In the name of God. O God, nothing is easy except what You make easy, and You make hardship easy when You will.

Chapter 1

Data vs Information
Data are facts that are recorded and stored. Information is processed data used in decision making.
Information is valuable when Benefit $ > Cost $.

What makes information useful?
1. Relevant: makes a difference in decision making
2. Reliable: quality, free from error and bias
3. Complete
4. Timely
5. Understandable
6. Verifiable
7. Accessible

Business transactions are:
● Give-get exchanges
● Between two entities
● Measured in economic terms

AIS: collects, processes, stores, and reports data and information. Its components:
1. People
2. Processes
3. Technology
4. Controls
An AIS leads to effective (quality) and efficient (cost-reducing) decisions.
An AIS is influenced by an organization's strategy.

AIS in the Value Chain
1. Primary activities provide direct value to the customer (logistics, operations, marketing and sales, service)
2. Support activities enable primary activities to be efficient and effective (technology, purchasing, HR, firm infrastructure)

Chapter 2

The data processing cycle determines:
1. What data is stored?
2. Who has access to the data?
3. How is the data organized?
4. How can unanticipated information needs be met?

Data input: capture transaction data, ensure accuracy and completeness, ensure company policies are followed.
Information comes from source documents:
1. Paper source documents
2. Turnaround documents
3. Source data automation

Data storage: how is data organized?
● Chart of accounts
● Transaction journals
● General ledgers (summary-level data for assets, liabilities, equity, revenue, expenses)
● Subsidiary ledgers (detailed data supporting a general ledger account: A/P, A/R)

Coding techniques:
● Sequence
● Block
● Group
● Mnemonic
● Chart of accounts
Make the coding system as simple as possible.

Computer-based storage
Master file: resource and people data (permanent records, updated with transaction files)
Transaction file: activity or event data that is captured (records of business activity from a specific time period)
Database hierarchy: files contain records (entities), which contain attributes.

Data processing: four types (CRUD)
1. Creating new records
2. Reading existing data
3. Updating previous records
4. Deleting data

Information output: online or printed
● Document
● Report
● Query

Enterprise Resource Planning systems (ERP): integrate activities from the entire organization
● Financial (general ledger and reporting system)
● Human resources and payroll
● Revenue cycle
● Production cycle
● Project management
● Customer relationship management
● System tools

Chapter 7 Controls

● Threat: potential adverse occurrence or unwanted event that could be injurious to the AIS
● Exposure (impact): potential dollar loss when a threat becomes a reality
● Likelihood: probability a threat will happen
The primary objective of the AIS is to control the organization so that it achieves its objectives.

Internal control objectives:
1. Safeguard assets
2. Maintain sufficient records
3. Provide accurate and reliable information
4. Prepare financial reports according to established criteria
5. Promote and improve operational efficiency
6. Encourage adherence to management policies
7. Comply with laws and regulations

Functions of internal controls:
1. Preventive controls: deter problems from occurring
2. Detective controls: discover problems that are not prevented
3. Corrective controls: identify and correct problems

Internal controls are separated into 2 categories:
1. General controls: ensure the organization's control environment is stable and well maintained. Ex: security, IT infrastructure, software acquisition, development & maintenance controls
2. Application controls: make sure transactions are processed correctly. Concerned with accuracy, completeness, validity, and authorization of the data

SOX (2002)
1. New roles for the audit committee (be part of the board of directors & be independent)
2. New rules for management (auditors are told about internal control weaknesses)
3. New internal control requirements (management responsibility)

4 levers of control help reconcile the conflict between control and creativity:
1. Belief system: communicates company core values to employees
2. Boundary system: helps employees act ethically by setting limits
3. Diagnostic control system: measures progress (performance vs budget)
4. Interactive control system: helps top-level managers deal with high-level activities proactively, such as developing company strategy & objectives, dealing with threats & risks, developing responses and action plans, and monitoring changes in competitive conditions and emerging technology

Control frameworks
● COBIT: framework for IT controls
● COSO: framework for enterprise internal control (IC)
● COSO-ERM: expands COSO with a risk-based approach

COBIT allows:
● Management to benchmark control practices of IT environments
● Users of IT services to be assured that adequate security and control exist
● Auditors to form an opinion on IC and IT security matters

COBIT 5 principles:
1. Meeting stakeholder needs
2. Covering the enterprise end-to-end
3. Applying a single, integrated framework
4. Enabling a holistic approach
5. Separating governance from management

Components of the COSO frameworks
COSO: internal environment, risk assessment, control activities, information and communication, monitoring
COSO-ERM: same as COSO, in addition to objective setting, event identification, risk response
These objectives fall under: strategic, operations, reporting, compliance

1. Internal environment: establishes the foundation for all other components
● Management's philosophy
● Commitment to ethical values
● Organization structure
● HR standards
2. Risk assessment: assessed from 2 perspectives
● Likelihood: probability an event will occur
● Impact: estimate of the negative or positive impact
Types of risk:
● Inherent: exists before plans are made to control it
● Residual: remaining after controls are put in place to reduce it
3. Control activities: policies & procedures that ensure control objectives are met
● Segregation of duties (custodial function, recording function, authorization function)
● Proper authorization of transactions and activities
● Independent checks on performance
4. Information & communication: the primary function of the AIS is to gather, record, process, store, summarize, and communicate information. 5 main objectives:
1. Identify and record all valid transactions
2. At their proper monetary value
3. In the proper accounting period
4. Classify transactions
5. Present transactions
5. Monitoring:
● Perform IC evaluations (internal audit)
● Implement effective supervision
● Monitor system activities
● Conduct periodic audits
● Install fraud detection software
6. Objective setting:
● Strategic objectives (high-level goals aligned with the corporate mission)
● Operations objectives (effectiveness and efficiency of operations)
● Reporting objectives (complete, reliable, improve decision making)
● Compliance objectives (compliance with applicable laws and regulations)
7. Event identification: identifying external/internal events that could affect organization objectives (negative or positive impact)
1. What could go wrong?
2. How can it go wrong?
3. What is the potential harm?
4. What can be done about it?
8. Risk response (RAAS)
Reduce: implement effective internal control
Accept: do nothing, accept the likelihood of the risk
Avoid: do not engage in the risky activity
Share: buy insurance, outsource, hedge

Chapter 8

COBIT: addresses IT & internal control. Information for management should satisfy 7 criteria:
1. Effectiveness: relevant & timely (correct input = correct output)
2. Efficiency: info must be produced in a cost-effective manner
3. Integrity: accurate, complete, valid (not false)
4. Availability: available whenever needed
5. Compliance: controls must ensure compliance with internal and external policies
6. Confidentiality: sensitive information is protected from unauthorized disclosure
7. Reliability: management has the information it needs to carry out its governance responsibilities

COBIT cycle
1. Management develops plans to organize information resources to meet information needs
2. Management authorizes and oversees efforts to acquire the desired functionality
3. Management ensures that the resulting system actually delivers the desired information
4. Management monitors and evaluates system performance against the established criteria

Trust Services Framework: organizes IT controls to ensure system reliability (CAPPS)
1. Confidentiality: sensitive organizational data is protected
2. Availability: system and information are available
3. Privacy: personal information about 2nd & 3rd parties is protected
4. Processing integrity: processed accurately, completely, in a timely manner, with proper authorization
5. Security: access to the system and data is controlled and restricted to legitimate users

Management's role in IS security
● Create a security-aware culture
● Inventory and value company information resources
● Assess risk, select a risk response
● Develop and communicate the security plan, policies, and procedures
● Monitor & evaluate effectiveness

Security approaches:
Defense in depth: multiple layers of control (preventive and detective) to avoid a single point of failure
Time-based model: security is effective if P > D + C, where P = time it takes an attacker to penetrate the system, D = time to detect the attack, and C = time to respond and correct

Steps in an IS system attack
How to mitigate the risk of attack?
Preventive controls:
1. People: culture of security set by top management, training
2. Process: authentication verifies who the person is and what they can access
3. IT solutions: antimalware, network access controls, device & software hardening controls, encryption
4. Physical security: limit entry to the building, restrict access to network & data
5. Change controls & change management: documentation, approval, testing, backout plan, monitoring
Detective controls:
1. Log analysis: to identify possible attacks
2. Intrusion detection systems: the firewall permits traffic, sensors analyze it for intrusion attempts
3. Penetration testing
4. Continuous monitoring: employee compliance with security policies & performance of business processes
Response (corrective):
1. Computer incident response team: recognize the problem, containment, recovery, follow-up
2. Chief information security officer: independent responsibility for information security
3. Patch management: fix known vulnerabilities by installing the latest updates

Chapter 9: Confidentiality vs Privacy

Confidentiality: organizational intellectual property
Privacy: focuses on protecting personal information of 2nd parties

Protecting confidentiality and privacy of sensitive information
● Identify & classify info to protect: where it is located, who has access, classify its value
● Encryption: protect information in transit and in storage
● Access controls: digital watermarks, data loss prevention, data masking
● Training

Privacy concerns
1. Spam: unsolicited email that contains either advertising or offensive content
2. Identity theft: assuming someone's identity, usually for financial gain

Generally Accepted Privacy Principles (GAPP): 10 practices recommended for privacy
1. Management: procedures/policies with assigned responsibility & accountability
2. Notice: provide notice of privacy policies/practices prior to collecting data
3. Choice & consent: opt in vs opt out
4. Collection: only collect needed information
5. Use & retention: use info only for the stated reason
6. Access: customers should be able to review, correct, and delete provided info
7. Disclosure to 3rd parties: only those that provide the same level of privacy
8. Security: protect from loss or unauthorized access
9. Quality: integrity & accuracy of information; provide customers ways to review their info
10. Monitoring & enforcement: procedures for responding to complaints, compliance

Encryption: preventive control; longer key length = stronger
Types of encryption
1. Symmetric: uses one key to encrypt and decrypt (both parties need to know the key)
2. Asymmetric: uses two keys (can create digital signatures)

Virtual Private Network (VPN):
● Securely transmits encrypted data between sender and receiver
● Sender and receiver have the appropriate encryption and decryption keys

Chapter 12 Revenue Cycle

Provide the right product, in the right place, at the right time, for the right price.
Activities: sales order entry -> shipping -> billing -> cash collection

General threats and controls
1. Inaccurate or invalid master data: data processing integrity controls, restriction of access to master data, review of changes to master data
2. Unauthorized disclosure of sensitive information: access controls, encryption
3. Loss or destruction of data: backup and disaster recovery procedures
4. Poor performance: managerial reports

1. Sales order entry: take customer order, approve credit, check inventory, respond to inquiries
5. Incomplete/inaccurate orders: data entry restrictions, restriction of access to master data
6. Invalid orders: digital signatures or written signatures
7. Uncollectible amounts: credit limits, aging of A/R, specific authorization for new customers
8. Stockouts or excess inventory: perpetual inventory, sales forecasts, periodic physical counts
9. Loss of customers: CRM systems, self-help websites, evaluation of customer service ratings

2. Shipping process: pick & pack order (picking ticket), ship order (packing slip, bill of lading)
10. Picking wrong items or quantity: barcode/RFID, reconciliation of picking list to sales order
11. Theft of inventory: restrict physical entrance, document transfers, segregation of duties
12. Shipping errors: reconciliation of shipping documents with sales order, pick list, packing slip

3. Billing process: invoicing the customer (sales invoice), updating A/R (monthly statements)
13. Failure to bill: separation of billing & shipping, periodic reconciliation of documents
14. Billing errors: data entry controls, reconciliation of shipping documents to sales order
15. Posting errors in A/R: data entry controls, reconciliation of batch totals, reconciliation to general ledger, mailing monthly statements to customers
16. Inaccurate credit memos: segregation of duties, configuring the system to block credit memos except with authorization or corresponding documentation of returned goods

4. Cash collection process: process customer payment, update their account balance, deposit payments in the bank
17. Theft of cash: segregation of duties (whoever handles deposits must not also reconcile the bank account or create credit memos)
18. Cash flow problems: cash flow budgets, credit cards

Identify information needed to make decisions
1. Operational data to do recurring tasks
2. Current/historical data for management to make strategic decisions
3. Information to evaluate performance of critical processes
Revenue margin: Net sales - COGS - Selling costs

Chapter 13 Expenditure Cycle

Activities
1. Order
2. Receive & store
3. Approve supplier (vendor) invoice
4. Payment

Key decisions
● Optimal level of inventory
● Best supplier (quality/price)
● IT use to improve efficiency and accuracy
● How to take advantage of vendor discounts
● How to maximize cash flow

General threats and controls
1. Inaccurate or invalid master data: data processing integrity controls, restriction of access to master data, review of changes to master data
2. Unauthorized disclosure of sensitive information: access controls, encryption
3. Loss or destruction of data: backup and disaster recovery procedures
4. Poor performance: managerial reports

1. Ordering
● Identify product, quantity, purchase time (purchase requisition)
● Choose a supplier (purchase order)
3 approaches to ordering:
1. Economic order quantity (EOQ)
2. Materials requirements planning (MRP): based on forecast sales
3. Just-in-time inventory (JIT): responds to actual sales (demand)
Advanced systems automatically initiate purchase requests when quantity falls below the reorder point.
Ordering threats & controls
1. Stockouts and excess inventory: perpetual inventory system, bar-coding or RFID
2. Purchasing items not needed: review and approval of purchase requisitions
3. Purchasing items at inflated prices: price lists, competitive bids
4. Purchasing goods of poor quality: use approved suppliers
5. Unreliable suppliers: monitor supplier performance, require quality certification
6. Purchasing from unauthorized suppliers: purchase only from approved suppliers
7. Kickbacks: supplier audits, prohibit gifts

2. Receiving process
Goods arrive: verify goods received against the purchase order (quantity, quality); prepare a receiving report
Obligation to pay the vendor arises, but first make sure the goods were authorized and check quantity and quality
Improving efficiency: bar coding, RFID, EDI, audits
Receiving threats & controls
1. Accepting unordered items: authorized PO needed before receiving goods
2. Mistakes in counting: barcodes or RFID
3. Verifying receipt of services: budget control & audits
4. Inventory theft: restrict physical entrance, document transfers, segregation of duties

3. Approve supplier invoice
Match the supplier invoice to the purchase order & receiving report (supplier invoice + purchase order + receiving report = voucher package), then approve the supplier invoice for payment (disbursement voucher)
2 approaches to processing vendor invoices:
1. Non-voucher system: invoices are processed and stored so as to avoid duplicate payments
2. Voucher system: a disbursement voucher is used
Three-way match: quantity on the receiving report = quantity on the vendor invoice, and price on the vendor invoice = price on the purchase order
Two-way match: quantity on the receiving report x price on the purchase order = amount to pay the vendor (no invoice needed)
Threats & controls:
1. Errors in supplier invoice: verify invoice accuracy
2. Mistakes in posting A/P: data entry edit controls, reconcile with general ledger

4. Cash disbursements: the cashier reviews the voucher package, approves payment, prepares the check, and signs the check
Improving efficiency: EDI, ERS (invoiceless), procurement cards, FEDI
Threats & controls
1. Failure to take discounts: file invoices by due date to take advantage of discounts
2. Paying for items not received: match supplier invoice to purchase order and receiving report
3. Duplicate payments: pay only original invoices, cancel supporting documents when paid
4. Theft of cash: physical security of checks, separation of duties, reconcile bank account
5. Check alteration: check protection machines
6. Cash flow problems: cash flow budget

Chapter 16 General Ledger and Reporting

Primary objective is to collect & organize:
1. The accounting cycle activities
2. Financing activities
3. Investing activities
4. Budget activities
5. Adjustments
Process:
1. Update general ledger
2. Post adjusting entries
3. Prepare financial statements
4. Produce managerial reports

General threats & controls
Invalid general ledger data: data processing integrity controls, access restriction, review of changes
Unauthorized disclosure of financial statements: access controls, encryption
Loss or destruction of data: backup and disaster recovery procedures

1. Update general ledger: posting journal entries that originate from 2 sources
● Accounting subsystems: the different business cycles
● Treasurer: non-routine transactions (may be documented on a journal voucher)
Inaccurate updating of GL: reconciliation of subsidiary ledgers to GL, access controls, audit trail
Unauthorized journal entries: audit trail, access controls, reconciliation & control reports

2. Post adjusting entries: originate from the controller's office
Trial balance: lists the balance of all general ledger accounts
Adjusting entries:
Accruals: end of accounting period (events have happened but are not yet in the FS); cash comes last
Deferrals: end of accounting period (exchange of cash prior to the event); cash comes first
Estimates: portions of expenses expected to occur (depreciation)
Revaluations: reflect differences between actual & recorded value of assets
Corrections: counteract the effects of errors found in the general ledger
Inaccurate adjusting entries: standard adjusting entries, spreadsheet error protection
Unauthorized adjusting entries: audit trail, access controls, reconciliation & control reports

3. Prepare financial statements: income statement, balance sheet, cash flows
Inaccurate FS: training & audits, use of packaged software, processing integrity controls
Fraudulent financial reporting: audits
eXtensible Business Reporting Language (XBRL)
● Instance document: contains data from the FS
● Taxonomy: set of files defining the various elements & the relationships between them
● Linkbases: describe the relationships between elements

4. Prepare managerial reports: budget & performance reports
Evaluating performance:
● Responsibility accounting: reporting results based on managerial responsibilities in the organization (ex: production vs sales department)
● Flexible budget: based on the level of activity
● Balanced scorecard: measures financial & non-financial performance (financial, customer, internal operations, innovation & learning); measures targets & actuals
● Graphs: data visualization and proper graph design
Poorly designed reports & graphs: responsibility accounting, balanced scorecard, training on graph design
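The three-way match, the two-way (ERS) match and the duplicate-payment controls from the Chapter 13 notes above, worked through as an added Python example. This code is not from the course notes or the textbook; the record layouts, the approved-supplier list and the sample purchase order, receiving report and invoices are all constructed for illustration, and money is held in integer cents to avoid floating-point rounding.

```python
from dataclasses import dataclass

# Constructed record layouts: illustrative only, not the textbook's or any
# ERP system's schema. Money is kept in integer cents.


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    supplier_id: str
    item: str
    quantity: int
    unit_price_cents: int  # price agreed with the supplier at ordering time


@dataclass(frozen=True)
class ReceivingReport:
    rr_number: str
    po_number: str
    item: str
    quantity_received: int  # counted by receiving (barcode/RFID in practice)


@dataclass(frozen=True)
class SupplierInvoice:
    invoice_number: str
    supplier_id: str
    po_number: str
    item: str
    quantity: int
    unit_price_cents: int


# Constructed approved-supplier list (control against unauthorized suppliers).
APPROVED_SUPPLIERS = {"S-100", "S-200"}


def three_way_match(po, rr, inv):
    """Return the reasons an invoice must not be approved; an empty list means
    the voucher package (PO + receiving report + invoice) is consistent.
    Quantity is checked against the receiving report, price against the PO."""
    problems = []
    if inv.supplier_id not in APPROVED_SUPPLIERS:
        problems.append("supplier not on approved list")
    if inv.supplier_id != po.supplier_id or inv.po_number != po.po_number:
        problems.append("invoice does not reference this supplier's PO")
    if rr is None:
        problems.append("no receiving report: would pay for items not received")
    elif rr.po_number != po.po_number or rr.item != po.item:
        problems.append("receiving report does not belong to this PO")
    elif inv.quantity != rr.quantity_received:
        problems.append(f"quantity mismatch: invoiced {inv.quantity}, "
                        f"received {rr.quantity_received}")
    if inv.unit_price_cents != po.unit_price_cents:
        problems.append(f"price mismatch: invoiced {inv.unit_price_cents}c, "
                        f"PO {po.unit_price_cents}c")
    return problems


def two_way_match_amount(po, rr):
    """Evaluated receipt settlement (ERS, 'invoiceless'): the amount to pay is
    quantity received times the PO price; no supplier invoice is involved."""
    if rr.po_number != po.po_number or rr.item != po.item:
        raise ValueError("receiving report does not belong to this PO")
    return rr.quantity_received * po.unit_price_cents


class DisbursementLedger:
    """Cashier-side record enforcing the duplicate-payment controls: pay each
    invoice only once and cancel the supporting documents once paid."""

    def __init__(self):
        self.paid_invoices = set()      # (supplier_id, invoice_number)
        self.cancelled_reports = set()  # receiving reports already used

    def approve_payment(self, po, rr, inv):
        """Return (approved, problems); only an approved payment is recorded."""
        problems = three_way_match(po, rr, inv)
        if (inv.supplier_id, inv.invoice_number) in self.paid_invoices:
            problems.append("duplicate payment: invoice already paid")
        if rr is not None and rr.rr_number in self.cancelled_reports:
            problems.append("receiving report already cancelled by an earlier payment")
        if problems:
            return False, problems
        self.paid_invoices.add((inv.supplier_id, inv.invoice_number))
        self.cancelled_reports.add(rr.rr_number)  # cancel the support document
        return True, []


if __name__ == "__main__":
    # Constructed sample voucher package.
    po = PurchaseOrder("PO-1", "S-100", "widget", 10, 250)
    rr = ReceivingReport("RR-1", "PO-1", "widget", 10)
    inv = SupplierInvoice("INV-7", "S-100", "PO-1", "widget", 10, 250)
    ledger = DisbursementLedger()
    print(ledger.approve_payment(po, rr, inv))  # first payment approved
    print(ledger.approve_payment(po, rr, inv))  # same invoice again: rejected
    print(two_way_match_amount(po, rr))         # ERS amount in cents
```

The second `approve_payment` call is the control the notes describe under duplicate payments: the ledger refuses both a resubmitted invoice number and a receiving report that has already supported a payment, so a copied invoice cannot be paid twice even if its line items match.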