
Accounting Information Systems

Published by สนุกสนาน สมานชีวี, 2022-06-14 06:58:59

Accounting Information Systems


Keywords: AIS, Accounting information systems

INTEGRATED SECURITY FOR THE ORGANIZATION

ORGANIZATIONS
• ARE DEPENDENT ON NETWORKS FOR TRANSACTIONS, DATA SHARING, AND COMMUNICATIONS.
• NEED TO GIVE ACCESS TO CUSTOMERS, SUPPLIERS, PARTNERS, AND OTHERS.

SECURITY THREATS FOR ORGANIZATIONS ARISE FROM
• THE COMPLEXITY OF THESE NETWORKS
• THE ACCESSIBILITY REQUIREMENTS PRESENT

INTEGRATED SECURITY FOR THE ORGANIZATION

KEY SECURITY TECHNOLOGIES THAT CAN BE INTEGRATED INCLUDE
• INTRUSION DETECTION SYSTEMS
• FIREWALLS AND OTHERS

AN INTEGRATED SECURITY SYSTEM
• REDUCES THE RISK OF ATTACK
• INCREASES THE COSTS AND RESOURCES NEEDED BY AN INTRUDER

GENERAL CONTROLS WITHIN IT ENVIRONMENTS

• ORGANIZATIONAL LEVEL CONTROLS
• PERSONNEL CONTROLS
• FILE SECURITY CONTROLS
• FAULT-TOLERANT SYSTEMS, BACKUP, AND CONTINGENCY PLANNING
• COMPUTER FACILITY CONTROLS
• ACCESS TO COMPUTER FILES

BACKUP

BACKUP
• IS ESSENTIAL FOR VITAL DOCUMENTS
• IS BATCH PROCESSED USING GRANDFATHER-PARENT-CHILD PROCEDURE
• CAN BE ELECTRONICALLY TRANSMITTED TO REMOTE SITES (VAULTING)
• NEEDS AN UNINTERRUPTIBLE POWER SYSTEM (UPS) AS AN AUXILIARY POWER SUPPLY
• BACKUP ON CLOUD

CONTINGENCY PLANNING

CONTINGENCY PLANNING
• INCLUDES THE DEVELOPMENT OF A FORMAL DISASTER RECOVERY PLAN.
• DESCRIBES PROCEDURES TO BE FOLLOWED IN AN EMERGENCY
• DESCRIBES THE ROLE OF EACH MEMBER OF THE TEAM.
• APPOINTS ONE PERSON TO BE IN COMMAND AND ANOTHER TO BE SECOND-IN-COMMAND
• INVOLVES A RECOVERY SITE THAT CAN BE A HOT SITE, A COLD SITE, OR A WARM SITE

COMPUTER FACILITY CONTROLS

LOCATE THE DATA PROCESSING CENTER IN A SAFE PLACE WHERE
• THE PUBLIC DOES NOT HAVE ACCESS
• IT IS GUARDED BY PERSONNEL
• THERE ARE A LIMITED NUMBER OF SECURED ENTRANCES
• THERE IS PROTECTION AGAINST NATURAL DISASTERS

Computer Facility Controls

• Limit employee access by incorporating magnetic, electronic, or optical coded identification badges
• Buy insurance

Access to Computer Files

Logical access to data is restricted
• Password codes identifications (encourage strong passwords)
• Biometric identifications with voice patterns, fingerprints, and retina prints

INFORMATION TECHNOLOGY GENERAL CONTROLS

The objective of controls is to provide assurance that
• the development of and changes to computer programs are authorized, tested, and approved before their usage
• access to data files is restricted
• processed accounting data are accurate and complete

Security for Wireless Technology

Security for wireless technology involves
• A virtual private network (VPN)
• Data encryption

Security and Controls for Microcomputers

• General and application control procedures are important to microcomputers.
• Most risks associated with AISs result from
  • errors,
  • irregularities or fraud
  • general threats to security (such as a computer virus)
• Some of the risks that are unique to the microcomputer are
  • Hardware - microcomputers can be easily stolen or destroyed
  • Data and software - easy to access, modify, copy or destroy; therefore are difficult to control

Application Controls for Transaction Processing

• Application controls are designed to prevent, detect, and correct errors and irregularities in transactions in the input, processing, and output stages of data processing

APPLICATION CONTROLS FOR TRANSACTION PROCESSING

Input Controls

Input controls attempt to ensure the
• validity
• accuracy
• completeness of the data entered into an AIS

The categories of input controls include
• observation, recording, and transcription of data
• edit tests
• additional input controls

Processing Controls

• Processing controls focus on the manipulation of accounting data after they are input to the computer system.
• Key objective is a clear audit trail
• Processing controls are of two kinds:
  • Data-access controls
  • Data manipulation controls

Output Controls

The objective of output controls is to ensure
• validity
• accuracy
• completeness

Two major types of output application controls are
• validating processing results by
  • Activity (or proof) listings

Chapter 9
Developing and Implementing Effective Accounting Information Systems

• Introduction
• The System Development Life Cycle: An Introduction
• Systems Planning
• Systems Analysis
• Detailed Systems Design
• Implementation, Follow-up, and Maintenance

The Systems Development Life Cycle

Organizations study and reengineer accounting systems because
• their current system is inefficient
• two or more accounting systems need to be combined
• the power of the Internet encourages development of a web presence

Systems development work
• begins with a formal investigation of an existing information system,
• is performed by
  • in-house professionals in large organizations
  • a hired team of outside consultants in smaller organizations

The Four Stages in the Systems Development Life Cycle

Planning and Investigation involves
• a preliminary investigation of the current system
• organizing a systems study team, and
• developing strategic plans.

Analysis involves
• analyzing the company’s current system and
• identifying its needs, strengths, and weaknesses.

The Four Stages in the Systems Development Life Cycle

Designing involves
• eliminating the current system’s weak points, and
• preserving its strengths.

Implementation, follow-up, and maintenance includes
• acquiring resources for the new system,
• training new or existing employees,
• identifying any new problems.

System Development Life Cycle of a Business Information System

Systems Studies and Accounting Information Systems

Systems studies are part of the greater task of reengineering one or more of the core systems of an organization.

A systems study looks at
• applications portfolio, which includes
  • an enterprise system,
  • other specialized information systems,
  • many separate systems for functional areas

Systems Studies and Accounting Information Systems

A systems study means
• replacing or
• modifying existing information systems

• altering work flows,
• changing data gathering and recording tasks,
• revamping employee responsibilities, and
• revising ways of rewarding personnel

Systems Planning and Investigation

• The Study Team and the Steering Committee
  • top management personnel critical to the success of a new system.
• Investigating Current Systems reports
  • the problems or objectives the study team identified,
  • solutions or alternatives it investigated, and
  • further course(s) of action it recommends.

The Steering Committee

The Steering Committee
• interfaces between the company’s management and the study team
• includes top management personnel like
  • the controller,
  • the vice president of finance,
  • the top-level information systems manager
  • one or more staff auditors, and
  • the CEO (for very important projects)
• may disband the study team and do nothing,
• perform further preliminary investigations, or
• proceed to the formal systems analysis stage

Data Analysis

Systems analysis work
• takes longer than a preliminary investigation,
• provides interim reports to the steering committee
• delivers the final systems analysis report.

Steps in the Systems Design Phase

Evaluating System Feasibility

The design team must examine five feasibility areas:
• technical feasibility
  • technical resources - hardware and software components
• operational feasibility
  • examines its compatibility with the current operating environment
• schedule feasibility
  • importance of completion on time
• legal feasibility
  • system should comply with all applicable federal and state statutes
• economic feasibility
  • anticipated benefits of the system exceed its projected costs

Detailed Systems Design

Prototyping
• is developing a simplified model of a system
• is an iterative process of trial-use-and-modification
• is not recommended where the inputs, processing, and outputs are already clearly defined.

Outsourcing

Outsourcing – two kinds
• Business Process Outsourcing (BPO)
  • ranges from routine assistance with a single application to almost all the accounting functions of the organization.
• Knowledge Process Outsourcing (KPO) - three areas
  • intellectual property
  • data mining of consumer data,
  • and research and development related to medical drugs and biotechnology

Implementation

• Implementation Activities
• Managing IT Implementation Projects
• Post-Implementation Review
• System Maintenance

Post-Implementation Review

Reevaluation of the new system’s effectiveness by
• Checking with personnel about satisfaction with the new system.
• Talking with end users to ascertain their satisfaction.
• Evaluating the control procedures of the system
• Observing employee work performance to determine efficiency
• Evaluating effectiveness of computer processing functions
• Determining whether schedules for both internal and external reports are met with the new computer system.

System Maintenance

System maintenance continues the tasks created by the initial follow-up study, except that experts from the company’s IT subsystem now perform the modifications exclusively.

The IT subsystem is responsible for
• responding to errors and anomalies in the system,
• estimating the cost of fixing them, and
• performing the necessary modifications.

Chapter 10

Information Technology Auditing

• Introduction
• The Audit Function
• The IT Auditor’s Toolkit
• Auditing the Computerized AIS
• Information Technology Auditing Today

Introduction

Audits of accounting systems
• ensure that controls are functioning properly
• confirm that additional controls are not needed

The nature of auditing includes
• the distinction between internal and external auditing
• the relationship between an IT audit and a financial audit

The Audit Function

The function of an audit
• is to examine and to assure.
• will differ according to the subject under examination.
• can be internal, or external, and
• concerns information systems also.

Information technology auditing discusses
• internal auditing,
• external auditing, and
• IT auditing.

Information Technology Auditing

Information technology (IT) auditing
• involves evaluating the computer’s role in achieving
  • audit objectives and
  • control objectives
• means proving data and information are
  • reliable,
  • confidential,
  • secure, and
  • available as needed
• includes attest objectives like
  • safeguarding of assets and data integrity,
  • operational effectiveness.

The IT Audit

The IT audit function encompasses

Careers in Information Systems Auditing

Information systems auditors
• may be internal or external
• can obtain professional certification as a Certified Information Systems Auditor (CISA)
• can also acquire certification as Certified Information Security Managers (CISM)

Effectiveness of Information Systems Controls

An external auditor’s objectives are
• to evaluate the risks to the integrity of accounting data
• to make recommendations to managers to improve these controls.

Risk Assessment

A risk-based audit approach involves
• Determining the threats facing the AIS
  • errors and irregularities
• Identifying the control procedures
  • to prevent or detect the errors and irregularities

Risk Assessment

• Evaluating the control procedures within the AIS
  • observing system operations,
  • inspecting documents, records, and reports,
  • checking samples of system inputs and outputs, and
  • tracing transactions through the system
• Evaluating weaknesses
  • identifying control deficiencies
  • determining compensating controls to make up for the deficiency

Guidance in Reviewing and Evaluating IT Controls

• Control Objectives for Information and Related Technology (COBIT) provides guidance in
  • assessing business risks,
  • controlling for business risks, and
  • evaluating the effectiveness of controls

General-Use Software

Auditors use general-use software as productivity tools to improve their work, such as
• spreadsheets and
• database management systems.

Auditors use structured query language (SQL)
• to retrieve a client’s data and
• display these data for audit purposes.

Generalized Audit Software

Generalized audit software (GAS) packages
• enable auditors to review computer files without rewriting processing programs,
• are specifically tailored to auditor tasks
• have been developed in-house in large firms, or
• are available from various software suppliers
• Examples of GAS are
  • Audit Command Language (ACL)
  • Interactive Data Extraction and Analysis (IDEA)

Objectives of an Information Systems Audit

In an IT audit, auditors should meet the following objectives
• Checking security provisions, which protect computer equipment, programs, communications, and data from unauthorized access, modification, or destruction.
• Program development and acquisition are performed in accordance with management’s authorization.
• Program modifications have authorization and approval from management.

Objectives of an Information Systems Audit

• Processing of transactions, files, reports, and other computer records is accurate and complete.
• Source data that are inaccurate or improperly authorized are identified and handled according to prescribed managerial policies.
• Computer data files are accurate, complete, and confidential.

The Sarbanes-Oxley Act of 2002

The two most important provisions of SOX for auditors are
• Section 302 – requiring CFOs and CEOs to certify that their company’s financial statements are accurate and complete
• Section 404 – requiring both the CEO and CFO to attest to their organization’s internal controls over financial reporting

Information Systems Reliability Assurance

Auditing electronic commerce is a specialized field because
• of the skill level involved,
• of the many safeguards, inherent in non-e-commerce systems, which do not exist here,
• of the lack of hard-copy documents for verification, and
• of an electronic transaction, which does not guarantee validity or authenticity

Auditors need to
• attest this type of format to provide the traditional assurance by
  • an audit report or
  • digital signature

Third-Party Assurance

Internet systems and web sites
• are a source of risk for many companies,
• need specialized audits of these systems,
• have created a market for third-party assurance services, which is limited to data privacy.

