Suppliers could be chosen which are not the most cost efficient.
Recommended controls: Policy and procedures to ensure that bids are invited from at least three qualified vendors.

(7) Weakness: Branch managers making direct purchases of items costing more than $500 without purchasing department approval.
Risks: Bypassing the purchasing policy may result in paying higher costs. This may indicate that other departments are not satisfied with the services provided by the purchasing department.
Recommended controls: Review limit for branch managers’ purchases. Issue warning to ensure all managers observe the policy for purchases over $500. Implement a performance appraisal survey of the purchasing department in order to obtain user feedback.

(8) Weakness: Purchaser buying goods from spouse’s company.
Risks: Conflict of interest which may result in paying higher prices.
Recommended controls: Policies and procedures to ensure conflict of interest guideline is observed.


13-11. (a) Preparation of purchase requisition and purchase orders:

[System flowchart. Columns: Requisitioning department; Purchasing department. Labels: Requisition completed, prepared and signed (performed by department manager); Select supplier and complete form (performed by buyer); Enter purchase data; Edit entered purchase data; Exception and error display; Display of remaining budgeted funds; Budget master file; Supplier master file; Purchase transaction data; Prepare purchase order; Open purchase order file; Purchase order (copies 1-4) to supplier, to accounts payable, and to receiving.]

Flowchart note: If purchase amount exceeds the budget, the purchase order is put in a hold file and the requisitioner is notified by a hold notice.


b. Processing of receipts of ordered goods:

[System flowchart. Columns: Receiving department; Requisitioning department. Labels: When ordered goods arrive; Purchase order (copy 3); Count goods; Stamp completed; Enter receiving data; Exception and error display; Edit data and update files; Fixed asset master file; Open purchase order file; Expense control file; Receiving data; Receiving report file; Receiving report; Sign report; To A/P procedure.]


c. Processing of invoices and recording of accounts payable:

[System flowchart. Columns: Requisitioning department; Accounts payable department. Labels: Receiving report (from receiving procedure); Purchase order, copy 2 (from purchase procedure); Supplier's invoice (from supplier); Signs and forwards; Hold until receipt of invoice; Enter invoicing data; Compare data on documents; Display of differences on documents; Do differences appear? (Yes: Hold basket; No: Approve for payment); Enter amount to be paid; Update files; Accounts payable master file; Budget file; Open purchase order file; Supplier file (filed by number); To check preparation procedure.]


d. Preparation of checks and weekly reports:

[System flowchart. Labels: From accounts payable procedure; Accounts payable master file; Supplier master file; Print checks and reports; Check (to suppliers); Listing of checks; Summary journal vouchers; To general ledger clerk; To cashier; Open purchase order file; Sort data by order date; Sorted open purchase order file; Print report; Open purchase orders report (to purchasing department).]

Flowchart notes: Check preparation is performed weekly by the data processing department. The accounts payable master file includes data concerning approved invoices. The summary journal vouchers show total amounts of new payables and disbursements; they could be generated during a separate run using data from the accounts payable master file. The open purchase orders report is prepared weekly; the sort is not needed if purchase orders are numbered sequentially.


b. A level-zero data-flow diagram of the procedure pertaining to the expenditure cycle

[Data-flow diagram. Processes: 1.0 Prepare requisition; 2.0 Select supplier, estimate prices, enter requirements data; 3.0 Computer processed purchase order preparation; 4.0 Process receiving data; 5.0 Requisition accepts items received; 6.0 Approve invoice for payment; 7.0 Process payables. Other labels: Manager; Supplier; Receiving; Accounts payable; Open purchase order records; Purchase order or hold notice; Purchase order; Fixed asset and expense control record; Receiving reports; Receiving records; Supplier invoice; Accounts payable records; Purchase documents; Approved invoices; Supplier records; Check; Summary journal vouchers; A listing of checks.]

13-12.

a. The buyer could order merchandise from the supplier in which he or she owns part interest, even though another supplier may provide the merchandise at a better price or of a better quality.

b. The person could prepare and sign checks that show a friend or relative (or himself/herself) as payee and then post the disbursements to various suppliers' accounts in the accounts payable records.

c. Invoices could be approved and paid that reflect larger quantities than were ordered and/or received.

d. When receiving and stores are combined with purchasing, substandard operating performances could be more easily concealed; for instance, quantities and conditions of goods ordered are less likely to be carefully checked, so that short deliveries or damaged goods are likely to be accepted and stored.

e. Substandard operating performances could occur more easily when purchasing and accounts payable are combined; for instance, suppliers' invoices may not be as carefully checked against purchase orders, so that actual unit prices approved for payment may be significantly higher than those shown on purchase orders.

f. Purchase orders could be lost or misplaced, so that undelivered goods on outstanding orders might remain undetected.

g. Errors in posting to the accounts payable ledger or general ledger could occur.

h. Suppliers' invoices could be paid more than once without the error being detected.

i. (1) If the bank statement is reconciled by the person who signs the checks, funds could be taken by that person and the reconciliation misfooted to cover the thefts. (2) If the bank statement is reconciled by the accounts payable clerk, posting errors or omissions involving cash disbursed to suppliers could be overlooked; a second person who cross-checks the work of another (via the bank reconciliation and reconciliation of the accounts payable ledger and general ledger) is more likely to detect such errors or omissions.

j. Assets (cash) are likely to be lost due to lack of separation of duties between the clerk who receives suppliers’ invoices and the clerk who approves them for payment.

k. Travel expenses are not checked for authorization, since the sales manager is on vacation. This could result in payment of unauthorized travel expenses, resulting in loss of assets (cash) to the firm. Secondly, oral statements on incurred travel expenses may result in overstatement of expenses (deliberately or otherwise), resulting in loss of assets to the firm.

l. The petty cashier might be tempted to take cash from the petty cash for personal use.

m. The supplier might deliver items and quantities different than listed on the bill of lading. Employees on the dock, including the cleaning staff, might pilfer some of the product for their personal use.

13-13. (Adapted from the Certified Management Accountant Examination, December 1988, Part V, question No. 3.)

a. Three areas where Lexsteel Corporation may be exposed to fraud or embezzlement due to weaknesses in the procedures described, and the recommended improvements to correct these weaknesses, are as follows:

1. Weakness: Branch managers are permitted to issue purchase orders in an emergency by dealing directly with the vendors (suppliers), thereby avoiding purchasing controls. The branch manager can decide when an emergency exists and is permitted to choose a vendor in a subjective manner.
Improvement: A procedure for expediting emergency orders should be developed for the purchasing department.

2. Weakness: Invoices are sent directly to and entered by accounts payable, without authorization or verification documentation from the purchasing or receiving departments. Payments for undesired or unreceived goods could be processed.
Improvement: Lexsteel should require proper authorizations and verification documentation (i.e., purchase order, receiving report, requisition) prior to payment.

3. Weakness: Checks are prepared on invoices. There is no supporting documentation attached to the checks when they are forwarded to the treasurer for signature. The invoices cannot be canceled after payment, allowing the possibility of a second payment of the same invoice.
Improvement: Checks should be paid based on the original invoice only after it had been verified to the original purchase order and receiving report. The invoices should be cancelled after the checks have been signed.
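The verification and cancellation steps recommended in improvements 2 and 3 can be sketched as follows. This is an added illustration in Python, not part of the original solution; the class names, document numbers, vendors, and amounts are constructed assumptions.

```python
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass(frozen=True)
class InvoiceLine:
    item: str
    qty: int
    unit_price: Decimal


@dataclass
class AccountsPayable:
    purchase_orders: dict      # po_no -> (vendor, {item: (qty ordered, agreed price)})
    receiving_reports: dict    # po_no -> {item: qty counted by receiving}
    cancelled: set = field(default_factory=set)  # (vendor, invoice_no) already paid

    def verify(self, vendor, invoice_no, po_no, lines):
        """Match the invoice to the purchase order and receiving report.

        Returns a list of exceptions; an empty list means the invoice may be paid.
        """
        problems = []
        if (vendor, invoice_no) in self.cancelled:
            problems.append("invoice already paid and cancelled")
        po = self.purchase_orders.get(po_no)
        received = self.receiving_reports.get(po_no)
        if po is None:
            problems.append("no purchase order on file")
        if received is None:
            problems.append("no receiving report on file")
        if po is None or received is None:
            return problems
        po_vendor, ordered = po
        if vendor != po_vendor:
            problems.append(f"invoice vendor {vendor} differs from PO vendor {po_vendor}")
        for line in lines:
            if line.item not in ordered:
                problems.append(f"{line.item}: not on purchase order")
                continue
            qty_ordered, agreed_price = ordered[line.item]
            qty_received = received.get(line.item, 0)
            # Pay for no more than was both ordered and actually received.
            if line.qty > min(qty_ordered, qty_received):
                problems.append(
                    f"{line.item}: billed {line.qty}, ordered {qty_ordered}, "
                    f"received {qty_received}")
            if line.unit_price > agreed_price:
                problems.append(
                    f"{line.item}: billed at {line.unit_price}, PO price {agreed_price}")
        return problems

    def pay(self, vendor, invoice_no, po_no, lines):
        """Return (check amount, []) on a clean match, else (None, exceptions)."""
        problems = self.verify(vendor, invoice_no, po_no, lines)
        if problems:
            return None, problems
        amount = sum((l.qty * l.unit_price for l in lines), Decimal("0"))
        self.cancelled.add((vendor, invoice_no))  # cancel so it cannot be paid twice
        return amount, []


def sample_ledger():
    """Constructed data: PO-7 partly received; PO-8 (an emergency order) not received."""
    return AccountsPayable(
        purchase_orders={
            "PO-7": ("V-100", {"bar-stock": (50, Decimal("12.50"))}),
            "PO-8": ("V-200", {"fasteners": (10, Decimal("3.00"))}),
        },
        receiving_reports={"PO-7": {"bar-stock": 40}},
    )
```
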

b. Three areas where management information could be distorted due to weaknesses in the procedures described, and the recommended improvements to correct these weaknesses, are as follows:

1. Weakness: Cash balances will be distorted because all checks are drawn when due but may be held for future mailing when sufficient cash is available. Cash management will also be affected by inaccurate due dates, lack of procedures for taking vendor discounts, and inaccurate information for economic order quantity calculations.
Recommendation: Checks should be drawn only when cash is available and mailed immediately. Procedures should be established for taking advantage of vendor discounts when appropriate.

2. Weakness: Accounts payable information will be distorted by drawing checks and holding them for future payment, by entering invoices without supporting documentation, and by inaccurate receiving documentation. In addition, inaccurate due dates damage vendor relations.
Recommendation: Invoices should not be entered into the system until matched with supporting documents, and receiving documents should be matched against original purchase orders. Due dates should be calculated from the date goods are received.

3. Weakness: Inventory balances are likely to be misstated because of no physical counts, poor receiving documentation, weak accounts payable procedures. The lack of control over emergency orders could distort inventory balances and cause duplicate purchases.
Recommendation: Procedures for cycle counting with periodic reconciliation of book to physical quantities should be implemented.

c. Strengths in the procedures described include the following:

(1) The firm has a centralized computer-based system and data base in place. This eliminates duplication of effort and data redundancy while improving data integrity, efficiency, productivity, and timely management information.

(2) Most purchase orders are issued by the centralized purchasing department from computerized production orders or bills of material. This limits overstocking of materials inventory and employs the specialized expertise in the purchasing function.

(3) The functions of purchasing, production control, accounts payable, and cash disbursements are centralized at the corporate headquarters. This improves management control and avoids a duplication of efforts. The separated departments help maintain internal control by the segregation of duties for authorization, payment, and coding.

13-14. (Adapted from the Certified Internal Auditor Examination, May 1995, Part I, Questions 30-34)

a. Several difficulties can be encountered in maintaining an adequate control over an EDI network. These may emerge from hardware, software, data, or communications aspects of the EDI. For example, the hardware used by trading partners may be quite diverse and incompatible. With open communication lines between trading partners, additional exposures arise in terms of loss of data to unauthorized users, and potential for viruses infecting the firm’s systems. Issues concerning continuity of operations gain even more significance, since any interruptions would likely affect trading partners of the firm as well. A control weakness in the described procedure is in the receiving function. It appears that there is no inspection of goods for quality.

b. Control and security measures that should be taken with respect to the EDI network include the following:

1. Require passwords for each agent, and change the passwords periodically to make them difficult to guess.

2. Require that authorized products be entered into the product data base by someone independent of the purchasing function.

3. Require that the authorized “vendor” data base be maintained by someone independent of the purchasing function.

4. Use an automated access control program that identifies all users, data, and actions that can be taken by the users.

5. Develop and implement a disaster contingency recovery plan.

c. 1. An audit procedure that would provide evidence about the proper functioning of the control relating to limiting the amount of purchases for a particular product line would be a procedure that uses generalized audit software. Such software can extract data regarding purchases by product line, and compare these data with the amounts authorized by the marketing manager.

2. An audit procedure that would provide evidence that the program for approving items for payment is functioning properly is an integrated test facility. If an integrated test facility is implemented, the auditor would submit test items throughout the period under analysis, and review the results of processing of such items.
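The extraction-and-comparison test in c.1, combined with checks on controls b.2 and b.3, might look like the following in Python. This is an added example, not part of the original solution or of any audit software package; the record layout, role names, and all sample data are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal


def audit_purchases(purchases, vendors, products, authorized, purchasing_staff):
    """Return sorted (subject, exception) pairs found in the EDI purchase records."""
    found = []
    # Controls b.2 and b.3: master data must be maintained outside purchasing.
    for kind, table in (("vendor", vendors), ("product", products)):
        for key, record in table.items():
            if record["maintained_by"] in purchasing_staff:
                found.append((key, f"{kind} record maintained by purchasing staff"))
    spent = defaultdict(Decimal)  # product line -> total purchases
    for p in purchases:
        if p["vendor"] not in vendors:
            found.append((p["id"], "vendor not in authorized vendor data base"))
        product = products.get(p["product"])
        if product is None:
            found.append((p["id"], "product not in authorized product data base"))
            continue
        spent[product["line"]] += p["amount"]
    # Procedure c.1: purchases by product line versus the authorized amount.
    for line, total in spent.items():
        limit = authorized.get(line)
        if limit is None:
            found.append((line, "no authorized amount on file"))
        elif total > limit:
            found.append((line, f"purchases {total} exceed authorized {limit}"))
    return sorted(found)


# Constructed sample data (identifiers, roles, and amounts are illustrative only).
VENDORS = {"V1": {"maintained_by": "controller"},
           "V2": {"maintained_by": "agent_b"}}
PRODUCTS = {"P10": {"line": "garden", "maintained_by": "controller"},
            "P20": {"line": "tools", "maintained_by": "controller"}}
AUTHORIZED = {"garden": Decimal("1000"), "tools": Decimal("5000")}
PURCHASING_STAFF = {"agent_a", "agent_b"}
PURCHASES = [
    {"id": "E-1", "vendor": "V1", "product": "P10", "amount": Decimal("700")},
    {"id": "E-2", "vendor": "V1", "product": "P10", "amount": Decimal("450")},
    {"id": "E-3", "vendor": "V9", "product": "P20", "amount": Decimal("200")},
    {"id": "E-4", "vendor": "V2", "product": "P99", "amount": Decimal("80")},
]
```
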

13-15. Flowcharts for Requirement (a) begin on the following page.

[Document flowchart, PLANT OPERATIONS DEPARTMENT. Labels: Request for purchases; Approval by plant manager; Prepare inventory materials requests; Inventory materials request; Purchase order (from purchasing department); Match and file; Inventory requests/purchase orders; Inventory requests.]

[Document flowchart, PURCHASING DEPARTMENT. Labels: Inventory materials request; Prepare prenumbered purchase order; Purchase order copies (Copy 1 to supplier, Copy 2 to plant operations, Copy 3 to receiving, Copy 4 to accounts payable, Copy 5 to folder, Copy 6 to archive); Receiver (from receiving department); Match; Purchase orders; Supplier file copy; Purchase history.]

[Document flowchart, RECEIVING DEPARTMENT. Labels: Purchase order (from purchasing department); Upon receipt of shipment; Enter date and quantity received; photocopy; Purchase orders; Receiver (to accounts payable department; to purchasing department).]

[Document flowchart, ACCOUNTS PAYABLE DEPARTMENT. Labels: Purchase order (from purchasing department); Receiver (from receiving department); Invoice (from supplier); Compare, match, collate, staple with voucher ticket; Match and file; Voucher ticket part #1; Voucher ticket part #2; To another clerk; Verify clerical accuracy, assign distribution codes; Prepare a batch; All documents except voucher ticket part #1; Adding machine tape; Voucher package; To data processing department; Voucher register and daily voucher register (from data processing); Verify entries in voucher register; Compare batch totals; Adding machine tapes.]

[Document flowchart, DATA PROCESSING DEPARTMENT. Labels: Adding machine tape and voucher tickets (batched) from accounts payable department; Assign batch number, enter in log; Vouchers with batch tickets; Key to tape; Batch ticket; Edit run; Exception and summary report; Vouchers (edited); Update run; General ledger; Accounts payable master file; Error report; Enter corrections; Voucher tickets and error records; Daily voucher register (to accounts payable department).]

b. Weaknesses (with possible errors or discrepancies) and recommended improvements:

1. Weakness: Requests for purchases not prenumbered; filing of copies not appropriate. Thus, copies might be lost before goods are ordered.
Recommended improvement: Prenumber all requests for purchases; file one copy numerically (not by inventory item name) in the plant operations department, and periodically account for the sequence of numbers.

2. Weakness: Copy of purchase order sent to the receiving department apparently contains quantities ordered. Thus, the receiving clerk may not count the goods received, so that it is possible that the quantity actually received will differ from the quantity on the purchase order (receiver copy).
Recommended improvement: Blank out the quantities ordered on the purchase order sent to the receiving department.

3. Weakness: Records pertaining to the receipts of goods not adequate. Thus, copies might be lost prior to payment procedure.
Recommended improvement: Prepare prenumbered receiving reports; file one copy numerically in the receiving department, and periodically account for the sequence of numbers.

4. Weakness: Numbers not assigned to batch tickets until they arrive in EDP department. Thus, batches might be lost en route.
Recommended improvement: Prenumber all batch tickets, and account for sequence of numbers when entering batches in batch log.

5. Weakness: Data keyed from voucher tickets onto magnetic tape not key-verified. Thus, keying (transcription) errors might be introduced.
Recommended improvement: Key verify all data entered onto magnetic tape.

6. Weakness: Batch total of invoice amounts keyed to magnetic tape not computed and compared to predetermined batch total after transcription step. Thus, errors in transcribing data to tape not likely to be detected.
Recommended improvement: Compute batch total of invoice amounts as keyed to tape, and compare to predetermined total.

7. Weakness: Total of invoice amounts on error records (i.e., erroneous transactions that have been corrected and reentered for processing) not added to predetermined batch total. Thus, these error records could be lost and the loss not detected.
Recommended improvement: Add total of invoice amounts, as pertaining to error records, to predetermined batch total, and use this combined total as the basis for control over loss of data.

8. Weakness: Erroneous transactions on error report reviewed and corrected in DP department, and correction not approved. Thus, errors may not be properly corrected.
Recommended improvement: Establish a control section that is organizationally separate from the DP department. Return error report (and voucher register) to this section, which then records the errors in a control log and forwards erroneous transactions to the accounts payable department for correction. After the transactions are corrected, and the corrections are approved by the accounts payable manager, resubmit them to the control section, where they are checked off the control log, keyed to tape, and reentered for processing.

9. Weakness: Voucher tickets from batch sent to DP department used to compare with voucher register entries. However, these tickets held in DP department until all errors corrected. Also, the tickets destroyed after comparison. Thus, the comparison of tickets with voucher register might be delayed for days, with the possibility that the comparison may be forgotten. Also, by being destroyed the voucher tickets are not available to provide support of processed batches.
Recommended improvement: Retain voucher tickets sent to DP department as support for batch tickets filed there. Use voucher tickets previously filed in the accounts payable department for comparison with voucher register entries, and have comparer initial a box on the batch ticket to confirm that comparison has been made.
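The batch controls in improvements 4, 6, and 7 can be illustrated with a short Python reconciliation. This is an added example, not part of the original solution; it assumes that corrected error records from earlier runs are released by the control section for re-entry with the current batch, and all voucher numbers and amounts are constructed. The divisible-by-9 check is a standard bookkeeping heuristic for transposed digits and does not come from the solution text.

```python
from decimal import Decimal

ZERO = Decimal("0")


def total(records):
    """Sum the invoice amounts of (voucher_no, amount) records."""
    return sum((amount for _, amount in records), ZERO)


def sequence_gaps(logged_batch_numbers):
    """Improvement 4: prenumbered batch tickets missing from the batch log."""
    seen = set(logged_batch_numbers)
    if not seen:
        return []
    return sorted(set(range(min(seen), max(seen) + 1)) - seen)


def reconcile(predetermined_total, keyed, released_errors, processed):
    """Reconcile one batch against its control totals.

    predetermined_total: adding-machine total prepared in accounts payable
    keyed:           (voucher_no, amount) records as keyed to tape
    released_errors: corrected error records released for re-entry with this batch
    processed:       (voucher_no, amount) records posted by the update run
    """
    # Improvement 6: total as keyed versus the predetermined batch total.
    keying_diff = total(keyed) - predetermined_total
    cents = int(abs(keying_diff) * 100)
    # Improvement 7: error records are added to the predetermined total, so a
    # lost error record shows up as a shortfall against the combined total.
    combined_total = predetermined_total + total(released_errors)
    posted = {voucher for voucher, _ in processed}
    return {
        "keying_difference": keying_diff,
        # A difference divisible by 9 (in cents) suggests two transposed digits.
        "transposition_suspected": cents != 0 and cents % 9 == 0,
        "combined_control_total": combined_total,
        "update_difference": total(processed) - combined_total,
        "error_records_not_posted": sorted(
            v for v, _ in released_errors if v not in posted),
    }


# Constructed sample batch: voucher 102 was keyed as 45.30 instead of 54.30,
# and corrected error record 98 never reached the update run.
ADDING_MACHINE_TOTAL = Decimal("300.00")
KEYED = [(101, Decimal("120.50")), (102, Decimal("45.30")), (103, Decimal("125.20"))]
RELEASED_ERRORS = [(97, Decimal("80.00")), (98, Decimal("15.25"))]
PROCESSED = [(101, Decimal("120.50")), (102, Decimal("54.30")),
             (103, Decimal("125.20")), (97, Decimal("80.00"))]
```
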

c. A voucher register, which serves as a journal, records the disbursement vouchers. Totals of obligations are posted from the voucher register, rather than from an invoice register, to the general ledger accounts. Related individual disbursement vouchers provide the basis for posting to the accounts payable subsidiary ledger. The payables manager could also benefit from a report on discounts lost. This report would provide information on the amount of discounts lost, using appropriate classification of accounts payable. Two other reports would be useful to the payables manager: 1. The open purchase orders report, which shows all purchases for which the related invoices have not yet been approved for payment. 2. The open invoices report (also called the open payables report or the cash requirements report), which lists all approved invoices that are currently unpaid.



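CHAPTER 14

Systems Development

OBJECTIVES, with the DISCUSSION QUESTIONS and PROBLEMS that address each:

5. SYNTHESIS. Discussion questions: none. Problems: 1, 10.

4. EVALUATION. Discussion questions: 3, [8]. Problems: 2, 4, 5, 6, 8, 11, 13.

3. APPLICATION. Discussion questions: [5], 10. Problems: 7, 9, 12, 14, 15.

2. COMPREHENSION. Discussion questions: 2, 4, 7. Problems: 3.

1. CONCEPTUALIZATION. Discussion questions: 1, 2, 9, 11. Problems: none.

[ ] Infoage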


CHAPTER 14 SYSTEMS DEVELOPMENT

DISCUSSION QUESTIONS

DQ 14-1. From the consultant’s comment, it can be inferred that the information system is not providing suitable information. Very likely the information is not relevant, in that it does not relate to the firm’s original objectives. If this implication is true, the firm should examine its present information system and attempt to improve its deficiencies. In this undertaking, management should carefully review both the firm’s overall objectives and the users’ information needs and then redesign the information system accordingly.

DQ 14-2. The following difficulties can arise when one portion of an information system has been newly designed and installed while the remainder of the system is relatively obsolete and problem-ridden:

a. Conflicts may arise between those departments using the new system and those departments still utilizing the old system.

b. If the old portion of the system “feeds” data to the new system, errors may be introduced and the new system will generate erroneous or inconsistent outputs.

c. Because the old system is familiar and “comfortable” to the users, they may desire to retain or restore as many as possible of its features. Thus, they may complain and resist the new system and its new ways of “doing things” if they see portions of the old system being operated by their neighbors in the next department or work area.

d. Because the old and new system likely will not fit smoothly together at their interface, the processing procedures will be less efficient and more costly.

DQ 14-3. Limitations may arise from the lack of knowledge about the firm’s specific needs, knowledge and skills within the information systems function, and environment of the systems function as well as the firm. Specific hardware and/or software that have proven records elsewhere may not necessarily fit the firm’s needs. An additional factor that could contribute to this could be the enthusiasm of vendors in showing the positive attributes of their products and services, with very little time or thought devoted to constraints, concerns, or problems that could arise in the specific case of the firm. Hidden or unknown training costs, cost overruns, operational and technical feasibility problems, legal issues regarding ownership of intellectual property, and longer than expected implementation time lines could surface. To obtain complete and comprehensive input from vendors, it is necessary to educate the vendors on the exact nature of the organization’s needs, the firm’s information technology environment, and other related criteria. For major projects involving substantial amount of work and/or investment, this can be achieved by issuing a request for proposal (RFP). An RFP would include background information, description of the proposed system, specific requirements of the project, and instructions to vendors. Upon receipt of proposals in response to the RFP, proposals are evaluated and finalists are invited to make a presentation to those responsible for the decision. This is followed by further evaluation and final selection of the vendor. An elaborate process such as this facilitates risk management and ensures project deliverables within time and cost budgets.

DQ 14-4. Benefits:

1. Effective asset utilization. Little or no investment would be necessary in information systems technology. Aside from a lower investment base, the risk of obsolescence, which is very high in the information technology area, is minimized.

2. Attractive business approach. It may be a wise business decision to keep the core information systems activities and outsource non-essential or maintenance activities. In this manner, the core activities central to the success of the firm can be managed well.

3. More specialized and “current” avenues. The firms doing outsourcing would generally employ the most current methods, procedures, and technologies.

4. Lower costs. The firms doing outsourced work have the advantage of economies of scale, which are likely to be reflected in lower costs to their clients.

5. Elimination of effects of seasonality. If the firm’s business is affected by seasonality, the corresponding fluctuations in volumes of transactions may have very little effect on the internal information systems function if the transaction processing applications are outsourced.

Drawbacks:

1. Loss of control. There is a risk of losing a degree of control over the firm’s systems. Additional concerns of system security and privacy also arise.

2. Longer contract terms. Generally the outsourcing contracts are for a long period of time (e.g., ten years), and are usually inflexible and costly to break. While later changes within the firm may warrant departure from the outsourcing option, it could be very difficult and costly to do so.

3. Loss of in-house expertise. Since the outsourced components are not supported anymore within the firm, the in-house expertise would weaken, and may even disappear, over time. If a need arises in the future, it would be difficult to recreate the expertise.

DQ 14-5. To develop a new system or to modify an existing system, a disciplined and systematic approach is necessary.
The systems development methodologies incorporate a disciplined approach, which is usually referred to as the systems development life cycle. Typically, the major steps are: planning, analysis, design, selection, implementation, and operation. In the first step, Infoage will plan for the system. What the goals and objectives of the system development effort are, and how the new system ties into the overall strategic directions of the firm, are important questions to address here. Next, the firm will perform information requirements analysis. In the process the systems users will be asked to help in determining the nature and attributes of information that needs to be generated. The proposed system is then designed in its logical or conceptual form, specifying inputs, procedures, outputs, controls, and data base requirements. Specific design alternatives are then identified and a final selection is made. For example, the selected alternative can be a client-server environment supported by a data warehouse. The next phase, systems implementation, includes preparation of detailed specifications that lead to computer programs and specific procedures. These are then put into operation by transferring from development function to production function. At this stage, the new system is tested and users and other appropriate personnel (e.g., internal auditors verifying the existence of controls) sign off on the test results and approve the use of the system for the firm’s operations. Several different approaches can be employed in developing the new system: top-down, bottom-up, modular, prototyping, user-developed, reengineering, outsourcing, and vendor-developed approach. Not all approaches are equally applicable in this case, and some are even complementary. For example, given the nature of comprehensive logistics management system, the user-developed approach is not appropriate. A high degree of involvement of the top management is essential because this is a large project involving such critical success factors as inventory management and control. Consequently, the top-down approach is more fitting to the situation. The system, given its complexity, warrants the modular approach, and the reengineering of the processes involved is almost always worth the consideration in a major effort such as this. Finally, if new technologies and an innovative solution are desired (e.g., client-server system with virtual connectivity with vendors, using EDI), it might be appropriate to design and test a prototype before a full-scale system is developed.

DQ 14-6. The expression: “The physical operating system should drive the accounting system” means that the accounting system of a firm should be designed to fit the particular characteristics of its physical operations and flows. Because each firm has a unique set of physical operations and flows, each accounting system must be unique if it is to provide the best possible service to its users.

DQ 14-7. Information needs often change when managers are replaced by other managers, even though the decisions themselves do not change. The reasons for such changes in information needs include the following:

a. Different managers employ differing cognitive processes for making decisions.

b. New managers are not fully aware of their responsibilities and hence need more explanatory or background information.

c. New managers may not be aware of all the information resources and hence cannot be as precise in their information specifications.

The major difficulty posed for the systems analyst by this situation is the necessity to adapt the information provided by the system, so that each decision maker receives the information that he or she needs at any point in time. A systems analyst can handle this situation in either of two ways: (1) He or she can revise the information system each time that a new manager occupies a position. The revision would be based upon a comprehensive discussion with the manager of his or her needs, followed by an analysis of how best to satisfy those needs via redesigned reports and other outputs. (2) He or she can devise an information system that is sufficiently flexible to accommodate a wide range of information needs. Such a system would in effect be a decision support system through which various managers can easily access a comprehensive data base and can specify reports that fit the manager’s information preferences. While an information system having these attributes is difficult to design, the technology is now available. Of the two above approaches, this latter approach appears to be definitely preferable. Not only does it save the time required in system revisions, but it enables each manager to match information to his or her own changing information needs. However, it perhaps cannot be fully implemented. That is, it may always be necessary (and perhaps even desirable) to reexamine information needs to a limited degree each time a managerial change takes place.

DQ 14-8. Design alternatives that Infoage could consider with respect to the inventory management project:

1. Leave the system as is. This is not likely to be the final choice; however, it is an option.



2. Electronically link the two outlets with the warehouse and the main office. This will permit on-line access to the inventory management system by managers and staff at the two stores.

3. Expand the system’s capabilities by integrating EDI with the inventory management system. This will permit online transactions with suppliers, both in purchasing and disbursement of accounts payable.

4. Further expand Alternative 3 by adding banks to the network, in order that electronic payment processing can be conducted, and carriers (such as Federal Express), in order that faster deliveries can be made, where necessary.

Infoage deals in computers and related information technology products. The cycle time for new product development in this industry is short. New products in hardware, software, and communication are developed rapidly. New versions of existing products are often cheaper, more powerful, and more flexible. Whereas overstocking in this environment will cause obsolescence, out-of-stock situations will cause lost sales. Just-in-time procurement of inventory is crucial. The procurement cycle needs to be more efficient. For example, waiting time between the decision to purchase from a supplier and the receipt of the purchase order by the supplier needs to be reduced or eliminated. Alternative 4 permits Infoage to be able to create such improvements. Since Alternative 4 promises to deliver most of the improvements, it appears to be the best alternative. A final choice depends upon results of a cost-benefit analysis of the design alternatives.

DQ 14-9. Hidden costs traceable to employee fears and uncertainties include declines in productivity, absenteeism and tardiness, careless handling and even sabotage of computer system hardware, lowered morale, and personal strife with fellow employees and their superiors.

DQ 14-10.
Although the systems analyst may have designed an innovative and well-structured information system, she likely did not adequately consider the “people concerns.” A system design is only successful if it is operationally feasible, that is, if the users accept the new system and can use it. They likely will not accept it if they are not informed early of its development and fully involved in its development. They will not accept it if it is overly complex or if they have not been fully trained in its use. They will not accept it if they view it to be a hindrance or if they are immobilized by fear and uncertainty concerning their status, their job security, and even their social relationships in the work place. Thus, the systems analyst should have gained the participation of the production manager and employees from the beginning of the project, should have provided reassurances concerning the benefits of the new system, and should have strongly urged top management to reassure the manager and employees concerning security and status and to provide early and sufficient training in the use of the new system. DQ 14-11. A post-implementation review and evaluation of a recently implemented Web-based system should examine the following matters:

a. The extent to which pre-established objectives, such as to accommodate efficient and reliable transmission of document images and data through to the system, are being met.



b. The degree to which the system performance, such as transmission time and data accuracy, is measuring up to established benchmarks.

c. The extent to which the system is gaining acceptance from users, such as customers, salespersons, purchasing staff, accounts payable staff, and suppliers.

d. The extent to which the information needs of managers throughout the system are being met. For example, is the treasury function able to use data as expected to more accurately project cash disbursements, and is the marketing function able to evaluate the success of its initiatives on the Web?

e. Whether the key benefits expected from the system are in fact likely to materialize. Examples include reduction in inventory levels (also, lower working capital and savings in inventory carrying costs), and shorter procurement cycles.

f. The lessons learned from the implementation that can be applied to future design and implementation decisions—especially with respect to Web-based systems.

PROBLEMS 14-1. a. The steps in strategic planning that ASL should undertake in developing its Web-based information system: 1. Obtain support of top management. 2. Organize a steering committee. 3. Clarify objectives and constraints. 4. Prepare a strategic systems plan. 5. Submit the plan for top management approval.



a. Strategic objectives ASL should establish to ensure success in its global expansion include the following:
• The system should be scalable across geographical regions. This means not only the ability to extend the system to newer locations, but also the need to meet unique locational requirements, such as currencies and local business practices, conventions, and legal constraints.
• The system should be flexible enough to handle multiple technologies (hardware, software, telecommunications) and currency (or datedness) of the technologies (for example, different versions of the same software).
• The system should be easy to use across different cultural backgrounds and languages.

b. The attributes of ASL’s Web-based information system should include the following:
Virtual: Interconnectedness both within the organization across the globe and also with suppliers and customers worldwide.
Paperless: Much less use of paper; significant use of electronic images, and communication through telecommunication media.
Spanning the complete (or nearly complete) value chain: The system should link the entire value chain from suppliers to customers, to banks and other agencies, including auditors (for audit purposes) and government (for filing returns).
Secure: The system should be secure and subject to a high level of integrity. Privacy and confidentiality of information must be maintained, and even promised to certain stakeholders, such as customers.
Available: A system with enterprise-wide impact should almost always be available. Disaster contingency and recovery plans should be made and tested periodically to ensure that the system can be recovered in the event of failure.
Efficient: Since Web-based systems cut down on waiting time and non-value-added tasks, the system should be substantially more efficient.

c. Pitfalls to avoid in developing ASL’s Web-based information system:
Diversion from the predetermined system objectives: This reduces system effectiveness and kills the very purpose of creating it.
Cost overruns: The cost must be tracked along the budgeted levels and all variances should be investigated by the managers responsible for the project. Approvals must be obtained for increases in budgeted spending levels.
Delays: System must be delivered on time. Often, this turns out to be a great challenge. However, time line should be managed along with the spending levels. A comprehensive Web-based system that links suppliers and customers will take time, for ASL must contact, brief, and consult with these parties (and even prepare them to participate in joining the project).

d. The impact of globalization on ASL’s information system:
• Maintain cultural sensitivity.
• Address unique local requirements.
• Standardize corporate information needs and maintain these requirements across the entire network.
• Allow for unique needs, including local language-based information sharing, to generate value and comfort among the local employees and other stakeholders.



• Be flexible in defining the system so that unique local needs can be met by the same system.
• Train users to function cross culturally.
• Understand the local business model and support it to the best possible extent.
• Educate and sensitize the corporate leadership and management in the diversity of global business.

14-2.
To: President, Bryan Trucking Company
From: Consultant
Subject: Suggestions for Changing the Present Organizational Position of the Data Processing (Information Systems) Function

Upon investigating the problems faced by your firm arising from inadequate reporting practices, I have identified the source of the problems and several alternative solutions (courses of action). The primary cause of your reporting problems is the present organizational location of the information systems function. The data processing manager reports to the controller, who in turn reports to the vice president of finance. Thus, the information systems function resides three managerial levels below the president and serves as one of several units within the finance-accounting area. The several deficiencies (i.e., late reports, inadequate management information), as well as the stream of complaints from the non-financial vice presidents and the data processing manager, stem in large part from this organizational arrangement. To solve the reporting problems, therefore, it will likely be necessary to shift the information systems function to another location within the organizational structure. Four likely courses of action and their respective advantages are as follows:

1. Place the data processing manager directly under the vice president of finance and on the same level as the controller, the treasurer, and the budget director. This action avoids a severe organizational upheaval. It also assures the continued close association of the systems function with those managers (i.e., the reports manager, budget manager, and controller) who are responsible for providing information to top management and for processing transactions. Furthermore, this action confers higher status upon the information systems function.

2. Place the data processing manager directly under the vice president of operations or of sales. This action removes the data processing manager from under the finance function. Therefore, the effect should be to quiet the complaints of the manager under whom she is placed. As in the first alternative, this action confers higher status upon the information systems function.

3. Place the data processing manager directly under the vice president of administration. This action should tend to quiet the complaints of both the operations and sales vice presidents, since the administration function is generally viewed as being nonpartisan in nature. As in the first two alternatives, this action confers higher status upon the information systems function.

4. Place the data processing manager directly under the president and on a level with the other vice presidents. This action confers upon the information systems function higher status than do the other courses of action, since it raises the function two levels in the



organizational hierarchy. Thus, the information systems function should have greater independence and should be in a better position to serve all the functions on an equal basis. Since this arrangement places the function in direct view of the president, you (Mr. President) can thereby monitor its activities more closely and exert your influence in a more positive and timely manner. Of the four above alternative courses of action, the choice should be between number 3 (placing the data processing manager under the vice president of administration) and 4 (placing the data processing manager under the president). The first two alternatives, while improvements over the present arrangement, do not eliminate the problem of perceived favoritism. If the first action is followed, the operations and sales vice presidents will continue to complain; if the second action is followed, all of the vice presidents except the one under which the function is placed will likely complain. The final choice depends in large part upon your personal preference, situation, and evaluation. If you prefer to exert more direct influence over the information systems function, if you believe that you have the added time available to do so, and if you believe that the data processing manager would benefit from your close direction, then the function should be placed on the vice presidential level. This action would have the positive effect (in addition to those already mentioned) of showing that you believe adequate reports are of over-riding importance. On the other hand, placing the data processing manager at the vice presidential level may cause resentment of the other vice presidents, who question whether the data processing manager merits a two-level promotion. This action also means that you must take time away from other important activities, such as long-range planning, to supervise a fifth manager. 
If either or both of these drawbacks is unacceptable, then the EDP function should be placed under the vice president of administration. 14-3. (Adapted from the Certified Management Accountant Examination, December 1992, Part IV, Question No. 5) A. 1. Included in its role in the development and design of a new system, management should • establish and participate on a steering committee to partake in the major decisions, establish or approve project schedules/time tables, and monitor the project as it progresses. • outline the types of key information needed to make management business decisions. • select key personnel to lead the project. • provide a motivational “tone at the top” and endorse an adequate organizational communication program to complete the systems progress. 2. Included in their role in the development and design of a new system, the users should • identify the information flows and the shortcomings of the existing systems. • participate in the determination of information requirements, including report formats. • effectively communicate with the systems organization and other users on a regular basis and provide feedback. • assist in establishing internal controls for the new system. B. At least three benefits of installing a new computer system at Marshall Associates are • better service to customers comprehending faster product deliveries, better on-hand



inventory information, fewer product stockouts, timely records of customer requests and inquiries, and timely credit information. • an increase in productivity, efficiency, and effectiveness as there will be improved job satisfaction and morale due to the automation of otherwise mundane work, allowing the employees to work on more meaningful, challenging, and creative projects. • more reliable, accurate, and timely information providing better management decision making. • integrated data processing applications. C. At least three distinct and mutually exclusive types of documentation that would be used in each one of the four life cycle phases include the following. Systems analysis includes • the feasibility study. • an outline of the present system comprehensive flow diagrams, input/output formats etc. • a formal systems requirements report. Systems design includes • data flow diagrams and systems flow diagrams. • internal control and security documentation. • input and output specifications. Systems acquisition includes • systems specifications outlining the required memory, processing speeds, capacity, etc. • comparing cost/benefit analyses of hardware/software alternatives. • service and/or maintenance agreements. Systems implementation includes • implementation and conversion plans, including PERT diagrams and other scheduling documents • systems testing documentation. • follow-up or post installation analysis documentation which documents the system’s effectiveness as compared to requirements documents and actual processing outputs. 14-4. A critique of the approach to systems development employed by Kids Incorporated is as follows:

(1) Weaknesses and omissions

(a) Objectives and information needs not established.

(b) Unduly rigid constraint imposed by president, i.e., "leave the organizational structure untouched."

(c) No strategic plan developed.

(d) Too broad a scope attempted; that is, the overall activities of the firm not broken into modules and then assigned priorities for development.



(e) No project proposal prepared and submitted for management approval.

(f) No project controls established; also, unrealistic and arbitrary time limit of four months established.

(g) No attempt to establish and compare benefits versus costs.

(h) Study assigned to a single inexperienced person who is new to the firm's operations; no users or systems analysts assigned to work with him as a team.

(i) No survey or analysis of the firm's present operations.

(j) Excessive reliance upon representatives from the selected computer manufacturer, who are likely to employ a standard rather than a tailored approach to systems design.

(k) Untested computer selected for use in system, with the likelihood that unforeseen "bugs" will emerge and difficulties will be encountered.

(l) No steering committee established to guide the development and assign priorities.

(m) No communication of intentions to employees and lower managers until design completed.

(n) No involvement of managers or employees in participative design of new system.

(o) No training in use of new system provided (or at least none mentioned).

(p) Certain steps omitted, including determination of economic feasibility, evaluation of design alternatives, and evaluation of system effectiveness.

(q) Wasteful scrapping of new system without attempt to salvage as much as possible. (Only the reports are retained.)

(2) Sound steps

(a) Problem recognized by president, and comprehensive study (rather than a piecemeal effort) initiated.

(b) System study supported by president.

(c) Constraints defined, even though one appeared to be unrealistic.

(d) Approaches of other firms researched.

(e) Policy of "no firings" announced by president, thereby reducing uncertainty and resistance on the parts of employees.

(f) Reports retained when new system scrapped. (Since the reports are likely to be based on ideas learned in MSA accounting courses, they are probably an improvement over



previous reports. Of course, they would be even more relevant and useful if they had been based on discussions with managers concerning their information needs.) 14-5. a. Weaknesses in Wagstaff’s current approach for accounting for system-related costs include the following: 1. All system-related costs are absorbed as corporate overhead. This non-charging approach leads users to view computer-related services as being “free goods” and encourages the users to employ them in a wasteful manner. The approach also does not encourage users to participate in the development of effective system applications or usage, nor does it motivate Information Systems Service (ISS) to provide efficient and high quality service. Furthermore, the approach of charging all system-related costs to corporate overhead prevents the establishment of a sound basis for evaluating ISS or for planning the growth of its services. 2. The systems manager is evaluated according to the extent that actual costs exceed a nonflexible level of budgeted costs, and his budgeted costs are established on the basis of his estimate of user demand. This approach to evaluation tends to cause two dysfunctional actions on his part. He will be inclined to limit rather than expand the volume of services, in order to minimize actual costs and create a favorable variance. Thus, to discourage requests he may actually be motivated to provide unsatisfactory service, e.g., long turnaround times. On the other hand, the systems manager may tend to overestimate expected user demand, in order to establish as high a budget level as possible. 3. The systems manager has the responsibility for assigning priorities to users’ requests. This approach tends to put undue pressure on the systems manager, since he must deviate from the first-come, first-serve rule to accommodate rush requests. Thus, it is unavoidable that he will be seen as giving preferred treatment to those managers whose rush requests he attempts to service. 
In essence, this responsibility of assigning priorities, plus the lack of encouragement to provide high quality service, may create an adversary relationship between the users and ISS.

b. Advantages of the proposed accounting approach over the current approach include the following:

1. Because users are to be charged for system-related services, the users will be discouraged from using the services in a wasteful way. That is, they will be encouraged to request services only when the expected benefits to them will appear to exceed the costs to be charged to them. They also will be encouraged to take an interest in systems development and to participate in raising the quality of system-related services. ISS will gain data that will aid in planning future growth.

2. The systems manager will be relieved of some of the pressure that he is currently under, since the number of requests should decline. Also, by being empowered to negotiate lower rates for larger jobs, he can persuade users that longer waits translate into lower overall charges to those users. Thus, the number of complaints should decline.

3. Since users will be able to utilize outside commercial processing services if dissatisfied, the systems manager and ISS will be highly motivated to provide



relatively low cost and high quality service. Otherwise, the charges to users will not cover budgeted costs and the systems manager will receive a poor evaluation.

4. The computation of the chargeback rate will be simple and easy for the users to understand. It can be quickly implemented. Also, since no element of profit will be included in the chargeback rate, it should be relatively low compared to outside market rates; thus users should be encouraged to use the services provided by ISS, rather than to utilize outside services.

c. Problems that the proposed approach will likely create and means of overcoming these problems are as follows:

1. The proposed chargeback rate is to be based on actual costs and processing hours. Thus, it will tend to be unstable over time due to changes in costs and usage volumes. When the usage is low, the rate will be relatively high; when usage is high, the rate will be relatively low. Thus, the rate will be inconsistent from month to month, so that the amount charged for a particular service will fluctuate.
Correction: Employ a rate based on standard costs or market prices. If a standard cost chargeback rate is established, based on system-related costs reflecting reasonable efficiency at a normal volume, users would consistently be charged the same amounts for the same services. If a market priced rate is used, the problems created by the use of an actual cost rate would also be avoided. (The market priced rate has another advantage, to be noted later.)

2. A single rate is to be charged for most jobs, except that the systems manager will have authority to negotiate a lower chargeback rate. Although a degree of flexibility is thereby introduced, the systems manager is still likely to be subjected to charges of favoritism. Also, he may be pressured to reduce the rate too severely, thus adversely affecting his evaluation.
Correction: Allow the rate to be adjusted upward when users demand rush service and downward when users are willing to wait. However, use a predetermined, publicized, and consistent adjustment factor rather than negotiation. Also, consider adjustments to accommodate other differences in job demands, such as requirements for heavily used versus lightly used system components.

3. A single factor, central processor usage hours, is to be employed as the basis of activity in computing the chargeback rate.
Correction: Develop an algorithm that weights several factors employed in providing system-related services, and use this algorithm as the chargeback rate (assuming that a standard cost chargeback rate is selected for use).

4. Users are to be allowed to use outside commercial processing services. The systems manager may feel compelled to negotiate the chargeback rate below what such services charge in order to increase usage. This practice can cause charges of favoritism and lack of consistency. (See item (2) above.)
Correction: Either eliminate the proviso that users can resort to outside services and employ the standard cost chargeback rate—or retain the proviso, establish a market-priced chargeback rate, and convert ISS to a profit center. Either approach should remove the inconsistencies that lead to complaints by users.



5. The systems manager is to be evaluated according to the extent that the charges to users “cover” his budgeted costs, where the budget is established at a fixed level based on his estimate of user demand. He is therefore likely to reduce the chargeback rate through negotiation to increase charges. Also, he is likely to underestimate user demand, as opposed to his (likely) current practice of overestimating user demand. Neither approach is desirable.
Correction: Establish a flexible budget approach, and evaluate the systems manager by a comparison of actual costs charged against budgeted costs for the actual usage level. This approach will tend to remove the pressure on the systems manager to negotiate rates in order to generate charges and to underestimate user demand. It should therefore improve the planning for future growth in system services. (Note: The systems manager should also be evaluated on the extent to which fixed costs are covered).

6. The budget for systems-related costs is to still be prepared semiannually. This period is probably not sufficiently lengthy to provide stable rates.
Correction: Extend the budget period to a year. Also, review the system manager’s estimate of user demand in light of past trends and expected needs, and revise as necessary.

7. The systems manager is still to assign priorities for user requests.
Correction: Establish a steering committee of key users, which will have the responsibility of assigning priorities. This will remove the pressure from the systems manager and require the users themselves to settle the issues.

8. All jobs are to be charged with system-related costs. This rule may inhibit desirable system developments.
Correction: Omit certain system development projects, i.e., those that jointly benefit several users, from direct charges. Evaluate the systems manager in the case of such projects by comparing estimated lump-sum costs to actual costs incurred.

14-6.
(Adapted from the Certified Management Accountant Examination, June 1995, Part IV, Question Number 3) a. The weaknesses in internal control and related exposures include the following: 1. There is a lack of comparison of checks to be issued to the authorized supplier list. This creates an exposure that unauthorized, and perhaps fictitious, vendors may get orders from the firm. 2. No checking is done to ensure that goods were received before payment was made to vendor. This results in a potential for payment for goods or services never received. 3. The bookkeeper has responsibility for recording the firm’s transactions, paying all expenses, and reconciling bank statements. There is very little separation of duties and therefore, the firm’s assets (especially cash) are at risk. b. Although the expenditure cycle showed the control weaknesses, it is clear that given the nature of changes within the firm and growth it has experienced, the entire accounting information system should be the primary scope of the project to be undertaken. Among the improvements that the firm would seek in the new AIS, correction of the weaknesses found in the existing system would be one of the priorities.
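The three control weaknesses in part a can be expressed as automated checks run before a check is signed, together with the payee and amount comparison that part f assigns to the check signer. This is an added example, not part of the original solution; the record layouts, exception codes, duty names and sample data are constructed assumptions.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Voucher:
    voucher_id: str
    payee: str
    amount_cents: int   # integer cents, so comparisons never hit float rounding
    approved_by: str    # empty string means the voucher was never approved


@dataclass(frozen=True)
class Check:
    check_no: str
    voucher_id: str
    payee: str
    amount_cents: int


def _norm(name):
    """Compare supplier names case-insensitively and ignoring extra spaces."""
    return " ".join(name.upper().split())


def review_check(check, vouchers, receiving_reports, authorized_suppliers):
    """Return exception codes for one check; an empty list means it may be signed."""
    voucher = vouchers.get(check.voucher_id)
    if voucher is None:
        return ["NO_VOUCHER"]  # nothing to compare against, stop here
    findings = []
    if not voucher.approved_by:
        findings.append("VOUCHER_NOT_APPROVED")
    if _norm(check.payee) != _norm(voucher.payee):
        findings.append("PAYEE_MISMATCH")
    if check.amount_cents != voucher.amount_cents:
        findings.append("AMOUNT_MISMATCH")
    # Weakness 1: checks were never compared to the authorized supplier list.
    if _norm(check.payee) not in {_norm(s) for s in authorized_suppliers}:
        findings.append("UNAUTHORIZED_SUPPLIER")
    # Weakness 2: payment was made without confirming receipt of goods.
    if check.voucher_id not in receiving_reports:
        findings.append("GOODS_NOT_RECEIVED")
    return findings


# Weakness 3: duties that one person should not combine (hypothetical names).
INCOMPATIBLE_DUTIES = ("record_transactions", "pay_expenses", "reconcile_bank")


def sod_conflicts(duty_holders):
    """duty_holders maps duty -> set of people; return (person, duty_a, duty_b)."""
    conflicts = []
    for duty_a, duty_b in combinations(INCOMPATIBLE_DUTIES, 2):
        both = duty_holders.get(duty_a, set()) & duty_holders.get(duty_b, set())
        conflicts.extend((person, duty_a, duty_b) for person in both)
    return sorted(conflicts)


# Constructed sample data for illustration only.
VOUCHERS = {
    "V-1001": Voucher("V-1001", "Acme Paper Co", 125_000, "controller"),
    "V-1002": Voucher("V-1002", "Quick Supply LLC", 480_000, ""),
    "V-1003": Voucher("V-1003", "Northside Ink", 30_000, "controller"),
}
RECEIVING_REPORTS = {"V-1001", "V-1003"}   # vouchers with goods confirmed received
AUTHORIZED = {"Acme Paper Co", "Northside Ink"}
CHECKS = [
    Check("501", "V-1001", "ACME  PAPER CO", 125_000),
    Check("502", "V-1002", "Quick Supply LLC", 480_000),
    Check("503", "V-1003", "Northside Ink", 33_000),
    Check("504", "V-9999", "Acme Paper Co", 10_000),
]
DUTIES = {duty: {"bookkeeper"} for duty in INCOMPATIBLE_DUTIES}


def run_review():
    """Review every sample check and return check_no -> exception codes."""
    return {
        c.check_no: review_check(c, VOUCHERS, RECEIVING_REPORTS, AUTHORIZED)
        for c in CHECKS
    }


if __name__ == "__main__":
    for check_no, findings in run_review().items():
        print(check_no, findings or "OK to sign")
    for conflict in sod_conflicts(DUTIES):
        print("SoD conflict:", conflict)
```
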



c. A steering committee is generally composed of the major users of the information system. In the general corporate environment, the people or functions that should be included on a steering committee include members of top management to ensure top management commitment, including the chief operating officer, the vice president of finance, the chief information officer, and top management of all major functional organizations that are users of the system. A top management representation is essential to show support to the information systems function, to ensure that appropriate resources will be allocated to the information systems resource, and to ensure that there is a strategic fit between the organization’s business strategy and the information systems development strategy. Since Adart Company is a relatively small firm, employees representing these responsibilities may be fewer and may not have formal designations to suggest a high level representation. Project teams enable persons with differing areas of expertise and experience to pool their ideas. Members of project teams usually include computer systems analysts and programmers, users who are familiar with the operations in the project area, and perhaps a managerial accountant. In Adart’s case, the project has to do with the accounting information system. Consequently, users of the system and a representative of the accounting function are likely to be on the project team. The team would include information systems professionals (e.g., systems analysts). The firm most likely does not have an internal audit function. If so, a representative of the external auditors or a consultant may be asked to provide input concerning control and security aspects of the new system. On this project, Carlon would be a primary liaison between the steering committee and the project team. He may represent the president on the steering committee. 
At the same time, since the firm has no experience with computer-based systems and no in-house expert in the area of computerized systems, Carlon may provide his insights as an information systems professional, both to the steering committee and the project team. To the project team, he would be a leader, motivator, and an expert.

d. The primary purposes of a systems analysis phase are to survey the current information system and to define what is required to create an improved system. Tangible results of these steps are requirements relating to a new system and listed information needs of the users. The specific steps in the systems analysis phase are: Survey present system, analyze survey findings, identify system requirements, identify information needs, and prepare and submit a systems analysis report. In Adart’s case, the existing accounting system will be reviewed. Available documentation of the accounting policies and procedures may be reviewed, accounting personnel may be interviewed, and procedures that are identified may be documented in the form of diagrams and flowcharts. Users of accounting information may also be interviewed to determine what decisions they make, what information they need, and whether their information requirements are met by the existing system. A study of findings from such analysis results in the specification of what the new system requirements should be and what needs of information users will be met by the new system.

e. The system design process involves two levels: conceptual design and detailed design. A conceptual design provides the overall system structure or architecture, plus a relatively broad view of the combined system components. It is user oriented and logical in nature. A detailed design provides the physical details of each system component, such as reports and data and controls. Usually the detailed design includes such software as the application programs. The conceptual design is developed during the systems design phase, while the detailed design is compiled in a succeeding phase. Steps in the conceptual design phase consist of evaluating design alternatives, preparing the conceptual design specifications, and obtaining



approval for the design. Design alternatives may range from slight modifications of the present system to radically new structures. Once a design alternative is selected, it is expressed in terms of conceptual design specifications (i.e., inputs, procedures, data base, controls and security measures, and outputs). For Adart, several alternatives to an in-house accounting information system exist. The firm may consider outsourcing all or a part of the accounting function. Alternatively, it may decide to use a service bureau to provide the necessary systems functionalities, so that Adart’s transactions can be processed by the firm without having to maintain its own system.

f. Improvements in internal control that must be included in any new design:
• separation of duties. The person preparing disbursement vouchers and checks should not be authorized to sign checks, record the accounting entries, or reconcile the bank statements.
• that the check signer should (1) determine that each check is accompanied by a properly approved unpaid voucher and that the name of the payee and the amount of the check agree with the voucher; (2) review the checks against the authorized supplier listing; (3) verify that goods have been received; and (4) control the mailing of the checks.
• that vouchers and supporting documents are stamped, perforated, or otherwise canceled when the check is signed.
• that an independent review of bank reconciliations is conducted.
• that periodic internal audits of the cash disbursement process are conducted.

14-7. Note: Requirement (a) should read “compute,” not “compare.”

a. Computation of the yearly chargeback rate for Lagoon:

Fixed costs:
  Payroll                                      $210,000
  Equipment rental                              350,000
  Utilities ($70,000 - $10 x 3,000)              40,000
  Miscellaneous                                  30,000
  Total fixed costs                            $630,000

Fixed component of chargeback rate = $630,000/3000 hours = $210 per hour

Variable costs:
  Supplies ($24,000/3000 hours)                $ 8 per hour
  Utilities                                     10 per hour
  Total variable costs per hour                $18

Total chargeback rate = $210 per hour (fixed component) + $18 per hour (variable component) = $228

b. Computation of amounts to be charged to the functions during the year:

  Accounting-finance         1000 hours x $228 per hour = $228,000
  Marketing                   800 hours x $228 per hour =  182,400
  Administrative services     600 hours x $228 per hour =  136,800
  Purchasing                  500 hours x $228 per hour =  114,000

c. Computation of cost variance:

Actual hours of service = 1000 + 800 + 600 + 500 = 2900 hours

Costs at budgeted level:
  Fixed costs                                  $630,000
  Variable costs (2900 hours x $18 per hour)     52,000
  Total costs at budget                        $682,200

Cost variance:
  Budget costs                                 $682,200
  Actual costs                                  700,000
  Cost variance                                $ 17,800



14-8. a. Several serious weaknesses and problems can be discussed in the case of the Tasty Restaurant. 1. Poor employee relations. The chefs resent being given “orders” by the waitresses (since they rank higher in a restaurant hierarchy than the waitresses). Furthermore, the chefs do not take orders from one another, apparently because Alvin has not clearly assigned authority and responsibility. These poor relations very likely result in uncaring attitudes and lower productivities on the part of most of the employees within the restaurant. 2. Unorganized purchasing procedure. Both chefs are involved in purchasing food. Hence, they tend to duplicate purchases and thus to acquire more food than needed. Since they order on the basis of their preferences, they very likely pay insufficient attention to prices. As a result, the overall cost for food – the basic merchandise of a restaurant - is higher than it should be. 3. Inefficient customer (food) service procedure. The customers are not served in a caring, timely, or efficient manner. They must seat themselves. After their orders are taken, the waitress goes into the kitchen and calls out their order. Since the orders must be filled by chefs who resent this “order-calling” and who only hear the order once, very likely the customers will (a) wait relatively lengthy periods before receiving their food and (b) experience one or more discrepancies between their orders and the received food. Finally, customers must wait while the waitress takes their payment to the cashier and returns the change. (While this last point could be viewed as an added service, it does slow service and reduces customer turnover.) 4. Awkward and inadequate physical arrangements. The physical space does not appear to be adequate to accommodate the pictured tables and booths. The tables are rather jammed, for instance. 
Also, the location of the kitchen door and the cashier’s cage require longer traffic patterns for the waitresses than alternate arrangements could afford. In addition, there is no facility, such as benches or a bar, for use by customers who must wait for service. Furthermore, the cluttered physical arrangement, and the lack of a “barrier” such as a cashier’s booth at the doorway, may encourage some customers to leave without paying their checks (as suggested by the unsatisfying low cash receipts). 5. Weak data collection and communication techniques. Waitresses must write out the orders from customers on blank check forms, thus increasing the times required for taking orders and the chances of making errors. Also, the verbal communication of orders to chefs (noted above) increases the possibilities that errors will be made in preparing food for customers. b. Other facts to gather to determine the degree of seriousness of the problems and to help develop a solution include the following: 1. Number of suppliers, preferences of chefs in ordering from specific vendors, prices paid, and quantities ordered. 2. A survey of customers to identify their problems and concerns, menu preferences, what they like and dislike about Tasty Restaurant, and their satisfaction with service, quality of food, prices charged, etc. 3. A reconciliation of estimated cash receipts (based on food items served) and actual cash receipts. 4. Comments and concerns of waitresses and chefs. Topics include relationships with each other, communication concerns and problems, customer-related concerns, etc. 5. Comments and concerns of Alvin.



c. Sources of facts and techniques (in the same order as in requirement (b) above): 1. Sources: documents and records; chefs. Techniques include review of documents and records, and interviews of chefs. 2. Sources: customers; documents and records. Techniques: An analysis of orders by patrons; interviews of customers; questionnaires administered to patrons. 3. Sources: documents and records (copies of customer orders, cash receipt tapes, and bank deposit slips). Technique: An analysis of data. 4. Sources: waitresses and chefs, Alvin. Techniques: observation and interviews. 5. Source: Alvin. Technique: interview.

d. Improvements in: 1. Organizational arrangements: The responsibilities of the chefs can be reassigned. For instance, one chef might be responsible for operating the kitchen, while the other chef might be responsible for purchases. This reassignment should smooth employee relations while freeing Alvin to manage the overall operations and to fulfill his duties as host. 2. Physical arrangements: The physical layout can be altered. Tables might be rearranged to provide paths through which customers and waitresses can more freely move. A counter might be added (and two or three tables removed) to provide more seating places in less space, or more booths might be added along the left wall. A bench might be added by the door for use by waiting customers. The cashier’s cage might be moved to the door and changed into a counter. (If possible, the restaurant should be moved into another building having more floor space. In that case, a bar could be added for use by waiting customers, and more tables might be added to increase the seating capacity.) These changes should improve customer service and reduce the lengthy waits. The relocation of the cashier should also reduce the opportunities for customers to leave without paying their checks, since it overlooks the doorway.
Finally, a window can be cut into the kitchen wall, near the present door, and a revolving spindle can be mounted, so that the waitress can attach the check on the spindle (on a first-come, first-serve basis) for the chef to process the order.

e. Improvements to the accounting information system: 1. The check form can be improved. It should be replaced by a standardized form that is prenumbered and that contains a listing of the major menu items. The first of these changes will provide a degree of control over the checks, since all the numbers can be accounted for daily. Thus, waitresses and the cashier might not be tempted to abstract cash from the payments by customers and tear up related checks, as they might be doing in the current situation. The second of these changes will enable the waitress to record the menu selections of customers more quickly, thereby increasing customer turnover. 2. Control over the operations, and specifically the cash receipts, is considerably improved by using prenumbered checks that identify the table, number of customers served, and the waitress. The customers can carry the checks to the cashier, pay the designated amounts, receive change, and leave. This, combined with the relocation of the cashier’s cage near the exit door, should help achieve control over the operations. 3. The purchases procedure can be improved. In addition to assigning purchasing responsibility to one chef, rules can be established concerning which food vendors to order from and how much to order. These rules could take prices, service, and quality as well as personal preferences into account.



4. The information system should generate various reports for Alvin. For example, Alvin can benefit by receiving such information as daily cash receipts, daily purchases and cash disbursements, monthly payroll, etc. In addition, non-financial information such as the most popular menu item, traffic pattern by the hour, and number of customers served daily would help Alvin better manage the restaurant.

The modification of the check form affects data inputs, controls over data accuracy, and security over assets (cash). The changes to the purchasing procedure affect the files of needed data concerning food vendors and food items. The relocation of the cashier affects data control and security, while the spindle affects the processing of data concerning customers’ orders. The physical arrangements (e.g., location of the cashier) affect control (over cash). The organizational rearrangement of one chef being responsible for purchases also affects control (over purchases).

f. A restaurant of this size can benefit by installing a computerized system. The cost of such a system these days is affordable. On the other hand, the benefits would be significant. Accurate, reliable, and timely information would be available; more information can be generated that could not be easily obtained previously. Planning and control of the restaurant would improve considerably.

14-9. The solution is on the following pages.



a. A structure chart for the inventory management function of Masters Merchandising, Inc., is as follows:

[Structure chart. Top module: Perform inventory management. Modules shown: Replenish inventory; Calculate quantity to reorder; Prepare purchase requisition; Determine supplier with whom to place order; Receive ordered merchandise; Prepare and mail purchase order; Update inventory records to show order; Determine quantity of merchandise received; Store and record received merchandise; Determine quantity of merchandise; Match receipts with orders or returns with credit memos; Prepare receiving report; Monitor inventory usage; Update inventory records to show additions; Prepare shipping record and ship merchandise; Prepare inventory status report; Update inventory records to show reduction; Prepare reports to management; Prepare supplier evaluation report; Prepare inventory aging report.]

b. A context diagram is as follows:

c. A level-zero data flow diagram of the inventory management function is as follows, using the external parties listed plus a receiving clerk:

[Context diagram and level-zero data flow diagram. System: Perform inventory management. Processes: 1.0 Replenish inventory; 2.0 Receive ordered merchandise; 3.0 Store and record received mdse.; 4.0 Monitor inventory usage. Parties shown: Customer; Inventory control clerk; Purchasing manager; Supplier; Receiving clerk; Shipping clerk. Data labels shown: Supplier data; Inventory data; Supplier evaluation, name, address; Purchase orders (P.O.); Approval of P.O.; Count of goods received; Packing slip (with goods); R.R.; Quantity on hand; Quantity ordered; Quantity received; Quantity stored; Quantity shipped; Shipping notice; Count of goods shipped.]

d. [Data flow diagram. Processes: 1.1 Calculate quantity to reorder; 1.2 Prepare purchase requisition; 1.3 Determine supplier to order from; 1.4 Prepare and mail purchase order; 1.5 Update inventory records. Parties shown: Inventory control clerk; Purchasing manager; Supplier. Data labels shown: Supplier data; Inventory data; Supplier name and address; Reorder quantity; Purchase requisition; Order quantity; P.O.]



e. A level-2 data flow diagram that details the subactivity "prepare and transmit purchase order" is as follows:

[Level-2 data flow diagram. Processes: 1.41 Prepare purchase order header; 1.42 Prepare body of purchase order; 1.43 Approve P.O. by signing; 1.44 Mail purchase order. Parties shown: Inventory control and record keeping; Purchasing manager; Supplier. Data labels shown: Supplier data; Header data; PO header; Purchase requisition; P.O.; Copy of P.O.; Approved P.O.]

14-10. a. A level-zero data flow diagram of the current dispatching system for Browning Companies is as follows:

[Level-zero data flow diagram. Processes: 1.0 Accept dispatching requests; 2.0 Dispatch delivery trucks; 3.0 Deliver load and return; 4.0 Complete processing of delivery. Parties shown: Customers*; Dispatcher; Warehouse; Accounting department. Data labels shown: Sales orders; Delivery request; Delivery ticket; Delivery data; Weight data; Load weight; Delivery ticket with weight; Delivery ticket (initialed); Time-stamped delivery ticket; Delivery tickets (summarized).]

* Or salespersons or construction supervisors, in which cases the data would be in the form of sales calls or requisitions.

b. Improvements to the dispatching system include the following: 1. Installation of computerized facilities, including a computer network consisting of a microcomputer or mid-range computer, on-line magnetic disk files, and terminals. Many of the terminals would be remote units mounted in the cabs of the trucks. 2. Establishment of standard times for deliveries to various points within the service area. 3. Prior scheduling of dispatching jobs to the greatest extent possible, and notification to



drivers of assignments as soon as orders are received. 4. On-line entries of all actions by dispatchers and drivers, so that the data are captured within the computer system. 5. Employment of a computer planning model to keep track of the availability of each truck throughout the day, of expected completion times on current assignments, costs of dispatching assignments, and so on. 6. Preparation of prompt bills, as well as a greater variety of daily analyses and reports concerning job assignments and costs. Expected benefits from the above improvements include the following: 1. Reduced idle time and overtime of truck drivers. 2. Uniform times for delivering loads to the same locations, and hence reduced overall delivery time. 3. Clarified and prompt bills for customers. 4. Better information for planning and controlling dispatching jobs. c. A new dispatching system can be based on the installation of remote terminals in the trucks and the dispatching center, plus the use of a planning model that is maintained in the computer system. Dispatchers enter data concerning orders directly into their terminals as received. Delivery tickets are automatically generated on printers in the dispatching office. Each ticket shows the truck to be assigned, as well as the time allotted to complete the delivery. The assignment (with the aid of the planning model) is based on truck availability; it also takes into account other deliveries in the same area that can be grouped for efficiency. The allotted time is based on standard times for deliveries to various points within the service areas. Truck drivers make entries into their truck terminals for every action; arrival at work, coffee break, arrival at delivery site, arrival back after delivery, and so on. These time records are posted immediately by the system, so that truck availability and actual delivery times can be known. 
Furthermore, the postings enable job accounting and truck driver time variance (productivity) reports to be prepared at the end of each day. In addition, the time records serve as the basis for preparing payrolls for truck drivers. d. Two reports that would aid in evaluating and controlling dispatching operations may be described as follows: 1. A productivity report that shows the variances between the actual times to make deliveries and the standard times allowed, broken down by truck driver and days of a week. 2. A responsibility accounting report that compares the actual costs for performing all dispatching operations against a budgeted level. 14-11. (Adapted from the Certified Management Accountant Examination, June 1983, Part II, Question No. 7) a. To the extent that an accounting information system does not supply information to meet the needs of management, it will be ignored or resented as a waste of time and money. Because necessary information is not provided by the accounting information system, managers will seek other sources of information and develop an informal communications network. If the necessary information cannot be obtained from either a formal or an informal communications network, decision-making will be impeded, the planning function will suffer, control will be lacking, and no information will be available to evaluate centers, projects or individuals. This can lead to frustration and decrease in motivation. The organization will experience a lack of goal congruence, suboptimization, waste and inefficiency as inaccurate, or possibly falsified, information is used.



b. 1. The perceptions of the B & B Company employees indicate that there is a problem with the accounting system because some employees believe the accounting system is:
• adequate when the information derived for performance reporting reflects favorably on that individual (i.e., George Vector).
• inadequate for cost control when last year’s actual costs are utilized as a standard to measure present performance (i.e., Dora Hepple).
• weak operationally when information is neither timely nor relevant and the same information regarding current operations must be requested each month (i.e., Vern Hopp).
2. The perceptions of the B & B Company employees indicate there is a problem within the firm because there is an atmosphere of distrust, i.e., employees do not trust each other or trust the firm. B & B’s employees perceive the firm as a separate entity of which they are not an integral part.

c. Specific behavioral factors and guidelines for addressing them are as follows: 1. Misunderstandings on the part of employees concerning the new accounting information system. Guidelines: Provide full information as quickly as possible concerning plans for revising the system to employees after the plans are developed. 2. Apprehension on the part of employees concerning possible loss of jobs or status. Guidelines: Provide reassurances (from top management) that employees will not lose their jobs or status, and if they must be relocated to new positions, the affected employees will receive necessary training. 3. Alienation from and fear of a new system and “way of doing things.” Guidelines: Involve affected employees in the redesign project by asking for their opinions and advice; when possible assign employees to a systems project team.

14-12. a. Magruder Industries should implement the computer-integrated manufacturing (CIM) project as the revised net present value analysis is positive, as calculated in the exhibit below.

Magruder Industries
Revised Net Present Value Analysis
Computer-integrated Manufacturing Project

Current net present value of profit                         $(1,578,000)
Additional operational savings [(600,000x.10)x5.65]              339,000
Rework and scrap savings [($100,000x.6)x3.96 (1)]                237,600
Available floor space [($14x3,000x.6)x5.65]                      142,380
Additional contribution [($800,000x.6)x2.04 (2)]                 979,200
Revised net present value                                   $    120,180

(1) 5.65 less 1.69
(2) 5.65 less 3.61



b. Increased customer satisfaction is an intangible benefit. Any measurement of customer satisfaction is a challenge; once measured, it needs to be translated into monetary impact, which is difficult and very likely subjective. Assuming that these steps are achieved satisfactorily, the next question is whether the level of customer satisfaction will vary over time and, if it does, what attributes play a role in such variations and which of these attributes are controllable by the firm. Another factor that is at least not clearly tangible is the increased manufacturing flexibility. Converting such flexibility into a value-added resource to generate either cost savings or hard dollars of sales would be a challenge for the management, requiring considerable preplanning and perhaps a long lead time. The ability to manufacture in a flexible mode produces results only when the orders from customers require such flexibility, and the market is ready for accepting the diversity flexible manufacturing can put out. The conversion of this benefit into a quantified benefit is quite difficult if not impossible.

c. Of the various ways available, at least two of the ways Magruder Industries could measure the risk of not implementing the computer-integrated manufacturing (CIM) project include
• determining possible outcomes; for example, use “what if” analyses to determine potential loss of market share or bankruptcy by
  - quantifying and assigning probabilities to these outcomes.
  - doing a sensitivity analysis under various assumptions.
• considering other costs, such as increased maintenance cost of the old equipment and downtime.

14-13. (Adapted from the Certified Management Accountant Examination, June 1989, Part V, Question No. 2.)

a. The steps that Mickie Louderman should have taken during the design of the accounting information system (AIS) to ensure that end-user needs were satisfied include the following: (1) Interviews should have been conducted with all users who will be affected by any changes. The improved capabilities of the new computer system should have been presented to the users, particularly as the firm has been growing and creating new information demands, so that these new capabilities could be considered in the system revisions. (2) These fact-finding interviews should identify and clarify the users’ current problems, their future information needs, the organizational units affected, the current procedures used to provide information, user decision responsibilities, and the information needed to make those decisions. (3) The concept of separation of duties was violated by allowing (a) both inventory control and purchasing personnel to issue purchase orders, and (b) payroll clerks to prepare journal entries for payroll processing.

b. 1. Most control features of the old system were maintained to decrease the initial installation time. Louderman appointed herself as the authority for all control changes and program testing. As systems are redesigned, the selection of controls must be revisited. This is an opportunity to strengthen the new system and to customize control features to the system. Internal auditors, managers, and end-users can contribute a great deal in identifying and selecting appropriate internal controls; they should be involved in the process. 2. The implementation of one module at a time violated a basic principle of control. Each module must be thoroughly tested, involving all parties concerned. Also, all modules



must be tested as a single, comprehensive system prior to changeover from the development to production environment. 3. The system documentation must have been on schedule so that a clear and consistent understanding of the system exists among all concerned parties. The implementation of backup procedures on a delayed schedule is not at all desirable; it would be very difficult if not impossible to recover lost data in the event of a system failure. Whereas this is important all the time during the operation stage, it is critical during the changeover.

c. Weaknesses to Mickie Louderman’s approach in implementing the new AIS, and recommendation to improve the situation and continue the development of the remaining areas of the AIS, include the following:

(1) Weakness: Planning was poor and there was no systems analysis or feasibility study.
    Recommended improvement: Perform a thorough systems analysis that includes the aspects of a survey and cost and benefits analysis. Prepare a plan, budget, and schedule for completing the systems project.

(2) Weakness: Necessary systems testing and reviews were not conducted prior to implementation.
    Recommended improvement: All system modules should be properly tested for processing, informational, and control effectiveness. An accepted implementation plan for each module must be formalized and followed. Users must be required to participate, not only in the tests of information content and controls, but also in the final implementation acceptance.

(3) Weakness: Systems modules were implemented without adequate documentation, instructions, or training.
    Recommended improvement: Newly designed modules should not be implemented until adequate documentation has been prepared and all affected organizational units and personnel have been appropriately trained.

14-14. An appropriate list of implementation activities for the director of Artists Delights, Inc. to submit to the steering committee should include the following: a. Develop a project implementation plan that will result in a new inventory management function designed to overcome existing problems and to achieve established systems objectives. b. Establish time schedules and budgets, and apply techniques for the control of time and costs during the implementation phase. c. Inform the employees and managers of the implementation phase, and clarify the manner that particular organizational units and procedures and individuals will be affected. If feasible, reassure all who will be affected that they will not lose job status or security due to the change. d. Reorganize the project team if necessary in order to incorporate personnel who can provide the needed skills. For instance an accountant should be assigned to the team to aid in strengthening the standards, and an editor might be assigned to aid in the preparation of sound and thorough documentation. Also, consideration might be given to the designation of a key manager in the inventory management function to be the project leader during the implementation phase. e. Systems personnel should be hired at an early stage, since no one in the firm has experience with computers.



f. Newly hired systems personnel, plus others who have been assigned to the project team, should be given training as soon as possible. Since no one in the firm has the needed expertise, the affected individuals should be enrolled in an intensive training course provided by a professional education organization. In addition, the users, including higher-level managers, should receive limited training through lectures and seminars. g. Specific hardware and software should be selected: this step entails the preparation of a request for proposal, submitting it to several likely hardware and software suppliers, and evaluating the proposals that are received in response. A consultant should probably be engaged to aid in the selection process, since the firm has had no previous experience in such endeavors. h. Negotiate with selected suppliers of hardware and software, sign contracts, and place orders. i. Undertake the detailed design of the new information system, including the preparation of decision tables, program flowcharts, other preferred logic diagrams, report layouts, file and data base layouts, codes and so on. Based upon these detailed designs, review and adapt the software packages when they are received from the suppliers. Begin to develop custom in-house programs where suitable software packages are not available. j. Test the software packages and the hardware when received, or on the premises of the supplier. As soon as feasible test the selected hardware and software together in systems tests. k. Prepare the physical facilities that will accommodate the new computer system. l. Develop system and performance standards under the guidance of the team’s accountant members. Allow sufficient time in the schedule for this important activity, since present standards are weak. For instance, it will likely be necessary to work closely with a person designated as a data administrator and with managerial users of the system in completing this activity. m. Prepare extensive documentation to support the new system, and modify the documentation that is provided with the software packages. This documentation should include, in addition to the modified program or software manuals noted above, such items as procedures manuals and computer operation or run manuals. n. Convert inventory-related files as necessary to the new file media. If data base software is to be included in the new system, implement the data dictionary (which would be developed as a part of the standards development and documentation steps) and the schema that it incorporates. o. Perform final system checks, perhaps by means of the parallel operation or the modular conversion approach. p. Cut over to the new computer system as soon as the above system checks show it is safe to do so. q. Follow up the implementation by reviews, continued support and assistance to users, and evaluations. Also, establish schedules for the development of other related projects, including those that will involve the in-house development of application programs.

14-15. (Adapted from the Certificate in Management Accounting Examination, June 1976, Part V, Question No. 6)

a. A network diagram (with activity times in weeks listed alongside the activities) is as follows:



[Network diagram: numbered events joined by activities, each labeled with its time in weeks.]

b. c. d. e.

The overall project time is 21 weeks. The critical path follows events 1-2-5-6-4-8-9-10. A Gantt chart pertaining to the project appears on the following page. The project ending date is July 26, as shown on the Gantt chart. Delivery of the fixtures in four weeks rather than six weeks will not achieve Ms. Jones’ objective of opening the store two weeks earlier than the schedule indicates. Receiving the fixtures two weeks earlier will reduce the time required to complete path 1-2-5-6-8-9-10 from 21 weeks to 19 weeks, since the activity from 6 to 4 becomes 4 weeks. However, the new critical path now becomes 1-2-5-7-8-9-10, which involves an overall time of 20 weeks. Consequently, earlier delivery of the fixtures will enable the store to open only one week earlier.

f. Additional information that Ms. Jones needs to administer the proposed project includes: (1) The costs that are expected to be incurred during the various activities comprising the project. (2) The manpower levels upon which each of the estimated activity times was predicated. (3) The “slack” times available along each of the paths not on the critical path. (4) The actual times and costs required to complete each of the activities as the project progresses.

Gantt chart (not reproduced): the activities below plotted against weekly dates, March through July.

Activity:
A. Find building
B. Negotiate rental terms
C. Draft lease
D. Prepare store plans
E. Select and order fixtures
F. Accept delivery of fixtures
G. Install fixtures
H. Hire staff
I. Train staff
J. Receive inventory
K. Stock shelves


Case A

Inquiries that can be answered promptly with the aid of the above linkages include:
(a) Which purchase orders are outstanding with a particular supplier?
(b) What is the purchasing (and/or payables) history for a particular supplier?
(c) What is the summary of the experience with respect to a particular supplier concerning lead times, unit prices, etc.?
(d) What is a summary of all raw materials, parts, and subassemblies on order?
(e) What is the complete list of all items on order, broken down by supplier?
(f) For which materials, parts, and subassemblies is a particular supplier the preferred supplier?

Ad hoc reports can include certain of the inquiries above; in addition, ad hoc reports may provide summaries organized in any desired manner, such as the suppliers from whom the most purchases have been made.

(13) A cover letter for the design proposal might appear as follows:

DATACRUNCHER OFFICE EQUIPMENT, INC.

February 2, 199

Mr. Harry Myler, Chairman
Information Systems Steering Committee
Datacruncher Office Equipment, Inc.
Dallas, Texas

Dear Mr. Myler:

This letter summarizes a proposal for an improved system design pertaining to the purchasing and payable procedures.

According to the initial proposal for this project, the objectives of the purchases and payable system are to determine promptly when raw materials and parts should be reordered, to determine the most economic quantities to reorder, to select the most suitable supplier, to promptly place purchase orders, to answer inquiries concerning orders quickly, to perform all processing steps within the expenditure cycle efficiently and accurately, and to provide needed information for making sound decisions concerning purchasing and payment activities.

Two likely system designs have been identified. The first of these design alternatives involves replacing the present batch processing mode of purchasing and receiving raw materials and parts with an online processing system, but retaining the present batch processing of payables and disbursements. The second of the design alternatives involves replacing the batch processing mode with an online processing approach throughout the entire expenditure cycle, embedding decision models within the computer system, and establishing a data base.

Both alternatives should improve processing efficiency and timeliness, up-to-dateness of key information, accessibility to the status of ordered goods and receipts, accuracy and reliability and security of data. The second alternative should also enhance managerial decision making, reduce redundancies of stored data, and maintain the payables data in a more up-to-date condition. However, it will be much more expensive than the first alternative.

The project team recommends that a combination of the two alternatives be implemented. That is, it proposes that online processing be restricted to the purchasing and receiving activities, but that a data base be established and that the economic order quantity model be embedded (programmed) as a part of the computer system. These features should yield almost all of the benefits cited for the second alternative, while the overall cost will be significantly reduced.

The recommended alternative will require the installation of several terminals, magnetic disks, a data base management system, and a more complex operating system. If the steering committee decides at a later date to expand the online processing mode to include payables and disbursements activities, the modifications can be easily implemented.

The organization and operations would be impacted to some degree under either design alternative. The main changes would consist of eliminating one of the present data processing centers and eliminating several processing and data preparation clerks; paperwork processing would also be reduced and managers will be able to monitor the status of purchases more closely.

The main body of the proposal concerning this recommended system design alternative is attached to this letter. My personnel and I will be pleased to answer any questions that you may have.

Sincerely,
Tim Baker
Director of Information Systems

18-16. Various strategic and tactical decisions relating to purchases and payables are listed on pages 478 and 479 in Chapter 12. Consider for example the decision concerning the levels of inventory that should be stocked. The decision support system to aid in making this decision should include a relevant, up-to-date and comprehensive data base, including such data as the past consumption rate of each inventory item, the expected future levels of demand, the costs of storing inventory and reordering inventory, the available suppliers and their performance characteristics, etc.; a model base of decision and simulation models that incorporate the relevant factors and enable their interactions and sensitivities to be explored; and a user interface that allows the user to modify the models easily and to interact with the data base and model base in a “friendly” manner.


Case B

Adapted from Bonita K. Peterson and Thomas H. Gibson, “Fraud Detection and Investigation: Microcomputer Consulting Services,” Issues in Accounting Education, 14, No. 1 (February 1999), 99-114. Used with permission of the authors and the American Accounting Association.

PART 1: a) What additional work could the Internal Audit Department perform prior to issuing the audit report? Due to the unauditable state of affairs of the MCS, it is difficult for the Internal Audit Department to do much more work. However, prior to issuing the audit report, the Internal Audit Department could also perform some ratio analysis. Specifically, a trend analysis of the ratio of the volume of purchases to the volume of recorded sales over a period of approximately five years might provide some useful insight about the extent of the suspected fraud. Are the ratios the same over this period of time? If not, can the manager provide a plausible explanation for the change in the ratios? Although the manager had been in his current position for eight years, this case took place in the late 1980s. Personal computers were becoming more commonplace at that time, although computers were not yet very numerous. Thus, it is unlikely this suspected fraud occurred during the first few years of the manager's employment period. Another analytical technique the auditors might apply is to multiply the cost of the units purchased by the standard markup percentage (the MCS marked up all products by a flat 6 percent). The resulting figure should approximate the recorded revenue. If the approximate revenue amount differs materially from the recorded revenue amount, the MCS manager should be approached for an explanation.

b) What type of report should the Internal Audit Department issue, to whom, and with what objectives in mind? The report the Internal Audit Department should issue to the campus computing services director and the administration should state that the Microcomputer Store is unauditable. In addition, the report should explain why the operation is unauditable (documents are not prenumbered, necessary supporting documentation is impossible to locate and no compensating controls existed to offset these material weaknesses). The objective of this report is simply to report what was found, not to draw any conclusions or make any accusations that could not be supported by the audit evidence.

c) What recommendations to the campus computing services director and the university administration would be appropriate for the MCS?

Note: The auditors might find it useful to prepare a flowchart of the MCS system to help illustrate for the campus computing services director and the university administration the internal control weaknesses present and to help explain where controls are needed.

From the audit work performed, it is obvious that internal controls are virtually nonexistent. Thus, appropriate recommendations for the MCS include:

• Adequate separation of duties is desperately needed. Currently, too much responsibility is given to the MCS manager. He had custody of the inventory, the authority to purchase inventory, and apparently the ability to manipulate the record keeping of the inventory (i.e., it was not possible to determine through a review of the books how much inventory should be on hand and how much was, in fact, sold). The functions of authorization, custody and record keeping must be spread among different individuals, both for the financial records and for the physical assets along with the operating records. Otherwise, it is possible to commit and conceal a fraud.

• Adequate supervision is crucial. The direct supervisor of the MCS manager (in this case, the campus computing services director) must learn the details of operating the Microcomputer Store in order to be able to supervise the daily operations properly. Currently, there are no independent checks on the MCS manager's work. Lax management combined with improper segregation of duties makes it remarkably easy to commit and conceal a fraud.

• Prenumbered documents should be used and accounted for on a regular basis. This control makes it possible to determine whether a document is missing. Any missing document should trigger an investigation to determine if a potential problem exists in its use or authorization.

• A written procedures manual containing job descriptions needs to be prepared and followed. This is an important tool to assign authority and responsibility. The manual should contain sample copies of the forms and documents used by the Microcomputer Store, along with instructions on how to fill out such forms and how to properly handle specific transactions. This manual will then serve as a useful on-the-job reference for employees, since it spells out management policy with respect to handling transactions.

• Physical access to the inventory should be controlled so that accountability is maintained.

• The inventory records should be kept on a perpetual basis, and maintained by someone not responsible for ordering, selling or shipping inventory.

• A physical inventory should be taken at least once a year by personnel independent of those who have custody of the inventory or are responsible for its record keeping, and the count should be observed by the internal auditors; this physical count should be reconciled to the recorded inventory. (There should be a perpetual record of purchases, returns and sales of inventory.) This reconciliation should also be documented and performed by a person independent of recording or maintaining custody of the inventory (e.g., the department's accountant). Any material discrepancies should be fully investigated.

• Adequate supporting documentation should be required prior to paying for any purchase. This includes a matching (and properly approved) purchase requisition, purchase order and receiving report. The supporting documentation should be reconciled and attached to the vendor's invoice and canceled upon payment of the invoice.

• Documentation should be maintained that makes it a simple matter to trace the purchase of each individual computer or printer to its campus destination. A shipping document, which indicates the hardware was delivered and set up in the campus department that requested the purchase, should be prepared. This shipping document (along with the purchase requisition, purchase order, receiving report and vendor's invoice) should be the supporting documentation for the MCS sales invoice (this billing should be to a campus department). All related documents should be attached together and filed so that they can easily be retrieved if questions about the transaction arise later.

• Receivable/payable confirmations for the Microcomputer Store should be performed at least annually by a person independent of those who are responsible for record keeping.

• Policies regarding "no sales" to private parties should be clearly articulated, well documented and widely communicated.
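Several of the Part 1 procedures (accounting for prenumbered documents, requiring matched support before paying a vendor invoice, the purchases-to-sales trend and the 6 percent markup test) reduce to mechanical checks once the records exist. The following Python code is an added example, not part of the original solution; the record layouts, order numbers and dollar amounts are constructed, and it assumes expected revenue equals purchase cost times one plus the markup, with no material change in inventory on hand.

```python
"""Audit checks for a small store: document sequence, purchase support, revenue."""
from decimal import Decimal

MARKUP = Decimal("0.06")  # flat 6 percent markup stated in the case


def sequence_exceptions(numbers):
    """Return (missing, duplicated) numbers in a prenumbered document series.

    Only gaps between the lowest and highest number seen can be detected;
    the auditor still has to confirm the first and last numbers issued.
    """
    seen, dupes = set(), set()
    for n in numbers:
        if n in seen:
            dupes.add(n)
        seen.add(n)
    if not seen:
        return [], []
    missing = [n for n in range(min(seen), max(seen) + 1) if n not in seen]
    return missing, sorted(dupes)


def unsupported_invoices(invoices, requisitions, purchase_orders, receiving_reports):
    """Map each vendor invoice to the supporting documents it lacks.

    An invoice is payable only with an approved requisition, a purchase
    order and a receiving report for the same order number.
    """
    exceptions = {}
    for inv in invoices:
        order = inv["order"]
        problems = []
        req = requisitions.get(order)
        if req is None:
            problems.append("no requisition")
        elif not req["approved"]:
            problems.append("requisition not approved")
        if order not in purchase_orders:
            problems.append("no purchase order")
        if order not in receiving_reports:
            problems.append("no receiving report")
        if problems:
            exceptions[inv["invoice"]] = problems
    return exceptions


def revenue_test(purchase_cost, recorded_revenue, tolerance=Decimal("0.05")):
    """Compare recorded revenue with cost of purchases plus the flat markup.

    Assumption: expected revenue = cost * (1 + markup), with no material
    change in inventory on hand. Returns (expected, shortfall, flagged).
    """
    expected = purchase_cost * (1 + MARKUP)
    shortfall = expected - recorded_revenue
    return expected, shortfall, abs(shortfall) > expected * tolerance


def purchase_to_sales_trend(yearly):
    """Ratio of purchases to recorded sales per year, rounded to 2 places."""
    return {year: (p / s).quantize(Decimal("0.01"))
            for year, (p, s) in sorted(yearly.items())}


# Constructed sample records (not figures from the case).
SALES_INVOICE_NUMBERS = [1001, 1002, 1004, 1005, 1005, 1008]
VENDOR_INVOICES = [
    {"invoice": "V-1", "order": "PO-10"},
    {"invoice": "V-2", "order": "PO-11"},
    {"invoice": "V-3", "order": "PO-12"},
]
REQUISITIONS = {"PO-10": {"approved": True}, "PO-11": {"approved": False}}
PURCHASE_ORDERS = {"PO-10", "PO-11"}
RECEIVING_REPORTS = {"PO-10"}
YEARLY = {  # year label -> (purchases, recorded sales)
    "Y1": (Decimal("94000"), Decimal("100000")),
    "Y2": (Decimal("96000"), Decimal("102000")),
    "Y3": (Decimal("110000"), Decimal("100000")),
    "Y4": (Decimal("125000"), Decimal("98000")),
    "Y5": (Decimal("130000"), Decimal("95000")),
}

if __name__ == "__main__":
    print("sequence:", sequence_exceptions(SALES_INVOICE_NUMBERS))
    print("unsupported:", unsupported_invoices(
        VENDOR_INVOICES, REQUISITIONS, PURCHASE_ORDERS, RECEIVING_REPORTS))
    print("revenue test:", revenue_test(Decimal("100000"), Decimal("90000")))
    print("trend:", purchase_to_sales_trend(YEARLY))
```

A purchases-to-sales ratio that climbs above 1 while the markup is fixed means goods are being bought that never reach recorded sales, which is the question the trend analysis puts to the manager.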

PART 2: a) At what point should the Internal Audit Department suspect a fraud? What actions should be considered to ensure that professional auditing standards are met? Whom does the Internal Audit Department need to inform? The Internal Audit Department should suspect a fraud upon discovery of the unauditable state of affairs of the Microcomputer Store, coupled with the fact that the MCS manager was running the MCS virtually by himself and had suddenly begun to enjoy a lifestyle that his modest salary could not possibly support. The telephone call from the local repair shop owner and the meeting with the library director certainly did heighten that suspicion to the point of prompting further investigation. The Internal Audit Department needs to remember that it functions as the eyes and ears of management (here, the campus computing services director and the university administration); thus, it is to serve as the information-gatherer (not the prosecutor). It is important that unsupported accusations not be made. In addition, when gathering audit evidence to support the charge that a fraud has occurred, legal ramifications must be continually considered. The fraud suspect must not be treated unjustly, since he/she has not been convicted of any crime at this point. In short, the internal auditors need to be concerned about avoiding acts of libel and slander. However, actions must also be taken that are adequate to prevent a further loss of assets during the investigation. The Internal Audit Department needs to inform those at the highest level within the organization. In this case, that would be the university administration, university police and the university legal counsel. It would not be wise to simply notify the MCS manager's immediate supervisor; since all the facts have not yet been gathered, it is possible that the supervisor may also be involved in the fraud. 
b) What red flags might have initially tipped off the internal auditors that this employee might be involved in a fraud? The red flags include:

• There were virtually no internal controls present in the operation;
• Too much control was given to a single employee;
• The MCS manager's lifestyle was beyond what his modest salary could support. He had just returned from an expensive European honeymoon, had purchased a new house in the area within the past year and had recently purchased a new sports car; and
• There was lax management in the MCS operations (no supervisory oversight, no independent checks).

c) In what ways does the MCS manager fit the profile of the typical fraud perpetrator? The MCS manager fits the profile of the typical fraud perpetrator in that:

• He had no prior criminal record (the fraud is typically the first criminal offense of the perpetrator);
• He apparently spent all that he had stolen (fraud perpetrators rarely, if ever, hoard their embezzled funds);
• He was a highly trusted, loyal, responsible employee in a position of trust (he virtually ran the entire MCS operation on his own);
• Like most fraud perpetrators he had no demographic or psychological characteristics that made it possible to distinguish him from honest employees (most fraud research indicates that fraud perpetrators' profiles look identical to their honest counterparts'); and
• As found in a majority of reported fraud cases, he acted alone.

PART 3: a) What types of audits may the Internal Audit Department perform within X State University? Rank the audits in terms of importance to the university.

• Student billing and cash receipts accounting
• Endowment and gift giving
• Payroll and benefits
• Fixed assets inventory and maintenance
• Student services (cafeteria, bookstore, student organizations, etc.)
• Accounts payable
• Research grants

Note: This provides a generic list of audits listed roughly in order of importance. These audits can be classified as routine and are usually scheduled on a cycle basis. Other non-routine audits may be performed depending on preset criteria, such as new initiatives, level of expenditure, and risk exposures involved.

b) Why do you think X State University’s external auditors did not uncover the fraud? If external auditors, during their audit, find evidence to suspect any abnormal situations, it would be necessary for them to investigate those situations further. On the other hand, in the absence of such evidence, which they may not encounter in their audit, they are not directly responsible to uncover fraud. The external auditor may not always “run into” evidence of abnormality, for the audit is to be broad-based and cost-effective.

c) What should have been the key points of the audit report? What supportable audit conclusions could be drawn? The key points of the audit report should be meaningful, factual and informative. The Internal Audit Department must be careful to avoid speculating in the report, or making any unsubstantiated comments (e.g., "We believe that..."). Supportable audit conclusions that could be drawn are as follows:

• The university policy for the Microcomputer Store (that there were to be no sales by the store of hardware, software, or peripheral devices to anyone for personal use, that sales were to be made only to the campus departments for university-related work use) had been repeatedly violated by the MCS manager.
• The billing procedures for the MCS were inadequate since there were no billing records for over $14,500 of inventory purchased by the university and in the possession of the three employees who could prove they had personally purchased the equipment from MCS.
• The record-keeping procedures of the MCS were inadequate since it was impossible to fully account for expenditures of more than $140,000 that had been paid for with university funds. These expenditures included not only the purchases of computer hardware, but also the installation of software and other internal devices.

d) What additional steps might have been taken by the Internal Audit Department to uncover evidence regarding the existence and the extent of the suspected fraud? The Internal Audit Department might have also performed a net-worth analysis of the MCS manager. Because of the lifestyle changes displayed by the manager, an analysis of net worth might have provided additional evidence, albeit circumstantial, of the suspected fraud. The amount of the suspected fraud ($140,000) equals the estimated expenditures of the suspect (e.g., new house, European honeymoon, new sports car, as well as regular living expenses) minus the suspect's known net income. (Access to the suspect's personal records is not required, since much of the needed information can be obtained from public sources and interviews.) A net-worth analysis is an excellent tool that might be invoked after it is determined that there is a good possibility of a fraud. (It should be noted, however, that a good manager would notice any subordinate's lifestyle change where he appears to be living beyond his means. An alert manager then should take informal steps to determine whether a potential problem exists (i.e., Is there outside consulting work being done? Has it been approved in accordance with institutional policy? What is the name of the business? When is the work being done? Who are some of the vendor suppliers?). These are legitimate management questions to help ensure that a subordinate is operating within the confines of existing institutional policy.)

The Internal Audit Department might have also been able to work with the state department of justice to determine if the suspect had been making unusually large cash deposits to his personal bank account (banks are required by Federal law to report such suspicious transactions to the U.S. Department of the Treasury under the Bank Secrecy Act). Since the MCS manager earned a salary of approximately $18,000 and had no other known sources of income, unusually large deposits might be additional evidence of the suspected fraud and could help to determine the dollar amount of the fraud. However, the Department of Justice would have to become involved via the state's legislative auditor's office, attorney general and county attorney.

Finally, if it were not for the fact that the MCS manager had, by this time, moved across the country to his new job, the Internal Audit Department might have also been able to set up some kind of "sting operation." In such an operation, the Internal Audit Department and the university police would have people purchase computer equipment from the MCS manager for personal use, unknown to the manager, to determine if he would have not recorded the sales on the MCS books. (The auditors need to be cognizant of the issue of "entrapment." Internal auditors must be concerned that they do not operate under the direction of legal counsel or law enforcement. To be directed by legal counsel or law enforcement would change the internal auditors' standing from one of broad independence to one of a narrow, prescribed, defined investigator role. Since the MCS manager had already resigned and relocated across the country to the coast by this time, entrapment was not an issue of concern in this case.)

e) Based on the above facts, how would you tentatively evaluate the internal control environment (ICE) within X State University? If the MCS case is any indication of how other organizational units within the university might be operating, it would be safe to presume that the internal control environment within the university is weak.

f) The Internal Audit Department plans to implement additional internal controls and security measures to prevent such a situation from recurring.
1. Determine the high-risk exposures and low-risk exposures in the MCS operations and accounting system.
2. What specific internal control and security measures, in addition to the ones mentioned in the case, should be implemented to prevent or minimize the high-risk exposures from occurring?
3. What on-going and periodic activities should be conducted to “monitor” the MCS operations and accounting system?

1. High risk exposures would include billing and receivables and inventory and payables. Low risk exposures would include salaries and other expenses of the department.



2. To prevent or minimize the high-risk exposures from occurring, the following control and security measures may be implemented (in addition to those suggested elsewhere): Part 1, Requirement c, offers a comprehensive list of control and security measures. Additional specific controls consistent with the list can be identified. For example, purchases over a certain limit should require preapproval. Vendors should be preapproved. Inventory shipping address cannot be different than the university receiving site. All shipments from the university should go through the shipping/dispatch department. It is important to note that the internal control system should be cost effective.

3. A. Ongoing activities:
• Surprise count of inventory
• Review of payables and receivables
• Reconciliation of major inventory components (e.g. microcomputers) inventory
• Review of budgeted and actual expenditures

B. Periodic activities:
• Customer satisfaction survey
• Vendor survey
• Surprise shopper at the store
• Store operations audit

PART 4: a) Do you think the university should have brought criminal charges against the MCS manager? Why or why not? Besides the reason of insufficient evidence, why might a company be unwilling to prosecute a suspected fraud perpetrator? Students will argue both sides of the issue of whether the university should have brought criminal charges against the MCS manager. On the one hand, some students will argue that if there is not sufficient evidence to support a conviction, it is a waste of resources to go to court. On the other hand, some students will feel strongly that prosecution should have been attempted because, if left unpunished, the perpetrator often goes on to steal again. In addition, some students will argue that even if the evidence was weak, prosecuting the fraud perpetrator could deter others from committing fraud within the same organization. However, this last belief is a myth about fraud.
Research has found that banks that prosecuted fraud perpetrators did not suffer significantly fewer fraud losses than banks that did not prosecute fraud perpetrators. It is theorized that the reason behind this surprising result is that fraud perpetrators generally have large egos. In other words, Smith believes Jones got caught because Jones was not smart enough in committing his fraud; Smith believes he is smarter and will be able to successfully conceal his fraud.

In this case, as a public institution the university cannot file any criminal charges. It is limited to taking only administrative action, though it must also report any suspected illegal activity to the state's legislative auditor's office (LAO) and attorney general. The LAO generally coordinates an investigation, in conjunction with the county attorney, and the county attorney generally files any criminal charges. The state did not bring criminal charges because the county attorney believed the state did not have sufficient evidence to successfully prosecute and obtain a conviction. While the evidence gathered certainly pointed toward the MCS manager as committing the fraud, it was not irrefutable; in their judgment, the suspected fraud could not be proved beyond a reasonable doubt, other than those purchases/sales to which the MCS manager confessed and for which he then offered restitution ($14,500). In addition, the suspected fraud perpetrator had already moved across the country, so it was not feasible to confront the suspect face-to-face with the evidence gathered in an admission-seeking interview (typically one of the last steps in a fraud examination).

Obtaining sufficient evidence to prove the alleged fraud is one of the biggest problems with white-collar crime. Typically, the fraud perpetrator has been a trusted employee who has expert knowledge about how the accounting system works. This knowledge allows the individual to conceal his fraud, making it difficult to gather sufficient evidence even to determine the full extent of the fraud, much less to successfully prosecute.

The fraud perpetrator may still face legal battles, however. A common cash management practice is to carry a fidelity bond, which is an insurance policy that covers most cash embezzlement losses. The fidelity bond will not prevent or detect fraud, but it will protect the purchaser from bearing the entire loss if embezzlement occurs. If the university fidelity bond is drawn upon, the bonding company may file civil charges against the fraud perpetrator for the insurance payout. In addition, embezzled cash is considered taxable "earnings" by the Internal Revenue Service. It is extremely unusual for a fraud perpetrator to report embezzled funds on the perpetrator's tax return. Thus, if there are unreported earnings, the Internal Revenue Service may also file charges in court.

It should be noted as well, however, that fraud cases often go unprosecuted for reasons other than insufficient evidence.
Companies (e.g., banks) may be reluctant to suffer the negative publicity a highly publicized fraud case can generate; fraud can be extremely time-consuming, difficult and costly to investigate; prosecutors have a difficult time explaining and proving the intricacies of the fraud to a jury with no business background or understanding of accounting; and even when a conviction is obtained, the sentences received are often light, particularly when compared to sentences rendered to a party convicted of robbing a bank at gunpoint for less money. Ernst & Young's international fraud survey (1996) confirmed some of these reasons. A large majority of survey respondents believed that jurors did not understand fraud cases and that the judicial system would be dramatically improved if experienced business professionals served on the juries of fraud cases. The respondents stated their belief that defense lawyers overcomplicated fraud cases to gain an advantage and that the laws needed simplification to improve the process. Finally, over half the survey respondents felt that the sentencing in their home country was too lenient. An example of a lenient sentence is found in the case of C. Arnoldt Smith, former owner of the San Diego Padres baseball team. He pleaded nolo contendere (no contest) to the charge that he had stolen $200 million from his bank, none of which was ever recovered. His sentence consisted of four years' probation and a fine of $30,000, to be paid at the rate of $100 a month with no interest. At that rate, it would take Mr. Smith 25 years to pay his fine. He was 71 years old at the time of his sentencing.

b) What other work remains to be done by the internal auditors to bring this case to a close? Other work to bring closure to this case includes implementing controls for the MCS that will prevent such a fraud from recurring. For example, adequate separation of duties and proper supervision is needed; prenumbered documents should be used and accounted for; supporting documentation should be required prior to paying for any purchase; documentation should be maintained which makes it relatively easy to trace the purchase of each individual computer or printer to its campus destination; and the "no sales to private parties" policy should be clearly articulated, well documented and widely communicated. Also, because of the sensitive nature of the investigation, care must be taken to control access to the audit working papers, and the retention of these working papers should be set apart from the normal retention policies. In addition, the internal auditors should ensure that the working papers simply stick to the facts and that no unsupported conclusions or accusations are included in the working papers (e.g., "We believe that the MCS manager stole $140,000 worth of inventory..."). All issues considered should be documented, and their resolution should also be clearly identified. Similarly, because of the sensitive nature of the documentation contained in the MCS manager's personnel file, the retention policy of the file should be set apart from normal retention policies. At the very least, retention policy should reflect the statute of limitations for civil and criminal matters, which can vary across jurisdictions.

c) A confession by the MCS manager would have made this an "open-and-shut" case. Should the internal auditors have tried harder to obtain a confession, perhaps by relying more upon the university's legal counsel and law enforcement officers in the investigation?

It should first be noted that internal auditors will not be operating alone in their fraud examinations. A complete fraud examination team must be assembled, typically including individuals from a variety of disciplines, such as internal audit, legal counsel, security department investigators and perhaps an outside specialist such as a Certified Fraud Examiner. Certified Fraud Examiners (CFEs) are trained for the task of building a case against a fraud perpetrator. CFEs are skilled in conducting interviews, performing surveillance, using informants and obtaining usable confessions. Most internal and external auditors will serve as assistants to CFEs because this is not "normal" auditing.

In this case, under state law the suspected fraud was reported in writing to the legislative auditor's office (LAO) and the state attorney general. A campus team of legal counsel, the chief of police, internal auditors, the information technology director, and an LAO representative was set up to investigate and document the suspected fraud. Thus, while legal and law enforcement personnel assisted in the investigation, these personnel were not relied upon by the internal auditing team to obtain a confession. One outcome of too much reliance on legal or law enforcement personnel during the investigation is the loss of autonomy by internal audit personnel when acting as an "officer of the court." This change in status for internal auditors severely hampers their ability to freely inquire and investigate without having clearly defined "legal due process" being invoked. Internal audit personnel must be adequately trained and supervised to allow the development of a plan for investigation of an incident without undue reliance on and guidance by legal counsel and law enforcement personnel.

d) Do you think the university should have retained a Certified Fraud Examiner (CFE) to aid the internal audit department in conducting the fraud investigation? In obtaining a confession of guilt?

If the expertise within the internal audit department is not available or is not adequate to deal with the fraud investigation, retaining a fraud examiner would certainly be helpful. This would help expedite the case and also ensure that the investigation is quite comprehensive and complete. It is likely that a confession of guilt would be easier to obtain when an expert from outside the university is engaged. However, involving an external agent in this case would complicate the issue in terms of further action, such as pursuing justice in a court of law.

e) Fraud researchers have coined the phrase "fraud triangle" to describe why people commit fraud. The three elements that make up the fraud triangle are pressure, perceived opportunity and rationalization; all three must be present for a fraud to occur. The pressure provides the motive to commit the fraud, and usually involves financial need. The opportunity typically presents itself in the form of weak or nonexistent internal controls. Fraud perpetrators must believe that they will be able to commit the fraud and remain undetected. Finally, fraud perpetrators must be able to rationalize or justify their fraudulent actions as morally acceptable. One of the most common rationalizations is that the fraud perpetrator will pay back the stolen funds, so that the perpetrator is only "borrowing" the money for the moment. Apply the fraud triangle to this case, and describe the pressure, perceived opportunity and rationalization that were present and that allowed the MCS manager to commit his fraud.

The pressure or motive to commit a fraud generally takes the form of a financial pressure, although nonfinancial pressures might also exist (e.g., the desire to "get even" with an employer; the need to report results better than actual performance in order to keep one's job, etc.). Here, the MCS manager was apparently spending his embezzled funds to support a more extravagant lifestyle.

The opportunity to commit a fraud generally takes the form of poor or nonexistent internal controls coupled with access to money or property. However, it is important to note here that what is required for a fraud to occur is the perception that the opportunity exists to commit a fraud and conceal it. For the MCS manager, the opportunity existed in the form of extremely weak internal controls as discussed earlier in this case.

Finally, the third element necessary for a fraud to occur is that of rationalization. The fraud perpetrator must be able to somehow justify the illegal actions and make them consistent with his personal code of ethics (e.g., "Everybody does it," "Nobody will get hurt," "I deserve more than I am being paid," "I'm only borrowing the money and will pay it back soon"). The MCS manager apparently rationalized his actions by denying to the bitter end that this was theft; he was simply "borrowing" the inventory temporarily because the time delays in ordering goods for his consulting business were not acceptable. He claimed it was a simple oversight that the inventory was never replaced.

It is interesting to see what rationalizations the students can come up with on their own. If this case is used after the course's fraud segment is covered, students should have no trouble coming up with plausible rationalizations. However, if this case is used as an introduction to the course's fraud segment, with a little prodding students can still generally come up with some reasonable rationalizations.



Case C

a. A systems plan:

Dress Ace! Inc.
A Systems Plan
January 19xx

I. Summary
II. Objectives of the redesigned information system
III. Assumptions and constraints
IV. Systems Projects:
   1. Shipping, including receiving and inventory
      A. Scope
      B. Problems and objectives
   2. Accounts receivable
      A. Scope
      B. Problems and objectives
   3. Accounts payable
      A. Scope
      B. Problems and objectives
V. Justification for the redesign projects
VI. Summary of data processing equipment currently in use and planned to be used
VII. Phases in the system development cycle



DRESS ACE! INC.

a. A systems plan:

Dress Ace! Inc.
A Systems Plan
January 199x

I. Summary

Over the past few months, despite increasing sales and a constant dollar markup in finished goods, the firm seemed to have very little cash in the bank. The firm’s owner is concerned. A primary purpose of this initiative is to study, review, and evaluate the current accounting information system, including internal controls, and to propose system revisions that would ensure that adequate internal controls exist, and that reliable and accurate information is produced for the owner and managers to lead the business. The following sections of this plan cover objectives, assumptions and constraints, specific projects planned, justification for the redesign, and a summary of systems-related resources. Also covered are the phases in the system development cycle for the proposed improvements to the system.

II. Objectives of the redesigned information system

1. To ensure that accounting information produced is reliable, accurate, and timely.
2. To ensure that an adequate internal control system is built into the accounting information system, so that risk exposures are properly managed, and assets of the firm are safeguarded.

III. Assumptions and constraints

1. Dress Ace is a small business. Therefore, it is assumed that it would not be possible to add any more employees. Any addition to the staff, if proposed, will be carefully investigated.
2. The firm’s resources are limited. If a computer-based AIS is proposed, the commitment of resources for such a system will be evaluated to ensure that such a move is cost-effective.

IV. Systems Projects:

1. Shipping, including receiving and inventory
   A. Scope: This module covers the receiving of raw materials, finished goods from contractors, and returns from customers. It also covers the shipment of orders to customers.
   B. Problems and objectives: A primary problem appears to be in the area of internal controls. Accounting for all goods entering the firm and leaving the firm needs to be improved considerably. Such improvements will ensure that information regarding receivables and payables is accurate, complete, and timely, and that there is no loss or theft of goods.
2. Accounts receivable
   A. Scope: This module covers the accounting for receivables, both in terms of recording sales and cash receipts, as well as in collection management.
   B. Problems and objectives: A primary problem in this area results from the lack of organizational independence. The bookkeeper is charged with two conflicting responsibilities, maintaining accounts receivable records and managing cash receipts. This and related procedures will be examined and modifications will be proposed.
3. Accounts payable
   A. Scope: This module covers the accounting for payables, both in terms of recording purchases and disbursing cash.
   B. Problems and objectives: A primary problem in this area results from the fact that the bookkeeper is solely responsible for both recording accounts payable and paying virtually all obligations of the firm. An objective is to propose improvements so that the redesigned system will be more secure, and will provide reliable information.

V. Justification for the redesign projects

Due to the size of the firm and weaknesses in the current accounting system, the firm suffers from considerable gaps and deficiencies in the internal control of the system. Consequently, the firm’s assets are at risk, the efficiency of operations can be improved, more information can be generated to properly plan and control operations, and more reliable information can be produced and reported. No records are available to estimate possible losses from theft, erroneous accounting, or employee fraud. Therefore, it is difficult to estimate possible benefits, although very significant improvements can be realized from a redesigned system. The costs of such a system are anticipated to be at a modest and affordable level.

VI. Summary of data processing equipment currently in use and planned to be used

Currently, all systems and procedures are manual. An alternative of developing a relatively simple, computer-based AIS will be considered and evaluated. Although specifications for such a system can be developed only at a later stage, it appears that the system will consist of a simple network of three nodes (one each for the owner, shipper, and bookkeeper).

VII. Phases in the system development cycle

If this plan is approved, the next five phases of the system development life cycle will be undertaken: system analysis, system design, system selection, system implementation, and system operation. In the analysis phase, users of the current system will be interviewed to determine what their information needs are, and how well those needs are met by the system. The existing system will be observed, and related documentation, if any, will be studied. The system design stage will begin with an evaluation of what is known about the current system, with a view to making improvements, so that the system objectives are met efficiently and effectively. This phase will produce a conceptual/logical map of the proposed system. The system selection phase uses the logical design to produce alternative physical designs of the new system. These alternatives will be analyzed, so that the final physical configuration is selected. The system implementation is the phase where the system is actually brought into existence. Finally, the redesigned system goes into operation on an on-going basis.

b. Problems that exist in the current system:

Shipping:
1. All goods arriving (raw materials, finished goods, and returns from customers) are counted and verified by one person, the shipper. The separation of duties is not adequate.
2. Since the owner verifies the goods arriving only once in a while, possibilities of fraud exist.
3. For the finished goods received from contractors, only the packages are counted. Total number of units is not verified, nor is the quality of merchandise examined. If the shipper claims a shortage later on, the contractor’s pay is reduced to meet the deficit.
4. The nature of problems is very similar (to the ones described in (3) above) in the case of merchandise returns from customers.
5. For all goods leaving the firm, the shipper may ship less in filling the order, while showing a full shipment on the documents.
6. Periodic inventory system does not provide any checks on the receiving and shipping data. Everything but the ending inventory is considered cost of goods sold. Thus, there is no real check on whether or not the cost of goods sold derived in this manner includes losses, thefts, pilferage, or consequences of accounting errors.

Accounts receivable:
1. In accounting for receivables, the organizational independence is missing. There exists a lack of separation of duties, for the bookkeeper handles cash received and also keeps books (sales journal, accounts receivable auxiliary, general ledger, etc.). Therefore, the firm’s assets are vulnerable.
2. Mispricing of goods shipped to customers may occur. The owner verifies the invoices and accounts receivable only occasionally.
3. The statements for customers are made directly from accounts receivable auxiliary. Any incorrect posting would result in incorrect billing.

Accounts payable:
1. The bookkeeper is solely responsible for both recording and paying virtually all accounts payable. The separation of duties is not adequate and the possibilities of fraud exist.
2. The bookkeeper is in charge of accounts payable records, payments to accounts payable, reconciliation of bank statements, etc. Such broad scope of the bookkeeper’s duties heightens the risk exposures to the firm. For example, the bookkeeper can create fictitious accounts and defraud the firm.



DressAce c1a. A level-zero data-flow diagram: Shipping

[Diagram not reproduced. External entities: Contractor, Supplier, Customer. Processes: 1.0 Receive, sign shipping memo; 1.0 Count packages, sign shipping memo; 2.0 Unbundle, if necessary, ship to customer; 2.0 Verify receipts against order; 3.0 Prepare request for credit; 4.0 Prepare credit memo.]


DressAce c1b. A level-zero dataflow diagram: Accounts receivable and sales order processing

[Diagram not reproduced. External entities: Salesperson, Customer, Bank. Processes: 1.0 Prepare internal purchase; 2.0 Prepare invoice; 3.0 Enter into sales journal; 4.0 Post in accounts receivable auxiliary; 5.0 Open checks; 6.0 Prepare deposit slip, deposit, post. Data stores: Customer file, Invoices file, Sales journal, Accounts receivable auxiliary.]


DressAce c1c. A level-zero dataflow diagram: Purchases and accounts payable

[Diagram not reproduced. External entities: Supplier, Contractor. Processes: 1.0 Open mail and forward invoice; 2.0 Sort, file invoice due; 3.0 Enter into sales journal; 4.0 Stamps invoices as paid; record payment information.]


(2) A computer system flowchart of an improved system

Note: An integrated flowchart for all three modules is shown here. It is assumed that the selected alternative is online input, batch processing.

[Flowchart not reproduced. Areas shown: Shipping Department, Office. Processing steps shown: Key-to-disk; Process orders; Enter; Edit, verify; Update accounts receivables; Update (accounts payable auxiliary); Process adjustments; Process payments. Files shown: Sales invoice file, Shipping history file, Open invoice file, Supplier history file, Accounts receivable auxiliary, Accounts payable auxiliary, General ledger, Check register.]


(3) Entity-relationship diagram

[Diagram not reproduced. Entities shown: Supplier / Contractor, Shipment, Goods, Goods (returned), Customers, Checks, Payment, Bank account. Relationships shown: delivers, contains, sold to, return, remit, remitted to, deposited in, adjusted against.]


Tables needed, if a relational database is chosen, include the following:

Customer table: Customer Number, Name, Address, Credit Limit
Supplier table (includes contractors): Supplier Number, Name, Address
Finished Goods table: Item Number, Description, Unit Price, Pattern Number
Shipment table: Shipment Number, Date, Carrier, Supplier Number
Shipment Line Item table: Shipment Number, Item Number, Quantity Received
Customer Invoice table: Customer Number, Invoice Number, Date, Total amount
Invoice Line Item table: Invoice Number, Item Number, Quantity, Total Price
Cash Receipts table: Remittance Number, Customer Number, Date Received, Amount Received
Cash Disbursement table: Disbursement Voucher Number, Supplier Number, Amount, Check Number, Check Date
Account Distribution table: Disbursement Voucher Number, Account Number, Amount, Check Number, Date


c.4. Internal controls that are needed include the following:

Shipping and inventory:
1. Two persons should be responsible for counting the items received. The first shipper counts, enters the amount counted on the shipping memo, signs it, and passes it to shipper #2. Shipper #2 recounts the items, verifies his amount against that of shipper #1, records his quantity on the memo, and signs the memo. Shipper #2 remits the memo to the owner. (Note: In this and the following observation, an assumption is that an additional shipper will be required to be hired. Benefits of doing so appear to have the potential to exceed the costs, although the available information is not enough to evaluate this suggestion. Alternatively, either the designer or cutter may be assigned the responsibilities suggested for Shipper #2.)
2. The same procedure as in (1) above applies to goods leaving the firm. The order form indicating the quantity shipped goes to the bookkeeper after both shippers sign it.
3. The firm should seriously evaluate the feasibility of using a perpetual inventory system instead of the current periodic inventory system. Under the existing system, all costs that are not assigned to the ending inventory are considered as Cost of Goods Sold. Thus, any losses, thefts, pilferage, and other frauds may not be noticeable. The perpetual inventory method would help identify the difference between actual and book balance, and thus permit an investigation of such differences. Both costs and benefits of maintaining a perpetual inventory system should be considered in the evaluation.
4. The owner should supervise the factory more often. His presence conveys a sense of monitoring of operations. This, in turn, will help improve employee productivity and attention to tasks assigned to them.

Accounts Receivable:
1. The owner should take responsibility for opening the mail, preparing the deposit slip, and depositing the checks at the bank himself, preferably on the same day.
2. The owner should make more frequent spot checks and make sure that the bookkeeper is aware that the spot checks are being made. With tighter standards, employees tend to work harder at trying to do their jobs properly.

Accounts Payable:
1. It is essential to separate the function of payment to the suppliers from the function of recording the payments. The owner should look after payments, and the bookkeeper should take care of the recording of such payments. This arrangement will permit separation of duties.

Other activities:
The bookkeeper, although trustworthy, has the entire spectrum of responsibilities in relation to the accounting function. He maintains all the journals, the general ledger, subsidiary ledgers, bank deposits, processing of payments, bank reconciliations, and so forth. This makes it very difficult to achieve separation of duties for responsibilities that are incompatible. The owner’s presence and active participation in many critical activities (e.g., opening the mail, depositing checks) is important to manage risk exposures.
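The dual-count and perpetual-inventory controls recommended for shipping and inventory can be sketched in code. This is an added example, not part of the solution manual: the style codes, memo numbers and quantities are constructed, and the `Memo` record and function names are hypothetical. It holds any memo whose two counts disagree out of the books, then shows how a perpetual book balance exposes a shortage that the periodic method would fold into cost of goods sold.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Memo:
    memo_id: str
    kind: str      # "receipt" (goods entering) or "shipment" (goods leaving)
    style: str
    count_1: int   # quantity recorded and signed by shipper #1
    count_2: int   # independent recount recorded by shipper #2


# Constructed sample data (not from the case): units per dress style.
OPENING = {"A100": 40, "B200": 25}
MEMOS = [
    Memo("R-001", "receipt", "A100", 60, 60),
    Memo("R-002", "receipt", "B200", 30, 28),   # the two counts disagree
    Memo("S-001", "shipment", "A100", 50, 50),
    Memo("S-002", "shipment", "B200", 20, 20),
]
PHYSICAL_COUNT = {"A100": 44, "B200": 33}


def count_disputes(memos):
    """Return the ids of memos where the recount does not confirm the first count."""
    return [m.memo_id for m in memos if m.count_1 != m.count_2]


def variance_report(opening, memos, physical):
    """Compare perpetual book balances with the physical count, per style."""
    received = defaultdict(int)
    shipped = defaultdict(int)
    disputed_styles = set()
    for m in memos:
        if m.kind not in ("receipt", "shipment"):
            raise ValueError(f"unknown memo kind: {m.kind!r}")
        if m.count_1 != m.count_2:
            # Keep unverified quantities out of the books until resolved.
            disputed_styles.add(m.style)
            continue
        if m.kind == "receipt":
            received[m.style] += m.count_1
        else:
            shipped[m.style] += m.count_1

    styles = set(opening) | set(physical) | set(received) | set(shipped)
    report = {}
    for style in sorted(styles | disputed_styles):
        on_hand = physical.get(style, 0)
        if style in disputed_styles:
            report[style] = {"status": "count dispute", "physical": on_hand}
            continue
        start = opening.get(style, 0)
        book = start + received[style] - shipped[style]
        shortage = book - on_hand
        report[style] = {
            "status": "investigate" if shortage != 0 else "ok",
            "book": book,
            "physical": on_hand,
            "shortage": shortage,
            "documented_shipped": shipped[style],
            # Periodic method: whatever is not in ending inventory counts as sold.
            "periodic_units_sold": start + received[style] - on_hand,
        }
    return report


if __name__ == "__main__":
    print("Disputed memos:", count_disputes(MEMOS))
    for style, row in variance_report(OPENING, MEMOS, PHYSICAL_COUNT).items():
        print(style, row)
```

For style A100 the periodic method treats 56 units as sold although the signed shipping documents cover only 50; the 6-unit difference is visible only because a book balance exists to compare against the count.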

c.(5). Several reports can be suggested, including the following:

Sales report (daily, weekly, or monthly)
Cash flow report (daily, weekly, or monthly)
Monthly accounts receivable aging report
Purchases report (daily, weekly, or monthly)
Weekly sales returns report
Sales analysis by dress styles
Garments received report (daily, weekly, or monthly)

An example of a report format is given below.

Dress Ace! Inc.
Garments Received and Shipped Report for the week of ________
______________________________________________________________________________
Style          Units Received          Units Shipped          Units on hand
______________________________________________________________________________

______________________________________________________________________________
Prepared by:                                        Date:


CD-ROM Problems and Cases

OBJECTIVES

PROBLEMS

CASES

5. SYNTHESIS

4. EVALUATION

Datacruncher Office Equipment Dress Ace! Inc. CD 8-5 CD 9-1

Microcomputer Consulting Services

3. APPLICATION: CD 3-3, CD 3-5, CD 7-1, CD 9-2, CD 10-1, CD 10-4, CD 10-5, CD 10-6

2. COMPREHENSION: CD 3-1, CD 3-4, CD 7-2, CD 7-3, CD 7-4, CD 7-5, CD 8-1, CD 8-2, CD 8-3, CD 9-3, CD 10-2, CD 10-3, CDM 2-1, CDM 2-4

1. CONCEPTUALIZATION: CD 3-2, CD 7-6, CDM 2-2, CDM 2-3

[ ] Infoage



CD-ROM PROBLEMS

CD 3-1.

a. A distributed network provides Phoenix Networking Company with several benefits. It can be very responsive to the diverse needs of consultants and other users. Consultants often work from remote sites and would like to input data or access files and databases from their client’s offices. A distributed network enables the facilities of the network to be used efficiently, since processing jobs can be routed to those unoccupied computer systems in the network that are most suitable. If a particular system fails, the remaining computer systems can generally handle its processing load with slight loss in service. The network is flexible and adaptable to change, since new computer systems can easily be added and present systems deleted. Distributed networks enhance user satisfaction due to control over local processing, improve responsiveness to processing needs of users, make more efficient use of computer resources and balance their processing loads. In addition, such networks have built-in computer system backups, due to multiple computers, and are flexible and adaptable to change.

b. A local area network is created when two or more linked computers are grouped within a limited geographic area, such as a single building or a cluster of buildings. Although computers of all sizes may be included in a LAN, most tend to be microcomputers. At the heart of a LAN is the workstation, a desktop task-oriented area that consists generally of a processor and a video display screen. These workstations generally include features such as windows and graphic displays. They are typically linked to devices such as graphics printers, teleconferencing video screens and audio units, laser printers, and a variety of hardware devices known as servers.

c. Benefits include improved efficiency (e.g., faster response time), improved effectiveness (e.g., flexibility in accessing and using the information according to decision needs), improved adaptability to change, and an opportunity to improve the backup and recovery system due to distributed data and programs. Concerns/risks are generated from the vastly different processing environment compared to centralized mainframe processing. Data communication adds to the risks of losing data, or a chance of access to sensitive data by unauthorized users, including hackers. Diverse components and resources from different vendors, complex data processing and communication environment, and the need for continuous availability of systems to a variety of users in different locations add to the risks.

CD 3-2.

a. The controller may not be qualified to lead the MIS function. Five years is a long time in today’s information technology environment, and the firm’s strategic, tactical, and operational use of IT can fall behind the times, as can the strategic fit between the firm’s operations and the MIS.

b. With education that is quite dated in the field, a limited amount of education, and the constantly changing field of information technology, the manager may not be competent, visionary, and willing to lead and manage change. This will cause degradation in the firm’s MIS. Note, however, that much depends upon the individual, his or her leadership qualities, ability and motivation to seek continuing education, communication and decision making skills, and effort level on the job.

c. Leadership that is computer illiterate may have difficulty in aggressively promoting the employment of information technology for operational, tactical, and strategic purposes. These days, resources such as Executive Information Systems (EIS), groupware, teleconferencing, and e-mail require hands-on use of technology. Any discomfort on the part of the leadership may have a negative impact on the rest of the managers and staff. Note, however, that outside of such uses, the leadership needs to understand the implications of information technology, and does not necessarily have to understand how a system is designed and implemented.

d. Since the internal audit function is not involved, the identification of risk exposures, evaluation of such risks, and design of internal controls to manage such risks may get no (or very limited) attention. The new system will be implemented with unmanaged exposures. This can increase future audit costs, and intentional and unintentional losses and errors.

e. Since the field of artificial intelligence has been quite promising in designing business applications, the lack of knowledge may hurt the consulting practice, for the staff would be unable to use, design, or evaluate systems and applications based on the science of artificial intelligence. Incidentally, such weaknesses -if known to present or prospective clients- may be projected as an overall degree of incompetence of the consulting firm.

f. The use of external on-line services can help a health-maintenance organization in accessing up-to-date information in the changing field of health care management. On-line services also provide very efficient and user-friendly search engines, thus making the literature search both efficient and productive.

g. Involvement of the top management in strategic planning of the firm’s information resources is critical. The strategic fit between the business plans and MIS plans is a key success factor for the firm. In addition, commitment of the top management leads to the allocation of an appropriate amount of resources to the MIS function.

h. The hardware store owner and staff may feel very comfortable with the old version. However, the vendor may not be supporting such a version anymore. Consequently, any problems arising with the software may need to be resolved using other sources and expertise. Additionally, the new versions are probably more flexible, versatile, user-friendly, and less error-prone. It is therefore important for the store to migrate to a new version of DacEasy (e.g., Windows 95 version).

i. This is a rather old machine with limited processing power and disk space. The speed is slow compared to today’s microcomputers. Most of the new versions of many software packages will not run on this machine, and the output produced on this system may be difficult to transfer to other systems.

j. The lack of sharing of information may be caused by the lack of training or aptitude. Some users may not know how to share information with others to generate better services and products. Others may have an attitude that sharing information reduces their “power,” therefore it is best not to share information. Regardless of the cause, the information system will be less effective due to the lack of sharing, and dysfunctional decisions may be produced as a result.

k. If the telecommuting personnel are required to transfer volumes of data over the phone line, this may cause a problem. More time will be consumed in the process; some data transfer tasks may take “forever.” For such staff, it may be wise for the firm to invest in higher capacity dedicated lines, or other means of data transfer.

l. Using a DOS version 3.0 may not necessarily be a negative factor for a small business. However, software improvements will be difficult to incorporate, as new operating system software becomes available. Also, it may be difficult to transfer files from this system to other newer versions. Moreover, the firm does have access to more flexible, powerful, and user-friendly features of the newer systems.

CD 3-3.

a. It would be timely for the insurance company to consider moving from the legacy system to a system that is based on more current information technology, such as client-server architecture. The insurance industry provides services, has numerous paper-based processes, and has a high volume of transactions. A complete review of document flow and process analysis may help streamline processes, cut down on non-essential tasks, and enable technology to improve or enhance the process. Modified transaction cycles that use client-server architecture will be more efficient, and are likely to provide greater value and higher levels of satisfaction to customers.

b. Instead of standalone computers, the firm should configure its system in the form of a local area network. LANs can provide several benefits: immediate access to information, consistent and reliable data, sharing of information, and efficient data processing. Additionally, managers may use decision support systems to analyze the data, evaluate alternatives, and make decisions.

c. Wireless communication with remote data entry capabilities and a local area network can improve the system considerably. Using a modified system, the officers can issue tickets using a hand-held computer, which prints a ticket for placing on the windshield. At the same time, data captured is transmitted to the system for tracking, receipt of payment, and further action, where necessary. All of the records are maintained in a database that can provide profiles of violators, their history, and other crimes or incidents in which they participated.

d. GIS (Geographic information system) can be useful in this case. Such a system can provide data about the region, its economic prospects, demographics, industry composition, tax outlook and political system, potential market size, and competition.

e. Processing speed is critical in neural network systems that are data processing intensive. To gain efficiency, it is necessary to move to a more powerful computer, such as a minicomputer or a workstation typically recommended for use as a server in a LAN.

f. The processing of invoices in a controlled and timely manner is necessary. Smaller, more frequent runs should be made to process invoices on an ongoing basis. The problems of duplicate payments and missed vendor discounts may arise simply because the batch is too large to track such exceptions, although other contributing factors may also exist.

g. First, the process needs to be reengineered. More timely reports should be generated to reduce the cycle time. If daily reports are generated and used, the cycle time is reduced by six days. This will reduce the need to carry more inventory. More significant improvements can be achieved by using a data base oriented system with online update capabilities. Second, the inventory management system should be redesigned to be more proactive. Just-in-time inventory concepts should be implemented, so that even lower (or zero) inventory levels may be necessary. For such systems, it may be necessary to use EDI to network with the vendors.

h. Teleconferencing and groupware can certainly be of great help in reducing necessary travel time and costs, improving communication efficiency, and reducing the cycle time for the project.

CD 3-4. a. No the company is not too small to effectively use a microcomputer. Medium-sized firms with 25 employees can be expected to have a sufficient volume of transactions and complexity to cost-effectively use a simple, computer-based system. b. Ron Quincy’s arguments for not using a microcomputer are not valid. The computer would cost no more than about $3,000; this is affordable for his firm. Any expected unfavorable impact on employees can be minimized or controlled with proper change management and open communication with the employees. His arguments have some validity, however. Computerization alone cannot be expected to produce results; it is the system that is implemented on the computer that produces results. Consequently, his openness to modify the current accounting system is a good sign. He wishes to have an accounting system that provides relevant information to control costs and manage the business.

c. In addition to the information systems resources stated in the problem, it would be appropriate to have a computer-based accounting information systems package. If a trusted employee is trained to use the system, the system would generate benefits greater than its costs. The processes and applications should be simple, easy to use, and easy to maintain. Such a system can generate work orders; record cash receipts and receivables; and track payments due by the due dates, so that no discounts are missed. d. The positive impact: better organization, easy retrieval of information, greater accuracy and reliability of information, greater control over the operations of the company. The negative impact: some degree of loss of control due to concentration of data and expertise; uncertainty of the equipment reliability, need for back up and recovery; resistance to change; greater complexity, and limited knowledge to solve problems in the event the system produces unfamiliar errors or does not function as expected. Added problems may arise from the constantly changing information technology in terms of compatibility, transferability of data, etc. CD 3-5. a. Improvements can be made by using an intranet, a system of communication and information sharing within the firm, whereby requests can be immediately transmitted and replies also received through the same medium. For sensitive and private data, adequate protection will be necessary on the intranet. b. The process can be improved, both in terms of efficiency and effectiveness, by doing the research on an online public information data base. Timeliness and accuracy of the information will improve, accessed information is likely to be far more comprehensive and complete, and the online research capabilities will save time and at the same time, improve the quality of research findings. c. This may be a good time for Rochester General Technologies to evaluate the information system. 
A first step is to determine if legacy systems should be preserved and maintained, or a system based on a more current technology should replace the existing system. It appears that the maintenance time required is so large that a complete redesign of the system may be appropriate at this time. Newer systems are more flexible and relatively easy to maintain. A consideration may also be given at this time as to whether the firm should outsource certain parts of the AIS. d. Computer simulation of such exercises may precede or replace the exercise. Computer simulations have become very sophisticated, depicting real-world situations with a high degree of accuracy. An additional option is to build a virtual reality lab exercise, which precedes or replaces the current exercise. e. The problem in this case signifies the lack of both internally and externally generated data. The firm must develop and maintain data bases that would provide such information for operational support and tactical and strategic decision making. f. The processing of invoices in a controlled and timely manner is necessary. Smaller, more frequent runs should be made to process invoices on an ongoing basis. The problems of duplicate payments and missed vendor discounts may arise simply because the batch is too large to track such exceptions, although other contributing factors may also exist. g. The existing automated configuration has certain limitations. Data transmission from clinics to the home office, data entry in the home office system, report generation and distribution, and information access at the clinics are major sources of the system constraints. A wide area network with distributed processing capabilities will improve the system. Each clinic can input its own transaction data directly into the system, and can retrieve necessary information without having to rely on the home office. The home office will not have to enter transaction data generated at the clinics.

h. An electronic network can achieve the required tasks more efficiently and perhaps at less cost. An Intranet (based on Lotus Notes, for example) would serve the purpose. If properly protected, transmission on the Internet could serve the purpose as well. Even a relatively simple e-mail facility across the firm can achieve this task better. The cycle time would be reduced, costs might be less, and the accuracy of transmission (prevention of loss of data in transmission) can be improved with the new system. CD 7-1. High risk exposures faced by Jiffy include the following: A. Errors in deliveries of letters and packages, due to the large number of transactions and the adverse effect on the firm’s reputation. B. Breakdown in vans and planes, since such breakdowns can cause the 10 a.m. next day deliveries to be missed and the firm’s reputation to be adversely affected. C. Losses of letters and packages, due to their valuable contents and hence the sizable liabilities to the senders that are likely to be incurred. D. Thefts of vans and/or planes, since they are mobile and hence easily removed. (For instance, drug dealers have been known to steal planes directly from airports and to fly them to foreign countries.) E. Damage to files within the on-line computer-based system, since the data concerning customers are vital to efficient operations. CD 7-2. (Adapted from the Certified Management Accountant Examination, December 1989, Part III, Question No. 6). A. Among the several situational pressures in a public firm that would increase the likelihood of fraud are the following: 1. Sudden decreases in revenue or market share. 2. Financial pressure resulting from bonus plans that depend on short term economic performance. B. Among the several opportune situations in which fraud is easier to commit and detection is less likely are the following: 1. Weak or nonexistent internal accounting controls. 2. 
Unusual or complex transactions such as the consolidation of two organizations. 3. Accounting estimates requiring significant subjective judgment by the management of a firm. C. For purposes of assessing the risk of fraudulent financial reporting, the external factors that should be considered in each of the firm’s environmental situations include the following: 1. Industry environment— (a) Specific trends that are prevalent in the industry relating to such matters as overall demand for the industry’s products, economic events affecting the industry, and whether the industry is expanding or declining. (b) Whether the industry is currently in a state of transition affecting management’s ability to control the firm’s operations. 2. Business environment— (a) The continued viability of the firm’s products in the marketplace. (b) The sensitivity of the firm’s operations and profits to economic and political factors. 3. Legal and regulatory environment—

(a) The status of the firm’s business licenses or agreements, especially in light of the firm’s record of compliance with regulatory requirements. D. There are numerous control procedures and measures that top management could incorporate to reduce the possibility of fraudulent financial reporting. A few examples are as follows: 1. Establish an internal audit group that reports to a committee within the board of directors. 2. Establish an organizational structure that includes adequate checks. 3. Employ a reputable external audit firm to perform yearly audits. 4. Employ highly qualified accountants and provide them adequate training in the firm’s accounting procedures. 5. Perform periodic verification of assets, through such procedures as counts of physical inventories and preparation of bank reconciliations. CD 7-3. (Adapted from the Certified Management Accountant Examination, June 1990, Part V, Question No. 2). a. Computer frauds exhibit the same characteristics as noncomputer frauds, except that the perpetrator uses a computer to help commit the fraud. Also, the average dollar loss is much greater than in manually committed frauds. Computer frauds involve the same six types of frauds (see (b) below); they are often committed internally by management and employees and are concealed using either on- or off-book schemes (see (b) below). Computer frauds can be committed at breathtaking speeds over long distances and are easier to conceal because of the electronic medium often used in the process of committing such crimes. b. Explanation of each type of fraud. 1. Input manipulation requires the least amount of technical skill and almost no knowledge of how the computer system operates. It consists of improper alteration or revision of input documents without authorization, e.g., payroll time cards or time sheets can be altered to reflect overtime hours or added salary increments.
Since an audit trail would exist for the altered transactions, this is an on-book fraud. 2. Program alteration requires programming skills and knowledge of the application programs. It consists of revising program codes for fraudulent purposes, e.g., to ignore certain transactions such as overdrafts against the programmers’ accounts, to draw checks and have them sent to a falsely constructed account, to grant excessive discounts to certain specified trade accounts. Since the program alteration causes the transactions to be processed differently (or causes them to be ignored), a modified trail would exist. Therefore, this type of fraud is an on-book fraud. 3. File alteration occurs when a defrauder revises specific data or manipulates data files, e.g., fraudulently changes the rate of pay of an employee in the payroll master file via a program instruction, fraudulently transferring balances among dormant accounts to conceal improper withdrawals of funds. Since an audit trail exists for the altered data or files, this is an on-book fraud. 4. Data theft can be accomplished by data interception or smuggling out computer data files or hard copies or reports/files. With the considerable amount of information being transmitted by long distance lines, the data is vulnerable to being tapped or intercepted. Magnetic tapes, mini-reels, or microcomputer disks can be smuggled out in briefcases,

employees’ pockets, and so forth. Such thefts do not directly affect the audit trail. Consequently, this act can result in an off-book fraud. 5. Sabotage is the intentional physical destruction of hardware or software. This act does not directly affect transactions of the firm or the audit trail and hence, can be called off-book. 6. Theft of computer time means the unauthorized use of a firm’s computer. If not prevented, employees might use their firm’s computer to perform personal or outside business activities, which could result in the computer being so utilized that costly capacity upgrades may be necessary. This act does not directly affect transactions of the firm or the audit trail and hence, can be called on-book. c. Examples of computer systems frauds where the computer is directly involved in committing the act: 1. A self-employed computer expert discovered the daily code that authorized funds to be transferred from a large bank to other banks. One day, he called the wire room, gave the correct authorization code, and transferred $10 million into a bank account opened under his alias. 2. A technician who helped design the computerized ticket system for a major league baseball club stayed around the office one day to show staff workers how to operate the system. Later, club officials discovered that he had also used the system that day to print 7,000 tickets, which he illegally sold through ticket brokers. 3. Persons posing as bank employees would stop depositors in the middle of ATM transactions and direct them to other ATMs, explaining that the ATMs being used were inoperative. Then these persons would withdraw funds from the abandoned ATMs that had been opened (but not closed) by the depositors.

d. Methods of protection: Input manipulation. Protection methods include: (a) proper documentation and authorization of data inputs, and (b) the use of computer programs that are designed to accept inputs only from designated users, locations, terminals, and/or times of day. Program alteration. Protection methods include: (a) the use of copies of production source programs and data files, rather than the actual or “live” programs and data, (b) the prohibition of direct access by computer operators and programmers to production programs and data files, (c) periodic comparisons of on-line programs to off-line backup copies to detect changes, and (d) periodic audits that involve reprocessing of actual transaction data and comparisons of the results with the outputs obtained during normal operations. File alteration. Protection methods include: (a) the restriction of access to the computer center, (b) the prohibition of access by programmers, systems analysts, and computer operators to production data files, (c) the maintenance of production data files in a library under the control of a data librarian, and (d) the prohibition of access by computer operators to applications documentation (except for that needed to perform their duties). Data theft. Protection methods include (a) electronic sensitization of all library materials for detection when an unauthorized removal from the library is attempted, and (b) encryption of sensitized data transmissions.

Sabotage. Protection methods include: (a) the immediate denial of access to terminated employees of all computer equipment and information to prevent them from destroying or altering data or equipment, and (b) the maintenance of backup files at secure off-site locations. Theft of computer time. Protection methods include (a) the assignment of blocks of time to processing jobs, with the usage of the computer being denied after the allocated times expired. CD 7-4. A. The types of risk described in the computer hacker problem essentially involve breaches of security. However, the nature of the risk may also be viewed as potentially broader. That is, by receiving stolen property (the source code) and then distributing the code on the black market, the hacker was involved in the theft of assets for possible personal gain (or at least a type of nefarious satisfaction). Also, by distributing the illegally acquired passwords, the hacker was opening the affected computer system to possible acts of violence and theft. For instance, the hacker could destroy certain of the stored information in the files or could sell or otherwise use the information obtained, e.g., could sell marketing plans to competitors. B. A computer virus is a computer program that is designed to copy or attach itself to other computer programs and causes either the display of prankish messages or the destruction of data, such as erasing all the files on a hard disk. A Trojan Horse is an unauthorized program code hidden inside an application program that performs a valid function, such as the payroll program. Generally, viruses get “imported” into a system through data or programs on an external medium (e.g., floppy disk) loaded to the system. Whereas viruses come from outside, a Trojan Horse is often written by someone who has authorized access to a program, to get even with his/her employer or to commit a computer crime.
Viruses with static or unchanging structures can be checked and, if identified, removed by what is called a vaccine program. A Trojan Horse is much more difficult to detect and may cause the firm huge losses or destruction of information resources (e.g., loss of data). Techniques such as mapping of computer programs can help detect an unauthorized code. C. Control measures and security measures that might be employed to protect against these risks include: 1. Limiting the access of the hacker and others to the operating systems through tight control over their storage and distribution. 2. Employing anti-virus programs and other software detection routines to “sweep” the computer system software on a frequent basis. 3. Employing access logs that record the actions taken by persons via the various terminals connected to the computer system. (Note that a call back procedure, described in Chapter 9, would not be feasible in this situation, since the hacker is an employee who has access to at least one of the firm’s terminals.)

CD 7-5. (Adapted from Certified Internal Auditors Examination, Items 48-54, Part I, May 1994) 1. C 2. A 3. B 4. A 5. D 6. B 7. C

CD 7-6.

A. An employee who handles the merchandise and also maintains the inventory records could take merchandise home and then reduce the quantities shown in the records as being on hand to conceal the theft. B. If the inventory is not physically secured, an employee or nonemployee would be able to steal inventory at will. C. If disbursements are made by cash (except for petty cash) rather than by check, the disbursing employee could keep amounts of cash and then record that payments were made; no documents would be available to verify that the amounts were received by the intended parties. D. If a physical inventory is not taken periodically and compared with the inventory records, shortages may not be detected; consequently, the valuation for inventory on the balance sheet would be incorrect and the need to stem the losses of inventory would not be apparent. E. If returns of sold merchandise are not listed on a credit memorandum form, which is signed by a manager, an employee could receive and keep returned merchandise for personal use; no document would be available to show that the customers who return the merchandise receive credit for the returns. F. If customers are mailed detailed monthly statements, some are likely to overlook errors and improper charges to their accounts. CD 8-1. (Adapted from the Certified Public Accountants Examination, November 1956, Auditing Section, Question No. 2) One possible distribution of functions is as follows: The first employee would maintain the accounts payable and accounts receivable ledgers and reconcile the bank account. The second employee would maintain the general ledger and the cash disbursements journals and issue credits on returns and allowances. The third employee would prepare checks for signature and handle and deposit cash receipts. Other groupings of functions are possible.
In evaluating such groupings, the following should be viewed as unsatisfactory when performed by the same employee:

a. Maintaining the accounts payable ledger and preparing checks for signature.
b. Maintaining the accounts receivable ledger and handling cash receipts.
c. Maintaining the general ledger and handling cash receipts.
d. Reconciling the bank account and handling cash receipts.
e. Issuing credits on returns and allowances and handling cash receipts.
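The five incompatible pairs in CD 8-1 can be checked mechanically against any proposed grouping of functions. The Python below is an added example, not part of the solution manual; the duty keys, the employee labels and the constructed BAD_DISTRIBUTION are assumptions made for illustration, and the brute-force count goes beyond the text to show how many conflict-free groupings exist for three employees.

```python
"""Segregation-of-duties check for the CD 8-1 duty list (added example)."""
from itertools import product

# Incompatible pairs (a)-(e) from CD 8-1. The short duty keys are labels
# made up for this example, not names used in the text.
INCOMPATIBLE = {
    "a": frozenset({"ap_ledger", "prepare_checks"}),
    "b": frozenset({"ar_ledger", "cash_receipts"}),
    "c": frozenset({"general_ledger", "cash_receipts"}),
    "d": frozenset({"bank_reconciliation", "cash_receipts"}),
    "e": frozenset({"issue_credits", "cash_receipts"}),
}

# The eight functions distributed in the CD 8-1 answer.
DUTIES = (
    "ap_ledger", "ar_ledger", "bank_reconciliation", "general_ledger",
    "cash_disbursements_journal", "issue_credits", "prepare_checks",
    "cash_receipts",
)


def find_conflicts(assignment):
    """Return sorted (employee, rule) tuples where one employee holds both
    duties of an incompatible pair."""
    hits = []
    for employee, duties in assignment.items():
        held = set(duties)
        for rule, pair in INCOMPATIBLE.items():
            if pair <= held:
                hits.append((employee, rule))
    return sorted(hits)


def coverage_gaps(assignment):
    """Return (unassigned, unknown) duty sets, so that an orphaned duty or a
    mistyped key cannot hide a conflict."""
    assigned = set()
    for duties in assignment.values():
        assigned |= set(duties)
    return set(DUTIES) - assigned, assigned - set(DUTIES)


def count_clean_distributions(n_employees=3):
    """Count the ways to give each duty to exactly one of n employees with no
    incompatible pair on the same person (brute force over n**8 cases)."""
    clean = 0
    for owners in product(range(n_employees), repeat=len(DUTIES)):
        assignment = {e: set() for e in range(n_employees)}
        for duty, owner in zip(DUTIES, owners):
            assignment[owner].add(duty)
        if not find_conflicts(assignment):
            clean += 1
    return clean


# The distribution given in the CD 8-1 answer.
TEXT_DISTRIBUTION = {
    "first": {"ap_ledger", "ar_ledger", "bank_reconciliation"},
    "second": {"general_ledger", "cash_disbursements_journal", "issue_credits"},
    "third": {"prepare_checks", "cash_receipts"},
}

# Constructed counter-example: receivables and payables each end up with the
# person who also touches the related cash.
BAD_DISTRIBUTION = {
    "bookkeeper": {"ar_ledger", "cash_receipts", "bank_reconciliation"},
    "clerk": {"ap_ledger", "prepare_checks", "cash_disbursements_journal"},
    "assistant": {"general_ledger", "issue_credits"},
}

if __name__ == "__main__":
    for name, dist in (("text", TEXT_DISTRIBUTION), ("bad", BAD_DISTRIBUTION)):
        print(name, "conflicts:", find_conflicts(dist),
              "gaps:", coverage_gaps(dist))
    print("conflict-free groupings for 3 employees:",
          count_clean_distributions(3))
```

Cash receipts appears in four of the five pairs, which is why the count drops sharply as soon as the employee who handles receipts is given any record-keeping duty.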

CD 8-2.

Requirement | Preventive (P), Detective (D), or Corrective (C) | General (G), Operational (O), or Management (M) | Control environment (CE), Risk assessment (RA), Information and communication (IC), or Monitoring (MO)
a. | D | O | MO
b. | P, D | O | MO, CE
c. | D | M | MO
d. | P | G | MO, CE
e. | D | O | MO
f. | D | O | MO, CE
g. | P | O, M | CE, IC
h. | D | M | CE, MO
i. | D | O | MO
j. | P | G | IC
k. | D | M | MO
l. | D | M | MO
m. | D | G | MO, IC
n. | C | M | MO, IC
o. | P | O | MO

CD 8-3. a. 1. Improve organizational independence by separating the responsibilities for maintaining personnel records, approving hours worked by employees, preparing payrolls, signing paychecks, and distributing paychecks. 2. Restrict access to signed paychecks to those persons authorized to sign and distribute paychecks. 3. Employ a person such as a paymaster to distribute paychecks. If feasible, have an internal auditor distribute paychecks periodically, in order to verify the authenticity of each recipient. b. Send customers a periodic statement of transactions and the account balance. Encourage them to verify the balance and call or write in case of any perceived discrepancy. Salespersons should be instructed not to receive any payments (cash or checks) from customers. If they are authorized to receive payments from customers, they should be bonded, and should be asked to turn in all receipts signed and cash or checks to the cashier the same day. c. Require the storekeeper to count all goods delivered to the storeroom and to sign a copy of the receiving report, thus acknowledging receipt of the goods. The receiving report would then be forwarded to the accounts payable department. d. Adjusting entries to cash should be very rare, if at all one is required, and should be endorsed by the treasurer prior to recording it. All evidence of need for the entry and the amount of the adjustment should be submitted. Adjustments to receivables should be submitted, with proper evidence, only by the authorized personnel; similarly, all adjustments to inventory should accompany evidence suggesting the need for, and the amount of, adjustment and its approval by authorized personnel. e. Establish adequate organizational independence by requiring that (1) responsibility for verifying the authenticity and accuracy of suppliers’ invoices and approving them for payment be organizationally separated from (2) responsibility for writing, signing, and mailing checks. 
Thus, an accounts payable clerk could be assigned the former responsibility, while the cashier might be assigned the latter responsibility. Other related controls include requirements that (1) each check be signed by two persons and (2) periodic bank reconciliations be prepared. f. Install a clock for employees to register the hours worked on their time cards. Also, increase supervision at the timekeeping function; this may be done by installing a camera that permits someone to watch the activity and/or videotapes the location continuously. No overtime should be paid unless authorized by the supervisor. g. All payments from receivables, both in cash and by checks, should be received by the cashier, not the accountant. Secondly, all write offs of accounts receivable should be authorized by the credit and collections department and signed off by the treasurer prior to making a journal

entry to write off a receivable. Authorization to make journal entries to accounts such as Allowance for Doubtful Accounts can be restricted to the chief accountant. h. Separate the function of accounting from the function of treasury. Assign the duty of opening the mail to at least two individuals, and do not involve the accountant in this duty. All cash received must be deposited daily, and a remittance advice must be made if it does not accompany the payment. No payments should be made directly from cash receipts; all cash received must be deposited in the bank. i. Limit authorization to make journal entries to the long-term notes receivable account to the chief accountant. All payments, both in cash and by check, must go directly to the cashier, who should deposit in the bank all receipts on the same day. j. Pricing policies should be approved by a subcommittee of the Board of Directors, and the audit committee of the Board must review periodically if the pricing policy is followed as set by the Board’s subcommittee. All departures from the policy must be carefully evaluated and corrective action taken, where appropriate. k. All asset valuation procedures should be a direct responsibility of the chief accountant, who should review the results, including depreciation amounts as well as net book values. The firm’s internal audit function should audit all material depreciation calculations and valuations. The audit committee of the Board should review reports of the internal audit function as well as external auditors. l. All incoming mail should be opened by two persons. If the amount remitted does not accompany a remittance advice, one should be prepared. All cash should be handed over to the treasurer, who should deposit the funds in the bank on the same day. Cashiers should not have access to the books of accounts, and the accountant should not have access to cash. All employees handling cash should be bonded. CD 8-4. 
(Adapted from the Society of Management Accountants of Canada Examination, August 1982, Information Systems Section, Question No. 6) Note: Requirement (b) should refer to Figure 8-12, not Figure 8-13. a. General controls (including security measures) that are needed with respect to the proposed expense reimbursement procedure include: (1) Segregation of the issuance of checks through such means as: (a) Physically separating the printer from the terminal and placing it in a secure area. (b) Assigning a cashier (or cash disbursement section) the responsibility for issuing checks as they are filled-in by the printer. (c) Requiring salespersons to produce valid identification upon claiming expense checks and to sign a check register. If a representative for the salesperson is to pick up a check, the salesperson should sign a form that authorizes the representative to do so. Also, the representative should sign the check register. (d) Locking the stock of blank checks in a vault after hours. (2) Maintenance of a log by the computer system that records all accesses and entered transaction data and that is not accessible to either the accounting clerk or the check issuer. (3) Performance of periodic reviews by internal auditors of: (a) The log described in (2) above. (b) The expense reimbursement procedure. (c) The printouts listed under the transaction controls. (4) Restrictions on access to terminals by such means as: (a) Placing the terminals in secure areas within the accounting department where nonaccounting personnel are prohibited from entering.

(b) Locking the terminals after working hours. (c) Assigning passwords to the accounting clerks that allow access only to the expense reimbursement preparation program. b. Specific transaction controls that are needed in the proposed procedure include the following: (1) Authorization controls, such as the authorization of each expense report by the salesperson’s supervisor prior to submission. (2) Recording controls, such as the recording of expenses on standardized and well-designed expense reimbursement forms by salespersons, to which receipts are to be attached. (3) Editing controls, such as the programmed checks shown in the matrix on the next page, plus the use of preformatted screens and the acceptance of entered data only after accounting clerks correct all detected data errors and press a confirm key. (4) Processing controls, such as (a) the posting of all expenses directly (by the computer system) to the appropriate expense ledger accounts and salespersons’ accounts, (b) requiring that checks over an established limit be countersigned, and (c) comparing the total of checks issued against a computed total obtained from the expense reports. (5) Output controls, such as the review of (a) daily printouts of the details of all postings to accounts, with the accounts of salespersons whose expense totals are over-budget being flagged and (b) daily printouts that list all expense checks issued. Control Data Element Salesperson number Salesperson number Expense account code Actual expense amount Budgeted expense amount

Validity Check

Reasonableness Check

Relationship Check

Echo Check

X

Field Check

Completeness Check

X

X

X

X

X X X

X X

Notes: (1) The salesperson name is echoed upon the entry of the number. (2) The actual expense amount is compared to the budgeted amount by the relationship check; if the difference is significant it is flagged via the check. (3) The reasonableness check is essentially the same as the limit check.

CD 9-1. (Adapted from the Society of Management Accountants of Canada Examination, March 1988, Internal Auditing Section, Question No. 3). Risks inherent in the operation of the MIS department are as follows:

Risk: a. Walls of glass at the data center.
Compensating internal control: a. Locate the data center in a place that is away from public view, so that it is not as accessible to malicious damage.


X


b. Tape library is unmanned and unlocked.
c. Mounting of tape by a programmer.
d. Premature departure of the programmer after fixing a program.
e. No one is informed of program changes.
f. No documentation is provided for changes.
g. No long-range plans are developed.
h. An arbitrary ten percent is added to the budget each year.
i. Control reports are not provided.
j. Reports are too voluminous.
k. The Disaster Recovery plan is untested.
l. The backup site is two blocks from the center.

b. Require that the library be locked when the tape librarian is away; also require all transfers of tape to be recorded.
c. Do not allow the programmers to have access to the computer room and consequently not to be able to physically mount the tapes.
d. Require programmers to test all modified programs and to demonstrate to users that they function properly.
e. Require that all program changes be authorized in writing and the users fully informed of changes that are made.
f. Require that all program changes be fully documented as soon as possible after the changes are completed.
g. Develop long-range plans and update them yearly.
h. Develop annual budgets on the basis of clear needs of the department.
i. Generate variance reports to monitor deviations from schedules and from planned costs, so that appropriate corrective actions can be taken.
j. Review all reports with managers, in order to determine how reports can be reduced in size or even eliminated.
k. Fully test the plan to determine that it is workable and complete.
l. Relocate the backup site so that it is sufficiently distant from the center that a single disaster could not destroy both.
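The programmed edit checks named in CD 8-4 (b)(3) and its matrix notes (completeness, field, validity, echo, reasonableness and relationship) can be shown on a single expense-report line. The Python below is an added example, not part of the solution manual; the master data, the limit, the 20% variance threshold, the field names and the assignment of checks to fields are all assumptions, guided only by the three notes under the matrix.

```python
"""Programmed edit checks for one keyed expense-report line (added example)."""
from decimal import Decimal, InvalidOperation

# Constructed master data and thresholds; none of these values are from the text.
SALESPERSONS = {"1041": "R. Alvarez", "1077": "T. Nakamura"}
EXPENSE_ACCOUNTS = {"6100": "Travel", "6200": "Meals", "6300": "Lodging"}
LINE_LIMIT = Decimal("2500.00")   # assumed reasonableness (limit) ceiling
SIGNIFICANT = Decimal("0.20")     # assumed "significant" variance: 20%

CODE_FIELDS = ("salesperson_number", "expense_account_code")
AMOUNT_FIELDS = ("actual_amount", "budgeted_amount")


def _text(entry, field):
    value = entry.get(field)
    return "" if value is None else str(value).strip()


def edit_check(entry):
    """Return (errors, flags, echo) for one entry keyed as strings.

    errors must be corrected before acceptance, flags are review items,
    echo is the salesperson name displayed back to the clerk.
    """
    errors, flags, echo = [], [], None
    codes, amounts = {}, {}

    for field in CODE_FIELDS + AMOUNT_FIELDS:
        raw = _text(entry, field)
        if not raw:                                  # completeness check
            errors.append(f"completeness:{field}")
        elif field in CODE_FIELDS:
            if raw.isascii() and raw.isdigit():      # field check: digits only
                codes[field] = raw
            else:
                errors.append(f"field:{field}")
        else:
            try:                                     # field check: money value
                value = Decimal(raw)
            except InvalidOperation:
                value = None
            if (value is None or not value.is_finite() or value < 0
                    or value.as_tuple().exponent < -2):
                errors.append(f"field:{field}")
            else:
                amounts[field] = value

    # Validity checks against the master files; echo check on the number.
    number = codes.get("salesperson_number")
    if number is not None:
        if number in SALESPERSONS:
            echo = SALESPERSONS[number]
        else:
            errors.append("validity:salesperson_number")
    code = codes.get("expense_account_code")
    if code is not None and code not in EXPENSE_ACCOUNTS:
        errors.append("validity:expense_account_code")

    # Reasonableness (limit) check on the actual amount.
    actual = amounts.get("actual_amount")
    budget = amounts.get("budgeted_amount")
    if actual is not None and actual > LINE_LIMIT:
        errors.append("reasonableness:actual_amount")

    # Relationship check: actual against budget, flagged rather than rejected.
    if actual is not None and budget is not None:
        if budget == 0:
            significant = actual > 0
        else:
            significant = abs(actual - budget) / budget > SIGNIFICANT
        if significant:
            flags.append("relationship:actual_vs_budget")
    return errors, flags, echo


def accept(entry, confirm_pressed):
    """Post only when every detected error is corrected and the clerk confirms."""
    errors, _flags, _echo = edit_check(entry)
    return bool(confirm_pressed) and not errors


# Constructed sample entries.
SAMPLES = {
    "clean": {"salesperson_number": "1041", "expense_account_code": "6200",
              "actual_amount": "182.40", "budgeted_amount": "200.00"},
    "over_budget": {"salesperson_number": "1077", "expense_account_code": "6100",
                    "actual_amount": "390.00", "budgeted_amount": "200.00"},
    "mis_keyed": {"salesperson_number": "10A1", "expense_account_code": "",
                  "actual_amount": "99999", "budgeted_amount": "abc"},
    "unknown_ids": {"salesperson_number": "9999", "expense_account_code": "6900",
                    "actual_amount": "45.00", "budgeted_amount": "50.00"},
}

if __name__ == "__main__":
    for name, entry in SAMPLES.items():
        print(name, edit_check(entry), "accepted:", accept(entry, True))
```

The split between blocking errors and review flags follows the text: detected data errors must be corrected before the confirm key takes effect, while an over-budget amount is only flagged.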

CD 9-2. a. Occurrence 1. Access control to the system. Encryption of sensitive data, such as passwords and log-on routines to access systems and applications. Removal of access authorizations based on course requirements at the end of each semester. Occurrence 2. Maintain an access control list, and control access to it. Encrypt the list. Implement a policy of frequent review of the list so that it remains current. Occurrence 3. Develop a comprehensive policy of password creation, protection and maintenance. Rules should include requirements regarding the length of the password, how often it should be changed, and values that are not acceptable as password values (for example, name of the local football team). User awareness and training are also critical to password management. Occurrence 4. Encryption of data moving through communication lines, so that they are rendered useless in the hands of unauthorized users. Occurrence 5. If such data are not required for processing transactions, they may be kept off the system. If required by the system, they must be encrypted so that they are useless to the competition unless they are successful in decrypting the data.

b. To those who are not aware of the hackers’ groups, resources, and tools and techniques, it may appear that considerable computer expertise is required to hack into computer systems. Perhaps this was true in the past; however, the field of hackers has become so organized that even beginners can do a great deal of damage to computer systems.

c. A large number of sites addressing the issue of computer hacking can be found. Several sites are maintained by individual hackers who take pride in their skills. Many hackers have little or no depth in computer education. www.hackershomepage.com is an example of how well organized some of these sites are. The hackers home page has a listing of new products, such as pager hacking software, audio and video evidence destroyer, check washing, cell phone hacking, and smart card emulator.

d. Some of the hacking tools (products) that can be downloaded from these sites are noted in Requirement (c). As hackers organize and advance their skills, products, and know-how, accountants and auditors will have to make every possible effort to continue to stay a step ahead of them. Knowing what is happening in this area could permit accountants and auditors to act more proactively in designing controls and adopting security measures. CD 9-3. a. Require that every transaction, and each drink separately in each transaction, be recorded and that a receipt is issued each time, if the customer requests it. A duplicate cash register receipt should be automatically printed within the cash register. Periodically, conduct an analysis of consumption of liquor with revenues for the period from the bar, to broadly reconcile revenues computed (using liquor consumption translated into number of drinks) with the cash actually received. Finally, send someone at random intervals and at different times to order drinks at the bar, and have the person report discrepancies, if any, in operating practices. b. Send a statement of account to each customer periodically, so that the customer can verify the balance due and cash received on the account. Encourage customers to not make any payments by cash, but rather send or mail checks. Adopt and implement a code of conduct within the firm to encourage appropriate behavior on the part of employees. Require that salespersons receiving any cash from customers must deposit the amount with the firm’s cashier on the same day, or immediately upon return to the office. c. An authorization for payment should require all documents supporting the obligation (e.g., purchase order, receiving report, purchase invoice, etc.). Upon authorization of the payment, all supporting documents must be “canceled,” marked to the effect that they were processed for payment. d.
Identify loopholes in the system that led to the embezzlement, and correct these deficiencies. Modify the code of conduct to include broad guidelines as well as specific actions the firm would follow in cases of fraud. Evaluate, seeking legal counsel, if any legal actions can and should be taken against the employee. e. A well-documented travel policy should help, although it may not completely prevent such situations. Number of people having meals; whether it was breakfast, lunch, or dinner, should be required. A ceiling on the total bill, at a predetermined rate per person, should help. Bill and a charge slip (where paid using a charge card) may be required for reimbursement. The corporate card system, such as the American Express card system, should provide even better control over costs. f. Ask for authorization from the supervisor of the employee for all overtime work by the employee. The authorization should document the nature of work to be done during overtime, and why it could not be achieved during normal working hours.



g. To prevent purchases of goods not needed, insist on a purchase requisition. Thus, all materials ordered are requested by the end user, who is responsible for its use and will be accountable for the decision to purchase. All received goods must flow from the receiving department to the store, where the inventory control function would be accountable for its receipt and issue. This will help prevent stealing. In addition, require that all goods leaving the premises be accompanied by a document authorizing such a move (e.g., sale to the customer or employee, transfer to another plant for further processing, scrap sold to a scrap dealer, etc.).

CD 10-1. (Adapted from the Certified Management Accountant Examination, June 1988, Part III, Question No. 7)

a. The following four criteria will be considered by the external auditors in determining whether an audit client’s internal accounting controls should provide reasonable assurance that:

1. transactions are executed in accordance with management’s general or specific authorization.

2. transactions are recorded as necessary (a) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (b) to maintain accountability for assets.

3. access to assets is permitted only in accordance with management’s authorization.

4. the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.

b. (1) The review and evaluation steps or phases in the audit process consist of: (a) Initiating audit planning. (b) Reviewing internal control structure. (c) Assessing the control risk. (d) Performing tests of controls. (e) Evaluating the adequacy of the internal control structure.

(2) (a) During the initial audit planning, the auditor reviews the flows of transactions through the accounting system, the organizational structure, personnel policies and practices, management philosophy, and external influences. This review is performed by means of inquiries and examinations of such documentation as systems flowcharts, accounting records, and management policy statements.

(b) During the review of the internal control structure, the auditor examines the controls that are in operation, noting strengths and weaknesses. Among the techniques used by the auditor are observation, inspection of records, inquiries, flowcharts, and questionnaires.

(c) In assessing the control risk, the auditor forms a preliminary determination of the adequacy of the internal control structure. This review is likely to be performed with the aid of internal control questionnaires and/or control matrix forms.

(d) In performing tests of controls, the auditor traces selected transactions through the processing systems, vouches documents for control features (e.g., approvals, audit stamps, prenumbering), observes the actions of processing clerks, observes the presence of control features and security measures, etc.



(e) During the overall evaluation the auditor examines notes taken during tests of controls and applies his or her judgment and experience in making the final evaluation.

c. Corrective actions and the future benefits (or avoidance of future problems) that should follow from these corrective actions are listed below for the six weaknesses in controls at Sylvan Engineering.

1. The reconciliation of batch totals, currently performed by the EDP manager, should instead be performed by the users. This change will enable the data processing department to be independently evaluated and thus avoid possible errors and manipulations of data during the processing activity.

2. Documentation, consisting only of run manuals and currently prepared by the software vendor, should be expanded and prepared by the computer (EDP) department, with review and approval by the management and users within Sylvan Engineering. Expanded documentation should include descriptions and flowcharts of the systems and programs, operation instructions for the computer operators, control procedures to be followed by the computer department and users, descriptions of the inputs and outputs, and other relevant items. Such documentation should provide management, auditors, and users with the materials needed to understand the system, should simplify maintenance of the system and its programs, should aid in the training of new personnel, and help prevent future system-related misunderstandings and troubles.

3. A console log that is produced daily, but not reviewed or retained, should be reviewed each evening by the EDP manager or internal auditor. It should be filed for later reference. These additional actions should allow improper or erroneous actions taken by the computer operators to be detected and promptly corrected. Retained daily logs allow past trends to be detected and needed changes in procedures to be instigated.

4. Program changes, currently initiated by the EDP manager and tested by the software vendor, should be subject to a revised change procedure. In this revised change procedure the program changes would be initiated by the users and undertaken by Sylvan Engineering employees who are assigned to maintain the programs. The changes should be tested by the programmers and reviewed by the EDP manager and users. Finally, the users should formally accept the revised programs by “signing off” on the changes. This revised change procedure should ensure that the users are not surprised and perhaps disappointed with the changed programs.

5. User passwords, not currently employed, should be assigned and required in order to gain entry to the computer system. Passwords should be changed periodically, as appropriate, based on the sensitivity of the data. The use of passwords should prevent unauthorized access to sensitive information and prevent manipulation of data and programs.

6. A long-range systems plan, security committee, steering committee, and disaster recovery plan should be established. These plans and committees should enable Sylvan Engineering’s AIS to develop in an orderly and efficient manner without disastrous setbacks. Thus, the long-range plan should coordinate the orderly acquisition of resources, the steering committee should prioritize the development of new and improved system modules, the security committee should establish security measures and controls to prevent unauthorized accesses and changes to the computer system, and the disaster recovery plan should prevent undue losses and delays arising from unforeseen and unpreventable disasters.

CD 10-2.



a. Yes.

b. Yes.

c. No. This procedure is beyond the scope of the three segments being audited.

d. Yes.

e. Yes.

f. Yes.

g. Yes.

h. No. This procedure is beyond the scope of the three segments being audited.

i. Yes.

j. No. A certificate from the timekeeper does not provide valid evidence that absent employees are working for the firm.

k. No. Reviewing personnel files might be appropriate in some portions of a payroll audit, but is outside the scope of the three segments being audited.

l. No. Procedures for payroll check signing involve internal controls over disbursement and fall outside the scope of the three segments being audited.

m. No. This procedure is beyond the scope of the three segments being audited.

CD 10-3. (Adapted from the Certified Internal Auditor Examination, May 1995, Part I, Questions 53-55, 57, 59)

a. The auditor behaved ethically. He/she followed up the matter with appropriate personnel within the organization and reached a conclusion that no fraud was involved, and that the firm did not violate the government contract. The auditor also communicated the legal counsel’s decision to management.

b. A scope limitation from the management that will affect the internal auditing department’s ability to meet its goals and objectives is a matter of serious concern. With such a scope limitation, the very purpose of the audit is compromised. Consequently, it is essential that the internal audit department communicates, preferably in writing, with the board of directors.

c. A code of conduct with severe deficiencies would affect the entire organization. This is a matter of serious concern and should be communicated by the auditor to the management in a formal report.

d. The auditor behaved ethically. As a professional, every internal auditor should be interested in continuing education and research that would enhance his/her professional knowledge, skills, and attitudes. In doing so, both the auditor and employers (or clients) would benefit. Also, the auditor is not using any practices or procedures of the former employer that were considered highly confidential or for the firm’s use only.

e. Since the management has not taken actions, except in a superficial manner, and since their attempt is to cover up the situation, this major violation needs to be brought to the attention of a higher level of management within the firm. The internal audit department should immediately report the circumstances and the information systems auditor’s findings to the audit committee.

CD 10-4. (Adapted from the Certified Internal Auditor Examination, November 1988, Part I, Question No. 54.)

Principle Violated: Explanation of Violation

1. Honesty principle: The false sign-off in the interim report as to the computer check of the data base was a dishonest act. Also, the false information on his application for employment was a dishonest act.

2. Loyalty principle: Not providing information promptly concerning the situation involved misplaced loyalty. In spite of sympathy for the manager, the auditor owed primary loyalty to the top management and should have advised them immediately of the situation.

3. Conflict of interest principle: By considering whether to join the illicit conspiracy, and to receive funds for his silence, Brown violated the conflict of interest principle. He should have immediately rejected the overture.

4. Professional development and competence principle: By not continuing his professional development, especially with respect to the familiarity with computers and audits of computer systems, Brown violated the principle that professionals should continually undertake professional development and should display an adequate level of competence.

CD 10-5.

a. Note: “Ethic” should read “ethnic.” Generalized audit software, such as ACL, can provide extensive evidence cost effectively. First, all of the exception conditions should be determined. These may be in terms of limits of data element values (age, for example) or a relationship between two data elements, or a sum total of the entire group or subgroup(s) defined using specified criteria (e.g., all employees over 62 years of age as of a certain date). Ethnic classification can be compared with country of birth, family name, and other criteria helpful to verify the appropriateness of classification.

b. Computer-generated invoices should be verifiable using electronic copies of receiving reports and authorized price lists (or approved prices). The workflow arrangement within the accounts payable imaging system would provide for the controller to review all related evidence online (although not in hardcopy form) prior to approval of invoices for payment. The auditors should use the same procedures to perform tests of transactions and verify appropriateness of procedures.
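The three kinds of exception condition named in part a (a limit on a data element, a relationship between two data elements, and a subgroup total), sketched in Python as an added example. It is not from the solution manual and is not ACL's own scripting language; the employee records, the cut-off date, the 16 to 75 age limits and the reported control total are constructed assumptions.

```python
from datetime import date

# Constructed employee master file extract (illustrative data only).
EMPLOYEES = [
    {"id": "E001", "birth": date(1960, 3, 14), "hired": date(1985, 6, 1), "salary": 52000},
    {"id": "E002", "birth": date(1921, 1, 2), "hired": date(1990, 9, 15), "salary": 61000},
    {"id": "E003", "birth": date(1975, 7, 30), "hired": date(1988, 2, 1), "salary": 48000},
    {"id": "E004", "birth": date(1936, 11, 5), "hired": date(1970, 4, 20), "salary": 75000},
    {"id": "E005", "birth": date(1999, 12, 31), "hired": date(1998, 5, 5), "salary": 30000},
]

AS_OF = date(2000, 12, 31)   # assumed audit cut-off date
MIN_AGE, MAX_AGE = 16, 75    # assumed plausibility limits for employee age
# Assumed control total taken from a separate personnel report.
REPORTED_OVER_62 = {"count": 3, "salary": 190000}


def years_between(start, end):
    """Whole years from start to end, rounded down (negative if end precedes start)."""
    return end.year - start.year - ((end.month, end.day) < (start.month, start.day))


def limit_exceptions(records, as_of=AS_OF):
    """Limit test: age at the cut-off date falls outside MIN_AGE..MAX_AGE."""
    out = []
    for r in records:
        age = years_between(r["birth"], as_of)
        if not MIN_AGE <= age <= MAX_AGE:
            out.append((r["id"], age))
    return out


def relationship_exceptions(records):
    """Relationship test between two fields: hire date versus birth date."""
    out = []
    for r in records:
        age_at_hire = years_between(r["birth"], r["hired"])
        if age_at_hire < MIN_AGE:
            out.append((r["id"], age_at_hire))
    return out


def subgroup_total(records, min_age, as_of=AS_OF):
    """Count and salary total for employees older than min_age at the cut-off."""
    group = [r for r in records if years_between(r["birth"], as_of) > min_age]
    return len(group), sum(r["salary"] for r in group)


def reconcile_over_62(records, reported=REPORTED_OVER_62):
    """Difference between the recomputed subgroup total and the reported one."""
    count, salary = subgroup_total(records, 62)
    return {"count_diff": count - reported["count"],
            "salary_diff": salary - reported["salary"]}


if __name__ == "__main__":
    print("Limit exceptions:", limit_exceptions(EMPLOYEES))
    print("Relationship exceptions:", relationship_exceptions(EMPLOYEES))
    print("Over-62 reconciliation:", reconcile_over_62(EMPLOYEES))
```

Each exception is a lead for follow-up rather than a finding: a record can fail because the master file is wrong or because the assumed limit does not fit the client.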



c. Every scanned document should be indexed and assigned a unique identifying number. This should be used across both SAP- and non-SAP based systems.

d. Processing bottlenecks may arise on account of various reasons. Some of these may have to do with hardware (speed, memory availability, storage space, etc.), systems software, application software (number of errors and exceptions, and handling of exceptions or errors: is the processing halted or continued?), and data (are they sorted, edited, and complete?). If the systems configuration is appropriate, it would make sense to focus on the characteristics of the application and data involved in payroll processing.

e. The internal auditor should investigate the concern, looking for evidence for the nature and extent of fraudulent activity, if any. The audit committee should be informed of the suspicion and the fact that an investigation is in progress. The audit procedures in this case would include the verification of expenditure approvals of various limits below and above $50,000 for specific product lines (and perhaps for all product lines), examination of policies and procedures believed to be in place, and tests of any programmed checks in the purchase order application.

f. The key here is the access control list for each of the databases. Who has access and what the user can do (modify, read, display?) to the data values are important facts to verify. Also, who manages the access control lists, and the procedures used to consider and implement revisions to such lists are important controls to investigate in this case.

For a systematic response to the question, how much control should be built into the purchasing application system, it is necessary to develop a matrix of risks and controls that address the risks. Any overlaps in the scope of controls should be reviewed for the need for redundancy. Also, compensating controls should be identified and reviewed for determining if we can live without some of the controls identified earlier. Cost effectiveness of each control as well as all controls combined would be necessary to measure and review for the final decision on controls.
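One way to carry out the access control list review described in part f, as an added Python example that is not part of the solution manual. The ACL export, the user names, the authorization record and the `manage_acl` permission label are constructed assumptions, and the final check (ACL managers who can also modify data) is an extra test this example adds to the review.

```python
import csv
import io
from collections import defaultdict

# Constructed ACL export (database, user, permission); not from the page.
ACL_EXPORT = """database,user,permission
vendors,alice,read
vendors,alice,modify
vendors,bob,read
purchasing,bob,modify
purchasing,carol,display
purchasing,dave,modify
vendors,erin,manage_acl
purchasing,erin,manage_acl
purchasing,erin,modify
"""

# Constructed record of what management has authorized per database and user.
AUTHORIZED = {
    ("vendors", "alice"): {"read", "modify"},
    ("vendors", "bob"): {"read"},
    ("purchasing", "bob"): {"read"},
    ("purchasing", "carol"): {"display"},
    ("vendors", "erin"): {"manage_acl"},
    ("purchasing", "erin"): {"manage_acl"},
}


def load_acl(text):
    """Parse the export into {(database, user): set(permissions)}."""
    rights = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        rights[(row["database"], row["user"])].add(row["permission"])
    return dict(rights)


def unauthorized_grants(rights, authorized):
    """Permissions present in the ACL that management never authorized."""
    findings = []
    for (db, user), perms in rights.items():
        for perm in perms - authorized.get((db, user), set()):
            findings.append((db, user, perm))
    return sorted(findings)


def acl_managers(rights):
    """Who can change each database's access control list."""
    managers = defaultdict(list)
    for (db, user), perms in rights.items():
        if "manage_acl" in perms:
            managers[db].append(user)
    return {db: sorted(users) for db, users in managers.items()}


def managers_who_modify(rights):
    """ACL managers who can also modify data in the same database."""
    return sorted((db, user) for (db, user), perms in rights.items()
                  if {"manage_acl", "modify"} <= perms)


if __name__ == "__main__":
    acl = load_acl(ACL_EXPORT)
    print("Unauthorized grants:", unauthorized_grants(acl, AUTHORIZED))
    print("ACL managers:", acl_managers(acl))
    print("Managers with modify rights:", managers_who_modify(acl))
```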

g. Only copy 1 is legal. Keeping a backup copy is entirely appropriate, according to the Software Publishers Association (SPA).

h. Elements of World Wide Web policies are likely to include: Access authorization, use for work purposes only, recommendation regarding sites to avoid (nudity and sexual content, for example), respecting/observing copyrights of the web content accessed and used, policy regarding what can be downloaded. Other issues involve dealing with computer viruses, computer hacking, illegal activities on the web, and promotion using spam. For the firm’s own site, content management, protection measures to ensure that site content cannot be changed by unauthorized users, and navigation paths for external users and internal users are among the many factors to consider.

Elements of e-mail policies are likely to include: Use of e-mail facility for authorized purposes, how to handle attachments (especially executable files), software downloads (Do’s and Don’ts), and use of appropriate language.

i. Audit procedures to ensure that applications are properly documented include the following:

CD 10-6.

a. Controls the auditor should recommend include the following:

1. Use and maintenance of firewalls.

2. Encryption of sensitive data traveling through the network.

3. Isolation of incoming data. Such data should be screened before use.

4. User identification and authentication policies and procedures.

a. Information available to prospective customers on Sterling’s site: Company profile, Management, Offices, Products and sales, contact phone numbers/addresses, etc. Although one might get some idea about the nature of the product and its users, it is difficult to assess a software product by reviewing only the web-based information. Put differently, there is not enough information to evaluate a product for its appropriateness to a firm’s needs, and certainly, much more information would be needed to conduct feasibility studies (such as financial feasibility, technical feasibility, and operational feasibility).

b. Security measures for salespersons’ laptops should include the following:

1. No personal software or data to be loaded on the laptop.

2. No software, including company owned software, should be loaded without authorization.

3. Every laptop should have an active virus detection and treatment system.

4. All data coming through the laptops should be isolated, screened, and then used.

c. In testing timely acknowledgments, the auditors are attempting to address the following risks: Loss of transactions during the communication. Risk of transactions reaching wrong or unintended parties. Risk of incomplete or inadequate transmission. Possibility of non-existence of a trading partner. Absence of timeliness of data communication.

d. Advice to the auditors using ITF: Prepare a sound plan before starting. Keep all affected parties informed. ITF exercises are costly; therefore, think of all controls to be tested beforehand. Plan on retrieving the effects of test data from the system. Communicate results to affected/interested parties so the system can be improved.

e. The type of arrangement to recover within 24 to 48 hours would typically include a complete backup of all resources and components of the affected system. Data should be frequently backed up, and mirroring should be used along with redundant equipment. A “hot site” ready to take over in the event of a disaster and consequent loss of the system should also be considered. The policy should include elements such as: responsibility assignments in the event of a failure; sequence of steps to take; people involved and their phone numbers, e-mail addresses, etc.

CDM 2-1.

a. The more complex the organization, the greater the degree of uncertainty in decision making. Generally, this translates into decentralization of decision making at the level that is closest to the scene. This means that middle and lower level managers and even workers may be involved in making timely and effective decisions.

b. Advantages of group decision making include: Rapid communication of up-to-date information among group members (resulting in timely and more effective decisions); sense of involvement through participative management; immediate response to variances or problem situations, thus preventing any further losses; and innovation in processes through creativity of the group members.

Disadvantages of group decision making include: Increased need for coordination and communication; increased cost of group time and communication; accountability of decision effectiveness (Who is ultimately responsible?); and unwillingness or reluctance of some employees toward the participative process of management.

c. Criteria to determine if a group should be involved in a decision include: Multidimensional decision; project-based work; processes that are linked, with preceding processes affecting the performance of those that follow; and the need for multiple skills in making the decision on hand.

d. Types of group decision support systems software available include the following:

1. Electronic calendaring/scheduling software that will automatically arrange the activities of the group, avoiding conflicts and coordinating schedules.

2. Group document management software permits documents to be scanned into a computer that is often part of a client/server network. This permits sharing of information in a paperless environment without any constraints of time or place.

3. Workgroup utilities and development software. This category of software permits the group to support its decision process in making effective decisions. Examples are electronic brainstorming utility software, and meeting/conferencing support tools (e.g., videoconferencing).

CDM 2-2. (Adapted from Certified Management Accountant Examinations, Part 4, December 1993, Question Number 6)

a. The purpose of a management information system is to collect, process, and integrate data from various sources in order to provide information that is useful to all levels of management in planning and controlling activities of an organization. The characteristics of a management information system include an orientation to decision making.

b. A description of the characteristics of the three operational support systems and an example of each is presented below.

1. Real-time systems process data from on-going operations almost immediately as the data are entered into the computer. Data are analyzed and processed with the data bases being updated and making current information available while the operations are in progress. Typical features of real-time accounting applications include (1) on-line input and processing of information that uses direct-access files so that data stored within the computer system can be retrieved directly and immediately from on-line storage, and (2) time-sharing so that different users can obtain information simultaneously from the computer system. An example of a real-time system is an airline reservation system.

2. Interactive systems are real-time systems that allow users to converse or dialogue with a computer. This enables users to answer processing questions or provide additional data or instructions. An example of an interactive system is a production and inventory control system.

3. Communication-based systems are systems whose functions are to receive inquiries or transaction data from individuals at remote locations, to transmit the received inputs to a central computer location for processing, and to re-transmit the processed information back to remote locations for decision-making purposes. An example of a communication-based system is a network of minicomputers located at various locations of a retail chain that transmit data to the central mainframe.

c. Decision support systems. The purpose of a decision support system (DSS) is to improve the efficiency and effectiveness of managerial decisions in the areas of planning and forecasting. The characteristics and capabilities of DSS include (1) the handling of unstructured problems and non-routine data. DSS are aimed at relatively unstructured problems, and (2) simulation, wherein probabilities and expectations are used to simulate a particular situation.

Expert systems. Expert systems are artificial intelligence software packages that use facts, knowledge, and reasoning techniques to solve problems that typically require human expert abilities. The purposes of expert systems are varied, including assisting in learning, helping to train decision makers, and even making decisions. The characteristics and capabilities of expert systems include (1) tracing logic: Most expert systems must be able to retrace the logic they followed to reach a conclusion, and usually are also required to communicate this to users on display screens or printed output. Thus at any given point during a session, a user is able to input an answer to a question, ask the system why it is asking the question, and at the end, ask how a conclusion was reached, and (2) certainty factors: The data input to most operational systems (and some decision support systems) are known with certainty and therefore, treated as constants. In contrast, expert systems allow users to assign probability factors to data (i.e., a given situation or event is likely to occur a specified percentage of the time).

Neural network systems. Neural networks (NNs) process data the way the brain processes data - in a parallel processing mode. Whereas an expert system is developed from knowledge extracted from an expert, a neural network derives its knowledge from examples of historic data. A neural network consists of many processing elements joined together to form a network that can process multiple operations simultaneously. NNs solve problems by recognizing patterns in data that may be too subtle or complex for humans or other types of computer methods to discern.

d. Accounting applications of:

1. Decision support systems: Making of reservations by an airline; checking of credit by a discount store; selecting a new plant site by a large microcomputer manufacturer.

2. Expert systems: Deciding whether to accept a prospective audit; determining if a firm qualifies for Subchapter S tax status; accounting for contingencies (FAS No. 5).

3. Neural network systems: Detecting credit card fraud; predicting bankruptcies; interpreting audit evidence.

CDM 2-3.

A. 1. In a business environment, a group is two or more people who interact regularly to accomplish a common purpose and who are differentiated in some manner from others around them. Membership in the group can be by choice or assignment.

2. At least two examples of groups are a
• cross-functional work team
• quality circle

At least two advantages and at least two disadvantages of groups include the following.

Advantages
• More information and knowledge are available.
• Better understanding of the decisions and willingness to abide by them due to a feeling of more control and influence by members.

Disadvantages
• Compromise of decisions resulting from indecisiveness may emerge.
• Majority pressure within a group to accept secessions which can generate disagreement and dissension.

B. The general reasons why authority is delegated include
• balancing the workload to reduce the burden on management, as they cannot perform every task.
• creating greater commitment at lower levels due to participation in the process.
• quicker decision making by people closer to the facts that exist and where decisions will be implemented, thereby producing better decisions.

C. 1. Definitions of the three types of power are as follows: Legitimate power is derived from being appointed or elected to a formal position. Power is based on the acceptance of the manager’s right to delegate, control, reward, and punish. Referent power comes from the manager’s reputation or charisma and the subordinate’s identification with the superior. Expert power is derived, as the individual is perceived to have expertise and experience in a particular field.

2. Each of these specific types of power should be represented by the members selected for Adult Recreation Inc. (ARI) in order for the group to be effective. Some specific reasons for comprehending each of these types of power in the group are as follows.
• Due to the impact on ARI’s revenue and profits, a high-ranking member of the organization should be assigned to provide management’s endorsement of the group.
• As the group will cross organizational lines it would be beneficial to have an executive who could provide referent power to facilitate a strong working relationship within the group.
• To assure that all facets of the situation are considered, there should be members who are expert in their specialized fields, such as finance, sales, market research, etc.

CDM 2-4. (Adapted from Certified Internal Auditor Examinations)

a. End-user computing:

Advantages: Permits end-user to access information according to his (her) needs. Information can be accessed any time, any place, without any need for assistance from information systems staff. End-user productivity can be expected to increase. The end-user effectiveness in making decisions could also improve.

Disadvantages: Additional costs of hardware, software, and communication will have to be incurred. Additional end-user training will be necessary to use the system. Risk exposures due to widespread distribution of system functions would increase.

b. Teleconferencing:

Advantages: Travel time and costs would be reduced. Management productivity would increase. Interactive mode of decision-making is maintained.

Disadvantages: Additional costs of equipment (lease, rent, or own); costs of communication and staff necessary to support such systems. Possibility of system failures, resulting in cancellation of meetings (or the group may move to another system, such as audio conferencing).

c. Telecommuting:

Advantages: Saving in time and cost of travel. Increase in employee productivity. Savings in administrative costs, such as office rent.

Disadvantages: Loss of touch with other employees (although some contact can be maintained electronically). Increased need for coordination. Some degree of loss of control over “office in the home.”
