Business Processes and AIS Notes PDF
Summary
These notes provide an overview of business processes and accounting information systems (AIS). They discuss interrelationships within an AIS, supply chains, and IT enablement. The notes also cover enterprise risk management and types of risks.
**CHAPTER 1: Business Processes and the AIS**

**Business Processes --** a prescribed sequence of work steps completed to produce a desired result.

**Accounting Information System --** a system that captures, records, processes, and reports accounting information.

**Interrelationships in an AIS System**

| General Journal | Special Journals | Subsidiary Ledgers | General Ledger |
|---|---|---|---|
| The place of original entry for any transactions that are not recorded in special journals. | Established to record specific types of transactions. For example, a sales journal records all sales. | Maintain detailed information regarding routine transactions, with an account established for each entity. | Provides details on the entire set of accounts used in the organization's accounting system. |

**Supply Chain --** processes and information flows that involve the movement of materials, funds, and related information through the full logistic process, from the acquisition of raw materials to the delivery of finished products to the end user. The supply chain includes vendors, service providers, customers, and intermediaries.

**Supply Chain Management --** the organization and control of all materials, funds, and related information in the logistics process, from acquiring raw materials to delivering finished products to the end user (customer).

**IT Enablement of Business Processes**

**IT Enablement --** using IT systems to enhance the efficiency and effectiveness of internal or supply chain processes.

**IT Usage** accomplishes one or more of the following objectives:

1. Increased efficiency
2. Reduced cost
3. Increased accuracy

**Business Process Reengineering --** is the purposeful and organized changing of business processes to make them more efficient.

**Examples of IT Enablement**

- **E-business** - Encompasses all forms of online electronic trading, consumer-based e-commerce, and business-to-business transactions. For example, buying a book at Amazon.com.
- **Electronic data interchange (EDI)** - The intercompany, computer-to-computer transfer of business documents in a standard business format. For example, transmitting purchase orders, invoices, and payments electronically between trading partners.
- **Point of sale system (POS)** - A system of hardware and software that captures retail sales transactions by standard bar coding. For example, a customer checks out through the cash register, bar codes are scanned on the items purchased, prices are determined by access to inventory and price list data, the sale is recorded, and inventory is updated.
- **Automated matching** - A computer system in which the software matches an invoice to its related purchase order and receiving report. For example, the Ford Motor Company case described in the text illustrates an automated matching system.
- **Evaluated receipt settlement** - An invoice-less system in which computer software completes an invoice-less match, that is, a comparison of the purchase order with the goods received.
- **E-payables & electronic invoice presentment & payment** - Web-enabled receipt and payment of vendor invoices.
- **Enterprise resource planning system (ERP)** - Multi-module software system designed to manage all aspects of an enterprise. Usually broken down into modules such as financials, sales, purchasing, inventory management, manufacturing, and human resources.
- **Blockchain technology**

**Control Structure**

Management should ensure the following types of control structures exist:

1. Enterprise risk management
2. Code of ethics
3. COSO Accounting Internal Control Structure
4. IT Controls
5. Corporate Governance
6. IT Governance

**Enterprise Risk Management (ERM) --** defined as a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

**Types of Risks**

**External Risks:**

- Strategic risk
- Compliance risk

**Internal Risks:**

- Operational risk: results from inadequate or failed procedures within the company; a priority for the AIS. Examples: computer system failure, employee fraud, improper procedure steps, a delivery that fails to arrive, etc.
- Financial risk
- Reputational risk

**Response to Risk**

- Accept the risk
- Avoid the risk
- Mitigate the risk, including use of internal controls
- Transfer the risk

**Corporate Governance --** is an elaborate system of checks and balances whereby a company's leadership is held accountable for building shareholder value and creating confidence in the financial reporting processes. It includes management oversight, internal controls and compliance, financial stewardship, and ethical conduct.

**IT Governance --** the leadership, organizational structure, and processes that ensure that the enterprise achieves its goals by adding value while balancing risk versus return over IT and its processes. IT governance provides the structure that links IT processes, IT resources, and information to enterprise strategies and objectives.

**Code of Ethics**

- A company should develop and adhere to a code of ethics to reduce opportunities for managers or employees to conduct fraud.
- A code of ethics is most effective if top management emphasizes this code of ethics and disciplines or discharges those who violate it.
- Managers who emphasize and model ethical behaviour are more likely to encourage ethical behaviour in their employees.
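The automated matching and evaluated receipt settlement items above describe matching an invoice to its purchase order and receiving report before it is paid. The following is an added example written for these notes; it is not code from the course text or from any vendor's system, and the document classes, vendor and document numbers, tolerance, and sample invoices are all constructed. It shows a three-way match that also refuses a resubmitted invoice by marking matched invoices as paid, which is the vendor-fraud control the Chapter 3 fraud table describes.

```python
"""Three-way match: invoice vs purchase order vs receiving report.

Added example for these notes. All vendors, document numbers, quantities,
prices and the tolerance below are constructed sample data.
"""
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    vendor_id: str
    quantity: int
    unit_price: Decimal


@dataclass(frozen=True)
class ReceivingReport:
    po_number: str
    quantity_received: int


@dataclass(frozen=True)
class Invoice:
    invoice_number: str
    vendor_id: str
    po_number: str
    quantity_billed: int
    unit_price: Decimal


@dataclass
class PayablesLedger:
    """State the control keeps between runs: invoices already approved (so a
    resubmitted invoice is refused) and quantity already billed against each PO."""
    paid_invoices: set = field(default_factory=set)
    billed_by_po: dict = field(default_factory=dict)


def three_way_match(inv, po_index, rr_index, ledger, price_tolerance=Decimal("0")):
    """Return (approved, reasons). Approve only when the invoice has not been
    paid before, a PO from the same vendor exists with enough open quantity,
    the price agrees with the PO within tolerance, and the goods were received."""
    reasons = []
    key = (inv.vendor_id, inv.invoice_number)
    if key in ledger.paid_invoices:
        # Duplicate payment request: refuse outright, no further checks needed.
        return False, ["duplicate: invoice already paid"]
    already_billed = ledger.billed_by_po.get(inv.po_number, 0)
    po = po_index.get(inv.po_number)
    if po is None:
        reasons.append("no matching purchase order")
    else:
        if po.vendor_id != inv.vendor_id:
            reasons.append("vendor on invoice differs from PO vendor")
        if already_billed + inv.quantity_billed > po.quantity:
            reasons.append("billed quantity exceeds open PO quantity")
        if abs(inv.unit_price - po.unit_price) > price_tolerance:
            reasons.append("unit price differs from PO price")
    rr = rr_index.get(inv.po_number)
    if rr is None:
        reasons.append("no receiving report for PO")
    elif already_billed + inv.quantity_billed > rr.quantity_received:
        reasons.append("billed quantity exceeds quantity received")
    approved = not reasons
    if approved:
        # Mark the documents as used so the same invoice cannot be paid twice.
        ledger.paid_invoices.add(key)
        ledger.billed_by_po[inv.po_number] = already_billed + inv.quantity_billed
    return approved, reasons


# Constructed sample documents (hypothetical vendor V-42 and V-99).
SAMPLE_POS = {
    "PO-1001": PurchaseOrder("PO-1001", "V-42", 100, Decimal("12.50")),
    "PO-1002": PurchaseOrder("PO-1002", "V-42", 40, Decimal("3.00")),
}
SAMPLE_RRS = {
    "PO-1001": ReceivingReport("PO-1001", 100),
    "PO-1002": ReceivingReport("PO-1002", 30),  # short shipment
}
SAMPLE_INVOICES = [
    Invoice("INV-7", "V-42", "PO-1001", 100, Decimal("12.50")),   # clean
    Invoice("INV-7", "V-42", "PO-1001", 100, Decimal("12.50")),   # resubmitted duplicate
    Invoice("INV-8", "V-42", "PO-1002", 40, Decimal("3.00")),     # bills 40, only 30 received
    Invoice("INV-9", "V-42", "PO-1002", 10, Decimal("3.25")),     # price differs from PO
    Invoice("INV-10", "V-99", "PO-1002", 5, Decimal("3.00")),     # wrong vendor for this PO
    Invoice("INV-11", "V-42", "PO-9999", 1, Decimal("1.00")),     # no PO at all
]


def run_demo():
    """Run every sample invoice through the match; return (number, approved, reasons)."""
    ledger = PayablesLedger()
    out = []
    for inv in SAMPLE_INVOICES:
        approved, reasons = three_way_match(inv, SAMPLE_POS, SAMPLE_RRS, ledger)
        out.append((inv.invoice_number, approved, reasons))
    return out


if __name__ == "__main__":
    for number, ok, why in run_demo():
        print(number, "APPROVED" if ok else "HELD", "; ".join(why))
```

Only the first INV-7 is approved; its resubmission is held as a duplicate because the ledger records it as paid, and the remaining invoices are held for short receipt, price variance, vendor mismatch, or a missing purchase order. Held invoices leave the ledger untouched, so a corrected resubmission can still be matched later.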
**Internal Control Structure of Organizations**

Risks that impact financial standing:

- Assets will be stolen or misused
- Errors in accounting data or information
- Fraudulent activity

Risks inherent in IT systems, such as:

- Erroneous input of data
- Erroneous processing of data
- Computer fraud
- Hardware or software failure
- Natural disasters

**Relation of Ethics to AIS**

Examples of potential unethical behaviours:

- Fraudulent financial reporting
- Revenue inflation
- Expense account fraud
- Inflating hours worked for payroll purposes
- Computer fraud
- Hacking
- Browsing confidential data

**COSO Accounting Internal Control Structure**

In addition to its ERM guidance, COSO is well known for its **Internal Controls -- Integrated Framework**, which explains what has become the standard accepted by the accounting and business community as the definition and description of internal control. According to this framework, there are five interrelated components of internal control: the control environment, risk assessment, control activities, information and communication, and monitoring.

**IT Controls**

- General controls
- Application controls

**Importance of AIS to Accountants**

Accountants may be:

- Users of the AIS,
- Part of the design or implementation team of an AIS, and/or
- Auditors of an AIS

**CHAPTER 2: FUNDAMENTAL CONCEPTS OF THE AIS**

**Types of Accounting Information Systems**

Three categories of AIS:

1. **Manual Systems** - Generally used by small organizations. An entirely manual system would require:
   - Source documentation
   - Paper-based ledgers and journals
2. **Legacy Systems** - An existing system, often based on old technology.
   - **Advantages** are that legacy systems:
     - Are customized to specific needs.
     - Support unique business processes not inherent in generic accounting software.
     - Contain invaluable historical data that may be difficult to integrate into a new system.
     - Are well supported and understood by existing personnel.
   - **Disadvantages** are that legacy systems:
     - Are costly to maintain.
     - Often lack adequate supporting documentation.
     - Need hardware that may become obsolete.
     - Tend to use software written in older computer languages.
     - Are often difficult to modify to make web-based or user-friendly.
     - Are difficult to integrate when companies merge.
   - **Decision whether to replace or update legacy systems:**
     - **Screen scrapers:** add a modern, user-friendly screen interface to legacy systems.
     - **Enterprise application integration:** use software that bridges the legacy system to new hardware and software systems and interfaces, accomplishing the necessary integration of legacy systems with user-friendly and modern processing of data.
     - **Complete replacement of the legacy system.**
3. **Modern, integrated IT systems**
   - New programs sold by software development companies are more user-friendly than legacy accounting systems.
   - Integrate many or all of the business processes within an organization.
   - Typically utilize the latest technology in data storage and internet interfaces, and offer powerful, technologically advanced systems.
   - **Advantages** to purchasing accounting software:
     - Lower cost
     - Shorter implementation time
     - Fewer bugs
   - **It usually runs in one of two types of computer architectures, or models:**
     - Client-server model
     - Cloud computing

**Client-Server Computing**

**Two types** of computers are networked together to accomplish the application processing. Characteristics:

- Client and server computers are networked together. The system appears to users to be one integrated whole.
- The server manages and stores the large database, extracts data from the database, and runs the large, complex application programs.
- The client PC works with a subset of data extracted from the server database to accomplish local processing tasks.
**Cloud Computing**

Recently, there has been a movement away from a client-server approach toward **cloud computing.** It includes:

- **Pay for service:** Software and data reside with third-party companies (the cloud) and not on company computers.
- **Outsourcing of IT to a third party.**
- **ADVANTAGES:**
  - Scalability -- as a company grows, it can easily purchase new capacity from the cloud provider.
  - Expanded access -- accessed by multiple devices from many different locations.
  - Infrastructure is reduced -- reduced need for servers and data storage.
  - Cost savings -- reduced investment in IT hardware and the personnel supporting it.

**Input Methods Used in Business Processes**

Input methods used in organizations:

- Source documents and keying
- Bar codes
- Point of sale systems
- Electronic data interchange
- E-business and e-commerce

**Processing Methods Used in Business Processes**

Processing methods used in organizations:

- **Batch processing** -- transactions are grouped.
  - **ADVANTAGES:**
    - Efficient for large volumes of like transactions.
    - Generally uses less costly hardware and software.
    - Hardware and software systems are not as complicated as online systems.
    - Generally easier to control than other types of computerized systems.
  - **DISADVANTAGES:**
    - Processing can take longer.
    - Adding or deleting records takes much computer maintenance time.
    - Some data duplication is likely.
    - Integration across business processes is difficult in legacy systems that are batch oriented.
    - Lag while all transactions in a batch are collected.
- **Online and real-time processing**
  - **ADVANTAGES:**
    - Systems check for input errors.
    - Information is provided on a timely basis.
    - All files are constantly up to date.
    - The business processes are integrated into a single database so that a single system is achieved.
  - **DISADVANTAGES:**
    - Hardware and software are more expensive than in a batch system.
    - A single database that is shared is more susceptible to unauthorized access of data.
    - Real-time systems can be difficult to audit.

**Output of the AIS**

**General Categories of Outputs**

- Trading partner documents such as checks, invoices, and statements
- Internal documents
- Internal reports
- External reports

**Documenting Processes and Systems**

**Pictorial Representations** of processes and systems include:

- **Process maps --** pictorial representations of business processes in which the actual flow and sequence of events in the process are presented in diagram form.
- **Data flow diagrams --** used to show the logical design of a system.
- **Document flowcharts --** flow of documents and information among departments or units within an organization.
- **System flowcharts**
- **Entity relationship diagrams**

**CHAPTER 3: FRAUD, ETHICS, & INTERNAL CONTROL**

**Need for Code of Ethics & Internal Control**

When management is unethical, fraud is likely to occur.

**Management Obligations:**

- Stewardship
- Maintain internal controls
- Enforce a code of ethics

**Internal Control**

The COSO report defines **Internal Control** as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations

**Code of Ethics --** is a set of documented guidelines for moral and ethical behaviour within the organization. It is management's responsibility to establish, enforce, and exemplify ethical conduct values in the organization.

**Accounting-related Fraud**

**Misappropriation of Assets --** defalcation or internal theft.

**Misstatement of Financial Records --** earnings management or fraudulent financial reporting.

For fraud, three conditions must exist (the fraud triangle): Incentive (Pressure), Opportunity, and Rationalization (Attitude).

- **Incentive to commit fraud:** Financial pressures, market pressures, job-related failures, or addictive behaviours may create the incentive to commit fraud.
- **Opportunity to commit fraud:** Circumstances may provide access to the assets or records that are objects of fraudulent activity. Ineffective oversight is often a contributing factor.
- **Rationalization of the fraudulent action:** Fraudsters typically justify their actions because of their lack of moral character.

| Fraud Category | Example | Can Internal Control be effective in preventing or detecting? | An example of an Internal Control that can be effective |
|---|---|---|---|
| Management Fraud | Misstating FS | Usually not, due to management override | n/a |
| Employee Fraud | Inflating hours worked on timecard | Yes | Require supervisor to verify & sign timecard |
| Customer Fraud | Returning stolen merchandise for cash | Yes | Provide refund only if a proper sales receipt exists |
| Vendor Fraud | Requesting duplicate payment for one invoice | Yes | Pay only those invoices that have a matching purchase order and receiving report, and mark documents as paid or cancelled. |

**The Nature of Management Fraud**

**Management Fraud** is usually in the form of fraudulent financial reporting. Managers misstate financial statements to:

- Increase stock price.
- Improve financial statements.
- Enhance chances of promotion, or avoid firing or demotion.
- Increase incentive-based compensation.
- Delay cash flow problems or bankruptcy.

**Management Fraud** may involve:

- Overstating revenues and assets.
- Understating liabilities and expenses.
- Misapplying accounting principles.

The most effective measure to prevent or detect management fraud is to establish a professional **internal audit** staff that periodically checks up on management activities and **reports to the audit committee** of the board of directors.

**The Nature of Employee Fraud**

**Employee Fraud** usually means that an employee **steals cash or assets** for personal gain. Kinds of employee fraud:

- Inventory theft
- Cash receipts theft
- Accounts payable fraud
- Payroll fraud
- Expense account fraud
- Kickback scheme
- Skimming
- Collusion

**The Nature of Customer Fraud**

**Customer Fraud** occurs when a customer improperly obtains cash or property from a company or avoids liability through deception. Kinds of customer fraud:

- Credit card/check fraud
- Refund/sales return fraud

**The Nature of Vendor Fraud**

**Vendor Fraud** occurs when vendors obtain payment to which they are not entitled. Vendors may:

- Submit duplicate or incorrect invoices
- Send shipments in which the quantities are short
- Send lower-quality goods than ordered

**Vendor Audits --** involve the examination of vendor records in support of amounts charged to the company.

**The Nature of Computer Fraud**

**Computer Fraud** may include:

- **Internal Sources of Computer Fraud**
  - **Input manipulation:** involves altering data that is input into the computer. Example: altering payroll timecards.
  - **Program manipulation:**
    - Salami technique -- alter a program to slice a small amount from several accounts, then credit those small amounts to the perpetrator's benefit.
    - Trojan horse programs -- a small unauthorized program within a larger program, used to manipulate the computer system.
    - Trap door alterations -- a valid programming tool that is misused to commit fraud.
  - **Output manipulation:** involves alteration of the system's checks or reports to commit fraud.
- **External Sources of Computer Fraud** -- in most cases conducted by someone outside the company who has gained unauthorized access to the computer. **Two common types:**
  - Hacking
  - Denial of service attack (DoS)
  - Spoofing: occurs when a person, through a computer system, pretends to be someone else.

**Policies to Assist in the Avoidance of Fraud and Errors**

Actions to assist in prevention or detection of fraud and errors:

- Maintain and enforce a **code of ethics**
- Maintain a system of **accounting internal controls**
- Maintain a system of **information technology controls**

**Maintenance of a Code of Ethics**

Establishing and maintaining a culture where ethical conduct is recognized, valued, and exemplified by all employees. This includes:

- Obeying applicable laws and regulations
- Conduct that is honest, fair, and trustworthy
- Avoiding all conflicts of interest
- Creating and maintaining a safe work environment
- Protecting the environment

**Maintenance of Accounting Internal Controls**

Three types of controls:

1. **Preventive Controls --** intended to stop undesirable acts before they occur. For example, keeping cash locked in a safe is intended to prevent theft.
2. **Detective Controls --** help employees to uncover or discover errors, fraud, or unauthorized events. Examples include matching physical counts to inventory records, reconciling bank statements to company records, and matching an invoice to its purchase order before payment.
3. **Corrective Controls --** steps undertaken to correct an error or problem uncovered via detective controls. For example, if an error is detected in an employee's timecard, there must be an established set of steps to follow to assure that it is corrected.

**COSO Internal Control Framework**

The COSO report lists 5 components of internal control:

1. **Control Environment** - the foundation for all other components of internal control; it provides the discipline and structure of all other components.
   Control environment factors include the following:
   - Demonstrates commitment to integrity and ethical values
   - Management's oversight responsibility, including its philosophy and operating style
   - The way management establishes the structure and assigns authority and responsibility
   - The way management develops its people and demonstrates a commitment to competence
   - The board of directors demonstrates independence from management and exercises oversight of internal control
   - The organization holds individuals accountable for their internal control responsibilities
2. **Risk assessment** - Management must develop a way to:
   - Specify the relevant objectives to enable the identification and assessment of risks relating to objectives.
   - Identify the risks (both internal and external, and due to both fraud and error), and determine how the risks should be managed.
   - Consider the potential for fraud in assessing risks.
   - Identify and assess changes that could significantly affect the system of internal control.
3. **Control activities** - Control activity categories:
   - Authorization of transactions (Authorization, Recording, Custody)
   - Segregation of duties
   - Adequate records and documents
   - Security of assets and documents
   - Independent checks and reconciliation
4. **Information and communication** - The organization creates and uses an information and communication system that includes the following factors:
   - The system obtains or generates and uses relevant quality information to support the functioning of internal control.
   - The system internally communicates information, including objectives and responsibilities for internal control.
   - The system communicates with external parties regarding matters affecting the functioning of internal control.
5. **Monitoring activities** - Any system of control must be constantly monitored to assure that it continues to be effective. To be most effective, both continuous and periodic monitoring should take place. The computerized accounting system may include modules within the software that review the system on an ongoing basis. In addition, some monitoring, such as internal and external audits, occurs on a regular periodic basis.

**Objectives of an internal control system are:**

- **Operations objectives:** Safeguard assets (from fraud or errors). Promote operational efficiency.
- **Reporting objectives:** Maintain accuracy and integrity of accounting data.
- **Compliance objectives:** Ensure compliance with management directives.

**Reasonable Assurance of Internal Controls**

Controls achieve a sensible balance of reducing risk when compared with the cost of the control. It is not possible to provide absolute assurance, because:

- Flawed judgments are applied in decision-making.
- Human error exists in every organization.
- Controls can be circumvented or ignored.
- Controls may not be cost-beneficial.

**Maintenance of Information Technology Controls**

For any business process, there should be both:

- accounting internal controls as in COSO, and
- IT controls as in the Trust Services Principles.

Risks and controls in IT are divided into five categories (to be covered in Chapter 4):

- Security
- Availability
- Processing integrity
- Online privacy
- Confidentiality

**CHAPTER 4: INTERNAL CONTROL & RISKS IN IT SYSTEMS**

**Hardware and Software Exposures**

Typical IT system components that represent "entry points" where the risk must be controlled:

- Operating system
- Database and database management system (DBMS)
- Local area networks (LANs) and wireless networks
- E-business conducted via the Internet
- Telecommuting workers
- Application software

**Operating System -- Unauthorized access** would allow an unauthorized user to:

- Browse disk files or memory for sensitive data or passwords
- Alter data through the operating system
- Alter access tables to change access levels of users
- Alter application programs
- Destroy data or programs

Proper authentication can reduce the risk.

**The Database** - A large disk storage for accounting and operating data. Controls such as the following can limit exposure:

- User IDs, passwords
- Authority tables
- Firewalls
- Encryption

**The Database Management System** - Physical access, environmental, and business continuity controls can help guard against the loss of the data or alteration to the DBMS.

**LANs and WANs** - Controls: limit unauthorized users; firewalls, encryption, virtual private networks (VPN).

**The Internet and the World Wide Web** - The use of **dual firewalls** can help prevent hackers or unauthorized users from accessing the organization's internal network of computers.

**Telecommuting Workers and Mobile Workers**

- The organization's security policy should address the security expectations of workers who telecommute.
- Such workers should connect to the company network via a virtual private network.

**Electronic Data Interchange** - Company-to-company transfer of standard business documents in electronic form. EDI controls include:

- authentication,
- computer logs, and
- network break-in controls.
**Internal Controls for IT Systems**

**Accounting Information System** - collects, processes, stores, and reports accounting information.

Internal controls for computer-based systems have been described as being of two types:

- **General controls** -- apply overall to the IT system; they are not restricted to any particular accounting application.
- **Application controls** -- are used specifically in accounting applications to control inputs, processing, and outputs.

**General Controls for IT Systems**

**Five categories** of general controls:

1. **Authentication of users and limiting unauthorized access**
   - Log-in, user IDs, passwords, smart cards, biometric devices, two-factor authentication.
   - **User ID and password**
   - Computer log: nonrepudiation
   - **Access limited to user profile**
   - Authority table: a list of valid, authorized users and the access level granted to each one.
2. **Hacking and other network break-ins**
   - VPN, firewall, encryption, antivirus software
   - Vulnerability assessment
   - Intrusion detection
   - Penetration testing
3. **Organizational structure**
   - **IT governance committee**
     - Align IT investments to business strategy
     - **Budget** funds and personnel for the most effective use of the IT systems
     - Oversee and prioritize changes to IT systems
     - Develop, monitor, and review security policies
   - **Duties to be segregated in the IT system are:**
     - Systems analysts
     - Programmers
     - Operations personnel
     - Database administrator
4. **Physical environment and security** - Controls for an IT system should include controls over the physical environment of the system, which include:
   - Location: located in areas that are least at risk of natural disasters such as floods, earthquakes, hurricanes, and fires.
   - Operating environment: properly controls dust, temperature, and humidity. The location should also have a fire protection system.
   - Back-up systems: the system should also have both an uninterruptible power supply and an emergency power supply.
5. **Business continuity** - Business continuity planning (BCP):
   - A strategy for **backup and restoration** of IT systems, including redundant servers, redundant data storage, daily incremental backups, a backup of weekly changes, and offsite storage of daily and weekly backups.
   - A **disaster recovery plan.**

**AICPA Trust Services Principles categorize IT controls and risks into five categories:**

a. **Security** -- the system is protected against unauthorized (physical and logical) access.
b. **Availability** -- the system is available for operation and use as committed or agreed.
c. **Processing integrity** -- the system processing is complete, accurate, timely, and authorized.
d. **Online privacy**
e. **Confidentiality**

**Cloud Computing Controls**

**Risks associated with cloud computing:**

- **Security:** the third-party provider must have good user authentication, firewalls, encryption, and virtual private network connections.
- **Availability:** any interruptions in service cause the software and data to be unavailable.
- **Processing integrity:** all control of software installation, testing, and upgrading is transferred to the third-party provider of cloud computing services to ensure processing is accurate and complete.
- **Confidentiality:** risk that employees of the third-party provider can browse and misuse company data.

**Application Software and Application Controls**

Application software accomplishes end-user tasks such as:

- word processing,
- spreadsheets,
- database maintenance, and
- accounting functions.
**Application controls** - intended to improve the accuracy, completeness, and security of input, processing, and output:

- Input controls
- Processing controls
- Output controls

**Application Controls 1 -- Input Controls**

Input controls are of four types:

- **Source document** controls
- **Standard procedures** for data preparation and error handling
- **Programmed input checks**
- **Control totals and reconciliation**

**Input Controls -- Source Document Controls**

**Form design --** The source document and the input screen should be well designed, easy to understand and use, and logically organized into groups of related data.

**Form authorization and control:**

- Area for authorization by the appropriate manager
- Prenumbered and used in sequence
- Blank source documents should be controlled

**Retention of source documents:**

- Retained and filed for easy retrieval
- Part of the audit trail

**Input Controls -- Standard Procedures**

**Data preparation --** standard data collection procedures reduce the chance of lost, misdirected, or incorrect data collection from source documents.

**Error handling:**

- Errors should be logged, investigated, corrected, and resubmitted for processing
- An appropriate manager should regularly review the error log

**Input Controls -- Validation Checks**

**Programmed input validation checks**

Data should be validated and edited as close to the source of the data as possible. Input validation checks include:

- **Field check:** examines a field to determine whether **the appropriate type (alpha or numeric) of data** was entered.
- **Validity check:** examines a field to ensure that the data entry in the field is **valid compared with a preexisting list of acceptable values.**
- **Limit checks and range checks:** both check field input against a pre-established limit or limits.
- **Reasonableness check:** compares the value in a field with those fields to which it is related to determine whether the value is reasonable.
- **Completeness check:** assesses the critical fields in an input screen to make sure that a value is in those fields.
- **Sign check:** examines a field to determine that it has the appropriate sign, positive or negative.
- **Sequence check:** ensures that the batch of transactions is sorted in order.

**Input Controls -- Control Totals and Reconciliation**

**Control totals:** reconciliation of manually generated subtotals to computer-generated subtotals should result in the same total from both sources.

**Three types:**

- **Record counts:** simple count of the number of records processed.
- **Batch totals:** totals of financial data.
- **Hash totals:** totals of fields that have no apparent logical reason to be added.

**Application Controls 2 -- Processing Controls**

Intended to prevent, detect, or correct errors that occur during processing.

- **Ensure that application software has no errors:** software is tested prior to implementation, and regularly tested thereafter.
- Control totals, limit and range tests, and reasonableness and sign tests: **many input controls also serve as processing controls**.
- Computer logs of transactions processed, production run logs, and error listings **are to be regularly examined** to prevent, detect, and correct other errors.

**Application Controls 3 -- Output Controls**

**Two primary objectives** of output controls:

- To ensure accuracy and completeness:
  - output can be **reconciled to control totals**;
  - **users of the reports examine the reports** for completeness and reasonableness.
- To properly manage the **safekeeping of output reports** to ascertain security and confidentiality.

**CHAPTER 5: IT GOVERNANCE**

**Introduction to IT Governance**

**IT Governance is defined as:**

- A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes.
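Looking back at the Chapter 4 input controls, the programmed input validation checks and the three control totals can be implemented together as one batch-validation routine. The following is an added example for these notes, not code from the course text or any accounting package; the payroll-hours record layout, the approved department list and pay bands, the 60-hour limit, and the sample batch with its deliberate keying errors are all constructed. It applies the field, validity, limit, sign, reasonableness, completeness and sequence checks to each record, then computes the record count, batch total and hash total and reconciles them to the manually prepared totals.

```python
"""Programmed input validation checks and batch control totals for a
payroll-hours batch. Added example; record layout, reference lists, limits
and the sample batch are constructed, not taken from the course notes."""
import re
from decimal import Decimal, InvalidOperation

# Constructed reference data used by the checks.
VALID_DEPARTMENTS = {"ACCT", "SALES", "PROD"}                  # validity check list
PAY_BAND = {"ACCT": (Decimal("20"), Decimal("60")),            # reasonableness: rate vs dept
            "SALES": (Decimal("15"), Decimal("50")),
            "PROD": (Decimal("12"), Decimal("40"))}
MAX_HOURS = Decimal("60")                                      # limit check
REQUIRED = ("seq", "emp_id", "dept", "hours", "rate")          # completeness check
EMP_ID_PATTERN = re.compile(r"^E\d{4}$")                       # field check: letter E + 4 digits


def validate_record(rec):
    """Apply the programmed input checks to one keyed record; return a list of failures."""
    errors = []
    # Completeness check: every critical field must carry a value.
    missing = [f for f in REQUIRED if not str(rec.get(f, "")).strip()]
    if missing:
        errors.append("completeness: missing " + ",".join(missing))
        return errors  # further checks on an incomplete record would only add noise
    # Field check: employee ID has the expected character pattern; hours and rate are numeric.
    if not EMP_ID_PATTERN.match(rec["emp_id"]):
        errors.append("field: emp_id is not E followed by four digits")
    try:
        hours = Decimal(rec["hours"])
        rate = Decimal(rec["rate"])
    except InvalidOperation:
        errors.append("field: hours and rate must be numeric")
        return errors
    # Validity check: department must appear in the approved list.
    if rec["dept"] not in VALID_DEPARTMENTS:
        errors.append(f"validity: unknown department {rec['dept']}")
    # Sign check, then limit check, on hours.
    if hours < 0:
        errors.append("sign: hours cannot be negative")
    elif hours > MAX_HOURS:
        errors.append(f"limit: hours {hours} exceed {MAX_HOURS}")
    # Reasonableness check: the rate must fall inside the pay band for the department.
    band = PAY_BAND.get(rec["dept"])
    if band and not (band[0] <= rate <= band[1]):
        errors.append(f"reasonableness: rate {rate} outside band for {rec['dept']}")
    return errors


def sequence_check(records):
    """Sequence check: the batch must be in ascending seq order with no gaps."""
    seqs = [int(r["seq"]) for r in records]
    return seqs == list(range(seqs[0], seqs[0] + len(seqs))) if seqs else True


def control_totals(records):
    """Record count, batch total (gross pay, a financial total) and hash total
    (sum of the numeric part of employee IDs, which has no business meaning)."""
    batch_total = Decimal("0")
    hash_total = 0
    for r in records:
        try:
            batch_total += Decimal(r["hours"]) * Decimal(r["rate"])
        except (InvalidOperation, KeyError):
            pass  # non-numeric fields are already rejected by the field check
        digits = "".join(ch for ch in str(r.get("emp_id", "")) if ch.isdigit())
        hash_total += int(digits) if digits else 0
    return {"record_count": len(records), "batch_total": batch_total, "hash_total": hash_total}


def process_batch(records, manual_totals):
    """Validate each record, then reconcile computer totals to the manually prepared ones."""
    rejected = {r["seq"]: validate_record(r) for r in records}
    rejected = {seq: errs for seq, errs in rejected.items() if errs}
    computed = control_totals(records)
    differences = {k: computed[k] - manual_totals[k]
                   for k in computed if computed[k] != manual_totals[k]}
    return {"in_sequence": sequence_check(records), "rejected": rejected,
            "computed": computed, "differences": differences}


# Constructed keyed batch. Source documents said: E1001/40h/30, E1002/35h/20,
# E1012/45h/18, E1004/38h/15, E1005 ACCT/40h/22. Three keying errors were made:
# seq 2 hours "350" (not 35), seq 3 emp_id transposed to E1021, seq 5 dept left blank.
SAMPLE_BATCH = [
    {"seq": "1", "emp_id": "E1001", "dept": "ACCT", "hours": "40", "rate": "30"},
    {"seq": "2", "emp_id": "E1002", "dept": "SALES", "hours": "350", "rate": "20"},
    {"seq": "3", "emp_id": "E1021", "dept": "PROD", "hours": "45", "rate": "18"},
    {"seq": "4", "emp_id": "E1004", "dept": "PROD", "hours": "38", "rate": "15"},
    {"seq": "5", "emp_id": "E1005", "dept": "", "hours": "40", "rate": "22"},
]
# Totals prepared by hand from the source documents before keying (constructed).
MANUAL_TOTALS = {"record_count": 5, "batch_total": 4160, "hash_total": 5024}

if __name__ == "__main__":
    result = process_batch(SAMPLE_BATCH, MANUAL_TOTALS)
    print("in sequence:", result["in_sequence"])
    print("rejected:", result["rejected"])
    print("computed:", result["computed"])
    print("differences vs manual:", result["differences"])
```

The transposed employee ID passes every per-record check, since E1021 is a well-formed ID, and is caught only by the hash total; that is the reason for totalling a field that has no logical reason to be summed. The oversized hours value is caught twice, by the limit check on the record and by the batch-total difference, while the blank department is rejected by the completeness check without disturbing any total.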
Management must focus on the following activities:

- Aligning IT strategy with the business strategy
- Cascading strategy and goals down into the enterprise
- Providing organizational structures that facilitate the implementation of strategy and goals
- Insisting that an IT control framework be adopted and implemented
- Measuring IT performance

The company should have:

- an IT governance committee, and
- a formal process to select, design, and implement IT systems (the system development life cycle, or SDLC).

The board and top management must ensure that the organization has processes to accomplish the following:

1. Continually evaluate the match of strategic goals to the IT systems in use.
2. Identify changes or improvements to the IT system.
3. Prioritize the necessary changes to IT systems.
4. Develop the plan to design and implement those IT changes that are of high priority.
5. Implement and maintain the IT systems.
6. Continually loop back to step 1.

This need to match IT systems to organizational objectives highlights the need for the IT governance committee to include top management, such as the CEO, CFO, CIO, and other high-level managers, as its members.

**An Overview of SDLC**

The **systems development life cycle (SDLC)** is a systematic process to manage the acquisition, design, implementation, and use of IT systems.

**Systems Planning Phase of SDLC**

The IT governance committee should consider:

- the assessment of IT systems and their **match to strategic organizational objectives**, and
- the **feasibility** of each of the requested modifications or upgrades.

**Match of IT Systems to Strategic Objectives**

- The IT governance committee must evaluate proposed changes to IT systems in terms of their usefulness in assisting the organization to achieve its objectives.
**Feasibility Study**

The IT governance committee should evaluate the feasibility of each competing proposal.

**Four feasibility aspects:**

- **Technical feasibility** -- assessment of the realistic possibility that technology exists to meet the needs identified in the proposed change to the IT system.
- **Operational feasibility** -- assessment of the realistic possibility that current employees will be able to operate the proposed IT system. The assessment should evaluate the feasibility of providing training to existing employees.
- **Economic feasibility** -- assessment of the costs and benefits associated with the proposed IT system. Is it realistic to conclude that the benefits of the proposed IT system outweigh the costs?
- **Schedule feasibility** -- assessment of the realistic possibility that the proposed IT system can be implemented within a reasonable time.

After the feasibility evaluation, the IT governance committee should:

- Formally announce the project.
- Assign the project team that will begin the next phase, the systems analysis.
- Budget the funds necessary to complete the SDLC.
- Continue oversight and management of the project team and the proposed IT changes.

**Systems Analysis Phase of SDLC**

**Preliminary Investigation**

The purpose of the preliminary investigation is to determine whether the problem or deficiency in the current system exists. It results in a "go" or "no-go" decision.

**System Survey: Study of the Current System**

A systems survey requires collecting data about the current system, including the following:

- Inputs
- Outputs
- Processes: manual and computerized
- Internal controls
- Data storage
- Transaction volumes
- Errors

**Determination of User Requirements:**

- To gain a complete understanding of the system under study, the project team should not only observe and review documentation but also seek the opinions and thoughts of those who use the system, through:
  - Interviews
  - Questionnaires

**Analysis of the System Survey**

- The analysis phase is the critical-thinking stage.
- In many cases, the analysis phase may lead to business process reengineering (BPR).
- BPR has been defined as "fundamental rethinking and radical redesign of business processes to bring about dramatic improvements" in performance.

**System Analysis Report**

The report informs the IT governance committee of the results of the systems survey, user needs determination, and BPR.

**Systems Design Phase of SDLC**

When evaluating each proposal, the IT governance committee should consider:

- Price of software or software modules
- Match of system and user needs to features of the software
- Technical, operational, economic, and schedule feasibility
- Technical support provided by the vendor
- Reputation and reliability of the vendor
- Usability and user-friendliness of the software

In general, **purchased software** is less costly and more reliable and has a shorter implementation time than software designed in-house.

**Conceptual Design**

"Brainstorming" to generate the different conceptual design approaches in a system design that will meet the identified needs.

**Evaluation and Selection**

Feasibility assessments are:

- Technical, operational, economic, and schedule feasibility

**Detailed Design**

The **purpose of the detailed design phase** is to create the entire set of specifications necessary to build and implement the system once the best alternative design is selected. The various parts of the system that must be designed are the:

- Inputs,
- Outputs,
- Processes,
- Internal controls, and
- Data storage.

**Systems Implementation Phase of SDLC**

**Software Programming**

- Using the design specifications developed in the detailed design phase, the programming staff write the program code for the new or revised system.
- In the case of purchased software, the programming staff modify the program code as necessary to meet the design specifications.
**Employee Training**

- Employees may need training in the use of new input screens, output reports, and processes.

**Software Testing**

- As programmers complete the programming of the new system, the programs and the modules that make up the programs must be tested using test data, which are specially created and entered into the software.

**Documenting the System**

- Write the documentation that matches the new inputs, outputs, and processes.
- Lack of up-to-date documentation makes it much more difficult for new employees to understand the system and makes future revisions to the system more complicated.

**Data Conversion**

- A new or revised system may require data to be converted to a new format.
- Accountants should oversee the data conversion process to make sure that all accounting data are completely and correctly converted.
- To check the accuracy of the conversion, accountants can reconcile control totals from the old data set to control totals from the converted data.

**System Conversion**

- **Parallel Conversion**
  - Old and new systems are operated simultaneously for a short period
  - Requires operating staff to operate two systems and input all data twice
  - Advantage: the least risky method
  - Disadvantage: the most costly and time-consuming method
- **Direct Cutover Conversion**
  - On a chosen date the old system is terminated
  - All processing begins on the new system immediately
  - Most risky
  - Least costly and time-consuming
- **Phase-in Conversion**
  - System broken into modules and phased in incrementally over a longer period
  - Low risk and does not disrupt large parts of the organization
  - Time-consuming
- **Pilot Conversion**
  - System operated in only one or a few subunits of the organization

**User Acceptance**

- Enforcement of user acceptance ensures that project teams will seek user input and meet user needs.
**Post-implementation Review**

A few months after implementation, the project team should review the SDLC steps:

- Review the feasibility assessments and other estimates made during the process.
- Learn from any mistakes that were made.

Management should receive regular reports regarding the performance of the IT system. Examples of reports are:

- IT performance
- IT load usage and excess capacity
- Downtime of IT systems
- Maintenance hours on IT systems
- IT security and number of security breaches or problems
- IT customer satisfaction, from both internal and external customers

Three major purposes are served by the continual and proper use of the IT governance committee and the SDLC:

- The strategic management process of the organization
- The internal control structure of the organization
- The fulfillment of ethical obligations

**Management** has an ethical obligation to maintain a set of processes and procedures that assure accurate and complete records and protection of assets.

**Employees** should not subvert the process.

**Consultants** have at least four ethical obligations:

- Bid the engagement fairly, and completely disclose the terms of potential cost increases.
- Bill time accurately to the client.
- Do not oversell unnecessary services or systems.
- Do not disclose confidential or proprietary information.

**CHAPTER 6: ENTERPRISE RESOURCE PLANNING (ERP) SYSTEM**

**Overview of ERP Systems**

An **Enterprise Resource Planning (ERP)** system integrates all business processes and functions into a single software system, using a **single database**.

ERP system components:

1. Financials
2. Human resources
3. Procurement and logistics
4. Product development and manufacturing
5. Sales and services
6. Analytics

Data in an ERP system is held in:

1. **Operational database**
   - Contains the transaction-processing data necessary to conduct day-to-day operations and produce management reports
   - Data continually updated as transactions are processed
2. **Data warehouse**
   - An integrated collection of enterprise-wide data pulled from many different systems for meaningful data analysis over a long period
   - Data is periodically copied to the data warehouse so that data can be analyzed over time

**History of ERP Systems**

ERP systems:

- Developed during the 1960s and 1970s.
- First generation was materials requirements planning (MRP) software.
- MRP evolved into manufacturing resource planning (MRP II).
- ERP software did not become popular with large corporations until the 1990s.

**Current ERP System Characteristics**

- **EDI, Internet EDI**, or **extranets** are used to connect a company's ERP system to the IT systems of its suppliers **(SCM)** and customers **(CRM)**.
- **Companies cannot allow their ERP systems to become outdated.**
- Need to improve customer service through standardizing and combining business processes.
- Global companies may have separate ERP systems in different countries.
- Aging ERP systems need replacement.
- Many companies needed upgraded systems to comply with the Sarbanes-Oxley Act.
- Many companies wanted to take advantage of new technologies such as cloud-based ERP systems.

**ERP Modules**

The top-selling ERP system for large corporations and organizations is **SAP**.

- **Procurement and Logistics:** keeping track of purchasing and movement of goods and materials.
- **Product Development and Manufacturing:** planning and scheduling of conversion activities.
- **Sales and Services:** taking customer orders and preparing for the impending revenue and cash collection.
- **Human Capital Management:** incorporates all human resources and payroll activities.
- **Financials:** maintenance of the general ledger and supporting journals and subledgers. Accounting data from all other modules flows to the financial module for reporting.
- **Analytics:** data mining and analytical tools for obtaining feedback and supporting managerial decision-making.
- **Supply Chain Management (SCM):**
  - Encompasses the planning and management of all activities involved in procurement, conversion, and logistics management, from purchasing of raw materials and supplies to inventory management and warehousing.
  - It also includes coordination and collaboration with channel partners, which can be suppliers, intermediaries, third-party service providers, and customers.
- **Customer Relationship Management (CRM):**
  - CRM is a term for software solutions that help businesses manage customer relationships in an organized way.
  - A database of detailed customer information that management and salespeople can reference.
  - Includes information regarding customers' purchases, which can be used to do things such as match customer needs with products, inform customers of service requirements, and analyze customer buying behaviour.

**Market Segments of ERP Systems**

**Tier One Software**

- Usually implemented in very large organizations.
- Minimum cost to purchase is approximately \$350,000. Often, the cost exceeds \$1 million.
- The three most popular ERP systems in tier one are SAP, Oracle, and Microsoft Dynamics 365 (formerly Dynamics AX).

**Tier Two Software**

- Intended for organizations in the range of approximately \$25-\$250 million in sales.
- Price range between \$30,000 and \$250,000.
- Some of the popular ERP systems are Microsoft Dynamics GP (Great Plains), Microsoft Dynamics NAV (Navision), Epicor ERP®, Sage 300®, Sage 500 ERP®, NetSuite, and Infor®.

**Cloud-Based ERP**

All ERP vendors have developed ERP products for cloud computing. For example:

- SAP offers a cloud-based ERP system for small to medium-sized entities (SMEs) called SAP Business ByDesign.
- Oracle has an Oracle Fusion Cloud ERP system.
- Customers who use cloud-based software need only a small IT system.
- The ERP system can be used through a computer with Internet access and a Web browser.

**Benefits and Risks of ERP Systems**

| Benefits of ERP Systems | Risks of ERP Systems |
|---|---|
| 1. Interactive nature of the modules. | Implementation risks |
| 2. Real-time nature of processing. | Operation risks: |
| 3. "Best practices" nature of the processes. | - Security |
| 4. A single database enhances the sharing of information. | - Availability |
| 5. Capability to analyze large amounts of data. | - Processing integrity |
| 6. Capability to enhance e-commerce and e-business. | - Online privacy |
| 7. Capability to interact in real time. | - Confidentiality |
| 8. ERP systems are scalable. | |

**Implementation of ERP Systems**

Important factors and issues to consider when implementing an ERP system:

- Hiring a consulting firm
- The best-fit ERP system
- Which modules to implement
- Best of breed versus ERP modules
- Business process reengineering (BPR)

**Best of Breed:**

- ERP modules are built around standard, generic business processes.
- Some experts believe that an organization is better served by using one brand of ERP system for many processes, but by selecting some modules from other vendors that are "best of breed."
- **Best of breed means the best software on the market for the particular type of business process for this size of organization.**
- Those processes that may be unique or a little more specialized might be better handled by a best-of-breed module rather than the ERP module.

**Business Process Reengineering:**

- Since most organizations' processes do not match the processes in the ERP system for any individual module, BPR is usually undertaken to make the business processes more compatible with the ERP modules.
- First, the underlying processes are reengineered to be conducted more efficiently.
- Second, the IT systems improve the efficiency of the underlying processes through automation.
- By rethinking and redesigning processes, the organization may be able to improve, and thereby enhance, the process.

Other implementation factors and issues:

- Costs of hardware and software
- Testing the ERP system
- Data conversion
- Training of employees
- Method of conversion:
  - Big Bang: all functional areas of the company are ready to make the change at the same time
  - Location-wise (pilot)
  - Modular

**ERP Systems and the Sarbanes-Oxley Act**

**Enhanced ERP systems** provide feedback information to management regarding internal control.

Steps the company must accomplish:

- Establish and maintain a list of incompatible or conflicting duties.
- Assign user access and authority only to those parts of the system required.
- Review the user profile and change any access and authority levels as necessary.
- Track and report any instances of users with conflicting abilities.

Examples of Accounts Payable Internal Control Reports

| Report | Purpose |
|---|---|
| Purchase orders without a requisition | Ensure all purchases are requisitioned before the purchase takes place |
| Purchase orders created after the invoice date | To prevent the creation of a purchase order after the invoice date |
| Blocked invoice report | To resolve discrepancies on invoices so that they can be paid on a timely basis |

**CHAPTER 13: DATA AND DATABASES**

**Data Type**

- **Structured data** easily fit into rows and columns. These columns usually are fields of fixed length.
- **Unstructured data** do not easily fit into rows and columns of fixed length. An example of unstructured data would be the free-form text of a customer's online review of a product.
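The four Sarbanes-Oxley steps above (maintain a list of incompatible duties, grant access only where required, review the profiles, report conflicts) and two of the accounts payable reports in the table, worked through in code. This is an added example, not the notes' or any ERP vendor's code: the duty list, the user access profiles, the purchase orders and the invoices are constructed, and a real incompatible-duties list depends on the organization's own processes.

```python
"""Segregation-of-duties conflict report and accounts payable exception reports (added example)."""
from datetime import date
from itertools import combinations

# Step 1: the organization's list of incompatible (conflicting) duties. Constructed
# for this example; each pair is one that a single user must not hold.
INCOMPATIBLE_DUTIES = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"create_purchase_order", "receive_goods"}),
    frozenset({"enter_invoice", "approve_payment"}),
}

# Step 2: the user access profiles as granted in the system (constructed).
USER_ACCESS = {
    "alice": {"create_purchase_order", "enter_invoice"},
    "bob": {"create_vendor", "approve_payment"},                           # conflict
    "carol": {"receive_goods", "create_purchase_order", "enter_invoice"},  # conflict
    "dave": {"approve_payment"},
}


def sod_conflicts(user_access, incompatible=INCOMPATIBLE_DUTIES):
    """Steps 3-4: review every profile and return {user: [conflicting duty pairs]}.

    Users with no conflict are omitted, so an empty dict means the profiles are clean.
    """
    report = {}
    for user, duties in sorted(user_access.items()):
        hits = [pair for pair in combinations(sorted(duties), 2)
                if frozenset(pair) in incompatible]
        if hits:
            report[user] = hits
    return report


# Constructed accounts payable documents for the exception reports.
PURCHASE_ORDERS = [
    {"po": "PO-1", "requisition": "REQ-7", "created": date(2024, 3, 1)},
    {"po": "PO-2", "requisition": None, "created": date(2024, 3, 2)},      # no requisition
    {"po": "PO-3", "requisition": "REQ-9", "created": date(2024, 3, 20)},  # raised after the invoice
]
INVOICES = [
    {"invoice": "INV-100", "po": "PO-1", "invoice_date": date(2024, 3, 10)},
    {"invoice": "INV-101", "po": "PO-3", "invoice_date": date(2024, 3, 15)},
]


def ap_exception_reports(purchase_orders, invoices):
    """Two of the reports from the table above, each a sorted list of purchase order numbers."""
    without_requisition = sorted(po["po"] for po in purchase_orders if not po["requisition"])
    # Earliest invoice date per purchase order, so a PO with several invoices is
    # judged against the first invoice received.
    earliest_invoice = {}
    for inv in invoices:
        if inv["po"] not in earliest_invoice or inv["invoice_date"] < earliest_invoice[inv["po"]]:
            earliest_invoice[inv["po"]] = inv["invoice_date"]
    after_invoice_date = sorted(
        po["po"] for po in purchase_orders
        if po["po"] in earliest_invoice and po["created"] > earliest_invoice[po["po"]]
    )
    return {"po_without_requisition": without_requisition,
            "po_after_invoice_date": after_invoice_date}


if __name__ == "__main__":
    print("SoD conflicts:", sod_conflicts(USER_ACCESS))
    print("AP exceptions:", ap_exception_reports(PURCHASE_ORDERS, INVOICES))
```

Both reports are meant to be run on a schedule and reviewed by a manager who is not themselves in the access list being checked; the conflict report is the evidence that step 3 (review and adjust profiles) actually happened.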
**Typical Storage and Processing Techniques**

The storage media types for data: **sequential and random access**

- **Sequential access:** data are stored in sequential or chronological order. Used in the early days of mainframe computers.
- **Random/direct access:** any data item on the storage media can be directly accessed without reading in sequence. Used in modern IT systems.

Methods of processing data: **batch and real-time**

| Characteristic | Batch Processing | Real-Time Processing |
|---|---|---|
| Response time | Slow | Rapid |
| Efficiency | Very efficient for large volumes of transactions | Less efficient for large volumes of transactions |
| Complexity | Simple | Complex |
| Control | Easier to control and to maintain an audit trail | More difficult to control and maintain an audit trail |
| Storage | Data can be stored sequentially | Data must be random access |

**Databases and Relational Databases**

A **database** is data stored in a form that allows the data to be easily accessed, retrieved, manipulated, and stored.

- **Data redundancy** occurs when the same data are stored in more than one file. Errors in updating the data are much more likely to occur.
- **Concurrency** problems arise when a company has difficulty updating data at its various locations at the same time.

A shared database eliminates data redundancy and concurrency problems.

A **Database Management System (DBMS)** is software that manages the database and controls the access and use of data by individual users and applications.
**Data Relationships:**

- **One-to-one:** one entity in the data is related to only one other entity. Example: employees and social security numbers.
- **One-to-many:** one entity in the data is related to more than one other entity. Example: a vendor to many invoices.
- **Many-to-many:** one entity is related to many other entities and the reverse is also true. Example: vendors to items and items to vendors.

**The History of Databases**

**Flat File Database Model**

- 1950s and 1960s
- Data are stored in **large**, two-dimensional tables with rows and columns
- **No relationships** are defined between records
- Systems must use batch processing only, and batches must be processed in sequence
- A single record is not easily retrieved or stored

**Hierarchical Database Model**

- Inverted tree structure
- Parent-child links represent **one-to-many relationships**
- Hierarchical databases are efficient in processing large volumes of transactions, but they do not allow for easy retrieval of records except for those within an explicit linkage.

**Relational Database Model**

- Developed in 1969
- Stores data in a **series of small**, two-dimensional tables that are joined in ways to represent **many different kinds of relationships** in the data
- Most widely used database structure today
- A relational database has flexibility in retrieving data from queries.

**Relational Database**

Relational databases consist of a series of small tables. **Small tables can be joined in ways that represent relationships among the data.**

- **SQL:** an English-like query language that can be used to directly access data from the relational database.
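A small relational database with the tables joined by SQL, as an added example that is not part of the notes. It uses Python's built-in sqlite3 module so it runs offline; the Customers, Orders and OrderLines tables and the rows in them are constructed. The schema follows the first three normalization rules described later in this chapter: customer details are stored once (no redundant data), order lines sit in their own table rather than as a repeating group inside Orders, and every non-key column depends on its table's primary key. The first query answers the question the notes pose next, which customers have placed orders that have been shipped.

```python
"""Relational tables, a normalized schema, and SQL joins with sqlite3 (added example)."""
import sqlite3

SCHEMA = """
CREATE TABLE Customers (
    customer_id INTEGER PRIMARY KEY,
    name        TEXT NOT NULL,
    city        TEXT NOT NULL
);
CREATE TABLE Orders (
    order_id    INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES Customers(customer_id),  -- one customer, many orders
    order_date  TEXT NOT NULL,
    shipped     INTEGER NOT NULL DEFAULT 0                            -- 0 = open, 1 = shipped
);
CREATE TABLE OrderLines (
    order_id INTEGER NOT NULL REFERENCES Orders(order_id),           -- one order, many lines
    item     TEXT NOT NULL,
    quantity INTEGER NOT NULL CHECK (quantity > 0),
    PRIMARY KEY (order_id, item)
);
"""

# Constructed sample rows.
CUSTOMERS = [(1, "Acme Ltd", "Leeds"), (2, "Bolt Co", "Hull"), (3, "Crane plc", "York")]
ORDERS = [(10, 1, "2024-03-01", 1), (11, 2, "2024-03-02", 0),
          (12, 1, "2024-03-05", 1), (13, 3, "2024-03-06", 1)]
ORDER_LINES = [(10, "widget", 5), (11, "gear", 2), (12, "widget", 1), (13, "bolt", 100)]


def build_database():
    """Create the schema in memory and load the sample rows; return the connection."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")   # let the DBMS enforce the relationships
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO Customers VALUES (?, ?, ?)", CUSTOMERS)
    con.executemany("INSERT INTO Orders VALUES (?, ?, ?, ?)", ORDERS)
    con.executemany("INSERT INTO OrderLines VALUES (?, ?, ?)", ORDER_LINES)
    con.commit()
    return con


def customers_with_shipped_orders(con):
    """Join Customers and Orders; distinct customer names with at least one shipped order."""
    rows = con.execute(
        """
        SELECT DISTINCT c.name
        FROM Customers AS c
        JOIN Orders AS o ON o.customer_id = c.customer_id
        WHERE o.shipped = 1
        ORDER BY c.name
        """
    ).fetchall()
    return [name for (name,) in rows]


def shipped_quantity_for_city(con, city):
    """Three-table join. The city is passed as a bound parameter, not pasted into the SQL text."""
    (total,) = con.execute(
        """
        SELECT COALESCE(SUM(l.quantity), 0)
        FROM Customers AS c
        JOIN Orders AS o ON o.customer_id = c.customer_id
        JOIN OrderLines AS l ON l.order_id = o.order_id
        WHERE o.shipped = 1 AND c.city = ?
        """,
        (city,),
    ).fetchone()
    return total


def referential_integrity_enforced(con):
    """True if the DBMS rejects an order that points at a customer who does not exist."""
    try:
        con.execute("INSERT INTO Orders VALUES (99, 42, '2024-03-09', 0)")
    except sqlite3.IntegrityError:
        return True
    return False


if __name__ == "__main__":
    db = build_database()
    print("shipped to:", customers_with_shipped_orders(db))
    print("units shipped to Leeds:", shipped_quantity_for_city(db, "Leeds"))
    print("orphan order rejected:", referential_integrity_enforced(db))
```

The foreign-key check is the database-level counterpart of the validity check described under input controls: an order for a customer number that is not in the Customers table is refused by the DBMS itself, so the application cannot store it even if its own validation is skipped.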
If a manager wished to know which customers had placed orders that have been shipped, the Customers and Orders tables can be joined to extract the information.

**The Need for Normalized Data**

- **To obtain this flexibility, the tables within a relational database must be designed according to specific rules.**
- **The process of converting data into tables that meet the definition of a relational database is called data normalization.**
- There are seven rules of data normalization.
- Most relational databases are in third normal form, which means they meet the first three rules of data normalization.
- The first three rules of data normalization are:
  - **Eliminate repeating groups**
  - **Eliminate redundant data**
  - **Eliminate columns not dependent on the primary key**

**Trade-offs of Data Storage**

**The trade-off of transaction processing vs. flexibility**

- Hierarchical model
  - The quickest way to access and process records from a database when their intended use is the processing of a large volume of transactions (batch processing)
- Relational database
  - Superior if the major usage of the data is to answer queries
- Most organizations are **willing to accept less transaction processing efficiency for better query opportunities.**

**Data Warehouses, Data Mining, and Online Analytical Processing (OLAP)**

**Use of a Data Warehouse to Analyze Data**

Management often needs data from several fiscal periods from across the whole organization.

- A **data warehouse** is an integrated collection of enterprise-wide data that includes five to ten years of non-volatile data used to support management in decision-making and planning.
- An **operational database** is the data that are continually updated as transactions are processed.
  - Includes data for the current fiscal year.

To build the data warehouse:

- Identify the data
- Standardize the data
- Cleanse, or scrub, the data
- Upload the data

**Data Analysis Tools**

**Data mining** is the process of searching for identifiable patterns in data that can be **used to predict future behaviour.**

- Descriptive analytics: What has happened?
- Diagnostic analytics: Why did it happen?
- Predictive analytics: What is likely to happen?
- Prescriptive analytics: How should we act?

**Online Analytical Processing (OLAP)** is a set of software tools that allow online analysis of the data within a data warehouse. Analytical methods in OLAP usually include:

- **Drill down**
- **Consolidation:** roll-up, aggregation of similar data
- **Pivoting:** rotating, examining data from different perspectives
- **Time series analysis:** identify trends over several time periods
- **Exception reports:** present variances
- **What-if simulations**

**Big Data and Data Analytics**

**Big Data**

- Volume
- Variety of structured and unstructured data
- Velocity of change

**Data Visualization**

- The combination of big data and data visualization has enabled many companies to outline data trends more easily.

**Distributed Data Processing and Distributed Databases**

**Early days**

- Centralized processing
- Centralized databases

**Today's IT Environment**

- Distributed data processing (DDP)
- Distributed databases (DDB): a collection of smaller databases dispersed to different locations of the organization on a computer network
- Distributing the processing and data offers the following advantages and disadvantages.
| Advantages | Disadvantages |
|---|---|
| Reduced hardware cost (smaller computers rather than a single mainframe computer) | Increased difficulty in managing, controlling, and maintaining the integrity of data. |
| Improved responsiveness | The need for concurrency control rises when data is located at several sites. |
| Easier incremental growth | Organizations that use distributed data processing and distributed databases must have better controls in place to ensure the security and concurrency of the data. |
| Increased user control and user involvement | |
| Automatic integrated backup | |

**Cloud-Based Databases**

- Providers include Amazon (Amazon Elastic Compute Cloud), Google (Google Cloud Storage), Microsoft (Windows Azure), and IBM (IBM SmartCloud).
- A company can buy data storage from cloud-based data services providers.
- The arrangement is **Database as a Service (DaaS)**.
- The cloud provider generally provides:
  - data storage space, and
  - software tools to manage and control the database.

Advantages of cloud-based databases:

1. Scalability
2. Expanded access
3. Reduced infrastructure
4. Cost savings (a cost-benefit analysis is required)

**IT Controls for Data and Databases**

To ensure the integrity (completeness and accuracy) of data in the database, IT application controls should be used. These controls are:

- Input,
- Processing, and
- Output controls, such as:
  - data validation,
  - control totals and reconciliation, and
  - reports that are analyzed by managers.
**Ethical Issues Related to Data Collection**

**Ethical Responsibilities of the Company**

Data collected and stored in databases in many instances consist of information that is private between the company and its customer.

**Ten privacy practices** for online companies:

- Management
- Notice
- Choice and consent
- Collection
- Use and retention
- Access
- Disclosure to third parties
- Security for privacy
- Quality
- Monitoring and enforcement