An Overview
Chapter 1
Introduction
A system is a set of two or more interrelated components that interact to achieve a goal. Each subsystem is designed to achieve one or more organizational goals. Changes in subsystems cannot be made without considering the effect on other subsystems and on the system as a whole.
Information: data that have been organized and processed to provide meaning and improve the decision-making process.
As a rule, users make better decisions as the quantity and quality of information increase.
Characteristics of Useful Information
• Relevant
• Reliable
• Complete
• Timely
• Understandable
• Verifiable
• Accessible
Introduction
Information overload occurs when the limits of how much information a decision maker can absorb and process are passed, resulting in a decline in decision-making quality and an increase in the cost of providing that information.
Information system designers use information technology (IT) to help decision makers more effectively filter and condense information.
The value of information is the benefit produced by the information minus the cost of producing it.
Accounting information system (AIS): a system that collects, records, stores, and processes data to produce information for decision makers.
Accounting Information Systems
Components of an AIS
• People who use the system
• Procedures and instructions
• Data
• Software
• IT infrastructure
• Internal controls and security
An AIS is used to fulfil these three business functions:
• Collect and store data
• Transform data into information
• Provide adequate control
Benefits
• Improve efficiency
• Reduce uncertainty
Figure: factors that influence AIS design: IT developments, business strategy, and organizational culture.
OVERVIEW OF TRANSACTION PROCESSING AND ERP SYSTEMS
Chapter 2
Learning Objectives
The Data Processing Cycle: input, process, storage, output.
Data storage determines:
• How is the data organized?
• How can unanticipated information needs be met?
Data Input—Capture
• Resources
• Events
• Agents

Paper-Based Source Documents
• Documents used to capture transaction data
• Data are collected on source documents, e.g., a sales-order form
• The data from paper-based documents will eventually need to be transferred to the AIS

Turnaround documents
• Data that are sent to a third party and then returned

Capture at the source
• In machine-readable form
• At the time of the business activity (e.g., ATMs; POS)
Data Input—Accuracy and Control
• Accurate
  • Provide instructions and prompts
  • Check boxes
  • Drop-down boxes
• Complete
• Internal control support
  • Prenumbered documents
Data Storage
• How data are organized and stored, and how they are accessed

Ledgers
GENERAL Ledger
• Summary-level data for each asset, liability, equity, revenue, and expense account
SUBSIDIARY Ledger
• Detailed data for a general ledger (control) account that has individual sub-accounts
• E.g., Accounts Receivable and Accounts Payable are control accounts

Journals
• The input to the ledgers: transactions are usually recorded in a journal before being posted to the ledger
General journal
• Records infrequent or non-routine transactions, e.g., loan payments, end-of-period adjusting and closing entries
Specialized journal
• Repetitive transactions, e.g., sales transactions, cash disbursements
An audit trail is a traceable path of a transaction through a data processing system, from the point of origin to the final output, or the reverse.
Copyright © 2012 Pearson
Coding Techniques
• Used to classify and organize items.
• Example: 1241000
  • 12 = Dishwasher
  • 4 = White
  • 10 = 2010
  • 00 = No Options (positions 6–7: optional features)
Coding Techniques
• Letters and numbers
Mnemon • Easy to memorize
ic • Code derived from
description of item
Coding Techniques
Chart of accounts
• A type of block coding
File Types
Transaction file
• Contains records of a business from a specific period of time
Master file
• Permanent records
• Updated by transactions in the transaction file
Database
• Set of interrelated files
Figure: master file before update + transaction file -> updated master file.
Computer-Based Storage
Entity
• A person, place, or other thing about which information is stored
Data Processing
Data Output Types
• Soft copy: displayed on a screen
• Hard copy: printed on paper
Enterprise Resource Planning (ERP)
• A system that integrates all aspects of an organization's activities:
• Financial
• Human resources and payroll
• Order to cash
• Purchase to pay
• Manufacturing
• Project management
• Customer relationship management
• System tools
ERP Advantages
• ERP uses a centralized database
ERP Disadvantages
• Time-consuming to implement
• Complex
• Resistance to change
Documentation tools (narrative descriptions, flowcharts, tables, etc.) are important.

INTRODUCTION
The importance of documentation tools
• To read documentation to determine how a system works
• To identify internal control strengths and weaknesses and recommend improvements
• More skill is needed to prepare documentation that shows how an existing or proposed system operates.
INTRODUCTION
3 common system documentation tools:
• Data Flow Diagram (DFD)
• Flowchart
• Business Process Diagram (BPD)
DATA FLOW DIAGRAM: BASIC ELEMENTS
• Data sources and destinations
• Data flows
• Transformation processes
• Data stores
DATA FLOW DIAGRAM
• A data flow is the movement of data among processes, stores, sources, and destinations.
• Data that pass between data stores and a source or destination must go through a data transformation process.
• If two or more data flows move together, a single line is used.
• Two arrows are used when the data change and the destination store changes with them (an update).
SPLITTING DATA FLOWS

DFD LEVELS
• Context diagram
• Level 0 DFD
• Level 1 DFD
Transformation process -> data store -> destination; name each process with an active sentence.

LEVEL 1 DATA FLOW DIAGRAM
DFD Creation Guidelines
1. Understand the system

BPD GUIDELINES
1. Identify and understand the business processes.
2. Ignore certain items.
3. Decide how much detail to include.
4. Organize the diagram.
5. Enter each business process on the diagram.
6. Draw a rough sketch of the BPD.
7. Draw a final copy of the BPD.
BUSINESS PROCESS DIAGRAMS

FLOWCHART
• A pictorial, analytical technique used to describe some aspect of an information system in a clear, concise, and logical manner.
• Records how business processes are performed and how documents flow through the business, and is used to analyze how to improve them.
FLOWCHART SYMBOLS
• Input/output symbols
• Processing symbols
• Storage symbols
• Flow and miscellaneous symbols
Types of Flowcharts
Document flowchart
System flowchart
• Depicts the relationships among system input, processing, storage, and output.
Program flowchart
• Illustrates the sequence of logical operations performed by a computer in executing a program.
GUIDELINES FOR PREPARING FLOWCHARTS
7. Draw a final copy of the flowchart.
Chapter 4
Relational Databases
Learning Objectives
Describe the difference between database systems and file-based legacy systems.
Explain fundamental concepts of database systems such as DBMS, schemas, the data
dictionary, and DBMS languages.
Data hierarchy
• Field: attributes about an entity
• Record: related group of fields
• File: related group of records
• Database: related group of files
Data Integration
Files are logically combined and made accessible to various systems.
Data Sharing
With data in one place it is more easily accessed by authorized users.
Data Independence
Data is separate from the programs that access it. Changes can be
made to the data without necessitating a change in the programs and
vice versa.
Cross-Functional Analysis
Relationships between data from various organizational departments
can be more easily combined.
Data Dictionary
Information about the structure of the database
Field names, descriptions, uses
Physical View
• Depends on explicitly knowing how the data are actually arranged in a file and where the data are stored on the computer.
Logical View
• A schema separates storage of data from use of the data.
• It is unnecessary to explicitly know how and where data are stored.
Table
Each row, a tuple, contains data about one instance of an
entity.
This is equivalent to a record
Each column contains data about one attribute of an entity.
This is equivalent to a field
Primary Key
An attribute or combination of attributes that can be used
to uniquely identify a specific row (record) in a table.
Foreign Key
An attribute in one table that is a primary key in another
table.
Used to link the two tables
A SHORT TUTORIAL: CREATING A FLOWCHART
1. A clerk in the Sales Department receives a customer's order on a slip of paper; the clerk then prepares a sales order document in four copies.
2. Copy 1 of the sales order is sent to the Credit Department for approval of the credit transaction; the other three copies, together with the customer order, are filed temporarily by transaction number, pending credit approval.
3. A clerk in the Credit Department validates the customer order against the customer's credit records on file. If approved, the Credit Department clerk signs sales order 1 and returns it to the Sales Department clerk.
4. Once the Sales Department clerk receives the credit approval, he files sales order 1 and the customer order document by transaction number. He then sends sales order copy 2 to the Warehouse clerk; the remaining copies, sales orders 3 and 4, are sent to the Shipping Department.
5. The Warehouse clerk, based on the customer order, picks the goods from the warehouse, records the picking on the inventory card, and then sends the goods together with sales order 2 to the Shipping Department.
6. After receiving sales order copies 3 & 4 from the Sales Department, and the goods and sales order copy 2 from the Warehouse, the Shipping Department clerk ships the goods ordered by the customer together with sales order copy 2 as the packing slip. Sales order copies 3 and 4 are then filed.
Figure: the document flowchart for this procedure, built up in panels: 00 | Creating the activity areas; 02 | Procedures 1 & 2; 03 | Procedures 1, 2 & 3; 04 | Procedures 1, 2, 3 & 4; 05 | Procedures 1, 2, 3, 4 & 5; 06 | Procedures 1, 2, 3, 4, 5 & 6. Symbols shown: Customer Order, Prepare Sales Order (SO), Sales Order 1 to 4, Perform Credit Check, Credit Records, Sales Order 1 (approved), Distribute SO & file, Pick Goods, file and connector symbols N, A, B, C, and the customer as off-page destination.
COMPUTER-BASED ACTIVITY
SALES TRANSACTION PROCEDURE
1. A clerk in the Sales Department receives a customer's order on a slip of paper; the clerk then enters the customer order data into the sales application, which is connected to the computer network of the Information Systems (IS) Department. The customer order sheet is filed by transaction date.
2. A computer program in the IS Department performs the Edit function on the customer order transaction to check for data-entry errors, tests the customer's credit status by referring to the customer credit file, and then produces the sales order transaction file.
3. The sales order transaction data/file is processed by a computer program in the IS Department through the Update function, which then posts the transaction to the related accounts receivable (A/R) records and to the inventory file.
4. In the IS Department, the computer program, through the Update function, produces 3 copies of the sales order; copy 1 is sent to the Warehouse, and the other two copies are sent to the Shipping Department.
5. The Warehouse clerk, after receiving the sales order copy, picks the goods from the shelves and then, based on the sales order copy, enters data into the inventory file on the Warehouse computer to update inventory. The clerk then sends the ordered goods together with that sales order copy (Sales Order 1) to the Shipping Department.
6. The clerk in the Shipping Department, after receiving the goods and the sales order copy (Sales Order), reconciles the goods with sales order copies 1, 2 and 3, and then
Figure: the system flowchart for this procedure, built up in panels: 00 | Creating the activity areas; 02 | Procedures 1 & 2; 03 | Procedures 1, 2 & 3; 04 | Procedures 1, 2, 3 & 4; 05 | Procedures 1, 2, 3, 4 & 5; 06 | Procedures 1, 2, 3, 4, 5 & 6. Symbols shown: Customer Order, Enter Order, Edit & Credit Test, Customer Credit File, Sales Order, Update Program, Accounts Receivable (A/R), Inventory, Sales Order 1 to 3, Update Inventory Records, Inventory Stock, Ship Goods, Shipping Log, connector symbols A, D, N, and the customer as off-page destination.
Relational Databases
Chapter 4
Learning Objectives
Explain the importance and advantages of databases.
Describe the difference between database systems and file-based legacy systems.
Explain the difference between logical and physical views of a database.
Explain fundamental concepts of database systems such as DBMS, schemas, the data dictionary, and DBMS languages.
Describe what a relational database is and how it organizes data.
Create a set of well-structured tables to store data in a relational database.
Perform simple queries using the Microsoft Access database.
DATABASE: A set of interrelated, centrally coordinated data files that are stored with as little data redundancy as possible.
A database consolidates records previously stored in separate files into a common pool and serves a variety of users and data processing applications.
Data Hierarchy
• Field: attributes about an entity
• Record
• File
• Database
Using Data Warehouses for Business Intelligence
A DATA WAREHOUSE is one or more very large databases containing both detailed and summarized data for a number of years that is used for analysis rather than transaction processing.
• OLAP
• Data mining
Business intelligence: using the data warehouse for strategic decision making.
Database Terminology
Database Management System (DBMS)
• The program that manages and controls the data and the interfaces between the data and the application programs that use the data stored in the database
Database system
• The database, the DBMS, and the application programs that access the database through the DBMS.
Advantages of database systems
• Data integration
• Data sharing
• Minimizing data redundancy and data inconsistency
• Data independence
• Cross-functional analysis
Logical vs. Physical View of Data
Physical View
• The way data are physically arranged and stored in the computer system.
• Depends on explicitly knowing:
  • How is the data actually arranged in a file
  • Where is the data stored on the computer
A SCHEMA is a description of the data elements in a database, the relationships among them, and the logical model used to organize and describe the data.
RECORD LAYOUT: a document that shows the items stored in a file, including the order and length of the data fields and the type of data stored.
• The conceptual-level schema: the organization-wide view of the entire database; lists all data elements and the relationships among them.
• The internal-level schema: a low-level view of the database; describes how the data are stored and accessed, including record layouts, definitions, addresses, and indexes.
Data Dictionary
The data dictionary contains information about the structure of the database.
DBMS Languages
• Data Definition Language (DDL): builds the data dictionary; creates the database; describes the subschema; specifies record or field security constraints.
• Data Manipulation Language (DML): changes the content in the database; updates, insertions, and deletions.
• Data Query Language (DQL): enables the retrieval, sorting, and display of data from the database.
Relational Database
Table
• Each row, called a tuple, contains data about a specific item in a database table. This is equivalent to a record.
Row (Record)
Types of Attributes – Relational Database System
Database Design Errors
• Update anomaly: changes to existing data are not correctly recorded.
• Insert anomaly: there is no way to store information about prospective customers until they make a purchase.
Design Requirements for a Relational Database
• Every column in a row must be single valued.
• Foreign keys, if not null, must have values that correspond to the value of a primary key in another table.
Two Approaches to Database Design
Normalization
• Following relational database creation rules to design a relational database that is free from delete, insert, and update anomalies.
• The decomposed set of tables are in third normal form (3NF).
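To make the update and insert anomalies, the foreign-key requirement and the point of normalization concrete, here is an added Python/sqlite3 example (not from the textbook or the slides): the same sales data is kept once in a flat table that repeats the customer's details on every sale, and once in a normalized Customer/Sale pair with primary and foreign keys. Table names, columns and sample values are constructed for the demonstration.

```python
import sqlite3

# Added example, not from the textbook: the same sales data kept in one flat
# table that repeats customer details on every sale, and in a normalized
# Customer/Sale pair with primary and foreign keys. All names and values are
# constructed for the demonstration.

FLAT_DDL = """
CREATE TABLE SalesFlat (
    sale_no          INTEGER PRIMARY KEY,
    customer_id      INTEGER NOT NULL,
    customer_name    TEXT    NOT NULL,
    customer_address TEXT    NOT NULL,
    amount           REAL    NOT NULL
);
"""

NORMALIZED_DDL = """
CREATE TABLE Customer (
    customer_id      INTEGER PRIMARY KEY,   -- primary key: unique, never null
    customer_name    TEXT    NOT NULL,
    customer_address TEXT    NOT NULL
);
CREATE TABLE Sale (
    sale_no     INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL
                REFERENCES Customer(customer_id),  -- foreign key must match a Customer row
    amount      REAL    NOT NULL
);
"""


def open_db(ddl):
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces foreign keys only when asked
    conn.executescript(ddl)
    return conn


def flat_update_anomaly():
    """Update anomaly: an address change applied to one sale leaves the other sale stale."""
    conn = open_db(FLAT_DDL)
    conn.executemany("INSERT INTO SalesFlat VALUES (?, ?, ?, ?, ?)",
                     [(1, 100, "Acme", "1 Old St", 50.0),
                      (2, 100, "Acme", "1 Old St", 75.0)])
    conn.execute("UPDATE SalesFlat SET customer_address = '2 New Ave' WHERE sale_no = 1")
    rows = conn.execute("SELECT DISTINCT customer_address FROM SalesFlat "
                        "WHERE customer_id = 100 ORDER BY 1").fetchall()
    return [r[0] for r in rows]  # one customer, two different addresses


def flat_insert_anomaly():
    """Insert anomaly: a prospective customer has no sale yet, so no row can be stored."""
    conn = open_db(FLAT_DDL)
    try:
        conn.execute("INSERT INTO SalesFlat (customer_id, customer_name, customer_address) "
                     "VALUES (?, ?, ?)", (200, "Prospect Ltd", "9 Lead Rd"))
    except sqlite3.IntegrityError:  # amount is NOT NULL: no sale, no customer record
        return True
    return False


def normalized_behaviour():
    """Same data in 3NF: the anomalies disappear and the keys reject inconsistent rows."""
    conn = open_db(NORMALIZED_DDL)
    conn.execute("INSERT INTO Customer VALUES (100, 'Acme', '1 Old St')")
    conn.execute("INSERT INTO Customer VALUES (200, 'Prospect Ltd', '9 Lead Rd')")  # no sale needed
    conn.executemany("INSERT INTO Sale VALUES (?, ?, ?)", [(1, 100, 50.0), (2, 100, 75.0)])
    conn.execute("UPDATE Customer SET customer_address = '2 New Ave' WHERE customer_id = 100")
    addresses = [r[0] for r in conn.execute(
        "SELECT DISTINCT c.customer_address FROM Sale s "
        "JOIN Customer c ON c.customer_id = s.customer_id WHERE s.customer_id = 100")]
    try:
        conn.execute("INSERT INTO Sale VALUES (3, 999, 10.0)")  # customer 999 does not exist
        orphan_sale_rejected = False
    except sqlite3.IntegrityError:
        orphan_sale_rejected = True
    try:
        conn.execute("DELETE FROM Customer WHERE customer_id = 100")  # still referenced by sales
        delete_blocked = False
    except sqlite3.IntegrityError:
        delete_blocked = True
    prospect = conn.execute("SELECT COUNT(*) FROM Customer WHERE customer_id = 200").fetchone()[0]
    return {"addresses": addresses, "prospect_stored": prospect == 1,
            "orphan_sale_rejected": orphan_sale_rejected, "delete_blocked": delete_blocked}


if __name__ == "__main__":
    print("flat update anomaly:", flat_update_anomaly())
    print("flat insert anomaly:", flat_insert_anomaly())
    print("normalized:", normalized_behaviour())
```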
Threats to Accounting Information Systems
Natural and political disasters
• Fire or excessive heat
• Floods, earthquakes, landslides, etc.
• War and terrorist attacks
Intentional acts (computer crime)
• Sabotage
• Misrepresentation, false use, or unauthorized disclosure of data
• Misappropriation of assets
• Financial statement fraud
• Corruption
• Computer fraud: attacks, social engineering, malware, etc.
Introduction to Fraud
FRAUD: Any and all means a person uses to gain an unfair advantage over another person.
Introduction to Fraud
Findings of The Association of Certified Fraud Examiners (ACFE)
A typical organization loses 5% of its annual revenue to fraud, indicating yearly global fraud losses of over $3.7 trillion.
Owner/executive frauds took much longer to detect and were more than four times as costly as manager-perpetrated
frauds and more than 11 times as costly as employee frauds
More than 87% of the perpetrators had never been charged or convicted of fraud.
Small businesses, with fewer and less effective internal controls, were more vulnerable to fraud than large businesses.
Occupational frauds are much more likely to be detected by an anonymous tip than by audits or any other means.
More than 83% of the cases they studied were asset misappropriation frauds with a median loss of $125,000. Billing
schemes and check tampering schemes were the most frequent types of asset misappropriation.
Only 10% of the cases were financial statement fraud, but these cases had a much higher median loss of $975,000.
The most prominent organizational weakness in the fraud cases studied was a lack of internal controls.
The implementation of controls to prevent fraud resulted in lower fraud losses and quicker fraud detection.
In 79% of the fraud cases studied, perpetrators displayed behavioral warning signs, or red flags, such as living beyond their means, financial difficulties, unusually close association with a vendor or customer, and recent divorce or family problems that created a perceived need in the perpetrator's mind.
Introduction to Fraud
Most fraud perpetrators are knowledgeable insiders with the requisite access, skills, and resources.
Because employees understand a company’s system and its weaknesses, they are better able to commit and
conceal a fraud.
The controls used to protect corporate assets make it more difficult for an outsider to steal from a company.
Fraud perpetrators are often referred to as white-collar criminals.
INVESTMENT FRAUD misrepresenting or leaving out facts in order to promote an investment that promises
fantastic profits with little or no risk. There are many types of investment fraud; examples include Ponzi
schemes and securities fraud.
Introduction to Fraud
Misappropriation of assets: the theft of company assets by employees.
Example: Albert Milano, a manager at Reader's Digest responsible for processing bills, embezzled $1 million over a five-year period. He forged a superior's signature on invoices for services never performed, submitted them to accounts payable, forged the endorsement on the check, and deposited it in his account. Milano used the stolen funds to buy an expensive home, five cars, and a boat.
Important fraud related to businesses
• Most perpetrators have no previous criminal record; they were honest, valued, and respected members of their community.
• Many first-time fraud perpetrators that are not caught, or that are caught but not prosecuted, move from being "unintentional" fraudsters to "serial" fraudsters.
FRAUD TRIANGLE
(cause => effect)
FRAUD TRIANGLE | PRESSURES
PRESSURE: a person's incentive or motivation for committing fraud.
• Employee pressure
• Financial statement pressure
FRAUD TRIANGLE | OPPORTUNITIES
OPPORTUNITY: the condition or situation, including one's personal abilities, that allows a perpetrator to do three things:
COMMIT: The theft of assets is the most common type of misappropriation. Most instances of fraudulent financial reporting involve overstatements of assets or revenues, understatements of liabilities, or failures to disclose information.
CONCEAL: To prevent detection when assets are stolen or financial statements are overstated, perpetrators must keep the accounting equation in balance by inflating other assets or decreasing liabilities or equity.
CONVERT: Convert the theft or misrepresentation to personal gain. In a misappropriation, fraud perpetrators who do not steal cash or use the stolen assets personally must convert them to a spendable form.
LAPPING: Concealing the theft of cash by means of a series of delays in posting collections to accounts receivable.
FRAUD TRIANGLE | RATIONALIZATION
RATIONALIZATION allows perpetrators to justify their illegal behavior.
COMPUTER FRAUD
COMPUTER FRAUD CLASSIFICATIONS
Input fraud: alteration or falsification of input
• A man used desktop publishing to prepare bills for office supplies that were never ordered or delivered and mailed them to local companies.
Processor fraud: unauthorized system use
• An insurance company installed software to detect abnormal system activity and found that employees were using company computers to run an illegal gambling website.
Computer instructions fraud
• Modifying software, illegal copying of software, using software in an unauthorized manner, creating software to carry out unauthorized activities
Data fraud
• Illegally using, copying, browsing, searching, or harming company data
Output fraud
• Unless properly safeguarded, displayed or printed output can be stolen, copied, or misused.
Preventing and Detecting Fraud and Abuse
Chapter 7
Control and Accounting Information Systems
Learning Objectives
Explain basic control concepts and explain why computer control and security are
important.
Compare and contrast the COBIT, COSO, and ERM control frameworks.
Describe the major elements in the internal environment of a company.
Describe the control objectives companies need to set and how to identify events that
affect organizational uncertainty.
Explain how to assess and respond to risk using the Enterprise Risk Management
(ERM) model.
Describe control activities commonly used in companies.
Describe how to communicate information and monitor control processes in
organizations.
WHY THREATS TO ACCOUNTING INFORMATION SYSTEMS ARE INCREASING
Customers and suppliers have access to each other’s systems and data.
For example, Walmart allows vendors to access their databases. Imagine
the confidentiality problems as these vendors form alliances with
Walmart competitors.
Organizations have not adequately protected data for several reasons.
Internal control objectives:
• Safeguard assets.
• Maintain records in sufficient detail to report company assets accurately and fairly.
• Provide accurate and reliable information.
• Prepare financial reports in accordance with established criteria.
• Promote and improve operational efficiency.
• Encourage adherence to prescribed managerial policies.
• Comply with applicable laws and regulations.
IMPORTANT FUNCTIONS OF INTERNAL CONTROL
• Detective: discover problems
• Corrective: identify and correct problems
CLASSIFICATION OF INTERNAL CONTROL
General controls
• Make sure an organization's control environment is stable and well managed
Application controls
• Prevent and correct transaction errors and fraud in application programs
SARBANES-OXLEY ACT
SOX – INTERNAL CONTROL FRAMEWORK
THE MOST IMPORTANT ASPECTS OF SOX
• Public Company Accounting Oversight Board (PCAOB): the PCAOB sets and enforces auditing, quality control, ethics, independence, and other auditing standards.
• New rules for auditors: auditors must report specific information to the company's audit committee, such as critical accounting policies and practices.
After SOX was passed, the SEC mandated that management must:
Control Frameworks
• COSO ICIF
• COSO ERM
• COBIT
Control Objectives for Information and Related Technology (COBIT)
• Business objectives
• IT resources
• IT processes
COBIT 5 principles shown: enabling a holistic approach; separating governance from management.
Governance and Management
• COBIT 5 governance and management key areas
COSO - ICIF
OBJECTIVES
The Committee of Sponsoring Organizations (COSO) consists of the American Accounting Association, the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives Institute.
Figure: COSO internal control cube.
Control Environment
COSO ERM—Objective Setting
1) Strategic
High-level goals aligned with corporate mission
2) Operational
Effectiveness and efficiency of operations
3) Reporting
Complete and reliable
Improve decision making
4) Compliance
Laws and regulations are followed
ERM—Event Identification
Risk Assessment
ERM—Risk Response
Reduce
Implement effective internal control
Accept
Do nothing, accept likelihood of risk
Share
Buy insurance, outsource, hedge
Avoid
Do not engage in activity that produces risk
Control Activities
Information and Communication
• Gather
• Record
• Process
• Summarize
• Communicate
information about an organization.
Monitoring
The internal control system that is selected or developed must be continuously monitored,
evaluated, and modified as needed. Any deficiencies must be reported to senior management and
the board of directors.
Explain two fundamental concepts: why information security is a management issue, and the time-based
model of information security.
Discuss the steps criminals follow to execute a targeted attack against an organization’s information system.
Describe the preventive, detective, and corrective controls that can be used to protect an organization’s
information.
Describe the controls that can be used to timely detect that an organization’s information system is under
attack.
Discuss how organizations can timely respond to attacks against their information system.
Explain how virtualization, cloud computing, and the Internet of Things affect information security.
TRUST SERVICES PRINCIPLES FOR SYSTEMS RELIABILITY
• Security
• Confidentiality
• Privacy
• Processing integrity
• Availability
TWO FUNDAMENTAL INFORMATION SECURITY CONCEPTS
SECURITY IS A MANAGEMENT ISSUE, NOT JUST A TECHNOLOGY ISSUE
Example: with the protection in place, the company's system can be broken into in 20 minutes, while the organization's security system is able to detect the attack within 15 minutes, and the time to respond is 10 minutes. The organization's information security is therefore certainly not effective, since P < D + R (20 < 15 + 10).
To be effective, the organization can take the following steps:
• Increase the P component, i.e., strengthen the security infrastructure by investing in firewalls, etc.
• Add detection capability against attacks on the system, e.g., upgrade detection devices (IDS).
• Speed up the response time to attacks, e.g., form a special unit to respond to attacks (CIRT).
UNDERSTANDING TARGETED ATTACKS
• Conduct reconnaissance
• Research
• Execute attack
• Cover tracks
PROTECTING INFORMATION RESOURCES
IT solutions
• Anti-malware
• Network access controls
• Configuration controls (device and software hardening)
• Encryption
• Continuous monitoring
PROTECTING INFORMATION RESOURCES
1. CREATING A "SECURITY AWARE" CULTURE: COBIT 5 specifically identifies an organization's culture and ethics as one of the critical enablers for effective information security. To create a security-conscious culture in which employees comply with organizational policies, TOP MANAGEMENT must not only communicate the organization's security policies, but must also LEAD BY EXAMPLE.
2. USER ACCESS CONTROL: Authentication is the process of verifying the identity of the person or device attempting to access the system.
AUTHENTICATION CONTROLS: Three types of credentials can be used to verify a person's identity:
1) Something the person knows, such as passwords or personal identification numbers (PINs)
2) Something the person has, such as smart cards or ID badges
3) Some physical or behavioral characteristic (referred to as a biometric identifier) of the person, such as fingerprints or typing patterns.
3. CHANGE CONTROLS AND CHANGE MANAGEMENT: Change control and change management refer to the formal process used to ensure that modifications to hardware, software, or processes do not reduce systems reliability. Good change control often results in better operating performance because there are fewer problems to fix. Companies with good change management and change control processes also experience lower costs when security incidents do happen.
PROTECTING INFORMATION RESOURCES
1. ANTI-MALWARE CONTROLS: Malware can damage or destroy information or provide a means for unauthorized access.
PROTECTION RECOMMENDATIONS
• Malicious software awareness education
• Installation of anti-malware protection tools on all devices
• Centralized management of patches and updates to anti-malware software
• Regular review of new malware threats
• Filtering of incoming traffic to block potential sources of malware
• Training employees not to install shared or unapproved software
2. NETWORK ACCESS CONTROL: Most organizations provide employees, customers, and suppliers with remote access to their information systems. Usually this access occurs via the Internet, but some organizations still maintain their own proprietary networks or provide direct dial-up access by modem.
• Routers
• Firewalls
• Intrusion prevention systems
PROTECTING INFORMATION RESOURCES
PHYSICAL ACCESS CONTROL: Physical access control begins with entry points to the building itself.
• Ideally, there should only be one regular entry point that remains unlocked during normal office hours.
• Once inside the building, physical access to rooms housing computer equipment must also be restricted.
• These rooms should be securely locked and all entry/exit monitored by closed-circuit television systems.
• Access to the wiring used in the organization's LANs also needs to be restricted in order to prevent wiretapping.
TIME-BASED MODEL COMPONENT | DETECTING ATTACKS
• Log analysis
• Intrusion detection systems
• Continuous monitoring
Most systems come with extensive capabilities for logging who accesses the system and what specific actions each user performed. These logs form an audit trail of system access. Like any other audit trail, logs are of value only if they are routinely examined.
Log analysis is the process of examining logs to identify evidence of possible attacks.
Network intrusion detection systems (IDSs) consist of a set of sensors and a central monitoring unit that create logs of network traffic that was permitted to pass the firewall and then analyze those logs for signs of attempted or successful intrusions.
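The slides say logs are only valuable when they are routinely examined, but give no sense of what "examining" looks like in practice. The block below is an added example (not code from the textbook or its authors): it parses a constructed, simplified access-log format, flags any user/source pair with a burst of failed sign-ins inside a short window, and separately points out a success that directly follows a run of failures, which is the pattern a reviewer most wants a human to look at. The log layout, the field names and the sample lines are all assumptions made for the example.

```python
"""Log analysis as a detective control (added example, not textbook code).
The log format below is constructed: one line per event with a timestamp,
user, source address, event type and result."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample audit-trail lines for the example.
SAMPLE_LOG = """\
2024-03-01T08:00:01 user=alice src=10.0.0.5 event=login result=success
2024-03-01T08:00:09 user=bob src=10.0.0.7 event=login result=failure
2024-03-01T08:00:12 user=bob src=10.0.0.7 event=login result=failure
2024-03-01T08:00:15 user=bob src=10.0.0.7 event=login result=failure
2024-03-01T08:00:18 user=bob src=10.0.0.7 event=login result=failure
2024-03-01T08:00:21 user=bob src=10.0.0.7 event=login result=success
2024-03-01T09:30:00 user=carol src=10.0.0.9 event=login result=failure
2024-03-01T11:45:00 user=carol src=10.0.0.9 event=login result=failure
2024-03-01T12:10:00 user=dave src=10.0.0.11 event=export result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"event=(?P<event>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse each line into a dict; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def failed_login_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return {(user, src): count} where `threshold` or more login failures
    fall inside a sliding time `window`; scattered failures are ignored."""
    by_key = defaultdict(list)
    for e in events:
        if e["event"] == "login" and e["result"] == "failure":
            by_key[(e["user"], e["src"])].append(e["ts"])
    flagged = {}
    for key, times in by_key.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged


def success_after_failures(events, min_failures=3):
    """Users whose successful login immediately follows a run of failures.
    A correct guess ends a brute-force run, so these deserve a human look."""
    runs = Counter()
    hits = []
    for e in sorted(events, key=lambda r: r["ts"]):
        if e["event"] != "login":
            continue
        if e["result"] == "failure":
            runs[e["user"]] += 1
        else:
            if runs[e["user"]] >= min_failures:
                hits.append(e["user"])
            runs[e["user"]] = 0
    return hits


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("bursts:", failed_login_bursts(evts))
    print("success after failures:", success_after_failures(evts))
```

On the sample, bob's four failures within twelve seconds are flagged while carol's two failures, hours apart, are not; the threshold and window are the tuning knobs a log reviewer would adjust to the organization's normal failure rate.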
COBIT 5 management practice APO01.08 stresses the importance of continuously monitoring both employee
compliance with the organization’s information security policies and overall performance of business
processes.
Such monitoring is an important detective control that can identify potential problems in a timely manner and identify opportunities to improve existing controls. Measuring compliance with policies is straightforward, but effectively monitoring performance requires judgment and skill.
TIME-BASED MODEL COMPONENT | RESPONDING TO ATTACKS
• Computer incident response team (CIRT)
• Chief information security officer (CISO)
Cloud computing takes advantage of the high bandwidth of the modern global telecommunication network to enable
employees to use a browser to remotely access software (software as a service), data storage devices (storage as a
service), hardware (infrastructure as a service), and entire application environments (platform as a service).
Although virtualization and cloud computing can increase the risk of some threats, both developments also offer the
opportunity to significantly improve overall security.
The term Internet of Things (IoT) refers to the embedding of sensors in a multitude of devices (lights, heating and air
conditioning, appliances, etc.) so that those devices can now connect to the Internet. The IoT has significant
implications for information security.
The move to the IoT means that many other devices found in work settings now provide a potential means of accessing the corporate network and, therefore, must be secured.
The net effect of the IoT on an organization's ability to satisfy the time-based model of security depends upon how well it addresses and uses this new development.
CONFIDENTIALITY AND PRIVACY CONTROL
Chapter 9
Learning Objectives
Preserving Confidentiality
SENSITIVE INFORMATION
• Strategic plans
• Process improvements
• Trade secrets
• Legal documents
• Cost information
Preserving Confidentiality & Privacy
• Encrypt the information
• Control access to the information
CONFIDENTIALITY
Preserving Confidentiality
Identify and classify information to be protected: identify where intellectual property and other sensitive business information resides and who has access to it.
Protecting confidentiality with encryption: Encryption is a necessary part of defense-in-depth to protect information stored on websites or in a public cloud.
After Citibank's online credit card application in Taiwan was hacked and personal customer data compromised in November 2003, the Taiwanese government imposed a 1-month moratorium on issuing new credit cards and a 3-month suspension of the online
Encryption is a fundamental control for protecting the privacy of personal information that organizations collect.
• Organizations should run data masking programs that replace such personal information with fake values before sending that data to the program development and testing system.
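What a data masking program actually does to a record is easier to see in code. The block below is an added example, not the textbook's or any vendor's masking tool: it takes a constructed customer table, replaces the personal fields with fake but format-preserving values (digits blanked, card number reduced to its last four, names and e-mail addresses turned into salted, non-reversible pseudonyms), leaves the non-personal fields untouched so application logic can still be tested, and finishes with a release check that no original personal value survives in the output. The record layout, field names and salt handling are assumptions for the example.

```python
"""Data masking before copying production data to development/test
(added example, not textbook code). The customer layout and rows are
constructed for illustration."""
import hashlib
import re

SAMPLE_CUSTOMERS = [
    {"id": 1001, "name": "Jane Doe", "ssn": "123-45-6789",
     "card": "4111111111111111", "email": "jane.doe@example.com",
     "balance": 250.75},
    {"id": 1002, "name": "John Roe", "ssn": "987-65-4321",
     "card": "5500000000000004", "email": "john.roe@example.com",
     "balance": 10.00},
]

PERSONAL_FIELDS = ("name", "ssn", "card", "email")


def _pseudonym(value, salt, width=8):
    """Deterministic token: the same input always maps to the same token,
    so joins between masked tables keep working, but the hash cannot be
    reversed to recover the original value. The salt must stay out of the
    test environment or the mapping could be rebuilt by dictionary lookup."""
    digest = hashlib.sha256((salt + value).encode()).hexdigest()
    return digest[:width]


def mask_ssn(ssn):
    # keep the format, blank every digit: "123-45-6789" -> "XXX-XX-XXXX"
    return re.sub(r"\d", "X", ssn)


def mask_card(pan):
    # keep only the last four digits, as a printed statement would
    return "*" * (len(pan) - 4) + pan[-4:]


def mask_email(email, salt):
    local, _, domain = email.partition("@")
    return f"user{_pseudonym(local, salt)}@{domain}"


def mask_name(name, salt):
    return f"Customer {_pseudonym(name, salt, width=6)}"


def mask_record(rec, salt):
    """Copy of rec with personal fields replaced; id and balance are kept
    so the test system still exercises the real application logic."""
    out = dict(rec)
    out["name"] = mask_name(rec["name"], salt)
    out["ssn"] = mask_ssn(rec["ssn"])
    out["card"] = mask_card(rec["card"])
    out["email"] = mask_email(rec["email"], salt)
    return out


def mask_dataset(records, salt):
    return [mask_record(r, salt) for r in records]


def contains_original_pii(masked, originals):
    """Release check: True if any original personal value still appears
    anywhere in the masked output."""
    blob = repr(masked)
    return any(r[f] in blob for r in originals for f in PERSONAL_FIELDS)


if __name__ == "__main__":
    masked = mask_dataset(SAMPLE_CUSTOMERS, salt="example-salt-keep-secret")
    for row in masked:
        print(row)
    print("leak:", contains_original_pii(masked, SAMPLE_CUSTOMERS))
```

The design choice worth noting is the salted pseudonym: plain truncated hashes of names or e-mail addresses can be matched back to a list of real customers, so the salt is part of the control and belongs with the masking job, not with the test data.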
Privacy Concerns
Privacy Regulatory Acts
• Health Insurance Portability and Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health Act (HITECH)
• Financial Services Modernization Act
Copyright © 2012 Pearson Education
Factors That Influence Encryption Strength
Algorithm: The nature of the algorithm used to combine the key and the plaintext is important. A strong algorithm is difficult, if not impossible, to break by using brute-force guessing techniques.
Types of Encryption
Symmetric: One key used to both encrypt and decrypt. Pro: fast. Con: vulnerable.
Digital Signature
• Digital signature: a hash encrypted with the hash creator's private key (the document creator's key)
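The one-line definition above is exactly what textbook RSA does, and the block below, an added example rather than code from the textbook, carries it through end to end: hash the document, "encrypt" the hash with the signer's private key to produce the signature, and let a verifier "decrypt" it with the public key and compare it with their own hash of the document. The key pair is constructed from two fixed, known Mersenne primes so the block runs offline; that key is far too small for real use, and production signatures add padding that this toy omits, so the example shows the mechanism, not a library to reuse.

```python
"""Digital signature = hash of the document, encrypted with the signer's
private key (added example, not textbook code). Toy RSA over a small
constructed key: for illustration only, never for real signatures."""
import hashlib

# Constructed toy key. p = 2^61 - 1 and q = 2^89 - 1 are known primes,
# so the modulus is about 150 bits: readable, but nowhere near secure.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, E^-1 mod phi(N)

PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def digest(document: bytes) -> int:
    """SHA-256 hash of the document, as an integer below the modulus."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % N


def sign(document: bytes, private_key) -> int:
    """Signer: 'encrypt' the hash with the private key."""
    n, d = private_key
    return pow(digest(document), d, n)


def verify(document: bytes, signature: int, public_key) -> bool:
    """Verifier: 'decrypt' the signature with the public key and compare
    it with an independently computed hash of the document."""
    n, e = public_key
    return pow(signature, e, n) == digest(document)


if __name__ == "__main__":
    doc = b"Pay Acme Supply 250.00"
    sig = sign(doc, PRIVATE_KEY)
    print("valid on original :", verify(doc, sig, PUBLIC_KEY))
    print("valid on altered  :", verify(b"Pay Acme Supply 2500.00", sig, PUBLIC_KEY))
```

Two properties follow directly from the construction: changing a single character of the document changes the hash, so the old signature no longer verifies; and only the private key can produce a value that the public key turns back into the document's hash, which is what makes the signature evidence of who created the document.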
Digital Certificate
Virtual Private Network (VPN)
Processing Integrity and Availability Controls
Chapter 10
Learning Objectives
PROCESSING INTEGRITY
The Processing Integrity principle of the Trust Services Framework states that a reliable system is one that produces information that is accurate, complete, timely, and valid.
INPUT CONTROL
Data Entry Controls
A size check ensures that the input data will fit into the assigned field. For example, the value 458,976,253 will not fit in an eight-digit field.
A completeness check (or test) verifies that all required data items have been entered.
INPUT CONTROL | Additional Batch Processing Controls
PROCESSING CONTROL
Data matching: In certain cases, two or more items of data must be matched before an action can take place.
File labels: File labels need to be checked to ensure that the correct and most current files are being updated.
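The data entry controls (size check, completeness check) and the data matching processing control described above share one idea: the system refuses to act on a record until every check passes and reports which check failed. The block below is an added example that is not the textbook's code; it implements the size check on the slides' own 458,976,253 / eight-digit case, the completeness check, and a three-way data match of an invoice against a vendor master file and an open purchase order. The invoice layout, the vendor master and the purchase orders are constructed for the example.

```python
"""Input and processing controls as runnable checks (added example, not
textbook code). The invoice layout, vendor master file and purchase
orders below are constructed for illustration."""
from decimal import Decimal

# Field layout: name -> (required?, max digits); None = non-numeric field.
INVOICE_LAYOUT = {
    "invoice_no": (True, 8),
    "vendor_id": (True, 6),
    "amount": (True, 10),
    "po_number": (False, None),
}


def size_check(value, max_digits):
    """Size check: the value's digits must fit the assigned field width.
    458,976,253 has nine digits and so fails an eight-digit field."""
    s = str(value).replace(",", "")
    if set(s) - set("0123456789.-"):   # letters or stray symbols never fit
        return False
    digits = [c for c in s if c.isdigit()]
    return bool(digits) and len(digits) <= max_digits


def completeness_check(record, layout):
    """Completeness check: names of required items that are missing or blank."""
    return [f for f, (required, _) in layout.items()
            if required and not str(record.get(f, "")).strip()]


def validate_record(record, layout):
    """All data entry checks; an empty list means the record is accepted."""
    problems = [f"missing {f}" for f in completeness_check(record, layout)]
    for f, (_, max_digits) in layout.items():
        val = record.get(f, "")
        if str(val).strip() == "" or max_digits is None:
            continue
        if not size_check(val, max_digits):
            problems.append(f"{f} does not fit {max_digits}-digit field")
    return problems


# Constructed master data used by the data-matching control.
VENDOR_MASTER = {"000123": "Acme Supply", "000987": "Globex"}
PURCHASE_ORDERS = {"PO000001": {"vendor_id": "000123", "amount": "250.00"}}


def data_match(invoice, purchase_orders, vendor_master):
    """Data matching: pay an invoice only if the vendor exists in the master
    file and the invoice's PO number and amount agree with the open PO."""
    vid = str(invoice.get("vendor_id", ""))
    if vid not in vendor_master:
        return False, "unknown vendor"
    po = purchase_orders.get(invoice.get("po_number"))
    if po is None:
        return False, "no matching purchase order"
    if po["vendor_id"] != vid:
        return False, "PO belongs to a different vendor"
    if Decimal(str(po["amount"])) != Decimal(str(invoice["amount"])):
        return False, "amount differs from PO"
    return True, "matched"


if __name__ == "__main__":
    bad = {"invoice_no": "458,976,253", "amount": "100.00"}
    print(validate_record(bad, INVOICE_LAYOUT))
    good = {"invoice_no": "10000001", "vendor_id": "000123",
            "amount": "250.00", "po_number": "PO000001"}
    print(validate_record(good, INVOICE_LAYOUT), data_match(good, PURCHASE_ORDERS, VENDOR_MASTER))
```

Amounts are compared as Decimal rather than float so that "250.00" and "250.0" match while "250.01" does not; comparing money as floating point is a classic way for a matching control to silently pass or fail the wrong records.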
OUTPUT CONTROL
AVAILABILITY
Controls Ensuring Availability
• Interruptions to business processes can cause significant financial losses.
• It is impossible to completely eliminate the risk of downtime, but it is important to minimize the risk of system downtime.
• Therefore, organizations also need controls designed to enable quick resumption of normal operations after an event disrupts system availability.
Minimize Risks
OBJECTIVE: To minimize risk of system downtime
KEY CONTROLS:
● Preventive maintenance
● Fault tolerance
● Data center location and design
● Training
● Patch management and antivirus software
THE PREVENTIVE CONTROLS can minimize, but not entirely eliminate, the risk of system downtime. Hardware malfunctions, software problems, or human error can cause data to become inaccessible.
OPTIONS FOR REPLACING IT INFRASTRUCTURE
• COLD SITE, which is an empty building that is prewired for necessary telephone and Internet access, plus a contract with one or more vendors to provide all necessary equipment within a specified period of time.
• HOT SITE, which is a facility that is not only prewired for telephone and Internet access but also contains all the computing and office equipment the organization needs to perform its essential business activities.
CHAPTER 20
AIS, Romney & Steinbart
• Explain the five phases of the systems development life cycle, and discuss the people involved in systems development and the roles they play.
• Explain the importance of systems development planning, and describe the types of plans and planning techniques used.
• Discuss the various types of feasibility analysis, and calculate economic feasibility using capital budgeting techniques.
• Explain why system changes trigger behavioral reactions, what form this resistance to change takes, and how to avoid or minimize the resulting problems.
• Productivity gains
• Systems integration
• Systems age and need to be replaced
INTRODUCTION
Software Development Problems
Developing quality, error-free software is a difficult, expensive, and time-consuming task. Most software development projects deliver less, cost more, and take longer than expected. The Standish Group found that:
• 70 percent of software development projects were late
• 54 percent were over budget
• 66 percent were unsuccessful
• 30 percent were canceled before completion
(SDLC figure: PHYSICAL DESIGN, IMPLEMENTATION & CONVERSION)
IMPLEMENTATION & CONVERSION: New hardware and software are installed and tested, employees are hired and trained or existing employees relocated, and processing procedures are tested and modified.
The new system is periodically reviewed and modifications are made as problems arise or as new needs become evident.
SYSTEMS DEVELOPMENT
THE PLAYERS
• Management
• Users
• IS Steering Committee
• Project Development Team
• System Analyst and Programmers
• External Players
MANAGEMENT | to emphasize the importance of involving users in the process, to provide support and encouragement for development projects, and to align systems with corporate strategies. Management also establishes system goals and objectives, selects system department leadership and reviews their performance, establishes policies for project selection and organizational structure, and participates in important system decisions.
USERS | AIS users communicate their information needs to system developers. As project development team or steering committee members, they help manage systems development. As requested, accountants help design, test, and audit the controls that ensure the accurate and complete processing of data.
IS STEERING COMMITTEE | to plan and oversee the information systems function. It consists of high-level management, such as the controller and systems and user-department management. The steering committee sets AIS policies; ensures top-management participation, guidance, and control; and facilitates the coordination and integration of systems activities.
PROJECT DEVELOPMENT TEAM | ... accountants, and users to guide its development. Team members plan each project, monitor it to ensure timely and cost-effective completion, make sure proper consideration is given to the human element, and communicate project status to top management and the steering committee. They should communicate frequently with users and hold regular meetings to consider ideas and discuss progress so that there are no surprises upon project completion.
EXTERNAL PLAYERS | Customers, vendors, external auditors, and governmental entities play a role in systems development. For example, Walmart vendors are required to implement and use electronic data interchange (EDI).
PLANNING SYSTEMS DEVELOPMENT
Planning has distinct advantages. It enables the system's goals and objectives to correspond to the organization's overall strategic plan. Systems are more efficient, subsystems are coordinated, and there is a sound basis for selecting new applications for development. The system is less costly and easier to maintain. Management is prepared for resource needs, and employees are prepared for the changes that will occur.
> OBSERVATION
• Observation is used to verify information gathered using other approaches and to determine how a system actually works, rather than how it should work.
• It is difficult to interpret observations because people may change their normal behavior or make mistakes when they know they are being observed.
Create a prototype.
SYSTEMS ANALYSIS
4. SYSTEMS ANALYSIS REPORT
Systems analysis report: a comprehensive report summarizing systems analysis that documents the findings of analysis activities.
5. Avoid emotionalism
6. Provide training
7. Reexamine performance evaluation
8. Keep communication lines open
AIS Development Strategies
Explain why organizations outsource their information systems, and evaluate the benefits and risks of this strategy.
Development requests are so numerous that projects are backlogged for years.
Users discover that the new AIS does not meet their needs.
Users do not adequately specify their needs because they do not know what they need or they
cannot communicate the needs to systems developers.
Changes are difficult to make after requirements are frozen. If users keep changing requirements,
the AIS may take forever to finish.
WAYS TO OBTAIN AN AIS
• Purchasing software
• Developing software in-house (IS departments)
• Outsourcing the system
Organizations develop custom software when doing so provides a significant competitive advantage. Custom software: software developed and written in-house to meet the unique needs of a particular company.
The hurdles that must be overcome to develop quality software are the significant amounts of time required, the complexity of the system, poor requirements, insufficient planning, inadequate communication and cooperation, lack of qualified staff, and poor top-management support.
• Sign a contract that rigorously defines the relationship between the company and the developer.
• Plan the project in detail and frequently monitor each step in the development.
• Control all costs and minimize cash outflows until the project is accepted.
WAYS TO OBTAIN AN AIS
DEVELOPMENT BY IN-HOUSE IS DEPARTMENTS | END-USER-DEVELOPED SOFTWARE
Benefits: user creation, control, and implementation; systems that meet user needs; timeliness.
Risks: logic and development errors; inadequately tested applications; inefficient systems.
METHODS FOR IMPROVING SYSTEMS DEVELOPMENT
• Business Process Management
• Prototyping
• Computer-Aided Software Engineering (CASE) Tools
Business Process Management: As organizations seek to improve their information systems and comply with legal and regulatory reforms, they are paying greater attention to their business processes.
Prototyping: Fewer errors. Less costly. Never-ending development.
CASE Tools: an integrated package of tools that skilled designers use to help plan, analyze, design, program, and maintain an information system. CASE software typically has tools for strategic planning, project and system management, database design, screen and report layout, and automatic code generation. Many companies use CASE tools.
Chapter 22
Learning Objectives
• Discuss the conceptual systems design process and the activities in this phase.
• Discuss the physical systems design process and the activities in this phase.
• Discuss the systems implementation and conversion process and the activities in this phase.
• Discuss the systems operation and maintenance process and the activities in this phase.
Systems Development Life Cycle (SDLC)
Conceptual Systems Design
Evaluate Design Alternatives
There are many ways to design an AIS, so systems designers must make many design decisions. There are many ways an organization can approach the systems development process. It can purchase software, ask in-house information systems (IS) staff to develop it, or hire an outside company to develop and manage the system. The company could modify existing software or redesign its business processes and develop software to support the new processes.
Standards that should be used to evaluate design alternatives:
• how well it meets organizational and system objectives
• how well it meets user needs
PREPARE DESIGN SPECIFICATIONS AND REPORT
• Output
• Data Storage
• Input
During physical design, the broad, user-oriented AIS REQUIREMENTS of conceptual design are translated into DETAILED SPECIFICATIONS that are used to code and test the computer programs.
Output Design
Determine the nature, format, content, and timing of reports, documents, and screen displays.
• Types of Output:
• Scheduled reports
• Special-purpose analysis reports
• Triggered exception reports
• Demand reports
FILE AND DATABASE DESIGN
Data in various company units should be stored in compatible formats to help avoid the problem
INPUT DESIGN
Input design considerations include what types of data will be input and the optimal input method.
INPUT MEDIA
• Computer form design
• Screen design
INPUT DESIGN CONSIDERATIONS
• Medium
• Source
• Format
• Type
• Volume
• Frequency
• etc.
PRINCIPLES OF GOOD FORM DESIGN
• Numerical control
• Security
• Availability
Types of Documentation
Development documentation: A system description; copies of output, input, and file and database layouts; program flowcharts; test results; and user acceptance forms.
Types of System Testing
Walk-through: Step-by-step reviews of procedures or program logic to find incorrect logic, errors, omissions, or other problems.
Factors to Investigate During Postimplementation Review