
Tutorial for Final Exam

INS2104: Accounting Information System

1. Topics
- Chapters 2, 3, 4, 6: Business processes, system documentation
- Chapters 9, 10, 13, 14: Transaction cycles: the revenue cycle, the expenditure cycle,
the general ledger and financial reporting cycle; system development
- Chapters 7, 8: Internal control
- Chapter 16: Ethics and computer crimes
2. Structure of the Exam
This examination consists of TWO (2) sections:
SECTION A (40 marks) – consists of THIRTY – FIFTY (30 – 50) True/False and multiple
choice questions. Answer ALL questions.
SECTION B (60 marks) – consists of TWO - FOUR (2- 4) questions. Answer ALL questions.
Time allowance: 120 minutes
3. Question types
3.1. True/False and MCQ questions
- Similar to test banks
3.2. Exercises on Internal Control
- Sample exercises: 8.8, 8.9, 8.10, 8.13, 8.18 (pages 382–388 in the textbook)
3.3. Essay questions
1. The value of accounting information depends on its reliability. Internal
controls are developed in order to assure that the information provided by the AIS is
reliable. Describe two internal controls that support the internal control objective of
reliable information.

Internal Control:

The process designed, implemented and maintained by those charged with governance,
management and other personnel to provide reasonable assurance about the
achievement of an entity's objective with regard to reliability of financial reporting,
effectiveness and efficiency of operations, safeguarding of assets, and compliance with
applicable laws and regulations.

The two examples of Internal Control policies and procedures that support the internal
control objective of reliable information are:

1. Information processing controls: The two broad groupings of information systems
control activities are application controls, which apply to the processing of individual
applications, and general IT controls, which are policies and procedures that relate to
many applications and support the effective functioning of application controls by helping
to ensure the continued proper operation of information systems. Examples of application
controls include checking the arithmetical accuracy of records, maintaining and
reviewing accounts and trial balances, automated controls such as edit checks of input
data and numeric sequence checks, and manual follow-up of exception reports.
Examples of general IT controls are program change controls, controls that restrict
access to programs or data, controls over the implementation of new releases of
packaged software applications, and controls over system software that restrict access to,
or monitor the use of, system utilities that could change financial data or records without
leaving an audit trail.

2. Physical controls: The physical security of assets, including adequate safeguards
such as secured facilities over access to assets and records, and the periodic counting of
assets and comparison with the amounts shown on control records.
Example: comparing the results of cash, security and inventory counts with the
accounting records. Physical controls intended to prevent theft of assets are relevant to the
reliability of financial statement preparation because a count that disagrees with the
records reveals either a recording error or a loss that the records do not yet reflect.

2. List the functions that should be separated in order to ensure no single employee is
given too much responsibility. 
3. List the four basic business activities performed in the revenue cycle. A well-designed
AIS should provide adequate controls over the revenue cycle to ensure what
objectives? 
- Four basic business activities are performed in the revenue cycle:
  - Sales order entry
  - Shipping
  - Billing
  - Cash collection
- In the revenue cycle (or any cycle), a well-designed AIS should provide adequate
controls to ensure that the following objectives are met:
  - All transactions are properly authorized
  - All recorded transactions are valid
  - All valid and authorized transactions are recorded
  - All transactions are recorded accurately
  - Assets are safeguarded from loss or theft
  - Business activities are performed efficiently and effectively
  - The company is in compliance with all applicable laws and regulations
  - All disclosures are full and fair

4. What are the two major responsibilities of the receiving department? List the three
possible exceptions to the receiving process.

The two major responsibilities of the receiving department are deciding whether to
accept delivery (based on whether there is a valid purchase order) and verifying the
quantity and quality of delivered goods. Verifying the quantity of delivered goods is
important so the company pays only for goods received and inventory records are
updated accurately.
A receiving report is not typically used for receipt of services. Receipt of services is
typically documented by supervisory approval of the supplier’s invoice. When goods
arrive, a receiving clerk compares the PO number on the packing slip with the open
PO file to verify the goods were ordered. The receiving clerk counts the goods and
examines them for damage before routing to the warehouse or factory.
Three possible exceptions to this process are:
1. Receiving a quantity of goods different from the amount ordered
2. Receiving damaged goods
3. Receiving goods of inferior quality that fail inspection
In all three cases, the purchasing department must resolve the situation with the
supplier. In the case of damaged or poor quality goods, a debit memo is prepared
after the supplier agrees to take back the goods or grant a price reduction.
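The receiving procedure above, written out as an added example (this is not code from the textbook or its solutions): the clerk's packing-slip PO number is matched against the open PO file, the counted quantities are compared with the quantities ordered, and the three exceptions are recorded for the purchasing department to resolve. The open PO file, the delivery, the function name and the exception codes are all constructed for this illustration.

```python
# Constructed open purchase order file: po_number -> {sku: quantity ordered}
OPEN_PURCHASE_ORDERS = {
    "PO-1001": {"WIDGET-A": 100, "WIDGET-B": 40},
    "PO-1002": {"BOLT-M6": 500},
}


def receive_delivery(po_number, counted, damaged=(), failed_inspection=()):
    """Decide whether to accept a delivery and record the exceptions on it.

    po_number:         the PO number printed on the supplier's packing slip
    counted:           {sku: quantity physically counted by the receiving clerk}
    damaged:           SKUs with visible damage
    failed_inspection: SKUs that failed the quality check
    Returns (accepted, receiving_report, exceptions); exceptions are
    (code, sku, quantity) tuples for the purchasing department to resolve.
    """
    # Responsibility 1: accept only deliveries backed by a valid open PO.
    order = OPEN_PURCHASE_ORDERS.get(po_number)
    if order is None:
        return False, None, [("NO_VALID_PO", po_number, None)]

    # Responsibility 2: verify quantity and quality of what actually arrived.
    exceptions = []
    report = {"po_number": po_number, "lines": []}
    for sku in sorted(set(order) | set(counted)):
        ordered = order.get(sku, 0)
        received = counted.get(sku, 0)
        # The receiving report records what was counted, never what was ordered,
        # so the company pays only for goods received.
        report["lines"].append({"sku": sku, "ordered": ordered, "received": received})
        # Exception 1: quantity differs from the amount ordered (short, over, or unordered item)
        if received != ordered:
            exceptions.append(("QUANTITY_MISMATCH", sku, received - ordered))
        # Exception 2: damaged goods
        if sku in damaged:
            exceptions.append(("DAMAGED", sku, received))
        # Exception 3: goods of inferior quality that fail inspection
        if sku in failed_inspection:
            exceptions.append(("FAILED_INSPECTION", sku, received))
    return True, report, exceptions


if __name__ == "__main__":
    print(receive_delivery("PO-9999", {"WIDGET-A": 10}))                 # refused: no open PO
    print(receive_delivery("PO-1001", {"WIDGET-A": 100, "WIDGET-B": 35},
                           damaged=("WIDGET-A",)))                       # short and damaged
    print(receive_delivery("PO-1002", {"BOLT-M6": 500}))                 # clean receipt
```

Note that an item on the packing slip that is not on the PO at all surfaces as a quantity mismatch (ordered 0, received n), which is the same "resolve with the supplier" path as a short delivery.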

5. What are the methods and reports that can be used to reconcile the general
ledger? List the four basic activities performed in the general ledger and reporting
system. 

Additionally, because the general ledger is the source of information for the
four financial statements (the balance sheet, income statement, statement of cash
flows and statement of shareholders' equity), reconciliation can refer to cross-checking
the balances on these statements with those in the general ledger.

List the four basic activities performed in the general ledger and reporting system. 

1. Update the general ledger
2. Post adjusting entries
3. Produce financial reports
4. Produce managerial reports

6. Compare the structure of the COSO and ERM framework? 

Similarities between the COSO Internal Control Framework and COSO ERM

Both are frameworks developed by the Committee of Sponsoring Organizations
(COSO), a private-sector group consisting of the AAA, the AICPA, the IIA, the IMA
and the FEI, to give organizations a structured way to design and evaluate the internal
workings of the company, and both require commitment from top management. Under
SOX, management's assessment of internal control over financial reporting is made against
such a framework.

COSO ERM builds on the COSO Internal Control framework: it keeps its components
and additionally makes sure that risk is kept within the risk appetite of the organization.

Differences between the COSO Internal Control Framework and COSO ERM

COSO's internal control framework has too narrow a focus and an inherent
bias toward past problems and concerns. The ERM framework takes a
risk-based, rather than controls-based, approach to the organization, oriented toward
the future and constant change. It incorporates rather than replaces COSO's internal
control framework and contains three additional elements.
Whereas the COSO internal control framework has 5 components, the ERM framework
is depicted by COSO as a cube with 4 columns and 8 rows, representing the objective
categories and the components respectively.

COSO Internal Control (5 components):

Control environment / risk assessment / control activities / information and
communication / monitoring

COSO ERM (8 components):

Internal environment / objective setting / event identification / risk assessment / risk
response / control activities / information and communication / monitoring
3.4. Exercises on Internal Control
- Sample exercises: 8.8, 8.9, 8.10, 8.13, 8.18 (pages 382–388 in the textbook)
8.8

(a) Entering negative values for order quantity reduces the sales order totals so that they
no longer reconcile with the general ledger; the mismatch understates sales and therefore
profit for the year. To correct this, the company should add an automated sign check to
the system that rejects a negative order quantity at entry: whenever the user enters a
negative value, the system displays a message that the value is not allowed and does not
accept the line. This control mitigates the risk described.

(b) Selling to a customer with an already overdue account increases the risk of default and
of bad debts that reduce the company's profit. To mitigate this, the company must have a
control that checks the creditworthiness of the customer before the sale is approved, and
the check must cover existing customers with overdue accounts, not only new customers.

(c) Ordering from a non-existent supplier will lead to financial losses for the company,
since payments made to a bogus supplier buy nothing. Before onboarding any vendor the
company must collect the relevant documents and perform a due-diligence process; only
after the vendor has been verified as genuine should the company order goods from it.

(d) Advance payments tie up the company's working capital, and goods paid for in advance
may never arrive. In certain cases an advance is nonetheless necessary in order to receive
the goods. As a control, any advance payment made before the goods are received must be
approved by the finance controller.

(e) Entering an alphanumeric customer ID is against the company's policy, and an ID that
does not match the format of the customer master file cannot be validated against it. As a
matter of good corporate governance the company must adhere to its own policies and
procedures, so an automated field check should be introduced that rejects non-numeric
characters in the customer ID field.

(f) Misappropriation of goods will lead to financial loss to the company. As a control, the
company should segregate duties so that custody of the inventory and maintenance of the
inventory records are assigned to different people, and periodic physical counts should be
compared with the records.

(g) Ordering too much of a product leads to obsolete inventory and ties up working
capital. The purchasing manager should approve every requisition raised by the
production department before an order is placed, so that purchases are kept at the
optimum level for the company.
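The automated edit checks proposed in (a), (b) and (e) above, as one added example (not code from the textbook or its solutions manual): a sign check on quantities, a numeric field check on the customer ID, and a credit check against the customer master before the order is accepted. The customer master records, the 30-day overdue threshold and the function name are assumptions constructed for this illustration.

```python
# Constructed customer master file: customer_id -> credit limit, balance, days overdue
CUSTOMER_MASTER = {
    "10042": {"credit_limit": 5000.0, "balance": 1200.0, "days_overdue": 0},
    "10077": {"credit_limit": 2000.0, "balance": 1950.0, "days_overdue": 45},
}
MAX_OVERDUE_DAYS = 30  # assumed credit policy: block sales once an invoice is this late


def validate_order(customer_id, lines):
    """Run the edit checks on one order before it is accepted.

    customer_id: the ID as keyed by the clerk (a string)
    lines:       list of (sku, quantity, unit_price) tuples as keyed by the clerk
    Returns a list of control violations; an empty list means the order passes.
    """
    errors = []

    # (e) field check: the customer ID must consist of digits only
    if not customer_id.isdigit():
        errors.append(f"customer id {customer_id!r} is not numeric")
        return errors  # nothing further can be validated against the master file

    # validity check: the ID must exist in the customer master file
    customer = CUSTOMER_MASTER.get(customer_id)
    if customer is None:
        errors.append(f"customer id {customer_id} is not in the master file")
        return errors

    order_total = 0.0
    for sku, quantity, unit_price in lines:
        # (a) sign and field checks: quantity must be a positive whole number
        # (bool is excluded because it is a subclass of int in Python)
        if not isinstance(quantity, int) or isinstance(quantity, bool) or quantity <= 0:
            errors.append(f"line {sku}: quantity {quantity!r} must be a positive integer")
            continue
        if unit_price < 0:
            errors.append(f"line {sku}: unit price {unit_price!r} must not be negative")
            continue
        order_total += quantity * unit_price

    # (b) credit check: block overdue accounts and orders that would breach the limit
    if customer["days_overdue"] > MAX_OVERDUE_DAYS:
        errors.append(
            f"customer {customer_id} has an invoice {customer['days_overdue']} days overdue"
        )
    if customer["balance"] + order_total > customer["credit_limit"]:
        errors.append(
            f"customer {customer_id}: balance {customer['balance']:.2f} plus order "
            f"{order_total:.2f} exceeds credit limit {customer['credit_limit']:.2f}"
        )
    return errors


if __name__ == "__main__":
    for cid, order in [
        ("10042", [("A1", 2, 10.0)]),    # passes every check
        ("10042", [("A1", -2, 10.0)]),   # (a) negative quantity rejected
        ("AB12", [("A1", 1, 10.0)]),     # (e) alphanumeric ID rejected
        ("10077", [("A1", 1, 10.0)]),    # (b) overdue account blocked
    ]:
        print(cid, validate_order(cid, order) or "accepted")
```

Returning a list of violations rather than raising on the first one lets the screen show the clerk everything that is wrong with the order at once, which is what an interactive edit check should do.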

8.13

Below is a description of a business process.

The computer system requires all users to log on with a user identification (their first initial and the
first six letters of their surname), and a password that is assigned to users when they join the firm
(that is unable to be changed).
The users have access to the internet and several have installed Windows Live Messenger and other
chat programs on their machines.

The main task of John, one of the staff members, is to perform data entry. Each day he receives a
bundle of orders from the customer assistant, with John’s job being to enter the details into the
system.

John first enters the customer name, address and contact number then clicks on the ‘Next’ button to
enter the items and quantities ordered by the customer.

If the customer name is not provided the computer will prompt John to go back and fill in the details
before proceeding to the next screen. In addition, the computer will only accept numeric values for
the quantities ordered.

Once all orders are entered John clicks the ‘Done’ button and the computer displays the number of
orders entered on the screen.

John usually ignores this, because by the time orders have been entered it is usually lunch time.

Required

(a) Identify four risks in the process.

(b) Suggest an internal control for each risk (the control may be mentioned in the case or missing
and you think it should be applied).

(c) Indicate whether the control is present or missing in the case.

(d) Classify the control as general or application.

(e) Classify the control as manual or computerised.

Answer:

Risk 1. Unauthorised access to the system (security breach)

Control: Logon with a user identification and a password that is hard to guess, that
the user sets and must change periodically.

Present: Partly. Logon with a user ID and password exists, but the user ID is
predictable (first initial plus the first six letters of the surname) and the password is
assigned when the user joins and cannot be changed, so a guessed or disclosed
password remains valid indefinitely. The ability and obligation to change passwords is
missing.

Gen/App: General: it concerns the security of the entire information system and applies
whenever any application is accessed.

Man/Comp: Computerised.

Risk 2. Malware attacks

Control: Installation of an application whitelisting tool so that only trusted applications
can run, mitigating the risk of malware from chat programs and other downloaded
software.

Present: Missing. No control has been put in place to cover the risk of malware from
applications downloaded from the internet; several users have installed Windows Live
Messenger and other chat programs.

Gen/App: General: restricting which programs can be installed or run protects the
whole system, not the processing of one application.

Man/Comp: Computerised.

Risk 3. Human error in data entry

Control: Input validation (edit) checks on the data keyed in: a completeness check that
the customer name is present and a field check that quantities are numeric.

Present: Present. When John fails to enter the customer name the computer prompts him
to go back and fill in the details, and only numeric values are accepted for the quantities.

Gen/App: Application: the checks relate to the specific data-entry application.

Man/Comp: Computerised.

Risk 4. Incomplete processing or loss of data (orders missed or duplicated, or lost
through system failure)

Control: A batch record count: the number of orders displayed when 'Done' is clicked
is compared with the count of source orders received from the customer assistant, and
the data is regularly backed up.

Present: Partly. The computer produces the record count, but John ignores it, so the
comparison with the source documents is not performed; no backup arrangement is
described in the case.

Gen/App: The record count is an application control (it relates to the order-entry batch);
backups are a general control over the environment in which the applications are used.

Man/Comp: The count is produced by the computer; the comparison with the source
documents is manual.
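The batch controls that the 'Done' screen in 8.13 points at, as an added example (not code from the textbook): a record count, a financial total over the quantities, a hash total over the order numbers, and a numeric sequence check, reconciled against header totals that are assumed to be prepared from the paper bundle before it is handed to John. The orders, the header and the function names are constructed for this illustration.

```python
def batch_totals(orders):
    """Compute control totals over a list of entered orders.

    orders: list of dicts with keys order_no (int), customer (str), quantity (int)
    The record count catches lost or duplicated documents, the quantity total
    catches mis-keyed amounts, and the hash total (a sum of order numbers with
    no business meaning) catches a document entered under the wrong number.
    """
    return {
        "record_count": len(orders),
        "quantity_total": sum(o["quantity"] for o in orders),
        "hash_total": sum(o["order_no"] for o in orders),
    }


def missing_sequence_numbers(orders):
    """Numeric sequence check: order numbers between the lowest and highest
    entered that do not appear (assumes the bundle is numbered contiguously)."""
    numbers = sorted(o["order_no"] for o in orders)
    if not numbers:
        return []
    present = set(numbers)
    return [n for n in range(numbers[0], numbers[-1] + 1) if n not in present]


def reconcile_batch(orders, header):
    """Compare the computed totals with the batch header.

    Returns a list of discrepancy strings; an empty list means the batch balances.
    This is the step John skips when he ignores the count on the 'Done' screen.
    """
    computed = batch_totals(orders)
    problems = [
        f"{name}: header {header[name]}, entered {computed[name]}"
        for name in header
        if computed[name] != header[name]
    ]
    gaps = missing_sequence_numbers(orders)
    if gaps:
        problems.append(f"order numbers not entered: {gaps}")
    return problems


# Constructed paper bundle handed to John, and the header totals taken from it
BUNDLE = [
    {"order_no": 501, "customer": "Acme Pty", "quantity": 12},
    {"order_no": 502, "customer": "Bolt & Co", "quantity": 3},
    {"order_no": 503, "customer": "Cog Ltd", "quantity": 7},
]
BATCH_HEADER = batch_totals(BUNDLE)  # record_count 3, quantity_total 22, hash_total 1506


if __name__ == "__main__":
    print("complete batch:", reconcile_batch(BUNDLE, BATCH_HEADER))
    # Order 502 slipped out of the bundle before entry
    print("one order lost:", reconcile_batch([BUNDLE[0], BUNDLE[2]], BATCH_HEADER))
    # Order 501 keyed twice instead of 502: the record count alone would not notice
    print("duplicate entry:", reconcile_batch([BUNDLE[0], BUNDLE[0], BUNDLE[2]], BATCH_HEADER))
```

The duplicate-entry case is why a record count on its own is a weak control: the count of three agrees with the header, and only the quantity total, the hash total and the sequence gap reveal that order 502 was never entered.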
8.10

a. The COSO model defines internal control as "a process, effected by an entity's
board of directors, management and other personnel, designed to provide
reasonable assurance regarding the achievement of objectives" in the following
categories:

- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations

In an effective internal control system, the following five components work together to
support the achievement of an entity's mission, strategies and related business objectives:

1. Control environment
2. Risk assessment
3. Control activities: actions, established through enterprise policies and
procedures, that help ensure that management's directives to mitigate risks to
the achievement of objectives are carried out. Examples:

- Follow policies and procedures.
- Improve security (application and network).
- Conduct application change management.
- Plan business continuity/backups.
- Control outsourced processing.

b.

4. Information and communication: information is necessary for the entity to
carry out its internal control responsibilities in support of the achievement of its
objectives. Internal communication is the means by which information is
disseminated throughout the organization, flowing up, down and across the
entity.

- Measure the quality of information.
- Measure the effectiveness of communication.

5. Monitoring: the entire system of internal control is monitored continuously,
and problems are addressed in a timely manner.

- Perform ongoing monitoring.
- Conduct separate evaluations.
- Report deficiencies.

These components work to establish the foundation for sound internal control within the
company through directed leadership, shared values and a culture that emphasizes
accountability for control. The various risks facing the company are identified and
assessed routinely at all levels and within all functions in the organization.

Control activities and other mechanisms are proactively designed to address and
mitigate the significant risks. Information critical to identifying risks and meeting business
objectives is communicated through established channels across the company. The
entire system of internal control is monitored continuously, and problems are addressed
timely.

8.18

CPA Australia's advisory guide on employee fraud identifies some typical ways that
frauds are carried out. These include:
(a) creating 'ghost' employees, or not deleting ex-employee records, and having the
salary of these ghost employees paid into the fraudster's bank account
(b) creating bogus suppliers, with payment being made to the fraudster's bank
account
(c) creating bogus purchase orders of a bona fide supplier and substituting the
supplier's bank account details with the fraudster's bank account details
(d) obtaining kickbacks or bribes from suppliers or contractors (as an inducement to
purchase from them)
(e) associates of the staff providing services to the business at inflated prices
(f) personal use of business resources
(g) inflated/bogus reimbursement claims
(h) manipulation of financial data to receive performance-based bonuses
(i) faking time sheets
(j) private purchases through business accounts/business credit cards
(k) providing discounted (or free) goods or services to friends and associates.
Required
For each of the above:
(i) Suggest a possible application control that could deal with the fraud.
(ii) Classify the control as preventive, detective or corrective and justify your
classification.
(iii) Explain how the control addresses the fraudulent activity.

Answer:

Problem / Control description / Control type / How the control addresses the fraud

(a) Creating 'ghost' employees, or not deleting ex-employee records, and having the
salary of these ghost employees paid into the fraudster's bank account
Control 1: Without input of the employee's last date of service, the final salary is not
processed. Once the final salary is released, the employee record moves automatically
from the current-employee list to the ex-employee list.
Type: Preventive: the leaver is removed from the active payroll before a further pay
run can include them.
How it addresses the fraud: ensures that resigned employees are not paid after they leave.
Control 2: Creation of an employee record must be approved by a reviewer, and
mandatory fields such as date of birth and PAN are required.
Type: Preventive: the record cannot be created without the review and the mandatory
details.
How it addresses the fraud: the record is reviewed for ghost employees, and the system
blocks bogus employees by requiring details that a fictitious person cannot supply.

(b) Creating bogus suppliers, with payment being made to the fraudster's bank account
Control: The supplier record requires the bank details to be recorded in the system, and
a reviewer approves creation of the supplier record on the basis of supporting documents
and a cancelled cheque. Further, the supplier record cannot be edited without the
approval of the head of the purchasing department.
Type: Preventive: no payment can be made to a supplier whose record has not been
approved.
How it addresses the fraud: the payment destination and supplier details are reviewed and
approved before use, and unreviewed edits are prevented.

(c) Creating bogus purchase orders of a bona fide supplier and substituting the
supplier's bank account details with the fraudster's bank account details
Control 1: The supplier record cannot be edited without the approval of the head of the
purchasing department.
Type: Preventive: the edit is blocked until approved.
How it addresses the fraud: a change to the bank details requires system approval by the
purchasing department head, so the fraudster cannot redirect payments alone.
Control 2: Purchase orders are approved by the head of the purchasing department.
Type: Preventive: the order cannot proceed without the approval.
How it addresses the fraud: the system approver ensures that a bogus purchase order
record cannot be created.

(d) Obtaining kickbacks or bribes from suppliers or contractors (as an inducement to
purchase from them)
Control: Calling for multiple purchase quotations before an order is placed.
Type: Preventive: the supplier is selected on the quotations before the order exists.
How it addresses the fraud: ensures that the company orders on price and quality, so a
single favoured supplier cannot be chosen without justification.

(e) Associates of the staff providing services to the business at inflated prices
Control: Calling for multiple purchase quotations before an order is placed.
Type: Preventive.
How it addresses the fraud: the inflated price is exposed by comparison with the other
quotations before the order is placed.

(f) Personal use of business resources
Control: Monitor usage of resources and perform physical inspection of assets.
Type: Detective: the misuse is identified after it has occurred.
How it addresses the fraud: identifies misuse of the assets.

(g) Inflated/bogus reimbursement claims
Control: Require submission of supporting documents, and require approval of claims
before payment.
Type: Preventive: the claim is not paid until it has been supported and approved.
How it addresses the fraud: ensures that all claims are based on supporting documents
and are reviewed before payment.

(h) Manipulation of financial data to receive performance-based bonuses
Control: Posted financial data cannot be edited or altered directly; changes are made only
through authorised adjusting entries that leave an audit trail.
Type: Preventive: direct edits are blocked.
How it addresses the fraud: ensures no manipulation of records at any level, and any
change is attributable.

(i) Faking time sheets
Control: Attendance recorded by a fingerprint register that automatically records entry
and exit times.
Type: Preventive: the time record is captured by the system, not written by the employee.
How it addresses the fraud: ensures that an absent employee cannot mark a time sheet.

(j) Private purchases through business accounts/business credit cards
Control: Review of bank and credit card statements, with an explanation required for
each purchase.
Type: Detective: the purchase has already been made when it is reviewed.
How it addresses the fraud: ensures that only genuine business purchases are paid.

(k) Providing discounted (or free) goods or services to friends and associates
Control: Details of the recipients of discounted or free goods or services are reviewed.
Type: Detective: the benefit is identified after it has been given.
How it addresses the fraud: ensures that friends or associates are not given these benefits.
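The controls tabulated above for (a), (b) and (c) are preventive; the detective side of the same frauds is a periodic review of the payroll run and the supplier master. As an added example (not code from the textbook or CPA Australia's guide), the checks below flag payments to employees who are terminated or unknown to HR, bank accounts shared between two employees or between an employee and a supplier, and supplier bank-detail changes that lack an approver. All records, field names and function names are constructed for this illustration.

```python
from collections import defaultdict

# Constructed HR master, payroll run, supplier master and supplier change log
EMPLOYEES = [
    {"emp_id": "E001", "name": "A. Nguyen", "status": "active", "bank": "12-3456-7890"},
    {"emp_id": "E002", "name": "B. Tran", "status": "terminated", "bank": "12-3456-1111"},
    {"emp_id": "E003", "name": "C. Le", "status": "active", "bank": "12-3456-2222"},
    {"emp_id": "E004", "name": "D. Pham", "status": "active", "bank": "12-3456-2222"},
]
PAYROLL_RUN = [
    {"emp_id": "E001", "amount": 3200.00},
    {"emp_id": "E002", "amount": 2900.00},  # terminated employee still being paid
    {"emp_id": "E003", "amount": 3100.00},
    {"emp_id": "E004", "amount": 3100.00},
    {"emp_id": "E999", "amount": 2500.00},  # not in the HR master at all
]
SUPPLIERS = [
    {"supplier_id": "S10", "name": "Bolt Supplies Ltd", "bank": "99-0000-0001"},
    {"supplier_id": "S11", "name": "Quick Services", "bank": "12-3456-7890"},  # same as E001
]
SUPPLIER_CHANGE_LOG = [  # audit trail of edits to the supplier master
    {"supplier_id": "S10", "field": "bank", "old": "99-0000-0002",
     "new": "99-0000-0001", "approved_by": "purchasing_head"},
    {"supplier_id": "S11", "field": "bank", "old": "55-1111-2222",
     "new": "12-3456-7890", "approved_by": None},
]


def ghost_employee_flags(employees, payroll):
    """(a) Payroll lines for people HR does not consider active employees."""
    by_id = {e["emp_id"]: e for e in employees}
    flags = []
    for pay in payroll:
        emp = by_id.get(pay["emp_id"])
        if emp is None:
            flags.append((pay["emp_id"], "paid but not in HR master"))
        elif emp["status"] != "active":
            flags.append((pay["emp_id"], f"paid while status is {emp['status']}"))
    return flags


def shared_bank_accounts(employees, suppliers):
    """(a)/(b) Bank accounts that receive money under more than one identity.

    Two employees on one account suggests a ghost; an employee sharing an
    account with a supplier suggests a bogus supplier.
    """
    owners = defaultdict(list)
    for e in employees:
        owners[e["bank"]].append(e["emp_id"])
    for s in suppliers:
        owners[s["bank"]].append(s["supplier_id"])
    return {acct: ids for acct, ids in owners.items() if len(ids) > 1}


def unapproved_bank_changes(change_log):
    """(c) Supplier bank-detail edits with no approver recorded in the audit trail."""
    return [c["supplier_id"] for c in change_log
            if c["field"] == "bank" and not c["approved_by"]]


if __name__ == "__main__":
    print(ghost_employee_flags(EMPLOYEES, PAYROLL_RUN))
    print(shared_bank_accounts(EMPLOYEES, SUPPLIERS))
    print(unapproved_bank_changes(SUPPLIER_CHANGE_LOG))
```

Each function reads the master data rather than the transaction that created it, which is the point of a detective control: it still works when the preventive approval step in the table was bypassed or the approver was the fraudster.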
