Three Themes
Technology - Your ability to plan and manage
1. Enterprise Systems
2. E-Business
3. Internal Control
CHAPTER 1 – UNDERSTANDING INFORMATION
SYSTEMS
LEGAL ISSUES IMPACTING ACCOUNTANTS
The Sarbanes-Oxley Act of 2002
Section 404 – changes for both auditors and the
companies that they audit.
Management must identify, document, and evaluate
significant internal controls.
Auditors must, as part of an integrated audit of financial
statements, report on the effectiveness of the
organization’s system of internal control.
Section 409 – disclosure to the public on a “rapid and
current basis” of material changes in an organization’s
financial condition.
Compliance with this section requires the application of
legal, financial, and technical expertise to ensure that
the organization’s AIS is able to produce financial data
in a timely and accurate manner.
COMPONENTS OF THE STUDY OF AIS
1.
business operations depends partly on your
knowledge of the technology available.
Technology provides the foundation on which
AIS and business operations rest, and
knowledge of technology is critically important
to your understanding of the AIS discipline.
2. Databases - The full accounting cycle, however,
includes data collection and storage, and these
aspects must become part of your knowledge
base. To perform analysis, to prepare
information for management decision making,
and to audit a firm’s financial records, an
accountant must be able to access and use data
from public and private databases.
3. Reporting - To design reports generated by an
information system, the accountant must know
what outputs are required or are desirable.
4. Control - You must develop an understanding of
control that is specific to the situation at hand
yet is adaptable for the future. Control—the
means by which we make sure the intended
actually happens.
Business Processes:
5. Business Operations - Many AIS inputs are
prepared by operating departments—the action
or work centers of the organization— and many
AIS outputs are used to manage these
operations. Therefore, we must analyze and
manage an AIS in light of the work being
performed by the organization.
6. Events Processing - As organizations undertake
their business operations, events, such as sales
and purchases, occur. To design and use the
AIS, an accountant must know what event data
are processed and how they are processed.
7. Management Decision Making - The
information used for a decision must be tailored
to the type of decision under consideration.
Furthermore, the information is more useful if it
recognizes the personal management styles and
preferences of the decision maker.
8. Systems Development and Operation - The
information systems that process business
events and provide information for
management decision making must be
designed, implemented, and effectively
operated.
 9. Communications - To present the results of
their endeavors effectively, accountants must
possess strong oral and written communication
skills.
10. Accounting and Auditing Principles - To design
and operate the accounting system, an
accountant must know the proper accounting
procedures and must understand the audits to
which the accounting information will be
subjected.
elements, such as a database for storage, and can use
decision models to present output information for
decision making.
Accounting Information System (AIS)
collect, process, and report information related to the
financial aspects of business events.
LOGICAL COMPONENTS OF A BUSINESS PROCESS

ACCOUNTING INFORMATION SYSTEM
Systems and Subsystems
System - a set of interdependent elements that
together accomplish specific objectives. A system must
have organization, interrelationships, integration, and
central objectives.
central objectives: natural, biological, or man-
made
1. Information Process
2. Operations Process - a system consisting of the
people, equipment, organization, policies, and
procedures whose objective is to accomplish
the work of the organization.
3. Management Process - a system consisting of
the people, authority, organization, policies,
and procedures whose objective is to plan and
control the operations of the organization.

Subsystem – each part of a system. Within limits, any

subsystem can be further divided into its component
parts or subsystems.

Information System (IS) or Management Information

System (MIS)

a man-made system that generally consists of an

integrated set of computer-based components and
manual components established to collect, store, and
manage data and to provide output information to
users.

The information process facilitates operations by

maintaining inventory and customer data and by
providing electronic signals and paper documents with
which to execute business events.

The information process provides the means by which

management monitors the operations process.

Operations-related processes and accounting-related

processes are integrated.
The IS facilitates these operational functions and
Management designs the operations and information
supports management decision making by providing
processes and implements these processes by providing
information that managers can use to plan and control
people, equipment, other physical components, and
the activities of the firm. The IS may have advanced
policies.
Information process users include operations personnel,
management, and people outside the organization, such
as the customer.

MANAGEMENT USES OF INFORMATION

An IS serves two important functions within an

organization:

1. the IS assists daily operations. It can be used as

“leverage” to improve operational effectiveness
and efficiency.
2. to support managerial activities, including
management decision making.

Data vs. Information
Information - data presented in a form that is useful in a
decision-making activity. It has value to the decision
maker because it reduces uncertainty and increases
knowledge about a particular area of concern.
Simultaneously achieving a maximum level for all the
qualities of information is virtually impossible. In fact,
for some of the qualities, an increased level of one
generally requires a reduced level of another.
Management Decision Making

Data - facts or figures in raw form. Data represent the
measurements or observations of objects and events.
To become useful to a decision maker, data must be
transformed into information.
Decision making is the process of making choices, which
is the central activity of all management. Managers
make decisions or choices that include what products to
sell, in which markets to sell those products, what
organizational structure to use, and how to direct and
motivate employees.

Three-step process:

1. Intelligence. Searching the environment for

conditions calling for a decision.
2. Design. Inventing, developing, and analyzing
possible courses of action.
3. Choice. Selecting a course of action.
Qualities of Information
Operations and information flows are both horizontal
and vertical and that there are several levels of
management. At the level of operations and business
events processing, the flows are horizontal, as the
information moves through operational units
Structure is the degree of repetition and routine in the
decision. Structure implies that you have seen this very
decision before and have developed procedures for
making the decision. You can use the degree of
structure inherent in each decision-making step to
categorize the decisions as structured or unstructured.
Structured decisions are those for which all three
decision phases (intelligence, design, and choice) are
relatively routine or repetitive.
Unstructured decision, one for which none of the
decision phases (intelligence, design, or choice) are
routine or repetitive.
THE ACCOUNTANT’S ROLE IN THE CURRENT BUSINESS
ENVIRONMENT
Regarding the AIS, the accountant can assume three
roles: designer, user, and auditor.
1. Designer - the accountant brings knowledge of
accounting principles, auditing principles, IS
techniques, and systems development
methods.
2. User - Accountants perform a number of
functions within organizations. In all cases,
accountants use the AIS to perform their
functions. Their effectiveness depends on how
well they know the AIS and the technology used
to implement it.
3. Auditor - Auditors are interested in the
reliability of the accounting data and of the
reports produced by the system. They may test
the system’s controls, assess the system’s
efficiency and effectiveness, and participate in
the system design process. To be effective, the
auditor must have knowledge of systems
development techniques, of controls, of the
technology used in the IS, and of the design and
operation of the AIS
CHAPTER 2 - ENTERPRISE SYSTEMS
Enterprise Systems (Enterprise-Wide Information
systems and Enterprise information systems) -
Integrates the business process functionality and
information from all of an organization’s functional
 marketing and sales
 cash receipts
 purchasing
 cash disbursements
 human resources
 production and logistics
 and business reporting
Enterprise Resource Planning (ERP) Systems - software
packages that can be used for the core systems
necessary to support enterprise systems.
ERP products are designed to offer integration of
virtually all of an organization’s major business
functions.
1. Customer Relationship Management (CRM)
software - build and maintain an organization’s
customer-related database.
Supports identification, acquisition and
retention of customer to do business with the
organization and to make customer feel that
they are dealing with one unified organization
2. Customer Self-Service (CSS) software - often an
extension of CRM software.
Allows a customer to inquire, perform a task
(including make a purchase), or troubleshoot
problems without the help of the organization’s
humans (employees).
3. Sales Force Automation (SFA) software -
automates sales tasks such as order processing,
contact management, inventory monitoring,
order tracking, and employee performance
evaluation.
4. Supply Chain Management (SCM) software -
helps enable the steps in an organization’s
 supply chain, including demand planning;
acquiring inventory; and manufacturing,
distributing, and selling the product.
5. Product life-cycle management (PLM) software
- manages product data during a product’s life,
beginning with the design of the product,
continuing through manufacture, and ending in
the disposal of the product at the end of its life.
PLM software integrates data across many areas of an
organization, such as engineering, logistics, and
marketing, and data from partner organizations, such as
vendors, contract manufacturers, and distributors.
6. Supplier Relationship Management (SRM)
software - manages the interactions with the
organizations that supply the goods and
services to an enterprise just as CRM software
streamlines the processes between the
enterprise and its customers.
SRM functionality includes procurement and
contract management.
The goal of SRM is to reduce product costs and
production costs and to enhance product
quality.
7. Other third-party modules extract data from
ERP systems and from legacy systems that may
still exist within an organization (or subsidiary of
the organization).
Best-of-Breed Approach - combines modules from
various vendors to create an information system that
better meets an organization’s needs than a standard
ERP system.
Application Program Interface (API) - which is a means
for connecting to a system or application provided by
the developer of that application. (a type of
middleware)
Middleware - a software product that connects two or
more separate applications or software modules.
Enterprise application integration (EAI) is a chain of
activities performed by the organization to transform
inputs into outputs valued by the customer.
Event-Driven Architecture - uses events to trigger and
communicate between decoupled services and is
common in modern applications built with
microservices.
SAP NetWeaver - a Web Services platform from SAP
used to build applications that integrate business
processes and databases from a number of sources
within and between organization
Business Process Management (BPM) - a concept much
larger than systems integration that provides a
comprehensive method for integrating manual and
automated internal processes, applications, and
systems, as well as integration to external partners and
services.
takes into account modeling, automating, managing,
and optimizing business processes
Value Chain – a chain of activities performed by the
organization to transform inputs into outputs valued by
customers
1. Organization’s Value Chain (Primary: Sales;
Secondary: Support/Back Team)
2. Organization’s Value System
 Supplier Value Chain
 Organizations Value Chain
 Customer/Buyer Value Chain
Enterprise Systems Support for Organizational
Processes
1. Capturing Data During Business Events
4 W’s = who, what, when, where
2. Enterprise Systems Data Facilitate Functioning of the
Organization’s Operations
Basic Type of Data
 Master Data (Entity Type Data)
 Business Event Data (Event Type Data)
Hierarchy of Data
 Character – basic unit of data
 Field – collection of related characters that
comprise and attribute
 Record – collection of related data fields
 Table – collection of related records
Major ERP Modules
 Sales and Distribution
  Materials Management
 Financial Accounting
 Controlling and Profitability Analysis
 Human Resource
Enterprise Systems Support for Major Business Event
Processes
Order-to-Cash - includes the events surrounding the
sale of goods to a customer, the recognition of the
revenue, and the collection of the customer payment.
Purchase-to-Pay - includes the events surrounding the
purchase of goods from a vendor, the recognition of the
cost of those goods, and the payment to the vendor.
CHAPTER 3: ELECTRONIC BUSINESS SYSTEMS
E-Business – Application of electronic networks to
undertake business process between individuals and
organizations
Changing World of Business Processing
 Exponential growth in business processing
 Evolution of business with Internet
Automated Accounting System
Business event data store - known as transaction file is
a book of original entry used for recording business
events. Business events comprise the activities of the
organization, such as purchase of goods, sales,
collection, etc.
Master data - Repositories of relatively permanent data
maintained over an extended period of time.
Information processing - includes data
processing functions related to economic events
such as accounting events, internal operations
such as manufacturing and FS preparation and
adjusting entry.
Data Maintenance - Includes activities related
to adding, deleting, or replacing the standing
data portions of master data.
Standing data include relatively permanent
portions of master data, such as the credit limit
for a customer within the customer master data
or the selling price of an item for an inventory
item within the inventory master data.
Automating AIS
Batch Processing - is the aggregation of several business
events over some period of time with the subsequent
processing of these data as a group by the information
system.
Periodic Mode - is the processing mode in which a delay
exists between the various data processing step.
Immediate mode - the data processing mode in which
little or no delay occurs between any two data
processing steps.
Online Transaction Entry (OLTE)- Use of data entry
devices allows business event data to be entered
directly into the information system at the time and
place that the business occurs.
Online Real-Time (OLRT) Systems- Gathers business
event data at the time of occurrence, update the master
data essentially instantaneously, and provide the results
arising from the business event within a very short
amount of time - real-time.
Commerce through E-Mail
Electronic mail (e-mail) is the electronic transmission of
nonstandardized messages between two individuals
who are linked via a communications network (usually
an intranet or the Internet). E-mail represents a weak
form for E-business because the message format is
nonstandardized.
Electronic document management (EDM)
Electronic document management (EDM) is the
capture, storage, management, and control of
electronic document images for the purpose of
supporting management decision making and
facilitating business event data processing.
Electronic Data Interchange (EDI)
EDM also is becoming an increasingly important
component of electronic data interchange (EDI), the
computer-to-computer exchange of business data (i.e.,
documents) in structured formats that allow direct
processing of those electronic documents by the
receiving computer system.

Internet EDI (IEDI) is the use of secure, structured
messages over the Internet to execute business
transactions. The main difference between traditional
and Internet EDI is the use of a VAN for the traditional
method.
Web Services is a software application that supports
direct interactions with software objects over an
intranet or the Internet.
Service-oriented architecture (SOA) refers to well-
defined, independent functions (or applications) that
can be distributed over a network via Web Services.
Internet commerce is the computer-to-computer
exchange of business event data in structured (such as
IEDI) or semistructured formats via Internet
communication that allows the initiation and
consummation of business events.
Network providers are companies that provide a link to
the Internet by making their directly connected
networks available for access by fee-paying customers.
Internet assurance is a service provided for a fee to
vendors to provide limited assurance to users of the
vendor’s Web site that the site is in fact reliable and
event data security is reasonable.
CHAPTER 4: DOCUMENTING INFORMATION SYSTEMS
READING SYSTEMS DOCUMENTATION
1. Reading Data Flow Diagrams
Data Flow Diagram (DFD) is a graphical representation
of a process. It is developed to provide a top-down look
at a process and improve the efficiency and
effectiveness of implementation of the process.
 Bubble symbol - depicts an entity or a process
within which incoming data flows are
transformed into outgoing data flows. (can be
either an entity on a physical data flow diagram
or a process on a logical data flow diagram.)
 Data flow symbol – pathway for data
 External entity symbol – portrays source or a
destination of data outside the system
 Data store symbol – place where the data are
stored. (may represent a view—a portion—of a
larger enterprise database)
Context Diagram - the least detailed picture of a system
that defines the process being documented and shows
the data flows into and out of the process to external
entities – entities outside the system that send data to,
or receive data from, the system.
Physical Data Flow Diagram – a graphical
representation of a system that shows the system’s
internal and external entities and the flows of data into
and out of these entities. An internal entity is an entity
within the system that transforms data.
Physical DFDs specify where, how, and by whom a
system’s activities are accomplished. A physical DFD
does not tell us what activities are being accomplished.
The physical DFD’s bubbles are labeled with nouns and
that the data flows are labeled to indicate how data are
transmitted between bubbles.
 Systems flowchart - a graphical representation of a
business process, including information processes
(inputs, data processing, data storage, and outputs), as
well as the related operations processes (people,
equipment, organization, and work activities).

These flowcharts depict the sequence of activities

performed as the business events flow through the
process from beginning to end.

Containing both manual and computer activities, the

systems flowchart presents a logical and physical
rendering of the who, what, how, and where of
information and operations processes.
Logical Data Flow Diagram – a graphical representation
In addition, the systems flowchart includes the
of a system that shows the system’s processes, data
operations process and personnel involved in a process.
stores, and the flows of data into and out of the
processes and data stores. Systems flowcharts are used to understand a system
and to analyze a system’s controls.
Logical DFDs are used to document systems because we
can represent the logical nature of a system—what
activities the system is performing—without having to
specify how, where, or by whom the activities are
accomplished.

Over time, what a system is doing will change less than

how the system is doing it.

The processes are labeled with verbs that indicate the

activities being performed.

Another advantage to the logical data flow diagram,

unlike the physical data flow diagram, is that the
bubbles can be broken down into more detail.

All of the bubbles in Figure 4.4 contain numbers

followed by a decimal point and a zero, this diagram is
often called a “level 0” diagram. When two DFDs—in
this case, the context and the level 0—have equivalent
external data flows, we say that the DFDs are balanced.
Only balanced sets of DFDs (i.e., a context diagram, a Common Systems Flowcharting Routines
logical DFD, and a physical DFD) are correct.

We have “exploded” the context diagram in Figure 4.2

into its top-level components. We have looked inside
the context diagram bubble to see the major
subdivisions of the cash receipts process. The successive
subdividing, or “exploding,” of logical DFDs is called top-
down partitioning, and when properly performed, it
leads to a set of balanced DFDs.

2. Reading Systems Flowcharts

Key verification is a control plan for sensitive data in
which two people key in the exact same inputs to
ensure they are proper and accurate. Key verification
might be used for very large dollar value transactions or
transactions that would impact the entire organization.

PREPARING SYSTEMS DOCUMENTATION
1. Preparing Data Flow Diagrams
SQL: A RELATIONAL DATABASE QUERY LANGUAGE
SQL is a powerful database language that can be used to
define database systems, query the database for
information, generate reports from the database, and
access databases from within programs using
embedded SQL commands.
It has become the de facto standard database language
—evidenced by continual efforts by the industry to
provide standardization guidelines for vendors and the
number of variations of the language that exist in
databases from supercomputers to personal computers.
Constructing Relational Databases
CREATE command - used to create the relations that
form the database structure.
1. Assign the relation a name
2. Assign each attribute a name.
3. Specify the data type for each attribute.
Data type descriptions - combination of alphanumeric
or numeric values.
Alphanumeric types
 CHAR (for fixed-length strings)
 VAR-CHAR (for varying length alphanumeric
strings).
Numeric data types
 INTEGER
 FLOAT (which has a floating decimal point).
4. Specify constraints, when appropriate, on the
attributes.
Most notably, we need to make sure that the primary
key values are not left empty (i.e., null); otherwise,
there will be no key value by which to identify and pull
the tuple’s record from the database. We may want to
require that other attributes be assigned some value
rather than having the option of being null. In each of
these cases, we can assign a value of NOT NULL as the
constraint.
ALTER is SQL’s way of recognizing that we may not
always get the permanent design of a relation right the
first time. In this way, additional attributes can be
added to a relation in the future. In our case, we are
adding an attribute column for hours worked
Populating the Database
Data ca be changed in the database in three ways:
INSERT, DELETE, and UPDATE
1. INSERT – used to add a single tuple to an existing
relation.
The INSERT command in its simplest form only requires
the user to specify the SQL table and the values to be
inserted for each attribute if a value is provided for
every attribute.
2. DELETE - method by which we delete a tuple from a
relation.
The DELETE command requires specification of the table
name and inclusion of a WHERE condition, which is used
to identify the unique tuple(s) for deletion.
3. UPDATE - used when we want to change one or more
attribute values for one or more tuples in a table.
To accomplish a change of an attribute value, the
UPDATE command must be able to identify the table
with the value to be updated, the new values to be
placed in the database, and the conditions for
identifying the correct tuple for UPDATE.
To make the change, we identify the tuple using the
WHERE condition we just used for deletion, and we
change the existing values by using a SET command to
set the new values for the database.
Basic Querying Commands
SELECT
SELECT commands retrieve the values for a list of
attributes from the tuples of a single relation.
SELECT commands allow us to join data across
multiple tables to link specific pieces of information
that are of interest
1. a list of attributes that we want to SELECT from the
database (SELECT)
2. a list of tables where these attributes can be found
(FROM)
3. a WHERE clause that sets the conditions under which
attribute values are to be retrieved. (WHERE)
And that’s it for Chapter 6.
Now we move on to Chapter 7 where we will be
discussing the Controlling Information Systems: an
Introduction to Enterprise Risk Management and
Internal Control
After the lesson, we should be able to:
Learning Objectives:
 Summarize the eight elements of COSO’s
Enterprise Risk Management—Integrated
Framework.
 Understand that management employs internal
control systems as part of organizational and IT
governance initiatives.
 Describe how internal control systems help
organizations achieve objectives and respond to
risks.
 Describe fraud, computer fraud, and computer
abuse.
 Enumerate control goals for operations and
information processes.
 Describe the major categories of control plans
Organizational Governance
A process by which organizations select objectives,
establish processes to achieve objectives, and monitor
performances.
Objective setting includes defining mission, vision,
purpose, and strategies to establish relationships.
Internal control and monitoring activities are
implemented to review performance and provide
feedback to provide a reasonable assurance that
objectives are being achieved.
Enterprise Risk Management
A framework that has proven to be an effective process
for organizational governance.
A process, effected by an entity’s board of directors,
management, and other personnel, applied in strategy
settings and across the enterprise, designed to identify
potential events that may affect the entity, and manage
risk to be within its risk appetite, to provide reasonable
assurance regarding the achievement of entity
objectives.
The ERM framework addresses four categories of
management objectives:
Strategic: wherein High-level goals are aligned with
and supporting its mission.
Operations: having Effective and efficient use of its
resources.
Reliability of reporting.
Compliance with applicable laws and regulations.
Components of Enterprise Risk Management
The ERM process starts with the first component, the
1. Internal environment: The internal environment
encompasses the tone of an organization and
sets the basis for how risk is viewed and
addressed by an entity’s people, including risk
management philosophy and risk appetite,
integrity and ethical values, and the
environment in which they operate.
2. Objective setting: Objectives such as mentioned
a while ago, the strategic and related objectives,
must exist before management can identify
potential events affecting their achievement.
ERM ensures that management has a process in
place to set objectives and that the chosen
 objectives support and align with the entity’s management activities, separate evaluations, or
mission and are consistent with its risk appetite. both.
3. Event identification: Internal and external
events affecting achievement of an entity’s
objectives must be identified, distinguishing
between risks and opportunities.

Risks - events that would have a negative impact on the

organization’s objectives – require assessment and
response

Opportunities - events that would have a positive

impact on organization’s objectives – channeled back to
the strategy-setting process

Risk assessment: Risks are analyzed, considering

likelihood and impact, as a basis for determining how
they should be managed. Likelihood is the possibility
that an event will occur, and impact is the effect of an
event’s occurrence. Risks are assessed on an inherent
and a residual basis.

Risk response: Management selects risk responses from

the four response types: avoiding, accepting, reducing,
or sharing risk—developing a set of actions to align risks
with the entity’s risk tolerances and risk appetite.

 We can avoid a risk by leaving the activity that

is giving rise to the risk.
 We can reduce a risk by taking actions that
reduce the likelihood of an event or reduce the
impact
 We can share a risk by, for example, buying
insurance or outsourcing the activity.
 We can accept a risk by taking no action at all
4. Control activities: Policies and procedures are
established and implemented to help ensure
the risk responses are effectively carried out.
5. Information and communication: Relevant
information is identified, captured, and
communicated in a form and time frame that
enable people to carry out their responsibilities.
Effective communication requires that
appropriate, timely, and quality information
from internal and external sources flows down,
up, and across the entity to facilitate risk
management and intelligent decision making.
6. Monitoring: The entirety of ERM is monitored,
and modifications are made as necessary.
Monitoring is accomplished through ongoing