Accounting 345 Notes

Chapter 1: AIS Overview

Data vs. Information
- Data: a set of unorganized facts
- Information: organized data; useful for decision making
- IPO Model: Input (Data) → Processed → Output (Information)
- REA Model (Resources, Events, Agents): used to collect and organize data
  - Resources (goods/services ↔ cash)
  - Events (give ↔ get)
  - Agents (customers, suppliers, investors)
- Integrated information system

Value of information = Benefit - Cost

7 characteristics of useful information:
- Relevant - reduces uncertainty, improves decision making
- Reliable - free from error or bias
- Complete - doesn't omit important aspects of the event
- Timely - provided in time for decision makers to make decisions
- Understandable - presented in a useful and intelligible format
- Verifiable - two independent, knowledgeable people produce the same information
- Accessible - available to users when they need it and in a format they can use

Business processes: 5 transaction cycles
- Revenue cycle (Give goods - Get cash) → customers
- Expenditure cycle (Give cash - Get goods/raw materials) → suppliers
- Production or conversion cycle (Give labor, Give raw materials - Get finished goods) →
- Human resource/payroll cycle (Give cash - Get labor) → employees
- Financing cycle (Give cash - Get cash) → investors/creditors

Flows between cycles:
- Production cycle - finished goods → revenue cycle
- Expenditure cycle - purchased goods → revenue cycle
- Revenue cycle - cash → financing cycle
- Financing cycle - cash → expenditure cycle
- Expenditure cycle - raw materials → production cycle
- Financing cycle - cash → HR/payroll cycle
- HR/payroll cycle - labor → production cycle
- General Ledger & Reporting (DATA from all cycles)

Chapter 2: Overview of Transaction Processing & Enterprise Resource Planning Systems

Data processing cycle: data input → data processing & data storage → information output

Data input quality control
- Why? GIGO - Garbage In, Garbage Out
- What?
  - IA - Input Accuracy
  - IV - Input Validity (real transaction? follows policies, laws and regulations?)
  - IC - Input Completeness
- How?
  - Data source automation (bar code, RFID) ← IA
  - PVE - prenumbered documents ← IC
  - Turnaround document ← IA

Computer-based data storage
- Database → tables/files/entities → attributes, records, fields

Master file/data vs. Transaction file/data
- Master file/data: permanent (customer, inventory, employee)
- Transaction file/data: temporary (sales, purchases, payroll)
- Car dealership example:
  - MSRP - Master
  - List Price - Master
  - Proposed Price - Transaction
  - Actual Price - Transaction

Data processing:
- Online real-time: Transaction → (update real time) transaction file → (update real time) master file
- Online batch: Transaction → (update real time) transaction file → (update in batch, with lag) master file
- Batch: Transaction → (update in batch) transaction file → (update in batch) master file

ERP Systems - Enterprise Resource Planning
Advantages of ERP:
- Centralized
- No duplication of data input
- Real time
- Share information
Disadvantages of ERP:
- Costly
- Customized
- Training

Chapter 4: Relational Databases

Relational database - represents conceptual- and external-level schemas as if data were stored in two-dimensional tables
1. Query (Q-1)
   1. Visualized output
   2. Data source

Database Design
3 types of attributes:
<i> Primary key (PK) - an attribute or a combination of attributes that uniquely identifies a record
<ii> Foreign key (FK) - an attribute in one table that is the PK of another table
<iii> Non-key attributes (NK) - neither primary key nor foreign key

4 basic requirements of a relational database:
<i> Primary key cannot be invalid ← Entity Integrity Rule
<ii> Foreign key can be invalid, but if it is valid it must correspond to a value of the primary key in another table
<iii> A non-key attribute should describe a characteristic of the entity
<iv> Single value rule

How to design a database?
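An added example (not part of these notes) of the three attribute types and the four requirements above, using Python's built-in sqlite3 module. The table and column names and the sample rows are constructed for the example; keeping Customer separate from Sale is also what avoids the insert anomaly discussed under database design (a customer can be stored before any purchase).

```python
import sqlite3

# Added example, not from the course notes: a small relational schema in SQLite that
# enforces the entity integrity rule (a PK value must be present) and the foreign key
# rule (an FK value, when present, must match a PK value in the referenced table).
# Table and column names and all sample data are constructed for this example.

SCHEMA = """
CREATE TABLE Customer (
    customer_id  TEXT NOT NULL PRIMARY KEY,      -- PK; SQLite needs NOT NULL spelled out
    name         TEXT NOT NULL,                  -- NK attribute describing the customer
    credit_limit REAL                            -- NK attribute
);
CREATE TABLE Sale (
    sale_id     TEXT NOT NULL PRIMARY KEY,       -- PK
    customer_id TEXT REFERENCES Customer(customer_id),  -- FK; may be absent (cash sale)
    sale_date   TEXT NOT NULL                    -- NK attribute
);
CREATE TABLE SaleLine (
    sale_id TEXT NOT NULL REFERENCES Sale(sale_id),  -- FK, part of the composite PK
    item_id TEXT NOT NULL,                           -- second part of the composite PK
    price   REAL NOT NULL,                           -- NK: unit price P
    qty     INTEGER NOT NULL,                        -- NK: quantity Q
    PRIMARY KEY (sale_id, item_id)
);
"""

def new_db():
    """Open an in-memory database with the schema loaded and FK enforcement switched on."""
    conn = sqlite3.connect(":memory:")
    # SQLite ignores REFERENCES clauses unless this pragma is enabled on the connection.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn

def try_insert(conn, sql, params):
    """Return True if the row was accepted, False if an integrity rule rejected it."""
    try:
        with conn:                      # commits on success, rolls back on error
            conn.execute(sql, params)
        return True
    except sqlite3.IntegrityError:
        return False

def total_amount(conn, sale_id):
    """Total amount = sum of the extended amounts (P * Q) on one sale."""
    row = conn.execute(
        "SELECT COALESCE(SUM(price * qty), 0) FROM SaleLine WHERE sale_id = ?", (sale_id,)
    ).fetchone()
    return row[0]

def demo():
    """Exercise the integrity rules on constructed data; returns a dict of outcomes."""
    conn = new_db()
    r = {}
    # A customer record stored before any purchase exists (no insert anomaly).
    r["customer_ok"] = try_insert(conn, "INSERT INTO Customer VALUES (?,?,?)", ("C1", "Acme Ltd", 5000.0))
    # Entity integrity: a missing primary key is rejected.
    r["null_pk_rejected"] = not try_insert(conn, "INSERT INTO Customer VALUES (?,?,?)", (None, "Nobody", 0.0))
    # Referential integrity: an FK pointing at a customer that does not exist is rejected.
    r["bad_fk_rejected"] = not try_insert(conn, "INSERT INTO Sale VALUES (?,?,?)", ("S1", "C999", "2024-01-05"))
    r["good_fk_ok"] = try_insert(conn, "INSERT INTO Sale VALUES (?,?,?)", ("S1", "C1", "2024-01-05"))
    # An FK may be absent (a cash sale with no customer on file).
    r["null_fk_ok"] = try_insert(conn, "INSERT INTO Sale VALUES (?,?,?)", ("S2", None, "2024-01-06"))
    # Composite PK: one row per (sale, item), so listing the same item twice is rejected.
    r["line1_ok"] = try_insert(conn, "INSERT INTO SaleLine VALUES (?,?,?,?)", ("S1", "I101", 5.0, 2))
    r["line2_ok"] = try_insert(conn, "INSERT INTO SaleLine VALUES (?,?,?,?)", ("S1", "I102", 10.0, 3))
    r["dup_line_rejected"] = not try_insert(conn, "INSERT INTO SaleLine VALUES (?,?,?,?)", ("S1", "I101", 5.0, 1))
    r["sale_total"] = total_amount(conn, "S1")      # 5*2 + 10*3 = 40.0
    conn.close()
    return r

if __name__ == "__main__":
    print(demo())
```

The one thing worth remembering from this block is the pragma: SQLite accepts a REFERENCES clause but does nothing with it until `PRAGMA foreign_keys = ON` is issued on each connection, so an application that forgets it silently loses the second requirement.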
Step 1 - Identify tables using the REA model
Step 2 - Identify primary keys
Step 3 - Identify non-key attributes
Step 4 - Identify/create foreign keys

3 types of anomalies:
<i> Update anomaly - data values are not correctly updated
<ii> Insert anomaly - there is no way to store information about a customer until they make a purchase
<iii> Delete anomaly - deleting a row has unintended consequences

Extended amount = P * Q
Total amount = sum of extended amounts

Normalization:
- Unnormalized data - no PK
- First Normal Form (1NF) - PK, but PD (partial dependency): a NK depends on a part of the PK (example TA4-2 pg. 118)
- Second Normal Form (2NF) - PK, no PD, but TD (transitive dependency): a NK depends on another NK (example TA4-5 pg. 120)
- Third Normal Form (3NF) - PK, no PD, no TD

Exam 2

Chapter 3: System Documentation Techniques
1. Data flow diagrams (DFD)
<i> 4 symbols
  a. Input (source) / output (destination)
  b. Process
  c. Data storage
  d. Flow line
<ii> two levels of DFD
  - (highest level) Context diagram - one process and no storage. Focus: sources & destinations. (F3-5 pg. 54)
  - Level 0 DFD (F3-6 pg. 56)
<iii> develop a DFD - Context → Level 0
  a. Identify data/information processing activities
  b. Group activities
Compare DFD (Data Flow Diagram) with DF (Document Flowchart)
<i> Changes in physical characteristics of business processes: DFD - no or little impact; DF - significant impact
<ii> Shows areas of responsibility? DFD - No; DF - Yes (tests segregation of duties)

Chapter 7: Control and AIS
Internal Controls (IC) - processes implemented to provide reasonable assurance that control objectives are achieved
Overview of control concepts
1. Control objectives
- Security of assets
- Reliability of reporting
- Efficiency and effectiveness of operations
- Compliance (laws and regulations)
2. Limitations
- Human error
- Fraud: e.g. management override or collusion
- Cost vs. benefit
3.
Classification
- Preventive
- Detective
- Corrective
General controls → applicable to multiple business processes
Application controls → embedded in a software application
Business process controls → pertain to one business process

SOX (2002) Sarbanes-Oxley Act - examples: Enron and WorldCom
5 key provisions of SOX
1. Audit Committee
<i> 100% independent ← outsiders
<ii> at least one financial expert
<iii> hires and fires the auditors
2. External Auditors - prohibited from performing certain non-audit services
3. Public Company Accounting Oversight Board (PCAOB) - the auditors' auditor
4. Management - certifies financial reporting
5. SOX 404 requirements - internal control over financial reporting (ICFR)
   (1) Management self-assessment
   (2) Auditor attests to the assessment

Committee of Sponsoring Organizations (COSO): Internal Control - Integrated Framework (IC); Enterprise Risk Management - Integrated Framework (ERM)
1. Compare COSO IC with COSO ERM
<i> Used by external auditors → IC (Yes), ERM (No)
<ii> Major components → IC (5), ERM (8)
<iii> Strategic objective → IC (No), ERM (Yes)
<iv> IC (control based), ERM (risk based)
2. Internal/Control Environment (tone at the top)
<i> Management's philosophy, operating style, risk appetite
<ii> Commitment to integrity, ethical values, and competence
<iii> Internal control oversight by the board of directors
<iv> Organizational structure
<v> Methods of assigning authority and responsibility
<vi> Human resource standards that attract, develop, and retain competent individuals
<vii> External influences
3. Risk Assessment & Risk Response
<i> Inherent risk: pre-IC
<ii> Residual risk: post-IC
Risk measure: Economic impact * Likelihood
4 risk responses
<i> reduce risk - implement IC
<ii> accept risk
<iii> share risk
<iv> avoid risk
4. Control activities (detailed policies and procedures)
<i> segregation of duties
<ii> proper authorization
<iii> sufficient documentation
<iv> independent review
<v> HR policies: job rotation, mandatory vacation
5.
Segregation of duties (recording, custody, authorization) - pg. 214 figure 7-5

Chapter 5: Fraud
1. What is fraud? A deliberate act to obtain unfair or unlawful gains. Two forms: (1) misappropriation of assets, (2) fraudulent reporting
2. Who commits fraud? Perpetrators are most likely insiders.
3. Why do people commit fraud? Fraud triangle - pg. 134 figure 5-1 (pressures, opportunity, rationalization)
- Opportunity: 3 C's (commit, conceal, conversion)
- Pressures (financial, emotional, lifestyle)
- Rationalization (justification, attitude, lack of personal integrity)
HW pg. 150-151 Q 2-3
4. How do people commit fraud? (prevent, detect, correct)
<i> prevent: HR - background checks, ethics training, code of conduct; set realistic goals, proper compensation plans; strengthen ICs
<ii> detect: HR - mandatory vacation/job rotation; independent review; data analytics; SOX: hotline, whistleblower protection
<iii> correct: fidelity bonding (insurance)

Exam 3

Chapter 6: Computer Fraud and Abuse Techniques - pages 177-179 (table 6-1), 15 terms:
- Botnet - a network of hijacked computers. Bot herders use the hijacked computers, called zombies, in a variety of attacks
- DoS - an attack designed to make computer resources unavailable to their users
- Hijacking - gaining control of someone else's computer for illicit activities
- Key logger - using spyware to record a user's keystrokes
- Phishing - communications that request recipients to disclose confidential information by responding to an e-mail or visiting a website
- Dictionary attack - using software to guess company addresses, send employees blank e-mails, and add unreturned messages to spam e-mail lists
- Hacking - unauthorized access, modification, or use of an electronic device or some element of a computer system
- Malware - software that is used to do harm
- Social engineering - techniques that trick a person into disclosing confidential information
- Trap door - a back door into a system that bypasses normal system controls
- Trojan horse - unauthorized code in an authorized and properly functioning program
- Virus - executable code that attaches itself to software, replicates itself, and spreads to other systems or files. When triggered, it makes unauthorized alterations to the way a system operates
- Worm - similar to a virus, but a program rather than a code segment hidden in a host program; it actively transmits itself to other systems. It usually does not live long but is quite destructive while alive
- Zero-day attack - an attack between the time a software vulnerability is discovered and a patch to fix the problem is released
- Ransomware - software that encrypts programs and data until a ransom is paid to remove it

Chapter 8: Controls for Information Security - page 238 (figure 8-1)
1. Foundation of information reliability - 5 principles
- Security
- Confidentiality
- Privacy
- Process integrity
- Availability
Why is information security the foundation?
2. Two fundamental concepts of information security
<i> Information security is a management issue, not just a technology issue
<ii> Time-based model
- P (Time): the higher the time, the better
- D (Detect): the lower, the better
- R (Respond): the lower, the better
- Secure when P > (D + R)
  1. Assessment of the information security control system
  2. IT budget
3. How to control information security - page 241 (table 8-1)

Chapter 10: Processing Integrity and Availability
1. Data input controls
<i> IV (input validity)
<ii> IA (input accuracy)
<iii> IC (input completeness)
Form design
<i> prenumbered docs (IC)
<ii> turnaround docs (IA)
2. 10 data entry controls (application controls)
a. Field check - checks data type
b. Sign check (+ or -)
c. Limit check
d. Range check
e.
Completeness check
f. Size check (SSN # or ZIP code)
g. Reasonableness check (multiple columns)
h. Validity check (non-existing value)
i.
j. Closed-loop verification

Batch totals
<i> record count ← weakest
<ii> financial total
<iii> hash total (PK #) ← strongest

Processing controls
1. Cross-footing tests
2. Zero-balance tests
3. Recalculation of batch totals
- Pre-processing (batch total #1) vs. post-processing (batch total #2); the pattern of the difference infers the type of processing error:
  1. Double an existing # (sign error)
  2. An existing # (omission error)
  3. Single # followed by 0's (single transcription error)
  4. Difference divisible by 9 (transposition error)

Chapter 12: Revenue Cycle
1. Main activities
- Sales order entry
- Shipping
- Billing
- Cash collection
2. Data interactions
- Shipping notice (trigger doc); trigger docs immediately start an activity
Benford's Law - frequency distribution of non-zero leading digits of a set of naturally occurring numbers
- Expected count: N * log10(1 + 1/y), y = digit
- Z-score: (Actual - Expected
- |Z| > z → RED FLAG

Chapter 13: Expenditure Cycle
1. Main activities
- Purchase order entry
- Receiving
- Approve invoice
- Cash disbursement
2. Data interactions
Base_0 = previous base + (current cutoff - previous cutoff) * previous rate

Information records example:
Vendor #   Item #   Minimum Q   Price   Shipping term
V101       I101     30          $5      3 days
V101       I102     30          $10     3 days
V102       I101     20          $6      3 days
V103       I101     20          $7      2 days
Min Q ≤ 50 units AND shipping term ≤

GR/IR: Goods Received / Invoice Received
Dependability data:
- Right condition (2.1)
- Right item (2.2)
- Right amount (2.2)
- Prompt delivery (2.2)
- Billing accuracy (3.1)
Tax = base + (income - cutoff) * rate

Excel functions:
- XLOOKUP(lookup value, lookup array, return array, match mode)
- INDIRECT("xx" & ___)
- Name a cell / range
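Returning to the Chapter 10 data entry controls and the batch-total difference patterns above: the following is an added example, not part of these notes, that writes the controls as checks over a constructed payroll batch, computes the three batch totals, and maps a pre/post batch-total difference onto the four error patterns. The field names, limits, employee master list and sample records are all constructed for the example.

```python
import re

# Added example, not from the course notes. VALID_EMPLOYEES stands in for the employee
# master file; MAX_HOURS and the pay-rate range are constructed limits for this example.

VALID_EMPLOYEES = {101, 102, 103, 104}
MAX_HOURS = 80

def field_check(value, expected_type):
    """Field check: the value can be read as the expected data type."""
    try:
        expected_type(value)
        return True
    except (TypeError, ValueError):
        return False

def sign_check(value):             return float(value) >= 0          # hours cannot be negative
def limit_check(value, limit):     return float(value) <= limit
def range_check(value, lo, hi):    return lo <= float(value) <= hi
def size_check(value, size):       return len(str(value)) == size    # e.g. 5-digit ZIP code
def validity_check(value, valid):  return value in valid             # exists in the master file

def completeness_check(rec, required):
    """Completeness check: every required field is present and non-blank."""
    return all(rec.get(f) not in (None, "") for f in required)

def reasonableness_check(rec, tolerance=0.01):
    """Reasonableness check across columns: gross pay should equal hours * rate."""
    return abs(float(rec["hours"]) * float(rec["rate"]) - float(rec["gross"])) <= tolerance

def validate_record(rec):
    """Run the controls and return the names of those that failed (empty list = clean)."""
    if not completeness_check(rec, ("emp", "hours", "rate", "gross", "zip")):
        return ["completeness"]                       # nothing else is meaningful
    failed = []
    if not field_check(rec["hours"], float):
        failed.append("field")
    else:
        if not sign_check(rec["hours"]):               failed.append("sign")
        if not limit_check(rec["hours"], MAX_HOURS):   failed.append("limit")
    if not range_check(rec["rate"], 7.25, 200):        failed.append("range")
    if not size_check(rec["zip"], 5):                  failed.append("size")
    if not validity_check(rec["emp"], VALID_EMPLOYEES): failed.append("validity")
    if "field" not in failed and not reasonableness_check(rec):
        failed.append("reasonableness")
    return failed

def screen_batch(records):
    """Return (accepted records, {index: failed checks}) after input validation."""
    accepted, rejected = [], {}
    for i, rec in enumerate(records):
        failures = validate_record(rec)
        if failures:
            rejected[i] = failures
        else:
            accepted.append(rec)
    return accepted, rejected

def batch_totals(records):
    """Record count (weakest), financial total, hash total of the PK (strongest)."""
    return {
        "record_count":    len(records),
        "financial_total": round(sum(float(r["gross"]) for r in records), 2),
        "hash_total":      sum(int(r["emp"]) for r in records),   # meaningless sum of keys
    }

def diagnose_difference(pre_total, post_total, amounts):
    """Map the pre/post batch-total difference onto the error patterns from the notes.
    Every matching pattern is returned; a match is a lead for the reviewer, not proof."""
    diff = abs(int(round(pre_total - post_total)))
    if diff == 0:
        return []
    hits = []
    if diff / 2 in amounts:                  hits.append("sign_error")            # double an existing #
    if diff in amounts:                      hits.append("omission")              # an existing #
    if re.fullmatch(r"[1-9]0*", str(diff)):  hits.append("single_transcription")  # single # then 0's
    if diff % 9 == 0:                        hits.append("transposition")         # divisible by 9
    return hits or ["unknown"]

# Constructed sample batch: two clean records and three with defects.
BATCH = [
    {"emp": 101, "hours": 40,      "rate": 20.0, "gross": 800.0,  "zip": "12345"},
    {"emp": 102, "hours": 38,      "rate": 25.0, "gross": 950.0,  "zip": "54321"},
    {"emp": 999, "hours": 40,      "rate": 20.0, "gross": 800.0,  "zip": "12345"},  # not on master file
    {"emp": 103, "hours": "forty", "rate": 20.0, "gross": 800.0,  "zip": "12345"},  # wrong data type
    {"emp": 104, "hours": 90,      "rate": 30.0, "gross": 1300.0, "zip": "1234"},   # limit, size, reasonableness
]

if __name__ == "__main__":
    ok, bad = screen_batch(BATCH)
    print(batch_totals(ok), bad)
    print(diagnose_difference(1875, 1875 - 950 + 590, [800, 950, 125]))   # 950 keyed as 590
```

The diagnosis returns every pattern that matches rather than the first one, because the patterns overlap (a difference of 90 is both a single digit followed by zeros and divisible by 9); the reviewer still has to go back to the source documents.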
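The Benford's Law screen from Chapter 12, as an added example that is not part of these notes. The expected count uses the notes' formula N * log10(1 + 1/y). The notes do not give the z-score denominator, so the block assumes the usual binomial standard error sqrt(p(1-p)/N) for the proportion of each digit; the "natural" data set and the fabricated amounts are constructed.

```python
import math
from collections import Counter

# Added example, not from the course notes. The z-score denominator is an assumption
# (standard error of a proportion); sample data below are constructed.

DIGITS = range(1, 10)

def benford_proportion(d):
    """Expected share of values whose leading digit is d (d = 1..9)."""
    return math.log10(1 + 1 / d)

def expected_count(n, d):
    """Expected count = N * log10(1 + 1/d), as in the notes."""
    return n * benford_proportion(d)

def leading_digit(x):
    """First non-zero digit of a number's decimal representation, or None for zero."""
    for ch in str(abs(x)):
        if ch in "123456789":
            return int(ch)
    return None

def leading_digit_counts(values):
    """Count leading digits 1..9, ignoring zeros."""
    counts = Counter(leading_digit(v) for v in values)
    counts.pop(None, None)
    return {d: counts.get(d, 0) for d in DIGITS}

def z_score(actual, n, d):
    """Deviation of the observed share of digit d from Benford, in standard errors (assumed formula)."""
    p = benford_proportion(d)
    return (actual / n - p) / math.sqrt(p * (1 - p) / n)

def red_flags(values, z_crit=1.96):
    """Digits whose |z| exceeds z_crit, with their z-scores; empty dict means no red flag."""
    n = sum(1 for v in values if leading_digit(v) is not None)
    counts = leading_digit_counts(values)
    zs = {d: z_score(counts[d], n, d) for d in DIGITS}
    return {d: round(z, 2) for d, z in zs.items() if abs(z) > z_crit}

# Constructed "natural" data: 600 amounts spread evenly on a log scale over three full
# decades, which follows Benford almost exactly. TAMPERED adds 40 fabricated invoices
# that all start with 9, the kind of fabricated amount a Benford screen is meant to catch.
CLEAN = [10 ** (k / 200) for k in range(600)]
TAMPERED = CLEAN + [9500.0 + i for i in range(40)]

if __name__ == "__main__":
    print({d: round(expected_count(len(CLEAN), d), 1) for d in DIGITS})
    print("clean:", red_flags(CLEAN))
    print("tampered:", red_flags(TAMPERED))
```

Two usage notes: the screen only makes sense on naturally occurring amounts (invoice totals, expenses), not on assigned numbers such as invoice or employee IDs, and a flagged digit is a starting point for sampling the underlying documents, not evidence on its own.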