AIS-notes- textbook notes PDF

Title AIS-notes- textbook notes
Course Accounting Information Systems
Institution Brock University

ACTG 3P97 FINAL NOTES

Chapter 1

Accounting Information System:

A system that records, processes, and reports on transactions to provide financial and nonfinancial information to make decisions and have appropriate levels of internal controls for those transactions.

Attributes of useful information:

• Relevance
  o Must be relevant to the decision maker, and have these attributes:
    - Have predictive value
    - Have feedback value
    - Available when needed (Timeliness)
• Reliability
  o Users should be able to use the information and depend on it to be free of bias
    - Can be verified by independent parties
    - Has representational faithfulness (reports what actually happened)
    - Is neutral; information is not biased

Firm Profitability 

A recent study has suggested there was a correlation between the firm’s annual IT investment and the subsequent accounting earnings (measured by ROS, ROA ratios)

Stock Prices and AIS Investments 

With regard to stock prices, when a public firm announces its investment to the public, external members generally analyze whether or not the investment will increase profitability
  o A study conducted with 315 firms suggested that AIS investments increased the firm market value as they made the businesses more efficient and had the public agree with their investment

There are 3 types of AIS investments:

• Automate (+0.05%):
  o Replacing human labor by automating business processes
• Informate (+0.4%):
  o Up: Providing business activity information to senior management
  o Down: Providing business activity information to employees across the firm
• Transform (+1.51%):
  o Redefining the business processes and relationships

Chapter 2

Purpose of Documentation

• Documentation explains how business processes and systems work.
  o Is a “tool for information transmission and communication”
  o Includes:
    - Business Processes: A defined sequence of business activities that transforms into outputs
    - Business Analysis: The process of defining business requirements and evaluating potential improvements.
    - Business Models: A representation of one or more business processes. Defined in a graphical sense
• It is important because:
  o It helps employees learn how the business processes and systems operate
  o Provides an official description of how business systems and AIS work.
    - Thus supports internal/external audit requirements
  o Provides audit trails, which help auditors evaluate internal controls
  o Documentation makes the firm more accountable
    - Documentation would specify who is authorized to process orders, etc.
  o Clearly describes the way processes work
    - Provides a common language for all parties that interact with the system
  o Documentation makes it easier for businesses to determine what needs to be changed
    - Major areas include:
      - Effectiveness: are results as expected?
      - Efficiency: Can we use fewer resources to achieve the same result?
      - Internal controls: are they working?
      - Compliance to policies/statutes: does it comply?

Characteristics of Activity Models

Activity Models

• Describe the sequence of workflow in a business process(es).
• They are tools for planning, documenting, discussing, and implementing systems
  o Are later used to facilitate these processes
• Must describe:
  o Events that start, or stop in the process
  o Activities and tasks within the process
  o The sequence flow between tasks
  o Decision points that affect the flow
  o Division of activity depending on organizational roles

Chapter 3

Building blocks of UMLs (Unified Modeling Language)

Class Diagrams:

• Class:
  o Any separate identifiable collection of things (objects) about which the organization wants to collect and store information
    - Can represent assets, people, events, and conceptual structures
• Associations:
  o Depicts a relationship between two classes
  o Association names are verbs (owns, serviced by, licensed by)
    - E.g. Customers participate in sales
    - Professors teach classes
• Multiplicities
  o Describe the minimum and maximum number of times instances in one class can be associated with instances in another class
  o For classes, are represented by a pair of numbers ((min:0,1,n),(max:1,n))
    - E.g. An individual does not need to own a registered vehicle
    - Or can own a lot of them
    - E.g. A registered vehicle is mandatory to be owned by a person
• Attributes
  o Data elements that describe the instances in the class
  o There are 2 types of keys
    - Primary:
      - An attribute/combination of attributes that uniquely define each instance in the table
        (E.g. Orders: Order number, Customer: Customer number)
      - Cannot change, or be null
    - Foreign Keys
      - An attribute/combination of attributes that allows tables to be linked together
        (It is a primary key of another table linked to another table)
      - E.g. Orders (PK) have foreign key, Customer # (FK)

Processes of UML mapping

• Map Classes to Tables
  o Also determine Multiplicities
  o (refer to associations)
• Map Class Attributes to table fields and assign primary keys
• Map Associations to foreign keys
• Create new tables to implement many-to-many relationships
  o Have primary keys connected
    - E.g. Serviced by: AutoID, and DealerID
• Implement relationships among tables

Chapter 4

Fundamentals of Relational Databases

• Entities and Attributes
  o Attributes
    - Characteristics, properties or adjectives that describe each class
    - E.g. Customer ID, Customer Last name, Date, Product number
• Keys and Relationships
  o Logical relationships are created by primary and foreign keys
    - Primary Key
      - An attribute that uniquely defines an entity in the specific row of the table
    - Foreign Key
      - In the relational database model, serves as an attribute in one table that is a primary key to another
        (A primary key that is in another table)
      - E.g. Customer ID in the Invoice table

Basic Requirements of Tables

• Entity Integrity Rule:
  o The primary key cannot be null
• Referential integrity rule
  o The data value of a foreign key must be null, or match one of the values in its own table
• Each attribute must have its own name
• Values of a specific attribute must be of the same type
• Each attribute (column) of a record must be single-valued
• All non-key attributes must describe a characteristic of the class (table) identified by the primary key
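The integrity rules and the many-to-many mapping step above, as an added example (not part of the original notes) using Python's built-in sqlite3. Table and column names follow the notes' Customer/Orders and AutoID/DealerID examples, the sample rows are constructed, and each foreign key is checked against the primary key of the table it links to.

```python
import sqlite3

SCHEMA = """
CREATE TABLE Customer (
    CustomerID TEXT PRIMARY KEY NOT NULL,             -- entity integrity: PK never null
    LastName   TEXT NOT NULL
);
CREATE TABLE Orders (
    OrderNumber TEXT PRIMARY KEY NOT NULL,
    CustomerID  TEXT REFERENCES Customer(CustomerID)  -- FK: null or an existing customer
);
CREATE TABLE Auto   (AutoID   TEXT PRIMARY KEY NOT NULL);
CREATE TABLE Dealer (DealerID TEXT PRIMARY KEY NOT NULL);
-- Many-to-many "serviced by": a linking table keyed on both primary keys
CREATE TABLE ServicedBy (
    AutoID   TEXT NOT NULL REFERENCES Auto(AutoID),
    DealerID TEXT NOT NULL REFERENCES Dealer(DealerID),
    PRIMARY KEY (AutoID, DealerID)
);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite ignores foreign keys unless enabled
    db.executescript(SCHEMA)
    return db

def attempt(db, sql, params=()):
    """Run one statement; return 'accepted' or the constraint that rejected it."""
    try:
        with db:  # commit on success, roll back on error
            db.execute(sql, params)
        return "accepted"
    except sqlite3.IntegrityError as exc:
        return f"rejected: {exc}"

def demo():
    """Constructed sample rows that exercise each rule in turn."""
    db = open_db()
    steps = [
        ("customer",       "INSERT INTO Customer VALUES (?, ?)", ("C001", "Lee")),
        ("null_pk",        "INSERT INTO Customer VALUES (?, ?)", (None, "Nobody")),
        ("duplicate_pk",   "INSERT INTO Customer VALUES (?, ?)", ("C001", "Again")),
        ("order",          "INSERT INTO Orders VALUES (?, ?)", ("O100", "C001")),
        ("order_null_fk",  "INSERT INTO Orders VALUES (?, ?)", ("O101", None)),
        ("orphan_order",   "INSERT INTO Orders VALUES (?, ?)", ("O102", "C999")),
        ("delete_parent",  "DELETE FROM Customer WHERE CustomerID = ?", ("C001",)),
        ("auto",           "INSERT INTO Auto VALUES (?)", ("A1",)),
        ("dealer",         "INSERT INTO Dealer VALUES (?)", ("D1",)),
        ("link",           "INSERT INTO ServicedBy VALUES (?, ?)", ("A1", "D1")),
        ("duplicate_link", "INSERT INTO ServicedBy VALUES (?, ?)", ("A1", "D1")),
        ("orphan_link",    "INSERT INTO ServicedBy VALUES (?, ?)", ("A1", "D9")),
    ]
    return {name: attempt(db, sql, params) for name, sql, params in steps}

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15} {outcome}")
```

Without the `PRAGMA foreign_keys = ON` line, SQLite would accept the orphan rows silently, which is why the control has to be verified rather than assumed.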

Basics of Microsoft Access

• Queries
  o A tool used to retrieve and display data derived from records stored within the database
• Forms
  o Utilized to enter data into tables and view existing records
• Reports
  o Used to integrate data from one or many queries and tables to provide useful information to decision makers.

Chapter 5

Sales and Collections

Business Processes
• Sales
• Collections

REA Models
• Sales
• Collections

Chapter 6

Purchases and Payments

• Process includes business activities such as
  o Purchasing inventory from suppliers (purchases)
  o Maintaining supplier records (accounts payable)
  o Making payments to suppliers for appropriate A/P (cash disbursements)
• Purchase order, Purchase Invoice, Cash Disbursement

Chapter 10

Internal Controls

• Involves the processes that an organization implements to
  o Safeguard assets
  o Provide accurate and reliable information
  o Promote operational efficiency
  o Enforce prescribed managerial policies
  o Comply with applicable laws and regulations
• According to SOX, it is the business's responsibility to manage its internal controls

Types of Internal Controls

• Preventive Controls (Authorization)
  o Deter problems before they happen
• Detective Controls (Bank Reconciliations, Monthly Trial Balances)
  o Find problems when they arise
• Corrective Controls (Back up to recover corrupted data)
  o Fix problems that have been identified

IS Risk and Computerized Controls

• General Controls
  o Pertain to enterprise-wide issues such as
    - Controls over accessing the network
    - Developing and maintaining applications
    - Documenting changes of programs
• Application Controls
  o Are specific to a subsystem/application to ensure validity, completeness and accuracy of transactions

COSO Internal Control Framework (COSO 2.0)

• Internal Controls is a process of outgoing tasks and activities
• It is affected by people
• Can provide reasonable assurance
• Is geared towards the achievement of objectives in one or more separate overlapping categories
• Is adaptable to the entity structure

Types of Objectives

• Operations Objectives
  o Effectiveness and efficiency of firm operations
  o Including financial goals and safeguarding assets
• Reporting Objectives
  o Reliable reporting for internal and external users
• Compliance Objectives
  o Adherence to applicable laws and regulations

5 Components of Internal Controls

• Control Environment
  o Sets the tone of a firm, and influences the control and consciousness of the employees
  o Provides the foundation for the internal control system
• Risk Assessment
  o A process for identifying and analyzing a firm’s external and internal risks
  o Lets the firm understand what threats might affect corporate objectives
  o Are analyzed after considering the probability of occurrence and loss
• Control Activities
  o A firm must establish control policies, procedures, and practices that ensure that these strategies are being carried out
  o Occurs at all levels of the firm
• Information and Communication
  o Supports all other control components by communicating effectively
  o Ensures that everyone knows their policy positions
• Monitoring Activities
  o The design and effectiveness should be monitored by management on a continuous basis
  o Findings should be evaluated, deficiencies must be dealt with
  o Necessary modifications should be made to improve the system

Risk Responses

• Reduce risks by designing effective business processes and implementing internal controls
• Share risks by outsourcing business processes, buying insurances, or hedging transactions
• Avoid risks by not engaging in activities that produce risk
• Accept risk by relying on natural offsets of the risk within a portfolio, or allowing the likelihood and impact of the risk

Cost Benefit Analysis

• The benefits should exceed its cost

Control Activities

• Physical Controls
  o Manual, but could involve the physical usage of computing technology
  o E.g. Authorization, Segregation of duties, Supervision
• IT Controls
  o Processes that provide assurance for information and help to mitigate risks associated with technology
  o E.g. IT general controls, Access controls, Computer operations controls
• Input controls
  o Field checks, size checks, range checks, check digit verifications
• Process controls
  o Pre-numbered documents, sequence checks, cross-footing balance tests

Business Continuity Plan (BCP)

• The creation and validation of a practiced logistical plan on how an organization will recover or restore partial/completely interrupted functions within a predetermined time after a disaster
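The input controls and process controls listed under Control Activities, applied to one batch of transactions, as an added example that is not part of the original notes. The record layout, the 8-digit account format, the quantity limits and the use of the Luhn algorithm for the check digit are assumptions, and the batch is constructed.

```python
def luhn_valid(number):
    """Check digit verification using the Luhn algorithm (assumed scheme)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def input_errors(rec, account_len=8, max_qty=500):
    """Input controls on a single record; returns the names of the failed checks."""
    errors = []
    acct = rec["account"]
    if not (acct.isascii() and acct.isdigit()):
        errors.append("field check")      # wrong kind of character in the field
    elif len(acct) != account_len:
        errors.append("size check")       # wrong number of characters
    elif not luhn_valid(acct):
        errors.append("check digit")      # mistyped or transposed digits
    if not 1 <= rec["qty"] <= max_qty:
        errors.append("range check")      # value outside permitted limits
    return errors

def sequence_check(doc_numbers):
    """Process control: gaps and duplicates in pre-numbered documents."""
    seen = set(doc_numbers)
    if not seen:
        return [], []
    missing = [n for n in range(min(seen), max(seen) + 1) if n not in seen]
    duplicates = sorted(n for n in seen if doc_numbers.count(n) > 1)
    return missing, duplicates

def cross_foots(batch):
    """Process control: net and tax column totals must add up to the gross total."""
    return (sum(r["net"] for r in batch) + sum(r["tax"] for r in batch)
            == sum(r["gross"] for r in batch))

def review_batch(batch):
    rejected = [(r["doc"], errs) for r in batch if (errs := input_errors(r))]
    missing, duplicates = sequence_check([r["doc"] for r in batch])
    return {"rejected": rejected, "missing": missing,
            "duplicates": duplicates, "cross_foots": cross_foots(batch)}

# Constructed sample batch (not from the notes); amounts are in cents.
BATCH = [
    {"doc": 1001, "account": "12345674", "qty": 10, "net": 5000, "tax": 650, "gross": 5650},
    {"doc": 1002, "account": "12345764", "qty": 10, "net": 5000, "tax": 650, "gross": 5650},
    {"doc": 1003, "account": "1234A674", "qty": 5, "net": 2500, "tax": 325, "gross": 2825},
    {"doc": 1005, "account": "123456", "qty": 0, "net": 0, "tax": 0, "gross": 0},
    {"doc": 1005, "account": "12345674", "qty": 2, "net": 1000, "tax": 130, "gross": 1310},
]

if __name__ == "__main__":
    print(review_batch(BATCH))
```

The last record passes every input control yet breaks the cross-footing test and repeats a document number, which is why input and process controls are applied together.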

Chapter 11

Computer Fraud and Abuse

• Fraud Triangle
  o Three conditions exist for a fraud to be perpetrated
    - Incentive to commit
    - Opportunity for fraud to be perpetrated
    - Rationalize the fraud with their attitude
• Common Computer Frauds
  o Misuse, misappropriation of assets by altering computer-readable data
  o Misuse, misappropriation of assets by altering computer software and functions
  o Illegal use of computer-readable information
  o Corrupting, illegal copying, or destruction of computer software
  o Misuse, misappropriation of computer hardware (physical devices)
• Computer fraud risk assessment steps
  o Identify relevant IT fraud risk factors
  o Identify potential IT schemes and prioritize them based on likelihood and impact
  o Mapping existing controls to potential fraud schemes and identifying gaps
  o Testing operating effectiveness of fraud prevention and detection controls
  o Assessing the likelihood and business impact of a control failure and/or fraud incident
  o Read Pg 227,228 for examples of fraud schemes
• Computer Fraud Prevention/Detection
  o Begins with fraud risk assessment across the whole firm
  o Management is responsible for fraud risk assessments
  o Audit committee runs as the supervision to make these provisions work
  o New employees should sign an acceptance use policy to communicate their acceptable computer use

Vulnerabilities Assessment and Management

• Vulnerabilities
  o The characteristics of IT resources that can be exploited by a threat to cause harm

Physical IT Environment Vulnerabilities

IS Vulnerabilities

Processes of IT Operations Vulnerabilities

Framework for Vulnerability Assessment

• 2 Prerequisites for vulnerability management
  o Must determine the main objectives of its vulnerability management because the firm's resources are limited
  o Must assign roles and responsibilities for vulnerability management

Main components of Management Assessment (refer to pg 232 for more details)

System Availability

• A key component of IT delivery service and support is making the data available at all times, or when needed
• Firms need to continue to monitor system availability
  o Uninterruptible power supply
    - Device using battery to enable the system to operate long enough to back up critical data before shutting down during power loss
  o Fault tolerance
    - Uses a redundant amount of devices to provide the system when a part of the system fails
• Virtualization/Cloud Computing are good alternatives for backing up data and applications
  o Cloud computing
    - Uses redundant servers in multiple locations to host virtual machines
    - Contains system applications and data backups
    - If the VM fails, it can be installed to any server immediately

Disaster Recovery Planning and Business Continuity Management

• It is essential to establish a proper plan to recover from a disaster or any disruptive events to continue business
• DRP (Disaster Recovery Planning)
  o Process that identifies significant events that may threaten the firm’s operations and outlines the procedures to ensure business continuity
• BCM (Business Continuity Management)
  o Refers to the activities required to keep a firm running during a period of displacement or interruption of normal operations

Chapter 12

Operating Systems (OS)

Components: most important system software as it
• Ensures integrity of the system
• Controls the flow of multiprogramming and tasks of the computer
• Allocates computer resources to users/applications
• Manages the interfaces

Must achieve these controls
• Must protect itself from the users
• Must protect users from each other
• Must protect users from themselves
• Must be protected from itself
• Must be protected from the environment

Database Systems

• Is a shared collection of logically related data that the firm needs
• Accountants need to understand database systems as they provide knowledge on designing internal controls and improving the IT processes in the database environment

Database Warehouse

• Is a centralized collection of firm-wide data for a relatively long period of time
  o Typically used for storing information
  o Is updated periodically from the operational database
• Operational Database
  o Used for daily operations
    - Is updated when a transaction is processed (frequently)

Data Mining

• Process of searching for patterns in the data from a data warehouse and using the data for decision making

LANs and WANs

Local Area Network (LAN)

A group of devices connected to the same network in a limited geographical range (think BrockWIFI). Uses hubs and switches.

• Hubs: contain many ports
  o When a data packet from a computer arrives at one port of the hub, it is copied to all the other ports so that all the other devices can access it (like a broadcast)
• Switch: Intelligent device that provides a pathway to where the information is passed
  o It is more private than a hub as it depends on MAC addresses (media access controls)

Wireless Area Network (WAN)

Link different sites together, transmit information access in large locations (international)

• Provides remote access to employees and customers
• Links 2 or more sites of a firm together
• Provides access to the internet
• Slower than LAN, but provides quality of service and security

Uses routers and firewalls

• Routers: connect different LANs together
• Firewall: a security system comprised of hardware and software that is built by routers

Virtual Private Network (VPN)

• Connect a firm’s WAN by sending and receiving encrypted packets via outside connections to distant offices, salespeople, and business partners
  o Take advantage of the public internet infrastructure with authentication technology
• Basically is remote access of using internet on someone else’s internet

Wireless Networks

• Use frequencies and EM signals to transfer data (wireless)
• Comprised of two components
  o Access point
    - Connects stations with each other in an ad hoc wireless network
  o Station
    - End point device that access points try to connect to
• Benefits include
  o Mobility: Convenient, without using cables
  o Rapid Deployment: Time saved because there is less set up (no cables)
  o Flexibility: Easy to set up, easy to remove

Security Objectives of WAN and LAN

• Confidentiality: cannot be read by unauthorized users
• Integrity: Detect intentional/unintentional changes to data during transmission
• Availability: ensure easy access to network from devices when needed
• Access Control: Restrict the rights of devices/individuals on the network (segregation of duties)

Threats of Wireless LAN

• Eavesdropping: Attacker passively monitors networks for data
• Man-in-the-Middle: Attacker actively intercepts communications between network and wireless clients
• Masquerading: Impersonation of an authorized user
• Message Modification: Alters an actual message sent via wireless
• Message Relay: Monitors transmissions of messages and retransmits them
• Misappropriation: Steals or makes unauthorized use of the service
• Traffic Analysis: Monitors transmissions to identify communication patterns and participants
• Rogue access points: Attacker sets up unsecured wireless network and tries to impersonate the legitimate one (e.g. going to Starbucks and setting up a hotspot)

Computer Assisted Audit Techniques (CAATS)

• Refers to any automated audit techniques that can be used by an auditor to perform audits in achieving audit objectives in common areas such as:
  o Test of details of transactions and balances
  o Analytical review procedures
  o Compliance tests of IT general and application controls
  o OS and network vulnerability assessments
  o Application security testing and source code security scans
  o Penetration testing (hehe LOL, it's 1:37am okay)
• Are essential tools for auditors to conduct an audit in accordance with accounting standards
  o GAAS (Generally Accepted Auditing Standards)
    - Broad guidelines of auditor responsibilities in three regions
      1. General standards, Standards of fieldwork, Standards of reporting
• 2 Approaches
  o Audit around the computer (Black box approach)
    - Auditors test the reliability of the computer generated information by calculating the expected results using transaction data and then compare to the system’s output
    - Don’t need to know how the framework works
    - The advantage of this is that it does not interrupt the system
    - Used when the systems are simple
  o Auditing through the computer (White box approach)
    - Requires auditors to understand the internal logic of the system being tested
    - Uses a variety of approaches:
      1. Test data technique
         o Uses a set of input data to validate system integrity
         o Need to find invalid data to examine flaws of system
      2. Parallel Simulation
         o Recreates the system and generates simulated results
         o Compares results to system’s results
      3. Integrity test facility
         o Automated technique that enables test data to be continually evaluated during normal operation
           - Expensive and time consuming
      4. Embedded audit module
         o Programmed module that is added to the system so auditors can monitor and collect data
           - Data is then used to e...
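Auditing around the computer, the test data technique and parallel simulation all come down to recomputing results independently and comparing them with what the system produced. An added example, not from the original notes: `system_total` is a constructed stand-in for the application under audit with two planted defects, and the 13% tax rate, the rounding rule and the test data are assumptions.

```python
TAX_PCT = 13  # assumed tax rate for this constructed example

def system_total(qty, unit_cents):
    """Stand-in for the application under audit (constructed, with planted defects)."""
    subtotal = qty * unit_cents                    # defect: quantity is never validated
    return subtotal + subtotal * TAX_PCT // 100    # defect: tax truncated, not rounded

def auditor_total(qty, unit_cents):
    """Auditor's independent simulation of the documented rules (assumed here)."""
    if qty <= 0 or unit_cents < 0:
        return None                                # invalid input must be rejected
    subtotal = qty * unit_cents
    return subtotal + (subtotal * TAX_PCT + 50) // 100  # round half up to the cent

# Test data as (quantity, unit price in cents): valid cases plus deliberately invalid ones
TEST_DATA = [(2, 500), (1, 1999), (-3, 500), (0, 999), (100, 1)]

def parallel_simulation(cases):
    """Compare system output with the simulation; return one exception per mismatch."""
    exceptions = []
    for qty, unit in cases:
        expected = auditor_total(qty, unit)
        actual = system_total(qty, unit)
        if expected == actual:
            continue
        finding = "invalid input accepted" if expected is None else "amount differs"
        exceptions.append({"input": (qty, unit), "expected": expected,
                           "system": actual, "finding": finding})
    return exceptions

if __name__ == "__main__":
    for exc in parallel_simulation(TEST_DATA):
        print(exc)
```

Only the invalid and boundary cases expose the defects here; the two round-number cases agree, which is why the test data has to include invalid input.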

