Accounting Information Systems


ACCOUNTING INFORMATION SYSTEMS
A20
1ST SEMESTER
CHAPTER 1 : Accounting Information Systems : An Overview
• What is a system?
- A set of two or more interrelated components interacting to achieve a goal.
- Composed of subsystems that support the larger system. Ex: a college department
• Goal conflict
- Occurs when components act in their own interest, inconsistently with or without regard for the goal of the system as a whole.
• Goal congruence
- Occurs when components acting in their own interest contribute toward the overall goal.
- The larger the organization and the more complicated the system, the more difficult goal congruence is to achieve.
• Data
- Facts that are collected, recorded, and stored. Insufficient by themselves for decision making.
• Information
- Processed data used to improve decision making.
- Too much information, however, makes it more, not less, difficult to make decisions. Once the limits are passed, the resulting decline in decision quality is known as information overload.
• Information technology
- Helps decision makers filter and condense information.
• Value of information
- The benefit produced by the information minus the cost of producing it (benefit dollars must exceed cost dollars).
Benefits:
- Reduce uncertainty
- Improve decisions
- Improve planning
- Improve scheduling
Costs:
- Time and resources to produce information
- Time and resources to distribute information
What makes information useful: necessary characteristics
• Relevant - helps users form predictions about outcomes. It reduces uncertainty, improves decision making, or corrects prior expectations.
• Reliable - free from error or bias; represents what it purports to represent.
• Complete - a faithful representation of the relevant phenomena; does not omit important aspects.
• Timely - available to a decision maker before it loses its capacity to influence decisions. Provided in time.
• Understandable - enables users to perceive its significance. Presented in a useful and intelligible format.
• Verifiable - two independent, knowledgeable people produce the same information.
• Accessible - available when needed.
• Business process
- Systems working toward organizational goals. A set of related, coordinated, and structured activities and tasks, performed by a person or a computer, that help accomplish a specific organizational goal.
• Business transaction
- An agreement between two entities to exchange goods or services, or any other event that can be measured in economic terms by an organization.
• Transaction processing
- The process that begins with capturing transaction data and ends with informational output, such as the financial statements.
• Give-get exchange
- Transactions that happen a great many times, such as giving up cash to get inventory from a supplier, or giving employees a paycheck in exchange for their labor.

Figure 1: Transaction cycle

• Business process cycles
1. Revenue cycle - selling goods and services for cash
2. Expenditure cycle - companies purchase inventory for resale or raw materials to use in production
3. Production or conversion cycle - raw materials are transformed into finished goods
4. Human resources/payroll cycle - activities such as hiring, training, compensating, evaluating, promoting, and terminating employees
5. Financing cycle - selling shares in the company to investors and borrowers, as well as paying dividends

• Accounting information systems
- Accounting is an AIS since it collects, processes, stores, and reports data and information.
- The AIS is the intelligence (the information-providing vehicle) of that language, accounting being the language of business.
• Components of an AIS
1. People using the system
2. Procedures and instructions - for collecting, processing, and storing data
3. Data
4. Software - used to process data
5. Information technology (IT) infrastructure - computers, peripherals, networks, and so on
6. Internal controls and security measures - safeguard the system and its data
• AIS and business functions
1. Collect and store data about organizational activities, resources, and personnel
2. Transform data into information enabling management to plan, execute, control, and evaluate activities, resources, and personnel
3. Provide adequate controls to safeguard assets and data
• AIS adds value to an organization
- Improve quality and reduce costs
- Improve efficiency
- Improve sharing of knowledge
- Improve supply chain
- Improve internal control
- Improve decision making:
  - Identify situations that require action
  - Reduce uncertainty and choose among alternatives
  - Provide feedback / store information
  - Provide accurate and timely information
  - Analyze sales data

• AIS and corporate strategy
- Organizations have limited resources, so investments in AIS should have the greatest impact on ROI.
- Organizations need to understand:
  - IT developments
  - Business strategy
  - Organizational culture
- These will affect and be affected by a new AIS.
• Predictive analysis
- The use of data warehouses and complex algorithms to forecast future events, based on historical trends and calculated probabilities.
• Value chain
- The set of activities by which a product or service is created and delivered to customers.
• Primary activities
- Value chain activities that produce, market, and deliver products and services to customers and provide post-delivery service and support.
1. Inbound logistics - receiving, storing, and distributing the materials used to create the products
2. Operations - transform inputs into final products
3. Outbound logistics - distribute finished products to customers. Ex: shipping automobiles
4. Marketing and sales - help customers buy products. Ex: advertising
5. Service - post-sale support to customers. Ex: repair and maintenance services
• Support activities
- Enable the primary activities to be performed efficiently and effectively.
1. Firm infrastructure - accounting, finance, legal, and general administrative activities
2. Human resources - recruiting, hiring, training, and compensating employees
3. Technology - improve a product or service. Ex: research and development
4. Purchasing - procure raw materials, supplies, machinery, and buildings to carry out the primary activities
• Supply chain
- An extended system that includes an organization's value chain as well as its suppliers, distributors, and customers: raw materials, manufacturer, distributor, retailer, and consumer.

CHAPTER 2 : Overview of Transaction Processing and ERP Systems

• Data processing cycle
- The operations performed on data to generate meaningful and relevant information. It has 4 operations:
1. Data input
- The first step is to capture transaction data and enter them into the system. Data input captures three facets:
a) Each activity of interest
b) The resources affected by each activity
c) The people who participate in each activity
• Source documents - used to capture transaction data at its source. Ex: sales orders, purchase orders, and employee time cards
• Turnaround documents - records of company data sent to an external party and then returned to the system as input.
- In machine-readable form to facilitate their subsequent processing as input records. Ex: utility bill
• Source data automation - the collection of transaction data in machine-readable form at the time and place of origin. Ex: point-of-sale terminals and ATMs
- The second step is to make sure the captured data are accurate and complete. Use source data automation or well-designed turnaround documents and data entry screens.
Improve accuracy:
- Provide instructions and prompts
- Check boxes
- Drop-down boxes
Ensure completeness:
- Internal control support
- Prenumbered documents
- The third step is to make sure company policies are followed, such as approving or verifying transactions. This can be enforced by programming the system to check a customer's credit limit and history.

2. Data storage
Types of AIS storage
A. Paper-based
a) Ledgers
• General ledger - summary-level data for each asset, liability, equity, revenue, and expense account
• Subsidiary ledger - detailed data for a general ledger (control) account that has individual sub-accounts. Ex: AR and AP
• Control account - a general ledger account that summarizes the total amounts of a subsidiary ledger.
• Coding techniques - used to organize data logically. A systematic assignment of numbers or letters to items to classify and organize them.
I. Sequence codes - items numbered consecutively. Ex: checks, invoices
II. Block codes - a specific range of numbers is associated with a category. Ex: 1000000-1999999 electric ranges, 2000000-2999999 refrigerators
III. Group codes - the position of digits in the code provides meaning
i. Mnemonic codes - letters and numbers that are interspersed. Ex: Dry300W05 - low end (300), white (W), dryer (Dry), made by Sears (05)
IV. Chart of accounts - a type of block coding. A listing of all the numbers assigned to balance sheet and income statement accounts. Ex: the account numbers used in the journal for each account (120 AR, 300 AP)
b) Journals
• General journal - used to record infrequent or nonroutine transactions, such as loan payments and adjusting and closing entries.
• Specialized journal - records large numbers of repetitive transactions, such as sales, cash receipts, and cash disbursements.
• Audit trail - the path of a transaction through a data processing system from point of origin to final output, or backward from final output to point of origin. Used to check the accuracy and validity of ledger postings.
B. Computer-based
• Entity - the item about which information is stored, such as employees, inventory items, and customers.
• Attributes - facts about the entity; characteristics of interest.
• Fields - where attributes are stored. Ex: rows are customers, columns are attributes
• Records - a group of fields whose data values describe specific attributes of an entity, such as the payroll data of a single employee. Ex: a row in Excel
• Data value - the actual value stored in a field; a particular attribute of an entity. Ex: "ZYX Company" if it is a customer
• File - a group of records
1. Transaction file - contains records of business transactions from a specific period
2. Master file - permanent records. Stores cumulative information and is updated by transactions from the transaction file.
3. Database - a set of interrelated files. Consolidates records previously stored in separate files.

3. Data processing
• Four main activities (CRUD)
1. Creating new records - adding a newly hired employee to the payroll database
2. Reading existing records - retrieving or viewing existing data
3. Updating existing records - done periodically
4. Deleting records or data from records - purging vendors from the vendor master file
• Batch processing - accumulating transactions into groups or batches for processing at a regular interval or periodically. Usually sorted into some sequence, such as numerically or alphabetically.
• Online, real-time processing - the computer system processes data immediately after capture and provides updated information to users on a timely basis. Errors can be easily corrected and it improves decision making.

4. Information output
- When displayed on a monitor, output is referred to as "soft copy"; when printed, "hard copy". Information is presented as a document, a report, or the answer to a query.
• Document - a record of a transaction or other company data. Ex: checks, invoices, receiving reports, and purchase requisitions
• Reports - used by employees to control operational activities and by managers to make decisions and formulate business strategies
• Query - provides the information needed to deal with a problem or answer a question. The information is retrieved, displayed, or printed.
Enterprise Resource Planning (ERP) system - a system that integrates all aspects of an organization's activities, such as accounting, finance, marketing, and human resources.
- Modularized; facilitates information flow among the various business functions.
ERP modules
- Financial (general ledger and reporting system)
- Human resources and payroll
- Order to cash (revenue cycle)
- Purchase to pay (disbursement cycle)
- Manufacturing (production cycle)
- Project management
- Customer relationship management
- System tools
ERP advantages
- Integration of data and financial information
- Data is captured once
- Greater management visibility
- Better access controls
- Standardizes operating procedures
- Improved customer service
- More efficient manufacturing
ERP disadvantages
- Cost
- Time-consuming to implement
- Changes to business processes
- Complex
- Resistance to change
CHAPTER 3 : Systems Documentation Techniques
Documentation - explains how a system works, including the who, what, when, where, why, and how of data entry, data processing, data storage, information output, and system controls.
- Popular means of documenting a system include narratives, diagrams, flowcharts, tables, and other graphical representations of data and information.
Narrative description - a written step-by-step explanation of system components and interactions.
Why documentation tools are important
1. Must be able to read documentation to determine how a system works
2. Evaluate documentation to identify strengths and weaknesses
3. Prepare documentation that shows how a system operates
Sarbanes-Oxley Act of 2002 - requires that (1) management is responsible for establishing and maintaining an adequate internal control structure; and (2) management assesses the effectiveness of the company's internal controls. The auditor must evaluate management's assessment.
- The company and its auditors must therefore be able to prepare, evaluate, and read documentation.
Three types of documentation tools:
1. Data flow diagram (DFD) - a graphical description of the flow of data
Data flow diagram symbols
- Data sources and destinations - send data to and receive data from the system; represented by square boxes. Destinations are also called data sinks.
- Data flows - the flow of data into or out of a process; represented by arrows
- Transformation processes - transform data from inputs to outputs; represented by circles and often referred to as bubbles
- Data stores - a repository of data; represented by two horizontal lines. Data at rest.
Context diagram - the highest level of DFD. It is the summary-level view of a system. Depicts the data processing system and the entities that are the sources and destinations of its data.
- Shows the inputs to and outputs from the system. One process symbol only, and no data stores.
DFDs are subdivided into lower levels to provide increasing amounts of detail.
Level 0 data flow diagram - shows all major activities; for example, it breaks cash disbursements down into 5 major functions. The processes are labeled 1.0, 2.0, and so on.
1. Receive vendor invoice and record payable
2. Prepare the check
3. Sign and send the check and cancel the invoice
4. Record the cash disbursement
5. Post the cash disbursements to the accounts payable ledger
Level 1 data flow diagram - provides more detail on a Level 0 process; a DFD should contain no more than seven process bubbles.
2. Flowchart - a graphical description of a system that uses a standard set of symbols to describe it pictorially. It records how business processes are performed and how documents flow. Also used to analyze how to improve business processes.
Four categories of flowchart symbols
1. Input/output symbols
2. Processing symbols
3. Storage symbols
4. Flow and miscellaneous symbols

Types of flowchart
A. Document flowchart - the flow of documents and information between departments
a) Internal control flowchart - a special type of document flowchart used to describe, analyze, and evaluate internal controls. Identifies system weaknesses or inefficiencies such as inadequate communication flows, insufficient segregation of duties, unnecessary complexity, or procedures responsible for causing delays.
B. System flowchart - the relationships among the input, processing, and output of a system. Useful in systems analysis and design.
C. Program flowchart - the sequence of logical operations a computer performs. It describes the specific program logic used to perform a process.
3. Business process diagram (BPD) - describes the different steps or activities in the business processes used by a company. The Business Process Modeling Initiative Notation Working Group (BPMI) established the standards for drawing BPDs.
a) Activities in the revenue cycle: receiving an order, checking customer credit, verifying inventory availability, confirming the customer order
b) Activities in the expenditure cycle: shipping the goods ordered, billing the customer, and collecting customer payments
Notes:
- A cancelled invoice is used to record a cash disbursement.
- A context diagram is an overview of the data processing being documented. It includes a single transformation process and the data sources and destinations.


CHAPTER 4 : Relational Databases

File - a set of related records, such as all customer records
Database - a set of interrelated, centrally coordinated data files. It consolidates records previously stored in separate files. It was developed to address the proliferation of master files.
Database management system (DBMS) - the program that manages and controls the data and the interfaces between the data and the application programs.
Database system - the database, the DBMS, and the application programs that access the database.
Database administrator (DBA) - responsible for coordinating, controlling, and maintaining the database.
Data warehouse - one or more very large databases containing detailed and summarized data
Business intelligence - analyzing large amounts of data for strategic decision making. 2 main techniques:
1. Online analytical processing (OLAP) - uses queries to investigate hypothesized relationships
2. Data mining - uses sophisticated statistical analysis, including artificial intelligence techniques such as neural networks, to discover unhypothesized relationships
Proper controls are needed to reap significant benefits from data warehousing:
- Data validation controls - to ensure that data warehouse input is accurate
- Verifying the accuracy of, or scrubbing, the data - time-consuming and expensive steps
- Backing up data and storing the backups securely

Advantages of database systems

A. Data integration - files are logically combined and made accessible to various systems
B. Data sharing - easily accessed by authorized users
C. Minimal data redundancy and data inconsistencies - avoids storing the same data in multiple files
D. Data independence - data is separate from the programs that use it
E. Cross-functional analysis - relationships between data from various organizational functions are easily combined
Logical and physical views of data
Record layout - shows the items stored in a file, including the order and length of the data fields
Two separate views of data:
Logical view - how people understand the relationships among data items. Users do not need to know how and where the data is physically stored.
Physical view - the way data are physically arranged and stored in the computer system: how is data arranged in a file, and where is it stored?
Database management software (DBMS) - links the logical and physical views of the data. It allows users to access, query, or update the database without reference to how or where data are physically stored. It uses mapping to translate the user's request.
Schema - a description of the data elements in a database and the logical model used to organize them
Three levels of schemas
1. Conceptual-level schema - the organization-wide view of data
2. External-level schema - an individual user's view; each is referred to as a subschema
3. Internal-level schema - a low-level view describing how data are stored, including layouts, definitions, addresses, and indexes
DBMS languages
1. Data definition language (DDL) - builds the data dictionary, creates the database, describes logical views, and specifies record or field security constraints
2. Data manipulation language (DML) - changes database content, including data element creation, updates, insertions, and deletions
3. Data query language (DQL) - a high-level, English-like language that contains powerful, easy-to-use commands that enable users to retrieve, sort, order, and display data
4. Report writer - simplifies report creation
The DQL and report writer are for users. The DDL and DML are restricted to administrators and programmers.
RELATIONAL DATABASES
Data model - characterizes a DBMS. It is an abstract representation of database contents.
Relational data model - represents conceptual- and external-level schemas as if data are stored in two-dimensional tables.
Tuple - each row in a table; contains data about a specific item in a database table.
TYPES OF ATTRIBUTES
Primary key - an attribute, or combination of attributes, that uniquely identifies a specific row
Foreign key - an attribute that is a primary key in another table and is used to link the two tables
Effects of storing information
1. Store all data in one uniform table - this has two drawbacks: it stores lots of redundant data, and problems occur when invoice data are stored in this type of improper database organization:
a) Update anomaly - a non-primary-key item is stored multiple times; updating the item in one location and not the others causes inconsistencies
b) Insert anomaly - inability to add records to the database
c) Delete anomaly - loss of all information about an entity when a row is deleted
2. Vary the number of columns - reduces redundancy and eliminates some anomalies, but it has drawbacks.
3. The solution: a set of tables - the storage problems are solved using a relational database (a database built using the relational data model).
BASIC REQUIREMENTS OF A RELATIONAL DATABASE
1. Every column in a row must be single valued
2. Primary keys cannot be null
a) Entity integrity rule - a non-null primary key ensures that every row in a table represents something and can be identified
3. Foreign keys, if not null, must have values that correspond to the value of a primary key in another table
a) Referential integrity rule - foreign keys, which link rows in one table to rows in another table, must have values that correspond to the value of a primary key in the other table
4. All non-key attributes in a table must describe a characteristic of the object identified by the primary key
TWO APPROACHES TO DATABASE DESIGN
Normalization - data are initially stored in one large table. Rules are followed to decompose the initial table into a set of tables in third normal form (3NF), free from delete, insert, and update anomalies.
Semantic data modeling - an alternative design approach. Uses knowledge of business processes to create a diagram that shows what to include in a fully normalized database.

Advantages:
1. Facilitates the efficient design of transaction processing databases
2. Represents the organization's business processes and policies
QUERY 1 - what are the invoice numbers of all sales, and who was the salesperson for each sale?
QUERY 2 - how many televisions were sold in October?
QUERY 3 - what are the names and addresses of customers buying televisions in October?
QUERY 4 - what are the sales invoice numbers, dates, and invoice totals, arranged in descending order?
QUERY 5 - what are total sales by salesperson?
When starting with an unnormalized table, the steps in the normalization process are:
1. Remove all repeating groups of data to create 1NF
2. Remove partial dependencies (attributes dependent on only part of the primary key) to create 2NF
3. Remove all transitive dependencies (non-key attributes dependent on other non-key attributes) to create 3NF
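The chapter's design points worked through as an added example (not from the notes): the "one uniform table" layout reproduces the update, delete and insert anomalies, and the 3NF set of tables enforces the entity and referential integrity rules and answers QUERY 2 and QUERY 5. It uses Python's built-in sqlite3 module; every table, column name and sample row is constructed for this example.

```python
"""Relational-database design from chapter 4: the "one uniform table" layout and
its anomalies, then the 3NF set of tables with the entity and referential integrity
rules enforced, answering QUERY 2 and QUERY 5. All names and values are constructed."""
import sqlite3

# 1. One uniform table: customer data is repeated on every invoice line.
FLAT_DDL = """CREATE TABLE flat_sales (
    invoice_no INTEGER NOT NULL, item_no TEXT NOT NULL, description TEXT NOT NULL,
    unit_price REAL NOT NULL, qty INTEGER NOT NULL, cust_no INTEGER NOT NULL,
    cust_name TEXT NOT NULL, cust_city TEXT NOT NULL,
    PRIMARY KEY (invoice_no, item_no))"""
FLAT_ROWS = [  # constructed sample data
    (1001, "TV42", "42in television", 400.0, 2, 10, "Zyx Co", "Manila"),
    (1002, "TV42", "42in television", 400.0, 1, 10, "Zyx Co", "Manila"),
    (1003, "DRY300W05", "Low-end white dryer", 300.0, 1, 11, "Abc Inc", "Cebu"),
]

def flat_anomalies():
    """Reproduce the update, delete and insert anomalies on the flat table."""
    db = sqlite3.connect(":memory:")
    db.execute(FLAT_DDL)
    db.executemany("INSERT INTO flat_sales VALUES (?,?,?,?,?,?,?,?)", FLAT_ROWS)
    # Update anomaly: the city is stored once per line, so changing one copy
    # leaves customer 10 with two different cities.
    db.execute("UPDATE flat_sales SET cust_city = 'Davao' WHERE invoice_no = 1001")
    cities = {r[0] for r in db.execute("SELECT DISTINCT cust_city FROM flat_sales WHERE cust_no = 10")}
    # Delete anomaly: removing Abc Inc's only invoice erases the customer too.
    db.execute("DELETE FROM flat_sales WHERE invoice_no = 1003")
    abc_rows = db.execute("SELECT COUNT(*) FROM flat_sales WHERE cust_no = 11").fetchone()[0]
    # Insert anomaly: a new customer cannot be stored without an invoice,
    # because invoice_no is part of the primary key and may not be NULL.
    try:
        db.execute("INSERT INTO flat_sales (item_no, description, unit_price, qty, cust_no, "
                   "cust_name, cust_city) VALUES ('-', '-', 0, 0, 12, 'New Co', 'Iloilo')")
        insert_blocked = False
    except sqlite3.IntegrityError:
        insert_blocked = True
    return {"cities_for_cust_10": cities, "abc_rows_left": abc_rows,
            "insert_blocked": insert_blocked}

# 2. The solution: a set of tables in third normal form.
NORMALISED_DDL = """
CREATE TABLE customer (cust_no INTEGER PRIMARY KEY NOT NULL, name TEXT NOT NULL, city TEXT NOT NULL);
CREATE TABLE salesperson (emp_no INTEGER PRIMARY KEY NOT NULL, name TEXT NOT NULL);
CREATE TABLE inventory (item_no TEXT PRIMARY KEY NOT NULL, description TEXT NOT NULL, unit_price REAL NOT NULL);
CREATE TABLE sales (                                        -- invoice header
    invoice_no INTEGER PRIMARY KEY NOT NULL,                -- entity integrity rule
    inv_date TEXT NOT NULL,
    cust_no INTEGER NOT NULL REFERENCES customer(cust_no),  -- referential integrity rule
    emp_no INTEGER NOT NULL REFERENCES salesperson(emp_no));
CREATE TABLE sales_inventory (        -- line items: the repeating group moved out (1NF)
    invoice_no INTEGER NOT NULL REFERENCES sales(invoice_no),
    item_no TEXT NOT NULL REFERENCES inventory(item_no),
    qty INTEGER NOT NULL,
    PRIMARY KEY (invoice_no, item_no));
"""

def build_normalised_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when asked
    db.executescript(NORMALISED_DDL)
    db.executemany("INSERT INTO customer VALUES (?,?,?)",
                   [(10, "Zyx Co", "Manila"), (11, "Abc Inc", "Cebu")])
    db.executemany("INSERT INTO salesperson VALUES (?,?)", [(1, "Ana"), (2, "Ben")])
    db.executemany("INSERT INTO inventory VALUES (?,?,?)",
                   [("TV42", "42in television", 400.0), ("DRY300W05", "Low-end white dryer", 300.0)])
    db.executemany("INSERT INTO sales VALUES (?,?,?,?)",  # invoice_no, date, cust_no, emp_no
                   [(1001, "2023-10-03", 10, 1), (1002, "2023-10-15", 10, 2),
                    (1003, "2023-10-20", 11, 1), (1004, "2023-11-02", 11, 2)])
    db.executemany("INSERT INTO sales_inventory VALUES (?,?,?)",
                   [(1001, "TV42", 2), (1002, "TV42", 1), (1003, "DRY300W05", 1), (1004, "TV42", 3)])
    return db

def referential_integrity_enforced(db):
    """An invoice for a customer number that does not exist must be rejected."""
    try:
        db.execute("INSERT INTO sales VALUES (1005, '2023-10-30', 99, 1)")
        return False
    except sqlite3.IntegrityError:
        return True

def televisions_sold_in_october(db):  # QUERY 2
    return db.execute("""
        SELECT COALESCE(SUM(si.qty), 0)
        FROM sales s JOIN sales_inventory si ON si.invoice_no = s.invoice_no
                     JOIN inventory i ON i.item_no = si.item_no
        WHERE i.description LIKE '%television%' AND strftime('%m', s.inv_date) = '10'
    """).fetchone()[0]

def total_sales_by_salesperson(db):  # QUERY 5
    rows = db.execute("""
        SELECT sp.name, SUM(si.qty * i.unit_price)
        FROM sales s JOIN salesperson sp ON sp.emp_no = s.emp_no
                     JOIN sales_inventory si ON si.invoice_no = s.invoice_no
                     JOIN inventory i ON i.item_no = si.item_no
        GROUP BY sp.name""")
    return {name: total for name, total in rows}
```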
CHAPTER 5 : Computer Fraud
Four types of AIS threats
a) Natural and political disasters - fire, floods, earthquakes, hurricanes
b) Software errors and equipment malfunctions - OS crashes, hardware failure, power outages
c) Unintentional acts - accidents, innocent errors, omissions
d) Intentional acts - computer crime, fraud, sabotage (destroying or harming a system)
Cookie - a text file created by a website and stored on a visitor's hard drive.
Fraud - gaining an unfair advantage over another person. There must be:
1. A false statement
2. About a material fact
3. Intent to deceive
4. Justifiable reliance
5. Injury or loss
White-collar criminals - fraud perpetrators who resort to trickery; their crimes involve a violation of trust
Corruption - dishonest conduct by those in power that involves illegitimate actions.
Investment fraud - misrepresenting or leaving out facts in order to promote an investment
Misappropriation of assets - theft of company assets by employees. Important elements are:
1. Gains the trust of the entity
2. Uses trickery or false information
3. Conceals the fraud
4. Rarely terminates the fraud
5. Sees how easy it is to get the money
6. Spends the ill-gotten gains
7. Gets greedy and takes larger amounts
8. Grows careless as time passes
Fraudulent financial reporting - reckless conduct that results in materially misleading financial statements. 4 actions to reduce it:
1. Establish an organizational environment
2. Identify and understand the factors
3. Assess the risk
4. Design and implement internal controls
SAS NO. 99, CONSIDERATION OF FRAUD IN A FINANCIAL STATEMENT AUDIT: THE AUDITOR'S RESPONSIBILITY TO DETECT FRAUD
1. Understand fraud
2. Discuss the risks
3. Obtain information
4. Identify, assess, and respond to risks
5. Evaluate the results
6. Document and communicate findings
7. Incorporate a technology focus
The Fraud Triangle
1. Employee pressure - the incentive or motivation for committing fraud.
a) Financial pressure - motivates misappropriation frauds by employees
b) Emotional pressure - strong feelings of resentment or of having been treated unfairly
c) Lifestyle pressure - to support a gambling, drug, or alcohol addiction
2. Opportunity - the condition that allows a person to commit and conceal a dishonest act and convert it to personal gain. Allows the perpetrator to:
a) Commit the fraud
b) Conceal the fraud
i. Lapping scheme - concealing a theft through a series of delays in posting collections
ii. Check kiting - creating cash using the lag between the time a check is deposited and the time it clears the bank
c) Convert the theft or misrepresentation to personal gain
3. Rationalization - allows perpetrators to justify their illegal behavior. Rationalization triad:
a) Justification - "I only took what they owed me"
b) Attitude - "the rules do not apply to me"
c) Lack of personal integrity - "getting what I want is more important than being honest"
Computer fraud - fraud that requires computer technology to perpetrate it. Time magazine labeled it a growth industry.
Reasons why it is increasing rapidly:
1. Not everyone agrees on what constitutes computer fraud
2. Many instances of computer fraud go undetected
3. A high percentage of frauds is not reported
4. Many networks are not secure
5. Internet sites offer step-by-step instructions on how to perpetrate computer fraud and abuse
6. Law enforcement cannot keep up with the growth of computer fraud
7. Calculating losses is difficult
COMPUTER FRAUD CLASSIFICATIONS
Processor fraud - unauthorized system use, including theft of computer time and services
Input fraud - the simplest way to commit computer fraud is to alter or falsify computer input
Computer instructions fraud - tampering with company software, copying software illegally
Data fraud - illegally using, copying, browsing, searching, or harming company data; the cause is often employee negligence
Output fraud - printed or displayed output can be stolen, copied, or misused

CHAPTER 6 : Computer Fraud and Abuse Techniques
Hacking - unauthorized access, modification, or use of an electronic device
Hijacking - gaining control of a computer to carry out illicit activities without the user's knowledge. Ex: sending spam
Botnet - short for robot network; a powerful network of hijacked computers, called zombies, that are used to attack systems or spread malware
Bot herders - the people who install software that responds to the bot herder's electronic instructions
Denial-of-service (DoS) attack - designed to make a resource unavailable to its users. Ex: the attacker sends so many e-mail bombs, from randomly generated false addresses, that the resource is overwhelmed
Spamming - simultaneously sending the same unsolicited message to many people at the same time
Dictionary attacks - also called direct harvesting attacks; also staged by spammers. They use software to guess e-mail addresses at a company and send blank e-mail messages to them.
Blog - short for web log; a website containing online journals or commentary. Hackers create splogs (spam blogs) with links to websites they own to increase their Google page rank.
Spoofing - making an electronic communication look as if someone else sent it, in order to gain the recipient's trust
- E-mail spoofing - making the sender address appear as if the e-mail originated from a different source
- Caller ID spoofing - displaying an incorrect number on the recipient's caller ID to hide the caller's identity
- IP address spoofing - using a forged IP address to hide the sender's identity
- Address resolution protocol (ARP) spoofing - sending fake ARP messages to an Ethernet LAN. ARP determines a network host's hardware address when only its IP address is known.
- MAC address - a media access control address uniquely identifies each node on a network
- Man-in-the-middle attack - the attacker intercepts the traffic and can modify the data before passing it on
- SMS spoofing - using the short message service to change the name or number a text message appears to come from
- Web-page spoofing - also called phishing
- DNS spoofing - sniffing the ID of a Domain Name System (the phonebook of the internet) request
Zero-day attack (zero-hour attack) - an attack between the time a new software vulnerability is discovered and the time a patch is released
Patch - code released by software developers that fixes a particular software vulnerability
- Patch Tuesday - the day patches are released; cybercrooks time new attacks around it
- Zero-day Wednesday - the term that describes this strategy

Cross-site scripting (XSS) - a vulnerability in dynamic web pages that allows an attacker to bypass
Buffer overflow attack - the amount of data entered is greater than the size of the input buffer. Attackers exploit this by crafting the input so that the overflow contains code that tells the computer what to do next. It could open a backdoor into the system.
SQL injection (insertion) attack - convincing the application to run SQL code that it was not intended to run
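The SQL injection weakness and its fix, as an added example that is not part of the notes: the same login lookup written with user input pasted into the SQL text, and with a parameterised query, run against a constructed users table (table, accounts and function names are assumptions of this example). It uses Python's built-in sqlite3 module.

```python
"""SQL injection from chapter 6: the vulnerable lookup beside the hardened one.
The users table, the two accounts and the names are constructed for this example."""
import sqlite3

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    # Plaintext passwords only to keep the example short; a real system stores hashes.
    db.executemany("INSERT INTO users VALUES (?,?)", [("alice", "s3cret"), ("bob", "hunter2")])
    return db

def lookup_vulnerable(db, username, password):
    """Input becomes part of the SQL text, so a quote in the input can change the
    statement's structure: the application runs SQL it never intended to run."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "' ORDER BY username")
    return [row[0] for row in db.execute(sql)]

def lookup_safe(db, username, password):
    """The SQL text is fixed; the driver passes the values separately, so the
    input is only ever compared as data and cannot alter the query."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ? ORDER BY username"
    return [row[0] for row in db.execute(sql, (username, password))]

# The classic test string used when checking a login form for this weakness:
# it makes the pasted-in WHERE clause always true in the vulnerable version,
# and is just a wrong password in the safe one.
PROBE = "' OR '1'='1"
```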
Man-in-the-middle attack - a hacker places himself between a client and a host to intercept communications between them
Masquerading/impersonation - pretending to be an authorized user; possible when the attacker knows the user's ID and password
Piggybacking - (1) tapping into a communications line, (2) using a neighbor's Wi-Fi network, or (3) an unauthorized person following an authorized person through a secure door, bypassing physical access controls
Password cracking - recovering passwords in order to penetrate a system's defenses
War dialing - programming a computer to dial thousands of phone lines searching for dial-up modem lines
War driving - driving around looking for unprotected home or corporate wireless networks
War rocketing - using rockets to let loose wireless access points attached to parachutes
Phreaking - attacking phone systems to obtain free phone line access
Data diddling - changing data before or during entry into a computer
Data leakage - unauthorized copying of company data, without leaving any indication that it was copied
Podslurping - using a small device with storage capacity to copy company data
Salami technique - stealing tiny slices of money from many different accounts
Round-down fraud - rounding down all interest calculations to two decimal places; a salami technique applied to the fractions of a cent left over
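The control side of the round-down fraud, as an added example that is not from the notes: an interest-posting run is recomputed independently with the approved rounding rule, so truncated fractions of a cent surface as accounts posted short and as a one-directional variance. Balances, the rate and the function names are constructed for this example.

```python
"""Round-down fraud from chapter 6: a reconciliation control that recomputes an
interest-posting run. Balances, rate and account names are constructed."""
from decimal import Decimal, ROUND_HALF_UP, ROUND_DOWN

CENT = Decimal("0.01")
RATE = Decimal("0.004")  # constructed monthly interest rate (0.4 %)
BALANCES = {              # constructed account balances
    "A-100": Decimal("1234.56"),   # 4.93824  -> 4.94 correct, 4.93 truncated
    "A-101": Decimal("987.65"),    # 3.95060  -> 3.95 either way
    "A-102": Decimal("1999.99"),   # 7.99996  -> 8.00 correct, 7.99 truncated
    "A-103": Decimal("20000.00"),  # 80.00000 -> 80.00 either way
}

def interest(balance, rounding):
    """Interest on one balance, rounded to the cent with the given rule."""
    return (balance * RATE).quantize(CENT, rounding=rounding)

def post_interest(rounding):
    """What a posting run credits to each account. ROUND_HALF_UP is the approved
    policy; ROUND_DOWN is the truncation the round-down fraud relies on."""
    return {acct: interest(bal, rounding) for acct, bal in BALANCES.items()}

def reconcile(posted):
    """Control: recompute every account with the approved rounding and compare.
    Random keying errors scatter in both directions; systematic truncation only
    ever leaves accounts short, so that pattern is flagged as suspicious."""
    expected = post_interest(ROUND_HALF_UP)
    short = [a for a in BALANCES if posted[a] < expected[a]]
    never_over = all(posted[a] <= expected[a] for a in BALANCES)
    variance = sum(expected.values()) - sum(posted.values())
    return {"accounts_short": len(short), "variance": variance,
            "suspicious": bool(short) and never_over}
```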
Economic espionage - theft of information, trade secrets, and intellectual property
Cyber extortion - threatening to harm a company if a specified amount of money is not paid
Cyber bullying - using technology to support deliberate, repeated, and hostile behavior that torments or harasses a person
Sexting - exchanging sexually explicit text messages and revealing pictures
Internet terrorism - using the internet to disrupt electronic commerce and harm computers
Internet misinformation - using the internet to spread false or misleading information
E-mail threats - threats sent by e-mail that require some follow-up action
Internet auction fraud - using an auction site to defraud another person
Internet pump-and-dump fraud - using internet to pump up the price of a stock then sell it
Click fraud - manipulating the number of times an ad is clicked
Web cramming - offers free website for a month
Software piracy - unauthorized copying or distribution of copyrighted software
Software engineering - techniques or psychological tricks used to get people to comply with
the perpetrator’s wishes in order to gain physical or logical access to a building
Seven human traits that social engineers exploit (Cisco)
1. Compassion - the desire to help others who present themselves as needing help
2. Greed - people cooperate if they get something free or think they are getting a once-in-a-lifetime deal
3. Sex appeal - people cooperate more readily with someone who is flirtatious or viewed as "hot"
4. Sloth - few people want to do things the hard way, and fraudsters take advantage of lazy habits
5. Trust - people cooperate with those who gain their trust
6. Urgency - an immediate need that must be met leads people to be more cooperative
7. Vanity - people cooperate when told they are going to be more popular or successful
SOCIAL ENGINEERING TECHNIQUES
Identity theft - assuming someone's identity, usually for economic gain, by illegally obtaining and using confidential information such as a Social Security number or bank account number
Pretexting - using an invented scenario (the pretext) that creates legitimacy in the target's mind in order to increase the likelihood that the victim will divulge information or do something
Posing - creating a seemingly legitimate business, collecting personal information while making a sale, and never delivering the product
Phishing - sending an electronic message pretending to be from a legitimate company, usually a financial institution, requesting information or verification and often warning of a consequence if it is not provided. The request is bogus
Spear phishing - a targeted version of phishing aimed at specific people or organizations
Vishing - voice phishing: the victim is told to call a phone number and enters confidential data by phone
Carding - activities performed on stolen credit cards, including making a small online purchase to check whether the card is still valid, and buying and selling stolen card numbers
Pharming - redirecting website traffic to a spoofed website
Evil twin - a wireless network with the same name (service set identifier, or SSID) as a legitimate wireless access point; users connect to it and the attacker monitors their traffic
Typosquatting/URL hijacking - setting up similarly named websites so that users who make typographical errors land on the attacker's site
QR barcode replacement - covering valid quick response codes with stickers containing a replacement QR code that sends the user to a malicious site
Tabnabbing - secretly changing an already opened browser tab so that it resembles a login page and captures the credentials the user re-enters
Scavenging/dumpster diving - searching documents and records to gain access to confidential information, including searching garbage cans, communal trash bins, and city dumps
Shoulder surfing - looking over a person's shoulder in a public place to see, for example, the PIN entered at an ATM
Lebanese looping - inserting a sleeve into an ATM that keeps it from ejecting the card; the perpetrator pretends to help the victim and tricks them into re-entering the PIN, then removes the card once the victim leaves
Skimming - double-swiping a credit card in a legitimate terminal, or covertly swiping it in a small hidden card reader that records the card data
Chipping - planting a small chip or device in a legitimate credit card reader that records transaction data for later retrieval
Eavesdropping - listening to private communications or tapping into data transmissions
TYPES OF MALWARE
Malware - any software that is used to do harm
Spyware - software that secretly monitors and collects personal information about users and sends it to someone else
Adware - spyware that pops banner ads on a monitor, collects information about the user's web-surfing and spending habits, and forwards it to the adware creator
Torpedo software - software that destroys competing malware, resulting in "malware warfare" between developers
Scareware - software, usually with little or no benefit, that is sold using scare tactics
Ransomware - software that encrypts programs and data until a ransom is paid to remove it
Keylogger - software that records computer activity, such as a user's keystrokes, emails sent and received, websites visited, and chat sessions
Trojan horse - a set of unauthorized computer instructions hidden in an authorized and otherwise properly functioning program
Time bomb/logic bomb - a program that lies idle until triggered by a specified date or time, or by some other circumstance
Trap door/back door - a set of instructions that allows a user to bypass the system's normal controls
Packet sniffers - programs that capture data from information packets as they travel over networks
Steganography - a program that can merge confidential information with a seemingly harmless file, so that the file looks ordinary
Rootkits - software that conceals processes, files, network connections, and other system components and malware from the operating system and other programs
Superzapping - unauthorized use of special system programs to bypass regular system controls and perform illegal acts; the superzap utility was originally written to handle emergencies, such as restoring a system that has crashed
Virus - a segment of executable code that attaches itself to a file, program, or some other executable system component
Worm - similar to a virus, except that it is a program rather than a code segment hidden in a host program; a worm also copies itself automatically and actively transmits itself to other systems
Bluesnarfing - stealing (snarfing) contact lists, images, and other data using Bluetooth
Bluebugging - taking control of someone else's phone to make or listen to calls, send or read text messages, or connect to the internet
CHAPTER 7 : Control and Accounting Information Systems
Threat/event - any potential adverse occurrence or unwanted event that could injure the AIS or the organization
Exposure/impact - the potential dollar loss from a threat
Likelihood - the probability that the threat will happen
Internal controls - the processes and procedures implemented to provide reasonable assurance that the following control objectives are met:
1. Safeguard assets
2. Maintain records in sufficient detail to report company assets accurately and fairly
3. Provide accurate and reliable information
4. Prepare financial reports in accordance with established criteria
5. Promote and improve operational efficiency
6. Encourage adherence to prescribed managerial policies
7. Comply with applicable laws and regulations
Functions of internal controls:
1. Preventive controls - deter problems before they arise
2. Detective controls - discover problems that were not prevented
3. Corrective controls - identify and correct problems, and correct and recover from the resulting errors
Internal controls are segregated into:
1. General controls - make sure an organization's information system and control environment are stable and well managed
2. Application controls - prevent, detect, and correct transaction errors and fraud in application programs
Four levers of control (Robert Simons) to help management reconcile the conflict between creativity and controls:
1. Belief system - describes how the company creates value and helps employees understand management's vision
2. Boundary system - helps employees act ethically by setting boundaries on behaviour
3. Diagnostic control system - measures, monitors, and compares actual progress to budgets and performance goals
4. Interactive control system - helps managers focus attention on key strategic issues
Foreign Corrupt Practices Act (FCPA) - passed to prevent companies from bribing foreign officials to obtain business; it also requires companies to maintain good systems of internal accounting control
Sarbanes-Oxley Act of 2002 (SOX) - intended to prevent financial statement fraud, make financial reports more transparent, protect investors, strengthen internal controls, and punish executives who commit fraud
Aspects of SOX 2002:
1. Public Company Accounting Oversight Board (PCAOB) - created to control the auditing profession
2. New rules for auditors
3. New rules for audit committees
4. New rules for management
5. New internal control requirements
Control Frameworks
1. COBIT FRAMEWORK - Control Objectives for Information and Related Technology is a security and control framework that allows:
a) Management to benchmark the security and control practices of IT environments
b) Users to be assured that adequate IT security and controls exist
c) Auditors to substantiate their internal control opinions and advise on IT security and control matters
Five key principles of COBIT 5:
1. Meeting stakeholder needs
2. Covering the enterprise end-to-end
3. Applying a single, integrated framework
4. Enabling a holistic approach
5. Separating governance from management
Four management domains of COBIT 5 (alongside the governance domain Evaluate, Direct, and Monitor, EDM):
1. Align, plan, and organize (APO)
2. Build, acquire, and implement (BAI)
3. Deliver, service, and support (DSS)
4. Monitor, evaluate, and assess (MEA)
2. COSO'S INTERNAL CONTROL FRAMEWORK - the Committee of Sponsoring Organizations is a private-sector group consisting of the American Accounting Association, the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives Institute
a) Internal Control-Integrated Framework (IC) - issued by COSO and widely accepted as the authority on internal controls; it is incorporated into the policies, rules, and regulations used to control business activities
FIVE COMPONENTS AND 17 PRINCIPLES OF COSO'S INTERNAL CONTROL MODEL
I. Control environment - the foundation for all the other components
1. Commitment to integrity and ethical values
2. Internal control oversight by the board of directors, independent of management
3. Structures, reporting lines, and appropriate authorities and responsibilities
4. Commitment to attract, develop, and retain competent individuals
5. Holding individuals accountable for their internal control responsibilities
II. Risk assessment - the company must identify, analyze, and manage its risks
1. Specifying objectives clearly enough that risks can be identified and assessed
2. Identifying and analyzing risks to the achievement of objectives
3. Considering the potential for fraud
4. Identifying and assessing changes that could significantly affect internal control
III. Control activities - the policies and procedures that help ensure the actions identified as necessary to address risks are carried out
1. Selecting and developing control activities that mitigate risks
2. Selecting and developing general controls over technology
3. Deploying control activities through policies and procedures
IV. Information and communication - capture and exchange the information needed to conduct, manage, and control operations
1. Obtaining or generating relevant, high-quality information
2. Internally communicating information, including objectives and responsibilities
3. Communicating relevant internal control matters to external parties
V. Monitoring - the entire internal control system is monitored and modifications are made as needed
1. Selecting, developing, and performing ongoing and/or separate evaluations
2. Evaluating and communicating internal control deficiencies in a timely manner
3. COSO'S ENTERPRISE RISK MANAGEMENT (ERM) FRAMEWORK - improves the risk management process by expanding (adding three elements to) COSO's internal control framework
Basic principles:
I. Companies are formed to create value for their owners
II. Management must decide how much uncertainty it will accept as it creates value
III. Uncertainty results in risk (the possibility that something negatively affects the company's ability to create or preserve value)
IV. Uncertainty results in opportunity (the possibility that something positively affects the company's ability to create or preserve value)
V. The ERM framework can manage uncertainty as well as create and preserve value
8 COSO ERM COMPONENTS
1. INTERNAL ENVIRONMENT - the company culture; it influences how organizations establish strategies and objectives, structure business activities, and identify, assess, and respond to risk. It consists of:
1. Management's philosophy, operating style, and risk appetite
2. Commitment to integrity, ethical values, and competence
3. Internal control oversight by the board of directors
4. Organizational structure
5. Methods of assigning authority and responsibility
6. Human resource standards that attract, develop, and retain competent individuals
7. External influences
Risk appetite - the amount of risk a company is willing to accept to achieve its goals and objectives
Audit committee - the outside, independent board of director members responsible for financial reporting, regulatory compliance, internal control, and hiring and overseeing the internal and external auditors
Organizational structure - provides a framework for planning, executing, controlling, and monitoring operations. Important aspects are:
1. Centralization or decentralization of authority
2. A direct or matrix reporting relationship
3. Organization by industry, product line, location, or marketing network
4. How the allocation of responsibility affects information requirements
5. Organization of, and lines of authority for, the accounting, auditing, and information system functions
6. Size and nature of company activities
Policy and procedures manual - explains proper business practices, describes the knowledge and experience needed by key personnel, spells out the policies for handling specific transactions, and lists the resources provided to carry out specific duties
Human resource standards:
1. Hiring - including background checks: talking to references, checking for a criminal record, examining credit records, and verifying education and work experience
2. Compensating, evaluating, and promoting
3. Training
4. Managing disgruntled employees
5. Discharging - dismissed employees should be removed from sensitive jobs immediately and denied access to the information system
6. Vacations and rotation of duties
7. Confidentiality agreements and fidelity bond insurance
8. Prosecute and incarcerate perpetrators
2. OBJECTIVE SETTING - what the company hopes to achieve
a) Strategic objectives - high-level goals aligned with and supporting the company's mission
b) Operations objectives - deal with the effectiveness and efficiency of company operations
c) Reporting objectives - help ensure the accuracy, completeness, and reliability of company reports
d) Compliance objectives - help the company comply with all applicable laws and regulations
3. EVENT IDENTIFICATION - an event is an incident or occurrence emanating from internal or external sources that affects the implementation of strategy or the achievement of objectives
4. RISK ASSESSMENT AND RISK RESPONSE
a) Inherent risk - the susceptibility of a set of accounts or transactions to significant control problems in the absence of internal control
b) Residual risk - the risk that remains after management implements internal controls or some other response to risk
c) Management can respond to risk in four ways:
i. Reduce - implement an effective system of internal controls
ii. Accept - take no action to prevent or reduce the risk
iii. Share - transfer some of it to others (insurance, outsourcing, hedging)
iv. Avoid - do not engage in the activity that produces the risk
d) Risk assessment and response strategy:
i. Event identification
ii. Estimate likelihood
iii. Estimate impact
iv. Identify controls
v. Estimate the costs and benefits
vi. Determine cost/benefit effectiveness
vii. Implement the control, or accept, share, or avoid the risk
5. CONTROL ACTIVITIES - policies, procedures, and rules that provide reasonable assurance that control objectives are met and risk responses are carried out
a) Control activities fall into the following categories:
I. Proper authorization of transactions and activities
II. Segregation of duties
III. Project development and acquisition controls
IV. Change management controls
V. Design and use of documents and records
VI. Safeguarding assets, records, and data
VII. Independent checks on performance
b) The specific control activities:
1. Proper authorization of transactions and activities
I. Authorization - establishing policies for employees to follow and then empowering them to perform certain organizational functions. Authorizations are often documented by signing, initialing, or entering an authorization code on a document or record
II. Digital signature - a means of electronically signing a document with data that cannot be forged
III. Specific authorization - special approval an employee needs in order to be allowed to handle a particular transaction
IV. General authorization - authorization to handle routine transactions without special approval
2. Segregation of accounting duties - no single employee should be given too much responsibility; effective segregation separates:
I. Authorization - approving transactions and decisions
II. Recording - preparing source documents, entering data into online systems, maintaining journals, ledgers, files, or databases, and preparing reconciliations and performance reports
III. Custody - handling cash, tools, inventory, or fixed assets; receiving incoming customer checks; writing checks
IV. Collusion - cooperation between two or more people in an effort to thwart internal controls; segregation of duties does not protect against it
3. Segregation of systems duties - implementing control procedures to clearly divide authority and responsibility within the information system function
a) Dividing it into 10 functions:
i. System administration - making sure all information system components operate smoothly and efficiently
ii. Network management - ensuring devices are linked to the organization's internal and external networks and that those networks operate properly
iii. Security management - making sure systems are secure and protected from internal and external threats
iv. Change management - making sure changes are made smoothly and efficiently and do not negatively affect systems reliability, security, confidentiality, integrity, and availability
v. Users - record transactions, authorize data to be processed, and use system output
vi. Systems analysis - helping users determine their information needs and designing systems to meet those needs
vii. Programming - taking the analysts' design and developing, coding, and testing computer programs
viii. Computer operations - running the software on the company's computers
ix. Information system library - maintaining custody of corporate databases, files, and programs
x. Data control - ensuring that source data have been properly approved, monitoring the flow of work, reconciling input and output, maintaining a record of input errors, and distributing systems output
b) Project development and acquisition controls
i. Steering committee - guides and oversees systems development and acquisition
ii. Strategic master plan - a multiple-year plan that lays out the projects the company must complete to achieve its long-range goals
iii. Project development plan - shows the tasks to be performed, who will perform them, the cost, and how the project will be completed
1. Project milestones - significant points at which progress is reviewed and actual and estimated completion times are compared
iv. Data processing schedule - shows when each data processing task should be performed
v. System performance measurements - ways to evaluate and assess a system:
1. Throughput - output per unit of time
2. Utilization - the percentage of time the system is used
3. Response time - how long it takes for the system to respond
vi. Postimplementation review - performed after a development project is complete to determine whether the anticipated benefits were achieved
Systems integrator - an outside party hired to manage a company's systems development effort involving its own personnel, its client, and other vendors.
c) Change management controls
d) Design and use of documents and records - help ensure accurate and complete
data
e) Safeguard assets, records, and data
f) Independent checks on performance
i. Top-level reviews - management monitors company results and periodically compares actual performance to (1) planned performance; (2) prior-period performance; (3) competitors' performance
ii. Analytical reviews - examination of the relationships between diff set of data
iii. Reconciliation of independently maintained records
iv. Comparison of actual quantities with recorded amounts
v. Double entry accounting
vi. Independent review
6. INFORMATION AND COMMUNICATION - the information system should capture and exchange the information needed to conduct, manage, and control operations.
a) Primary purpose is to gather, record, process, store, summarize, and communicate
b) audit trail - allows transaction to be traced through a data processing system
7. MONITORING
a) Key methods of monitoring performance:
i. Perform internal control evaluations - internal control effectiveness is measured using a formal or a self-assessment evaluation
ii. Implement effective supervision - involves training and assisting employees, monitoring their performance, correcting errors, and overseeing employees who have access to assets
iii. Use responsibility accounting systems - include budgets, quotas, schedules, standard costs, and quality standards; reports comparing actual and planned performance; and procedures for investigating and correcting significant variances
iv. Monitor system activities
v. Track purchased software and mobile devices - the Business Software Alliance (BSA) tracks down and fines companies that violate software license agreements
vi. Conduct periodic audits
vii. Employ a computer security officer (CSO) and a chief compliance officer (CCO)
1. CSO - in charge of system security, independent of the information system function, and reports to the COO or CEO; monitors the system, disseminates information about improper system uses and their consequences, and works with outside auditors
2. CCO - responsible for all the compliance tasks associated with SOX and other laws and regulatory rulings
viii. Engage forensic specialists
1. Forensic investigators - individuals who specialize in fraud, most of whom have specialized training with law enforcement agencies
2. Computer forensics specialists - computer experts who discover, extract, safeguard, and document computer evidence
ix. Install fraud detection software
1. Neural networks - computing systems that imitate the brain's learning process by using a network of interconnected processors that perform multiple operations simultaneously and interact dynamically
x. Implement a fraud hotline
1. Fraud hotline - a phone number employees can call to anonymously report fraud and abuse
CHAPTER 8 : CONTROLS FOR INFORMATION SECURITY
I. Trust Services Framework
 - Trust Services Framework was developed jointly by the AICPA and the CICA to provide
guidance for assessing the reliability of information systems.
 - This framework organises IT-related controls into 5 principles:
 Security - Access to system and data is controlled and restricted to legitimate users
 Confidentiality - Sensitive organizational data is protected
 Privacy - information about trading partners, investors, and employees are protected
 Processing integrity - Data are processed accurately, completely, in a timely manner,
and only with proper authorization
 Availability - System and information are available
II. Two Fundamental Information Security Concepts
1. Security Life Cycle - Security is a management issue, not just a technology issue:
 Assess threats and select risk response
 Develop and communicate policy
 Acquire and implement solutions
 Monitor performance
2. Security Approaches
 Defense-in-depth: multiple layers of control (preventive, detective, and corrective) to avoid a single point of failure
 Time-based model: security is effective if P > D + C,
 where P is the time it takes an attacker to break through the organisation's preventive controls,
 D is the time it takes to detect that an attack is in progress, and
 C is the time it takes to respond to the attack and take corrective action.
 If P > D + C holds, the organisation's information security procedures are effective: the attack is detected and stopped before the preventive controls are breached. Otherwise, security is ineffective.
III. Understanding Targeted Attacks
 Untargeted (random) attacks, such as viruses, worms, natural disasters, hardware failures, and human errors, are distinguished from targeted attacks, in which criminals deliberately go after a specific organisation's information system.
 Basic steps criminals use to attack an organisation’s information system:
1. Conduct reconnaissance (Reconnaissance: Military observation of a region to locate an
enemy or ascertain strategic features)—criminals will try to learn as much as possible
about the target and to identify potential vulnerabilities.
2. Attempt social engineering (Social engineering: Using deception to obtain unauthorised
access to information resources)—criminals will use deception to try and “trick” an
unsuspecting employee into granting them access.
a) Example: Social engineering attacks often take place over the phone. One
common technique is for the attacker to impersonate an executive who cannot obtain
remote access to important files. Another common ruse (an action intended to
deceive someone; a trick) is for the attacker to pose as a clueless temporary worker
who cannot log onto the system and calls the help desk for assistance.
- Spear phishing: sending e-mails purportedly from someone that the victim knows.
The spear phishing e-mail asks the victim to click on an embedded link or open an
attachment. If the recipient does so, a Trojan horse program is executed.
 - Another social engineering tactic is to spread USB drives in the targeted
organisation’s parking lot. An unsuspecting or curious employee who picks up the
drive and plugs it into their computer will load a Trojan horse program that
enables the attacker to gain access to the system.
3. Scan and map the target—the attacker uses a variety of automated tools to identify
computers that can be remotely accessed and the types of software they are running.
4. Research—attackers conduct research to find known vulnerabilities for those programs
and learn how to take advantage of those vulnerabilities.
5. Execute the attack—criminal takes advantage of a vulnerability to obtain unauthorized
access to the target’s information system.
6. Cover tracks—most attackers attempt to cover their tracks and create “back doors” that
they can use to obtain access if their initial attack is discovered and controls are
implemented to block that method of entry.
IV. How to Mitigate Risk of Attack
A. Preventive Controls
i. People:
 Creation of a "security-conscious" culture in which employees comply with organisational policies: top management must not only communicate the organisation's security policies but must also lead by example.
 Training:
 Follow safe computing practices:
 Never open unsolicited (not asked for; given or done voluntarily)
e-mail attachments.
 Use only approved software.
 Do not share passwords.
 Physically protect laptops/cell phones.
 Protect against social engineering.
ii. Process:
 Authentication: the process of verifying the identity of the person or device attempting to access the system. Three types of credentials can be used: something the person knows (passwords, PINs), something the person has (smart cards, ID badges), and some physical or behavioural characteristic (biometric identifiers such as fingerprints).
 Multifactor authentication: the use of two or more types of authentication credentials in conjunction to achieve a greater level of security.
 Multimodal authentication: the use of multiple authentication credentials of the same type to achieve a greater level of security.
 Both multifactor authentication and multimodal authentication are examples of applying the principle of defence-in-depth. However, multifactor authentication is stronger than multimodal because the credentials are independent of one another: compromising one (e.g. a phished password) does not compromise the other.
 Authorisation controls: Authorisation is the process of restricting access of
authenticated users to specific portions of the system and limiting what actions they
are permitted to perform.
 Compatibility test: matching the user’s authentication credentials against the
access control matrix (a table used to implement authorisation controls) to
determine whether that employee should be allowed to access that resource
and perform the requested action.
 Penetration test: An authorised attempt to break into the organisation’s information
system. This test is attempted by either an internal audit team or an external security
consulting firm to break into the organisation’s information system. Because there
are numerous potential attack vectors, penetration tests almost always succeed.
 Change controls and change management: The formal process used to ensure that
modifications to hardware, software, or processes do not reduce systems reliability.
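A worked example of the compatibility test described above, combined with the segregation-of-duties check from Chapter 7. It is added here as an illustration and is not code from the textbook or from these notes. The access control matrix, the user names, the resources and the mapping of actions onto the authorization, recording and custody duty categories are all constructed for the example; any (user, resource, action) combination not listed in the matrix is refused (default deny).

```python
"""Compatibility test against an access control matrix, plus a segregation-of-duties check.

Added example, not from the textbook notes. The matrix, users, resources and the
duty mapping below are constructed for illustration.
"""

# Duty categories from the segregation-of-duties discussion: no single user should
# hold more than one of these for the same process (here, purchasing).
AUTHORIZE, RECORD, CUSTODY = "authorize", "record", "custody"

# Access control matrix: (user, resource) -> set of permitted actions.
# Anything not listed is denied (default deny).
ACCESS_MATRIX = {
    ("alice", "purchase_orders"): {"read", "approve"},
    ("bob", "purchase_orders"): {"read", "create"},
    ("bob", "ap_ledger"): {"read", "post"},
    ("carol", "warehouse_inventory"): {"read", "issue"},
    ("dave", "purchase_orders"): {"read", "create", "approve"},   # constructed SoD problem
    ("dave", "warehouse_inventory"): {"read", "issue"},
}

# Which (resource, action) pairs confer which duty category; "read" confers none.
DUTY_OF = {
    ("purchase_orders", "approve"): AUTHORIZE,
    ("purchase_orders", "create"): RECORD,
    ("ap_ledger", "post"): RECORD,
    ("warehouse_inventory", "issue"): CUSTODY,
}


def compatibility_test(user: str, resource: str, action: str,
                       matrix: dict = ACCESS_MATRIX) -> bool:
    """Return True only if the matrix explicitly grants `action` on `resource` to `user`."""
    return action in matrix.get((user, resource), set())


def duties_held(user: str, matrix: dict = ACCESS_MATRIX) -> set:
    """Collect the duty categories that a user's permissions confer."""
    duties = set()
    for (u, resource), actions in matrix.items():
        if u != user:
            continue
        for action in actions:
            duty = DUTY_OF.get((resource, action))
            if duty:
                duties.add(duty)
    return duties


def sod_violations(matrix: dict = ACCESS_MATRIX) -> dict:
    """Users holding two or more incompatible duty categories, mapped to those duties."""
    violations = {}
    for user in {u for (u, _resource) in matrix}:
        duties = duties_held(user, matrix)
        if len(duties) > 1:
            violations[user] = sorted(duties)
    return violations
```

The segregation-of-duties check only finds a single user who holds incompatible duties; two users who collude, each holding one duty, pass it, which is why the notes treat collusion as a separate problem that segregation alone does not address.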
iii. IT Solutions:
 Antimalware controls: malware includes viruses, worms, keystroke-logging software, and similar code
 Recommendations to tackle malware:
 Network access controls:
 Perimeter Defence: Routers, Firewalls, and Intrusion prevention Systems
 Border Router: A device that connects an organisation’s information
system to the Internet.
 Firewall: a special-purpose hardware device, or software running on a general-purpose computer, that controls both inbound and outbound communication between the system behind the firewall and other networks.
 Demilitarised zone (DMZ):A separate network located outside the
organisation’s internal information system that permits controlled access
from the Internet to selected resources, such as the organisation’s e-
commerce web server.
 Routers:Special purpose devices that are designed to read the source and
destination address fields in IP packet headers to decide where to send
(route) the packet next.
 Controlling Access by Filtering Packets:
 Access Control Lists (ACLs): A set of IF-THEN rules used to determine
what to do with arriving packets.
 Packet filtering: A process that uses various fields in a packet’s IP
(Internet Protocol) and TCP (Transmission Control Protocol) headers to
decide what to do with the packet.
 Deep packet inspection: A process that examines the data in the body of
a TCP packet to control traffic, rather than looking only at the
information in the IP and TCP headers.
 Intrusion prevention systems (IPS): Software and hardware that monitors
patterns in the traffic flow to identify and automatically block attacks. A
network IPS consists of a set of sensors and a central monitor unit that
analyses the data collected. Sensors must be installed on each network
segment over which real-time monitoring is desired.
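The ACL, packet-filtering and deep-packet-inspection ideas above, as an added example that is not code from the textbook or these notes. The network layout, the rule set and the sample packets are constructed: 192.0.2.10 stands for the DMZ web server, 10.0.0.0/8 for the internal network and 203.0.113.0/24 for hosts on the Internet, and the two payload signatures are illustrative only.

```python
"""First-match packet filter driven by an IF-THEN access control list, with a
payload check standing in for deep packet inspection.

Added example, not from the textbook notes. Addresses, rules and sample packets
are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src_net: str
    dst_net: str
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        """IF the header fields fall inside this rule's conditions THEN the rule applies."""
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


# Ordered ACL on the border router's Internet-facing interface (constructed).
# A later rule never overrides an earlier match; anything unmatched is denied.
ACL = [
    Rule("permit", "0.0.0.0/0", "192.0.2.10/32", "tcp", 443),   # HTTPS to the DMZ web server
    Rule("permit", "0.0.0.0/0", "192.0.2.10/32", "tcp", 80),    # HTTP to the DMZ web server
    Rule("deny",   "0.0.0.0/0", "10.0.0.0/8"),                  # nothing inbound to the internal net
]


def filter_packet(pkt: Packet, acl=ACL) -> str:
    """Return 'permit' or 'deny' using first-match semantics and an implicit final deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"   # implicit deny: the ACL has to say yes explicitly


# Deep packet inspection: the header rules alone would permit this traffic, so
# look inside the TCP payload for byte patterns the headers cannot reveal.
DPI_SIGNATURES = (b"' OR 1=1", b"../../")


def inspect_payload(pkt: Packet, acl=ACL) -> str:
    """Header filtering first; then block permitted packets whose payload matches a signature."""
    verdict = filter_packet(pkt, acl)
    if verdict == "permit" and any(sig in pkt.payload for sig in DPI_SIGNATURES):
        return "deny"
    return verdict
```

The filter stops at the first matching rule, so rule order matters, and the implicit final deny is what turns the list into an allow-list rather than a block-list. Deep packet inspection is applied only to traffic the header rules already permit, and a payload that matches no signature passes, so the signature list has to be maintained.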
 Device and software hardening controls:
 Endpoints: Collective term for the workstations, servers, printers, and other
devices that comprise an organisation’s network.
 3 areas deserve special attention:
1. Endpoint configuration:
 Vulnerabilities: flaws in programs that can be exploited to either crash the system or take control of it. Default installations often turn on unnecessary features and extra services, each of which adds potential vulnerabilities.
 Vulnerability scanners: Automated tools designed to identify
whether a given system possesses any unused and unnecessary
programs that represent potential security threats.
 Exploit: A program designed to take advantage of a known
vulnerability.
 Patch: Code released by software developers that fixes a particular
vulnerability.
 Patch management: The process of regularly applying patches and
updates to software.
 Hardening: The process of modifying the default configuration of
endpoints to eliminate unnecessary settings and services.
2. User account management: COBIT 5 management practice stresses the need
to carefully manage all user accounts, especially those accounts that have
unlimited (administrative) rights on that computer.
3. Software design: Buffer overflows, SQL injection, and cross-site scripting
are common examples of attacks against the software running on websites.
These attacks all exploit poorly written software that does not thoroughly
check user-supplied input prior to further processing.
 Encryption: Provides a final layer of defense to prevent
unauthorized access to sensitive information.
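One of the three attacks named under software design, shown as an added example that is not from the textbook or these notes: the same customer lookup written first with the user's input concatenated into the SQL text, and then with the input passed as a bound parameter. It runs against an in-memory SQLite table whose rows and the inputs used are constructed for the illustration.

```python
"""SQL injection: a string-built query beside its parameterized replacement.

Added example, not from the textbook notes. The customers table and the inputs
are constructed for illustration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a small in-memory table to query against (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, balance REAL)")
    conn.executemany("INSERT INTO customers (name, balance) VALUES (?, ?)",
                     [("Acme Ltd", 1200.0), ("Beta Inc", 450.0), ("Gamma LLC", 9800.0)])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the input is spliced into the SQL text, so it can rewrite the query.

    The input  x' OR '1'='1  turns the WHERE clause into a tautology and returns every row.
    """
    sql = "SELECT name, balance FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the input travels as a bound parameter and can only ever be a value."""
    return conn.execute("SELECT name, balance FROM customers WHERE name = ?", (name,)).fetchall()


def validate_customer_name(name: str) -> bool:
    """Input validation as a second layer: accept only characters a customer name can contain."""
    return 0 < len(name) <= 64 and all(c.isalnum() or c in " .&-'" for c in name)
```

The parameterized query is the fix. The name validator is the kind of input check the paragraph above asks for, but it deliberately still allows the apostrophe (O'Brien is a real customer name), which is why validation on its own is a weaker control than parameterization.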
iv. Physical Security
 Access Controls:
 Physical security access controls:
 Limit entry to building.
 Restrict access to network and data.
B. Detective Controls:
i. Log Analysis: The process of examining logs to identify evidence of possible attacks.
ii. Intrusion Detection Systems (IDS): A system that creates logs of all network traffic that
was permitted to pass the firewall and then analyses those logs for signs of attempted or
successful intrusions.
iii. Continuous Monitoring: employees' compliance with the organisation's information security policies and the overall performance of business processes should be monitored continuously, not only audited periodically.
C. Response to attacks:
i. Computer Incident Response Team (CIRT): a team that is responsible for dealing with major security incidents. The CIRT should include not only technical specialists but also senior operations management, because some potential responses to security incidents (e.g. taking a system offline) have significant economic consequences.
ii. Chief Information Security Officer (CISO): a senior management position responsible for information security, independent of the other information systems functions. It is important that organisations assign responsibility for information security to someone at an appropriate senior level of management, because COBIT 5 identifies organisational structure as a critical enabler to achieve effective controls and security. The CISO should report to either the chief operating officer (COO) or the chief executive officer (CEO).
V. Security Implications of Virtualisation, Cloud Computing, and the Internet of Things:
 Virtualisation: Running multiple systems simultaneously on one physical computer.
 Cloud computing: Using a browser to remotely access software, data storage,
hardware, and applications.
 Virtualisation's and cloud computing's positive and negative impact on security:
i. Positive: implementing strong access controls in the one location that houses the virtual systems or the cloud provides good security over all of the systems hosted there.
ii. Negative: unsupervised physical access to the host in a virtualisation environment exposes every virtual machine on it to the risk of theft or destruction, since all of them reside on one physical device.
Public clouds may have reliability issues because the organisation is outsourcing control of its data and computing resources to a third party.
 Internet of Things (IoT): refers to the embedding of sensors in a multitude of
devices (lights, heating and air conditioning, appliances, etc.) so that those devices
can now connect to the Internet.
Chapter 9 Confidentiality and Privacy Controls
 Protecting Confidentiality and Privacy of Sensitive Information
 Identify and classify information to protect
 Where is it located and who has access?
 Classify value of information to organization
 Encryption
 Protect information in transit and in storage
 Access controls
 Controlling outgoing information (confidentiality)
 Digital watermarks (confidentiality)
 Data masking (privacy)
 Training
Generally Accepted Privacy Principles
 Management - Procedures and policies with assigned responsibility and accountability
 Notice - Provide notice of privacy policies and practices prior to collecting data
 Choice and consent - Opt-in versus opt-out approaches
 Collection - Only collect needed information
 Use and retention - Use information only for stated business purpose
 Access - Customer is able to review, correct, or delete information collected on them
 Disclosure to third parties
 Security - Protect from loss or unauthorized access
 Quality - information is accurate, complete, and up to date
 Monitoring and enforcement - procedures for responding to complaints and for verifying compliance with privacy policies
Encryption
• Preventative control
• Factors that influence encryption strength:
 Key length (longer = stronger)
 Algorithm
 Management policies - Stored securely
Encryptions Steps
 Takes plain text and with an encryption key and algorithm converts to unreadable
ciphertext (sender of message)
 To read the ciphertext, the receiver of the message uses the decryption key to reverse the process and make the information readable
Types of Encryption
Virtual Private Network
 Securely transmits encrypted data between sender and receiver
 Sender and receiver have the appropriate encryption and decryption keys
CHAPTER 10 Processing Integrity and Availability Controls
Input Controls
The following source data controls regulate the integrity of input:
1. Forms design. Source documents and other forms should be designed to help ensure
that errors and omissions are minimized.
a) Prenumbered forms. Prenumbering forms improves control by making it
possible to verify that none are missing. 
b) Turnaround documents. A turnaround document is a record of company data
sent to an external party and then returned by the external party to the system
as input.
2. Cancellation and storage of documents. Documents that have been entered into the system
should be cancelled so they cannot be inadvertently or fraudulently reentered into the system.
a) Paper documents should be defaced, e.g., by stamping them “paid.”
b) Electronic documents can be similarly “cancelled” by setting a flag field to
indicate that the document has already been processed.
3. Authorization and segregation of duties. Source documents should be prepared only by
authorized personnel acting within their authority.
4. Visual scanning. Source documents should be scanned for reasonableness and propriety
before being entered into the system.
Data Entry Controls
The following tests are used to validate input data:
1. A field check determines if the characters in a field are of the proper type.
2. A sign check(+/-) determines if the data in a field have the appropriate arithmetic sign.
3. A limit check tests a numerical amount to ensure that it does not exceed a predetermined value.
4. A range check is similar to a limit check except that it has both upper and lower limits.
5. A size check ensures that the input data will fit into the assigned field.
6. A completeness check determines if all required data items have been entered.
7. A validity check compares the ID code or account number in transaction data with
similar data in the master file to verify that the account exists.
8. A reasonableness test determines the correctness of the logical relationship between two data items (e.g., an order whose value is far above the customer's credit limit).
9. Check digit verification. Authorized ID numbers (such as an employee number) can
contain a check digit that is computed from the other digits.
Data entry devices can be programmed to perform check digit verification by using
the first nine digits to calculate the tenth digit each time an ID number is entered. If
an error is made in entering any of the 10 digits, the calculation made on the first nine
digits will not match the tenth, or check digit.
The above tests are used for both batch processing and online real-time processing.
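The nine data entry tests above applied to constructed sales transactions, as an added example that is not from the textbook or these notes. The customer and item master files, the limits and the transactions are all constructed for the illustration; the check digit is computed with the Luhn mod-10 algorithm, which is one common way of deriving the tenth digit from the first nine.

```python
"""Data entry controls applied to a sales transaction, including check digit verification.

Added example, not from the textbook notes. The master files, limits and
transactions are constructed; the check digit uses the Luhn mod-10 algorithm.
"""

# Constructed master files: customer ID -> credit limit, and the valid item codes.
CUSTOMER_MASTER = {"1234567897": 500.0, "9876543217": 10000.0}
ITEM_MASTER = {"A100", "B200"}

REQUIRED_FIELDS = ("customer_id", "item_code", "quantity", "unit_price", "discount_pct")
MAX_QUANTITY = 1000          # limit check: upper bound only
DISCOUNT_RANGE = (0, 50)     # range check: lower and upper bound, inclusive
ID_LENGTH = 10               # size check: 9 data digits followed by 1 check digit


def luhn_check_digit(payload: str) -> str:
    """Compute the mod-10 check digit to append to a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:            # double every other digit, starting with the rightmost
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """Check digit verification: recompute from the leading digits and compare with the last."""
    return number[-1] == luhn_check_digit(number[:-1])


def validate_transaction(txn: dict) -> set:
    """Return the names of the data entry tests the transaction fails (empty set = accepted)."""
    failures = set()
    if any(f not in txn for f in REQUIRED_FIELDS):
        failures.add("completeness_check")
        return failures                      # the remaining tests need every field present

    cid = str(txn["customer_id"])
    numeric_ok = (isinstance(txn["quantity"], int)
                  and isinstance(txn["unit_price"], (int, float))
                  and isinstance(txn["discount_pct"], (int, float)))
    if not cid.isdigit() or not numeric_ok:
        failures.add("field_check")          # characters of the proper type
    if len(cid) != ID_LENGTH:
        failures.add("size_check")           # value fits the assigned field
    if cid.isdigit() and len(cid) == ID_LENGTH and not luhn_valid(cid):
        failures.add("check_digit")
    if numeric_ok:
        if txn["quantity"] < 0 or txn["unit_price"] < 0:
            failures.add("sign_check")
        if txn["quantity"] > MAX_QUANTITY:
            failures.add("limit_check")
        if not DISCOUNT_RANGE[0] <= txn["discount_pct"] <= DISCOUNT_RANGE[1]:
            failures.add("range_check")
    if cid not in CUSTOMER_MASTER or txn["item_code"] not in ITEM_MASTER:
        failures.add("validity_check")       # IDs must exist in the master files
    if numeric_ok and cid in CUSTOMER_MASTER:
        # reasonableness: the line total must bear a sensible relation to the credit limit
        line_total = txn["quantity"] * txn["unit_price"] * (1 - txn["discount_pct"] / 100)
        if line_total > CUSTOMER_MASTER[cid]:
            failures.add("reasonableness_test")
    return failures
```

Luhn catches every single-digit error and every adjacent transposition except 09/90, so a customer number keyed as 1234576897 instead of 1234567897 is rejected by the check-digit test even before the validity check against the master file rejects it.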
Additional Batch Processing Data Entry Controls:
1. Batch processing works correctly only if the transactions are presorted to be in the same
sequence as records in the master file. A sequence check tests if a batch of input data is in the
proper numerical or alphabetical sequence.
2. Information about data input or data processing errors (date they occurred, cause of the error,
date corrected, and resubmitted) should be entered in an error log.
3. Batch totals. Three commonly used batch totals are: 
a) A financial total sums a field that contains dollar values, such as the total dollar amount of all sales for a batch of sales transactions.
b) A hash total sums a nonfinancial numeric field, such as the total of the quantity
ordered field in a batch of sales transactions. 
c) A record count sums the number of records in a batch.
Other Online Processing Data Entry Controls
1. Prompting, in which the system requests each input data item and waits for an
acceptable response. This ensures that all necessary data are entered
2. Preformatting, system displays a document with highlighted blank spaces
3. Closed-loop verification checks the accuracy of input data by using it to retrieve and
display other related information.
4. Creation of a transaction log that includes a detailed record of all transaction data; a
unique transaction identifier; the date and time of entry; terminal, transmission line, and
operator identification; and the sequence in which the transaction was entered.
5. Error messages should indicate when an error has occurred, which items are in error,
and what the operator should do to correct it.
Processing Controls
Controls are also needed to ensure that data are processed correctly.
1. Data matching. In certain cases, two or more items of data must be matched before an
action can take place.
2. File labels. File labels need to be checked to ensure that the correct and most current
files are being updated.
a) Two important types of internal labels are header and trailer records.
i. The header record is located at the beginning of each file and contains
the file name, expiration date, and other identification data.
ii. The trailer record is located at the end of the file and contains the batch
totals calculated during input.
3. Recalculation of batch totals. Batch totals can be recomputed as each transaction record
is processed and compared with the values in the trailer record. If the discrepancy in a financial or hash total is
evenly divisible by nine, the likely cause is a transposition error, in which two adjacent digits
were inadvertently reversed (e.g., 46 instead of 64); the difference between a number and the same number with two adjacent digits swapped is always a multiple of 9.
4. Cross-footing and zero-balance tests. Totals can be calculated in multiple ways. For
example, in spreadsheets a grand total can often be computed either by summing a column of
row totals or by summing a row of column totals.
a) A cross-footing balance test compares the results produced by each method to
verify accuracy. For example, the total of all debit columns should equal the total of all
credit columns.
b) A zero-balance test applies the same logic to control accounts. For example, the
sum of the balances of all customers in the accounts receivable subsidiary ledger is compared
with the balance of the accounts receivable control account in the general ledger; the
difference should be zero.
5. Write-protection mechanisms. These protect against the accidental writing over or
erasing of data files stored on magnetic media.
6. Concurrent update controls protect records from errors that occur when two or more
users attempt to update the same record simultaneously. This is accomplished by locking
out one user until the system has finished processing the update entered by the other.
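The batch totals described under the data entry controls above and the recalculation, cross-footing and zero-balance tests in this list can be shown end to end in code. The following is an added example and not code from the text: a batch of constructed sales transactions is keyed with one transposed amount (46.00 instead of 64.00), the totals are recomputed during processing and compared with the trailer record prepared from the source documents, and the divisible-by-nine heuristic flags the probable cause. The transaction fields, the amounts and the journal lines are all assumptions made for the example.

```python
# Added example (not from the text): batch-total and trailer-record controls for a
# batch of sales transactions. All transactions below are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class SalesTxn:
    sales_order: int   # document number; the batch should be in ascending order
    customer: str
    quantity: int      # nonfinancial numeric field, summed into the hash total
    amount: float      # dollar field, summed into the financial total


def sequence_check(batch):
    """Positions at which the sales order number is not greater than its predecessor."""
    return [i for i in range(1, len(batch))
            if batch[i].sales_order <= batch[i - 1].sales_order]


def batch_totals(batch):
    """The three batch totals from the text: financial total, hash total, record count."""
    return {
        "financial_total": round(sum(t.amount for t in batch), 2),
        "hash_total": sum(t.quantity for t in batch),
        "record_count": len(batch),
    }


def likely_transposition(expected, actual):
    """Reversing two adjacent digits (46 for 64) changes a number by a multiple of 9,
    so a nonzero discrepancy divisible by 9 points to a transposition error."""
    diff_cents = abs(round((expected - actual) * 100))   # integer arithmetic, no float noise
    return diff_cents != 0 and diff_cents % 9 == 0


def reconcile_trailer(batch, trailer):
    """Recompute the totals during processing and compare them with the trailer record
    written at input time. Returns a list of findings (empty means the batch balances)."""
    recomputed = batch_totals(batch)
    findings = []
    for name, expected in trailer.items():
        actual = recomputed[name]
        if actual != expected:
            note = f"{name}: trailer {expected} vs recomputed {actual}"
            if name != "record_count" and likely_transposition(expected, actual):
                note += " (difference divisible by 9: probable transposition)"
            findings.append(note)
    return findings


def cross_foot(journal):
    """Cross-footing test: the sum of all debit columns must equal the sum of all credits.
    journal is a list of (account, debit, credit) tuples."""
    debits = round(sum(d for _, d, _ in journal), 2)
    credits = round(sum(c for _, _, c in journal), 2)
    return debits == credits


def zero_balance_test(subsidiary, control_balance):
    """Zero-balance test: sum of the AR subsidiary ledger minus the AR control account."""
    return round(sum(subsidiary.values()) - control_balance, 2)


# Control totals prepared from the source documents before keying (constructed):
TRAILER = {"financial_total": 1264.00, "hash_total": 40, "record_count": 4}

# What the data-entry clerk actually keyed: order 1002 was keyed as 46.00 instead of 64.00.
KEYED = [
    SalesTxn(1001, "C100", 10, 250.00),
    SalesTxn(1002, "C200", 4, 46.00),
    SalesTxn(1003, "C100", 20, 500.00),
    SalesTxn(1004, "C300", 6, 450.00),
]

if __name__ == "__main__":
    print("sequence errors:", sequence_check(KEYED))
    for finding in reconcile_trailer(KEYED, TRAILER):
        print("batch does not balance ->", finding)
    print("cross-foot ok:", cross_foot([("AR", 1246.00, 0.0), ("Sales", 0.0, 1246.00)]))
    print("zero-balance difference:",
          zero_balance_test({"C100": 750.0, "C200": 46.0, "C300": 450.0}, 1246.00))
```

The hash total and record count agree, so the discrepancy is isolated to the financial total, and its size (18.00) is a multiple of 9; that combination is exactly what the text says to look for before re-keying the whole batch.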
Output Controls
Important output controls include:
1. User review of output. Users should carefully examine system output for
reasonableness and completeness, and confirm that they are the intended recipient.
2. Reconciliation procedures. Periodically, all transactions and other system updates
should be reconciled to control reports. In addition, general ledger accounts should be
reconciled to subsidiary account totals on a regular basis.
3. External data reconciliation. Database totals should periodically be reconciled with data
maintained outside the system.
4. Data transmission controls. Parity checking and message acknowledgement techniques
are two basic types of data transmission controls; parity bits and checksums are the underlying mechanisms.
Checksums use a hash of a file to verify accuracy. A parity bit or checksum detects accidental corruption only: anyone who can alter the data in transit can recompute a plain hash, so protection against deliberate tampering needs a keyed message authentication code rather than an unkeyed checksum.

Parity Checking
 Computers represent characters as a set of binary digits (bits).
 When data are transmitted, some bits may be lost or received incorrectly due to media
disruptions or failures.
 To detect these types of errors, an extra digit, called a parity bit, is added to every
character. For example, the digits 5 and 7 can be represented by the seven-bit patterns
0000101 and 0000111, respectively. An eighth bit could be added to each character to
serve as the parity bit.
 Two basic schemes are referred to as even parity and odd parity. In even parity, the parity
bit is set so that each character has an even number of bits with the value 1; in odd parity,
the parity bit is set so that an odd number of bits in the character have the value 1.
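The following is an added example, not code from the text, that implements the even and odd parity schemes just described on the text's own 7-bit patterns for the digits 5 and 7 and then simulates line noise. It also shows the limitation a practitioner should know: a single flipped bit is caught, but two flipped bits in the same character restore the parity and go undetected. The message "PAY 64.00" and the bit positions flipped are constructed for the example.

```python
# Added example (not from the text): parity bits on 7-bit character codes, and why a parity
# bit catches a single flipped bit but not two. The bit patterns follow the text's 5 and 7.


def parity_bit(code, even=True):
    """Parity bit to add to a 7-bit code so the 8-bit result has an even (or odd) number of 1s."""
    ones = bin(code & 0x7F).count("1")
    bit = ones % 2              # 1 when the seven data bits hold an odd number of 1s
    return bit if even else bit ^ 1


def add_parity(code, even=True):
    """Return the 8-bit unit: seven data bits plus the parity bit in bit 7."""
    return (code & 0x7F) | (parity_bit(code, even) << 7)


def parity_ok(unit, even=True):
    """Receiver's check: does the 8-bit unit still have the agreed parity?"""
    ones = bin(unit & 0xFF).count("1")
    return ones % 2 == (0 if even else 1)


def flip_bits(unit, *positions):
    """Simulate line noise by inverting the given bit positions (0 = least significant)."""
    for p in positions:
        unit ^= 1 << p
    return unit


def encode_message(text, even=True):
    """Add a parity bit to every 7-bit ASCII character of text."""
    return bytes(add_parity(ord(ch), even) for ch in text)


def check_message(units, even=True):
    """Receiver's check over a whole message: indexes of characters whose parity fails."""
    return [i for i, u in enumerate(units) if not parity_ok(u, even)]


if __name__ == "__main__":
    five, seven = 0b0000101, 0b0000111           # the text's examples
    print(f"5 -> {add_parity(five):08b}, 7 -> {add_parity(seven):08b}  (even parity)")
    unit = add_parity(seven)
    print("one bit flipped, detected:", not parity_ok(flip_bits(unit, 0)))
    print("two bits flipped, detected:", not parity_ok(flip_bits(unit, 0, 1)))
    msg = encode_message("PAY 64.00")                      # constructed sample message
    noisy = bytes([msg[0], flip_bits(msg[1], 3)]) + msg[2:] # corrupt the second character
    print("corrupted character positions:", check_message(noisy))
```

Because even parity on 0000111 sets the eighth bit, the digit 7 travels as 10000111 while 5 (already an even number of ones) travels as 00000101. Parity only ever detects an odd number of bit errors per character, which is why the text pairs it with message-level checks such as checksums.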
Message Acknowledgment Techniques
Techniques can be used to let the sender of an electronic message know that a message was
received:
1. Echo check. When data are transmitted, the system calculates a summary statistic, such
as the number of bits in the message. The receiving unit performs the same calculation—a
procedure known as an echo check—and sends the result to the sending unit.
2. Trailer record. The sending unit stores control totals in a trailer record. The receiving
unit uses that information to verify that the entire message was received.
3. Numbered batches. If a large message is transmitted in segments, each can be
numbered sequentially so that the receiving unit can properly assemble the segments.
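The three techniques above fit together in one exchange. The following added example (not code from the text) has the sender split a constructed sales-order message into numbered segments and append a trailer record holding the segment count, the byte count and a SHA-256 checksum of the whole message; the receiver reassembles the segments by sequence number, compares its own totals with the trailer, and returns them as the echo that the sender verifies. The message, the segment size of 8 bytes and the trailer field names are assumptions made for the example.

```python
# Added example (not from the text): sending a large message as numbered segments with a
# trailer record of control totals, and the receiver's echo of its own recomputed totals.
# The message, segment size and field names are constructed for the example.
import hashlib


def send(message, segment_size):
    """Split message into sequentially numbered segments and build the trailer record."""
    segments = [(n, message[i:i + segment_size])
                for n, i in enumerate(range(0, len(message), segment_size))]
    trailer = {
        "segment_count": len(segments),
        "byte_count": len(message),
        "sha256": hashlib.sha256(message).hexdigest(),   # checksum: a hash of the whole file
    }
    return segments, trailer


def receive(segments, trailer):
    """Reassemble by sequence number, compare with the trailer, and produce the echo
    (the receiver's own summary statistics) to send back to the sender."""
    ordered = sorted(segments, key=lambda s: s[0])
    problems = []
    got = {n for n, _ in ordered}
    missing = sorted(set(range(trailer["segment_count"])) - got)
    if missing:
        problems.append(f"missing segments {missing}")
    data = b"".join(payload for _, payload in ordered)
    echo = {"byte_count": len(data), "sha256": hashlib.sha256(data).hexdigest()}
    if echo["byte_count"] != trailer["byte_count"]:
        problems.append("byte count differs from trailer")
    if echo["sha256"] != trailer["sha256"]:
        problems.append("checksum differs from trailer")
    return data, problems, echo


def echo_check(trailer, echo):
    """Sender side: the echoed statistics must match what it sent."""
    return all(echo[k] == trailer[k] for k in echo)


MESSAGE = b"SO 1002 C200 qty 4 at 64.00 deliver 2024-05-01"   # constructed sample

if __name__ == "__main__":
    segs, trailer = send(MESSAGE, 8)
    data, problems, echo = receive(list(reversed(segs)), trailer)   # arrives out of order
    print("reassembled:", data == MESSAGE, "problems:", problems,
          "echo ok:", echo_check(trailer, echo))
    _, problems, echo = receive(segs[:2] + segs[3:], trailer)       # segment 2 lost
    print("lost segment ->", problems, "echo ok:", echo_check(trailer, echo))
    n, payload = segs[1]
    corrupted = segs[:1] + [(n, payload[:-1] + b"?")] + segs[2:]     # one byte corrupted
    print("corrupted byte ->", receive(corrupted, trailer)[1])
```

A lost segment shows up three ways (sequence gap, byte count, checksum), while a single corrupted byte is caught only by the checksum. As noted above, the hash protects against accidents, not against an attacker who can rewrite both the payload and the trailer.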
Example: Credit Sales Processing

The following example shows processing integrity controls applied to a credit sale.
The following transaction data are used: sales order number, customer account number,
inventory item number, quantity sold, sale price, and delivery date.

Processing these transactions includes the following steps:
1. Entering and editing the transaction data.
2. Updating the customer and inventory records (the amount of the credit purchase is added to
the customer’s balance; for each inventory item, the quantity sold is subtracted from the
quantity on hand).
3. Preparing and distributing shipping or billing documents.

Processing Controls
Updating files involves the customer and inventory database records.
Additional validation tests are performed by comparing data in each transaction record with data
in the corresponding database record. These tests often include the following:
1. Validity checks on the customer and inventory item numbers.
2. Sign checks on inventory-on-hand balance (after subtracting quantities sold).
3. Limit checks that compare each customer’s total amount due with the credit limit.
4. Range checks on the sale price of each item sold relative to the permissible range of
prices for that item.
5. Reasonableness tests on the quantity sold of each item relative to normal sales
quantities for that customer and that item.
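The five edits above, plus a completeness check on the transaction fields listed earlier, can be run as one validation routine before the customer and inventory records are updated. The following is an added example and not the text's own code: the customer and inventory master records, the transaction field names, the credit limit and price range, and the reasonableness threshold (three times the customer's usual quantity for that item) are all constructed assumptions.

```python
# Added example (not from the text): the input and processing edits for a credit sale run
# against constructed customer and inventory master records. Field names, the thresholds
# (reasonableness = three times the customer's normal quantity) and all data are assumptions.
REQUIRED_FIELDS = ("sales_order", "customer", "item", "quantity", "price", "delivery_date")

CUSTOMERS = {   # constructed customer master records
    "C100": {"balance": 1500.00, "credit_limit": 5000.00, "normal_qty": {"I-77": 10}},
}
ITEMS = {       # constructed inventory master records
    "I-77": {"on_hand": 25, "min_price": 50.00, "max_price": 80.00},
}


def completeness_check(txn):
    """Input edit: every required field must be present and non-empty (a zero quantity
    counts as missing)."""
    return [f"completeness: {f} missing" for f in REQUIRED_FIELDS if not txn.get(f)]


def validate_sale(txn, customers=CUSTOMERS, items=ITEMS):
    """Processing edits from the text, in order: validity, sign, limit, range, reasonableness.
    Returns the list of failed edits; an empty list means the transaction may update the files."""
    errors = completeness_check(txn)
    if errors:
        return errors
    cust = customers.get(txn["customer"])
    item = items.get(txn["item"])
    if cust is None:
        errors.append("validity: unknown customer account number")
    if item is None:
        errors.append("validity: unknown inventory item number")
    if errors:
        return errors                       # nothing to compare against without master records
    qty, price = txn["quantity"], txn["price"]
    if item["on_hand"] - qty < 0:
        errors.append("sign: quantity on hand would become negative")
    if cust["balance"] + qty * price > cust["credit_limit"]:
        errors.append("limit: total amount due would exceed the credit limit")
    if not item["min_price"] <= price <= item["max_price"]:
        errors.append("range: sale price outside the permitted range for this item")
    normal = cust["normal_qty"].get(txn["item"])
    if normal is not None and qty > 3 * normal:
        errors.append("reasonableness: quantity far above this customer's normal order")
    return errors


def post_sale(txn, customers=CUSTOMERS, items=ITEMS):
    """Update the customer balance and inventory on hand only if every edit passes."""
    errors = validate_sale(txn, customers, items)
    if errors:
        return errors
    customers[txn["customer"]]["balance"] += txn["quantity"] * txn["price"]
    items[txn["item"]]["on_hand"] -= txn["quantity"]
    return []


GOOD = {"sales_order": 1001, "customer": "C100", "item": "I-77",
        "quantity": 5, "price": 64.00, "delivery_date": "2024-05-01"}
BAD = dict(GOOD, sales_order=1002, quantity=40, price=95.00)

if __name__ == "__main__":
    print("good:", validate_sale(GOOD))
    print("bad:", *validate_sale(BAD), sep="\n  ")
    print("missing fields:", validate_sale({"sales_order": 1003, "customer": "C100"}))
```

Reporting every failed edit at once, rather than stopping at the first, matches the error-message control described earlier: the operator sees which items are wrong and can correct them in one pass.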

Output Controls
Output controls that can be utilized are as follows:
1. Billing and shipping documents are forwarded electronically to only preauthorized
users.
2. Users in the shipping and billing departments perform a limited review of the
documents by visually inspecting them for incomplete data or other obvious errors.
3. The control report is sent automatically to its intended recipients, or they can query the
system for the report.

Voting software could use completeness checks to ensure that voters made choices in all races.
This would eliminate the "hanging chad" problem created by failing to completely punch out the hole
on a paper ballot.
Limit checks could identify and prevent voters from attempting to select more candidates than
permitted in a particular race.

Some security experts suggest that election officials adopt the methods used by the state of
Nevada to ensure that electronic gambling machines operate honestly and accurately, which
include the following:
1. The Gaming Control Board keeps copies of all software. It is illegal for casinos to use
any unregistered software. For electronic voting, the government should keep copies of the
source code.
2. Frequent on-site spot checks of the computer chips in gambling machines are made to
verify compliance with the Gaming Control Board’s records. Similar tests should be done to
voting machines.
3. Extensive tests are conducted of the machine’s physical security, such as how it reacts
to stun guns and large electric shocks. Voting machines should be similarly tested.
4. All gambling machine manufacturers are carefully scrutinized and are registered.
Similar checks should be performed on voting machine manufacturers, and software developers.

Availability
Reliable systems and information are available for use whenever needed.
Threats to system availability originate from many sources, including:
1. Hardware and software failures.
2. Natural and man-made disasters.
3. Human error.
4. Worms and viruses.
5. Denial-of-service attacks and other acts of sabotage.
Minimizing Risk of System Downtime
The loss of system availability can cause significant financial losses. Organizations can take a
variety of steps to minimize the risk of system downtime.
Physical and logical access controls can reduce the risk of successful denial-of-service
attacks. Good computer security reduces the risk of system downtime due to the theft or
sabotage of information system resources.
The use of redundant components, such as dual processors and redundant arrays of independent
hard drives (RAID), provides fault tolerance, enabling a system to continue functioning in the
event that a particular component fails.
Surge protection devices provide protection against temporary power fluctuation that might
otherwise cause computers and other network equipment to crash.

An uninterruptible power supply (UPS) system provides protection in the event of a prolonged
power outage, using battery power to keep the system running long enough to back up critical
data and shut down safely.
Data Backup Procedures
A backup is an exact copy of the most current version of a database, file, or software program.
The process of installing the backup copy for use is called restoration.
Several different backup procedures exist:
A full backup is an exact copy of the data recorded on another physical medium (tape,
magnetic disk, CD, DVD, and so on). Full backups are time-consuming, so most organizations
only do full backups weekly and supplement them with daily partial backups. Two types of partial
backups are:
1. An incremental backup copies only the data items that have changed since the last
backup of any kind (full or incremental). Restoring therefore requires the last full backup plus
every incremental backup taken since it, applied in order.
2. A differential backup copies all changes made since the last full backup. Restoring
requires only the last full backup plus the most recent differential backup, at the cost of each
differential backup being larger than the one before it.
Management must establish a recovery point objective (RPO), which represents the maximum length
of time for which it is willing to risk the possible loss of transaction data; the RPO dictates
how often backups must be taken.
Real-time mirroring involves maintaining two copies of the database at two separate data
centers at all times and updating both copies in real-time as each transaction occurs.
Periodically, the system makes a copy of the database at that point in time, called a checkpoint,
and stores it on backup media.
An archive is a copy of a database, master file, or software that will be retained indefinitely as
an historical record, usually to satisfy legal and regulatory requirements.
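The difference between the incremental and differential procedures above is easiest to see by simulating a week of backups and then restoring. The following added example (not code from the text) tracks a constructed set of three database files over four days, takes a full backup on the first day and both an incremental and a differential backup on each later day, and then restores from each chain. The file names and version strings are assumptions, and the model ignores deleted files to keep the example short; the changes since the last backup are also what would be lost if the disk failed now, which is what the RPO bounds.

```python
# Added example (not from the text): a simulation of full, incremental and differential
# backups of a small file set over several days, and what each restore needs. File names and
# contents are constructed; the model tracks changed and added files only, not deletions
# (an assumption that keeps the example short).
from copy import deepcopy


def full_backup(state):
    return {"kind": "full", "data": deepcopy(state)}


def changes_since(state, baseline):
    """Files whose content differs from (or is absent in) the baseline snapshot."""
    return {name: content for name, content in state.items() if baseline.get(name) != content}


def incremental_backup(state, previous_backup_state):
    """Only what changed since the last backup of any kind."""
    return {"kind": "incremental", "data": changes_since(state, previous_backup_state)}


def differential_backup(state, last_full_state):
    """Everything that changed since the last full backup."""
    return {"kind": "differential", "data": changes_since(state, last_full_state)}


def restore(backups):
    """Restoration: replay a full backup and then the partial backups, in order."""
    if not backups or backups[0]["kind"] != "full":
        raise ValueError("restore must start from a full backup")
    state = {}
    for b in backups:
        state.update(b["data"])
    return state


def simulate_week(daily_states):
    """daily_states[0] is the state at the weekly full backup; later entries are daily states.
    Returns (full backup, incremental chain, differential set) as the text describes them."""
    full = full_backup(daily_states[0])
    incrementals, differentials = [], []
    seen = deepcopy(daily_states[0])          # state as of the last backup of any kind
    for state in daily_states[1:]:
        incrementals.append(incremental_backup(state, seen))
        differentials.append(differential_backup(state, daily_states[0]))
        seen = deepcopy(state)
    return full, incrementals, differentials


# Constructed file set: content strings stand in for file versions.
DAYS = [
    {"ar.db": "v1", "gl.db": "v1", "payroll.db": "v1"},                 # Sunday: full backup
    {"ar.db": "v2", "gl.db": "v1", "payroll.db": "v1"},                 # Monday
    {"ar.db": "v3", "gl.db": "v2", "payroll.db": "v1"},                 # Tuesday
    {"ar.db": "v3", "gl.db": "v2", "payroll.db": "v2", "ap.db": "v1"},  # Wednesday
]

if __name__ == "__main__":
    full, incs, diffs = simulate_week(DAYS)
    print("incremental sizes:", [len(b["data"]) for b in incs])    # stays small
    print("differential sizes:", [len(b["data"]) for b in diffs])  # grows until the next full
    print("restore via incrementals ok:", restore([full] + incs) == DAYS[-1])
    print("restore via last differential ok:", restore([full, diffs[-1]]) == DAYS[-1])
    print("broken incremental chain (Tuesday tape lost):",
          restore([full, incs[0], incs[2]]) == DAYS[-1])
    thursday = {"ar.db": "v4", "gl.db": "v2", "payroll.db": "v2", "ap.db": "v1"}
    print("lost if the disk fails now (RPO exposure):", changes_since(thursday, DAYS[-1]))
```

The broken-chain case is the operational point: losing any one incremental backup silently produces a stale restore, whereas a differential restore depends on only two backup sets. Testing restores, not just backups, is what catches this.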

Infrastructure Replacement
A second key component of disaster recovery includes provisions for replacing the necessary
computer infrastructure: computers, network equipment and access, telephone lines, other office
equipment (e.g., fax machines), and supplies.
The recovery time objective (RTO) represents the time following a disaster by which the
organization's information system must be available again.
Organizations have three basic options for replacing computer and networking equipment:
1. The least expensive approach is to create reciprocal agreements with another
organization that uses similar equipment to have temporary access to and use of their
information system resources.
2. Another solution involves purchasing or leasing a cold site, which is an empty building
that is prewired for necessary telephone and Internet access, plus a contract with one or more
vendors to provide all necessary computers, and other office equipment within a specified
period of time.
3. A more expensive solution for organizations, such as financial institutions and airlines,
which cannot survive any appreciable time period without access to their information system, is
to create what is referred to as a hot site. A hot site is a facility that is not only prewired for
telephone and Internet access but also contains all the computing and office equipment the
organization needs to perform its essential business activities.

Documentation is an important, but often overlooked, component of disaster recovery and
business continuity plans. The plan itself, including instructions for notifying appropriate staff
and the steps to be taken to resume operations, needs to be well documented.

Testing and revision are probably the most important component of effective disaster recovery
and business continuity plans. Most plans fail their initial test because it is impossible to
anticipate everything that could go wrong. Disaster recovery and business continuity plans need
to be tested on at least an annual basis.


CHAPTER 12 : The Revenue Cycle: Sales to Cash Collections


Control Objectives and Transactions Cycles
 Most organizations experience the same types of economic events, which generate
transactions that can be grouped according to four common cycles:
 Revenue cycle
 Expenditure cycle
 Production cycle
 Finance cycle
 Control objectives should be developed for each transaction cycle
 Revenue Cycle control objectives:
 Customers should be authorized in accordance with management's criteria
 Prices and terms of goods and services provided should be authorized in accordance
with management's criteria
 All shipments of goods and services provided should result in a billing to the
customer
 Billings to customers should be accurately and promptly classified, summarized, and
reported
Sales Business Process
 The sales business process is the primary revenue cycle application in many organizations
and includes the following:
 Inquiry (optional)
 Contract creation (optional)
 Order entry
 Shipping
 Billing
Basic Revenue Cycle Activities
 Sales order entry
 Shipping
 Billing
 Cash collections

Sales Order Entry Processing Steps


 Take the customer order
 Source document: sales order
 Approve customer credit
 Check inventory availability
 Respond to customer inquiries

Shipping Process
 Pick and pack the order - Source document: picking ticket
 Ship the order - Source documents: packing slip, bill of lading
Shipping activity is initiated with the preparation of a shipping document (delivery)
 Other documents prepared during shipping:
 Picking list: prepared to guide picking activities
 Packing list: prepared for each shipment; one copy is included in the shipment
 Bill of lading: prepared to document the loading of goods for transportation
 Goods issue notice: posted when goods have shipped (shipping advice)
Billing Process
 Invoice the customer - Source document: sales invoice
 Update accounts receivable - Source documents: credit memo and monthly statements

Cash Collection Process
 Process customer payment and update their account balance - Source document: remittance advice
 Deposit payments to the bank

Customer Master Records
 When a new sold-to customer master record is created, the other three master records
(ship-to, bill-to and payer) are created
 Customer master records should be unique
 SAP ERP requires that a customer has been approved for sales prior to the creation of
master records
Data Fields
 Customer master records are created by inputting information into SAP ERP
 SAP ERP guides the input process by displaying a series of screens that prompt the user to
input the necessary data.
One-Time Customers
 SAP ERP allows for the creation of a single dummy master record for one-time customers
 All these customers are passed through this one-time record
 The master record has minimal information
 Saves trouble of creating detailed records for one-time customers
Customer Account Management Business Process
 The customer account management business process includes accounts receivable
processing through the collection of customer payments on account
 Accounts receivable also maintains customer credit and payment history information
 This information is essential in the sales business process
 There are two basic approaches to an accounts receivable application:
 Open-item processing: a separate record is maintained in the accounts receivable
system for each of the customer's unpaid invoices. As customer remittances are
received, they are matched to unpaid invoices
 Balance-forward processing: a customer's remittances are applied to the customer's
total outstanding balance rather than against the customer's individual invoices
 A subsidiary ledger of individual accounts is maintained with a control account in the
general ledger
 Remittance advices are routed from the cash receipts function; credit memos and other
invoice adjustments are routed from the billing department
 Periodically, statements that summarize amounts due are prepared and sent to customers
 Periodic preparation of aging schedules
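The two approaches to accounts receivable and the aging schedule mentioned above can be shown on one small subsidiary ledger. The following is an added example, not code from the text: three constructed invoices for one customer are settled once by open-item processing, where the remittance advice names the invoices paid, and once by balance-forward processing, where the payment simply reduces the total balance (applied oldest-first, which is an assumed convention), and an aging schedule is prepared from what remains open. Invoice numbers, dates, amounts, the as-of date and the 30-day aging buckets are all constructed for the example.

```python
# Added example (not from the text): open-item versus balance-forward application of a
# customer remittance, and the aging schedule prepared from the open items. Invoice
# numbers, dates, amounts and the aging buckets are constructed for the example.
from datetime import date

# Constructed AR subsidiary ledger for one customer: invoice amount and amount paid so far.
INVOICES = {
    "INV-1": {"customer": "C100", "date": date(2024, 1, 10), "amount": 500.00, "paid": 0.00},
    "INV-2": {"customer": "C100", "date": date(2024, 2, 20), "amount": 300.00, "paid": 0.00},
    "INV-3": {"customer": "C100", "date": date(2024, 4, 1), "amount": 200.00, "paid": 0.00},
}
AS_OF = date(2024, 4, 15)   # constructed date on which the aging schedule is prepared


def open_amount(inv):
    return round(inv["amount"] - inv["paid"], 2)


def apply_open_item(invoices, customer, remittance):
    """Open-item processing: the remittance advice names the invoices being paid, and each
    amount is matched to that invoice. Returns cash that could not be applied (unknown
    invoice, wrong customer, or payment larger than the open amount) for follow-up."""
    unapplied = {}
    for inv_no, amount in remittance.items():
        inv = invoices.get(inv_no)
        if inv is None or inv["customer"] != customer or amount > open_amount(inv):
            unapplied[inv_no] = amount
            continue
        inv["paid"] = round(inv["paid"] + amount, 2)
    return unapplied


def apply_balance_forward(invoices, customer, amount):
    """Balance-forward processing: the payment reduces the customer's total balance; the
    convention assumed here is to apply it to the oldest invoices first. Returns any
    remainder once every invoice is settled."""
    remaining = amount
    for inv in sorted((i for i in invoices.values() if i["customer"] == customer),
                      key=lambda i: i["date"]):
        pay = min(remaining, open_amount(inv))
        inv["paid"] = round(inv["paid"] + pay, 2)
        remaining = round(remaining - pay, 2)
        if remaining == 0:
            break
    return remaining


def customer_balance(invoices, customer):
    return round(sum(open_amount(i) for i in invoices.values() if i["customer"] == customer), 2)


def aging_schedule(invoices, customer, as_of):
    """Open amounts bucketed by days outstanding; the oldest bucket is the write-off candidate."""
    buckets = {"0-30": 0.0, "31-60": 0.0, "61-90": 0.0, "over 90": 0.0}
    for inv in invoices.values():
        if inv["customer"] != customer or open_amount(inv) == 0:
            continue
        age = (as_of - inv["date"]).days
        key = "0-30" if age <= 30 else "31-60" if age <= 60 else "61-90" if age <= 90 else "over 90"
        buckets[key] = round(buckets[key] + open_amount(inv), 2)
    return buckets


if __name__ == "__main__":
    from copy import deepcopy
    ledger = deepcopy(INVOICES)
    print("unapplied:", apply_open_item(ledger, "C100",
                                        {"INV-1": 500.00, "INV-2": 100.00, "INV-9": 25.00}))
    print("balance:", customer_balance(ledger, "C100"))
    print("aging:", aging_schedule(ledger, "C100", AS_OF))
    ledger = deepcopy(INVOICES)
    print("balance-forward remainder:", apply_balance_forward(ledger, "C100", 600.00),
          "balance:", customer_balance(ledger, "C100"))
```

Cash that cannot be matched to an invoice (here a remittance citing INV-9) is returned rather than silently dropped, so it can be routed back for investigation instead of distorting the subsidiary ledger; under balance-forward processing that control is unavailable because the payment is never tied to an invoice.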

Sales Returns and Allowances


 Sales returns/allowances require careful control
 Allowances:
 Allowances should be reviewed and approved by an independent party (credit
department)
 A credit memo is issued by billing once it has been authorized and approved
 Returns:
 Receiving conducts an independent count
 Credit approves the sales return upon receipt of sales return memo from
receiving
 Billing issues a credit memo upon receipt of approved sales return from credit
Write-off of Accounts Receivable
 Separation of functions is essential to write-off accounts receivable
 Central feature is an analysis of past-due accounts (aged trial balance)
 Credit department initiates write-off by preparing a write-off memo which is
approved by the treasurer.
 Accounts receivable is authorized to write off an account upon receipt of the
approved write-off memo.
 A copy of the approved write-off is also sent to internal audit so that the write-off can be
directly confirmed with the customer to ensure no subsequent collections have been
made.
