
Unit 15 Information Systems and Data Governance

15.1 Accounting Information Systems


The ultimate purpose of designing and executing an accounting information system (AIS) is to
provide relevant and reliable information to decision makers. This is done by creating, recording,
summarizing, and reporting a company's financial transactions. The primary model of an AIS is
input, process, and output: input (creating data), processing (recording), and output (reporting).
This allows the data to be summarized in the way that is most useful to the decision maker.
Summarized information includes daily sales reports, financial statements, etc.

1. Accounting Information Systems


A Management Information System (MIS) receives input from a transaction processing system,
aggregates (collects) it, and reports it in a format that is useful to middle managers in running the
business.
An information system is an essential part of the company's value chain. This is why an MIS is
classified by function OR activity.
An Accounting Information System (AIS) is a sub-system of an MIS that processes routine, highly
structured financial and transaction data relevant to both the AIS and the MIS.
An AIS is composed of the following:
1) General Ledger / Financial Reporting System (GL/FRS)- is related to transactions
with external parties (Ex- customers, suppliers, governments, owners, and creditors) that are
reflected in financial statements prepared under GAAP. (Produces the income statement,
balance sheet, cash flow statement, etc.)

2) Management Reporting System (MRS)- provides information useful for decision
making and internal management, including the recording of internal activities in the cost
accounting system and the preparation of reports and analyses. (Produces pro forma
financial statements, budgets, cost-volume-profit analysis, etc.)

3) Transaction Processing System (TPS)- is a system that performs the routine
transactions necessary to conduct business. A transaction is a single discrete (separate)
event that can be stored in an information system.

1|Page
2. Accounting / Business Cycles
A cycle is a way of organizing financial transactions according to their purpose. There are 7
primary cycles:
❖ Revenue Cycle
❖ Expenditure Cycle
❖ Production Cycle
❖ Human Resource and Payroll Cycle
❖ Financing Cycle
❖ Fixed Assets (PPE) Cycle
❖ General Ledger

1) Revenue Cycle
The revenue cycle OR sales cycle is devoted to processing company sales. The process is as
follows.

2) Expenditure Cycle
The expenditure cycle is devoted to purchasing items (mostly inventory) for the operations of the
business, whether purchased at retail prices OR wholesale prices.

3) Production Cycle (Operations)
The production (operations) cycle varies from one business to another; however, there is a
pattern of accounting data inputs, processes, and outputs that can be used when considering the
production cycle.
There are 4 major activities in a production cycle:
➢ Product Design
➢ Planning and Scheduling
➢ Production Operations
➢ Cost Management

4) Human Resources and Payroll Cycle
The primary role of the human resource cycle is to make sure the business has people with the
right skills to carry out its mission.
The primary steps in the human resource cycle are hiring, training, transferring, and
firing employees.
The primary function of the payroll process is to compensate employees for the work done. The
five main steps in the process include:

5) Financing Cycle

6) Property, Plant, and Equipment (PPE) Cycle


The PPE cycle consists of three primary steps:

7) General Ledger and Reporting Process


The general ledger and reporting process consist of four primary steps:

3. Separate Financial and Non-Financial Systems
The main problem with having separate financial and non-financial systems is data maintenance
and ensuring that the data is linked accurately. Financial and non-financial systems measure the
same thing, but with different tools.

4. Enterprise Resource Planning (ERP)


Before the days of relational databases, companies had no choice but to create separate programs
and files to manipulate and maintain data. Later on, ERP was introduced. ERP systems store all
of the company's data in one central database. Furthermore, ERP stores non-financial data related
to all aspects of the company.
ERP systems can be divided into the following business cycles:

5. Data, Databases, and Database Management Systems (DBMS)
Database- is an organized collection of data in a computer system. The data in the database are
integrated to eliminate redundancy of data items. The integrated data allow for improved
accessibility. If the organization's data are not integrated, they may contain data that are out of
date and inconsistent.

Database Management System (DBMS)- is the interface OR program between the database
and the application programs that access the database.
The DBMS manages and controls the data and the interface between the database and the
application programs. It also provides a centralized view, so that data can be accessed by many
users from different locations.
The DBMS facilitates creating, retrieving, updating, managing, and protecting data.
The DBMS controls 2 primary components:
1) Data
2) Database program that allows data to be accessed, retrieved, modified, and locked

The DBMS is an integrated set of computer programs that:
1) Creates the database
2) Maintains the elements
3) Safeguards the data from loss OR destruction
4) Makes the data available to applications, programs, and inquiries

The database schema OR blueprint defines the database's logical structure OR the way humans
view the data. It is the connection between the logical and physical structures of the database.
The DBMS allows programmers and designers to work independently of the technical structure
of the database. The DBMS provides a common language for referring to the database, easing the
design and coding of programs.
Ex- DB2 (IBM), Oracle (Oracle Corp.), SQL Server (Microsoft), and Access (Microsoft).

A database administrator (DBA) is an individual who has the overall responsibility for
developing and maintaining the database and for establishing controls to protect its integrity.
The DBA has the ultimate responsibility to update data dictionaries. The DBA is also responsible
for creating, maintaining, securing, restricting access to, redefining, and restructuring the database.

Data Dictionary- is a file that describes both physical and logical characteristics of every data
element in a database. The dictionary includes names of data elements, amount of disk space,
etc.

Database Mapping Facility- is software that is used to evaluate and document the structure of
the database.

An object-oriented database is a response to the need to store not only numbers and characters,
but also graphics and multimedia applications.

6. Two Early Database Structures

Storing all related data on one storage device creates security problems. This is because any
hardware OR software malfunction, OR any unauthorized access, may be disastrous for the business.
Security therefore places great emphasis on providing backups and restricting access to the
database. The entity may use:
❖ Dual Logging- the use of two transaction logs, written simultaneously on separate
storage media.

❖ Snapshots- capture data values before and after transaction processing.

❖ The stored files can be used to re-construct the database in the event of data loss OR
corruption.

7. Relational Database Structure
A relational structure organizes data in a conceptual arrangement (groups of tables). Data is
stored according to the data hierarchy and the structure of the data in each level.
➢ Field / Attribute / Column is the first level in the data hierarchy. It is information that
describes one attribute of an item OR entity in the database. (Ex- person OR object).

➢ Record is the second level of data. A record contains all information about one item OR
entity in the database. Each item of information is kept in a separate field within a
record (Ex- an employee's ID, address, and name are each held in their own field, but all
these details are within the employee's record). The data fields contained in each record
are part of the record structure.

➢ File / Table is the third level in the data hierarchy. A table is a set of related records.
(Ex- records of all employees)

➢ Database is the highest level. It is made up of several files OR tables. (Ex- an AIS
contains a collection of tables)

In a relational structure, each data element is stored only once, which is achieved by
normalization. Normalization prevents inconsistent deletion, insertion, and updating of data
items.

There are 3 basic operations in the relational model:
1) Selecting- creates a subset of records that meet a specific criterion.

2) Joining- is the combining of relational tables based on a common field OR combination
of fields.

3) Projecting- results in the requested subset of columns from the table. This operation
creates new tables containing only the required information.

There are 2 features that make the relational data structure stand out:
1) Cardinality- refers to how close a given data element is to being unique.

✓ A data element that can exist only once in a table has high cardinality.
✓ If the data element is not unique, but has a restricted range of values, it has
normal cardinality.
✓ A data element that has a very small range of values has low cardinality. (Ex-
male OR female / true OR false)

2) Referential Integrity- in order for a record to be entered in a table, a related record must
already exist in some other table.
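As an added illustration of the three relational operations and of referential integrity (this is example code, not part of the original notes), the following Python script builds a small in-memory SQLite database from constructed customer and sales-order rows, runs a select, a projection, and a join, shows the database refusing an order whose customer does not exist, and measures a column's cardinality as the share of distinct values.

```python
import sqlite3

# Constructed sample data (not from the original notes): customers and the
# sales orders that reference them, as a revenue-cycle AIS might hold.
CUSTOMERS = [(1, "Acme Ltd", "NY"), (2, "Globex", "CA"), (3, "Initech", "NY")]
ORDERS = [(100, 1, 250.00), (101, 1, 75.50), (102, 3, 1200.00)]


def build_db():
    """Create an in-memory database with a foreign key from orders to customers."""
    conn = sqlite3.connect(":memory:")
    # SQLite enforces foreign keys only when this pragma is on for the connection.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL, state TEXT)")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, "
        "customer_id INTEGER NOT NULL REFERENCES customers(id), amount REAL NOT NULL)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", ORDERS)
    conn.commit()
    return conn


def select_orders_over(conn, threshold):
    """Selecting: the subset of rows that meet a criterion (amount above threshold)."""
    return conn.execute(
        "SELECT id, customer_id, amount FROM orders WHERE amount > ? ORDER BY id", (threshold,)
    ).fetchall()


def project_customer_names(conn):
    """Projecting: only the requested column from a table."""
    return [row[0] for row in conn.execute("SELECT name FROM customers ORDER BY id")]


def join_orders_with_customers(conn):
    """Joining: combine two tables on the common field orders.customer_id = customers.id."""
    return conn.execute(
        "SELECT o.id, c.name, o.amount FROM orders o "
        "JOIN customers c ON o.customer_id = c.id ORDER BY o.id"
    ).fetchall()


def insert_order(conn, order_id, customer_id, amount):
    """Referential integrity: an order is accepted only if its customer already exists."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute("INSERT INTO orders VALUES (?, ?, ?)", (order_id, customer_id, amount))
        return True
    except sqlite3.IntegrityError:  # "FOREIGN KEY constraint failed"
        return False


def delete_customer(conn, customer_id):
    """The same rule on deletion: a customer that still has orders cannot be removed."""
    try:
        with conn:
            conn.execute("DELETE FROM customers WHERE id = ?", (customer_id,))
        return True
    except sqlite3.IntegrityError:
        return False


def cardinality(conn, table, column):
    """Cardinality: distinct values / rows, so 1.0 means every value is unique.

    table and column are identifiers fixed in code, never user input, because
    identifiers cannot be passed as bound SQL parameters."""
    distinct, total = conn.execute(
        f"SELECT COUNT(DISTINCT {column}), COUNT(*) FROM {table}"
    ).fetchone()
    return distinct / total
```

Without the `PRAGMA foreign_keys = ON` line, SQLite silently accepts the orphaned order, which is the kind of integrity gap the notes warn about.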

The main advantage of the relational data structure is that searching for records is greatly facilitated.

Data from a relational database can be displayed in graphs and reports, changed, and controlled
using a program called Query Management Facility (QMF).

A distributed database is stored in two OR more physical sites using:
1) Replication (snapshot)- makes a duplicate to be stored at several locations. Changes are
periodically made and sent to each location.

2) Partitioning (Fragmentation)- stores specific records where they are most needed.

8. Data Warehouse
Data Warehouse- is a set of large databases consisting of detailed and summarized data that is
used primarily for analysis rather than for processing transactions. It is a storage location for all of
a company's data from programs, sources, and databases. The data is usually cleaned and organized
before being stored so that it can be searched.
Data warehouses contain current operating data and historical information from the organization.
So, the data is integrated, consolidated, and standardized across the organization.

9. Data Cleaning
Data Cleansing- cleans up data that is incorrect, incomplete, or duplicated before loading it
into the database. It improves the quality of data, and the need for data cleansing increases when
multiple data sources are integrated.

10. Data Mining


Data Mining- is the process of analyzing data from different perspectives and summarizing it
into useful information. Software is usually used for data mining. Data mining can be used by
internal auditors to detect fraud and find abnormal patterns.

11. Data Mart

A Data Mart is a subsection of a data warehouse that can be tailored to user data requirements. It is
mainly created for business lines OR departments.

12. Enterprise Performance Management (EPM)

Enterprise Performance Management (corporate OR business performance management)
consists of monitoring and evaluating business performance, whereas ERP helps to manage the
day-to-day operations of a company.
EPM is associated with:
❖ Business Intelligence and ERP
❖ Budgeting and Forecasting
❖ Financial Reporting
❖ Analyzing performance results and identifying ways to improve

15.2 Data Governance and Risk

1. Data Governance
Data Governance is the overall management of data within an organization. The organization
must have well-designed and functioning data governance to prevent data from being corrupted,
devalued, made unusable, lost, or stolen.
Data Governance includes:
❖ Data availability- is the process of making data available to users and applications when
needed.

❖ Data usability- includes accessibility, quality, and accuracy to users of the data.

❖ Data integrity- is the completeness, consistency, reliability, and accuracy of data.

❖ Data security- the protection of data: preventing unauthorized access and protecting
against corruption and other loss.

❖ Data privacy- determining who is authorized to access data and which items of data can
be accessed.

❖ Data integration- combining data from different sources (internal and external) and
providing users with a unified view of all the data.

❖ System availability- is maximizing the probability that the system will function as
required and when required.

❖ System maintenance- includes modifying the system to correct a problem, improve
performance, update it, or adapt it to changed requirements.

❖ Compliance with regulations- laws regulating privacy protection

❖ Roles and responsibilities of managers and employees

❖ Data flow within the organization (internal and external)

2. Control Objectives for Information and Related Technologies (COBIT)
COBIT is focused on effective internal control as it relates to IT. COBIT 2019 has 6 key
principles for a governance system:
1) Provide value to stakeholders by achieving the required strategy

2) Take a holistic approach, by creating synergies among the components

3) Utilize a dynamic governance system

4) Keep governance distinct (separate) from management

5) Tailor governance to the enterprise's needs

6) Achieve end-to-end enterprise coverage

NOTE
Governance system components can be:
➢ Generic- components applied in principle to any circumstances

➢ Variant- components designed for a given purpose OR context in a focus area

3. Data Life Cycle


The data life cycle is the period from the creation of data and its initial storage to the time when
the data is no longer needed and is purged.
Stages of the data life cycle include:
❖ Data Capture- is the process of creating new data that did not previously exist in the
organization. Data can be captured by:

✓ External Acquisition (Utilizing data)- the organization acquires data from
outside the entity.

✓ Data Entry- new data values can be created within the organization.

✓ Signal Reception- the organization acquires data that has already been created by a
control system within the organization; data received by transmission (Ex- data
from sensors)
❖ Data Maintenance- is the second stage of the life cycle, after the data has been captured.
It is defined as supplying data to the points at which data synthesis and data usage occur.
Data maintenance involves processing the data without deriving any value for the
business. It often involves cleansing and enrichment of data.

❖ Data Synthesis- involves using statistical methods that combine data from many sources
to obtain a better overall estimate. Data synthesis involves creating values by using
inductive logic, with other data as inputs.

❖ Data Usage- is how the data is used to support the mission of the business, such as
strategic planning, processing invoices, etc. Data usage can also be defined as the
application of data to tasks based on the entity's needs to run and manage itself.

❖ Data Analytics- is the science of examining raw data with the purpose of creating new
information and generating business insights. Data analytics uses modeling such as risk
modeling, actuarial modeling, and modeling for investment decisions.

❖ Data Publication- is the process of sending data to a location outside the organization.
(Ex- sending monthly statements to customers)

❖ Data Archival- is the process of removing the data from active use to be stored for
potential future use. Therefore, there will be no regular maintenance and probably little
usage.

❖ Data Purging- occurs at the end of the data life cycle; every copy is removed from
the business, usually from the archives. Disposing of all copies is usually a data
governance challenge, as it is difficult to prove that a full purge actually occurred.

4. Record Retention Policy
It is important for every organization to have a formal record retention policy (record
management policy), which provides the basis for the retention and periodic destruction of
documents and other records.
Keeping and maintaining too many records OR storing them longer than needed can create
unneeded costs for the organization.
For some types of documents, there are minimum retention periods imposed by law, such as for
tax and employee-related documents. (Ex- tax records must be kept for at least 7 years, unless
there is suspected fraud, in which case there is no minimum.)
If records needed for a particular legal case have been destroyed in accordance with a well-
established record retention policy, then the court may assume the organization was complying
with its duty.

5. Cyberattack Detection and Prevention

Cybersecurity- is the process OR methods of protecting internet-connected networks, devices,
or data from attacks. Cyberattacks are usually made to access, change, or destroy data, or to
interrupt business operations.
Cybercrimes that target individuals include:
❖ Social Engineering- an individual may pose as a trustworthy co-worker to ask for a
password OR confidential information.

❖ Dumpster Diving- is the act of sifting (examining) through the company's trash for
information that can be used to break into computers or assist in social engineering.

Defenses against cyberattacks include:
➢ Penetration Testing (Ethical Hacking)- normally involves the company hiring a
consultant to attempt to attack a secured system. This method helps to identify weak
points. Also known as intrusion testing OR vulnerability testing.

➢ Firewalls- help to detect and prevent cyberattacks. They use the concept of defense in
depth, so that if one security layer is breached the others can stop an attack.

➢ Biometric Identification- each user must authenticate themselves to the system. The
benefit is that biometric identifiers (Ex- a fingerprint) are very difficult to lose or steal, so
access is more tightly restricted.

15.3 COSO Framework- Internal Control for Data Governance

Effective corporate governance relies mainly on effective systems of internal control and
enterprise risk management. COSO has established a widely accepted framework for each
system.
There are 3 objectives of the COSO Model:
1) Operations
2) Reporting
3) Compliance

There are 5 components of the COSO Model:
1) Control Environment
2) Risk Assessment
3) Control Activities
4) Information and Communication
5) Monitoring

There are 4 levels of the organizational structure in the COSO Model:
1) Entity Level
2) Division
3) Operating Unit
4) Function

1. Requirements of Effective Internal Control
A system of internal control is effective if it provides reasonable assurance of achieving the
entity's objectives (operating, reporting, and compliance). Such a system reduces the risk of
not achieving those objectives to an acceptable level.
An effective system of internal control requires that each of the 5 components of internal control
be:
❖ Present- refers to whether the components and principles exist in the design and
implementation of internal control.

❖ Functioning- refers to whether the components and principles continue to exist in the
operation of the system of internal control.

❖ Operating together- the 5 components must operate together in an integrated manner, which
means that all 5 components collectively reduce the risk of not achieving an objective to an
acceptable level.

The use of judgment is required in designing, implementing, and conducting internal control
and in assessing its effectiveness.

The use of outsourced service providers for certain business processes does not relieve the
organization of its responsibility for the system of internal control.

Despite the fact that technology innovations create opportunities and risks, the principles of
COSO do not change.

The organization's size may affect how it implements internal controls:
➢ In smaller organizations, senior management has a wider span of control and greater
direct interaction with personnel than in larger organizations.
➢ Larger organizations need to rely more on formal mechanisms of control (Ex- reports,
formal meetings, conference calls, etc.)
➢ Larger organizations have more resources than smaller organizations. Consequently
(thus), a smaller organization may outsource the majority of its internal audit function
OR incur higher costs compared to a large organization, because of the lack of economies
of scale.

2. Roles and Responsibilities Regarding Internal Control
There are 2 types of parties responsible for internal control:
✓ Internal Party
✓ External Party

Internal Parties
1) Board of Directors
The BOD has responsibility for overseeing the internal control system. It defines
expectations about integrity, ethical values, transparency, and accountability, including through
the selection and termination of the CEO.
BOD committees include:
✓ Audit Committee
✓ Compensation Committee
✓ Nomination / Governance Committee
✓ Risk Committee
✓ Finance Committee

2) Senior Management
Senior management sets the tone at the top and has the primary responsibility for
establishing a proper ethical culture. It sets the objectives and has the overall
responsibility for designing, implementing, and operating an effective system of internal control.
The senior management also:
❖ Maintains oversight and control of the risks of the entity
❖ Guides the development and performance of control activities at the entity level
❖ Assigns the responsibility to establish more specific internal controls at different levels of
the entity
❖ Communicates expectations
❖ Evaluates control deficiencies

3) Operational Management
Operational managers provide the first line of defense for effective management of risk and
control. They also develop and implement control and risk management processes.

4) Business-Enabled Functions
Business-enabled functions provide the second line of defense for effective management of risk
and control. These functions support the entity through specialized skills and include various
risk management and compliance functions.
Furthermore, they are mainly responsible for the ongoing monitoring of control and risk.

5) Internal Auditors
Internal auditors provide the third line of defense for effective management of risk and
control. They evaluate the adequacy and effectiveness of controls in responding to risks in the
entity's oversight, operations, and information systems. To remain independent, the internal
auditor cannot be responsible for selecting and executing controls.

6) Other Personnel
Everyone in the organization is expected to competently perform their appropriate control
activities and to inform those higher in the firm about any ineffective controls.

External Parties
1) External Auditors

2) Legislators and regulators

3) Parties interacting with the Entity

4) Financial Analysts, Bond Rating Agencies, and Media

5) Outsourced Service Providers

3. Limitations of Internal Controls
Internal controls only provide reasonable assurance of achieving objectives. They cannot provide
absolute assurance because any system of internal control has inherent limitations.
Inherent limitations include:
1) Established objectives must be suitable for internal control. (Ex- if an entity has
unrealistic objectives, the internal controls will be ineffective)

2) Human judgment is faulty, and controls may fail because of errors OR mistakes.

3) Controls may fail due to breakdowns (Ex- employee misunderstanding, carelessness, OR
fatigue)

4) Management may inappropriately override internal control (Ex- fraudulently recognizing
revenues OR hiding liabilities)

5) Manual OR automated controls can be circumvented (bypassed) by collusion.

6) External events are beyond the organization's control.

