AFM 502/ACC 621 Textbook Summary [Full Course]

File contains concise, easy-to-read summaries of assigned textbook readings. Readings are arranged chronologically by when they were assigned for ease of use, and organized by chapter for increased readability.

97 Pages

Accounting & Financial Management
AFM 502
Clark Hampton

Chapter 1 – Introduction to Computer-Based Information Systems

Assigned reading:
From Page # | Beginning With                                                   | To Page # | Ending at
1.6         | Impact of Information Technology on Business                     | 1.14      | Electronic Meeting Systems
1.16        | Challenges                                                       | 1.20      | Behavioral
1.21        | Key Dimensions of Practice by IS Control and Audit Practitioners | 1.38      | Organization of Data into Files
1.42        | Master Files and Transaction Files                               | 1.43      | Access Method and File Maintenance
1.45        | Database Management Systems                                      | 1.46      | File Design Considerations
1.47        | Information Processing Activities                                | 1.50      | Interactive Programming
1.58        | Intranets and Extranets                                          | 1.59      | The World Wide Web
1.59        | XBRL for Financial Reporting                                     |           | End of Chapter

- Information Technology (IT) is more than just technology. IT includes infrastructure components such as computer hardware, system and application software, and the public and private networks that underlie today’s information systems. The trio of people, processes, and technology is a convenient shorthand for what we mean by IT
- For most entities in both the public and private sectors, success depends on the effective harnessing of IT-based information systems through:
  o The effective alignment of investment in IT with the entity’s business objectives, and
  o The effective management and renewal of the portfolio of investments in IT
- IT Governance: Strategic alignment of IT strategy and business strategy, and IT portfolio management
- One of the oldest uses of information technology for competitive advantage was in the reservation systems developed by the major airlines
- The phrase “competitive advantage” is widely used to describe the use of computers as part of an enterprise’s competitive strategy
- Use of IT for competitive advantage:
  o E-Business
    ▪ E-commerce involves buying and selling goods and services on-line
    ▪ The term e-business, a broader concept, is used to describe the application of IT to organizational tasks such as sales and marketing, accounting and finance, training and education, etc.
    ▪ E-business involves the application of IT to business processes to improve their effectiveness and efficiency – in short, to contribute to an entity’s competitiveness
  o Transaction Processing
    ▪ Transaction processing involves transaction initiation, input, transmission, processing, storage and output
  o E-Commerce
    ▪ E-commerce is the exchange of value between parties via electronic networks
    ▪ About 10% of all e-commerce activity involves Business-to-Consumer (B2C) transactions, while 90% involves Business-to-Business (B2B) e-commerce
    ▪ Key categories of e-commerce include:
      • Content provider
      • Direct to Customer
      • Full Service Provider
      • Intermediary/Broker
      • Shared Infrastructure
      • Value Net Integrator/Infomediary
      • Virtual Community
      • Enterprise or Government Portal
  o Office Automation
    ▪ Office automation systems include a variety of systems designed to support the productivity of office workers
    ▪ The main goals of such systems are enhanced communication, data sharing, group work and collaboration, and end-user empowerment
      • Communications and Networking
      • Data Sharing
      • Group Work and Collaboration
      • End-User Empowerment
        o Software tools such as word processors, spreadsheets, presentation managers, and data extraction and analysis software empower users to solve problems through end-user computing rather than having to rely on central IT support personnel or outside consultants
  o Sales/Marketing
    ▪ Sales Force Automation (SFA)
      • Provides contact management, sales forecasting, and order management. Telemarketing services supported by such systems are increasingly being used by entities to market products and services to business and residential customers
    ▪ Customer Relationship Management (CRM)
      • Premised on keeping informed about customer interactions with the entity, including sales, service calls, and enquiries. The entity can then better anticipate and deliver the products and services that its customers need or want and prevent erosion of its customer base to competitors
    ▪ Data Warehousing and Data Mining
      • Data Warehouse: A database designed to support analysis and decision making. This data may be based in part on day-to-day transaction processing, but may be supplemented by other data sources. A data warehouse cannot simply be a haphazard collection of data; the data must be organized in a way that serves the purpose of the warehouse
      • Data Mining: The extraction from existing data of implicit, useful information that was previously not known. This is done by finding patterns in the data
      • Metadata: Information about the information (e.g., how frequently the information changes, the last time the information was changed, the source of the information, etc.)
    ▪ Business Intelligence (BI) and Data Analytics
      • BI systems enable data capture and warehousing of data from any source (internal or external) and transform it into decision-relevant information for making operating, tactical, or strategic decisions
  o Services
    ▪ IT Outsourcing
      • Service Level Agreement (SLA): A long-term contract that outlines the services to be provided from one party to another
      • When an entity outsources significant parts of its operations it can obtain significant benefits; however, it can also encounter risks such as loss of control over the outsourced operations, inability to monitor performance by the outsourcing service provider, conflicts of interest between the outsourcing service provider and itself, etc.
    ▪ Cloud Computing
      • There are three well known cloud computing types:
        o Software-as-a-Service (SaaS)
          ▪ Uses cloud computing to deliver a specific application over the internet. The customer uses a service provider’s application over a network (e.g. Gmail, Google Apps)
        o Platform-as-a-Service (PaaS)
          ▪ A cloud-based environment where customers can build their own applications that run on the provider’s infrastructure and are delivered to users via the internet (e.g. Google App Engine, Microsoft Azure)
        o Infrastructure-as-a-Service (IaaS)
          ▪ Provides customers with a complete internet-accessible infrastructure including processing, storage, and network bandwidth. Customers pay for these resources, upon which they can run multiple operating systems and applications (e.g. Amazon Web Services)
  o Purchasing
    ▪ Operating Resource Management (ORM)
      • ORM systems support procurement of goods and services required to operate an entity’s activities, including office and maintenance supplies, travel and office equipment
  o Production
    ▪ Supply Chain Management (SCM)
      • Reduces the cost of carrying excess inventory throughout the supply chain, while preventing disruptions throughout the supply chain due to shortages and delays. This is done by optimizing the logistics, production, and distribution processes, from forecasting materials requirements to meet customer demand, to acquiring materials from suppliers in co-ordination with production scheduling
    ▪ Enterprise Resource Planning (ERP)
      • ERP systems are designed to integrate an entity’s manufacturing, distribution, scheduling, finance and accounting functions through co-ordinated work flows and shared databases
      • Implementing an ERP can be a costly and risky undertaking, since extensive business process redesign or reengineering is often required to match up the entity’s business processes with the features of the ERP
    ▪ Logistics
  o Finance/Treasury
    ▪ Accounting Information Systems (AIS)
  o Human Resources
    ▪ Human Resource Management Systems (HRMS)
      • Improve an entity’s ability to implement and monitor personnel management policies and procedures, including employment records, experience profiles, and benefits management
  o Management
    ▪ Decision Support and Expert Systems
    ▪ Executive Information Systems (EIS) and Dashboards
      • EIS are systems designed to provide information to top level managers. Executives could instantly make enquiries about the status of various aspects of the company, such as sales trends for a particular product or the productivity of a particular manufacturing plant
    ▪ Electronic Meeting Systems
- Challenges:
  o IT is affecting the way in which organizations are structured, managed, and operated
  o IT is changing the nature and economics of accounting activity
  o IT is changing the competitive environment in which professional accountants participate
    ▪ Accounting and accounting system development
    ▪ Tax planning and tax return preparation
    ▪ Internal and external auditing activities
- Opportunities
  o Information creation and information system design
    ▪ Professional accountants have traditionally created information to enhance management decision-making. With the advent of new information technologies and expanded sources and means of access to information, professional accountants can help bring richer sets of information to bear on specific managerial decisions or help screen out essential information from the potentially overwhelming proliferation of available information
  o Information system management and control
    ▪ Professional accountants can provide a valuable service by bridging communication gaps between top management or functional managers lacking IT skills and technologists lacking in business backgrounds, adding a sound business perspective to the consideration of IT issues
  o Information system evaluation
    ▪ As information technologies proliferate, there are increasing demands for objective assessments of information system controls such as controls over system availability, security, processing integrity, maintainability, and information integrity
- Professional accountants, in addition to extensively using various types of information technologies, often play important managerial, advisory, and evaluative roles as discussed below:
  o User Role
    ▪ Users employ various information systems tools and techniques to help them meet their objectives or to help others meet their objectives
  o Manager Role
    ▪ Includes participation in strategic planning for use of IT to support an entity’s objectives, membership on an IT steering committee, evaluating potential IT investments, etc.
  o Designer Role
    ▪ Activities will often emphasize the identification of user needs, consideration of costs and benefits of proposed solutions, and the appropriate selection and combination of hardware, pre-packaged software, and essential control features
  o Evaluator/Auditor Role
    ▪ These roles or activities provide the rationale for topics to include in the professional education of all accountants and for the design of a program of continuing education to maintain and enhance their ability to perform these roles and to keep abreast of new developments affecting these roles
- Specific audit objectives by IS practitioners:
  o Auditability of IS Management/Operation Process
    ▪ Auditability of Software
    ▪ Auditability of Data
  o System Acquisition and Development Process
  o System Maintenance and Change Management Process
  o Compliance with Laws, Corporate Policies, and Contracts
    ▪ Outsourcing Contracts
    ▪ Service Level Agreements (SLA)
  o Security over Information System Facilities, Processing Activities, and Data
    ▪ Confidentiality of Information
    ▪ Privacy
  o Availability of Information System Processing and Business Continuity
  o Transaction Processing Integrity/Reliability
  o Service Organization Controls (SOC)
    ▪ SOC 1 Report: Reports on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting
    ▪ SOC 2 Report: Reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, and Privacy
    ▪ SOC 3 Report: Trust Services Report for Service Organization
  o Value of IS Services and Facilities (3Es)
    ▪ The three dimensions of value are:
      • Economy
      • Efficiency
      • Effectiveness
- General Systems Concepts:
  o System
    ▪ A system is an organized set of activities. When we speak of an information system we generally mean that there is some sort of input, a processing activity which acts on the input, some method of storing raw data or semi-processed data, and an output produced by the processing activity
      • Information processing activities may be manual (e.g., involving clerks and journals), mechanical (e.g., involving production machinery or process monitoring equipment), or electronic (e.g., involving terminals, computers, data files, and programs). Most business systems rely on a combination of manual and electronic processes
  o Sub-system
    ▪ Sub-systems may be large or small and their boundaries may be hard to define. It is common to subdivide systems into smaller units or sub-systems to enhance analysis and understanding of those systems
  o Applications and Business Processes
    ▪ Systems and sub-systems are aggregated into applications and business processes
    ▪ Application: A system with a specific business purpose (e.g., customer order entry, order fulfillment, and invoicing)
    ▪ Business Process: An aggregation of applications with an overarching purpose (e.g., the sales and service process)
    ▪ A core business process represents the main customer-facing activities of the business. The successful execution of the core business processes creates value in the eyes of customers.
    ▪ A core business process comprises the following elements:
      • Process objectives
      • Business rules
      • Process owner
      • Process actors/agents
      • Inputs
      • Activities/Sub-processes
      • Outputs
      • Systems
      • Risks
      • Controls
- An IT infrastructure is made up of the following components:
  o IT Architecture Standards
  o IT Components
  o Communications Infrastructure
  o Shared and Standard Applications
  o Shared IT Services
  o IT Enabled Intangibles
  o Human IT Infrastructure
- Data vs. Information
  o Data are the facts, the raw materials from which information is created. The AIS transforms data into information. Information is the finished product in a form immediately usable for managerial decision-making, financial reporting, or control
- There are four main types of information:
  o Routine
    ▪ Used to be the main focus of accounting systems in the past. However, changes in the competitive environment and the parallel development of information technologies are causing a move away from routine reporting towards the other uses
  o Exception
    ▪ A response to the overwhelming volume of routine paper reports generated and the information overload that can result.
  o Ad hoc
    ▪ Facilitated by advances in storage technologies combined with easy-to-use query languages and database systems which permit delay of information production to the time when it is most needed to support management decisions
  o Predictive
    ▪ Enabled by in-house database systems, commercial on-line information services, and business intelligence systems
- Attributes of Information:
  o Intrinsic: Accuracy, objectivity, believability, reputation
  o Accessibility: Access, security
  o Contextual: Relevance, value-added, timeliness, completeness, amount of data
  o Representational: Interpretability, ease of understanding, conciseness, consistency
- Core Attributes of Information Integrity:
  o Accuracy/Correctness
    ▪ While there are subtle distinctions between accuracy and correctness (i.e., an item can be accurate but not correct), these terms are considered synonymous in this book. This concept is subsumed under verifiability/auditability
  o Completeness
    ▪ Every discussion of accuracy is also a discussion of completeness and vice-versa. The degree of completeness achieved sets the upper bound on the degree of accuracy that is achievable
  o Currency/Timeliness
    ▪ Various forms of time stamping can provide useful information to enable stakeholders to assess the limitations of information integrity on this dimension. When information is enhanced by time stamping, its degree of accuracy is more understandable and more verifiable
  o Validity/Authorization/Authenticity
    ▪ The concept of validity means that information represents real conditions, rules, or relationships rather than characteristics of physical objects
    ▪ Transactions are valid if they were initiated and executed by personnel or systems that have been granted the authority to do so and if approvals are authentic and within the scope of the authority granted to the approver(s)
    ▪ The concept of validity includes elements of both accuracy and authorization
    ▪ Non-repudiation is an important aspect of information validity/authenticity in a transaction processing or information management context. Non-repudiation/authenticity depends on a combination of practices that can convincingly demonstrate that a transaction occurred, that its timing is correctly stated, that it is what it purports to be, that the transactor/source is authentic (correctly identified) and is acting within the authorization framework (policy, regulation, or law) governing the transaction, and that it was not and could not be tampered with since it was created
  o Confidentiality
  o Privacy
    ▪ Defined as the rights and obligations of individuals and organizations with respect to the collection, use, retention, and disclosure of personal information
    ▪ Personal Information: Information that is, or can be, about or related to an identifiable individual. Includes any information that can be linked to an individual or can be used to directly or indirectly identify an individual (name, email address, SIN number, physical characteristics, or purchase history)
    ▪ Personal information is different from confidential information. No single definition of confidential information is widely recognized; it must be agreed upon by business partners prior to information exchange
    ▪ Non-personal information ordinarily is not subject to privacy protection because it cannot be linked to an individual
- Enablers of Information Integrity, Confidentiality, and Privacy
  o Understandability/Granularity/Aggregation
    ▪ Granularity: The scale or level of detail present in a set of data or other phenomenon
  o Security
    ▪ Includes physical and logical access controls and safeguards over information to protect it against acts of nature and intentional malicious acts such as unauthorized creation, modification, or destruction, as well as inadvertent errors that could compromise its integrity. Also involves protecting the confidentiality of information; that is, protecting it against unauthorized viewing or dissemination
  o Availability/Accessibility
    ▪ For information to be complete, current, and timely, it needs to be available and accessible to users in accordance with business specifications and to be retrievable in a usable form when required
    ▪ Security and availability are complementary in the sense that security aims to restrict unauthorized access to information and availability aims to facilitate authorized access to information
  o Dependability/Predictability
    ▪ Includes several similar, but not identical, characteristics:
      • Dependability
      • Repeatability
      • Stability
      • Predictability
  o Consistency/Comparability/Standards
    ▪ Represents the stability of measurement and presentation over time or space
  o Verifiability/Auditability/Neutrality/Objectivity
    ▪ Verifiability is the ability of independent observers, applying the same processes and tolerances, all other things being the same, to replicate substantially the same result
  o Credibility/Assurance
    ▪ Credibility/assurance stem from procedures that are actually performed (e.g., by internal or external auditors) to verify/audit the integrity of the information by gathering evidence about its representational faithfulness
    ▪ The difference is that verifiability/auditability represents the necessary conditions for obtaining assurance about information integrity
  o Information Integrity and Processing Integrity
    ▪ Information integrity is enhanced by processing integrity. Processing integrity determines the upper limit of information integrity

Table: Conceptual Relationship Between Core Attributes and Enablers of Information Integrity
Core attribute    | Understandability | Secure | Available | Dependable | Consistent | Verifiable | Credible
Complete          | H                 | H      | H         | H          | H          | H          | H
Current/Timely    | L                 | L      | VH        | H          | M          | M          | M
Valid/Authorized  | L                 | VH     | L         | M          | M          | VH         | H
Accurate/Correct  | M                 | H      | M         | VH         | H          | VH         | VH
(L = low, M = medium, H = high, VH = very high)

- Information integrity attributes must be considered in the context of the stakeholder’s specific requirements, with the recognition that perfect information integrity is not achievable because completeness, currency, accuracy, and authorization are affected by delays in data recognition, processing, and utilization, however small. Thus, the standard for information integrity is not 100% representational faithfulness, but rather representational faithfulness within accepted tolerances
- Computer-based Accounting Information Systems (AIS) rely on three key components:
  o Organization of data into files stored on electronic media for rapid access
    ▪ Transaction files
    ▪ Master files
    ▪ Tables
    ▪ Databases
  o Information processing activities for maintaining those files and providing useful information from them.
    These information processing activities can be summarized into the following key phases (error prevention, identification, correction, and reprocessing are integral to all of these):
    ▪ Initiation
    ▪ Input
    ▪ Transmission
    ▪ Processing
    ▪ Storage
    ▪ Output
    ▪ Interface with other systems
  o Controls to provide reasonable assurance that:
    ▪ Only accurate, valid, and authorized data is collected and recorded
    ▪ The currency of the data is consistent with the purpose for which it is intended
    ▪ All data is accurately and completely recorded and processed into information in a timely manner that reflects the needs of the intended users of the information
    ▪ Errors are prevented or detected and promptly corrected
    ▪ Results or summary figures can be traced to the original source data, and
    ▪ Outputs are only distributed to or accessible by authorized recipients of the information
- Perhaps the two most important kinds of files in AISs are master files and transaction files
  o Master File: A collection of records pertaining to one of the main subjects of an information system (e.g., customers, employees, products, etc.). Contains descriptive data that is relatively permanent (e.g., customer number, name, address, etc.)
  o Transaction File: A collection of transaction records used to update the master file; transaction files also serve as audit trails and history for the organization
  o The basic difference is that transaction files essentially contain non-recurring data, whereas master files contain semi-permanent or recurring data which will be required repeatedly
- Database Management Systems (DMS) are based on the concept of data being independent from the program accessing it. With DMSs, the physical management of data is taken away from the individual application programs. All the data is put into a “pool” called the database, which is sharable by many different programs. The DMS is used to perform all physical manipulation, such as retrieving, adding, and deleting physical records. Redundancies, inconsistencies, and wasted space are reduced by enabling several different applications to use the same physical data
- A database administrator is used to analyze information uses, design the database, manage the database management system, and act as a liaison between the IS department and the many users sharing the data in the database
- Transaction Processing Phases:
  o Transaction Initiation
    ▪ There are three classes of transactions of concern:
      • Transactions which create, modify, or delete semi-permanent data such as master files, tables, and database entries for recurring use during processing
      • Transactions processed in the normal course of business to record economic activities such as purchases, sales, receipts, disbursements, etc.
      • Error correction transactions used to correct errors detected during processing
  o Input Preparation
    ▪ In more sophisticated data entry systems, the data preparation process is carried out by a variety of devices such as bar code readers, scanners, radio frequency identification (RFID) tag readers, etc.
  o Transmission/Input
    ▪ In its most basic form, electronic data transmission involves four components:
      • A sender or data source
      • A message or data
      • A communications channel or carrier
      • A receiver of the transmitted data
    ▪ For sensitive data, encryption is used to maintain its confidentiality in the event the data transmission is intercepted by unauthorized parties
  o Processing
  o Storage
  o Output
  o Error Prevention, Identification, Correction, and Reprocessing
    ▪ Errors, omissions, and delays may occur at any of these stages of transaction processing
    ▪ Rejected transactions are usually sent for correction to the initiation source, which is considered to be the best and most reliable means of correcting them

Figure: Stages of Transaction Flow

- Transaction Processing Modes:
  o Off-line
    ▪ No direct interface between the user and the computer (e.g., a user might prepare source documents and send them to the computer operator for keying)
  o On-line
    ▪ The user interacts directly with the computer and data is input through a terminal. The whole process is controlled by the computer, which may prompt or instruct the user in how to input the data
  o Realtime
    ▪ Output is available quickly enough to control real life activity (e.g., airline reservation systems, savings account processing at banks, etc.). The concept of realtime is closely related to immediacy
  o Interactive Processing
    ▪ Involves user interaction with the computer (subtle difference)
- Intranet: A network that is internal to an organization and uses internet technologies (e.g., use of a browser). Intranets have all the advantages of the internet, including ease of use, compatibility with other systems, and simplicity. Initially used to convey information to employees that once was printed, like procedure manuals, personnel manuals, and policy statements
- Extranet: Networks that are available to users outside of a company and may use web technology. Extranets have all the advantages of intranets but extend those advantages to outside parties such as suppliers and customers
- Virtual Private Network (VPN): A secure and encrypted connection between two points across the internet. Created as an answer to the security concerns of intranets and extranets. Data sent through a VPN goes from that user’s PC to a firewall, which encrypts the data and sends it over an access line to the company’s internet service provider. The data is then carried through tunnels across the internet to the recipient’s internet provider. From that point, the data travels over an access line, through another firewall where it is decrypted and sent to the recipient’s PC. VPNs reduce networking costs and staffing requirements, somewhat akin to outsourcing, but with better cost reductions
- XBRL (eXtensible Business Reporting Language) was developed to further enhance business information exchange by providing a standardized method to prepare, publish, and exchange business, especially financial, information. Regulators and government agencies in many countries are increasingly implementing XBRL for regulatory filings

Chapter 2 – Management, Control and Audit Implications of Information Technology

Assigned reading:
From Page # | Beginning With                                                               | To Page # | Ending at
2.3         | Start of Chapter                                                             | 2.8       | Mass Marketing and Distribution of IT Products and Services
2.8         | Reduction of Barriers to Systems Use and End-User Development                | 2.9       | Miniaturization and Mobility
2.11        | The Computer Mystique: Widespread Abdication of Responsibilities for Control | 2.13      | Social Consequences of Error, Abuse and Failure of Information Technology
2.17        | Transaction Processing Errors                                                | 2.27      | Use-Based Data Quality Programs
2.29        | Computer Fraud                                                               | 2.33      | Boot Sector Viruses
2.34        | System Failure and Disasters                                                 | 2.46      | Other Assurance Services
2.48        | Internal Control in the Context of an Audit                                  | 2.55      | Reporting on XBRL-Related Documents

- Information technology can represent a source of increased control, or a source of risk.
- Incorrect manual computations, improper recording of transactions, incorrect application of internal controls, and inadequate internal controls are likely sources of problems when information systems are computerized. Most frequently, the errors are data entry errors; general controls are not a common cause of misstatements
- In terms of magnitude, problems with personnel, program changes, and exception reports result in the largest misstatements
- Features of computer-based information systems and their risk and control implications:
  o Speed
     The same speed that allows millions of transactions to be processed efficiently can allow hundreds, possibly thousands, of errors to be processed in an instant, potentially engulfing the error-correction process
     Thus there is a need for continuous monitoring of computer systems via automated controls embedded in the software, so that the controls operate continuously and at the speed of the processing itself
  o Consistency of Performance
     If poorly designed or programmed, the computer system will consistently, and without fail, repeat each error over and over again
     In some cases this consistency can prove useful to auditors, since computer errors are less likely to resemble the "needle in a haystack" phenomenon that is characteristic of the random errors committed by human clerks, and which can be so difficult to find
  o Real-Time Processing
     Eliminates the time buffer for error checking and correction
     Thus controls must be "baked in" to systems when they are developed, to ensure that business activities are not prevented by processing problems
  o Inflexibility and Maintainability
     Retrofitting computer systems is difficult because of:
      • The technical difficulty of making the modifications
      • The difficulty of changing habitual human interactions with the various system components (resistance to change)
  o Online Data Access and Integrity
     The extensive reliance on online data raises growing concerns about its integrity, confidentiality, and privacy:
      • Integrity concerns the completeness, currency, accuracy, and validity of data/information
      • Confidentiality concerns protection against unauthorized access to, and disclosure of, sensitive information
      • Privacy concerns people's right to control the use of personally identifiable information
  o Ease of Access to Data and Computer Programs
  o Indirect Access to Assets
  o Convergence of Information and Communications Technologies
  o New Data Capture and Mass Storage Technologies
  o Use of Data Warehouses
  o Vulnerability of Data and Program Storage Media
  o Programmed Accounting Procedures and Controls
     Computer-based accounting systems are capable of executing accounting procedures and exercising accounting controls automatically. This can be a great boon to the enterprise. However, since accounting programs often replace accounting clerks, if those programs are not at least as good as the clerks were, if the procedures are not designed and programmed to be sound, or if the control procedures are not properly implemented, it is possible that no one in the organization is actually carrying out these procedures
  o Absence of Input Documents
  o Single-Transaction Update of Multiple Computer Files or Databases
  o System-Generated Transactions
  o Lack of Visible Output or Visible Transaction Trail
  o Integration of Sub-systems Through Networks and Data Sharing
     Data sharing can occur in several ways:
      • Re-keying the output of one sub-system to prepare the input of another sub-system
      • Direct transmission of the output of one sub-system to another sub-system
      • Updating of data files or a database by one sub-system and concurrent use of the same data by another sub-system via remote access
     Regardless of how the integration is implemented, the result of such data sharing is that errors in one sub-system will tend to proliferate to other sub-systems and, absent effective data-checking procedures, will degrade the entity's information and the decisions based on that information
  o Interdependence of User Procedures and Programmed Procedures
     For example, a computer might reject invoices with improperly coded customer numbers. However, if the users who receive exception reports on those items do not correct the customer numbers and promptly resubmit the invoices for processing, accounts receivable and sales will be understated for that period
  o Reduction of Barriers to System Use and End-User Development
     The reduction of barriers to system use is encouraging wider penetration of information systems into profit-oriented and not-for-profit organizations of all sizes, for accounting and for broader management and strategic purposes, and is increasing the role of end-user computing
     Often a single individual is the "expert" user of the computer, leading to significant dependence by the enterprise on that individual. Less expert employees may feel threatened
     The proliferation of data files often increases the risk of unauthorized access to sensitive enterprise data by hackers and malware (i.e., viruses, spyware, and trojans)
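The invoice example above (a programmed edit rejects badly coded customer numbers; the rejected items sit on an exception report until users correct and resubmit them) is worth seeing end to end, because the understatement it causes is exactly the total of the exception queue. The following Python is an added illustration written for this summary, not code from the textbook. It assumes a hypothetical customer-number format ("C" followed by five digits and a Luhn check digit) and a constructed batch of four invoices; the invoice numbers, amounts and the `Invoice`/`PostingRun` names are all invented for the example.

```python
"""Edit/validation of invoice input with an exception queue.

Added illustration, not from the textbook. Customer numbers are assumed to
be 'C' + five digits + a Luhn check digit (hypothetical format). Invoices
that fail the edit are not posted; they go to an exception report. Until
the report is worked and the items resubmitted, sales and accounts
receivable are understated by the rejected total.
"""
import re
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Optional

CUSTOMER_RE = re.compile(r"^C(\d{5})(\d)$")  # assumed format, not a real standard


def luhn_check_digit(body: str) -> str:
    """Luhn (mod 10) check digit for a string of digits; catches single-digit
    errors and almost all adjacent transpositions, the common keying mistakes."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def validate_customer_number(cust: str) -> Optional[str]:
    """Return None when the number passes the edit, else the rejection reason."""
    m = CUSTOMER_RE.match(cust)
    if not m:
        return "format"
    body, check = m.groups()
    if luhn_check_digit(body) != check:
        return "check digit"
    return None


@dataclass
class Invoice:
    number: str
    customer: str
    amount: Decimal


@dataclass
class PostingRun:
    posted: list = field(default_factory=list)
    exceptions: list = field(default_factory=list)   # (invoice, reason)

    @property
    def receivable(self) -> Decimal:
        return sum((inv.amount for inv in self.posted), Decimal("0"))


def post_invoices(invoices, run: Optional[PostingRun] = None) -> PostingRun:
    """Post every invoice that passes the edit; queue the rest with a reason."""
    if run is None:
        run = PostingRun()
    for inv in invoices:
        reason = validate_customer_number(inv.customer)
        if reason is None:
            run.posted.append(inv)
        else:
            run.exceptions.append((inv, reason))
    return run


def exception_report(run: PostingRun) -> list:
    """The exception report the user procedure is supposed to act on."""
    return [f"{inv.number} customer={inv.customer} amount={inv.amount} rejected: {reason}"
            for inv, reason in run.exceptions]


def resubmit(run: PostingRun, corrections: dict) -> PostingRun:
    """Re-key rejected invoices with corrected customer numbers and post them.
    Items with no correction stay queued, and AR stays understated by them."""
    pending, run.exceptions = run.exceptions, []
    fixed = []
    for inv, reason in pending:
        if inv.number in corrections:
            fixed.append(Invoice(inv.number, corrections[inv.number], inv.amount))
        else:
            run.exceptions.append((inv, reason))
    return post_invoices(fixed, run)


def demo():
    """Constructed batch: two invoices fail the edit. Returns AR before the
    exception report is worked, AR after, and the understatement in between."""
    batch = [
        Invoice("INV-1001", "C123455", Decimal("1200.00")),
        Invoice("INV-1002", "C132455", Decimal("850.00")),   # digits 2 and 3 transposed
        Invoice("INV-1003", "C987651", Decimal("430.50")),
        Invoice("INV-1004", "98765", Decimal("99.99")),      # prefix and check digit missing
    ]
    run = post_invoices(batch)
    before = run.receivable
    understated_by = sum((inv.amount for inv, _ in run.exceptions), Decimal("0"))
    run = resubmit(run, {"INV-1002": "C123455", "INV-1004": "C987651"})
    return before, run.receivable, understated_by


if __name__ == "__main__":
    before, after, gap = demo()
    print(f"AR before exceptions worked: {before}; after: {after}; understated by: {gap}")
```

Running the block posts 1630.50, leaves 949.99 in the exception queue, and reaches 2580.49 only after both corrections are resubmitted. The programmed control is working in both states; the understatement exists purely because the user procedure has not yet been performed, which is the interdependence the summary describes.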
  o The Computer Mystique: Widespread Abdication of Responsibility for Control
     Blind faith in the results of computer processing where such faith is not warranted
     In its worst manifestation this attitude can lead to abdication of responsibilities, especially by management personnel who may opt to leave computer control issues to the technical personnel
- Financial Consequences of Unreliable Systems
  o There are two main categories of consequences of system errors, abuses, and failures:
     Financial losses stemming from excessive costs and competitive disadvantage
     Social consequences, such as degradation of quality of life arising from flaws in information processing activities
- Poor data quality can have important and far-reaching consequences for an entity, such as:
  o Lower customer satisfaction
  o Lower employee satisfaction
  o Poor decision-making (poor decisions that take longer to make)
  o Greater difficulty in setting and executing strategy
- Transaction Processing Errors
  o Research indicates that errors in the input phase account for the vast majority of all errors. Input-phase errors include:
     Omitted/Missing Data
     Lost Data
      • It is possible to trace or re-create lost data, assuming adequate records are kept at the transaction-initiation stage
     Late Data/Cut-off Errors
     Inaccurate Data Entry
      • Perhaps the most significant of all transaction-processing errors. Most of the investment required to reduce transaction-processing errors focuses on eliminating inaccuracies
     User Interface Controls
      • Of all the causes of input-phase errors, the most prominent is poor design of documents and user interfaces. Causes of inaccuracies include:
        o Poor source document design
        o Poor user interface design
        o Inadequate editing and validation procedures
     Duplicated Data
     Unauthorized Data/Overrides
     Fraudulent Data
- There are four fundamental preventive strategies for eliminating input errors:
  o Replace human operators with automated data entry devices
  o Improve the design of forms and user interfaces
  o Provide user training and incentives
  o Improve editing and validation procedures
- Transmission-Phase Errors:
  o Incomplete Transmission
  o Delayed Transmission
  o Garbled Transmission
  o Duplicate Transmission
  o Unauthorized Distribution of Private/Confidential Information
  o Interception of Transmission/Eavesdropping
  o Interception of Transmission/Tampering
  o Fraudulent Transmission/Spoofing and Phishing
- Processing-Phase Errors:
  o Incomplete Processing
  o Untimely Processing/Cut-off Errors
  o Back-up/Recovery Delays
  o Wrong File
  o Incorrect Logic, in:
     Input and output statements
     Assignment statements
     Branching statements
     Looping statements
     Data type definitions, and
     Logic involving time
  o Duplicate Processing
  o Unauthorized Logic
  o Fraudulent Logic
  o Testing and Maintenance Errors
  o Failure to Make Required Changes
- Stored Data Errors:
  o Conversion Errors – Omissions
  o Conversion Errors – Cut-off
  o Non-current Files/Updating Delays
  o Environmental Change and Non-current Data
  o Conversion Errors – Inaccuracies
  o Conversion Errors – Invalid/Fraudulent Data
  o Back-up and Recovery
  o Operator Errors
  o Software Errors
  o Conversion Errors – Duplication
  o Back-up and Recovery – Duplication
  o Error Correction – Duplication
  o Inconsistencies Due to Data Redundancy
  o Uncontrolled Use of Data Fields
  o Failures/Disasters/Vandalism
- Output-Phase Errors:
  o Lost Output
  o Late Output
  o Incomplete Output
  o Inaccurate Output
  o Distribution to Unauthorized Users
  o Manipulation of Output
  o Output Use Errors
     Flow-through of all earlier errors
     Information delays, error-correction delays, etc.
     Unpredictable schedule of output relative to input
     Poor labelling of printed data
     Inappropriate aggregation of data
     Lack of user training
- Fraud is defined as an intentional act to deceive or mislead, convert assets to one's own benefit, or make intentional false statements or misrepresentations, often accompanied by omission, manipulation of documents, or collusion
- Computer fraud requires three elements:
  o A perpetrator lacking integrity or ethics
  o Motivation to commit the fraud
  o The opportunity to commit and conceal the fraud
- There are four main categories of hacker:
  o Novice: an inexperienced youth who logs on to large systems for fun
  o Student: a bright student who enjoys learning about computer systems and hacks out of curiosity; generally not seeking to do any intentional damage
  o Tourist: out for thrill and adventure, driven by the challenge of breaking into a "secure" system
  o Crasher: a vandal, motivated to destroy systems, close down accounts, and crash electronic bulletin boards
- The virus is an offshoot of a technique called the "time bomb". A time bomb is simply a logic statement that is activated when the system detects a given time or date; the activated logic is destructive code designed to cause program malfunctions or destroy files
  o A logic bomb is similar to a time bomb, except that the program is coded to malfunction when a specified set of logical conditions occurs rather than at a given time
- There are three different levels of disaster:
  o Equipment failure
  o The loss of the computing facility
  o The loss of the information system personnel
- More than half of the technology projects undertaken by private- and public-sector entities end in failure. The three main reasons are:
  o Poor planning
  o A weak business case for the project, and
  o Lack of involvement from top management
- Assurance services can be classified into two categories:
  o Financial statement audit assurance, and
  o Other assurance-oriented services, whose objectives may encompass any number of issues such as evaluation of security, privacy, efficiency, cost-effectiveness, etc.
- Most financial audits can be classified into three major phases:
  o Acquiring or updating an understanding of the entity and its environment
  o Obtaining an understanding of internal control and assessing inherent and control risks, and
  o Substantive verification of financial statement assertions
- Basic Components of Internal Control:
  o Control Environment
  o Entity's Risk Assessment Process: the entity's process for identifying and responding to business risks and the results thereof
  o Information Systems, Including the Related Business Processes, Relevant to Financial Reporting, and Communication
  o Control Activities: the policies and procedures that help ensure that management directives are carried out. Of particular relevance to information processing are:
     Application controls, and
     General IT controls
  o Monitoring of Controls
- Audit Evidence:
  o Authenticity: the identity of the person or entity that created the information can be confirmed
  o Integrity: the completeness, currency, accuracy, and validity/authorization of the information
  o Non-repudiation: a party, person, or entity that sent or received information cannot deny having taken part in the exchange or repudiate the information content
- There are two types of controls that auditors may wish to test:
  o Controls that leave no visible evidence, in which case the auditor's compliance procedures consist mainly of observation
  o Controls that leave a visible record of their performance, in which case auditors should normally apply their tests to a number of transactions selected from the period covered by the control risk assessment
- Tests of Controls:
  o System Changes/Conversions
  o IFRS Conversion
- An interesting evidence-related problem arises when an entity uses a service organization to process and/or store its data. Ideally, the user's auditor should visit the service organization and evaluate the controls there. This is not always possible, however, because the service organization may not allow the user's auditor access. The auditor may therefore be faced with two alternatives:
  o Ignoring the service organization's controls and relying entirely on evaluating the user's controls and/or carrying out compensating audit procedures. This approach is appropriate for simple systems where the user has implemented adequate controls and does not depend on those at the service organization
  o Relying on a report from a service auditor, normally the service organization's auditor
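The three audit-evidence properties above (authenticity, integrity, non-repudiation) are routinely conflated with each other and with the transmission-phase errors listed earlier (tampering, spoofing). The following Python is an added illustration for this summary, not code from the textbook. It uses HMAC-SHA256 to show that a message authentication code proves integrity and authenticity to the holders of a shared key but gives no non-repudiation, because the receiver can mint a valid tag itself; it then uses a Lamport one-time signature (chosen only because it runs on the standard library; a real system would use Ed25519, RSA or ECDSA with a PKI) to show why a signature made with a private key that only the sender holds does. The invoice record is constructed; the `forge_attempt` helper is the example's own.

```python
"""Integrity, authenticity and non-repudiation of an electronic record.

Added illustration for this summary, not from the textbook. The invoice
record below is constructed.
"""
import hashlib
import hmac
import secrets


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _bit(digest: bytes, i: int) -> int:
    """Bit i (0 = most significant bit of byte 0) of a 32-byte digest."""
    return (digest[i // 8] >> (7 - i % 8)) & 1


# --- Message authentication code: integrity + authenticity among key holders ---
def mac_tag(key: bytes, record: bytes) -> bytes:
    return hmac.new(key, record, hashlib.sha256).digest()


def mac_verify(key: bytes, record: bytes, tag: bytes) -> bool:
    # constant-time comparison so tag checking does not leak via timing
    return hmac.compare_digest(mac_tag(key, record), tag)


# --- Lamport one-time signature over SHA-256: non-repudiation ---
# A private key signs ONE record only; signing two records with the same key
# reveals enough secrets to forge. Real systems use Ed25519/RSA/ECDSA + PKI.
def lamport_keygen():
    """Private key: 256 pairs of random 32-byte secrets; public key: their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk


def lamport_sign(sk, record: bytes) -> list:
    """Reveal, for each bit of SHA-256(record), the secret matching that bit."""
    d = sha256(record)
    return [sk[i][_bit(d, i)] for i in range(256)]


def lamport_verify(pk, record: bytes, sig: list) -> bool:
    if len(sig) != 256:
        return False
    d = sha256(record)
    return all(sha256(sig[i]) == pk[i][_bit(d, i)] for i in range(256))


def forge_attempt(sig: list, original: bytes, target: bytes) -> list:
    """The best a receiver can do with only pk and a signature on `original`:
    reuse revealed secrets where the digests agree and guess the rest."""
    d0, d1 = sha256(original), sha256(target)
    return [sig[i] if _bit(d0, i) == _bit(d1, i) else secrets.token_bytes(32)
            for i in range(256)]


def demo() -> dict:
    """Constructed invoice record, once under a MAC and once under a signature."""
    record = b"INV-1002;customer=C123455;amount=850.00"
    tampered = b"INV-1002;customer=C123455;amount=8500.00"

    shared_key = secrets.token_bytes(32)   # known to sender AND receiver
    tag = mac_tag(shared_key, record)
    results = {
        "mac_verifies": mac_verify(shared_key, record, tag),
        "mac_detects_tamper": not mac_verify(shared_key, tampered, tag),
        # the receiver holds the same key, so it can mint a valid tag for a
        # record the sender never sent: a MAC cannot settle who sent what
        "receiver_can_forge_mac": mac_verify(shared_key, tampered,
                                             mac_tag(shared_key, tampered)),
    }

    sk, pk = lamport_keygen()              # sk stays with the sender only
    sig = lamport_sign(sk, record)
    results["sig_verifies"] = lamport_verify(pk, record, sig)
    results["sig_detects_tamper"] = not lamport_verify(pk, tampered, sig)
    results["receiver_cannot_forge_sig"] = not lamport_verify(
        pk, tampered, forge_attempt(sig, record, tampered))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:26s} {ok}")
```

All six checks come out True. The practical reading for an auditor: a MAC (or a shared password, or an "authenticated" EDI link) supports integrity and, between the two key holders, authenticity, but only a signature bound to a key the counterparty provably never had supports non-repudiation. A Lamport key is single-use by construction; reusing it is the equivalent of leaking a private key.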
  o Obtaining such a report can stall on the support of the service organization's management for the concept, since they will be faced with the cost of the service audit
- There are three types of Reports on Service Organization Controls (SOC):
  o SOC 1 Report – Report on Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting
     Type 1 – a report on management's description of the service organization's system and on the suitability of the design of the controls to achieve the related control objectives included in the description, as of a specified date
     Type 2 – the same, plus the operating effectiveness of those controls, throughout a specified period
  o SOC 2 Report – Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, and Privacy
     SOC 2 reports specifically address one or more of the following five key system attributes:
      • Security
      • Availability
      • Processing Integrity
      • Confidentiality
      • Privacy
  o SOC 3 Report – Trust Services Report for Service Organizations (a general-use summary of a SOC 2 examination)

Chapter 7 – Controls over Acquisition, Development & Maintenance of Information Systems
Readings: Chapter 7 from its start (7.3) to the start of Section 2, "Roles for Professional Accountants in the System Acquisition/Development and Maintenance Process" (7.36)
- The CICA IT Control Guidelines specify the following minimum control standards to ensure an effective and efficient process of systems development and acquisition (Control Objective H):
  o Policies and standards should be established and enforced to ensure the efficiency and effectiveness of the systems development and acquisition process
  o There should be procedures to ensure that all systems are developed and acquired in accordance with the established policies and standards
  o All personnel involved in systems acquisition and development activities should receive adequate training and supervision to ensure that they have the necessary knowledge, skills, and tools to support the achievement of the enterprise's objectives
  o Standards for project management of information technology acquisition, development, and implementation initiatives should be established and enforced
- Given that any system is only as good as the people who put it in place, proper training and supervision of personnel in the development process is important
- The development or acquisition of an information system can be a complex task. Consistent with the literature on strategic planning and programming, authority and responsibility for coordination and control should be given to a project manager. The project plan should be prepared by the development team and should include a description of the phases, the method to be followed, and the deliverables at each phase. The project plan should be approved by senior management (via the steering committee) at the initiation of the project
- A system development framework is very useful for the following reasons:
  o It encourages a uniform approach to information systems and provides for easier evaluation of applications before, during, and after implementation
  o It enhances control during the analysis, design, and development of information systems
  o It provides for early management involvement in information system development and can ensure a controlled commitment of resources and adequate opportunity to terminate projects at any stage
  o It provides a proven, structured methodology for the design and development of information systems, while allowing for flexibility and innovation
Figure: A Systems Development Framework
- There are two main competing views of how the phases of system development should be related:
  o Waterfall System Development
     Requires the sequential execution of the five stages of system development, completing each phase before beginning the next, in a manner similar to a cascading set of waterfalls:
      • Investigation
      • Requirements Analysis and Initial Design
      • Development
      • Implementation
      • Maintenance
  o Spiral System Development
     Involves iteration through the phases of system development, with progressive refinement of the system taking place as more and more of the user requirements are understood, defined, and implemented
- The phases of system development are:
  o Investigation
     Identification and initiation of projects is formalized. Involves a preliminary survey, which is the process of determining whether there is a problem, the nature of the problem, and whether computerization may be a possible answer. If the conclusion is that a problem does exist, this phase is expanded to include a feasibility study
     Semantic gap: different perceptions of reality
     The investigation stage should focus on appropriate behavioural factors (e.g., shifts in political structure or power) in addition to technical considerations, as the former can be a more significant determinant of success than the latter
  o Requirements Analysis and Initial Design
     The objective of this phase is to learn enough from a detailed examination and diagnosis of the present system to provide a firm foundation for the design and implementation of the most appropriate method, from the many alternatives available, of fulfilling the user's information processing requirements
     In determining user requirements, a number of methods are available:
      • Asking the user
      • Analyzing the current system to identify the needs for the proposed system
      • Analyzing the systems to which the new system must interface, or the systems that will use the information provided by the new system, and
      • The heuristic approach: a prototype (an experimental version) of the system is built, allowing users to determine requirements through use
     The literature suggests that identifying user requirements for new systems may be difficult to accomplish. Some of the reasons given for the difficulty are:
      • Constraints on humans as information processors
      • The variety and complexity of information requirements
      • The complex patterns of interaction among users and analysts in defining requirements
  o Acquisition/Development
     The objective of this phase is the acquisition or licensing, configuration, and development of the IT components required to perform the IS functions of the new system
     Another important objective is to design the specific system solution that will make the selected alternative effective but at the same time flexible; that is, easily altered and expandable with a minimum of disruption
     Testing is a key part of this phase
     Options for IT acquisition/development:
      • In-house vs. outside IS processing
      • Outsourcing
      • Pre-programmed package software vs. custom development
      • Open source
      • Purchased software modification
      • Detailed design specifications
      • User approval
      • Acquisition of hardware and software
     The selection/acquisition process generally involves the following steps:
      • Screen what is available
      • Obtain written proposals
        o Request for Information (RFI): used to gather general information on the capabilities of vendors.
          This information can then be used to create a "short list" of potential vendors
        o Request for Proposal (RFP): sent to the short-listed vendors, who are asked to propose equipment and/or software to satisfy the entity's needs
      • Evaluate potential suppliers
        o The vendor's financial condition
        o The likelihood of the vendor staying in business
        o What kind of vendor support is available
      • Evaluate the product
        o Analytical modelling: a mathematical approach to performance evaluation, best suited for design calculations such as the queuing analysis of an online system
        o Simulation: not suitable for the selection of a specific piece of software such as an application program, but simulation can include software considerations in evaluating the performance of a total computer system
        o Benchmarks: represent a sample of an existing workload and so include software considerations. Strictly speaking, a benchmark is an existing application that has been recoded if necessary for the system being evaluated
        o Synthetic modules: a synthetic application is coded to represent a typical function and, unlike a benchmark, is not restricted to being an existing application. Like a benchmark, a synthetic program is actually executed
        o Consultants
      • Test the product
        o A good testing session should demonstrate satisfactory processing for an entire cycle (to ensure proper recycling of files)
      • Negotiate an agreement
        o It is almost universally accepted that no purchaser should sign a vendor's "standard" form contract; a standard form contract will always be on terms most favourable to the vendor
        o Specific contract terms and conditions should cover:
          • Hardware
          • System software
          • Application software
          • Third-party suppliers
          • Cost
          • Terms of payment
          • Implementation
          • Off-site processing
          • Systems warranty
          • Service and parts warranty
          • Title
          • Education and training
          • Patents
          • Documentation
          • Risk of loss
          • Arbitration
          • Remedies
      • Install the equipment and software
  o Implementation
     The objective of this phase is to put the new system into operation
     Parallel testing: data are processed completely through both the old system and the new system, and the results compared
     Pilot testing: a large volume of test or live data is processed through the new system and the results carefully checked. Care should be taken to ensure the test data are complete and representative
     Acceptance testing: "hands-on" testing performed by the users prior to formal acceptance of the system. Testing should ensure at a minimum that:
      • The system works right
      • Recovery from processor failure occurs in a timely manner, with correct information returned to each terminal
      • There are no lost messages
      • Response-time requirements are met
      • System-generated reports to individual terminals and for site operations are accurate, regardless of the primary site
     This is a key phase for auditor involvement. Usually a post-implementation review is conducted shortly after implementation. Its objective is to determine where the new system has fallen short of, met, or exceeded the original objectives and evaluation criteria. In addition, the development process itself should be reviewed; it is through this process that lessons are learned for future development
  o Maintenance and Change Management
     Most systems spend the bulk of their lifetimes in this phase, and incur the bulk of their operating costs here
     Some of the most common causes of changes to existing systems are:
      • Information needs change from time to time, and it is usual for organizations to change programs periodically to incorporate new information requirements
      • New functions or reports are required by users to enhance the existing system
      • Changing legal or statutory requirements may require program changes (e.g., tax changes)
  o Documentation
     This is not a separate phase of the system development life cycle (SDLC); rather, specific documentation must be developed throughout the entire development process
- Project management is the process of planning, scheduling, and maintaining the progress of the activities that comprise the project. The focus is on reducing the risk of failing to complete the project to satisfactory standards while optimizing the use of resources (e.g., time, money, people, space). Project management includes the following steps:
  o Initiation
     Preliminary survey
      • Should take place through interviews and reviews of systems, procedures, and budgets, to determine whether a system problem does in fact exist, what management's information requirements are, the possible alternatives for meeting those requirements, and finally whether a new system would likely generate benefits that justify its implementation
      • Since there are likely to be more requests for new systems or revisions to existing systems than there are funds available, the preliminary survey becomes an economic screening device for senior management (normally through the steering committee)
     Feasibility study
      • Involves the collection, organization, and evaluation of facts about a system and the environment in which it operates, to broadly define the user's information requirements and to outline the processing alternatives available to meet those requirements
      • This is done through an examination and diagnosis of the present systems: equipment, personnel, operating conditions, demands put on the system, and so on
      • At the outset, a steering committee should be established, and it should clearly define the scope and objectives of the study. This committee should report to top management to give it the necessary status and authority to function effectively. The membership of the IT steering committee should consist of:
        o A senior management representative (e.g., general manager or vice-president)
        o A senior financial representative (e.g., comptroller or treasurer)
        o A senior IT specialist
        o The heads of departments expected to be extensively affected by the system changes
        o A qualified audit representative
     Prioritization and resource allocation
      • There is no absolute way to value a project's worth. Therefore all projects should be listed in an inventory and force-ranked on business value measures such as NPV, IRR, and payback, using checklists and scoring models
      • Once individual projects are ranked, resource allocation should not ignore the impact of one project on another. Best practice is to achieve a balanced portfolio of development projects. This can be done by dividing projects into classes based on criteria such as:
        o Size: small/large
        o Risk: high/low
        o Term: short/long
        o Scope: local/global
        o Need: nice to have/mandatory
        o Cost: low/high
        o Strategic direction
  o Planning
     Define objectives and deliverables
     Specify the methods to be used to achieve the objectives
     Set up a schedule
  o Execution
     Implement the planned activities
     Manage project personnel
  o Control
     Monitor activities, costs, and quality
     Report on performance
  o Termination
     Complete the project and manage the transition to the next phase
- Some of the techniques that can be used to reduce programming errors include:
  o Improved information requirements determination
  o Improved design practices
  o Structured programming
  o Small programs
  o Team programming
  o Walkthroughs
  o Automated programming techniques (CASE tools) in place of hand coding, to reduce coding and logic errors
  o Effective software testing techniques
  o Enforced change authorization procedures
  o Checking for approval before cataloguing programs for regular use
  o Librarian controls
  o Access controls
  o Periodic reviews
- Advantages of end-user computing:
  o Faster, cheaper application development
  o Relief from the shortage of system development personnel
  o Transfer of the development process to the parties with the greatest knowledge of their own requirements
- Risks associated with end-user computing:
  o User-friendly software makes powerful programs available to people with limited computer training, including senior managers
  o Since many users of these powerful packages occupy important decision-making positions, the consequences of their errors may be more serious than in conventional transaction-processing systems
  o Errors in using spreadsheets may not be detected by conventional control procedures, and may go unnoticed, particularly by inexperienced users
  o The ease of use of forecasting, statistical, and simulation models may hide the fact that the wrong model was selected or that the model is being misused
  o Quickly developed programs are prone to errors; coding errors can be made in arithmetic, branching, and looping statements
  o There are inherent limitations in the accuracy of numerical results on some computers (e.g., binary floating-point cannot represent most decimal currency amounts exactly, so rounding differences accumulate in spreadsheet totals)

Chapter 3 – Legal & Regulatory Issues Related to Information Technology
- Protection of IT is achieved primarily through patent, copyright, trademark, and trade secret protection
- The purpose of copyright law is to prevent the labour, creativity, and skill in a work from being taken. Copyright does not extend to ideas; it is confined to their expression. The term of protection generally runs for the life of the author (including the year of death) plus 50 years (extended in Canada to life plus 70 years for works still under copyright on December 30, 2022)
- Registering copyright provides the advantage of creating the presumption that copyright subsists in the work and that the registrant is the owner. If the copyright is registered before it is infringed, the infringer is deemed to have had reasonable grounds for suspecting that copyright existed in the work and cannot be excused from paying damages as an "innocent infringer" who did not know that copyright existed in the work
- Although the work must be original to qualify for copyright, the standard of originality is not particularly high. Generally, compilations and information that require "sweat of the brow" to assemble and that have some originality will be protected by copyright
- Computer programs are explicitly listed as protected by the Copyright Act. In fact, copyright is the main tool used to protect computer programs
- The Canadian Copyright Act also protects "moral rights" in a work
- Moral rights in a work are infringed if, to the prejudice of the author's honour or reputation, the work is distorted, mutilated, or otherwise modified, or used in association with a product, service, cause, or institution
- The author is generally the first owner of the copyright. However, where the author was in the employment of another person (an employer) and the work was made in the course of employment, the employer is, in the absence of an agreement to the contrary, the first owner of the copyright
- Copyright is infringed where anyone breaches the exclusive rights of the owner without the owner's consent (e.g., copying, performing in public, telecommunicating, or authorizing or inducing infringement by allowing it). The Copyright Act acknowledges that certain acts should not be considered infringement under a fair dealing exemption: fair dealing for the purpose of research, private study, criticism, review, or news reporting does not constitute infringement
- Under Bill C-11 (the Copyright Modernization Act, enacted in 2012), if a copyrighted work carries a "digital lock", the exemptions that would normally apply to infringement do not excuse circumventing the lock. Copyright owners therefore have the ability to trump long-established exemptions to copyright infringement through digital locks
- Digital lock: any effective technology, device, or component that restricts one from exercising the exclusive rights of a copyright owner or remuneration rights (i.e., that controls the reproduction or copying of a work). Also called a "technological protection measure" (TPM)
- A trademark is any mark (i.e., a word, words, phrase, sound, logo, or design) used by a person for the purpose of distinguishing, or so as to distinguish, goods or services manufactured, sold, leased, hired, or performed by them from those manufactured, sold, leased, hired, or performed by others. A registered trademark may last as long as the trademark is used, and the owner will have to pay renewal fees every 15 years (reduced to every 10 years for registrations and renewals from June 17, 2019)
- A trademark owner is protected against the use of any mark or name that is likely to cause confusion in the marketplace. The test for confusion is whether a consumer would believe that the products or services used in association with the confusing marks emanate from the same source
- Anyone who deliberately or unintentionally uses a confusingly similar name or trademark of another person to attract business may have committed "passing off" and can be sued by the trademark owner. To sue for passing off, the owner must establish:
  o That it has acquired a reputation in association with the mark
  o That the defendant has misrepresented to the public so as to cause deception or confusion between the owner and the defendant; and
  o That damage has been, or is likely to be, caused to the owner
- A patent grants its owner the legal right to exclude others, for a specified term of years, from making, selling, or using the invention to which the patent relates. The Canadian Patent Act defines invention as "any new and useful art, process, machine, manufacture, or composition of matter, or any new and useful improvement in any art, process, machine, manufacture or composition of matter." Typically the term of patent protection is 20 years from the filing date of the patent application; however, the length of the term may vary from country to country
- Certain types of inventions are not patentable because it would not be in the public interest to allow a monopoly over them (e.g., methods of medical treatment, purely mental operations, and/or methods of conducting business)
- For technology to be protected as a trade secret, the information must be confidential. If the secret is shared with a third party, it must have been disclosed in circumstances importing an obligation of confidence. The protection afforded a trade secret lasts only as long as competitors fail to duplicate the invention by legitimate, honest means such as independent research or "reverse engineering" (provided the product itself is lawfully obtained)
- Trade secret protection may be available when other forms of protection, such as patents, are not (e.g., if a computer-related technology does not meet the requirements of novelty, usefulness, and non-obviousness)
- Domain names are registered and categorized by top-level domain (TLD). TLDs are divided into generic top-level domains (gTLDs) and country-code top-level domains (ccTLDs). By far the most popular TLD is .com
- Cybersquatting: the practice of registering, in bad faith, domain names that are the trademarks or trade names of other companies, with the intent of selling the domain names to the owners of the names and marks for profit
- To combat cybersquatting, it is now a mandatory part of every registration agreement for domain names in the .com, .org, .net, .biz, .info, and .name top-level domains that the registrant agrees to be bound by the Uniform Domain-Name Dispute-Resolution Policy (UDRP) of the Internet Corporation for Assigned Names and Numbers (ICANN). This policy is meant to provide a quick and easy remedy against cybersquatters. A complainant must prove each of the following elements to force a problematic domain name to be transferred to the complainant or otherwise disposed of:
  o The domain name registered is identical or confusingly similar to a trademark or service mark in which the complainant has rights
  o The respondent has no rights or legitimate interests in respect of the domain name; and
  o The domain name has been registered and is being used in bad faith
- The rules for .ca have been changed to an essentially first-come, first-served basis: applicants will be granted any acceptable and available domain name, and applicants are not limited to a single domain name. The applicant must still have a Canadian presence (e.g., be a Canadian citizen or a resident in Canada)
- Whether a hyperlink infringes copyright will "largely depend upon whether the link can be shown to reproduce or authorize the reproduction of the works of another or constitute a communication to the public or the authorization of another to communicate a work to the public, without the authorization, express or implied, of the copyright owner". Liability in Canada appears to depend on the type of hyperlink used. The Copyright Board has characterized links as falling into two categories:
  o Automatic links
     Could attract liability for copyright infringement
  o User-activated links
     Held not to involve a communication to the public, and so not liable for copyright infringement
- Metatags are sets of keywords in the source code of an HTML page that help search engines categorize websites. It appears that the use of another's trademarked name in metatags to draw traffic to a site for commercial purposes is inappropriate and could be considered trademark infringement
- The primary purpose of a licensing agreement is to allow others to use the product without transferring ownership of it. By licensing the right to use the product, the owner is able to generate revenue and control the product's exploitation. Licensing is the most common vehicle for exploiting software
- When a company acquires a licence to use computer software, it usually obtains only the object code (the source code is not licensed). To ensure that the user/licensee will be able to obtain the source code if necessary, while protecting the software owner's proprietary rights in it, the parties typically enter into an escrow agreement. Essentially, the software owner deposits the source code with a third party (an escrow agent), where it is held in confidence. If certain triggering events occur, such as the owner's failure to maintain the software (e.g., because of bankruptcy), the user/licensee gains access to the source code so that it can maintain the software itself
- Internet Traffic Management Practices (ITMPs): broadly defined as the tools used by Internet service providers (ISPs) to manage internet traffic on their networks. ITMPs are of two general types:
  o Technical, or