Accounting Information Systems: Essential Concepts and Applications

Chapter 1: The Study of Accounting Information Systems

Accounting
It is the principal way of organizing and reporting financial information. It has been called the “language of business.” Accounting and information systems comprise the functional area of business responsible for providing information to the other areas to enable them to do their jobs and for reporting the results to interested parties.
Accounting system is used to identify, analyze, measure, record, summarize, and communicate relevant economic information to interested parties.

System
A System is an entity consisting of interacting parts that are coordinated to achieve one or more common objectives. Systems must possess:
• Organization (Transactions-Journals-Ledgers-Financial Statements)
• Interrelationships (The relationship between Subsidiary ledgers and the General Ledger)
• Integration (Individual transactions to Financial Statements)
• Central Objectives (Financial Reports, Budgets, Management Reports)

Data VS Information
Data are raw facts and figures that are processed to produce information.
Information is data that have been processed and are meaningful and useful to users. The terms “meaningful” and “useful” are value-laden terms and usually subsume other qualities such as timeliness, relevance, reliability, consistency, comparability, etc.

Functional Steps in Transforming Data into Information
• Data collection - capturing, recording, validating and editing data for completeness and accuracy.
• Data Maintenance/Processing - classifying, sorting, calculating data.
• Data Management - storing, maintaining and retrieving data.
• Data Control - safeguarding and securing data and ensuring the accuracy and completeness of the same.
• Information Generation - interpreting, reporting, and communicating information

Information System
An Information system is a framework in which data is collected, processed, controlled and managed through stages in order to provide information to users. It evolves over time and becomes more formalized as a firm grows and becomes more complex. It can be a manual or computerized system. Firms depend on information systems in order to survive and stay competitive

Accounting Information System
An Accounting Information System is a unified structure that employs physical resources and components to transform economic data into accounting information for external and internal users.

Objectives and Users of AIS
• Support day-to-day operations - Transaction processing
• Support Internal Decision-Making
  ○ Trend Analyses
  ○ Quantitative & Qualitative Data
  ○ Non-transactional sources
• Help fulfill Stewardship Role

Resources Required for an AIS
• Processor(s): Manual or Computerized
• Data Base(s): Data Repositories
• Procedures: Manual or Computerized
• Input/Output Devices
• Miscellaneous Resources

Reasons for Studying Accounting Information Systems
• Career accountants will be users, auditors, and developers of AIS.
• Modern-day AIS are complex because of new technologies.
• Concepts studied in AIS are integrated into every other accounting course

Roles of Accountants With Respect to an AIS
• Financial accountants prepare financial information for external decision-making in accordance with GAAP.
• Managerial accountants prepare financial information for internal decision-making

Ethical Standards for Consulting
• Professional competence
• Exercise due professional care
• Plan and supervise all work
• Obtain relevant data to support reasonable recommendations
• Maintain integrity and objectivity
• Understand and respect the responsibilities of all parties
• Disclose any conflicts of interest

Accounting Information System defined by Marshall B. Romney
• Is a system that collects, records, stores and processes data to produce information for decision makers.
• Can be a very simple paper-and-pencil-based manual system, a very complex system using the very latest in computers & information technology, or something between these two extremes.

Characteristics of Useful Information
1. Relevant – Information is relevant if it reduces uncertainty, improves decision makers’ ability to make predictions, or confirms or corrects their prior expectations.
2. Reliable – Information is reliable if it is free from error or bias & accurately represents the events or activities of the organization.
3. Complete – Information is complete if it does not omit important aspects of the underlying events or activities that it measures.
4. Timely – Information is timely if it is provided in time for decision makers to make decisions.
5. Understandable – Information is understandable if it is presented in a useful and intelligent format.
6. Verifiable – Information is verifiable if two knowledgeable people acting independently would each produce the same information.
7. Accessible – Information is accessible if it is available to users when they need it in a format they can use.

What is an AIS by Romney?
Six (6) components of an AIS
1. People who operate the system and perform various functions.
2. Procedures & instructions, both manual and automated, involved in collecting, processing, and storing data about the organization’s activities.
3. Data about the organization and its business processes.
4. Software used to process the organization’s data.
5. Information technology infrastructures, including computers, peripheral devices, & network communication devices used to collect, store, process and transmit data and information.
6. Internal controls and security measures that safeguard the data in AIS.

The impact of the AIS on Corporate Strategy & Culture
Three factors that influence the design of an AIS
1. Development of Information Technology
2. Business Strategy
3. Organizational Structure

The role of the AIS in the Value Chain
The objective of most organizations is to provide VALUE to their customers.
Primary Activities that directly provide value to customers:
1. Inbound Logistics
2. Operations
3. Outbound Logistics
4. Marketing and Sales
5. Service
Support Activities allow five primary activities to be performed efficiently and effectively:
1. Firm Infrastructure
2. Human Resources
3. Technology
4. Purchasing

Information for Decision Making
• An AIS can provide assistance in all phases of decision making.
• An AIS provides feedback on the results of action.
• Information can improve decision making in several ways:
  1. It identifies situations requiring managerial action.
  2. It provides a basis for choosing among alternative actions by reducing uncertainty.
  3. Information about the results of previous decisions provides valuable feedback that can be used to improve future decisions
  4. An AIS can improve decision making by providing accurate information in a timely manner.

Decision Structure
Decisions vary in terms of the degree to which they are structured.
• Structured decisions – are repetitive, routine and understood well enough that they can be delegated to lower level employees in the organization.
• Semistructured decisions – are characterized by incomplete decision making rules and the need for subjective assessments and judgments to supplement formal data analysis.
• Unstructured decisions – are nonrecurring and nonroutine decisions for which no framework or model exists to solve problems. Instead, they require considerable judgment and intuition.

Decision Scope
Decisions vary in terms of their scope.
• Operational control – relates to the effective & efficient performance of specific tasks.
• Management control – relates to the effective and efficient use of resources for accomplishing organizational objectives.
• Strategic planning – relates to establishing organizational objectives and policies for accomplishing objectives.

Chapter 2: IT and the Audit Profession

Auditing in a CIS Environment
• Information - processed data
• System - set of interacting or interdependent components forming an integrated whole
• Information Systems
The study of complementary networks of hardware and software that people and organizations use to collect, filter, process, create, and distribute data
Encompasses a variety of disciplines such as: the analysis and design of systems, computer networking, information security, database management, and decision support systems

Auditing
Systematic process of objectively obtaining and evaluating evidence regarding assertions about economic activities and events to ascertain the degree of correspondence between assertions and established criteria and communicate results to intended users.
• Complements the course in Auditing
• Limited to the areas that have an immediate consequence to IT
• Discusses the impact of IT on the auditor’s study and evaluation of internal controls (CRA)
• Takes into account the audit of IT function e.g. Separation of duties
• Audit of CIS in support of financial statement audit.
• Introduces tools and techniques in auditing around, auditing through, and auditing with the computer
  ○ CAATS
  ○ MS Excel

IT Governance
• The exercise of authority, control, government, and/or arrangement.
• A subset of corporate governance that focuses on the management and assessment of strategic IT resources.
  ○ Reduce Risk
  ○ Ensure Investment in IT is value adding to the Corporation
  ○ Employees and Stakeholders must be active participants in key IT decisions
• Process for controlling an organization’s information technology resources.
• Use of IT to promote organization’s objectives and enable business process.
• Managing and controlling IT-related risks
• Objectives
  ○ Set strategies (IT-Business Alignment)
  ○ Use IT for maximum opportunity but minimum risk.

Types of Governance
• Corporate Governance
• Project Governance
• Information Technology Governance
• Environmental Governance
• Economic and Financial Governance

IT Governance Controls (SOX and COSO)
Internal Control Framework:
• Organizational Structure of the IT Function
• Computer Center Operations
• Disaster Recovery Planning

Structuring the IT Function
Centralized data processing Organizational Chart
• Database Administration
• Data processing manager/department
• Data Control
• Data Preparation/Conversion
• Computer Operations
• Data Library
• Segregation of Incompatible IT Functions
• Systems Development and Maintenance
• Participants are:
  ○ End Users
  ○ IS Professionals
  ○ Auditors
  ○ Other Stakeholders

Segregation of Incompatible IT Functions
Objectives:
• Segregate transaction authorization from transaction processing
• Segregate record keeping from asset custody
• Divide transaction processing steps among individuals to force collusion to perpetrate fraud

• Separating systems development from computer operations
• Separating DBA from other functions
  ○ DBA is responsible for several critical tasks:
  ○ Database Security
  ○ Creating Database schema and user views
  ○ Assigning Database access authority to users
  ○ Monitoring Database usage
  ○ Planning for future changes
• Separating data library from operations
  ○ Physical security of off-line data files
  ○ Implications of modern systems on use of data library:
  ○ Real-time/Online vs Batch Processing
  ○ Volume of tape files is insufficient to justify full-time librarian
  ○ Alternative: rotate on ad hoc basis
  ○ Custody of on site data backups
  ○ Custody of original commercial software and licenses

COBIT 4.1 vs COBIT 5
COBIT (Control Objectives for Information and Related Technologies)
- Provides guidance on IT governance by providing the structure that links IT processes, IT resources, and Information to Enterprise Strategies and Objectives.
Differences between CobiT 4.1 vs. CobiT 5
• CobiT 5 now covers the governance for the enterprise as a whole and not just IT
• It now consolidates RiskIT, ValIT, BMIS, and CobiT 4.1 into a single business framework
• Separates governance from management
• Major improvements
• CobiT 4.1 is an IT Process Model whereas CobiT 5 is now more of an IT Governance & Management Framework for Enterprise IT

Works of an IT Auditor
• Evaluating controls over specific applications
• Providing assurance over specific processes
• Providing third-party assurance
• Penetration testing
• Supporting financial audit (testing reliability of financial reporting system)
• Search IT-based fraud
• Evaluate complexity of IT
Works with Financial Auditors:
• Develop Audit Plan
• Evaluate internal control system
• Determine degree of reliance on internal controls
• Perform data analysis or CAAT routines
• Review report and write report with IT related recommendations
• Work with management and financial auditors on follow up work

IT Audit Skills
• Training and Education (CPA, CFE, CIA, AND CSA licenses)
• Technical Skills (ERP systems, OS, etc.)
• Personal & Business Skills
  ○ Knowledge on the most recent developments in the IT industry & latest tools and trends
  ○ Attention to details to spot errors & mistakes

CISA Exam
CISA (Certified Information Systems Auditor)
• Min. of 5 years of IS Auditing, control, or security work experience
• Code of professional ethics (ICOC)
• Adhering to IS auditing standards
• To maintain certification
  ○ 20 contact hours of continuing education each year,
  ○ 120 contact hours in a three year period
Exam Topics (7)
• Management, Planning, and Organization of IS
• Technical infrastructure and Operational Practices
• Protection of Information Assets
• Disaster Recovery and Business Continuity
• Business Application System Development, Acquisition, Implementation, and Maintenance
• Business Process Evaluation and Risk Management
• The IT Audit Process

IT Audit Life Cycle
• Planning
• Risk Assessment
• Prepare Audit Program
• Gather Evidence
• Form Conclusions
• Deliver Audit Opinion
• Follow Up

Planning
• Establish scope and control objectives
• Perform preliminary assessment of controls and/or set materiality
• Gain an understanding of the client and client’s industry, business risks
• Identify extent of outsourcing, if any
• Develop audit program
• Develop audit plan
• Document audit plan in audit work papers

Risk Assessment
• Shift is to risk-based audit approach
• “What can go wrong”
• High risk areas require more audit effort

Prepare Audit Program
Includes:
• Scope
• Audit objectives
• Audit procedures
• Administrative details such as planning and reporting
Generic audit programs are customized for the client and client’s technology

Gather Evidence
Evidence includes:
• Observations
• Documentary evidence
• Flowcharts, narratives, written policies
• CAATs procedures
Sampling
• Attribute sampling used by most IT auditors
• Variable sampling – for financial audits

Form Conclusions
• Evaluate evidence
• Identify reportable conditions
• Management Letter
• ‘No surprises’

The Audit Opinion
Per Guidelines 70, should include:
• Name of organization being audited
• Title, signature, and date
• Statement of audit objectives and whether these were met
• Scope of the audit
• Scope limitations, if any
• Intended Audience
• Standards and criteria used to perform the audit
• Detailed explanation of significant findings
• Conclusion, including reservations or qualifications
• Suggestions for corrective action or improvement
• Significant subsequent events

Follow Up
• Provisions to follow-up client on reportable conditions or deficiencies
• Agree extent and timing of follow-up procedures

IT Audit Services
What is IT Audit?
• Evaluation of different aspects of an organization’s information technology infrastructure, systems, operations;
• Examines internal control design and effectiveness

Phases of IT Audit
• Attestation or Agreed upon audit procedures
• Statement on Auditing Standards
• IT audits in support of external financial audits
• Findings and recommendation reviews

Attestations (SSAE 10)
Process of engaging the CPA to provide assurance or attestation audit through services such as:
• Data analytic reviews
• Commission agreement reviews
• Webtrust engagements
• Systrust engagements
• Financial projections
• Compliance reviews

Findings and Recommendations
Consists of consulting or advisory services to improve:
• Systems implementations
• Enterprise resource planning implementation
• Security reviews
• Database application reviews
• IT infrastructure and improvements needed engagement
• Project management
• IT Internal audit services

SAS 70
Primarily for service organizations that want to assure clients of existence and effectiveness of internal controls relating to the services provided
Two types of SAS 70 Audits
• Type I - “walkthrough” describing company’s internal control only, no performance of detailed testing for said controls
• Type II - Detailed test of controls for services provided

SAS 94
Consists of:
• Physical and environmental review
• Systems administration review
• Application software
• Network security review
• Business continuity review
• Data Integrity review