Group 2 AIS Chapter 6 Relational Databases and SQL

Business Intelligence (BI)
Business intelligence provides analytical and reporting capability for analyzing data warehouses and helps managers make the best possible decisions for their companies; it is designed to support managers in making tactical, strategic, and data-driven decisions. Unlike the enterprise systems discussed in the previous chapter, which primarily support a company's day-to-day operations and transactions, BI parses all of the business's data and presents easily digested reports, performance measures, and trends that inform management decisions. BI is best seen as a natural extension of enterprise systems rather than a completely new development, because it is often installed into an existing ERP as an additional module.
BI can also improve internal control over spreadsheets. If data from an enterprise system are transferred into a spreadsheet that is not an integrated part of the enterprise system, numerous errors can enter that spreadsheet unnoticed. By bringing spreadsheet use inside the integrated system, BI increases the control a company can exert over spreadsheet use, which in turn supports compliance with Section 404 of the Sarbanes-Oxley Act.

BI in the Era of Big Data
In the era of big data, business analytics was developed: a set of disciplines and technologies for solving business problems using data analysis, statistical models, and other quantitative methods. It is also used to detect fraud in near real time, and advanced business analytics can predict future occurrences of fraud. The two major BI developments in the era of big data are real-time analytics and predictive analytics.
Real-Time Analytics
Real-time analytics encompasses the technology and processes that enable users to act on data the moment it enters the database, typically by using in-memory databases. For example, companies use real-time analytics to monitor how data is accessed, spot unusual or suspicious activity, and shut down intruders and data thieves before data is lost or the security problem grows.

Predictive Analytics
Predictive analytics is similar to the "precrime" prediction tool in the movie Minority Report, where agents use it to visualize future murders. In simple words, it is the use of historical data to forecast future trends, events, and potential scenarios in order to drive strategic decisions. For example, a hotel uses predictive analytics by developing multiple regression models that consider several factors to determine the number of staff needed at a specific time, avoiding both overstaffing and understaffing: overstaffing costs too much, while understaffing causes a bad customer experience, overworked employees, and costly mistakes.

Health Care Fraud
In 2009, health care fraud in the United States was estimated to cost $125–$175 billion annually, the second largest component of healthcare spending. Currently, however, only 3 to 5 percent of healthcare fraud is detected, so only a small fraction of the lost money is recovered. Healthcare organizations and government agencies must take advantage of big data and business analytics, which can review large volumes of healthcare claims and related billing information for indicators of fraud, using pattern tracking, anomaly detection, and correlation analysis that can be run in real time and near-real time.
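The claim-review techniques just listed (pattern tracking and anomaly detection over billing data), worked through as an added example that is not from the textbook. It builds a small CLAIM table in SQLite (Python's standard library), aggregates each provider's average charge with SQL, and flags providers whose average is a robust outlier against their peers; the table layout, column names, provider and patient identifiers, procedure code OV1 and all amounts are constructed for the example.

```python
"""Anomaly detection and pattern tracking over healthcare claims with embedded SQL.
Added example, not from the textbook: the CLAIM table, its column names, the provider and
patient identifiers, procedure code OV1 and every amount are constructed for illustration."""
import sqlite3
import statistics

# Constructed sample claims: (provider, patient, procedure, amount, date). Five providers bill
# about 100 for OV1; P6 bills 400 and bills the same patient twice for the same visit.
SAMPLE_CLAIMS = [
    ("P1", "A1", "OV1", 95.0, "2024-03-01"), ("P1", "A2", "OV1", 95.0, "2024-03-02"),
    ("P2", "B1", "OV1", 100.0, "2024-03-01"), ("P2", "B2", "OV1", 100.0, "2024-03-02"),
    ("P3", "C1", "OV1", 105.0, "2024-03-01"), ("P3", "C2", "OV1", 105.0, "2024-03-02"),
    ("P4", "D1", "OV1", 98.0, "2024-03-01"), ("P4", "D2", "OV1", 98.0, "2024-03-02"),
    ("P5", "E1", "OV1", 102.0, "2024-03-01"), ("P5", "E2", "OV1", 102.0, "2024-03-02"),
    ("P6", "X7", "OV1", 400.0, "2024-03-01"), ("P6", "X7", "OV1", 400.0, "2024-03-01"),
]

def load_claims(rows=SAMPLE_CLAIMS) -> sqlite3.Connection:
    """Build an in-memory CLAIM table and load the rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE CLAIM (
        Claim_No       INTEGER PRIMARY KEY,
        Provider_ID    CHAR(4)  NOT NULL,
        Patient_ID     CHAR(4)  NOT NULL,
        Procedure_Code CHAR(5)  NOT NULL,
        Amount         FLOAT    NOT NULL,
        Claim_Date     CHAR(10) NOT NULL)""")
    conn.executemany("INSERT INTO CLAIM (Provider_ID, Patient_ID, Procedure_Code, Amount, Claim_Date) "
                     "VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn

def flag_outlier_providers(conn, procedure_code, threshold=3.5):
    """Anomaly detection: providers whose average charge for one procedure is a robust outlier.
    Uses the modified z-score, 0.6745 * |x - median| / MAD, instead of mean and standard
    deviation, because one large biller inflates the standard deviation and can hide itself."""
    avgs = conn.execute("SELECT Provider_ID, AVG(Amount) FROM CLAIM WHERE Procedure_Code = ? "
                        "GROUP BY Provider_ID", (procedure_code,)).fetchall()
    if not avgs:
        return []
    values = [a for _, a in avgs]
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    if mad == 0:   # peers identical: any departure from the median is anomalous
        return sorted(p for p, a in avgs if a != med)
    return sorted(p for p, a in avgs if 0.6745 * abs(a - med) / mad > threshold)

def flag_duplicate_claims(conn):
    """Pattern tracking: the same provider billing the same patient for the same procedure on
    the same day more than once (possible duplicate billing)."""
    return conn.execute("""
        SELECT Provider_ID, Patient_ID, Procedure_Code, Claim_Date, COUNT(*)
        FROM CLAIM
        GROUP BY Provider_ID, Patient_ID, Procedure_Code, Claim_Date
        HAVING COUNT(*) > 1
        ORDER BY Provider_ID, Patient_ID, Claim_Date""").fetchall()

if __name__ == "__main__":
    db = load_claims()
    print("outlier providers:", flag_outlier_providers(db, "OV1"))   # ['P6']
    print("duplicate claims:", flag_duplicate_claims(db))
```

The outlier test uses the median and median absolute deviation rather than the mean and standard deviation: with the sample here, a single provider billing four times the going rate inflates the standard deviation so much that its ordinary z-score is only about 2.2, below a typical cut-off of 3, while the robust score is well above 3.5. The duplicate query is the pattern-tracking half: same provider, patient, procedure and day more than once. In production the same two queries would run over a near-real-time claims feed rather than an in-memory table.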
REA Modeling

Entities and Attributes
An entity is something about which data is collected. In an accounting system, entities are classified (REA) as resources, which have economic value to the organization, like merchandise inventory, equipment, and cash; events, or business activities, like sales orders and purchases; or agents, the people and organizations involved, such as customers and employees.
An instance of an entity is one specific thing of the type the entity defines. For example, Andrew and Kathy are employees, so they are instances of the EMPLOYEE entity; Manila and Quezon City are instances of the entity CITY.
Data models describe entities by capturing their essential characteristics and are used to identify user requirements for data in a database.
An attribute is an item of data that characterizes an entity or relationship. Example: EMPLOYEE has the attributes Name, Address, Birthdate (Age), and Salary.
A key attribute is an attribute whose value is unique for every entity that will ever appear in the database and is the most meaningful way of identifying each entity.
(Pic of Attribute hierarchy for the Entity CLIENT)
(Pic of Symbols Used in E-R and REA Diagrams)

Relationships
Relationships are the associations between entities. The entities in the database must be able to represent logically the relationships that exist among them, so that the stored data are available to users who want to reconstruct descriptions of various business events; this is done through relationship mapping.
Three-step strategy:
1. Identify users' existing and desired information requirements to determine whether relationships in the data model can fulfil those requirements.
2. Evaluate each of the entities in pairs to determine which entity in the pair provides a better location to include an attribute.
3. Evaluate each entity to determine if there would be any need for two occurrences of the same entity type to be linked.
(Pic of Relationship Types in the REA Model of the Client-Billing Business Process)
The relationship Supervises is a recursive relationship: it occurs between two different instances of the same entity (one EMPLOYEE supervises other EMPLOYEEs).

Model Constraints
Here we explore the different relationships and identify the constraints used to specify them. Three relationship types:
1. 1:N (one-to-many)
2. M:N (many-to-many)
3. 1:1 (one-to-one)
Cardinality, the maximum number of instances of one entity that can be associated with a single instance of the other, is the most common constraint specified in E-R diagrams. The participation constraint specifies the minimum participation of one entity in the relationship with the other entity. This constraint is either 1 or 0, meaning that a relationship between the two entities is either mandatory (1) or optional (0).
(Pic of Relationship Constraints in the Client Billing Business Process)

REA Data Models and E-R Diagrams
Relational Databases
● Relational Database Concepts
● Mapping an REA Model to a Relational DBMS
—--------------------------------------------------------
REA Data Models and E-R Diagrams
REA Model Components
● The data included in the exchange.
○ Resources are the assets of a business.
■ They are scarce economic resources within the control of the entity concerned. Examples of economic resources are cash and cash equivalents and property, plant, and equipment. In the REA model, however, accounts receivable are not regarded as resources; they are claims that can be derived from the recorded sale and cash-receipt events.
○ Events are activities that change economic resources.
■ They result from production, exchange, consumption, and distribution.
■ For example, a sale changes the entity's economic resources: inventory decreases, and the related cash receipt increases cash and cash equivalents, with revenue recognized as a result. Economic events are therefore the critical aspect of the REA model.
○ Agents are people that are involved in an economic event.
■ Economic agents have the power to use or dispose of economic resources.
■ These agents can be within or outside an organization.
■ Examples of agents include sales clerks, production workers, shipping clerks, customers, and vendors.

RECAP: Resources, Events, Agents (REA) Models
● The REA data model was developed specifically for use in designing accounting information systems.
○ It is still more a theoretical model than a practical one, as most accounting information systems keep the classical accounting style of double entry and ledgers.
■ Debits and credits are not the focus and are not required.
○ The data are collected and stored in a database that can then be used to produce reports and financial statements.
■ How? Since REA databases do not employ journals and ledgers, how can they support financial statement reporting?
■ Journals, ledgers, and double-entry bookkeeping are the traditional mechanisms for formatting and transmitting accounting data, but they are not essential elements of an accounting database.
■ REA systems capture the essence of what accountants account for by modeling the underlying economic phenomena directly.
■ Organizations employing REA can thus produce financial statements, journals, ledgers, and double-entry accounting reports directly from event database tables via user views.
○ It is used for financial events and transactions, and it focuses on the business semantics underlying an organization's value chain activities.
○ A value chain is a step-by-step business model for transforming a product or service from idea to reality.
○ Value chains help increase a business's efficiency so the business can deliver the most value for the least possible cost.
○ The end goal of a value chain is to create a competitive advantage for a company by increasing productivity while keeping costs reasonable.
○ Value-chain theory analyzes a firm's five primary activities and four support activities.
● REA provides guidance for identifying the entities to be included in a database and for structuring the relationships among them.
● A fundamental requirement for moving toward an event-driven model such as REA is the complete integration of data related to an organization's business events.

Entity Relationship (ER) Diagrams
● A graphical representation that depicts relationships among people, objects, places, concepts, or events within an information technology (IT) system.
● A model of how an accounting system can be re-engineered for the computer age.
○ Entity relationship diagrams provide a visual starting point for database design that can also be used to help determine information system requirements throughout an organization.
○ For example, an ERD representing the information system for a company's sales department might start with graphical representations of entities such as the sales representative, the customer, the customer's address, the customer's order, the product, and the warehouse.
○ Lines or other symbols then represent the relationships between entities, and text labels those relationships.

Main Objectives in the Development of Resources, Events, Agents (REA) Models
1. To identify the data required by managers and other users to perform effectively, and
a. to incorporate easily both financial and non-financial data, and both accounting and non-accounting data.
2. To integrate the data in a way that allows those users to access the information they need efficiently.

INTEGRATION OF TWO BUSINESS PROCESSES
1. Client Billing
○ For service organizations such as public accounting or consultancy firms. The database must:
i. track the person-hours spent by each employee;
ii. record each employee's work for a specific client;
iii. capture data about all employees who provided client services;
iv. aggregate each employee's time worked, each employee's billing rate, and sufficient information about the client to deliver the billing statement.
○ Three entities are involved in the billing process:
i. the agent EMPLOYEE,
ii. the agent CLIENT, and
iii. the event WORK_COMPLETED.
○ A second illustration, a computer sales process: when a customer places an order, the sales clerk checks the availability of the product, prepares the sales order and other documents, updates the affected accounts, ships the product, and receives cash. An REA diagram does not show all of these accounting details; only the important activities are shown.
■ The important activities to record are: Customer places order with Sales Clerk; Warehouse Employee ships the product to Customer; Customer makes the payment (by check) to Cash Receipts Clerk.
■ The resources are Computer Inventory and Cash. (Customers may pay by credit card, online payment, or check; all of these can be treated as the one Cash entity.)
■ The events are Place Order, Ship Product, and Receive Payment.
■ The agents are Customer, Sales Clerk, Warehouse Employee, and Cash Receipts Clerk.
2. Human Resources
● Service businesses also track employee work activities as part of the human resources process.
● The human resources process includes payroll activities, employee education and development, and other activities.
○ In REA terms, the HR business process is identified (Fig. 2) as a special case of the acquisition/payment cycle, consisting of four key business events: labor requisition, labor schedule, labor acquisition, and cash disbursement [7].
● Two additional entities, RELEASE_TIME and TRAINING_COMPLETED, are added to the model, which also includes the previously identified agent entity EMPLOYEE and event entity WORK_COMPLETED.
● These four entities enable the database to aggregate the information it needs to determine the employee's pay rate, hours worked, hours spent in training, and hours of sick time and vacation time used.
○ The human resources department needs information about employee education and development so it can monitor training activities and ensure that each employee receives enough continuing education to comply with state licensing requirements and the firm's policies.
○ Human resources also monitors the percentage of billable hours an employee has accumulated as a measure of job performance. To do this, human resources must be able to link data about completed work activities and training programs to specific employees. This information can be drawn from the agent entity EMPLOYEE, the event entity TRAINING_COMPLETED, and the event entity WORK_COMPLETED. Human resources can use it to accumulate a given employee's training record and to calculate the percentage of that employee's hours worked that were billable.
● The REA data model will continue to expand through an explosion of entities and relationships. Many organizations have moved toward the integration of all data across the organization.
● Use of the REA approach can yield:
○ more efficient operations, by helping identify non-value-added activities and by storing financial and nonfinancial data in the same central database, and greater support for management decisions;
○ increased productivity through the elimination of non-value-added activities;
○ competitive advantages.

Relational Databases
Legacy Systems
● Systems that have existed in an organization over a long period of time and were developed using the organization's previous computer hardware and software platforms.
○ A legacy system is software that was created many years ago but continues to work on older technologies reasonably well.
○ It is implemented on old technologies and platforms.
○ Outdated development, design, and architecture approaches are used.
○ There are no unit or integration tests.
○ The system is difficult to change.
○ The system breaks down unexpectedly.
○ Bad, unreadable code calls into question the operation of the entire system.
○ Routine operations are not automated, which periodically leads to the same kinds of errors and concentrates knowledge of the system in a few team members (a low "bus factor"). The more such knowledge is concentrated, the harder it becomes to continue developing the project after those team members are replaced by others.
○ The system and infrastructure are not properly documented.
● HOW SYSTEMS BECOME LEGACY
○ Since the launch of the system, many new innovations have appeared, but the system continues to run on older technologies and platforms.
○ The team that created the system could not cope with the task because of low technical competence, and now the project is dead weight.
○ As in the previous case, the system was created without a proper technical knowledge base, but it was launched and, in general, it works.

Relational Database Concepts
● Relational databases are usually perceived by users as a collection of tables.
● A relation (table) is a collection of data representing multiple occurrences of a resource, event, or agent.
● A tuple (row) is a set of data that describes a single instance of the entity represented by a relation (e.g., one employee is an instance of the EMPLOYEE relation).
○ Each tuple must be distinct from all other tuples, so that every tuple in a relation can be identified uniquely by a single attribute or some combination of attributes (the primary key).
● A relational database is a type of database that stores and provides access to data points that are related to one another. Relational databases are based on the relational model, an intuitive, straightforward way of representing data in tables. In a relational database, each row in a table is a record with a unique identifier called the key.
The columns of the table hold the attributes of the data, and each record usually has a value for each attribute, which makes it easy to establish the relationships among data points.

Referential Integrity
● Specifies that for every attribute value in one relation that refers to another relation (a foreign key), the tuple being referenced must exist and remain intact: a referenced row cannot be deleted, or its key changed, while other rows still point to it.
○ To ensure that data are always accurate and accessible, relational databases follow certain integrity rules. For example, an integrity rule can specify that duplicate rows are not allowed in a table, eliminating one way for erroneous information to enter the database.
○ Relational model and data consistency
■ The relational model is the best at maintaining data consistency across applications and database copies (called instances). For example, when a customer deposits money at an ATM and then looks at the account balance on a mobile phone, the customer expects to see that deposit reflected immediately in an updated account balance. Relational databases excel at this kind of consistency, ensuring that multiple instances of a database have the same data all the time.

Mapping a REA Model to a Relational DBMS
● Put the two concepts together: map the REA model onto a logical database model.
1. Create a separate relational table for each entity.
a. First, specify the database schema.
2. Determine the primary key for each of the relations.
a. The primary key must uniquely identify any row within the table.
3. Determine the attributes for each of the entities.
a. The key attribute specified in the REA model is matched to the corresponding attribute in the relation.
4. Implement the relationships among the entities.
a. The mapping of the relationships in the model to relationships in the relational schema is straightforward:
i. One-to-many (1:N or N:1) relationships, e.g., Sales (many) and Cash Receipts (one).
1. A one-to-many relationship is a type of cardinality between two entities in an entity-relationship diagram (between two tables in a database) in which one instance on one side is associated with many instances on the other.
2. A simple example is the relationship between the entities order and item: each order may contain multiple items, but a given item (e.g., a TV) is delivered within a single order. The key of the "one" side is posted as a foreign key into the table on the "many" side.
ii. One-to-one (1:1) relationships, e.g., Sales and Cash Receipts when each sale is settled by exactly one receipt and each receipt settles exactly one sale.
1. A one-to-one relationship associates one instance of one entity with at most one instance of the other.
2. A simple example is the relationship between the entities person and birth_certificate: each person has exactly one birth certificate. The key of either table may be posted into the other.
iii. Many-to-many (M:N) relationships, e.g., Sales (many) and Cash Receipts (many), when one receipt can settle several sales and one sale can be settled by several receipts.
1. A many-to-many relationship associates many instances of each entity with many instances of the other. A simple example is the relationship between the entities student and course: each student can take multiple courses and each course has multiple students. It cannot be implemented by posting a key into either table; it requires a separate relationship table whose primary key combines the two entities' keys.
5. Determine the attributes, if any, for each of the relationship tables.

Benefits of a relational database management system
The simple yet powerful relational model is used by organizations of all types and sizes for a broad variety of information needs. Relational databases are used to track inventories, process e-commerce transactions, manage huge amounts of mission-critical customer information, and much more.
—--------------------------------------------------------
SQL: A Relational Database Query Language
SQL is a powerful database language that can be used to define database systems, query the database for information, generate reports from the database, and access databases from within programs using embedded SQL commands.
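The five mapping steps above, and the SQL commands this section goes on to describe (CREATE with NOT NULL and key constraints, INSERT, DELETE, UPDATE, and SELECT/FROM/WHERE with a join), carried through for the client-billing entities EMPLOYEE, CLIENT and WORK_COMPLETED as an added example; it is not code from the textbook. It uses Python's standard-library sqlite3 so that the SQL runs embedded in a program, as the sentence above mentions. The column names (Emp_No, Billing_Rate, Hours and so on), the SALE / CASH_RECEIPT / SALE_CASH_RECEIPT tables that stand in for the M:N case, and all sample rows are assumptions made for the example.

```python
"""Client-billing REA entities mapped to a relational schema and used through embedded SQL.
Added example, not from the textbook: column names, the SALE/CASH_RECEIPT tables that
stand in for the M:N case, and all rows are constructed. Uses the standard-library sqlite3."""
import sqlite3

SCHEMA = """
CREATE TABLE EMPLOYEE (                              -- agent entity
    Emp_No        INTEGER PRIMARY KEY,               -- key attribute: unique, never NULL
    Emp_Name      VARCHAR(40) NOT NULL,
    Billing_Rate  FLOAT NOT NULL,
    Supervisor_No INTEGER REFERENCES EMPLOYEE(Emp_No) -- recursive Supervises; nullable = optional (0)
);
CREATE TABLE CLIENT (                                -- agent entity
    Client_No   INTEGER PRIMARY KEY,
    Client_Name VARCHAR(40) NOT NULL,
    City        VARCHAR(40)
);
CREATE TABLE WORK_COMPLETED (                        -- event entity: the N side of two 1:N relationships
    Work_No   INTEGER PRIMARY KEY,
    Emp_No    INTEGER NOT NULL REFERENCES EMPLOYEE(Emp_No), -- NOT NULL = mandatory participation (1)
    Client_No INTEGER NOT NULL REFERENCES CLIENT(Client_No),
    Work_Date CHAR(10) NOT NULL,
    Hours     FLOAT NOT NULL CHECK (Hours > 0)
);
CREATE TABLE SALE         (Sale_No    INTEGER PRIMARY KEY, Amount FLOAT NOT NULL);
CREATE TABLE CASH_RECEIPT (Receipt_No INTEGER PRIMARY KEY, Amount FLOAT NOT NULL);
CREATE TABLE SALE_CASH_RECEIPT (                     -- M:N needs its own table (step 5 attribute: Amount_Applied)
    Sale_No        INTEGER NOT NULL REFERENCES SALE(Sale_No),
    Receipt_No     INTEGER NOT NULL REFERENCES CASH_RECEIPT(Receipt_No),
    Amount_Applied FLOAT NOT NULL,
    PRIMARY KEY (Sale_No, Receipt_No)
);
"""

def build_db() -> sqlite3.Connection:
    """CREATE the schema, then INSERT constructed sample tuples."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite ignores REFERENCES unless this is on
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO EMPLOYEE VALUES (?, ?, ?, ?)",
                     [(1, "Andrew", 150.0, None), (2, "Kathy", 120.0, 1)])
    conn.executemany("INSERT INTO CLIENT VALUES (?, ?, ?)",
                     [(10, "Acme Holdings", "Manila"), (20, "Bayan Foods", "Quezon City")])
    conn.executemany("INSERT INTO WORK_COMPLETED VALUES (?, ?, ?, ?, ?)",
                     [(1, 1, 10, "2024-01-02", 4.0), (2, 2, 10, "2024-01-02", 6.0),
                      (3, 2, 10, "2024-01-03", 2.0), (4, 1, 20, "2024-01-03", 3.0)])
    conn.commit()
    return conn

def billing_statement(conn, client_no):
    """SELECT / FROM / WHERE: join the event to the agent and total hours and charges per employee.
    The client number is bound as a parameter, never pasted into the SQL text."""
    return conn.execute("""
        SELECT e.Emp_Name, SUM(w.Hours), SUM(w.Hours * e.Billing_Rate)
        FROM   WORK_COMPLETED w JOIN EMPLOYEE e ON e.Emp_No = w.Emp_No
        WHERE  w.Client_No = ?
        GROUP BY e.Emp_No, e.Emp_Name
        ORDER BY e.Emp_Name""", (client_no,)).fetchall()

def update_billing_rate(conn, emp_no, new_rate) -> int:
    """UPDATE: WHERE picks the tuple, SET assigns the new value; returns rows changed."""
    cur = conn.execute("UPDATE EMPLOYEE SET Billing_Rate = ? WHERE Emp_No = ?", (new_rate, emp_no))
    conn.commit()
    return cur.rowcount

def delete_work(conn, work_no) -> int:
    """DELETE: WHERE identifies the tuple(s) to remove; returns rows deleted."""
    cur = conn.execute("DELETE FROM WORK_COMPLETED WHERE Work_No = ?", (work_no,))
    conn.commit()
    return cur.rowcount

def referential_integrity_holds(conn) -> bool:
    """An orphan event row and deletion of a still-referenced agent must both be rejected by the DBMS."""
    attempts = [
        ("INSERT INTO WORK_COMPLETED VALUES (?, ?, ?, ?, ?)", (99, 1, 999, "2024-01-05", 1.0)),
        ("DELETE FROM EMPLOYEE WHERE Emp_No = ?", (2,)),   # Kathy still has WORK_COMPLETED rows
    ]
    rejected = 0
    for sql, params in attempts:
        try:
            conn.execute(sql, params)
        except sqlite3.IntegrityError:
            rejected += 1
        finally:
            conn.rollback()   # leave the database as it was either way
    return rejected == len(attempts)

if __name__ == "__main__":
    db = build_db()
    print(billing_statement(db, 10))   # [('Andrew', 4.0, 600.0), ('Kathy', 8.0, 960.0)]
    print("referential integrity enforced:", referential_integrity_holds(db))
```

Two points a practitioner will want from this: SQLite only enforces REFERENCES after PRAGMA foreign_keys = ON, so referential_integrity_holds checks that the DBMS itself, not application code, rejects an orphan WORK_COMPLETED row and the deletion of a still-referenced EMPLOYEE; and every value that comes from outside the program is bound through a ? placeholder rather than concatenated into the SQL string, which is what keeps embedded SQL safe from injection. Mandatory participation (1) on the event side becomes NOT NULL on the foreign key, while the optional (0) Supervises relationship is a nullable self-reference.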
It has become the de facto standard database language, as evidenced by the industry's continual efforts to provide standardization guidelines for vendors and by the number of variations of the language that exist in databases from supercomputers to personal computers.

Constructing Relational Databases
The CREATE command is used to create the relations that form the database structure:
1. Assign the relation a name.
2. Assign each attribute a name.
3. Specify the data type for each attribute. Data types are alphanumeric or numeric.
· Alphanumeric types: CHAR (fixed-length strings) and VARCHAR (varying-length alphanumeric strings).
· Numeric types: INTEGER and FLOAT (which has a floating decimal point).
4. Specify constraints, when appropriate, on the attributes. Most notably, primary key values must not be left empty (i.e., null); otherwise there is no key value by which to identify and retrieve the tuple from the database. We may also want to require that other attributes be assigned some value rather than being left null. In each of these cases we assign the constraint NOT NULL.

Populating the Database
Data in the database can be changed in three ways:
1. INSERT adds a single tuple to an existing relation. In its simplest form the INSERT command only requires the user to specify the SQL table and the values to be inserted, one for each attribute, provided a value is given for every attribute.
2. DELETE removes a tuple from a relation. The DELETE command requires the table name and a WHERE condition that identifies the tuple(s) to be deleted.
3. UPDATE changes one or more attribute values for one or more tuples in a table.
For UPDATE, the command must identify the table holding the value to be changed, the new values to be placed in the database, and the conditions for identifying the correct tuple. We identify the tuple with a WHERE condition, as for deletion, and change the existing values with a SET clause that assigns the new values.

Basic Querying Commands
SELECT
● In its simplest form, a SELECT command retrieves the values for a list of attributes from the tuples of a single relation.
● SELECT commands also allow us to join data across multiple tables to link the specific pieces of information that are of interest.
A query consists of:
1. a list of attributes that we want to retrieve from the database (SELECT);
2. a list of tables where these attributes can be found (FROM);
3. a WHERE clause that sets the conditions under which attribute values are to be retrieved (WHERE).

Chapter 7 Controlling Information Systems: Introduction to Enterprise Risk Management and Internal Control

Organizational Governance
A process by which organizations select objectives, establish processes to achieve those objectives, and monitor performance. Objective setting includes defining mission, vision, purpose, and strategies. Internal control and monitoring activities are implemented to review performance and provide feedback, giving reasonable assurance that objectives are being achieved.

Enterprise Risk Management
A framework that has proven to be an effective process for organizational governance. ERM is a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and to manage risk so that it stays within the entity's risk appetite, providing reasonable assurance regarding the achievement of entity objectives.
The ERM framework addresses four categories of management objectives:
● Strategic: high-level goals, aligned with and supporting the entity's mission.
● Operations: effective and efficient use of its resources.
● Reporting: reliability of reporting.
● Compliance: compliance with applicable laws and regulations.

Components of Enterprise Risk Management
The ERM process starts with the first component, the internal environment.
1. Internal environment: encompasses the tone of an organization and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
2. Objective setting: objectives, such as the strategic and related objectives mentioned above, must exist before management can identify potential events affecting their achievement. ERM ensures that management has a process in place to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.
3. Event identification: internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities.
● Risks, events that would have a negative impact on the organization's objectives, require assessment and response.
● Opportunities, events that would have a positive impact on the organization's objectives, are channeled back to the strategy-setting process.
4. Risk assessment: risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Likelihood is the possibility that an event will occur, and impact is the effect of an event's occurrence. Risks are assessed on an inherent and a residual basis.
5. Risk response: management selects from four response types (avoiding, accepting, reducing, or sharing risk), developing a set of actions to align risks with the entity's risk tolerances and risk appetite.
● Avoid a risk by exiting the activity that gives rise to it.
● Reduce a risk by taking actions that reduce the likelihood of the event or reduce its impact.
● Share a risk by, for example, buying insurance or outsourcing the activity.
● Accept a risk by taking no action.
6. Control activities: policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
7. Information and communication: relevant information is identified, captured, and communicated in a form and time frame that enable people to carry out their responsibilities. Effective communication requires that appropriate, timely, quality information from internal and external sources flows down, up, and across the entity to facilitate risk management and intelligent decision making.
8. Monitoring: the entirety of ERM is monitored, and modifications are made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

The Sarbanes-Oxley Act of 2002
THE SARBANES-OXLEY ACT
● A U.S. law passed on July 30, 2002 to protect investors from corporate accounting fraud by improving financial reporting and auditing standards.
● Bill sponsors: Sen. Paul S. Sarbanes and Rep. Michael G. Oxley.
● Enacted primarily in response to the financial statement frauds of the early 2000s (Enron, WorldCom, Tyco, Sunbeam).
● Emphasis placed on the need for effective internal controls.
KEY PROVISIONS OF SOX
● Created a new accounting oversight board (the Public Company Accounting Oversight Board, PCAOB).
● Strengthened auditor independence rules.
● Increased accountability of company officers and directors.
● Mandated that upper management take responsibility for the company's internal control structure.
● Enhanced the quality of financial reporting.
● Put teeth into white-collar crime penalties.
OUTLINE OF SOX
Title I—Public Company Accounting Oversight Board:
Section 101: establishes the Public Company Accounting Oversight Board (PCAOB), an independent board to oversee public company audits.
Section 107: assigns oversight and enforcement authority over the board to the Securities and Exchange Commission (SEC).
Title II—Auditor Independence:
Section 201: prohibits a CPA firm that audits a public company from engaging in certain nonaudit services with the same client. Most relevant to AIS is the prohibition on providing financial information systems design and implementation services to audit clients.
Section 203: requires audit partner rotation in the fifth, sixth, or seventh year, depending on the partner's role in the audit.
Section 206: states that a company's chief executive officer (CEO), chief financial officer (CFO), controller, or chief accountant cannot have been employed by the company's audit firm and participated in an audit of that company during the prior one-year period.
Title III—Corporate Responsibility:
Section 302: requires a company's CEO and CFO to certify quarterly and annual reports.
They certify that they reviewed the reports; that the reports are not materially untruthful or misleading; that the financial statements fairly reflect, in all material respects, the financial position of the company; and that they are responsible for establishing, maintaining, and reporting on the effectiveness of internal controls, including significant deficiencies, frauds, or changes in internal controls.
Title IV—Enhanced Financial Disclosures:
Section 404: requires each annual report filed with the SEC to include an internal control report. The report shall state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting. The report must also contain management's assessment, as of the end of the company's fiscal year, of the effectiveness of the company's internal control structure and procedures for financial reporting.
Section 406: requires that companies disclose whether or not they have adopted a code of ethics for senior financial officers.
Section 407: requires that companies disclose whether or not their audit committee contains at least one member who is a financial expert.
Section 409: requires that companies disclose information on material changes in their financial condition or operations on a rapid and current basis.
Title V—Analysts' Conflicts of Interest:
Requires financial analysts to properly disclose in research reports any conflicts of interest they might hold with the companies they recommend.
Title VI—Commission Resources and Authority:
Section 602: authorizes the SEC to censure or deny any person the privilege of appearing or practicing before the SEC if that person is deemed to be unqualified, to have acted in an unethical manner, or to have aided and abetted a violation of federal securities laws.
Title VII—Studies and Reports:
Authorizes the Government Accountability Office (GAO) to study the consolidation of public accounting firms since 1989 and offer solutions to any recognized problems.
Title VIII—Corporate and Criminal Fraud Accountability:
Section 802: makes it a felony to knowingly destroy, alter, or create records or documents with the intent to impede, obstruct, or influence an ongoing or contemplated federal investigation.
Section 806: offers legal protection to whistleblowers who provide evidence of fraud.
Section 807: provides criminal penalties of fines and up to 25 years' imprisonment for those who knowingly execute, or attempt to execute, securities fraud.
Title IX—White-Collar Crime Penalty Enhancements:
Section 906: requires that CEOs and CFOs certify that information contained in periodic reports fairly presents, in all material respects, the financial condition and results of the company's operations. The section sets forth criminal penalties applicable to CEOs and CFOs of up to $5 million and up to 20 years in prison if they knowingly or willfully falsely so certify.
Title X—Corporate Tax Returns:
Section 1001: conveys a "sense of the Senate" that corporate federal income tax returns should be signed by the CEO.
Title XI—Corporate Fraud and Accountability:
Section 1102: provides for fines and imprisonment of up to 20 years for individuals who corruptly alter, destroy, mutilate, or conceal documents with the intent to impair the documents' integrity or availability for use in an official proceeding, or who otherwise obstruct, influence, or impede any official proceeding.
Section 1105: authorizes the SEC to prohibit anyone from serving as an officer or director if the person has committed securities fraud.
Section 404: Management Assessment of Internal Controls
Requires each annual report to contain an “internal control report”, which must include:
● Statement of management’s responsibility for establishing and maintaining adequate internal control for financial reporting
● Statement identifying the framework used by management to evaluate the effectiveness of the internal control over financial reporting
● Management’s assessment of the effectiveness of the company’s internal control over financial reporting as of the end of the company’s most recent fiscal year
● Statement that the external auditor has issued an attestation report

Defining Internal Control
● The COSO Definition of Internal Control

INTERNAL CONTROL
In 1992, the COSO organization introduced a framework, Internal Control—Integrated Framework, which itself became known as COSO. The definition of internal control contained in COSO 1992 has become widely accepted and is the basis for definitions of control adopted for other international control frameworks:
Internal control is a process—effected by an entity’s board of directors, management, and other personnel—designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness (the degree to which an objective is accomplished) and efficiency (the ability to accomplish an objective with minimal waste of resources) of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations

COMPONENTS OF INTERNAL CONTROL
• Control environment: Sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.
• Risk assessment: The entity’s identification and analysis of relevant risks to the achievement of its objectives, forming a basis for determining how the risks should be managed.
• Control activities: The policies and procedures that help ensure that management directives are carried out.
• Information and communication: The identification, capture, and exchange of information in a form and time frame that enables people to carry out their responsibilities.
• Monitoring activities: A process that assesses the quality of internal control performance over time.

17 PRINCIPLES OF INTERNAL CONTROL
Control Environment
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Risk Assessment
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.
Control Activities
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
Information and Communication
13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of internal control.
Monitoring Activities
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

FRAUD AND ITS RELATIONSHIP TO CONTROL
By its meaning, fraud is an intentional act or deception meant for unethical or unlawful gain. Fraud always entails manipulating information for criminal purposes. The Foreign Corrupt Practices Act is the law implemented to prevent such irregularities; it states that “a fundamental aspect of management’s stewardship responsibility is to provide shareholders with reasonable assurance that the business is adequately controlled”.

Title XI of the Sarbanes-Oxley Act
Title XI is also known as the "Corporate Fraud Accountability Act of 2002" and sets out additional guidelines regarding the rules and punishments concerned with fraudulent corporate activities. This title gives the Commission authority to freeze the funds of a company suspected of committing violations of securities laws.
The funds can be held in an interest-bearing escrow account until a full investigation is able to be completed. This title also grants the Commission the authority to prohibit a person from serving as a director or officer of a securities issuer if a cease-and-desist proceeding is filed concerning violations of securities law. The Commission may bar a person from such activities as long as "the conduct of that person demonstrates unfitness to serve as an officer or director of any such issuer." The act was made to prevent fraud in the company: through research and brainstorming, the risk of misstatement is evaluated in light of the entity's exposure to fraudulent activity. The person assigned to this is the auditor, who should take into account the results of his or her assessment. The PwC report also indicates that fraud is a worldwide problem that is on a rising trend, particularly during recessions. Both reports show that the losses are significant. Furthermore, both reports concur that internal controls and audits are insufficient for detecting fraud. To address the risk, fraud-prevention programs and detection measures, such as hotlines, are required.

2012 ACFE REPORT TO THE NATION ON OCCUPATIONAL FRAUD AND ABUSE
Between October and December 2011, the Association of Certified Fraud Examiners (ACFE) gathered data from Certified Fraud Examiners (CFEs) from 96 countries reporting fraud cases they had personally investigated. Over half of the cases, or 57.2%, were from the United States alone, an increase of 39% from 2010. The CFEs reported 1,388 cases of fraud, with a median loss of $140,000. Almost one-fifth of these cases resulted in losses of at least $1 million. We learn the following from the report summarizing these frauds:
● When projected to the entire global economy, respondents indicated that fraud costs the average business 5% of its annual sales, amounting to a total loss of $3.5 trillion.
● Frauds were more likely to be detected by tips (e.g., through hotlines such as those required by SOX) than through audits or internal controls.
● 77% of the frauds were committed by individuals in accounting, operations, sales, executive/upper management, customer service, or purchasing.
● Most fraudsters were first-time offenders with previously clean employment records.
● The most common red flags displayed by fraud perpetrators were living beyond their means (44 percent of cases) and experiencing financial difficulties (30 percent of cases).
● Small businesses (less than 100 employees) were disproportionately victimized by fraud (32 percent of cases) due to relatively weak anti-fraud controls.

IMPLICATIONS OF COMPUTER FRAUD AND ABUSE
There are now more prospects for criminal infiltration thanks to the widespread use of computers in commercial settings and their interconnection with one another and the Internet. Numerous crimes, including identity theft, fraud, larceny, and embezzlement, have been committed using computers. Computer fraud, computer abuse, or computer crime are common terms used to describe crimes using computers. When an organization conducts E-business, certain of these frauds become more common. For instance, if a transaction is fraudulent, a company that accepts payment by credit card when the card is not physically present during the transaction (such as sales made over the phone or online) must suffer the loss.

Computer Crime
Computer crime refers to any crime in which a computer is the intended victim or the means by which the crime is carried out. The majority of computer crimes fall into these two basic types:
● The computer is used as a tool for the criminal to accomplish the illegal act. An example is criminals who use computers to hack an account in a bank. In the Philippines, where E-wallets like G-Cash and Paypal have become widely used for paying, these applications are still weak when it comes to internal control, because many users have problems such as the money in their account going missing or being hacked.
● The computer or the information stored in it is the target of the criminal. Computer viruses fall into this category.

Malware- designed specifically to damage or disrupt a computer system
● Salami Slicing- computer crime refers to any crime in which a computer is the intended victim or the means by which the crime is carried out.
● Back Door- A backdoor refers to any method by which authorized and unauthorized users are able to get around normal security measures and gain high-level user access (aka root access) on a computer system, network, or software application.
● Trojan Horse- A Trojan Horse (Trojan) is a type of malware that disguises itself as legitimate code or software. Once inside the network, attackers are able to carry out any action that a legitimate user could perform, such as exporting files, modifying data, deleting files, or otherwise altering the contents of the device.
● Logic Bomb- A logic bomb is a set of instructions in a program carrying a malicious payload that can attack an operating system, program, or network. It only goes off after certain conditions are met. A simple example of these conditions is a specific date or time.
● Worm- A computer worm is a subset of the Trojan horse malware that can propagate or self-replicate from one computer to another without human activation after breaching a system. Typically, a worm spreads across a network through your Internet or LAN (Local Area Network) connection.
● Zombie- A zombie is a malicious program that is installed on a device and transforms it into a “zombie” that attacks other systems. A computer or other device transformed by zombie malware is first infected by a virus or Trojan.
Before we proceed into the ethical considerations and the control environment, I want you all to know what a computer virus is. A computer virus is a piece of program code that can attach itself to other programs and "infect" them. Viruses can replicate themselves in the same way that biological viruses do. When you run an infected program, open an infected document, or boot a computer from an infected disk, viruses are activated. Computer viruses modify their "host" programs, destroy data, or make computer resources inaccessible.

ETHICAL CONSIDERATIONS AND THE CONTROL ENVIRONMENT
Ethical behavior and managerial integrity are outcomes of "corporate culture," which includes ethical and behavioral standards, how they are communicated, and how they are reinforced in practice. Official policies specify what management desires to occur. What actually happens and which rules are followed, bent, or ignored are determined by corporate culture. Management is in charge of internal control and can respond to this requirement either legally or by creating a "control environment." In other words, management can either follow the "letter of the law" (by form) or respond substantively to the need for control. The control environment reflects the organization's general awareness of and commitment to the importance of control throughout the organization (primarily the board of directors and management). In other words, management can make an organization control conscious by leading by example and addressing the need for control at the top of the organization.

A FRAMEWORK FOR ASSESSING THE DESIGN OF A SYSTEM OF INTERNAL CONTROL
In this chapter's final major section, we begin our presentation of a framework for assessing the design of an internal control system, including defining control goals and control plans. We are still using a matrix to help us with our analysis.
This type of matrix is known as a control matrix, and it is a tool designed to help you evaluate the potential effectiveness of controls in a business process by matching control goals with relevant control plans. If you remember the Suprina system flowchart tackled in chapter 4 of the book, let’s now use this process to understand how internal controls are working. But before that, place yourself as a manager: what are the objectives you are concerned with and the related risks? There are concerns we want to address, such as:
● We want all of the orders to be entered in a timely manner, but orders might be lost, stolen, or delayed.
● We want all of the orders to be recorded correctly, but we might miss some orders, record orders we didn’t get from a customer, or record order amounts incorrectly.
● We want all inventory changes to be recorded correctly.
● We want to accomplish all this with a minimum of resources.
A constant theme throughout this text has been that an organization defines goals, assesses risks, and then implements processes and controls to provide reasonable assurance that those goals are met. This is consistent with the purpose of internal control, which is to provide reasonable assurance of achieving objectives in 3 categories: operations, reporting, and compliance with applicable laws and regulations. For our control framework, we convert those three categories into control goals for two categories, operations process control goals and information process control goals.

(Pic of Suprina Systems Flowchart)

Control Goals of Operations Processes - business process objectives that relate to guaranteeing efficiency and effectiveness of operations
1. Ensure effectiveness of operations - aims to ensure that a given operational process is fulfilling the purpose for which it was created. Effectiveness: A measure of success in meeting one or more goals for the operations process.
2. Ensure efficient employment of resources - This refers to efficient utilisation of business resources to meet business goals. Efficiency: A measure of the productivity of the resources applied to achieve a set of goals.
3. Ensure security of resources - Security of resources: Protecting an organisation’s resources from loss, destruction, disclosure, copying, sale, or other misuse.

Control Goals of Information Processes - business process objectives for reliable reporting
1. Ensure input validity - Input validity: Input data are appropriately authorized and represent actual economic events and objects.
2. Ensure input completeness - Input completeness: All valid events or objects are captured and entered into a system once and only once.
3. Ensure input accuracy - Input accuracy: All valid events must be correctly captured and entered into a system.
4. Ensure update completeness - Update completeness: All events entered into a system must be reflected in the respective master data once and only once.
5. Ensure update accuracy - Update accuracy: Data entered into a system must be reflected correctly in the respective master data.

Types of Error
Programming Error - logical or technical errors may exist in the program software.
Operational Error - This may happen if input data are used for more than one application, and we fail to use the inputs for all of the intended processes.

Control Plans - reflect information-processing policies and procedures that assist in accomplishing control goals.
Control plans classified based on the control hierarchy:
1. Control Environment
2. Pervasive Control Plans
3. Business Process Control Plans
In relation to the timing of their occurrence:
1. Preventive Control Plans
2. Detective Control Plans
3. Corrective Control Plans
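To make the five information process control goals concrete, here is an added example of an order-entry routine that implements one control plan per goal. It is not code from the textbook or from the Suprina case; the customer list, price list, authorized clerk list and sample orders are constructed for illustration. Input validity is enforced by an authorization and customer check, input completeness by a once-and-only-once duplicate check, input accuracy by field and amount checks, update completeness by a posting log that lets each accepted order hit the inventory master data exactly once, and update accuracy by a reconciliation of opening stock, accepted orders and closing stock.

```python
"""Order-entry controls mapped to the five information process control goals.
Constructed example; master data and orders below are made up, not from the page."""
from dataclasses import dataclass, field

# Constructed master data (assumed for the example).
CUSTOMERS = {"C001": "active", "C002": "active", "C003": "inactive"}
PRICES = {"WIDGET": 10.0, "GADGET": 25.0}
AUTHORIZED_CLERKS = {"clerk_a", "clerk_b"}


@dataclass
class Result:
    accepted: list = field(default_factory=list)   # orders that passed all input controls
    rejected: list = field(default_factory=list)   # (order_id, [(goal violated, reason), ...])


def validate_order(order, seen_ids):
    """Return a list of (control goal, reason) violations; an empty list means the order passes."""
    problems = []
    # Input validity: the order must come from an authorized clerk for a real, active customer.
    if order.get("entered_by") not in AUTHORIZED_CLERKS:
        problems.append(("input validity", "not entered by an authorized clerk"))
    if CUSTOMERS.get(order.get("customer")) != "active":
        problems.append(("input validity", "customer unknown or inactive"))
    # Input completeness: all fields present, and each order captured once and only once.
    required = {"order_id", "customer", "item", "qty", "amount", "entered_by"}
    missing = required - order.keys()
    if missing:
        problems.append(("input completeness", f"missing fields: {sorted(missing)}"))
    if order.get("order_id") in seen_ids:
        problems.append(("input completeness", "duplicate order id"))
    # Input accuracy: quantity is a positive integer, item exists, amount equals qty * price.
    qty = order.get("qty")
    item = order.get("item")
    if not isinstance(qty, int) or qty <= 0:
        problems.append(("input accuracy", "quantity must be a positive integer"))
    if item not in PRICES:
        problems.append(("input accuracy", "unknown item code"))
    elif isinstance(qty, int) and qty > 0 and abs(order.get("amount", 0) - qty * PRICES[item]) > 0.005:
        problems.append(("input accuracy", "amount does not equal qty * price"))
    return problems


def process_orders(orders, opening_inventory):
    """Run input controls on each order and post accepted orders to the inventory master data.
    Returns (Result, closing_inventory)."""
    result = Result()
    inventory = dict(opening_inventory)
    seen = set()     # order ids already entered (input completeness)
    posted = set()   # order ids already reflected in master data (update completeness)
    for order in orders:
        problems = validate_order(order, seen)
        if problems:
            result.rejected.append((order.get("order_id"), problems))
            continue
        seen.add(order["order_id"])
        result.accepted.append(order)
        # Update completeness: every accepted order is posted once and only once.
        if order["order_id"] in posted:
            continue
        inventory[order["item"]] = inventory.get(order["item"], 0) - order["qty"]
        posted.add(order["order_id"])
    return result, inventory


def reconcile(opening, accepted, closing):
    """Update accuracy check: opening stock minus accepted quantities must equal closing stock."""
    expected = dict(opening)
    for o in accepted:
        expected[o["item"]] = expected.get(o["item"], 0) - o["qty"]
    return expected == closing


# Constructed sample input: one clean order, then one failure per goal, then another clean order.
OPENING_INVENTORY = {"WIDGET": 100, "GADGET": 50}
SAMPLE_ORDERS = [
    {"order_id": "O1", "customer": "C001", "item": "WIDGET", "qty": 5, "amount": 50.0, "entered_by": "clerk_a"},
    {"order_id": "O2", "customer": "C003", "item": "GADGET", "qty": 2, "amount": 50.0, "entered_by": "clerk_a"},  # inactive customer
    {"order_id": "O1", "customer": "C001", "item": "WIDGET", "qty": 5, "amount": 50.0, "entered_by": "clerk_a"},  # re-entered O1
    {"order_id": "O3", "customer": "C002", "item": "GADGET", "qty": 3, "amount": 70.0, "entered_by": "clerk_b"},  # 3 * 25 != 70
    {"order_id": "O4", "customer": "C002", "item": "GADGET", "qty": 4, "amount": 100.0, "entered_by": "intern"},  # not authorized
    {"order_id": "O5", "customer": "C002", "item": "GADGET", "qty": 1, "amount": 25.0, "entered_by": "clerk_b"},
]


def run_sample():
    """Process the constructed orders and return (Result, closing inventory, reconciliation passed)."""
    result, closing = process_orders(SAMPLE_ORDERS, OPENING_INVENTORY)
    return result, closing, reconcile(OPENING_INVENTORY, result.accepted, closing)


if __name__ == "__main__":
    result, closing, ok = run_sample()
    for order_id, problems in result.rejected:
        print(f"rejected {order_id}: {problems}")
    print("accepted:", [o["order_id"] for o in result.accepted])
    print("closing inventory:", closing, "reconciles:", ok)
```

Run as written, the routine accepts O1 and O5, rejects O2 (validity), the second O1 (completeness), O3 (accuracy) and O4 (validity), and the closing inventory of 95 widgets and 49 gadgets reconciles with the opening stock. The rejection list is the detective record a reviewer would inspect; the checks themselves are preventive control plans in the timing classification above.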