
ADM 4346:

Don't worry about chapters 3, 4, 5, 8 or other readings


List and describe questions
For chapter 10
Use words from the slides when possible

Contents
Slide 1 - Accounting Information Systems and the Accountant - Chapter 1 ... 2
Slide 2 - Information Technology and Accounting Information Systems - Chapter 2 ... 14
Slide 3 - Data Modelling - Chapter 3 Page ... 23
Slide 4 - Database Organizing, Manipulating and Forms and Reports - Chapter 4-5 Page ... 30
Slide 5 - Documenting Accounting Information Systems - Chapter 6 Page ... 38
Slide 6 - Accounting Information Systems and Business Processes - Chapter 7 Page ... 52
Slide 9 - Introduction to Internal Control Systems - Chapter 9 Page ... 58
Slide 10 - Computer Controls for Organizations and AISs - Chapter 10 Page 311 ... 72
Slide 11 - Computer Crime, Fraud, Ethics and Privacy - Chapter 11A Page ... 81
Slide 11 - Computer Crime, Fraud, Ethics and Privacy - Chapter 11B Page ... 89
Slide 11 - Information Technology Auditing - Chapter 12 Page ... 106
Slide 11 - Developing and Implementing Effective AISs - Chapter 13 Page ... 120

Slide 1 - Accounting Information Systems and the Accountant - Chapter 1

Learning Objectives

Explain the differences between the terms: systems, information systems, information technology, and accounting information systems.

Explain how information technology (IT)

Influences accounting systems;

Supports the use of business intelligence (e.g. dashboards and scorecards); and

Is changing financial reporting (e.g. XBRL)

Show why auditors provide a variety of assurance services

Be more aware of advances in accounting information systems

Be familiar with

Suspicious activity reporting; and

Career opportunities that combine accounting and IT knowledge and skills

What is a System?

Consists of

People, Tools and Objects

Can be:

Manual

Partial or fully automated

What Are Accounting Information Systems?

Accounting Information System (AIS):

collection of data, processing procedures, and outputs

creates needed information for users

can be manual or computerized

serves internal and external users

Accounting Information Systems

*What's New in AIS?


Sustainability Reporting (MII)

Measuring non-financial performance

Qualitative as well as quantitative information

Impacts on income and future performance

The Accountant's Challenge

Provide information to support:

Decision-making

Business and government processes

Accounting and finance

Non-accountants in planning and control

Accounting Information Systems


Fulfills three important business functions:

Collect and store data about organizational activities, resources and personnel

Transform data into information so management can plan, execute, control and evaluate
activities, resources and personnel

Provide adequate controls to safeguard the organization's assets and data

AIS also supports non-financial business processes:

Supply chain management - inventory level, demand trends, supplier relationship management

Marketing - sales management, forecasts and summaries; customer relationship management

Human Resources - workforce planning, employment recruitment, retention and development, and payroll

Production - inventory summaries, product cost analysis, material requirements planning

Finance - cash and asset management, multi-company management, credit card transactions

How AIS Adds Value


AIS can add value to the organization by:
1. Improving quality and reducing costs of products or services.
2. Improving efficiency
3. Sharing knowledge
4. Improving efficiency and effectiveness of supply chain
5. Improving the internal control structure
6. Improving decision making

AIS Interactions

Data vs. Information

Data vs. Information


Data

Information

What is Data? Facts

Data Formatted into Information

Data Analytics: design your own report

*Information Integrity and Value (RAVTCRU)

*Information Systems

Information and Business Decisions

Business processes get things done.

These processes are a set of structured activities that are performed by people, machines, or
both to achieve a specific goal.

Information and key decisions result from these business processes.

*AIS Relationship with Business Decisions


Organization goals, objectives, culture and IT influence the AIS, and vice versa.

The Information Age


IT is a major force in society

Has created the Information Age

Consumer technology enables online shopping, communications and education

Computers enable changes in commerce

Knowledge workers

Produce, analyze, manipulate, and distribute information

Focus on business activities

Accountants have always been knowledge workers

Trends in IT

e-Commerce - buying and selling on the Internet

e-Business - conducting all aspects of business over the Internet

ERP (enterprise resource planning)

Information sources, systems and applications for all business systems accessible by
all business functions

Cloud Computing

Data storage

Infrastructure and platform

Application

*What's New in AIS?


Suspicious Activity Reporting (SAR)

Used by banks and certain other financial institutions

Detailed reporting on various financial transactions

Combats money laundering, funding terrorism

SAR basically affects any place money can be laundered.


Forensic accounting, governmental accountants, and terrorism

Combines skills of investigation, accounting, and auditing

Seeks patterns in financial data

Provides indicators of fraud, money laundering, financial support of terrorism

Traces arms and chemical orders to final destination

Combats cyber terrorism

*Suspicious Activity Reporting


SAR laws require accountants to report questionable transactions to the Minister of Finance

FINTRAC (Financial Transactions and Reports Analysis Centre of Canada) authority is based on the Proceeds of Crime (Money Laundering) and Terrorist Financing Act.

Objective is to implement specific measures to detect and deter money laundering and the financing of terrorist activities, to facilitate the investigation or prosecution of money laundering and terrorist financing offences.

Institutions affected: banks, broker dealers, money service businesses (e.g. currency traders), casinos and card clubs, commodity traders, insurance companies and mutual funds.

Accounting and IT - Figure 1-6


IT impacts all major areas of accounting practice

The Accounting Cycle Figure 1-7

Cost Accounting
Measure and Control Costs

Acquisition, processing, distribution, and selling activities

Focus on value added by the organization

AIS assists in:

Activity-based costing

Corporate performance measurement and business intelligence

Activity-Based Costing
Assigning of Overhead

Traditionally based on labour hours

Increased automation created difficulties

Lacked direct relationship between labour, overhead and volume of production

AIS Enables

Easier assignment of overhead

Strategic reengineering of business

Corporate Performance Measurement


Responsibility Accounting System

Trace unfavourable performance to responsible department or individuals

Immediate corrective action by managers

Balanced Scorecard uses KPIs

Measures more than just traditional financial performance

Customer knowledge

Internal business processes

Learning and growth

Auditing Assurance Services

Risk Assessment

Business performance measurement

Assurance on relevancy and reliability of measures to support the achievement of goals and objectives

Information systems reliability

Assurance on the management of business risk

Assurance on information system design to support the provision of reliable information for decision making

Electronic Commerce

Webtrust Services

Auditing
Traditional role

Evaluate the accuracy and completeness of an organization's financial statements

Present role

Evaluate clients' compliance with privacy laws

IT evaluations and audits (security, privacy)

Management consulting

Careers in Accounting Information Systems

Traditional Accounting

Systems Consulting

Certified Fraud Examiner

IT Auditing and Security

Disaster Recovery

Key Terms

Accounting Information System (AIS)

Activity-Based Costing (ABC)

Audit trail

Balanced scorecard

Certified Fraud Examiner

Certified Information Systems Auditor

Cloud computing

Cost accounting

Dashboards

Data

e-business

e-commerce

Enterprise Resource Planning (ERP)

Extensible Business Reporting Language (XBRL)

Financial accounting information systems

Forensic accounting

Information and information age

Information overload

Information systems audit and control association (ISACA)

Information technology (IT)

IT Auditors

Interactive data

Key performance indicators (KPIs)

Knowledge workers

Penetration testing

Ponzi scheme

Predictive analytics

REA accounting

Responsibility accounting system

Suspicious activity reporting (SAR)

Sustainability reporting

System consultants

Value-added resellers

Tim Hortons Franchise


1. What are some of the questions/information you would need about the two
locations (MNT or SITE)?
2. For a given selection (MNT or SITE), what is the impact of the location on:

Operations / Production

Shipping / Receiving

Expenditure / Revenue cycles

HR

3. What information would you collect on an ongoing basis to support management decisions?

Slide 2 - Information Technology and Accounting Information Systems - Chapter 2


Learning Objectives
After reading this chapter you will:

Be able to describe why IT is important to AIS and why accountants should know about this technology

Understand why computer processor speeds are not particularly important to AIS

Be familiar with source documents and why they are important to AIS

Describe some common AIS uses for point-of-sale input, magnetic ink and optical character
recognition

Be able to explain the value of secondary storage devices to AIS

Describe the importance of data communication to AIS

Be able to describe some advantages of client/server computing

Be able to explain the advantages/disadvantages of cloud computing

Importance of IT to Accountants

Auditors must be able to:


1. Determine if the IT infrastructure is consistent with organizations goals and objectives
2. Rely on electronic information

Important to have correct information

3. Evaluate the organizations IT systems and controls


4. Assess the integrity of information for decision making
5. Integrate their knowledge of accounting, business system and controls to make
recommendations to improve business processes
6. Understand how IT affects accounting systems
CPU and Peripherals

*Input Devices
Source documents and data transcription

Source document is starting point for AIS

Human readable

Provide evidence of transaction

Provide backup if system fails

Manually prepared documents must be transcribed to be machine readable. This leaves room for error, fraud and sabotage.

Another issue with source documents is the input itself: errors made at the source.


Retail Point-of-Sale (POS) devices

Gather and record data at sale

Has to be gathered right

Use Bar Code Readers, Universal Product Code (UPC)

Update sales and inventory information

Track accuracy, completeness, reasonableness of sales transactions

MICR Symbols - Figure 2-5

*Input Devices
Optical Character Recognition (OCR)

Turnaround documents (bill payments)

Both machine and human readable

Plastic Cards with Magnetic Strips

Credit and debit cards, loyalty cards

Capture data each time used (PINs)

Microcomputer Input Devices

Keyboards, mice, and touchpads

Touchscreens / cameras (phones, computers through apps)

Input Devices
To verify legitimate access to a system:

What you know (passwords: low security)

What you have (keys, magnetic cards: low security)

Who you are (biometric scanners: better security )

Behavioural systems: signatures, voices

Physiological systems: fingerprints, iris

Biometric Scanners - Figure 2-7

Central Processing Unit (CPU)

*Record Layout

Fields have a name and a starting position, along with a format (for date fields) and a type.

A collection of fields is a record, and a collection of records is a file.

Fields have a starting position and a length. There's also a certain type, such as logical.
Records can be of different lengths, files can be of different lengths, and there can be multiple files.
Importance of Secondary Storage Devices

Primary memory (RAM) used in processing is volatile: contents are lost if electrical power is lost

Secondary storage uses permanent media to maintain data accuracy and integrity while still allowing rapid access and modification

*Secondary Storage Devices


Types:

Magnetic (hard) disks

CD-ROM

DVDs

Blu-Ray Disc

Flash Memory

*Data Communications and Networks


Communication Channels and Protocols

Channels: the physical paths data take

Protocol: standards that provide compatible communications

Digital data carried as sound patterns, light pulses, or radio waves

ISDN and DSL common standards

*Data Communication and Networks

*Local Area Networks (LANs) - Figure 2-13

Consists of microcomputers, printers, terminals and similar devices that are connected for communications purposes.
Advantages:

Facilitating communication, e.g. company email

Sharing of computer equipment - same printers or Internet servers

Sharing computer files on LAN drives (also backup)

Sharing software costs - network version rather than standalone copies

Enabling unlike computers to talk to one another

"Unlike" computers means different kinds of machines, e.g. Macs and PCs

Wide Area Networks (WANs) - Figure 2-14

Span regional, national and even global areas

Spread across the world essentially

Use a multitude of communications channels - leased phone lines, microwave transmitters, satellite transmissions

Gather financial data from remote sites and distribute accounting information to and
from headquarters

Bank ATMs connected to WANs for the purpose of centralized account information

*Client/Server Computing - Figure 2-15

Advantages of this:

Some of the processing is on the desktop

With file servers spread out you have the advantage of faster service (regional servers)

Cuts down on telecommunication costs as you're not constantly accessing the main system, and it gets updated

You have a more powerful terminal than a mainframe computer in each region

Advantages of Client Server Computing


Advantages

Ability to distribute processing throughout network

Can do processing on cheaper desktops, not mainframes

Reduced telecommunications costs

Cost savings from thin client systems

Disadvantages

Changing application versions more difficult

Managing user access and security more difficult

Increased user training requirements


*Wireless Communication

RFID - radio frequency identification

Passive - no power source, but can answer inquiries from energized sources

Active - chips with antennas, own power source, broadcast range of 100 m or more

Examples - toll roads, shipping crates

NFC - near field communications

Enables mobile devices to communicate with similar devices

Range of about 20 cm

Examples - smart phones; Presto

RFID on critical-use equipment for hospitals


*Computer Software
Operating Software - the first piece of software to start when the computer is turned on. Includes tools such as:

Graphical user interfaces (GUIs)

Utility programs to work with files

Virtual storage to augment RAM

Antivirus software

*Application Software

Personal productivity - word processing, spreadsheet, database, personal finances, etc.

Personal productivity, commercial use - project management, computer-aided design (CAD), presentation

Accounting software - payroll, accounts receivable/payable, inventory management, financial reporting

Communications software - communications, web browsers, email

Enterprise Resource Planning (ERP) - SAP, Oracle Financials, JD Edwards

Key Terms

Antivirus software

Application software

Bar code reader

Biometric scanner

Central processing unit (CPU)

Client/Server computing

Complier

Computer record

Data communications protocol

Data transmission

Digital subscriber line (DSL)

Electronic document and records management system (EDRMS)

Enterprise Resource Planning (ERP)

Integrated Services Digital Network (ISDN)

Local area networks (LANs)

Near Field Communication (NFC)

Object Oriented Programming Languages

Operating Systems (OS)

Optical Character Recognition (OCR)

Peripheral equipment

Point-of-Sales (POS) devices

Primary memory

Radio Frequency Identification (RFID)

Redundant arrays of inexpensive disks (RAID)

Secondary storage

Software as a Service (SaaS)

Source document

Turnaround document

Utility programs

Virtual storage

Wide area networks (WANs)

Wireless application protocol (WAP)

Wireless communications

Write-once Read-many (WORM) media

Wireless Data Communication


Discussion:
Presto:

Advantages and disadvantages

Customer

OCTranspo

Risks /control weaknesses (3)

Recommendations

Homework Assignment

Case analysis 2-26

pp. 70-71

Slide 3 - Data Modelling - Chapter 3 Page


(not important for midterm)

Learning Objectives
After reading this chapter you will:

Be able to describe the importance of databases to AIS

Be able to describe different file structures

Be able to describe the concepts of data hierarchy, record structures, and keys

Be able to explain why design concerns such as processing accuracy, concurrency, and security
are important to multi-user databases

Be able to explain the difference between structured and unstructured data and give examples
of each.

Structured and Unstructured Data

Structured data (15% of information) - standard formats, e.g. relational databases with rows and columns

Unstructured data (85% of all information) - heterogeneous formats

*Big Data
Big Data is characterized by:

Volume

Variety

Velocity

Veracity

US Healthcare - 150 Exabytes of data per year (Exabyte = 10^18 gigabytes)

5 Exabytes of data would contain all of the words ever spoken by human beings on earth

By 2020, 1.7MB of new information will be created for each and every human being on the planet every second of every day.

Analyzing big data:

Understand source data and applications

Data preparation - cleansing and verification

Data transformation

Business intelligence / decision support

Analysts / visualization

Unstructured Data

*Unstructured Data

Heterogeneous

Variable in format and nature

File types include:

Text

Document

Images

Video

Sensors / RFID

Mobile communications

Social media / blogs

Structured Data
Structured data

Data - bits and bytes

File types and formats

Accessing structured data

Data paths

Access to data

Assessing the integrity of the data

Safeguarding the data

What is data?

Bits and Bytes - On/Off; 1s and 0s

ASCII, EBCDIC and Unicode

ASCII code 65 = A; 66 = B

EBCDIC code 193 = A; 194 = B

Unicode - a much larger character set that covers international scripts

Data can be stored using different character sets.


You must be sure of the source of a file: trying to read an EBCDIC file as ASCII will produce unreliable results or total garbage.
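The mismatch the notes describe, as an added example (not part of the course notes) in Python: the same two letters encoded under ASCII and under EBCDIC (Python's built-in cp500 code page), and a constructed heuristic, not a standard tool, that flags a file whose bytes do not read sensibly under the character set assumed for it.

```python
# Added example: why the character set of a source file must be known before it
# is read. "cp500" is an EBCDIC code page shipped with Python; "ascii"/"latin-1"
# cover the ASCII case. The sample record below is constructed.


def encode_both(text):
    """Byte values of `text` under ASCII and under EBCDIC (cp500)."""
    return {
        "ascii": list(text.encode("ascii")),
        "ebcdic": list(text.encode("cp500")),
    }


def read_as_ascii(data):
    """Decode as an ASCII-compatible single-byte set. latin-1 never raises, so a
    wrong guess shows up as garbage text rather than as an exception."""
    return data.decode("latin-1")


def read_as_ebcdic(data):
    return data.decode("cp500")


def printable_ratio(text):
    """Fraction of characters that are printable ASCII (or CR/LF/tab)."""
    if not text:
        return 0.0
    ok = sum(1 for ch in text if 32 <= ord(ch) < 127 or ch in "\r\n\t")
    return ok / len(text)


def guess_charset(data):
    """Heuristic (an assumption of this example, not a standard): the decoding
    that yields more printable text is the right one. Works for files that are
    either ASCII or EBCDIC and hold ordinary text; confirm with the file's source."""
    as_ascii = printable_ratio(read_as_ascii(data))
    as_ebcdic = printable_ratio(read_as_ebcdic(data))
    return "ebcdic" if as_ebcdic > as_ascii else "ascii"


# Constructed sample: a short customer record as a mainframe would write it in EBCDIC.
EBCDIC_RECORD = "AB,127721,CAATS Limited".encode("cp500")

if __name__ == "__main__":
    print(encode_both("AB"))                 # ASCII A=65 B=66; EBCDIC A=193 B=194
    print(repr(read_as_ascii(EBCDIC_RECORD)))  # the "total garbage" case
    print(read_as_ebcdic(EBCDIC_RECORD))
    print(guess_charset(EBCDIC_RECORD))
```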
Delimited File

Name,Address,Phone#
"Jones, June",876 Baseline Ave,555-1032
Smith, Ray,1281 Grey Street,555-8748
Stevens, Dave,103 North Street,555-8984
Martin, Jean,1241 10th Street W,555-0155
Phuong, Chu,3346 Fieldcrest Street,555-7778

Key points:

The fields don't take up the same amount of space on each record, and blank/empty fields are marked by delimiters, e.g. ,,

The end of field is marked by a delimiter (in this case a comma)

The end of record has an end-of-record marker (CRLF)

Common types of delimited files:

CSV - Comma separated values

TSV - Tab separated values

PSV - Pipe (|) separated values
Variable Length Records

Some customers have had more purchase transactions than others, so their records are longer.

Multiple Record Type

Customer No  Name                  Date        Amount     Date        Amount     Date        Amount
129078       X-Wave Corp Limited   2013/01/21  $4,432.35  2013/04/12  $1,100.23  2013/08/29  $99.45
127721       CAATS Limited         2013/09/01  $4,200.24  2013/04/12  $17.21     2013/11/14  $4,432.35
128123       University of Ottawa

The first line of each pair of records contains the Customer Number and Name.

The second line contains their last three purchases (Date and Amount). Multiple record type files can have hundreds of types of records.

Multiple Record Type Files

Many types of records; usually the first field is the record type. For example:

1 127721 CAATS Limited
2 1233 Grey Mountain Cres.
3 $10,000
4 2013/09/01 $4,200.24
4 2013/04/12 $17.21
4 2013/11/14 $4,432.35

Record Type 1 - Customer number and name

Record Type 2 - Customer address

Record Type 3 - Customer credit limit

Record Type 4 - Customer purchases (Date and Amount)
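An added example (not the slides' code) in Python that reads the record-type file layout above into one structure per customer and runs one data-analysis test over it (total purchases versus the type-3 credit limit). The first customer's records are the ones shown above; the second customer, its address and the credit limits used in the checks are constructed.

```python
from decimal import Decimal

# Constructed sample in the slide's layout: the record type is the first field.
SAMPLE_FILE = """\
1 127721 CAATS Limited
2 1233 Grey Mountain Cres.
3 $10,000
4 2013/09/01 $4,200.24
4 2013/04/12 $17.21
4 2013/11/14 $4,432.35
1 128123 University of Ottawa
2 75 Laurier Ave E
3 $5,000
"""


def parse_money(text):
    """'$4,200.24' -> Decimal('4200.24'); Decimal avoids float rounding on totals."""
    return Decimal(text.replace("$", "").replace(",", ""))


def parse_multi_record(text):
    """Group type 2/3/4 records under the preceding type 1 (customer) record.

    Returns (customers, problems). A type 2-4 record that appears before any
    customer record, or a record of unknown type, is reported instead of being
    silently attached to the wrong customer or dropped.
    """
    customers, problems = [], []
    current = None
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        rtype, _, rest = line.partition(" ")
        if rtype == "1":
            number, _, name = rest.partition(" ")
            current = {"number": number, "name": name, "address": None,
                       "credit_limit": None, "purchases": []}
            customers.append(current)
            continue
        if current is None:
            problems.append(f"line {lineno}: type {rtype} record before any customer record")
            continue
        if rtype == "2":
            current["address"] = rest
        elif rtype == "3":
            current["credit_limit"] = parse_money(rest)
        elif rtype == "4":
            date, _, amount = rest.partition(" ")
            current["purchases"].append((date, parse_money(amount)))
        else:
            problems.append(f"line {lineno}: unknown record type {rtype!r}")
    return customers, problems


def purchases_total(customer):
    return sum((amt for _, amt in customer["purchases"]), Decimal("0"))


def over_limit(customers):
    """Data-analysis test: customers whose purchases total exceeds their credit limit."""
    return [(c["number"], purchases_total(c)) for c in customers
            if c["credit_limit"] is not None and purchases_total(c) > c["credit_limit"]]


if __name__ == "__main__":
    custs, probs = parse_multi_record(SAMPLE_FILE)
    for c in custs:
        print(c["number"], c["name"], purchases_total(c), "limit", c["credit_limit"])
    print("over limit:", over_limit(custs), "problems:", probs)
```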
*What is a Database? (Check textbook for Data Access and this as missing stuff)

Large collection of organized data

Can be accessed by multiple users and used by many different computer applications

Manipulated by database management systems (DBMS)

Most AIS use relational databases.

*Database Keys
Primary Key

Unique to each record (e.g., SIN, part number)

Allows locating of specific records

Foreign Keys

Enable referencing of one or more records in other tables

Matches primary key of related table

Combining Records into one Report

*Databases' significance (CiVDPADPacCB)

The extensive use of databases in accounting systems makes it important to understand the issues that could arise, including:

Critical information - important and valuable asset to the organization (Equifax credit files are its business)

Volume - YouTube visitors watch more than 100 million video clips each day

Distribution - need to ensure consistency, accuracy, completeness and security of information in multiple locations

Privacy - protection from unauthorized access (e.g. credit card information)

Additional concerns:

Administration - design, development, installation and change control

Documentation - database structures, content, security features, entity-relationships, data dictionary and meta-data

Processing accuracy and completeness - input, processing and output; and transaction controls

Concurrency controls - multi-user access to the same record

Backup and Security - backup and recovery procedures

Discussion
Technology Inc. (TI) is a custom manufacturer of computer parts, staffed by ten full-time employees and five part-time employees. On the advice of the bookkeeper, TI purchased an accounting package. The package contains general ledger, payroll, sales and accounts receivable, and accounts payable modules.
1. What data files should be created to meet management's requirements of:

Sales to each customer and the collection history

Sales by product, by product class and by salesman

2. Identify primary and foreign keys and describe general content for each table.
Key Terms

Access control

Big data

Business event

Data dictionary

Data field

Data hierarchy

Data integrity

Database administrator

Database management system (DBMS)

Foreign key

Master file

Record

Record structure

Relational database

Relationship table

Structured data

Transaction control

Transaction file

Unstructured data

Slide 4 - Database Organizing, Manipulating and Forms and Reports - Chapter 4-5 Page
Learning Objectives
After reading this chapter you will:

Be able to describe how to create tables, records, and relationships

Be able to describe the steps for creating:

Databases

Relationships

Queries

Reports

Creating Database Tables


Define record format

Field name

Use mnemonics; not excessively long (e.g. SIN vs Social Insurance Number)

Data type (e.g. numeric, text, date)

Field properties (e.g. size, formatting, mask)

Numeric - integer, decimals, long/double

Description (optional)

Identify primary key

Uniquely defines record (e.g. student number)

Creating Database Tables: Record Format Figure 4-3

Database Design

To design a database, you need to have a conceptual view of the entire database. The
conceptual view illustrates the different files and relationships between the files.

The data dictionary is a blueprint of the structure of the database and includes data
elements, field types, programs that use the data element, outputs, and so on.

Designing Databases - steps


1. Design first - create tables and records last
2. Name tables systematically - use prefixes (e.g. tbl, qry)
3. Use mnemonics for field names
4. Assign data types to fields (e.g. Phone # is text, not numeric)
5. Ensure foreign keys are the same type
6. Limit size of field to appropriate length (e.g. province code - 2 characters)
7. Use input masks (e.g. Phone # (999)000-0000)
*DBMS Languages

Data Definition Language (DDL)

Build data dictionary

Create physical and logical database structure

Describe logical views for each user

Specify record or field security constraints

Data Manipulation Language (DML)

e.g. a credit card number being encrypted but still required because it was a foreign key

Change content in the database (e.g. create, update, insert and delete records)

Data Query Language (DQL)

Enable users to retrieve, sort, and display specific data from the database

*Tools for Data Validation

Data types assigned for fields; Access will reject data not of that type (e.g., 1-9 not a-z)

Input masks limit data to specific formats (e.g., 13/06/2015 or (123) 456-7890)

Default values - pre-entered data in fields of new records (e.g., 40 hours = standard time)

Drop-down lists with a limited choice of data (e.g., Province code)

Validation rules set a range of values that may be entered (e.g., Year must be between 1972 and 2015)

Referential integrity disallows deleting of information when it would disrupt references between tables

i.e. orphaned child records if you delete the parent record
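The database keys (primary key, foreign key) and the validation tools listed above, as an added example that is not the course's Access material: Python's sqlite3 stands in for Access, the drop-down list, validation rule, default value and referential integrity become table constraints, and the input mask is a regular expression. Table and field names (tblCustomer, tblInvoice) are constructed.

```python
import re
import sqlite3

# Input mask (999)000-0000 from the slide, as a regular expression.
PHONE_MASK = re.compile(r"^\(\d{3}\)\d{3}-\d{4}$")
PROVINCES = "'AB','BC','MB','NB','NL','NS','NT','NU','ON','PE','QC','SK','YT'"


def open_db():
    """Constructed schema: tblCustomer (parent) and tblInvoice (child)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when enabled
    conn.executescript(f"""
        CREATE TABLE tblCustomer (
            CustNo   INTEGER PRIMARY KEY,                 -- primary key
            Name     TEXT NOT NULL,
            ProvCode TEXT NOT NULL CHECK (ProvCode IN ({PROVINCES})),  -- drop-down list
            Phone    TEXT NOT NULL,
            StdHours INTEGER NOT NULL DEFAULT 40          -- default value
        );
        CREATE TABLE tblInvoice (
            InvNo   INTEGER PRIMARY KEY,
            CustNo  INTEGER NOT NULL REFERENCES tblCustomer(CustNo) ON DELETE RESTRICT,  -- foreign key
            InvYear INTEGER NOT NULL CHECK (InvYear BETWEEN 1972 AND 2015),  -- validation rule
            Amount  NUMERIC NOT NULL CHECK (Amount >= 0)
        );
    """)
    return conn


def add_customer(conn, cust_no, name, prov, phone):
    if not PHONE_MASK.match(phone):
        raise ValueError(f"phone {phone!r} does not match mask (999)000-0000")
    conn.execute("INSERT INTO tblCustomer (CustNo, Name, ProvCode, Phone) VALUES (?,?,?,?)",
                 (cust_no, name, prov, phone))


def add_invoice(conn, inv_no, cust_no, year, amount):
    conn.execute("INSERT INTO tblInvoice VALUES (?,?,?,?)", (inv_no, cust_no, year, amount))


def try_delete_customer(conn, cust_no):
    """True if the parent row was deleted, False if referential integrity blocked it."""
    try:
        conn.execute("DELETE FROM tblCustomer WHERE CustNo = ?", (cust_no,))
        return True
    except sqlite3.IntegrityError:
        return False


def check_controls():
    """Feed each control one bad input; report which controls rejected it."""
    conn = open_db()
    add_customer(conn, 1, "CAATS Limited", "ON", "(613)555-0155")
    add_invoice(conn, 100, 1, 2013, "4200.24")
    results = {}
    try:  # province outside the allowed list ("Alb" instead of "AB")
        add_customer(conn, 2, "Bad Prov", "Alb", "(613)555-0000")
        results["province_list"] = False
    except sqlite3.IntegrityError:
        results["province_list"] = True
    try:  # phone that does not fit the input mask
        add_customer(conn, 3, "Bad Phone", "AB", "613-555-0000")
        results["phone_mask"] = False
    except ValueError:
        results["phone_mask"] = True
    try:  # year outside the validation rule's range
        add_invoice(conn, 101, 1, 1969, "1.00")
        results["year_rule"] = False
    except sqlite3.IntegrityError:
        results["year_rule"] = True
    try:  # invoice pointing at a customer that does not exist
        add_invoice(conn, 102, 999, 2013, "1.00")
        results["fk_on_insert"] = False
    except sqlite3.IntegrityError:
        results["fk_on_insert"] = True
    # deleting a parent that still has children would orphan them
    results["ref_integrity"] = not try_delete_customer(conn, 1)
    hours = conn.execute("SELECT StdHours FROM tblCustomer WHERE CustNo = 1").fetchone()[0]
    results["default_hours"] = hours == 40
    return results


if __name__ == "__main__":
    for control, held in check_controls().items():
        print(f"{control:15} {'rejected bad input' if held else 'FAILED'}")
```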

*Relationships

Identify tables

Parent and Child(ren)

Identify foreign key(s)

Link tables

*Relational files
Tables can be related through Direct (Parent Child) relationships or Indirect (e.g. Parent (Child)
Grandchild) relationships.

Relational Data Tables

*Relational Data Tables conceptual view

Designing Queries
1. Correct spelling and capitalization (e.g. AB not Alb or Ab)
2. AND / OR logic
3. Join tables properly
4. Name queries systematically (not Qry1, Qry2)
5. Select data fields that meet your requirements
Creating the Query

Query Answer

Designing Reports
1. Select underlying tables (data sources) and fields
2. Indicate grouping levels if required (e.g. by province)
3. Indicate sort fields (e.g. by customer name)
4. Name and save report
5. Modify report as desired (e.g. add graphics, colour)

Discussion
1. Identify the data files and relations that would be required to verify that all Vendor Invoice (A/P) amounts agree with receipted amounts (i.e. Unit cost in A/P equals unit price in the inventory file).

Final output should include the following fields: vendor number, name and address;
product number, product description, product class, class description and unit price.

2. Draw the relationship diagram showing the data files and the foreign keys.
3. Identify the controls that should be in place to ensure amounts are equal.
Record Layouts for Tables

ACL Demo
Demo of ACL

Relate command

Filter

Creating Simple Forms


Two options for creating simple form:
1. Design from scratch using Blank Form
2. Enter the appropriate settings in the Form Wizard

Form Wizard: First Screen - Figure 5-4a

Form Wizard: Second Screen - Figure 5-4b

Form Wizard: Third Screen - Figure 5-4c

Creating Simple Forms


After form is created, customize it

Form controls are objects such as textboxes and labels

Bound controls are textboxes, drop down boxes

Unbound controls are labels, pictures

Property sheet window can customize a control

Control source property

Key Terms

Data definition language (DDL)

Data manipulation language (DML)

Data query language (DQL)

Data type

Field properties

Input masks

Query

Referential integrity

Schema

Structured query language (SQL)

Validation rule

Exercise 5-1
Quantity Received > Quantity Ordered
You have determined that there is no control to ensure that the quantity received is what was ordered. As a result, the Quantity Received can be more than the Quantity Ordered.

Identify three people who could take advantage of this control weakness and how they
could do so.

For each identify a benefit - Why might they do so?

For each - what would be an appropriate control?

Homework Assignment
Groups

Complete on Blackboard (4-6 per group)

Select case (first-come-first-served)

Exercise 5-1:

Quantity Received > Quantity Ordered

Slide 5 - Documenting Accounting Information Systems - Chapter 6 Page

Learning Objectives
After reading this chapter you will:

Understand why documenting an AIS is important to the organization and its auditors

Be able to create simple data flow diagrams and document flowcharts and explain how they
describe the flow of data in AISs

Be able to create simple system flow diagrams and process maps and interpret these diagrams

Describe how program flowcharts and decision tables help document AISs

Describe software for documenting AISs

*Documentation
Documentation includes flowcharts, narratives, etc. that describe the inputs, processing and outputs of the AIS. Documentation is important:
1. Depicts how a system works
2. Training users
3. Designing new systems
4. Controlling system development and maintenance costs
5. Standardizing communication with others
6. Auditing AISs
7. Documenting business processes
8. Complying with regulation such as C-SOX

9. Establishing accountability

Along with control

Makes it easier to do a lot of these things.


Primary Documentation Methods

Systems are frequently deficient in documentation due to implementation pressures

Four common documentation methods:

Data flow diagrams

Document flowcharts

System flowcharts

Process maps

Data Flow Diagrams

Uses

In systems development process

Tool for analyzing an existing system

Describes sources and destinations of data

Types

Context

Physical

Logical

Types of DFDs

Context Diagrams

High-level overview of the system

Show scope (external entities, interfaces, key people and processes)

Physical Data Flow Diagrams

Focus on the physical entities of organization

Logical Data Flow Diagrams

Emphasize tasks of participants

Data Flow Diagrams

Physical Data Flow Diagrams

Focus on physical entities, tangible documents, and reports flowing through the system

Include same inputs and outputs as predecessor context diagram

List job titles of employees

Are simple, more readable, and easier to interpret

Data Flow Diagrams

Logical Data Flow Diagrams

Identify what participants do

Bubbles indicate a task the system performs

Help designers decide:

System hardware, software, etc. to acquire

Activities employees must perform

How to protect and control these systems

Data Flow Diagrams

You have more information and things are broken down (logical flow of information)

Circles, instead of showing employees and their job titles, show the jobs that are being performed

Decomposition

Exploding of data flow diagrams to show more detail

Level 0 data flow diagrams exploded into successive levels of detail

Level 1 data flow diagrams


3.1 Compute gross pay
3.2 Compute payroll deductions

Data Flow Diagrams

All of that needs to be done to process pay cheques

It's always an action

Types of Flowcharts
Document: shows the flow of documents and data for a process, useful in evaluating internal controls
Systems: depicts the data processing cycle for a process
Program: illustrates the sequences of logic in the system process
*Creating Data Flow Diagrams
Example: Lemonade stand
Steps:
1. Create a list of business transactions
2. Construct Context Level DFD
(identifies system and entities)

3. Construct Level 0 DFD


(identifies manageable sub processes )
4. Construct Level 1- n DFD
(identifies actual data flows and data stores )
Create a list of business transactions

Customer Order
Serve Product
Collect Payment
Produce Product
Store Product
Order Raw Materials
Pay for Raw Materials
Pay for Labor

Create a list of functional activities

Context Level Data Flow Diagram

Level 0 Data Flow Diagram

Process Decomposition

Level 1 Data Flow Diagram

Document Flow basic symbols - Do not need to know for midterm exam

Drawing a Document Flowchart


Steps:
1. Identify who
2. Identify the documents
3. Identify where documents are created, processed, and used

Simple Document Flowchart

System Flowchart Symbols

Simple System Flowchart

Business Process Diagram Preparation


Build swim lanes

Identify areas of responsibility for each person involved in the process; list them across the top or side of the page

Diagram events or tasks

Sequence of events (in order from top to bottom and left to right)

Draw documents

Documents and reports created or used in process

Draw data files

Data files created or used in the process

Dotted lines with arrows indicate direction information flows

Simple Process Map

Exercise 6-1
In groups of 3-4 - develop a process map for one of the following:

Purchase of a house or car

Rental of an apartment

Other - your choice

Key Players (at least 3)

Events and documents

Key control points

For each control point identify data analysis tests

Identify:

Purchase of House

Flowchart Tools
Microsoft

Visio

PowerPoint

Word

CASE tools
Variety of other software online, free
Key Terms

CASE (Computer-assisted software engineering) tools

Context diagram

Data flow diagrams (DFDs)

Decision table

Decomposition

Document flowchart

End-user computing

Graphical documentation

Job stream

Level 0 data flow diagram

Level 1 data flow diagram

Logical data flow diagrams

Object oriented software

Physical data flow diagram

Process maps

Program flowcharts

Rapid application developments

Sandwich rule

Scope

Signed checklist

Structure programming

System flowcharts

Homework Assignment

Problem #6-12 p. 201

Case analysis 6-21 p.205

Slide 6 - Accounting Information Systems and Business Processes - Chapter 7 Page


Learning Objectives
After reading this chapter you will:

Be able to describe the steps in the financial accounting process and the role of AIS in each
step

Be able to demonstrate the use of Journals and ledgers to assist in processing accounting
transactions

Recognize different types of coding systems used by AISs

Understand why planning an AIS starts with the design of the outputs in order to meet the users' information needs

Recognize the objectives and map the inputs and outputs of the sales and purchasing process

Business Process Fundamentals


The fundamentals of accounting are embedded in modern AIS:

Journals

Ledgers

Trial Balance

Financial Statement

Enable the accounting cycle from transaction recording to financial reporting


Financial Accounting Cycle - Steps
1. Record transaction in journal
2. Post journal entries to ledger
3. Prepare unadjusted trial balance
4. Post and record adjusting journal entries
5. Prepare adjusted trial balance
6. Prepare financial statements
7. Record and post closing journal entries
8. Prepare a post-closing trial balance
AIS - Financial Accounting Cycle

*Coding Systems
Code Types:

Mnemonic (e.g. S, M, L, XL)

Alphanumeric - uses letters and numbers

Sequence - sequential set of numbers (e.g. customer accounts)

Block - sequence codes with blocks of numbers reserved for specific purposes

Group - leading portion of a sequential code carries meaning (e.g. first 2 digits of a product code give the product type)

Use those two code types whenever possible.

Identify all the current assets by a leading 1 and all investments by looking for 12.
Financial Accounting Cycle

*The Sales Process

Sales Process

Begins with customer order

Ends with collection of cash

Primary Objectives of Sales Process

Process sales or other revenues in a timely and efficient manner

Collect cash in a timely and efficient manner

Objectives

Track sales of goods/services to Customers

Fill customer orders and maintain customer records

Billing and collection of payments for goods/services

Forecast sales and cash receipts

Inputs

Sales Order

Sales Invoices

Remittance Advice

Shipping Notice

Debit/Credit Memo

Outputs

Financial Statement Info

Customer Billing Statement

Aging Report

Bad Debt Report

Cash Receipts Forecast

Customer Listing

Sales Report Analysis

*Threats and Controls Sales Process

Purchase Process
Objectives

Track purchase of goods/services from Vendors


Track amounts owed and make timely accurate payments
Maintain vendor records and control inventory
Forecast purchases and cash outflows

Inputs

Purchase Invoice

Purchase requisition

Purchase order

Vendor listing

Receiving report

Bill of lading / packing slip

Debit/credit memo

Outputs

Financial Statement Info

Vendor cheques

Cheque Register

Discrepancy reports

Cash requirements forecast

Sales analysis reports

Threats and Controls Purchase Process Exercise 7-1

IT in Sales and Purchasing

Electronic input by voice, scanned bar codes, magnetic ink

Wireless capabilities allow mobility and real time data entry in the field

Automated data-entry technology

Biometrics and bar codes

Inventory management systems

RFID Tags

Current Trends in Business Processes


Business process outsourcing (BPO)

Differentiate between core and other processes

Pursue strategic advantage as well as cost savings

Business without boundaries incorporates employees located worldwide

Relocating tasks to countries such as India is known as offshoring

Business process management software (BPM)

Collect corporate knowledge, data, and business rules

Accomplish business processes more efficiently

Key Terms

Alphanumeric code

Block code

Business process management

Customer relationship management

Discrepancy reports

Exception report

Group code

Mnemonic code

Numeric code

Purchasing process

RFID tags

Sales process

Sequence code

Supply chain

Homework Assignment

Group topics (first-come-first served)

Topic

Short description of what will be addressed

Case analysis 7-16 pp. 240-241

Slide 9 - Introduction to Internal Control Systems - Chapter 9 Page

Learning Objectives
After reading this chapter you will:

Be familiar with the primary control frameworks

Be familiar with an internal control system and its components

Understand the importance of enterprise-risk assessment and its impact on internal controls

Understand the importance of COSO and COBIT

Be able to identify the differences between preventive, detective and corrective controls

Understand various methods used to analyze internal control decisions

Controls

Controls in a computer information system reflect the policies, procedures, practices and
organizational structures designed to provide reasonable assurance that objectives will be
achieved.

The controls in a computer system ensure effectiveness and efficiency of operations, reliability
of financial reporting and compliance with the rules and regulations

Internal Controls

Internal control describes the policies, plans and procedures implemented by management to:

Protect assets

Ensure accuracy and completeness of financial information

Meet business objectives

*Internal Control System SArEEC


Methods and measures to achieve the following four objectives:

Safeguard assets

Check the accuracy and reliability of accounting data

Promote and improve operational efficiency

Enforce adherence with management policies

Help ensure adherence to policy and procedures

Comply with laws and regulations

*SAS #94

Limitation of substantive testing methods in complex IT systems that maintain data on electronic media rather than paper-based media

Auditors must determine how the firm uses IT systems to initiate, record, process and report
transactions

This understanding is necessary to plan the audit and to determine the nature, timing and
extent of tests to be performed to gain a sufficient understanding of internal controls.

As your system relies more on IT and you move away from paper to electronic records, you can't just take a sample and verify things; you can't rely on that. You need to actually test the IT controls.
Then there are a number of risks involved.
Which IT Risks Need to be Considered?
AU 319.19

Unauthorized access to menus, programs, and data can result in:

destruction or improper changes

unauthorized, nonexistent or inaccurate transactions.

errors and fraud.

Failure to make necessary changes to systems or programs, i.e. obsolete programs and patches that are not up to date

AU 319.20

Security of the entire database might be compromised by a lack of control at a single user
entry point resulting in:

Improper changes

Destruction of data

Breakdown in segregation of duties can occur when IT personnel and users are given, or can gain, access privileges beyond those necessary to perform their assigned duties

AU 319.21

Errors in the design, maintenance or monitoring of IT controls

IT personnel may not completely understand how the IT system works and how it processes transactions

AU 319.22

Edit routines in programs designed to identify and report transactions that exceed certain
limits may be disabled or overwritten

Planning Phase Considerations


AU 319.30

What IT risks can result in misstatements in financial reports?

AU 319.31

Do you have the necessary skills on the audit team; or do you need an IT Audit specialist?

*Control Frameworks

COSO - framework for enterprise internal controls (control-based approach)

COSO-ERM - expands the COSO framework taking a risk-based approach

COBIT

Framework for IT controls

Mostly looked at through IT perspective

Pull up a set of controls from the framework above to test a system. Helps you determine what you need to look at.
*Components of COSO Frameworks (not asked how many components and principles there are, but will be asked about those below) *(CeRaCaIcM)

Control environment

Tone-at-the-top; foundation for other control components

Risk assessment

Identify and analyze risks; implement appropriate controls

Control activities

Policies and procedures, manual and automated

Information and communication

Information on roles and responsibilities of employees

Monitoring

Ongoing evaluation of internal controls

COSO Components and Principles

COSO Control Components

The control environment - standards, processes and structures that provide the framework; includes the organizational structure, the ethical values of the company and expectations of rigor in performance measures.

Risk assessment - identifying and assessing risks that could impact the achievement of objectives.

Control activities - actions to ensure that management efforts to mitigate risk are carried out. This includes authorizations, verifications and business performance reviews.

Information and communication - the generation of information and its dissemination both within and outside of the company.

Monitoring activities - checks to see if internal control is working

*Components of COSO Frameworks

COSO-ERM expands some areas of COSO (in red). For example, cocoa beans for flavouring chocolate could be in short supply due to internal strife, competition for beans, weather, etc. How likely is it that our supply would be limited? If the likelihood is really high, maybe don't offer that chocolate and expand into other areas, or buy insurance or hedge it.
Internal Environment

Management's philosophy, operating style, and risk appetite

Commitment to integrity, ethical values, and competence

Internal control oversight by Board of Directors

Organizational structure

Methods of assigning authority and responsibility

Human resource standards

COSO ERM *(SORC)


Objective setting perspectives:
1. Strategic - high-level goals
2. Operations - day-to-day efficiency and performance
3. Reporting - internal and external
4. Compliance - with laws and regulations
Event Identification, Risk Assessment and Response:

Manage and control risks by:

identifying threats,

analyzing the risks

implementing cost-effective measures to Avoid, Mitigate, or Transfer risks

Risk Assessment
Risk is assessed from two perspectives:

Likelihood

Probability that the event will occur

Impact

Estimate potential loss if event occurs

Risk Responses *(RASA)

Reduce

Implement effective internal control

Accept

Do nothing, accept likelihood and impact of risk

Share

Buy insurance, outsource, or hedge

Avoid

Do not engage in the activity

Control Activities - examples

Audit Trail

Personnel policies and procedures

Separation of duties (authorizing, recording and custody)

Physical protection of assets (inventory, document and cash controls)

Review of operating performance

Monitoring Internal Control Systems

Establish a foundation for monitoring

Tone-at-the-top

Assignment of monitoring roles

Baseline for ongoing monitoring and evaluation

Design and Execution

Prioritize risks

Conclusions about the effectiveness of controls are supported

Identify internal controls

Information on the operation of key controls

Execute effective, efficient monitoring

Assess and report results

Evaluate identified weaknesses or deficiencies in controls

Report results to appropriate personnel and Board of Directors

Follow-up if needed

COBIT Framework *(SnCeIfHaG)

Current framework version is COBIT 5

Based on the following principles:

Meeting stakeholder needs

Covering the enterprise end-to-end

Applying a single, integrated framework

Enabling a holistic approach

Separating governance from management

*COBIT Principle *(BrIrIpEi)

*IT Governance Institute (*not to signify importance)


COBIT looks at framework
COBIT5 Separates Governance from Management

COBIT Domains (PoAiDsMe)

2011 COBIT - version 5


Control Objectives for Information and related Technology (COBIT)

Generally accepted IT control objectives

Focuses on execution of IT operations

Val IT: a governance framework for IT

Tightly integrated with COBIT

Helps firm understand IT investment decisions

COBIT and Val IT Integration - Figure 9-8

Types of Risk *(IRCD)

Inherent risk

is the susceptibility of an account balance or class of transactions to error that could be material, assuming that there were no related internal accounting controls

Residual risk

is the risk that remains after management implements internal controls or some other type of risk response

Control risk

is the risk that an error that could occur in an account balance or class of transactions, and that could be material, will not be prevented or detected on a timely basis by the system of internal accounting controls.

Detection risk

is the risk that an auditor's procedures will lead him to conclude that an error in an account balance or class of transactions that could be material does not exist, when in fact such error does exist

*Types of Controls *(PDC)

Preventive controls

Deter problems from occurring (e.g. firewall to prevent unauthorized access to network)

Detective controls

Alert managers when preventive control fails (e.g. variance report)

Corrective controls

Procedures used to solve, correct or recover from a problem (e.g. backup copies of critical data)

If someone gets through the firewall you need detective controls to tell you. You then need to fix it with a corrective control.
Examples of Control Activities
Common control activities include:

Good audit trail

Sound personnel policies and practices

Separation of duties

Physical protection of assets

Reviews of operating performance

*Controls - examples
Preventive

Physical safeguard and access restriction controls (human, financial, physical and
information assets)

Authorization and Approvals

Segregation of duties

Business systems integrity and continuity controls (e.g. system development process,
change controls, security controls, systems backup and recovery)

Passwords and authentication

Edit checks on key fields

Encryption / Decryption

Anti-virus software

Control access to physical facilities

Separation of Duties
Purpose

Structure work assignments so one employee's work checks the work of another

Separate related activities

Custody of assets

Authorizing transactions

Recording transactions

Risk increases if two or more of these are combined


Physical Protection of Assets

Establish accountability with custody documents

Inventory controls

Stored in safe location with limited access

Utilization of receiving and issuance reports

Document controls

Protecting valuable organizational documents

Corporate charter, major contracts, blank cheques, and TSE registration statements

Controls - examples

No internal control unit on Corrective side (mistake)


Discussion 9-1

For each topic below identify preventive, detective and corrective controls:

Forestry (forest fires)

High-rises (risk of fire)

Home (risk of theft)

Explain why each control is preventive, detective or corrective.


*Evaluating Controls (MrAeAa)
Requirements of Sarbanes-Oxley Act

Statement of management responsibility for internal control structure

Assessment of effectiveness of internal control structure

Attestation of auditor on accuracy of management's assessment

Independent assessment

Cost-Benefit Analysis

Only controls whose benefits are expected to be greater than or at least equal to their costs
are implemented.

May not be the ideal solution

Cost-Benefit Analysis - Figure 9-10

A Risk Matrix - Figure 9-11

Usually have more risks than resources - need to prioritize.

Can use matrix to assist in decision making.

Risk / Control Matrix


For each risk, determine the controls that should mitigate the risk. Identify controls as: P - preventive; D - detective; or C - corrective.

The matrix can identify unnecessary controls or risks that are not being mitigated.
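
The risk / control matrix and cost-benefit screen described in the Cost-Benefit Analysis and Risk Matrix slides above, as an added Python example (not from the course slides or the textbook). Every risk, control, likelihood, impact, cost and coverage fraction is constructed, and expected loss is taken as likelihood times impact; a control is kept only when the expected-loss reduction it buys is at least its cost.

```python
"""Risk / control matrix with a cost-benefit screen, for the Cost-Benefit
Analysis and Risk Matrix slides. Risks, controls, likelihoods, impacts,
costs and coverage fractions are all constructed for this example."""
from typing import Dict, List, Tuple

# Constructed risk register: risk -> (annual likelihood, impact in dollars).
RISKS: Dict[str, Tuple[float, float]] = {
    "unauthorized access to payroll data": (0.20, 250_000),
    "duplicate vendor payment":            (0.50,  40_000),
    "data centre power failure":           (0.10, 120_000),
    "fraudulent expense claim":            (0.30,  15_000),
    "loss of backup tapes in transit":     (0.05,  80_000),
}

# Constructed control list: control -> (type P/D/C, annual cost,
# {risk it mitigates: fraction of that risk's expected loss it removes}).
CONTROLS: Dict[str, Tuple[str, int, Dict[str, float]]] = {
    "role-based access and password policy": ("P", 12_000, {"unauthorized access to payroll data": 0.70}),
    "review of logon attempt log":           ("D",  6_000, {"unauthorized access to payroll data": 0.15}),
    "three-way match before payment":        ("P",  9_000, {"duplicate vendor payment": 0.80}),
    "UPS and generator":                     ("C", 20_000, {"data centre power failure": 0.90}),
    "second review of every expense claim":  ("D", 14_000, {"fraudulent expense claim": 0.60}),
    "lobby visitor badge":                   ("P",  3_000, {}),  # mitigates no listed risk
}


def expected_loss(risk: str) -> float:
    """Expected loss = likelihood x impact, the figure the matrix prioritizes on."""
    likelihood, impact = RISKS[risk]
    return likelihood * impact


def build_matrix() -> Dict[str, Dict[str, str]]:
    """Rows are risks, columns are controls; a cell holds P, D or C where the
    control mitigates the risk and '' where it does not."""
    return {r: {c: (spec[0] if r in spec[2] else "") for c, spec in CONTROLS.items()}
            for r in RISKS}


def unmitigated_risks(matrix: Dict[str, Dict[str, str]]) -> List[str]:
    """Risks whose row is empty: nothing in the control set addresses them."""
    return [r for r, row in matrix.items() if not any(row.values())]


def unnecessary_controls(matrix: Dict[str, Dict[str, str]]) -> List[str]:
    """Controls whose column is empty: cost without a risk they mitigate."""
    return [c for c in CONTROLS if not any(matrix[r][c] for r in RISKS)]


def cost_benefit() -> Dict[str, Tuple[float, int, bool]]:
    """{control: (benefit, cost, implement?)}. Benefit is the expected-loss
    reduction the control buys; it is implemented only if benefit >= cost."""
    result = {}
    for c, (_, cost, coverage) in CONTROLS.items():
        benefit = sum(expected_loss(r) * frac for r, frac in coverage.items())
        result[c] = (round(benefit, 2), cost, benefit >= cost)
    return result


def risks_needing_other_response() -> List[str]:
    """Risks left without any control that passes the cost-benefit screen; these
    need a different response (accept, share via insurance, or avoid)."""
    kept = {c for c, (_, _, ok) in cost_benefit().items() if ok}
    return [r for r in RISKS if not any(r in CONTROLS[c][2] for c in kept)]


if __name__ == "__main__":
    m = build_matrix()
    print("unmitigated risks:", unmitigated_risks(m))
    print("unnecessary controls:", unnecessary_controls(m))
    for c, (benefit, cost, ok) in cost_benefit().items():
        print(f"{c:40s} benefit {benefit:>9,.0f} cost {cost:>7,} -> {'keep' if ok else 'drop'}")
    print("needs accept/share/avoid:", risks_needing_other_response())
```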
Exercise 9-2
For the following flow diagram

identify the controls (C1-C11) represented by triangles

For each control

Determine whether the control is preventive, detective or corrective

Determine whether the control is manual or automated

Process Controls

Controls
Limitations of controls:

Judgement

Breakdowns

Management override

Collusion

Operational expediency

Discussion
Identify mitigation strategies or controls for each of the control limitations:

Judgement

Breakdowns

Management override

Collusion

Operational expediency

Key Terms

Control environment

Control objectives for information related technology (COBIT)

Corporate governance

Corrective controls

Committee of Sponsoring Organizations (COSO)

Detective controls

Enterprise risk management (ERM)

Expected loss

Ideal control

Internal control

Operational audits

Risk assessment

Sarbanes-Oxley Act (SOX)

SAS #94

Separation of duties

Homework Assignment
Case Analysis:

Case 9-19

p. 309; and

Case 9-20

pp. 309 - 310

Slide 10 - Computer Controls for Organizations and AISs - Chapter 10 Page 311

After reading this chapter you will:

Be able to describe control objectives related to IT and understand how these objectives are
achieved.

Be able to identify enterprise-level controls and understand why they are essential for
corporate governance.

Discuss the importance of general controls for IT and why these should be considered when
designing and implementing AISs.

Be able to identify IT general security and controls issues for wireless technology, networked
computers, and personal computers.

Know what input, processing and output controls are and be familiar with specific examples of
control procedures in each of these categories.

*Computer Controls
Three broad categories:

Enterprise-level controls - focus on firm-wide issues

IT general controls - apply to all information systems

Application controls - prevent, detect, and correct errors in processing transactions

Enterprise-Level Controls
Enterprise controls are those that affect the entire organization and influence the effectiveness of
other controls.

The tone at the top. Additional important controls are:

Consistent policies and procedures


Such as formal codes of conduct and fraud prevention policies. For example, a company
may require all employees to periodically sign a formal code of conduct stipulating that
computer resources are to be used only for appropriate business purposes and any acts
of fraud or abuse will be prosecuted. This is similar to the computer acceptable usage
policies that are usually read and signed as soon as an employee joins an organization.

Management's risk assessment process

Centralized processing and controls

Controls to monitor results of operations

Canadian Public Accounting Board (CPAB) agreement with guidance issued by the US Public Company Accounting Oversight Board (PCAOB)
We identified a number of these controls in Chapter 9: management's ethical values, philosophy, assignment of authority and responsibility, and the effectiveness of the board of directors. The CPAB agreed with this guidance and issued notice to the Canadian audit firms to be aware of these changes.
Additional controls that are also very important include the following:

Consistent policies and procedures

Management's risk assessment process.

Centralized processing and controls.

Controls to monitor results of operations.

Controls to monitor other controls, including activities of the internal audit function,
the audit committee, and self-assessment programs.

The period-end financial reporting process.

Board-approved policies that address significant business control and risk management practices.
Risk Assessment and Security Policies
Key issues for developing a security policy:

Evaluate information assets and identify threats to these assets

Assess both internal and external threats

Perform a risk assessment

Determine whether information assets are under-, over-, or adequately protected

Create a team for drafting security policies

Implement the policies throughout the organization

Develop policy compliance measures and enforce policies

Manage the policies

Integrated Security for the Organization

Trend is to merge physical and logical security

Physical measures protect the firm's facilities, resources, and data stored on physical media

Logical measures limit access to system and information to authorized individuals

Integrated security combines physical and logical elements. Need a comprehensive security policy to protect confidentiality, integrity, and availability

Integrated Security System


Physical Security

Facility monitoring (e.g. surveillance, cameras, guards)

Access controls to facilities, data centres, computers (e.g. biometrics, access cards)

Alarm systems (fire, water, humidity, power fluctuations, burglar)

Shred sensitive documents

Proper storage and disposal of hard drive and electronic storage media

Secure storage of backup copies of data and master copies of critical software

Logical Security

e-IDs and passwords

System authentication

Biometrics

Log of logon attempts

Application-level firewalls

Anti-virus and anti-spyware software

Intrusion detection systems

Encryption for data in transit

Smart cards

*IT General Controls *(APC)


IT General Controls primarily ensure that:
1. Access to program and data is granted only to authorized users
2. Data and systems are protected from change, theft or loss
3. Development of, and changes to, computer programs are authorized, tested, and
approved before their use

IT is trying to find the right mix above. Do we make changes that are required, authorized, tested? The person who does that can't be the one implementing. How do we handle incidents? For example, in the audit the CRA did, the group responsible for knowing about the people wrongly accessing the database weren't even told. End User Computing is end users making their own programs; some places say no.

Access to Data, Hardware, and Software


Limit logical access to systems through:

Strong passwords

8 or more characters in length

Different types of characters (letters, numbers, symbols)

Biometric identification

Distinctive user physical characteristics (voice patterns, fingerprints, facial patterns, retina prints)

Security
Wireless

Data encryption

Virtual private network

Routing verification procedures

Networks

Header label to identify destination before sending message

Message acknowledgement procedures

Trailer label and transaction segments to verify entire message was received

Data Encryption - Figure 10-4

Virtual Private Network

Securely transmits encrypted data between sender and receiver

Sender and receiver have the appropriate encryption and decryption keys.

Security
Safeguards for PCs, laptops and tablets

Backup contents regularly

Password protect devices

Encrypt sensitive devices

Anti-virus software

Physical storage cables and security devices

Separation of Duties

Separate Accounting and Information processing systems from other systems

Separate responsibilities within IT environment

Controls for Networks

Control problems

Electronic eavesdropping

Hardware or software malfunctions

Errors in data transmission

Control procedures

Checkpoint

Routing verification

Message acknowledgement

Personnel Policies
Separation of duties

Separate accounting and information processing from other subsystems

Separate responsibilities within IT environment

Regularly review system access

Use of computer accounts

Each user has account and unique password

Biometric identification adds security

Identifying suspicious behaviour

Protect against fraudulent employee actions

Monitor suspicious behavior and red flags such as lavish spending

Safeguard files from intentional and unintentional errors. (69% of database breaches
were because of internal culprits)

File Security Controls


Protect files from accidental or intentional abuse:

Ensure programs access correct files

Back up critical files

Make sure only authorized changes

Identify files for processing through file labels

Disaster Recovery

Process and procedures to resume business following disruptive event

Focus on essential technologies for daily operations

Disaster Recovery Plan (DRP) should include

Disaster recovery team

Back up and disaster recovery sites (hot, flying-start, and cold site alternatives)

*Availability Controls (FPLPBDrpBcp)

Fault tolerance

Use of redundant components

Preventive maintenance

Data center location and design


Put in best possible place, not in disaster zones.

Raised floor/Air conditioning

Fire suppression

Uninterruptible power supply (UPS)

Surge protection

Patch management and antivirus software

Backup procedures

Incremental backup

Copies only items that have changed since last partial backup

Differential backup

Copies all changes made since last full backup

Disaster recovery plan (DRP)

Procedures to restore organization's IT function

Cold site / Hot site

Business continuity plan (BCP)

Plans for resumption of all operations - not just IT

Business Continuity Planning


Disaster recovery

Process and procedures to resume business

Roles of individuals (disaster recovery team)

Backup sites

Fault-tolerant systems

Hot / cold

Redundancy - consensus-based protocols, or disk mirroring/shadowing

Backup

Hot / Cold backup of databases

UPS

Hot backup: you swap it in and it's ready. Cold: you have to turn everything off to do it.
Application Controls

Processing - Data Entry Controls

Field check

Characters in a field are proper type

Sign check

Data in a field is appropriate sign (positive/negative)

Reasonableness test

Correctness of logical relationship between two data items

Check digit verification

Recalculating check digit to verify data entry error has not been made

Validity check

Compares data from transaction file to that of master file to verify existence

Completeness check

Verifies that all required data is entered

Size check

Input data fits into the field

Range check

Tests numerical amount against lower / upper limits

Limit check

Tests numerical amount against a fixed value

Batch processing

Sequence check

Test of batch data in proper numerical or alphabetical sequence

Batch totals

Summarize numeric values for a batch of input records

Financial total

Hash total

Record count

Prompting

System prompts you for input (online completeness check)

Closed-loop verification

Checks accuracy of input data by using it to retrieve and display other related information (e.g., customer account # retrieves the customer name)
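
The data-entry edit tests listed above (field, sign, reasonableness, check digit, validity, completeness, size, range and limit), implemented as an added Python example (not code from the slides or the textbook) over a constructed batch of sales-order records. The record layout, the customer master file, the test thresholds and the mod-10 (Luhn) check-digit scheme are assumptions for this example.

```python
"""Data-entry edit checks from the Application Controls list, run over a
constructed batch of sales-order records. The field layout, the customer
master file and the mod-10 (Luhn) check digit are assumptions."""
from typing import Dict, List

# Constructed customer master file: account number -> credit limit.
CUSTOMER_MASTER: Dict[str, float] = {"1002": 5000.00, "1019": 1200.00}

MAX_QTY = 999            # upper bound used by the range check
DISCOUNT_LIMIT = 0.25    # fixed value used by the limit check
AMOUNT_FIELD_WIDTH = 10  # size check: the amount as keyed must fit this width


def luhn_valid(number: str) -> bool:
    """Check digit verification (mod-10 / Luhn, assumed scheme): recompute the
    check from all digits; a transposition or one wrong digit breaks it."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def edit_checks(rec: Dict[str, str]) -> List[str]:
    """Apply every edit test to one keyed record; return the tests it failed."""
    failures: List[str] = []
    required = ("order_no", "customer", "qty", "unit_price", "discount", "amount")

    # Completeness check: every required field is present and not blank.
    if any(not rec.get(f, "").strip() for f in required):
        return ["completeness"]          # nothing further can be tested

    # Field check: numeric fields hold only the proper type of characters.
    for f in ("qty", "unit_price", "discount", "amount"):
        try:
            float(rec[f])
        except ValueError:
            failures.append(f"field:{f}")
    if failures:
        return failures

    qty, price = float(rec["qty"]), float(rec["unit_price"])
    discount, amount = float(rec["discount"]), float(rec["amount"])

    if len(rec["amount"]) > AMOUNT_FIELD_WIDTH:   # size check
        failures.append("size:amount")
    if qty <= 0:                                  # sign check
        failures.append("sign:qty")
    if not 1 <= qty <= MAX_QTY:                   # range check (lower/upper)
        failures.append("range:qty")
    if discount > DISCOUNT_LIMIT:                 # limit check (one fixed value)
        failures.append("limit:discount")
    if not luhn_valid(rec["order_no"]):           # check digit verification
        failures.append("check_digit:order_no")
    if rec["customer"] not in CUSTOMER_MASTER:    # validity check vs. master file
        failures.append("validity:customer")
    # Reasonableness test: logical relationship between fields, here
    # amount = qty * unit price * (1 - discount), to the cent.
    if abs(round(qty * price * (1 - discount), 2) - amount) > 0.01:
        failures.append("reasonableness:amount")
    return failures


# Constructed key-entry batch: one clean record and three with keying errors.
SAMPLE_ORDERS = [
    {"order_no": "123455", "customer": "1002", "qty": "3", "unit_price": "100.00",
     "discount": "0.10", "amount": "270.00"},
    {"order_no": "123456", "customer": "9999", "qty": "-2", "unit_price": "50.00",
     "discount": "0.30", "amount": "100.00"},
    {"order_no": "123455", "customer": "1019", "qty": "three", "unit_price": "10.00",
     "discount": "0", "amount": "30.00"},
    {"order_no": "123455", "customer": "1019", "qty": "3", "unit_price": "10.00",
     "discount": "0", "amount": ""},
]


def edit_batch(records: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Return {record index: failed tests} for every record that was rejected."""
    return {i: f for i, rec in enumerate(records) if (f := edit_checks(rec))}


if __name__ == "__main__":
    for i, fails in edit_batch(SAMPLE_ORDERS).items():
        print(f"record {i} rejected: {', '.join(fails)}")
```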

Processing Controls

Data matching

Two or more items must be matched before an action takes place

File labels

Ensures correct and most updated file is used

Recalculation of batch totals

Cross-footing

Verifies accuracy by comparing two alternative ways of calculating the same total

Zero-balance tests

For control accounts (e.g., payroll clearing)

Write-protection mechanisms

Protect against overwriting or erasing data

Concurrent update controls

Prevent error of two or more users updating the same record at the same time
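
The batch controls (record count, financial total, hash total, sequence check) and the processing controls (recalculation of batch totals, cross-footing, zero-balance test on a payroll clearing account) from the two lists above, as an added Python example that is not code from the slides or the textbook. The payroll record layout, the amounts and the clearing-account treatment are assumptions; the error cases show which total catches which keying error.

```python
"""Batch and processing controls: batch totals (record count, financial total,
hash total), sequence check, recalculation of batch totals after processing,
cross-footing and a zero-balance test on a payroll clearing account.
Added example; the payroll record layout is assumed."""
from typing import Dict, List

Record = Dict[str, float]

# Constructed payroll batch. emp_no is an identifier, so its sum is a hash
# total: meaningless as a number, but any dropped, duplicated or mis-keyed
# record changes it. gross, tax, cpp and net are dollar amounts.
PAYROLL_BATCH: List[Record] = [
    {"emp_no": 1041, "gross": 1200.00, "tax": 240.00, "cpp": 60.00, "net": 900.00},
    {"emp_no": 1042, "gross": 1500.00, "tax": 300.00, "cpp": 75.00, "net": 1125.00},
    {"emp_no": 1045, "gross": 980.00, "tax": 196.00, "cpp": 49.00, "net": 735.00},
]


def batch_totals(batch: List[Record]) -> Dict[str, float]:
    """The three totals written on the batch header before data entry."""
    return {
        "record_count": len(batch),
        "financial_total": round(sum(r["gross"] for r in batch), 2),
        "hash_total": sum(int(r["emp_no"]) for r in batch),
    }


def recalc_batch_totals(header: Dict[str, float], processed: List[Record]) -> List[str]:
    """Processing control: recompute the totals after processing and return the
    names of any that no longer agree with the batch header."""
    after = batch_totals(processed)
    return [name for name, value in header.items() if after[name] != value]


def sequence_check(batch: List[Record]) -> bool:
    """Employee numbers must be strictly ascending: no duplicates, no disorder."""
    nos = [r["emp_no"] for r in batch]
    return all(a < b for a, b in zip(nos, nos[1:]))


def cross_foot(batch: List[Record]) -> bool:
    """Cross-footing: the net column total must equal the gross total less each
    deduction column total, two independent ways of reaching one figure."""
    col = lambda k: round(sum(r[k] for r in batch), 2)
    return col("net") == round(col("gross") - col("tax") - col("cpp"), 2)


def zero_balance(batch: List[Record]) -> float:
    """Zero-balance test: debit the payroll clearing account with gross pay and
    credit it with net pay plus every deduction; the balance must be 0.00."""
    debits = sum(r["gross"] for r in batch)
    credits = sum(r["net"] + r["tax"] + r["cpp"] for r in batch)
    return round(debits - credits, 2)


def with_change(batch: List[Record], index: int, **fields: float) -> List[Record]:
    """Copy of the batch with one record altered (used to construct error cases)."""
    out = [dict(r) for r in batch]
    out[index].update(fields)
    return out


if __name__ == "__main__":
    header = batch_totals(PAYROLL_BATCH)
    cases = {
        "record dropped": PAYROLL_BATCH[:2],
        "gross 1500 keyed as 1050": with_change(PAYROLL_BATCH, 1, gross=1050.00),
        "emp 1045 keyed as 1054": with_change(PAYROLL_BATCH, 2, emp_no=1054),
    }
    for label, batch in cases.items():
        print(f"{label}: out of balance on {recalc_batch_totals(header, batch)}, "
              f"sequence ok={sequence_check(batch)}")
    print("cross-foot ok:", cross_foot(PAYROLL_BATCH),
          "clearing balance:", zero_balance(PAYROLL_BATCH))
```

The third error case is the point of a hash total: a transposed employee number keeps the file in ascending sequence, so only the hash total exposes it.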

Output Controls

User review of output

Reconciliation

Procedures to reconcile to control reports (e.g. general ledger A/R account reconciled to
A/R subsidiary ledger)

External data reconciliation

Data transmission controls

Exercise 10-1
Accounts Payable duplicates

Criteria: Same vendor, invoice number, invoice date and amount

An audit found $1M in duplicates because of weaknesses in the controls over duplicates

For each criterion identify a possible control weakness which would allow duplicates to happen and recommend a control improvement.

Vendor name in master file. If there's poor control over the master file you have vendors with multiple names and suddenly you've broken the test for duplicates. Control is to restrict access.
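
The duplicate-payment data analysis test for Exercise 10-1 (same vendor, invoice number, invoice date and amount), as an added Python example that is not part of the course material. The accounts-payable records and the vendor-name and invoice-number normalization rules are constructed; the example shows how the vendor-master weakness in the note above defeats an exact-match test and how normalizing the key (or, better, matching on a controlled vendor number) recovers the duplicates.

```python
"""Duplicate-payment test for Exercise 10-1: a duplicate is the same vendor,
invoice number, invoice date and amount. Added example over constructed
accounts-payable records; the normalization rules are assumptions."""
import re
from collections import defaultdict
from typing import Any, Dict, List, Tuple

# Constructed AP invoice file. Records 0 and 1 are one invoice keyed twice
# under two spellings of the vendor; 2 and 3 are one invoice keyed with and
# without a leading zero; 4 and 5 are genuinely different invoices.
AP_INVOICES: List[Dict[str, Any]] = [
    {"vendor": "Acme Supply Ltd.",    "inv_no": "A-1001", "inv_date": "2024-03-04", "amount": 1250.00},
    {"vendor": "ACME SUPPLY LIMITED", "inv_no": "A-1001", "inv_date": "2024-03-04", "amount": 1250.00},
    {"vendor": "Northern Paper",      "inv_no": "0042",   "inv_date": "2024-03-10", "amount": 310.50},
    {"vendor": "Northern Paper",      "inv_no": "42",     "inv_date": "2024-03-10", "amount": 310.50},
    {"vendor": "Northern Paper",      "inv_no": "43",     "inv_date": "2024-03-11", "amount": 310.50},
    {"vendor": "Acme Supply Ltd.",    "inv_no": "A-1002", "inv_date": "2024-03-05", "amount": 1250.00},
]

LEGAL_SUFFIXES = {"LTD", "LIMITED", "INC", "INCORPORATED", "CORP", "CORPORATION", "CO"}


def normalize_vendor(name: str) -> str:
    """Upper-case, drop punctuation and legal-form suffixes so that
    'Acme Supply Ltd.' and 'ACME SUPPLY LIMITED' compare equal."""
    tokens = re.sub(r"[^A-Z0-9 ]", " ", name.upper()).split()
    return " ".join(t for t in tokens if t not in LEGAL_SUFFIXES)


def normalize_inv_no(inv_no: str) -> str:
    """Drop separators and leading zeros: '0042' and '42' are one invoice."""
    return re.sub(r"[^A-Z0-9]", "", inv_no.upper()).lstrip("0") or "0"


def dup_key(rec: Dict[str, Any], normalize: bool) -> Tuple:
    """The four-part duplicate criterion, raw or normalized."""
    vendor = normalize_vendor(rec["vendor"]) if normalize else rec["vendor"]
    inv_no = normalize_inv_no(rec["inv_no"]) if normalize else rec["inv_no"]
    return (vendor, inv_no, rec["inv_date"], round(float(rec["amount"]), 2))


def find_duplicates(records: List[Dict[str, Any]], normalize: bool = True) -> Dict[Tuple, List[int]]:
    """Group record indices by duplicate key; keep only groups with 2+ members."""
    groups: Dict[Tuple, List[int]] = defaultdict(list)
    for i, rec in enumerate(records):
        groups[dup_key(rec, normalize)].append(i)
    return {k: v for k, v in groups.items() if len(v) > 1}


def duplicate_exposure(records: List[Dict[str, Any]], normalize: bool = True) -> float:
    """Dollars paid more than once: each group is paid once, the rest is exposure."""
    dups = find_duplicates(records, normalize)
    return round(sum(float(records[g[0]]["amount"]) * (len(g) - 1) for g in dups.values()), 2)


if __name__ == "__main__":
    print("exact-match test finds:", find_duplicates(AP_INVOICES, normalize=False))
    for key, idx in find_duplicates(AP_INVOICES).items():
        print("normalized test finds:", key, "at records", idx)
    print("exposure: $", duplicate_exposure(AP_INVOICES))
```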
Key Terms

Application controls

Batch control total

Business continuity planning (BCP)

Cold / Hot backup

Cold / Hot backup site

Data encryption

Disaster recovery

Edit tests

Input controls

Integrated security

IT general control

Output controls

Physical security

Processing controls

Security policies

Uninterruptible power supply (UPS)

Validity test

Virtual private network (VPN)

Homework Assignment

Case analysis 10-21

pp. 343-344

1. Identify and briey explain the problems The Big Corporation could experience with
respect to the condentiality of information and records in the new system.
There doesnt seem to be any condentiality as not only stores and warehouses can access the
information system but also laptops and handhelds. While for the former there may be
restrictions for some personnel its not the case for all of them. This means if they ever lose
access to their devices or someone else was to use them they could access condential
information. Furthermore remote terminals could allow access to condential data by
unauthorized personnel. The restrictions themselves are upon certain reports which means of
everything listed such as company records, personnel information, etc, etc there could be a lot of
sensitive information available to anyone who can access the system.
2. Recommend measures The Big Corporation could incorporate into the new system that
would ensure the confidentiality of information and records in this new system.
There needs to be a mix of physical and logical security within the new system to ensure
confidentiality of information and records. Physical security such as facility monitoring (surveillance
and guards) and access controls such as access cards would make the remote
terminals a lot more secure. Likewise, logical security such as e-IDs and passwords along with
system authentication could make accessing the system with laptops and handhelds much more
secure. Additionally, a log of who is accessing the confidential information is important, as it can
hold people accountable in case of a breach of security. It could also indicate that there were
attempts to access confidential information if there were too many log-on attempts. There also
need to be policies in place, such as time restrictions on access to the system, so that in the
event someone does sneak onto the system they don't have a lot of time to go through the
confidential information.
3. What safeguards can The Big Corporation develop to provide physical security for its (a)
computer equipment, (b) data, and (c) data processing centre facilities?
For computer equipment, surveillance cameras, guards, biometrics, access cards, etc. would be
enough. For the data itself, e-IDs and passwords along with system authentication, firewalls,
antivirus and encryption could protect the data well enough. For the data processing centre facilities
there should be backups in case the data is altered, corrupted or damaged. The system and
facility itself need to be insured and have backups in different locations to provide redundancy.

There needs to be a team to oversee potential issues and constantly update the security as well,
to ensure safeguards are up to date and running effectively.

Slide 11 - Computer Crime, Fraud, Ethics and Privacy Chapter 11A Page
Learning Objectives
After reading this chapter you will:

Understand why it is difficult to define computer crime

Know why there is an absence of good data on computer crime

Be able to provide reasons why computer crime might be growing

Be familiar with several computer crime cases and the proper controls for preventing them

Be able to describe a profile of computer criminals

Understand the importance of ethical behaviour within the environment of computerized AISs

Computer Crime Legislation


Criminal Law Improvement Act 1987

Section 342

Unauthorized use of computers and networks including hacking and theft of passwords

Denial of service of computer networks

Possession of instruments or technology used for forging credit cards

Section 184

Rights of individuals to privacy, including defining interception of communications as an
illegal act

Sections 402 and 403

Identity theft defined as an illegal act

Defines identity theft, including impersonating any person, living or dead, with intent
to gain advantage, steal property or avoid arrest

Computer Crime
Computer crime: a criminal offence involving the computer as the object of the crime, or the
tool used to commit a material component of the crime

Pure computer crimes: the computer is the primary object of the crime. Examples: hacking,
denial of service, spreading of computer viruses.

Computer supported crimes: the computer is the instrument used in committing the
crime. This can include harassment, fraud, and support of other criminal activities.

Computer Crime - types

Unauthorized theft, use, access, modification, copying, or destruction of software or data

Theft of money by altering computer records or the theft of computer time

Intent to illegally obtain information or tangible property through the use of computers

Use, or the conspiracy to use, computer resources to commit a felony

Use of electronic devices / software to hide taxable transactions

Trafficking in passwords or other log-in information for accessing a computer

Extortion that uses a computer system as a target

Computer Crime - examples

Compromising valuable information

Accuracy of input information

Protection of data

Wire fraud and computer hacking

Encryption

Ethical hackers

Intrusion testing

User education

Denial of service

Firewalls

Anti-virus software

Anti-virus control procedures, policies and passwords

Canadian Examples

Rouge Valley Hospital

CRA

Sold names and addresses of new mothers

Unauthorized access to personal information

Calgary Police

Selling personal information to financial institutions

RCMP

Unauthorized access of CPIC

Personal use

Selling info to Hells Angels

CRA Audit
Audit of Privacy and Security policies and procedures

Privacy Impact Assessments are not always completed to assess risks

Threat and Risk Assessments are not completed

Lack of automated tools to flag inappropriate access and gaps in audit trail

Access to Information and Privacy Directorate is not regularly informed about privacy
breaches

Security Approaches

Multiple layers of control (preventive and detective) to avoid a single point of failure

Security is effective if: P > D + C

where

P is time it takes an attacker to break through preventive controls

D is time it takes to detect an attack is in progress

C is time it takes to respond to the attack and take corrective action

Security just wants you to take long enough that the police get to you.
Layering of Controls

Steps to an Attack

Reconnaissance: collect information about target

Social engineering: why break in if someone will let you in?

Scan and map target: identify possible points of entry

Do I have to access building, how do I get in, what is allowed in and out

Research vulnerabilities of systems and software

Do they use patches?

Execute: attack and obtain unauthorized access to the system

Cover tracks: have several ways out

Have a way to get out without being caught

If it's a serious attempt it's a lot like how it is in the movies.


Not only are you vulnerable, but so is whoever you give access to, such as the president's friend and
Target's trusted suppliers.
Preventing Computer Crime and Fraud

Enlist top-management support

Increase employee awareness and education

Assess security policies and protect passwords

Implement controls

Implement physical security

Recognize the symptoms of employee fraud

Employ forensic accountants

How to Mitigate Risk of Attack


Preventive Controls
People
Process
IT Solutions
Physical security
Change controls and change management
Detective Controls
Log analysis
Intrusion detection systems
Penetration testing
Continuous monitoring
Biggest control is change control and change management
Computer Crime, Fraud, Ethics and Privacy Chapter 11 A - 2
Homework

Case 4.5 - Xerox

Fraud - A Definition
In general fraud consists of:

an intentional act (Commit)

the concealment of that act; (Conceal)

deriving a benefit from that act (Convert).

What is fraud?

It can be to the benefit of the organization (e.g. Enron).

Who commits fraud?


Perpetrators:

More than 75% were in accounting, operations, sales, executive/upper management,
customer service or purchasing department.

60% of the time it was one person

65% Male

54% were between 31 and 45 years old

42% had 1-5 years on the job (only 6% had less than 1 year on the job)

54% had a college degree or higher

87% had never been charged or convicted before

84% had no employment issues (punished, terminated)

Why Fraud Happens


Fraud Triangle*

Pressure

To get back at organization

Opportunity

Exists when there's a weakness of controls

o You can override things; you tell people it's okay

Rationalization

People do it but think it's okay

o Like a fake accident for insurance: "I did it but I'll pay it back" or "they have a lot of money"

10-80-10 rule

10% wont commit


10% are actively looking for opportunities

The removal of pressure sometimes isn't enough, but the first act of fraud is harder to do than the
rest of them. Afterwards the risk rises along with the dollar values.
Behavioural Red Flags

Living beyond means

Financial difficulties

Close association with vendor/customer

Unwillingness to share duties

Divorce/family problems

Wheeler-dealer attitude

Irritability, suspiciousness, defensiveness

Addiction problems

Past employment-related problems

Complained about inadequate pay

Refusal to take vacations

Excessive pressure from within organization

Past legal problems

Complained about lack of authority

Excessive family/peer pressure for success

Instability in life circumstances

Discussion 11-1
HP fraud at Department of National Defence - $146M over 10 years.
Based on the statements below, what are the possible behavioural red flags for each:

Bulk purchase paid more but justified it; email from boss had same content;

Employee handled all aspects of every contract

Match employee/vendor: not an employee but a contractor who had signing authority

Argued that the auditor didn't understand the complexities of the system;

He had saved the department hundreds of millions of dollars and had received superior
performance appraisals but should be paid more

His house had a 10-car garage, and indoor tennis court

Audit found a computer mouse that cost $650 dollars and IT maintenance contracts
with labour/no parts and parts/no labour

Behavioural red-flag exhibited:

Wheeler-dealer attitude
Defensiveness
Given much more authority than he should have had
Unwillingness to share duties
Wasn't paid enough for what he was doing, as far as he was concerned

Phone Scam

Methods of Fraud Investigation


Six basic methods of fraud investigation:

Research and internal audit

Interviewing and interrogation

Forensic analysis

e.g. the Williams interview

Physical surveillance

staked out for filling a car, or charging a dollar 50 a litre when it's really a dollar a litre and
they'd split the cash

Electronic surveillance

Undercover operations

Combination of above

Digital Evidence
Data, by its very nature, is fragile and can be altered, damaged or destroyed through changes in:

Network Connections

Running Applications and Processes

Random Access Memory (RAM)

Operating System Settings

Hard Disk Drive

Computer Forensics - Mistakes


A forensic expert can help you avoid these areas of potential disaster:

Damage or Alteration of Digital Evidence

Introduction of a Computer Virus

Failure to Maintain Chain of Custody

Failure to Respect Legal Authority

Disruption to Client Operations

Avoiding Mistakes
Basic Rules:

Handle the data as little as possible

Document everything you do

Don't exceed personal knowledge or experience

Know when to call in the experts
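As an added example (not from the slides or the textbook), the rules above in code: hash the evidence at acquisition, record every handling event in a chain-of-custody log together with the hash at that moment, and do analysis only on a copy so the original bytes are never touched. The evidence bytes, exhibit id and examiner names are constructed for the illustration; the final log entry deliberately records an altered copy to show how the log exposes the alteration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for acquired evidence (e.g. an exported audit-log file); not real data.
EVIDENCE = b"2014-03-02 09:15:01 user=jsmith action=export_file name=customer_list.xlsx\n"


def sha256_hex(data: bytes) -> str:
    """Fingerprint the evidence; a change to a single byte produces a different digest."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record: each handling event notes who, when, what was
    done, and the evidence hash at that moment, so later alteration can be proven or ruled out."""

    def __init__(self, evidence_id: str, data: bytes, handler: str):
        self.evidence_id = evidence_id
        self.original_hash = sha256_hex(data)  # hash taken at acquisition is the reference
        self.entries = []
        self.record("acquired and hashed", handler, data)

    def record(self, action: str, handler: str, data: bytes) -> dict:
        digest = sha256_hex(data)
        entry = {
            "evidence_id": self.evidence_id,
            "seq": len(self.entries) + 1,
            "time_utc": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "handler": handler,
            "sha256": digest,
            "matches_original": digest == self.original_hash,
        }
        self.entries.append(entry)
        return entry

    def integrity_intact(self) -> bool:
        """True only if every recorded handling event saw the evidence unchanged."""
        return all(e["matches_original"] for e in self.entries)

    def to_json(self) -> str:
        """The documentation the expert will be asked for: every step, in order."""
        return json.dumps(self.entries, indent=2)


def analyse(working_copy: bytes) -> int:
    """Analysis runs on a copy; here it simply counts export events in the sample log."""
    return working_copy.count(b"export_file")


def demo() -> CustodyLog:
    log = CustodyLog("EXH-001", EVIDENCE, "examiner A")  # constructed exhibit id and handler
    analyse(bytes(EVIDENCE))  # work on a copy, then re-hash the original
    log.record("analysed working copy, original re-hashed", "examiner A", EVIDENCE)
    # Constructed failure case: the bytes that come back from a third party differ.
    altered = EVIDENCE.replace(b"jsmith", b"jdoe")
    log.record("received back from third party", "examiner B", altered)
    return log


if __name__ == "__main__":
    custody = demo()
    print(custody.to_json())
    print("integrity intact:", custody.integrity_intact())
```

Printing the log shows the third entry with matches_original false, which is exactly the "damage or alteration of digital evidence" mistake the slide warns about, caught because the hash was taken before anyone else handled the data.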

Slide 11 - Computer Crime, Fraud, Ethics and Privacy Chapter 11B Page
Occurrence of Fraud
Perceived root causes of observed misconduct:

Overt pressure to do whatever it takes to meet business objectives

Fear of job loss if they do not meet their objectives

Belief they will be rewarded by results, not the means they use to achieve them

Belief that the code of conduct is not taken seriously by senior management

Bending company rules for personal financial gain

A survey of people who observed misconduct thought the root causes were:

Overt pressure to do whatever it takes to meet business objectives

Fear of job loss if they do not meet their objectives

Belief they will be rewarded by results, not the means used to achieve them

Belief that the code of conduct is not taken seriously by senior management

Bending company rules for personal financial gain

All of these have gone up in the past few years


Thinking of the Fraud Triangle, which of these causes are related to:
- Pressure: overt pressure to get the job done; fear of job loss;
- Opportunity: not taken seriously by senior management
- Rationalization: belief rewarded for results; management attitude
IT Audit Process
IT audit function encompasses:

People

Procedures

Hardware and software

Data communications

Databases

External auditors examine the AIS primarily to evaluate how the organization's control procedures
over computer processing affect the financial statements (attest objectives).
If controls are weak or nonexistent, auditors will need to perform substantive testing: specific tests
of transactions and account balances (e.g. confirmation of accounts receivable with customers) rather
than an evaluation of controls and processes.
Occurrence of Misconduct/Fraud
Integrity survey results:

73% have witnessed misconduct during the year

56% feel the misconduct could cause a serious loss of public trust

Serious misconduct in: healthcare, banking and finance, aerospace and defence, government
and technology

Globally, 70% of companies suffered from at least one type of fraud last year

How bad is it ?

The KPMG 2013 Integrity survey found that 73% of respondent employees have witnessed
misconduct during the last 12 months.

A majority (56 percent) of respondents thought that the misconduct they witnessed was so serious
it could cause a significant loss of public trust if discovered.

The industries with above average rates of respondent-observed serious misconduct this
year are healthcare (57 percent), banking and finance (57 percent), aerospace and defence
(59 percent), government (62 percent), and technology (63 percent).

Source: KPMG Integrity Survey 2013


https://www.kpmg.com/US/en/IssuesAndInsights/ArticlesPublications/Documents/kpmg-integritysurvey-2013.pdf?cid=newsletter41textbody8

The Kroll 2013-14 Global Fraud Report states that The incidence of fraud has increased this
year. Overall, 70% of companies reported suffering from at least one type of fraud in the last
year.

Every kind of fraud covered in the survey saw an increase in incidence, with vendor, supplier or
procurement fraud and management
Median Losses due to Fraud

Billing: $100K

Payroll: $50K

Cheque Tampering: $120K

Expense Reimbursements: $30K

Non-Cash Misappropriation: $95K

Skimming: $40K

ACFE 2014 Report to the Nations on Occupational Fraud and Abuse reported a median loss of
$145,000 and 22% of the cases had a loss of at least $1M.
Survey estimated that an organization loses 5% of revenue. Projected worldwide, this is $3.7
trillion dollars per year.
As you can see - the median losses are significant for different types of fraud. In the US the median
loss was $100K and in Canada it was $250K (up from $78K in 2012).
I should mention that the victim in 10% of the cases was government; and the median loss was
$100K.
Yet many federal government departments think that they do not have fraud why?
Median Duration of Fraud Scheme
An overwhelming 93 percent of frauds were committed in multiple transactions. For 42% of those
frauds, the average value per transaction was between US $1K-50K.
The question that arises is "Why are the median losses so high?" Part of the answer is that it
takes a long time to detect fraud, as can be seen by the median lengths (in months) that it took to
detect different types of fraud. The ACFE 2014 study found a median of 18 months before detection.
However, when controls were in place the duration of the fraud dropped by 50%.
Why would payroll take longer to detect?
- hidden among many employees;
- requires HR and pay info;

- limited supervisory review


- not reviewed as often

- fully automated process once you have fixed your pay no one knows.

[Chart: Median Duration of fraud scheme by type, in months, 2014 vs 2012; the bar values did not survive extraction.]

How fraud is identified?


The primary means of detection is tips (43%). However, if employees don't know what is expected
and how to report it, employee tips will be fewer, which points to the importance of having good
processes in place to allow employees to report suspected fraud and to protect them if they do. This
includes hotlines and the Public Servants Disclosure Protection Act.
Internal audit identified 14% of frauds which may not seem like much, but it is not their primary
duty so, while it could be better, it is not terrible.
Management review is around 15% - and this points to a bias against considering fraud risk and a
belief that the controls are working.
If the responsibility for fraud prevention/ detection is not clear management, audit and others
wont be looking for it.

[Chart: Fraud Detection Method, percent of cases. The bar labels did not survive extraction; from the text above, tips are 43%, management review about 15% and internal audit 14%. The remaining bar values are 42, 16, 14, 7, 7, 7, 5, 4, 4, 3, 3, 3, 2, 1, 1, 1.]

Preventive and Detective Controls

Fraud Training for Employees

Fraud Training for Managers/Execs

Code of Conduct

Anti-Fraud Policy

Job Risk Assessments

Rotation/Mandatory Vacation*

Rewards for Whistleblowers*

Hotline**

External Audit of ICOFR

Formal Fraud Mgmt Certification of F/S

Independent Audit Committee

Management Review**

Employee Support Programs**

Internal Audit/FE Department

Surprise Audits*

External Audit of F/S

* Reduced duration by more than 50%


** Reduced loss by more than 50%
KPMG 2013 Fraud study: 54 percent of the frauds were facilitated by weak internal controls. This
suggests that if many organizations tightened controls and the supervision of employees, the
opportunity for fraud would be severely curtailed.
Organizations that utilized job rotation and mandatory vacation policies, rewards for whistleblowers
and surprise audits detected their frauds more than twice as quickly as organizations lacking such
controls.
While all controls were associated with a reduced median loss, the presence of formal management
reviews, employee support programs and hotlines were correlated with the greatest decreases in
financial losses.
ACFE 2014 proactive data monitoring and analysis - results in frauds being 60% less
costly and 50% shorter in duration.
**** Discussion *****
Do any of these address some of the behavioural red flags?

job rotation: unwilling to share job or take vacation

employee support: financial difficulties or other personal problems (EAP in government)

Fraud Detection

Fraud hotline

Process controls

Reconciliations

Independent review

audits

Fraud detection techniques

Data analysis

Anomalies

Trends

Fraud detection techniques include:

The use of a whistleblower hotline - this is one of the more effective measures organizations
can implement as part of their fraud risk assessment program

Process controls specifically designed to detect fraudulent activity, as well as errors, include
reconciliations, independent reviews, physical inspections/counts, analyses, and audits.

The use of data analysis, continuous auditing techniques, and other technology tools to detect
fraudulent activity. Data analysis uses technology to identify anomalies, trends, and risk
indicators within large populations of transactions.

Fraud Implications for Auditors


Canadian Audit Standard (CAS) 240 Responsibilities relating to fraud in an Audit of Financial
Statements (similar to AICPA SAS #99)

Assess the risk of material misstatements in financial statements due to fraud

Respond to fraud or suspected fraud during an audit

Sarbanes-Oxley (SOX) Act

Section 201 Services outside scope of practices of auditors

Section 302 Corporate responsibility for Financial Reports

Section 404 Management Assessment of Internal Controls

Types of Fraud

Fraudulent Financial Reporting

Intentional falsifying of accounting records to mislead analysts, creditors, or investors

Asset misappropriation

Employee steals or misuses organizations resources

Corruption

Employee misuses his/her influence in a business transaction, violating duty to
employer in order to gain a direct or indirect benefit

Losses Due to Fraud (in 000s)

Asset misappropriations - accounted for more than 85% of cases, yet these schemes also had
the lowest median loss at $130,000.

Financial statement fraud was involved in less than 9% of the cases studied, but caused the
greatest median loss at $1 million.

Corruption schemes fell in the middle in terms of both frequency (approximately 37% of the
cases reported) and median loss ($200,000).

30% of the cases included two or more of the primary types of fraud.

Why do you think the losses for asset misappropriation were lower than other types of
fraud? - often small dollar inflated invoices; bid rigging (small variance in price) shorter time frame before being caught????
What are some other (non-financial) types of losses ?

loss of goodwill;

negative publicity; - remember Martha Stewart?

shareholder confidence; - remember Enron and Nortel, what happened to share
prices?

employee morale;

Also, most studies only consider the cost of known frauds. What about the costs of undetected
frauds?

[Chart: Losses due to fraud by type. Median loss ($000s): financial statement fraud 1,000; corruption 200; asset misappropriation 130. Percent of cases: corruption 37; asset misappropriation 85 (financial statement fraud under 9%, per the text above).]

Asset Misappropriation
Employees

Creation of, and payments to, fictitious vendors.

Payment of inflated or fictitious invoices.

Invoices for goods not received or services not performed.

Theft of inventory or use of business assets for personal gain.

False or inflated expense claims.

Theft or use of customer lists and proprietary information.

An organizations assets, both tangible (e.g., cash or inventory) and intangible (e.g., proprietary or
confidential product or customer information), can be misappropriated by employees, customers, or
vendors.
The main method of prevention is to ensure that controls are in place to protect such assets. To do
this you need to develop; an understanding of what assets are subject to misappropriation, the
locations where the assets are maintained; and which personnel have control over or access to
tangible or intangible assets.
Common schemes include misappropriation by employees such as:

payments to fictitious vendors or against fictitious invoices

Payment for goods/services not received

Theft of assets

Theft of corporate information: salesman takes customer list when she leaves

**** why would someone setup a fictitious vendor? ********


- controls to prevent this?
STATS on quantity received: negative quantities.
Employees in collusion with vendors, customers, or third parties

Payment of inflated or fictitious invoices

Issuance of inflated or fictitious credit notes

Invoices for goods not received or services not performed

Preferred pricing or delivery

Contract bid rigging

Theft or use of customer lists and proprietary information

Sometimes the controls are such that collusion is required.


Examples of asset misappropriation by employees in collusion with vendors or customers include:

Fictitious credit notes

Preferred pricing or payment terms

Contract bid rigging

Theft of third party information

Why do these require collusion? how does the fraudster benefit?


What could you do to rig the contract bidding process? date/amount
What could you do to create preferred pricing or payment terms?
What is the advantage to you? ***
Vendors

Inflated or fictitious invoices

Short shipments or substitution of lower quality goods

Invoices for goods not received or services not performed

Customers

False claims for damaged or returned goods or short shipments

But not all frauds are committed by employees. Vendors and customers can be the perpetrator of
fraud without any involvement of employees:

fictitious invoices

inferior goods

false claims or damaged goods or short shipments

Example - sale of printer cartridges free or lowest price


What did this scheme rely on?

no authority required low dollar item

rush at year end to spend

lots of invoices at year-end

personal greed get something for nothing

desire to save govt money

Corruption

Bribery of

Companies

Private individuals

Public officials

Receipt of kickbacks, bribes, gratuities

Aiding and abetting of fraud by others

Corruption includes:

Bribery and gratuities to Companies; Private individuals; or Public officials

Receipt of bribes, kickbacks, and gratuities.

Aiding and abetting fraud by other parties (e.g., customers, vendors).

When and why might this occur?


What about payments to ensure that your permit gets approved?
Canadian Foreign Anti-Corruption Law was amended in June 2013 to have new provisions which
significantly increase penalties for and the scope of individual and corporate liability for bribery of
foreign public officials. The amended Corruption of Foreign Public Officials Act introduces a form of
books and records offence in relation to falsifying books and records for the purpose of bribing a
foreign public official.
Whereas facilitation payments were permitted under the previous law, this exception is now subject
to elimination by an Order of Cabinet to be made at a future date to be determined. Facilitation
payments are payments made to expedite or secure performance by a foreign public official of an act
of a routine nature, such as issuing a permit, processing official documents or provisioning public
services, such as power supply or police protection.
Financial Statement Fraud
Intentional manipulation of financial statements, resulting in:

Misstated Revenue

Inappropriately reported expenses

Masked disclosures

Concealment of acquisitions

Inappropriate balance sheet amounts

Executives cook the books, as they say, by fictitiously inflating revenues, recognizing revenues before
they are earned, closing the books early (delaying current period expenses to a later period),
overstating inventories or fixed assets, and concealing losses and liabilities.

The Treadway Commission recommended four actions to reduce the possibility of fraudulent
financial reporting:

Establish an organizational environment that contributes to the integrity of the financial
reporting process. (Tone-at-the-Top)

Identify and understand the factors that lead to fraudulent financial reporting.

Assess the risk of fraudulent financial reporting within the company.

Design and implement internal controls to provide reasonable assurance that fraudulent
financial reporting is prevented.

Do you know of any examples of this happening in recent years??????


- Enron, WorldCom,
Why did these happen? shareholder earnings/expectations
SAS #99
Consideration of Fraud in Financial Statement Audit

Understand Fraud

Discuss risk of material fraudulent misstatements

Obtain information

Identify, assess, and respond to risks

Evaluate results of audit tests

Document and communicate findings

Incorporate a technology focus

SAS #99- Consideration of Fraud in Financial Statement Audit


Computer fraud - SAS 99 requires auditors to:

Understand Fraud

Discuss risk of material fraudulent misstatements

Obtain information

Identify, assess, and respond to risks

Evaluate results of audit tests

Document and communicate findings

But SAS 99 also requires audits to incorporate a technology focus: auditors have to use technology
to define fraud-auditing and IT auditing procedures.
This is expanded in SAS 94 which we will cover in chapter 9.
Risk Examples

SAS 99 defines various risk factors and can be used when assessing the risk of fraudulent financial
reporting and other fraudulent acts. In particular, it outlines risk factors, including:

Management Environment

Are financial targets too ambitious and the consequences of failure high?

(Enron)

Are performance measures unrealistic e.g. increase market share by 10% every
quarter or increase shareholder value by 20% every year.

Management style not willing to accept failure.

These types of pressures can increase the risk that an employee will overstate performance to
achieve targets.
Types of analysis suggested include: reviewing production figures for accuracy; review next period
after bonuses have been awarded and look for returns. ????? Others ?????
Competitive Industry with rapidly changing technology (Nortel, BB) can lead to inventory
becoming obsolete and if not re-evaluated lead to overstatement on the financial report. Check
for data and impact of last inventory evaluation. Look at inventory turnover. ? Others ?
Employee Relationships hiring of family member or giving contracts to relatives. One test is to
match employee and vendor address (problems with this approach? How could you improve
it?). You can also compare trends across years totals by contracting officer vendor look at
sudden increases or decreases. ?? Others ??
Attractive Assets if your company has attractive/easily transportable items (hi-tech) then you
are at risk. Test inventory controls and look at trends in reorder quantity. ?? Others ??

Internal Controls

New organization structures and systems: the previous manual system may have had
mitigating controls; often it is assumed that new computer systems will contain all the
necessary controls but sometimes these aren't even turned on. Therefore, you should test
key controls. ??? Others ????

Business Re-engineering

Re-organization particularly downsizing can lead to issues around separation of duties ???
Others ????

Too much Trust

insufficient monitoring and few audits particularly in purchasing. Even companies that have
ERP systems often dont initiate three-way matching. ??? Others ????

Examining these risk factors can help you complete a Fraud Risk Assessment of different areas of the
company.
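Added example, not from the course materials, of the employee/vendor matching test mentioned under Employee Relationships, and of one answer to "how could you improve it?": raw address strings rarely match exactly, so the improved version normalizes addresses and phone numbers before comparing and reports which field matched. The employee and vendor records are constructed; the names, street addresses, postal codes and phone numbers are made up.

```python
import re

# Constructed sample master-file records; every value is made up for the illustration.
EMPLOYEES = [
    {"emp_id": "E100", "name": "Pat Lee", "address": "12 Main St., Suite 4, Ottawa ON K1A 0A1",
     "phone": "(613) 555-0101"},
    {"emp_id": "E101", "name": "Sam Roy", "address": "300 Bank Street, Ottawa, ON",
     "phone": "613-555-0199"},
]
VENDORS = [
    {"vendor_id": "V900", "name": "Lee Consulting", "address": "12 MAIN STREET #4 OTTAWA ON K1A0A1",
     "phone": "613.555.0101"},
    {"vendor_id": "V901", "name": "Acme Supplies", "address": "55 Queen St, Ottawa ON",
     "phone": "613-555-0444"},
    {"vendor_id": "V902", "name": "Roy Services", "address": "PO Box 77, Ottawa ON",
     "phone": "6135550199"},
]

# Common spelling variants collapsed to one form; unit designators dropped so that
# "Suite 4" and "#4" compare equal.
ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "drive": "dr",
          "suite": "", "ste": "", "unit": "", "apt": ""}


def normalize_address(addr: str) -> str:
    """Lower-case, strip punctuation, collapse known tokens, and remove all spaces."""
    cleaned = re.sub(r"[#.,]", " ", addr.lower())
    tokens = [ABBREV.get(t, t) for t in cleaned.split()]
    return "".join(t for t in tokens if t)


def normalize_phone(phone: str) -> str:
    """Keep digits only so formatting differences cannot hide a match."""
    return re.sub(r"\D", "", phone)


def naive_matches(employees, vendors):
    """The test as literally stated: exact equality of the raw address strings."""
    return [(e["emp_id"], v["vendor_id"], "address")
            for e in employees for v in vendors if e["address"] == v["address"]]


def normalized_matches(employees, vendors):
    """Improved test: compare normalized address and phone; report the field that matched."""
    hits = []
    for e in employees:
        for v in vendors:
            if normalize_address(e["address"]) == normalize_address(v["address"]):
                hits.append((e["emp_id"], v["vendor_id"], "address"))
            if normalize_phone(e["phone"]) == normalize_phone(v["phone"]):
                hits.append((e["emp_id"], v["vendor_id"], "phone"))
    return hits


if __name__ == "__main__":
    print("raw string match:", naive_matches(EMPLOYEES, VENDORS))
    print("normalized match:", normalized_matches(EMPLOYEES, VENDORS))
```

On the sample data the raw comparison finds nothing, while the normalized one links E100 to V900 on both address and phone and E101 to V902 on phone alone, a case the address test would never have surfaced. Matches are leads for follow-up, not findings: shared office buildings and PO boxes produce false positives, so each hit still has to be verified to source.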
Computer Crime, Fraud, Ethics and Privacy Chapter 11B 2
Developing a Fraud Investigation Plan
All the time with fraud:

Define objectives of investigation

Define the indicators of fraud

Identify the required data sources and analysis techniques

Obtain and safeguard the required data

Test the integrity and completeness of the data

Perform analysis

Challenge your assumptions and verify to source documents

When fraud is suspected you need to enhance the fraud monitoring plan and develop a more detailed
fraud investigation plan

why are you performing the analysis and what are you looking for - including stating the
possible symptoms of the fraud;

specifies the required data - single year or several; one business unit or more; also describes
the expected results.

determines the data source and which fields are required; data owners and programmers;

determine the best methods for obtaining the data; file formats; transfer mechanisms; and
how you will safeguard the data

Assesses the integrity and completeness of the data

outlines the tests to be performed, the follow up analyses.

When performing the analysis, it is important to drill down into the data challenging the
assumptions and results. In cases of suspected fraud, the auditor must verify to source or compare
with other sources.
The Fraud Plan is a living document - does not constrain your analyses, but provides a structure and
a purpose.

Important to get sign off; you may want to confer with the corporate lawyer.
Discussion 11-2
You have been informed that someone in A/R has changed the system parameters so customers can
have an outstanding balance that is more than their credit limit.
Develop a fraud detection plan to determine if this is happening. Answer the following:

What is the objective of the analysis?

What are the expected results if controls are working?

What is the source of the data and required fields?

What analysis will be performed?

If the controls are not working what additional analysis should be performed and
why?

*Identical Question on Finals.


Fraud Risk: Rumors that someone in A/R has changed the system parameters such that customers
can have an outstanding balance that is more than their credit limit. In groups develop a fraud
monitoring/detection plan by answering
What is the purpose of the analysis? to verify the balances on customer accounts.
What are the expected results? the outstanding balance should be less than 110% of the
customers credit limit.
What is the source of the data? the A/R file for outstanding amounts; the customer file for
credit limits.
What analysis will be performed? calculate outstanding balance for each customer and
compare this with the credit limit and highlight cases where the balance is more than
110% of the limit.
Whats next? The results of the analysis will be verified to the customer file and further analysis will
be performed to look at sales by salesman for the problem accounts to see if there are trends.
Why? - fake customers to meet sales quota.
What else? - someone is stealing the A/R - confirm balances with customers.
******************** 10 minutes ************************************
Objective: Verify that controls to ensure o/s Bal < 10% Limit are working
Expectations if controls are working: No customer has Bal > 10% limit
Source of Data:
We need the customer number for the foreign key and the purchases and the payments.
Doing it within a certain time period, then within the current period.
We also need the customer master file: the limit and the customer number.
Analysis: By customer no. and calculate o/s Bal =
What else? IT control should refuse purchases at a certain time. Look at the root cause that
caused the control to break.

It could also be someone in receiving raising the customer's limit. Customer pays back but
the person steals $200 out of the $1000.
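As an added example (not from the course notes and not an ACL script), the Python below carries the fraud-monitoring plan above through on constructed A/R and customer-master data: the o/s balance per customer, the 110% tolerance comparison, and the follow-up count of problem accounts by salesman come from the answers above, while the file layouts and the orphan-customer check (A/R customers with no master-file record, covering the "fake customers" follow-up) are assumptions.

```python
"""Fraud-monitoring analysis for the A/R credit-limit risk.

Added example, not from the course notes. All data below is constructed; the
file layouts (customer master, A/R transaction file) are assumptions.
"""
from collections import defaultdict

TOLERANCE = 1.10  # flag balances above 110% of the credit limit

# Constructed customer master file: customer number -> credit limit and salesman
CUSTOMER_MASTER = {
    "C001": {"credit_limit": 5000.0, "salesman": "S01"},
    "C002": {"credit_limit": 2000.0, "salesman": "S02"},
    "C003": {"credit_limit": 1000.0, "salesman": "S02"},
    "C004": {"credit_limit": 3000.0, "salesman": "S03"},
}

# Constructed A/R file for the current period: (customer number, type, amount)
AR_TRANSACTIONS = [
    ("C001", "purchase", 4000.0), ("C001", "payment", 1500.0),   # 50% of limit
    ("C002", "purchase", 2500.0),                                 # 125% -> exception
    ("C003", "purchase", 900.0), ("C003", "purchase", 600.0),
    ("C003", "payment", 200.0),                                   # 130% -> exception
    ("C004", "purchase", 3200.0),                                 # 106.7% -> tolerated
    ("C999", "purchase", 700.0),                                  # not in master file
]


def outstanding_balances(transactions):
    """Analysis step 1: o/s balance per customer = purchases - payments."""
    balances = defaultdict(float)
    for customer, kind, amount in transactions:
        if kind == "purchase":
            balances[customer] += amount
        elif kind == "payment":
            balances[customer] -= amount
        else:
            raise ValueError(f"unknown transaction type {kind!r}")
    return dict(balances)


def credit_limit_exceptions(transactions, master, tolerance=TOLERANCE):
    """Analysis step 2: compare each o/s balance with the credit limit.

    Returns (exceptions, orphans). Exceptions are customers whose balance is
    more than tolerance * limit. Orphans are customers present in the A/R file
    but missing from the master file; they are reported separately because a
    missing master record is itself a red flag (possible fake customer).
    """
    exceptions, orphans = [], []
    for customer, balance in sorted(outstanding_balances(transactions).items()):
        record = master.get(customer)
        if record is None:
            orphans.append((customer, balance))
            continue
        limit = record["credit_limit"]
        ratio = balance / limit if limit > 0 else float("inf")
        if ratio > tolerance:
            exceptions.append({
                "customer": customer, "balance": balance, "limit": limit,
                "pct_of_limit": round(ratio * 100, 1),
                "salesman": record["salesman"],
            })
    return exceptions, orphans


def controls_working(transactions, master, tolerance=TOLERANCE):
    """Expected result if the control is working: no exceptions and no orphans."""
    exceptions, orphans = credit_limit_exceptions(transactions, master, tolerance)
    return not exceptions and not orphans


def exceptions_by_salesman(exceptions):
    """Follow-up analysis: problem accounts per salesman, to spot a trend."""
    counts = defaultdict(int)
    for exc in exceptions:
        counts[exc["salesman"]] += 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    exc, orph = credit_limit_exceptions(AR_TRANSACTIONS, CUSTOMER_MASTER)
    print("Controls working:", controls_working(AR_TRANSACTIONS, CUSTOMER_MASTER))
    for e in exc:
        print(f"{e['customer']}: balance {e['balance']:,.2f} is "
              f"{e['pct_of_limit']}% of limit {e['limit']:,.2f} (salesman {e['salesman']})")
    for customer, balance in orph:
        print(f"{customer}: balance {balance:,.2f} but no master file record")
    print("Problem accounts by salesman:", exceptions_by_salesman(exc))
```

On the constructed data both exceptions belong to salesman S02, which is exactly the kind of trend the "sales by salesman" follow-up is meant to surface.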
Identity Theft
The minimum information required to impersonate someone is simply their name, but access to the
following can cause real damage:

Full name

Date of birth

Social Insurance Number

Full address

Mother's maiden name

User name / Passwords to websites

Your identity can be stolen simply by someone using your name (for example, at a party
someone gives the person they have been talking to and don't want to see again your
name and number).

However, if the fraudster has access to any of the following: full name, date of birth, social
insurance number, mother's maiden name, user name and passwords to websites, real
damage can ensue.

Examples of identity fraud:

Credit card theft

Drain bank account

Create false bank account

Automobile loans / leases

Mortgages / Title theft

Cell phones

Airline tickets

Medical services

Passport

Types of identity fraud

Credit card theft: most common type of identity theft

Drain bank account or create false bank account

Use identity to get a driver's license and then use credit card, bank account and photo id to:

Automobile loans and leases

Mortgages / title theft

Cell phone

Airline tickets

Divert your mail

Use identity to obtain a false health care card or passport.


Discussion 11-3
In groups:

Describe five methods a fraudster could use to obtain your identity.

Describe a mitigation strategy or control for each.

Describe five methods a fraudster could use to obtain your identity.

Dumpster diving: bank / credit card statements, phone / water / hydro bills

Steal letters from your mailbox

Pick your pocket

Job offers (online or in newspapers) require resume and personal info

Skimming: card-swiping device to capture card details

Internet

Phishing: directed email asking you to verify account info

Hacking -

Vishing: VOIP call asking the user to call back and provide account verification info

ATM

Shoulder surfing

Hidden camera

Keyboard overlay to capture keystrokes

Card left behind: "do you want to make another transaction?"

A fraud case in Ontario used a fake driver's license and rental info to get a bank account and credit
card, which were then used to get a passport and to lease expensive automobiles. Defaulted on
payments; cars shipped overseas.
Key Terms

Antivirus software

Audit Command Language (ACL)

Computer crime

Computer virus

Computer worms

cookie

Firewalls

Hacker / ethical hacker

Identity theft

Intrusion testing

Privacy policy

Social engineering

Slide 11 - Information Technology Auditing - Chapter 12 Page
Homework

Case 6.1 Harley Davidson

Case 6.2 Jacksonville Jaguars

Learning Objectives
After reading this chapter you will:

Describe how external auditing differs from internal auditing

Understand the information technology (IT audit) process

Identify the software and people skills needed by IT auditors

Know how to determine the effectiveness of internal controls over specific information systems

Describe various techniques used by auditors to evaluate computerized information systems

Describe/discuss IT governance focus on management of IT risk

Be able to detail how audits can use IT to prevent and detect fraud

Know how SOX and CICA rules influence the role of IT auditors

Identify various types of third-party assurance services related to IT

IT Audit Process
IT audit function encompasses:

People

Procedures

Hardware and software

Data communications

Databases

External auditors examine the AIS primarily to evaluate how the organization's control procedures
over computer processing affect the financial statements (attest objectives).
If controls are weak or nonexistent, auditors will need to perform substantive testing: specific tests
of transactions and account balances (e.g. confirmation of accounts receivable with customers) rather
than an evaluation of controls and processes.
IT Auditor Toolkit

General use software: Excel and Access

Generalized audit software: ACL

Statistics, duplicates, sort, summarize

Automated workpapers

Generate trial balances

Make adjusting entries

Perform consolidations

Conduct analytical procedures

Facilitate consistency across team members

Facilitate timely review and workflow

Document audit procedures and conclusions

Computer-Assisted Audit Techniques


Three broad categories of computer-assisted techniques to test controls:

Auditing around the computer

Auditing with the computer

Auditing through the computer

Auditing Around the Computer

Take a sample of transactions being entered into the system

Calculate the expected results

Compare to system output

Auditing With the Computer


Computer-assisted audit techniques

Generalized Audit Software (GAS) such as ACL

Specialized packages

SQL

Direct access to tables or system extracts

Run analysis routines to test key controls

Auditing Through the Computer


Test processing steps, programming logic, edit routines and controls
Techniques include:

Test deck or test data

Integrated test facility (ITF)

Parallel simulation

Test of program change controls

Program comparison

Review of Systems Software


System software controls:
1. Operating system software
2. Utility programs: sorting and copying
3. Program libraries: controls and monitor storage of programs
4. Access control software: controls access to programs and data files
Continuous Auditing
Real-time assurance

Embedded audit modules

Exception reporting

Transaction tagging

Snapshot technique

Continuous and intermittent simulation

Risk-Based Framework
Steps to determine where and what to audit:

Identify fraud and errors (threats) that can occur that affect each objective; and assess
the probability and impact of the risk occurring

Identify control procedures (prevent, detect, correct the risks/threats)

Evaluate control procedures to determine if control exists and is working as intended,
and check for compensating controls

Determine effect of control weaknesses and identify and recommend control procedures
that should be in place

Major Steps in the Auditing Process


1. Audit planning

Why, how, when, and who

Establish scope and objectives of the audit; identify risk

2. Collection of audit evidence


3. Evaluation of evidence
4. Communication of results
5. Audit Process

Audit Planning - Activities

Project Initiation

Project assignment

Project announcement

Opening meetings

Risk Assessment

Conduct initial research

Develop an understanding of the objectives of the area being audited

Identify risks to the area's objectives

Determine area of audit focus

Audit Objectives and Scope

Objectives: broad statements developed to define the audit's intended accomplishment.

Scope: answers the question what will be audited. It delineates the boundaries of the
audit.

Audit Program

Outlines the work to be performed during the audit

Includes:

Criteria: what should be

Methodology and Approach

Time and Resource Estimates

Skill set, # of auditors, training, travel, locations, etc

Audit Conduct - Activities

Pilot Sites

Entry Meetings

To introduce the audit and the team

Gather Evidence

Standards of Evidence

Types of Evidence

Methods of Gathering Evidence

Reliance on work of others

Briefings or Exit Meetings

To validate the plan's approach

No surprises approach

Findings

Criteria: what should be

Condition: what is

Cause: why did it happen

Effect: so what

Recommendation: what should be done

Findings are tracked on finding sheets

Findings are used to develop conclusions for each objective

Develop Working Papers

All supporting documentation to conclusions and results

Standard index used

Supervisory Review

Validation of evidence

Initial Quality Assurance

Audit Reporting - Activities

Closing Conferences

No surprises approach

Ensure we are aware of all relevant evidence

Buy-in

Drafting Reports

Validate facts

Solicit a management action plan

Assess management action plan

Communicate audit results

Management Response

Client responses to recommendations

Presentation to Audit Committee

Provide copy of report for recommendation for approval

Final Reports

Communications - reports, briefing notes, etc

Publish Reports

Vetted (ATIP) and translated

Transparency

Follow-up - Activities

Audit Consistency

Information Systems Audit


IT audit objectives:
1. Protect overall system security (e.g. computer equipment, programs, and data)
2. Accurate and complete processing of transactions, records, files, and reports
3. Prevent, detect, or correct inaccurate or unauthorized source data
4. Accurate, complete, and confidential data files
5. Program development, acquisition and modifications properly planned and authorized
Overall System Security
Control Procedures

Information security plan

Limiting physical and logical access to equipment and systems

Data storage and transmission controls

Anti-virus software and procedures; and firewalls

Fault tolerant design; file backup and recovery; and disaster recovery

Preventive maintenance

Insurance: casualty and business interruption

Control Tests

Review information security and disaster recovery plans and results of tests

Review and verify policies and procedures

Physical and logical access

File backup and recovery

Data storage and transmission

Verify use of firewalls and virus protection software and procedures

Verify effectiveness of data encryption and data transmission controls

Verify monitoring and effective use of system logs

Computer Processing

Control Procedures

Data editing routines

Reconciliation and batch totals

Error correction procedures

Operating documentation and manuals

Handling of data input and output

Supervision

Control Tests

Evaluate accuracy and completeness of data editing controls

Reconcile batch totals

Review and validate error correction procedures

Operating documentation and manuals

Verify distribution and storage of reports

Check accuracy and completeness of processing controls

Recreate selected reports to test for accuracy and completion

Source Data

Control Procedures

Source data handling and authorization of input

Preparation and reconciliation of batch control totals

Check digit verification / use of turnaround documents

Data editing routines

Procedures for correcting and re-submitting errors

Control Tests

Examine handling and authorization of source data

Reconcile batch totals and follow-up on discrepancies

Trace disposition of errors

Verify data edit test

Data Files

Control Procedures

Storage: secure physical and logical access

Write protection and update controls

Encryption for confidential data

Off-site backup

Checkpoint and rollback procedures

Control Tests

Review physical and logical access controls

Verify preparation and off-site storage

Reconcile master file with control totals

Verify encryption and file handling procedures

Program Acquisition, Development and Maintenance

Control Procedures

License agreements and management authorization for program development and
acquisition

Testing and user acceptance procedures

System documentation

Management authorization for program modification

Change documentation / separation of duties

Logical access controls

Control Tests

Verify license agreements and test for management authorization for program
development and acquisition

Review system development documentation

Test system authorization and approvals

Review test specifications, decks, results and user acceptance results

Verify logical access and separation of duties

Verify program modification approval procedures, testing and user acceptance

Network Communication and Security Controls

Sensitive information in the network should be protected

The critical network devices such as routers, switches and modems protected from physical
damage; and configuration and inventories maintained;

Changes to network configuration authorized, documented; and a threat risk assessment
reviewed after any changes.

The network operation monitored for any security irregularity and formal procedures in place
for identifying and resolving security problems.

Physical access to communications and network sites controlled and restricted; and
communication and network systems controlled and restricted to authorized individuals.

Network diagnostic tools, e.g., spectrum analyzer or protocol analyzer, used on an as-needed basis.

Firewalls to isolate an organisation's data network from any external network and to limit
network connectivity from unauthorised use.

All firewalls subjected to thorough tests for vulnerability prior to being put to use and
regularly thereafter.

The internal network of the organization physically and logically isolated from the Internet and
any other external connection.

All web servers for access by Internet users isolated from other data and host servers and
procedures established for allowing connectivity of the computer network or computer system
to any outside system or network

Networks that operate at varying security levels isolated from each other

The suitability of new hardware/software assessed before connecting the same to the
organization's network.

Network should be monitored and appropriate follow up of any unusual activity or pattern of
access should be investigated promptly

Secure Network Management Systems should be implemented to monitor functioning of the
computer network.

The system must include a mechanism (e.g., intrusion detection system) for alerting the
Network Administrator of possible breaches in security, e.g., unauthorised access, virus
infection and hacking.

Only authorized and legal software should be used

Typical IT Audit Documentation

Planning and preparation of the audit scope and objectives

Description and/or walkthroughs on the scoped audit area

Audit program

Audit steps performed and audit evidence gathered

Whether services of other auditors and experts were used and their contributions

Audit findings, conclusions and recommendations

Management response

Audit documentation relation with document identification and dates (your cross-reference of
evidence to audit step)

Draft and final copies of report issued

Evidence of audit supervisory review

IT Audit

Risks

Objective

Scope

Audit program

Data collection and analysis

What

How

SysTrust
The SysTrust review encompasses a combination of the following principles:

Security: The system is protected against unauthorized access (both physical and logical).

Availability: The system is available for operation and use as committed or agreed.

Processing Integrity: System processing is complete, accurate, timely, and authorized.

WebTrust
The WebTrust certification can fall into the following four categories:

WebTrust. The scope of the engagement includes any combination of the trust principles and
criteria.

WebTrust Online Privacy. The scope of the engagement is based upon the online privacy
principle and criteria.

WebTrust Consumer Protection. The scope of the engagement is based upon the
processing integrity and relevant online privacy principles and criteria.

WebTrust for Certification Authorities. The scope of the engagement is based upon
specific principles and related criteria unique to certification authorities.

Trust Services
Trust Services are defined as:

A set of professional assurance and advisory services based on a common framework (i.e., a
core set of principles and criteria) to address the risks and opportunities of IT.

In the development of Trust Services the objective was to establish a core set of principles and
related criteria for key areas related to IT, e-commerce, e-business, and systems. These form
the measurement basis for the delivery of the related service(s).

Principles and criteria of trust services developed by the CICA/AICPA:


1. Security: protection against unauthorized access
2. Availability: information system is available for use
3. Processing integrity: complete, timely and accurate
4. Confidentiality / online privacy: protection of personal information
5. Protection of information designated as secret or confidential
Each of the principles and criteria is organized and presented in four broad areas:

Policies

The entity has defined and documented its policies relevant to the particular principle.

Communications

The entity has communicated its defined policies to authorized users.

Procedures

The entity uses procedures to achieve its objectives in accordance with its defined
policies.

Monitoring

The entity monitors the system and takes action to maintain compliance with its defined
policies.

Exercise 12-1

Key Terms

Auditing around, through and with the computer

Automated working papers

CA WebTrust

Computer assisted audit techniques (CAATs)

Fraud triangle

General use software

General audit software (GAS)

Information system risk assessment

IT auditing

Parallel simulation

Program change control

Risk-based audit

Test data

Third party assurance services

Trust services

Slide 11 - Developing and Implementing Effective AISs Chapter 13 Page


Homework

Case 9.2 Henrico Retail

Case 5.5 Collins Harp

Learning Objectives
After reading this chapter you will:

Describe the roles of accountants, analysis teams, and steering committees in systems studies

Discuss why systems analysts must understand the strategic goals and operations of a
company

Be familiar with the deliverables in systems analysis work, especially systems analysis report

Create a plan to complete the analysis and design phases of a systems study

Be able to conduct a feasibility evaluation and explain how it is conducted

Describe the costs, benefits, tools, and techniques associated with systems design work

Evaluate alternative systems proposals and make a selection or choose to outsource

Be familiar with the activities required to implement and maintain a large information system

System Development Life Cycle


Planning and investigation

Systems study team performs preliminary investigation of existing system and develops
strategic plans for the remainder of the study

Analyze current system to identify information strengths, needs and weaknesses

Design changes that eliminate (or minimize) current systems weak points while
preserving its strengths

Analysis

Design

Implementation, Follow-up and Maintenance

Acquire resources for new system; train new or existing employees; conduct follow-up
studies to identify problems; and maintain the system correct minor flaws and update
system as required

Systems Development Planning

Poor planning can lead to:

Systems that do not meet users' needs: causes frustration, resistance and even sabotage

Systems that are not flexible enough to meet business requirements and are ultimately scrapped

Cost overruns

Time delays to complete project

Systems addressing the wrong problems

No top management approval or support for new systems

Systems that are difficult and costly to maintain

System Analysis
Examine system in depth

General system goals

Top management systems goals

Operating management goals

Data gathering

Review existing documentation: flowcharts, dictionaries, process maps, procedure
manuals, chart of accounts, etc

Observe current system in operation

Use questionnaires and surveys

Review internal control procedures

Interview system participants users, managers and operations

System Feasibility Evaluation


Comparison of alternative proposals
1. Technical feasibility: hardware, software, interfaces
2. Operational feasibility: compatibility with current operating environment
3. Schedule feasibility: time to implementation
4. Legal feasibility: complies with laws and regulations such as financial reporting requirements
and contractual obligations
5. Economic feasibility: anticipated benefits and projected costs
Detailed System Design

Processes to be performed in revised system (what and by whom)

Data elements: name, size, format, source, importance

Data structure: how data elements will be organized into logical records

Inputs: descriptions of content, source, and responsibilities

Outputs: description of purpose, frequency and distribution

Documentation: descriptions of system and subsystems

Constraints: description

Controls: to reduce risk of errors and irregularities in the input, processing and output stages

Reorganizations: changes to business functions, staffing levels or responsibilities

Make-or-Buy
RFP Evaluation consider each of the proposed systems:

Performance capability

Cost / Benefit

Maintainability

Compatibility with existing systems

Vendor support

Training of employees and systems personnel

Testing and Implementation support

Maintenance

Backup systems

User support availability, language

System Implementation

Physical site

Functional changes

Select and assign personnel

Train personnel

Acquire and install computer equipment

Establish internal controls

Convert data files

Acquire computer software

Test computer software

Convert to new system: direct, parallel, or modular

Follow-up and Maintenance


Post-Implementation Review

Top management and operating management satisfaction

User satisfaction

Evaluate control procedures functioning properly

Observation efficiency and effectiveness

Evaluate computer processing functions (data capture, preparation and processing)
for efficiency and effectiveness

Output meeting management and regulatory requirements

System Change Management

System Change Phases

Key Terms

Change management

Conversion: direct, parallel, or modular

Critical path

Feasibility evaluation: technical, operational, schedule, economic, and legal

Make-or-buy decisions

RFP evaluation

Scope creep

Structured design

System maintenance

Systems analysis

Systems development life cycle (SDLC)

Systems implementation

Turnkey system

What-if analysis

Slide 11 - Accounting on the Internet - Accounting and Enterprise Software - Chapters 14 15 Page
Learning Objectives
After reading these chapters you will:

Understand basic Internet concepts: TCP/IP, URL, web page addresses

Appreciate why electronic communication is useful to accountants

Know why XBRL is important to financial reporting and EDI is important to AISs

Understand some examples of cloud computing and the difference between business-to-consumer and B2B e-commerce

Appreciate privacy and security issues,

Know why business use firewalls, proxy servers and encryption; and understand digital
signatures and time-stamping techniques

Understand the differences among various types of accounting and enterprise software

Be able to explain how the various functions work in ERPs; and understand the architecture
and use of a centralized database in ERPs

Be able to describe the relationship between business process re-engineering and ERP
implementation

Recognize when an organization needs a new AIS and the process to select an ERP

Internet Basic Concepts


URL: Uniform resource locator (domain address)
IP Address: internet protocol address
207.142.131.0.0.5 (geographic/organisation/computer group/computer)
TCP/IP: transmission control protocol/internet protocol is the basic communication language or
protocol of the Internet.
Intranet: communication network internal to a company
Extranet: enables selected outside users to access corporate intranets
XML and XBRL
XML Extensible markup language

Supports general financial reporting and the exchange of financial information between
trading partners

User can define own tags (extensible)

XML tags actually describe the data rather than simply indicate how to display it.

HTML: <b>$1,000,000</b> = $1,000,000 (bold display only)

XML: <SalesRevenue>$1,000,000</SalesRevenue> = the $1M has meaning

XBRL Extensible Business Reporting Language

Standardized tags for describing financial information in documents (subset of XML)

XBRL-enabled software will automatically insert XBRL tags in financial files

XBRL
Advantages

Ability to transfer financial information in a standard format facilitates
communications between suppliers, buyers, shippers

Standardized financial filing (SEC required; CSA optional)

Uniquely defines the data even if reported in several places always has same tags

Express relationships as formulas (assets = liabilities + equity)

Exchange of information across platforms and technologies

Disadvantages

Requires users to learn and conform to standards

Requires user to conform to changing specifications

No requirement for auditors to provide assurance on XBRL filings
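As an added example (not from the course notes and not from any XBRL toolkit), the script below parses a small constructed XML filing whose tag names (Filing, BalanceSheet, Summary, Assets, Liabilities, Equity, SalesRevenue) are assumptions rather than real XBRL taxonomy elements. It shows the three XBRL points above in code: the tag identifies the fact wherever it is reported, a fact reported in several places can be checked for the same value, and a relationship such as assets = liabilities + equity can be verified as a formula, whereas the HTML <b> tag yields only a bold string.

```python
"""Why a descriptive tag beats a display tag.

Added example, not from the course notes or any XBRL toolkit. The filing below
is constructed and its tag names are assumptions, not official XBRL taxonomy
elements; the point is that the tag identifies the fact wherever it appears.
"""
import re
import xml.etree.ElementTree as ET

# Constructed XML filing: the same facts reported in two places, same tags each time
INSTANCE_XML = """<Filing>
  <BalanceSheet>
    <Assets>$1,500,000</Assets>
    <Liabilities>$900,000</Liabilities>
    <Equity>$600,000</Equity>
    <SalesRevenue>$1,000,000</SalesRevenue>
  </BalanceSheet>
  <Summary>
    <SalesRevenue>$1,000,000</SalesRevenue>
    <Assets>$1,500,000</Assets>
  </Summary>
</Filing>"""

# The HTML rendering of the same figure: the tag only says "make it bold"
HTML_FRAGMENT = "<p>Sales this year were <b>$1,000,000</b>, up from <b>$800,000</b></p>"


def parse_amount(text):
    """'$1,000,000' -> 1000000.0; '($25,000.50)' -> -25000.5 (parentheses = negative)."""
    s = text.strip()
    negative = s.startswith("(") and s.endswith(")")
    digits = re.sub(r"[^\d.]", "", s)
    if not digits:
        raise ValueError(f"no numeric amount in {text!r}")
    value = float(digits)
    return -value if negative else value


def facts_by_tag(xml_text):
    """Collect every occurrence of each tagged amount: tag -> list of values.

    The tag carries the meaning, so the code never needs to know which section
    of the document a figure sits in.
    """
    facts = {}
    for elem in ET.fromstring(xml_text).iter():
        if elem.text and elem.text.strip().startswith(("$", "(")):
            facts.setdefault(elem.tag, []).append(parse_amount(elem.text))
    return facts


def consistency_errors(facts):
    """A fact reported in several places must carry the same value under its tag."""
    return sorted(tag for tag, values in facts.items() if len(set(values)) > 1)


def accounting_identity_holds(facts, tolerance=0.005):
    """Relationship expressed as a formula: Assets = Liabilities + Equity."""
    assets = facts["Assets"][0]
    liabilities = facts["Liabilities"][0]
    equity = facts["Equity"][0]
    return abs(assets - (liabilities + equity)) <= tolerance


def html_bold_strings(html):
    """All HTML gives a program: bold strings, with no tag saying what each number is."""
    return re.findall(r"<b>(.*?)</b>", html)


if __name__ == "__main__":
    facts = facts_by_tag(INSTANCE_XML)
    print("Facts by tag:", facts)
    print("Inconsistent tags:", consistency_errors(facts))
    print("Assets = Liabilities + Equity:", accounting_identity_holds(facts))
    print("HTML yields only:", html_bold_strings(HTML_FRAGMENT))
```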

Internet and Business


E-business

Goes beyond e-commerce and deep into the processes and cultures of an
enterprise. Includes: email, soliciting vendor bids, e-payments, electronic
exchange of data, and a host of cloud-computing services

E-commerce

Buying and selling of goods and services electronically between businesses, business
and government, business and customer

Electronic Business
Electronic Data Interchange (EDI)

Transmission of information over high-speed data communications channels, e.g. RFPs,
purchase orders, bills of lading, freight bills, sales invoices, payment remittance forms

E-Payment

Paying for goods or services electronically (e.g. PayPal)

E-Wallets

Software application (customer/vendor) to store consumer info (e.g. credit card
numbers)

E-Commerce
Definition:

A type of business model, or segment of a larger business model, that enables a firm or
individual to conduct business over an electronic network, typically the internet.

Attributes:

Virtual stores (websites) selling directly to customers

Allows customers to create own order forms, shipping labels, and payment documents

Discussion
E-commerce creates opportunities and risks.

What are three risks to a retailer?

What are three risks to customers?

Business-to-Business (B2B)
Business buying and selling goods and services to each other over the Internet

Shortens time from purchase to delivery

Purchase from vendors around the world

Expedite internal paperwork

Real-time data

GPS tracking status and delivery times

Cloud Computing
Purchase of computing services over the Internet

Processing services

Software (SaaS) e.g. tax preparation

Web hosting (PaaS)

Backup services

Educational service

Business phone services

Payroll services

Advantages

Access to specialized expertise

Cost savings: only pay for services consumed

Speed

Avoid peak loading problems

Virtual remote backup

Pay as you go

Security on the Internet


Firewalls

Guards against unauthorized access to company computers.

Inclusion: access control list (ACL) of accepted IP addresses

Exclusion: rejects messages from known threat addresses

Denial of Service (DoS) attacks: overwhelm system resources

Spoofing: masquerading as an authorized user

Hackers may alter ACL entries

Intrusion detection systems (IDSs)

Passive: create logs of potential intrusions and notify system administrators

Reactive: have the ability to detect potential intrusions dynamically, log off potentially
malicious users, and even reprogram the firewall to block further messages from the suspected
source

Documents attacks: valuable info for network administrators and investigators

Privacy on the Internet


Value-Added Networks (VANs)

Private, point-to-point communication networks

Each user is assigned a unique account code that identifies the external entity and
authenticates subsequent transactions

Create a VAN

From scratch

Dedicated transmission lines from Bell or Telus

Virtual private network (VPN)

Uses tunnelling security protocols embedded in the send-to and receive-from messages

Encrypts all data

Authenticates the remote computer and sender before permitting further data transmissions

Proxy servers

A network server and software that creates a transparent gateway to and from the
Internet and control Web access

Efficient access to Web

Tests incoming requests for authenticity

Limits employee access to approved sites

Limited information stored on proxy server

Ability to cache frequently used Web pages on its hard drive

Data Encryption

Encryption key: transforms plaintext into ciphertext

Secret key cryptography: single key shared by the two communicating parties

Public key encryption: requires each party to use a pair of public/private encryption
keys

Sending party uses the public key to encrypt the message

Receiving party uses the second (private) key to decode the message

Digital Signature / Digital Certificate

Encoded signatures or certificates e.g. VeriSign

Digital Time-Stamping

Time and date of transmission, filing or data entry

Integrated Accounting Software


Processes all types of accounting transactions through entire accounting process: general and special
journals, such as sales and purchases, as well as inventory and payroll - may also include job
costing, purchasing, invoicing, and fixed assets

Small and Medium Enterprises

commercial accounting software packages

Midrange and Large scale accounting software

e.g. Sage MAS90 and Microsoft Dynamics GP

Process transactions in multiple currencies

Specialized AISs

e.g. for dental or medical offices, schools, and niche businesses

Enterprise-Wide Information Systems


Key features integration and central database
Integration includes:

Accounting

Finance

Supply chain

Strategic planning

Customer relationship

Human resources

SAP Modules

Advantages of ERP System

Improved flow of the information - stored in a centralized database and can be accessed by
all areas of the organization (i.e., Sales enters data about a customer and the info
automatically is available to Accounting for invoicing)

Data captured once - resolves data redundancy and integrity problems

Improved control over access to the data through security settings

Improve decision making - standardization of procedures and reports

Global and supply chain integration

Reduce inventory investment; improved asset management

Disadvantages of ERP System

Hardware/Software and training costs

Complex: need for professional services

Business process re-engineering

Data conversion

Interfaces and customization

Significant amount of time to implement

User resistance; reassignment of employees

Key Terms

Access control list (ACL)

B2B e-commerce

BI tools

Digital certificate, signature, and time-stamping

Domain address

E-Payment and E-Wallet

Electronic data interchange (EDI)

Encryption key

Enterprise Resource Planning (ERP)

Enterprise software

Internet, intranet and extranet

Intrusion detection systems (IDSs)

Proxy server

Public and secret key encryption

TCP/IP, URL

VAN and VPN

XBRL and XML
