First Semester: Midterm Reviewer

Chapter 1: Introduction to Accounting Information Systems


◼ Technology improves information available for decision-making.
◼ All decision makers within an organization benefit from accounting technology.
◼ Accountants with technology skills are using technology to be more efficient in their jobs.
◼ The underlying technology is a critical part of every accountant’s job.

1. Enterprise Systems integrate business processes and information from all of an organization’s functional areas (marketing and sales, cash receipts, purchasing, cash disbursements, human resources, production and logistics, and business and financial reporting).
2. E-business is the application of electronic networks (including the Internet) to undertake business processes between individuals and organizations.
3. Internal Control is a process effected by the board of directors, management, and other personnel to provide reasonable assurance that organizational objectives will be achieved in efficiency and effectiveness of operations, reliability of reporting, and compliance with laws and regulations.

Beyond debits and credits
◼ The Internet presents a different set of control issues.
◼ Enterprise systems store almost all information about business events for an organization.

Legal issues impacting accountants
Sarbanes-Oxley Act of 2002
Section 404 and PCAOB Auditing Standard No. 5
◼ Management must identify, document, and evaluate significant internal controls.
◼ Auditors must report on the effectiveness of the organization’s system of internal controls.
Section 409 of SOX
◼ Requires disclosure to the public on a “rapid and current” basis of material changes in an organization’s financial condition.

Challenges and Opportunities for the Accountant
Historically, auditors have performed test functions to determine the reliability of financial statements. This expanding role includes:
◼ Nonfinancial information not measured in monetary units
◼ Use of information technology to create or summarize information from databases
◼ Evaluating information for the assessment of risk

~1~
R.R.B.S

WHAT IS AN ACCOUNTING INFORMATION SYSTEM?
- Systems and Subsystems
- The Accounting Information System (AIS)
- The Information System (IS)

Systems and subsystems
◼ System: A set of interdependent elements that together accomplish specific objectives. A system must have organization, interrelationships, integration, and central objectives.
◼ Subsystem: A part of a system. Within limits, any subsystem can be further divided into its component parts or subsystems.
◼ A system’s central objectives depend on its type—natural, biological, or man-made—and on the particular system.

The information system (IS)
◼ An information system (IS) or management information system (MIS): a man-made system that generally consists of an integrated set of computer-based and manual components established to collect, store, and manage data and to provide output information to users.
◼ An accounting information system (AIS) is a specialized subsystem of the IS that collects, processes, and reports information related to the financial aspects of business events.
◼ Often integrated and indistinguishable from the overall IS.
◼ May be divided into components based on the operational functions supported. Components are called business processes or AIS subsystems.

Logical components of a business process:
◼ Operations process: A system consisting of the people, equipment, organization, policies, and procedures whose objective is to accomplish the work of the organization.
◼ Management process: A system consisting of the people, authority, organization, policies, and procedures whose objective is to plan and control the operations of the organization.


◼ Flow 1: Management hires personnel and establishes the means for accomplishing the work of the organization.
◼ Flow 2: Management establishes broad marketing objectives and assigns specific sales quotas. In addition, management designs the IS’s procedures for facilitating operations.
◼ Flow 3: Normal operations begin with the IS receiving a customer’s order to purchase goods.
◼ Flow 4: The IS acknowledges the customer’s purchase order.
◼ Flow 5: The IS sends a request to the warehouse to ship goods to the customer.
◼ Flow 6: A document identifying the customer and the goods is attached to the goods.
◼ Flow 7: The goods are shipped to the customer.

MANAGEMENT USES OF INFORMATION
◼ An IS serves two important functions within an organization:
    ◼ The IS assists daily operations.
    ◼ The IS supports managerial activities, including management decision making.

Data versus information
◼ Information: Data presented in a form that is useful in a decision-making activity. It has value to the decision maker because it reduces uncertainty and increases knowledge about a particular area of concern.
◼ Data: Facts or figures in raw form. Represents the measurements of observations of objects and events. To be useful to a decision maker, it must be transformed into information.

Qualities of information:
The effectiveness of information can be measured in many ways:
◼ Understandability: Enables users to perceive significance and permits application by the user in a decision-making situation.
◼ Relevance: Capable of making a difference in a decision-making situation by reducing uncertainty or increasing knowledge.
◼ Timeliness: Available to a decision maker before it loses relevance.
◼ Predictive or feedback value: Improves the decision maker’s capacity to predict, confirm, or correct earlier expectations.
◼ Verifiability: High degree of consensus about the information among independent measurers using the same measurement methods.
◼ Neutrality or freedom from bias: Objective.
◼ Comparability: Enables users to identify similarities and differences between two pieces of information.
◼ Accuracy: Correspondence or agreement between the information and the actual events or objects it represents.
◼ Completeness: Degree to which information includes data about every relevant object or event necessary to make a decision and includes that information only once.

Management decision-making
1. Intelligence: Searching the environment for conditions calling for a decision.
2. Design: Inventing, developing, and analyzing possible courses of action.
3. Choice: Selecting a course of action.

◼ Horizontal information flows relate to specific business events, such as one shipment, or to individual inventory items. This information is narrow in scope, detailed, accurate, and comes largely from within the organization.
◼ Vertical information flows service a multi-level management function from operations and transaction processing through tactical, operations, and strategic management.
◼ Structured decisions: Those for which all three decision phases (intelligence, design, and choice) are relatively routine or repetitive. Some decisions are so routine that a computer can be programmed to make them.
◼ Unstructured decisions: Those for which none of the decision phases (intelligence, design, or choice) are routine or repetitive.

THE ACCOUNTANT’S ROLE IN THE CURRENT BUSINESS ENVIRONMENT
◼ Designer: Application of accounting principles, auditing principles, IS techniques, and systems development methods to design an AIS.
◼ User: Accountants perform various functions within organizations that use the AIS. As a user, the accountant should be involved in the AIS design process.
◼ Auditor: Provide audit and assurance services.


◼ A business event includes any change in the state of an enterprise, such as the purchase of goods and services.
◼ ERP systems have received an exponential boost in importance for businesses in the era of Big Data and business analytics.
Gartner defines:
◼ Big Data as “high-volume, high-velocity and/or high variety information assets that demand cost-effective, innovative forms of information processing that enable enhanced insight, decision making, and process automation.”
◼ Business analytics as “solutions used to build analysis models and simulations to create scenarios, understand realities and predict future states...”

Chapter 2: Enterprise Systems

INTRODUCTION
◼ Enterprise systems (enterprise-wide information systems and enterprise information systems) integrate and automate business process functionality and information from all of an organization’s functional areas.

ENTERPRISE RESOURCE PLANNING (ERP) SYSTEMS
◼ Enterprise resource planning (ERP) systems are software packages that can be used for the core systems necessary to support enterprise systems.
◼ Best-of-breed approach combines modules from various vendors to create an information system that better meets an organization’s needs than a standard ERP system.
Third-party add-on modules:
◼ Customer relationship management (CRM) software: Builds and maintains customer-related database.
◼ Customer self-service (CSS) software: Allows customers to complete tasks without the help of an organization’s employees.
◼ Sales force automation (SFA) software: Automates sales tasks such as order processing and tracking.
◼ Supply Chain Management (SCM) software: Enables the steps in the supply chain including demand planning, inventory acquisition, manufacturing, distributing and selling.
◼ Product Lifecycle Management (PLM) software: Manages product data from design through manufacturing and ending in the disposal of a product.
◼ Supplier Relationship Management (SRM) software: Manages the interactions with organizations that supply the goods and services to an enterprise; includes procurement and contract management.
◼ Third-party modules are connected to ERP systems using middleware (software for connecting two or more software applications or modules):
    ◼ Application programming interface (API) is provided by the application developer.
    ◼ Enterprise application integration (EAI) combines processes, software, standards, and hardware to link two or more systems together, allowing them to act as one.
◼ Business process management (BPM)
    ◼ Takes into account modeling, automating, managing, and optimizing business processes, including:
    - A design environment for modeling and documenting business processes targeted at improvements.
    - Conversion of manual processes to automated processes.
    - Implementation of data entry forms that prevent error.
    - Engine to facilitate change.
    - Monitoring to enable process improvement and optimization.

Enterprise systems value chain
◼ A value chain is a chain of activities performed by an organization that transform inputs into outputs valued by the customer.
◼ An organization creates a competitive advantage by creating more value for customers than its competitors.
◼ Organizations create value by performing activities at lower cost or enhancing differentiation of products or services.

The value of systems integration

Additional value
◼ Integrated information systems provide additional value by improving consistency, completeness, and accuracy.
◼ Without integrated information systems, organizations have difficulty managing on a day-to-day basis and being successful in the long run.

ENTERPRISE SYSTEMS SUPPORT FOR ORGANIZATIONAL PROCESSES
◼ An information system supports the functioning of an organization in several ways:
    ◼ It facilitates the functioning of the organization’s operations.
    ◼ The information system retains records about business events that have occurred.
    ◼ The information system stores data that is useful for decision making.

CAPTURING DATA DURING BUSINESS EVENTS
◼ Data collected and stored should relate to the four W’s:
    ◼ The who relates to all individuals and organizations that are involved in the event (sometimes called agents).
    ◼ The what relates to all resources exchanged due to the event.
    ◼ The where relates to the locations at which (1) the event takes place, (2) exchanged resources reside before and after the event, and (3) the agents are during the event.
    ◼ The when relates to the time periods involved in completion of the event including future exchanges of resources.

Major ERP modules:
◼ Modules that are part of the SAP Business Suite include:
    1. Sales and Distribution (SD)
    2. Materials Management (MM)
    3. Financial Accounting (FI)
    4. Controlling (CO)
    5. Human Capital Management (HCM)

Sales and distribution:
◼ Three major steps in the SD process:
    ◼ Order entry
    ◼ Shipment
    ◼ Billing
◼ Connections to:
    ◼ Materials management module (MM)
    ◼ Financial accounting module (FI)
    ◼ Controlling module (CO)


Materials management:
◼ Acquisition of goods from vendors and management of the goods while they are in stock:
    - Preparing and recording a purchase order
    - Recording the vendor’s invoice
◼ Interacts with:
    - Sales and distribution module (SD)
    - Financial accounting module (FI)
    - Controlling module (CO)

Financial accounting
◼ Plays a central role in the SAP system.
◼ Incorporates data from other modules into general ledger accounts and external financial statements.
◼ Includes accounts receivable and accounts payable functions to record and manage that data directly and to complete events begun in the SD and MM modules.

CONTROLLING AND PROFITABILITY ANALYSIS
◼ Often called Controlling and Profitability Analysis (CO/PA).
◼ Handles internal accounting, including:
    ◼ Cost center accounting
    ◼ Profitability analysis for sales, activity-based accounting
    ◼ Budgeting

HUMAN CAPITAL MANAGEMENT
◼ Managed in SAP by the Human Capital Management (HCM) module.
◼ Module includes functions related to:
    ◼ Recruitment
    ◼ Management and administration of personnel
    ◼ Payroll processing
    ◼ Personnel training
    ◼ Travel
◼ Maintains data related to benefits, training, and work shifts.

ENTERPRISE SYSTEMS SUPPORT FOR MAJOR BUSINESS EVENT PROCESSES
◼ Most organizations group their major business events into two processes:
    ◼ The order-to-cash (or revenue) process.
    ◼ The purchase-to-pay (or expenditure) process.

Order-to-cash


Purchase-to-pay

◼ Enterprise systems achieve quality of information goals by:
    - Collecting data about business events.
    - Making that data available for use by interested and authorized parties.
◼ Data should:
    - Help all users (relevance, understandability).
    - Make decisions (decision usefulness).
    - Analyze past events to make predictions about future events (predictive/feedback value).
◼ An enterprise system’s central database:
    - Retains one version of data elements.
    - Uses data to verify the accuracy of new data elements.
    - Permits only authorized changes to the database.
    - Improves reliability, validity, and accuracy of the database.
◼ Enforcement of data standards and business rules means:
    - Business events are handled consistently.
    - All relevant data is collected (completeness).
    - Collected data is verifiable and neutral.
    - All data is available in a timely manner.
◼ The system facilitates the sharing of services for efficiency and consistency.

Chapter 3: Electronic Business (E-Business) Systems

INTRODUCTION
◼ The shift towards automated business processes and communications based on the transfer of electronic data is designed to achieve greater efficiencies in business processing.


◼ When an organization engages in E-business, it completes electronic-based business events.
◼ Electronic-based business events entail the interconnection of the underlying back-office processes of organizations.

APPLYING E-BUSINESS TO THE VALUE CHAIN
◼ [Link] has grown because it uses technology to enhance the company’s value chain and to satisfy customer needs.
◼ Another innovation from [Link] is the collection and analysis of customer purchase data.
◼ Companies and consumers have included social networking applications as part of their value chain.

THE CHANGING WORLD OF BUSINESS PROCESSING
◼ Evolution of information technology has provided for alternative forms of business processes and business event data processing.
◼ Enables some organizations to become more efficient and effective by changing the traditional means by which they have done business.

A COMPARISON OF MANUAL AND AUTOMATED ACCOUNTING INFORMATION SYSTEMS:
Activities in the manual accounting process:
1. Journalize the business event.
2. Post the business event from the journal to a subsidiary ledger.
3. Post the total from the journal to the general ledger.
4. Summarize the business events by preparing a trial balance.

◼ Master data are repositories of relatively permanent data maintained over an extended period of time.
◼ Two types of updates can be made:
    - Information processing includes data processing functions related to economic events.
    - Data maintenance includes activities related to adding, deleting, or replacing standing data (relatively permanent portions of master data).
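The four manual-process steps above, together with the master-data rule that new event data is verified against existing data before it is accepted, as an added Python example (not code from the reviewer): the chart of accounts, customer list, journal entries and function names are constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Master data (relatively permanent standing data): chart of accounts and
# customers. Constructed sample values for this example.
CHART_OF_ACCOUNTS = {"1000": "Cash", "1100": "Accounts Receivable",
                     "1200": "Inventory", "4000": "Sales Revenue",
                     "5000": "Cost of Goods Sold"}
CUSTOMERS = {"C-001": "Alpha Ltd", "C-002": "Beta Inc"}
AR_CONTROL = "1100"  # general-ledger control account for the customer subledger


@dataclass
class JournalLine:
    account: str
    debit: float = 0.0
    credit: float = 0.0
    customer: Optional[str] = None  # subsidiary-ledger key, used on AR lines


@dataclass
class JournalEntry:
    ref: str
    description: str
    lines: list = field(default_factory=list)


def journalize(entry):
    """Step 1: journalize the business event.

    New event data is verified against master data before it is accepted: an
    unbalanced entry, an unknown account or an unknown customer is rejected
    rather than silently adding standing data (that would be data
    maintenance, not information processing).
    """
    debits = sum(line.debit for line in entry.lines)
    credits = sum(line.credit for line in entry.lines)
    if round(debits - credits, 2) != 0:
        raise ValueError(f"{entry.ref}: debits {debits} != credits {credits}")
    for line in entry.lines:
        if line.account not in CHART_OF_ACCOUNTS:
            raise ValueError(f"{entry.ref}: unknown account {line.account}")
        if line.account == AR_CONTROL and line.customer not in CUSTOMERS:
            raise ValueError(f"{entry.ref}: unknown customer {line.customer}")
    return entry


def post_to_subsidiary(journal):
    """Step 2: post each AR line to that customer's subsidiary ledger."""
    subledger = defaultdict(float)
    for entry in journal:
        for line in entry.lines:
            if line.account == AR_CONTROL:
                subledger[line.customer] += line.debit - line.credit
    return dict(subledger)


def post_to_general_ledger(journal):
    """Step 3: post journal totals per account to the general ledger.
    Balances are debit-positive; a credit balance is a negative number."""
    ledger = defaultdict(float)
    for entry in journal:
        for line in entry.lines:
            ledger[line.account] += line.debit - line.credit
    return dict(ledger)


def trial_balance(ledger):
    """Step 4: summarize the ledger into debit and credit column totals."""
    total_debits = sum(bal for bal in ledger.values() if bal > 0)
    total_credits = sum(-bal for bal in ledger.values() if bal < 0)
    return round(total_debits, 2), round(total_credits, 2)


def control_account_agrees(ledger, subledger):
    """Reconciliation: the AR subsidiary ledger must equal the control account."""
    return round(sum(subledger.values()), 2) == round(ledger.get(AR_CONTROL, 0.0), 2)


# Constructed business events: a credit sale, its cost, and a partial receipt.
JOURNAL = [
    journalize(JournalEntry("J1", "Credit sale to Alpha Ltd", [
        JournalLine("1100", debit=500.0, customer="C-001"),
        JournalLine("4000", credit=500.0)])),
    journalize(JournalEntry("J2", "Cost of goods shipped on J1", [
        JournalLine("5000", debit=300.0),
        JournalLine("1200", credit=300.0)])),
    journalize(JournalEntry("J3", "Cash received from Alpha Ltd", [
        JournalLine("1000", debit=200.0),
        JournalLine("1100", credit=200.0, customer="C-001")])),
]

if __name__ == "__main__":
    gl = post_to_general_ledger(JOURNAL)
    ar = post_to_subsidiary(JOURNAL)
    print("Trial balance (debits, credits):", trial_balance(gl))
    print("AR subledger agrees with control account:", control_account_agrees(gl, ar))
```

The trial balance only proves that debits equal credits; the subledger-to-control-account comparison is the extra check that catches a posting made to the wrong customer.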


AUTOMATING AN ACCOUNTING INFORMATION SYSTEM
◼ Batch processing: The aggregation of several business events over some period of time with the subsequent processing of these data as a group by the information system.
◼ Periodic mode: Processing mode with delay between the various data processing steps. Heavily dependent on the use of batch processing.
◼ Immediate mode: Processing mode in which little or no delay occurs between any two data processing steps.

Subprocesses
◼ Business event occurs: Information is recorded on a source document.
◼ Record business event data: A batch of source documents is entered in a computerized format using an offline device.
◼ Update master data: The computer processes the entered information and updates the master data.
◼ Generate outputs: After the update, periodic outputs (i.e., reports) are generated for management.

ONLINE TRANSACTION ENTRY (OLTE)
◼ Online transaction entry (OLTE) system: Use of data entry devices to enter business event data directly into the information system at the time and place that the business event occurs.
◼ Merges the traditional subprocesses of business event occurrence and recording of business event data into a single operation.
◼ Considered online because the data entry device is connected to the computer.
◼ Data entry is completed using bar code readers, scanners, or radio-frequency identification (RFID) readers.

ONLINE REAL-TIME (OLRT) PROCESSING
◼ Online real-time (OLRT) systems: Gather and record business event data at the time of occurrence.
◼ Update master data instantaneously.
◼ Provide results in real time.
◼ Also known as immediate mode, in which little or no delay occurs between any two data processing steps.
◼ OLRT systems require three basic subprocesses to be completed:
    ◼ Business event occurs; record business event data.
    ◼ Update master data.
    ◼ Generate reports (and support queries).


◼ Processing methods require data communications pathways among PCs, terminals, or other systems.
◼ Communication Networks
    ◼ Client/server technology
    ◼ Local area networks (LANs)
    ◼ Wide area networks (WANs)
    ◼ Internet
    ◼ Web browsers
    ◼ Intranet
    ◼ Extranet

Methods for conducting e-business:
◼ Methods of E-business include:
    ◼ Electronic mail (e-mail)
    ◼ Electronic document management (EDM)
    ◼ Electronic data interchange (EDI)
    ◼ Internet commerce

Commerce through e-mail:
◼ Electronic mail (e-mail): Non-standardized messages between individuals linked via a communications network.
    ◼ Weak form for e-business because of non-standardized format.
    ◼ Data capture is difficult due to unstructured nature.
    ◼ From a sales standpoint, a targeted market can be identified by an e-mail list.
    ◼ General objectives of e-business are not achieved.

ELECTRONIC DOCUMENT MANAGEMENT (EDM)
◼ Electronic Document Management (EDM): Capture, storage, management, and control of document images.
◼ Applications fall into two categories:
    ◼ Document storage and retrieval.
    ◼ Business event data processing.
◼ Benefits include:
    ◼ Reduced cost of handling and storing paper.
    ◼ Improved productivity and customer service.
    ◼ Enhanced management of workflow.
    ◼ Faster processing.

ELECTRONIC DATA INTERCHANGE (EDI)
◼ Electronic Data Interchange (EDI): Computer-to-computer exchange of business data in structured formats that allow direct processing of those electronic documents by the receiving computer system.
◼ Application Software (circles 1 and 7): Originating application software prepares an electronic business document (PO). Destination application processes the business data.
◼ Translation Software (circles 2 and 6): Application’s electronic business document must be translated to the structured EDI format that will be recognized by the receiving computer.
◼ Communications Network (circles 3 and 5): The trading partners must have a method of communicating the electronic messages to each other. Organizations may use either EDI service bureaus or the Internet.
◼ Value-Added Network (VAN) Service (circle 4): Rather than connecting to each trading partner, an organization can connect to a value-added network (VAN) service that acts as an EDI “post office.”

EDI over the Internet
◼ Internet EDI (IEDI): Use of secure, structured messages over the Internet to execute business transactions.
◼ Main difference between traditional and Internet EDI is use of a VAN for the traditional method.
◼ It is expected that IEDI will replace traditional EDI.

EDI AND BUSINESS EVENT DATA PROCESSING
◼ Main advantage of EDI is reduction in the need for interaction between humans and OLTE.
◼ EDI is moving to the Internet, allowing companies to save the cost of the VANs.
◼ By eliminating VANs it is possible for a company to have a significant reduction in costs.
◼ It is expected that Internet EDI will dominate B2B e-commerce.
◼ Web Services: A software application that supports direct interactions with software objects over an intranet or the Internet.
◼ Service-oriented architecture (SOA): Refers to well-defined, independent functions (or applications) that can be distributed over a network via Web Services.

Internet commerce
◼ Internet commerce: Computer-to-computer exchange of business event data via Internet communication that allows the initiation and consummation of business events.
◼ Network providers: Provide a link to the Internet by making their directly connected networks available for access by fee-paying customers.
◼ Client/Server Relationship (circles 1 and 7): Customer connects to vendor in an extended form of client/server application.
◼ Network Providers (circles 2 and 5): Connection to Internet through direct connection or network provider.
◼ Assurance Providers (circles 4 and 6): Internet assurance services provide limited assurance that Web site is reliable and secure.
◼ Internet Connection (circle 3): The network diagram of a cloud, displayed at circle 3, pictorially represents how the Internet operates.
◼ Internet assurance: Service provided for a fee to vendors to provide limited assurance to users of the vendor’s Web site that the site is in fact reliable and event data security is reasonable. Examples include WebTrust.
◼ Cloud computing: The use of the Internet to provide scalable services—such as software, resources, hardware, and data storage—to users. Examples include Gmail.
◼ Internet auction markets: Provide an Internet base for companies to put products up for bid or for buyers to put proposed purchases up for bid.
◼ Electronic storefronts: The creation of Internet-located resources for displaying goods and services for sale and for conducting related sales events.
◼ Internet market exchanges: Brings together a variety of suppliers in a given industry with one or more buyers in the same industry to provide Internet commerce through organized markets.

Summary:
◼ Future of E-business will see an increased merging of technologies as the lines between EDI and Internet continue to blur.
◼ The major impediment to conducting business over the Internet is the concern about security.
◼ Advances in Internet security have been significant in the past few years.
◼ Evolution of EDI practices toward the Internet is facilitated by use of corporate extranets.
◼ Extranet environment simplifies processing and provides higher levels of control and security.
◼ Extranets open to business partners using programs that limit access to selected business partners.
◼ Increases in security will:
    ◼ Allow the Internet to become the communication infrastructure of choice.
    ◼ Help fuel the growth of Internet commerce.


◼ Web Services and service-oriented architectures will allow:
    ◼ Opportunities for reaching customers.
    ◼ New globalization of the customer base.
    ◼ New competition from distant companies.
◼ E-business is a fundamental change in the way organizations do business, and a driver of organizational change.
◼ To succeed in an E-business environment, an organization must recognize the need to embrace change and must effectively plan and manage change.
◼ Management must take a proactive stance and lead.

Chapter 4: Documenting Information Systems

INTRODUCTION
◼ Documentation is:
    ▪ Used to understand, explain, evaluate, and improve complex business processes, information systems, and internal control.
    ▪ Needed to comply with Section 404 of SOX.
◼ To use a graphical documentation tool, these steps are followed:
    1. Define symbols and rules that will be used.
    2. See symbols that are used in each method.
    3. Outline how to read diagrams in each method.
    4. Prepare diagrams and flowcharts.

READING SYSTEMS DOCUMENTATION
◼ Two types of systems documentation:
    ▪ Data flow diagrams.
    ▪ Systems flowcharts.


READING DATA FLOW DIAGRAMS
◼ Data flow diagrams (DFDs):
    ▪ Show business processes, flows of data within those processes, and the sources and storage of the data required for the process.
    ▪ Depict systems components.
    ▪ Data flows among components, and the sources.
    ▪ Destinations.
    ▪ Storage of data.
    ▪ Use a limited number of symbols.
◼ External entities: Those entities (i.e., persons, places, or things) outside the system that send data to, or receive data from, the system.

Context Diagram
◼ Context diagram: Least detailed picture of a system that defines the process being documented and shows the data flows into and out of the process to external entities.

Physical Data Flow Diagram
◼ Physical data flow diagram (DFD): Graphical representation of a system showing the system’s internal and external entities, and the flows of data into and out of these entities.
◼ Specifies where, how, and by whom a system’s processes are accomplished.
◼ Internal entity: An entity within the system that transforms data.

Logical Data Flow Diagram
◼ Logical data flow diagram (DFD): Graphical representation of a system showing the system’s processes (as bubbles), data stores, and the flows of data into and out of the processes and data stores.
◼ Specifies what activities the system is performing.
◼ Logical DFDs portray a system’s activities.
◼ Balanced: When two DFDs have equivalent external data flows.
◼ Only balanced sets of DFDs (i.e., a context diagram, a logical DFD, and a physical DFD) are correct.
◼ Top-down partitioning: The successive subdividing (exploding) of logical DFDs.

READING SYSTEMS FLOWCHARTS
◼ Systems flowchart: Graphical representation of a business process, including information processes, as well as the related operations processes (people, equipment, organization, and work activities).
◼ Presents a logical and physical rendering of the who, what, how, and where of information and operations processes.
◼ Depicts the sequence of activities performed as business events flow through the process.

Common Systems Flowcharting Routines
◼ The following slides show several common ways of showing processing using system flowcharting.
◼ Note the way the columns are set up to communicate the flow of activities between processing entities.
Flowcharting routine shown (figure not reproduced): Enter document into computer via keyboard, edit input, record input.

Flowcharting routines shown (figures not reproduced):
- User queries the computer.
- Enter journal in manual accounting system.
- Update data store.
- Pick and ship goods.
- Key and key verify data.
- Enter document via scanning.

PREPARING SYSTEMS DOCUMENTATION
◼ How to prepare data flow diagrams and systems flowcharts.
◼ Guidelines for creating DFDs and systems flowcharts.
◼ Relevant process narrative.

PREPARING DATA FLOW DIAGRAMS
◼ Analyze narrative.
◼ Create a table of entities and activities.
◼ An activity is any action being performed by an internal or external entity.


The Narrative
◼ Information processing activities: Retrieve data from storage, transform data, or file data.

Table of Entities and Activities
◼ Activity:
    ▪ Actions related to data (send data, transform data, file or store data, retrieve data from storage, or receive data).
    ▪ Operations process activities include picking goods, inspecting goods at a receiving dock, or counting cash.

DRAWING THE CONTEXT DIAGRAM
DFD guidelines:
1. Include within the system context (bubble) any entity that performs one or more information processing activities.
2. For now, include only normal processing routines (not exception routines or error routines) on context diagrams, physical DFDs, and logical level 0 DFDs.
3. Include in the process documentation all (and only) activities and entities described in the systems narrative.
4. When multiple entities operate identically, depict only one to represent all.

Drawing the Current Physical Data Flow Diagram

5. For clarity, draw a data flow for each flow into and out of a data store. Label each flow with the activity number that gives rise to the flow or with a description of the flow.
6. If a data store is logically necessary, include a data store in the diagrams, even if it is not mentioned in the narrative.

DRAWING THE CURRENT LOGICAL DATA FLOW DIAGRAM

7. Group activities if they occur in the same place and at the same time.
8. Group activities if they occur at the same time but in different places.
9. Group activities that seem to be logically related.
10. To make the DFD readable, use between five and seven bubbles.

Summary of Drawing Data Flow Diagrams

11. A data flow should go to an operations entity square when only operations process functions are to be performed by that entity. A data flow should enter an entity bubble if the operations process entity is to perform an information processing activity.
12. On a physical DFD, reading computer data stores and writing to computer data stores must go through a computer bubble.
13. On a logical DFD, data flows cannot go from higher- to lower-numbered bubbles.
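To make the guidelines concrete, here is an added example (not part of the reviewer) that encodes guidelines 5, 10, 12 and 13 as checks over a small diagram. The node and flow representation and the constructed order-entry diagrams are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Node:
    """A DFD symbol: a numbered process bubble, an entity square, or a data store."""
    kind: str                        # "bubble", "entity" or "store"
    number: Optional[float] = None   # bubble number such as 1.0 (bubbles only)
    computer: bool = False           # physical DFD: this bubble is the computer


@dataclass
class Flow:
    source: str
    target: str
    label: str = ""                  # activity number or description of the flow


def check_dfd(nodes: Dict[str, Node], flows: List[Flow], physical: bool) -> List[str]:
    """Return one finding per violated guideline (5, 10, 12, 13); empty list if clean."""
    findings = []
    bubbles = [n for n in nodes.values() if n.kind == "bubble"]
    # Guideline 10: five to seven bubbles keep the diagram readable.
    if not 5 <= len(bubbles) <= 7:
        findings.append(f"G10: {len(bubbles)} bubbles, aim for five to seven")
    for f in flows:
        src, dst = nodes[f.source], nodes[f.target]
        touches_store = "store" in (src.kind, dst.kind)
        # Guideline 5: every flow into or out of a data store carries a label.
        if touches_store and not f.label:
            findings.append(f"G5: unlabeled store flow {f.source} -> {f.target}")
        # Guideline 12: on a physical DFD, reads and writes of a computer data
        # store must pass through the computer bubble.
        if physical and touches_store:
            other = dst if src.kind == "store" else src
            if not (other.kind == "bubble" and other.computer):
                findings.append(f"G12: {f.source} -> {f.target} bypasses the computer bubble")
        # Guideline 13: on a logical DFD, no flow runs from a higher- to a
        # lower-numbered bubble.
        if (not physical and src.kind == "bubble" and dst.kind == "bubble"
                and src.number > dst.number):
            findings.append(f"G13: backward flow {f.source} -> {f.target}")
    return findings


# Constructed logical level 0 DFD of an order-entry process (example data).
LOGICAL_NODES = {
    "Customer": Node("entity"),
    "1.0 Validate order": Node("bubble", 1.0),
    "2.0 Check credit": Node("bubble", 2.0),
    "3.0 Record sale": Node("bubble", 3.0),
    "4.0 Prepare invoice": Node("bubble", 4.0),
    "Sales file": Node("store"),
}
LOGICAL_FLOWS = [
    Flow("Customer", "1.0 Validate order", "order"),
    Flow("1.0 Validate order", "2.0 Check credit", "valid order"),
    Flow("2.0 Check credit", "3.0 Record sale", "approved order"),
    Flow("3.0 Record sale", "Sales file"),                   # violates G5: no label
    Flow("3.0 Record sale", "1.0 Validate order", "redo"),   # violates G13: 3.0 -> 1.0
    Flow("3.0 Record sale", "4.0 Prepare invoice", "sale"),
]

# Constructed physical DFD fragment: the clerk writes the file directly (example data).
PHYSICAL_NODES = {
    "Sales clerk": Node("bubble", 1.0),
    "Computer": Node("bubble", 2.0, computer=True),
    "Sales file": Node("store"),
}
PHYSICAL_FLOWS = [
    Flow("Sales clerk", "Computer", "keyed order"),
    Flow("Computer", "Sales file", "2"),
    Flow("Sales clerk", "Sales file", "1"),   # violates G12: bypasses the computer bubble
]

if __name__ == "__main__":
    for line in check_dfd(LOGICAL_NODES, LOGICAL_FLOWS, physical=False):
        print("logical:", line)
    for line in check_dfd(PHYSICAL_NODES, PHYSICAL_FLOWS, physical=True):
        print("physical:", line)
```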

◼ Processes called exception routines or error routines handle required actions for out-of-the-ordinary (exceptional) or erroneous events.
◼ Documented below the level 0 DFD with reject stubs that indicate exceptional processing must be performed.
◼ A reject stub is a data flow assigned the label “Reject” that leaves a bubble but does not go to any other bubble or data store. Shown only in lower-level diagrams.

PREPARING SYSTEMS FLOWCHARTS

1. Divide the flowchart into columns; one column for each internal entity and one for each external entity. Label each column.
2. Flowchart columns should be laid out so that the flowchart activities flow from left to right. Minimize crossed lines and connectors.
3. Flowchart logic should flow from top to bottom and from left to right. For clarity, put arrows on all flow lines.
4. Keep the flowchart on one page, if possible. Use off-page connectors if multiple pages are required.
5. Within each column, there must be at least one manual process, keying operation, or data store between documents.
6. When crossing organizational lines, show a document at both ends of the flow line unless the connection is so short that the intent is unambiguous.
7. Documents or reports printed in a computer facility should be shown in that facility’s column first. You can then show the document or report going to the destination unit.
8. Documents or reports printed by a centralized computer facility on equipment located in another organizational unit should not be shown within the computer facility.
9. Processing within an organizational unit on devices such as a PC, laptop, or computerized cash register should be shown within the unit or as a separate column next to that unit, but not in the central computer facility column.
10. Sequential processing steps with no delay between them (and resulting from the same input) can be shown as one process or as a sequence of processes.
11. The only way to get data into or out of a computer data storage unit is through a computer processing rectangle or offline process square.
12. A manual process is not needed to show the sending of a document. It should be apparent from the movement of the document.
13. Do not use manual processes to file documents. Show documents going into files.

DRAWING SYSTEMS FLOWCHARTS

SUMMARY OF SYSTEMS FLOWCHARTING

◼ Strike a balance between clarity and clutter by using annotation judiciously and on-page connectors whenever flow lines create clutter.
◼ Avoid crossing lines whenever possible. If you must, use a “bridge.”
◼ Document only normal routines and leave exception routines for another page of the flowchart.

DOCUMENTING ENTERPRISE SYSTEMS

◼ Moving from a file-based system to an enterprise database changes the systems flowchart.
◼ The central computer would have one data store (enterprise database), not the current five computer data stores.
◼ Other changes would depend on the organization’s system implementation.

SUMMARY

◼ Common techniques used to describe and analyze business processes are documentation tools, such as:
▪ Narratives.
▪ Tables of entities and activities.
▪ DFDs.
▪ Systems flowcharts.
◼ Each technique has its own purpose, strengths, and weaknesses.

Chapter 5: CONTROLLING INFORMATION SYSTEMS: INTRODUCTION TO ENTERPRISE RISK MANAGEMENT AND INTERNAL CONTROL

INTRODUCTION

◼ Organizational governance processes can improve risk assessment and fraud detection, while simultaneously increasing organization performance and value.
◼ COSO’s Enterprise Risk Management - Integrated Framework can guide an organization’s governance processes, especially entity-wide risk assessment.
◼ Internal control—a key component of governance and risk management—helps organizations achieve objectives, identify and respond to risks, prevent fraud, and provide a means to detect fraud.

ORGANIZATIONAL GOVERNANCE

◼ Organizational governance: Process by which organizations select objectives, establish processes to achieve objectives, and monitor performance.
◼ Objective setting includes defining mission, vision, purpose, and strategies to establish relationships.
◼ Processes to achieve objectives, including essential internal controls and monitoring activities, are designed and implemented.

ENTERPRISE RISK MANAGEMENT

◼ “Enterprise Risk Management (ERM):
▪ Process effected by an entity’s board of directors, management, and other personnel.
▪ Applied in strategy settings and across the enterprise.
▪ Designed to identify potential events that may affect the entity, manage risk to be within its risk appetite, and provide reasonable assurance regarding the achievement of entity objectives.”
◼ ERM framework addresses four categories of management objectives:
▪ Strategic: High-level goals aligned with and supporting its mission.
▪ Operations: Effective and efficient use of its resources.
▪ Reporting: Reliability of reporting.

▪ Compliance: Compliance with applicable laws and regulations.
◼ Risks: Events that would have a negative impact on the organization’s objectives.
▪ Require assessment and response.
◼ Opportunities: Events that would have a positive impact on objectives.
▪ Opportunities are channeled back to the strategy-setting process.

THE SARBANES-OXLEY ACT OF 2002

Sarbanes-Oxley Act of 2002 (SOX):
◼ Created accounting oversight board (PCAOB).
◼ Strengthened auditor independence rules.
◼ Increased accountability of company officers and directors.
◼ Mandated upper management to take responsibility for the company’s internal control structure.
◼ Enhanced the quality of financial reporting.
◼ Increased white collar crime penalties.
◼ Section 201: Prohibits audit firms from providing a wide array of nonaudit services to audit clients. The act prohibits consulting engagements involving the design and implementation of financial information systems.
▪ Nonaudit engagements swap around among CPA firms.

◼ Section 404: Mandates the annual filing of an internal control report with the SEC.
◼ Section 404, the SEC’s Interpretive Guidance, and PCAOB Auditing Standard No. 5 require that management of each publicly traded company:
▪ Evaluate company controls to determine if they adequately address the risk that a material misstatement of the financial statements would not be prevented or detected in a timely manner.
▪ Gather and evaluate evidence about the operation of its controls.
▪ Present a written assessment of internal control effectiveness.
▪ Company’s independent auditor must test and report on the effectiveness of the system of internal controls.

SOX titles and key sections:
◼ Title I—Public Company Accounting Oversight Board: Establishes the PCAOB and assigns oversight and enforcement authority over the board to the SEC.
◼ Title II—Auditor Independence: Prohibits audit firms from engaging in certain nonaudit services with the same client, requires audit partner rotation, and states that company CEO, CFO, controller, or chief accountant cannot have been employed by the company’s audit firm and participated in an audit of that company during the prior one-year period.
◼ Title III—Corporate Responsibility: Company’s CEO and CFO must certify quarterly and annual reports stating:
▪ They reviewed the reports and the reports are not materially untruthful or misleading.
▪ The financial statements fairly reflect in all material respects the financial position of the company.
▪ They are responsible for establishing, maintaining, and reporting on the effectiveness of internal controls, including significant deficiencies, frauds, or changes in internal controls.
◼ Title IV—Enhanced Financial Disclosures: Requires each annual report filed with the SEC to include an internal control report. The report shall state:
▪ Responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting.
▪ Management’s assessment, as of the end of the company’s fiscal year, of the effectiveness of the internal control structure and procedures of the company for financial reporting.
◼ Title IV— (cont’d):

▪ Requires that companies disclose whether or not they have adopted a code of ethics for senior financial officers.
▪ Requires that companies disclose whether or not their audit committee contains at least one member who is a financial expert.
▪ Section 409 requires that companies disclose information on material changes in their financial condition or operations on a rapid and current basis.
◼ Title V—Analysts Conflicts of Interests: Requires financial analysts to properly disclose any conflicts of interest they might hold with the companies they recommend.
◼ Title VI—Commission Resources and Authority: Authorizes the SEC to censure or deny any person the privilege of appearing or practicing before the SEC if deemed to be unqualified, acted in an unethical manner, or aided and abetted in the violation of federal securities laws.
◼ Title VII—Studies and Reports: Authorizes the GAO to study the consolidation of public accounting firms since 1989 and offer solutions to any recognized problems.
◼ Title VIII—Corporate and Criminal Fraud Accountability: Makes it a felony to knowingly destroy, alter, or create documents with the intent to impede, obstruct, or influence a federal investigation. Offers protection to whistleblowers. Provides criminal penalties for those who knowingly execute, or attempt to execute, securities fraud.
◼ Title IX—White-Collar Crime Penalty Enhancements: Requires that CEOs and CFOs certify that information contained in periodic reports fairly presents, in all material respects, the financial condition and results of company operations. Sets criminal penalties for knowing or willful false certification.
◼ Title X—Corporate Tax Returns: Conveys a “sense of the Senate” that the corporate federal income tax returns are signed by the CEO.
◼ Title XI—Corporate Fraud and Accountability: Provides for fines and imprisonment of up to 20 years to individuals who corruptly alter, destroy, mutilate, or conceal documents with the intent to impair the document’s integrity or availability for use in an official proceeding, or to otherwise obstruct, influence, or impede any official proceeding. Authorizes the SEC to prohibit anyone from serving as an officer or director if the person has committed securities fraud.

DEFINING INTERNAL CONTROL

◼ For organizational governance, internal controls are implemented to help ensure that risk responses are effectively carried out, or the controls themselves are the responses to risks.
◼ Internal control is the subject of SOX Section 404. Definitions of internal control are found in the authoritative literature.

THE COSO 1992 DEFINITION OF INTERNAL CONTROL

◼ COSO 1992 definition: Internal control is a process—effected by an entity’s board of directors, management, and other personnel—designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
▪ Effectiveness & efficiency of operations
▪ Reliability of financial reporting
▪ Compliance with applicable laws & regulations
◼ COSO 1992 and 2013 describe five interrelated components of internal control:
◼ Control environment: Sets the tone of an organization.
◼ Risk assessment: Identification and analysis of relevant risks.
◼ Control activities: Policies and procedures that help ensure that directives are carried out.
◼ Information and communication: Identification, capture, and exchange of information to carry out their responsibilities.
◼ Monitoring activities: Process that assesses the quality of internal control.
◼ Seventeen principles provide further guidance and detail to the five components. From COSO 2013, these principles are:

Control Environment
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Risk Assessment
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and

analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.

Control Activities
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Information and Communication
13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of internal control.

Monitoring Activities
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

WORKING DEFINITION OF INTERNAL CONTROL

◼ Internal control: Process designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
▪ Effectiveness and efficiency of operations.
▪ Reliability of reporting.
▪ Compliance with applicable laws and regulations.
◼ Process: Series of actions or operations leading to a particular and usually desirable result.

FRAUD AND ITS RELATIONSHIP TO CONTROL

◼ Fraud:
▪ Deliberate act or untruth intended to obtain unfair or unlawful gain.
▪ Entails manipulating information for criminal purposes.
◼ Management has legal responsibility to prevent fraud and other irregularities.
◼ Accounting profession has been proactive in dealing with corporate fraud.
◼ SAS No. 99 emphasizes brainstorming fraud risks, increasing professional skepticism, using unpredictable audit test patterns, and detecting management override of internal controls.
◼ Fraud controls are necessary but must be backed by a strong ethical culture, a broad risk management program, the right “tone at the top,” and zero tolerance for any fraud, regardless of the perpetrator.

2012 ACFE Report to the Nation on Occupational Fraud and Abuse:
◼ From fraud cases investigated in 96 nations, 57.2% were from the United States, a 39% increase from 2010.
◼ One-fifth of losses were at least $1 million.
◼ Typical fraud was underway 18 months before detection.
◼ Frauds were more likely detected by tips than through audits or internal controls.
◼ 75% of the frauds were committed by employees.
◼ Most fraudsters were first-time offenders with previously clean employment records.
◼ Common red flags of perpetrators were living beyond their means (44%) and experiencing financial difficulties (39%).
◼ Small businesses are disproportionately victimized by fraud (32% of cases) due to weaker antifraud controls.

COSO on Fraudulent Financial Reporting, 1998–2007:
◼ There were 347 cases of public company fraudulent financial reporting investigated by the SEC from 1998 to 2007, compared to 294 cases from 1987 to 1997.
◼ A total of $120 billion was misstated or misappropriated across 300 cases. This mean was almost $400 million per case versus $25 million in COSO’s earlier study.
◼ Median assets and revenues were almost $100 million, compared to under $16 million in the 1999 report.

◼ Most common fraud schemes were improper revenue recognition, followed by overstatement of assets or capitalization of expenses.
◼ CEOs and CFOs were involved in 89% of the cases, up from 83% in 1987-1997. Over 60% of those indicted were convicted.
◼ Stock prices of an accused company declined an average of 16.7% within the first two days of the news release.
◼ Subsequent news of an investigation resulted in an average 7.3% stock price decline.
◼ Companies engaged in fraudulent activities frequently went bankrupt, were delisted from the stock exchange, or were required to sell their assets.
◼ Of the fraud companies, 26% switched auditors between the last pre-fraudulent financial statements and the fraudulent financial statements. Only 12% of non-fraud companies changed auditors during that same time.

IMPLICATIONS OF COMPUTER FRAUD AND ABUSE

◼ Computer-related crimes are referred to as computer fraud, computer abuse, or computer crime.
◼ Two basic types:
▪ The computer is used as the tool of the criminal to accomplish the illegal act.
▪ The computer or the information stored in it is the target of the criminal.
◼ Computer crime includes crime in which the computer is the target of the crime or the means used to commit the crime.
◼ Malware—short for malicious software—is software designed specifically to damage or disrupt a computer system.

◼ A computer virus is a program code that can attach itself to other programs, thereby “infecting” those programs and macros.

Malware

◼ Salami slicing: Instructions inserted in programs to steal very small amounts of money.
◼ Back door: Special code that allows a programmer to bypass its security features and can be used to attack the program.
◼ Trojan horse: Module of unauthorized code that performs a damaging, unauthorized act. Often used in phishing e-mails.
◼ Logic bomb: Code secretly inserted in a program that is designed to execute or explode at a specific date or event.
◼ Worm: Computer virus that replicates itself on disks, in memory, and across networks.
◼ Zombie: Program that secretly takes over another Internet-attached computer and uses that computer to launch untraceable attacks.

ETHICAL CONSIDERATIONS AND THE CONTROL ENVIRONMENT

◼ COSO (1992 and 2013) places integrity and ethical values at the heart of the control environment (internal environment) and states that ethical behavior and management integrity are products of the “corporate culture.” Such culture determines what actually happens and which rules are obeyed, bent, or ignored.
◼ Control environment reflects the organization’s awareness of and commitment to the importance of control throughout the organization.

A FRAMEWORK FOR ASSESSING THE DESIGN OF AN INTERNAL CONTROL SYSTEM

◼ Control matrix: Tool designed to assist in evaluating the potential effectiveness of controls in a business process by matching control goals with relevant control plans.
◼ Control goals: Business process objectives that an internal control system is designed to achieve.
◼ Control plans: Reflect information-processing policies and procedures that assist in accomplishing control goals.

CONTROL GOALS OF OPERATIONS PROCESSES

◼ Control goals of operations processes:
▪ Ensure effectiveness of operations
▪ Ensure efficient employment of resources
▪ Ensure security of resources

CONTROL GOALS OF INFORMATION PROCESSES

◼ Control goals of information processes:
▪ Ensure input validity, completeness, and accuracy
▪ Ensure update completeness and accuracy

CONTROL PLANS

◼ Pervasive control plans relate to a multitude of goals and processes. They are broad in scope and apply equally to all business processes.
◼ General controls (also known as IT general controls) are applied to all IT service activities.
◼ Business process control plans are applied to a particular business

process, such as billing or cash receipts.
◼ Application controls are automated business process controls contained within IT application systems (i.e., computer programs).
◼ Preventive control plans stop problems from occurring.
◼ Detective control plans discover that problems have occurred.
◼ Corrective control plans rectify problems that have occurred.
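The control matrix described earlier, as an added example that is not part of the reviewer: control plans for a constructed billing process are matched against the operations and information process control goals listed above, and the matrix is then read for goals with no plan at all and goals with no preventive plan. The plan names and their goal mappings are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# Control goals as listed in the reviewer: three for operations processes and
# five for information processes.
OPERATIONS_GOALS = ["effectiveness", "efficiency", "security of resources"]
INFORMATION_GOALS = ["input validity", "input completeness", "input accuracy",
                     "update completeness", "update accuracy"]
ALL_GOALS = OPERATIONS_GOALS + INFORMATION_GOALS


@dataclass
class ControlPlan:
    name: str
    kind: str          # "P" preventive, "D" detective or "C" corrective
    goals: List[str]   # control goals this plan helps accomplish


def build_matrix(plans: List[ControlPlan]) -> Dict[str, List[str]]:
    """Control matrix: one row per control goal, cells naming the plans (with P/D/C) that address it."""
    matrix: Dict[str, List[str]] = {goal: [] for goal in ALL_GOALS}
    for plan in plans:
        for goal in plan.goals:
            if goal not in matrix:
                raise ValueError(f"{plan.name}: unknown control goal {goal!r}")
            matrix[goal].append(f"{plan.name} ({plan.kind})")
    return matrix


def uncovered_goals(plans: List[ControlPlan]) -> List[str]:
    """Goals with an empty row: the design has no plan at all for them."""
    return [goal for goal, cells in build_matrix(plans).items() if not cells]


def goals_without_preventive(plans: List[ControlPlan]) -> List[str]:
    """Covered goals whose plans are only detective or corrective: problems are
    caught after the fact rather than stopped."""
    kinds: Dict[str, set] = {}
    for plan in plans:
        for goal in plan.goals:
            kinds.setdefault(goal, set()).add(plan.kind)
    return [goal for goal in ALL_GOALS if goal in kinds and "P" not in kinds[goal]]


def render(matrix: Dict[str, List[str]]) -> str:
    """Plain-text view of the matrix, marking empty rows."""
    width = max(len(goal) for goal in matrix)
    return "\n".join(f"{goal:<{width}} | {', '.join(cells) or '-- no plan --'}"
                     for goal, cells in matrix.items())


# Constructed plans for a billing process; the plan-to-goal mapping is illustrative.
BILLING_PLANS = [
    ControlPlan("Match invoice to shipping notice", "P", ["input validity", "input accuracy"]),
    ControlPlan("Batch totals of invoices keyed", "D",
                ["input completeness", "input accuracy", "update completeness"]),
    ControlPlan("Programmed edit: customer number on file", "P",
                ["input validity", "input accuracy", "effectiveness"]),
    ControlPlan("Review of unmatched shipping notices", "D", ["input completeness"]),
    ControlPlan("Re-entry of rejected invoices", "C", ["input completeness"]),
]

if __name__ == "__main__":
    print(render(build_matrix(BILLING_PLANS)))
    print("no plan:", uncovered_goals(BILLING_PLANS))
    print("no preventive plan:", goals_without_preventive(BILLING_PLANS))
```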
SUMMARY

◼ In light of recent business and audit failures, managers must confront fraud and computer crime incidences.
◼ Managers must question how technological changes affect the system of internal controls and implement an effective system of internal control.
◼ Stakeholders have raised a number of organizational governance issues over how well organizations are being managed.

Chapter 6: CONTROLLING INFORMATION SYSTEMS: INTRODUCTION TO PERVASIVE CONTROLS

INTRODUCTION

◼ The second highest level of control plans is pervasive control plans.
◼ Pervasive controls are particularly important because they relate to a multitude of control goals and processes, not just one.
◼ Pervasive control plans influence the effectiveness of the control plans at lower levels of the control hierarchy: business process control plans and application control plans.

ORGANIZATIONAL DESIGN CONTROL PLANS

◼ Organizational design:
▪ Involves the creation of roles, processes, and formal reporting relationships in an organization.
▪ Includes establishing departmental relationships, including the degree of centralization in the organization.
▪ Involves personnel reporting structures, such as chain of command and approval levels.

THE SEGREGATION OF DUTIES CONTROL PLAN

◼ Segregation of duties: Separates the four basic functions of event processing:
▪ Function 1: Authorizing events.
▪ Function 2: Executing events.
▪ Function 3: Recording events.
▪ Function 4: Safeguarding resources resulting from consummating events.
◼ Segregation of duties control prevents unauthorized execution of events and helps prevent fraud by ensuring that only valid events are recorded.
◼ Ideal segregation of duties requires that different units (departments) carry out each of the four phases of event processing.
◼ In this way, collusion would need to occur between one or more persons (or departments) to exploit the system and conceal abuse.
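Added example, not part of the reviewer: the four functions of event processing modelled as role grants, with a check for one person holding two or more functions for the same event and a check for one department holding two or more phases (ideal segregation puts each phase in a different unit). The purchasing event, roles, users and departments are constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List,  Set, Tuple

# The four functions of event processing that segregation of duties keeps apart.
AUTHORIZE, EXECUTE, RECORD, SAFEGUARD = "authorize", "execute", "record", "safeguard"


@dataclass
class Role:
    name: str
    grants: Set[Tuple[str, str]]   # (event type, function) pairs the role confers


@dataclass
class User:
    name: str
    department: str
    roles: List[str]


def effective_functions(users: List[User], roles: Dict[str, Role]) -> Dict[str, Dict[str, Set[str]]]:
    """user -> event type -> functions the user can perform, resolved through roles."""
    resolved = {}
    for user in users:
        per_event: Dict[str, Set[str]] = defaultdict(set)
        for role_name in user.roles:
            for event, function in roles[role_name].grants:
                per_event[event].add(function)
        resolved[user.name] = dict(per_event)
    return resolved


def user_conflicts(users: List[User], roles: Dict[str, Role]):
    """One person holding two or more of the four functions for the same event:
    that person could process and conceal an invalid event without collusion."""
    conflicts = []
    for user_name, per_event in effective_functions(users, roles).items():
        for event, functions in sorted(per_event.items()):
            if len(functions) >= 2:
                conflicts.append((user_name, event, tuple(sorted(functions))))
    return conflicts


def department_conflicts(users: List[User], roles: Dict[str, Role]):
    """Ideal segregation puts each phase in a different unit; flag a department
    whose members together hold two or more phases of one event."""
    by_dept: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    resolved = effective_functions(users, roles)
    for user in users:
        for event, functions in resolved[user.name].items():
            by_dept[user.department][event] |= functions
    return [(dept, event, tuple(sorted(functions)))
            for dept, events in sorted(by_dept.items())
            for event, functions in sorted(events.items())
            if len(functions) >= 2]


# Constructed purchasing cycle: roles, users and departments are example data.
ROLES = {r.name: r for r in [
    Role("po_approver", {("purchase", AUTHORIZE)}),
    Role("buyer", {("purchase", EXECUTE)}),
    Role("ap_clerk", {("purchase", RECORD)}),
    Role("receiving", {("purchase", SAFEGUARD)}),
]}
USERS = [
    User("alice", "Purchasing", ["buyer"]),
    User("bob", "Purchasing", ["po_approver"]),            # same unit as the buyer
    User("carol", "Accounting", ["ap_clerk"]),
    User("dave", "Warehouse", ["receiving", "ap_clerk"]),  # one person records and safeguards
]

if __name__ == "__main__":
    for user_name, event, functions in user_conflicts(USERS, ROLES):
        print(f"user conflict: {user_name} holds {functions} for {event}")
    for dept, event, functions in department_conflicts(USERS, ROLES):
        print(f"unit-level conflict: {dept} holds {functions} for {event}")
```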

◼ An organization must be large enough to support at least four independent units to implement segregation of duties effectively.
◼ Alternative control plans are commonly called compensatory controls.
◼ To increase internal control, authorization, execution, and record-keeping functions within a software program are consolidated.
◼ Large companies can install segregation of duties (SOD) software, e.g.:
▪ Symantec Corp.’s Security Information Manager (SSIM) and Control Compliance Suite.
▪ Approva’s Authorization Insight.
◼ Software:
▪ Works with major ERP systems (e.g., SAP, Oracle, PeopleSoft).
▪ Monitors user access levels across the system to prevent, detect, and correct SOD conflicts and inappropriate access to sensitive transactions.

PERSONNEL POLICY CONTROL PLANS

◼ A policy is a plan or process put in place to guide actions and achieve goals.
◼ Unlike laws, which can compel behaviors and enforce penalties, policies guide behavior towards actions that achieve desired goals.
◼ Personnel control plans help protect an organization against certain types of risks (Figure 8.2).

SELECTION AND HIRING CONTROL PLANS

◼ Selection and hiring policies: Job candidates should be carefully screened, selected, and hired.
◼ Many control plans exist for selection and hiring.
◼ Companies choose which plans to employ based on the salary level and job duties for the position for which the candidate is applying.

RETENTION CONTROL PLANS

◼ Retention plans: Aimed at keeping qualified personnel.
▪ Once an appropriate employee has been hired, organizations want to retain them.
▪ Companies develop policies to provide creative and challenging work opportunities and, when possible, to offer open channels to management-level positions.
▪ Salary and benefit techniques are also used extensively to retain employees.

PERSONNEL DEVELOPMENT CONTROL PLANS

◼ Personnel development plans: Training and evaluation.
▪ Training must be adequate so that employees have the appropriate skills to perform their work functions.
▪ Evaluation of current performance to determine where training is needed.
◼ Two types of performance evaluation:
▪ Informal day-to-day comments by supervisors.
▪ Formal performance review.

PERSONNEL MANAGEMENT CONTROL PLANS

◼ Personnel management control plans:
▪ Personnel planning control plans: Identify the skill requirements needed in employees to accomplish the firm’s goals.
▪ Management control plans: Forecast the number of employees needed in each position, take turnover into consideration, and develop a strategy for filling necessary positions.
◼ Personnel security control plans: Help prevent the organization’s own personnel from committing acts of fraud or theft of assets.
▪ Rotation of duties: Requires an employee to alternate jobs periodically.
▪ Forced vacations: Requires an employee to take leave from the job and substitutes another employee in his or her place.

▪ Fidelity bond: Indemnifies a company in case it suffers losses from defalcations committed by its employees.

PERSONNEL TERMINATION CONTROL PLANS

◼ Personnel termination control plans: Address the policies in place when an employee leaves the organization either voluntarily or involuntarily.
▪ Voluntary termination: When an employee retires or leaves to pursue other opportunities.
▪ Involuntary termination: When an employee is laid off or fired for cause.
◼ Important because employees fired for cause might do damage to the organization.

IT GENERAL CONTROLS AND THE COBIT FRAMEWORK

◼ Organizational governance: Processes employed by organizations to select objectives, establish processes to achieve objectives, and monitor performance.
◼ IT governance: Process that ensures the enterprise’s IT sustains and extends the organization’s strategies and objectives and protects the organization’s assets.

A HYPOTHETICAL COMPUTER SYSTEM

◼ IT resources are typically configured with some or all of these elements:
▪ One or more servers are clustered together and housed within the organization’s headquarters.
▪ Computer is connected to clients located within the building and to PCs located in the organization’s other facilities.
▪ Connections are via networks, often referred to as local area networks (LANs) or wide area networks (WANs).
▪ Computer facilities operated by other organizations are connected, perhaps via the Internet and through firewalls.

INFORMATION SYSTEMS ORGANIZATIONAL DESIGN

◼ IT department:
▪ Charged with developing, operating, and controlling an organization’s information systems.
▪ Crucial to provide the technology required for a modern company to support organizational objectives and to provide an environment in which business process

control plans can be effective.
▪ Also known as Information Systems Department, the IS Department, the Information Technology Department, the IT Department, the Information Systems Services Department, the Information Technology Group, etc.
◼ The CEO:
▪ Sets the tone of the company and sets the strategic vision for the company.
▪ Ensures that an IT steering committee exists, hiring a qualified CIO, and making

sure that the CIO puts in place an appropriate IT organization and technology infrastructure.
◼ The steering committee guides the IT organization in establishing and meeting user information requirements and in ensuring the effective and efficient use of its resources.
◼ The CIO:
▪ The most senior executive responsible for the information technology that supports the organization’s goals.
▪ Designs the IT department to ensure that IT services are delivered in an efficient and effective manner.
▪ Responsible for monitoring the performance of IT services and controls.
◼ IT budget control is important as CIOs must justify IT expenditures compared to IT performance and risks.
◼ To ensure the achievement of IT process objectives, the CIO establishes a system for defining key performance indicators, gathering data about processes, and generating performance reports.
◼ Monitoring of IT may be performed by an entity’s internal/IT audit group, by an external organization such as a public accounting firm, or by an IT security company.
◼ Systems development life cycle (SDLC): Covers the progression of an information system through the systems development process, through implementation, to ongoing use and modification.
◼ Project-management framework: Helps ensure that project selection is in line with plans and budgets and that the framework is applied to each project undertaken.
◼ Program change controls: Provide assurance that all modifications to programs are authorized and documented and that changes are completed, tested, and properly implemented.
◼ Requirements walkthrough: Key control processes for the Business Analyst along with a finalized and approved requirements definition document.
◼ Service-level agreement: Includes such items as the vendor’s responsibility with respect to system availability, reliability, performance, capacity for growth, levels of user support, disaster recovery, security, minimal system functionality, and service charges.

Implementation of software changes

◼ Testing Quality Assurance Analyst:

    ▪ Ensures the new system works properly and prepares the system for turnover to the users.
    ▪ Creates a testing plan, which includes the development of test data, follow-up procedures related to testing failures, and the preparation of documentation.
    ▪ Uses and reviews the documentation as testing occurs and has the final sign-off on whether the documentation is completed.
◼ Application documentation includes:
    ▪ Systems documentation.
    ▪ Program documentation.
    ▪ Operations run manual.
    ▪ User manual.
◼ Post-implementation review: Conducted after installation to determine that the new system has met users’ needs in a cost-effective manner.
◼ Security Supervisor:
    ▪ Charged with safeguarding the organization’s IT by:
        ▪ Making sure the IT is secure from physical threats (natural and man-made).
        ▪ Controlling access to data and programs.
    ▪ Involved in IT risk assessment and the risk action plan.
◼ The risk action plan includes: risk identification, risk measurement, action plans, and the formal acceptance and communication of the residual risk.
◼ IT security functional positions:
    ▪ Policies and compliance.
    ▪ Physical security and disaster recovery.
    ▪ Access control.
◼ Policies and Compliance Officer:
    ▪ Responsible for preparing policies related to IT that conform to management wishes and organizational goals.
    ▪ Prepares policies to meet regulatory, legal, contractual, and industry obligations.
    ▪ Has a control plan to ensure that all employees have been made aware of the appropriate policies.
◼ Structural Security/Disaster Recovery Manager:
    ▪ Protects the IT assets and gets the company up and running again in the event of a disaster.
◼ To protect the IT facilities against natural and man-made hazards, the organization must install and regularly review suitable environmental and physical controls.

Man-made hazards

◼ Controls for restricting physical access to computer facilities:
    ▪ Restrict access to the facility.
    ▪ Restrict access to the building.
    ▪ Restrict access to the computer facility or the computer.
◼ Biometric identification systems use some physical part of the body, unique to the individual, as the password.
◼ Business continuity planning (disaster recovery planning, contingency planning, and business interruption planning):
    ▪ Process that identifies events that may threaten an organization and provides a plan to ensure that the organization will either continue to operate, or will resume operations promptly, when the threatened event occurs.
    ▪ The Disaster Recovery Manager is in charge of the business continuity plan (BCP).
◼ Steps in the continuity planning model developed by the Business Continuity Institute:
    1. Define the scope of the BCP and assign the BCP team responsibilities under the direction of the Disaster Recovery Manager.
    2. Prioritize the activities and processes and specify the order and the time frame in which they need to be restored if they are interrupted.
    3. Define the recovery facilities.
    4. Formalize and document a response plan.
    5. Periodically rehearse the plan with affected parties and update it as needed to make sure that the plan is operating effectively.
    6. Train employees so that they are prepared to respond to any business interruption in an effective manner.
◼ Backup: Making a copy of data.
◼ Recovery: Using the backup to restore lost data and resume operations.
◼ Continuous Data Protection (CDP): All data changes are date stamped and saved to secondary systems as the changes are happening.
◼ Mirror site: Site that maintains copies of the primary site’s programs and data.
◼ Electronic vaulting: Service whereby data changes are automatically transmitted over the Internet on a continuous basis to an off-site server maintained by a third party.
◼ Hot site: Fully equipped data center that can accommodate many businesses and is made available to subscriber companies for a monthly fee.
◼ Cold site: Facility usually with air-conditioned space, a raised floor, telephone connections, and computer ports into which a subscriber can move equipment.
◼ Access Control Officer: Monitors employees’ network access and grants security clearances for programs and data.
◼ Access control software:
    ▪ Ensures that only authorized users gain access to a system, through identification and authentication.
    ▪ Restricts authorized users to the specific data they require and sets action privileges for that data.
    ▪ Monitors access attempts and violations.
◼ Physical control plans such as biometric identification or a smartcard are combined with passwords and user IDs.
◼ A firewall filters information coming through the Internet connection.
◼ Intrusion-detection systems (IDS) log and monitor who is on, or trying to access, a network.
◼ Intrusion-prevention systems (IPS) actively block unauthorized traffic using rules specified by an organization.
◼ Data encryption is a process that employs mathematical algorithms and encryption keys to encode data so that it is unintelligible in its encrypted form.
◼ Public-key cryptography employs a pair of matched keys for each system user, one private (i.e., known only to the party who possesses it) and one public. The public key corresponds to (but is not the same as) the user’s private key.
◼ Hacking and cracking: Unauthorized break-ins to information systems.
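The three functions of access control software listed earlier on this page, as an added Python example that is not part of this reviewer: it identifies and authenticates users against salted password hashes (PBKDF2-SHA256 is an assumption; the page names no algorithm), restricts each authorized user to the data and action privileges in a constructed access control list, and records every attempt and violation in an audit log for monitoring.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Password hashing helper (assumption: PBKDF2-SHA256 with a per-user salt).
def _hash(password, salt, rounds=100_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

def register(store, user, password):
    """Identification data: store a salt and hash, never the password itself."""
    salt = os.urandom(16)
    store[user] = (salt, _hash(password, salt))

# Constructed access control list: which data each user may touch, and with
# which action privileges ("restricts authorized users to specific data").
ACL = {
    "alice": {"gl_journal": {"read", "post"}, "payroll": {"read"}},
    "bob":   {"payroll": {"read", "update"}},
}
AUDIT_LOG = []   # monitoring: every attempt and violation lands here

def _log(user, resource, action, outcome):
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(),
                      "user": user, "resource": resource,
                      "action": action, "outcome": outcome})

def request_access(store, user, password, resource, action):
    """Identify, authenticate, authorize and log one access attempt."""
    # Unknown users get a dummy salt/hash so the check takes the same time
    # and fails the same way as a wrong password (no username enumeration).
    salt, expected = store.get(user, (b"\0" * 16, b"\0" * 32))
    if not hmac.compare_digest(_hash(password, salt), expected):
        _log(user, resource, action, "AUTH_FAILED")
        return "AUTH_FAILED"
    # Authorization: only the listed data, only the listed action privileges.
    if action not in ACL.get(user, {}).get(resource, set()):
        _log(user, resource, action, "DENIED")
        return "DENIED"
    _log(user, resource, action, "GRANTED")
    return "GRANTED"

def violations(user):
    """Monitoring view: failed authentications and denied actions for a user."""
    return [e for e in AUDIT_LOG if e["user"] == user and e["outcome"] != "GRANTED"]

if __name__ == "__main__":
    store = {}
    register(store, "alice", "correct horse")
    register(store, "bob", "battery staple")
    print(request_access(store, "alice", "correct horse", "gl_journal", "post"))  # GRANTED
    print(request_access(store, "bob", "battery staple", "gl_journal", "read"))   # DENIED
    print(request_access(store, "mallory", "guess", "payroll", "read"))          # AUTH_FAILED
    print(violations("bob"))
```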

◼ Hacker: Breaks into a computer system but does not hold malicious intentions to destroy or steal.
◼ Cracker: Has malicious intent.
◼ Antivirus software: Used to defeat technical hacking.
◼ In addition to relying on the controls contained within the computer hardware, organizations should perform regular preventive maintenance (periodic cleaning, testing, and adjusting of computer equipment) to ensure the equipment’s continued efficient and correct operation.

Main control concerns with cloud computing:

◼ Support and control of the cloud computing services are largely in the hands of third-party cloud service providers.
◼ Much cloud communication occurs over the Internet, which has security risks unless a secure network connection or encrypted line is used.
◼ Cloud users commonly use browsers with known security vulnerabilities.
◼ Cloud service providers’ employees might have loosely controlled access to sensitive data stored on their servers.
◼ Cloud services have been known to go down for up to an hour, and some start-up cloud vendors have failed.
◼ To effectively use IT resources, users often require advice and may require assistance to overcome problems encountered.
    ▪ Help desks provide advice and assistance to users with problems encountered in using IT resources so that they can effectively use those resources.
    ▪ Key controls include hiring qualified employees, monitoring service calls, tracking service requests to ensure timely closure of problems, tracking recurring problems, and mitigating them with software or training solutions.

THE COBIT FRAMEWORK

◼ COBIT (Control Objectives for Information and Related Technology):
    ▪ Framework to manage and audit IT.
    ▪ Was developed by ISACA, a nonprofit professional association.
    ▪ ISACA was previously known as the Information Systems Audit and Control Association.

COBIT 5

◼ COBIT 5: Consolidates, integrates, and expands on the previous versions of COBIT.
◼ COBIT 5 changes the overall IT control objective from “managing information technology” to the “overall governance of IT”, which is called governance of enterprise IT (GEIT).

COBIT 5’S FIVE GEIT PRINCIPLES AND SEVEN ENABLERS

◼ Principle 1: Meeting Stakeholder Needs
◼ Principle 2: Covering the Enterprise End-to-End
◼ Principle 3: Applying a Single, Integrated Framework
◼ Principle 4: Enabling a Holistic Approach
◼ Principle 5: Separating Governance from Management

COBIT 5’S DOMAINS AND THE GOVERNANCE PROCESSES WITHIN EACH DOMAIN

◼ COBIT 5’s five domains:
    1. Evaluate, Deliver, and Monitor (EDM).
    2. Align, Plan, and Organize (APO).
    3. Build, Acquire, and Implement (BAI).
    4. Deliver, Service, and Support (DSS).
    5. Monitor, Evaluate, and Assess (MEA).

SUMMARY

◼ Important categories of pervasive control plans are:
    ▪ Organization design.
    ▪ Policies.
    ▪ Monitoring.
    ▪ IT general controls.
◼ Pervasive control plans:
    ▪ Provide a second umbrella of protection over AIS business processes.
    ▪ Operate across all business processes and affect a company’s capability to meet control goals.