ACCOUNTING INFORMATION SYSTEMS: Controls and Processes. LESLIE TURNER, WEICKGENANNT. WILEY, John Wiley & Sons, Inc.

Author: Harvey Simmons

Contents

MODULE 1

The Importance of Accounting Information Systems to Accountants

INTRODUCTION Defines business processes, AIS, and all foundational concepts. This module provides the knowledge building blocks to support the remaining chapters.

USERS OF THE AIS; DESIGN OR IMPLEMENTATION TEAM; AN AUDITOR OF THE AIS

The Relation of Ethics to Accounting Information Systems

CHAPTER

Summary of Study Objectives

Introduction to AIS

Key Terms

End of Chapter Material

Overview of Business Processes

Overview of an Accounting Information System

Business Process Linkage Throughout the Supply Chain

IT Enablement of Business Processes

Basic Computer and IT Concepts
BASIC COMPUTER DATA STRUCTURES; FILE ACCESS AND PROCESSING MODES; DATA WAREHOUSE AND DATA MINING; NETWORKS AND THE INTERNET

Examples of IT Enablement
E-BUSINESS; ELECTRONIC DATA INTERCHANGE; POINT OF SALE SYSTEM; AUTOMATED MATCHING; EVALUATED RECEIPT SETTLEMENT; E-PAYABLES AND ELECTRONIC INVOICE PRESENTMENT AND PAYMENT; ENTERPRISE RESOURCE PLANNING SYSTEMS

The Internal Control Structure of Organizations
ENTERPRISE RISK MANAGEMENT; A CODE OF ETHICS; COSO ACCOUNTING INTERNAL CONTROL STRUCTURE; IT CONTROLS; CORPORATE GOVERNANCE; IT GOVERNANCE

CONCEPT CHECK; DISCUSSION QUESTIONS; BRIEF EXERCISES; PROBLEMS; CASES; CONTINUING CASE: SPATELLI'S PIZZERIA; SOLUTIONS TO CONCEPT CHECK

CHAPTER

Foundational Concepts of the AIS

Interrelationships of Business Processes and the AIS

Types of Accounting Information Systems
MANUAL SYSTEMS; LEGACY SYSTEMS; MODERN, INTEGRATED SYSTEMS

Accounting Software Market Segments

Input Methods Used in Business Processes
SOURCE DOCUMENTS AND KEYING; BAR CODES; POINT OF SALE SYSTEMS; ELECTRONIC DATA INTERCHANGE; E-BUSINESS AND E-COMMERCE


Processing Accounting Data
BATCH PROCESSING; ONLINE AND REAL-TIME PROCESSING

Policies to Assist in the Avoidance of Fraud and Errors

Maintenance of a Code of Ethics

Outputs from the AIS Related to Business Processes

THE DETAILS OF THE COSO REPORT

Documenting Processes and Systems

REASONABLE ASSURANCE OF INTERNAL CONTROLS

PROCESS MAPS; SYSTEM FLOWCHARTS; DOCUMENT FLOWCHARTS; DATA FLOW DIAGRAMS; ENTITY RELATIONSHIP DIAGRAMS

Maintenance of Accounting Internal Controls

Key Terms

Appendix A: Recent History of Internal Control Standards

Ethical Considerations at the Foundation of Accounting Information Systems

Appendix B: Control Objectives for Information Technology (COBIT)

Summary of Study Objectives

End of Chapter Material

Key Terms

Appendix: Resources Events Agents (REA) in Accounting Information Systems

End of Chapter Material

Maintenance of Information Technology Controls

Summary of Study Objectives

Client-Server Computing

CONCEPT CHECK; DISCUSSION QUESTIONS; BRIEF EXERCISES; PROBLEMS; CASES; CONTINUING CASE: SPATELLI'S PIZZERIA; SOLUTIONS TO CONCEPT CHECK

CHAPTER 4 Internal Controls and Risks in IT Systems

MODULE 2 CONTROL ENVIRONMENT Describes the proper control environment to oversee and control processes.

CHAPTER

Fraud, Ethics, and Internal Control

Accounting Related Fraud

CATEGORIES OF ACCOUNTING-RELATED FRAUD

The Nature of Management Fraud

The Nature of Employee Fraud

The Nature of Customer Fraud

The Nature of Vendor Fraud

The Nature of Computer Fraud

An Overview of Internal Controls for IT Systems

General Controls for IT Systems
AUTHENTICATION OF USERS AND LIMITING UNAUTHORIZED USERS; HACKING AND OTHER NETWORK BREAK-INS; ORGANIZATIONAL STRUCTURE; PHYSICAL ENVIRONMENT AND SECURITY; BUSINESS CONTINUITY

General Controls from an AICPA Trust Services Principles Perspective

Introduction to the Need for a Code of Ethics and Internal Controls

INTERNAL SOURCES OF COMPUTER FRAUD; EXTERNAL SOURCES OF COMPUTER FRAUD

CONCEPT CHECK; DISCUSSION QUESTIONS; BRIEF EXERCISES; PROBLEMS; CASES; CONTINUING CASE: SPATELLI'S PIZZERIA; SOLUTIONS TO CONCEPT CHECK

RISKS IN NOT LIMITING UNAUTHORIZED USERS; RISKS FROM HACKING OR OTHER NETWORK BREAK-INS; RISKS FROM ENVIRONMENTAL FACTORS; PHYSICAL ACCESS RISKS; BUSINESS CONTINUITY RISKS

Hardware and Software Exposures in IT Systems
THE OPERATING SYSTEM; THE DATABASE; THE DATABASE MANAGEMENT SYSTEM; LANS AND WANS; WIRELESS NETWORKS

CASES; CONTINUING CASE: SPATELLI'S PIZZERIA; SOLUTIONS TO CONCEPT CHECK

THE INTERNET AND WORLD WIDE WEB; TELECOMMUTING WORKERS; ELECTRONIC DATA INTERCHANGE

Application Software and Application Controls

CHAPTER 0

IT Governance

Ethical Issues in IT Systems

Summary of Study Objectives

Key Terms

End of Chapter Material

PROBLEMS; CASES; CONTINUING CASE: SPATELLI'S PIZZERIA; SOLUTIONS TO CONCEPT CHECK

Introduction to IT Governance

An Overview of the SDLC

Elements of the Systems Planning Phase of the SDLC

Elements of the Systems Analysis Phase of the SDLC

Corporate Governance and the Sarbanes-Oxley Act

SYSTEM SURVEY: THE STUDY OF THE CURRENT SYSTEM; DETERMINATION OF USER REQUIREMENTS; ANALYSIS OF THE SYSTEM SURVEY

CHAPTER

An Overview of Corporate Governance

Participants in the Corporate Governance Process

Functions within the Corporate Governance Process

The History of Corporate Governance

The Sarbanes-Oxley Act of 2002

The Impact of the Sarbanes-Oxley Act on Corporate Governance

The Importance of Corporate Governance in the Study of Accounting Information Systems

Ethics and Corporate Governance

Summary of Study Objectives

Key Terms

End of Chapter Material

CONCEPT CHECK; DISCUSSION QUESTIONS; BRIEF EXERCISES; PROBLEMS

THE MATCH OF IT SYSTEMS TO STRATEGIC OBJECTIVES; FEASIBILITY STUDY; PLANNING AND OVERSIGHT OF THE PROPOSED CHANGES

MANAGEMENT OVERSIGHT; INTERNAL CONTROLS AND COMPLIANCE; FINANCIAL STEWARDSHIP; ETHICAL CONDUCT

INPUT CONTROLS; PROCESSING CONTROLS; OUTPUT CONTROLS

CONCEPT CHECK; DISCUSSION QUESTIONS; BRIEF EXERCISES

Elements of the Systems Design Phase of the SDLC
IN-HOUSE DESIGN; CONCEPTUAL DESIGN; EVALUATION AND SELECTION; DETAILED DESIGN

Elements of the Systems Implementation Phase of the SDLC
SOFTWARE PROGRAMMING; TRAINING EMPLOYEES; SOFTWARE TESTING; DOCUMENTING THE SYSTEM; DATA CONVERSION; SYSTEM CONVERSION; USER ACCEPTANCE; POST-IMPLEMENTATION REVIEW

Elements of the Operation and Maintenance Phase of the SDLC

The Critical Importance of IT Governance in an Organization
SDLC AS PART OF STRATEGIC MANAGEMENT; SDLC AS AN INTERNAL CONTROL

Ethical Considerations Related to IT Governance

ETHICAL CONSIDERATIONS FOR MANAGEMENT; ETHICAL CONSIDERATIONS FOR EMPLOYEES; ETHICAL CONSIDERATIONS FOR CONSULTANTS

Summary of Study Objectives

Key Terms

End of Chapter Material
CONCEPT CHECK; DISCUSSION QUESTIONS; BRIEF EXERCISES; PROBLEMS; CASES; CONTINUING CASE: SPATELLI'S PIZZERIA; SOLUTIONS TO CONCEPT CHECK

MODULE 3 BUSINESS PROCESSES The sets of business processes and the internal controls in organizations. With process maps, document flowcharts, and data flow diagrams, the core business processes are described and the necessary controls to manage risk are discussed.

CHAPTER 7 Auditing Information Technology-Based Processes

CHAPTER 8 Revenue and Cash Collection Processes and Controls

Introduction to Revenue Processes

Sales Processes

Risks and Controls in Sales Processes

Introduction to Auditing IT Processes

Types of Audits and Auditors

Information Risk and IT-Enhanced Internal Control

Authoritative Literature Used in Auditing

Management Assertions and Audit Objectives

Phases of an IT Audit

Sales Return Processes

Audit Planning

Risks and Controls in Sales Return Processes

Use of Computers in Audits

Tests of Controls

General Controls

Application Controls

Tests of Transactions and Tests of Balances

Audit Completion/Reporting

Other Audit Considerations
DIFFERENT IT ENVIRONMENTS; CHANGES IN A CLIENT'S IT ENVIRONMENT; SAMPLING

Ethical Issues Related to Auditing

Summary of Study Objectives

Key Terms

End of Chapter Material
CONCEPT CHECK; DISCUSSION QUESTIONS; BRIEF EXERCISES; PROBLEMS; CASES; CONTINUING CASE: SPATELLI'S PIZZERIA; SOLUTIONS TO CONCEPT CHECK

AUTHORIZATION OF TRANSACTIONS; SEGREGATION OF DUTIES; ADEQUATE RECORDS AND DOCUMENTS; SECURITY OF ASSETS AND DOCUMENTS; INDEPENDENT CHECKS AND RECONCILIATIONS; COST-BENEFIT CONSIDERATIONS

AUTHORIZATION OF TRANSACTIONS; SEGREGATION OF DUTIES; ADEQUATE RECORDS AND DOCUMENTS; SECURITY OF ASSETS AND DOCUMENTS; INDEPENDENT CHECKS AND RECONCILIATION; COST-BENEFIT CONSIDERATIONS

Cash Collection Processes

Risks and Controls in Cash Collection Processes
AUTHORIZATION OF TRANSACTIONS; SEGREGATION OF DUTIES; ADEQUATE RECORDS AND DOCUMENTS; SECURITY OF ASSETS AND DOCUMENTS; INDEPENDENT CHECKS AND RECONCILIATIONS; COST-BENEFIT CONSIDERATIONS

IT Enabled Systems of Revenue and Cash Collection Processes

E-Business Systems and the Related Risks and Controls
SECURITY AND CONFIDENTIALITY RISKS; PROCESSING INTEGRITY RISKS; AVAILABILITY RISKS

Electronic Data Interchange (EDI) Systems and the Risks and Controls

Point of Sale (POS) Systems and the Related Risks and Controls

Ethical Issues Related to Revenue Processes

Corporate Governance in Revenue Processes

Summary of Study Objectives

Key Terms

End of Chapter Material
CONCEPT CHECK; DISCUSSION QUESTIONS; BRIEF EXERCISES; PROBLEMS; CASES; CONTINUING CASE: SPATELLI'S PIZZERIA; SOLUTIONS TO CONCEPT CHECK

SECURITY OF ASSETS AND DOCUMENTS; INDEPENDENT CHECKS AND RECONCILIATIONS; COST-BENEFIT CONSIDERATIONS


IT Systems of Expenditures and Cash Disbursement Processes

Computer-Based Matching

Risks and Controls in Computer-Based Matching
SECURITY AND CONFIDENTIALITY RISKS; PROCESSING INTEGRITY RISKS

Evaluated Receipt Settlement

Risks and Controls in Evaluated Receipt Settlement
SECURITY AND CONFIDENTIALITY; PROCESSING INTEGRITY; AVAILABILITY

E-Business and Electronic Data Interchange (EDI)

Risks and Controls in E-Business and EDI
SECURITY AND CONFIDENTIALITY; PROCESSING INTEGRITY; AVAILABILITY

E-Payables

Procurement Cards

Ethical Issues Related to Expenditures Processes

Introduction to Expenditures Processes

Corporate Governance in Expenditure Processes

Purchasing Processes

Summary of Study Objectives

Risks and Controls in the Purchasing Process
