CHAPTER 1

THE INFORMATION SYSTEM: AN

ACCOUNTANT’S
PERSPECTIVE

Learning Objectives
• Recognize the primary information flows
within the business environment.

• Understand the difference between

accounting information systems and
management information systems. INFORMATION OBJECTIVES
• Three fundamental objectives that are
• Understand the difference between financial common to all organizations:
transactions and nonfinancial transactions.
• To support the firm’s day-to-day
• Know the principal features of the general operations.
model for information systems.
• To support management decision
• Understand the organizational structure and making.
functional areas of a business.
• To support the stewardship function
• Be able to distinguish between external of management
auditing, internal auditing, and advisory
services as they relate to accounting AN INFORMATION SYSTEMS FRAMEWORK
information systems. • The information system is the set of formal
procedures by which data are collected,
The Information Environment processed into information, and distributed
• Accounting information systems (AIS) are to users.
specialized subset of information systems
that processes financial transactions. • A management information system (MIS)
is a system that processes nonfinancial
• Information flows are the flows of transactions not normally processed by
information into and out of an organization. traditional accounting information systems.
• Trading partners is a category of external • A transaction is an event that affects or is of
user, including customer sales and billing interest to the organization and is processed
information, purchase information for by its information system as a unit of work.
suppliers, and inventory receipts information.
• A financial transaction is an economic event
• Stakeholders are entities either inside or that affects the assets and equities of the
outside an organization that have a direct or organization, is measured in financial terms,
indirect interest in the firm. and is reflected in the accounts of the firm.

• Nonfinancial transactions are events that

do not meet the narrow definition of a
financial transaction.

• The Accounting Information System

 • The transaction processing system Examples of MIS Applications in Functional
(TPS) is an activity composed of three Areas
major subsystems—the revenue
cycle, the expenditure cycle, and the
conversion cycle.

• The general ledger/financial

reporting system (GL/FRS) is a
system that produces traditional
financial statements, such as income
statements, balance sheets,
statements of cash flows, tax returns,
and other reports required by law. AIS SUBSYSTEMS
• Transaction Processing System
• The management reporting system
(MRS) is a system that provides the • General Ledger/Financial Reporting Systems
internal financial information needed
to manage a business. • Nondiscretionary reporting is a
type of reporting in which the
• The Management Information System organization has few or no choices in
the information it provides. Much of
• The Need to Distinguish between AIS and MIS
this information consists of
traditional financial statements, tax
returns, and other legal documents.

• Management Reporting System

• Discretionary reporting is a type of

reporting in which the organization
can choose what information to
report and how to present it.

A GENERAL MODEL FOR AIS

• The general model for AIS is a model that
describes all information systems, regardless
of their technological architecture.

• End Users

• End users are users for whom the

Transactions Processed by the Information Systems system is built.

• External users include creditors,

stockholders, potential investors,
regulatory agencies, tax authorities,
suppliers, and customers.

• Internal users include management

at all levels of the organization as well
as operations personnel.
 • DATA VERSUS INFORMATION: Data • RELEVANCE
are facts, which may or may not be
processed (edited, summarized, or • TIMELINESS
refined) and which have no direct • ACCURACY
effect on the user. Information
causes the user to take an action that • COMPLETENESS
he or she otherwise could not, or
would not, have taken. • SUMMARIZATION

• Data Sources • Feedback

• Data sources are financial • Feedback is a form of output that is

transactions that enter the sent back to the system as a source of
information system from either data.
internal or external sources.

• Data Collection

• Data collection is the first

operational stage in the information
system.

• Data Processing

• Data processing is a group that

manages the computer resources
used to perform the day-to-day
processing of transactions.
The Data Hierarchy
• Database Management

• Database is a physical repository for

financial data.

• DATA ATTRIBUTE

• RECORD

• FILE

• DATABASE MANAGEMENT TASKS:

Organizational Structure and AIS
Database management is a special
• Physical AIS comprise technologies of various
software system that is programmed
types and configurations as well as people
to know which data elements each
and tasks from across the organization.
user is authorized to access.
• The sales processing system, which is a
• Information Generation
subsystem of the revenue cycle, includes the
• Information generation is the following organization functions: sales, credit,
process of compiling, arranging, inventory control, warehousing, shipping,
formatting, and presenting billing, accounts receivable, general ledger,
information to users. and data processing.
FUNCTIONAL SEGMENTATION Functions From Resources
• Segments are functional units of a business
organization.

• Materials Management

• Purchasing

• Receiving
THE ACCOUNTING FUNCTION
• Stores • The Value of Information

• Production • Reliability is the property of

information that makes it useful to
• Production planning involves users.
scheduling the flow of materials,
labor, and machinery to efficiently • Accounting Independence
meet production needs.
• Independence is the separation of
• Quality control monitors the the record-keeping function of
manufacturing process at various accounting from the functional areas
points to ensure that the finished that have custody of physical
products meet the firm’s quality resources.
standards.
INFORMATION TECHNOLOGY
• Maintenance keeps the firm’s • Data Processing
machinery and other manufacturing
• Centralized data processing is a
facilities in running order.
model under which all data
• Marketing processing is performed by one or
more large computers, housed at a
• Distribution central site, that serve users
throughout the organization.
• Personnel
• Distributed data processing (DDP)
• Finance
is reorganizing the IT function into
Functional Areas of a Firm small information processing units
(IPUs) that are distributed to end
users and placed under their control.

• Systems Development and Maintenance

• SYSTEMS DEVELOPMENT:
Commercial software is pre-coded
software that a user purchases from a
software vendor. Commercial
software packages are sometimes
called turnkey systems because they
often can be implemented by the user
with little or no modification.
Turnkey systems are completely
finished and tested systems that are
 ready for implementation. Custom into three categories: software as a
software is software built to service (SaaS), infrastructure as a
individual specifications. Custom service (IaaS), and platform as a
systems are more expensive than service (PaaS).
commercial packages. Systems
development life cycle is the • Software as a service (SaaS) is a
software development process. software distribution model in which
Enterprise resource planning service providers host applications
(ERP) is a system assembled of for client organizations over a private
prefabricated software components. network or the Internet.

• SYSTEMS MAINTENANCE • Outsourcing the IT Function (continued)

• Database Administration • Infrastructure as a service (IaaS) is

the provision of computing power and
• Network Administration disk space to client firms who access
it from desktop PCs. The client firm
• A network is a collection of can configure the infrastructure for
interconnected computers and storage, networks, and other
communications devices that allows computing needs, including running
users to communicate, access data operating systems and data
and applications, and share processing applications.
information and resources.
• Platform as a service (PaaS) enables
• Network administration is being client firms to develop and deploy
responsible for the effective onto the cloud infrastructure
functioning of the software and consumer-generated applications
hardware that constitute the using facilities provided by the PaaS
organization’s network. This involves vendor.
configuring, implementing, and
maintaining network equipment. Centralized Data Processing Model

• Outsourcing the IT Function

• IT outsourcing is contracting with a

third-party vendor to take over the
costs, risks, and responsibilities
associated with maintaining an
effective corporate IT function,
including management of IT assets
and staff and delivery of IT services
such as data entry, data center
operations, applications development,
applications maintenance, and
network management.

• Cloud computing is a location-

independent computing variant of IT
outsourcing whereby shared data
centers deliver hosted IT services
over the Internet. These services fall
 presentation of a client firm’s financial
statement.

• Substantive tests are tests that determine

Distributed Data Processing Model whether database contents fairly reflect the
organization’s transactions.

• Attest Service versus Advisory Services

• Tests of controls are tests that

establish whether internal controls
are functioning properly.

• IT auditing is the review of the

computer-based components of an
organization. The audit is often
performed as part of a broader
financial audit.

• Internal Audits

• Internal auditing is the appraisal

function housed within the
The Role of Accountants in AIS
organization.
• Accountants are involved in both the design
and the audit of AIS. • External versus Internal Auditors

• Accountants play a prominent role on • Fraud Audits

systems development teams as domain
experts. • The Role of the Audit Committee

• The IT professionals on the team are • Designer/Auditor Duality

responsible for the physical system.

ACCOUNTANTS AS SYSTEM DESIGNERS Chapter 2- Introduction to

• Conceptual system is the production of Transaction Processing
several alternative designs for a new system.

• Physical system is the medium and method Learning Objectives

for capturing and presenting the information.
• Understand the broad objectives of
• Data storage is an efficient information transaction cycles.
system that captures and stores data only
once and makes this single source available to • Recognize the types of transactions processed
all users who need it. by each of the three transaction cycles.

• Auditor is an expert who expresses an • Know the basic accounting records used in
opinion about the fairness of a company’s transaction processing systems.
financial statements.
• Understand the relationship between
• Attest function is an independent auditor’s traditional accounting records and their
responsibility to opine as to the fair digital equivalents in computer-based
systems.
 • Be familiar with the documentation Relationship Between Transaction Cycles
techniques used for representing manual
procedures and the computer components of
systems.

• Understand the differences between batch

and real-time processing and the impact of
these technologies on transaction processing.

• Be familiar with data coding schemes used in

accounting information systems.

An Overview of Transaction Processing

• The most common financial transactions are

economic exchanges with external parties. Accounting Records

• These include the sale of goods or services, • Accounting records are documents, journals,
the purchase of inventory, the discharge of or ledgers used in transaction cycles.
financial obligations, and the receipt of cash
MANUAL SYSTEMS
on account from customers.
• Documents
• Financial transactions are common business
events that occur regularly. • Source documents are documents
that capture and formalize
TRANSACTION CYCLES
transaction data needed for
• The Expenditure Cycle processing by their respective
transaction cycles.
• The expenditure cycle is the
acquisition of materials, property, and • Product documents are documents
labor in exchange for cash. that result from transaction
processing.
• The Conversion Cycle
• Turnaround documents are product
• The conversion cycle is the cycle documents of one system that become
composed of the production system source documents for another system.
and the cost accounting system.
• Journals
• The Revenue Cycle
• A journal is a record of a
• The revenue cycle is the cycle chronological entry.
composed of sales order processing
and cash receipts. • SPECIAL JOURNALS

• REGISTER: A register is often used to

denote certain types of special
journals. For example, the payroll
journal is often called the payroll
register.

• GENERAL JOURNALS: Journal

vouchers are accounting journal
 entries into an accounting system for A Turnaround Document
the purposes of making corrections or
adjustments to the accounting data.
For control purposes, all JVs should be
approved by the appropriate
designated authority.

• Ledgers

• A ledger is a book of accounts that

reflects the financial effects of the
firm’s transactions after they are
posted from the various journals.

• GENERAL LEDGERS

• SUBSIDIARY LEDGERS

Creation of a Source Document

Sales Order Recorded in a Sales Journal

Sales Journal

A Product Document

General Journal
Flow of Information from the Economic Event to the Relationship between the Subsidiary Ledger and the
General Ledger General Ledger

General Ledger

THE AUDIT TRAIL

• An audit trail is a set of accounting records

that trace transactions from their source
documents to the financial statements.

• An audit trail is of utmost importance in the

conduct of a financial audit.

• The external auditor’s responsibility involves,

in part, the review of selected accounts and
transactions to determine their validity,
accuracy, and completeness.

DIGITAL ACCOUNTING RECORDS

• Modern accounting systems store data in four

types of digital computer files:

• A master file contains account data.

• A transaction file is a temporary file

that holds transaction records that
will be used to change or update data
in a master file.

• A reference file is a file that stores

the data used as standards for
processing transactions.
 • An archive file is a file that contains THE FLAT-FILE MODEL
records of past transactions that are
retained for future reference.

• The Digital Audit Trail

Digital Accounting Records in a Computer-Based

System

• The flat-file model is an environment in

which individual data files are not related to
other files.

• There are three significant problems in the

File Structures
flat-file environment: data storage, data
• Digital file structures and storage techniques updating, and currency of information.
vary widely among transaction processing
• Data Capture and Storage
systems.
• Data storage is an efficient
• Some structures are effective at processing all
information system that captures and
records in large master files.
stores data only once and makes this
• Some file structures are better for directly single source available to all users
locating and processing a single record in a who need it.
large file.
• Data Updating
• The legacy systems are large mainframe
• Data updating is the periodic
systems implemented in the late 1960s
updating of data stored in the files of
through the 1980s.
an organization.

• Currency of Information

• Currency of information is a
problem associated with the flat-file
model because of its failure to update
all the user files affected by a change
in status; may result in decisions
based on outdated information.
 • Task-Data Dependency • The data flow diagram (DFD) is the
use of a set of symbols in a diagram to
• Task-data dependency is a user’s represent the processes, data sources,
inability to obtain additional data flows, and process sequences of a
information as his or her needs current or proposed system.
change.
• Entity Relationship Diagrams
• Flat Files Limit Data Integration
• An entity relationship (ER) diagram
THE DATABASE MODEL is a documentation technique used to
represent the relationship among data
entities in a system.

• Cardinality is the numeric mapping

between entities such as one-to-one
(1:1), one-to-many (1:M), and many-
to-many (M:M).

• A data model is the blueprint for

what ultimately will become the
• The database model is a symbolic model of
physical database.
the structure of, and the associations
between, an organization’s data entities. • Relationship between ER Diagrams and DFDs

• The database management system (DBMS) Data Flow Diagram Symbol Set
is a software system that controls access to
the data resource.

• The most striking difference between the

database model and the flat-file model is the
pooling of data into a common database that
all organizational users share.

Documentation Techniques

• Visual images convey vital system

information more effectively and efficiently
than words.

• Accountants use system documentation

routinely, as both systems designers and
auditors.

• Five basic documentation techniques are:

data flow diagrams, entity relationship
diagrams, system flowcharts, program
flowcharts, and record layout diagrams.

DATA FLOW DIAGRAMS AND ENTITY

RELATIONSHIP DIAGRAMS

• Data Flow Diagrams

 Data Flow Diagram of Purchases System • Flowcharting Computer Processes

• Transcribe the written facts into

visual format.

Flowchart Showing Areas of Activity

Entity Relationships Diagram Symbols

Symbol Set for Representing Manual Procedures

Data Model

Flowchart Showing Stated Fact 1 Translated into

Visual Symbols
SYSTEM FLOWCHARTS

• A system flowchart is used to show the

relationship between the key elements—
input sources, programs, and output products
—of computer systems.

• Flowcharting Manual Activities

• Lay out the physical areas of activity.

• Transcribe the written facts into

visual format.
 Flowchart Showing Stated Facts 1, 2, and 3 Flowchart Showing the Translation of Facts 1, 2, and
Translated into Visual Symbols 3 into Visual Symbol

Flowchart Showing All Stated Facts Translated into

Visual Symbols
PROGRAM FLOWCHARTS

• A program flowchart is a diagram providing

a detailed description of the sequential and
logical operations of the program.

• Every program represented in a system

flowchart should have a supporting program
flowchart that describes its logic.

• The connector lines between the symbols

establish the logical order of execution.

Flowchart Showing All Facts Translated into Visual

Symbols

Symbol Set for Representing Computer Processes

 Program Flowchart Symbols system failures, analyzing error reports, and
designing tests of computer logic for
debugging and auditing purposes.

Record Layout Diagram for Customer File

Program Flowchart for Edit Programs

Transaction Processing Models

• Alternative transaction processing models fall

broadly into two types: (1) batch processing
and (2) real-time processing.

• Batch processing involves gathering

transactions into groups or batches and then
processing the entire batch as a single event.

• Real-time processing systems process

individual transactions continuously as they
occur.

• Many systems incorporate both real-time and

System Flowchart
batch processing features.

Characteristic Differences between Batch and Real-

Time Processing

DIFFERENCES BETWEEN BATCH AND REAL-TIME

SYSTEMS

RECORD LAYOUT DIAGRAMS • Information Time Frame

• Record layout diagrams are used to reveal • Batch systems are systems that
the internal structure of the records that assemble transactions into groups for
constitute a file or database table. The layout processing.
diagram usually shows the name, data type, • Real-time systems are systems that
and length of each attribute (or field) in the process transactions individually at
record. the moment the economic event
• Detailed data structure information is needed occurs.
for such tasks as identifying certain types of
 • Resources Batch Processing with Real-Time Data Collection

• Operational Efficiency

• Efficiency versus Effectiveness

UPDATING MASTER FILES FROM TRANSACTIONS

• Updating a master file record involves

changing the value of one or more of its
variable fields to reflect the effects of a
transaction.

• Master file backup procedures

• If the current master file becomes corrupted

or is destroyed, corporate IT professionals
can retrieve the most current backed-up file
from the archives.

Record Structures for Sales, Inventory, and

Accounting Receivable Files

REAL-TIME PROCESSING

• Real-time systems process the entire

transaction as it occurs.

• Real-time processing is well suited to systems

that process lower transaction volumes and
those that do not share common records.

• Terminals at distributed sites throughout the

organization are used for receiving,
BATCH PROCESSING USING REAL-TIME DATA
processing, and sending information on the
COLLECTION
status of current transactions.
• A popular data processing approach,
Real-Time Processing of Sales Orders
particularly for large operations, is to digitally
capture and process aspects of the
transaction at the source as they occur, and
process other aspects of the transaction in
batch mode.

• Deadlock or “wait” is a state that occurs

between sites when data are locked by
multiple sites that are waiting for the removal
of the locks from the other sites.
Data Coding Schemes • A chart of accounts is a listing of an
organization’s accounts showing the
• Data coding involves creating simple numeric account number and name.
or alphabetic codes to represent complex
economic phenomena that facilitate efficient • ADVANTAGES
data processing.
• DISADVANTAGES
A SYSTEM WITHOUT CODES
• Group Codes
• Business organizations process large volumes
of transactions that are similar in their basic • Group codes are used to represent
attributes. complex items or events involving
two or more pieces of related data.
• Uncoded entry takes a great deal of recording
space, is time-consuming to record, and is • ADVANTAGES
obviously prone to many types of errors. • DISADVANTAGES
A SYSTEM WITH CODES • Alphabetic Codes
• Advantages of data coding in AIS are: • Alphabetic codes are alphabetic
• Concisely representing large amounts characters assigned sequentially.
of complex information that would • ADVANTAGES: Alphanumeric codes
otherwise be unmanageable. are codes that allow the use of pure
• Providing a means of accountability alphabetic characters embedded
over the completeness of the within numeric codes.
transactions processed. • DISADVANTAGES
• Identifying unique transactions and • Mnemonic Codes
accounts within a file.
• Mnemonic codes are alphabetic
• Supporting the audit function by characters in the form of acronyms
providing an effective audit trail. and other combinations that convey
NUMERIC AND ALPHABETIC CODING SCHEMES meaning.

• Sequential Codes • ADVANTAGES

• Sequential codes are codes that • DISADVANTAGES

represent items in some sequential Chart of Accounts
order (ascending or descending).

• ADVANTAGES

• DISADVANTAGES

• Block Codes

• A numeric block code is a coding

scheme that assigns ranges of values
to specific attributes such as account
classifications.
Appendix - Data Structures large files that require routine batch
processing and a moderate degree of
• Data structures are techniques for physically individual record processing.
arranging records in a database.
• HASHING STRUCTURE
• Organization refers to the way records are
physically arranged on the secondary storage • Hashing structure is a structure
device (e.g., a disk). employing an algorithm that converts
the primary key of a record directly
• Access method is a technique used to locate into a storage address.
records and navigate through the database.
• POINTER STRUCTURE
• Flat-file approach is an organizational
environment in which users own their data • Pointer structure is a structure in
exclusively. which the address (pointer) of one
record is stored in the field on a
• SEQUENTIAL STRUCTURE related record.
• Sequential structure is a data • Types of Pointers: A physical
structure in which all records in the address pointer contains the actual
file lie in contiguous storage spaces in disk storage location (cylinder,
a specified sequence arranged by surface, and record number) that the
their primary key. disk controller needs. A relative
• Sequential access method is a address pointer contains the relative
method in which all records in the file position of a record in the file. A
are accessed sequentially. logical key pointer contains the
primary key of the related record.
• Sequential files are files that are
structured sequentially and must be Typical File Processing Operations
accessed sequentially.

• DIRECT ACCESS STRUCTURES

• Direct access structures is the

storage of data at a unique location,
known as an address, on a hard disk Sequential Storage and Access Method
or floppy disk.

• INDEXED STRUCTURE

• Indexed structure is a class of file

structure that uses indexes for its
primary access method.

• Indexed random file is a randomly

organized file accessed via an index.

• VIRTUAL STORAGE ACCESS METHOD

STRUCTURE

• Virtual storage access method

(VSAM) is a structure used for very
 Indexed Random File Structure Hashing Technique with Pointer to Relocate the
Collision Record

Virtual Storage Access Method (VSAM) Used for

Direct Access A Linked-List File

Inserting a Record into a Virtual Storage Access

Method File
Types of Pointers
 o Ethical responsibility is the
CHAPTER 3- ETHICS, FRAUD, responsibility of organization
AND INTERNAL CONTROL managers to seek a balance between
the risks and benefits to their
constituents that result from their
Learning Objectives
decisions.
 Understand the broad issues pertaining to
o PROPORTIONALITY
business ethics.
 Have a basic understanding of ethical issues Why should we be concerned about ethics in the
related to the use of information technology. business world?
 Be able to distinguish between management
fraud and employee fraud.  Ethics are needed when conflicts arise—the
 Be familiar with common types of fraud need to choose
schemes.  In business, conflicts may arise between:
 Be familiar with the key features of the COSO o employees
internal control framework. o management
 Understand the objectives and application of o stakeholders
both physical and IT control activities.
 Litigation
 Broad issues pertaining to business ethics
 Ethical issues related to the use of Business ethics involves finding the answers
information technology to two questions:
 Distinguish between management fraud and
employee fraud  How do managers decide on what is right
 Common types of fraud schemes in conducting their business?
 Key features of SAS 78 / COSO internal  Once managers have recognized what is
control framework right, how do they achieve it?
 Objects and application of physical controls Four Main Areas of Business Ethics
Ethical Issues in Business

 Ethical standards are derived from societal

mores and deep-rooted personal beliefs
about issues of right and wrong that are not
universally agreed upon.
 Often, we confuse ethical issues with legal
issues.

BUSINESS ETHICS

 Ethics are the principles of conduct that

individuals use in making choices that guide
their behavior in situations involving the
concepts of right and wrong.
 Business ethics pertains to the principles of
conduct that individuals use in making COMPUTER ETHICS
choices and guiding their behavior in
 Computer ethics is the analysis of the nature
situations that involve the concepts of right
and social impact of computer technology and
and wrong.
the corresponding formulation and
 Making Ethical Decisions
 justification of policies for the ethical use of  Loss by position within the company:
such technology. This includes details about
software as well as hardware and concerns
about networks connecting computers as well
as computers themselves.
 concerns the social impact of computer
technology (hardware, software, and  Other results: higher losses due to men,
telecommunications). employees acting in collusion, and
employees with advance degrees
What are the main computer ethics issues?
Enron, WorldCom, Adelphia
 Privacy Underlying Problems
 Security—accuracy and confidentiality  Lack of Auditor Independence: auditing firms
 Ownership of property also engaged by their clients to perform
 Equity in access nonaccounting activities
 Environmental issues  Lack of Director Independence: directors who
 Artificial intelligence also serve on the boards of other companies,
 Unemployment and displacement have a business trading relationship, have a
 Misuse of computer financial relationship as stockholders or have
received personal loans, or have an
Legal Definition of Fraud operational relationship as employees
 False representation - false statement or  Questionable Executive Compensation
disclosure Schemes: short-term stock options as
 Material fact - a fact must be substantial compensation result in short-term strategies
in inducing someone to act aimed at driving up stock prices at the
 Intent to deceive must exist expense of the firm’s long-term health
 The misrepresentation must have  Inappropriate Accounting Practices : a
resulted in justifiable reliance upon characteristic common to many financial
information, which caused someone to act statement fraud schemes
 The misrepresentation must have caused o Enron made elaborate use of special
injury or loss purpose entities.
o WorldCom transferred transmission
line costs from current expense
accounts to capital accounts.

Sarbanes-Oxley Act of 2002

Its principal reforms pertain to:

 Creation of the Public Company

Accounting Oversight Board
(PCAOB)
 Auditor independence—more
separation between a firm’s
attestation and non-auditing
activities

2008 ACFE Study of Fraud

 Loss due to fraud equal to 7% of revenues
—approximately $994 billion
  Corporate governance and B. Corruption
responsibility—audit committee  Examples:
members must be independent o bribery
and the audit committee must o illegal gratuities
oversee the external auditors o conflicts of interest
 Disclosure requirements— o economic extortion
increase issuer and management  Foreign Corrupt Practice Act of 1977:
disclosure o indicative of corruption in business
 New federal crimes for the
world
destruction of or tampering with
o impacted accounting by requiring
documents, securities fraud, and
accurate records and internal controls
actions against whistleblowers
C. Asset Misappropriation
Employee Fraud
 Most common type of fraud and often occurs
 Committed by non-management personnel as employee fraud
 Usually consists of: an employee taking cash  Examples:
or other assets for personal gain by o making charges to expense accounts
circumventing a company’s system of internal to cover theft of asset (especially
controls cash)
o lapping: using customer’s check from
Management Fraud
one account to cover theft from a
 Perpetrated at levels of management above different account
the one to which internal control structure o transaction fraud: deleting, altering,
relates or adding false transactions to steal
 Frequently involves using financial assets
statements to create an illusion that an entity
Internal Control Objectives According to AICPA SAS
is more healthy and prosperous than it
1. Safeguard assets of the firm
actually is
2. Ensure accuracy and reliability of
 Involves misappropriation of assets, it
accounting records and information
frequently is shrouded in a maze of complex
3. Promote efficiency of the firm’s
business transactions
operations
Fraud Schemes 4. Measure compliance with
management’s prescribed policies and
Three categories of fraud schemes according to the procedures
Association of Certified Fraud Examiners:
Modifying Assumptions to the Internal Control
A. fraudulent statements Objectives
B. corruption Management Responsibility
C. asset misappropriation
The establishment and maintenance of a
A. Fraudulent Statements system of internal control is the responsibility of
 Misstating the financial statements to make management.
the copy appear better than it is
 Usually occurs as management fraud Reasonable Assurance
 May be tied to focus on short-term financial The cost of achieving the objectives of
measures for success internal control should not outweigh its benefits.
 May also be related to management bonus
packages being tied to financial statements Methods of Data Processing
 The techniques of achieving the objectives SAS 78 / COSO
will vary with different types of technology. Describes the relationship between the firm’s…

Limitations of Internal Controls  internal control structure,

 auditor’s assessment of risk, and
 Possibility of honest errors
 the planning of audit procedures
 Circumvention via collusion
 Management override How do these three interrelate?
 Changing conditions--especially in
The weaker the internal control structure, the higher
companies with high growth
the assessed level of risk; the higher the risk, the
Exposures of Weak Internal Controls (Risk) more auditor procedures applied in the audit.

 Destruction of an asset Five Internal Control Components: SAS 78 / COSO

 Theft of an asset 1. Control environment
 Corruption of information 2. Risk assessment
 Disruption of the information system 3. Information and
communication
The Internal Controls Shield 4. Monitoring
5. Control activities

1: The Control Environment

 Integrity and ethics of management

 Organizational structure
 Role of the board of directors and the
audit committee
 Management’s policies and philosophy
 Delegation of responsibility and authority
 Performance evaluation measures
 External influences—regulatory agencies
 Policies and practices managing human
resources

2: Risk Assessment

Preventive, Detective, and Corrective Controls  Identify, analyze and manage risks relevant to
financial reporting:
o changes in external environment
o risky foreign markets
o significant and rapid growth that
strain internal controls
o new product lines
o restructuring, downsizing
o changes in accounting policies

3: Information and Communication

 The AIS should produce high quality

information which:
 identifies and records all valid transactions
  provides timely information in appropriate o IT controls—relate specifically to the
detail to permit proper classification and computer environment
financial reporting o Physical controls—primarily pertain
 accurately measures the financial value of to human activities
transactions
 accurately records transactions in the time Two Types of IT Controls
period in which they occurred  General controls—pertain to the entitywide
computer environment
Information and Communication o Examples: controls over the data
center, organization databases,
 Auditors must obtain sufficient knowledge of
systems development, and program
the IS to understand:
maintenance
o the classes of transactions that are
 Application controls—ensure the integrity
material
of specific systems
 how these transactions are
o Examples: controls over sales order
initiated [input]
 the associated accounting processing, accounts payable, and
records and accounts used in payroll applications
processing [input] Six Types of Physical Controls
o the transaction processing steps  Transaction Authorization
involved from the initiation of a  Segregation of Duties
transaction to its inclusion in the  Supervision
financial statements [process]  Accounting Records
o the financial reporting process used  Access Control
to compile financial statements,  Independent Verification
disclosures, and estimates [output]
 [red shows relationship to the general AIS Physical Controls
model]
Transaction Authorization
4: Monitoring
 used to ensure that employees are
The process for assessing the quality of internal carrying out only authorized transactions
control design and operation  general (everyday procedures) or specific
(non-routine transactions) authorizations
[This is feedback in the general AIS model.]
Segregation of Duties
 Separate procedures—test of controls by
internal auditors  In manual systems, separation between:
 Ongoing monitoring: o authorizing and processing a
o computer modules integrated into transaction
routine operations o custody and recordkeeping of the asset
o management reports which highlight o subtasks
trends and exceptions from normal  In computerized systems, separation
performance between:
o program coding
5: Control Activities o program processing
 Policies and procedures to ensure that the o program maintenance
appropriate actions are taken in response to
Supervision
identified risks
 Fall into two distinct categories:
  a compensation for lack of segregation; some  ledger accounts and sometimes source
may be built into computer systems documents are kept magnetically
o no audit trail is readily apparent
Accounting Records
Access Control
 provide an audit trail
 Data consolidation exposes the organization
Access Controls
to computer fraud and excessive losses from
 help to safeguard assets by restricting disaster.
physical access to them

Independent Verification
Independent Verification
 reviewing batch totals or reconciling
 When tasks are performed by the computer
subsidiary accounts with control accounts
rather than manually, the need for an
Nested Control Objectives for Transactions independent check is not necessary.
 However, the programs themselves are
checked.

Physical Controls in IT Contexts

Transaction Authorization

 The rules are often embedded within

computer programs.
o EDI/JIT: automated re-ordering of
inventory without human
intervention

Segregation of Duties

 A computer program may perform many

tasks that are deemed incompatible.
 Thus the crucial need to separate program
development, program operations, and
program maintenance.

Supervision

 The ability to assess competent employees

becomes more challenging due to the greater
technical knowledge required.

Accounting Records