Accounting Information System
1. Formalization of Task
2. Responsibility and Authority
3. Span of Control
4. Management by Exception
Information System Objectives (for internal users)
1. To support the stewardship function of management.
2. To support management decision making.
3. To support the firm’s day-to-day operations

Acquisition of Information Systems, How?
through in-house systems development
1. Turnkey systems
2. Backbone systems
3. Vendor-supported systems
by purchase of preprogrammed commercial systems from software vendors.

Information System Models
1. The Manual Process Model
- the oldest and most traditional form of accounting systems.
- constitute the physical events, resources, and personnel that characterize many business processes.
- also includes the physical task of record keeping.
- is used to teach the principles of accounting to business students (a training aid).
2. The Flat-File Model
- most often associated with so-called legacy systems.
- environment in which individual data files are not related to other files
- end users in this environment own their data files rather than share them with other users.
- stand-alone applications rather than integrated systems perform data processing.
- “traditional”
- Problems associated with Flat-File Model
data storage*
data updating*
currency of information*
task-data dependency
flat files limit data integration

- centralizes the organization’s data into a common database that is shared by other users.
- “traditional”
- Problem: “Control”
- Solution: Database Management System
- Four Primary Elements of a Database Management
1. Users
2. Database Management System
3. Database Administrator
4. Physical Database

Database Management System
Provides a controlled environment to assist (or prevent) user access to the database and to efficiently manage the data resource.
The most important feature of a DBMS is to permit authorized user access to the database.
4. 3 Software Modules that Facilitate Database Access
1 Data definition language
Internal View
Conceptual View (Schema)
User View (Subschema)
2 Data manipulation language
3 Query languages
Flat-File vs. Database

Users have two ways to access the database:
- user application program
- direct query
OLTP Versus OLAP Servers (ERP Core Applications)
Online analytical processing (OLAP) - includes decision support, modeling, information retrieval, ad hoc reporting/analysis, and what-if analysis
Online transaction processing (OLTP) - those applications that operationally support the day-to-day activities of the business. If these applications fail, so does the business. Typical core applications include, but are not limited to, sales and distribution, business planning, production planning, shop floor control, and logistics; also called core applications.

Scalability is the system’s ability to grow smoothly and economically as user requirements increase.

Electronic Commerce Systems
- involves the electronic processing and transmission of data.
Three aspects of electronic commerce:
1. the intra-organizational use of networks to support distributed data processing
2. business-to-business transactions conducted via Electronic Data Interchange (EDI) systems
3. Internet-based commerce including business-to-consumer and business-to-business relationships.
Confidentiality of Data - accountants need to understand the cryptographic techniques used to protect the confidentiality of stored and transmitted data.
Authentication - accountants must develop the skill set needed to understand digital signatures and digital certificates and their application.

People desire to be in full control of what and how much information about themselves is available to others, and to whom it is available. This is the issue of privacy. The creation and maintenance of huge, shared databases make it necessary to protect people from the potential misuse of data.
• Security (Accuracy and Confidentiality)
Computer security is an attempt to avoid such undesirable events as a loss of confidentiality or data integrity. Security systems attempt to prevent fraud and other misuse of computer systems; they act to protect and further the legitimate interests of the system’s constituencies.
• Ownership of Property
Laws designed to preserve real property rights have been extended to cover what is referred to as intellectual property, that is, software.
• Equity in Access
Some barriers to access are intrinsic to the technology of information systems, but some are avoidable through careful system design. Several factors, some of which are not unique to information systems, can limit access to computing technology.
• Environmental Issues
Computers with high-speed printers allow for the production of printed documents faster than ever before.
• Artificial Intelligence
A new set of social and ethical issues has arisen out of the popularity of expert systems. Because of the way these systems have been marketed—that is, as decision makers or replacements for experts—some people rely on them significantly.
• Unemployment and Displacement
Many jobs have been and are being changed as a result of the availability of computer technology. People unable or unprepared to change are displaced.
• Misuse of Computers
Computers can be misused in many ways. Copying proprietary software, using a company’s computer for personal benefit, and snooping through other people’s files are just a few obvious examples.

SARBANES-OXLEY ACT AND ETHICAL ISSUES
• CONFLICTS OF INTEREST.
The company’s code of ethics should outline procedures for dealing with actual or apparent conflicts of interest between personal and professional relationships.
• FULL AND FAIR DISCLOSURES.
This provision states that the organization should provide full, fair, accurate, timely, and understandable disclosures in the documents, reports, and financial statements that it submits to the SEC and to the public. Overly complex and misleading accounting techniques were used to camouflage questionable activities that lie at the heart of many recent financial scandals. The objective of this rule is to ensure that future disclosures are candid, open, truthful, and void of such deceptions.
• LEGAL COMPLIANCE.
Codes of ethics should require employees to follow applicable governmental laws, rules, and regulations.
• INTERNAL REPORTING OF CODE VIOLATIONS.
The code of ethics must provide a mechanism to permit prompt internal reporting of ethics violations.
• ACCOUNTABILITY.
An effective ethics program must take appropriate action when code violations occur. This will include various disciplinary measures, including dismissal.

Fraud and Accountants
Fraud denotes a false representation of a material fact made by one party to another party with the intent to deceive and induce the other party to justifiably rely on the fact to his or her detriment. According to common law, a fraudulent act must meet the following five conditions:
1. False representation. There must be a false statement or a nondisclosure.
2. Material fact. A fact must be a substantial factor in inducing someone to act.
3. Intent. There must be the intent to deceive or the knowledge that one’s statement is false.
4. Justifiable reliance. The misrepresentation must have been a substantial factor on which the injured party relied.
5. Injury or loss. The deception must have caused injury or loss to the victim of the fraud.
Employee fraud, or fraud by non-management employees, is generally designed to directly convert cash or other assets to the employee’s personal benefit. Typically, the employee circumvents the company’s internal control system for personal gain. If a
company has an effective system of internal control, defalcations or embezzlements can usually be prevented or detected. Employee fraud usually involves three steps:
(1) stealing something of value (an asset),
(2) converting the asset to a usable form (cash), and
(3) concealing the crime to avoid detection.
Management fraud is more insidious than employee fraud because it often escapes detection until the organization has suffered irreparable damage or loss. Management fraud usually does not involve the direct theft of assets. Management fraud typically contains three special characteristics:
1. The fraud is perpetrated at levels of management above the one to which internal control structures generally relate.
2. The fraud frequently involves using the financial statements to create an illusion that an entity is healthier and more prosperous than, in fact, it is.
3. If the fraud involves misappropriation of assets, it frequently is shrouded in a maze of complex business transactions, often involving related third parties.

THE FRAUD TRIANGLE
(1) situational pressure, which includes personal or job-related stresses that could coerce an individual to act dishonestly;
(2) opportunity, which involves direct access to assets and/or access to information that controls assets; and
(3) ethics, which pertains to one’s character and degree of moral opposition to acts of dishonesty.

FINANCIAL LOSSES FROM FRAUD
The actual cost of fraud is, however, difficult to quantify for a number of reasons:
(1) not all fraud is detected;
(2) of that detected, not all is reported;
(3) in many fraud cases, incomplete information is gathered;
(4) information is not properly distributed to management or law enforcement authorities; and
(5) too often, business organizations decide to take no civil or criminal action against the perpetrator(s) of fraud.

THE PERPETRATORS OF FRAUDS
• Fraud Losses by Position within the Organization
• Fraud Losses and the Collusion Effect
• Fraud Losses by Gender
• Fraud Losses by Age
• Fraud Losses by Education
Position. Individuals in the highest positions within an organization are beyond the internal control structure and have the greatest access to company funds and assets.
Gender. Women are not fundamentally more honest than men, but men occupy high corporate positions in greater numbers than women. This affords men greater access to assets.
Age. Older employees tend to occupy higher-ranking positions and therefore generally have greater access to company assets.
Education. Generally, those with more education occupy higher positions in their organizations and therefore have greater access to company funds and other assets.
Collusion. One reason for segregating occupational duties is to deny potential perpetrators the opportunity they need to commit fraud. When individuals in critical positions collude, they create opportunities to control or gain access to assets that otherwise would not exist.

FRAUD SCHEMES
Fraudulent Statements
Fraudulent statements are associated with management fraud. Whereas all fraud involves some form of financial misstatement, to meet the definition under this class of fraud scheme the statement itself must bring direct or indirect financial benefit to the perpetrator.

Corruption
Corruption involves an executive, manager, or employee of the organization in collusion with an outsider.
BRIBERY. Bribery involves giving, offering, soliciting, or receiving things of value to influence an official in the performance of his or her lawful duties.
ILLEGAL GRATUITIES. An illegal gratuity involves giving, receiving, offering, or soliciting something of value because of an official act that has been taken. This is similar to a bribe, but the transaction occurs after the fact.
CONFLICTS OF INTEREST. Every employer should expect that his or her employees will conduct their duties in a way that serves the interests of the employer. A conflict of interest occurs when an employee acts on behalf of a third party during the discharge of his or her duties or has self-interest in the activity being performed.
ECONOMIC EXTORTION. Economic extortion is the use (or threat) of force (including economic sanctions) by an individual or organization to obtain something of value. The item of value could be a financial or economic asset, information, or cooperation to obtain a favorable decision on some matter under review.

Asset Misappropriation
The most common fraud schemes involve some form of asset misappropriation in which assets are either directly or indirectly diverted to the perpetrator’s benefit. Ninety percent of the frauds included in the ACFE study fall in this general category.
Skimming. Skimming involves stealing cash from an organization before it is recorded on the organization’s books and records. One example of skimming is an employee who accepts payment from a customer but does not record the sale.
Cash Larceny. Cash larceny involves schemes in which cash receipts are stolen from an organization after they have been recorded in the organization’s books and records. An example of this is lapping, in which the cash receipts clerk first steals and cashes a check from Customer A.
Billing Schemes
Billing schemes, also known as vendor fraud, are perpetrated by employees who cause their employer to issue a payment to a false supplier or vendor by submitting invoices for fictitious goods or services, inflated invoices, or invoices for personal purchases.
• shell company fraud first requires that the perpetrator establish a false supplier on the books of the victim company
• pass through fraud is similar to the shell company fraud with the exception that a transaction actually takes place. The false vendor charges the victim company a much higher than market price for the items, but pays only the market price to the legitimate vendor.
• pay-and-return scheme is a third form of vendor fraud. This typically involves a clerk with check writing authority who pays a vendor twice for the same products (inventory or supplies) received.
Check Tampering
Check tampering involves forging or changing in some material way a check that the organization has written to a legitimate payee.
Payroll Fraud
Payroll fraud is the distribution of fraudulent paychecks to existent and/or nonexistent employees.
Expense Reimbursements
Expense reimbursement frauds are schemes in which an employee makes a claim for reimbursement of fictitious or inflated business expenses.
Thefts of Cash
Thefts of cash are schemes that involve the direct theft of cash on hand in the organization.
Non-Cash Misappropriations
Non-cash fraud schemes involve the theft or misuse of the victim organization’s non-cash assets.
Computer Fraud
Because computers lie at the heart of modern accounting information systems, the topic of computer fraud is of importance to auditors.

THE UNDERLYING PROBLEMS.
• Lack of Auditor Independence.
• Lack of Director Independence.
• Questionable Executive Compensation Schemes.
• Inappropriate Accounting Practices.

Internal Control Concepts and Techniques
The internal control system comprises policies, practices, and procedures employed by the organization to achieve four broad objectives:
• To safeguard assets of the firm.
• To ensure the accuracy and reliability of accounting records and information.
• To promote efficiency in the firm’s operations.
• To measure compliance with management’s prescribed policies and procedures.
Modifying Assumptions
• MANAGEMENT RESPONSIBILITY.
• REASONABLE ASSURANCE.
• METHODS OF DATA PROCESSING.
• LIMITATIONS.

Undesirable Events
• Access, Fraud, Errors, Mischief
The absence or weakness of a control is called an exposure.
Types of risks:
• Destruction of assets (both physical assets and information).
• Theft of assets.
• Corruption of information or the information system.
• Disruption of the information system.

Levels of Control
• PREVENTIVE CONTROLS. Prevention is the first line of defense in the control structure. Preventive controls are passive techniques designed to reduce the frequency of occurrence of undesirable events.
• DETECTIVE CONTROLS. Detective controls form the second line of defense. These are devices, techniques, and procedures designed to identify and expose undesirable events that elude preventive controls.
• CORRECTIVE CONTROLS. Corrective controls are actions taken to reverse the effects of errors detected in the previous step. There is an important distinction between detective controls and corrective controls. Detective controls identify anomalies and draw attention to them; corrective controls actually fix the problem.

Sarbanes-Oxley and Internal Control
Sarbanes-Oxley legislation requires management of public companies to implement an adequate system of internal controls over their financial reporting process.

SAS 78/COSO INTERNAL CONTROL FRAMEWORK
The SAS 78/COSO framework consists of five components: the control environment, risk assessment, information and communication, monitoring, and control activities.

The Control Environment
The control environment is the foundation for the other four control components. The control environment sets the tone for the organization and influences the control awareness of its management and employees.

Risk Assessment
Organizations must perform a risk assessment to identify, analyze, and manage risks relevant to financial reporting.

Monitoring is the process by which the quality of internal control design and operation can be assessed.

Control Activities
Control activities are the policies and procedures used to ensure that appropriate actions are taken to deal with the organization’s identified risks.
• IT CONTROLS. IT controls relate specifically to the computer environment. They fall into two broad groups: general controls and application controls. General controls pertain to entity-wide concerns such as controls over the data center, organization databases, systems development, and program maintenance. Application controls ensure the integrity of specific systems such as sales order processing, accounts payable, and payroll applications.
• PHYSICAL CONTROLS. This class of controls relates primarily to the human activities employed in accounting systems. These activities may be purely manual, such as the physical custody of assets, or they may involve the physical use of computers to record transactions or update accounts. Physical controls do not relate to the computer logic that actually performs accounting tasks. Rather, they relate to the human activities that trigger and utilize the results of those tasks. In other words, physical controls focus on people, but are not restricted to an environment in which clerks update paper accounts with pen and ink.

TRANSACTION AUTHORIZATION. The purpose of transaction authorization is to ensure that all material transactions processed by the information system are valid and in accordance with management’s objectives.
• General authority is granted to operations personnel to perform day-to-day operations.
• Specific authorizations deal with case-by-case decisions associated with nonroutine transactions.

SEGREGATION OF DUTIES. One of the most important control activities is the segregation of employee duties to minimize incompatible functions. Segregation of duties can take many forms, depending on the specific duties to be controlled.

SUPERVISION. An underlying assumption of supervision control is that the firm employs competent and trustworthy personnel.

ACCOUNTING RECORDS. The accounting records of an organization consist of source documents, journals, and ledgers. These records capture the economic essence of transactions and provide an audit trail of economic events.

ACCESS CONTROL. The purpose of access controls is to ensure that only authorized personnel have access to the firm’s assets. Unauthorized access exposes assets to misappropriation, damage, and theft.

INDEPENDENT VERIFICATION. Verification procedures are independent checks of the accounting system to identify errors and misrepresentations. Verification differs from supervision because it takes place after the fact, by an individual who is not directly involved with the transaction or task being verified.

SARBANES-OXLEY ACT AND FRAUD.
1. Accounting Oversight Board. SOX created a Public Company Accounting Oversight Board (PCAOB). The PCAOB is empowered to set auditing, quality control, and ethics standards; to inspect registered accounting firms; to conduct investigations; and to take disciplinary actions.
2. Auditor Independence. The act addresses auditor independence by creating more separation between a firm’s attestation and nonauditing activities. This is intended to specify categories of services that a public accounting firm cannot perform for its client. These include the following nine functions:
a. Bookkeeping or other services related to the accounting records or financial statements
b. Financial information systems design and implementation
c. Appraisal or valuation services, fairness opinions, or contribution-in-kind reports
d. Actuarial services
e. Internal audit outsourcing services
f. Management functions or human resources
g. Broker or dealer, investment adviser, or investment banking services
h. Legal services and expert services unrelated to the audit
i. Any other service that the PCAOB determines is impermissible
Whereas SOX prohibits auditors from providing these services to their audit clients, they are not prohibited from performing such services for non-audit clients or privately held companies.
3. Corporate Governance and Responsibility. The act requires all audit committee members to be independent and requires the audit committee to hire and oversee the external auditors. This provision is consistent with many investors who consider the board composition to be a critical investment factor. For example, a Thomson Financial survey revealed that most institutional investors want corporate boards to be composed of at least 75 percent independent directors.
Two other significant provisions of the act relating to corporate governance are (1) public companies are prohibited from making loans to executive officers and directors, and (2) the act requires attorneys to report evidence of a material violation of securities laws or breaches of fiduciary duty to the CEO, CFO, or the PCAOB.
4. Issuer and Management Disclosure. SOX imposes new corporate disclosure requirements, including:
a. Public companies must report all off-balance-sheet transactions.
b. Annual reports filed with the SEC must include a statement by management asserting that it is responsible for creating and maintaining adequate internal controls and asserting to the effectiveness of those controls.
c. Officers must certify that the company’s accounts “fairly present” the firm’s financial condition and results of operations.
d. Knowingly filing a false certification is a criminal offense.
5. Fraud and Criminal Penalties. SOX imposes a range of new criminal penalties for fraud and other wrongful acts. In particular, the act creates new federal crimes relating to the destruction of documents or audit work papers, securities fraud, tampering with documents to be used in an official proceeding, and actions against whistle-blower