Module 5: AIS and Business Processes (e.g.
here can have serious consequences; reporting
revenue cycle, expenditure cycle, general
ledger and financial reporting cycle)
Introduction
This module examines the application of the
concepts introduced in the Midterm period to
specific examples of business cycles or processes
that operate within a wide range of businesses.
These examples of transaction cycles that occur
within a business are central to the business
being able to attain its objectives. Each cycle
operates through a series of activities aimed at
achieving a particular goal or solving a particular
problem within the organization. This module
outlines the particular business process and the
appropriate systems documentation.
The revenue cycle commences when a customer
indicates they want to purchase a product and
ends after the product has been delivered and
payment received. The level of activity within the
revenue cycle drives the activity levels for all the
other business processes. The revenue cycle has
a large number of external interactions with
customers.
The expenditure cycle commences when a
section of the organization reports a need for
goods or services to be provided and ends when
the goods or services have been received and
paid for. The expenditure cycle has a large
number of external interactions with suppliers.
After the transaction cycles have been
successfully completed, details are sent to the
general ledger and financial reporting cycle to
enable updating of the general ledger and
subsequent financial reporting. The revenue
cycle provides details of invoices raised by the
billing system and payments received from
customers, and the expenditure cycle forwards
details of payments established and made. These
data are validated, consolidated, adjusted and
used for reporting and analysis of the
organization’s performance. Any errors made
incorrect values can result in poor internal
decision making, issues with capital markets and
the possibility of regulatory prosecution if
corporate laws are breached.
Data flows between the transaction cycles
Learning Outcomes
• Appreciate the many ways technology is
changing management’s ability to
monitor and control business processes
across the organization.
• Know the objectives, inputs, and outputs
of the revenue, expenditure, and
general ledger processes.
• Understand how business strategy
affects the data that are collected in the
firm’s AIS and how that affects
performance measures
Transaction cycle — the revenue cycle
Revenue cycle overview and key objectives
For an organization to prosper it is essential that
the revenue cycle is well managed and
controlled. Marketing, sales and finance are the
organizational units that have primary
responsibility for the revenue cycle. Sales are the
primary driver of all organizational activity and
the most intensive customer contact point. Sales
are easily lost if consumers are confronted with
an inadequate sales process or improper billing
practices. Losses are likely if deliveries are not
accurate, timely and well controlled. An
inadequate revenue cycle, or failure to collect
revenues, can lead to declining sales, cash flow
difficulties and, in the worst cases, potential
insolvency or cessation of the business.
The revenue cycle is conventionally divided into
two major elements. The front end of the cycle is
client facing and is where the sales transaction
takes place. The objective of the sales phase is to
effectively conduct, record and monitor sales of
goods and services, and arrange the prompt
supply of goods and services. Essentially, staff
involved in the sales phase need to make sure
that the organization provides the right product
at the right time to the right place. To achieve
this objective, customer orders must be properly
recorded and controlled, sales should only be
made to creditworthy customers and delivered
goods must meet the customer’s needs.
Following directly on from sales is the accounts
receivable phase, where the objective is to
ensure payments for goods and services are
correctly received, recorded and banked. This
part of the cycle is sometimes referred to as
‘back-office’ or ‘back-end’ processing. The
activities in this latter part of the cycle are often
carried out by staff who do not have the same
direct contact with customers as the front-end,
or client-facing, staff who process sales. In order
to maintain good client relationships, the
linkages between the front-end and back-end
revenue systems must be well defined. The
accounts receivable phase needs to make sure
that customers are billed the right amounts for
the right products, and that those amounts are
collected at the right time. This involves ensuring
that customer invoices and receipts are prepared
and recorded in an accurate and timely manner,
that cash receipts are protected from fraud and
misuse, that receivables balances are kept to a
minimum level and that the organization collects
amounts owing to it on a timely basis.
Technologies underpinning the revenue cycle
Enterprise resource planning (ERP) systems
assist with enabling and integrating the revenue
cycle. The revenue cycle links into many areas
within the organization; an ERP system not only
improves the integration of enterprise-wide data
but also provides tighter linkages between
relevant modules such as marketing, sales,
production, shipping, billing, accounts receivable
and general ledger.
The revenue cycle can benefit greatly from
technologies that provide an efficient means of
data exchange. It is more efficient, timely and
cost effective to transact electronically. Much of
the paperwork generated by the revenue cycle
(e.g. invoices and shipping documents)
originates in-house and is sent outwards to
customers. The ability to transact online not only
speeds up the revenue transaction cycle, it can
also act to outsource some of the transactional
work, and therefore costs, to the customer.
Technologies such as electronic data
interchange (EDI) (to produce specifically
tailored systems for large repeat customers) and
eXtensible Markup Language (XML) (for online
sales sites) help provide efficient data exchange.
Paper documentation sent into the organization
as part of the revenue cycle (typically remittance
advices and customer purchase orders) can be
handled more efficiently using digital imaging.
Scanning documents speeds up processing by
providing broader immediate access to incoming
documentation.
Improvements in the revenue cycle can be made
by undertaking data mining or trend analysis in
order to improve understanding of markets and
product performance. Providing some form of
revenue data warehouse is necessary in order to
undertake these activities. Revenue data
warehouses typically store summarized
historical revenue data arranged along product
or segment lines, allowing data mining to take
place.
Customer relationship management (CRM)
technologies can support revenue cycle activities
by improving understanding of customers and
their interactions with the organization. CRM
technologies typically store historical revenue
data arranged by customer, in contrast to data
warehouses, which tend to store data arranged
by market segments or chronology.
Online payment facilities such as BPAY provide
a simple and cost-effective way for organizations
to receive payments. In addition to providing
more timely payments, using customer self-
service sys-tems such as BPAY helps cut data
entry costs and reduce error rates. The use of
online banking facilities improves transparency
and reconciliation of transactions and involves
less cash handling, which improves security and
cash flows.
Tracking and recording inventory forms a large
part of the sales process. The efficiency and
accuracy of inventory-related activities can be
improved by the use of barcode scanners.
Barcode scanning not only reduces error levels
by automating data input, it improves timeliness
as scanned data is immediately uploaded and
available for use
Data and decisions in the revenue cycle
• Customer data – revenue cycle activities
require access to customer data, which
contain details of all existing customers, in
order to identify authorized customers.
Customer data is ideally produced by a
dedicated customer management section of
the organization, which has responsibility for
identifying and authorizing new and existing
customers but is not involved in revenue
cycle activities. This customer management
section would also be responsible for
assigning and reviewing customer credit
limits. The revenue cycle uses customer data
in several different activities; for example,
customer credit data helps to decide if a
customer is creditworthy, customer address
data is used to arrange shipment and
invoicing of goods, data relating to customer
demographics and order characteristics is
often collected during revenue cycle
activities for use in future marketing
programs.
• Inventory data – an important data source
for the revenue cycle is inventory data,
which is a record of each item stocked or
regularly ordered. Inventory data is primarily
created by activities within the expenditure
cycle; however, the revenue cycle also
updates inventory data by recording
decreases in stock levels created by
shipment of goods. Inventory data related to
existing stock levels are also accessed by the
sales process when deciding whether there
is sufficient inventory for a potential sale to
occur.
• Accounts receivable data – accounts
receivable data are both created and
updated by activities within the revenue
cycle; invoices created by billing activities
are recorded in accounts receivable, as are
details of payments received during the
accounts receivable process. More detailed
information about customer payments is
recorded in the cash receipts data. The most
detailed data produced by the revenue cycle
are sales data, which contain all details of
each sale made by the organization and the
status of the sale. An additional common
data record is accounts receivable
adjustments data, where any bad or
doubtful debts and sales returns are
recorded. These data are useful when
undertaking analysis of revenue cycle
performance, in addition to forming part of
financial reports.
Objectives of the Revenue Process
Revenues result from an organization’s sale of
goods or services. They may also result from
donations or gifts, as in the case of charitable
organizations. An organization that generates
revenues but fails to collect these revenues
regularly may find it cannot pay its bills. Many
people unfamiliar with accounting make the
incorrect assumption that companies with
positive incomes cannot go out of business. The
reality is that bankruptcy results from
inadequate cash flow, not from insufficient
income. A primary objective in processing
revenues is to achieve timely and efficient cash
collection. To process sales in a timely manner,
an organization must be able to track all
revenues that customers owe the firm. Once the
AIS recognizes these revenues, the system needs
to monitor the resulting cash inflows.
Maintaining customer records is an important
function of the AIS for the revenue process. This
includes validating a customer’s bill-paying
ability and payment history, assigning credit
limits and ratings to customers, and tracking all
customers’ outstanding invoices. Processing
revenues includes filling customers’ orders, and
this requires an interface with the inventory
control function. The AIS should bill customers
only for products shipped. The sales process
must also allow for certain exceptions—for
example, sales returns.
Forecasting is another objective of the AIS to
help management in its planning function—a
future focus. Predictive analytics, using big data,
is increasingly important information that
managers need to make these decisions. The AIS
must support this need by analyzing sales orders,
sales terms, payment histories, and other data.
For example, sales orders can predict future
revenues, and the terms of sale provide
information about likely dates of collection on
accounts.
Events in the Revenue Process
Figure below illustrates an AIS for the sales
process in a systems flowchart. This view
assumes an online sales order. Notice that emails
and electronic images replace many of the paper
documents. The flowchart also assumes that the
AIS uses a centralized database that integrates
all data files. The following fictitious example
describes the sales process shown below.
Example: Hiroshi Ajas needs to purchase books
for his classes this semester. He decides to buy
the books online. In authorizing the order,
Textbooks4U.com’s AIS verifies Hiroshi’s credit
card and checks its inventory to make sure the
books are available. The company then sends
Hiroshi an email confirmation, verifying the
transaction. Textbooks4U.com’s AIS notifies its
warehouse via email to pack and ship the books.
The warehouse processes the shipment
information and creates a packing slip.
Warehouse personnel then package the packing
slip with the books and send them to Hiroshi. The
day that Textbooks4U.com ships the books, it
charges Hiroshi’s credit card.
The major events in Textbooks4U.com’s sales
process are the sales order, the shipment of
goods, and the customer payment. The company
will record information about each of these
events. This information allows them to produce
a variety of reports—such as book sales by
regions of the country.
Inputs to the Revenue Process
Figure shows a data flow diagram of the sales
process, which identifies the data inputs and
information outputs of the process. As noted in
the example, an AIS typically creates a sales
order at the time a customer contracts for goods
or services. In this example, an accounts
receivable clerk uses this sales order to prepare
a sales invoice or the customer might generate
one herself using the web page of an online
retailer.
The sales invoice reflects the product or products
purchased, the price, and the terms of payment.
When the customer makes a payment, a
remittance advice may accompany the payment.
When you pay your Visa or MasterCard bill, for
example, the portion of the bill you return with
your check is a remittance advice.
In addition to sales orders, sales invoices, checks,
and remittance advices, shipping notices are
another input to sales processing. When the
warehouse releases goods for shipment, the
warehouse clerk prepares a shipping notice. A
copy of this notice may serve as a packing slip
and would be included in the package with the
goods. A copy of this document is also sent to the
accounts receivable department and is used as a
prompt for the department to bill the customer.
Debit/credit memoranda are source documents
affecting both the sales and purchasing
processes. An organization issues these
memoranda to denote the return of damaged
goods or discrepancies in the amount owed. For
example, let’s assume that Hiroshi’s package
with the textbooks arrived, but two of the books
were damaged and two were the wrong
textbooks. Hiroshi would return the four books
(worth $400) to Textbooks4U.com. However,
Hiroshi must wait until the company receives the
books and processes the return before he will be
issued a credit to his account (credit card) for the
$400.
If a company finds that it has charged a customer
too little for goods sold, the company would
issue a debit memorandum. This debit
memorandum signifies a debit to the customer’s
account receivable with the company to reflect
the amount not charged originally. The customer
now owes more to the company.
Business organizations use the data they collect
about their customers and sales transactions to
improve customer satisfaction and increase
profitability. As a result, firms are purchasing or
developing customer relationship management
(CRM) software to gather, maintain, and use
customer data to provide better customer
service and enhance customer loyalty. However,
think broadly here about potential uses of CRM
software. For example, many universities are
now purchasing CRM solutions to help them
better manage their current and potential
customers (i.e., students). These software
packages help various schools and colleges
within a university manage course enrollments,
communications, and invoice and payment
processing, and perhaps most importantly help
them stay connected with graduates who will
potentially become donors.
Outputs of the Revenue Process
Processing sales transactions creates several
outputs. An AIS uses some of these outputs to
produce external accounting reports (such as
financial statements) as well as internal reports
(such as management reports). Management
reports can be in any format and contain any
type of information managers need for decision-
making.
One output of the sales process is a customer
billing statement. This statement summarizes
outstanding sales invoices for a particular
customer and shows the amount currently
owed. Other reports generated by the sales
revenue process include aging reports, bad debt
reports, cash receipts forecasts, approved
customer listings, and various sales analysis
reports. The aging report shows the accounts
receivable balance broken down into categories
based on time outstanding (see Figure 10-9). The
bad debt report contains information about
collection follow-up procedures for overdue
customer accounts. In the event that a
customer’s account is uncollectible, the account
is written off to an allowance account for bad
debts. A detailed listing of the allowance account
may be another output of the sales process.
All of the data gathered from source documents
in processing sales transactions serve as inputs
to a cash receipts forecast. Data such as sales
amounts, terms of sale, prior payment
experience for selected customers, and
information from aging analysis reports and cash
collection reports are all inputs to this forecast.
Recall that maintaining customer records is an
important function of the AIS in the sales
process. The billing or accounts receivable
function should approve new customers, both to
ensure that the customers exist and to assess
their bill-paying ability. This may require
obtaining a credit report from a reputable credit
agency. The billing function assigns each new
customer a credit limit based on credit history.
From time to time, the AIS produces an approved
customer listing report. This report is likely to
show such information as customer ID numbers
(for uniquely identifying each customer), contact
name(s), shipping and billing addresses, credit
limits, and billing terms.
If an AIS captures (or converts) appropriate sales
data electronically, it can also produce various
sales analysis reports. These include sales
classified by product line, type of sale (cash,
credit, or debit card), or sales region. However,
the sales process can only produce effective
sales analysis reports if the AIS captures
appropriate sales data. A customer relationship
management solution can help managers take
advantage of this data to maximize revenue and
to provide better customer service.
Transaction cycle — the expenditure cycle
Expenditure-related activities are strategically
and operationally important for all
organizations. The expenditure cycle
commences when a section of the organization
signals a need for goods or services to be
provided and ends when the goods or services
have been paid for. During the cycle, demand for
requested goods or services needs to be
correctly established and any resulting purchase
orders need to be accurate and appropriately
authorized. Delivered goods must be received in
a timely fashion and both the quality and
quantity of goods delivered need to be checked
before acceptance. Payments made to suppliers
must be both timely and accurate.
This topic commences with an overview of the
expenditure cycle and then considers the
strategic implications of that cycle. Technologies
that underpin the cycle are discussed and then
the data produced and consumed during the
cycle activities are identified. Typical business
process decisions are examined, along with
some of the primary considerations related to
those decisions. An expenditure cycle is fully
documented using process maps, data flow
diagrams (DFDs) and flowcharts.
Expenditure cycle overview and key objectives
In order to achieve overall business objectives
and remain profitable, the expenditure cycle
needs to be well designed and tightly controlled.
Poorly controlled expenditure can lead to cash
flow and liquidity problems. An additional
consideration for the expenditure cycle is the
need to balance the supply and demand for
products within the organization. The revenue
cycle sales phase discussed previously
determines the demand for the goods and
services provided by the company. The primary
responsibility of the expenditure cycle
purchasing phase is to ensure the supply of
goods balances this demand.
Similarly to the revenue cycle described
previously, the expenditure cycle is generally
thought of as two separate elements. The first of
these is purchasing. This phase interacts
extensively with external suppliers of goods and
services; the overall objective is to procure the
right goods at the right amount, and to receive
those goods at the right time. In order to achieve
this outcome, initiated purchases need to be
properly approved and authorized; goods and
services need to be obtained from authorized or
pre-vetted suppliers; all purchase commitments
and obligations need to be recorded accurately;
and accepted goods and services must meet
quality and delivery specifications. Errors in the
purchasing phase can lead to a situation where
goods are not available to meet customer needs
if demand is underestimated, or to the
organization incurring unnecessary inventory
holding costs if demand is overestimated.
Following the purchasing phase is the accounts relevant modules such as sales, production,
payable phase, where the objective is to pay the accounts payable, cash budgeting and general
right people the right amount at the right time. ledger. In essence, an ERP system acts to provide
The activities in this phase are typically tighter connections between demand and supply
conducted by back--office staff who will not functions within the organization.
necessarily have had previous contact with the
The expenditure cycle can benefit greatly from
suppliers of the goods. In order to ensure
technologies that provide an efficient means of
ongoing good relationships with suppliers and
data exchange with suppliers of goods and
minimize the risk of improper payments, it is
services. Some of the ‘paperwork’ associated
essential that all relevant information relating to
with the expenditure cycle (e.g. purchase orders,
the purchasing phase is shared with the accounts
purchase requisitions) originates in-house and is
payable phase. Additionally, the quality of the
sent outwards to customers, and the remainder
goods received, although not a data point
is generated externally by suppliers (e.g. price
conventionally thought of as related to
quotes, invoices, delivery dockets). Use of
accounting, is a vital indicator when deciding
technologies such as electronic data
whether a payment should be made to a
interchange (EDI) can provide accurate, timely
supplier. The accounts payable phase needs to
and cost-effective data sharing.
ensure that payments are made by authorized
employees only, and that those payments are The expenditure cycle involves many activities
both accurate and timely, while ensuring that related to the physical handling and movement
favorable settlement terms are used to of goods. Where volumes are sufficiently high to
advantage. In order to ensure the integrity of warrant the use of printed barcodes or radio
financial reporting and financial statements, all frequency identification (RFID) tags, hand-held
accounts payable liabilities must be recorded scanning devices can cut stock handling and
accurately and promptly. recording costs and improve the accuracy and
timeliness of inventory and expenditure data.
Technologies underpinning the expenditure
cycle Specialized supply chain management software
(SCM) can be used to improve both the planning
There are a number of technologies suitable for
(identifying demand for products) and execution
supporting activities within the expenditure
(receiving orders, routing goods) of the supply
cycle and improving the overall functioning of
chain by providing detailed supply chain
the process. A range of inventory management
analytics. SCM can be incorporated as an
tools are available to help improve the ability to
integrated module within an existing ERP
balance supply and demand for goods and
system, or acquired and operated independently
services. Transparency and management of cash
using a best-of-breed supplier such as
payments and cash flows can also be improved
Manhattan Associates or i2 Technologies.
by the use of appropriate technologies.
The ability to make electronic payments provides
Enterprise resource planning (ERP) systems
a fast and comparatively inexpensive way for
assist with enabling and integrating the activities
organizations to settle their accounts with
within the expenditure cycle. The expenditure
suppliers. When using electronic payment
cycle links into many areas within the
facilities such as those provided by the major
organization, and an ERP system can not only
banks it is important to consider the timing and
improve the integration of enterprise-wide data
cash flow implications. A payment made
but also provide tighter linkages between
electronically will take funds from a company
bank account immediately, whereas a payment
made via cheque may take up to ten working
days before any funds are withdrawn from the
company account. In addition to these payment
timing issues, it is vital to consider and
appropriately design access security over online
payment facilities.
Data and objectives in the expenditure cycle
• Inventory data – expenditure cycle activities
require access to data related to inventory to
help identify existing stock levels. In order to
correctly identify how much to purchase it is
important to be familiar with both the
current demand for the goods (which comes
from the sales process) and how much
inventory is currently available for sale.
Expenditure cycle activities ultimately result
in an increase in the amount of inventory on
hand. Inventory data should ideally be
updated regularly by expenditure activities
to indicate the current status code of goods
that have been ordered but not yet received.
Inventory data typically include many non-
financial indicators, such as quality of the
goods received. There are also a number of
dates of significance when analyzing
inventory and supplier performance, such as
date ordered, date confirmed, date
expected, and date delivered.
• Supplier data – the expenditure cycle
requires access to data about suppliers,
including both basic name and address
details and information about preferred
suppliers, including past performance.
• Purchase order data – records details of all
open (incomplete) purchase orders,
including the current status of each of the
items on the order
• Goods received data – lists items received
from suppliers and typically updates the
inventory status of those goods. Goods
received data are also used to verify invoice
validity during the accounts payable phase.
• Accounts payable data – both created and
updated by activities within the expenditure
cycle; invoices received from suppliers are
recorded in accounts payable, as are details
of payments made during the accounts
payable phase. More detailed information
about payments made is recorded in the
cash payments data store.
Objectives of the Expenditure cycle
Credit transactions create accounts payable.
Accounts payable processing closely resembles
accounts receivable processing; it is the flip side
of the picture. With accounts receivable,
companies keep track of amounts owed to them
from their customers. An accounts payable
application tracks the amounts owed by a
company to vendors. The objective of accounts
payable processing is to pay vendors at the
optimal time. Companies want to take
advantage of cash discounts offered and also
avoid finance charges for late payments.
Maintaining vendor records is as important to
the purchasing process as maintaining customer
records is for the sales process. The purchasing
department is responsible for maintaining a list
of authorized vendors to ensure the authenticity
of vendors as well as finding reputable vendors
who offer quality goods and services at
reasonable prices. Vendor shipping policies,
billing policies, discount terms, and reliability are
also important variables in the approval process.
Businesses today are strengthening their
relationships with their vendors or suppliers,
recognizing that they are partners in a supply
chain. One of the most successful supply chain
management “partnerships” is that of Walmart
and Procter & Gamble.
The purchase of goods affects inventory control.
The objective of inventory control is to ensure
that an AIS records all goods purchased for and
dispensed from inventory. The inventory control
component of the purchasing process interfaces
with production departments, the purchasing
department, the vendor, and the receiving
department.
A final objective of the purchasing process is
forecasting cash outflows. The addition of
outstanding purchase requisitions, purchase
invoices, and receiving reports provides an
estimate of future cash requirements. With the
forecast of cash receipts produced by the sales
process, this estimate allows an organization to
prepare a cash budget.
Events in the expenditure cycle
Figure below shows a systems flowchart that
describes the purchasing process. As with the
sales process, the flowchart assumes a
centralized database and a mix of paper
documents and electronic images. The following
fictitious example describes the purchasing
process shown below
Example: Benjamin Controller is an employee at
a large state university. He needs to purchase a
new computer, so he pulls up the purchase
requisition form on the university’s website and
fills in the appropriate information. He sends the
completed form to his supervisor for approval,
who approves the request and clicks the
“Submit” button to forward the request
electronically to the purchasing department. A
purchasing agent creates an electronic purchase
order based on the information provided. The
agent consults the vendor file to locate an
authorized vendor for the requested computer.
The AIS then sends an electronic version of the
order to the receiving department and another
copy to the vendor. When the computer arrives
from the vendor, a receiving clerk consults the
AIS system to verify that a purchase order exists
for the goods received. The clerk then enters
information about the receipt (e.g., date, time,
count, and condition of merchandise) to create
an electronic receiving report. Upon receipt of an
electronic vendor invoice and the receiving
report, the accounts payable system remits
payment to the vendor.
The economic and business events in the
university’s purchasing process are the purchase
request, purchase order, receipt of goods, and
payment to the vendor. The university’s AIS
records information about each of these events
and produces a variety of reports. The next two
sections describe the information inputs and
some of the reports associated with the
purchasing process.
Inputs to the Expenditure cycle
As explained earlier, the purchasing process
often begins with a requisition from a production
department for goods or services. Sometimes, an
AIS triggers purchase orders automatically when
inventories fall below prespecified levels. The
purchase requisition shows the item(s)
requested and may show the name of the vendor
who supplies the goods.
In above about the events of the expenditure
cycle, the accounts payable system matches
three source documents before remitting
payment to the vendor: the purchase order, the
receiving report, and the purchase invoice. A
purchase invoice is a copy of the vendor’s sales
invoice. The purchasing organization receives
this copy as a bill for the goods or services
purchased. The purpose of matching the
purchase order, receiving report, and purchase
invoice is to maintain the best possible control
over cash payments to vendors. For example, the
absence of one of these documents could signify
a duplicate payment. A computerized AIS can
search more efficiently for duplicate payments
than a manual system.
For example, auditors can search for intentional
(or unintentional) errors by instructing an AIS to
print a list of duplicate invoice numbers, vendor
checks for like dollar amounts, and similar
control information.
The purchase requisition initiates the purchase
order. Besides the information on the
requisition, the purchase order includes vendor
information and payment terms. The purchasing
department typically prepares several copies (or
images) of the purchase order. In a paper-based
system, the purchasing clerk sends one copy of
the purchase order to the receiving department
to serve as a receiving report or, preferably, to
prompt the receiving department to issue a
separate receiving report. This copy of the
purchase order is specially coded (or color-
coded) to distinguish it from other copies of the
purchase order if there is no separate receiving
report. The receiving department copy might
leave out the quantities ordered that are
identified in the purchase order. This is done for
control purposes, so that workers receiving the
goods must do their own counts, rather than
simply approving the amounts shown on the
purchase order.
Another source document, a bill of lading,
accompanies the goods sent. The freight carrier
gives the supplier a bill of lading as a receipt,
which means the carrier assumes responsibility
for the goods. It may contain information about
the date shipped, the point of delivery for freight
payment (either shipping point or destination),
the carrier, the route, and the mode of shipment.
The customer may receive a copy of the shipping
notice with the purchase invoice. This is
important to the accounts payable subsystem,
since accounts payable accruals include a liability
for goods shipped free on board (FOB) from the
shipping point. Goods shipped this way have left
the vendor, but the customer has not yet
received them. Another source document, the
packing slip, is usually included in the
merchandise package. This document indicates
the specific quantities and items in the shipment
and any goods that are on back order. The next
time you order goods through a catalog or over
the Internet, look for a packing slip.
Outputs of the Expenditure cycle
Typical outputs of the purchasing process are
vendor checks and accompanying check register,
discrepancy reports, and a cash requirements
forecast. The check register lists all checks issued
for a particular period. Accounts payable
typically processes checks in batches and
produces the check register as a by-product of
this processing step. Discrepancy reports are
necessary to note any differences between
quantities or amounts on the purchase order,
the receiving report, and the purchase invoice.
The purpose of a discrepancy report is to ensure
that no one authorizes a vendor check until the
appropriate manager properly reconciles any
differences. For example, assume that a
receiving report indicates the receipt of 12 units
of product, whereas the purchase order shows
that a company ordered 20 units and the
purchase invoice bills the company for all 20
units. The accounts payable function records the
liability for 20 units and notes the situation on a
discrepancy report for management. This report
would trigger an investigation. For example, it is
possible that the vendor made two shipments of
merchandise, and one shipment has yet to be
received. If this is the case, receipt of the second
shipment clears this discrepancy from the next
report. However, if this is not the case, it is
important for management to determine the
cause of the discrepancy as soon as possible.
The purchasing process produces a cash
requirements forecast in the same manner that
the sales process produces a cash receipts
forecast. By looking at source documents such as
outstanding purchase orders, unbilled receiving
reports, and vendor invoices, an AIS can predict
future cash payments and their dates.
Transaction cycle — the general ledger and
financial reporting cycle
The general ledger and financial reporting cycle
summarizes, adjusts and reports on data from all
the previous operational cycles. During the
general ledger and financial reporting cycle,
budgets are created and agreed upon, and
transactional-level data are accumulated,
summarized, adjusted and, finally, reported to
internal and external users. Most decision
making by managers within the organization is
based on data supplied by the financial reporting
cycle; investors rely on these reports when
making investment decisions; and reports are
also supplied to external regulators for assessing
compliance with relevant corporate legislation.
Assuring the timeliness, validity, accuracy and
completeness of reported data is critical to
organizational success.
General ledger and financial reporting cycle
overview and key objectives
The first part of the financial reporting and
general ledger cycle involves creating an
operational budget for the organization. Budgets
are usually created on an annual basis and
updated monthly or more frequently if required.
The purpose of budgeting is to facilitate
organizational planning and control. Creating
budgets requires careful estimation of future
activity levels and the associated potential costs
and revenues; finalized budgets are then used as
a control measure to help ascertain and monitor
required organizational and individual
performance levels. In order to motivate
desirable behavior by managers within the
organization, budgets should be framed so that
activity targets are achievable but challenging.
When reporting and monitoring using variance
analysis (budget estimates compared to actual
results), it is important to identify the root cause
of any variances observed. As an example, an
unfavorable variance between budgeted and
actual data may be the result of poor
performance, or it is possible that budget
estimates were set at an unrealistic or
unachievable level. It is necessary to identify
which of these circumstances apply, as differing
remedial actions are appropriate. An incorrect
budget estimate should be corrected and
analysis should be undertaken to determine how
the estimation error occurred in order to prevent
recurrence. If the budget is realistic but poor
performance is the underlying cause of the
variance, the poor performance should be
addressed via performance management of the
individual or division involved.
Once budgets have been finalized, the ongoing
work of extracting transactional data generated
during the operational transaction cycles
(revenue, expenditure, production and payroll)
and transferring a summarized version of these
transaction streams into the relevant general
ledger accounts takes place. This initial set of
activities creates a trial balance of the accounts.
It is important to note that this extraction activity
does not provide any assurance that the original
transactions were recorded accurately. If an
operational process has a control weakness that
results in inaccurate data being recorded at a
transactional level, this same flawed data will be
transferred into the general ledger accounts.
At periodic intervals, a bank reconciliation is
performed in order to independently verify the
balances of the cash-based general ledger
accounts. After this reconciliation is successfully
completed, adjusting journal entries are
prepared and input. These adjusting journals
create an adjusted trial balance, where the
values contained in the accounts comply with
the requirements for recognizing revenues and
expenses contained in the accounting standards.
Once the adjusted trial balance has been
finalized, financial reporting can take place.
Typically, we divide reports into two major
categories: management reports, which are
used within the organization, and general
purpose financial statements, which are
distributed externally. Management reports
tend to be far more detailed in terms of content,
and are not intended for sharing outside the
organization. General purpose financial
statements are constructed in accordance with
the requirements of the relevant accounting
standards and contain far less detailed
information, but are freely available to a wider
range of users.
The objective of the general ledger and financial
reporting cycle is to synthesize and report data
that accurately represents business transactions
and activities. In order to achieve this objective,
budgets must be accurately and completely
determined and recorded, and transactions
extracted and posted must be complete and
accurate. In addition, any adjustments that are
required must be made prior to financial
reporting taking place. Any financial report that
is based on accrual accounting assumptions can
only be relied upon if it is generated using
correctly adjusted data.
An exception is where an operational report (e.g.
a simple transaction listing) is required by
management — basic reports can be generated
at any time after a transaction is recorded; it is
not necessary to wait until end-of-period
adjustments have been completed. These types
of detailed reports usually extract and report
data directly from more detailed subsidiary
ledgers (e.g. accounts receivable and cash sales)
rather than the summarized general ledger.
Technologies underpinning the general ledger
and financial reporting cycle
Enterprise resource planning (ERP) systems
assist with integrating the general ledger into the
operational cycles that precede general ledger
and financial reporting processes in the overall
business transaction cycle. The general ledger
links back into most areas within the
organization, so an ERP system acts to improve
enterprise data integration and facilitate
stronger controls over the extraction and posting
of data from subsidiary ledgers.
A robust, user-friendly report-generating tool
such as Cognos or Crystal Reports is essential for
the production of both ad hoc and standard
financial reports. These business intelligence
tools typically provide a simplified user interface
to allow interrogation of the underlying data and
data dictionary, and the creation of reports using
a drag-and-drop-style interface. The deployment
of these user-friendly tools is particularly useful
in an environment where end-users of financial
systems take responsibility for designing and
producing their own financial reports.
Access to online banking is helpful in terms of
being able to monitor and reconcile cash
transactions more easily. Access to online
banking can also be helpful for organizations that
wish to automate bank reconciliations. The
ability to download files in electronic format
directly from a bank website presents an
opportunity to compare bank statement and
cash transaction files electronically, improving
both the timeliness and accuracy of bank
reconciliations.
As described previously, eXtensible Business
Reporting Language (XBRL) is a data standard
used when generating financial reports. The
importance of this standard is that it allows
semantics, or meaning, to be embedded within
strings of financial data, allowing more in-depth
analysis to be conducted by users or recipients of
the data. This meaning is conveyed by inserting
embedded tags that identify where separate
pieces of data start and end within strings of
data. Corporate regulators worldwide are
gradually moving towards mandating XBRL data
for corporate filings and reporting.
Data in the general ledger and financial
reporting cycle
Budget data is often initially created based on
prior year data, then manually adjusted and
entered into the financial system by finance
personnel and operational managers. Budget
data is held in the general ledger chart of
accounts, and is used in reporting, largely as a
target or benchmark level against which actual
results are compared.
The general ledger and financial reporting cycle
initially extracts existing transactional data from
subsidiary ledgers. These subsidiary ledgers
include the accounts receivable ledger (which
contains details of customer invoices raised and
payments received) and the accounts payable
ledger (which contains details of supplier
invoices received and payments approved and
made). The payroll data store provides details of
salary and wage transactions. The raw materials,
labor and overheads data stores from the
production cycle provide details of production
costs incurred. The general ledger uses all this
transactional data to create summarized
transactions in the accounts within the general
ledger. These general ledger accounts are
conventionally referred to as the chart of
accounts for the organization.
A typical general ledger account code will
contain a string of indicators representing items
such as the transaction type (e.g. revenue,
expense or equity), the division or section of the
organization the transaction relates to, and the
nature of the transaction (e.g. chart of accounts).
The only new data created by the general ledger
and financial reporting cycle are general journal
entries. Although small in volume, these
adjusting journals can have a huge financial
impact on the financial results subsequently
reported. General journal data is typically stored
in a separate journal voucher data store, as well
as in the relevant general ledger accounts.
Data produced by the general ledger and
financial reporting cycle are used by all levels of
management within the organization and by
investors, analysts and regulators external to the
organization. Access to financial data usually
occurs by means of paper or electronic reports
for users within the organization. External
reporting has traditionally been paper based
only, with recent augmentation by electronic
reporting.
General ledger and financial reporting
processes
Each of the business processes of an
organization feed financial transactional data
into the general ledger. The general ledger
provides details for all the accounts within the
chart of accounts. Recall from your accounting
courses that the general ledger is the entire set
of T‐accounts for the organization. Each set of
processes affects general ledger accounts. For
example, sales and sales return processes affect
the accounts receivable, sales, inventory, and
cost of goods sold accounts. For manual
accounting systems, the process in which
transactions are posted to the general ledger is
called the accounting cycle. Figure below is a
summary of the processes in the accounting
cycle:
Business processes in an organization consist of
various accounting transactions. When an event
occurs, the accountant must decide whether the
transaction is a regular, recurring transaction. If
the transaction is regular and recurring, it would
be recorded in a special journal. Special journals
are established to record specific types of
transactions. For example, a sale to a customer
would be recorded in a special journal called the
sales journal. The sales journal is the appropriate
place to record all credit sales. A typical sales
journal is formatted with columns to record the
amount of the sale and the corresponding
receivable. That is, one column exists for sales
dollar amounts (a credit), and one column for
accounts receivable amounts (a debit). In
addition, regular, recurring transactions are
posted to subsidiary ledgers. Subsidiary ledgers
maintain the detail information regarding
routine transactions, with an account
established for each entity. For example, a credit
sale to a customer must be recorded in the
accounts receivable subsidiary ledger. This
subsidiary ledger maintains transaction details
and balances for each individual customer. At
regular intervals, such as the end of each day or
end of each week, the totals from the special
journals are posted to general ledger accounts.
Some transactions are not regular, recurring
transactions, and thus are not recorded in
special journals and subsidiary ledgers. The
transactions in capital and investment processes
are examples of nonroutine transactions, which
are entered in the general journal and posted to
the general ledger.
At period end, it is important to ensure that all
revenue, expenditure, payroll, payable, and
receivable transactions have been posted to the
general ledger. After all these transactions are
recorded for the month, accruals and other
adjusting entries are recorded in the general
journal and then posted to the general ledger.
After all transactions are accrued and posted, a
trial balance is prepared from the general ledger
account balances.
The financial statements are prepared from the
adjusted balances in the general ledger. To
prepare the general ledger for the next
accounting period, and to transfer earnings to
retained earnings, closing entries are recorded in
the general journal and posted to the general
ledger. This ends the accounting cycle for the
current fiscal period, and the cycle begins anew
in the next fiscal period.
These examples of accounting records focus only
on sales and receivables. There are similar
special journals and subsidiary ledgers for other
regular, recurring transactions such as
purchases, cash receipts, cash disbursements,
and payroll. Also, there are other subsidiary
ledgers such as accounts payable, inventory,
payroll, and fixed assets. When a transaction
occurs, the accountant must choose the correct
set of special journals and subsidiary ledgers in
which to record the transaction. In an automated
ERP system, when a transaction is entered, the
appropriate special journals and subsidiary
ledgers are automatically updated.
Reporting as an Output of the General ledger
and financial reporting processes
The information in the general ledger accounts
provides important feedback for both internal
and external parties. External parties such as
investors and creditors use summarized
accounting data in the general purpose financial
statements to evaluate business performance.
Internal managers need financial and
nonfinancial feedback for proper planning and
control of operations. Internal managers need
much more frequent and detailed reports than
external users. The sections that follow describe
the external and internal reporting concepts.
External Reporting
The four general purpose financial statements—
balance sheet, income statement, statement of
cash flows, and statement of retained earnings—
are created from general ledger account
balances. These financial statements are
generated at the end of the accounting cycle.
The dollar amounts reported are all derived from
general ledger account balances. Usually,
accounts are combined and summarized when
reported in general purpose financial
statements. External users do not need detailed
balance information on every existing account in
the general ledger. For example, a large
company may have several general ledger
accounts for various types of cash and cash
equivalents. These individual cash accounts are
combined, or “rolled up,” into one dollar amount
reported as Cash on the balance sheet. This same
summary process occurs for all of the line items
on the general purpose financial statements.
Sales revenue as reported on the income
statement may be a combination of many
revenue accounts in the general ledger. There
may be a revenue account for each product or
product line so that managers can track sales of
individual products. However, external users
would be overwhelmed by the detail in several
revenue accounts. Therefore, the revenue
accounts are rolled up into one or a few lines on
the income statement.
The IT accounting systems are programmed to
combine, or roll up, accounts when the system
processes the financial statements. The financial
statements are designed and programmed into
the IT system when the system is implemented.
When these financial statement reports are
needed at the end of the period, they may be
printed by the IT system. Prior to the printing and
distribution of these reports, the CFO and the
accounting staff oversee the closing process to
ensure that the dollar amounts are correct and
complete, usually by printing various reports in
the IT system and reconciling them to ensure
their accuracy.
Internal Reporting
The internal reports to be provided to managers
vary greatly depending on several factors.
Internal reports are usually not general‐purpose
financial statements, but reports that are
tailored to the specific needs of each
management level and function. The many
factors that affect the type of report provided to
internal users can be summarized so that they
fall into three categories: the type of
organization, the underlying function managed,
and the time horizon.
Type of Organization
Although this may seem obvious, the type of
organization affects the type of reports that are
needed to manage the organization. For
example, manufacturing firms need different
reports than retail firms or service firms.
Manufacturing firms must have internal reports
to help manage the flow of raw materials, work
in process, and manufacturing labor. Retail firms
do not have these processes. However, both
retail and manufacturing firms manage
inventories, while service firms do not.
Therefore, service firm internal reports are more
likely to focus on sales and the status of projects.
Certainly, all three types of firms use revenue
and profitability reports. Some organizations,
such as governmental or charitable foundations,
are not profit‐oriented, so their internal reports
tend to focus on cash flows, funding sources, and
expenditures.
Function Managed
The type of business function that a manager
oversees also affects the type of reports needed.
An operations manager needs reports about
operations, such as reports about machine
hours, down time of machines, units produced,
defective units, and material usage. These types
of operational reports may not be prepared from
data in the general ledger. However, as
transactions are recorded in the accounting
processes, financial as well as nonfinancial data
are accumulated. Therefore, the accounting
system often records both financial and
operational data that can be used in reports.
Managers who direct financial aspects of a
business need financial data in reports. For
example, an accounts receivable manager needs
reports that show aged accounts receivable.
Higher‐level managers examine financial reports
regularly to properly manage sales,
expenditures, cash flows, inventories, and many
other financial aspects. These financial reports
are prepared directly from ledgers, journals, and
other accounting records.

Time Horizon

The relevant time horizon impacts the type of

reports needed by management. In day‐to‐day
business activities, managers are likely to use
details such as unit measures, physical counts,
and other non‐financial data. However, as the
time horizon expands, the types of reports that
are useful are likely to involve financial
measures. For example, on a day‐to‐day basis a
purchasing manager is likely to focus on physical
counts such as quantities ordered; yet, as the
time horizon lengthens to a month, financial
data such as purchase price variances become
more useful. Therefore, for time horizons of one
month or longer, reports generated from general
ledger information are likely to be very
important.
Module 6 Internal Controls
Introduction
Setting goals and trying to achieve them are the
role of a sound corporate governance structure.
The corporate governance structure includes the
internal control system. There is a range of
alternatives for how corporate governance and
internal control structures are designed. This
chapter presents some of the concepts about the
structure and operation of such systems. These
structures and systems allow a business to check
whether it is achieving its goals and objectives,
part of which includes making sure that the right
things are being done within the organization.
This chapter also introduces you to the role of
internal controls and how they fit within the
overall management and governance of the
organization. The chapter will take you through
the concepts of corporate governance and IT
governance, introduce you to some well-known
IT governance standards and explain how these
standards fit within a framework of sound
corporate governance. The topic of internal
controls is introduced through a discussion of the
COSO and ERM frameworks.
Definition of Internal Control
Internal control describes the policies, plans, and
procedures implemented by management of an
organization to protect its assets, to ensure
accuracy and completeness of its financial
information, and to meet its business objectives.
Usually, the people involved in this effort are the
entity’s board of directors, the management,
and other key personnel in the firm. The reason
this is important is that these individuals want
reasonable assurance that the goals and
objectives of the organization can be achieved
(i.e., effectiveness and efficiency of operations,
reliability of financial reporting, protection of
assets, and compliance with applicable laws and
regulations).
An internal control system consists of the various
methods implemented within an organization to
achieve the following four objectives: (1)
safeguard assets, (2) check the accuracy and
reliability of accounting data, (3) promote
operational efficiency, and (4) enforce
prescribed managerial policies. An organization
that achieves these four objectives is typically
one with good corporate governance, which
means managing an organization in a fair,
transparent, and accountable manner to protect
the interests of all the stakeholder groups.
COBIT framework and principles
COBIT was originally an acronym for Control
Objectives for Information and related
Technology. It is now used in the short form:
COBIT. COBIT has evolved from a purely audit
focus to a framework that integrates IT
processes and functions to build the business
capability of organizations.
COBIT 5, A business framework for the
governance and management of enterprise IT,
aligns with the standard ISO/IEC 38500:2015.
An important distinction is that ISO/IEC 38500
takes a behavioral stance, that is, it provides
guidance for IT governance behavior. COBIT 5
takes a process stance, that is, it provides
guidance on processes, suggesting auditable
performance metrics.62 COBIT 5 provides a
framework for governing and managing
enterprise (across the organization) IT.
The COBIT 5 framework enables IT to be
governed and managed in a holistic manner for
the entire enterprise (organization). COBIT 5
includes the full end-to-end business and IT
functional areas of responsibility as well as the
IT-related interests of internal and external
stakeholders.
COBIT 5 is based on five key principles:
Principle 1: Meeting stakeholder needs.
Organizations have different goals and
objectives. COBIT 5 provides the resources to
support business value creation using IT. COBIT
5 can be customized to suit each organization’s
business, realizing the benefits of IT and
mitigating the risks. This is important because
COBIT 5 is designed for all organizations, so
each organization needs to articulate how IT
will create value for their organization.
Value creation is a governance value for all
organizations. Realizing benefit value (financial,
public service or other) involves realizing
benefits at an optimal resource cost while
optimizing risk. COBIT 5 recognizes that there
are multiple stakeholders. Each of the
stakeholders in an organization may have
conflicting views on what creating value means.
The questions asked for each decision include:
For whom are the benefits? Who bears the risk?
What resources are required?
Stakeholder needs have to be translated into
actions to achieve organizational objectives.
The COBIT 5 goals cascade is the mechanism for
translating stakeholder needs into specific,
actionable and customized organizational goals,
IT-related goals and enabler goals. It is
important to note that the goals cascade is not
prescriptive.
There are five enablers.
1. Principles, policies and frameworks.
Principles and policies refer to the
communication mechanisms put in
place to convey the governing bodies
and management’s direction and
instructions.
2. Processes. A process is defined as ‘a
collection of practices influenced by the
enterprise’s policies and procedures
that takes inputs from a number of
sources (including other processes),
manipulates the inputs and produces
outputs (e.g., products, services)’.
3. Organizational structures. This includes
the key decision-making entities in an
organization.
4. Culture, ethics and behavior. Culture,
ethics and behavior refers to the set of
individual and collective behaviors
within an enterprise.
5. Information. The information enabler
deals with all information relevant for
enterprises, not only automated
information. Information can be
structured or unstructured, formalized
or informal.
Principle 2: Covering the enterprise end-to-end.
COBIT 5 integrates IT governance of enterprise
IT into enterprise governance (corporate
governance). COBIT 5 does not focus only on
the ‘IT function’, but treats information and
related technologies as assets that need to be
dealt with just like any other asset by everyone
in the enterprise. COBIT 5 considers all IT-
related governance and management enablers
to be enterprise-wide. Business processes are
considered end-to-end, i.e., inclusive of
everything and everyone — internal and
external — that are relevant to governance and
management of enterprise information and
related IT. In addition to the governance
objective, the other main elements of the
-governance approach include enablers; scope;
and roles, activities, and relationships.
Governance enablers are the organizational
resources for governance, such as frameworks,
principles, structures, processes and practices,
through or towards which action is directed and
objectives can be attained. Governance can be
applied to the entire enterprise, an entity, or a
tangible or intangible asset. A last element is
governance roles, activities and relationships. It
defines who is involved in governance, how
they are involved, what they do and how they
interact within the scope of any governance
system.
Principle 3: Applying a single, integrated
framework. COBIT 5 provides an overarching
framework for governance and management of
IT by integrating with other IT-related standards
and good -practices. It aligns with other latest
relevant standards and frameworks, and thus
allows the enterprise to use COBIT 5 as the
overarching governance and management
framework integrator.
Principle 4: Enabling a holistic approach. The
COBIT 5 framework defines seven categories of
enablers: principles, policies and frameworks;
processes; organizational structures; culture,
ethics and behavior; information; services,
infrastructure and applications; and people,
skills and competencies. The seven categories of
enablers are shown below:
Principle 5: Separating governance from
management. COBIT 5 provides a clear
distinction between governance and
management. COBIT 5 defines governance as
follows: Governance ensures that stakeholder
needs, conditions and options are evaluated to
determine balanced, agreed-on enterprise
objectives to be achieved; setting direction
through prioritization and decision making; and
monitoring performance and compliance
against agreed-on direction and objectives.
Management is defined as: Management plans,
builds, runs and monitors activities in alignment
with the direction set by the governance body
to achieve the enterprise objectives.
Good decisions can only be made when a
systematic approach to governance and
management of IT is taken. Stakeholder
requirements need to be evaluated to ensure
they are taken into account.
The five principles enable the enterprise
(organization) to build an effective governance
and management framework under the
leadership of the CEO.
COSO internal control framework
The Committee of Sponsoring Organizations of
the Treadway Commission (COSO) is a joint
initiative of five private sector organizations.
The five organizations are the -American
Accounting Association, American Institute of
CPAs, Financial Executives International, the
Association of Accountants and Financial
Professionals in Business and the Institute of
Internal Auditors. COSO is dedicated to
providing thought leadership through the
development of frameworks and guidance on
enterprise risk management, internal control
and fraud deterrence. COSO released their most
current version of the framework Internal
Control — Integrated Framework in 2013.
The definition of internal control is deliberately
broad and reflects the following fundamental
concepts:
• Geared towards achieving objectives in
one or more categories: operations,
reporting and compliance
• A process of ongoing tasks and activities
— a means to an end, not an end in
itself
• Effected by people — this is not just
about policies and procedures but
about people and their actions
• Able to provide reasonable assurance
(not absolute assurance) to the board
and management
• Adaptable to the organization’s
structure, for the whole organization, a
subsidiary, a division or a business
process.
The COSO framework outlines three key
objectives that provide organizations with
different perspectives on or aspects of internal
control.
 • Operations Objectives. The
effectiveness and efficiency of the
business operations of the organization
including operational and performance
goals and safeguarding against asset
loss.
• Reporting Objectives. The internal and
external financial and non-financial
reporting obligations of an organization.
This includes reliability, timeliness,
transparency or any other requirement
set out by regulators.
• Compliance Objectives. Adherence to
laws and regulations to which the
organization is subject.
COSO New ERM Framework (2017)
The objective of enterprise risk management
(ERM) is to develop a holistic, portfolio view of
the most significant risks to the achievement of
the entity’s most important objectives.
COSO’s new ERM framework now includes five
components or categories with 20 principles
spread throughout each component. Those
components are:
1. Governance and Culture – Forms the
basis of the other components by
providing guidance on board oversight
responsibilities, operating structures,
leadership’s tone, and attracting,
developing, and retaining the right
individuals.
2. Strategy & Objective-Setting – This
component focuses on strategic
planning and how the organization can
understand the effect of internal and
external factors on risk. This section
provides guidance on analyzing
business context, defining risk appetite,
and formulating objectives.
3. Performance – After an organization
develops its strategy, it then moves on
to identify and assess risks that could
affect its ability to achieve these goals.
This section not only helps guide the
organization’s risk identification and
assessment, but also how to prioritize
and respond to risks. After all, an
organization is only as good as its
performance, which is bigger than just
risk management.
4. Review and Revision – At some point
after risks have been prioritized and a
course of action been chosen, the
organization moves into the review and
revision phase where it assesses any
changes that have taken place. This is
also the opportunity to understand how
the ERM process in the organization can
be improved upon.
5. Information, Communication, and
Reporting – The last component of the
COSO ERM framework involves sharing
information from internal and external
sources throughout the organization.
Systems are used to capture, process,
manage, and report on the
organization’s risk, culture, and
performance.
ERM uses an iterative process. Just because an
organization has issued risk reports doesn’t
mean the work is finished. With information
about risk treatments and processes in hand, a
review and refinement of governance, strategy,
and risk management processes can and should
take place.
Evaluation of Control Activities
Australian Auditing Standard ASA 315
Identifying and Assessing the Risks of Material
Misstatement through Understanding the Entity
and Its Environment3 classifies controls into five
types:
 1. Authorization
2. performance reviews
3. information processing controls
4. physical controls
5. segregation of duties.
This perspective on control activities focuses on
the risk areas/activities within the organization
and emphasizes a functionalist perspective —
what happens within the organization and how
the controls operate. These control areas
should be remembered, since for each one we
will see different examples of specific control
activities.
Authorization is concerned with the activities
and procedures put in place to reasonably
assure that the transactions and events
occurring are carried out by those with the
appropriate authority and that such events have
been appropriately approved prior to execution.
In other words, it aims to set defined roles and
responsibilities for individuals within the
organization as well as having mechanisms for
ensuring that these are adhered to. Examples of
authorization procedures in action could include
checking a customer’s credit limit before
proceeding with a credit sale, or gaining a
manager’s approval before making an unusually
large purchase or an irregular purchase.
Performance reviews are those activities that
involve some form of review or analysis of
performance, typically looking to compare
actual outcomes with those that were expected
or planned. The classic accounting example is
the comparison of actual and budgeted figures
and the conduct of variance analysis to
determine the source of the variance. Other
types of performance reviews could include
comparing two sets of data to see if they match
(e.g., a bank reconciliation, which compares
bank records to business records to ensure
parity between the two).
Segregation of duties refers to the concept that
certain key functions should not be performed
by the same person. The typical reference point
within a business process is that record keeping
(person who records a transaction), execution
(person who performs a transaction), custody
(person in possession of the assets involved in a
transaction) and reconciliation (person
reconciling transaction data) should be
separated. Segregation of duties also applies
across the IT systems within the organization.
Information Processing Controls
Information processing controls are those that
are put in place within the organization to work
towards the accuracy, completeness and
authorization of transactions. Accuracy is the
aim of making sure that all data that enters the
system are correct and reflect the actual events
that are being recorded. Completeness refers to
the aim of ensuring that all events that occur
are recorded within the system. Authorization,
as described above, is concerned with whether
or not the events that occur are appropriately
approved before being executed. Information
processing controls can be classified as either
general or application controls.
General Controls
Any computerized system should aim to ensure
transactions are properly authorized, recorded
and processed in their entirety in a timely
manner.
General controls are ‘policies and procedures
that relate to many applications and support
the effective functioning of application controls.
General controls operate across the
organization and relate to the overall
environment in which different information
systems are located. Note from the definition
that general controls do not relate to a specific
application or process and, as a result, will not
directly affect the operation of the different
information systems that may exist within the
organization. General controls may provide a
suitable environment in which separation of
duties and restricted access to resources can be
applied, but they do not help to control the
actual operation of the different computer
systems that the organization uses. As such,
general controls provide the environment
within which application controls operate. They
include physical controls, segregation of duties,
user access, systems development procedures,
user awareness of risks, and data storage
procedures.
1. Physical controls
Physical controls are concerned with restricting
access to the physical resources of the
organization. At the most obvious level, the
concern would be who has physical access to
the organization’s computing resources.
Especially for organizations that have large data
processing centers that handle all of the
transactions and information processing
requirements of the organization, the risk of
unauthorized people accessing and damaging
(accidentally or otherwise) the physical
infrastructure is one the organization is not
prepared to take. As a result, organizations will
employ a range of physical controls to restrict
physical access, including the following.
• Locked computing premises. Locking
facilities and restricting the distribution
of keys to the facility works in two
ways. First, locked premises means that
unless you have a key you are unable to
gain access. Second, if the distribution
of keys is controlled it is possible to
narrow down the people who may have
entered the premises at a particular
time. Locking premises is primarily a
preventive control — it stops
unauthorized access to the premises.
Discrete premises that do not attract
attention.
• Discrete premises can be a
consideration when choosing the
location for data processing and
technology headquarters. Organizations
that do not advertise the location of
their information technology centers
are theoretically less exposed to
targeted attacks on the organization’s
physical resources.
• Swipe card access. Controlling physical
entry to buildings and office facilities
through the use of swipe card access
means only those with a swipe card will
be able to gain access. Swipe card
technology also allows for the recording
of data about who enter the premises
and at what time.
• Biometric access controls. A limitation
of swipe cards is that the person with
the card may not necessarily be the
person who is meant to have the card,
since swipe cards may be lost, stolen or
loaned. A way to overcome this is
through the use of biometric controls,
such as fingerprint swipes or retina
scans. The benefit of this technology is
that biometric identification, unlike
swipe cards or passwords, ensures that
the person gaining access is actually
authorized to do so.
• Onsite security. The presence of onsite
security, such as a manned front desk,
can be an effective means of restricting
unauthorized people from accessing a
building.
• Security cameras to record access to
the premises. The presence of security
cameras can act as both a preventive
and a detective access control. From a
preventive perspective, if people know
cameras are there, they are less likely to
attempt unauthorized access.
 Additionally, if the cameras are present,
they can provide a means of detecting
unauthorized access.
2. Segregation of duties
When we look at the operation of the different
transaction cycles, we will see that the
recording, execution, custody, authorization
and reconciliation functions should be
performed by different individuals. When
looking at IT systems, separation of duties is
equally important. Within the IT function,
separation of duties should exist between the
users of IT, the maintainers of the IT systems,
system designers, system testers and those with
access to the data within the systems. The
rationale behind this is that combining any of
these roles creates a conflict for the individual,
places the organization’s resources at risk and
enables an individual to carry out fraud without
being detected. For example, if the person
designing and testing a new application also has
access to the organization’s data resources
there is the possibility that the live data could
be used in the testing process. This exposes the
data to the risk of damage or corruption if the
testing does not work as expected.
Alternatively, if users are also involved in the
design of programs there is the risk that,
because of their intimate knowledge of how the
program was developed, they will be able to
work around any controls that may have been
built into the program.
3. User access
The area of user controls predominantly relates
to the logical access of users to the systems
within the organization. The primary example in
this area is the use of passwords to restrict
system access to authorized user by allocating
users a unique identification code that only they
are aware of, which is one of the most common
access control methods in operation.
Organizations requiring users to have
passwords need to consider the following
aspects of password operation.
Format of the password
Increased sophistication in the development of
algorithms and programs designed to break
passwords means that password strength
becomes an important issue. The strength of
the password is related to its length and format.
For example, a password that is set as ‘CAT’
would be much easier to crack than a password
that has been set as ‘C@9at12#’. Increasingly,
online sites that require passwords will provide
indicators of password strength, with many
advocating a mix of alphanumeric characters-,
upper- and lower-case characters and symbols.
A step beyond this is to have the system
automatically generate a password for the user,
which will ensure that password format
protocols are adhered to on a consistent basis.
The trade-off with this option is that system-
generated passwords may be more difficult for
users to remember, leading to the tendency to
write passwords down and the security risks
that presents.
Life of the password
Increased security comes from passwords that
are required to be changed on a regular basis,
since the more the password is changed the
more the risk of it becoming known is reduced.
As a result, some systems will require users to
change their password on a regular basis (e.g.,
every four weeks). While this has the benefit of
being dynamic because it changes regularly, it
can obviously lead to confusion for the user,
with the regularly changing password leading to
the user forgetting or confusing their password.
Other factors linked to difficult-to-remember
passwords include the composition of the
password and the selection method of the
password (did the user choose it or was it
assigned to them?)
Uniqueness of the password
A user may have access to several different
systems or modules within a system. If each of
these requires a password, the potential exists
for the user to have to remember numerous
passwords. Again, this may lead to confusion for
the user in trying to remember their various
access codes. The temptation for users may be
to use the same password for various systems.
For example, you may use the same password
for your email, eBay, Amazon and YouTube
accounts. Ives, Walsh and Schneider cite
research that found that a typical internet user
may have access to as many as 15 different
accounts, each requiring a user identification
and password. With so many accounts, it makes
sense to use the same password to reduce the
potential for a forgotten password. However,
the risk is that, if your password for one account
is discovered, it can obviously be used to access
multiple accounts. As such, the potential
consequences of the password breach are
magnified.
When a login is unsuccessful
If a user forgets their password, they will not be
able to access their account. A system should be
configured to log unsuccessful login attempts.
Keeping a log of unsuccessful login attempts can
be useful for following up on potential attacks.
Analysis may reveal that attempts happen at a
particular time or through a particular user
name. This could prompt further investigation.
In addition, some systems may freeze an
account after a number of consecutive failed
login attempts. Typically, after three
unsuccessful login attempts, an account may be
frozen. This control works to stop systematic
attempts at determining a user’s password.
Once an account is frozen, the fact should be
logged and the user required to reset their
password.
Security of the password
Given that most system users will have multiple
passwords, the tendency is for these to be
written down. From a control perspective, the
writing down of passwords should raise
questions about where the document
containing the passwords is then stored. For
example, storing the passwords in a notebook
that is locked in a desk drawer or filing cabinet
is preferable to recording them on a post-it
note affixed to the computer screen where
anyone can access them. Security threats and
our responses to those threats are evolving, and
security advice can become obsolete. For
example, users of information systems are
encouraged to use long, complex passwords.
However, accounts are compromised regularly
(see, for example, data breaches discussed later
in this section) through password reuse, which
is a bigger threat today than password cracking.
Therefore, the better advice is to use different
passwords for different sites rather than
creating a complex password, memorizing it and
using it for all the systems you use.
CEB’s 2015 Audit Plan Hot Spots lists
information security to be a key area because of
insecure employee behaviors. For example, 93
per cent of employees admitted to violating
information security policies. Importantly, the
report notes that organizations that focus on
technical controls at the expense of proactively
managing secure employee behaviors (for
example, appropriate password protection) can
lead not only to financial consequences but also
to reputational, operational and legal
consequences. Recent research has suggested
two ways to deter users (or insiders) from
fraudulent behavior. The first is to ensure
employees understand the risk of detection.
Those employees who believe there is a high
chance of being caught will desist from
committing a fraudulent act. The second is to
create a fair work environment where
employees believe they are treated fairly.
4. System development procedures
A number of different information systems can
exist in the organization that will require
maintenance and development at various
points in time. It is important to have in place
set policies and procedures to be followed in
the design and implementation of new software
or systems. These should include designated
procedures and stages as part of the systems
development process as well as restrictions on
who is able to initiate and execute the
development and installation of new programs
within the information system. Within an
organizational network you will see this
represented, at a simple level, by different user
privileges granted across the organization. For
example, the system administrator will have the
ability to install software, whereas a business
user will not have such rights. Restricting users’
ability to install and modify software can be
seen as a preventive control since it provides
reasonable assurance that untested or
incompatible software and software that has
not been appropriately reviewed or licensed will
not be placed on the system.
5. User awareness of risks
Another organizational control strategy is to
ensure that management makes their
employees aware of the various information
system risks by investing in security education
training and awareness (SETA) programs. This
can include briefing sessions about password
policies and computer monitoring.
Management should ensure users of
organizational information systems are aware
of the security threats and issues, and
understand organizational security policies and
the policies for detection of fraud.
6. Data storage procedures
Information is stored on servers about
customers, staff and intellectual property. If a
competitor was able to access this information
it could cause serious consequences for the
organization, both financially and non-
financially (for example, reputational damage).
Increasingly, management in organizations need
to manage the risks associated with data
storage either locally on their premises or in a
data center, or in the cloud. Two major risks are
associated with cloud storage. The first is the
inability to audit and monitor at file level. The
second is the inability to access the internet to
access data.
Being clear on what data is needed by different
parts of the organization, and setting up access
rights accordingly, is also an important control
step. In addition, where data is of a sensitive
nature, logs that record when the data is
accessed and who accesses the data can be an
important resource used by auditors and
investigators.
Another dimension that raises control concerns
related to data and technology resources is
increased mobility. IT executives and Chief
Information Officers may be reluctant to adopt
cloud services, particularly mobile cloud,
because of security and privacy concerns. The
unresolved security issues relating to mobile
cloud environments include data security,
network security, data locality, data integrity,
web application security, data segregation, data
access, authentication, authorization, data
confidentiality, data breach issues, and various
other factors.
Accordingly, control procedures relating to the
access, duplication and sending of data are an
important aspect of general control policies,
particularly as more organizations decide to
adopt cloud-based services for storing data.
Examples of such control policies include, but
are not limited to:
• restriction of user privileges — who can
read data only versus who can also copy
data
• encryption of stored data
• encryption of data being sent between
locations
• access logs for the access and alteration
of data
• firewalls to protect data and systems
from unauthorized external access
• regular updates of virus definitions
• regular system scans
• scanning of attachments before
opening/downloading
• policies on attachments that will be
accepted by the email system
• password/biometric identification in
start-up routines for computing devices
• physical locking of portable computing
devices when left unattended.
Backup policies are also important as backups
may be the only means of recovery in the event
of destruction or corruption of data. The
frequency of backups is an organizational
decision, based on the extent of data and the
extent to which data change on a day-to-day
basis. However, important aspects to keep in
mind when developing a backup policy are:
• keeping multiple backups
• storing backups off site or in the cloud
• keeping multiple versions of backups
• deciding what and how frequently to
back up.
Several organizations now offer services such as
offsite storage and backup facilities, making use
of internet technology as a way of transferring
backup data to remote locations and adding
that extra degree of security should something
go wrong at a main site.
Scheduling of backups is also of consideration.
Traditionally, systems that operated in a batch-
-processing environment would perform
scheduled backups in the evening when the
system was not performing routine
transactions. Of course, once the first
transaction of the new day occurs, the backup is
out of date. In this instance, the backup
mitigates the loss but does not eliminate it.
Movement has been made towards real-time
backups, whereby as transactions occur data is
updated on site as well as at the backup site.
This approach effectively synchronizes the
business’s main site with the backup site, with
processing occurring at both locations and a
backup existing that is as recent as the last
transaction. The potential downside to this
approach is that it obviously places a demand
on communication between the two sites and
will be more costly to maintain.
Application controls
Application controls ‘are manual or automated
procedures that typically operate at a business
process level and apply to the processing of
transactions by individual applications. As this
definition indicates, application controls are
designed around the control objectives of a
specific business process or system (e.g., the
sales process, ordering process, manufacturing
process or cash receipts process) and relate to
processing within individual applications. That
is, application controls are specific to a
particular business process in that they will be
implemented to address the risks and threats
unique to that process. Application controls
operate within the scope of general controls. In
a computerized environment, application
controls will typically be classified as input,
processing or output.
INPUT controls
Standardized forms
The use of standardized forms can help ensure
completeness. The design of the form that users
interact with when entering data into a system
is also an important consideration. There is
benefit in designing the screen to resemble
closely its paper-based equivalent in the real
world. This makes it easier for users to navigate
the screen and ensure completeness in their
input. Proper form design can also ensure
accuracy, since the form will specify the data
that is required, the expected length of the data
(e.g. six boxes for a six-digit customer ID) and
any specific instructions for the data provider.
Standardized forms can be seen as a preventive
control (they work towards ensuring all relevant
data is provided by specifying what must be
completed, reducing the chance of incomplete
forms) and a detective control (a visual
inspection of a completed form will quickly
detect if any key components have not been
filled in or have been filled in inaccurately).
Prenumbering documents
Prenumbering important documents, such as
invoices, purchase orders and cheques, can be a
simple but effective way of helping ensure the
objective of completeness. When documents
are prenumbered, any missing or unaccounted
for documents can easily be identified simply by
looking for a gap in the sequence. For example,
an organization may prenumber its purchase
order forms. If an examination of the purchase
records shows that issued purchase orders on
record go from form number 10 011 to 10 013,
with no record of 10 012, then potentially a
purchase order has gone missing. This missing
document could be explained by honest
misplacement, fraudulent use by an employee
or simple cancellation. However, if documents
were not prenumbered, this missing document
would never have been identified. By
prenumbering the source documents, a control
is built that helps identify any omitted or
unrecorded transactions (the assertion of
completeness) and also provides a control over
the source documents.
Where the source documents are potentially
valuable, for example cheques, it is also useful
to keep a record of cancelled source
documents. Cancelled source documents are
those that are removed from circulation by the
organization. For example, document number
10 012, which may have been previously
identified as missing, could have been cancelled
by the organization because of an error while
filling out the form or cancellation of the order
before sending the purchase order. If a record is
maintained of cancelled source documents,
then reconciling gaps in the sequence of source
documents also becomes easier.
Prenumbering documents can also be a useful
control to address concern about transactions
being classified in the correct reporting period.
As an organization approaches the end of the
financial year it can note the last number of key
source documents, for example, sales invoices,
and set up procedures to make sure that
documents after that number are allocated to
the next period. The use of prenumbering and
classification filters and ranges within
accounting software can work towards this goal.
For example, if we know that the first source
document issued in the period was number 299
and that the last one issued at the end of the
period was 542 then, combining knowledge of
these numbers with the beginning and end
dates for the financial period, we can filter and
sort the documents to check that all documents
before 299 have been recorded in the previous
period and all documents after 542 have been
recorded in subsequent periods. The ability to
filter transactions in this way is present within
various accounting packages, as well as through
the downloading of data into a spreadsheet and
manually sorting the data.
Sequence checks
In a computer-based information system,
prenumbering can be further enforced through
the use of sequence checks. If transactions are
entered directly into the system, with no paper
documentation, then the document number
can be assigned automatically. This will ensure
no missing numbers in sequence checks for
transactions and reduces the risk of incomplete
data (i.e. transactions not being entered). It
could also be argued that sequence checks
contribute towards ensuring the correct
valuation of assets since, for example, if a sale is
not recorded, the associated increase in
accounts receivable will not be recorded.
Turnaround documents
Turnaround documents are documents that
originate as the output of one system and
become the input for another system. There are
literally hundreds of examples of turnaround
documents that you would have been exposed
to. If you have ever flown with a major airline
you will have unwittingly been exposed to
turnaround documents. Think about what
happens when you travel by air. You arrive at
the airport and check your baggage in at the
baggage counter. While there you will also
present the relevant identification, including a
passport if travelling overseas. The attendant
will check your baggage in and allocate you to a
seat, and then issue you with a boarding pass.
The boarding pass contains details of your
flight, departure gate, boarding time, seat
allocation and any other relevant details. When
you then proceed to the boarding gate you
present your boarding pass, which is scanned
through a machine. What is the benefit of using
this document at the boarding point? Airlines
need to keep lists of who actually boards
aircraft, because an aircraft will not take off if a
passenger has checked in luggage but not
boarded the flight. This presents the issue of
how to best capture the data about which
passengers have boarded the flight. One option
could be to have boarding staff rekey data into
the system as passengers present their boarding
pass. However, this is not the most efficient way
— the data have already been captured
elsewhere, so why rekey them? Instead, the
airline magnetizes boarding passes that it
issues, enabling a computer to read the data
that were stored when the passenger checked
in. This has several benefits. The obvious
benefit is that staff members do not have to
rekey passenger data, meaning that boarding
can be completed in less time. Second, the risk
of error is reduced since there is no opportunity
for human error when rekeying the data. The
data are accessed electronically from the
boarding pass, so the risk of inconsistent data
(mismatches between what was captured when
the passenger checked in and when the
passenger boards the plane) are reduced. This
increases the chances of input validity.
The boarding pass is a specific example of a
turnaround document. Another example of a
turnaround document is a remittance advice.
When you receive a bill or a credit card
statement you will often notice that it has a
detachable slip attached at the bottom. This slip
is designed to be returned to the organization
that originally sent you the bill, accompanied by
the payment. Take a closer look at the
remittance slip and you will notice that a lot of
the data are already filled in, for example,
customer number, amount owed and due date.
Why prepare remittance slips? When returned
with the payment to the organization, these
slips allow payments to be linked to customers,
so the organization knows which customer the
cash receipts come from. Additionally, the
details of the cash receipt are on the remittance
slip and just have to be entered by the relevant
person. The benefit is that there is no reliance
on the customer to fill in the slip, reducing the
possibility of errors and helping ensure valid
and complete inputs are entering the system.
Use of turnaround documents helps achieve
completeness of data entry, with all required
data contained in the turnaround document.
Turnaround documents that contain values or
monetary amounts also help contribute
towards the correct valuation and
measurement of transactions (assertion of
accuracy).
Data entry routines
A computerized information system can also
have built-in programs that ensure inputs are
valid and in the correct format. Examples of
such routines are field checks, validity checks,
completeness checks, limit checks, range
checks, reasonableness checks and redundant
data checks.
Validity checks take a given input for a field and
ensure that it is an acceptable value. For
example, if a customer number is being entered
when recording a sale, the program may take
the customer number that is input and check it
against a master list of customers contained in
the customer table of the database. If the
customer number appears on the master list
then the input is valid and the input stage can
proceed. However, if the customer number
does not appear on the list then an invalid
customer number has been entered. Obviously,
this is not acceptable, so the system will alert
the user to this error and refuse the input. This
removes the potential for invalid or nonexistent
customer numbers entering the system, helping
attain existence and occurrence. KPMG’s Fraud,
Bribery and Corruption Survey 2012: Australia
and New Zealand found that false invoicing was
the main fraud category for management,
making the issue of being able to validate
transactions an important one for
organizations. In a relational database
environment, a control of this nature can be
established using primary and foreign keys and
through the enforcement of referential
integrity. Validity checks can contribute towards
data accuracy (e.g. does the customer exist in
our customer table?), ensuring data are entered
correctly.
Completeness checks ensure that all required
data are entered. If a user is entering a sale into
the sales system and the sales screen has ten
different fields to be completed, then it needs
to be ensured that the user completes all ten
fields. Failure to do so will lead to incomplete
data about the transactions being entered. A
completeness check will ensure that all required
data are entered before the user can advance
to later screens or move to a new sale. A
practical example of such a check can be found
in a lot of website store fronts and web-based
forms. If you have ever completed an online
form or made an online purchase, you will have
probably noticed that some of the fields are
marked to designate them as required fields. If
you try to proceed without putting data into the
required fields, the site will return an error
message and not allow you to go any further
until the required fields are completed. This is a
way of trying to enforce input completeness for
online forms and will contribute to the goal of
completeness. Again, this control can contribute
to the accuracy of the data that has been
recorded; if necessary data about a transaction
is not recorded then the details about the
transaction cannot be deemed to be accurate.
Limit checks will check values input into a field
to make sure they fit within a predetermined
upper limit. For example, there may be a firm
policy that orders must be a maximum of 50
reams of paper at any one time. A limit check
will detect any amount greater than 50 entered
in the quantity field and reject it. The
application of limit checks is a technique for
attaining the correct valuation or measurement
of transactions.
Range checks function in a manner similar to
limit checks, with the exception that the checks
apply to both upper and lower limits. Returning
to the paper ordering example, if store policy is
that anywhere between 30 and 50 reams of
paper can be ordered at one time, then the
range check will detect any amount outside
these upper and lower limits. Similarly to limit
checks, range checks help reasonably assure the
correct valuation or measurement of
transactions.
Reasonableness checks operate to check that
the numeric input for a field is within a
reasonable numeric range. For example, if a
field requires you to enter your number of
hours worked for a week and you key in 400
instead of 40, a reasonableness check should
identify this value as outside reasonable values
for weekly hours and prompt you to correct the
value. Once again, this check will contribute
towards the aims that relate to the valuation
and measurement of transactions.
If data are being entered for a critical event or
important transaction, then a control that can
be used to help ensure correctness of inputs is a
redundant data check. This control operates by
having the data entered twice and then
checking the two sets of inputs and making sure
that they are identical. Ideally, different people
will perform the two inputs, making the
system’s comparison of inputs more
meaningful. Obviously, this control has the
disadvantage of being costly to implement,
since data are required to be entered twice.
Accordingly, a key factor in determining
whether to implement this control will be the
cost–benefit principle. If the cost of having the
data entered twice exceeds the benefits, then
this control would not be applied.
Automated form completion
A step forward from the validity checks
mentioned above is to automate part of the
data entry routine. For example, when entering
customer details to record a sale, once the
customer number is entered the computer can
automatically fill in other customer-related data
fields (customer name, address, phone number
and so on). This is done by looking up the
customer number in the customer data table
and retrieving all related data. The benefit of
this control is that it makes data entry more
efficient, since less time is spent keying in
details. In addition, by reducing the amount of
data entry the chances of data entry errors are
reduced (i.e. as long as the customer number is
correct all related data items will be correct). Of
course, this assumes that the customer details
in the database are up to date.
The input controls mentioned above aim to
provide reasonable assurance about the
accuracy and validity of data that is entered into
the system. Data entry errors that make it
through the input stage can have costly
consequences.
Transaction authorization procedures
This control can help to prevent unauthorized
transactions entering the system. Risks
presented by unauthorized transactions can be
quite large, for example, the National Australia
Bank announced a loss of $360 million as a
result of unauthorized foreign currency
transactions executed by staff. The issue of
authorization and access rights has become
important for organizations with the increased
emergence of ERP systems. Because of the
integrated nature of an ERP system, along with
the ‘interconnectivity and automation of
processes’, correctly authorizing employees’
access and privileges is an ongoing, time-
consuming and complex process. Authorization
procedures can also help in the attainment of
the objectives of existence and occurrence,
particularly if a separate person provides the
authorization. They can also include the review
of event data before the execution of the event.
Batch totals
Batch totals are another effective input control.
In a batch environment, transactions are
accumulated and, at some set interval,
processed. In a sales system, for example,
invoices may be accumulated until the end of
the day and then processed upon the
completion of the day’s trading hours. A
concern in this environment is making sure that
all of the invoices are recorded in the system at
the end of the day (completeness). This can be
helped by the use of batch totals. For example,
the sales staff may accumulate their invoices
and at the end of the day count how many
invoices they have. This batch of invoices,
together with a batch header form detailing
who prepared the batch and the number of
documents in the batch, could then be sent to
the data entry staff, where they would be
entered in the system. Staff in data entry should
check to ensure that they received the number
of documents indicated in the batch header
form, and that all these documents were
entered. This is an example of a document
count batch total. It operates to make sure no
documents are missing, but it has limitations.
While the data entry staff may enter all the
invoices, they may key in details different from
those on the invoices, for example, they may
key in sales of $100 instead of $1000. This will
not be detected by the batch totals based on
the number of documents.
An alternative method to help with both
completeness and valuation or measurement
could be to use total sales dollars for all invoices
in the batch. The batch process would operate
as described above, but instead would be
calculated based on the sales value of the
invoices. This overcomes the limitation of the
document count approach.
Independent reviews
An independent review is a useful monitoring
technique that involves the work of one person
being reviewed by a different person to ensure
completeness, accuracy and correctness, and
can potentially make information more
valuable. If the same person performs the work
and checks the work for errors, the review is of
little value. Consider if students were able to
mark their own exam papers — there would be
a chance that errors would not be detected or
that proper marking procedures would not be
followed. For example, data about banking
transactions may be processed into a bank
reconciliation report for review by an
independent person, who then compares it
against cash receipts and payments listings and
bank statements to verify the reliability of the
bank reconciliation process.
PROCESSING controls
Processing controls aim to ensure that data
within the system is correctly and accurately
processed. An example is sales data entered
throughout the day being transferred to
accounts receivable to update the account
balances. Controls relate to how the computer
handles the data in transferring it from one file
to another, and assurance is needed that (1) all
sales have been transferred to accounts
receivable and (2) all sales have been correctly
transferred to accounts receivable.
Run-to-run totals
In a computer processing environment, data
will be gathered, used in a process and stored at
a destination. The idea is that the total of the
data before the process of updating the data
files should match the total of the data after the
update has been performed. If we think of the
sales/accounts receivable discussed in the batch
total example, the closing balance of accounts
receivable (after the sales have been
transferred) should equal the opening balance
(before transfers) plus sales (ignoring any
payments from customers). With this logical
relationship between the opening and closing
data we are able to build in checks to ensure
that updates have been correctly performed. If,
after the computer performs the update, the
closing accounts receivable balance is less than
the check total we calculated prior to the
update (opening balance plus sales), the
possibility exists that (1) not all sales have been
transferred to accounts receivable or (2) all
sales have been transferred but they have been
transferred at the wrong amount or to the
wrong account. Run-to-run totals aim to check
that processing of data has taken place
correctly, no errors have been introduced and
no data has been lost. Notice how this control
does not prevent the error from happening.
Rather, it detects that there has been an error
in processing and alerts the user to the
problem. Run-to-run totals will typically relate
to the accurate processing and updating of data
and, as such, can apply to the correct valuation
of accounts (e.g. accounts receivable), accuracy
of items (have the amounts been correctly
recorded?) and completeness of transactions
(have all transactions affecting an account been
included?).
Reconciliations
You will recall from introductory financial
accounting units that the purpose of a bank
reconciliation is to check business records
against those of the bank, enabling any
inconsistencies between the two to be
identified. This reconciliation process is a
valuable part of an organization’s internal
control activities, providing it with a way to
protect its cash resources. Another example is
reconciliations of control and subsidiary ledger
accounts. Reconciliations allow the comparison
of two sets of information that should
theoretically be the same to identify any
inconsistencies. Reconciliations are more
powerful if the two sets of information are
prepared by two different people and an
independent third person performs the review.
Batch totals
Batch totals, as explained previously, can also
be used as a control for data processing, since if
data is being shifted from one file to another
the data should not change. As such, the total
of the data (be it number of records or dollar
values) should be the same before and after the
processing occurs.
Sequence checks
Sequence checks, as discussed previously, can
also be used during the processing of data. At
the processing stage, these checks can operate
to ensure that no data have gone missing during
processing activities. An example could be in
the transferal of cheque payments from the
cash payments journal to the ledger accounts.
If, in the journal, we are able to identify a
sequence of cheques numbered 1 through to 5
but the ledger contains cheques 1, 2, 3 and 5,
the gap in the sequence tells us that
somewhere in processing the cheque data an
entry has been lost.
Run-to-run totals
Run-to-run totals will help identify whether any
transaction data have gone missing between
when they were first gathered and after their
processing, while accuracy is attained by
checking totals to ensure that they are the same
before and after the processing of data.
Hash totals
Hash totals are batch totals based around
meaningless figures, for example, the sum of all
customer numbers in a batch. Use of hash totals
can help to detect any errors that may have
entered the data during processing (e.g. if a
hash total is taken before and after processing),
as well as attain completeness in updates and
processing.
OUTPUT Controls
Output controls are built around protecting the
outputs of the system. These controls protect
access to outputs as well as the format and
content of outputs. Examples of output controls
include access privileges and the ability to
generate reports, page numbering of reports
and end-of-report footers.
Within any information system there will
generally be users with different responsibilities
and duties. For the principle of segregation of
duties to operate effectively, these different
users should have their access privileges clearly
defined based on the requirements of their job,
which will be contained in their job
descriptions. As an example, for reasons of
confidentiality it is not desirable for all
employees to be able to access payroll data and
reports on annual salary levels and bonuses.
Only those in the human resources department
should be able to access such details.
Alternatively, the salesperson should not be
able to update inventory records and the
inventory manager should not be able to modify
or create sales records. These concerns can be
overcome by correctly establishing user
privileges that relate to the data the user can
add, delete or modify, as well as the reports,
queries, outputs and information the user can
access. In the integrated environment of an ERP
system, the correct definition of user access
privileges is especially important.
Another concern about outputs, apart from
who can access them, includes the physical
control over them once they are generated.
Confidential or privileged information should
not be printed on a printer accessible by all
staff; such output should be printed to a secure
location where only those authorized to access
the information have access to the site. For
example, employee appraisal forms would
probably be best printed to a secure printer in
the HR manager’s office rather than to a general
printer that all staff access for their print needs.
Once reports or information have been
generated, it needs to be ensured that there is
an entire set of information. So for a multipage
output that is printed, a simple but extremely
effective control to ensure completeness of the
output received is to preformat footers to
provide page numbering, for example, ‘Page #
of ##’. With this page numbering system, pages
collected can be identified as well as the
number that there should be in total. So if there
are six pages and the footer says there should
be seven, it is easy to see that this is not the
complete report.
Along similar lines, preformatting reports to
contain a simple message such as ‘END OF
REPORT’ at the completion of the report is
another way to ensure that you have the final
page. This, combined with page numbering, can
be an effective way of ensuring that any missing
pages of output are quickly identified. Database
queries Database queries can also be a powerful
tool for detecting irregularities or anomalies.
For example, if a company suspects that an
employee is posing as a vendor, submitting fake
invoices and receiving payment for these
invoices, a quick crosscheck of employee
addresses and vendor addresses could detect
this. Alternatively, if it is suspected that
accounts staff are keeping cash paid by
accounts receivable customers and reducing
accounts receivable through a sales return or
credit note entry, a query of sales returns by
customers and sales staff could be useful to
detect irregular levels of returns, which could
then prompt further investigation.
Disaster recovery plans business there are several approaches to
choose from, including the establishment of hot
Another crucial aspect of an organization’s
sites, cold sites and autonomic infrastructure.
control system is its ability to recover from any
An organization that can ill afford downtime
accidents or disasters that may occur and to
due to disaster may consider the establishment
minimize the damage to the organization and
of a hot site. This is a separate facility located
its resources. This aspect of the control system
away from the organization’s usual premises
is encompassed in the disaster recovery plan,
and contains offices and the necessary
which is the strategy that the organization will
equipment (such as IT, telecommunications and
put into action in the event of a disaster that
data) to get the business back up and running in
disrupts normal operations in order to resume
the minimal amount of time after a disaster
operations as soon as possible and recover data
occurs. Essentially, it is a standby site ready to
that relate to its processes. The obvious
be called into immediate action should the
example of a disaster is the terrorist attacks of
organization require it. Many different hot-site
11 September 2001 against the World Trade
subscription services are available, with
Center in New York. As the Twin Towers
organizations able to sign up with, for example,
collapsed, businesses were suddenly confronted
HP, which has 44 such sites around the world
with the prospect of immense losses, both in
for lease, or IBM, for the provision of a hot site.
terms of assets and knowledge lost and
downtime in operations. An alternative to the hot site is a cold site.
Unlike a hot site, a cold site does not have the
As a result of the threats of disaster — whether
necessary equipment and data in place for the
they be a result of terrorism, or natural
organization to immediately continue
disasters such as fire, floods, cyclones or
operations. Rather, it is an available office with
earthquakes — organizations must consider
basic telephone and electricity supplies ready
how they can deal with such threats. Their
for use should they be required. However, the
reaction to the threat of disaster can be
organization using the cold site still has to
preventive or corrective. The main aim for an
arrange for the necessary data, technology and
organization in the event of a disaster that
other resources that are required to resume
disrupts business operations is to limit the time
business operations.
the business is out of operation and minimize
the extent of loss to existing business resources Staffing
— particularly information — so that the
Staffing issues in the event of a disaster can be
business can recommence operating as quickly
divided into two categories: the evacuation of
as possible. The way an organization does this is
staff who are present at the location of the
outlined in the disaster recovery plan, which
disaster, and access to staff after the disaster. In
will include provisions for temporary sites, the
the event of a disaster, obviously staff need to
restoration of business networks, staffing and
be familiar with the appropriate evacuation
preserving business relationships.
procedures. After a disaster, organizations need
Temporary sites to be able to contact key employees who are
part of the recovery plan to ensure that the
In the event of a business’s place of operation
disruption to the business is minimal.
being destroyed it needs to be able to resume
Accordingly, plans should be set out for how key
operation in a new location as soon as possible.
staff members such as the CEO and division
This is the role of the temporary site, and for a
managers can be contacted. After all, even the
best planned disaster recovery procedure is organizations have considered their needs and
useless if nobody is present to implement it. developed suitable arrangements for a disaster
recovery plan, they should then ensure that the
If the recovery plan requires the action of staff,
plan can be put into operation. Much as you
it is critical to ensure that they know what their
used to have fire drills when you were a student
role is and how they fit in to the overall plan.
at school, an organization should conduct
This is why regular drills to ‘practice’ the
disaster recovery drills. These involve a mock
recovery plan is important. Additionally, if part
execution of the disaster recovery plan to
of the plan involves switching to a remote site
ensure that those responsible can perform their
in another city, town, state or country, the
required tasks and that the plan actually works.
organization should ensure that the people who
Just as dangerous as not having a disaster
are to operate that remote site are aware of
recovery plan is the organization having a plan
what they are required to do and ready to put
but not testing that it actually works. The risk in
the plan into action at a moment’s notice. There
this case is that, if something goes wrong, staff
is little point having a fully equipped hot site
will not know how to react, since they have
ready to run in the event of a disaster and not
never experienced a drill of the plan.
having people who can staff the site and keep it
Alternatively, an untested plan will very quickly
going.
become out of date or fail to take into account
Staff responsibilities and roles in the disaster changes in the organization or technology.
recovery process should be clearly documented,
Documenting internal controls
as should lines of responsibility and reporting
relationships. There are several ways that an internal control
system can be documented. At an overall level
Restore business relationships
there is the control matrix, which tells us the
The reality for a business operating in today’s control objectives of a control system, how they
environment is that it will typically be involved would ideally be attained, and whether they
in networks or arrangements with other actually exist within a system.
organizations or individuals. Such networks or
Narrative descriptions A narrative description
arrangements may include extranets that link
of internal controls is probably the simplest
the organization to its customers and suppliers,
method for documenting internal controls. This
as well as other arrangements or deals that may
approach involves a written description of the
be in place with external organizations. This
system’s operation and how the controls are
scenario makes it essential that the organization
carried out within the system. Typically, when
consult with such partners and related bodies
carrying out an evaluation of an organization’s
when developing a disaster recovery plan. It is
internal controls, auditors will use the narrative
easy just to think in terms of the business that
in conjunction with an additional
you are involved in when designing a recovery
documentation technique, such as flowcharts or
plan, but the relationships this business has
checklists. The benefit of this approach is the
with other parties will also be affected and, to
flexibility available to the preparer of the
keep the business’s operations running, it may
documentation; however, this comes at the cost
be essential to plan to keep these relationships
of structure and consistency in format.
operating in the event of a disaster.

However, merely having a hot or cold site in

place should disaster strike is not enough. Once
Questionnaires and checklists where controls are in operation and little detail
about the actual operation of such controls.
Questionnaires and checklists are another
Complementing the systems flowchart is a
common and easy-to-use approach for
control flowchart. The control flowchart is
documenting an organization’s internal control
suggested by Deloitte & Touche LLP as a way of
system. The checklist approach for
documenting the operation of individual
documenting controls would be expected to
internal controls. Deloitte & Touche LLP also
take place periodically within the organization,
suggests that any good documentation of
with a staff member — typically a member of
internal control should identify seven key
the internal audit division — walking through
aspects: (1) the risk that the control is
the organization and examining what controls
addressing, (2) how the control addresses the
are present or absent. A checklist approach is
risk, (3) details of monitoring for the control’s
also commonly employed by external auditors
effectiveness, (4) how the performance of the
when evaluating the adequacy of internal
control is assessed, (5) any problems identified
controls for an information system before the
in the operation of the control, (6)
completion of a financial statement audit. The
improvements for the control’s effectiveness
benefit of this approach is that it is a highly
and (7) a sign-off date from the control’s
structured means of documenting controls;
evaluation.
however, the disadvantage is that it can lead to
a one-size-fits-all approach to documentation as Control matrix
well as to the possibility that controls not listed
A matrix is any grid that combines multiple
on the checklist but in place within the
perspectives or attempts to integrate multiple
organization may go undocumented.
perspectives. Control documentation benefits
Flowcharts from a matrix approach given that there are
many perspectives to controls. We may be
Systems flowcharts, illustrate a system and its
interested in the risks within a process and the
inputs, processes and outputs. This includes the
controls in place to address that risk, in which
documents that are part of the system, the
case a matrix linking the two could be prepared.
processes involved in the system, and the
Alternatively, we may be interested in the
entities involved in the system. The benefit of
execution of the various controls within a
the systems flowchart as a source of control
process, in which case a matrix of controls and
documentation is that it contains these
characteristics could be prepared. This leads to
different aspects about a system. Because of
the possibility of numerous matrix possibilities
the detail in the diagram, who does what tasks
for documenting controls. While research has
can be identified, allowing assessment to be
acknowledged that control matrices can be
made as to whether separation of duties has
time-consuming to prepare, the benefits in
been adequately used. It is also possible to see
terms of the perspective they provide on a
the activities that occur, allowing the
system can be useful to those within the
identification of controls operating within the
organization. Accordingly, preparation of a
system. Additionally, by analysing a systems
control matrix was proposed in the COSO report
flowchart, any control weaknesses that may
and provides a way of linking the operation of
exist can be identified. The systems flowchart
the control activities to the control objectives of
provides an overall view of the operation of a
an information system.
system, for example, the credit sales system.
However, it provides only a general view of
Limitations of and threats to controls

An internal control system is not a rock-solid

guarantee that the organization’s objectives will
be attained or that errors and illegal activity will
not occur in the organization. CPA Australia
identifies five reasons an internal control
system does not provide 100 per cent assurance
that an organization’s objectives will be
achieved. These five reasons are judgement
error, unexpected transactions, collusion,
management override and weak internal
controls.

In addition to the factors identified by CPA

Australia, Rogers et al. identify eight factors that
can pose as threats to internal controls. These
factors are: management incompetence;
employee turnover; external factors; fraud;
complexity of transactions; complexity of
organizational structure; regulatory
environments; and information technology.
Module 7: Developing and implementing
effective AIS
Introduction
Developing effective accounting information
systems requires the collaboration of a wide
range of individuals, including analysts, system
designers, and managers. Accountants, both as
auditors and as general information users,
should be part of all IT studies involving
accounting information systems.
Developing effective accounting information
systems requires the collaboration of a wide
range of individuals, including analysts, system
designers, and managers. Accountants, both as
auditors and as general information users,
should be part of all IT studies involving
accounting information systems.
Learning Outcomes
• Understand the roles of accountants,
analysis teams, and steering committees
in systems studies.
• Understand why systems analysts must
identify the strategic and operational
goals of an accounting information
system.
• Become familiar with the deliverables in
systems analysis work, especially the
systems analysis report.
• Be able to help plan and complete the
analysis and design phases of a systems
study.
• Know what a feasibility evaluation is and
how to conduct one.
• Understand some of the costs, benefits,
tools, and techniques associated with
systems design work.
• Be able to evaluate alternative systems
proposals and make a selection or
choose to outsource.
• Be familiar with the activities required to
implement and maintain a large
information system.
THE SYSTEMS DEVELOPMENT LIFE CYCLE
Acquiring, implementing, and training people to
use a large AIS is a difficult task. A systems study
(also called systems development work) begins
with a formal investigation of an existing
accounting information system to identify
strengths and weaknesses.
Who actually performs a systems study? This
varies from organization to organization as well
as from project to project. Many large
organizations have IT professionals to perform
this work. In contrast, smaller organizations with
limited technical expertise as well as larger
organizations with other priorities are more
likely to hire outside consultants for this work.
(Note: The Sarbanes-Oxley Act of 2002 expressly
forbids a CPA firm from performing such systems
work for a client with whom it already has an
audit relationship.) Our discussion assumes that
most of the work is performed by a generic
“study team” of experts who may or may not be
outside consultants.
Four Stages in the Systems Development Life
Cycle
Traditionally, we can identify four major steps or
phases of a systems study:
1. Planning and investigation. This step
involves organizing a systems study
team, performing a preliminary
investigation of the existing system, and
developing strategic plans for the
remainder of the study.
2. Analysis. This step involves analyzing the
company’s current system to identify
the information needs, strengths, and
weaknesses of the existing system.
3. Design and acquisition. In this step, an
organization designs changes that
 eliminate (or minimize) the current
system’s weak points while preserving
its strengths. The organization also
decides what system is best and how to
acquire it.
4. Implementation, follow-up, and
maintenance. This phase includes
installing re- sources for the new system
as well as training new or existing
employees to use it. Companies conduct
follow-up studies to determine whether
the new system is successful and, of
course, to identify any new problems
with it. Finally, organizations must
maintain the system, which means that
they correct minor flaws and update the
system as required.
These four phases are the system development
life cycle (SDLC) of a business information
system. Logically, the activities in these phases
flow from stage to stage in only one direction,
like water flowing in a stream. This is why earlier
descriptions of the SDLC referred to it as the
waterfall model. In practice, there is usually
much overlap between phases in the life cycle
and the steps in a systems study don’t
necessarily occur in sequence. Instead, system
developers often perform two or more stages in
parallel with each other.
Systems Studies and Accounting Information
Systems
A systems study looks at all systems in an
organization’s applications portfolio. This
portfolio may include an integrated enterprise
resource planning (ERP) system, along with other
specialized information systems, or it may
consist of many separate systems for functional
areas such as accounting, marketing, and human
resources. Accounting information systems
(AISs) are prime targets for systems studies—for
example, because older ones may not comply
with new governmental regulations. But in
general, a systems study means more than just
replacing or modifying existing information
systems. Typically, altering an accounting
information system also affects work flows, data
gathering and recording tasks, employee
responsibilities, and even the way an
organization rewards its managers. Thus, one
reason why organizations perform systems
studies is because such studies are part of the
greater task of business process reengineering
(BPR)—that is, the task of making major
modifications to one of an organization’s core
systems. Because the accommodation involves
so many changes, employee resistance is
common and often quite strong—especially
where jobs are at stake. This is also one reason
why so many new systems fail.
SYSTEMS PLANNING
The first phase of a systems study involves
systems planning and an initial investigation.
Think you can skip this phase? Think again. Just
as you would not build a house without first
determining what rooms you’d need in that
house, organizations are well advised to plan
carefully.
Planning for Success
In large organizations, system redesigns (or new
development work) typically involve millions of
dollars, making mistakes very costly. In smaller
organizations, major errors can be catastrophic,
leading a firm to bankruptcy. What else can
happen when organizations do not plan
carefully? Here are some examples:
• Systems do not meet users’ needs,
causing employee frustration,
resistance, and even sabotage.
• Systems are not flexible enough to meet
the business needs for which they were
designed and are ultimately scrapped.
• Project expenditures significantly
overrun what once seemed like very
adequate budgets.
 • The time required to complete the new
system vastly exceeds the development
schedule—often by years.
• Systems solve the wrong problems.
• Top management does not approve or
support the new systems. • Systems are
difficult and costly to maintain.
Studies of unsuccessful information systems
projects suggest that mistakes made at the
outset of a systems study are a common reason
why such projects ultimately fail. Careful systems
planning and an initial investigation can avoid
critical missteps that lead to disaster. “Planning
for success” means beginning a systems study
with a focused investigation that: (1) approaches
specific organizational problems from a broad
point of view, (2) uses an interdisciplinary study
team to evaluate an organization’s information
systems, and (3) makes sure the company’s
study team works closely with a steering
committee (described below) and end users in all
phases of the work.
SYSTEMS ANALYSIS
The basic purpose of the systems analysis phase
is to examine a system in depth. The study team
will familiarize itself with the company’s current
accounting system, identify specific inputs and
outputs, identify system strengths and
weaknesses, and eventually make
recommendations for supplementary work.
Figure 6-2 shows the logical procedures that the
team should follow.
In performing its work, the study team should
avoid overanalyzing a company’s system.
Instead, the team should try to identify and
understand the organization’s goals for the
system, perform a systems survey, and prepare
one or more reports that describe its findings.
Understanding Organizational Goals
For the study team to do an adequate job—for
example, determine the real problems within a
company’s information system—its members
must first understand the system’s goals. Of
special importance is determining which goals
are not being achieved under the present system
and why this happens. Organization goals
include: (1) general systems goals, (2) top
management systems goals, and (3) operating
management systems goals.
General Systems Goals
General systems goals apply to most
organization’s information systems and help an
AIS contribute to an efficient and effective
organization. Principles contributing to these
goals are: (1) awareness that the benefits of a
new system should exceed its costs, (2) concern
that the outputs of the system help managers
make better decisions, (3) commitment to a
system that allows optimal access to
information, and (4) flexibility so that the system
can accommodate changing informational
needs.
The study team must determine whether the
current information system helps to achieve
these general systems goals. For example, if an
AIS has excessive costs associated with using
traditional paper documents (e.g., purchase
orders, receiving reports, and vendor invoices),
this will violate goal number one (cost
awareness), and the study team might
recommend that the company use an online
system instead.
Top Management Systems Goals
AISs typically play key roles in satisfying top
management goals. For instance, AISs usually
provide top managers with long-range budget
planning data so they can make effective
strategic decisions about future product-line
sales or similar business activities. Similarly,
periodic performance reports provide top
management with vital control information
about corporate operations— for example, how
sales of new product lines are doing. Finally, top
management needs to know about the short-
range operating performance of its
organization’s subsystems—for example,
summary information about individual
department operating results and how these
results compare with budgetary projections.
Operating Management Systems Goals
Compared to top management, the information
needs of operating managers (for example,
department heads) are normally easier to
determine. This is because the decision-making
functions of operating managers typically relate
to well-defined and narrower organizational
areas. In addition, the majority of operating
managers’ decisions are for the current business
year (in contrast to top management’s long-
range decision-making functions). As a result,
operating managers need information that helps
them meet daily, weekly, or monthly operating
targets.
Systems Survey Work
The objective of a systems survey is to enable the
study team to obtain a more complete
understanding of the company’s current
operational information system and its
environment. Of special importance is
identifying the strengths and weaknesses of the
current system. The overall objective of any new
system is to retain the system’s strengths while
eliminating the system’s weaknesses, especially
those weaknesses causing problems in the
current system. These weaknesses will likely
relate to specific goals that the current system
does not now accomplish.
Understanding the Human Element and
Potential Behavioral Problems. Because the
appearance of a study team on the work scene
usually signals change, employees are often
resistant to help. Unless the study team deals
directly with this problem at the beginning, there
is a good chance that employees will oppose the
changes that the team recommends. Thus, a
systems study must gain the full cooperation and
support of those employees who are crucial to
the success of a new system.
Data Gathering. A systems survey requires the
study team to gather data about the existing
system. There are several ways of doing this,
including:
• Review existing documentation or create
new materials. This documentation includes
descriptive data such as organizational
charts, strategic plans, budgets, policy and
procedure manuals, job descriptions, and
charts of accounts, as well as technical
documentation such as flowcharts, process
maps, and training manuals.
• Observe the current system in operation.
Visiting various parts of the operation on a
surprise basis and asking employees
questions about their jobs can help team
members learn whether the system works as
described, the morale of employees, the
amount of down-time, and workload cycles.
• Use questionnaires and surveys. These can
be anonymous so that respondents share
their views openly about sensitive issues.
Open-ended questionnaires provide an
unstructured free-flow of ideas that may
bring new issues to light. Close-ended
questionnaires (figure above), on the other
hand, are efficient and allow for easy
tabulation of results.
• Review internal control procedures.
Module 6 discusses the importance of
internal control systems. Weaknesses in
these procedures can cause major problems
for a company. The study team should
identify high risk areas, strengths, and
weaknesses of the specific procedures.
• Interview system participants. Face-to-face
interviews allow the study team to gather
system information in the greatest depth
 and can sometimes reveal surprises. For
example, an interview might reveal that a
manager’s decisions don’t really require
input from several existing reports.
Data Analysis
Once the study team completes its survey work,
it must analyze the results. Often, this means
nothing more than creating summary statistics,
but it can also involve developing flowcharts
and/or process maps that can highlight
bottlenecks in information flows, redundant
reporting, and missing information links.
Systems analysis work necessarily takes longer
than a preliminary investigation, typically
months. Where required, the study team will
provide interim reports to the steering
committee about its progress. The most
important deliverable from the analysis portion
of the systems study, however, is the final
systems analysis report, which signals the end of
the analysis phase of the system study. Like
other reports, the study team submits this report
to the steering committee, which then considers
the report’s findings and debates the
recommendations it contains.
As representatives of top management, the
steering committee has, within limits, the ability
to do whatever it wants. It could abandon the
project, ask for additional analyses and a set of
revised recommendations, or vote to proceed to
the systems design phase of the project.
Evaluating System Feasibility
After obtaining a positive response from the
steering committee, the design team must
perform a detailed investigation of different
potential systems. Figure 6-4 shows that this
work involves five major procedures or activities.
The first of these is a feasibility evaluation in
which the design team determines the
practicality of alternative proposals. Only after
this step is completed can the design team tackle
the other steps. For each system alternative, the
design team must examine five feasibility areas:
(1) technical feasibility, (2) operational
feasibility, (3) schedule feasibility, (4) legal
feasibility, and (5) economic feasibility.
Technical Feasibility. The technical feasibility of
any proposed system attempts to answer the
question, “What technical resources are
required by a particular system?” Hardware and
software are obvious components. A proposed
system that can interface with critical existing
software is more desirable than one requiring
the organization to buy new software. Computer
experts typically work on this phase of the
feasibility evaluation because a thorough
understanding of IT is essential.
In addition to developing a preliminary hardware
or software configuration for a proposed system,
the design team must also determine whether
current employees have the technical skills to
use it. If a specific computerized system is too
sophisticated for a company’s employees, it is
unlikely that requiring employees to use it in
subsequent daily operations will be very
successful.
Operational Feasibility. The operational
feasibility of a proposed system examines its
compatibility with the current operating
environment. This means determining how
consistent the tasks and procedures required by
the new system will be with those of the old
system. The design team must also analyze the
capabilities of current employees to perform the
specific functions required by each proposed
system and determine to what extent employees
will require specialized training.
Operational-feasibility analysis is mostly a
human relations study because it is strongly
oriented towards “people problems.” For this
reason, human-relations specialists participate
heavily in it. As noted earlier, employees
commonly have negative attitudes toward
changes that can affect their organizational
duties. Encouraging employees to attend
briefing sessions, suggest changes, and
understand how a new system will enable them
to perform their jobs more easily can help limit
employee resistance.
Schedule Feasibility. Timeliness is important.
Schedule feasibility requires the design team to
estimate how long it will take a new or revised
system to become operational and to
communicate this information to the steering
committee. For example, if a design team
projects that it will take 16 months for a
particular system design to become fully
functional, the steering committee may reject
the proposal in favor of a simpler alternative that
the company can implement in a shorter time
frame.
Legal Feasibility. Are there any conflicts
between a newly proposed system and the
organization’s legal obligations? Legal feasibility
requires a new system to comply with applicable
federal and state statutes about financial
reporting requirements as well as the company’s
contractual obligations.
Economic Feasibility. Economic feasibility seeks
assurance that the anticipated benefits of the
system exceed its projected costs. This requires
accountants to perform a cost-benefit analysis.
This analysis takes into account all costs,
including indirect costs such as time spent by
current employees on implementing the new
system. It also considers benefits, which are
sometimes difficult to foresee or estimate. A
common mistake is underestimating the costs of
implementation and continuing operations. The
accountants conducting the analysis need to
separately identify one-time costs versus
recurring ones. The point of the economic
feasibility analysis is to get a “best estimate” of
the worthiness of a project.
DETAILED SYSTEMS DESIGN AND ACQUISITION
Once the steering committee approves the
feasibility of a general system plan (project), the
design team can begin work on a detailed
systems design. This involves specifying the
outputs, processing procedures, and inputs for
the new system. Just as construction blueprints
create the detailed plans for building a house,
the detailed design of a new system becomes the
specifications for creating or acquiring a new
information system. Figure 6-5 provides
examples of the detailed requirements that the
design team must create, and these
requirements in turn explain specifically what
the proposed system must produce.
From an accounting standpoint, one of the most
important elements in a new system is its control
requirements. In this matter, the design team
should have a “built- in mentality” when
designing control procedures for a system. In
other words, rather than adding controls after a
system has been developed and installed, the
team should design cost-effective general and
application control procedures into the system
as integrated components.
Designing System Outputs, Processes, and
Inputs
Once the design team determines that a system
is feasible and creates a general design, it can
focus on developing the system’s input,
processing, and output requirements. When
performing design tasks, it is perhaps curious
that the design team first focuses on the
outputs—not the inputs or processing
requirements—of the new system.
The reason for this is that the most important
objective of an AIS is to satisfy users’ needs.
Preparing output specifications first lets these
requirements dictate the inputs and processing
tasks required to produce them.
During the analysis phase and general system
design, the study team must develop boundaries
for the new system that define the project’s
scope. Failing to do so causes scope creep—that
is, expands the scope of a project and costs
money. Outside consultants often handle these
requests by drafting proposals showing the
additional costs associated with them. These
costs can include delays in meeting the schedule
for delivering the project.
System Outputs. The design team will use the
data gathered from the prior systems analysis
work to help it decide what kinds of outputs are
needed as well as the for- mats that these
outputs should have. Although it is possible for
the design team to merely copy the outputs of
an older system, this would make little sense—
the new system would be just like the old one.
Instead, the team will attempt to create better
outputs—that is, design outputs that will better
satisfy their users’ information needs than did
the old system.
Outputs may be classified according to which
functional area uses them (e.g., marketing,
human resources, accounting, or manufacturing)
as well as how frequently they must be produced
(e.g., daily or weekly). Where a specific report is
not needed on a regular basis, the system should
be able to provide it when requested (a demand
report) or triggered when a certain condition is
met (an exception report). For example, an
accounts receivable report on a specific
customer’s payment history might be issued on
demand or generated automatically when a
customer owes more than a specified amount.
Although many organizations still rely heavily on
hard-copy (printed) reports, systems designers
should also consider the possibility of creating
soft-copy (screen) reports as an alternative,
which use less paper and, of course, do not
require a printer for viewing.
Process Design. Until now, the system designers
have focused on what the system must provide
rather than how the system can provide it. After
designing the outputs, their next step is to
identify the processing procedures required to
produce them. This involves deciding which
application programs are necessary and what
data processing tasks each program should
perform.
There are a large number of tools for modeling
computer processes. Among them are the
system flowcharts, data flow diagrams, program
flowcharts, process maps, and decision tables
discussed in Module 4. Another popular tool is
the entity-relationship (E-R) diagram discussed in
Module 2. Common to all these design
methodologies is the idea of structured, top-
down design, in which system designers begin at
the highest level of abstraction and then “drill
down” to lower, more detailed levels until the
system is completely specified.
Designing System Inputs. Once the design team
has specified the outputs and processing
procedures for a new project, its members can
think about what data the system must collect to
satisfy these output and processing
requirements. Thus, the team must identify and
describe each data element in the systems
design (e.g., “alphabetic,” “maximum number of
characters,” and “default value”) as well as
specify the way data items must be coded. This
is no easy task, because there are usually a large
number of data items in even a small business
application. Chapter 7 discusses the subject of
data modeling in detail.
After the design team identifies and describes
the input data, it can determine the source of
each data element. For example, customer
information such as name, address, and
telephone numbers may be gathered directly
from web screens, while the current date can be
accessed from the computer system itself.
Wherever possible, the design team will attempt
to capture data in computer-readable formats.
As noted in Chapter 4, this avoids costly, time-
consuming data transcription as well as the
errors such transcription typically introduce into
the job stream.
The System Specifications Report
After the design team completes its work of
specifying the inputs, outputs, and processing
requirements of the new system, the members
will summarize their findings in a (typically large)
systems specification report. It provides some
representative information in such a report. The
design team submits this report to the steering
committee for review, comment, and approval.
The Make or Buy Decision. The project is now at
a critical juncture. If the steering committee
approves the detailed design work, it now faces
a make-or-buy decision. In large organizations,
one possibility is to use internal IT staff to
develop the system. This choice offers the
tightest control over project development, the
best security over sensitive data, the benefits of
a custom product that has been tailor-made for
the exact requirements of the application, the
luxury of replacing the old system piecemeal as
modules become available, and a vote of
confidence for the organization’s IT staff. But this
choice also uses valuable employee time and can
divert the organization’s resources from its main
objectives—for example, manufacturing
products.
Another possibility is to outsource the project’s
development to a contractor. This choice is
useful when an organization lacks internal
expertise to do the work or simply wishes to
avoid the headaches of internal project
development. Finally, the steering committee
can purchase prewritten software (commonly
called canned software) and perhaps modify it to
suit the organization’s needs. If the organization
requires both hardware and software, the
committee may also choose to shop for a
complete, “ready-to-go” turnkey system. The
steering committee can ask the computer
vendors to submit bid proposals for such a
complete system, or alternatively, can ask each
vendor to provide separate bids for hardware
and software.
Choosing an Accounting Information System
Because internal project management and
systems development are beyond the scope of
this text, we’ll assume here that the steering
committee opts to acquire most of its system
resources from outside vendors. This is the most
common choice today. If the committee takes
this course of action, the systems specifications
report can help them create a request for
proposal (RFP) outlining the specific
requirements of the desired system. Upon
finalizing the systems specifications, the
committee (with the help of the design team and
perhaps outside consultants) will send a copy to
appropriate vendors. Typically, the RFP also
contains a deadline for bidding, the length of
which varies—for example, just a few weeks for
hardware, and longer periods of time for systems
requiring custom development tasks.
After the deadline has passed, an evaluation
committee supervised by the steering
committee will review vendor submissions and
schedule separate meetings with those vendors
who provide viable system proposals. The
participants at each meeting include
representatives from the vendor,
representatives from the steering committee,
and representatives from the evaluation team.
The vendor’s role is to present its proposal and
to answer questions from the other participants.
The evaluation committee’s role is to listen to
the vendor proposals, ask questions, provide
input to the steering committee about the pros
and cons of each one, and perhaps make a
recommendation for a preferred provider.
Selection Criteria. The steering committee’s
responsibility is to make a final selection and is
not restricted in its choices. It can accept one bid
totally or spread its purchases among two or charge extra for enhanced services.
more providers. Here are five key factors that a Although a vendor’s reputation is relative, a
steering committee might consider, listed in buyer can also check with the Better
order of importance according to a recent survey Business Bureau or speak with some of the
of 160 international financial officers: vendor’s other clients.
4. Costs and benefits of each proposed
1. The functionality and performance
system. The accountants on the design team
capabilities of each proposed system. An
will analyze the costs of every vendor’s
accounting system must be able to process
proposed system in relation to the system’s
an organization’s data and provide users
anticipated performance benefits. They will
with the outputs they need. Examples of
also consider the differences between
performance measures include the types of
purchasing and leasing each vendor’s
normal and customizable information the
system. If the steering committee elects to
system can provide, response time, and
purchase a system, the accountants should
maximal number of simultaneous online
then advise the committee on a realistic
users supported.
depreciation schedule for the new system.
2. Compatibility of each proposed system with
5. Maintainability of each proposed system.
existing systems. The new system must
Maintainability means the ease with which a
interface and work with existing computer
system can be modified. For example, a
hardware, software, and operating
flexible system enables a firm to alter a
procedures. In some instances, this comes
portion of a payroll system to reflect new
down to hardware issues—for example, it
federal tax laws. Because the costs of
may not be possible to run the new software
maintaining large systems are typically five
on the company’s older local area networks,
times as much as the costs of initially
which will consequently have to be
acquiring or developing a system, evaluators
upgraded. But compatibility issues can also
should emphasize this dimension in its
involve the operating system, existing
deliberations for custom-built systems.
application software, or operational
concerns—for example, requiring Making a Final Decision. If a company finds
employees to learn new procedures for several software packages that appear to satisfy
inputting data or generating reports. its needs, how should it decide on the best one?
3. Vendor stability and support. Vendor Two methods for this are (1) point scoring
support includes such things as (1) training analysis and (2) hands-on testing.
classes that familiarize employees with the
Point-Scoring Analysis. Figure below illustrates
operating characteristics of the new system,
an example of a point-scoring analysis for an
(2) help in implementing and testing the new
accounts-payable system. Here, an organization
system, (3) assistance in maintaining the
finds three independent vendors whose
new system through a maintenance
packages appear to satisfy current needs.
contract, (4) backup systems and
Because the cost to lease each vendor’s software
procedures, and (5) telephone assistance for
package is about the same, “cost” is not an issue
answering user questions. The availability of
in this selection process.
“business-hours-only” versus “round-the-
clock” support and the avail- ability of To perform a point-scoring analysis, the
domestic versus offshore customer support evaluation committee first assigns potential
are other considerations. Most vendors points to each of the selection criteria based on
its relative importance. In figure above, for
example, the committee feels that “adequate
controls” (10 possible points) is more important
than whether users are satisfied with the
software (8 possible points). After developing
these selection criteria, the evaluation
committee proceeds to rate each vendor or
package, awarding points as it deems fit. The
highest point total determines the winner. In
figure above the evaluation indicates that
Vendor B’s accounts payable software package
has the highest total score (106 points) and the
committee should therefore acquire this
vendor’s system.
Although point-scoring analyses can provide an
objective means of selecting a final system, many
experts believe that evaluating software is more
art than science. There are no absolute rules in
the selection process, only guidelines for
matching user needs with software capabilities.
This is one reason why user input in the selection
process is so important.
Hands-On Testing. Even after selecting a finalist,
an organization might still be hesitant to commit.
With hands-on testing, potential buyers “test
drive” a software package to further evaluate
the system. Figure below provides a list of tests
that AIS shoppers can use for this purpose. Note
especially benchmark testing.
Selecting a Finalist. After each vendor presents
its proposal and perhaps additional hands-on
testing, the steering committee must make its
final selection. If a clear winner emerges from
these activities, the organization can commence
to the implementation stage. But it is also
possible that none of the proposed systems is
satisfactory. At this point, the organization’s
steering committee can (1) request the design
team to obtain additional systems proposals
from other vendors, (2) abandon the project, or
(3) consider outsourcing needed services.
Outsourcing
An alternative to developing and installing
accounting information systems is to out- source
them. Outsourcing occurs when a company hires
an outside organization to handle all or part of
the operations for a specific business function.
Accounting tasks have long been a target for
outsourcing, including accounts payable,
accounts receivable, payroll, general ledger,
accounting for fixed assets, and financial
reporting. Even preparing US income tax returns
are outsourced, typically to English-speaking
countries such as India. Two popular types of
outsourcing are business process outsourcing
(BPO) and knowledge process outsourcing (KPO).
Business Process Outsourcing (BPO). Business
process outsourcing means contracting with
outside firms to perform such normal tasks as
preparing payrolls. Companies commonly sign
such contracts for 5- to 10-year periods. The
annual costs depend on the amount of
processing work required and range from
“thousands” to “millions” of dollars. However,
“outsourcing” does not necessarily mean
“offshoring” as much of such business goes to
domestic consultants or data-processing
concerns.
Knowledge Process Outsourcing (KPO).
Businesses have been outsourcing such
processes as sales order processing for years.
With knowledge process outsourcing (KPO), a
business contracts with an outside company to
perform research or other knowledge-related
work. Four examples are (1) intellectual property
research related to developing and filing a patent
application, (2) data mining of consumer data,
(3) preparing US tax returns, and (4) research
related to medical drugs and biotechnology. The
growth of KPO has been high, with companies in
countries such as India and Ireland doing much
of the work.
IMPLEMENTATION, FOLLOW-UP, AND
MAINTENANCE
Systems implementation is often called the
“action phase” of a systems study because the
recommended changes from the prior analysis,
design, and development work are now put into
operation. Alternatively, the organization
commits to, and now must implement, a new
system.
Systems implementation can be a stressful time.
As the time draws near for installing the new
software, end users and clerical personnel
become nervous about their jobs, middle
managers wonder if the new system will deliver
the benefits as promised, and top managers
become impatient if installations run longer than
anticipated or go over budget. Even if an
organization does a perfect job of analyzing,
designing, and developing a new system, the
entire project can fail if its implementation is
poor.
Implementation Activities
Implementing a new accounting information
system involves many tasks that will vary in
number and complexity depending on the scale
of the system and the development approach.
Some of the steps that may be involved are:
A. Prepare the physical site. An organization
must have physical space for any new hardware
and personnel.
B. Determine functional changes. Whenever a
company makes changes to a major accounting
system, it must also consider the effects of such
changes on its reporting structure and personnel
relationships.
C. Select and assign personnel. Because the
design team has developed detailed
specifications for the new system, the
organization should now have a firm idea about
the job descriptions of system users.
D. Train personnel. Both the implementation
team and computer vendors can help train
company employees to work with the new
system, while seminars can acquaint other
employees with the new system’s advantages
and capabilities. Vendors may provide technical
training for free, or at reduced costs, to
corporate users as incentives to use their
products.
E. Acquire and install computer equipment.
After preparing the physical site location for the
new computer system, the company must
acquire computer equipment such as
microcomputers, web servers, routers, modems,
and printers from outside vendors.
F. Establish internal controls. Organizations
must install control procedures that safeguard
its assets, ensure the accuracy and reliability of
accounting data, promote operating efficiency,
and encourage employee compliance with
prescribed managerial policies. Again, these
controls should be built into a system rather than
added later.
G. Convert data files. When converting to a new
system, an organization may have to convert its
data files to alternate, more-useful formats. This
activity is also common when merging two
systems—for example, when consolidating
formerly separate divisions of a company or
merging the systems from two separate
companies into one.
H. Acquire computer software. The
implementation team must also install the soft-
ware that was acquired or developed for the
project. The software from independent vendors
sometimes comes bundled with hardware in
complete turnkey systems. In general, the
process of acquiring (and possibly making
modifications to) computer software from an
independent vendor takes considerably less time
than developing the programs in-house.
I. Test computer software. Programs must be
tested regardless of where they came from to
ensure day-to-day processing accuracy and
completeness. See again Figure 6-9 for a list of
possible tests.
J. Convert to the new system. In switching to the
new system, the firm may choose to make a
direct conversion by immediately discontinuing
use of the old system and letting the new system
“sink or swim.” An alternative is parallel
conversion, where the organization operates
both the new and the old system for some period
of time. Another choice is modular conversion,
where the new system is implemented in stages,
one process or module at a time. An example
would be first implementing the inventory
module, then order processing, and so on.
The most difficult issue in implementing a new
system is change management. The new system
will bring with it changes to employee job
descriptions and, in some cases, new jobs and no
jobs. Members of the implementation team and
steering committee should communicate openly
with affected workers about how the new
system will impact them. Organizations should
give those employees whose jobs are either
eliminated or materially altered an opportunity
to apply for the new jobs and obtain retraining,
if necessary. Similarly, terminated employees
should receive ample notice to enable them to
apply for other jobs before their employment
ends. Some companies even set up internal
outplacement offices for displaced employees or
create early retirement plans for qualified
employees.
Postimplementation Review
Regardless of which conversion method is used,
the new system will eventually become the sole
system in operation. This brings us to the final,
follow-up and maintenance phase of our systems
development life cycle. The purpose of this
phase is to monitor the new system and make
sure that it continues to satisfy the three levels
of organizational goals discussed at the
beginning of this chapter: (1) general systems
goals, (2) top management systems goals, and
(3) operating management systems goals. When
these goals are not adequately satisfied,
problems normally occur and the system
requires further modifications.
System Maintenance
In practice, implementation teams do not
normally perform follow-up studies of their
company’s new information system. Instead, the
team turns over control of the system to the
company’s IT department, which then shoulders
the responsibility for maintaining it. In effect,
system maintenance continues the tasks created
by the initial follow-up study, except that experts
from the company’s IT subsystem now perform
the monitoring and perhaps modifications. For
example, when users complain about errors or
anomalies in the new system, it becomes the IT
subsystem’s responsibility to respond to these
needs, estimate the cost of fixing them, and
(often) perform the necessary modifications—
or communicate with the vendor to perform
needed modifications. The IT departments of
even medium-size companies typically have
forms for such requests, policies for prioritizing
maintenance tasks, and formulas for allocating
maintenance costs among the various user
departments.
It is common for business systems to require
continuous revisions. Some reasons for this
include competition, new governmental laws or
regulations, or the changing information needs
of top management. Studies show that, over the
life of a typical information system,
organizations only spend about 20 to 30 percent
of the total system costs developing or acquiring
and implementing it. They spend the remaining
70 to 80 percent maintaining it, typically on
further modifications or software updates. In
other words, although “maintenance” may not
be the most glamorous part of a systems
development life cycle, it is almost always the
most expensive part. For this reason,
organizations try to develop or acquire scalable
systems (that can handle larger volumes of
transactions in the future) as well as ones that
are easily modified. Such systems save
businesses money in the long run, even if they
cost more in the short run.
system maintainability, system compatibility
with other systems, and vendor support.
✓ An organization may choose to outsource its IT
operations, accounting processes, or research-
related (knowledge) tasks.
✓ Organizations need to follow-up to find out if
new systems are working as planned.

SUMMARY

✓ The four stages in a systems development life

cycle are (1) planning and investigation, (2)
analysis, (3) design and acquisition, and (4)
implementation, follow-up, and maintenance.

✓ Planning requires creating a team to

investigate the current system and make
recommendations to a steering committee.

✓ Systems analysis requires identifying general

systems goals, top management systems goals,
and operating management systems goals.

✓ A systems survey uses a variety of data

gathering techniques to understand and
document the system.

✓ The systems analysis report contains the study

team recommendations.

✓ The components of a feasibility evaluation are

technical, operational, schedule, legal, and
economic feasibility.

✓ Detailed systems design begins with the

design of outputs, and then inputs and
processes. Designers may choose a prototyping
approach to create the new system.

✓ A systems specification report contains

detailed information about the organization and
its desired system.

✓ Choosing a system requires evaluating system

performance capabilities, costs and benefits,
Module 8: Accounting on the Internet
Introduction
This chapter describes some accounting
applications of the Internet in detail. The first
section describes Internet components such as
Internet addresses and software. This section
also discusses some Internet concepts of special
importance to accountants (i.e., intranets and
extranets). We also discuss XBRL, a financial
reporting language, in this section. One of the
most important uses of the Internet is for
electronic commerce (e-commerce or EC)—the
topic of the next section of this chapter. While
the terms e-commerce and e-business are often
used interchangeably, some experts prefer to
view them as different concepts. E-commerce
involves buying or selling goods and services
electronically. This activity can be between two
businesses, between a profit- seeking company
and a governmental entity, or between a
business and a customer. In contrast, e-business
goes beyond e-commerce and deep into the
processes and cultures of an enterprise. This
could include, for example, email, soliciting
vendor bids electronically, making e-payments,
exchanging data electronically (EDI), and a host
of specialized cloud-computing services. Thus, it
is the powerful business environment that
organizations create when they connect their
critical business systems directly to customers,
employees, vendors, and business partners using
Intranets, Extranets, e-commerce technologies,
collaborative applications, and the web.1 We
discuss some of these topics in the third section
of this chapter. As more organizations conduct at
least some business on the Internet, it is only
natural that managers increasingly recognize the
importance of Internet privacy and security. This
includes protecting consumers’ personal privacy,
protecting proprietary data from hackers, and
safeguarding information that businesses send
to one another over the Internet. The final
section of this chapter discusses these topics in
detail.
Learning Outcomes
• Understand some of the basic concepts
of the Internet, such as TCP/IP, URLs,
and web page addresses.
• Appreciate why electronic
communication and social media are
important to accountants.
• Know why XBRL is important to financial
reporting.
• Understand electronic data interchange
(EDI) and why it is important to AISs.
• Understand some examples of cloud
computing.
• Know the differences between business-
to-consumer and B2B e-commerce.
• Appreciate the privacy and security
issues associated with e-commerce.
• Know why businesses use firewalls,
proxy servers, and encryption
techniques.
• Understand digital signatures and digital
time-stamping techniques
THE INTERNET AND THE WORLD WIDE WEB
The Internet is a collection of local and wide-area
networks that are connected together via the
Internet backbone—i.e., the main electronic
connections of the system. Describing the
Internet as an “information superhighway”
makes sense because over 3 billion people from
around the world now use it, just as a set of
state, interstate, and international highways
connect people physically.2 Almost all univer-
sities are connected to the Internet, as are most
businesses, government agencies, and not-for-
profit organizations. This section of the chapter
discusses Internet basics, including Internet
addresses and software, intranets and extranets,
the World Wide Web, IDEA, groupware,
electronic conferencing, and web logs
3.1. Internet Addresses and Software maps to its correct IP address. In February of
2011, the Internet officially ran out of numbers,
To transmit data over the Internet, computers
and administrators were forced to use
use an Internet address and a forwarding system
workarounds and shared IP addresses to
that works much the same way as the post office
compensate. The new standard is IPv6, which
system. On the Internet, the initial computer
uses 128 bits instead of 32 bits—a version that
transmits a message to other computers along
developers hope will suffice for many years to
the Internet’s backbone, which in turn relay the
come. IP addresses enable Internet computers to
message from site to site until it reaches its final
deliver a specific message to a specific computer
destination. If the message is large, Internet
at a specific computer site—for example, when
computers can divide it into smaller pieces called
you send an email message to a friend at another
data packets and send each of them along
university using the standard Transmission
different routes. The receiving computer then
Control Protocol/ Internet Protocol (TCP/IP). IP
reassembles the packets into a complete
addresses are useful to auditors because they
message at the final destination. An Internet
identify the sender—an important control in e-
address begins as a domain address, which is also
commerce applications.
called a uniform resource locator (URL). This is a
text address such as “www.name.com.uk.” As 3.2. Intranets and Extranets
suggested by this generic example, the lead item
Because Internet software is so convenient to
indicates the World Wide Web. The second entry
use, many companies also create their own
designates the site name, and the third entry
intranets for internal communications purposes.
(“com” for commercial user) is the organization
These computer networks use the same
code. Other organization codes are “edu”
software as the Internet but are internal to the
(education), “gov” (government), “mil”
organization that created them. Thus, outsiders
(military), “net” (network service organization),
cannot access the information on intranet
“org” (miscellaneous organization), and “int”
networks—a convenient security feature. One
(international treaty organization). Finally, a
common use of intranets is to allow users to
domain address can include a country code as
access one or more internal databases.
well—for example, “ca” for Canada, “uk” for the
Advanced search engine technology coupled
United Kingdom, or “nz” for New Zealand. For
with an intranet can deliver user-defined
transmission purposes, Internet computers use
information when needed. Another valuable use
tables of domain names that translate a text-
of an intranet is for gathering and disseminating
based domain address such as www.Wiley.com
information to internal users. Universities offer
into a numeric Internet Protocol (IP) address.
many of the same services to their employees, as
IPv4 is version 4 of this standard and uses 32 bits
well as a similar variety of services and
for this. An example might be 207.142.131.248.
educational opportunities to students. Extranets
The elements in this address contain a
enable selected outside users to access
geographic region (“207”), an organization
corporate intranets. Users connect to internal
number (“142”), a computer group (“131”), and
web servers via the Internet itself using their
a specific computer or web server (“248”). The
assigned passwords. The user can be around the
Internet Corporation for Assigned Names and
corner or around the world.
Numbers (ICANN) maintains the official registry
of domain names, manages the domain name
system (DNS) to ensure that all IP addresses are
unique, and makes sure that each domain name
The World Wide Web, HTML, and Groupware,
Electronic Conferencing, and Blogs
The multimedia portion of the Internet is
commonly called the World Wide Web, or just
“the web.” As you probably already know, you
view these graphics using a web browser such as
Microsoft’s Internet Explorer. A typical entity on
the web is a web page—i.e., a collection of text,
graphics, and links to other web pages stored on
Internet-connected computers.
HTML
Developers typically create web pages in an
editing language such as hypertext markup
language. Web designers store these
instructions in one or more files and use the
Internet to transfer these pages from a source
computer to a recipient computer using a
communications protocol such as hypertext
transfer protocol (HTTP). Your web browser then
deciphers the editing language and displays the
text, graphics, and other items of the web page
on your screen. Because HTML is an editing
language, many of its instructions are simply
pairs of tags that instruct a web browser how to
display the information bracketed by these tags.
Groupware, Electronic Conferencing, and Blogs
Groupware allows users to send and receive
email, plus perform a wide range of other
document-editing tasks. In addition to email
support, these network packages allow users to
collaborate on work tasks, make revisions to the
same document, schedule appointments on
each other’s calendars, share files and
databases, conduct electronic meetings, and
develop custom applications. Examples of such
software include Exchange (Microsoft),
Groupwise (Novell), Lotus Notes (Lotus
Development Corporation), and Outlook
(Microsoft). Instant messaging software enables
remote users to communicate with each other in
real time via the Internet. You are probably
already familiar with such software if you use
MSN Messenger, Yahoo Messenger, or Skype to
chat with distant friends. Many of these
packages also support audio, video, and
electronic conferencing (enabling several users
to join a discussion instead of just two).
Accounting applications include the ability to
interview job applicants remotely, consult with
clients about tax or audit problems, discuss
projects from several remote sites, or plan
corporate budgets.
Large consulting and accounting firms have
access to a wealth of information within their
organizations. Groupware is one of the
technologies behind knowledge management
that many professional service firms (such as
accounting and consulting firms) use to
distribute expertise within the organization
(frequently on its intranet). This information
includes descriptions of clients’ best practices,
research findings, links to business websites, and
customized news. An employee with a client
issue can access the knowledge database to
learn how others handled similar issues. Web
logs, or blogs, are collaboration tools that allow
users with web browsers and easy-to-use
software to publish personalized diaries or
similar information online. A number of them are
published by accountants.
Social Media and Its Value to Accountants
You now probably post comments, pictures, or
videos using some form of social media—for
example, Facebook, YouTube, Pinterest, Twitter,
or Baidu to name a few. At present and around
the world, more than 1.5 billion people have
some type of social media account. In aggregate,
the postings logged on such sites create massive
amounts of commentary that businesses can
also mine for commercial purposes. One use of
social media is to increase organization
recognition—for example, when a company
seeks to attract followers on Facebook and
increase its customer base. This is also useful to
accounting firms seeking new clients. A second
use is to evaluate customer reactions to new
goods or services—a use that applies equally
well to CPA firms. A third use is for accounting
teams to use social media to communicate with
one another on projects at remote sites. Yet a
fourth use is to identify and perhaps manage
problems caused by corporate actions that anger
consumers—before they go viral.
Businesses can also use social media for
recruiting employees—for example, to attract
applicants for new jobs or to screen current
applicants for undesirable traits. Looking for a
new job? Employment counselors say that an
online identity is a “must-have.”
Finally, a company can use social media for
monitoring purposes—for example, to gauge
the effectiveness of a new ad campaign or to
assess customer feelings about the company
itself. Similarly, when accounting firms offer
new services, they can now scan social media
sites in search of honest reactions to the new
offerings. Organizations can also hire outside
firms to perform such monitoring for them. In
total, experts suggest that businesses are just
beginning to tap the value stored in social
media commentary.
4. XBRL—FINANCIAL REPORTING ON THE
INTERNET
While the Internet supports general financial
reporting, exchanging financial information
between trading partners often requires more
detailed specifications. XML, or eXtensible
Markup Language, is similar to HTML in that it
also uses tags to format data. But there are two
important differences between HTML and XML.
One is that XML tags are “extensible,” allowing
users to define their own tags. The other
difference is that the XML tags actually describe
the data rather than simply indicate how to
display it.
The XBRL International Consortium creates XBRL
standards that anyone can use, license-free. In
addition, many accounting software packages
are now XBRL-enabled, meaning that they can
insert appropriate XBRL tags automatically in
user financial files. Because of its growing
importance, some authorities now suggest that
XBRL should become an integral part of the
general accounting curriculum—not just a
subject for AIS students. XBRL Instance
Documents and Taxonomies XBRL documents
are called XBRL instance documents because
they are examples (“instances”) of a class of
documents defined by a standard or
specification.
Benefits and Drawbacks of XBRL
Perhaps the most obvious benefit of XBRL is the
ability to transmit financial information in a
standard format. This facilitates communications
between suppliers and their buyers, companies
and their shippers, and even retailers and their
customers. The same standardization applies to
financial filings. Another important advantage of
XBRL is that it defines data items uniquely.
Consider, for example, how a spreadsheet stores
financial information. The only way we know
that a particular number in a spreadsheet is, say,
“net revenue” is because we also see a label that
identifies it as such. Move the number
somewhere else in the spreadsheet and you also
lose its meaning. In contrast, a “net revenue”
figure remains “net revenue” no matter where it
appears in XBRL instance documents as long as it
remains within its tags. It is for this reason that
some experts predict that some accounting
systems will begin collecting and storing their
data in XBRL formats, redefining XBRL as a
formatting language as much as a reporting
language. XBRL’s standardized tags also make
searching for items in XBRL financial documents
relatively easy. If you know the standard tag for
an item of interest, you can unambiguously find
and extract the information from those
documents. In business environments, the term
semantic meaning refers to the fact that the
financial data are related to one another through
such formulas as “Assets = Liabilities + Equity.”
An additional advantage of XBRL is its ability to
express such relationships in formulas, thereby
making the data self-checking. This is important
because organizations often need to transmit
financial data to others, and XBRL provides a
means of internal control.
Companies using XBRL-enabled software can
save their financial information in standard XBRL
format, thus avoiding the errors that may come
from reentering data multiple times from
multiple sources. Companies can then directly
upload their business information in this format
onto their websites, avoiding costly rekeying
costs. Another advantage is that XBRL permits
the automatic and reliable exchange of financial
information across all software platforms and
technologies, including the Internet. Thus,
anyone interested in comparing the cash and
cash equivalents of several companies can
search for the data and export it to a
spreadsheet for analysis purposes.
XBRL also has several disadvantages. Perhaps the
most important is the fact that a common
reporting language requires its users to learn,
and conform to, the standards of that language.
Usually, accountants achieve this task by
acquiring software that can output data in XBRL
formats. Another problem is that evolving XBRL
standards require users to conform to changing
specifications—a drawback, for example, that
may require organizations to update their
accounting software more often. A third concern
is that, at present, there is no requirement for
auditors to provide assurance on the XBRL filings.
Finally, the transition to XBRL reporting is not
without costs.
5. ELECTRONIC BUSINESS
The term electronic business, or e-business,
refers to conducting business with com- puters
and data communications. Most companies
perform e-business over the Internet, but
businesses can also use virtual private networks
(VPNs) or proprietary data trans- mission lines.
Some general categories of electronic business
are (1) e-accounting, (2) retail sales, (3) e-
payments and e-wallets, (4) electronic data
interchange, and (5) a variety of cloud-
computing services, each of which we examine
briefly in the paragraphs that follow.
5.1. e-Accounting
The term e-accounting means performing
accounting functions on the Internet. This
includes normal accounting tasks such as
processing payroll or accounts receivable data,
as well as preparing financial reports or
completing income tax returns using online
software. Often the web server is not even in the
same country as the user but in Ireland or India
instead of the United States or Canada. At the
personal level, e-accounting allows users to
perform familiar accounting tasks such as
preparing budgets or writing reports that others
can see and modify as desired. The application
moves online, allowing users to share files that
formerly had to be emailed. Hybrid versions of
such processes are also possible, in which users
retain complete control of sensitive data, but
who use the newest and most robust versions of
online software for processing tasks. An
additional accounting use of the Internet is as a
medium for publishing accounting documents
such as financial statements. Posting financial
information on the web is relatively fast and
inexpensive, compared to printing and mailing
them. Such information can also be revised,
replaced, or deleted easily and quickly.
Many e-accounting applications use software as
a service—for example, when an accountant files
a tax return using online software tools. Other
Internet possibilities include online search tools
for performing accounting research or video clips
for training personnel. Such services enable
businesses to avoid the costs of acquiring,
installing, upgrading, or reformatting the data
files required by traditional accounting software.
Backup and disaster recovery also become the
responsibility of the vendor organization instead
of the user organization.
5.2. Retail Sales
The World Wide Web offers businesses the
opportunity to create virtual stores (“shop- ping
cart applications”) for selling merchandise
directly to customers. At the retail level, it is clear
that such websites are really automated AISs
that allow customers to create their own order
forms, shipping forms, and payment documents.
Testimony to the success of such retail e-
commerce abounds. The number of online
shoppers has increased steadily over the past
decade. More than 90 percent of the US
population is now connected to the Internet,
many of whom now purchase items over the
Internet on a regular basis. For example,
consumers now reserve most of their domestic
airline tickets, rental cars, and hotel rooms over
the Internet. Internet retail sales also introduce
special issues. One problem is that customers
usually cannot determine whether a retail
website is legitimate. Similarly, consumers must
usually rely on emails to voice their complaints
(rather than speaking to someone in person),
and returns are sometimes problematic. A third
problem is that online stores frequently rely on
suppliers rather than their own shelves for
merchandise to satisfy orders, creating the
potential for stock-out and backorder problems.
Finally, a growing e-commerce problem is click
fraud. Many businesses are willing to sign pay-
per-click contracts in which they pay a fee every
time a customer clicks on a link to its own
website from another site (such as a search
engine site). Click fraud occurs when dishonest
managers or even a company’s own competitors
inflate the number of clicks on an advertising
link, and therefore bill (or cost) the company for
more referrals than actually occurred.
Internet sales also provide retailers with a wealth
of data about their customers, raising issues
about privacy. For example, you might be
concerned about the fact that your web
purchase also means that a retailer now has (1)
your email address, which it can use to send
additional, annoying emails or sell to others, (2)
your credit card information, which it may or
may not protect as well as you would like, and (3)
sensitive information about your purchase
patterns—for example, prescription drugs.
5.3. E-Payments, E-Wallets and Virtual Currency
E-Payments
Some merchants and auction sites solve these
problems with electronic payments (e-
payments), which proponents claim is a faster,
easier, and safer way for both customers and
sellers to handle online transactions. The e-
payment service acts as a trusted intermediary
because it collects payment from a buyer and
pays that amount to the seller. Businesses are
not the only entities that can enjoy the
convenience of e-payments—many state and
local governments also have websites for e-
payments.
E-Wallets
Another Internet payment option is an e-wallet.
E-wallets are software applications that store a
consumer’s personal information, including
credit card numbers, email addresses, and
shipping addresses. Shoppers pay for online
purchases by providing their e-wallet account
numbers to online vendors that also subscribe to
the system. One advantage of an e-wallet is that
you can use it whenever you visit subscriber
websites. These systems spare you the trouble of
entering your personal information each time
you make an online purchase. Also, because your
e-wallet information is usually stored on your
own hard drive, you control it. This maintains
your email privacy as well. E-wallets may be as
important for retailers as they are for consumers
because many consumers cancel e-commerce
transactions before they complete them, often
because of frustration with online forms.
Virtual Currency
Imagine an international currency that
eliminates the need to exchange one type of
money for another, involves no extra transaction
fees, escapes government scrutiny, and is widely
accepted on the Internet. This is the idea behind
a virtual currency—a medium of exchange that
operates beyond the restrictions of a particular
country or its monetary policies. An example at
the time this book was published is bitcoin,
which allows you set up an e-wallet at
www.bitcoin.com. Retailers have several
reasons why they might accept a virtual currency
when selling merchandise online, including (1)
the ability to do more business, (2) the ease with
which transactions can take place electronically,
(3) no need for credit-card middlemen or check
clearing houses, (4) near-instantaneous credit of
transactions to corporate accounts (like debit
cards), (5) consumer wallets cannot be frozen,
and (6) no transaction fees charged the retailer.
But virtual currencies also operate beyond the
realm of any central bank. This exposes
businesses to risks, including (1) the potential
devaluation of the currency in response to
market forces, (2) the fact that transactions are
not independently auditable, as they would be at
a bank, (3) the observation that all seven earlier
virtual currencies have failed, and (4) the
unwillingness of others to accept it—the
ultimate test of any currency.
Virtual currencies also present challenges to
accountants. Assets purchased with such
currencies have floating cost bases, for example,
and (in the case of bitcoins) no central institution
keeps records. At this time, it is also unclear
whether funds held in a virtual currency are
reportable to the IRS as “offshore funds.” Finally,
there is the question of whether the
appreciation in the value of a virtual currency
qualifies as a long-term asset that is subject to
capital gains taxes, or a short-term currency
swing and therefore subject to ordinary income
taxes.
5.4. Business-to-Business E-Commerce
While there has been tremendous growth in
retail e-commerce, it is dwarfed by business-to-
business (or B2B) e-commerce—i.e., businesses
buying and selling goods and services to each
other over the Internet. Buying materials online
shortens the time from purchase to delivery and
also allows businesses to shop from vendors all
over the world. Like retail consumers, corporate
purchasing agents using B2B e-commerce tools
can select items from online catalogs, confirm
purchases, track shipments, and pay bills
electronically. E-commerce software can also
expedite internal paperwork by first sending
purchase orders to the appropriate managers for
approvals and then forwarding them to the
vendor, thus reducing the costs of processing
purchase requisitions.
Further back in the supply chain, the Internet
affects accounting activities just as strongly.
Another feature of B2B e-commerce is the wider
availability of real-time data that allows
managers to view up-to-the-minute information.
Take, for instance, a distributor whose business
customers in turn sell products to end users.
With current data about its customers’ retail
sales, the supplier can quickly increase or
decrease its operations as required. Similar
online information can determine the location of
specific trucks (using GPS systems), check the
estimated arrival date of incoming cargo ships,
or determine the current status of finished
products, parts inventories, or even working
assembly lines. Even vendors of inexpensive
accounting software now include an e-
commerce interface with their products.
5.5. Electronic Data Interchange (EDI)
According to a recent survey, over 80 percent of
companies continue to use at least some manual
documents—for example, purchase orders,
invoices, payment remittance forms, credit
memos, bills of lading, or shipping notices.
Electronic Data Interchange (EDI) enables
companies to save money by transmitting the
information contained in such documents
electronically. Thus, EDI automates the exchange
of business information and permits
organizations to conduct many forms of
commerce electronically. Government agencies
also depend heavily on EDI.
One potential advantage of EDI compared to
Internet e-commerce is that many business
documents are simply faxed over telephone
lines, avoiding computers completely. This does
not mean that EDI documents are not delivered
via the Internet. Many businesses now have
telephone systems that use Internet lines for
both voice and digital transmissions. Another
advantage is that many EDI documents include
hand- written signatures, providing assurance of
their authenticity. A third advantage is that EDI
includes the exchange of graphic and
photographic documents—media that can be
scanned and captured electronically.
5.6. Cloud Computing
Cloud computing refers to purchasing services
from vendors over the Internet. The term derives
its name from the cloudlike symbol often used to
depict the Internet in networking diagrams. A
host of activities fall into this category, including
web hosting, payroll processing, backup
provisioning, emailing, and even outsourcing
business phone systems. Here, we briefly discuss
some examples of these services.
Processing Services
Companies that access specialized software
(e.g., tax- preparation applications) on the
Internet purchase software as a service (SaaS). In
contrast, web hosting is an example of platform
as a service (PaaS). Examples of cloud vendors
include Amazon.com (data storage), Oracle
(database software), and Intuit (both tax and
payroll processing).
Cloud computing closely resembles other forms
of outsourcing and therefore enjoys the same
advantages. For example, when a hospital
contracts with a second company to do its
payroll, it can then focus on its core mission and
shift the burden- some details of payroll
processing (e.g., how much taxes to withhold for
out-of-state employees) to the contractor. But
cloud computing also differs from traditional
forms of outsourcing. For example, the data
communications in cloud computing takes place
over the Internet and are therefore
instantaneous. Another important difference is
that transaction volumes are usually charged by
the day, hour, or even minute—and are billed
accordingly.
Cloud computing offers many advantages to
companies, which explains why so many
organizations now contract with cloud vendors.
Cloud computing also has several disadvantages.
Perhaps the most important is the loss of control
that client firms experience when another
company assumes responsibility for their data
and data processing—a security concern at the
very least. Language barriers, quality control,
and time differentials are additional potential
concerns when contracting with overseas
vendors. A third concern is that backup service
providers typically require large bandwidths, and
the timing of automatic backups is not always
convenient to individual subscribers. Finally,
cloud computing often promises cost savings but
does not guarantee them.
Storage and Backup Services
One of the most important types of cloud
computing is creating and maintaining copies of
critical data and files for both individuals and
organizations. Vendors include Amazon,
Backblaze, Carbonite, Drop Box, SkyDrive,
JungleDisk, and Mozy. Most of these vendors
provide low cost, and even free, backup services
for individual customers. In commercial, fee-for-
service settings, most backups are synchronized
and therefore occur at the same time a
computerized system gathers and stores the
original data, thereby creating mirror, off-site
copies of vital accounting data. Additional, and
usually optional, services for home computing
applications include encryption, fixed-time
backup schedules, expandable storage options,
and Mac computer support.
Educational Services
You probably already use such web search
engines as Google or Bing to answer personal
questions of interest. Professional accountants
do the same thing, using these same engines to
answer asset classification, depreciation, or tax
questions. In addition, the Internet provides a
host of specialized educational services. One
category is “software tutorials.” For example,
you can find explanations and videos explaining
how to perform a wide variety of spreadsheet
tasks by searching the term “Excel Tutorials.”
Similar tutorials also explain how to use
Microsoft Access, complete specific tax forms, or
create PowerPoint presentations. Another
category of online educational services is
complete degree programs—i.e., institutions of
higher education that offer online courses of
study leading to accounting degrees. You can
earn an associate’s degree, bachelor’s degree,
and even a master’s of science degree in
accounting through such “distance-learning”
offerings. A partial listing of them may be found
at eLearners.com.
6. PRIVACY AND SECURITY ON THE INTERNET
The most important advantage of the Internet
and World Wide Web—accessibility—is also its
greatest weakness—vulnerability. This means
that someone who poses as an authorized user
may be able to access any email, web page, or
computer file that an authorized user can access
on the Internet. This section of the chapter
discusses Internet privacy and security in detail.
6.1. Identity Theft and Privacy
Identity theft refers to crimes in which someone
uses another person’s personal identification
(credit card, social security card, or similar
identifier) in some way that involves fraud or
deception (usually for economic benefit). The
most common complaint related to identity theft
is credit card fraud.
A related issue is personal privacy. Businesses
need to protect the payroll data they send to
service providers electronically. Online shoppers
want to know that their privacy is protected.
None of us wants our emails read by hackers. But
all these needs often conflict with other
objectives. For example, managers feel they
have the right to view all the email messages of
employees who use company computers during
working hours, and companies doing business on
the web are sometimes hard pressed not to use
the wealth of data that online shoppers provide
them. Most websites accessed by online users
collect personal information. What they collect
and how they use it are dictated by their privacy
policies. Because businesses vary widely in the
amount of privacy protection for customers, it is
important to read a company’s policy statements
carefully. State governments, prompted by
concerns over consumer privacy rights,
particularly in the financial and health care
industries, are introducing a variety of privacy
legislation. Groups such as the Electronic
Frontier Foundation and the Online Privacy
Alliance are also working to protect the privacy
of data transmitted over the Internet.
While companies need strong preventive
controls to help protect customer information,
individuals should also exercise reasonable
caution in protecting their personal information.
Unscrupulous individuals, posing as a company
or bank employee, might call or send email
messages to solicit personal information. To
protect yourself, be skeptical. If you are
uncertain about the authenticity of a request for
personal information, ask the person to send the
request in writing on company letterhead. If you
question the authenticity of a particular website,
do more research on the company before
purchasing goods or services through it—
especially if you must give your credit card
number. Social media also pose interesting
privacy concerns because what you post online
is neither private nor retractable. Moreover,
employers often check postings on social
networking sites in search of “red flags”—for
example, substance abuse, large amounts of
debt, criminal activity, or membership in
fanatical groups. Organizations use all this
information to help them evaluate employees or
disqualify job applicants. Like it or not, managers
regularly screen the postings of their
subordinates, and more than one person has lost
his or her job by accidentally posting candid and
offensive materials that the boss could see.
6.2. Security
Security policies and procedures safeguard an
organization’s electronic resources and limit
their access to authorized users. For this reason,
information security has been a high-ranking
technology in each of the last five years in the
AICPA’s survey of the “Top 10 Technologies”
expected to have a powerful influence over
business.
Of special importance to AISs is access security—
for example, restricting access to bona fide
users. Access authentication requires individuals
to prove they are who they say they are. The
three types of authentication are based on: (1)
what you have, (2) what you know, and (3) who
you are. What you have may be a plastic card
that provides you physical access to information
or a restricted area. Examples are your ATM
card, debit card, or employee card that gives you
access to certain premises.
What you know refers to unique information you
possess, such as a password or your mother’s
maiden name. You can authenticate who you are
with a unique physical characteristic such as your
fingerprint or the pattern of the retina in your
eye. As you might guess, using security that
forces a user to prove who they are is the highest
level of authentication. Two-factor
authentication (TFA) systems require a
combination of authentication techniques—for
example, requiring both your debit card and your
password to withdraw cash from an ATM.
6.3. Spam and Phishing
A current Internet problem is the increasing
amount of spam—those annoying, unsolicited
email messages that clog your email inbox.
However, spam is more than a simple bother—it
is distracting, often illegal, and increasingly
costly to organizations. AOL and Microsoft, two
of the biggest Internet service providers,
estimate that they each block over 2 billion spam
emails per day.
Although about 35 percent of spam messages
are harmless advertising, a greater percentage
contains pornographic solicitations, attempts to
steal identities, or fictitious stories asking
recipients for money. Clicking on the
“unsubscribe button” in such messages usually
accomplishes the exact opposite effect because
it tells the sender that you are a legitimate user
who actually reads such emails. Spammers sell
lists of such prized, active email accounts to one
another, furthering the problem.
Although some spam email contains legitimate
sales offers, many more are bogus. In some
cases, the spammers advertise products at “too-
good-to-believe prices,” take credit-card orders,
collect the money, and then quickly fold up shop
before consumers realize they’ve been
victimized. Phishing means tricking users into
providing valuable information such as Social
Security numbers, debit card PIN numbers,
passwords, or similar personal information—for
example, by requesting this information on
bogus websites. Other examples are emails that
request personal information for “routine
security purposes” or even “because we believe
your account has been compromised.” Phishing
activity is growing.
6.4. Firewalls
A firewall guards against unauthorized access to
sensitive file information from external Internet
users. On networked systems, firewalls are often
stand-alone devices with built-in, protective
software. On mainframe or host systems,
firewalls are usually software. The two primary
methods of firewall protection are by inclusion
or by exclusion. When firewalls protect internal
systems by inclusion, the software examines
packets of incoming messages and limits entry to
authorized (“included”) users. To do this, the
software maintains an access control list (ACL) of
bonafide IP addresses that network
administrators create for this purpose. If the
software does not recognize the IP address of an
external user, it refuses that user access to the
files he or she requested. When firewalls protect
internal systems by exclusion, the software
compares the incoming packet IP address to a list
of known threat addresses, rejecting messages
from these sources but accepting all others.
Firewalls are useful Internet security controls,
but (like most security features) are not
foolproof. One problem is that they cannot
protect against denial-of-service attacks, which
overwhelm system resources with a volume of
service requests. Another problem is spoofing
(i.e., masquerading as an authorized user with a
recognizable IP address). A similar, but less
obvious, problem is the ability of a determined
hacker to alter the contents of the access control
list itself—a security breach that is especially
difficult to overcome. A final problem is that
most firewalls can only protect against external
attacks, not internal (authorized) users bent on
mischief.
6.5. Intrusion and Detection Systems
Whereas firewalls simply reject unauthorized
users from access, intrusion detection systems
(IDSs) create records of such events. Passive IDSs
create logs of potential intrusions and alert
network administrators to them either via
console messages, alarms, or beepers. Reactive
IDSs have the ability to detect potential
intrusions dynamically (e.g., by examining traffic
flows), log off potentially malicious users, and
even reprogram a firewall to block further
messages from the suspected source. Perhaps
the most important advantage of an IDS is its
ability to both prevent unauthorized accesses to
sensitive information and to alert system
administrators to potential violations. This may
also increase the perceived risk of discovery,
dissuading would-be hackers. IDSs may also be
able to detect preambles to attacks, fore- stalling
their effectiveness. Finally, an IDS is an important
tool for documenting an attack, thereby
generating invaluable information to both
network administrators and investigators.
6.6. Value Added Networks
Message-routing is important to accountants
because the security of a data transmission
partially rests on the security of all the
intermediate computers along a given
communications pathway. Thus, the greater the
distance between the sending station and the
destination computer, the more intermediary
routing computers there are and the more
vulnerable a message becomes to interception
and abuse. This is one reason why businesses
sometimes prefer to create their own
(proprietary) networks to transmit data But when they attempt to access a web page, the
electronically. initial network server contacts the proxy server
to perform the requested task. One advantage of
Value-Added Networks (VANs) are private,
using a proxy server is the ability to funnel all
point-to-point communication channels that
incoming and outgoing Internet requests
large organizations create for themselves—
through a single server. This can make web
usually for security reasons. When it first
access more efficient because the proxy server is
implements a VAN, the business assigns each
specifically designed to handle requests for
user a unique account code that simultaneously
Internet information. A second advantage is the
identifies the external entity and authenticates
proxy server’s ability to examine all incoming
the organization’s subsequent electronic
requests for information and test them for
transactions. There are at least three ways to
authenticity (i.e., the ability to act as a fire- wall).
create secure networks. One way is to start with
A third advantage is that a proxy server can limit
a blank slate and create everything from
employee Internet access to approved websites
scratch—an approach first used by the military
(i.e., to only those IP addresses contained in an
and later by Wal-Mart. A second way is to lease
access control list). This enables an organization
secure, dedicated transmission lines from
to deny employees access to gambling,
conventional long-distance carriers such as
pornographic, or game-playing websites that are
AT&T—the approach used by IGT’s Megabucks
unlikely to have any productive benefits. A
system. A third alternative is to create a virtual
fourth advantage is the ability to limit the
private network (VPN) on the Internet. As the
information that is stored on the proxy server to
name suggests, a VPN mimics a VAN in many of
information that the company can afford to lose.
its security features, but enjoys the benefit of
If this server fails or is compromised by hackers,
transmitting messages cheaply over existing
the organization is only marginally
Internet connections. A VPN creates secure data
inconvenienced because its main servers remain
transmissions by (1) using “tunneling” security
functional. To recover, the company can simply
protocols embedded in the message frames sent
restart the system and reinitialize the server with
to, and received by, the organization, (2)
backup data. A final advantage of proxy servers
encrypting all transmitted data, and (3)
is the ability to store (“cache”) frequently
authenticating the remote computer, and
accessed web pages on its hard drive—for
perhaps also the individual sender as well,
example, the web pages of preferred vendors.
before permitting further data transmissions.
This enables the server to respond quickly to
Most AIS VANs use this approach.
user requests for information because the web
6.7. Proxy Servers page data are available locally. This feature also
enables managers to obtain some idea of what
Given the large amount of information now information employees need most and perhaps
available on the web, some organizations seek to take steps to provide it internally (rather than
limit the number of sites that employees can through web sources).
access—for example, to ensure that employees
do not use web-access privileges for frivolous or 6.8. Encryption
counterproductive purposes. A proxy server is a
To safeguard transmitted data, businesses often
network server and related software that creates
use data encryption techniques that transform
a transparent gateway to and from the Internet
plaintext messages into unintelligible cyphertext
and controls web access. In a typical application,
ones. The receiving station then decodes the
users log onto their familiar file server as before.
encrypted messages back into plaintext for use.
There are many encryption techniques and
standards. The method that computers use to
transform plaintext into cyphertext is called the
encryption key. This is typically a mathematical
function that depends on a large prime number.
The data encryption standard (DES) system used
by the US government to encode documents
employs such a system. DES uses a number with
56 binary digits to encode information, a value
equal to approximately 72 quadrillion. Thus, to
crack the code, a hacker must guess which of 72
quadrillion values was used to encrypt the
message.
The data encryption method uses a single
cryptographic key that is shared by the two
communicating parties and is called secret key
cryptography. This system derives its name from
the fact that its users must keep the key secret
and not share the key with other parties. The
most common encryption methods today use
public key encryption, a technique that requires
each party to use a pair of public/private
encryption keys. Two examples are Secure
Socket Layer (SSL) and Secure Hypertext Transfer
Protocol (HTTP).
To employ public key encryption, the sending
party uses a public key to encode the message
and the receiving party uses a second, private
key to decode it. A major advantage of public key
encryption is that the same public key cannot
both encode and decode a message. Data
transmissions using public key encryption are
likely to be secure because the transmitted
message itself is scrambled and because neither
party knows the other’s key. This is the main
reason why most web applications use public key
encryption systems.
6.9. Digital Signatures and Digital Time
Stamping
Many businesses want proof that the accounting
documents they transmit or receive over the
Internet are authentic. Examples include
purchase orders, bids for contracts, and
acceptance letters. To authenticate such
documents, a company can transmit a complete
document in plaintext and then also include a
portion of that same message or some other
standard text in an encrypted format—a digital
signature. In 1994, the National Institute of
Standards and Technology adopted Federal
Information Processing Standard 186—the
digital signature standard (DSS). The presence of
the digital signature authenticates a document.
The reasoning is straightforward: if a company’s
private key decodes a message, then an
authentic sender must have created the
message. For this reason, some experts consider
digital signatures even more secure than written
signatures (which can be forged). Further, if the
sender includes a complete message in both
plaintext and cyphertext, the encrypted message
pro- vides assurance that no one has altered the
readable copy. If someone has altered the
plaintext, the two copies will not match. Another
authentication technique is a digital certificate—
an authenticating document issued by an
independent third party called a certificate
authority (e.g., Thawte or VeriSign). The
certificates themselves are signed documents
with sender names and public key information.
Certificates are generally encoded, possibly in a
certificate standard such as the X.509 certificate
format. Customers can also use digital
certificates to assure themselves that a website
is real.
Many important business documents are time
sensitive. Examples include bidding documents
that must be submitted by a deadline, deposit
slips that must be presented to banks before the
close of business, buy orders for stock purchases
that depend on the date and time of issue, and
legal documents that must be filed in a timely
fashion. Then, too, most businesses also want to
know when customers made particular
purchases, when they paid particular bills, or
when specific employees entered or modified reduced capital expenditures (e.g., realized
data items in important databases. Finally, a savings in computer hardware and software).
good way to protect intellectual property such as Experts note that outsourcing also enables
computer software is to clearly establish the clients to reduce in-house labor costs, pay only
date and time it was first created or distributed. for the services they need, and focus on only
What these items have in common is the need their core businesses.
for a time stamp that unambiguously indicates
Perhaps the most commonly cited objection to
the date and time of transmission, filing, or data
outsourcing is a loss of control. In a recent survey
entry. PGP Digital Time Stamping Service and
of over 800 businesses by Accenture, however,
Verisign are two of several digital time-stamping
over 85 percent of the respondents said that
ser- vices (DTSSs) that attach digital time stamps
outsourcing actually gave them more control—
to documents either for a small fee or for free. In
especially in the ability to plan. In addition, over
a typical application, the user sends the
55 percent thought that accounting outsourcing
document to the service’s email address along
enabled them to implement strategic changes
with the Internet address of the final recipient.
faster and at more controlled rates. But the
When the service receives the document, it
biggest benefit of outsourcing may be the
performs its time-stamping task and then
increased business for those accounting
forwards the document as required. Digital time
companies providing these services—yet one
stamping performs the same task electronically
more opportunity made possible by the Internet.
that official seals and other time stamps perform
manually—it authenticates the date, time, and
perhaps place of a business transaction. This can
be important over the Internet. Although most
documents are transmitted almost
instantaneously, time delays can occur when file
servers temporarily falter or power failures
disrupt wide area networks. DTSSs enable
businesses to overcome these problems.

6.10. The Benefits of Online Outsourcing

The advantages of outsourcing such accounting

functions as payroll or tax preparation are well
known, but outsourcing additional accounting
tasks to online providers is a different matter.
Can a cloud provider, perhaps located offshore,
perform general ledger or deprecation
computations as well? A growing number of
businesses say “yes!” The most common reason
why organizations outsource a given business
process is to reduce costs, and this applies to
accounting applications as well. Additional
benefits include faster turnaround, improved
quality, enhanced access to expertise, improved
ability to handle peak processing volumes, and