Uploaded by Kareem Khaled Said

Automated Notes (Ch. 1, 2, 7, 8, 9, 12, 13, 16)

Chapter 1
In the name of God. O God, nothing is easy except what You make easy, and You make sorrow easy if You will.
Data Vs Information
Data are facts that are recorded and stored.
Information is processed data used in decision making.
Information is valuable when its benefit ($) exceeds its cost ($)
What makes information Useful?
1. Relevant: makes a difference in decision making
2. Reliable: quality, free from error and bias
3. Complete
4. Timely
5. Understandable
6. Verifiable
7. Accessible
Business transactions are:
● Give-Get exchanges
● Between two entities
● Measured in economic terms
AIS: Collect, process, store, and report data and information
1. People
2. Processes
3. Technology
4. Controls
AIS leads to effective (quality) and efficient (cost reduction) decisions
An AIS is influenced by an organization’s strategy.
AIS in the Value Chain
1. Primary activities provide direct value to the customer (logistics, operations, marketing
and sales, service)
2. Support activities enable primary activities to be efficient and effective. (technology,
purchasing, HR, firm infrastructure)
Chapter 2
Data processing cycle determines:
1. What data is stored?
2. Who has access to the data?
3. How is the data organized?
4. How can unanticipated information needs be met?
Data input:
Capture (transaction data)
Ensure Accuracy and completeness
Ensure company policies are followed
Information comes from source documents:
1. Paper source documents
2. Turnaround documents
3. Source data automation
Data Storage:
How is data organized?
● Chart of accounts
● Transactions journals
● General ledgers (summary-level data for: asset, liability, equity, revenue, expense)
● Subsidiary ledger (detailed data for a general ledger account: A/P, A/R)
Coding techniques:
● Sequence
● Block
● Group
● Mnemonic
● Chart of accounts
Make the coding system as simple as possible
Computer-based storage
Master file: include resource and people data (Permanent records, updated with transaction files)
Transaction file: Activity or event data that is captured (record of a business from a specific time period)
Database hierarchy:
Files which include records (entities) which include Attributes
Data Processing
Four types (CRUD)
1. Creating new records
2. Reading existing data
3. Updating previous records
4. Deleting data
Information output: Online or Printed out
● Document
● Report
● Query
Enterprise Resource Planning systems (ERP): integrate activities from the entire organization
● Financial (general ledger and reporting system)
● Human resources and payroll
● Revenue cycle
● Production cycle
● Project management
● Customer relationship management
● System tools
Chapter 7
Controls
● Threats: potential adverse occurrence or unwanted event that could be injurious to the AIS
● Exposure (impact): potential dollar loss when a threat becomes a reality
● Likelihood: probability that a threat will happen
Primary objective of AIS is to control the organization to achieve its objectives
Internal controls objectives:
1. Safeguard assets
2. Maintain sufficient records
3. Provide accurate and reliable information
4. Prepare financial reports according to established criteria
5. Promote and improve operational efficiency
6. Encourage adherence with management policies
7. Comply with laws and regulations
Functions of internal controls:
1. Preventive Controls: Deter problems from occurring
2. Detective Controls: Discover problems that are not prevented
3. Corrective controls: Identify and correct problems
Internal controls are separated into 2 categories
1. General Controls: Ensure organization’s control environment is stable, well maintained
Ex: Security, IT infrastructure, software acquisitions, development & maintenance control
2. Application controls: Make sure transactions are processed correctly
Concerned with: accuracy, completeness, validity, and authorization of the data
SOX (2002)
1. New roles for audit committee (be part of board of directors & be independent)
2. New rules for management (auditors are told about internal control weaknesses)
3. New Internal Control Requirements (management responsibility)
Four levers of control help reconcile the conflict between control and creativity
1. Belief system: Communicates company core values to employees
2. Boundary system: Helps employees act ethically by setting limits
3. Diagnostic control system: Measure Progress (Performance vs Budget)
4. Interactive control system: Helps top level managers to deal with high level activities
proactively, such as: Developing company strategy & objectives, Dealing with threats &
risks, Developing responses and action plans, monitor changes in competitive conditions
and emerging tech
Control Frameworks
● COBIT: framework for IT controls
● COSO: framework for enterprise IC
● COSO-ERM: expands COSO with a risk-based approach
COBIT allows:
● Management to benchmark control practices of IT environments
● Users to be assured that adequate security and control exist for IT services
● Auditors to form an opinion on IC and IT security matters
COBIT 5 Principles:
1. Meeting stakeholder needs
2. Covering the enterprise end-to-end
3. Applying a single, integrated framework
4. Enabling a holistic approach
5. Separating governance from management
Components of COSO Frameworks
COSO:
Internal environment
Risk assessment
Control activities
Information and communication
Monitoring
COSO - ERM: same as COSO in addition to
Objective setting
Event identification
Risk Response
These objectives fall under: Strategic, operations, reporting, compliance
1. Internal environment: establishes the foundation for all other components
● Management's philosophy
● Commitment to ethical values
● Organization structure
● HR standards
2. Risk assessment: assessed from two perspectives
● Likelihood: probability an event will occur
● Impact: estimate of the negative or positive impact
Types of risk:
● Inherent: exists before plans are made to control it
● Residual: remains after controls are put in place to reduce it
3. Control activities: policies and procedures that ensure control objectives are met
● Segregation of duties (custodial function, recording function, authorization function)
● Proper authorization of transactions and activities
● Independent checks on performance
4. Information & communication: the primary function of the AIS is to
● Gather, record, process, store, summarize, and communicate information
● Meet 5 main objectives:
1. Identify and record all valid transactions
2. Record transactions at their proper monetary value
3. Record transactions in the proper accounting period
4. Classify transactions
5. Present transactions
5. Monitoring:
● Perform IC evaluations (internal audit)
● Implement effective supervision
● Monitor system activities
● Conduct periodic audits
● Install fraud detection software
6. Objective setting:
● Strategic objectives (high-level goals aligned with the corporate mission)
● Operations objectives (effectiveness and efficiency of operations)
● Reporting objectives (complete, reliable, improve decision making)
● Compliance objectives (compliance with applicable laws and regulations)
7. Event identification
● Identifying external/internal events that could affect organization objectives (negative or positive impact)
1. What could go wrong?
2. How can it go wrong?
3. What is the potential harm?
4. What can be done about it?
8. Risk Response (RAAS)
Reduce: implement effective internal control
Accept: do nothing, accept likelihood of risk
Avoid: do not engage in the risky activity
Share: buy insurance, outsource, hedge
Chapter 8
COBIT: Addresses IT & internal control
Information for management should ensure 7 Elements:
1. Effectiveness: Relevant & timely (Input = correct output)
2. Efficiency: info must be produced in a cost effective manner
3. Integrity: Accurate, complete, valid (not false)
4. Availability: available whenever needed
5. Compliance: controls must ensure compliance with internal and external policies
6. Confidentiality: Sensitive information is protected from unauthorized disclosure
7. Reliability: management has the information it needs to conduct its governance responsibilities
COBIT cycle
1. Management develops plans to organize information resources to provide the information the organization needs
2. Management authorizes and oversees efforts to acquire the desired functionality.
3. Management ensures that the resulting system actually delivers the desired information.
4. Management monitors and evaluates system performance against the established criteria.
Trust Services Framework: Organize IT controls to ensure system reliability (CAPPS)
1. Confidentiality: Sensitive organizational data is protected
2. Availability: System and information are available.
3. Privacy: personal information about 2nd and 3rd parties is protected
4. Processing integrity: Processed accurately, completely, in a timely manner, proper authorization
5. Security: Access to the system and data is controlled and restricted to legitimate users
Management role in IS security
● Create a security-aware culture
● Inventory and value company information resources
● Assess risk, select a risk response
● Develop and communicate security plan, policies, and procedures
● Monitor and evaluate effectiveness
Security approaches:
Defense in depth: Multiple layers of control (preventive and detective) to avoid a single point of failure
Time-based model: security is effective if P > D + C, where P is the time it takes an attacker to penetrate the system, D the time it takes to detect the attack, and C the time it takes to take corrective action
Steps in IS System Attack
How to mitigate risk of attack?
Preventive controls:
1. People: a culture of security set by top management; training
2. Process: authentication verifies who the person is and what they can access
3. IT solutions: anti-malware, network access, device and software hardening controls, encryption
4. Physical security: limit entry to the building, restrict access to the network and data
5. Change controls and change management: documentation, approval, testing, backout plan, monitoring
Detective controls:
1. Log analysis: to identify possible attacks
2. Intrusion detection systems: the firewall permits traffic, sensors analyze it for intrusion attempts
3. Penetration testing
4. Continuous monitoring: employee compliance with security policies and the performance of business processes
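Log analysis as a detective control, as an added example that is not part of the original notes: it scans authentication events for a burst of failed logins from one source and flags a success that follows such a burst. The log line format, the threshold, the window, and the sample log lines are constructed assumptions.

```python
"""Detective control: log analysis over authentication events.

Added example, not from the original notes. The log format, the threshold,
the window and the sample lines below are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one event per line (timestamp, result, user, source IP).
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL user=alice src=10.0.0.5
2024-03-01T09:00:04 FAIL user=alice src=10.0.0.5
2024-03-01T09:00:07 FAIL user=bob src=10.0.0.5
2024-03-01T09:00:10 FAIL user=carol src=10.0.0.5
2024-03-01T09:00:12 FAIL user=dave src=10.0.0.5
2024-03-01T09:00:15 OK user=dave src=10.0.0.5
2024-03-01T09:01:00 FAIL user=erin src=10.0.0.9
2024-03-01T09:30:00 OK user=erin src=10.0.0.9
"""


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, result, user_field, src_field = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "ok": result == "OK",
        "user": user_field.split("=", 1)[1],
        "src": src_field.split("=", 1)[1],
    }


def find_brute_force(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return alerts as tuples.

    ("failed_login_burst", src, count, ts) once a source reaches `threshold`
    failures inside `window`; ("success_after_failures", src, user, ts) when
    a later successful login comes from a source already flagged.
    """
    alerts = []
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    flagged = set()              # sources that already produced a burst alert
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["ok"]:
            if ev["src"] in flagged:
                alerts.append(("success_after_failures", ev["src"], ev["user"], ev["ts"]))
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        # Drop failures that have aged out of the sliding window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in flagged:
            flagged.add(ev["src"])
            alerts.append(("failed_login_burst", ev["src"], len(q), ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in find_brute_force(SAMPLE_LOG):
        print(alert)
```

The second alert type is the one worth acting on: a burst of failures followed by a success from the same source is the pattern an analyst would escalate, whereas the burst alone may just be a user mistyping a password.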
Response (corrective):
1. Computer incident response team: recognize the problem, containment, recovery, follow-up
2. Chief information security officer: Independent responsibility for information security
3. Patch management: Fix known vulnerabilities by installing the latest updates
Chapter 9:
Confidentiality Vs Privacy
Confidentiality: organizational intellectual property
Privacy: focuses on protecting personal information of 2nd parties
Protecting Confidentiality and Privacy of Sensitive Information
● Identify and classify the information to protect: where it is located, who has access, classify its value
● Encryption: protect information in transit and in storage
● Access controls: digital watermarks, data loss prevention, data masking
● Training
Privacy Concerns
1. Spam-unsolicited email that contains either advertising or offensive content.
2. Identity theft-assuming someone’s identity, usually for financial gain.
Generally Accepted Privacy Principles (GAPP): 10 practices recommended for privacy
1. Management: procedures/ policies with assigned responsibility & accountability
2. Notice: Provide notice of privacy policies/ practices prior collecting data
3. Choice & consent: Opt in vs opt out
4. Collection: only collect needed information
5. Use & retention: use info only for the stated reason
6. Access: customer should be able to review, correct, delete provided info
7. Disclosure to 3rd parties: which provide same level of privacy
8. Security: protect from loss or unauthorized access
9. Quality: integrity & accuracy of information. Provide customer ways to review info
10. Monitoring & enforcement: procedures for responding to complaints, compliance
Encryption: preventive control; a longer key is stronger
Types of encryption
1. Symmetric: Uses one key to encrypt and decrypt (both parties need to know the key)
2. Asymmetric: Uses two keys (can create digital signatures)
Virtual Private Network (VPN):
● Securely transmits encrypted data between sender and receiver
● Sender and receiver have the appropriate encryption and decryption keys
Chapter 12
Revenue Cycle: Provide the right product, in the right place, at the right time, for the right price
Activities: Sales order entry → Shipping → Billing → Cash collection
General Threats and Controls
1. Inaccurate or invalid master data: Data processing integrity controls, Restriction of
access to master data, Review changes to master data
2. Unauthorized disclosure of sensitive information: Access controls, encryption
3. Loss or destruction of Data : Backup and disaster recovery procedures
4. Poor performance: Managerial reports
1. Sales order entry: take customer order, approve credit, check inventory, respond
5. Incomplete/ inaccurate orders: Data entry restrictions, restriction master data
6. Invalid orders: digital signatures or written signatures
7. Uncollectible amounts: Credit limits, aging of A/R, specific authorization for new customers
8. Stockouts or excess inventory: perpetual inventory, sales forecast, periodic physical counts
9. Loss of customers: CRM systems, self help websites, evaluation of customer service rating
2. Shipping Process: pick & pack order (picking ticket), ship order (packing slip, bill of lading)
10. Picking wrong items or quantity: Barcode/ RFID, reconciliation of picking list to sales order
11. Theft of inventory: Restrict physical entrance, document transfers, segregation of duties
12. Shipping Errors: reconciliation of shipping document with sales order, pick list, packing slip
3. Billing Process: Invoicing customer (sales invoice), Updating A/R (monthly statements)
13. Failure to bill: Separation of billing & shipping, periodic reconciliation of documents
14. Billing Errors: Data entry controls, reconciliation of shipping documents to sales order
15. Posting errors in A/R: Data entry controls, reconciliation of batch totals, reconciliation
to general ledger, mailing monthly statements to customers
16. Inaccurate credit memos: Segregation of duties, configuration of system to block credit
memo except with authorization or corresponding documentation of returned goods
4. Cash Collection Process: Process Customer Payment, update their account balance,
deposit payments to bank
17. Theft of cash: segregation of duties (whoever handles deposits must not reconcile the bank account or create credit memos)
18. Cash flow problems: cash flow budgets, credit cards
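Reconciliation of batch totals (threat 15 above, posting errors in A/R) as an added example, not code from the original notes. It computes the three classic control totals over a batch of cash receipts and compares the control slip prepared with the batch to the totals recomputed from what was actually keyed. The record layout and all sample batches are constructed assumptions.

```python
"""Data processing integrity control: batch total reconciliation for A/R postings.

Added example, not from the original notes. The record layout, the three
control totals chosen and the sample batches are constructed assumptions.
"""

# Constructed batch of customer remittances as listed by the mail room:
# (customer account number, amount in cents).
PREPARED_BATCH = [
    (10234, 125000),
    (10871, 47500),
    (10234, 9900),
    (11502, 310000),
]

# Constructed: the same batch as keyed by A/R, with one record dropped
# and one amount transposed.
ENTERED_BATCH = [
    (10234, 125000),
    (10871, 45700),   # 47500 keyed as 45700 (transposition)
    (11502, 310000),  # the 9900 receipt for 10234 was never keyed
]

# Constructed: amounts all correct, but one account number mis-keyed.
MISKEYED_ACCOUNT_BATCH = [
    (10234, 125000),
    (10871, 47500),
    (10243, 9900),    # 10234 keyed as 10243
    (11502, 310000),
]


def batch_totals(records):
    """Compute the control totals over a batch.

    record_count    catches dropped or duplicated records
    financial_total catches wrong amounts
    hash_total      sum of a non-financial field (account numbers); it has no
                    business meaning and exists only to catch mis-keyed fields
                    the other two totals would miss
    """
    return {
        "record_count": len(records),
        "financial_total": sum(amount for _, amount in records),
        "hash_total": sum(acct for acct, _ in records),
    }


def reconcile(control_slip, entered_records):
    """Compare the control slip prepared with the batch to the totals recomputed
    from the records actually entered. Returns [(total_name, expected, actual)]
    for each total that disagrees; an empty list means the batch reconciles."""
    actual = batch_totals(entered_records)
    return [(name, control_slip[name], actual[name])
            for name in control_slip if control_slip[name] != actual[name]]


if __name__ == "__main__":
    slip = batch_totals(PREPARED_BATCH)
    print("control slip:", slip)
    print("entered batch:", reconcile(slip, ENTERED_BATCH))
    print("mis-keyed account:", reconcile(slip, MISKEYED_ACCOUNT_BATCH))
```

The mis-keyed account batch is the case that justifies the hash total: the record count and the financial total both agree, so only the hash total reveals that a receipt would be posted to the wrong customer.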
Identify information needed to make decisions
1. Operational Data to do recurring tasks
2. Current/ Historical data for management to make strategic decisions
3. Information to evaluate performance of critical process
Revenue margin: Net sales - COGS - Selling costs
Chapter 13
Expenditure Cycle Activities
1. Order
2. Receive & store
3. Approve Supplier (vendor) invoice
4. Payment
Key decisions
● Optimal level of inventory
● Best supplier (quality/price)
● IT use to improve efficiency and accuracy
● How to take advantage of vendor discounts
● How to maximize cash flow
General Threats and Controls
1. Inaccurate or invalid master data: Data processing integrity controls, Restriction of
access to master data, Review changes to master data
2. Unauthorized disclosure of sensitive information: Access controls, encryption
3. Loss or destruction of Data : Backup and disaster recovery procedures
4. Poor performance: Managerial reports
1. Ordering
● Identify product, quantity, purchase time (purchase requisition)
● Choose a supplier (purchase order)
3 approaches to ordering:
1. Economic order quantity (EOQ)
2. Materials requirements planning (MRP) is based on forecast sales
3. Just-in-time inventory (JIT) responds to actual sales (demand).
Advanced systems automatically initiate purchase requests when quantity falls below reorder point
Ordering Threats & Controls
1. Stockouts and excess inventory: Perpetual inventory system, bar-coding or RFID
2. Purchasing items not needed: Review and approval of purchase requisitions
3. Purchasing items at inflated prices: Prices lists, competitive bids
4. Purchasing goods of poor quality: Use approved suppliers
5. Unreliable suppliers: Monitor supplier performance, require quality certification
6. Purchasing from unauthorized suppliers: purchase from approved suppliers
7. Kickbacks: supplier audits, prohibit gifts
2. Receiving Process
Goods arrive: verify the goods received against the purchase order (quantity, quality) and prepare a receiving report
An obligation to pay the vendor arises, but first make sure the goods were authorized and the quantity and quality are correct
Improving efficiency: bar coding, RFID, EDI, Audits
Receiving Threats & Controls
1. Accepting unordered items: Authorized PO needed before receiving goods
2. Mistakes in counting: Barcodes or RFID
3. Verifying receipt of services: Budget control & audits
4. Inventory theft: Restrict physical entrance, document transfers, segregation of duties
3. Approve Supplier invoice:
Match supplier invoice to: purchase order & receiving report
(supplier invoice + purchase order + receiving report = voucher)
Approve supplier invoice for payment (disbursement voucher)
2 approaches to processing vendor invoices:
1. Non-voucher system: invoices are processed and stored to avoid duplicate payments.
2. Voucher system: a disbursement voucher is used
Three-way match: quantity on the receiving report = quantity on the vendor invoice, and price on the vendor invoice = price on the purchase order
Two-way match: quantity on the receiving report × price on the purchase order = amount paid to the vendor
Threats & Controls:
1. Errors in supplier invoice: Verify invoice accuracy
2. Mistakes in posting AP: Data entry edit controls, reconcile with general ledger
4. Cash Disbursements:
The cashier reviews the voucher package, approves payment, prepares the check, and signs it
Improving efficiency: EDI, ERS (invoiceless), procurement cards, FEDI
Threats & Controls
1. Failure to take discounts: File invoices by due date to take advantage of discounts
2. Pay for items not received: Match supplier invoice to (purchase order, receiving report)
3. Duplicate payments: Pay original invoices, Cancel supporting document when paid
4. Theft of cash: Physical security of checks, Separation of duties, Reconcile bank account
5. Check alteration: Check Protection machines
6. Cash flow problems: Cash flow budget
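The three-way match (approve supplier invoice above) together with the controls against paying for items not received and against duplicate payments (cash disbursements above), as an added example that is not code from the original notes. Quantity is taken from the receiving report and price from the purchase order, exactly as the match rule states; a paid invoice and its receiving report are then cancelled so they cannot support a second payment. The document layouts, field names and sample documents are constructed assumptions.

```python
"""Approve-supplier-invoice controls: three-way match plus duplicate-payment block.

Added example, not from the original notes. Document layouts, field names
and the sample documents below are constructed assumptions.
"""

# Constructed documents. Quantities are units; prices are unit prices in cents.
PURCHASE_ORDER = {
    "po_no": "PO-1001", "supplier": "ACME",
    "lines": {"WIDGET": {"qty": 100, "price": 250}, "BOLT": {"qty": 500, "price": 10}},
}
RECEIVING_REPORT = {
    "rr_no": "RR-2001", "po_no": "PO-1001",
    "lines": {"WIDGET": {"qty": 100}, "BOLT": {"qty": 480}},  # 20 bolts short-shipped
}
INVOICE_GOOD = {
    "invoice_no": "INV-77", "supplier": "ACME", "po_no": "PO-1001",
    "lines": {"WIDGET": {"qty": 100, "price": 250}, "BOLT": {"qty": 480, "price": 10}},
}
INVOICE_BAD = {
    "invoice_no": "INV-78", "supplier": "ACME", "po_no": "PO-1001",
    "lines": {"WIDGET": {"qty": 100, "price": 275},   # price above the PO price
              "BOLT": {"qty": 500, "price": 10},      # billed 500, only 480 received
              "GASKET": {"qty": 10, "price": 99}},    # not on the PO at all
}


def three_way_match(invoice, po, rr):
    """Return a list of exceptions; an empty list means the invoice may be vouchered.
    Quantity comes from the receiving report, price from the purchase order."""
    exceptions = []
    if invoice["po_no"] != po["po_no"] or rr["po_no"] != po["po_no"]:
        exceptions.append("document references do not agree")
    if invoice["supplier"] != po["supplier"]:
        exceptions.append("invoice supplier differs from PO supplier")
    for item, inv_line in invoice["lines"].items():
        po_line = po["lines"].get(item)
        rr_line = rr["lines"].get(item)
        if po_line is None:
            exceptions.append(f"{item}: billed but never ordered")
            continue
        received = rr_line["qty"] if rr_line else 0
        if inv_line["qty"] > received:
            exceptions.append(f"{item}: billed qty {inv_line['qty']} exceeds received qty {received}")
        if inv_line["price"] != po_line["price"]:
            exceptions.append(f"{item}: invoice price {inv_line['price']} differs from PO price {po_line['price']}")
    return exceptions


class DisbursementLedger:
    """Tracks paid invoices and cancelled supporting documents so that neither
    the same invoice nor the same receiving report can support a second payment."""

    def __init__(self):
        self.paid = set()       # (supplier, invoice_no) already paid
        self.cancelled = set()  # receiving report numbers already used to pay

    def approve(self, invoice, po, rr):
        """Return (approved, reasons). Duplicate checks run before the match."""
        key = (invoice["supplier"], invoice["invoice_no"])
        if key in self.paid:
            return False, ["duplicate payment: invoice already paid"]
        if rr["rr_no"] in self.cancelled:
            return False, ["receiving report already cancelled by a prior payment"]
        exceptions = three_way_match(invoice, po, rr)
        if exceptions:
            return False, exceptions
        self.paid.add(key)
        self.cancelled.add(rr["rr_no"])  # cancel the supporting document when paid
        return True, []


if __name__ == "__main__":
    ledger = DisbursementLedger()
    print(ledger.approve(INVOICE_GOOD, PURCHASE_ORDER, RECEIVING_REPORT))
    print(ledger.approve(INVOICE_GOOD, PURCHASE_ORDER, RECEIVING_REPORT))
    print(three_way_match(INVOICE_BAD, PURCHASE_ORDER, RECEIVING_REPORT))
```

A real system cancels supporting documents per line and per quantity rather than per document, because one purchase order is often received and invoiced in several partial deliveries; the whole-document cancellation here is the simplest form of the control the notes describe.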
Chapter 16
General Ledger and Reporting: Primary objective is to collect & organize:
1. The accounting cycle activities
2. Financing activities
3. Investing activities
4. Budget activities
5. Adjustments
Process:
1. Update General Ledger
2. Post Adjusting Entries
3. Prepare Financial Statements
4. Produce Managerial Reports
General Threats & Controls
Invalid general ledger data: Data processing integrity control, access restriction, review changes
Unauthorized disclosure of Financial Statements: Access controls, encryption
Loss or destruction of data: Backup and disaster recovery procedures
1. Update general ledger: posting journal entries that originate from 2 sources
● Accounting subsystems: the different business cycles
● Treasurer: non-routine transactions (may be documented on a journal voucher)
Inaccurate updating of GL: Reconciliation of subsidiary ledger to GL, access control, audit trail
Unauthorized journal entries : Audit trail, access controls, reconciliation & control reports
2. Post Adjusting Entries: originate from controller's office
Trial balance: lists balance for all general ledger accounts
Adjusting entries
Accruals: made at the end of the accounting period for events that have happened but are not yet in the FS (cash comes last)
Deferrals: made at the end of the accounting period where cash was exchanged prior to the event (cash comes first)
Estimates: Portions of expenses expected to occur (depreciation)
Revaluations: Reflect differences between actual & recorded value of asset
Corrections: Counteract effects of errors found in the general ledger
Inaccurate adjusting entries: standard adjusting entries, spreadsheet error protection
Unauthorized adjusting entries : Audit trail, access controls, reconciliation & control reports
3. Prepare Financial Statements: Income statement, Balance sheet, Cash Flows
Inaccurate FS: Training & audits, use of packaged software, processing integrity controls
Fraudulent Financial Reporting : Audits
eXtensible Business Reporting Language (XBRL)
● Instance document: contains data from the FS
● Taxonomy: set of files defining the various elements and the relationships between them
● Linkbases: describe the relationships between elements
4. Prepare Managerial reports: budget & performance reports
Evaluating performance:
● Responsibility accounting: reporting results based upon managerial responsibilities in an organization (ex: production vs sales department)
● Flexible budget: based upon level of activity
● Balanced scorecard: measures financial and non-financial performance (financial, customer, internal operations, innovation and learning); measures targets and actuals
● Graphs: data visualization and proper graph design
Poorly designed reports and graphs: responsibility accounting, balanced scorecard, training on graph design