
Accounting Information Systems

Fifteenth Edition, Global Edition

Chapter 10
Control and Accounting
Information Systems

• Copyright © 2021 Pearson Education Ltd.


Learning Objectives
• Explain basic control concepts and why computer control
and security are important.
• Describe the major elements in the control environment of
a company.
• Explain how to assess and respond to risk using the
Enterprise Risk Management (ERM) model.
• Describe control activities commonly used in companies.
• Describe how to communicate information and monitor
control processes in organizations.



Organizations have not adequately protected data
for several reasons:
• Some companies view the loss of crucial information as a
distant, unlikely threat.
• The control implications of moving from centralized computer
systems to Internet-based systems are not fully understood.
• Many companies do not realize that information is a strategic
resource & that protecting it must be a strategic requirement.
• Productivity and cost pressures motivate management to forgo
time-consuming control measures.


• Any potential adverse occurrence or unwanted event that
could be injurious to either the accounting information
system or the organization is referred to as a threat.
• The potential dollar loss should a particular threat become
a reality is referred to as the exposure or impact of the
threat.
• The probability that the threat will happen is the likelihood
associated with the threat.



Internal Controls
• Processes implemented to provide reasonable assurance
that the following objectives are achieved:
– Safeguard assets
– Maintain sufficient records
– Provide accurate and reliable information
– Prepare financial reports according to established criteria
– Promote and improve operational efficiency
– Encourage adherence with management policies
– Comply with laws and regulations


Internal Controls
• Processes implemented to provide “reasonable” assurance
that the objectives are achieved:
– Complete assurance is difficult to achieve.
– In addition, internal control systems have inherent limitations,
such as susceptibility to simple errors & mistakes, faulty judgments
& decision making, management overrides, and collusion.


Functions of Internal Controls
• Preventive controls
– Deter problems from occurring

• Detective controls
– Discover problems that are not prevented

• Corrective controls
– Identify and correct problems; correct and recover from
the problems


Functions of Internal Controls
• Preventive controls
– E.g. hiring qualified personnel, segregating employee duties,
and controlling physical access to assets and information.

• Detective controls
– E.g. Transaction Monitoring: Regularly monitoring financial
transactions for unusual patterns or anomalies that may indicate
errors, fraud, or other irregularities.
– Internal Audits: Conducting periodic internal audits to review
financial records, processes, and controls to identify any
discrepancies or non-compliance.
– Reconciliation Procedures: Reconciling bank statements, accounts
receivable, and accounts payable regularly to identify
discrepancies and errors.

• Corrective controls
– E.g. maintaining backup copies of files, correcting data entry
errors, and resubmitting transactions for subsequent processing.

Internal controls are typically categorized
into two main types:
1. General Controls: General controls are essential for
ensuring the overall stability and effective management of
an organization's control environment. E.g. security
measures, IT infrastructure oversight, and controls related
to the acquisition, development, and maintenance of
software.
2. Application Controls: Application controls prevent, detect,
and correct transaction errors and fraudulent activities within
application programs. These controls specifically focus on ensuring
the accuracy, completeness, validity, and authorization of data
throughout its lifecycle, covering processes such as
capture, entry, processing, storage, and reporting.

Creativity vs controls.
Robert Simons, a Harvard Business School professor, has
introduced four levers of control to assist management in
reconciling the conflict between creativity and controls:
1. A belief system articulates how a company generates
value, aids employees in comprehending management’s
vision, communicates core values, and motivates employees
to embody those values.
2. A boundary system guides employees to act ethically by
establishing limits on behavior. Instead of providing explicit
instructions, employees are encouraged to creatively solve
problems, meet customer needs, and avoid actions that may
harm the company's reputation.
3. A diagnostic control system assesses, monitors, and
compares the actual progress of the company to budgets
and performance goals. Feedback from this system
allows management to make adjustments and refine
inputs and processes to align future outputs more closely
with goals.
4. An interactive control system assists managers in
directing subordinates’ attention to key strategic issues
and participating more actively in their decisions. Data
from the interactive system are interpreted and discussed
in face-to-face meetings involving superiors,
subordinates, and peers.


Foreign Corrupt Practices Act (FCPA)

• FCPA is legislation passed (1977)
– To prevent companies from bribing foreign officials to
obtain business
– Requires all publicly owned corporations to maintain a
system of internal accounting controls


Sarbanes–Oxley Act (SOX)

• SOX is legislation passed (2002) that applies to publicly
held companies and their auditors to
– Prevent financial statement fraud
– Make financial reports transparent
– Protect investors
– Strengthen internal controls
– Punish executives who perpetrate fraud


SOX recommendation: Audit
committee
• Audit committee members must be on the company’s board of
directors and be independent of the company. One member of
the audit committee must be a financial expert.
• Audit committees hire, compensate, and oversee any registered
public accounting firm that is employed
• Auditors report to the audit committee and not management
• Audit committees must pre-approve all audit and non-audit
services provided by its auditor



SOX recommendation: Management
• The CEO and CFO at companies with more than $1.2 billion in
revenue must prepare a statement certifying that their quarterly and
annual financial statements & disclosures are fairly presented, were
reviewed by management, & are not misleading.
• Management must prepare an annual internal control report that
states
– Management is responsible for establishing and maintaining an
adequate internal control structure
– Management assessed the company’s internal controls & attests
to their accuracy,
– Auditors were told about all material internal control
weaknesses and fraud



The Committee of Sponsoring
Organizations (COSO)
• The Committee of Sponsoring Organizations (COSO)
comprises the American Accounting Association, the
AICPA, the Institute of Internal Auditors, the Institute of
Management Accountants, and the Financial Executives
Institute.
• In 1992, COSO released the Internal Control—
Integrated Framework (IC), widely recognized as the
authoritative guide on internal controls. It is extensively
integrated into policies, rules, and regulations governing
business activities.



Components of the COSO Internal
Control – Integrated Framework

• There are five components of the COSO Internal
Control – Integrated Framework
– Control environment
– Risk assessment
– Control activities
– Information and communication
– Monitoring


The Control Environment
• Management’s philosophy, operating style, and risk
appetite
• Commitment to integrity, ethical values, and competence
• Internal control oversight by Board of Directors
• Organizing structure
• Methods of assigning authority and responsibility
• Human resource standards



The Control Environment
• Management’s philosophy, operating style,
and risk appetite
– An organization possesses a philosophy,
encompassing shared beliefs and attitudes,
regarding risk that significantly influences policies,
procedures, both oral and written
communications, and decision-making.
– Companies define their risk appetite, signifying
the level of risk they are prepared to embrace in
pursuit of their objectives.


The Control Environment
• Management’s philosophy, operating style, and
risk appetite
The effectiveness of management can be assessed by
answering questions such as these:
• Does management take undue business risks to achieve its
objectives, or does it assess potential risks and rewards
before taking action?
• Does management manipulate performance measures, such
as net income, to present them in a more favorable light?
• Does management pressure employees to achieve results
regardless of the methods, or does it demand ethical
behavior?

The Control Environment
• Commitment to integrity, ethical values, and competence
Companies endorse integrity by:
– Developing a written code of conduct that explicitly describes
honest and dishonest behaviors
– Avoiding unrealistic expectations or incentives that motivate
dishonest or illegal acts
– Consistently rewarding honesty
– Requiring employees to report dishonest or illegal acts and
disciplining employees who knowingly fail to report them
– Making a commitment to competence


The Control Environment
• Internal control oversight by Board of Directors
BoD represents shareholders and provides an independent
review of management that acts as a check and balance on
its actions.
– SOX mandates that public companies establish an audit
committee (AC) consisting of independent directors external
to the organization. The primary responsibilities of the AC
include overseeing financial reporting, ensuring regulatory
compliance, monitoring internal controls, & engaging in the
selection and supervision of both internal and external
auditors.
– Auditors are tasked with reporting all essential accounting
policies and practices to the audit committee.

The Control Environment
• Organizational structure
The organizational structure of a company serves as a framework
for planning, executing, controlling, and monitoring operations.
– The degree to which decision-making authority is concentrated at
the top (centralization) or distributed across various levels
(decentralization)
– The nature of reporting relationships within the organization,
whether they follow a direct line of command or involve a matrix
structure where individuals report to multiple managers
– Organization by industry, product line, location, or marketing
network
– Organization and lines of authority

The Control Environment
• Methods of assigning authority and responsibility
• Management should ensure that employees have a clear
understanding of the entity's goals and objectives. They
should assign authority and responsibility for these goals
and objectives to specific departments and individuals,
holding them accountable for achievement.
• Authority & responsibility are assigned and communicated
through formal job descriptions, employee training,
operating schedules, budgets, & a code of conduct.



The Control Environment
• Human resource standards (attracting, developing,
and retaining competent individuals)
– One of the greatest strengths in control is the honesty of
employees. HR policies and practices can be powerful
forces in promoting honesty, efficiency, and loyal
service.
– HR policies should communicate the necessary levels of
expertise, competence, ethical behavior, and integrity.

The following HR policies and procedures are important:
– Hiring (ensure proper skills & qualifications; reference
letters, background check, etc.)
– Compensating, evaluating, and promoting (fair pay and
evaluation are important in reducing fraud)
– Managing disgruntled employees
– Discharging: dismissed employees should be removed
from sensitive jobs immediately and denied access
– Vacation and rotation of duties
– Confidentiality agreement

Risk Assessment
Risk is assessed from two perspectives:
• Likelihood
– Probability that the event will occur
• Impact
– Estimate potential loss if event occurs
Types of risk
• Inherent
– Risk that exists before plans are made to control it
• Residual
– Risk that is left over after you control it



Risk Response
• Reduce
– This involves taking actions to lessen the impact
or likelihood of a risk occurring. e.g. Implement
preventive internal control procedures
• Accept
– Do nothing, accept likelihood, and impact of risk

• Share
– Buy insurance, outsource, etc.

• Avoid
– Do not engage in the activity

Control Activities
Control procedures fall into the following categories:

• Proper authorization of transactions and activities
• Segregation of duties
• Project development and acquisition controls
• Change management controls
• Design and use of documents and records
• Safeguarding assets, records, and data
• Independent checks on performance



Figure 10.4 Separation of Duties



Information and Communication
• There are three IC principles that apply to the information
and communication process:
– Obtain or generate relevant, high-quality information to
support internal control.
– Internally communicate the information, including
objectives and responsibilities, necessary to support
the other components of internal control.
– Communicate relevant internal control matters to
external parties.



Monitoring
• Perform internal control evaluations (e.g., internal
audit)
• Implement effective supervision
• Conduct periodic audits (e.g., external, internal,
network security)
• Employ computer security officer
• Engage forensic specialists
• Install fraud detection software
• Implement fraud hotline



Accounting Information Systems
Fifteenth Edition, Global Edition

Chapter 11
Controls for Information Security



Trust Services Framework
• Security
– Access to the system and data is controlled and
restricted to legitimate users.
• Confidentiality
– Sensitive organizational data is protected.
• Privacy
– Personal information about trading partners, investors,
and employees is protected.
• Processing integrity
– Data are processed accurately, completely, in a timely
manner, and only with proper authorization.
• Availability
– System and information are available.



Relationships Among the Five Trust
Services Principles for Systems Reliability



Three Fundamental Information
Security Concepts
1. Security is a management issue
– Senior management involvement and support
throughout all phases of the security life cycle is
absolutely essential.



Figure 11.2 The Security Life Cycle



The Security Life Cycle
• Senior managers must choose how to respond to threat
(e.g. reduce, share, accept or avoid).
• Managers must participate in developing the policy and
communicate it to employees, send them periodic reminders, etc.
• Managers must authorize investing the necessary resources
to mitigate the threat identified.
• Managers must periodically re-assess the firm’s risk
response & make changes where needed.

Three Fundamental Information
Security Concepts
2. People are the critical factor
– People can either be the “weakest link” in security or
an important asset.
– Employees should have the necessary skills and
competencies, and understand how to follow the
security policy
– Employees should be trained to follow safe computing
practices (e.g. increase their awareness of social
engineering tricks).


Three Fundamental Information
Security Concepts
3. The time-based model of information security
– It is the implementation of a combination of preventive,
detective, and corrective controls that protect information assets
long enough to enable an organization to recognize that an
attack is occurring and take steps to prevent it before any
information is lost or compromised.
– In the time-based model, security is effective if:

P > D + C, where

– P is the time it takes an attacker to break through preventive controls
– D is the time it takes to detect that an attack is in progress
– C is the time it takes to respond to the attack and take corrective action

How to Mitigate Risk of Attack
Preventive Controls
• Physical security
• Process
• IT solutions
Detective Controls
• Log analysis
• Intrusion detection systems
• Honeypots
• Continuous monitoring
Response
• Computer Incident Response Teams (CIRT)
• Chief Information Security Officer (CISO)


Physical Security: Access Controls
• Physical security access controls

– Limit entry to building

– Restrict access to network and data



User Access Controls
• Authentication—verifies the person
1. Something person knows (e.g. password)

2. Something person has (e.g. ID card)

3. Some biometric characteristic (e.g. fingerprints)

4. Combination of two or more (multifactor authentication)


• Authorization—determines what a person can access
• Authorization matrix: a table used to implement
authorization control
• Compatibility test: matching the user’s credentials against
authorization matrix
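
An added example (not from the slides or the textbook) of an authorization matrix and the compatibility test that checks an already authenticated user against it. The user IDs, resources and the four access levels are assumptions made for illustration.

```python
# Added example: authorization matrix with a compatibility test.
# User IDs, resources and access levels are constructed for illustration.
from datetime import datetime, timezone

# Ordered access levels (assumption): a higher level includes the lower ones.
LEVELS = {"none": 0, "read": 1, "update": 2, "create_delete": 3}

# One row per authenticated user, one column per resource.
# A missing row or column means no access (default deny).
AUTHORIZATION_MATRIX = {
    "sales_clerk": {"sales_orders": "create_delete", "customer_master": "read",
                    "price_list": "read"},
    "credit_manager": {"sales_orders": "read", "customer_master": "update"},
    "ar_clerk": {"accounts_receivable": "update", "customer_master": "read"},
}

ACCESS_LOG = []  # every decision is recorded so denied attempts can be reviewed


def compatibility_test(user, resource, action,
                       matrix=AUTHORIZATION_MATRIX, log=ACCESS_LOG):
    """Return True only if the matrix grants `user` at least `action` on `resource`."""
    if action not in LEVELS or action == "none":
        raise ValueError(f"unknown action: {action!r}")
    granted = matrix.get(user, {}).get(resource, "none")
    allowed = LEVELS[granted] >= LEVELS[action]
    log.append({"time": datetime.now(timezone.utc).isoformat(), "user": user,
                "resource": resource, "action": action, "allowed": allowed})
    return allowed


def who_can(resource, action, matrix=AUTHORIZATION_MATRIX):
    """List users whose row grants `action` on `resource` (periodic access review)."""
    need = LEVELS[action]
    return sorted(user for user, row in matrix.items()
                  if LEVELS[row.get(resource, "none")] >= need)


def denied_attempts(log=ACCESS_LOG):
    """Count denied requests per user, as input for log analysis."""
    counts = {}
    for entry in log:
        if not entry["allowed"]:
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return counts


if __name__ == "__main__":
    print(compatibility_test("sales_clerk", "price_list", "read"))
    print(compatibility_test("sales_clerk", "price_list", "update"))
    print(compatibility_test("unknown_user", "customer_master", "read"))
    print(who_can("customer_master", "update"))
    print(denied_attempts())
```
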
IT Solutions
• Antimalware controls

• Encryption



Detecting Attacks

• Log Analysis—examining logs to identify evidence of
possible attacks
• Honeypots—A decoy system used to provide early
warning that an insider or outsider is attempting to search
for confidential information
• Continuous Monitoring—employee compliance with
organization’s information security policies and overall
performance of business processes



Responding to Attacks
• Computer Incident Response Team (CIRT)
• Chief Information Security Officer (CISO)



Accounting Information Systems
Fifteenth Edition, Global Edition

Chapter 14
The Revenue Cycle: Sales to Cash
Collections



The Revenue Cycle
• The revenue cycle is a recurring set of business
activities and related information processing operations
associated with providing goods and services to
customers and collecting cash in payment for those
sales.



The Revenue Cycle
• The revenue cycle’s primary objective is to provide the
right product in the right place at the right time for the right
price.
To accomplish that objective, management must make the
following key decisions:
1. To what extent can and should products be customized to
individual customers’ needs and desires?
2. How much inventory should be carried, and where should
that inventory be located?
3. How should merchandise be delivered to customers?
Should the company perform the shipping function itself or
outsource it to a third party that specializes in logistics?
4. What are the optimal prices for each product or service?
5. Should credit be extended to customers?
6. How much credit should be given to individual customers?
7. What credit terms should be offered?
8. How can customer payments be processed to maximize
cash flow?

Basic Revenue Cycle Activities
• Sales order entry
• Shipping
• Billing
• Cash collections



General Threats & Controls to Revenue Cycle
Threats
1. Inaccurate or invalid master data
e.g. inaccurate customer master file may result in shipping/or
sending invoices to wrong address, or delay in collecting
payments…etc.
Controls

a. Data processing integrity controls (e.g. segregation
of duties)
b. Restrict access to master data (e.g. authentication
Ch11)
c. Review of all changes to master data


General Threats & Controls to Revenue Cycle
Threats
2. Unauthorized disclosure of sensitive information
(such as pricing policy)

Controls

a. Access controls (e.g. authorization matrix)
b. Encryption of sensitive information


General Threats & Controls to Revenue Cycle
Threats
3. Loss or destruction of data

Controls
Backup and disaster recovery procedures



General Threats & Controls to Revenue Cycle
Threats
4. Poor performance

Controls

Managerial reports (e.g. sales report, customer
satisfaction, etc.)


Sales Order Entry Processing Steps
• Take the customer order (sales order, as a source
document, contains information about item numbers,
quantities, prices, and other terms of the sale)
• Approve customer credit
• Check inventory availability
• Respond to customer inquiries

Sales Order Entry Processing
Threats
1. Incomplete/inaccurate orders (e.g. customer
address)
Controls

a. Data entry edit controls (e.g. automatic lookup of reference
data: entering the customer name brings up all other information)
b. Restrict access to master data to maintain accuracy

ERP enforces proper segregation of duties by preventing the
salesperson from altering prices for friends. It also performs
reasonableness tests to compare the quantity ordered with item
numbers and past sales history.


Sales Order Entry Processing
Threats

2. Invalid orders (e.g. customer denies placing an order)

Controls

Customer signature to authorize sale (paper-based or
digital signature)


Sales Order Entry Processing
Threats

3. Uncollectible accounts

Controls

a. Credit limits checked and if sale exceeds limit, specific
authorization needed
b. Aging of accounts receivable

Sales Order Entry Processing
Threats

4. Stockouts and excess inventory

Controls

a. Perpetual inventory system
b. Bar code technology
c. Physical inventory counts
d. Sales forecast and activity reports


Shipping Process (1 of 2)
• Pick and pack the order
– Source documents: picking ticket
• Ship the order
– Source documents: Packing slip, Bill of lading



Shipping Process (2 of 2)
Threats
1. Picking wrong item or quantity to ship
2. Theft of inventory
3. Shipping errors (fail to ship the goods, wrong quantities, wrong
items, ship to wrong address, duplication)

Controls
1. a. Bar code technology
b. Reconcile picking list to sales order
2. a. Restrict physical access to inventory
b. Document inventory transfers
c. Physical counts of inventory and reconcile to quantities
recorded
3. a. Reconcile shipping documents to sales orders,
picking lists, & packing slips

Billing Process (1 of 2)
• Invoicing the customer
– Source document: sales invoice
• Updating accounts receivable
– Source document: credit memo and monthly
statements



Billing Process
Threats
1. Failure to bill customer

Controls

1. a. Reconcile invoices with sales orders and shipping
documents
b. Separate shipping and billing functions


Billing Process
Threats
2. Billing errors (e.g. pricing mistakes and billing
customers for items not shipped)

Controls

a. Configure system to automatically enter price data
b. Reconciliation of shipping documents to sales orders


Billing Process
Threats
3. Posting errors in accounts receivable

Controls

3. a. Reconcile subsidiary accounts receivable balance to the
amount for accounts receivable in the general ledger
b. Mail monthly statements to customers


Billing Process
Threats
4. Inaccurate or invalid credit memos

Controls

a. Segregation of authorization and recording function for
credit memos


Cash Collection Process
Threats
1. Theft of cash

Controls
1. Proper segregation of duties: The following pairs of duties
should be separated:

- Managing cash & recording remittances in customer accounts.

- Handling cash & approving credit memos.

- Processing cash & reconciling the bank statement.
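
An added example (not from the slides) that turns the three duty pairs above into a check over role assignments: a detective scan of current users and a preventive test before a new role is granted. Role names, duty names and users are constructed for illustration.

```python
# Added example: find users whose combined roles break the cash-collection
# segregation-of-duties pairs. Role, duty and user names are constructed.

# The three pairs from the slide: custody of cash on one side, a recording,
# authorization or reconciliation duty on the other.
CONFLICTING_DUTIES = [
    ("handle_cash", "post_remittances"),
    ("handle_cash", "approve_credit_memos"),
    ("handle_cash", "reconcile_bank_statement"),
]

ROLE_DUTIES = {
    "cashier": {"handle_cash"},
    "ar_clerk": {"post_remittances"},
    "credit_manager": {"approve_credit_memos"},
    "treasury_analyst": {"reconcile_bank_statement"},
    "office_manager": {"handle_cash", "approve_credit_memos"},  # conflict in one role
}

USER_ROLES = {
    "alice": ["cashier"],
    "bob": ["ar_clerk", "credit_manager"],      # no custody of cash
    "carol": ["cashier", "treasury_analyst"],   # conflict from combining roles
    "dave": ["office_manager"],
}


def duties_of(roles, role_duties=ROLE_DUTIES):
    """Map each duty to the sorted roles that grant it; unknown roles raise KeyError."""
    granted = {}
    for role in roles:
        for duty in role_duties[role]:
            granted.setdefault(duty, []).append(role)
    return {duty: sorted(sources) for duty, sources in granted.items()}


def find_violations(user_roles=USER_ROLES, role_duties=ROLE_DUTIES,
                    conflicts=CONFLICTING_DUTIES):
    """Detective check: (user, duty_a, duty_b, roles involved) for every broken pair."""
    findings = []
    for user in sorted(user_roles):
        granted = duties_of(user_roles[user], role_duties)
        for duty_a, duty_b in conflicts:
            if duty_a in granted and duty_b in granted:
                roles = sorted(set(granted[duty_a]) | set(granted[duty_b]))
                findings.append((user, duty_a, duty_b, roles))
    return findings


def conflicts_if_granted(user, new_role, user_roles=USER_ROLES,
                         role_duties=ROLE_DUTIES, conflicts=CONFLICTING_DUTIES):
    """Preventive check: pairs that giving `user` the role `new_role` would newly break."""
    current = list(user_roles.get(user, []))
    before = {f[1:3] for f in find_violations({user: current}, role_duties, conflicts)}
    after = find_violations({user: current + [new_role]}, role_duties, conflicts)
    return [f[1:3] for f in after if f[1:3] not in before]


if __name__ == "__main__":
    for finding in find_violations():
        print(finding)
    print(conflicts_if_granted("bob", "cashier"))
```
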



Cash Collection Process
Threats

2. Cash flow problems

Controls

a. Discounts for early payment
b. Cash flow budgeting


Accounting Information Systems
Fifteenth Edition, Global Edition

Chapter 15
The Expenditure Cycle: Purchasing
to Cash Disbursements



Basic Expenditure Cycle Activities
• Order materials, supplies, and services
• Receive materials, supplies, and services
• Approve supplier (vendor) invoice
• Cash disbursement

The primary objective of the
expenditure cycle
• The primary objective of the expenditure cycle is
to minimize the total cost of acquiring and
maintaining inventories, supplies, and various
services the organization needs to function.



General Threats and Controls
Threats
1. Inaccurate or invalid master data
2. Unauthorized disclosure of sensitive information
3. Loss or destruction of data
4. Poor performance

Controls
1. a. Data processing integrity controls
b. Restriction of access to master data
c. Review of all changes to master data
2. a. Access controls
b. Encryption
3. a. Backup and disaster recovery procedures
4. a. Managerial reports


1. Order Goods or Services Processing
• Identify what, when, and how much to purchase
– Source document: purchase requisition
• Choose a supplier
– Source document: purchase order

The key objective is to make sure that:
- the purchase is authorized,
- you receive what you ordered when you want it, and
- that the goods are of good quality.

1. Ordering Goods/Services
Threats

1. Stockouts and excess inventory

Controls

1. a. Perpetual inventory system
b. Bar-coding
c. Periodic physical counts


1. Ordering Goods/Services
Threats

2. Purchasing items not needed

Controls

2. a. Perpetual inventory systems
b. Review and approval of purchase requisitions
c. Centralized purchasing


1. Ordering Goods/Services
Threats

3. Purchasing items at inflated prices

Controls

3. a. Price lists (to be available)
b. Competitive bids
c. Review purchase orders


1. Ordering Goods/Services
Threats

4. Purchasing goods of poor quality

Controls

4. a. Use approved suppliers (who are known for delivering
high quality products)
b. Review and approve purchases from new suppliers
d. Hold purchasing managers responsible for rework and
scrap cost


1. Ordering Goods/Services
Threats

5. Unreliable suppliers

Controls

5. a. Monitor supplier performance (e.g. track their
performance such as comparing their actual
delivery time with their promise)
b. Require quality certification (e.g. ISO 9000)


1. Ordering Goods/Services
Threats
6. Purchasing from unauthorized suppliers

Controls
6. a. Purchase from approved suppliers (ERP systems
should be configured to prevent issuing purchase orders to
suppliers not in the approved master file).

b. Review and approve purchases from new suppliers


1. Ordering Goods/Services
Threats
7. Kickbacks

Controls
7. b. Prohibit gifts
c. Job rotation & mandatory vacations
d. Required disclosure of financial and personal
interests in suppliers



2. Receiving Process
• Goods arrive
– Verify goods ordered against the purchase order
(what, how much, quality)
– Source document: receiving report

– Accounting entry?



2. Receiving Goods or Services
Threats
1. Accepting unordered items

Controls

1. a. Authorized purchase orders needed before receiving
goods (Accepting unordered items results in costs associated
with unloading, storing, and later returning those items. So
receiving department should accept only deliveries for which there
is an approved purchase order).


2. Receiving Goods or Services
Threats
2. Mistakes in counting of items received

Controls
- Receiving employees sign receiving report (Such
procedures indicate an assumption of responsibility, which
usually results in more diligent work).

- Offer a bonus to employees who detect irregularities


2. Receiving Goods or Services
Threats
3. Inventory theft

Controls

3. a. Restrict physical access to inventory
b. Document all inventory transfers between departments
c. Segregation of duties (e.g. those who control physical
access to inventory should not be able to adjust inventory
records without review and approval).


3. Approve Supplier Invoice and Cash
Disbursements
• Match the supplier invoice to:
– Purchase order
– Receiving report

supplier invoice + purchase order + receiving report = voucher

• Approve supplier invoice for payment


• Source document:
– disbursement voucher
• Pay vendor

Accounting entry?

3. Approve Supplier Invoice
Threats
1. Errors in supplier invoice

Controls

1. a. Verify invoice accuracy
b. Restrict access to supplier master data


3. Approve Supplier Invoice
Threats
2. Mistakes in posting to accounts payable

Controls
2. a. Reconcile detailed accounts payable records to
the general ledger accounts payable account



4. Cash Disbursements
Threats
1. Failure to take discounts
2. Pay for items not received
3. Duplicate payments

Controls
1. a. File invoices by due date to take advantage of discounts
2. a. Match supplier invoice to supporting documents (purchase order, receiving report).
3. a. Pay only original invoices
b. Cancel supporting document when payment is made


4. Cash Disbursements
Threats
1. Failure to take discounts
2. Pay for items not received
3. Duplicate payments
4. Theft of cash
5. Check alteration
6. Cash flow problems

Controls
1. a. File invoices by due date to take advantage of discounts
2. a. Match supplier invoice to supporting documents (purchase order, receiving report)
3. a. Pay only original invoices
b. Cancel supporting document when payment is made
4. a. Physical security of checks
b. Separation of duties
c. Reconcile bank accounts
5. a. Check protection machines
b. Special inks / papers
6. a. Cash flow budget
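
Controls 2.a, 3.a and 3.b above can be enforced in software at the point a voucher is approved. The sketch below is an added example, not part of the original slides; the `Doc` record, the function names and the sample documents are assumptions, and it simplifies to one purchase order, one receiving report and one invoice per voucher.

```python
from dataclasses import dataclass

class DisbursementError(Exception):
    """Raised when a voucher fails a cash-disbursement control."""

@dataclass
class Doc:                    # hypothetical record shape, one per document
    doc_id: str
    supplier: str
    qty: dict                 # item code -> quantity
    original: bool = True     # False for photocopies or re-sent invoices
    cancelled: bool = False   # True once a payment has consumed the document

def approve_voucher(invoice: Doc, po: Doc, receiving: Doc) -> dict:
    """Apply controls 2.a, 3.a and 3.b; return the voucher or raise."""
    docs = (invoice, po, receiving)
    # 3.a Pay only original invoices.
    if not invoice.original:
        raise DisbursementError("invoice is not an original")
    # 3.b A cancelled document has already supported a payment.
    used = [d.doc_id for d in docs if d.cancelled]
    if used:
        raise DisbursementError("already paid against: " + ", ".join(used))
    # 2.a Three-way match: one supplier across all three documents.
    if len({d.supplier for d in docs}) != 1:
        raise DisbursementError("supplier differs across documents")
    # 2.a Pay only for quantities that were both ordered and received.
    for item, billed in invoice.qty.items():
        payable = min(po.qty.get(item, 0), receiving.qty.get(item, 0))
        if billed > payable:
            raise DisbursementError(
                f"{item}: billed {billed}, ordered and received {payable}")
    # 3.b Cancel the supporting documents so they cannot back a second payment.
    for d in docs:
        d.cancelled = True
    return {"supplier": invoice.supplier, "documents": [d.doc_id for d in docs]}

def sample_documents():
    """Constructed sample data: 100 ordered, 90 received, 90 billed."""
    po = Doc("PO-1001", "ACME", {"widget": 100})
    rr = Doc("RR-5001", "ACME", {"widget": 90})
    inv = Doc("INV-77", "ACME", {"widget": 90})
    return inv, po, rr
```

A rejected voucher leaves all three documents uncancelled, so a corrected invoice can still be matched against the same purchase order and receiving report.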


Chapter 16
The Production Cycle



Production Cycle Process
• Product Design
• Planning and Scheduling
• Production Operations
• Cost Accounting



Figure 16.1 Context Diagram of the
Production Cycle



1. Product Design
• Create a product that meets customer requirements
• Generates two output documents:
– Bill of materials
– Operations list



1. Product Design

Threats
1. Poor product design resulting in excess costs

Controls
1. a. Analysis of costs arising from product design choices
b. Analysis of warranty and repair costs


2. Planning and Scheduling
• Two types of production planning
– Manufacturing resource planning (MRP-II): push manufacturing
– Lean manufacturing: pull manufacturing


Master Production Schedule (MPS)
• The MPS specifies how much of each product is to be produced during the planning period and when that production should occur.


2. Planning and Scheduling
Threats
1. Over and under production

Controls
2. a. Production planning systems
b. Review and approve production orders and schedules
c. Restrict access to orders and schedules


3. Production Operations
Threats
1. Inventory theft
2. Fixed asset theft

Controls
1. a. Restrict physical access
b. Document movement of inventory
c. Segregation of custody duties from authorization and recording
2. a. Restrict access to fixed assets
b. Keep detailed records of fixed assets including disposals


3. Production Operations
Threats
3. Poor performance
4. Suboptimal investments in fixed assets
5. Loss of inventory or fixed assets due to fire or disasters

Controls
3. a. Training
b. Performance reporting
4. a. Solicit competitive bids
5. a. Insurance and physical safeguards


4. Cost Accounting Systems
• Provide information for planning, controlling, and
evaluating the performance of production operations
• Provide accurate cost data about products for use in
pricing and product mix decisions
• Collect and process the information used to calculate the inventory and cost of goods sold values that appear in the organization’s financials


4. Cost Accounting
Threats
1. Inappropriate allocation of overhead costs

Controls
1. a. Time-driven activity-based costing


Chapter 17
The Human Resources
Management and Payroll Cycle



Human Resource Management
Process
• Recruit new employees
• Training
• Job assignment
• Compensation (payroll)
• Performance evaluation
• Discharge of employees (voluntary or involuntary)



General Issues HRM/Payroll
Threats
1. Inaccurate or invalid data
2. Unauthorized disclosure of sensitive information
3. Loss or destruction of data
4. Hiring unqualified employees
5. Violations of employment laws

Controls
1. a. Data processing integrity controls
b. Restrict access to master data
2. a. Access controls
b. Encryption
3. a. Backup & disaster recovery
4. a. Robust hiring procedures
5. a. Continuing education on changes to employment laws (e.g. equal opportunity policy).

Payroll Cycle Activities
1. Update payroll master data
2. Validate time and attendance data
– Source document: time sheets
3. Prepare payroll
4. Disburse payroll
5. Disburse taxes and miscellaneous deductions


1. Update Master Payroll Data

Threats
1. Unauthorized changes to payroll master data (e.g. related to new hire…).
2. Inaccurate updating of master data

Controls
1. a. Access controls and segregation of duties (updating master data vs paying checks)
2. a. Data processing integrity controls (e.g. validity check, field format check, completeness test)


2. Validate Time and Attendance Data

Threats
1. Inaccurate time and attendance data

Controls
1. a. Supervisory review
b. Source data automation for data capture and biometric authentication


3. Prepare Payroll
Threats
1. Errors in processing payroll

Controls
a. Data processing integrity controls
b. Supervisory review


4. Disburse Payroll
5. Disburse Payroll Taxes
Threats
1. Theft or fraudulent distribution of paychecks
2. Failure to make required payments
3. Untimely payments
4. Inaccurate payments

Controls
1. a. Restrict access to blank payroll checks and check signing machine
- Configure system to make automatic payments on time
- Process integrity controls
- Supervisory review


Chapter 18
General Ledger and
Reporting System



General Ledger and Reporting
System Process
• Update general ledger
• Post adjusting entries
• Prepare financial statements
• Produce managerial reports



General Threats Throughout the
General Ledger and Reporting Cycle
Threats
1. Inaccurate or invalid general ledger data
2. Unauthorized disclosure of financial statement
3. Loss or destruction of data

Controls
1. a. Data processing integrity controls
b. Restriction of access to G/L
c. Review of all changes to G/L data
2. a. Access controls
b. Encryption
3. a. Backup and disaster recovery procedures

1. Update General Ledger
Threats
1. Inaccurate updating of general ledger

Updating G/L includes the process of posting journal entries (JEs). JEs can be routine (e.g. summary information of daily sales posted at the end of the business day to the G/L) or nonroutine (e.g. issuance of debt).


1. Update General Ledger
Threats
1. Inaccurate updating of general ledger

Controls

1. a. Data entry processing integrity controls. This includes:
- Validity check: ensures that G/L accounts exist
- Field format check: e.g. only numerical data in amount field
- Zero-balance check: ensures total debits equal total credits
- Completeness test: ensures all data for the JE is entered
- Closed-loop verification: ensures correctness of G/L account
- Sign check: ensures the balance is appropriate (debit or credit)
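
The six data entry checks listed above can all run against a journal entry before anything is posted. The validator below is an added example, not part of the original slides; the chart of accounts, the field names and the convention that a balance is positive on the account's normal side are assumptions made for illustration.

```python
from decimal import Decimal, InvalidOperation

# Constructed chart of accounts: number -> (name, normal balance side).
CHART = {"1000": ("Cash", "debit"),
         "1200": ("Accounts Receivable", "debit"),
         "4000": ("Sales Revenue", "credit")}

def validate_entry(lines, balances):
    """Check one journal entry; return (errors, echo). Nothing is posted.

    balances maps account -> current balance, positive on its normal side.
    """
    errors, echo = [], []
    totals = {"debit": Decimal(0), "credit": Decimal(0)}
    projected = dict(balances)
    for n, line in enumerate(lines, 1):
        # Completeness test: all data for the line must be entered.
        missing = [f for f in ("account", "side", "amount")
                   if not str(line.get(f, "")).strip()]
        if missing:
            errors.append(f"line {n}: missing {', '.join(missing)}")
            continue
        acct, side = line["account"], line["side"]
        # Validity check: the G/L account must exist.
        if acct not in CHART:
            errors.append(f"line {n}: unknown account {acct}")
            continue
        name, normal = CHART[acct]
        # Closed-loop verification: echo the name behind the number entered.
        echo.append(f"{acct} {name}")
        # Field format check: known side, finite positive numeric amount.
        try:
            amount = Decimal(str(line["amount"]))
            if side not in totals or not amount.is_finite() or amount <= 0:
                raise InvalidOperation
        except InvalidOperation:
            errors.append(f"line {n}: bad side or amount")
            continue
        totals[side] += amount
        # Sign check: the balance must stay on the account's normal side.
        projected[acct] = projected.get(acct, Decimal(0)) + (
            amount if side == normal else -amount)
        if projected[acct] < 0:
            errors.append(f"line {n}: {name} balance would change sign")
    # Zero-balance check: total debits must equal total credits.
    if totals["debit"] != totals["credit"]:
        errors.append(f"debits {totals['debit']} != credits {totals['credit']}")
    return errors, echo
```

The `echo` list is what a data entry screen would show back to the clerk for confirmation; an entry is posted only when `errors` is empty.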
1. Update General Ledger
Threats
1. Inaccurate updating of general ledger

Controls
1. a. Data entry processing integrity controls

b. Reconciliations (e.g. trial balance) and control reports (e.g. comparing the sum of individual customer balances with the AR total).

c. Audit trail (traceable path showing the flow of a transaction from its source document).


1. Update General Ledger
Threats

2. Unauthorized journal entries

Controls

2. a. Access controls
b. Reconciliations and control reports
c. Audit trail creation and review



2. Post Adjusting Entries
Adjusting Entries Categories
• Accruals
– Made at end of accounting period to reflect events that have occurred but
are not in the financial statements (e.g., wages payable)
• Deferrals
– Made at end of accounting period to reflect exchange of cash prior to
performance of related event (e.g., rent)
• Estimates
– Portion of expenses expected to occur over a number of accounting
periods (e.g., depreciation)
• Revaluations
– Entries made to reflect differences between actual and recorded value of
an asset or change in accounting principle
• Corrections
– Entries made to counteract effects of errors found in the general ledger.

2. Post Adjusting Entries
Threats
1. Inaccurate adjusting entries
2. Unauthorized adjusting entries

Controls
1. a. Data entry processing integrity controls
b. Standard adjusting entries file
c. Reconciliations and control reports
d. Audit trail
2. a. Access controls
b. Reconciliations & control reports
c. Audit trail


3. Prepare Financial Statements

Threats
1. Inaccurate financial statements

Controls
1. a. Processing integrity controls
b. Use of packaged software
c. Training and experience in applying IFRS
d. Audits


3. Prepare Financial Statements

Threats
2. Fraudulent financial reporting

Controls
2. Audits



Produce Managerial Reports

Threats
1. Poorly designed reports

Controls

3. a. Responsibility accounting
b. Balanced scorecard


Managerial Reports & Evaluating
Performance
• Responsibility accounting
– Reporting results based upon managerial responsibilities in an
organization

• Flexible budget
– Budget formula based upon level of activity (e.g., production levels)

• Balanced scorecard (BSC)
– Measures financial and nonfinancial performance using four dimensional goals:
  - Financial
  - Customer
  - Internal Operations
  - Innovation and Learning

BSC: Four Perspectives

Learning and growth: Investment in staff development
Internal business process: Improvement in level of after-sales service
Customer: Increase in customer satisfaction
Financial: Increase in sales and profits
