
Accounting Information Systems:

An Overview
Chapter 1
Introduction
 A system is a set of two or more interrelated components that interact to achieve a goal.
 Each subsystem is designed to achieve one or more organizational goals.
 Changes in subsystems cannot be made without considering the effect on other subsystems and on the
system as a whole.

 Goal conflict occurs when components act in their own interest without regard for the overall goal.
 Goal congruence occurs when components acting in their own interest contribute toward the overall goal.


Introduction
Data
 Data are facts that are collected, recorded, stored, and processed by an information system.
 Businesses need to collect several kinds of data, such as the activities that take place, the resources
affected by the activities, and the people who participate in the activity.

Information
 Data that have been organized and processed to provide meaning and improve the decision-making
process.
 As a rule, users make better decisions as the quantity and quality of information increase.

Characteristics of Useful Information
• Relevant
• Reliable
• Complete
• Timely
• Understandable
• Verifiable
• Accessible
Introduction
 There are limits to the amount of information a decision maker can absorb and process; information overload occurs when those limits are passed, resulting in a decline in decision-making
quality and an increase in the cost of providing that information.
 Information system designers use information technology (IT) to help decision makers more effectively
filter and condense information.
 The value of information is the benefit produced by the information minus the cost of producing it.

“Walmart has over 500 terabytes (trillions of bytes) of data in its data warehouse. That is equivalent to
2,000 miles of bookshelves, or about 100 million digital photos. Walmart has invested heavily in IT so
it can effectively collect, store, analyze, and manage data to provide useful information.”

BENEFITS
• Reduce Uncertainty
• Improve Decisions
• Improve Planning
• Improve Scheduling

COSTS
• Time & Resources to Produce and Distribute Information
Information Needs and Business Process

BUSINESS PROCESS           KEY DECISIONS             INFORMATION NEEDS
Sell merchandise           Markup percentage         Pro forma I/S
Hire and train employees   Experience requirements   Job descriptions
Acquire capital            How much                  Cash flow projections


Information Needs and Business Process
 A transaction is an agreement between two entities to exchange goods or services or any other event
that can be measured in economic terms by an organization. Examples include selling goods to
customers, buying inventory from suppliers, and paying employees.
 The process that begins with capturing transaction data and ends with informational output, such as the
financial statements, is called transaction processing.
 Give-get exchange - Transactions that happen a great many times, such as giving up cash to get inventory
from a supplier and giving employees a paycheck in exchange for their labor.
 Business processes or transaction cycles - The major give-get exchanges that occur frequently in most
companies.

Transaction Cycles/Major business processes
• The revenue cycle
• The expenditure cycle
• The production or conversion cycle
• The human resources/payroll cycle
• The financing cycle
Information Needs and Business Process
Common Cycle Activities

Revenue
• Receive and answer customer inquiries
• Take customer orders and enter them into the AIS
• Approve credit sales
• Etc.

Expenditure
• Request goods and services be purchased
• Prepare, approve, and send purchase orders to vendors
• Receive goods and services and complete a receiving report
• Etc.

Human Resources/Payroll
• Recruit, hire, and train new employees
• Evaluate employee performance and promote employees
• Discharge employees
• Update payroll records
• Etc.

Production
• Design products
• Forecast, plan, and schedule production
• Request raw materials for production
• Manufacture products

Financing
• Forecast cash needs
• Sell stock/securities to investors
• Borrow money from lenders
• Etc.
Accounting Information Systems
 It has often been said that accounting is the language of business. If that is the case, then an accounting
information system (AIS) is the intelligence, the information-providing vehicle, of that language.
 Accounting is a data identification, collection, and storage process as well as an information
development, measurement, and communication process.
 By definition, accounting is an information system, since an AIS collects, records, stores, and processes
accounting and other data to produce information for decision makers.

Accounting information system: A system that collects, records, stores, and processes data to produce
information for decision makers.
Accounting Information Systems
Components of an AIS
• People who use the system
• Procedures and instructions used to collect, process, and store data
• Data
• Software
• Information technology (IT) infrastructure
• Internal control and security measures
AIS and Business Functions
These six components enable an AIS to fulfill three important business functions:
• Collect and store data
• Transform data into information
• Provide adequate controls
HOW AN AIS CAN ADD VALUE TO AN ORGANIZATION
• Improve Quality and Reduce Costs
• Improve Efficiency
• Improve Sharing Knowledge
• Improve the efficiency and effectiveness of its Supply Chain
• Improve Internal Control Structure
• Improve Decision Making


HOW AN AIS CAN ADD VALUE TO AN ORGANIZATION
An AIS can help improve decision making in several ways:
• Identify situations that require action.
• Provide alternative choices.
• Reduce uncertainty.
• Provide feedback on previous decisions.
• Provide accurate and timely information.
AIS and Value Chain
Value chain - The set of activities a product or service moves along before it is sold to a customer as output.
Supply chain - An extended system that includes an organization’s value chain as well as its suppliers, distributors, and
customers.
AIS and Corporate Strategy
Factors Influencing Design of the AIS
• IT developments
• Business strategy
• Organizational culture
OVERVIEW OF
TRANSACTION PROCESSING
AND ERP SYSTEMS
Chapter 2
Learning Objectives
1) Describe the four major steps in the data processing cycle.
 Describe the major activities in each cycle.
2) Describe documents and procedures used to collect and process data.
3) Describe the ways information is stored in computer-based information systems.
4) Discuss the types of information that an AIS can provide.
5) Discuss how organizations use ERP systems to process transactions and provide information.
Data Processing Cycle
SECTION 1: How the data processing cycle plays a role in organizing business activities and providing information to users.

Input -> Process -> Storage -> Output

The Data Processing Cycle Determines
• What data is stored?
• Who has access to the data?
• How is the data organized?
• How can unanticipated information needs be met?
Data Input—Capture
As a business activity occurs, data is collected about:
• Each activity of interest (Events)
• The resources affected (Resources)
• The people who are participating (Agents)
REA: Resources, Events, Agents
Paper-Based Source Documents
Documents used to capture transaction data.
• Data are collected on source documents, e.g., a sales-order form
• The data from paper-based documents will eventually need to be transferred to the AIS

Turnaround Documents
(Annotation: data sent to a third party and then returned to the system as input, e.g., a utility bill returned by the customer with proof of payment and read by a special machine.)
• Usually paper-based
• Are sent from organization to customer
• Same document is returned by customer to organization
Source Data Automation
Source data is captured:
• In machine-readable form
• At the time of the business activity (e.g., ATMs; POS)
Data Input—Accuracy and Control
Well-designed source documents can ensure that data captured is:
• Accurate
  • Provide instructions and prompts
  • Check boxes
  • Drop-down boxes
• Complete
• Internal control support
  • Prenumbered documents
Data Storage
(Annotation: how data is organized and stored, and where it is accessed.)

Ledgers
GENERAL Ledger
• Summary level data for each asset, liability, equity, revenue, and expense account
SUBSIDIARY Ledgers
• Detailed data for a General Ledger (control) account that has individual sub-accounts
• E.g., Accounts Receivable and Accounts Payable are control accounts

Journals
(Annotation: the input; transactions are usually recorded here before the ledger.)
General journal
• Infrequent or specialized (non-routine) transactions, e.g., loan payments, end-of-period adjusting and closing entries
Specialized journals
• Repetitive transactions, e.g., sales transactions, cash disbursements

An audit trail is a traceable path of a transaction through a data processing system, from point of origin to final output or the reverse.
It is used to check the accuracy and validity of ledger postings.
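The audit trail described above, as an added worked example that is not part of the slides: a journal-to-ledger posting in which every ledger posting keeps the journal entry and source document it came from, so a transaction can be traced from origin to output and back, and the trail can be used to check that every posting is supported and the ledger balances. The journal entries, document numbers and account names are constructed sample data.

```python
"""Added example (not from the slides): posting journal entries to a ledger while
keeping an audit trail, then using that trail to trace forward and backward and to
check that every ledger posting is accurate and valid. Sample data is constructed."""
from collections import defaultdict

# Constructed journal: each entry records the source document it was captured from.
JOURNAL = [
    {"je": "JE-001", "source": "INV-1001",
     "lines": [("Accounts Receivable", 500, 0), ("Sales", 0, 500)]},
    {"je": "JE-002", "source": "CHK-2001",
     "lines": [("Inventory", 300, 0), ("Cash", 0, 300)]},
    {"je": "JE-003", "source": "RCPT-3001",
     "lines": [("Cash", 500, 0), ("Accounts Receivable", 0, 500)]},
]


def post_journal(journal):
    """Post balanced journal entries to the ledger; every posting keeps its JE and source reference."""
    ledger = defaultdict(list)
    for entry in journal:
        debits = sum(d for _, d, _ in entry["lines"])
        credits = sum(c for _, _, c in entry["lines"])
        if debits != credits:
            raise ValueError(f"{entry['je']} does not balance: {debits} != {credits}")
        for account, debit, credit in entry["lines"]:
            ledger[account].append({"je": entry["je"], "source": entry["source"],
                                    "debit": debit, "credit": credit})
    return dict(ledger)


def balance(ledger, account):
    """Debit balance of an account (negative means a credit balance)."""
    return sum(p["debit"] - p["credit"] for p in ledger.get(account, []))


def trace_forward(ledger, source_doc):
    """Source document -> journal entry -> ledger postings (point of origin to final output)."""
    return sorted((acct, p["je"], p["debit"], p["credit"])
                  for acct, posts in ledger.items() for p in posts
                  if p["source"] == source_doc)


def trace_back(ledger, account, index):
    """Ledger posting -> journal entry -> source document (the reverse direction)."""
    posting = ledger[account][index]
    return posting["je"], posting["source"]


def verify_postings(ledger, journal):
    """Use the trail to check accuracy and validity: each posting must match a line of a real
    journal entry, and total debits must equal total credits. Returns a list of problems."""
    by_je = {e["je"]: e for e in journal}
    problems = []
    for acct, posts in ledger.items():
        for p in posts:
            entry = by_je.get(p["je"])
            if entry is None or (acct, p["debit"], p["credit"]) not in entry["lines"]:
                problems.append(("unsupported posting", acct, p["je"]))
    total_debits = sum(p["debit"] for posts in ledger.values() for p in posts)
    total_credits = sum(p["credit"] for posts in ledger.values() for p in posts)
    if total_debits != total_credits:
        problems.append(("ledger out of balance", total_debits - total_credits))
    return problems


if __name__ == "__main__":
    gl = post_journal(JOURNAL)
    print("Cash balance:", balance(gl, "Cash"))
    print("Trail for INV-1001:", trace_forward(gl, "INV-1001"))
    print("Problems:", verify_postings(gl, JOURNAL))
```

A posting added directly to the ledger without a journal entry (for instance by someone with write access to the ledger file) shows up in `verify_postings` both as an unsupported posting and as a trial-balance difference, which is exactly the control the slide describes.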

Copyright © 2012 Pearson Education
Coding Techniques
(Annotation: used to classify and organize items.)

Sequence codes
• Items numbered consecutively to account for all items (prenumbered checks, invoices)

Block codes
• Specific ranges of numbers are associated with a category

Group codes
• Positioning of digits in the code provides meaning

Digit Position   Meaning
1–2              Product line, size, and so on
3                Color
4–5              Year of manufacture
6–7              Optional features

Example: 1241000
12 = Dishwasher
4 = White
10 = 2010
00 = No Options

Mnemonic codes
• Letters and numbers
• Easy to memorize
• Code derived from description of item

Chart of accounts
• A type of block coding
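The three numeric coding techniques above, as an added worked example that is not part of the slides: decoding a group code by digit position (the 1241000 layout from the slide), classifying an account number by block code, and the control that sequence codes make possible, a check that every prenumbered document in a range is accounted for exactly once. The lookup values other than those for 1241000, the account blocks and the check numbers are constructed; the mapping of year digits to 20yy is an assumption.

```python
"""Added example (not from the slides): decoding a group code by digit position,
classifying account numbers with block codes, and checking a sequence code for
gaps and duplicates. Lookup values beyond those on the slide are constructed."""

# Group code layout from the slide: digit positions 1-2, 3, 4-5, 6-7 (0-based slices here).
GROUP_LAYOUT = (("product_line", 0, 2), ("color", 2, 3), ("year", 3, 5), ("options", 5, 7))
# Only the values for 1241000 come from the slide; the other entries are constructed placeholders.
PRODUCT_LINES = {"12": "Dishwasher", "13": "Dryer"}
COLORS = {"4": "White", "5": "Black"}
OPTIONS = {"00": "No Options", "01": "Stainless door"}


def decode_group_code(code):
    """Split a 7-digit group code into its meaningful fields."""
    if len(code) != 7 or not code.isdigit():
        raise ValueError(f"group code must be 7 digits, got {code!r}")
    raw = {name: code[start:end] for name, start, end in GROUP_LAYOUT}
    return {
        "product_line": PRODUCT_LINES.get(raw["product_line"], "unknown"),
        "color": COLORS.get(raw["color"], "unknown"),
        # Assumption: the two year digits are a 20yy year, since 10 = 2010 on the slide.
        "year": 2000 + int(raw["year"]),
        "options": OPTIONS.get(raw["options"], "unknown"),
    }


# Block code: a chart of accounts assigns a number range to each category (constructed ranges).
ACCOUNT_BLOCKS = (
    (100, 199, "Assets"),
    (200, 299, "Liabilities"),
    (300, 399, "Equity"),
    (400, 499, "Revenue"),
    (500, 599, "Expenses"),
)


def classify_account(number):
    """Return the category whose block contains the account number, or raise if none does."""
    for low, high, category in ACCOUNT_BLOCKS:
        if low <= number <= high:
            return category
    raise ValueError(f"account {number} falls outside every block")


def check_sequence(numbers):
    """Sequence code control: with prenumbered documents, every number in the used range
    must appear exactly once. Report the missing and the duplicated numbers."""
    if not numbers:
        return {"missing": [], "duplicates": []}
    counts = {}
    for n in numbers:
        counts[n] = counts.get(n, 0) + 1
    low, high = min(counts), max(counts)
    missing = [n for n in range(low, high + 1) if n not in counts]
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    return {"missing": missing, "duplicates": duplicates}


if __name__ == "__main__":
    print(decode_group_code("1241000"))
    print(classify_account(120), classify_account(450))
    # Constructed batch of check numbers: 1003 and 1005 never accounted for, 1004 used twice.
    print(check_sequence([1001, 1002, 1004, 1004, 1006]))
```

A missing number in `check_sequence` is the signal an auditor follows up on (a voided, lost or misappropriated document), and a duplicate points at a reused or forged number; both are the reason the slide lists prenumbered documents under internal control support.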
File Types

Transaction file
• Contains records of a business from a specific period of time

Master file
• Permanent records
• Updated by transactions with the transaction file

Database
• Set of interrelated files

Master file before update + Transaction file -> Updated master file
Computer Based Storage
ENTITY
• Person, place, or thing (noun) about which an organization wishes to store data, e.g., employees, inventory items, customers
(Annotation: an entity is what information is stored about; every entity has attributes.)
Attributes
• Facts about the entity (the characteristics of interest that are stored)
Fields
• Where attributes are stored
Records
• Group of related attributes about an entity
File
• Group of related records
Data Processing
Four Main Activities (CRUD)
• Create new records
• Read existing records
• Update existing records
• Delete data from records
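The four processing activities applied to the master-file update from the previous slides, as an added worked example that is not part of the slides: a transaction file is run against a master file, each create/read/update/delete is validated before it changes the master file, rejected transactions go to an error log, and record counts and a quantity total are computed before and after so the update can be reconciled. Both files are constructed sample data.

```python
"""Added example (not from the slides): applying a transaction file to a master file
with the four CRUD activities, rejecting transactions that would corrupt the master
file. Both files are constructed sample data."""
import copy

# Master file before update, keyed by item number (constructed).
MASTER_BEFORE = {
    "A100": {"description": "Dishwasher", "on_hand": 10},
    "B200": {"description": "Dryer", "on_hand": 4},
}

# Transaction file for the period: one record per business event (constructed).
TRANSACTIONS = [
    {"seq": 1, "type": "create", "item": "C300", "description": "Washer", "on_hand": 6},
    {"seq": 2, "type": "update", "item": "A100", "qty_change": -3},   # 3 dishwashers sold
    {"seq": 3, "type": "update", "item": "B200", "qty_change": -5},   # would go negative: reject
    {"seq": 4, "type": "update", "item": "Z999", "qty_change": 2},    # no such master record: reject
    {"seq": 5, "type": "create", "item": "A100", "description": "Dup", "on_hand": 1},  # duplicate key: reject
    {"seq": 6, "type": "delete", "item": "B200"},                     # on_hand is not zero: reject
    {"seq": 7, "type": "read", "item": "C300"},
]


def apply_transactions(master_before, transactions):
    """Return (updated master file, error log). The master file before update is left unchanged."""
    master = copy.deepcopy(master_before)
    errors = []
    for t in transactions:
        item, kind = t["item"], t["type"]
        if kind == "create":
            if item in master:
                errors.append((t["seq"], f"{item} already exists"))
            else:
                master[item] = {"description": t["description"], "on_hand": t["on_hand"]}
        elif kind == "read":
            if item not in master:
                errors.append((t["seq"], f"{item} not found"))
        elif kind == "update":
            if item not in master:
                errors.append((t["seq"], f"{item} not found"))
            elif master[item]["on_hand"] + t["qty_change"] < 0:
                errors.append((t["seq"], f"{item} would go negative"))
            else:
                master[item]["on_hand"] += t["qty_change"]
        elif kind == "delete":
            if item not in master:
                errors.append((t["seq"], f"{item} not found"))
            elif master[item]["on_hand"] != 0:
                errors.append((t["seq"], f"{item} still has stock"))
            else:
                del master[item]
        else:
            errors.append((t["seq"], f"unknown transaction type {kind!r}"))
    return master, errors


def control_totals(master):
    """Record count and on-hand total, used to reconcile the before and after master files."""
    return {"records": len(master), "on_hand_total": sum(r["on_hand"] for r in master.values())}


if __name__ == "__main__":
    after, log = apply_transactions(MASTER_BEFORE, TRANSACTIONS)
    print(control_totals(MASTER_BEFORE), "->", control_totals(after))
    for seq, msg in log:
        print(f"transaction {seq} rejected: {msg}")
```

Keeping the before-update master file intact and logging every rejection is what makes the run auditable: the difference between the two control totals must be explained entirely by the accepted transactions.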
Data Output Types
Information output can be:
• Soft copy - displayed on a screen
• Hard copy - printed on paper
Enterprise Resource Planning (ERP)
(Annotation: a system that integrates all aspects of a company's activities.)
• Integrates an organization’s information into one overall AIS
• ERP systems are modular; each ERP module automates a standard business process.

ERP modules:
• Financial
• Human resources and payroll
• Order to cash
• Purchase to pay
• Manufacturing
• Project management
• Customer relationship management
• System tools
ERP Advantages
(Annotation: an ERP system uses a centralized database.)
• Integration of an organization’s data and financial information
• Data is captured once
• Greater management visibility, increased monitoring
• Better access controls
• Standardizes business operating procedures
• Improved customer service
• More efficient manufacturing

ERP Disadvantages
• Cost
• Time-consuming to implement
• Changes to an organization’s existing business processes can be disruptive
• Complex
• Resistance to change
End of chapter.


ACCOUNTING INFORMATION SYSTEM
Systems documentation techniques
Romney & Steinbart | Chapter 3

LEARNING OBJECTIVES
• Prepare and use data flow diagrams to understand, evaluate, and document information systems.
• Prepare and use flowcharts to understand, evaluate, and document information systems.
• Prepare and use business process diagrams to understand, evaluate, and document information systems.

INTRODUCTION

Documentation explains how a system works, including the who, what, when, where, why, and how of data entry, data
processing, data storage, information output, and system controls.
(Annotation: the 5W1H; documentation tools include narrative descriptions, diagrams, flowcharts, tables, etc. Documentation tools are important for the following.)

INTRODUCTION
The importance of documentation tools
• To read documentation to determine how a system works
• To identify internal control strengths and weaknesses and recommend improvements
• More skill is needed to prepare documentation that shows how an existing or proposed system operates.
INTRODUCTION
Three common system documentation tools:
• Data Flow Diagram (DFD)
• Flowchart
• Business Process Diagram (BPD)

INTRODUCTION
The Sarbanes-Oxley Act (SOX) of 2002
SOX requires an internal control report in public company annual reports that:
• states that management is responsible for establishing and maintaining an adequate internal control structure
• assesses the effectiveness of the company’s internal controls.
DATA FLOW DIAGRAM
A data flow diagram (DFD) graphically describes the flow of data within an organization.

BASIC ELEMENTS
• Data sources and destinations
• Data flows
• Transformation processes
• Data stores

BASIC DFD ELEMENTS
• A data flow is the movement of data among processes, stores, sources, and destinations.
• Data that pass between data stores and a source or destination must go through a data transformation process.
• If two or more data flows move together, a single line is used.
(Annotation: two arrows to a data store: when the data changes, the destination store changes as well, i.e., an update.)
SPLITTING DATA FLOWS (figure not reproduced)

DFD LEVELS
CONTEXT (highest level, most general)
• Purpose: show inputs and outputs into system
• Characteristics: one process symbol only, no data store
LEVEL 0
• Purpose: show all major activity steps of a system
• Characteristics: processes are labeled 1.0, 2.0, and so on
LEVEL 1
• Purpose: provide more detail about the data processes
• Characteristics: processes are labeled 2.1, 2.2, 2.3, and so on
CONTEXT DIAGRAM (figure not reproduced)

Subdividing the DFD
• Context diagram
• Level 0 DFD
• Level 1 DFD

The narrative in Table 3-1 describes five data processing activities:
• Updating the employee/payroll master file
• Handling employee compensation
• Generating management reports
• Paying taxes
• Posting entries to the general ledger

LEVEL 0 DFD (figure not reproduced; annotation: origin -> data flow -> transformation process -> storage -> destination; label processes with active verb phrases.)
LEVEL 1 DFD (figure not reproduced)
LEVEL 1 DATA FLOW
DIAGRAM
DFD Creation Guidelines
1. Understand the system
2. Ignore certain aspects of the system
3. Determine system boundaries
4. Develop a context DFD
5. Identify data flows
6. Group data flows
7. Identify transformational processes
8. Group transformation processes
9. Identify all files or data stores
10. Identify all data sources and destinations
11. Name all DFD elements
12. Subdivide the DFD
13. Give each process a sequential number
14. Refine the process
15. Prepare a final copy


BUSINESS PROCESS DIAGRAMS (BPD)
• A BPD is a visual way to describe the different steps or activities in a business process.
• BPDs can describe interactions within an entity as well as interactions between entities.
• The Object Management Group (OMG) sets the Business Process Model and Notation (BPMN) standard. Currently BPMN v2.0, released in January 2011.
BUSINESS PROCESS DIAGRAMS (example figures not reproduced)

BPD GUIDELINES
1. Identify and understand the business processes.
2. Ignore certain items.
3. Decide how much detail to include.
4. Organize the diagram.
5. Enter each business process on the diagram.
6. Draw a rough sketch of the BPD.
7. Draw a final copy of the BPD.
FLOWCHART
A flowchart is a pictorial, analytical technique used to describe some aspect of an information system in a clear, concise, and logical manner.
Flowcharts record how business processes are performed and how documents flow through the business, and they are used to analyze how to improve business processes.

Flowchart symbols
• Input/Output symbols
• Processing symbols
• Storage symbols
• Flow and miscellaneous symbols
Types of Flowcharts
Document Flowchart
• Illustrates the flow of documents and data among areas of responsibility within an organization.
System Flowchart
• Depicts the relationships among system input, processing, storage, and output.
Program Flowchart
• Illustrates the sequence of logical operations performed by a computer in executing a program.
GUIDELINES FOR PREPARING FLOWCHARTS
1. Understand the system.
2. Identify the entities to be flowcharted.
3. Organize the flowchart.
4. Clearly label all symbols.
5. Design page connectors.
6. Draw a rough sketch of the flowchart.
7. Draw a final copy of the flowchart.
End of chapter.
Chapter 4
Relational Databases

Learning Objectives
 Explain the importance and advantages of databases.
 Describe the difference between database systems and file-based legacy systems.
 Explain the difference between logical and physical views of a database.
 Explain fundamental concepts of database systems such as DBMS, schemas, the data
dictionary, and DBMS languages.
 Describe what a relational database is and how it organizes data.
 Create a set of well-structured tables to store data in a relational database.
 Perform simple queries using the Microsoft Access database.


Data Hierarchy
 Field - attributes about an entity
 Record - related group of fields
 File - related group of records
 Database - related group of files


Advantages of Database Systems

 Data Integration
 Files are logically combined and made accessible to various systems.

 Data Sharing
 With data in one place it is more easily accessed by authorized users.

 Minimizing Data Redundancy and Data Inconsistency


 Eliminates the same data being stored in multiple files, thus reducing
inconsistency in multiple versions of the same data.

 Data Independence
 Data is separate from the programs that access it. Changes can be
made to the data without necessitating a change in the programs and
vice versa.

 Cross-Functional Analysis
 Relationships between data from various organizational departments
can be more easily combined.



Database Terminology

 Database Management System (DBMS)


 Interface between software applications and the data in
files.

 Database Administrator (DBA)


 Person responsible for maintaining the database

 Data Dictionary
 Information about the structure of the database
 Field names, descriptions, uses



Logical vs. Physical

 Physical View
 Depends on explicitly knowing:
 How is the data actually arranged in a file
 Where is the data stored on the computer

 Logical View
 A Schema separates storage of data from use of the
data
 Unnecessary to explicitly know how and where data is
stored.



Schemas
 Describe the logical structure of a database
 Conceptual Level
 Organization-wide view of the data
 External Level
 Individual users' view of the data
 Each view is a subschema
 Internal Level
 Describes how data are stored and accessed
 Description of: records, definitions, addresses, and indexes


DBMS Languages

 Data Definition Language (DDL)


 Builds the data dictionary
 Creates the database
 Describes the subschema
 Specifies record or field security constraints

 Data Manipulation Language (DML)


 Changes the content in the database
 Updates, insertions, and deletions

 Data Query Language (DQL)


 Enables the retrieval, sorting, and display of data from the
database



Relational Database

 Relational data model represents the conceptual and external level schemas as if data are stored in tables.

 Table
 Each row, a tuple, contains data about one instance of an
entity.
 This is equivalent to a record
 Each column contains data about one attribute of an entity.
 This is equivalent to a field



A Relational Table (figure not reproduced)
Row (Record): each row contains multiple attributes describing an instance of the entity, in this case inventory.
Column (Field): each column holds the same type of data.


Attributes

 Primary Key
 An attribute or combination of attributes that can be used
to uniquely identify a specific row (record) in a table.

 Foreign Key
 An attribute in one table that is a primary key in another
table.
 Used to link the two tables



Database Design Errors

 If a database is not designed properly, data errors can occur.
 Update Anomaly
 Changes to existing data are not correctly recorded.
 Due to multiple records with the same data attributes
 Insert Anomaly
 Unable to add a record to the database.
 Delete Anomaly
 Removing a record also removes unintended data from
the database.



Design Requirements for Relational Database
1. Every column must be single valued.
2. Primary keys must contain data (not null).
3. Foreign keys must contain the same data as the primary key in another table.
4. All other attributes must identify a characteristic of the table identified by the primary key.


Normalizing Relational Databases
 Initially, one table is used for all the data in a database.
 Following rules, the table is decomposed into multiple tables related by:
 Primary key–foreign key integration
 Decomposed set of tables are in third normal form (3NF).
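The update, insert and delete anomalies and the 3NF decomposition described in the preceding slides, as an added worked example that is not part of the slides. It builds the "one table for all the data" design in an in-memory SQLite database (Python's sqlite3 module rather than Microsoft Access), triggers each anomaly, then rebuilds the same data as customer, invoice and invoice-line tables linked by primary and foreign keys and shows that the anomalies disappear and that the DBMS itself enforces design requirement 3. All rows are constructed.

```python
"""Added example (not from the slides): the update, insert and delete anomalies of a single
unnormalised sales table, and the same data decomposed into 3NF tables linked by
primary key / foreign key, using the sqlite3 module. All rows are constructed."""
import sqlite3


def flat_db():
    """One table holds customer and sales data together (the 'initially, one table' design)."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE sales_flat (
        invoice INTEGER NOT NULL, customer_id INTEGER, customer_name TEXT,
        item TEXT NOT NULL, qty INTEGER, PRIMARY KEY (invoice, item))""")
    con.executemany("INSERT INTO sales_flat VALUES (?, ?, ?, ?, ?)", [
        (1, 10, "Acme", "Dishwasher", 1),
        (2, 10, "Acme", "Dryer", 2),
        (3, 11, "Bolt Co", "Washer", 1),
    ])
    return con


def update_anomaly(con):
    """Renaming the customer on one invoice leaves two versions of the same fact."""
    con.execute("UPDATE sales_flat SET customer_name = 'Acme Ltd' WHERE invoice = 1")
    rows = con.execute("SELECT DISTINCT customer_name FROM sales_flat WHERE customer_id = 10")
    return sorted(r[0] for r in rows)


def insert_anomaly(con):
    """A new customer with no sale cannot be stored: the primary key columns would be NULL."""
    try:
        con.execute("INSERT INTO sales_flat (customer_id, customer_name) VALUES (12, 'Cog Inc')")
        return False
    except sqlite3.IntegrityError:
        return True


def delete_anomaly(con):
    """Deleting the only invoice for customer 11 also deletes all we know about that customer."""
    con.execute("DELETE FROM sales_flat WHERE invoice = 3")
    return con.execute("SELECT COUNT(*) FROM sales_flat WHERE customer_id = 11").fetchone()[0]


def normalized_db():
    """3NF decomposition: each non-key column describes only its own table's primary key."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")   # have the DBMS enforce design requirement 3
    con.executescript("""
        CREATE TABLE customer (customer_id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE invoice (invoice INTEGER PRIMARY KEY,
                              customer_id INTEGER NOT NULL REFERENCES customer(customer_id));
        CREATE TABLE invoice_line (invoice INTEGER NOT NULL REFERENCES invoice(invoice),
                                   item TEXT NOT NULL, qty INTEGER NOT NULL,
                                   PRIMARY KEY (invoice, item));
    """)
    con.executemany("INSERT INTO customer VALUES (?, ?)",
                    [(10, "Acme"), (11, "Bolt Co"), (12, "Cog Inc")])  # 12 has no sales yet: fine
    con.executemany("INSERT INTO invoice VALUES (?, ?)", [(1, 10), (2, 10), (3, 11)])
    con.executemany("INSERT INTO invoice_line VALUES (?, ?, ?)",
                    [(1, "Dishwasher", 1), (2, "Dryer", 2), (3, "Washer", 1)])
    return con


def normalized_update(con):
    """The name is stored once, so every invoice sees the change."""
    con.execute("UPDATE customer SET name = 'Acme Ltd' WHERE customer_id = 10")
    rows = con.execute("""SELECT DISTINCT c.name FROM invoice i
                          JOIN customer c ON c.customer_id = i.customer_id
                          WHERE c.customer_id = 10""")
    return [r[0] for r in rows]


def orphan_rejected(con):
    """A foreign key that matches no primary key is refused by the DBMS."""
    try:
        con.execute("INSERT INTO invoice VALUES (4, 99)")
        return False
    except sqlite3.IntegrityError:
        return True


def normalized_delete(con):
    """Removing invoice 3 leaves customer 11 intact."""
    con.execute("DELETE FROM invoice_line WHERE invoice = 3")
    con.execute("DELETE FROM invoice WHERE invoice = 3")
    return con.execute("SELECT name FROM customer WHERE customer_id = 11").fetchone()[0]


if __name__ == "__main__":
    flat = flat_db()
    print("update anomaly:", update_anomaly(flat), "insert anomaly:", insert_anomaly(flat),
          "rows left for customer 11 after delete:", delete_anomaly(flat))
    norm = normalized_db()
    print("3NF update:", normalized_update(norm), "orphan rejected:", orphan_rejected(norm),
          "3NF delete keeps customer:", normalized_delete(norm))
```

SQLite does not enforce foreign keys unless `PRAGMA foreign_keys = ON` is issued on the connection; without it the orphan invoice for customer 99 would be accepted silently, so that setting is the difference between requirement 3 being a documented rule and a rule the DBMS enforces.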


Microsoft Access Query #1–#5 (query screenshots not reproduced)


ACCOUNTING INFORMATION SYSTEMS

SHORT TUTORIAL ON CREATING A FLOWCHART

POLITEKNIK KEUANGAN NEGARA STAN
DEPARTMENT OF ACCOUNTING | DIPLOMA III ACCOUNTING PROGRAM

MANUAL ACTIVITY
(Paper-Based Activity)
SALES TRANSACTION PROCEDURE

1. An employee in the Sales Department receives a customer's order slip, then prepares a sales order document in four copies.
2. Copy 1 of the sales order is sent to the Credit Department for approval of the credit transaction; the three other copies, together with the customer order, are filed temporarily by transaction number pending credit approval.
3. An employee in the Credit Department validates the customer order against the customer's credit record on file. If approved, the Credit Department employee signs sales order 1 and returns it to the Sales Department employee.
4. Once the Sales Department employee receives the credit approval, he files sales order 1 and the customer order document by transaction number. He then sends sales order copy 2 to the Warehouse Department employee; the remaining copies, sales orders 3 and 4, are sent to the Shipping Department.
5. The Warehouse Department employee, based on the customer order, picks the goods from the warehouse, records the withdrawal on the inventory card, and then sends the goods together with sales order 2 to the Shipping Department.
6. After receiving sales order copies 3 & 4 from the Sales Department and the goods and sales order copy 2 from the Warehouse Department, the Shipping Department employee ships the customer's order accompanied by sales order copy 2 as the packing slip. Sales order copies 3 and 4 are then filed.
00 | CREATE THE ACTIVITY AREAS
Swim lanes: SALES DEPARTMENT | CREDIT DEPARTMENT | WAREHOUSE DEPARTMENT | SHIPPING DEPARTMENT

01 | PROCEDURE 1 (flowchart figure: customer order received from the customer; prepare sales order (SO); sales order copies 1-4)

02 | PROCEDURES 1 & 2 (flowchart figure: sales order 1 sent to the Credit Department; sales orders 2-4 and the customer order filed by number, N)

03 | PROCEDURES 1, 2 & 3 (flowchart figure: perform credit check against the credit records; sales order 1 (approved) returned to the Sales Department)

04 | PROCEDURES 1, 2, 3 & 4 (flowchart figure across two pages with off-page connectors A, B and C: distribute the SOs and file; sales order 1 and the customer order filed by number, N; sales order 2 to the Warehouse Department; sales orders 3 and 4 to the Shipping Department)

05 | PROCEDURES 1, 2, 3, 4 & 5 (flowchart figure: pick goods; record on the inventory card; sales order 2 with the goods to the Shipping Department)

06 | PROCEDURES 1, 2, 3, 4, 5 & 6 (flowchart figure: ship goods to the customer with sales order 2; sales orders 3 and 4 filed by number, N)
COMPUTER-BASED ACTIVITY
(Computer-Based Activity)
SALES TRANSACTION PROCEDURE

1. An employee in the Sales Department receives a customer's order slip, then enters the customer order data into the sales application connected to the computer network in the Information Systems (IS) Department. The customer order slip is filed by transaction date.
2. A computer program in the IS Department performs an Edit function on the customer order transaction to check for data-entry errors, tests the customer's credit status by reference to the customer credit file, and then produces a sales order transaction file.
3. The sales order transaction data/file is processed by a computer program in the IS Department through an Update function that posts the transaction to the related accounts receivable (A/R) records and the inventory file.
4. In the IS Department the computer program, through the Update function, produces 3 copies of the sales order; copy 1 is sent to the Warehouse Department, the other two copies are sent to the Shipping Department.
5. The Warehouse Department employee, after receiving the sales order copy, picks the goods from the shelves and then, based on the sales order copy, enters data into the inventory file on the Warehouse Department computer to update inventory. The employee then sends the ordered goods together with that sales order copy (Sales Order 1) to the Shipping Department.
6. The clerk in the Shipping Department, after receiving the goods and the sales order copy (Sales Order), reconciles the goods with sales order copies 1, 2 and 3 and then
00 | CREATE THE ACTIVITY AREAS
Swim lanes: SALES DEPARTMENT | IS DEPARTMENT | WAREHOUSE DEPARTMENT | SHIPPING DEPARTMENT

01 | PROCEDURE 1 (flowchart figure: customer order received from the customer; enter order; customer order filed by date, D; edit & credit test; sales order)

02 | PROCEDURES 1 & 2 (flowchart figure: edit & credit test reads the customer credit file; sales order transaction file)

03 | PROCEDURES 1, 2 & 3 (flowchart figure: update program posts to the accounts receivable (A/R) and inventory files)

04 | PROCEDURES 1, 2, 3 & 4 (flowchart figure: update program prints sales orders 1-3; sales order 1 to the Warehouse Department via connector A; sales orders 2 and 3 to the Shipping Department)

05 | PROCEDURES 1, 2, 3, 4 & 5 (flowchart figure: pick goods; update the inventory record in the inventory stock file; sales order 1 with the goods to the Shipping Department)

06 | PROCEDURES 1, 2, 3, 4, 5 & 6 (flowchart figure: ship goods; shipping agenda; sales orders 1-3; sales order 1 filed by number, N; goods to the customer)
End of tutorial.
Relational Databases
Chapter 4
DATABASE - A set of interrelated, centrally coordinated data files that are stored with as little data redundancy as possible.

A database consolidates records previously stored in separate files into a common pool and serves a variety of users and data processing applications.
Data Hierarchy
Field - Attributes about an entity (annotation: the data that will be recorded)
Record - Related group of fields
File - Related group of records
Database - Related group of files


File-Oriented Systems versus Database Systems

Using Data Warehouses for Business Intelligence

A DATA WAREHOUSE is one or more very large databases containing both detailed and summarized data for a number of years that is used for analysis rather than transaction processing.

Tools: OLAP, data mining

Business Intelligence ===> using the data warehouse for strategic decision making
Database Terminology
Database Management System (DBMS)
• The program that manages and controls the data and the interfaces between the data and the application programs that use the data stored in the database

Database System
• The database, the DBMS, and the application programs that access the database through the DBMS.

Database Administrator (DBA)
• Person responsible for coordinating, controlling, and managing the database
Advantages of Database Systems

• Data Integration
• Data Sharing
• Minimizing Data Redundancy and Data Inconsistency
• Data Independence
• Cross-Functional Analysis

Logical vs. Physical View of Data

Physical View
• The way data are physically arranged and stored in the computer system.
• Depends on explicitly knowing:
  • How the data are actually arranged in a file
  • Where the data are stored on the computer

Logical View
• How people conceptually organize, view, and understand the relationships among data items.
• Unnecessary to explicitly know how and where data is stored.
• For example, a sales manager views all customer information as being stored in a table.

A SCHEMA is a description of the data elements in a database, the relationships among them, and the logical model used to organize and describe the data.
RECORD LAYOUT: Document that shows the items stored in a file, including the order and length of the data fields and the type of data stored.

The conceptual-level schema: the organization-wide view of the entire database; lists all data elements and the relationships among them.

The external-level schema: an individual user’s view of portions of a database.

The internal-level schema: a low-level view of the database; describes how the data are stored and accessed, including record layouts, definitions, addresses, and indexes.
Data Dictionary
The data dictionary contains information about the structure of the database.

DBMS Languages
Data Definition Language (DDL): builds the data dictionary; creates the database; describes the subschema; specifies record or field security constraints.
Data Manipulation Language (DML): changes the content in the database (updates, insertions, and deletions).
Data Query Language (DQL): enables the retrieval, sorting, and display of data from the database.

Relational Database

The relational data model represents conceptual- and external-level schemas as if data are stored in two-dimensional tables.

Table
• Each row, called a tuple, contains data about a specific item in a database table. This is equivalent to a record.
• Each column contains data about an attribute of an entity. This is equivalent to a field.
A Relational Table

Row (Record): each row contains multiple attributes describing an instance of the entity. In this case, inventory.
Column (Field)

Types of Attributes – Relational Database System

Primary Key
• the database attribute, or combination of attributes, that uniquely identifies a specific row in a table.

Foreign Key
• an attribute in a table that is also a primary key in another table and is used to link the two tables.

Database Design Errors
Update Anomaly: changes to existing data are not correctly recorded, due to multiple records with the same data attributes.

Insert Anomaly: unable to add a record to the database; for example, there is no way to store information about prospective customers until they make a purchase.

Delete Anomaly: occurs when deleting a row has unintended consequences; removing a record also removes unintended data from the database.

Design Requirements for Relational Database

• Every column in a row must be single valued.
• Primary keys cannot be null.
• Foreign keys, if not null, must have values that correspond to the value of a primary key in another table.
• All nonkey attributes in a table must describe a characteristic of the object identified by the primary key.

Two Approaches to Database Design

Normalization
• Following relational database creation rules to design a relational database that is free from delete, insert, and update anomalies.
• Decomposed set of tables are in third normal form (3NF).

Semantic data modeling
• Using knowledge of business processes and information needs to create a diagram that shows what to include in a fully normalized database (in 3NF).
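The three anomalies, the four design rules and the DDL/DML/DQL distinction above, worked through as an added example (not code from the slides): a flat sales table that exhibits each anomaly, then the 3NF decomposition the rules produce, using Python's built-in sqlite3. Table and column names and the sample rows are constructed for this example.

```python
import sqlite3


def flat_db() -> sqlite3.Connection:
    """Unnormalized design: customer data is repeated on every sales order row."""
    con = sqlite3.connect(":memory:")
    # DDL: create the table (constructed names, not the slides' own)
    con.execute("""
        CREATE TABLE sales_flat (
            order_id  INTEGER PRIMARY KEY,
            cust_name TEXT NOT NULL,
            cust_addr TEXT NOT NULL,
            amount    REAL NOT NULL)""")
    # DML: two orders for the same customer, so the address is stored twice
    con.executemany("INSERT INTO sales_flat VALUES (?, ?, ?, ?)", [
        (1, "Acme", "1 Old Street", 100.0),
        (2, "Acme", "1 Old Street", 250.0),
    ])
    return con


def update_anomaly() -> int:
    """Update anomaly: changing one copy of a repeated attribute leaves the
    others stale. Returns the number of distinct addresses now held for Acme."""
    con = flat_db()
    con.execute("UPDATE sales_flat SET cust_addr = '9 New Road' WHERE order_id = 1")
    # DQL: read the stored data back
    (n,) = con.execute(
        "SELECT COUNT(DISTINCT cust_addr) FROM sales_flat WHERE cust_name = 'Acme'"
    ).fetchone()
    return n  # 2: the change was not recorded consistently


def insert_anomaly() -> bool:
    """Insert anomaly: a prospective customer has no order, so there is no
    valid row to put them in. Returns True if the insert is rejected."""
    con = flat_db()
    try:
        con.execute(
            "INSERT INTO sales_flat (cust_name, cust_addr) VALUES ('Globex', '5 Main St')")
    except sqlite3.IntegrityError:  # amount is NOT NULL: no order, no row
        return True
    return False


def delete_anomaly() -> int:
    """Delete anomaly: removing a customer's only order also removes everything
    known about the customer. Returns rows still mentioning Initech."""
    con = flat_db()
    con.execute("INSERT INTO sales_flat VALUES (3, 'Initech', '7 Lake Ave', 40.0)")
    con.execute("DELETE FROM sales_flat WHERE order_id = 3")
    (n,) = con.execute(
        "SELECT COUNT(*) FROM sales_flat WHERE cust_name = 'Initech'").fetchone()
    return n  # 0: the address went away with the order


def normalized_db() -> sqlite3.Connection:
    """3NF decomposition: every nonkey column describes only its own key."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        PRAGMA foreign_keys = ON;   -- SQLite enforces foreign keys only when asked
        CREATE TABLE customers (
            cust_id   TEXT PRIMARY KEY NOT NULL,  -- NOT NULL: SQLite otherwise
            cust_name TEXT NOT NULL,              --   allows NULL in a TEXT key
            cust_addr TEXT NOT NULL);
        CREATE TABLE sales_orders (
            order_id INTEGER PRIMARY KEY,
            cust_id  TEXT NOT NULL REFERENCES customers(cust_id),
            amount   REAL NOT NULL);
        INSERT INTO customers VALUES ('C1', 'Acme', '1 Old Street');
        INSERT INTO sales_orders VALUES (1, 'C1', 100.0), (2, 'C1', 250.0);
    """)
    return con


def normalized_checks() -> dict:
    """Show that each design rule removes the matching anomaly."""
    con = normalized_db()
    out = {}
    # Update: the address lives in exactly one row, so it cannot diverge
    con.execute("UPDATE customers SET cust_addr = '9 New Road' WHERE cust_id = 'C1'")
    (n,) = con.execute("""SELECT COUNT(DISTINCT c.cust_addr) FROM sales_orders o
                          JOIN customers c ON c.cust_id = o.cust_id""").fetchone()
    out["distinct_addresses"] = n
    # Insert: a prospect can be stored before placing any order
    con.execute("INSERT INTO customers VALUES ('C2', 'Globex', '5 Main St')")
    out["prospect_stored"] = con.execute(
        "SELECT COUNT(*) FROM customers WHERE cust_id = 'C2'").fetchone()[0] == 1
    # Foreign keys, if not null, must match an existing primary key
    try:
        con.execute("INSERT INTO sales_orders VALUES (3, 'C9', 40.0)")
        out["orphan_fk_rejected"] = False
    except sqlite3.IntegrityError:
        out["orphan_fk_rejected"] = True
    # Primary keys cannot be null
    try:
        con.execute("INSERT INTO customers VALUES (NULL, 'Initech', '7 Lake Ave')")
        out["null_pk_rejected"] = False
    except sqlite3.IntegrityError:
        out["null_pk_rejected"] = True
    # Delete: removing the orders leaves the customer record intact
    con.execute("DELETE FROM sales_orders WHERE cust_id = 'C1'")
    out["customer_survives_delete"] = con.execute(
        "SELECT COUNT(*) FROM customers WHERE cust_id = 'C1'").fetchone()[0] == 1
    return out
```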
END
FRAUD
Chapter 5
Learning Objectives

• Explain the threats faced by modern information systems.
• Define fraud and describe both the different types of fraud and the auditor’s responsibility to detect fraud.
• Discuss who perpetrates fraud and why it occurs, including the pressures, opportunities, and rationalizations that are present in most frauds.
• Define computer fraud and discuss the different computer fraud classifications.
• Explain how to prevent and detect computer fraud and abuse.

Threats to Accounting Information Systems

Natural and political disasters
• Fire or excessive heat
• Floods, earthquakes, landslides, etc.
• War and terrorist attacks

Software errors and equipment malfunctions
• Hardware or software failure
• Software errors or bugs
• Operating system crashes
• Power outages and fluctuations
• Undetected data transmission errors

Unintentional acts
• Accidents caused by human carelessness, failure to follow established procedures, and poorly trained or supervised personnel
• Innocent errors or omissions
• Logic errors
• Systems that do not meet company needs or cannot handle intended tasks

Intentional acts (computer crime)
• Sabotage
• Misrepresentation, false use, or unauthorized disclosure of data
• Misappropriation of assets
• Financial statement fraud
• Corruption
• Computer fraud: attacks, social engineering, malware, etc.
Introduction to Fraud

FRAUD: Any and all means a person uses to gain an unfair advantage over another person.

Legally, for an act to be fraudulent there must be:
• A false statement, representation, or disclosure
• A material fact, which is something that induces a person to act
• An intent to deceive
• A justifiable reliance; that is, the person relies on the misrepresentation to take an action
• An injury or loss suffered by the victim

Introduction to Fraud
Findings of The Association of Certified Fraud Examiners (ACFE)
• A typical organization loses 5% of its annual revenue to fraud, indicating yearly global fraud losses of over $3.7 trillion.
• Owner/executive frauds took much longer to detect and were more than four times as costly as manager-perpetrated frauds and more than 11 times as costly as employee frauds.
• More than 87% of the perpetrators had never been charged or convicted of fraud.
• Small businesses, with fewer and less effective internal controls, were more vulnerable to fraud than large businesses.
• Occupational frauds are much more likely to be detected by an anonymous tip than by audits or any other means.
• More than 83% of the cases they studied were asset misappropriation frauds with a median loss of $125,000. Billing schemes and check tampering schemes were the most frequent types of asset misappropriation.
• Only 10% of the cases were financial statement fraud, but these cases had a much higher median loss of $975,000.
• The most prominent organizational weakness in the fraud cases studied was a lack of internal controls.
• The implementation of controls to prevent fraud resulted in lower fraud losses and quicker fraud detection.
• In 79% of the fraud cases studied, perpetrators displayed behavioral warning signs, or red flags, such as living beyond their means, financial difficulties, unusually close association with a vendor or customer, and recent divorce or family problems that created a perceived need in the perpetrator’s mind.

Introduction to Fraud
• Most fraud perpetrators are knowledgeable insiders with the requisite access, skills, and resources.
• Because employees understand a company’s system and its weaknesses, they are better able to commit and conceal a fraud.
• The controls used to protect corporate assets make it more difficult for an outsider to steal from a company.
• Fraud perpetrators are often referred to as white-collar criminals.

WHITE-COLLAR CRIMINALS: Typically, businesspeople who commit fraud. White-collar criminals usually resort to trickery or cunning, and their crimes usually involve a violation of trust or confidence.

CORRUPTION: Dishonest conduct by those in power which often involves actions that are illegitimate, immoral, or incompatible with ethical standards. Examples include bribery and bid rigging.

INVESTMENT FRAUD: Misrepresenting or leaving out facts in order to promote an investment that promises fantastic profits with little or no risk. There are many types of investment fraud; examples include Ponzi schemes and securities fraud.
Introduction to Fraud
Important frauds related to businesses

Misappropriation of assets: the theft of company assets by employees.
Example: Albert Milano, a manager at Reader’s Digest responsible for processing bills, embezzled $1 million over a five-year period. He forged a superior’s signature on invoices for services never performed, submitted them to accounts payable, forged the endorsement on the check, and deposited it in his account. Milano used the stolen funds to buy an expensive home, five cars, and a boat.

Fraudulent financial reporting: intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements.
• Enron scandal and the Arthur Andersen accounting firm
• The PT Garuda Indonesia financial statement case
• The Jiwasraya financial statement manipulation case
Who Perpetrates Fraud and Why
Some fraud perpetrators are disgruntled and unhappy with their jobs and seek revenge against employers.

Others are dedicated, hard-working, and trusted employees.

Most have no previous criminal record; they were honest, valued, and respected members of their community.

They are typically younger and possess more computer experience and skills.

Some are motivated by curiosity or a quest for knowledge.

Some view their actions as a game rather than as dishonest behavior.

Many first-time fraud perpetrators that are not caught, or that are caught but not prosecuted, move from being “unintentional” fraudsters to “serial” fraudsters.

FRAUD TRIANGLE

[Figure: the fraud triangle (pressures, opportunities, rationalization); annotation: cause => effect]

FRAUD TRIANGLE | PRESSURES
EMPLOYEE PRESSURES. PRESSURES: a person’s incentive or motivation for committing fraud.

FINANCIAL pressures often motivate misappropriation frauds by employees.

EMOTIONAL. Many employee frauds are motivated by greed. Some employees turn to fraud because they have strong feelings of resentment or believe they have been treated unfairly. They may feel their pay is too low, their contributions are not appreciated, or the company is taking advantage of them.

LIFESTYLE. The person may need funds to support a gambling habit or support a drug or alcohol addiction.

FRAUD TRIANGLE | PRESSURES
FINANCIAL STATEMENT PRESSURES

FRAUD TRIANGLE | OPPORTUNITIES
OPPORTUNITY: the condition or situation, including one’s personal abilities, that allows a perpetrator to do three things:

COMMIT. The theft of assets is the most common type of misappropriation. Most instances of fraudulent financial reporting involve overstatements of assets or revenues, understatements of liabilities, or failures to disclose information.

CONCEAL. To prevent detection when assets are stolen or financial statements are overstated, perpetrators must keep the accounting equation in balance by inflating other assets or decreasing liabilities or equity.

CONVERT. Convert the theft or misrepresentation to personal gain. In a misappropriation, fraud perpetrators who do not steal cash or use the stolen assets personally must convert them to a spendable form.

LAPPING: Concealing the theft of cash by means of a series of delays in posting collections to accounts receivable.

FRAUD TRIANGLE | RATIONALIZATION
RATIONALIZATION allows perpetrators to justify their illegal behavior.

The most frequent rationalizations include the following:

• I am only “borrowing” it, and I will repay my “loan.”
• You would understand if you knew how badly I needed it.
• What I did was not that serious.
• It was for a good cause (the Robin Hood syndrome: robbing the rich to give to the poor).
• In my very important position of trust, I am above the rules.
• Everyone else is doing it.
• No one will ever know.
• The company owes it to me; I am taking no more than is rightfully mine.

COMPUTER FRAUD

Computer fraud is any fraud that requires computer technology to perpetrate it:
• Unauthorized theft, use, access, modification, copying, or destruction of software, hardware, or data
• Theft of assets covered up by altering computer records
• Obtaining information or tangible property illegally using computers

COMPUTER FRAUD CLASSIFICATIONS
Input Fraud: alteration or falsifying of input
• A man used desktop publishing to prepare bills for office supplies that were never ordered or delivered and mailed them to local companies.
Processor Fraud: unauthorized system use
• An insurance company installed software to detect abnormal system activity and found that employees were using company computers to run an illegal gambling website.
Computer Instructions Fraud
• Modifying software, illegal copying of software, using software in an unauthorized manner, creating software to undergo unauthorized activities
Data Fraud
• Illegally using, copying, browsing, searching, or harming company data

Output Fraud
• Unless properly safeguarded, displayed or printed output can be stolen, copied, or misused.
Preventing and Detecting Fraud and Abuse

• Make fraud less likely to occur
• Increase the difficulty of committing fraud
• Improve detection methods
• Reduce fraud losses

MAKE FRAUD LESS LIKELY TO OCCUR
• Create an organizational culture that stresses integrity and commitment to ethical values and competence.
• Adopt an organizational structure, management philosophy, operating style, and risk appetite that minimizes the likelihood of fraud.
• Require oversight from an active, involved, and independent audit committee of the board of directors.
• Assign authority and responsibility for business objectives to specific departments and individuals, encourage them to use initiative to solve problems, and hold them accountable for achieving those objectives.
• Identify the events that lead to increased fraud risk, and take steps to prevent, avoid, share, or accept that risk.
• Develop a comprehensive set of security policies to guide the design and implementation of specific control procedures, and communicate them effectively to company employees.
• Implement human resource policies for hiring, compensating, evaluating, promoting, and discharging employees that send messages about the required level of ethical behavior and integrity.
• Develop a comprehensive set of anti-fraud policies that clearly set forth the expectation for honest and ethical behavior and explain the consequences of dishonest and fraudulent acts.
• Effectively supervise employees, including monitoring their performance and correcting their errors.
• Provide employee support programs; this provides a place for employees to turn to when they face pressures they might be inclined to resolve by perpetrating a fraud.
• Maintain open communication lines with employees, customers, suppliers, and relevant external parties (banks, regulators, tax authorities, etc.).
• Create and implement a company code of conduct to put in writing what the company expects of its employees.
• Train employees in integrity and ethical considerations, as well as security and fraud prevention measures.
• Require annual employee vacations and signed confidentiality agreements; periodically rotate duties of key employees.
• Implement formal and rigorous project development and acquisition controls, as well as change management controls.
• Increase the penalty for committing fraud by prosecuting fraud perpetrators more vigorously.
INCREASE THE DIFFICULTY OF COMMITTING FRAUD
• Develop and implement a strong system of internal controls.
• Segregate the accounting functions of authorization, recording, and custody.
• Implement a proper segregation of duties between systems functions.
• Restrict physical and remote access to system resources to authorized personnel.
• Require transactions and activities to be authorized by appropriate supervisory personnel. Have the system authenticate the person, and their right to perform the transaction, before allowing the transaction to take place.
• Use properly designed documents and records to capture and process transactions.
• Safeguard all assets, records, and data.
• Require independent checks on performance, such as reconciliation of two independent sets of records, where practical.
• Implement computer-based controls over data input, computer processing, data storage, data transmission, and information output.
• Encrypt stored and transmitted data and programs to protect them from unauthorized access and use.
• When disposing of used computers, destroy the hard drive to keep criminals from mining recycled hard drives.
• Fix software vulnerabilities by installing operating system updates, as well as security and application programs.
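The segregation of the authorization, recording and custody functions and the "authenticate the person and their right before allowing the transaction" control above, as an added example (not code from the slides): a periodic access review that flags users holding incompatible functions, and a transaction-approval check that logs every decision to an audit trail. Role names, approval limits and the user directory are constructed assumptions; authentication of the approver is assumed to have happened upstream.

```python
from dataclasses import dataclass, field
from typing import Optional

# The three accounting functions the slides say must be held by different people.
AUTHORIZE, RECORD, CUSTODY = "authorize", "record", "custody"
INCOMPATIBLE = [
    frozenset({AUTHORIZE, RECORD}),
    frozenset({AUTHORIZE, CUSTODY}),
    frozenset({RECORD, CUSTODY}),
]


@dataclass
class User:
    name: str
    roles: frozenset             # subset of {AUTHORIZE, RECORD, CUSTODY}
    approval_limit: float = 0.0  # largest amount this user may authorize


def sample_users():
    """Constructed directory; 'dave' deliberately breaks segregation of duties."""
    return [
        User("alice", frozenset({AUTHORIZE}), approval_limit=5000.0),
        User("bob", frozenset({RECORD})),
        User("carol", frozenset({CUSTODY})),
        User("dave", frozenset({AUTHORIZE, RECORD}), approval_limit=5000.0),
    ]


def sod_violations(users):
    """Periodic access review: (user, function, function) for every user who
    holds two functions that must be segregated."""
    found = []
    for u in users:
        for pair in INCOMPATIBLE:
            if pair <= u.roles:
                a, b = sorted(pair)
                found.append((u.name, a, b))
    return sorted(found)


@dataclass
class Transaction:
    txn_id: str
    amount: float
    recorded_by: str
    authorized_by: Optional[str] = None
    audit_trail: list = field(default_factory=list)  # every decision is logged


def authorize(txn, approver, users):
    """Approve only if the approver is a known user, holds the authorize
    function, did not record the transaction, and the amount is within their
    limit. Each deny/approve decision is appended to the transaction's trail."""
    directory = {u.name: u for u in users}
    user = directory.get(approver)
    if user is None:
        txn.audit_trail.append(f"DENY {txn.txn_id} by {approver}: unknown user")
        return False
    if AUTHORIZE not in user.roles:
        txn.audit_trail.append(f"DENY {txn.txn_id} by {approver}: no authorize right")
        return False
    if approver == txn.recorded_by:
        txn.audit_trail.append(
            f"DENY {txn.txn_id} by {approver}: recorder cannot also authorize")
        return False
    if txn.amount > user.approval_limit:
        txn.audit_trail.append(
            f"DENY {txn.txn_id} by {approver}: {txn.amount:.2f} over limit")
        return False
    txn.authorized_by = approver
    txn.audit_trail.append(f"APPROVE {txn.txn_id} by {approver}")
    return True
```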
IMPROVE DETECTION METHODS
• Develop and implement a fraud risk assessment program that evaluates both the likelihood and the magnitude of fraudulent activity and assesses the processes and controls that can deter and detect the potential fraud.
• Create an audit trail so individual transactions can be traced through the system to the financial statements and financial statement data can be traced back to individual transactions.
• Conduct periodic external and internal audits, as well as special network security audits; these can be especially helpful if sometimes performed on a surprise basis.
• Install fraud detection software.
• Implement a fraud hotline.
• Motivate employees to report fraud by implementing whistleblower rewards and protections for those who come forward.
• Employ a computer security officer, computer consultants, and forensic specialists as needed.
• Monitor system activities, including computer and network security efforts, usage and error logs, and all malicious actions. Use intrusion detection systems to help automate the monitoring process.
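The audit-trail and monitoring items above, applied to the lapping scheme defined in the fraud triangle section, as an added example (not code from the slides): an audit analytic that reconciles what the bank says was received against what the A/R subledger credited, and reports the three red flags of lapping. The record layouts, the lag threshold and the sample remittances are constructed for this example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Remittance:      # what the bank / lockbox says was received
    remit_id: str
    received: date
    customer: str
    amount: float


@dataclass(frozen=True)
class Posting:         # what the A/R subledger recorded for that remittance
    remit_id: str
    posted: date
    credited_to: str
    amount: float


# Constructed sample: R1 from Acme is never posted; each later collection is
# credited to the customer whose payment was diverted before it.
REMITTANCES = [
    Remittance("R1", date(2021, 3, 1), "Acme", 500.0),
    Remittance("R2", date(2021, 3, 4), "Beta", 500.0),
    Remittance("R3", date(2021, 3, 8), "Gamma", 500.0),
    Remittance("R4", date(2021, 3, 9), "Delta", 120.0),   # clean
]
POSTINGS = [
    Posting("R2", date(2021, 3, 5), "Acme", 500.0),        # Beta's cash -> Acme
    Posting("R3", date(2021, 3, 12), "Beta", 500.0),       # Gamma's cash -> Beta
    Posting("R4", date(2021, 3, 9), "Delta", 120.0),
]


def find_lapping_indicators(remits, postings, max_lag_days=2):
    """Return (finding_type, remit_id, detail) tuples for three red flags:
    cash received but never posted, cash credited to a customer other than
    the payer, and postings delayed beyond max_lag_days (an assumed threshold)."""
    by_id = {p.remit_id: p for p in postings}
    findings = []
    for r in remits:
        p = by_id.get(r.remit_id)
        if p is None:
            findings.append(("UNPOSTED", r.remit_id, f"{r.amount:.2f} from {r.customer}"))
            continue
        if p.credited_to != r.customer:
            findings.append(("MISAPPLIED", r.remit_id, f"{r.customer} -> {p.credited_to}"))
        lag = (p.posted - r.received).days
        if lag > max_lag_days:
            findings.append(("DELAYED", r.remit_id, f"{lag} days"))
    return findings


def lapping_chain(findings):
    """Follow MISAPPLIED findings from the first victim (credited with someone
    else's cash while their own remittance was never posted) to the latest
    customer whose payment was diverted. Returns (payer, credited) links."""
    links = {}  # customer credited -> customer whose cash was actually used
    for kind, _, detail in findings:
        if kind == "MISAPPLIED":
            payer, credited = detail.split(" -> ")
            links[credited] = payer
    first_victims = [d.split(" from ")[1] for k, _, d in findings if k == "UNPOSTED"]
    chain, seen = [], set()
    for cur in first_victims:
        while cur in links and cur not in seen:   # seen-guard stops cycles
            seen.add(cur)
            chain.append((links[cur], cur))
            cur = links[cur]
    return chain
```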
REDUCE FRAUD LOSSES
• Maintain adequate insurance.
• Develop comprehensive fraud contingency, disaster recovery, and business continuity plans.
• Store backup copies of program and data files in a secure off-site location.
• Use software to monitor system activity and recover from fraud.

END

Control and Accounting Information Systems

Chapter 7
Learning Objectives

• Explain basic control concepts and explain why computer control and security are important.
• Compare and contrast the COBIT, COSO, and ERM control frameworks.
• Describe the major elements in the internal environment of a company.
• Describe the control objectives companies need to set and how to identify events that affect organizational uncertainty.
• Explain how to assess and respond to risk using the Enterprise Risk Management (ERM) model.
• Describe control activities commonly used in companies.
• Describe how to communicate information and monitor control processes in organizations.

WHY THREATS TO ACCOUNTING INFORMATION SYSTEMS ARE INCREASING

• Information is available to an unprecedented number of workers. Chevron, for example, has over 35,000 PCs.
• Information on distributed computer networks is hard to control. At Chevron, information is distributed among many systems and thousands of employees worldwide. Each system and each employee represent a potential control vulnerability point.
• Customers and suppliers have access to each other’s systems and data. For example, Walmart allows vendors to access their databases. Imagine the confidentiality problems as these vendors form alliances with Walmart competitors.

Organizations have not adequately protected data for several reasons:
• Some companies view the loss of crucial information as a distant, unlikely threat.
• The control implications of moving from centralized computer systems to Internet-based systems are not fully understood.
• Many companies do not realize that information is a strategic resource and that protecting it must be a strategic requirement. For example, one company lost millions of dollars because it did not protect data transmissions. A competitor tapped into its phone lines and obtained faxes of new product designs.
• Productivity and cost pressures motivate management to forgo time-consuming control measures.
CONCEPT AND DEFINITION

The internal control system (SPI) is a process, influenced by an entity’s board of commissioners, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance (COSO: 2013).
CONCEPT AND DEFINITION
Internal Control ==> The processes implemented to provide reasonable assurance that the following control objectives are achieved:

• Safeguard assets.
• Maintain records in sufficient detail to report company assets accurately and fairly.
• Provide accurate and reliable information.
• Prepare financial reports in accordance with established criteria.
• Promote and improve operational efficiency.
• Encourage adherence to prescribed managerial policies.
• Comply with applicable laws and regulations.
IMPORTANT FUNCTIONS OF INTERNAL CONTROL

Preventive: deter problems
Detective: discover problems
Corrective: identify and correct problems

CLASSIFICATION OF INTERNAL CONTROL

General Controls
Make sure an organization’s control environment is stable and well managed.

Application Controls
Prevent and correct transaction errors and fraud in application programs.

SARBANES-OXLEY ACT

SOX – INTERNAL CONTROL FRAMEWORK

In the late 1990s and early 2000s, news stories were reporting accounting frauds at Enron, WorldCom, Xerox, Tyco, and other companies.

When Enron, with $62 billion in assets, declared bankruptcy in December 2001, it was the largest bankruptcy in U.S. history.

The Enron bankruptcy was dwarfed when WorldCom, with over $100 billion in assets, filed for bankruptcy in July 2002.

In response to these frauds, Congress passed the Sarbanes–Oxley Act (SOX) of 2002.

SOX applies to publicly held companies and their auditors. It is:
• designed to prevent financial statement fraud
• intended to make financial reports more transparent
• intended to protect investors
• intended to strengthen internal controls
• intended to punish executives who perpetrate fraud

THE MOST IMPORTANT ASPECTS OF SOX

Public Company Accounting Oversight Board (PCAOB): the PCAOB sets and enforces auditing, quality control, ethics, independence, and other auditing standards.

New rules for auditors: auditors must report specific information to the company’s audit committee, such as critical accounting policies and practices. Auditors are prohibited from performing certain non-audit services to companies if top management was employed by the auditing firm and worked on the company’s audit in the preceding 12 months.

New roles for audit committees: members must be part of the board of directors and be independent; one member must be a financial expert. The audit committee hires, compensates, and oversees the auditors, who report directly to them.

New rules for management: certify that financial statements and disclosures are fairly presented and that the auditors were told about all material internal control weaknesses and fraud.

New internal control requirements: management is responsible for establishing and maintaining an adequate internal control system.

After SOX was passed, the SEC mandated that management must:
• Base evaluation of internal control on a recognized framework (COSO ICIF, COBIT)
• Disclose all material internal control weaknesses
• Conclude that a company does not have effective financial reporting internal controls if there are material weaknesses

Control Frameworks

• COBIT
• COSO ICIF
• COSO ERM

Control Objectives for Information and Related Technology

Control Objectives for Information and Related Technology (COBIT) ---> Developed by ISACA

• Business objectives
• IT resources
• IT processes

COBIT consolidates control standards into a single framework that allows:
• management to benchmark security and control practices of IT environments,
• users to be assured that adequate IT security and controls exist, and
• auditors to substantiate their internal control opinions and to advise on IT security and control matters.

Control Objectives for Information and Related Technology

COBIT 5 principles:
• Meeting stakeholder needs.
• Covering the enterprise end-to-end.
• Applying a single, integrated framework.
• Enabling a holistic approach.
• Separating governance from management.
Governance and Management

[Figure: COBIT 5 governance and management key areas]

COSO - ICIF
OBJECTIVES

• Operations-related objectives
• Reporting-related objectives
• Compliance-related objectives

COSO - ICIF
The Committee of Sponsoring Organizations (COSO) consists of the American Accounting Association, the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives Institute.

[Figure: COSO internal control cube]

In 1992, COSO issued Internal Control—Integrated Framework (IC), which is widely accepted as the authority on internal controls and is incorporated into policies, rules, and regulations used to control business activities.

In 2013, the IC framework was updated to better deal with current business processes and technological advancements.

The new IC framework keeps the five components of the original framework and adds 17 principles that build on and support the concepts.

PRINCIPLES OF COSO ICIF (2013)

Copyright © 2012 Pearson Education

COSO ERM (Enterprise Risk Management)

[Figure: ERM cube]

• The more comprehensive ERM framework takes a risk-based rather than a controls-based approach.
• ERM adds three additional elements to COSO’s IC framework: setting objectives, identifying events that may affect the company, and developing a response to assessed risk.
• As a result, controls are flexible and relevant because they are linked to current organizational objectives.
• The ERM model also recognizes that risk, in addition to being controlled, can be accepted, avoided, diversified, shared, or transferred.

Control Environment

• Management’s philosophy, operating style, and risk appetite
• The board of directors
• Commitment to integrity, ethical values, and competence
• Organizational structure
• Methods of assigning authority and responsibility
• Human resource standards
• External influences

COSO ERM—Objective Setting
1) Strategic
High-level goals aligned with corporate mission

2) Operational
Effectiveness and efficiency of operations

3) Reporting
Complete and reliable
Improve decision making

4) Compliance
Laws and regulations are followed
ERM—Event Identification

EVENT - A positive or negative incident or occurrence from internal or external sources that affects the implementation of strategy or the achievement of objectives.

• Positive or negative impacts (or both)
• Events may trigger other events
• All events should be anticipated

Risk Assessment

>> Identify risk
• Identify likelihood of risk
• Identify positive or negative impact

>> Types of risk
• Inherent: risk that exists before any plans are made to control it
• Residual: remaining risk after controls are in place to reduce it

ERM—Risk Response
Reduce: implement effective internal control
Accept: do nothing, accept likelihood of risk
Share: buy insurance, outsource, hedge
Avoid: do not engage in activity that produces risk

Control Activities

Control Activities: policies and procedures to provide reasonable assurance that control objectives are met and risk responses are carried out.

Management must make sure that:
1. Controls are selected and developed to help reduce risks to an acceptable level.
2. Appropriate general controls are selected and developed over technology.
3. Control activities are implemented and followed as specified in company policies and procedures.

Control Activities

Control procedures fall into the following categories:


1. Proper authorization of transactions and activities
2. Segregation of duties
3. Project development and acquisition controls
4. Change management controls
5. Design and use of documents and records
6. Safeguarding assets, records, and data
7. Independent checks on performance

Information and Communication

Primary purpose of an AIS: to gather, record, process, summarize, and communicate information about an organization.

Monitoring
The internal control system that is selected or developed must be continuously monitored, evaluated, and modified as needed. Any deficiencies must be reported to senior management and the board of directors.

KEY METHODS
• Perform internal control evaluation.
• Implement effective supervision.
• Use a responsibility accounting system.
• Monitor system activities.
• Track purchased software and mobile devices.
• Conduct periodic audits.
• Employ a security officer and compliance officer.
• Engage forensic specialists.
• Install fraud detection software.
• Implement a fraud hotline.

END
CONTROLS FOR INFORMATION SECURITY
Chapter 8

POLITEKNIK KEUANGAN NEGARA STAN

D3 ACCOUNTING PROGRAM | ACADEMIC YEAR 2020/2021
LEARNING OBJECTIVES
• Explain how security and the other four principles in the Trust Services Framework affect systems reliability.
• Explain two fundamental concepts: why information security is a management issue, and the time-based model of information security.
• Discuss the steps criminals follow to execute a targeted attack against an organization’s information system.
• Describe the preventive, detective, and corrective controls that can be used to protect an organization’s information.
• Describe the controls that can be used to timely detect that an organization’s information system is under attack.
• Discuss how organizations can timely respond to attacks against their information system.
• Explain how virtualization, cloud computing, and the Internet of Things affect information security.
TRUST SERVICES PRINCIPLES FOR SYSTEMS RELIABILITY

• Security
• Confidentiality
• Privacy
• Processing Integrity
• Availability

TWO FUNDAMENTAL INFORMATION SECURITY CONCEPTS

Security is a management issue, not just a technology issue
• Effective information security requires not only the deployment of technological tools such as firewalls, antivirus, and encryption, but also senior management involvement and support throughout all phases of the security life cycle.

The time-based model of information security
• Implementing a combination of preventive, detective, and corrective controls that protect information assets long enough to enable an organization to recognize that an attack is occurring and take steps to thwart it before any information is lost or compromised.

SECURITY IS A MANAGEMENT ISSUE, NOT JUST A TECHNOLOGY ISSUE

Information security professionals possess the expertise to identify potential threats and to estimate their likelihood and impact.

• Senior management must participate in developing policies because they must decide the sanctions they are willing to impose for noncompliance.
• The active support and involvement of top management is necessary to ensure that information security training and communication are taken seriously.

Senior management must authorize investing the necessary resources to mitigate the threats identified and achieve the desired level of security.

Management must periodically reassess the organization’s risk response and, when necessary, make changes to information security policies and invest in new solutions to ensure that the organization’s information security efforts support its business strategy in a manner that is consistent with management’s risk appetite.
TIME-BASED MODEL OF SECURITY

For the organization’s information security procedures to be effective: P > D + R
• P = the time it takes an attacker to break through the various controls that protect the organization’s information assets
• D = the time it takes for the organization to detect that an attack is in progress
• R = the time it takes to respond to and stop the attack

Organizations attempt to satisfy the objective of the time-based model of security by employing the strategy of defense-in-depth.
• No control can be 100% effective, so the use of overlapping, complementary, and redundant controls increases overall effectiveness: if one control fails or gets circumvented, another may succeed.

Example: With the protection currently in place, the company’s system can be breached in 20 minutes, while the organization’s security function is able to detect an attack in 15 minutes and needs 10 minutes to respond. The organization’s information security is therefore certainly not effective, because P < D + R (20 < 15 + 10).

To become effective, the organization can take the following steps:
• Increase the P component, i.e. strengthen the security infrastructure by investing in additional controls such as firewalls.
• Improve its ability to detect attacks on the system, for example by upgrading its detection devices (IDS).
• Shorten the response time to attacks, for example by forming a dedicated unit to respond to attacks (CIRT).
UNDERSTANDING TARGETED ATTACKS

Steps in an IS System Attack
1. Conduct reconnaissance
2. Attempt social engineering
3. Scan and map the target
4. Research
5. Execute the attack
6. Cover tracks
PROTECTING INFORMATION RESOURCES

TIME-BASED MODEL COMPONENT | EXAMPLES

PROTECTION
• People: creating a “security aware” culture; training
• Process: user access control; penetration testing; change controls and change management
• IT solutions: anti-malware; network access controls; configuration controls (device and software hardening); encryption
• Physical security: physical access controls (locks, guards, etc.)
PROTECTING INFORMATION RESOURCES

TIME-BASED MODEL COMPONENT | EXAMPLES

DETECTION
• Log analysis
• Intrusion detection systems
• Continuous monitoring

RESPONSE
• Computer incident response teams (CIRT)
• Chief information security officer (CISO)
PROTECTING INFORMATION RESOURCES

TIME-BASED MODEL COMPONENT | PROTECTION: PEOPLE

1. Creating a “security aware” culture
• COBIT 5 specifically identifies an organization’s culture and ethics as one of the critical enablers for effective information security.
• To create a security-conscious culture in which employees comply with organizational policies, TOP MANAGEMENT must not only communicate the organization’s security policies, but must also LEAD BY EXAMPLE.

2. Training
• COBIT 5 identifies employee skills and competencies as another critical enabler for effective information security.
• Employees must understand how to follow the organization’s security policies.
• All employees should be taught why security measures are important to the organization’s long-run survival.
• They also need to be trained to follow safe computing practices.
• An organization’s investment in security training will be effective only if management clearly demonstrates that it supports employees who follow prescribed security policies.
PROTECTING INFORMATION RESOURCES

TIME-BASED MODEL COMPONENT | PROTECTION: PROCESS

1. USER ACCESS CONTROL: AUTHENTICATION CONTROLS
• Authentication is the process of verifying the identity of the person or device attempting to access the system.
• Three types of credentials can be used to verify a person’s identity:
  1) Something the person knows, such as passwords or personal identification numbers (PINs)
  2) Something the person has, such as smart cards or ID badges
  3) Some physical or behavioral characteristic (referred to as a biometric identifier) of the person, such as fingerprints or typing patterns.
• Multifactor authentication: the use of two or more types of authentication credentials in conjunction to achieve a greater level of security. Example: ATM card + PIN.
• Multimodal authentication: the use of multiple authentication credentials of the same type to achieve a greater level of security. Example: fingerprint + voice recognition.
PROTECTING INFORMATION RESOURCES

TIME-BASED MODEL COMPONENT | PROTECTION: PROCESS

USER ACCESS CONTROL: AUTHORIZATION CONTROLS
• Authorization is the process of restricting access of authenticated users to specific portions of the system and limiting what actions they are permitted to perform.
• Authorization controls are often implemented by creating an access control matrix.
• It is important to regularly update the access control matrix to reflect changes in job duties due to promotions or transfers.
• Otherwise, over time an employee may accumulate a set of rights and privileges that is incompatible with proper segregation of duties.
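An added example (not from the textbook or the slides) of the authorization control described above: an access control matrix held as a lookup table, an authorization check against it, and a segregation-of-duties review that catches the rights an employee accumulates after a transfer. The users, resources, actions and the conflicting-duty pairs are constructed illustration data.

```javascript
// Access control matrix: row = user, column = resource, cell = permitted actions.
// All names and rights below are constructed for illustration.
const accessControlMatrix = {
  alice: { vendor_master: ['read', 'create', 'update'], payments: ['read'] },
  bob:   { vendor_master: ['read'], payments: ['read', 'approve'] },
  carol: { payroll: ['read', 'update'] },
};

// Privilege pairs one person should never hold together (assumed policy).
const conflictingDuties = [
  { a: 'vendor_master:create', b: 'payments:approve' },
  { a: 'payroll:update', b: 'payroll:approve' },
];

// Authorization check: an unknown user or an action not granted for that
// exact resource is refused; there is no default-allow path.
function isAuthorized(matrix, user, resource, action) {
  const row = matrix[user];
  if (!row) return false;
  const actions = row[resource];
  return Array.isArray(actions) && actions.includes(action);
}

// Flatten one user's row into "resource:action" privilege strings.
function privilegesOf(matrix, user) {
  const row = matrix[user] || {};
  return Object.entries(row).flatMap(([res, acts]) => acts.map(a => `${res}:${a}`));
}

// Segregation-of-duties review: every user holding both halves of a conflict.
function sodViolations(matrix, conflicts) {
  const findings = [];
  for (const user of Object.keys(matrix)) {
    const privs = new Set(privilegesOf(matrix, user));
    for (const { a, b } of conflicts) {
      if (privs.has(a) && privs.has(b)) findings.push({ user, conflict: [a, b] });
    }
  }
  return findings;
}

// A transfer adds rights to a copy of the matrix (old rights are kept, which is
// exactly how incompatible privileges accumulate if the review is skipped).
function transferUser(matrix, user, resource, actions) {
  const copy = JSON.parse(JSON.stringify(matrix));
  copy[user] = copy[user] || {};
  const existing = new Set(copy[user][resource] || []);
  actions.forEach(a => existing.add(a));
  copy[user][resource] = [...existing];
  return copy;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(isAuthorized(accessControlMatrix, 'alice', 'payments', 'approve')); // false
  console.log(sodViolations(accessControlMatrix, conflictingDuties));            // []
  const afterTransfer = transferUser(accessControlMatrix, 'alice', 'payments', ['approve']);
  console.log(sodViolations(afterTransfer, conflictingDuties)); // alice now conflicts
}
```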
PROTECTING INFORMATION RESOURCES

TIME-BASED MODEL COMPONENT | PROTECTION: PROCESS

2. PENETRATION TEST
• A penetration test is an authorized attempt by either an internal audit team or an external security consulting firm to break into the organization’s information system.
• Penetration testing provides a more rigorous way to test the effectiveness of an organization’s information security.

3. CHANGE CONTROLS AND CHANGE MANAGEMENT
• Change control and change management refer to the formal process used to ensure that modifications to hardware, software, or processes do not reduce systems reliability.
• Good change control often results in better operating performance because there are fewer problems to fix. Companies with good change management and change control processes also experience lower costs when security incidents do happen.
PROTECTING INFORMATION RESOURCES

TIME-BASED MODEL COMPONENT | PROTECTION: IT SOLUTIONS

1. ANTI-MALWARE CONTROLS
• Malware can damage or destroy information or provide a means for unauthorized access.

PROTECTION RECOMMENDATIONS
• Malicious software awareness education
• Installation of anti-malware protection tools on all devices
• Centralized management of patches and updates to anti-malware software
• Regular review of new malware threats
• Filtering of incoming traffic to block potential sources of malware
• Training employees not to install shared or unapproved software

2. NETWORK ACCESS CONTROLS (routers, firewalls, intrusion prevention systems)
• Most organizations provide employees, customers, and suppliers with remote access to their information systems. Usually this access occurs via the Internet, but some organizations still maintain their own proprietary networks or provide direct dial-up access by modem.
PROTECTING INFORMATION RESOURCES

TIME-BASED MODEL COMPONENT | PROTECTION: IT SOLUTIONS

3. DEVICE AND SOFTWARE HARDENING CONTROLS

Endpoint configuration
• Endpoints can be made more secure by modifying their configurations. Default configurations of most devices typically turn on a large number of optional settings that are seldom, if ever, used.
• This process of modifying the default configuration of endpoints to eliminate unnecessary settings and services is called hardening.

User management
• COBIT 5 management practice DSS05.04 stresses the need to carefully manage all user accounts, especially those accounts that have unlimited (administrative) rights on that computer.

Software design
• As organizations have increased the effectiveness of their perimeter security controls, attackers have increasingly targeted vulnerabilities in application programs.
• Buffer overflows, SQL injection, and cross-site scripting are common examples of attacks against the software running on websites.
• These attacks all exploit poorly written software that does not thoroughly check user-supplied input prior to further processing.

4. ENCRYPTION
• Encryption provides a final layer of defense to prevent unauthorized access to sensitive information.
PROTECTING INFORMATION RESOURCES

TIME-BASED MODEL COMPONENT | PROTECTION: PHYSICAL SECURITY

1. ACCESS CONTROL
• Physical access control begins with entry points to the building itself.
• Ideally, there should only be one regular entry point that remains unlocked during normal office hours.
• Once inside the building, physical access to rooms housing computer equipment must also be restricted.
• These rooms should be securely locked and all entry/exit monitored by closed-circuit television systems.
• Access to the wiring used in the organization’s LANs also needs to be restricted in order to prevent wiretapping.
PROTECTING INFORMATION RESOURCES
TIME-BASED MODEL COMPONENT | DETECTING ATTACKS

Log analysis
• Most systems come with extensive capabilities for logging who accesses the system and what specific actions each user performed. These logs form an audit trail of system access.
• Like any other audit trail, logs are of value only if they are routinely examined.
• Log analysis is the process of examining logs to identify evidence of possible attacks.

Intrusion detection systems
• Network intrusion detection systems (IDSs) consist of a set of sensors and a central monitoring unit that create logs of network traffic that was permitted to pass the firewall and then analyze those logs for signs of attempted or successful intrusions.

Continuous monitoring
• COBIT 5 management practice APO01.08 stresses the importance of continuously monitoring both employee compliance with the organization’s information security policies and overall performance of business processes.
• Such monitoring is an important detective control that can timely identify potential problems and identify opportunities to improve existing controls. Measuring compliance with policies is straightforward, but effectively monitoring performance requires judgment and skill.
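An added example (not from the textbook) of the log analysis step described above: a few constructed authentication log lines are parsed and checked against two detection rules, repeated failed logins for one account inside a short window and a successful login outside office hours. The log format, the field names and the thresholds (5 failures in 60 seconds, 08:00-18:00 UTC office hours) are assumptions.

```javascript
// Constructed sample log lines, not data from any real system.
const sampleLog = [
  '2024-03-04T09:02:11Z host=app01 user=budi result=FAIL src=10.0.0.5',
  '2024-03-04T09:02:15Z host=app01 user=budi result=FAIL src=10.0.0.5',
  '2024-03-04T09:02:19Z host=app01 user=budi result=FAIL src=10.0.0.5',
  '2024-03-04T09:02:22Z host=app01 user=budi result=FAIL src=10.0.0.5',
  '2024-03-04T09:02:30Z host=app01 user=budi result=FAIL src=10.0.0.5',
  '2024-03-04T09:02:41Z host=app01 user=budi result=SUCCESS src=10.0.0.5',
  '2024-03-04T10:15:00Z host=app01 user=sari result=SUCCESS src=10.0.0.7',
  '2024-03-05T02:47:13Z host=app01 user=admin result=SUCCESS src=203.0.113.9',
];

// Parse one "timestamp key=value ..." line (assumed format). Malformed lines
// return null so that one bad record cannot stop the whole review.
function parseLine(line) {
  const m = line.match(/^(\S+)\s+(.*)$/);
  if (!m) return null;
  const entry = { time: new Date(m[1]) };
  if (Number.isNaN(entry.time.getTime())) return null;
  for (const kv of m[2].split(/\s+/)) {
    const [k, v] = kv.split('=');
    if (k && v !== undefined) entry[k] = v;
  }
  return entry;
}

// Rule 1: `threshold` or more failures for the same user within `windowSeconds`.
// Fires once, at the moment the threshold is reached.
function detectBruteForce(entries, threshold = 5, windowSeconds = 60) {
  const byUser = new Map();
  const alerts = [];
  for (const e of entries) {
    if (e.result !== 'FAIL') continue;
    const times = byUser.get(e.user) || [];
    times.push(e.time.getTime());
    const cutoff = e.time.getTime() - windowSeconds * 1000;
    const recent = times.filter(t => t >= cutoff); // keep only the sliding window
    byUser.set(e.user, recent);
    if (recent.length === threshold) {
      alerts.push({ rule: 'repeated_failures', user: e.user, src: e.src, count: recent.length });
    }
  }
  return alerts;
}

// Rule 2: successful logins outside office hours (UTC, assumed 08:00-18:00).
function detectOffHoursLogin(entries, startHour = 8, endHour = 18) {
  return entries
    .filter(e => e.result === 'SUCCESS')
    .filter(e => { const h = e.time.getUTCHours(); return h < startHour || h >= endHour; })
    .map(e => ({ rule: 'off_hours_success', user: e.user, src: e.src, time: e.time.toISOString() }));
}

// Run every rule over the parsed log and return the combined list of alerts.
function analyzeLog(lines) {
  const entries = lines.map(parseLine).filter(Boolean);
  return [...detectBruteForce(entries), ...detectOffHoursLogin(entries)];
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(analyzeLog(sampleLog)); // two alerts: budi (5 failures), admin (02:47 login)
}
```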
PROTECTING INFORMATION RESOURCES
TIME-BASED MODEL COMPONENT | RESPONDING TO ATTACKS

CIRT
• A computer incident response team (CIRT) is a team that is responsible for dealing with major security incidents.
• The CIRT should include not only technical specialists but also senior operations management, because some potential responses to security incidents have significant economic consequences.
• Incident response steps: recognition, containment, recovery, follow-up.

CISO
• It is especially important that organizations assign responsibility for information security to a chief information security officer (CISO), who should be independent of other information systems functions and should report to either the chief operating officer (COO)
• The CISO must understand the company’s technology environment and work with the chief information officer (CIO) to design, implement, and promote sound security policies and procedures.
• The CISO should have responsibility for ensuring that vulnerability and risk assessments are performed regularly.
Security Implications of Virtualization, Cloud Computing, and the Internet of Things
• Virtualization takes advantage of the power and speed of modern computers to run multiple systems simultaneously on one physical computer.
• This cuts hardware costs, because fewer servers need to be purchased. Fewer machines mean lower maintenance costs. Data center costs also fall because less space needs to be rented, which also reduces utility costs.
• Cloud computing takes advantage of the high bandwidth of the modern global telecommunication network to enable employees to use a browser to remotely access software (software as a service), data storage devices (storage as a service), hardware (infrastructure as a service), and entire application environments (platform as a service).
• Although virtualization and cloud computing can increase the risk of some threats, both developments also offer the opportunity to significantly improve overall security.
• The term Internet of Things (IoT) refers to the embedding of sensors in a multitude of devices (lights, heating and air conditioning, appliances, etc.) so that those devices can now connect to the Internet. The IoT has significant implications for information security.
• The move to the IoT means that many other devices found in work settings now provide a potential means of accessing the corporate network and, therefore, must be secured.
• The net effect of the IoT on an organization’s ability to satisfy the time-based model of security depends upon how well it addresses and uses this new development.

END
CONFIDENTIALITY AND PRIVACY CONTROL
Chapter 9

Learning Objectives
• Identify and explain controls designed to protect the confidentiality of sensitive corporate information.
• Identify and explain controls designed to protect the privacy of customers’ personal information.
• Explain how the two basic types of encryption systems work.
Preserving Confidentiality

SENSITIVE INFORMATION: strategic plans, trade secrets, process improvements, legal documents, cost information
Preserving Confidentiality & Privacy

To preserve the confidentiality of sensitive information:
1. Identify and classify the information to be protected
2. Encrypt the information
3. Control access to the information
4. Train employees to properly handle the information
CONFIDENTIALITY
Preserving Confidentiality

Identify and Classify Information to be Protected
• Identify where intellectual property and other sensitive business information resides and who has access to it.
• Classify the information in terms of its value to the organization.

Copyright © 2012 Pearson Education
Preserving Confidentiality

Protecting Confidentiality with Encryption
• Encryption is a necessary part of defense-in-depth to protect information stored on websites or in a public cloud.
• Protecting confidentiality requires application of the principle of defense-in-depth, supplementing encryption with two of the other components: access controls and training.
Preserving Confidentiality

Controlling Access to Sensitive Information
• Authentication and authorization controls are not sufficient to protect confidentiality.
• Organizations need to protect sensitive information throughout its entire life cycle, regardless of whether it is stored digitally or physically.
• Information rights management (IRM) software provides an additional layer of protection to sensitive information.
• Data loss prevention (DLP) software is one tool for protecting confidentiality over outbound communications.
• DLP software is a preventive control. It can and should be supplemented by embedding code called a digital watermark in documents.
Preserving Confidentiality

Training
• Training is arguably the most important control for protecting confidentiality.
• Employees also need to be taught how to protect confidential data.
• With proper training, employees can play an important role in protecting the confidentiality of an organization’s information and enhance the effectiveness of related controls.
PRIVACY
After Citibank’s online credit card application in Taiwan was hacked and personal customer data compromised in November 2003, the Taiwanese government imposed a 1-month moratorium on issuing new credit cards and a 3-month suspension of the online

Encryption is a fundamental control for protecting the privacy of personal information that organizations collect.
• Organizations should run data masking programs that replace such personal information with fake values before sending that data to the program development and testing system.
• Organizations also need to train employees on how to manage and protect personal information collected from customers.
Privacy Concern

SPAM
• Unsolicited e-mail that contains either advertising or offensive content.
• Spam is a privacy-related issue because recipients are often targeted as a result of unauthorized access to e-mail address lists and databases containing personal information.
• Spam not only reduces the efficiency benefits of e-mail but also is a source of many viruses, worms, spyware programs, and other types of malware.
Privacy Concern

Identity Theft
• The unauthorized use of someone’s personal information for the perpetrator’s benefit.
• Often, identity theft is a financial crime.
• A growing proportion of identity theft cases involve fraudulently obtaining medical care and services.
• Organizations have an ethical and moral obligation to implement controls to protect the personal information that they collect.
Privacy Regulatory Acts
• Health Insurance Portability and Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health Act (HITECH)
• Financial Services Modernization Act
Generally Accepted Privacy Principles

The American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) jointly developed a framework called Generally Accepted Privacy Principles (GAPP).

GAPP
1) Management. Organizations need to establish a set of procedures and policies for protecting the privacy of personal information they collect from customers, as well as information about their customers obtained from third parties such as credit bureaus.
2) Notice. An organization should provide notice about its privacy policies and practices at or before the time it collects personal information from customers, or as soon as practicable thereafter.
GAPP
3) Choice and consent. Organizations should explain the choices available to individuals and obtain their consent prior to the collection and use of their personal information.
4) Collection. An organization should collect only the information needed to fulfill the purposes stated in its privacy policies.
5) Use and retention. Organizations should use customers’ personal information only in the manner described in their stated privacy policies and retain that information only as long as it is needed to fulfill a legitimate business purpose.
6) Access. An organization should provide individuals with the ability to access, review, correct, and delete the personal information stored about them.
7) Disclosure to third parties. Organizations should disclose their customers’ personal information to third parties only in the situations and manners described in the organization’s privacy policies and only to third parties who provide the same level of privacy protection as does the organization that initially collected the information.
8) Security. An organization must take reasonable steps to protect its customers’ personal information from loss or unauthorized disclosure.
9) Quality. Organizations should maintain the integrity of their customers’ personal information and employ procedures to ensure that it is reasonably accurate.
10) Monitoring and enforcement. An organization should assign one or more employees to be responsible for ensuring compliance with its stated privacy policies.
ENCRYPTION
• Encryption is the process of transforming normal content, called plaintext, into unreadable gibberish, called ciphertext.
• Decryption reverses this process.
• The algorithm is a formula for using the key to transform the plaintext into ciphertext (encryption) or the ciphertext back into plaintext (decryption).
Factors That Influence Encryption Strength

Key length
• Longer keys provide stronger encryption by reducing the number of repeating blocks in the ciphertext.
• Key length is the number of bits (characters) used to convert text into blocks.

Algorithm
• The nature of the algorithm used to combine the key and the plaintext is important.
• A strong algorithm is difficult, if not impossible, to break by using brute-force guessing techniques.
Factors That Influence Encryption Strength

Policies for Managing Cryptographic Keys
• The management of cryptographic keys is often the most vulnerable aspect of encryption systems.
• Cryptographic keys must be stored securely and protected with strong access controls.
Types of Encryption

Symmetric: one key used to both encrypt and decrypt
• Pro: fast
• Con: vulnerable

Asymmetric: different key used to encrypt than to decrypt (public and private keys)
• Pro: very secure
• Con: very slow
Hashing
• Process that takes plaintext of any length and creates a short code.
• The code cannot be converted back to the text.
• This property of hashing algorithms provides a means to test the integrity of a document, to verify whether two copies of a document, each stored on a different device, are identical.
Digital Signature
• Digital signature = hash encrypted with the hash creator’s private key (the document creator’s key).
• The resulting encrypted hash is a digital signature that provides assurance about two important issues:
  (1) that a copy of a document or file has not been altered
  (2) who created the original version of a digital document or file.
• Thus, digital signatures provide assurance that someone cannot enter into a digital transaction and then subsequently deny they had done so and refuse to fulfill their side of the contract.
Digital Certificate
• Electronic document that contains an entity’s public key.
• Certifies the identity of the owner of that particular public key.
• Issued by a certificate authority.
Virtual Private Network (VPN)
• Private communication channels, often referred to as tunnels, which are accessible only to those parties possessing the appropriate encryption and decryption keys.
Processing Integrity and Availability Controls
Chapter 10

Learning Objectives
• Identify and explain controls designed to ensure processing integrity.
• Identify and explain controls designed to ensure systems availability.
PROCESSING INTEGRITY
The Processing Integrity principle of the Trust Services Framework states that a reliable system is one that produces information that is accurate, complete, timely, and valid (qualified output).
PROCESSING INTEGRITY
INPUT CONTROL
The phrase “garbage in, garbage out” highlights the importance of input controls. If the data entered into a system are inaccurate, incomplete, or invalid, the output will be too.

FORM DESIGN
• Source documents and other forms should be designed to minimize the chances for errors and omissions.
• Two particularly important forms design controls involve sequentially prenumbering source documents and using turnaround documents.
PROCESSING INTEGRITY
INPUT CONTROL

Cancellation and Storage of Source Documents
• Source documents that have been entered into the system should be canceled so they cannot be inadvertently or fraudulently reentered into the system.
• Original source documents (or their electronic images) should be retained for as long as needed to satisfy legal and regulatory requirements and provide an audit trail.
INPUT CONTROL

Data Entry Controls
• A field check determines whether the characters in a field are of the proper type.
• A sign check determines whether the data in a field have the appropriate arithmetic sign. For example, the quantity-ordered field should never be negative.
• A limit check tests a numerical amount against a fixed value. For example, the regular hours-worked field in weekly payroll input must be less than or equal to 40 hours.
• A range check tests whether a numerical amount falls between predetermined lower and upper limits. For example, a marketing promotion might be directed only to prospects with incomes between $50,000 and $99,999.
INPUT CONTROL

Data Entry Controls
• A size check ensures that the input data will fit into the assigned field. For example, the value 458,976,253 will not fit in an eight-digit field.
• A completeness check (or test) verifies that all required data items have been entered.
• A validity check compares the ID code or account number in transaction data with similar data in the master file to verify that the account exists.
• A reasonableness test determines the correctness of the logical relationship between two data items.
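An added example (not from the textbook) that applies the eight data entry controls from the two slides above to one constructed sales order record. The customer master file, the record layout and the cutoffs (quantity at most 1000 per line, unit price 1.00-9999.99, an eight-digit total field, and quantity x unit price = order total as the reasonableness relationship) are assumptions chosen to fit the slides' own examples.

```javascript
// Constructed customer master file used by the validity check.
const customerMasterFile = new Set(['C10001', 'C10002', 'C10003']);

// One function per control named on the slides.
function fieldCheck(value, pattern) { return pattern.test(String(value)); }        // proper character type
function signCheck(value) { return Number(value) >= 0; }                             // appropriate arithmetic sign
function limitCheck(value, max) { return Number(value) <= max; }                     // against one fixed value
function rangeCheck(value, lo, hi) { const n = Number(value); return n >= lo && n <= hi; }
function sizeCheck(value, digits) {                                                   // fits the assigned field
  return String(Math.trunc(Math.abs(Number(value)))).length <= digits;
}
function completenessCheck(record, required) {                                        // returns the missing items
  return required.filter(f => record[f] === undefined || record[f] === null || record[f] === '');
}
function validityCheck(id, masterFile) { return masterFile.has(id); }                // account exists
function reasonablenessCheck(record) {                                               // relationship between items
  const expected = Number(record.quantity) * Number(record.unitPrice);
  return Math.abs(expected - Number(record.orderTotal)) < 0.005;
}

// Run every control and return the list of failures; an empty list means the
// record is accepted. Completeness is checked first because the remaining
// tests are meaningless on a record with missing items.
function validateSalesOrder(record) {
  const missing = completenessCheck(record, ['customerId', 'quantity', 'unitPrice', 'orderTotal']);
  if (missing.length) return [`completeness: missing ${missing.join(', ')}`];
  const errors = [];
  if (!fieldCheck(record.customerId, /^C\d{5}$/)) errors.push('field: customerId must be C + 5 digits');
  if (!fieldCheck(record.quantity, /^\d+$/)) errors.push('field: quantity must be whole digits');
  if (!validityCheck(record.customerId, customerMasterFile)) errors.push('validity: customerId not in master file');
  if (!signCheck(record.quantity)) errors.push('sign: quantity must not be negative');
  if (!limitCheck(record.quantity, 1000)) errors.push('limit: quantity exceeds 1000 per line');
  if (!rangeCheck(record.unitPrice, 1, 9999.99)) errors.push('range: unitPrice outside 1.00-9999.99');
  if (!sizeCheck(record.orderTotal, 8)) errors.push('size: orderTotal does not fit an 8-digit field');
  if (!reasonablenessCheck(record)) errors.push('reasonableness: quantity x unitPrice does not equal orderTotal');
  return errors;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(validateSalesOrder({ customerId: 'C10001', quantity: 10, unitPrice: 25.5, orderTotal: 255 })); // []
  console.log(validateSalesOrder({ customerId: 'C99999', quantity: -3, unitPrice: 25.5, orderTotal: 458976253 }));
}
```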
INPUT CONTROL

Data Entry Controls
• Authorized ID numbers (such as employee numbers) can contain a check digit that is computed from the other digits. For example, the system could assign each new employee a nine-digit number, then calculate a tenth digit from the original nine and append that calculated number to the original nine to form a 10-digit ID number.
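An added example (not from the textbook) of the check digit described above: a tenth digit is computed from a nine-digit employee number and appended, and the ten-digit ID is validated on later entry. The slide does not name a formula; the Luhn (mod 10) scheme used here is an assumption, chosen because it catches every single-digit keying error and nearly all transpositions of adjacent digits.

```javascript
// Luhn sum over a digit string: every second digit from the right is doubled
// (subtracting 9 when the result exceeds 9) before the digits are added.
// `doubleRightmost` says whether the rightmost position is one of the doubled ones.
function luhnSum(digits, doubleRightmost) {
  let sum = 0;
  let dbl = doubleRightmost;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return sum;
}

// Compute the check digit for the original digits (nine of them on the slide).
// The check digit will sit at the rightmost position and is never doubled, so
// the base's own rightmost digit is the first doubled one.
function computeCheckDigit(base) {
  if (!/^\d+$/.test(base)) throw new Error('check digit needs a numeric string');
  return String((10 - (luhnSum(base, true) % 10)) % 10);
}

// Form the full ID: original digits followed by the calculated digit.
function appendCheckDigit(base) {
  return base + computeCheckDigit(base);
}

// Validate an ID that already carries its check digit: the Luhn sum of the
// whole string (rightmost digit not doubled) must be a multiple of 10.
function isValidId(id) {
  return /^\d{2,}$/.test(id) && luhnSum(id, false) % 10 === 0;
}

if (typeof require !== 'undefined' && require.main === module) {
  const id = appendCheckDigit('123456789');        // constructed employee number
  console.log(id, isValidId(id));                  // 1234567897 true
  console.log(isValidId('1234567887'));            // false: one digit mistyped
  console.log(isValidId('1234567987'));            // false: adjacent digits swapped
}
```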
INPUT CONTROL: Additional Batch Processing Controls

Data Entry Controls
• A sequence check tests whether a batch of input data is in the proper numerical or alphabetical sequence.
• Batch totals summarize numeric values for a batch of input records.
• A financial total sums a field that contains monetary values, such as the total dollar amount of all sales for a batch of sales transactions.
• A hash total sums a nonfinancial numeric field, such as the total of the quantity-ordered field in a batch of sales transactions.
• A record count is the number of records in a batch.
INPUT CONTROL: Additional Online Processing Controls

Data Entry Controls
• Prompting, in which the system requests each input data item and waits for an acceptable response, ensures that all necessary data are entered (i.e., prompting is an online completeness check).
• Closed-loop verification checks the accuracy of input data by using it to retrieve and display other related information.
PROCESSING CONTROL
• Data matching. In certain cases, two or more items of data must be matched before an action can take place.
• File labels. File labels need to be checked to ensure that the correct and most current files are being updated.
• Recalculation of batch totals. Batch totals should be recomputed as each transaction record is processed, and the total for the batch should then be compared to the values in the trailer record.
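An added example (not from the textbook) serving both the batch processing controls slide (sequence check, financial total, hash total, record count) and the recalculation of batch totals above: the totals are computed when a constructed batch of sales transactions is prepared, stored in a trailer record, and recomputed after processing so that a dropped record or a mis-keyed quantity is caught. The record layout and the fields totalled are assumptions.

```javascript
// Constructed batch of sales transactions, not real data.
const batch = [
  { docNo: 1001, account: 'A-17', quantity: 12, amount: 1200.00 },
  { docNo: 1002, account: 'A-22', quantity: 5,  amount: 375.50 },
  { docNo: 1003, account: 'A-17', quantity: 30, amount: 2990.00 },
  { docNo: 1004, account: 'A-09', quantity: 1,  amount: 99.99 },
];

// Sequence check: document numbers must be in ascending numerical order.
// Gaps are allowed here; a duplicate or out-of-order number is reported.
function sequenceCheck(records) {
  for (let i = 1; i < records.length; i++) {
    if (records[i].docNo <= records[i - 1].docNo) return { ok: false, at: records[i].docNo };
  }
  return { ok: true };
}

// The three batch totals from the slide.
function batchTotals(records) {
  const round2 = x => Math.round(x * 100) / 100;           // avoid float drift on money
  return {
    financialTotal: round2(records.reduce((s, r) => s + r.amount, 0)), // monetary field
    hashTotal: records.reduce((s, r) => s + r.quantity, 0),            // nonfinancial field, meaningless as a number
    recordCount: records.length,
  };
}

// Trailer record written when the batch is prepared for input.
function makeTrailer(records) {
  return { kind: 'TRAILER', ...batchTotals(records) };
}

// Processing control: recompute the totals over the records actually processed
// and compare each one with the trailer; any difference means records were
// lost, duplicated or altered between preparation and processing.
function reconcileWithTrailer(processed, trailer) {
  const actual = batchTotals(processed);
  const mismatches = ['financialTotal', 'hashTotal', 'recordCount'].filter(k => actual[k] !== trailer[k]);
  return { balanced: mismatches.length === 0, mismatches, expected: trailer, actual };
}

if (typeof require !== 'undefined' && require.main === module) {
  const trailer = makeTrailer(batch);
  console.log(trailer); // financialTotal 4665.49, hashTotal 48, recordCount 4
  console.log(reconcileWithTrailer(batch, trailer).balanced);                       // true
  const dropped = batch.filter(r => r.docNo !== 1002);
  console.log(reconcileWithTrailer(dropped, trailer).mismatches);                   // all three totals
  const miskeyed = batch.map(r => (r.docNo === 1001 ? { ...r, quantity: 21 } : r));
  console.log(reconcileWithTrailer(miskeyed, trailer).mismatches);                  // only hashTotal
}
```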
PROCESSING CONTROL
• Cross-footing and zero-balance tests. Often totals can be calculated in multiple ways. For example, in spreadsheets a grand total can be computed either by summing a column of row totals or by summing a row of column totals. These two methods should produce the same result. A cross-footing balance test compares the results produced by each method to verify accuracy. A zero-balance test applies this same logic to verify the accuracy of processing that involves control accounts.
• Write-protection mechanisms. These protect against overwriting or erasing of data files stored on magnetic media.
• Concurrent update controls. Errors can occur when two or more users attempt to update the same record simultaneously. Concurrent update controls prevent such errors by locking out one user until the system has finished processing the transaction entered by the other.
OUTPUT CONTROL
• User review of output. Users should carefully examine system output to verify that it is reasonable, that it is complete, and that they are the intended recipients.
• Reconciliation procedures. Periodically, all transactions and other system updates should be reconciled to control reports, file status/update reports, or other control mechanisms.
• External data reconciliation. Database totals should periodically be reconciled with data maintained outside the system.
OUTPUT CONTROL
• Data transmission controls. Controls designed to minimize the risk of data transmission errors.
• Checksums. When data are transmitted, the sending device can calculate a hash of the file. The receiving device performs the same calculation and sends the result to the sending device. If the two hashes agree, the transmission is presumed to be accurate. Otherwise, the file is resent.
AVAILABILITY
Controls Ensuring Availability
• Interruptions to business processes can cause significant financial losses.
• It is impossible to completely eliminate the risk of downtime, but it is important to minimize the risk of system downtime.
• Therefore, organizations also need controls designed to enable quick resumption of normal operations after an event disrupts system availability.
Minimize Risks

OBJECTIVE | KEY CONTROLS
To minimize risk of system downtime | preventive maintenance; fault tolerance; data center location and design; training; patch management and antivirus software
Quick and complete recovery and resumption of normal operations | backup procedures; disaster recovery plan (DRP); business continuity plan (BCP)
RECOVERY AND RESUMPTION OF NORMAL OPERATIONS

• THE PREVENTIVE CONTROLS can minimize, but not entirely eliminate, the risk of system downtime. Hardware malfunctions, software problems, or human error can cause data to become inaccessible.
• A BACKUP is an exact copy of the most current version of a database, file, or software program that can be used in the event that the original is no longer available.
• An organization’s backup procedures, DRP and BCP reflect management’s answers to two fundamental questions:
  1) How much data are we willing to recreate from source documents (if they exist) or potentially lose (if no source documents exist)?
  2) How long can the organization function without its information system?
• RECOVERY POINT OBJECTIVE (RPO), which represents the maximum amount of data that the organization is willing to have to reenter or potentially lose.
• RECOVERY TIME OBJECTIVE (RTO), which is the maximum tolerable time to restore an information system after a disaster.
DISASTER RECOVERY AND BUSINESS CONTINUITY PLANNING

A DISASTER RECOVERY PLAN (DRP) outlines the procedures to restore an organization’s IT function in the event that its data center is destroyed.

OPTIONS FOR REPLACING IT INFRASTRUCTURE
• COLD SITE, which is an empty building that is prewired for necessary telephone and Internet access, plus a contract with one or more vendors to provide all necessary equipment within a specified period of time.
• HOT SITE, which is a facility that is not only prewired for telephone and Internet access but also contains all the computing and office equipment the organization needs to perform its essential business activities.
• REAL-TIME MIRRORING, which involves maintaining two copies of the database at two separate data centers at all times and updating both databases in real-time as each transaction occurs.
DISASTER RECOVERY AND BUSINESS CONTINUITY PLANNING

A business continuity plan (BCP) specifies how to resume not only IT operations, but all business processes, including relocating to new offices and hiring temporary replacements, in the event that a major calamity destroys not only an organization’s data center but also its main headquarters.

END
CHAPTER 20
AIS, Romney & Steinbart

Introduction to Systems Development and Systems Analysis

POLITEKNIK KEUANGAN NEGARA STAN
Odd Semester, Academic Year 2022/2023 | D3 Accounting
LEARNING OBJECTIVES

• Explain the five phases of the systems development life cycle, and discuss the people involved in systems development and the roles they play.
• Explain the importance of systems development planning, and describe the types of plans and planning techniques used.
• Discuss the various types of feasibility analysis, and calculate economic feasibility using capital budgeting techniques.
• Explain why system changes trigger behavioral reactions, what form this resistance to change takes, and how to avoid or minimize the resulting problems.
• Discuss the key issues, objectives, and steps in systems analysis.
INTRODUCTION
Why Companies Change Their Systems
• Change in user or business needs
• Technology changes
• Improved business processes
• Competitive advantage
• Productivity gains
• Systems integration
• System age and need to be replaced
Software Development Problems
• Developing quality, error-free software is a difficult, expensive, and time-consuming task.
• Most software development projects deliver less, cost more, and take longer than expected.
The Standish Group found that:
• 70 percent of software development projects were late
• 54 percent were over budget
• 66 percent were unsuccessful
• 30 percent were canceled before completion
An American Management Systems study found that 75 PERCENT of all large systems are:
• not used,
• not used as intended, or
• generate meaningless reports or inaccurate data.
Example: NIKE implemented a forecasting system that did not work and had to take a multimillion-dollar inventory writedown. The system told NIKE to order $90 million of shoes that did not sell, while it had $100 million of orders on popular models that it could not meet.
SYSTEMS DEVELOPMENT
Systems Development Life Cycle (SDLC)
A five-step process used to design and implement a new system:
SYSTEMS ANALYSIS: The information needed to purchase, develop, or modify a system is gathered.
CONCEPTUAL DESIGN: ANALYSTS decide how to meet user needs, identify and evaluate design alternatives, and develop detailed specifications for what the system is to accomplish.
PHYSICAL DESIGN: TRANSLATING the broad, user-oriented conceptual design requirements into the detailed specifications used to code and test computer programs, design input and output documents, create files and databases, develop procedures, and build controls into the new system.
IMPLEMENTATION & CONVERSION: New hardware and software are installed and tested, employees are hired and trained or existing employees relocated, and processing procedures are tested and modified.
OPERATIONS & MAINTENANCE: The new system is periodically reviewed and modifications are made as problems arise or as new needs become evident.
SYSTEMS DEVELOPMENT
THE PLAYERS: Management, Users, IS Steering Committee, Project Development Team, Systems Analysts and Programmers, External Players.
MANAGEMENT
• Its role is to emphasize the importance of involving users in the process, to provide support and encouragement for development projects, and to align systems with corporate strategies.
• To establish system goals and objectives, select system department leadership and review their performance, establish policies for project selection and organizational structure, and participate in important system decisions.
USERS
• AIS users communicate their information needs to system developers.
• As project development team or steering committee members, they help manage systems development.
• As requested, accountants help design, test, and audit the controls that ensure the accurate and complete processing of data.
IS STEERING COMMITTEE
• Its role is to plan and oversee the information systems function.
• It consists of high-level management, such as the controller and systems and user-department management.
• The steering committee sets AIS policies; ensures top-management participation, guidance, and control; and facilitates the coordination and integration of systems activities.
PROJECT DEVELOPMENT TEAM
• Each development project has a team of systems analysts and specialists, managers, accountants, and users to guide its development.
• Team members plan each project, monitor it to ensure timely and cost-effective completion, make sure proper consideration is given to the human element, and communicate project status to top management and the steering committee.
• They should communicate frequently with users and hold regular meetings to consider ideas and discuss progress so that there are no surprises upon project completion.
SYSTEMS ANALYSTS AND PROGRAMMERS
• Systems analysts help users determine their information needs, study existing systems and design new ones, and prepare the specifications used by computer programmers.
• ANALYSTS interact with employees throughout the organization to bridge the gap between the user and technology.
• ANALYSTS are responsible for ensuring that the system meets user needs.
• COMPUTER PROGRAMMERS write and test programs using the specifications developed by systems analysts. They also modify and maintain existing computer programs.
EXTERNAL PLAYERS
Customers, vendors, external auditors, and governmental entities play a role in systems development. For example, Walmart vendors are required to implement and use electronic data interchange (EDI).
PLANNING SYSTEMS DEVELOPMENT
• Planning has distinct advantages. It enables the system’s goals and objectives to correspond to the organization’s overall strategic plan. Systems are more efficient, subsystems are coordinated, and there is a sound basis for selecting new applications for development.
• The system is less costly and easier to maintain.
• Management is prepared for resource needs, and employees are prepared for the changes that will occur.
• When development is poorly planned, a company must often return to a prior phase and correct errors and design flaws.
• This is costly and results in delays, frustration, and low morale.
Project Development Plan
• Prepared by the project team
• Contains a cost/benefit analysis
• Developmental and operational requirements (people, hardware, software, and financial)
• Schedule of the activities required to develop and operate the new application
Master Plan
• Prepared by the information systems steering committee
• What the system will consist of
• How it will be developed
• Who will develop it
• How needed resources will be acquired
• Where the AIS is headed
• It describes the status of projects in process, prioritizes planned projects, describes the criteria used for prioritization, and provides development timetables
PLANNING TECHNIQUES
PERT (the program evaluation and review technique)
• A way to plan, develop, coordinate, control, and schedule systems development activities; all activities, and precedent and subsequent relationships among activities, are identified and shown on a PERT diagram.
• The activities and relationships are used to draw a PERT diagram, which is a network of arrows and nodes representing project activities that require an expenditure of time and resources and the completion and initiation of activities.
• Completion time estimates are made, and the critical path—the path requiring the greatest amount of time—is determined. If any activity on the critical path is delayed, then the whole project is delayed. If possible, resources can be shifted to critical path activities to reduce project completion time.
(Figure source: Wikipedia, 2020)
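The critical-path determination described above, as an added example that is not part of the slides: a forward and backward pass over an activity network, with zero-slack activities forming the critical path. SAMPLE_PROJECT (activities A to H, durations in weeks, predecessors) is constructed sample data.

```python
"""Critical path of a PERT activity network (forward and backward pass).

Added example; not taken from the slides. SAMPLE_PROJECT below is
constructed sample data: activities A..H with durations in weeks and
their predecessor activities.
"""
from collections import deque

# Constructed sample network: name -> (duration in weeks, [predecessors]).
SAMPLE_PROJECT = {
    "A": (2, []),          # initial investigation
    "B": (4, ["A"]),       # systems survey
    "C": (2, ["A"]),       # feasibility study
    "D": (3, ["B", "C"]),  # information needs and requirements
    "E": (3, ["D"]),       # conceptual design
    "F": (5, ["E"]),       # physical design
    "G": (2, ["E"]),       # write procedures and controls
    "H": (2, ["F", "G"]),  # testing and conversion
}


def topological_order(activities):
    """Kahn's algorithm: an order in which every predecessor comes first.

    Raises ValueError for an unknown predecessor or a cycle, since no
    schedule exists in either case.
    """
    successors = {name: [] for name in activities}
    indegree = {name: 0 for name in activities}
    for name, (_, preds) in activities.items():
        for pred in preds:
            if pred not in activities:
                raise ValueError(f"{name}: unknown predecessor {pred}")
            successors[pred].append(name)
            indegree[name] += 1
    ready = deque(n for n, d in indegree.items() if d == 0)
    order = []
    while ready:
        node = ready.popleft()
        order.append(node)
        for succ in successors[node]:
            indegree[succ] -= 1
            if indegree[succ] == 0:
                ready.append(succ)
    if len(order) != len(activities):
        raise ValueError("precedence relationships contain a cycle")
    return order, successors


def critical_path(activities):
    """Return (project_duration, critical_activities, schedule).

    schedule maps each activity to (ES, EF, LS, LF, slack): earliest
    start/finish from the forward pass, latest start/finish from the
    backward pass. Activities with zero slack form the critical path;
    delaying any of them delays the whole project.
    """
    order, successors = topological_order(activities)
    es, ef = {}, {}
    for node in order:  # forward pass: earliest start after all predecessors
        duration, preds = activities[node]
        es[node] = max((ef[p] for p in preds), default=0)
        ef[node] = es[node] + duration
    project_duration = max(ef.values(), default=0)
    ls, lf = {}, {}
    for node in reversed(order):  # backward pass: latest finish before successors
        duration = activities[node][0]
        lf[node] = min((ls[s] for s in successors[node]),
                       default=project_duration)
        ls[node] = lf[node] - duration
    schedule = {n: (es[n], ef[n], ls[n], lf[n], ls[n] - es[n]) for n in order}
    critical = [n for n in order if schedule[n][4] == 0]
    return project_duration, critical, schedule


def with_duration(activities, name, duration):
    """Copy of the network with one activity's duration changed, for
    what-if questions such as "what happens if G slips by three weeks?"."""
    changed = dict(activities)
    changed[name] = (duration, activities[name][1])
    return changed


if __name__ == "__main__":
    total, critical, schedule = critical_path(SAMPLE_PROJECT)
    print(f"project duration: {total} weeks; critical path: {'-'.join(critical)}")
    print("act  ES  EF  LS  LF  slack")
    for name, (es_, ef_, ls_, lf_, slack) in schedule.items():
        print(f"{name:>3} {es_:>3} {ef_:>3} {ls_:>3} {lf_:>3} {slack:>6}")
    # A non-critical activity can slip within its slack without delaying the project.
    print("G slips 3 weeks:", critical_path(with_duration(SAMPLE_PROJECT, "G", 5))[0])
    print("G slips 4 weeks:", critical_path(with_duration(SAMPLE_PROJECT, "G", 6))[0])
```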
GANTT CHART: A bar graph used for project planning.
• It shows project activities on the left, units of time across the top, and the time each activity is expected to take as a horizontal bar.
• The primary advantage of the Gantt chart is the ability to show graphically the entire schedule for a large, complex project, including progress to date and status.
• A disadvantage is that the charts do not show the relationships among project activities.
SYSTEMS ANALYSIS
When a new or improved system is needed, a written request for systems development is prepared. The request describes the current problems, the reasons for the change, the proposed system’s objectives, and its anticipated benefits and costs.
REQUEST FOR SYSTEMS DEVELOPMENT: A written request for a new or improved system that describes the current system’s problems, the reasons for the change, and the proposed system’s objectives, benefits, and costs.
1. INITIAL INVESTIGATION
• An initial investigation is conducted to screen the requests for systems development.
• The project’s scope (what it should and should not accomplish) is determined.
• A new AIS is useful when problems result from lack of information, inaccessibility of data, and inefficient data processing.
• The initial investigation should also determine a project’s viability and preliminary costs and benefits.
• A proposal to conduct systems analysis is prepared for approved projects. The project is assigned a priority and added to the master plan.
2. SYSTEMS SURVEY
An extensive study of the current AIS. Its objectives:
• Gain an understanding of company operations, policies, procedures, and information flow; AIS strengths and weaknesses; and available hardware, software, and personnel.
• Make preliminary assessments of current and future processing needs, and determine the extent and nature of the changes needed.
• Develop working relationships with users, and build support for the AIS.
• Collect data that identify user needs, conduct a feasibility analysis, and make recommendations to management.
Data about the current AIS is gathered from employees and from documentation such as organizational charts and procedure manuals. External sources include consultants, customers and suppliers, industry associations, and government agencies.
> INTERVIEW
An interview gathers answers to “why” questions. Care must be taken to ensure that personal biases, self-interest, or a desire to say what the employee thinks the interviewer wants to hear does not produce inaccurate information.
> QUESTIONNAIRES
Questionnaires are used when the amount of information to be gathered is small and well defined, is obtained from many people or from those who are located elsewhere, or is intended to verify data from other sources.
> OBSERVATION
• Observation is used to verify information gathered using other approaches and to determine how a system actually works, rather than how it should work.
• It is difficult to interpret observations because people may change their normal behavior or make mistakes when they know they are being observed.
> SYSTEMS DOCUMENTATION
A complete description of how the system is supposed to work, including questionnaire copies, interview notes, memos, document copies, and models.
3. FEASIBILITY STUDY
An investigation to determine whether it is practical to develop a new application or system.
• At major decision points, the steering committee reassesses feasibility to decide whether to terminate a project, proceed unconditionally, or proceed if specific problems are resolved.
• Early go/no-go decisions are particularly important because each subsequent SDLC step requires more time and monetary commitments.
• The further along a development project is, the less likely it is to be canceled if a proper feasibility study has been prepared and updated.
Types of feasibility: Economic Feasibility, Technical Feasibility, Legal Feasibility, Scheduling Feasibility, Operational Feasibility.
ECONOMIC FEASIBILITY
During systems design, alternative approaches to meeting system requirements are developed. Too often, companies overspend on technology because IT costs and payoffs are not measured and evaluated like other corporate investments.
• Many organizations now use capital budgeting return-on-investment techniques to evaluate the economic merits of the alternatives.
• In a capital budgeting model, benefits and costs are estimated and compared to determine whether the system is cost beneficial.
• Benefits and costs that are not easily quantifiable are estimated and included.
• If they cannot be accurately estimated, they are listed, and their likelihood and expected impact on the organization evaluated.
• Tangible and intangible benefits include cost savings, improved customer service, productivity increases, improved data processing, better decision making, greater management control, increased job satisfaction, and increased employee morale.
CAPITAL BUDGETING: CALCULATING ECONOMIC FEASIBILITY techniques:
Payback Period: A return-on-investment technique used to calculate the number of years required for the net savings of a system to equal its initial cost.
Net Present Value (NPV): A return-on-investment technique that discounts all estimated future cash flows back to the present using a discount rate that reflects the time value of money.
Internal Rate of Return (IRR): A return-on-investment technique that calculates the interest rate that makes the present value of total costs equal to the present value of total savings.
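The three capital budgeting techniques defined above, as an added worked example that is not from the slides: the initial cost, annual net savings and discount rate are constructed sample figures, and the IRR is found by bisection on the NPV function.

```python
"""Economic feasibility with capital budgeting: payback period, NPV, IRR.

Added example, not from the slides. The project figures below are
constructed sample data (one-time cost today, then annual net savings).
"""

# Constructed sample project: cost paid today, net savings at each year end.
INITIAL_COST = 200_000.0
ANNUAL_NET_SAVINGS = [60_000.0, 70_000.0, 80_000.0, 80_000.0, 60_000.0]
DISCOUNT_RATE = 0.10  # assumed rate reflecting the time value of money


def payback_period(initial_cost, annual_net_savings):
    """Years until cumulative net savings equal the initial cost.

    Savings are assumed to accrue evenly within a year, so the result is
    interpolated (2.875 = two full years plus 7/8 of the third). Returns
    None when the savings never repay the cost within the horizon given.
    """
    cumulative = 0.0
    for year, saving in enumerate(annual_net_savings, start=1):
        if saving > 0 and cumulative + saving >= initial_cost:
            return (year - 1) + (initial_cost - cumulative) / saving
        cumulative += saving
    return None


def npv(rate, initial_cost, annual_net_savings):
    """Net present value: discount each year's savings back to today at
    `rate` and subtract the initial cost. A positive NPV means the system
    is cost beneficial at that discount rate."""
    present_value = sum(cf / (1.0 + rate) ** t
                        for t, cf in enumerate(annual_net_savings, start=1))
    return present_value - initial_cost


def irr(initial_cost, annual_net_savings, lo=0.0, hi=10.0, tol=1e-6):
    """Internal rate of return: the rate at which the present value of
    savings equals the present value of costs, i.e. NPV == 0.

    Found by bisection on npv() over [lo, hi]. Returns None if NPV has the
    same sign at both ends (for example the savings never cover the cost),
    since then no IRR exists in that range.
    """
    f_lo = npv(lo, initial_cost, annual_net_savings)
    f_hi = npv(hi, initial_cost, annual_net_savings)
    if f_lo * f_hi > 0:
        return None
    for _ in range(200):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, initial_cost, annual_net_savings)
        if abs(f_mid) < tol:
            return mid
        if (f_mid < 0) == (f_lo < 0):
            lo, f_lo = mid, f_mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def evaluate(initial_cost, annual_net_savings, discount_rate):
    """Apply all three techniques; the project is judged cost beneficial
    when NPV at the discount rate is positive (equivalently, when the IRR
    exceeds the discount rate)."""
    value = npv(discount_rate, initial_cost, annual_net_savings)
    return {
        "payback_years": payback_period(initial_cost, annual_net_savings),
        "npv": value,
        "irr": irr(initial_cost, annual_net_savings),
        "cost_beneficial": value > 0,
    }


if __name__ == "__main__":
    result = evaluate(INITIAL_COST, ANNUAL_NET_SAVINGS, DISCOUNT_RATE)
    print(f"payback period : {result['payback_years']:.3f} years")
    print(f"NPV at {DISCOUNT_RATE:.0%}    : {result['npv']:,.2f}")
    print(f"IRR            : {result['irr']:.2%}")
    print("cost beneficial:", result["cost_beneficial"])
```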
4. INFORMATION NEEDS AND SYSTEMS REQUIREMENTS
Once a project is deemed feasible, the company identifies the information needs of users and documents systems requirements.
• Determining information needs is a challenging process because of the sheer quantity and variety of information that must be specified. In addition, it may be difficult for employees to articulate their information needs, or they may identify them incorrectly. According to CIO magazine, 70% of project failures are due to insufficient, inaccurate, or outdated systems requirements.
• It is difficult for a system to satisfy every objective. For example, designing adequate internal controls is a trade-off between the objectives of economy and reliability.
The following strategies are used to determine AIS requirements:
• Ask users what they need.
• Analyze external systems.
• Examine existing systems.
• Create a prototype.
4. SYSTEMS ANALYSIS REPORT
SYSTEMS ANALYSIS REPORT: Comprehensive report summarizing systems analysis that documents the findings of analysis activities.
A go/no-go decision is made up to three times during systems analysis:
1) first, during the initial investigation, to determine whether to conduct a systems survey;
2) second, at the end of the feasibility study, to determine whether to proceed to the information requirements phase;
3) and third, at the completion of the analysis phase, to decide whether to proceed to conceptual systems design.
BEHAVIORAL ASPECTS OF CHANGE
• Individuals participating in systems development are change agents who are continually confronted by resistance to change.
• The behavioral aspects of change are crucial, because the best system will fail without the support of the people it serves.
• Organizations must be sensitive to and consider the feelings and reactions of persons affected by change.
WHY BEHAVIORAL PROBLEMS OCCUR
• Fear
• Top-management support
• Experience with prior changes
• Communication
• Disruptive nature of change
• Manner in which change is introduced
• Biases and emotions
• Personal characteristics and background
HOW PEOPLE RESIST CHANGE
• Aggression: Behavior that destroys, cripples, or weakens system effectiveness, such as increased error rates, disruptions, or deliberate sabotage.
• Projection: Blaming the new system for everything that goes wrong.
• Avoidance: Ignoring a new AIS in the hope that the problem (the system) will eventually go away.
PREVENTING BEHAVIORAL PROBLEMS
1. Obtain management support
2. Meet user needs
3. Involve users
4. Allay fears, and stress new opportunities
5. Avoid emotionalism
6. Provide training
7. Reexamine performance evaluation
8. Keep communication lines open
9. Test the system
10. Keep the system simple, and humanize it
11. Control users’ expectations
THE END

AIS CHAPTER 21 (Romney & Steinbart)
AIS Development Strategies
POLITEKNIK KEUANGAN NEGARA STAN
Odd Semester, Academic Year 2022/2023 | D3 Accounting
LEARNING OBJECTIVES
• Describe how organizations purchase application software, vendor services, and hardware.
• Explain how information system departments develop custom software.
• Explain why organizations outsource their information systems, and evaluate the benefits and risks of this strategy.
• Explain how business process management, prototyping, agile development, and computer-aided software engineering can help improve system development.
INTRODUCTION
Companies have experienced the following difficulties when developing an accounting information system (AIS):
• Development requests are so numerous that projects are backlogged for years.
• Users discover that the new AIS does not meet their needs.
• Development takes so long the system no longer meets company needs.
• Users do not adequately specify their needs because they do not know what they need or they cannot communicate the needs to systems developers.
• Changes are difficult to make after requirements are frozen. If users keep changing requirements, the AIS may take forever to finish.
WAYS TO OBTAIN AN AIS
• Purchasing Software
• Develop software in-house (IS Departments)
• Outsourcing the System
Canned software: sold to users with similar requirements.
Turnkey System: Software and hardware sold as a package.
Application Service Provider (ASP): Software is provided to user via the Internet.
Purchasing Software
Selecting a Vendor
• Vendors are found by referrals, at conferences, in industry magazines, and on the Internet.
• Choosing must be done carefully because vendors with little experience, insufficient capital, or a poor product.
Acquiring Hardware and Software
• Companies that buy large or complex systems send vendors a request for proposal (RFP), asking them to propose a system that meets their needs.
• The best proposals are investigated to verify that company requirements can be met.
Using an RFP is important because it:
• Saves time
• Simplifies the decision-making process
• Reduces errors
• Avoids potential for disagreement
Evaluate Proposals and Selecting a System
• Proposals that lack important information, fail to meet minimum requirements, or are ambiguous are eliminated.
• Proposals passing this preliminary screening are compared with system requirements to determine whether all mandatory requirements are met and how many desirable requirements are met.
• Top vendors are invited to demonstrate their system using company-supplied data to measure system performance and validate the vendor’s claims.
BENCHMARK PROBLEM: Comparing systems by executing an input, processing, and output task on different computer systems and evaluating the results.
POINT SCORING: Evaluating the overall merits of vendor proposals by assigning a weight to each evaluation criterion based on its importance.
REQUIREMENTS COSTING: Comparing systems based on the cost of all required features; when software does not meet all requirements, the cost of developing unavailable features is estimated and added to its cost.
DEVELOPMENT BY IN-HOUSE IS DEPARTMENTS
Custom software: Software developed and written in-house to meet the unique needs of a particular company.
• Organizations develop custom software when doing so provides a significant competitive advantage.
• The hurdles that must be overcome to develop quality software are the significant amounts of time required, the complexity of the system, poor requirements, insufficient planning, inadequate communication and cooperation, lack of qualified staff, and poor top-management support.
• Custom software is created in-house or by an outside company hired to write the software or assemble it from its inventory of program modules.
When using an outside developer, a company maintains control over the development process as follows:
• Carefully select a developer that has experience in the company’s industry and an in-depth understanding of how the company conducts its business.
• Sign a contract that rigorously defines the relationship between the company and the developer.
• Plan the project in detail and frequently monitor each step in the development.
• Communicate frequently and effectively.
• Control all costs and minimize cash outflows until the project is accepted.
END-USER-DEVELOPED SOFTWARE
• End-user computing (EUC) is the hands-on development, use, and control of computer-based information systems by users.
• EUC is people using IT to meet their information needs rather than relying on systems professionals.
• End-user development is inappropriate for complex systems.
The following are examples of appropriate end-user development:
• Retrieving information from company databases to produce simple reports or to answer one-time queries
• Performing “what-if,” sensitivity, or statistical analyses
• Developing applications using software such as a spreadsheet or a database system
• Preparing schedules, such as depreciation schedules and loan amortizations
ADVANTAGES OF EUC
• User creation, control, and implementation
• Systems that meet user needs
• Timeliness
• Freeing up of systems resources
• Versatility and ease of use
DISADVANTAGES OF EUC
• Logic and development errors
• Inadequately tested applications
• Inefficient systems
• Poorly controlled and documented systems
• System incompatibilities
• Increased costs
OUTSOURCING THE SYSTEM
• Outsourcing is hiring an outside company to handle all or part of an organization’s data processing activities.
• Outsourcing was initially used for standardized applications such as payroll and accounting or by companies who wanted a cash infusion from selling their hardware.
ADVANTAGES OF OUTSOURCING
• A business solution
• Asset utilization
• Access to greater expertise and better technology
• Lower costs
• Less development time
• Elimination of peaks-and-valleys usage
• Facilitation of downsizing
DISADVANTAGES OF OUTSOURCING
• Inflexibility
• Loss of control
• Reduced competitive advantage
• Locked-in system
• Unfulfilled goals
• Poor service
• Increased risk
METHODS FOR IMPROVING SYSTEMS DEVELOPMENT
• Business Process Management
• Prototyping
• Computer-Aided Software Engineering (CASE) Tools
BUSINESS PROCESS MANAGEMENT
• As organizations seek to improve their information systems and comply with legal and regulatory reforms, they are paying greater attention to their business processes.
• Business process reengineering (BPR) is a drastic, one-time-event approach to improving and automating business processes.
• Business process management (BPM) is a systematic approach to continuously improving and optimizing an organization’s business processes.
PROTOTYPING
• Prototyping is a systems design approach in which a simplified working model of a system is developed.
• Prototyping helps capture user needs and helps developers and users make conceptual and physical design decisions.
Advantages:
• Better definition of user needs
• Higher user involvement and satisfaction
• Faster development time
• Fewer errors
• More opportunity for change
• Less costly
Disadvantages:
• Significant user time
• Less efficient use of system resources
• Inadequate testing and documentation
• Negative behavioral reactions
• Never-ending development
COMPUTER-AIDED SOFTWARE ENGINEERING (CASE) TOOLS
• CASE is an integrated package of tools that skilled designers use to help plan, analyze, design, program, and maintain an information system.
• CASE software typically has tools for strategic planning, project and system management, database design, screen and report layout, and automatic code generation. Many companies use CASE tools.
Advantages:
• Improved productivity
• Improved program quality
• Cost savings
• Improved control procedures
• Simplified documentation
Disadvantages/Problems:
• Incompatibility
• Cost
• Unmet expectations
THE END

Chapter 22
Systems Design, Implementation, and Operation
Learning Objectives
• Discuss the conceptual systems design process and the activities in this phase.
• Discuss the physical systems design process and the activities in this phase.
• Discuss the systems implementation and conversion process and the activities in this phase.
• Discuss the systems operation and maintenance process and the activities in this phase.
Systems Development Life Cycle (SDLC)
1. System Analysis
2. Conceptual Design
3. Physical Design
4. Implementation & Conversion
5. Operations & Maintenance
Conceptual Design
Conceptual Systems Design
In conceptual design, the developer creates a general framework for implementing user requirements and solving the problems identified in the analysis phase.
Evaluate Design Alternatives
There are many ways to design an AIS, so systems designers must make many design decisions.
There are many ways an organization can approach the systems development process. It can purchase software, ask in-house information systems (IS) staff to develop it, or hire an outside company to develop and manage the system. The company could modify existing software or redesign its business processes and develop software to support the new processes.
Standards should be used to evaluate design alternatives:
• how well it meets organizational and system objectives
• how well it meets user needs
• whether it is economically feasible
• how advantages weigh against disadvantages
PREPARE DESIGN SPECIFICATIONS AND REPORT
• Output
• Data Storage
• Input
• Processing procedures and operations
A conceptual systems design report summarizes conceptual design activities, guides physical design activities, communicates how all information needs will be met, and helps the steering committee assess feasibility.
Physical System Design
During physical design, the broad, user-oriented AIS REQUIREMENTS of conceptual design are translated into DETAILED SPECIFICATIONS that are used to code and test the computer programs.
Output Design
Determine the nature, format, content, and timing of reports, documents, and screen displays.
Types of Output:
• Scheduled reports
• Special-purpose analysis reports
• Triggered exception reports
• Demand reports
FILE AND DATABASE DESIGN
Data in various company units should be stored in compatible
formats to help avoid the problem

INPUT DESIGN
Input design considerations include what types of data will be input and the optimal input method.
• Input media
• Form design
• Computer screen design
INPUT DESIGN CONSIDERATIONS: Medium, Source, Format, Type, Volume, Frequency, etc.
PRINCIPLES OF GOOD FORM DESIGN
General Considerations
• Are preprinted data used as much as possible?
• Are the weight and grade of the paper appropriate for the planned use?
• Do bold type, lines, and shading highlight different parts of the form?
• Is the form a standard size?
• Is the form size consistent with filing, binding, or mailing requirements?
• If the form is mailed, will the address show in a window envelope?
• Are copies printed in different colors to facilitate proper distribution?
• Do clear instructions explain how to complete the form?
Introduction
• Does the form name appear at the top in bold type?
• Is the form consecutively prenumbered?
• Is the company name and address preprinted on forms sent to external parties?
Main Body
• Is logically related information (e.g., customer name, address) grouped together?
• Is there sufficient room to record each data item?
• Is data entry consistent with the sequence the data is acquired?
• Are codes or check-offs that are used instead of written entries adequately explained?
Conclusion
• Is space provided to record the final disposition of the form?
• Is space provided for a signature(s) to indicate transaction approval?
• Is space provided to record the approval date?
• Is space provided for a dollar or numeric total?
• Is the distribution of each copy of the form clearly indicated?
Program Design
Determine user needs.
Create and document development plan.
Write program instructions (computer code).
Test the program (debug for errors).
Document the program.
Train the users.
Install the system.
Use and modify the system.
Procedures and Controls
Procedures for who, what, where, why, when:
• Input preparation
• Transaction processing
• Error detection and correction
• Controls
• Reconciliation of balances
• Database access
• Output preparation and distribution
• Computer operator instructions
Control considerations:
• Validity
• Authorization
• Accuracy
• Security
• Numerical control
• Availability
• Maintainability
• Integrity
• Audit control
Implementation and Conversion
>> An implementation plan consists of implementation tasks, expected completion dates, cost estimates, and who is responsible for each task.
>> The plan specifies when the project should be complete and when the AIS is operational.
>> The implementation team identifies factors that decrease the likelihood of successful implementation, and the plan contains a strategy for coping with each factor.
Types of Documentation
Development Documentation: A system description; copies of output, input, and file and database layouts; program flowcharts; test results; and user acceptance forms.
Operations Documentation: Includes operating schedules; files and databases accessed; and equipment, security, and file-retention requirements.
User Documentation: Teaches users how to operate the AIS; it includes a procedures manual and training materials.
Types of System Testing
Walk-Through: Step-by-step reviews of procedures or program logic to find incorrect logic, errors, omissions, or other problems.
Processing Test Data: Using both valid transactions and all possible error conditions.
Acceptance Tests: Real transactions and files rather than hypothetical ones; users develop the acceptance criteria and make the final decision whether to accept the AIS.
Types of Conversions
Direct: Terminates the old AIS when the new one is introduced.
Parallel: Operates the old and new systems simultaneously for a period.
Phase-in: Gradually replaces elements of the old AIS with the new one.
Pilot: Implements a system in one part of the organization, such as a branch location.
Operations and Maintenance
Post-Implementation Review: Determines whether the system meets its planned objectives. Problems uncovered during the review are brought to management’s attention, and the necessary adjustments are made.
Factors to Investigate During Postimplementation Review
• Goals and objectives
• Satisfaction
• Benefits
• Costs
• Reliability
• Accuracy
• Timeliness
• Compatibility
• Controls and security
• Errors
• Training
• Communications
• Organizational changes
• Documentation
THE END