Instructor Solution Manual For Accountin
CHAPTER 1
ACCOUNTING INFORMATION SYSTEMS: AN OVERVIEW

SUGGESTED ANSWERS TO DISCUSSION QUESTIONS

1.1 The value of information is the difference between the benefits realized from using that information and the costs of producing it. Would you, or any organization, ever produce information if its expected costs exceeded its benefits? If so, provide some examples. If not, why not?

Most organizations produce information only if its value exceeds its cost. However, there are two situations where information may be produced even if its cost exceeds its value.

a. It is often difficult to estimate accurately the value of information and the cost of producing it. Therefore, organizations may produce information that they expect will produce benefits in excess of its costs, only to be disappointed after the fact.
b. Production of the information may be mandated by either a government agency or a private organization. Examples include the tax reports required by the IRS and disclosure requirements for financial reporting.

1.2 Can the characteristics of useful information listed in Table 1-1 be met simultaneously? Or does achieving one mean sacrificing another?

Several of the criteria in Table 1-1 can be met simultaneously. For example, more timely information is also likely to be more relevant. Verifiable information is likely to be more reliable. However, achieving one objective may require sacrificing another. For example, ensuring that information is more complete may reduce its timeliness. Similarly, increased verifiability and reliability may reduce its timeliness. The decision maker must decide which trade-offs are warranted in a given situation.

1.3 You and a few of your classmates decided to become entrepreneurs. You came up with a great idea for a new mobile phone application that you think will make lots of money.
Your business plan won second place in a local competition, and you are using the $10,000 prize to support yourselves as you start your company.

a. Identify the key decisions you need to make to be successful entrepreneurs, the information you need to make them, and the business processes you will need to engage in.
b. Your company will need to exchange information with various external parties. Identify the external parties, and specify the information received from and sent to each of them.

The author turns this question into an in-class group activity. Students are divided up in groups, told to close their books, and given 15 minutes to:

a. Think through the business processes, key decisions, and information needs issues in their group.
b. Identify the external users of information and specify the information received from and sent to each of them.

One group is selected to present their answers to the class. The other groups are told to challenge the group’s answers, provide alternative answers, and chip in with additional answers not provided by the selected group. Since the group that presents is not selected until after the time has expired, students are motivated to do a good job, as they will be presenting to their peers.

The value of this activity is not in arriving at a “right answer” as there are many right answers and student answers will vary. Instead, it is in thinking through the issues presented in Table 1-2 (business processes, key decisions, and information needs) and Figure 1-1 (interactions with external parties). Student answers should contain many of the things in Table 1-2 and Figure 1-1 as well as others not shown, as a retail operation differs from an application development enterprise.
The author concludes the exercise by having the students turn to Table 1-2 and Figure 1-1 while he emphasizes the need for owners, managers, and employees of organizations to identify the information needed to make key decisions in the company’s business processes and the key information interchanges with external parties. All of the data needed to produce this information must be entered into the AIS, processed, stored, protected, and made available to the appropriate users.

While this active learning activity takes more time than a lecture does, it drives the point home much better than a lecture would. It also keeps the students more engaged in the material.

1.4 How do an organization’s business processes and lines of business affect the design of its AIS? Give several examples of how differences among organizations are reflected in their AIS.

An organization’s AIS must reflect its business processes and its line of business. For example:

• Manufacturing companies will need a set of procedures and documents for the production cycle; non-manufacturing companies do not.
• Government agencies need procedures to track separately all inflows and outflows from various funds, to ensure that legal requirements about the use of specific funds are followed.
• Financial institutions do not need extensive inventory control systems.
• Passenger service companies (e.g., airlines, bus, and trains) generally receive payments in advance of providing services. Therefore, extensive billing and accounts receivable procedures are not needed; instead, they must develop procedures to account for prepaid revenue.
• Construction firms typically receive payments at regular intervals, based on the percentage of work completed. Thus, their revenue cycles must be designed to track carefully all work performed and the amount of work remaining to be done.
• Service companies (e.g., public accounting and law firms) do not sell physical goods and, therefore, do not need inventory control systems. They must develop and maintain detailed records of the work performed for each customer to provide backup for the amounts billed. Tracking individual employee time is especially important for these firms because labor is the major cost component.

1.5 Figure 1-4 shows that organizational culture and the design of an AIS influence one another. What does this imply about the degree to which an innovative system developed by one company can be transferred to another company?

Since people are one of the basic components of any system, it will always be difficult to transfer successfully a specific information systems design intact to another organization. Considering in advance how aspects of the new organizational culture are likely to affect acceptance of the system can increase the chances for successful transfer. Doing so may enable the organization to take steps to mitigate likely causes of resistance. The design of an AIS, however, itself can influence and change an organization’s culture and philosophy. Therefore, with adequate top management support, implementation of a new AIS can be used as a vehicle to change an organization. The reciprocal effects of technology and organizational culture on one another, however, mean that it is unrealistic to expect that the introduction of a new AIS will produce the same results observed in another organization.

1.6 Figure 1-4 shows that developments in IT affect both an organization’s strategy and the design of its AIS. How can a company determine whether it is spending too much, too little, or just enough on IT?

There is no easy answer to this question. Although a company can try to identify the benefits of a new IT initiative and compare those benefits to the associated costs, this is often easier said than done.
Usually, it is difficult to measure precisely the benefits of new uses of IT. Nevertheless, companies should gather as much data as possible about changes in market share, sales trends, cost reductions, and other results that can plausibly be associated with an IT initiative and that were predicted in the planning process.

1.7 Apply the value chain concept to S&S. Explain how it would perform the various primary and support activities.

The value chain classifies business activities into two categories: primary and support.

The five primary activities at S&S:

a. Inbound logistics includes all processes involved in ordering, receiving, and temporarily storing merchandise that is going to be sold to S&S customers.
b. S&S does not manufacture any goods, thus its operations activities consist of displaying merchandise for sale and protecting it from theft.
c. Outbound logistics includes delivering the products to the customer.
d. Sales & marketing includes ringing up and processing all sales transactions and advertising products to increase sales.
e. Service includes repairs, periodic maintenance, and all other post-sales services offered to customers.

The four support activities at S&S:

a. Firm infrastructure includes the accounting, finance, legal, and general administration functions required to start and maintain a business.
b. Human resource management includes recruiting, hiring, training, evaluating, compensating, and dismissing employees.
c. Technology includes all investments in computer technology and various input/output devices, such as point-of-sale scanners. It also includes all support activities for the technology.
d. Purchasing includes all processes involved in identifying and selecting vendors to supply goods and negotiating the best prices, terms, and support from those suppliers.

1.8 Information technology enables organizations to easily collect large amounts of information about employees.
Discuss the following issues:

These questions involve traditional economic cost/benefit issues and less well-defined ethical issues.

a. To what extent should management monitor employees’ e-mail?

Generally, the courts have held that organizations have the right to monitor employees’ email. Such monitoring can have disastrous effects on employee morale, however. On the other hand, it might provide legitimate information about group members’ individual contributions and productivity.

b. To what extent should management monitor which Web sites employees visit?

Students are likely to argue whether or not this should be done. One potential benefit that could be argued is the likelihood that if employees are aware that they will be monitored they will be less prone to surf the Web for non-work-related uses.

c. To what extent should management monitor employee performance by, for example, using software to track keystrokes per hour or some other unit of time? If such information is collected, how should it be used?

Arguments pro and con can be generated about the effects of such monitoring on performance and on morale. Clearly, the specifics of any incentive schemes tied to such metrics are important.

d. Should companies use software to electronically “shred” all traces of e-mail?

Arguments can be raised on both sides of this issue. Try to get students to go beyond the legal ramifications of recent news stories and to explore the ethical implications of destroying different kinds of email.

e. Under what circumstances and to whom is it appropriate for a company to distribute information it collects about the people who visit its Web site?

Direct students to the guidelines followed by organizations that certify how various web sites use the information they collect. Students are likely to make the argument that personal information is inherently private and sacrosanct. To challenge that view, ask them about the legitimacy of developing and maintaining a reputation.
Doesn’t that involve the divulgence and sharing of personal information among strangers? Ask the class if it is feasible (or undesirable) to totally prevent or prohibit such sharing of information.

The instructor should also refer the students to Generally Accepted Privacy Principles (GAPP), as one of its criteria concerns sharing information with 3rd parties. The instructor and the students could read the GAPP criterion about sharing data together, and then discuss what they think. Remind the students that GAPP is not regulatory law – just recommended best practice.

SUGGESTED ANSWERS TO THE PROBLEMS

1.1 Information technology is continually changing the nature of accounting and the role of accountants. Write a two-page report describing what you think the nature of the accounting function and the accounting information system in a large company will be like in the year 2020.

Numerous answers are possible. Several articles addressing this topic have appeared in Strategic Finance and the Journal of Accountancy.

1.2 Adapted from the CMA Examination

a. Identify and discuss the basic factors of communication that must be considered in the presentation of the annual report.

The annual report is a one-way communication device. This requires an emphasis on clarity and conciseness because there is no immediate feedback from the readers as to what messages they are receiving. The preparer must attempt to identify the users/audience of the report, and to determine their values, beliefs, and needs. Then the preparer can determine the language, i.e., words and phrases that would be appropriate and familiar to the users/audience. The preparer must also consider the organization of the material in the report. Logical ordering and attractive formatting facilitate the transmission of ideas.

b.
Discuss the communication problems a corporation faces in preparing the annual report that result from the diversity of the users being addressed.

The different users of annual reports have differing information needs, backgrounds, and abilities. For some users, the annual report may serve as an introduction to the company and/or the only significant information about the company. By using the report to communicate to all users, the problems the corporation faces include the following.

• In an attempt to reach several audiences, a company may include information for each audience. Consequently, the annual report may grow in size and complexity to the point where it contains more information than many users want to receive or are able to comprehend, i.e., information overload. In some cases, technical concepts may be reduced to concepts that are more common; this reduces precision and conciseness thereby leading to more generalizations.
• Care must be taken in the presentation of information. Words and phrases familiar to one user group may not be understood by those in other user groups. Graphic displays that are meaningful to some may be meaningless to others.

c. Select two types of information found in an annual report, other than the financial statements and accompanying footnotes, and describe how they are helpful to the users of annual reports.

Other than the financial statements and accompanying footnotes, an annual report provides information concerning

• Management's discussion and analysis of results.
• Organizational objectives, strategies, and management's outlook for the future.
• Board of Directors members and the officers and top management of the organization.
• Segment data and performance information.
• New initiatives and research information.
• Recent stock price history and stock information.
Students will have many and varied answers as to how the information is helpful, which should lead to a rich class discussion. This discussion can be combined with the discussion of part e.

d. Discuss at least two advantages and two disadvantages of stating well-defined corporate strategies in the annual report.

Stating well-defined corporate strategies in a company's annual report accomplishes the following:

Advantages:
• Communicates the company's plan for the future and resolves any disparate issues.
• Provides a vehicle for communicating the company's strengths.
• Builds investor confidence and portrays a positive image.

Disadvantages:
• Locks management into fulfilling stated objectives and strategies, causing inflexibility.
• Communicates to unintended users who could put the company at risk (i.e., competitors).

e. Evaluate the effectiveness of annual reports in fulfilling the information needs of the following current and potential users: shareholders, creditors, employees, customers, and financial analysts.

Annual reports fulfill users' information needs as discussed below.

1. Shareholders. Annual reports meet the statutory requirement that publicly held corporations are to report annually to stockholders and report on the stewardship of management to both current and potential stockholders. The annual report gives shareholders financial and operating information such as income from operations, earnings per share, the Balance Sheet, Cash Flow Statement, and related footnote disclosure that potential shareholders need to evaluate the risks of and potential returns on investment. However, the volume of data presented in annual reports can result in information overload that reduces the value of the reports. Confusion can result from reducing technical concepts to common concepts or by the presentation of duplicate messages by different forms of media.

2. Creditors.
The annual report of public companies provides financial information as well as trend information. This allows creditors to project financial solvency and to evaluate the company’s ability to repay loans.

3. Employees. The annual report gives the employees information such as a description of the company's pension plan and the employee stock incentive plan. This gives employees a base from which to compare their benefits program to those of other companies. Annual reports also provide employees with a year-end review of the results to which they have contributed during the year. In this sense, the annual report provides reinforcement and rewards. The annual report also informs or reminds employees of the organization's values and objectives and sensitizes them to the aspects of the organization with which they are not familiar. On the other hand, the employee already knows how the organization is performing so the annual report does not provide any substantive additional information.

4. Customers. The annual report provides customers with trend information and management performance information. They can use this to assess the company's past and current performance.

5. Financial analysts. The set of audited comparative financial statements provides the basis for analysis done by financial analysts. Notes, which are an integral part of the statements, describe or explain various items in the statements, present additional detail, or summarize significant accounting policies. Financial analysts are the most sophisticated class of users of annual reports. However, some data may be too condensed. Analysts may also need information in addition to that provided in annual reports to facilitate their analyses.

f. Annual reports are public and accessible to anyone, including competitors. Discuss how this affects decisions about what information should be provided in annual reports.
Management may omit information entirely from the annual report or disguise it because competitors have access to annual reports. The objective of reporting should be to reveal as much as possible without giving away proprietary information or a competitive edge.

1.3 The use of IT at USAA

a. Why should USAA collect data on which auto parts are fixed most frequently? What could it do with this data?

Companies should gather and store data if the benefits received from the data are greater than the cost of collecting it. The data regarding the auto parts that get fixed most frequently is probably not costly to gather. It would probably be part of the claims information submitted by the insured parties. Therefore, the only significant cost would be to store the data and process it.

USAA passes the data on the parts to parts manufacturers, suppliers, and the Big Three automobile manufacturers. These companies use the data to improve their parts. Some use the data to determine which new products to offer. For example, one supplier may see that other suppliers are producing low quality products and determine that they could produce a better product for the same or a lower price.

b. Even though USAA offered to waive the deductible, the repair shops still managed to convince 95% of the owners to replace rather than repair their damaged windshields. How could USAA use its AIS to persuade more shop owners to repair rather than replace their windows?

USAA began capturing data on the repair records of the various shops that worked for them. They published this information in the newsletter sent to repair shops. The shops noticed how they compared to other shops and began repairing more windshields. Over a four-year period, the number of repaired windshields rose from 5% to 28%.

c. How does the image-processing system at USAA add value to the organization?
The system adds value by streamlining business processes and making them more effective and efficient. Before the image-processing system was installed, policy service representatives had to work with paper documents. Customer files were often missing or incomplete and documents were misfiled. The result was delays, multiple phone calls, and an inability to bring problems to timely closure. Now the documents are never missing or misplaced and service representatives have all the information they need to make a decision on the first phone call.

d. How do the remote deposit capture and mobile banking system at USAA add value to the organization?

USAA’s customers are widely scattered and USAA does not have local offices everywhere there are military personnel. In addition, military personnel also are deployed in areas where they have ready access to cell phones but not personal computers. Therefore, USAA needs a way to deposit funds on a timely basis and to interact by phones that are able to access the internet. The new applications meet these needs.

e. Do an Internet search and find out what other advancements USAA has introduced. Write a brief paragraph on each new application or other newsworthy item you find (maximum limit of three applications or items).

Students should be able to find numerous applications or newsworthy items. Here is a sampling of articles that may be of interest. You should make sure the links are still active before telling the students about them.

http://www.americanbanker.com/printthis.html?id=20090624LXHZ1DW7&btn=true
http://www.cio.com/article/print/32260
http://pirp.harvard.edu/pubs_pdf/mosco/mosco-p94-9.pdf
Harvard Business School Case 9-190-155

1.4 Match the description in the right column with the information characteristic in the left column.

Answer   Characteristic
F        1. Relevant
E, C     2. Reliable
D        3. Complete
G, B     4. Timely
A        5. Understandable
C        6. Verifiable
B        7. Accessible

Descriptions:
a. The report was carefully designed so that the data contained on the report became information to the reader
b. The manager was working one weekend and needed to find some information about production requests for a certain customer. He was able to find the report on the company’s network.
c. The data on a report was checked by two clerks working independently
d. An accounts receivable aging report that included all customer accounts
e. A report checked by 3 different people for accuracy
f. An accounts receivable aging report used in credit granting decisions
g. An accounts receivable aging report was received before the credit manager had to make a decision whether to extend customer credit

1.5 The Howard Leasing Company

Student solutions will vary based on their background and education. The following is one possible solution.

a. What is an accounts receivable aging report?

An accounts receivable aging report lists customer account balances by length of time outstanding.

b. Why is an accounts receivable aging report needed for an audit?

An accounts receivable aging report is needed during an audit to determine whether the company’s accounts receivable balance is properly valued.

c. What is an accounts receivable aging report used for in normal company operations?

An accounts receivable aging report is used in normal company operations to provide information for:
− Evaluating current credit policies
− Determining appropriate credit limits for new customers
− Deciding whether to increase or decrease the credit limit for existing customers
− Estimating bad debts
− Initiating collection procedures for overdue accounts

d. What data will you need to prepare the report?

To prepare an accounts receivable aging report, credit sales and cash collections data is needed for each customer granted credit.

e. Where will you collect the data you need to prepare the report?
The data needed to prepare the accounts receivable aging report can be collected from the sales transaction and cash collections files or tables.

f. How will you collect the necessary data for the report?

If the data is in machine-readable form, it can be collected by preparing and running programs or queries that will extract the sales and cash receipts data. If the data is maintained on paper, it can be collected from daily or monthly sales reports and daily or monthly cash receipts reports.

g. What will the report look like (i.e., how will you organize the data collected to create the information your supervisor needs for the audit)? Prepare an accounts receivable aging report in Excel or another spreadsheet package.

The accounts receivable aging report should look something like the following, whether it is prepared on paper or in Excel:

Customer Number | Customer Name | 0-30 Days Outstanding | 31-60 Days Outstanding | 61-90 Days Outstanding | 91+ Days Outstanding

h. How will you distribute the report? How many copies will you make? Who should receive the copies? What security features will you implement?

The accounts receivable aging report should be restricted to employees with operational or authoritative responsibility for customer accounts, such as the accounts receivable clerk, the credit manager, and the controller. If the report is in an electronic form, access to the report should be restricted to appropriate authorized personnel. If the report is distributed on paper, only as many copies as necessary should be produced and they should be delivered in a manner that ensures the confidentiality of the data. Security features could include placing the report on a password-protected server or encrypting the file prior to emailing it or placing it on a server.

1.6 The use of IT at Tesco

a. What kind of information do you think Tesco gathers?
• The Clubcard application filled out in the store captures data such as customer names, addresses, household size, ages of children, dietary preferences, and income levels.
• When the Clubcard is used to qualify for the discounts, Tesco computers record everything a customer purchases.

b. How do you think Tesco has motivated over 12 million customers to sign up for its Clubcard program?

• It offers merchandise discounts to customers who sign up and gives card users a point for every pound spent. Points can be used to reduce the price of future purchases or exchanged for frequent flier miles.
• Big spenders are sent special promotions.

c. What can Tesco accomplish with the Clubcard data it collects? Think in terms of strategy and competitive advantage.

• Customized coupons and promotions. Tesco analyzes customer purchases and customizes its marketing based on the results. Quarterly, Tesco mails active Clubcard customers three coupons for frequently purchased items and three coupons for items they are likely to buy or that Tesco wants them to try. Tesco is so good at understanding its customers’ tastes and preferences that its coupons are 10 to 15 times more likely to be used than other coupons. The quarterly mailing also contains vouchers that allow members to redeem their accumulated points. Some 95% of all vouchers are redeemed.
• Cross marketing. Analysis of customer data allows Tesco to discover unique buying habits. For example, men who purchased diapers for newborns buy more beer than the normal male – presumably because they are more likely to stay at home and less likely to go out.
• Improved decision-making. Tesco has been able to make better decisions and set better company goals than ever before. Using data on purchases and the ethnic makeup of the neighborhoods surrounding the stores, Tesco is able to stock goods that have greater customer appeal.
For example, Tesco noticed that customers in a small store in a South Asian and Arab part of town were not buying complete meals. They went elsewhere to buy certain staple foods and Asian brands. Further analysis led to the decision to replace the small store with a Supercenter that offered more than 800 foreign products. It included a halal butcher shop, the latest movies from India, Arabic and Asian newspapers, and an Indian jewelry counter. Tesco also redesigned its shopping carts to handle the bulk purchases of its customers more easily.
• Customer loyalty. Tesco used Clubcard data to neutralize Wal-Mart’s most significant advantage. Tesco identified 300 items that price-sensitive shoppers frequently purchased and lowered their prices. This kept the customers most likely to shop at Wal-Mart from defecting.
• New product rollouts. Analysis of Clubcard data showed that affluent customers were not buying certain products like fruit, cheese, and wine. This led to the introduction of a premium quality brand, “Tesco’s Finest,” that successfully attracted affluent customers. Customer data also allows Tesco to figure out quickly how new initiatives are working. For example, when Tesco rolled out ethnic foods for Indians and Pakistanis, data analysis showed that white affluent customers were also buying the products. The rollout was quickly expanded to include them.
• Improved supplier relationships. Outside companies are taking advantage of Tesco’s data to improve their decision-making. When Kimberly-Clark introduced a premium toilet paper, it used Clubcard data to track who purchased it and who continued to purchase it. Further analysis showed that those who bought the toilet paper also were big buyers of skin-care products. This allowed Kimberly-Clark to develop a marketing program that offered free beauty treatments to those who continued to buy the toilet paper.

d.
What are some of the disadvantages to the Clubcard program?

Some critics believe that loyalty card programs
• Are too expensive to maintain and that companies can buy data to achieve similar results for less than the loyalty program costs.
• Slow down checkout lines
• Are a threat to the customer’s privacy

e. Do an Internet search to find out how Tesco is doing in comparison to Wal-Mart and other grocers and retailers. Write a few paragraphs explaining your findings.

Students should easily be able to find information that updates the competition between these two powerhouse retail companies.

Source: Rohwedder, Cecille. “No.1 Retailer in Britain Uses ‘Clubcard’ to thwart Wal-Mart,” Wall Street Journal, June 6, 2006, pg A1. http://online.wsj.com/article_print/SB114955981460172218.htm

1.7 Have you ever imagined having one electronic device that does everything you would ever need? Mobile phone makers in Japan have gone beyond the imagining phase. Cell phones in Japan are becoming more versatile than ever. Newer models of cell phones contain a myriad of applications and can do many of the things that a personal computer (PC) can do. PCs are also able to function as phones. A small but growing number of professionals are trading in their laptops for handheld computers. Cell phone manufacturers in the United States and elsewhere are quickly catching up to their Japanese counterparts.

As technology is moving so quickly, there are no right answers to this question. Thousands of new cell phone applications are created each year.

The author does not usually collect this problem. Instead, he has the students describe the different things they do with their phones. He then adds other things that he and others he knows use them for. The point is to discuss how fast technology is changing, the need to keep up with the changes, and the use of technology as a competitive advantage. Some things to consider mentioning are:

a.
What commercial activities can be done with a cell phone? With a cell phone/PC combination device? What do you do when you’re on your cell phone? What do you expect to be doing in five years? Newer models of cell phones contain a myriad of applications, including video cameras, digital music players, television remote features, and digital recording. For example: 1. The E-wallet function virtually turns a cell phone into a credit card or debit card. Such a cell phone can buy items from a vending machine or convenience store, pay for train tickets and cab fares, and purchase and sell stocks and bonds. Businesses cater to this new technology by including bar codes in their catalogues or on street advertisements. Users can then use their phone to scan the barcode that brings the user to that company’s website. Users may then proceed to learn more about the item and order it with a click of the button. 2. The Japanese now use cell phones to watch up to 7 free television stations. Newer models can digitally record up to 30 minutes of those television programs. 3. SONY has a hard disk recorder that can be programmed via mobile phone to record TV shows. 4. Cell phones are also being used as a remote for televisions and karaoke players. 5. The Japanese also use cell phones as video cameras and music players. 6. Users everywhere use cell phones to navigate to their destination. 1-15 Ch. 1: Accounting Information Systems: An Overview b. How can businesses utilize this technology to attract more customers, sell more products, advertise their products, facilitate the sale of products, and conduct and manage their businesses more efficiently and effectively? In order to make products and services available to the consumers using cell phones, an infrastructure must be in place. Such things as bar coded products and vending machines that accept e-wallet transactions from cell phones are necessary for the device to be of use to the consumer. 
Businesses that can provide this infrastructure will be well positioned to take advantage of the cell phone/PC revolution. Indeed, auction sites have noticed heavier volume from mobile users buying and selling items. Brokerages are reporting that 20% - 30% of trades are coming from mobile devices.

c. What are some problems or drawbacks you can see with using these devices in business?

The problems and drawbacks of these new devices include a relatively high sales price, short battery life, limited performance, having to drill down several menu layers to reach desired functions, and theft.

1.8 Classify each of the following items as belonging in the revenue, expenditure, human resources/payroll, production, or financing cycle.

a. Purchase raw materials – Expenditure cycle
b. Pay off mortgage on factory – Financing cycle
c. Hire a new assistant controller – Human resources/payroll cycle
d. Establish a $10,000 credit limit for a new customer – Revenue cycle
e. Pay for raw materials – Expenditure cycle
f. Disburse payroll checks to factory workers – Human resources/payroll cycle
g. Record goods received from vendor – Expenditure cycle
h. Update the allowance for uncollectible accounts – Revenue cycle
i. Decide how many units to make next month – Production cycle
j. Complete picking ticket for customer order – Revenue cycle
k. Record factory employee timecards – Human resources/payroll cycle
l. Sell concert tickets – Revenue cycle
m. Draw on line-of-credit – Financing cycle
n. Send new employees to a business ethics course – Human resources/payroll cycle
o. Pay utility bills – Expenditure cycle
p. Pay property taxes on office building – Expenditure cycle
q. Pay federal payroll taxes – Human resources/payroll cycle
r. Sell DVD player – Revenue cycle
s. Collect payment on customer accounts – Revenue cycle
t. Obtain a bank loan – Financing cycle
u. Pay sales commissions – Human resources/payroll cycle
v. Send an order to a vendor – Expenditure cycle
w. Put purchased goods into the warehouse – Expenditure cycle

SUGGESTED ANSWERS TO THE CASES

1-1 The Web site for this book contains an adaption of Russell L. Ackoff’s classic article “Management Misinformation Systems” from Management Science. In the article, Ackoff identified five common assumptions about information systems and then explained why he disagreed with them. Read the five assumptions, contentions, and Ackoff’s explanations. For each of the five assumptions, decide whether you agree or disagree with Ackoff’s contentions. Prepare a report in which you defend your stand and explain your defense.

The exact nature of the answers will vary. Grading should be based on how well students defend the positions they take. If you plan on discussing the case in class, be sure to cover these key points:

Assumption 1: If the problem is too much information, the solution involves filtering information. You may want to compare and contrast the effectiveness of different Internet search engines to illustrate this point. The value of data mining in using data warehouses is also relevant here.

Assumption 2: If decision makers do not really need all the information they want, then the solution may involve asking decision makers to explain exactly how and why they use various data items.

Assumption 3: Is the key providing more data, or more information? Identifying the difference in a given decision setting may be difficult, but is crucial to solving this problem.

Assumption 4: Ackoff presents a nice example of how sometimes too much communication hurts. Other topics that could be discussed to clarify this issue might include asking students to identify situations in inter-personal relationships when it might not be appropriate to follow the general adage about telling the truth. Also, discuss the interaction of performance measurement and communications.
Assumption 5: The key point is to get the class to consider the degree to which the analogy about how much the average driver needs to know about how a car works applies to information systems. Ask them to identify situations when lack of knowledge about how a car works can harm the average driver. Are there any analogous situations with information systems?

CHAPTER 2 OVERVIEW OF BUSINESS PROCESSES

SUGGESTED ANSWERS TO DISCUSSION QUESTIONS

2.1 Table 2-1 lists some of the documents used in the revenue, expenditure, and human resources cycle. What kinds of input or output documents or forms would you find in the production (or conversion) cycle?

Students will not know the names of the documents but they should be able to identify the tasks about which information needs to be gathered. Here are some of those tasks:

• Requests for items to be produced
• Documents to plan production
• Schedule of items to be produced
• List of items produced, including quantity and quality
• Form to allocate costs to products
• Form to collect time spent on production jobs
• Form requesting raw materials for production process
• Documents showing how much raw materials are on hand
• Documents showing how much raw materials went into production
• List of production processes
• List of items needed to produce each product
• Documents to control movement of goods from one location to another

2.2 With respect to the data processing cycle, explain the phrase “garbage in, garbage out.” How can you prevent this from happening?

When garbage, defined as errors, is allowed into a system, that error is processed and the resultant erroneous (garbage) data is stored. The stored data at some point will become output. Thus, the phrase garbage in, garbage out. Data errors are even more problematic in ERP systems because the error can affect many more applications than an error in a nonintegrated database. Companies go to great lengths to make sure that errors are not entered into a system.
To prevent data input errors:

• Data captured on source documents and keyed into the system are edited by the computer to detect and correct errors and critical data is sometimes double keyed.
• Companies use turnaround documents to avoid the keying process.
• Companies use source data automation devices to capture data electronically to avoid manual data entry with its attendant errors.
• Well-designed documents and screens improve accuracy and completeness by providing instructions or prompts about what data to collect, grouping logically related pieces of information close together, using check off boxes or pull-down menus to present the available options, and using appropriate shading and borders to clearly separate data items.
• Data input screens are preformatted to list all the data the user needs to enter.
• Prenumbered source documents are used or the system automatically assigns a sequential number to each new transaction. This simplifies verifying that all transactions have been recorded and that none of the documents has been misplaced.
• The system is programmed to make sure company policies are followed, such as approving or verifying a transaction. For example, the system can be programmed to check a customer’s credit limit and payment history, as well as inventory status, before confirming a sale to a customer.

2.3 What kinds of documents are most likely to be turnaround documents? Do an internet search to find the answer and to find example turnaround documents.
Documents that are commonly used as turnaround documents include the following:

• Utility bills
• Meter cards for collecting readings from gas meters, photocopiers, water meters, etc.
• Subscription renewal notices
• Inventory stock cards
• Invoices
• Checks (banks encode account info on the bottom of checks)
• Annual emissions inventory forms (http://www.deq.state.ok.us/aqdnew/Emissions/TurnAroundDocs.htm)
• Adult Literacy Information and Evaluation System forms (http://www.lacnyc.org/ALIES/tech_support/manual/Section4Chapter2.pdf)

Students will find many other turnaround documents. Here are some URLs for turnaround document definitions and examples:

http://en.wikipedia.org/wiki/Turnaround_document
http://www.pcmag.com/encyclopedia_term/0,2542,t=turnaround+document&i=53248,00.asp
http://www.answers.com/topic/turnaround-document-1

Here are some turnaround document images (1 long URL):

http://images.google.com/images?q=turnaround+document&oe=utf-8&rls=org.mozilla:enUS:official&client=firefox-a&um=1&ie=UTF8&ei=N7yBSpbAF4KiswO39JnwCA&sa=X&oi=image_result_group&ct=title&resnum=4

2.4 The data processing cycle in Figure 2-1 is an example of a basic process found throughout nature. Relate the basic input/process/store/output model to the functions of the human body.

There are a number of ways to relate the input/process/store/output model to the human body. Here are a few of them:

• Brain. We read, see, hear, and feel things. We process that input in order to understand what it is and how it relates to us. We store that data in our brains and then process it again in order to solve problems, make decisions, etc., which represent output.
• Stomach. We take food in as input. It is processed to produce energy to fuel all bodily functions. If we eat more food than the body needs at any one time it is stored as fat. The output is walking, talking, thinking – all functions fueled by the energy produced.
Human waste is also an output of that process.

Students will come up with other examples of how the input/process/store/output model applies to the human body.

2.5 Some individuals argue that accountants should focus on producing financial statements and leave the design and production of managerial reports to information systems specialists. What are the advantages and disadvantages of following this advice? To what extent should accountants be involved in producing reports that include more than just financial measures of performance? Why?

There are no advantages to accountants focusing only on financial information. Both the accountant and the organization would suffer if this occurred. Moreover, it would be very costly to have two systems rather than one that captures and processes operational facts at the same time as it captures and reports financial facts.

The main disadvantage of this is that accountants would ignore much relevant information about the organization’s activities. To the extent that such nonfinancial information (e.g., market share, customer satisfaction, measures of quality, etc.) is important to management, the value of the accounting function would decline. Moreover, accountants have been trained in how to design systems to maximize the reliability of the information produced. If relevant information is not produced by the AIS, there is danger that the information may be unreliable because the people responsible for its production have not been trained in, or are not adequately aware of, the potential threats to reliability and the best measures for dealing with those threats.

SUGGESTED ANSWERS TO THE PROBLEMS

2.1 The chart of accounts must be tailored to an organization’s specific needs. Discuss how the chart of accounts for the following organizations would differ from the one presented for S&S in Table 2-2.

Some of the changes in the chart of accounts for each type of entity include the following:

a. University
• No equity or summary drawing accounts. Instead, have a fund balances section for each type of fund.
• Several types of funds, with a separate chart of accounts for each. The current fund is used for operating expenses, but not capital expenditures. Loan funds are used to account for scholarships and loans. Endowment funds are used to account for resources obtained from specific donors, generally with the objective that principal be preserved and that income be used for a specific purpose. Plant funds are used for major capital expenditures. Most fund categories would be further divided into restricted and unrestricted categories.
• Unlikely to have Notes Receivable, but may have Accounts Receivable for students who pay tuition in installment payments.
• Tuition and fees would be one source of revenue. Others include gifts, investment income, sales of services, and, for public universities, state appropriations.
• Student loans are an asset; student deposits are a liability.

b. Bank
• Loans to customers would be an asset, some current, others noncurrent, depending upon the length of the loan.
• No inventory
• Customer accounts would be liabilities.
• Classification of revenue would be among loans, investments, service charges, etc.
• No cost of goods sold.

c. Government Unit
• No equity or summary drawing accounts. Instead, have fund balances.
• Balance sheet shows two major categories: (1) assets and (2) liabilities and fund equity.
• Separate chart of accounts for each fund (general fund, special revenue fund, capital projects fund, and debt service fund).
• Revenue and expenditure accounts would be grouped by purpose (e.g., police, highways, sanitation, education, etc.).
• Encumbrance accounts
• Revenues would include taxes, licenses and permits, fines, and charges for specific services.
• Taxes receivable as a separate category due to importance.
• No cost of goods sold.

d. Manufacturing Company
• Several types of inventory accounts (raw materials, work-in-process, and finished goods).
• Additional digits to code revenues and expenses by products and to code assets/liabilities by divisions.

e. Expansion of S&S
• Additional digits to code:
  − Revenues and expenses by products and by stores
  − Assets/liabilities by stores.

2.2 Design a chart of accounts for SDC. Explain how you structured the chart of accounts to meet the company’s needs and operating characteristics. Keep total account code length to a minimum, while still satisfying all of Mace’s desires. (Adapted from the CMA Exam)

A six-digit code (represented by letters ABCDEF) is sufficient to meet SDC’s needs:

A This digit identifies the 4 divisions plus the corporate office. One digit can accommodate up to 9 different divisions, assuming that no division would be zero. Thus, the number of divisions would have to more than double before the chart of accounts would have to be revised.

B This digit represents major account types (asset, liability, equity, revenue, expense). There are only 6 categories, so one digit is sufficient.

C This digit represents the major classification within account type:
• For balance sheet accounts, this represents specific sub-categories (current assets, plant and equipment, etc.), as only six categories are needed.
• For expense and revenue accounts, this digit represents the product group, as again there are only five products plus general costs.

D This digit represents specific accounts or cost centers:
• For balance sheet accounts, this is the control account; one digit is adequate because the problem says no more than 10 categories.
• For expense accounts, this is the cost center; one digit is adequate because the problem indicates no more than 6 cost centers.
EF These two digits represent the subsidiary accounts and natural expense categories:
• For expense accounts, these represent the 56 natural expense categories and variances for each cost center.
• For the balance sheet, these two digits accommodate up to 100 subsidiary accounts.

2.3 An audit trail enables a person to trace a source document to its ultimate effect on the financial statements or work back from amounts in the financial statements to source documents. Describe in detail the audit trail for the following:

a. The audit trail for inventory purchases includes linking purchase requisitions, purchase orders, and receiving reports to vendor invoices for payment. All these documents would be linked to the check or EFT transaction used to pay for an invoice and recorded in the Cash Disbursements Journal. In addition, these documents would all be linked to the journal entry made to record that purchase. There would be a general ledger account number at the bottom of each column in the journal. The journal reference would appear in the General Ledger, Inventory Ledger, and Accounts Payable ledger.

[Figure: audit trail for inventory purchases. Boxes: Purchase Requisition, Purchase Order, Receiving Report, Invoice, Accounts Payable Ledger, Cash Disbursements Journal, Payment, General Ledger, Trial Balance, Financial Statements]

b. The audit trail for the sale of inventory links the customer order, sales order, and shipping document to the sales invoice. These documents are linked to the journal entry recording the sale of that merchandise. The invoice would also be linked to the cash received from the customer and to the journal entry to record that receipt.

[Figure: audit trail for the sale of inventory. Boxes: Customer Order, Sales Order, Shipping Documents, Sales Journal, Invoice, Accounts Receivable Ledger, Payment, Cash Receipts Journal, General Ledger, Trial Balance, Financial Statements]

c. The audit trail for employee payroll links records of employee activity (time cards, time sheets, etc.) to paychecks and to the journal entry to record payment of payroll. In a manufacturing company, there would also be links to the job-time tickets used to allocate labor costs to specific products or processes.

[Figure: audit trail for employee payroll. Boxes: Employee Paycheck, Employee Time Card, Cash Disbursements Journal, Payroll Journal, General Ledger, Trial Balance, Financial Statements]

2.4 Your nursery sells various types and sizes of trees, bedding plants, vegetable plants, and shrubs. It also sells fertilizer and potting soil. Design a coding scheme for your nursery.

Grading depends upon the instructor’s judgment about the quality of the coding scheme. The coding scheme should be either a group or block coding. In addition, the student’s solutions should provide sufficient detail in order to determine whether the solution represents a group or block coding scheme.

An example block code is as follows (under each major heading the student would list the specific products offered for sale, such as 701 – Fuji apple tree). Four digits instead of three would allow the nursery to list more products for sale.

100 Flowers – Annual
200 Flowers – Perennial
300 Vegetables
400 Fruits
500 Shrubs
600 Trees – Flowering
700 Trees – Fruit and Nut

If the nursery had four locations, a group code could be used with the first digit indicating the location (2 location digits would allow for more growth). Other digits could be added to the group code to indicate other ways of identifying products.

2.5 Match the following terms with their definitions

TERM

_10_ a. data processing
_23_ b. source documents
_7_ c. turnaround documents
_16_ d. source data automation
_1_ e. general ledger
_13_ f. subsidiary ledger
_26_ g. control account
_21_ h. coding
_2_ i. sequence code
_25_ j. block code
_19_ k. group code
_22_ l. mnemonic code
_4_ m. chart of accounts
_8_ n. general journal
_17_ o. specialized journal
_3_ p. audit trail
_11_ q. entity
_9_ r. attribute
_6_ s. field
_24_ t. record
_5_ u. data value
_12_ v. master file
_14_ w. transaction file
_18_ x. database
_20_ y. batch processing
_15_ z. online, real-time processing

DEFINITION

1. Contains summary-level data for every asset, liability, equity, revenue, and expense account
2. Items are numbered consecutively to account for all items; missing items cause a gap in the numerical sequence
3. Path of a transaction through a data processing system from point of origin to final output, or backwards from final output to point of origin
4. List of general ledger account numbers; allows transaction data to be coded, classified, and entered into proper accounts; facilitates preparation of financial statements and reports
5. Contents of a specific field, such as “George” in a name field
6. Portion of a data record that contains the data value for a particular attribute, like a cell in a spreadsheet
7. Company data sent to an external party and then returned to the system as input
8. Used to record infrequent or non-routine transactions
9. Characteristics of interest that need to be stored
10. The steps a company must follow to efficiently and effectively process data about its transactions
11. Something about which information is stored
12. Stores cumulative information about an organization; like a ledger in a manual AIS.
13. Contains detailed data for any general ledger account with many individual subaccounts
14. Contains records of individual business transactions that occur during a specific time period
15. Updating each transaction as it occurs
16. Devices that capture transaction data in machine-readable form at the time and place of their origin
17. Used to record large numbers of repetitive transactions
18. Set of interrelated, centrally coordinated files
19. Two or more subgroups of digits are used to code items
20. Updating done periodically, such as daily
21. Systematic assignment of numbers or letters to items to classify and organize them
22. Letters and numbers, derived from the item description, are interspersed to identify items; usually easy to memorize
23. Initial record of a transaction that takes place; usually recorded on preprinted forms or formatted screens
24. Fields containing data about entity attributes; like a row in a spreadsheet
25. Sets of numbers are reserved for specific categories of data
26. The general ledger account corresponding to a subsidiary ledger, where the sum of all subsidiary ledger entries should equal the amount in the general ledger account

2.6 For each of the following scenarios identify which data processing method (batch or online, real-time) would be the most appropriate.

Some students will respond that all can and ought to be done with online-real time processing. While all can certainly be done that way, batch processing does have its advantages (cheaper, more efficient, etc.). In making the decision between batch and online-real time processing, designers must consider the need for current and accurate data. Batch processing is often used for data that does not need frequent updating and naturally occurs or is processed at fixed times. For example, while employee check in and checkout times may be gathered in real time, payroll is usually only processed at a fixed interval such as weekly, biweekly, or monthly.

a. Make an airline reservation – online-real time
b. Register for a university course – online-real time
c. Prepare biweekly payroll checks – batch
d. Process an order through an e-commerce Web site – online-real time
e. Prepare a daily bank deposit – batch
f. Preparation of customer bills by a local utility – batch
g. Accumulate daily costs from a production run of a single automobile part – batch
h. Identify the replacement drill bit size for a bit broken during a recent production run – on-line real time

2.7 After viewing the Web sites, and based on your reading of the chapter, write a 2 page paper that describes how an ERP can connect and integrate the revenue, expenditure, human resources/payroll, and financing cycles of a business.

Student solutions will vary depending on the demonstrations they observe. However, the demonstrations should give the students a more concrete and visual understanding of what an ERP system is and does. Student solutions should at least discuss how an ERP could integrate all of the various cycle activities of a business into one integrated system.

2.8 Which of the following actions update a master file and which would be stored as a record in a transaction file?

a. Update customer address change – Master file
b. Update unit pricing information – Master file
c. Record daily sales – Transaction file
d. Record payroll checks – Transaction file
e. Change employee pay rates – Master file
f. Record production run variances – Transaction file
g. Record Sales Commissions – Transaction file
h. Change employee office location – Master file
i. Update accounts payable balance – Master file
j. Change customer credit limit – Master file
k. Change vendor payment discount terms – Master file
l. Record purchases – Transaction file

2.9 You were hired to assist Ashton Fleming in designing an accounting system for S&S. Ashton has developed a list of the journals, ledgers, reports, and documents that he thinks S&S needs (see Table 2-6). He asks you to complete the following tasks:

No single answer exists with this case. Indeed, solutions will vary depending upon student ingenuity and creativity. Student answers can be compared to examples of these documents found in chapters 12, 13, and 15.

a. Specify what data you think should be collected on each of the following four documents: sales invoice, purchase order, receiving report, employee time card

A sample invoice is presented in the Revenue Cycle chapter. A sample purchase order is presented in the Expenditure Cycle chapter. A sample receiving report also appears in the Expenditure Cycle chapter. Although student designs will vary, each document should contain the following data items:

Sales Invoice
• Customer name and address
• Customer account number
• Customer order number
• Salesperson code
• Shipping Address
• Shipper and date shipped
• Terms of sale
• Total Amount due
• Product code or number
• Product description
• Quantity ordered
• Quantity shipped
• Unit price
• Extended price
• Taxes, if applicable

Purchase Order
• Ship to address
• Bill to address
• Purchasing agent number
• Quantity of parts ordered
• Prices of parts ordered
• Taxes, if any
• Item numbers ordered
• Payment terms
• Shipping instructions
• Supplier name or number
• Date of purchase
• Total amount of purchase

Receiving Report
• Vendor name
• Vendor address
• Shipper
• Quantity received
• Description/quality remarks
• Inspected by
• Vendor number
• Date received
• Receiving clerk number
• Part number received
• Purchase order number

Employee Time Card
• Employee name
• Employee number
• Pay period
• Department number
• Employee signature
• Total regular hours
• Time in/Time out
• Total overtime hours
• Approved by

b. Design a report to manage inventory

The report to manage inventory should contain the following information:

• Preferred vendor
• Product number
• Description
• Reorder point
• Quantity on Hand
• Quantity Available
• Vendor performance history
• Quantity on order
• Lead time

c. Design a report to assist in managing credit sales and cash collections.

The report to manage credit sales and cash collections should include:

• Credit sales per period
• Cash collections per period
• Aging of accounts receivable
• Customers by geographic region
• Uncollectible accounts per period

d. Visit a local office supply store and identify what types of journals, ledgers, and blank forms for various documents (sales invoices, purchase orders, etc.) are available. Describe how easily they could be adapted to meet S&S’s needs.

The answers to this will vary depending upon the types of documents carried in the office supplies stores visited by the students. A fruitful topic for class discussion, or a possible additional case assignment, is to compare the design of paper documents to the data entry screen layouts used in various popular accounting packages.

SUGGESTED ANSWERS TO THE CASES

2.1 Bar Harbor Blueberry Farm

Data from Case

| Date | Supplier Invoice | Supplier Name | Supplier Address | Amount |
|---|---|---|---|---|
| March 7 | AJ34 | Bud’s Soil Prep, Inc. | PO Box 34 | $2,067.85 |
| March 11 | 14568 | Osto Farmers Supply | 45 Main | $67.50 |
| March 14 | 893V | Whalers Fertilizer, Inc. | Route 34 | $5,000.00 |
| March 21 | 14699 | Osto Farmers Supply | 45 Main | $3,450.37 |
| March 21 | 10102 | IFM Package Wholesale | 587 Longview | $4,005.00 |
| March 24 | 10145 | IFM Package Wholesale | 587 Longview | $267.88 |

Purchases Journal, Page 1

| Date | Supplier | Supplier Invoice | Account Number | Post Ref | Amount |
|---|---|---|---|---|---|
| March 7 | Bud’s Soil Prep, Inc. | AJ34 | 23 | √ | $2,067.85 |
| March 11 | Osto Farmers Supply | 14568 | 24 | √ | $67.50 |
| March 14 | Whalers Fertilizer, Inc. | 893V | 36 | √ | $5,000.00 |
| March 21 | Osto Farmers Supply | 14699 | 24 | √ | $3,450.37 |
| March 21 | IFM Package Wholesale | 10102 | 38 | √ | $4,005.00 |
| March 24 | IFM Package Wholesale | 10145 | 38 | √ | $267.88 |
| March 31 | TOTAL | | | | 14,858.60 |

General Ledger

Accounts Payable, Account Number: 300

| Date | Description | Post Ref | Debit | Credit | Balance |
|---|---|---|---|---|---|
| March 1 | Balance Forward | | | | $18,735.55 |
| March 31 | | √ | | 14,858.60 | 33,594.15 |

Purchases, Account Number: 605

| Date | Description | Post Ref | Debit | Credit | Balance |
|---|---|---|---|---|---|
| March 1 | Balance Forward | | | | $54,688.49 |
| March 31 | | √ | 14,858.60 | | 69,547.09 |

Accounts Payable Subsidiary Ledger

Account No: 23, Bud’s Soil Prep, Inc., PO Box 34, Terms: 2/10, Net 30

| Date | Description | Debit | Credit | Balance |
|---|---|---|---|---|
| March 1 | Balance Forward | | | 0.00 |
| March 7 | Mulch | | 2,067.85 | 2,067.85 |

Account No: 24, Osto Farmers Supply, 45 Main, Terms: 2/10, Net 30

| Date | Description | Debit | Credit | Balance |
|---|---|---|---|---|
| March 1 | Balance Forward | | | 0.00 |
| Mar 11 | Seedling Heat Mat | | 67.50 | 67.50 |
| Mar 21 | Medium Portable Greenhouse | | 3,450.37 | 3,517.87 |

Account No: 36, Whalers Fertilizer, Inc., Route 34, Terms: 2/10, Net 30

| Date | Description | Debit | Credit | Balance |
|---|---|---|---|---|
| March 1 | Balance Forward | | | 0.00 |
| March 14 | Premium Leaf-Blend Fertilizer | | 5,000.00 | 5,000.00 |

Account No: 38, IFM Package Wholesale, 587 Longview, Terms: 2/10, Net 30

| Date | Description | Debit | Credit | Balance |
|---|---|---|---|---|
| March 1 | Balance Forward | | | 0.00 |
| Mar 21 | Peat Pots | | 4,005.00 | 4,005.00 |
| Mar 24 | Labels | | 267.88 | 4,272.88 |

CHAPTER 3 SYSTEMS DEVELOPMENT AND DOCUMENTATION TECHNIQUES

SUGGESTED ANSWERS TO DISCUSSION QUESTIONS

3.1 Identify the DFD elements in the following narrative: A customer purchases a few items from a local grocery store. Jill, a salesclerk, enters the transaction in the cash register and takes the customer’s money. At closing, Jill gives both the cash and the register tape to her manager.

Data Flows: merchandise, payment, cash and register tape
Data Source: customer
Processes: capture sales and payment data and collect payment, give cash and register tape to manager
Storage: sales file (register tape), cash register

3.2 Do you agree with the following statement: “Any one of the systems documentation procedures can be used to adequately document a given system”? Explain.
It is usually not sufficient to use just one documentation tool. Every tool documents a uniquely important aspect of a given information system. For example, system flowcharts are employed to understand physical system activities including inputs, outputs, and processing. In contrast, data flow diagrams provide a graphic picture of the logical flow of data within an organization. Each alternative is appropriate for a given aspect of the system. As a result, they work together to fully document the nature and function of the information system.

3.3 Compare the guidelines for preparing flowcharts and DFDs. What general design principles and limitations are common to both documentation techniques?

Similar design concepts include the following:
• Both methods require an initial understanding of the system before actual documentation begins. This ensures that the system is properly represented by the diagram.
• Both measures require the designer to identify the elements of the system and to identify the names and relations associated with the elements.
• Both methods encourage the designer to show only the regular flows of information and not to be concerned with unique situations.
• Both approaches require more than one “pass” through the diagramming or flowcharting process to accurately capture the essence of the system.

The product of both methods is a model documenting the flow of information and/or documents in an information system. Both documentation methods are limited by the nature of the models they employ, as well as by the talents and abilities of the designer to represent reality.

3.4 Your classmate asks you to explain flowcharting conventions using real-world examples. Draw each of the major flowchart symbols from memory, placing them into one of four categories: input/output, processing, storage, and flow and miscellaneous. For each symbol, suggest several uses.
The major flowcharting symbols and their respective categories are shown in Fig. 3.8 in the text. With respect to how the symbols are used, student answers will vary. Possible examples include the following:

Input/Output Symbols
• Document: an employee time card, a telephone bill, a budget report, a parking ticket, a contract
• Display: student information monitors, ATM monitors, the monitor on your microcomputer
• Manual input: cash registers, ATM machines

Processing Symbols
• Processing: processing a student payroll program, assessing late fees
• Manual operation: writing a parking ticket, preparing a paper report, collecting and entering student payments

Storage Symbols
• Magnetic disk: alumni information data base, a report stored on your PC hard disk
• Magnetic tape: archival student information
• On-line storage: a student information data base or an airline reservation data base stored on-line
• File: purchase order file for a department, a student housing contract file

Flow (Miscellaneous)
• Communication link: a telephone linkage that connects you to an on-line data base

SUGGESTED ANSWERS TO THE PROBLEMS

3.1 Assorted Flowcharting Segments
Prepare flowcharting segments for each of the following operations:

a. processing transactions stored on magnetic tape to update a master file stored on magnetic tape
[Flowchart segment not reproduced. Symbol labels: Transactions, Old Master File, File Update, New Master File]

b. processing transactions stored on magnetic tape to update a database stored on a magnetic disk
[Flowchart segment not reproduced. Symbol labels: Transactions, File Update, Data base]

c. converting source documents to magnetic tape using a computer-based optical character reader (OCR)
[Flowchart segment not reproduced. Symbol labels: OCR Source Documents, Conversion of Documents to Tape by OCR, Source Data]

d. processing OCR documents online to update a database on magnetic disk
[Flowchart segment not reproduced. Symbol labels: OCR Source Documents, Update Data base, Data base]

e. reading data from a magnetic disk into the computer to be printed on a report
[Flowchart segment not reproduced. Symbol labels: Data File, Report Generation, Report]

f. using a computer or terminal to key data from source documents to a file stored on a magnetic disk
[Flowchart segment not reproduced. Symbol labels: Terminal, Data File, Source Documents, Key Data]

g. manually sorting and filing invoices numerically
[Flowchart segment not reproduced. Symbol labels: Invoices, Sort Numerically, Invoices, N]

h. using a terminal to enter source document data and send it to a remote location where an online processing system records it in a database stored on magnetic disk
[Flowchart segment not reproduced. Symbol labels: Terminal, Online Processing System, Data base, Source Data]

i. a scheduled automatic backup of an internal hard drive to an external hard drive
[Flowchart segment not reproduced. Symbol labels: Internal Hard Drive, Scheduled Automatic Backup, External Hard Drive]

j. using a terminal to query customer sales data maintained on a magnetic disk
[Flowchart segment not reproduced. Symbol labels: Display, Query Customer Sales Data, Enter Query, Database]

k. enter employee hours recorded on time cards in the payroll transaction file maintained on disk and update wage data maintained on the payroll master file
[Flowchart segment not reproduced. Symbol labels: Payroll Transaction File, Terminal, Time Card, Record time card data on the payroll transaction file and update wage data maintained on the payroll master file, Enter Time Card Data, Payroll Master File]

l. use a terminal to access a price list maintained on disk to complete a purchase order. An electronic copy of the purchase order is sent to the vendor and a backup copy is printed and filed by vendor name
[Flowchart segment not reproduced. Symbol labels: Purchase Order (electronic), To Vendor, Access Price List, create electronic purchase order & print a paper backup copy, Price Data, Purchase Order (paper), A]

m. update an airline reservation on a Web-based airline reservation system from a home computer
[Flowchart segment not reproduced. Symbol labels: Request, complete, and submit an online reservation change form; Revise reservation data on web-based airline reservation system; Reservation File]

3.2 Happy Valley Utility Company

a. Draw a system flowchart of the billing operations, commencing with the computer preparation of the meter reading forms and ending with the mailing of customer bills.
[System flowchart not reproduced. Process labels: Meter Form Preparation, Sort By Cust #, Enter Current Reading, Mark-Sense Document Reader, File Update and Billing. Outputs shown: Error List & Summary Report, Customer Bills (Mail to Customers).]

b. Draw a system flowchart depicting customer payments processing, starting with the mail room operations and ending with the two printed reports.
[System flowchart not reproduced. Process labels: Compare & Separate, OCR Document Reader, Type Correct Stubs, Payments Posting Run. Outputs shown: Report of Past-Due Accounts, Error List & Summary Report.]

3.3 Prepare a system flowchart of the process described.
[System flowchart "Payroll Processing for Dewey Construction Company" not reproduced. Labels include: Job Time Tickets, Key to Tape Encodings, Job Time Records Tape, Work in Process Master File, Payroll Processing System, Payroll Master File, Earnings Statement, Payroll Register, Paycheck, Error Transactions and Summary.]

3.4 Prepare a document flowchart to reflect how ANGIC Insurance Company processes its casualty claims.
[Document flowchart not reproduced. Columns: Adjuster, Claims Department, Data Processing. Process labels include: Prepare proof of loss, claim record; Assist Claimant with Form; Prepare Separate Report; Authorize Claim Payment; Prepare Check & Disbursement list.]

3.5
a. Prepare a document flowchart that indicates the interaction and use of these documents among all departments at Beccan Company’s central facility. It should provide adequate internal control over the receipt, issuance, replenishment, and payment of tires and supplies. You may assume that there is a sufficient number of document copies to ensure that the perpetual inventory system has the necessary basic internal controls.

b. Using the flowcharting conventions discussed in Focus 3.2, critique the instructor-provided CMA solution. List all the ways the CMA solution violates those flowcharting guidelines.

Adapted from the CMA Exam.

Note: the CMA solution shown does not follow the flowcharting conventions discussed in the chapter. When the authors use this problem they have the students critique the CMA exam solution (assignment 3.5b), based upon the conventions discussed in Focus 3.2.

3.6 a. Prepare a context diagram and level 0 DFD to document the payroll processing system at No-Wear Products.

Context Diagram for the payroll processing system at No-Wear Products
[Context diagram not reproduced. System: Payroll Processing System. Other labels include: Employee, Management, Human Resources Department, Governmental Agencies.]

Level 0 Data Flow Diagram for the payroll processing system at No-Wear Products.
[Level 0 DFD not reproduced. Processes: 1.0 Process Employee Timecards, 2.0 Update Payroll File, 3.0 Generate Paycheck, 4.0 Generate Payroll Reports.]

3.6 b. Prepare a document flowchart to document the payroll processing system at No-Wear Products.
[Document flowchart "No-Wear Products-Payroll" not reproduced. Process labels include: Record Time, Enter Time Data, Enter Payroll Changes, Process Payroll Changes, and Process Payroll, Prepare Checks and Reports. Outputs shown: Paycheck, Management Report, Federal Tax Report, State Tax Report.]

3.7 a. Prepare a context diagram and a level 0 DFD to document accounts payable processing at S&S.
[Context diagram not reproduced. System: S&S Accounts Payable. Other labels include: Receiving, Purchasing, Vendor, Management.]

Level 0 Data Flow Diagram of S&S Accounts Payable
[Level 0 DFD not reproduced. Processes: 1.0 Record Payable, 2.0 Collect & Store Purchase Orders & Receiving Reports, 3.0 Make Payment, 4.0 Prepare Management Reports.]

3.7 b. Prepare a document flowchart to document accounts payable processing at S&S.
[Document flowchart "S&S Accounts Payable" not reproduced. Process labels include: Match Purchase Order, Receiving Report, Invoice; Record Accounts Payable; Prepare Vendor Checks; Review and Sign Checks; Review Accounts Payable Report.]

3.8 a. Develop a context diagram and a level 0 DFD of the acquisition/payment system at Oriental Trading.
[Context diagram not reproduced. System: Acquisition/Payment System. Other labels include: Vendor, Inventory System.]

Level 0 Data Flow Diagram: Acquisition/Payment System at Oriental Trading:
[Level 0 DFD not reproduced. Processes: 1.0 Prepare Purchase Order & Notification, 2.0 Update Accounts Payable, 3.0 Pay Vendor.]

3.8 b. Prepare a document flowchart to document the acquisition/payment system at Oriental Trading.
[Document flowchart "Oriental Trading Acquisition/Payment System" not reproduced. Process labels include: Enter Purchase Requisition; Prepare Purchase Order; Enter Vendor Acknowledgment; Prepare Purchase Order Notification; Match Purchase Order, Receiving Report, and Invoice. Prepare Payment Authorization; Enter Accounts Payable Data for Update; Update Accounts Payable Master File; Enter payment Authorization; Prepare Check, Update Accounts Payable and General Ledger.]

3.9 a. Develop a context diagram and a level 0 DFD for the cash receipts system at S&S.
[Context diagram not reproduced. System: Cash Receipts System. Other labels include: Bank, Customers, Management, Credit and Collections.]

Level 0 Data Flow Diagram of the Cash Receipts System at S&S:
[Level 0 DFD not reproduced. Processes: 1.0 Process Payments, 2.0 Update Customer Accounts, 3.0 Prepare Reports.]

3.9 b. Prepare a document flowchart to document the cash receipts system at S&S.
[Document flowchart "S&S Cash Receipts System" not reproduced. Columns: Treasurer, Accounts Receivable Clerk. Process labels include: Endorse Checks and Prepare Deposit Slip for Cash & Checks; Update Accounts Receivable Ledger/File; Generate Weekly Reports. Outputs shown: Cash Receipts Report (To Management), Aged Trial Balance (To Credit & Collections).]

3.10 Draw a context diagram and at least two levels of DFDs for the preceding operations.
[Context diagram not reproduced. System: Mail Order System. External entity: Customer.]

Level 0 Data Flow Diagram for a mail order company:
[Level 0 DFD not reproduced. Processes: 1.0 Process Order Transaction, 2.0 Process Shipment, 3.0 Process Payment Transaction.]

Level 1 Data Flow Diagram for a mail order company:
[Level 1 DFD not reproduced. Processes: 1.1 Process Order, 1.2 Process order cancellation, 1.3 Process order inquiry, 1.4 Process product inquiry.]

3.11 a.
Prepare a context diagram and at least two levels of DFDs for this operation.
[Context diagram not reproduced. System: Course Registration System. Other labels include: Student, Instructor.]

Level 0 Data Flow Diagram for a course registration system:
[Level 0 DFD not reproduced. Processes: 1.0 Register student, 2.0 Prepare course enrollment reports.]

Level 1 Data Flow Diagram for a registration system:
[Level 1 DFD not reproduced. Processes: 1.1 Check fees due, 1.2 Check prerequisites, 1.3 Check class availability, 1.4 Register student.]

3.11 b. Prepare a document flowchart to document this operation.
[Document flowchart "Registration System" not reproduced. Column: Registrar. Process labels include: Enter Registration Request; Check for unpaid fees; Check Course Prerequisites; Check course availability and add student to class; Print Student Registration Report, Update Accounts Receivable, Print Course Enrollment Reports.]

If fees are owed, registration is cancelled and the registration report becomes a bill for unpaid fees. If a requested class is full, the report indicates “course closed.” If the student is accepted into the course(s): course day, time, and room are printed next to the course. Fees and tuition are printed on the report.

3.12 You recognize weaknesses in the existing system and believe a document flowchart would be beneficial in evaluating this client’s internal control in preparing for your examination of the financial statements.

a. Complete the flowchart given in Figure 3-12, for sales and cash receipts of Charting, Inc., by labeling the appropriate symbols and indicating information flows.

Adapted from the 1969 CPA Exam

[Completed flowchart not reproduced.]

3.12 b. Using the guidelines for preparing flowcharts in Focus 3-2 and the flowcharting symbols shown in Figure 3-8, critique the flowchart shown in Figure 3-12. List the ways the flowchart violates the guidelines or uses improper symbols.

The flowchart in Fig. 3.12 violates the General Guidelines for Preparing Flowcharts in the following ways.
1. The text uses the Terminal symbol (the oval) to indicate an external party. Figure 3.12 uses a large arrow to indicate items coming into the system (mail, cash, and items received from the bank). It uses a line with an arrow that stops in a small vertical line, accompanied by To customer (or To Bank), to indicate items exiting the system.
2. The solution has the mail clerk, the sales clerk, and the inventory control clerk in one column. Three columns would be better.
3. Additional comments (Prepare remittance advice if needed) are not enclosed in an annotation box.
4. Each manual processing symbol does not have an input and an output. For example, the symbols under mail clerk and sales clerk do not have an input.
5. The file symbol (the triangle) does not need the word File in it. The symbol itself conveys that it is a file.

3.13 a.
Bottom Manufacturing Corporation Charge Sales System
List the procedures or the internal documents that are labeled letters c to r in the flowchart of Bottom Manufacturing Corporation’s charge sales system. Organize your answer as follows (Note that the explanations of the letters a and b in the flowchart are entered as examples):

Flowchart Symbol Letter | Procedures or Internal Document
a | Prepare six-part sales order.
b | File by order number.

FLOWCHART SYMBOL LETTER | INTERNAL CONTROL PROCEDURE OR INTERNAL DOCUMENT
a. | Prepare six-part sales order.
b. | File by order number.
c. | Approve customer credit and terms.
d. | Release merchandise to shipping department.
e. | File by sales order number.
f. | File pending receipt of merchandise.
g. | Prepare bill of lading.
h. | Copy of bill of lading to customer.
i. | Ship merchandise to customer.
j. | File by sales order number.
k. | Customer purchase order and sales order.
l. | File pending notice of shipment.
m. | Prepare three-part sales invoice.
n. | Copy of invoice to customer.
o. | Post to (or enter in) sales journal.
p. | Account for numerical sequence.
q. | Post to customer accounts.
r. | File by (payment due) date.

(CPA Examination, adapted)

b. Using the guidelines for preparing flowcharts in Focus 3-2 and the flowcharting symbols shown in Figure 3-8, critique the flowchart shown in Figure 3-13. List the ways the flowchart violates the guidelines or uses improper symbols.

Fig. 3.13 violates the General Guidelines for Preparing Flowcharts in the following ways:
1. The text uses the Terminal symbol (the oval) to indicate an external party. Figure 3.13 uses the off page connector symbol.
2. Document numbers should be placed in the top right hand corner of the document symbol.
3. Sales order 2 is not shown passing through manual symbols labeled g and i so that it can end up in the file shown at the bottom of the shipping column. The same thing happens in the other columns.
4. Sales order 4 is filed in the finished goods department, yet the shipping column (third set of symbols in the column) shows sales order 4. This should be sales order 2, not 4.
5. The line showing information being posted to the accounts received ledger should come out of symbol q and should be a dotted line. The line to the sales journal (below symbol o) should also be a dotted line.
6. In the shipping column, when the three Bills of Lading are created, the arrow downward to symbol i should come from copy 2 of the Bill of Lading, not copy 3. The same applies to the sales invoice in the Billing Column (arrow from copy 1).
7. Instead of using annotation symbols to tell how documents are filed, use the letter D for date, N for numerically, and A for alphabetically. When more than one document is being filed (symbols j, l, and bottom of Billing Column) or the method of filing is unclear (symbol r, file sales invoice by payment due date) an annotation symbol can be used.

Additional items to improve efficiency of flowchart
1. Symbols p and q could be combined into one symbol.

3.14
a. Prepare and file a tax return with the tax owed to the Internal Revenue Service.
[Context diagram not reproduced. System: Prepare Taxes. Other labels include: Employer, IRS.]
[Level 0 DFD not reproduced. Processes: 1.0 Collect Tax Documents, 2.0 Prepare IRS Form 1040.]

b. A customer pays an invoice with a check. Accounts receivable is updated to reflect the payment. The check is recorded and deposited into the bank.
[Context diagram not reproduced. System: Cash Receipts. Other labels include: Customer, Bank.]
[Level 0 DFD not reproduced. Processes: 1.0 Record Cash Receipts, 2.0 Record Customer Payment, 3.0 Prepare Deposit.]

c. A customer places an online order to purchase merchandise.
The order is approved, filled, and sent to the customer with an invoice.
[Context diagram not reproduced. System: Order Entry System. External entity: Customer.]
[Level 0 DFD not reproduced. Processes: 1.0 Receive Order, 2.0 Approve Order, 3.0 Fill and Ship Order, 4.0 Prepare Invoice.]

d. An inventory request is received by the purchasing department. The purchasing department prepares and sends a purchase order to the appropriate vendor.
[Context diagram not reproduced. System: Purchasing System. Other labels include: Inventory Department, Vendor.]
[Level 0 DFD not reproduced. Processes: 1.0 Record Purchase Request, 2.0 Prepare Purchase Order.]

e. A vendor invoice is received, reviewed, and compared against the appropriate purchase order, then paid and filed.
[Context diagram not reproduced. System: Cash Disbursements. External entity: Vendor.]
[Level 0 DFD not reproduced. Processes: 1.0 Receive Invoice, 2.0 Approve Invoice, 3.0 Prepare Payment.]

f. A bill of lading for ordered inventory is received from a vendor, recorded, checked against the appropriate purchase order, and filed.
[Context diagram not reproduced. System: Receiving System. External entity: Vendor.]
[Level 0 DFD not reproduced. Processes: 1.0 Record Bill of Lading, 2.0 Compare Bill of Lading with Purchase Order.]

3.15 Prepare a program flowchart to help Melanie program this process.
[Program flowchart, given here as steps:]
Start
Input Weight (W), Height (H)
Body Mass Index (BMI) = W/H^2
BMI < 18.5? Yes: Weight Status (WS) = Underweight
No: BMI > 25? Yes: WS = Overweight
No: WS = Normal
Print W, H, BMI, WS
End

3.16
1. Statements are prepared and sent to customers from data contained in the accounts receivable data store. K
2. A customer sends a sales invoice to the accounts payable process. D
3. A check is manually prepared from data on a vendor invoice. G
4. The cash receipt process updates the cash receipts data store. H
5. A sales invoice is manually prepared and sent to a customer. I
6. A report is prepared from data stored on magnetic tape. C
7. Billing data are entered online and used to update the sales order file and the customer master file. A
8. Data from a cancelled invoice are used to update the cash disbursements ledger. J
9. A sales order is prepared manually. Copy 1 is sent to the warehouse and copy 2 is filed. B
10. An accounts receivable aging report is prepared from the accounts receivable master file and the cash receipts master file, both stored on disk. E
11. An error listing and batch total are compared and filed. F

3.17 Students are to replicate the flowchart presented in the problem using documentation software such as Visio, Microsoft Word, Microsoft Excel, etc.

3.18 Students are to replicate the data flow diagram presented in the problem using documentation software such as Visio, Microsoft Word, Microsoft Excel, etc.

SUGGESTED ANSWERS TO THE CASES

3-1 You are the systems analyst for the Wee Willie Williams Widget Works (also known as Dub 5, which is a shortened version of 5 Ws). Dub 5 produces computer keyboard components. It has been producing keyboards for more than 20 years and has recently signed an exclusive 10-year contract to provide the keyboards for all Dell personal computers. As the systems analyst, you have been assigned the task of developing a level 0 DFD for Dub 5’s order processing system. You have finished gathering all the information you need to develop the first-pass DFD and now want to complete the diagram.
Level 0 DFD for Dub 5:
[Level 0 DFD not reproduced. Processes: 1.0 Credit Review, 2.0 Enter customer orders, 3.0 Check Inventory & Prepare Packing Slip, 4.0 Prepare Invoice.]

3-2 Level 1 DFD for Dub 5:
[Level 1 DFD not reproduced. Processes: 1.1 Check Credit, 1.2 Check Current Order against Credit Limit, 1.3 Prepare Credit Application.]

Note: The Order Rejection notice shown on the context level diagram and the level 0 diagram can take two forms: The Over Credit Limit Notice or the Credit Application. These two items are shown on the level 1 DFD.

CHAPTER 4 RELATIONAL DATABASES

SUGGESTED ANSWERS TO DISCUSSION QUESTIONS

4.1 Contrast the logical and the physical view of data and discuss why separate views are necessary in database applications. Describe which perspective is most useful for each of the following employees: a programmer, a manager, and an internal auditor. How will understanding logical data structures assist you when designing and using database systems?

Databases are possible because of their database management system (DBMS). As shown in Figure 4.2, the DBMS is a software program that sits between the actual data stored in the system and the application programs that use the data. As shown in Figure 4.4, this allows users to separate the way they view the data (called the logical view) from the way the data is actually stored (the physical view). The DBMS interprets the users' requests and retrieves, manipulates, or stores the data as needed. The two distinct views separate the applications from the physical information, providing increased flexibility in applications, improved data security, and ease of use.
In a database system, the manager will rarely need to understand or be familiar with the physical view of the data. Nor, in most instances, will the internal auditor and the programmer, as almost everything they do involves the logical view of the data. If accountants understand logical data structures and the logical view of the data, they are better able to manage, use, and audit a database and its data.

4.2 The relational data model represents data as being stored in tables. Spreadsheets are another tool that accountants use to employ a tabular representation of data. What are some similarities and differences in the way these tools use tables? How might an accountant’s familiarity with the tabular representation of spreadsheets facilitate or hinder learning how to use a relational DBMS?

A major difference between spreadsheets and databases is that spreadsheets are designed primarily to handle numeric data, whereas databases can handle both text and numbers. Consequently, the query and sorting capabilities of spreadsheets are much more limited than what can be accomplished with a DBMS that has a good query language.

Accountants’ familiarity with spreadsheets might hinder their ability to design and use relational DBMS because many links in spreadsheets are preprogrammed and designed in, whereas a well-designed relational database is designed to facilitate ad-hoc queries. Accountants’ familiarity with spreadsheets sometimes leads them to use a spreadsheet for a task that a database could handle much better. Over the years, the Journal of Accountancy has published a number of very good articles on how to use databases and when to use databases and when to use spreadsheets. These articles can be found on the Journal’s website: http://www.journalofaccountancy.com/

4.3 Some people believe database technology may eliminate the need for double-entry accounting.
This creates three possibilities: (1) the double-entry model will be abandoned; (2) the double-entry model will not be used directly, but an external-level schema based on the double-entry model will be defined for accountants’ use; or (3) the double-entry model will be retained in database systems. Which alternative do you think is most likely to occur? Why?

There is no correct answer to this question because it is asking the student to express his opinion on what will happen in the future. Therefore, the quality of his answer depends on the justifications provided. Good answers should address the following:

• Database technology does permit abandonment of double entry, but there will likely be great resistance to such a radical change. Thus, students choosing this option need to present reasons why they think such a radical change would succeed.
• The use of a schema for accountants seems quite plausible. It does eliminate the redundancy of double entry from the database system, yet it still provides a framework familiar and useful to accountants and financial analysts.
• There is a good possibility that double entry will remain, even in databases, due to inertia. Indeed, many modern AIS, such as ERP systems, use databases but also retain the principles of double entry.

4.4 Relational DBMS query languages provide easy access to information about the organization’s activities. Does this mean that online, real-time processing should be used for all transactions? Does an organization need real-time financial reports? Why or why not?

On-line real-time processing is not necessary for every business transaction. For example, batch processing is adequate for payroll: there is little need for the data to be current except on payday. Real-time financial statements are useful for planning and provide management with better ability to react to changes in the environment.
Nevertheless, real-time financial statements may present distorted pictures of reality if accruals have been ignored or not properly recognized.

4.5 Why is it so important to have good data?

Bad data costs businesses over $600 billion a year. Some people estimate that over 25% of business data is inaccurate or incomplete. In addition, incorrect database data can lead to bad decisions, embarrassment, and angry users. The text illustrated this with the following examples:

• For quite some time, a company sent half its catalogs to incorrect addresses. A manager finally investigated the large volume of returns and customer complaints and corrected the customer addresses in the database. He saved the company $12 million a year.
• Valparaiso, Indiana used the county database to develop its tax rates. After mailing the tax notices, it was discovered that a $121,900 home was valued at $400 million. Due to the $3.1 million property tax revenue shortfall, the city, the school district, and governmental agencies had to make severe budget cuts.

Managing data is not going to get any easier as the quantity of data generated and stored doubles every 18 months.

4.6 What is a data dictionary, what does it contain, and how is it used?

A data dictionary contains information about the structure of the database. Table 4-1 shows that there is a record in the dictionary describing each data element. The DBMS maintains the data dictionary, whose inputs include new or deleted data elements and changes in data element names, descriptions, or uses. Outputs include reports for programmers, designers, and users. These reports are used for system documentation, database design and implementation, and as part of the audit trail.

4.7 Compare and contrast the file-oriented approach and the database approach. Explain the main advantages of database systems.

Information about the attributes of a customer, such as name and address, is stored in fields.
Fields contain data about one entity (e.g., one customer). Multiple fields form a record. A set of related records, such as all customer records, forms a file (e.g., the customer file). A set of interrelated, centrally coordinated files forms a database.

Figure 4-2 illustrates the differences between file-oriented and database systems. In the database approach, data is an organizational resource that is used by and managed for the entire organization, not just the originating department. A database management system (DBMS) is the interface between the database and the various application programs. The database, the DBMS, and the application programs that access the database through the DBMS are referred to as the database system.

Database systems were developed to address the proliferation of master files. This proliferation created problems such as the same data stored in two or more master files. This made it difficult to integrate and update data and to obtain an organization-wide view of data. It also created problems because the data in the different files was inconsistent.

Databases provide organizations with the following benefits:

• Data integration. Master files are combined into large “pools” of data that many application programs access. An example is an employee database that consolidates payroll, personnel, and job skills master files.
• Data sharing. Integrated data is more easily shared with authorized users. Databases are easily browsed to research a problem or obtain detailed information underlying a report. The FBI, which does a good job of collecting data but a poor job of sharing it, is spending eight years and $400 million to integrate data from its different systems.
• Minimal data redundancy and data inconsistencies. Because data items are usually stored only once, data redundancy and data inconsistencies are minimized.
• Data independence.
Because data and the programs that use them are independent of each other, each can be changed without changing the other. This facilitates programming and simplifies data management.
• Cross-functional analysis. In a database system, relationships, such as the association between selling costs and promotional campaigns, can be explicitly defined and used in the preparation of management reports.

SUGGESTED ANSWERS TO THE PROBLEMS

4.1
a. Identify three potential users and design a subschema for each. Justify your design by explaining why each user needs access to the subschema data elements.

• To fill out a sales order, the sales order entry clerk needs access to the following data:
  − item number
  − description
  − quantity-on-hand
  − price
  − customer name
  − shipping address
  − credit limit
  − account balance
• To create and mail a bill (invoice), the billing clerk needs access to the following data stored in the database:
  − customer name
  − customer number
  − billing address
  − item numbers
  − quantity sold
  − price
  − terms
• To manage inventory, the inventory control department needs access to the following data stored in the database:
  − item number
  − description
  − quantity on hand
• To purchase inventory, the purchasing department needs access to the following data stored in the database:
  − item number
  − description
  − quantity on hand
  − cost

b. Use Microsoft Access or some other relational database product to create the schema tables. Specify the primary key(s), foreign key(s), and other data for each table. Test your model by entering sample data in each table.
Table Name | Primary Key | Foreign Keys | Other Attributes
Inventory | Item number | | Cost (standard or list); Description; Quantity on hand; Price (standard or list)
Sales | Invoice number | Customer number | Date of sale; Terms
Sales-Inventory | Item number; Invoice number | | Quantity sold; Price (actual sales price)
Customer | Customer number | | Customer name; Shipping address; Billing address; Credit limit; Account balance

4.2 Most DBMS packages contain data definition, data manipulation, and data query languages. For each of the following, indicate which language would be used and why.

a. A database administrator defines the logical structure of the database.

The DDL - this is the language used to define the database.

b. The controller requests a cost accounting report containing a list of all employees being paid for more than 10 hours overtime in a given week.

The DQL - this is an example of a query.

c. A programmer develops a program to update the fixed-assets records stored in the database.

The DML - this is the language used to actually process transaction data and update the database.

d. The human resources manager requests a report noting all employees who are retiring within five years.

The DQL - another example of a task that involves querying the database.

e. The inventory serial number field is extended in the inventory records to allow for recognition of additional inventory items with serial numbers containing more than 10 digits.

The DDL and the DML - the former to alter the structure, the latter to make the change.

f. A user develops a program to print out all purchases made during the past two weeks.

The DQL - this listing can be produced by a query.

g. An additional field is added to the fixed-asset records to record the estimated salvage value of each asset.

The DDL and the DML - the former to add the field, the latter to enter data in it.
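The schema tables of Problem 4.1 b, two of the Problem 4.1 a subschemas, and the DDL/DML/DQL split of Problem 4.2 can be seen together in the following added example, which is not part of the original solution manual. It uses Python's sqlite3 module; the column spellings, the view names, the ReorderPoint column and the sample rows are assumptions made for illustration.

```python
import sqlite3

# DDL (Problem 4.2 a): defines the four schema tables of Problem 4.1 b and two
# of the Problem 4.1 a subschemas as views. Column spellings are assumed.
SCHEMA_DDL = """
CREATE TABLE Inventory (
    ItemNumber     INTEGER PRIMARY KEY,
    Description    TEXT    NOT NULL,
    Cost           REAL    NOT NULL,
    Price          REAL    NOT NULL,
    QuantityOnHand INTEGER NOT NULL
);
CREATE TABLE Customer (
    CustomerNumber  INTEGER PRIMARY KEY,
    CustomerName    TEXT NOT NULL,
    ShippingAddress TEXT,
    BillingAddress  TEXT,
    CreditLimit     REAL NOT NULL,
    AccountBalance  REAL NOT NULL
);
CREATE TABLE Sales (
    InvoiceNumber  INTEGER PRIMARY KEY,
    DateOfSale     TEXT    NOT NULL,
    Terms          TEXT,
    CustomerNumber INTEGER NOT NULL REFERENCES Customer(CustomerNumber)
);
CREATE TABLE SalesInventory (
    InvoiceNumber INTEGER NOT NULL REFERENCES Sales(InvoiceNumber),
    ItemNumber    INTEGER NOT NULL REFERENCES Inventory(ItemNumber),
    QuantitySold  INTEGER NOT NULL,
    Price         REAL    NOT NULL,  -- actual sales price
    PRIMARY KEY (InvoiceNumber, ItemNumber)
);
-- Subschemas from Problem 4.1 a: each view exposes only the listed columns.
CREATE VIEW InventoryControlView AS
    SELECT ItemNumber, Description, QuantityOnHand FROM Inventory;
CREATE VIEW PurchasingView AS
    SELECT ItemNumber, Description, QuantityOnHand, Cost FROM Inventory;
"""
SUBSCHEMAS = ("InventoryControlView", "PurchasingView")

# Constructed sample rows, not data from the text.
ITEMS = [(10, "Widget", 4.00, 9.50, 120), (20, "Gadget", 11.00, 25.00, 35)]
CUSTOMERS = [(501, "Acme Co.", "1 Dock Rd", "PO Box 7", 5000.0, 1200.0)]
SALES = [(9001, "2015-10-03", "net 30", 501)]
SALE_LINES = [(9001, 10, 12, 9.50), (9001, 20, 2, 24.00)]


def build_database():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when enabled
    conn.executescript(SCHEMA_DDL)
    # DML (Problem 4.2 c): statements that load or change the stored data.
    conn.executemany("INSERT INTO Inventory VALUES (?, ?, ?, ?, ?)", ITEMS)
    conn.executemany("INSERT INTO Customer VALUES (?, ?, ?, ?, ?, ?)", CUSTOMERS)
    conn.executemany("INSERT INTO Sales VALUES (?, ?, ?, ?)", SALES)
    conn.executemany("INSERT INTO SalesInventory VALUES (?, ?, ?, ?)", SALE_LINES)
    conn.commit()
    return conn


def invoice_total(conn, invoice_number):
    """DQL (Problem 4.2 b, d, f): a query; the total is derived, not stored."""
    row = conn.execute(
        "SELECT SUM(QuantitySold * Price) FROM SalesInventory WHERE InvoiceNumber = ?",
        (invoice_number,),
    ).fetchone()
    return row[0]


def orphan_sale_rejected(conn):
    """Referential integrity: a sale for a customer that does not exist must fail."""
    try:
        conn.execute("INSERT INTO Sales VALUES (9002, '2015-10-04', 'net 30', 999)")
    except sqlite3.IntegrityError:
        conn.rollback()
        return True
    conn.rollback()
    return False


def view_columns(conn, view_name):
    """Column names that a subschema exposes to its user."""
    if view_name not in SUBSCHEMAS:  # identifiers cannot be bound as parameters
        raise ValueError("unknown subschema: " + view_name)
    cur = conn.execute('SELECT * FROM "' + view_name + '" LIMIT 0')
    return [col[0] for col in cur.description]


def add_field_then_fill(conn):
    """Problem 4.2 e and g pattern: DDL changes the structure, DML supplies the data."""
    conn.execute("ALTER TABLE Inventory ADD COLUMN ReorderPoint INTEGER")  # DDL
    conn.execute("UPDATE Inventory SET ReorderPoint = 25")                 # DML
    conn.commit()
    return conn.execute(
        "SELECT ReorderPoint FROM Inventory ORDER BY ItemNumber").fetchall()
```

SQLite has no GRANT statement, so the views here only show the column restriction; in a multi-user DBMS each user would be given access to the view rather than to the base table.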
4.3 Ashton wants to store the following data about S&S’s purchases of inventory:

item number; date of purchase; vendor number; vendor address; vendor name; purchase price; quantity purchased; employee number; employee name; purchase order number; description; quantity on hand; extended amount; total amount of purchase

a. Design a set of relational tables to store this data. Do all of the data items need to be stored in a table? If not, which ones do not need to be stored and why do they not need to be stored?
b. Identify the primary key for each table.
c. Identify the foreign keys needed in the tables to implement referential integrity.

Table Name | Primary Key | Foreign Keys | Other Attributes
Inventory | Item number | | Description; Quantity on hand
Purchases | Purchase order number | Vendor number; Purchasing agent (employee number) | Date of purchase; Total amount of purchase
Purchases-Inventory | Item number; Purchase order number | | Quantity purchased; Unit cost (actual); Extended amount
Vendor | Vendor number | | Vendor name; Vendor address
Employees | Employee number | | Employee name

Extended amount and Total amount of purchase do not have to be stored in the database as they can be calculated from other values. Extended amount is Quantity purchased x Unit cost. Total amount of purchase is the sum of all the extended amounts for all items on a particular purchase order.

d. Implement your tables using any relational database product to which you have access.
e. Test your specification by entering sample data in each table.
f. Create a few queries to retrieve or analyze the data you stored.

There is no solution to parts d through f as students will select different software packages and come up with different queries.

4.4 Retrieve the S&S In-Chapter Database (in Microsoft Access format) from the text’s Web site (or create the tables in Table 4-5 in a relational DBMS product). Write queries to answer the following questions.
Note: For some questions, you may have to create two queries—one to calculate an invoice total and the second to answer the question asked.

Answers depend upon the specific DBMS and query language used. Here are suggested answers in QBE (Query By Example) prepared in Microsoft Access.

a. How many different kinds of inventory items does S&S sell?

[Figures: Query; Query Result]

b. How many sales were made during October?

[Figures: Query; Query Result]

c. What were total sales in October?

[Figures: Query; Query Result]

d. What was the average amount of a sales transaction?

This question requires the use of a total invoice calculation; thus, a total invoice table is prepared as a Microsoft “Make Table Query” in Microsoft Office. A Make Table Query is prepared the same as a normal query except that the user selects the Make Table Query option in the Query Type portion of the Query Design Tools ribbon.

[Figures: Make Table Query; Table Result; Query; Query Result]

e. Which salesperson made the largest sale?

[Figures: Make Table Query; Query Result; Query; Query Result]

f. How many units of each product were sold?

[Figures: Query; Query Result]

g. Which product was sold most frequently?

[Figures: Query; Query Result]

4.5 Enter the tables in Table 4-15 into a relational DBMS package. Write queries to answer the following questions. Note: For some questions, you may have to create two queries—one to calculate a total and the second to answer the question asked.

Answers depend upon the specific DBMS and query language used. Here are suggested answers in QBE (Query By Example) prepared in Microsoft Access.

a. Which customers (show their names) made purchases from Martinez?

[Figures: Query; Query Result]

b.
Who has the largest credit limit?

[Figures: Query; Query Result]

c. How many sales were made in October?

[Figures: Query; Query Result]

d. What were the item numbers, price, and quantity of each item sold on invoice number 103?

[Figures: Query; Query Result]

e. How much did each salesperson sell?

[Figures: Query; Query Result]

f. How many customers live in Arizona?

[Figures: Query; Query Result]

g. How much credit does each customer still have available?

Questions g and i require the use of a total customer sales calculation; thus, a customer total sales table is prepared as a Microsoft “Make Table Query” in Microsoft Office. A Make Table Query is prepared the same as a normal query except that the user selects the Make Table Query option under the Query Design menu tab.

[Figures: Make-Table Query; Table Result; Query; Query Result]

NOTE: The above query only includes customers that have actually purchased items. There are customers in the database who have not purchased items and consequently were not included in the query results.

h. How much of each item was sold? (Include the description of each item in your answer.)

[Figures: Query; Query Result]

i. Which customers still have more than $1,000 in available credit?

[Figures: Query; Query Result]

j. For which items are there at least 100 units on hand?

[Figures: Query; Query Result]

4.6 The BusyB Company wants to store data about employee skills. Each employee may possess one or more specific skills and several employees may have the same skill. Include the following facts in the database:

date hired; date skill acquired; employee number; date of birth; employee name; pay rate

a. Design a set of relational tables to store these data.
b.
Identify the primary key for each table, and identify any needed foreign keys.

The necessary tables, with their attendant primary and foreign keys, are as follows:

Table Name | Primary Key | Foreign Keys | Other Attributes
Employee | Employee number | Supervisor number (another employee number) | Employee name; Pay rate; Date hired; Date of birth
Skills | Skill number | | Skill name
Employees-Skills | Skill number; Employee number | | Date skill acquired

c. Implement your schema using any relational DBMS. Specify primary and foreign keys, and enforce referential integrity. Demonstrate the soundness of your design by entering sample data in each table.

There is no single solution to part c as students will select different software packages and enter different data in the tables.

4.7 You want to extend the schema shown in Table 4-16 to include information about customer payments. Some customers make installment payments on each invoice. Others write a check to pay for several different invoices.

a. Modify the set of tables in Table 4-16 to store this additional data.
b. Identify the primary key for each new table you create.

The following additional tables, with their attendant primary keys, are needed to store the other new attributes. Note that customer name is already stored in the customer table.

Table Name | Primary Key | Foreign Keys | Other Attributes
Cash Receipts | Cash receipt number | Customer number; Employee processing payment (employee number) | Date of receipt; Total amount received
Cash Receipts-Sales | Invoice payment applies to (Invoice number); Cash receipt number | | Amount applied to a specific invoice

c. Implement your schema using any relational DBMS package. Indicate which attributes are primary and foreign keys, and enter sample data in each table you create.

There is no solution to part c as students will select different software packages and enter different data in the tables.

4.8 Create relational tables that solve the update, insert, and delete anomalies in Table 4-17.

To avoid the update, insert, and delete anomalies, four separate relational tables are created.

TABLE 4-17
Invoice # | Date | Order Date | Customer ID | Customer Name | Item # | Description | Quantity
52 | 6-19-15 | 5-25-15 | 201 | Johnson | 103 | Trek 9000 | 5
52 | 6-19-15 | 5-25-15 | 201 | Johnson | 122 | Nimbus 4000 | 8
52 | 6-19-15 | 5-25-15 | 201 | Johnson | 10 | Izzod 3000 | 11
52 | 6-19-15 | 5-25-15 | 201 | Johnson | 71 | LD Trainer | 12
57 | 6-20-15 | 6-01-15 | 305 | Henry | 535 | TR Standard | 18
57 | 6-20-15 | 6-01-15 | 305 | Henry | 115 | NT 2000 | 15
57 | 6-20-15 | 6-01-15 | 305 | Henry | 122 | Nimbus 4000 | 5

INVOICE TABLE
Invoice# (PK) | Date | OrderDate | CustomerID (FK)
52 | 6-19-15 | 5-25-15 | 201
57 | 6-20-15 | 6-01-15 | 305

INVOICE-INVENTORY TABLE
Invoice# (PK/FK) | Item# (PK/FK) | Quantity
52 | 103 | 5
52 | 122 | 8
52 | 10 | 11
52 | 71 | 12
57 | 535 | 18
57 | 115 | 15
57 | 122 | 5

CUSTOMER TABLE
CustomerID (PK) | CustomerName
201 | Johnson
305 | Henry

ITEM TABLE
Item# (PK) | Description
10 | Izzod 3000
71 | LD Trainer
103 | Trek 9000
115 | NT 2000
122 | Nimbus 4000
535 | TR Standard

Note: PK - Primary Key, FK - Foreign Key, PK/FK - Primary Key/Foreign Key

4.9 Create relational tables that solve the update, insert, and delete anomalies in Table 4-18.

TABLE 4-18
Purchase Order # | Purchase Order Date | Part # | Description | Unit Price | Quantity Ordered | Vendor # | Vendor Name | Vendor Address
2 | 3/9/15 | 334 | XYZ | $30 | 3 | 504 | KL Supply | 75 Stevens Dr.
2 | 3/9/15 | 231 | PDQ | $50 | 5 | 504 | KL Supply | 75 Stevens Dr.
2 | 3/9/15 | 444 | YYM | $80 | 6 | 504 | KL Supply | 75 Stevens Dr.
3 | 4/5/15 | 231 | PDQ | $50 | 2 | 889 | Oscan Inc | 55 Cougar Cir.

PART TABLE
Part # (PK) | Description | Unit Price
334 | XYZ | 30
231 | PDQ | 50
444 | YYM | 80

PURCHASE ORDER TABLE
Purchase Order # (PK) | Vendor # (FK) | Purchase Order Date
2 | 504 | 3/9/15
3 | 889 | 4/5/15

VENDOR TABLE
Vendor # (PK) | Vendor Name | Vendor Address
504 | KL Supply | 75 Stevens Dr.
889 | Oscan Inc. | 55 Cougar Cir.
PURCHASE-PART TABLE
Purchase Order # (PK/FK) | Part # (PK/FK) | Quantity Ordered
2 | 334 | 3
2 | 231 | 5
2 | 444 | 6
3 | 231 | 2

Note: PK - Primary Key, FK - Foreign Key, PK/FK - Primary Key/Foreign Key

4.10 From the database created in the comprehensive problem, perform queries based on the tables and query grid shown in Table 4-19.

The queries and the answers to the queries for the questions about the comprehensive problem data (Table 4-19) are shown below.

a. Which borrowers use Advent Appraisers?

[Figures: Query; Query Result]

b. What is the average amount borrowed from National Mortgage?

[Figures: Query; Query Result]

c. List all of the property appraisers.

[Figures: Query; Query Result]

d. List all of the lenders.

[Figures: Query; Query Result]

e. List the lenders that lent more than $100,000.

[Figure: Query]

NOTE: In order to get a list of lenders without duplicates, the property sheet of the query needs to be modified by setting the value of the Unique Values property to Yes. This can be seen in the screenshot below. The property sheet is found under the Design tab of the ribbon. Setting Unique Values to Yes is the equivalent of entering the DISTINCT keyword in SQL select statements.

[Figure: Query Result]

f. Which borrower requested the largest mortgage?

[Figure: Query]

Notice that in the Design section on the ribbon, you must set the Return value to 1 (located in the Query Setup group). This tells Access to return only the top result. See the image below for a screenshot of this.

[Figure: Query Result]

g. Which borrower requested the smallest mortgage?

[Figures: Query; Query Result]

As with problem 4-10-f, you must set the Return value to 1 in the Design section of the ribbon (located in the Query Setup group). This tells Access to return only the top result.
See the image below for a screenshot of this.

SUGGESTED ANSWERS TO THE CASES

4.1 As in all areas of information technology, DBMSs are constantly changing and improving. Research how businesses are using DBMSs, and write a report of your findings. Address the following issues:

1. Which popular DBMS products are based on the relational data model?
2. Which DBMS products are based on a logical model other than the relational data model?
3. What are the relative strengths and weaknesses of the different types (relational versus other logical models) of DBMSs?

No single answer exists with this case; indeed, solutions will vary depending upon student ingenuity and creativity. Reports should be graded in terms of how well each issue was addressed and in terms of writing quality. Students should be able to find the following information:

• Relational DBMSs include DB2, Oracle, SQL Server and Access.
• Many newer products are based on the object-oriented data model, or are a hybrid of the relational and object-oriented approaches. Older mainframe DBMS are based on hierarchical or network logical models.
• Hierarchical and network DBMSs often provide performance advantages, especially in terms of processing speed. Those advantages, however, usually come at the cost of making it much more difficult for end users to do ad-hoc queries of the database. Relational databases support easy-to-use, yet powerful query languages like SQL and graphical query-by-example languages such as that provided by Microsoft Access. Object-oriented databases are especially effective for including multimedia, whereas hierarchical, network, and relational databases are better suited for alphanumeric data (although the relational model can be extended to include multimedia data). Pure object-oriented databases are more often designed for special purpose scientific use when graphical images and sound need to be stored in the database.
Relational and hybrid object-relational DBMSs are commonly used in newer transaction processing systems, although older systems are based on the hierarchical or network data models.

CHAPTER 5
COMPUTER FRAUD

SUGGESTED ANSWERS TO DISCUSSION QUESTIONS

5.1 Do you agree that the most effective way to obtain adequate system security is to rely on the integrity of company employees? Why or why not? Does this seem ironic? What should a company do to ensure the integrity of its employees?

The statement is ironic because employees represent both the greatest control strength and the greatest control weakness. Honest, skilled employees are the most effective fraud deterrent. However, when fraud occurs, it often involves an employee in a position of trust. As many as 90% of computer frauds are insider jobs by employees.

Employers can do the following to maintain the integrity of their employees. (NOTE: Answers are introduced in this chapter and covered in more depth in Chapter 7.)

• Human Resource Policies. Implement human resource policies for hiring, compensating, evaluating, counseling, promoting, and discharging employees that send messages about the required level of ethical behavior and integrity.
• Hiring and Firing Practices. Effective hiring and firing practices include:
  o Screen potential employees using thorough background checks and written tests that evaluate integrity.
  o Remove fired employees from all sensitive jobs and deny them access to the computer system to avoid sabotage.
• Managing Disgruntled Employees. Some employees who commit a fraud are disgruntled and are seeking revenge or "justice" for some wrong that they perceive has been done to them. Companies should have procedures for identifying these individuals and helping them resolve their feelings or removing them from jobs that allow them access to the system.
One way to avoid disgruntled employees is to provide grievance channels that allow employees to talk to someone outside the normal chain of command about their grievances.
• Culture. Create an organizational culture that stresses integrity and commitment to both ethical values and competence.
• Management Style. Adopt an organizational structure, management philosophy, operating style, and appetite for risk that minimizes the likelihood of fraud.
• Employee Training. Employees should be trained in appropriate behavior, which is reinforced by the corporate culture. Employees should be taught fraud awareness, security measures, ethical considerations, and punishment for unethical behavior.

5.2 You are the president of a multinational company where an executive confessed to kiting $100,000. What is kiting and what can your company do to prevent it? How would you respond to the confession? What issues must you consider before pressing charges?

In a kiting scheme, cash is created using the lag between the time a check is deposited and the time it clears the bank. Suppose a fraud perpetrator opens accounts in banks A, B, and C. The perpetrator “creates” cash by depositing a $1,000 check from bank B in bank C and withdrawing the funds. If it takes two days for the check to clear bank B, he has created $1,000 for two days. After two days, the perpetrator deposits a $1,000 check from bank A in bank B to cover the created $1,000 for two more days. At the appropriate time, $1,000 is deposited from bank C in bank A. The scheme continues, writing checks and making deposits as needed to keep the checks from bouncing.

Kiting can be detected by analyzing all interbank transfers. Since the scheme requires constant transferring of funds, the number of interbank transfers will usually increase significantly. This increase is a red flag that should alert the auditors to begin an investigation.
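One way to run the interbank-transfer analysis described above, shown as an added example that is not part of the original solution manual. It flags the increase in transfer volume and then looks for the A, B, C covering pattern; the holder ids, bank labels, three-day clearing window and spike thresholds are assumptions, and the transfer records are constructed.

```python
from collections import Counter, defaultdict, namedtuple
from datetime import date

# One interbank check deposit: a check drawn on one bank, deposited in another.
Transfer = namedtuple("Transfer", "when holder drawn_on deposited_in amount")

# Constructed sample records. H-100 moves money occasionally; H-200 starts
# depositing checks between banks A, B and C every two days in March.
TRANSFERS = [Transfer(*row) for row in [
    (date(2015, 1, 12), "H-100", "A", "B", 800),
    (date(2015, 2, 10), "H-100", "A", "B", 750),
    (date(2015, 3, 11), "H-100", "B", "A", 300),
    (date(2015, 1, 20), "H-200", "A", "B", 500),
    (date(2015, 2, 18), "H-200", "B", "C", 400),
    (date(2015, 3, 2), "H-200", "B", "C", 1000),
    (date(2015, 3, 4), "H-200", "A", "B", 1000),
    (date(2015, 3, 6), "H-200", "C", "A", 1000),
    (date(2015, 3, 8), "H-200", "B", "C", 1000),
    (date(2015, 3, 10), "H-200", "A", "B", 1000),
    (date(2015, 3, 12), "H-200", "C", "A", 1000),
]]


def monthly_counts(transfers):
    """Number of interbank transfers per holder per (year, month)."""
    counts = defaultdict(Counter)
    for t in transfers:
        counts[t.holder][(t.when.year, t.when.month)] += 1
    return counts


def transfer_spikes(transfers, ratio=3.0, min_count=4):
    """Months in which a holder's transfer count is at least `ratio` times the
    holder's average over earlier active months (months with no transfers are
    not counted in the baseline, a simplification)."""
    flagged = []
    for holder, by_month in monthly_counts(transfers).items():
        months = sorted(by_month)
        for i, month in enumerate(months[1:], start=1):
            baseline = sum(by_month[m] for m in months[:i]) / i
            count = by_month[month]
            if count >= min_count and count >= ratio * baseline:
                flagged.append((holder, month, count, baseline))
    return sorted(flagged)


def find_kiting_loop(transfers, holder, window_days=3):
    """Return the first chain of checks in which each later deposit lands in
    the bank the previous check was drawn on (covering it before it clears)
    and the last check is drawn on the bank that received the first deposit.
    Returns [] when the holder has no such chain."""
    own = sorted(t for t in transfers if t.holder == holder)

    def extend(chain):
        first, last = chain[0], chain[-1]
        if len(chain) > 1 and last.drawn_on == first.deposited_in:
            return chain  # the money has gone full circle
        for nxt in own:
            gap = (nxt.when - last.when).days
            if 0 < gap <= window_days and nxt.deposited_in == last.drawn_on:
                found = extend(chain + [nxt])
                if found:
                    return found
        return []

    for start in own:
        loop = extend([start])
        if loop:
            return loop
    return []


def holders_to_investigate(transfers):
    """Holders with a transfer spike, paired with any covering loop found."""
    return {holder: find_kiting_loop(transfers, holder)
            for holder, _month, _count, _baseline in transfer_spikes(transfers)}
```

A spike alone is only the red flag the answer describes; the covering loop is the evidence an auditor would then follow up on.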
When the employee confesses, the company should immediately investigate the fraud and determine the actual losses. Employees often "underconfess" the amount they have taken. When the investigation is complete, the company should determine what controls could be added to the system to deter similar frauds and to detect them if they do occur.

Employers should consider the following issues before pressing charges:

• How will prosecuting the case impact the future success of the business?
• What effect will adverse publicity have upon the company's well-being? Can the publicity increase the incidence of fraud by exposing company weaknesses?
• What social responsibility does the company have to press charges?
• Does the evidence ensure a conviction?
• If charges are not made, what message does that send to other employees?
• Will not exposing the crime subject the company to civil liabilities?

5.3 Discuss the following statement by Roswell Steffen, a convicted embezzler: “For every foolproof system, there is a method for beating it.” Do you believe a completely secure computer system is possible? Explain. If internal controls are less than 100% effective, why should they be employed at all?

The old saying "where there is a will, there is a way" applies to committing fraud and to breaking into a computer system. It is possible to institute sufficient controls in a system so that it is very difficult to perpetrate the fraud or break into the computer system, but most experts would agree that it just isn't possible to design a system that is 100% secure from every threat. There is bound to be someone who will think of a way of breaking into the system that designers did not anticipate and did not control against.

If there were a way to make a foolproof system, it would very likely be too cost-prohibitive to employ.
Though internal controls can't eliminate all system threats, controls can:

• Reduce threats caused by employee negligence or error. Such threats are often more financially devastating than intentional acts.
• Significantly reduce the opportunities, and therefore the likelihood, that someone can break into the system or commit a fraud.

5.4 Revlon hired Logisticon to install a real-time invoice and inventory processing system. Seven months later, when the system crashed, Revlon blamed the Logisticon programming bugs they discovered and withheld payment on the contract. Logisticon contended that the software was fine and that it was the hardware that was faulty. When Revlon again refused payment, Logisticon repossessed the software using a telephone dial-in feature to disable the software and render the system unusable. After a three-day standoff, Logisticon reactivated the system. Revlon sued Logisticon, charging them with trespassing, breach of contract, and misappropriation of trade secrets (Revlon passwords). Logisticon countersued for breach of contract. The companies settled out of court.

Would Logisticon’s actions be classified as sabotage or repossession? Why? Would you find the company guilty of committing a computer crime? Be prepared to defend your position to the class.

This problem has no clear answer. By strict definition, the actions of Logisticon in halting the software represented trespassing and an invasion of privacy. Some states recognize trespassing as a breach of the peace, thereby making Logisticon's actions illegal. However, according to contract law, a secured party can repossess collateral if the contract has been violated and repossession can occur without a breach of the peace.

The value of this discussion question is not in disseminating a “right answer” but in encouraging students to examine both sides of an issue with no clear answer.
In most classes, some students will feel strongly about each side and many will sit on the fence and not know.

5.5 Because improved computer security measures sometimes create a new set of problems—user antagonism, sluggish response time, and hampered performance—some people believe the most effective computer security is educating users about good moral conduct. Richard Stallman, a computer activist, believes software licensing is antisocial because it prohibits the growth of technology by keeping information away from the neighbors. He believes high school and college students should have unlimited access to computers without security measures so that they can learn constructive and civilized behavior. He states that a protected system is a puzzle and, because it is human nature to solve puzzles, eliminating computer security so that there is no temptation to break in would reduce hacking.

Do you agree that software licensing is antisocial? Is ethical teaching the solution to computer security problems? Would the removal of computer security measures reduce the incidence of computer fraud? Why or why not?

Answers will vary. Students should consider the following conflicting concepts:

Software licensing encourages the development of new ideas by protecting the efforts of businesses seeking to develop new software products that will provide them with a profit and/or a competitive advantage in the marketplace. This point is supported by the following ideas:

• The prospect of a financial reward is the primary incentive for companies to expend the time and money to develop new technologies.
• If businesses were unable to protect their investment by licensing the software to others, it would be much more difficult for them to receive a reward for their efforts in the research and development of computer software.
• Economic systems without such incentives are much more likely to fail in developing new products to meet consumer needs.
The only way to foster new ideas is to make information and software available to all people. The most creative ideas are developed when individuals are free to use all available resources (such as software and information).

Many security experts and systems consultants view proper ethical teaching as an important solution to most security problems. However, no single approach is a complete solution to the problem of computer fraud and abuse. Proper ethical teachings can reduce but not eliminate the incidents of fraud.

Though no security system is impenetrable, system security measures can significantly reduce the opportunity for damages from both intentional and unintentional threats by employees. Controls can also make the cost (in time and resources) greater than the benefit to the potential perpetrator.

Ultimately, the reduction in security measures will increase opportunities for fraud. If the perpetrator has sufficient motive and is able to rationalize his dishonest acts, increased opportunity will probably lead to an increase in computer crimes.

SUGGESTED ANSWERS TO THE PROBLEMS

5.1 You were asked to investigate extremely high, unexplained merchandise shortages at a department store chain. Classify each of the five situations as a fraudulent act, an indicator of fraud, or an event unrelated to the investigation. Justify your answers. Adapted from the CIA Examination

a. The receiving department supervisor owns and operates a boutique carrying many of the same labels as the chain store. The general manager is unaware of the ownership interest.

This is an indication of possible fraud. This conflict of interest is a fraud symptom that alerts auditors to the possibility of fraud. The receiving department supervisor’s ownership of the boutique may also be in conflict with the organization's code of ethics and conduct.

b.
The receiving supervisor signs receiving reports showing that the total quantity shipped by a supplier was received and then diverts 5% to 10% of each shipment to the boutique.

This is a fraudulent act because there is a theft accompanied by:
1. A false statement, representation, or disclosure (signing the receiving report)
2. A material fact (the signature on the receiving report causes the company to act; that is, to pay the vendor)
3. An intent to deceive (the supervisor deceives the company so that it will pay for the goods he steals)
4. A justifiable reliance (the store relies on the misrepresentation to pay the vendor)
5. An injury or loss (the supervisor steals goods the store pays for)

c. The store is unaware of the short shipments because the receiving report accompanying the merchandise to the sales areas shows that everything was received.

This is a weakness in internal control. Sales personnel should count the goods received and match their counts to the accompanying receiving report. Failure to do so allows the theft to go undetected.

d. Accounts Payable paid vendors for the total quantity shown on the receiving report.

Proper internal control says that Accounts Payable should match the vendor’s invoice to both the purchase order and the receiving report. Because this matching would not detect the theft, some may argue that this is a weakness in internal control. However, the weakness lies in the sales department not counting (independently verifying) the receiving department count (see parts c and e). Therefore, accounts payable paying the vendor the total amount due is not a fraud or an indicator of fraud or an internal control weakness. It has no bearing on the investigation.

e. Based on the receiving department supervisor’s instructions, quantities on the receiving reports were not counted by sales personnel.

This is the same internal control weakness described in part c.
The receiving department supervisor gave those instructions to facilitate his or her fraud.

In addition, sales personnel’s following the receiving department supervisor’s instructions is another internal control weakness. The receiving department supervisor should not have control over or manage sales personnel. There should be a clear-cut segregation of duties between sales and receiving.

The receiving department supervisor having control over or supervising sales personnel is also a fraud symptom that should alert auditors to the possibility of fraud.

5.2 A client heard through its hot line that John, the purchases journal clerk, periodically enters fictitious acquisitions. After John creates a fictitious purchase, he notifies Alice, the accounts payable ledger clerk, so she can enter them in her ledger. When the payables are processed, the payment is mailed to the nonexistent supplier’s address, a post office box rented by John. John deposits the check in an account he opened in the nonexistent supplier’s name. Adapted from the CIA Examination.

a. Define fraud, fraud deterrence, fraud detection, and fraud investigation.

Fraud is gaining an unfair advantage over another person. Legally, for an act to be fraudulent there must be:
1. A false statement, representation, or disclosure
2. A material fact, which is something that induces a person to act
3. An intent to deceive
4. A justifiable reliance; that is, the person relies on the misrepresentation to take an action
5. An injury or loss suffered by the victim

Fraud can be perpetrated for the benefit of or to the detriment of the organization and by persons outside as well as inside the organization.

Fraud deterrence is the actions taken to discourage the perpetration of fraud.
Fraud detection is using any and all means, including fraud symptoms (also called red flags of fraud), to determine whether fraud is taking place.

Fraud investigation is performing the procedures needed to determine the nature and amount of a fraud that has occurred.

b. List four personal (as opposed to organizational) fraud symptoms, or red-flags, that indicate the possibility of fraud. Do not confine your answer to this example.
• High personal debts or significant financial or investment losses.
• Expensive lifestyle; living beyond your means.
• Extensive gambling, alcohol, or drug problems.
• Significant personal or family problems.
• Rewriting records, under the guise of neatness.
• Refusing to leave custody of records during the day.
• Extensive overtime.
• Skipping vacations.
• Questionable background and references.
• Feeling that pay is not commensurate with responsibilities.
• Strong desire to beat the system.
• Regular borrowing from fellow employees.
• Personal checks returned for insufficient funds.
• Collectors and creditors appearing at the place of business.
• Placing unauthorized IOUs in petty cash funds.
• Inclination toward covering up inefficiencies or "plugging" figures.
• Pronounced criticism of others.
• Association with questionable characters.
• Annoyance with reasonable questions; replying to questions with unreasonable answers.
• Unusually large bank balance.
• Bragging about exploits.
• Carrying unusually large amounts of cash.

c. List two procedures you could follow to uncover John’s fraudulent behavior.
1. Inspecting the documentation supporting the release of a check to a vendor. There would be no receiving report. There might be a fake PO (not clear from the problem if John documents the fake purchase or if it is just oral).
2. Tracing all payments back to the supporting documentation. The receiving department would have no record of the receipt of the goods.
The purchasing department would have no record of having ordered the materials or of having such materials requested.

5.3 The computer frauds that are publicly revealed represent only the tip of the iceberg. Although many people perceive that the major threat to computer security is external, the more dangerous threats come from insiders. Management must recognize these problems and develop and enforce security programs to deal with the many types of computer fraud. Explain how each of the following six types of fraud is committed. Using the format provided, also identify a different method of protection for each and describe how it works. Adapted from the CMA Examination.

Type of Fraud: Input manipulation
Explanation: This requires the least amount of technical skill and little knowledge of how the computers operate. Input data are improperly altered or revised without authorization. For example, payroll time sheets can be altered to pay overtime or an extra salary.
Identification and Description of Protection Methods:
Documentation and Authorization
− Data input format authorized and properly documented.
− Control over blank documents.
− Comprehensive editing
− Control source of data
Programmed Terminal/User protection
− Programs that only accept inputs from certain designated users, locations, terminals, and/or times of the day.

Type of Fraud: Program alteration
Explanation: Program alteration requires programming skills and knowledge of the program. Program coding is revised for fraudulent purposes. For example:
− Ignore certain transactions such as overdrafts against the programmers' account
− Grant excessive discounts to specified customers
Identification and Description of Protection Methods:
Programmers should not be allowed to make changes to actual production source programs and data files.
Segregation of Duties
− Programmers should not have access to production programs or data files.
Periodic Comparisons
− Internal Audit or an independent group should periodically process actual data, and compare the output with output from normal operations. Differences indicate unauthorized program changes.
− Periodic comparisons of on-line programs to off-line backup copies to detect changes.
− Independent file librarian function who controls custody/access to programs

Type of Fraud: File alteration
Explanation: Defrauder revises specific data or manipulates data files. For example:
− Using program instructions to fraudulently change an employee’s pay rate in the payroll master file
− Transferring balances among dormant accounts to conceal improper withdrawals of funds.
Identification and Description of Protection Methods:
Restrict Access to Equipment/Files
− Restrict access to computer center.
− Programmers and analysts should not have direct access to production data files.
− Have a librarian maintain production data files in a library.
− Restrict computer operator access to applications documentation, except where needed to perform their duties, to minimize their ability to modify programs and data files.

Type of Fraud: Data theft
Explanation: Smuggling out data on:
- Hard copies of reports/files.
- Magnetic devices in briefcases, employees' pockets, etc.
Tap or intercept data transmitted by data communication lines
Identification and Description of Protection Methods:
Electronic sensitization of all library materials to detect unauthorized removals.
Encrypt sensitive data transmissions.

Type of Fraud: Sabotage
Explanation: Physical destruction of hardware or software.
Identification and Description of Protection Methods:
Terminated employees immediately denied access to all computer equipment and information to prevent them from destroying or altering equipment or files.
Maintain backup files at secure off-site l

Type of Fraud: Theft of Computer Time
Explanation: Unauthorized use of a company's computer for personal or outside business activities. This can result in the computer being fully utilized and lead to unnecessary computer capacity upgrades.
Identification and Description of Protection Methods:
Assigning blocks of time to processing jobs and using the operating system to block out the user once the allocated time is exhausted.
Any additional time would require special authorization.

5.4 Environmental, institutional, or individual pressures and opportune situations, which are present to some degree in all companies, motivate individuals and companies to engage in fraudulent financial reporting. Fraud prevention and detection require that pressures and opportunities be identified and evaluated in terms of the risks they pose to a company. Adapted from the CMA Examination.

a. Identify two company pressures that would increase the likelihood of fraudulent financial reporting.
• Sudden decreases in revenue or market share
• Financial pressure from bonus plans that depend on short-term economic performance
• Intense pressure to meet/exceed earnings expectations or improve reported performance
• Significant cash flow problems; unusual difficulty collecting receivables or paying payables
• Heavy losses, high or undiversified risk, high dependence on debt, or unduly restrictive debt covenants
• Heavy dependence on new or unproven product lines
• Severe inventory obsolescence or excessive inventory buildup
• Highly unfavorable economic conditions (inflation, recession)
• Litigation, especially management vs. shareholders
• Impending business failure or bankruptcy
• Problems with regulatory agencies
• Unusual spikes in interest rates
• Poor or deteriorating financial position

b. Identify three corporate opportunities that make fraud easier to commit and detection less likely.
• Weak or nonexistent internal controls
• Failure to enforce/monitor internal controls
• Management not involved in control system or overriding controls
• Unusual or complex transactions such as the consolidation of two companies
• Accounting estimates requiring significant subjective judgment by management
• Managerial carelessness, inattention to details
• Dominant and unchallenged management
• Ineffective oversight by board of directors
• Nonexistent or ineffective internal auditing staff
• Insufficient separation of authorization, custody, and record-keeping duties
• Inadequate supervision or too much trust in key employees
• Unclear lines of authority
• Lack of proper authorization procedures
• No independent checks on performance or infrequent third-party reviews
• Inadequate documents and records
• Inadequate system for safeguarding assets
• No physical or logical security system
• No audit trails

The list shown here can be augmented by the items in Table 5-4 listed in the Other Factors column.

c. For each of the following, identify the external environmental factors that should be considered in assessing the risk of fraudulent financial reporting
• The company’s industry
  o Specific industry trends such as overall demand for the industry's products, economic events affecting the industry, and whether the industry is expanding or declining.
  o Whether the industry is currently in a state of transition affecting management's ability to control company operations.
• The company’s business environment
  o The continued viability of the company's products in the marketplace.
  o Sensitivity of the company's operations and profits to economic and political factors.
• The company’s legal and regulatory environment
  o The status of the company's business licenses or agreements, especially in light of the company's record of compliance with regulatory requirements.
  o The existence of significant litigation.

d.
What can top management do to reduce the possibility of fraudulent financial reporting?
• Set the proper tone to establish a corporate environment contributing to the integrity of the financial reporting process.
• Identify and understand the factors that can lead to fraudulent financial reporting.
• Assess the risk of fraudulent financial reporting that these factors can cause within the company.
• Design and implement internal controls that provide reasonable assurance that fraudulent financial reporting is prevented, such as establishing an Internal Audit Department that reports to the Audit Committee of the Board of Directors.
• Enforce the internal controls

NOTE: Most fraudulent financial reporting is perpetrated by top management, often by overriding internal controls. While some of the above controls in part d are more likely to prevent misappropriation of assets, they can still be useful for preventing or deterring fraudulent financial reporting.

5.5 For each of the following independent cases of employee fraud, recommend how to prevent similar problems in the future. Adapted from the CMA Examination

a. Due to abnormal inventory shrinkage in the audiovisual department at a retail chain store, internal auditors conducted an in-depth audit of the department. They learned that a customer frequently bought large numbers of small electronic components from a certain cashier. The auditors discovered that they had colluded to steal electronic components by not recording the sale of items the customer took from the store.

While collusion is difficult to prevent, the store could improve its control system by:
• Implementing job rotation so that the same employees are not always performing the same duties.
• Separating the payment for expensive items from the pickup of these items at a separate location.
• Videotaping the cashiers and periodically reviewing the tapes looking for fraud and collusion.
More specifically, they could determine whether or not a sale was rung up.
• Tagging each item with an electronic tag that can only be deactivated by scanning it into a cash register. This may cost more (and be more hassle) than it is worth.

b. During an unannounced audit, auditors discovered a payroll fraud when they distributed paychecks instead of department supervisors. When the auditors investigated an unclaimed paycheck, they discovered that the employee quit four months previously after arguing with the supervisor. The supervisor continued to turn in a time card for the employee and pocketed his check.

The payroll fraud could be prevented with better internal controls, including:
• Separation of duties. A supervisor with the authority to approve time cards should not be allowed to distribute paychecks. An individual with no other payroll-related duties should distribute checks.
• Periodic floor checks for employees on the payroll.
• Electronically depositing paychecks in employee accounts, thereby eliminating their physical distribution.

c. Auditors discovered an accounts payable clerk who made copies of supporting documents and used them to support duplicate supplier payments. The clerk deposited the duplicate checks in a bank account she had opened using a name similar to the supplier’s.

The accounts payable fraud could be prevented with better internal controls, including:
• Implement and enforce a policy that prohibits the payment of invoices based on copies of supporting documents.
• Require all vendors to submit a numbered electronic invoice. The computer could match the invoice to the supporting documents, automatically looking for duplicate invoices or duplicate supporting documents.
• Make all payments to the vendor’s bank account using electronic funds transfers (EFT).
• Require specific authorization if a situation arises where payment on the basis of copies of supporting documents is necessary.

5.6 An auditor found that Rent-A-Wreck management does not always comply with its stated policy that sealed bids be used to sell obsolete cars. Records indicated that several vehicles with recent major repairs were sold at negotiated prices. Management vigorously assured the auditor that performing limited repairs and negotiating with knowledgeable buyers resulted in better sales prices than the sealed-bid procedures. Further investigation revealed that the vehicles were sold to employees at prices well below market value. Three managers and five other employees pleaded guilty to criminal charges and made restitution. Adapted from the CIA Examination

a. List the fraud symptoms that should have aroused the auditor’s suspicion.
• Failure to follow the established policy of requiring sealed bids to dispose of vehicles being salvaged.
• Management's vigorous justification for departing from established policy.
• Repairing vehicles before they were sold for salvage.

b. What audit procedures would show that fraud had in fact occurred?
• Review thoroughly the sales documentation that identifies the people who bought the vehicles at negotiated prices, including comparing the buyers to a list of company employees.
• Determine whether the company received fair value when the vehicles were sold. This could be accomplished by one or more of the following:
  o Compare the sales price to "blue book" prices or to proceeds of sales of comparable vehicles made based on sealed bids
  o Locate the actual vehicles and have their values appraised.
• Review maintenance records for salvaged vehicles looking for recent charges that indicate the vehicle might have been fixed before it was sold.

5.7 A bank auditor met with the senior operations manager to discuss a customer’s complaint that an auto loan payment was not credited on time.
The customer said the payment was made on May 5, its due date, at a teller’s window using a check drawn on an account in the bank. On May 10, when the customer called for a loan pay-off balance so he could sell the car, he learned that the payment had not been credited to the loan. On May 12, the customer went to the bank to inquire about the payment and meet with the manager. The manager said the payment had been made on May 11. The customer was satisfied because no late charge would have been assessed until May 15. The manager asked whether the auditor was comfortable with this situation. The auditor located the customer’s paid check and found that it had cleared on May 5. The auditor traced the item back through the computer records and found that the teller had processed the check as being cashed. The auditor traced the payment through the entry records of May 11 and found that the payment had been made with cash instead of a check. What type of embezzlement scheme does this appear to be, and how does that scheme operate? Adapted from the CIA Examination

The circumstances are symptomatic of lapping, which is a common form of embezzlement by lower-level employees in positions that handle cash receipts. In a lapping scheme, the perpetrator steals cash, such as a payment on accounts receivable by customer A. Funds received at a later date from customer B are used to pay off customer A's balance. Even later, funds from customer C are used to pay off B, and so forth. Since the time between the theft of cash and the subsequent recording of a payment is usually short, the theft can be effectively hidden. However, the cover-up must continue indefinitely unless the money is replaced, since the theft would be uncovered if the scheme is stopped.

5.8 AICPA adapted

a. Prepare a schedule showing how much the cashier embezzled.
Balance per Books, November 30                          18,901.62
Add: Outstanding Checks
    Number      Amount
    62          116.25
    183         150.00
    284         253.25
    8621        190.71
    8622        206.80
    8632        145.28
                           1,062.29
Add: Bank credit             100.00
Total additions to balance per books                     1,162.29
Subtract: Deposits in transit                           (3,794.41)
Balance per bank                                        16,269.50
Balance per bank (according to the bank)                15,550.00
Amount of theft                                            719.50

b. Describe how the cashier attempted to hide the theft.

The cashier used several methods to attempt to hide the theft:
1. The cashier did not include 3 outstanding checks in the reconciliation:
   § No. 62 – 116.25
   § No. 183 – 150.00
   § No. 284 – 253.25
   Total: 519.50
2. Error in totaling (footing) the outstanding checks. The total of the checks listed on the reconciliation is actually 542.79 not 442.79.
3. Deducting instead of adding the bank credit (100) after the balance per bank is calculated.
4. The total is 719.50 (519.50 + 100 + 100)

5.9 An accountant with the Atlanta Olympic Games was charged with embezzling over $60,000 to purchase a Mercedes-Benz and to invest in a certificate of deposit. Police alleged that he created fictitious invoices from two companies that had contracts with the Olympic Committee: International Protection Consulting and Languages Services. He then wrote checks to pay the fictitious invoices and deposited them into a bank account he had opened under the name of one of the companies. When he was apprehended, he cooperated with police to the extent of telling them of the bogus bank account and the purchase of the Mercedes-Benz and the CD. The accountant was a recent honors graduate from a respected university who, supervisors stated, was a very trusted and loyal employee.

a. How does the accountant fit the profile of a fraudster?

The accountant fit the fraud profile in that he was
• Young
• Possessed knowledge, experience, and skills
• A dedicated, loyal and trusted employee
• An honest, valued, and respected member of the community.
How does he not fit the profile?

He invested a portion of his ill-gotten gains instead of spending it like the typical fraudster.

b. What fraud scheme did he use to perpetrate his fraud?

The accountant prepared fake invoices from legitimate contractors, wrote checks to pay the invoices, and then deposited the checks into a bank account he had opened under the name of one of the companies.

c. What controls could have prevented his fraud?

All the accountant had to do was create fictitious invoices, as he had custody of checks before and after they were signed and he had the authorization to approve payments and sign checks. The fraud could have been prevented by separating accounting duties:
• Restrict access (custody) to company checks and the check signing machine to someone that does not have recording or authorization responsibilities.
• Do not permit the person that prepares the check to disburse the check (mail it to the recipient, etc.)
• Have someone familiar with the contractors authorize payments – someone who would have known that the goods and services were never ordered or performed. This should be someone other than the preparer of the check; that is, someone without custody or recording functions.
• Require that someone other than the people with custody and authorization responsibilities record the payments.

d. What controls could have detected his fraud?
• A bank reconciliation prepared by someone else. An Olympic Committee official should have reviewed bank statements and cancelled checks.
• Periodic confirmations of invoices with vendors.
• Analytical reviews designed to detect an abnormal increase in expenses.

5.10 Lexsteel, a manufacturer of steel furniture, has facilities throughout the United States.
Problems with the accounts payable system have prompted Lexsteel’s external auditor to recommend a detailed study to determine the company’s exposure to fraud and to identify ways to improve internal control. Lexsteel’s controller assigned the study to Dolores Smith. She interviewed Accounts Payable employees and created the flowchart of the current system shown in Figure 5-3. Lexsteel’s purchasing, production control, accounts payable, and cash disbursements functions are centralized at corporate headquarters. The company mainframe at corporate headquarters is linked to the computers at each branch location by leased telephone lines. The mainframe generates production orders and the bills of material needed for the production runs. From the bills of material, purchase orders for raw materials are generated and e-mailed to vendors. Each purchase order tells the vendor which manufacturing plant to ship the materials to. When the raw materials arrive, the manufacturing plants produce the items on the production orders received from corporate headquarters. The manufacturing plant checks the goods received for quality, counts them, reconciles the count to the packing slip, and e-mails the receiving data to Accounts Payable. If raw material deliveries fall behind production, each branch manager can send emergency purchase orders directly to vendors. Emergency order data and verification of materials received are e-mailed to Accounts Payable. Since the company employs a computerized perpetual inventory system, periodic physical counts of raw materials are not performed. Vendor invoices are e-mailed to headquarters and entered by Accounts Payable when received. This often occurs before the branch offices transmit the receiving data. Payments are due 10 days after the company receives the invoices. Using information on the invoice, Data Entry calculates the final day the invoice can be paid, and it is entered as the payment due date. 
Once a week, invoices due the following week are printed in chronological entry order on a payment listing, and the corresponding checks are drawn. The checks and payment listing are sent to the treasurer’s office for signature and mailing to the payee. The check number is printed by the computer, displayed on the check and the payment listing, and validated as the checks are signed. After the checks are mailed, the payment listing is returned to Accounts Payable for filing. When there is insufficient cash to pay all the invoices, the treasurer retains certain checks and the payment listing until all checks can be paid. When the remaining checks are mailed, the listing is then returned to Accounts Payable. Often, weekly check mailings include a few checks from the previous week, but rarely are there more than two weekly listings involved. When Accounts Payable receives the payment listing from the treasurer’s office, the expenses are distributed, coded, and posted to the appropriate cost center accounts. Accounts Payable processes weekly summary performance reports for each cost center and branch location. Adapted from the CMA Examination

1. Discuss three ways Lexsteel is exposed to fraud and recommend improvements to correct these weaknesses.

Weakness: There are no controls over branch managers issuing emergency purchase orders. The branch manager can decide when an "emergency" exists and she is permitted to choose a vendor subjectively. This opens the door to fraud and errors.
Recommendation: A procedure for expediting emergency orders should be developed for the purchasing department that contains appropriate controls.

Weakness: Invoices are paid without agreeing them to purchase orders and receiving reports. Making payments without this comparison could result in payments for goods that were not ordered or that were not received.
Recommendation: Require proper authorizations and verification documentation (agreement of invoices, purchase orders, and receiving report) prior to payment.

Weakness: There is no supporting documentation attached to the checks when they are forwarded to the treasurer for payment. The supporting documents are not canceled after payment, allowing the possibility of a second payment of the same invoice.
Recommendation: Checks sent to the Treasurer for signature should be accompanied by all original supporting documents (invoice, purchase order and receiving report) so the Treasurer can verify that the payment is valid and appropriate. The invoices and other supporting documents should be canceled after the checks are signed.

2. Describe three ways management information could be distorted and recommend improvements to correct these weaknesses.

Weakness 1: Cash balances are distorted when checks are drawn when due but are not mailed until sufficient cash is available. Cash management will also be affected by inaccurate due dates, lack of procedures for taking vendor discounts, and inaccurate information for EOQ calculations.
Recommendation: Checks should be drawn only when cash is available and mailed immediately. Procedures should be established for taking advantage of vendor discounts when appropriate.

Weakness 2: Accounts payable information is distorted by drawing checks and then holding them for future payment, by entering invoices without supporting documentation, and by inaccurate receiving documentation.
Recommendation: Invoices should not be entered into the system until matched with supporting documents, and receiving documents should be matched against original purchase orders.

Weakness 3: Inventory balances are likely to be misstated because of no physical counts.
Recommendation: Periodically count inventory and reconcile the counts to inventory records.

Weakness 4: Calculating due dates by hand and using the invoice date instead of the date the goods are received could lead to inaccurate due dates that could damage vendor relations.
Recommendation: The system should calculate due dates from the date goods are received, not based on the date they are invoiced.

Weakness: The lack of control over emergency orders could distort inventory balances and cause duplicate purchases.
Recommendation: Implement appropriate controls to prevent duplicate purchases, such as immediate entry of emergency orders so the system has a record of them.

3. Identify and explain three strengths in Lexsteel’s procedures
• The company has a centralized EDP system and database in place. This eliminates duplication of effort and data redundancy while improving data integrity, efficiency, productivity, and timely management information.
• Most purchase orders are issued by the centralized purchasing department from computerized production orders or bills of material. This limits overstocking of materials inventory and employs the specialized expertise in the purchasing function.
• The functions of purchasing, production control, accounts payable, and cash disbursements are centralized at the corporate headquarters. This improves management control and avoids a duplication of efforts. The separated departments help maintain internal control by the segregation of duties for authorization, payment, and coding.

5.11 The Association of Certified Fraud Examiners periodically prepares an article called “What Is Your Fraud IQ?” It consists of 10 or more multiple choice questions dealing with various aspects of fraud. The answers, as well as an explanation of each answer, are provided at the end of the article. Visit the Journal of Accountancy site (http://www.journalofaccountancy.com) and search for the articles. Read and answer the questions in three of these articles, and then check your answers.

There should be 5 or 6 of these articles on the Journal of Accountancy web site. No solution is provided here as the solutions are at the end of each article. Most questions are thought provoking and the answers informative.
5.12 Explore the Anti-Fraud and Forensic Accounting portion of the AICPA Web site (http://www.aicpa.org/INTERESTAREAS/FORENSICANDVALUATION/RESOURCES/Pages/default.aspx), and write a two-page report on the three most interesting things you found on the site.

Solutions will vary. The purpose of the problem is to expose the students to the website contents. The author grades the report on a pass/fail basis based on whether the student gave an honest effort in exploring the site and writing up the report.

SUGGESTED ANSWERS TO THE CASES

5.1

1. How does Miller fit the profile of the average fraud perpetrator?

• Like many fraud perpetrators, David Miller was not much different than the general public in terms of education, values, religion, marriage, and psychological makeup.
• Like Miller, many white-collar criminals are regarded as ideal employees until they are caught. Like him, they are dedicated and work long hours.
• He was well respected, occupied a position of trust, and was viewed as an honest, upstanding citizen.
• Most fraud perpetrators spend all that they steal. Few invest it. Miller was no exception.

How does he differ?

• Miller was not disgruntled and unhappy, nor was he seeking to get even with his employer.
• Though David Miller was never convicted of fraud, he was involved in a number of schemes. In contrast, most fraud perpetrators are first time offenders.

How did these characteristics make him difficult to detect?

It is often difficult to detect fraud perpetrators because they possess few characteristics that distinguish them from the public. Most white-collar criminals are talented, intelligent, and well educated. Many are regarded as the ideal employee that occupies a position of trust, is dedicated, and works hard for the company. They are otherwise honest, upstanding citizens that have usually never committed any other criminal offense.

2. Explain the three elements of the opportunity triangle (commit, conceal, convert) and discuss how Miller accomplished each when embezzling funds from Associated Communications. What specific concealment techniques did Miller use?

There are three elements to the opportunity triangle:

1. The perpetrator must commit the fraud by stealing something of value, such as cash, or by intentionally reporting misleading financial information. Miller was able to steal cash by undermining the internal controls that required two signatures on checks. He asked company officials to sign checks before they went on vacation "just in case" the company needed to disburse funds while they were gone.

2. To avoid detection, the perpetrator must conceal the crime. Perpetrators must keep the accounting equation in balance by inflating other assets or decreasing liabilities or equity. Concealment often takes more effort and time and leaves behind more evidence than the theft or misrepresentation. Taking cash requires only a few seconds; altering records to hide the theft is more challenging and time-consuming. To conceal the theft, Miller retrieved the canceled check from the bank reconciliation and destroyed it. The amount stolen was then charged to an expense account of one of the units to balance the company's books. Miller was able to work himself into a position of trust and influence. Because he occupied this position his actions were not questioned and he was able to subvert some of the internal controls intended to prevent the type of actions he was able to take.

3. The perpetrator must convert the stolen asset into some form usable by the perpetrator if the theft is of an asset other than cash. For example, stolen inventory and equipment must be sold or otherwise converted into cash. In financial statement fraud, the conversion is more indirect, such as in undeserved pay raises, promotions, more stock options, etc.
Miller was able to convert the check to cash by writing himself checks and depositing them in his personal account.

3. What pressures motivated Miller to embezzle? How did Miller rationalize his actions?

Motivation. After David Miller had undergone therapy, he believed his problem with compulsive embezzlement was an illness, just like alcoholism or compulsive gambling. He stated that the illness was driven by a subconscious need to be admired and liked by others. He thought that by spending all of that money others would like him. Ironically, he was universally well liked and admired at each job and it had nothing to do with money. In fact, one associate at Associated was so surprised at the news of the thefts that he said that it was like finding out that your brother was an ax murderer. Miller also claimed that he is not a bad person, that he never intended to hurt anyone, but once he got started he just could not stop.

Rationalization. The case does not specify what Miller's rationalizations were. He may, in fact, have had a number of different rationalizations. The case suggests that he "needed it" to pay back the money he stole from previous employers. He was always "just borrowing" the money and intended to pay it back. Miller may have also been convinced that he would never be prosecuted for his crimes. Many of the rationalizations listed in the text are also possibilities.

4. Miller had a framed T-shirt in his office that said, “He who dies with the most toys wins.” What does this tell you about Miller? What lifestyle red flags could have tipped off the company to the possibility of fraud?

Miller's life seemed to be centered on financial gain and the accumulation of material goods or, as the quote says, "toys." Such gain, he felt, would lead to prestige and recognition among his friends in the business community.
The wealth and extravagant spending in relation to Miller's salary was the primary red flag that most companies never questioned. Consider that on his $130,000 a year salary he was able to afford two Mercedes-Benz sedans; a lavish suburban house; a condominium at Myrtle Beach; expensive suits; tailored and monogrammed shirts; diamond, sapphire, ruby, and emerald rings for his wife; and a new car for his father-in-law.

5. Why do companies hesitate to prosecute white-collar criminals?

• Negative publicity. Companies are reluctant to prosecute fraud because of the financial damage that could result from negative publicity. A highly visible fraud is a public relations disaster. The company could lose a lot of business due to the adverse publicity.
• Exposes system weaknesses. Reporting and prosecuting fraud may reveal vulnerabilities in a company's system. This could attract even more acts of fraud.
• Concern for the perpetrator's family. If an employee is willing to make retribution, companies may not press charges to protect the employee’s family and reputation.
• Society is more concerned with "real" crime. Political considerations motivate enforcement officials to focus their resources on more violent and visible crimes such as rape, murder, and robbery. Some people see fraud as an internal problem and not as a serious crime that demands prosecution.
• Unclear definition of computer fraud. One reason computer fraud is not prosecuted more is that the definition of computer fraud is so vague. As a result, no one really knows how much it really costs and there isn't as much motivation to go after computer fraud cases.
• Prosecution difficulties. It is difficult, costly, and time consuming to investigate fraud. It is even harder to prove. As a result, it can be hard to prosecute fraud cases successfully and get convictions.
• Lack of expertise. Many law enforcement officers, lawyers, and judges lack the skills necessary to investigate, prosecute and evaluate fraud, especially computer fraud.
• Light sentences. When fraud cases are prosecuted and a conviction is obtained, the sentences received are sometimes very light. This discourages prosecution.

What are the consequences of not prosecuting?

When fraud is not prosecuted, it sends a message to employees and to the public that enforcing laws is not important to the company. A reputation for being "soft" on fraud may result in the companies becoming increasingly vulnerable to additional fraud.

Failure to report and prosecute a fraud also means that the perpetrator goes free and can repeat his or her actions at another company, as David Miller did. If the perpetrator does not have to pay the consequences of his actions, she is more likely to repeat them because she "got away with it" and was not punished.

How could law enforcement officials encourage more prosecution?

To encourage more fraud prosecution, law enforcement officials must take actions to solve each of the problems mentioned above. In addition, they must encourage more effective reporting of such crimes. The public should be educated to recognize and report fraud as a serious offense.

6. What could the victimized companies have done to prevent Miller’s embezzlement?

Not much is said in the case about how Miller committed many of the frauds. In each of the frauds, it is likely that the theft of cash could have been prevented by tighter controls over access to cash and blank checks and to the means of writing and signing checks. Some could have been prevented or at least detected by better control over monthly bank statements and their reconciliation.

In retrospect, Miller was given too much trust and authority and that led to a breakdown of internal controls. However, companies have to trust their top level employees, such as the CFO.
Even though this trust is necessary, a greater separation of duties and more supervision of Miller's work would have made it more difficult for him to perpetrate the frauds.

In all but the first fraud, a more thorough background check of Miller may have revealed his past fraudulent activities and the company could have avoided the problems that arose after he was hired.

5.2

1. Figure 5-4 shows the employees and external parties that deal with Heirloom. Explain how Heirloom could defraud the bank and how each internal and external party except the bank could defraud Heirloom.
2. What risk factor, unusual item, or abnormality would alert you to each fraud?
3. What control weaknesses make each fraud possible?
4. Recommend one or more controls to prevent or detect each means of committing fraud.

There are many ways to perpetrate fraud. Some of the more easily recognizable ways are the following. Each way to commit fraud (question 1) is listed with the indication that something is wrong (question 2), the weaknesses allowing the fraud (question 3), and the controls to minimize the fraud (question 4).

Receivables employees could:

1. Steal cash receipts by lapping. Payments are made by sending in a coupon and a $25 payment. Any of the three receivables employees could pocket the payment, save the coupon, put a subsequent payment with the “saved” coupon, and run the payment through the system.
Indication something is wrong: Lag between customer payments and the posting of the payments. If the appropriate controls are in place, customers listed on the pre-listing of cash would not match the names on the bank deposit or those credited for payment on the same day.
Weaknesses allowing fraud: No separation of duties between cash receipts, posting receivables, and preparing bank deposit. No independent checks on performance.
Controls to minimize fraud: Separate custody of cash (opening cash receipts) from recording (posting payments to receivables records). Have 2 people open all cash receipts and prepare a pre-listing of cash receipts. Compare customer names on the pre-listing to customer names on the receivables posting and the bank deposits.

2. Steal cash receipts and allow accounts to be written off. It is difficult to collect from some customers because they only have a PO Box address and do not have a phone. Receivables employees could steal cash receipts from these customers each month and allow the accounts to be written off.
Indication something is wrong: Increase in the number of accounts written off. If the perpetrator did not get greedy, this might not be easily detected since 35-40% of accounts are defaulted on already. Even a slow steady increase in the number of defaulting-due-to-fraud customers might not be easily detected.
Weaknesses allowing fraud: No monthly statements. No work or family secondary addresses and phone numbers.
Controls to minimize fraud: Send monthly statements. Bank financing, credit card payments, or automatic withdrawals from checking or savings accounts. Involve sales agent in tracking down customers that cannot be reached before writing them off.

Sales agents could:

3. Falsify sales to reach an incentive level. Agents can book fictitious contracts, pay with a money order, send correspondence to a PO Box they control, and let the contract default with no more payments. An agent selling 81 contracts can break even by falsifying 20 sales. ($250 down $125 commission = $2500 cost. $2500 bonus / $125 cost = 20 contracts) An agent selling 151 contracts can break even on 50 sales.

4. Defer year-end sales. Sales that will not qualify for a new incentive level could be held and put in next year’s sales.

Indication something is wrong (frauds 3 and 4): Customer complaints. Abnormally large number of sales just before year end, combined with agent barely reaching an incentive level. Increase in the number of accounts written off, especially for agents barely reaching an incentive level.
Weaknesses allowing fraud (frauds 3 and 4): Few and steep incentive levels that motivate unwanted behavior. Inability to effectively follow-up on collections (addresses and phone numbers). See #2. Customer credit not checked. Address and phone numbers not verified.
Controls to minimize fraud (frauds 3 and 4): Base sales incentives on customer collections, not on original sales. Analysis of December sales for sales agents who barely reach an incentive level, especially on last day or two of the year. Analysis of default rates per sales agent for those who barely reach an incentive level, especially on last day or two of the year. Check customer credit, addresses, and phone numbers. More graduated incentives that do not provide such strong incentives.

Sales agents could:

5. Steal part of a customer’s payment. An agent could send in $250 of a $900 sale and pocket the difference. The agent could then make payments for a while and let the contract lapse. Not a big risk as virtually all customers choose financing.
Indication something is wrong: Customer complaints. Decrease in the number of customers paying the $900, which will be hard to detect since so few use that option. Do most customers finance because agents are already doing this?
Weaknesses allowing fraud: Photographers don’t verify if customers are current before a sitting, so $250 is as good as $900. Customers don’t sign or initial photography plan order forms.
Controls to minimize fraud: Require photographers to verify that customers are current before each sitting. Require customers to sign photography plan order forms and initial the amount paid and financing arrangements.

6. Management can bleed the company or engage in non-arms-length transactions with owners. Both owners are paying their spouses exorbitant salaries and have extravagant expense accounts and perks. Buildings, equipment, and furnishings could be purchased from/by the owners at inflated or deflated prices. This is not fraud, as long as what occurs is reported properly for tax purposes and financial statements given to the bank properly disclose any needed items. It is fraud if one owner authorizes payments, perks, or non-arms-length transactions to himself or his family that the other partner is not aware of.
Indication something is wrong: Company perpetually short of cash. Expense accounts and perks unusually high. Inflated salary expenses. Abnormally high prices for the assets purchased.
Weaknesses allowing fraud: No apparent controls to prevent one owner from defrauding the other owner.
Controls to minimize fraud: An external, independent audit. Full disclosure of all payments, perks, or non-arms-length transactions to a qualified tax preparer to ensure full compliance with applicable tax laws. Require all payments, perks, or non-arms-length transactions to an owner to be approved by the other owner.

7. Customers can use photo coupons without completing their payments. There are no controls to prevent customers who have stopped paying on their note from taking their coupon to their photographer for a sitting and getting their picture taken.
Indication something is wrong: Increase in the number of sittings per current customer. Coupons submitted for customers that have been written off. Photographer complaints.
Weaknesses allowing fraud: Photographers are not required to verify if customers are current before a sitting. Customer given all their coupons at initial purchase.
Controls to minimize fraud: Set up automatic withdrawals from checking accounts or automatic charges to credit cards. Require photographers to verify that customers are current before each sitting. Keep a list of customer payments; do not pay for customers that are no longer current.

8. Photographers could send in unused coupons or fake coupons. Photographers have exclusive rights to customers in their specified areas. They could encourage customers to leave the coupons at the photo studio so they are not lost or misplaced. If a customer did not come in during the 6-month period, the photographer could submit his unused coupon. Photographers could send in coupons for non-current customers as they are not required to verify if customers are current before a sitting. Nor does the company verify that submitted coupons are for a current customer. If the coupon book is not left for safekeeping, the photographer could scan a coupon, change the name to a customer who did not use their coupon, print it, and send it in.
Indication something is wrong: Abnormally high rate of customers using their coupons. Coupons that do not look authentic. Customer complaints.
Weaknesses allowing fraud: Customers not signing coupons or otherwise verifying they had a sitting. Photographers given an exclusive area.
Controls to minimize fraud: Do credit checks on all potential customers. Pre-number coupons. Have a code on the coupon that the photographer has to call in to the company (or enter on a website) before authorization is granted to take the photo. For each photographer, analyze what percent of customers use their coupons looking for abnormally high usage rates. Require photographers to verify that customers are current before each sitting. Do not pay for customers that are no longer current.

9. Heirloom can defraud the bank by misstating the maximum amount Heirloom can borrow. Notes payable are in the borrowing base until they are 60 days overdue. To maximize that base, Heirloom could lap customer payments. They could take a monthly payment on a current account and apply it to an account that is just about to go 60 days overdue. The inflated list could be used to support a higher than justified loan.
Indication something is wrong: Abnormally high number of customers 30-60 days overdue.
Weaknesses allowing fraud: Bank does not verify data from Heirloom.
Controls to minimize fraud: Analysis of the list, such as
• An increase in the number or percentage of accounts on the list submitted to the bank with no comparable increase in sales.
• Comparison of monthly lists to see if the same names appear month after month.

10. Heirloom can defraud the bank by misstating its financial statements in many ways. For example:
- Understating its allowance and bad debt expense (not writing off uncollectible receivables and lowballing the bad debt expense).
- Creating fictitious sales and notes receivables.
- Intentionally under or over stating the sales commission estimates.
Indication something is wrong: Unusual decrease in the allowance or bad debt amounts. Sales increase without a comparable increase in receivables; inventory; cost of goods sold; and applicable expenses such as photographer and album expenses, embossing and shipping, and commissions. Sales commissions out of line with those of the industry or past years.
Weaknesses allowing fraud: There is no mention of an external audit by independent CPAs.
Controls to minimize fraud: An external, independent audit. Financial statement analysis, such as
• Analysis of bad debt to sales and allowance to sales ratios to see if they are below those of past years and those of comparable customers in the same industry.
• Analysis of sales ratios, comparing sales to receivables; inventory; gross margin, cost of goods sold; and applicable expenses such as album and photographer expenses, embossing and shipping, and commissions.

CHAPTER 6
COMPUTER FRAUD AND ABUSE TECHNIQUES

SUGGESTED ANSWERS TO DISCUSSION QUESTIONS

6.1 When U.S. Leasing (USL) computers began acting sluggishly, computer operators were relieved when a software troubleshooter from IBM called. When he offered to correct the problem they were having, he was given a log-on ID and password. The next morning, the computers were worse. A call to IBM confirmed USL’s suspicion: Someone had impersonated an IBM repairman to gain unauthorized access to the system and destroy the database. USL was also concerned that the intruder had devised a program that would let him get back into the system even after all the passwords were changed.

What techniques might the impostor have employed to breach USL’s internal security?

The perpetrator may have been an external hacker or he may have been an employee with knowledge of the system. It seems likely that the perpetrator was responsible for the sluggishness, as he called soon after it started.

To cause the sluggishness, the perpetrator may have:
• Infected the system with a virus or worm.
• Hacked into the system and hijacked the system, or a large part of its processing capability.
To break into the system, the perpetrator may have:
• Used pretexting, which is creating and using an invented scenario (the pretext) to increase the likelihood that a victim will divulge information or do something they would not normally do. In this case, the perpetrator pretended to be an IBM software troubleshooter to get a log-on ID and password.
• Used masquerading or impersonation, which is pretending to be an authorized user to access a system. This was possible in this case once the perpetrator obtained the log-on ID and password. Once inside the system, the perpetrator has all the privileges attached to the user ID and password given to him.
• Infected it with a Trojan horse, trap door, logic or time bomb, or some other malware.
• Made unauthorized use of superzap, a software utility that bypasses regular system controls.

What could USL do to avoid these types of incidents in the future?

• Determine how the perpetrator caused the sluggishness and implement the controls needed to prevent it from happening again.
• Conduct a complete security review to identify and rectify any security weaknesses.
• Only reveal passwords and logon numbers to authorized users whose identities have been confirmed. When someone calls and indicates they are an IBM employee, verify their identity by calling IBM back on their known and published service number. Even better would be to call and talk to the IBM representative assigned to USL.
• Provide employee training aimed at helping them not fall victim to the many forms of social engineering.
• After providing outsiders with temporary user IDs and passwords, block their use as soon as the need for them is passed.

Other control considerations that could reduce the incidence of unauthorized access include:
• Improved control of sensitive data.
• Alternate repair procedures.
• Increased monitoring of system activities.
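
Two of the controls above, blocking temporary IDs once the need has passed and monitoring system activity, can be checked together against account records and an audit log. The following Python sketch is an added example, not part of the original solution manual; the account fields, event format, action names and all sample records are constructed assumptions.

```python
from datetime import datetime

# Constructed sample data: the field names are assumptions, not a real system's schema.
ACCOUNTS = [
    {"user": "jsmith", "temporary": False, "enabled": True, "expires": None},
    {"user": "vendor_tmp1", "temporary": True, "enabled": True,
     "expires": datetime(2024, 3, 4, 18, 0)},
    {"user": "vendor_tmp2", "temporary": True, "enabled": False,
     "expires": datetime(2024, 3, 1, 18, 0)},
]

# Constructed audit events: (timestamp, acting user, action, target)
EVENTS = [
    (datetime(2024, 3, 4, 10, 5), "vendor_tmp1", "login", "db-server"),
    (datetime(2024, 3, 4, 10, 40), "vendor_tmp1", "create_account", "svc_backup2"),
    (datetime(2024, 3, 4, 11, 2), "jsmith", "create_account", "new_hire"),
    (datetime(2024, 3, 5, 2, 15), "vendor_tmp1", "login", "db-server"),
    (datetime(2024, 3, 5, 2, 20), "vendor_tmp1", "schedule_job", "nightly.sh"),
]

# Changes that could leave a way back in after passwords are changed
# (hypothetical action names for this example).
PERSISTENCE_ACTIONS = {"create_account", "schedule_job", "grant_privilege"}


def stale_temp_accounts(accounts, now):
    """Temporary accounts that are still enabled after their expiry time."""
    return sorted(
        a["user"] for a in accounts
        if a["temporary"] and a["enabled"]
        and a["expires"] is not None and a["expires"] < now
    )


def review_temp_activity(accounts, events):
    """Flag events by temporary accounts that need follow-up.

    Returns (timestamp, user, action, target, reasons) tuples in time order.
    """
    temp = {a["user"]: a for a in accounts if a["temporary"]}
    findings = []
    for ts, user, action, target in sorted(events):
        acct = temp.get(user)
        if acct is None:
            continue  # regular employees are out of scope for this check
        reasons = []
        if acct["expires"] is not None and ts > acct["expires"]:
            reasons.append("activity after expiry")
        if action in PERSISTENCE_ACTIONS:
            reasons.append("persistence-type change")
        if reasons:
            findings.append((ts, user, action, target, reasons))
    return findings


def objects_to_review(findings):
    """Accounts or jobs a temporary user created; each needs review or removal."""
    return [target for _, _, action, target, _ in findings
            if action in PERSISTENCE_ACTIONS]


if __name__ == "__main__":
    now = datetime(2024, 3, 6, 9, 0)
    print("Still enabled past expiry:", stale_temp_accounts(ACCOUNTS, now))
    for ts, user, action, target, reasons in review_temp_activity(ACCOUNTS, EVENTS):
        print(ts.isoformat(), user, action, target, "; ".join(reasons))
    print("Review or remove:", objects_to_review(review_temp_activity(ACCOUNTS, EVENTS)))
```

The list returned by `objects_to_review` addresses USL's specific worry: anything a temporary ID created survives a password change and has to be examined on its own.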
6.2 What motives do people have for hacking? Why has hacking become so popular in recent years? Do you regard it as a crime? Explain your position.

Hacking is the unauthorized access, modification, or use of an electronic device or some element of a computer system. Hacking represents illegal trespassing and is punishable as a federal crime under the 1986 Computer Fraud and Abuse Act.

Hacking has increased significantly in popularity for several reasons. Perhaps the most important is the increasing use of personal computers and the Internet and the corresponding rise in the number and the skill level of the users. In other words, there are more systems to break into, and there are more people capable of breaking in.

Most hackers are motivated by monetary rewards. Hackers have found many ways to profit handsomely from their hacking activities. Other hackers seek to destroy data, to make unauthorized copies of the data, or to damage the system in some way.

Some hackers are motivated by the challenge of breaking and entering a system and many do so with no intent to do harm. They may feel that hacking is a "right" enjoyed by computer users in a "free information" society. Many of these benign hackers also argue that hacking rarely does any harm to a computer system and is acceptable behavior.

6.3 The UCLA computer lab was filled to capacity when the system slowed and crashed, disrupting the lives of students who could no longer log into the system or access data to prepare for finals. IT initially suspected a cable break or an operating system failure, but diagnostics revealed nothing. After several frustrating hours, a staff member ran a virus detection program and uncovered a virus on the lab’s main server. The virus was eventually traced to the computers of unsuspecting UCLA students. Later that evening, the system was brought back online after infected files were replaced with backup copies.

What conditions made the UCLA system a potential breeding ground for the virus?

• Many computers, providing numerous potential hosts.
• Users are allowed to create and store programs.
• Users share programs regularly.
• Numerous external data storage devices are used each day by students without adequate controls over their contents.
• University students send lots of emails and download lots of software, music, and videos from the Internet, all of which are excellent ways to pass viruses to others.

What symptoms indicated that a virus was present?

• Destroyed or altered data and programs.
• The inability to boot the system or to access data on a hard drive.
• Clogged communications.
• Hindered system performance.

However, the system did not print disruptive images or messages on the screen. Some people who write viruses cause some sort of message or image to appear to give some indication that the system has been compromised.

SUGGESTED ANSWERS TO THE PROBLEMS

6.1 A few years ago, news began circulating about a computer virus named Michelangelo that was set to “ignite” on March 6, the birthday of the famous Italian artist. The virus attached itself to the computer’s operating system boot sector. On the magical date, the virus would release itself, destroying all of the computer’s data. When March 6 arrived, the virus did minimal damage. Preventive techniques limited the damage to isolated personal and business computers. Though the excitement surrounding the virus was largely illusory, Michelangelo helped the computer-using public realize its systems’ vulnerability to outside attack.

a. What is a computer virus? Cite at least three reasons why no system is completely safe from a computer virus.

A computer virus is a segment of executable code that attaches itself to an application program or some other executable component.
When the hidden program is triggered, it makes unauthorized alterations in the way a system operates. There are a number of reasons why no one is completely safe from a virus:

• Viruses are contagious and are easily spread from one system to another. A virus spreads when users share programs or data files, download data from the Internet, or when they access and use programs from external sources such as suppliers of free software.
• Viruses can spread very quickly. In a network environment, a virus can spread to thousands of systems in a relatively short period. When the virus is confined to a single machine or to a small network, it will soon run out of computers to infect.
• Many viruses lie dormant for extended periods without doing any specific damage except propagating itself. The hidden program leaves no external signs of infection while it is reproducing itself.
• Many computer viruses have long lives because they can create copies of themselves faster than the virus can be destroyed.

b. Why do viruses represent a serious threat to information systems? What damage can a virus do to a computer system?

Viruses are a significant threat to information systems because they make unauthorized alterations to the way a system operates and cause widespread damage by destroying or altering data or programs. If adequate backup is not maintained, viral damage may also mean permanent loss of important or unique information, or time-consuming reentry of the lost information.

A virus can cause significant damage when it takes control of the computer, destroys the hard disk's file allocation table, and makes it impossible to boot (start) the system or to access data on a hard drive. They can also intercept and change transmissions, print disruptive images or messages on the screen, or cause the screen image to disappear. As the virus spreads, it takes up space, clogs communications, and hinders system performance.

c. How does a virus resemble a Trojan horse?

A virus is like a Trojan horse in that it can lie dormant for extended periods, undetected until triggered by an event or condition.

d. What steps can be taken to prevent the spread of a computer virus?

Focus 6-1 lists the following steps individuals can take to keep their computers virus free:

• Install reputable and reliable antivirus software that scans for, identifies, and destroys viruses. Only use one antivirus program, as multiple programs conflict with each other.
• Do not fall for ads touting free anti-virus software, as much of it is fake and contains malware. Some hackers create websites stuffed with content about breaking news so that the site appears on the first page of search results. Anyone clicking on the link is confronted with a pop-up with a link to fake anti-virus software.
• Do not fall for pop-up notices that warn of horrible threats and offer a free scan of your computer. Although no scan actually takes place, the program reports dozens of dangerous infections and tells you to purchase and download their fake antivirus program to clean it up.
• Make sure that the latest versions of the antivirus programs are used. National City Bank in Cleveland, Ohio, installed some new laptops. The manufacturer and the bank checked the laptops for viruses but did not use the latest antivirus software. A virus spread from the laptop hard drives to 300 network servers and 12,000 workstations. It took the bank over two days to eradicate the virus from all bank systems.
• Scan all incoming e-mail for viruses at the server level as well as when it hits users’ desktops.
• Do not download anything from an email that uses noticeably bad English, such as terrible grammar and misspelled words. Real companies hire people to produce quality writing. Many viruses come from overseas. English is obviously not their first language.
• All software should be certified as virus-free before loading it into the system.
Be wary of software from unknown sources, as they may be virus bait—especially if their prices or functionality sound too good to be true. • Deal with trusted software retailers. • Some software suppliers use electronic techniques to make tampering evident. Ask if the software you are purchasing has such protection. Accounting Information Systems • Check new software on an isolated machine with virus detection software. Software direct from the publisher has been known to have viruses. • Have two backups of all files. Data files should be backed up separately from programs to avoid contaminating backup data. • If you use flash drives, diskettes, or CDs, do not put them in strange machines as they may become infected. Do not let others use those storage devices on your machine. Scan all new files with antiviral software before any data or programs are copied to your machine. 6-7 Ch. 6: Computer Fraud and Abuse Techniques 6.2 The controller of a small business received the following e-mail with an authenticlooking e-mail address and logo: From: To: Subject: Big Bank [antifraud@bigbank.com] Justin Lewis, Controller, Small Business USA Official Notice for all users of Big Bank! Due to the increased incidence of fraud and identity theft, we are asking all bank customers to verify their account information on the following Web page: www.antifraudbigbank.com Please confirm your account information as soon as possible. Failure to confirm your account information will require us to suspend your account until confirmation is made. A week later, the following e-mail was delivered to the controller: From: To: Subject: Big Bank [antifraud@bigbank.com] Justin Lewis, Controller, Small Business USA Official Notice for all users of Big Bank! Dear Client of Big Bank, Technical services at Big Bank is currently updating our software. Therefore, we kindly ask that you access the website shown below to confirm your data. Otherwise, your access to the system may be blocked. 
web.da-us.bigbank.com/signin/scripts/login2/user_setup.jsp

We are grateful for your cooperation.

a. What should Justin do about these e-mails?
This is an attempt to acquire confidential information so that it can be used for illicit purposes such as identity theft. Since the email looks authentic and appears authoritative, unsuspecting and naïve employees are likely to follow the email's instructions. Justin should:
• Notify all employees and management that the email is fraudulent and that no information should be entered on the indicated website.
• Delete the email without responding to its sender.
• Launch an education program for all employees and management about computer fraud practices that could target their business.
• Notify Big Bank regarding the email.

b. What should Big Bank do about these e-mails?
• Immediately alert all customers about the email and ask them to forward any suspicious email to the bank security team. But this needs to be done via the bank’s web site, not by an email message. Banks should consistently avoid using email in ways similar to this type of attack.
• Establish a quick and convenient method that encourages customers and employees to notify Big Bank of suspicious emails.
• The warnings received by customers and employees should be investigated and remedial actions should be taken.
• Notify and cooperate with law enforcement agencies so the perpetrator can be apprehended.
• Notify the ISP from which the email originated, demanding that the perpetrator’s account be discontinued.

c. Identify the computer fraud and abuse technique illustrated.
This computer fraud and abuse technique is called phishing. Its purpose is to get the information needed to commit identity theft. The perpetrator probably also used brand spoofing of Big Bank’s web site.

6.3 A purchasing department received the following e-mail.

Dear Accounts Payable Clerk,

You can purchase everything you need online—including peace of mind—when you shop using Random Account Numbers (RAN). RAN is a free service for Big Credit Card customers that substitutes a random credit card number in place of your normal credit card number when you make online purchases and payments. This random number provides you with additional security. Before every online purchase, simply get a new number from RAN to use at each new vendor. Sign up for an account at www.bigcreditcard.com. Also, take advantage of the following features:
• Automatic Form automatically completes a vendor’s order form with the RAN, its expiration date, and your shipping and billing addresses.
• Set the spending limit and expiration date for each new RAN.
• Use RAN once or use it for recurring payments for up to one year.

Explain which computer fraud and abuse techniques could be prevented using a random account number that links to your corporate credit card.

Banks actually offer a service like this. For example, Citi Bank offers a program called Virtual Account Numbers. Students will likely present many different solutions to this problem. Table 6-1 in the text provides a comprehensive list of computer fraud and abuse techniques that the students may draw upon. Potential solutions should at least include:
• identity theft
• packet sniffing
• Spyware
• eavesdropping to capture the card number.

Using RAN can limit the amount of money stolen. If the card or card number is stolen, it can only be used for the specific vendor and time for which it is issued. In addition, it can only be used for one purchase or only a set number of purchases identified when the card number was issued. At any rate, restricting the card to only a specific merchant and for a specific time and number of transactions severely restricts the thief's ability to steal.

Using RAN can help prevent identity fraud.
Since the card is only linked to the actual customer at the bank, the identity of the customer is shielded from anyone who steals the card or the card number. The thief would need to hack into the bank’s system to find the identity of the RAN cardholder since it would not be printed on the card itself.

Also, RAN can frustrate those who capture card numbers through packet sniffing, spyware, and eavesdropping. These techniques may capture the card number, but once the thieves have it, their ability to exploit the card for monetary gain is severely restricted.

PERHAPS MORE IMPORTANT: even though banks offer these types of services, this email may be a clever phishing expedition and a recipient should not respond to the email or click on the indicated link. This prevents the recipient from being the victim of an attack or malware. If a person was interested in the service, he should contact his bank and ask about it. Alternatively, he could research the service and call those who offer it.

6.4 Match the Internet-related computer fraud and abuse technique in the left column with the scenario in the right column. Terms may be used once, more than once, or not at all.

1. Adware: i. Software that collects consumer surfing and purchasing data.
2. Botnet: o. A network of hijacked computers.
3. Bot herder: r. Hackers that control hijacked computers.
4. Click fraud: u. Inflating advertising revenue by clicking online ads numerous times.
5. DoS: t. Overloading an Internet service provider’s e-mail server by sending hundreds of e-mail messages per second from randomly generated false addresses.
6. E-mail threats: c. Sending an e-mail instructing the recipient to do something or they will suffer adverse consequences.
7. Hijacking: l. Gaining control of a computer to carry out unauthorized illicit activities.
8. Internet misinformation: s. Circulating lies or misleading information using the world’s largest network.
9. Internet terrorism: m. Using the Internet to disrupt communications and e-commerce.
10. Key logger: q. Use of spyware to record a user’s keystrokes.
11. Pharming: n. Diverting traffic from a legitimate Web site to a hacker’s Web site to gain access to personal and confidential information.
12. Phishing: j. E-mails that look like they came from a legitimate source but are actually from a hacker who is trying to get the user to divulge personal information.
13. Spamming: e. E-mailing an unsolicited message to many people at the same time.
14. Splog: h. A spam blog that promotes affiliated Web sites to increase their Google PageRank.
15. Spyware: a. Software that monitors and reports a user’s computing habits.
16. Spoofing: k. Making an e-mail look like it came from someone else.
17. Typosquatting: f. Creating Web sites with names similar to real Web sites so users making errors while entering a Web site name are sent to a hacker’s site.

6.5 Match the data communications-related computer fraud and abuse technique in the left column with the scenario in the right column. Terms may be used once, more than once, or not at all.

1. Bluebugging: i. Making phone calls and sending text messages using another user’s phone without physically holding that phone.
2. Bluesnarfing: k. Capturing data from devices that use Bluetooth technology.
3. Eavesdropping: f. Intercepting and/or listening in on private voice and data transmissions.
4. Evil twin: m. A rogue wireless access point masquerading as a legitimate access point.
5. Packet sniffing: a. Intercepting Internet and other network transmissions.
6. Phreaking: j. Using telephone lines to transmit viruses and to access, steal, and destroy data.
7. Piggybacking: d. Gaining access to a protected system by latching on to a legitimate user.
8. Vishing: b. E-mails instructing a user to call a phone number where they are asked to divulge personal information.
9. War dialing: h. Searching for modems on unprotected phone lines in order to access the attached computer and gain access to the network(s) to which it is attached.
10. War driving: c. Searching for unprotected wireless networks in a vehicle.

6.6 Match the data-related computer fraud and abuse technique in the left column with the scenario in the right column. Terms may be used once, more than once, or not at all.

1. Chipping: e. Inserting a chip that captures financial data in a legitimate credit card reader.
2. Data diddling: i. Altering data during the IPO (Input-Process-Output) cycle.
3. Data leakage: f. Copying company data, such as computer files, without permission.
4. Identity theft: a. Illegally obtaining confidential information, such as a Social Security number, about another person so that it can be used for financial gain.
5. Round-down: j. Placing truncated decimal places in an account controlled by the perpetrator.
6. Salami technique: d. Embezzling small fractions of funds over time.
7. Scavenging: b. Searching through garbage for confidential data.

6.7 Match the data security computer fraud and abuse technique in the left column with the scenario in the right column. Terms may be used once, more than once, or not at all.

1. Dictionary attack: j. Using software to guess company addresses, send them blank e-mails, and add unreturned messages to spammer e-mail lists.
2. Hacking: w. Gaining access to a computer system without permission.
3. Logic bomb: s. Software that sits idle until a specified circumstance or time triggers it.
4. Malware: l. Software used to do harm.
5. Masquerading: n. Pretending to be a legitimate user, thereby gaining access to a system and all the rights and privileges of the legitimate user.
6. Password cracking: c. Capturing and decrypting passwords to gain access to a system.
7. Piggybacking: e. Using a wireless network without permission.
8. Posing: x. Creating a seemingly legitimate business, collecting personal information while making a sale, and never delivering the item sold.
9. Pretexting: u. Acting under false pretenses to gain confidential information.
10. Rootkit: q. Software that conceals processes, files, network connections, and system data from the operating system and other programs.
11. Shoulder surfing: v. Observing or listening to users as they divulge personal information.
12. Skimming: f. Covertly swiping a credit card in a card reader that records the data for later use.
13. Social engineering: r. Methods used to trick someone into divulging personal information.
14. Software piracy: p. Unauthorized copying or distribution of copyrighted software.
15. Steganography: g. Concealing data within a large MP3 file.
16. Superzapping: a. Special software used to bypass system controls.
17. Trap door: i. Entering a system using a back door that bypasses normal system controls.
18. Trojan horse: k. Unauthorized code in an authorized and properly functioning program.
19. Virus: b. A segment of executable code that attaches itself to software.
20. Worm: m. A program that can replicate itself and travel over networks.
21. Zero-day attack: h. Attack between the time a software vulnerability is discovered and a patch to fix the problem is released.

6.8 Match the data security computer fraud and abuse technique in the left column with the scenario in the right column. Terms may be used once, more than once, or not at all.

1. Address Resolution Protocol (ARP): m. Fake computer networking protocol messages sent to an Ethernet LAN to determine a network host's hardware address when only its IP address is known.
2. Buffer overflow attack: j. So much input data that storage is exceeded; excess input contains code that takes control of the computer.
3. Carding: x. Verifying credit card validity.
4. Caller ID spoofing: r. Displaying an incorrect phone number to hide the caller’s identity.
5. Cyber extortion: u. A demand for payment to ensure a hacker does not harm a computer.
6. Cyber bullying: q. Using social networking to harass another person.
7. Economic espionage: v. Theft of trade secrets and intellectual property.
8. E-mail spoofing: k. Making an electronic communication appear as though it originated from a different source.
9. IP address spoofing: l. Creating packets with a forged address to impersonate another computing system.
10. Internet auction fraud: w. Using a site that sells to the highest bidder to defraud another person.
11. Internet pump-and-dump fraud: g. Using the Internet to inflate a stock price so it can be sold for a profit.
12. Lebanese looping: a. Inserting a sleeve to trap a card in an ATM, pretending to help the owner to obtain a PIN, and using the card and PIN to drain the account.
13. Man-in-the-middle (MITM) attack: t. A hacker placing himself between a client and a host to intercept network traffic.
14. Podslurping: c. Using a small storage device to download unauthorized data from a computer.
15. Ransomware: s. Software that encrypts programs and data until a payment is made to remove it.
16. Scareware: e. Malicious software that people are frightened into buying.
17. Sexting: h. Exchanging explicit messages and pictures by telephone.
18. SQL Injection: i. Inserting a malicious database query in input in a way that it can be executed by an application program.
19. SMS spoofing: n. Changing the name or number a text message appears to come from.
20. XSS attack: p. A link containing malicious code that takes a victim to a vulnerable Web site. Once there, the victim’s browser executes the malicious code embedded in the link.
21. Tabnapping: y. Secretly changing an already open browser tab.

6.9 Identify the computer fraud and abuse technique used in each of the following actual examples of computer wrongdoing.
Each of these real-world scenarios was taken from news accounts of computer fraud and abuse. There may be other valid answers, but the answers shown below are what the news accounts and experts investigating the case said were used to perpetrate the fraud.

a. A teenage gang known as the “414s” broke into the Los Alamos National Laboratory, Sloan-Kettering Cancer Center, and Security Pacific Bank. One gang member appeared in Newsweek with the caption “Beware: Hackers at play.”
Answer: Hacking

b. Daniel Baas was the systems administrator for a company that did business with Acxiom, who manages customer information for companies. Baas exceeded his authorized access and downloaded a file with 300 encrypted passwords, decrypted the password file, and downloaded Acxiom customer files containing personal information. The intrusion cost Acxiom over $5.8 million.
Answer: Password cracking

c. Cyber-attacks left high-profile sites such as Amazon.com, eBay, Buy.com, and CNN Interactive staggering under the weight of tens of thousands of bogus messages that tied up the retail sites’ computers and slowed the news site’s operations for hours.
Answer: Denial of service attack

d. Susan Gilmour-Latham got a call asking why she was sending the caller multiple adult text messages per day. Her account records proved the calls were not coming from her phone. Neither she nor her mobile company could explain how the messages were sent. After finding no way to block the unsavory messages, she changed her mobile number to avoid further embarrassment by association.
Answer: SMS spoofing

e. A federal grand jury in Fort Lauderdale claimed that four executives of a rental-car franchise modified a computer-billing program to add five gallons to the actual gas tank capacity of their vehicles. Over three years, 47,000 customers who returned a car without topping it off ended up paying an extra $2 to $15 for gasoline.
Answer: Salami technique

f. A mail-order company programmer truncated odd cents in sales-commission accounts and placed them in the last record in the commission file. Accounts were processed alphabetically, and he created a dummy sales-commission account using the name of Zwana. Three years later, the holders of the first and last sales-commission accounts were honored. Zwana was unmasked and his creator fired.
Answer: Round-down fraud

g. MicroPatent, an intellectual property firm, was notified that their proprietary information would be broadcast on the Internet if they did not pay a $17 million fee. The hacker was caught by the FBI before any damage was done.
Answer: Cyber-extortion

h. When Estonia removed a Russian World War II war memorial, Estonian government and bank networks were knocked offline in a distributed DoS attack by Russian hackers. A counterfeit letter of apology for removing the memorial statue was placed on the Web site of Estonia’s prime minister.
Answer: Denial-of-service attack used to perpetrate cyberterrorism

i. eBay customers were notified by e-mail that their accounts had been compromised and were being restricted unless they re-registered using an accompanying hyperlink to a Web page that had eBay’s logo, home page design, and internal links. The form had a place for them to enter their credit card data, ATM PINs, Social Security number, date of birth, and their mother’s maiden name. Unfortunately, eBay hadn’t sent the e-mail.
Answer: Phishing

j. A teenager hijacked the eBay.de domain name and several months later the domain name for a large New York ISP. Both hijacked Web sites pointed to a site in Australia.
Answer: Pharming

k. Travelers who logged into the Alpharetta, Georgia, airport’s Internet service had personal information stolen and picked up as many as 45 viruses. A hacker had set up a rogue wireless network with the same name as the airport’s wireless access network.
Answer: Evil twin

l. Criminals in Russia used a vulnerability in Microsoft’s server software to add a few lines of Java code to users’ copies of Internet Explorer. The code recorded the users’ keyboard activities, giving the criminals access to usernames and passwords at many banking Web sites. The attacks caused $420 million in damage.
Answer: Key logging

m. America Online subscribers received a message offering free software. Users who opened the attachments unknowingly unleashed a program hidden inside another program that secretly copied the subscriber’s account name and password and forwarded them to the sender.
Answer: Trojan horse

n. Rajendrasinh Makwana, an Indian citizen and IT contractor who worked at Fannie Mae’s Maryland facility, was terminated at 1:00 P.M. on October 24. Before his network access was revoked, he created a program to wipe out all 4,000 of Fannie Mae’s servers on the following January 31.
Answer: Time/logic bomb

o. A man accessed millions of ChoicePoint files by claiming in writing and on the phone to be someone he was not.
Answer: Pretexting

p. A 31-year-old programmer unleashed a Visual Basic program by deliberately posting an infected document to an alt.sex Usenet newsgroup using a stolen AOL account. The program evaded security software and infected computers using the Windows operating system and Microsoft Word. On March 26, the Melissa program appeared on thousands of e-mail systems disguised as an important message from a colleague or friend. The program sent an infected e-mail to the first 50 e-mail addresses on the users’ Outlook address book. Each infected computer would infect 50 additional computers, which in turn would infect another 50 computers. The program spread rapidly and exponentially, causing considerable damage. Many companies had to disconnect from the Internet or shut down their e-mail gateways because of the vast amount of e-mail the program was generating. The program caused more than $400 million in damages.
Answer: Worm/virus. Although it was called the Melissa virus, it was actually a worm.

q. Microsoft filed a lawsuit against two Texas firms that produced software that sent incessant pop-ups resembling system warnings. The messages stated “CRITICAL ERROR MESSAGE! REGISTRY DAMAGED AND CORRUPTED” and instructed users to visit a Web site to download Registry Cleaner XP at a cost of $39.95.
Answer: Scareware

r. As many as 114,000 Web sites were tricked into running database commands that installed malicious HTML code redirecting victims to a malicious Web server that tried to install software to remotely control the Web visitors’ computers.
Answer: SQL injection attack inserted code that redirected victims to malicious Web servers.

s. Zeus records log-in information when the user of the infected computer logs into a list of target Web sites, mostly banks and other financial institutions. The user’s data is sent to a remote server where it is used and sold by cybercriminals. The new version of Zeus will significantly increase fraud losses, given that 30% of Internet users bank online.
Answer: A Trojan virus inserted a keystroke logger on computers. These computers created a botnet that captured and sent bank data to hackers who sold it.

t. It took Facebook 15 hours to kill a Facebook application that infected millions of PCs with software that displays a constant stream of pop-up ads. The program posted a “Sexiest Video Ever” message on Facebook walls that looked like it came from a friend. Clicking the link led to a Facebook installation screen, where users allowed the software to access their profiles and walls. Once approved, the application told users to download an updated, free version of a popular Windows video player. Instead, it inserted a program that displayed pop-up ads and links. A week later a “Distracting Beach Babes” message did the same thing.
Answer: The program that caused the pop-ups was Hotbar adware.

u. Robert Thousand, Jr. discovered he lost $400,000 from his Ameritrade retirement account shortly after he began receiving a flood of phone calls with a 30-second recording for a sex hotline. An FBI investigation revealed that the perpetrator obtained his Ameritrade account information, called Ameritrade to change his phone number, created several VoIP accounts, and used automated dialing tools to flood the dentist’s phones in case Ameritrade called his real number. The perpetrator requested multiple monetary transfers, but Ameritrade would not process them until they reached Thousand to verify them. When the transfers did not go through, the attacker called Ameritrade, gave information to verify that he was Thousand, claimed he had been having phone troubles, and told Ameritrade he was not happy that the transfers had not gone through. Ameritrade processed the transfers, and Thousand lost $400,000.
Answer:
• Fraudsters used identity theft tactics (such as phishing) to get the victim’s Ameritrade account information.
• Social engineering tactics were used to get Ameritrade to process the transfers.
• A telephone denial of service attack gave the attacker time to drain the victim’s financial accounts.

v. The Internet Crime Complaint Center reports a “hit man” scam. The scammer claims that he has been ordered to assassinate the victim and an associate has been ordered to kill a family member. The only way to prevent the killings is to send $800 so an Islamic expatriate can leave the United States.
Answer: Cyber-extortion. The email threat was sent to extort $800 from the victim and his family.

w. In an economic stimulus scam, individuals receive a phone call from President Obama telling them to go to a Web site to apply for the funds. To receive the stimulus money, victims have to enter personal identification information, complete an online application, and pay a $28 fee.
Answer: This is vishing (phishing done by voice instead of email).
6.10 On a Sunday afternoon at a hospital in the Pacific Northwest, computers became sluggish, and documents would not print. Monday morning, the situation became worse when employees logged on to their computers. Even stranger things happened—operating room doors would not open, pagers would not work, and computers in the intensive care unit shut down. By 10:00 A.M., all 50 IT employees were summoned. They discovered that the hospital was under attack by a botnet that exploited a Microsoft operating system flaw and installed pop-up ads on hospital computers. The attackers got access to the first computer on Sunday and used the hospital’s network to spread the infection to other computers. Each infected computer became a zombie that scanned the network looking for new victims. With the network clogged with zombie traffic, hospital communications began to break down. The IT staff tried to halt the attack by shutting off the hospital’s Internet connection, but it was too late. The bots were inside the hospital’s computer system and infecting other computers faster than they could be cleaned. Monday afternoon IT figured out which malware the bots were installing and wrote a script, which was pushed out hourly, directing computers to remove the bad code. The script helped to slow the bots down a bit.

This case is based on an actual attack. The solution represents the actual events of the attack and the hospital's response.

a. What could the hospital do to stop the attack and contain the damage?
By Monday afternoon, IT figured out which malware the bots were installing and wrote a script, which was pushed out hourly, directing computers to remove the bad code. The script helped to slow the bots down a bit. The problem does not state how the problem was finally fixed. What actually happened is that on Tuesday the hospital's antivirus vendor figured out which malware the hackers had used to get into the network and wrote a virus signature that blocked new code from coming in. Together with the code the internal IT staff wrote, the hospital was able to clean up its computers. All of the infected computers had to have their hard drives wiped clean and their software reinstalled, at an estimated cost of $150,000.

b. Which computer fraud and abuse technique did the hackers use in their attack on the hospital?
The primary attack used was a Zero-day attack that exploited a newly found weakness in Microsoft’s operating system that did not yet have a patch written to correct the weakness. The perpetrators hacked into the hospital's network and used various forms of malware, including adware (pop-up ads) and worms.

c. What steps should the hospital have taken to prevent the damage caused by the attack?
The hospital's network is now protected by Computer Associate's Pest Patrol, which blocks adware and spyware, and Cisco MARS, an intrusion detection system. Northwest's I.T. staffers no longer wait for vendors, particularly Microsoft, to certify software patches before applying fixes—they evaluate and test patches themselves. In the case of the attack, the Windows flaw that the attack slipped through had not yet been patched on the hospital's PCs. Fortunately, the hospital's servers escaped the attack because they had been patched.

Aftermath: The hackers were a 19-year-old California man, Christopher Maxwell, and two juveniles. Based in part on evidence supplied by the hospital, Maxwell pleaded guilty to conspiracy and intentionally causing damage to a protected computer. He was sentenced to 37 months in federal prison and ordered to pay $112,500 in restitution to the hospital.

SUGGESTED ANSWERS TO THE CASES

6.1

1. How did Shadowcrew members conceal their identities?
• Used aliases when working online
• Communicated via proxy servers
• Rented commercial mailboxes under false names

How can average citizens protect their identities while interacting online?
• Use discretion in revealing personal information online. Individuals who use chat rooms, for instance, should avoid identifying themselves with their actual names, birthdays, or other identifying information.
• Do not give out personal information online unless absolutely necessary.

2. How has the Internet made detecting and identifying identity fraudsters difficult?
By using aliases, fraudulent email accounts, and proxy servers, thieves make it difficult to detect and punish deviant behavior.

3. What are some of the most common electronic means of stealing personal information?
• Accessing public and victim-provided data
• Phishing and spoofing
• Pharming
• Posing
• Spyware and keylogging
• Skimming and chipping

4. What is the most common way that fraudsters use personal data?
The most common way that fraudsters use personal data is to commit credit card fraud. This may include abuse of existing accounts or the opening of new, fraudulent accounts. Credit card fraud accounts for 26% of identity fraud cases.

5. What measures can consumers take to protect against the online brokering of their personal data?
• Avoid giving out their personal data – online or otherwise – whenever possible.
• Avoid filling out online surveys or polls that request identifying information.
• Make sure that websites are secure before submitting any personal information.
• If store clerks request information like name, phone number, or address when you are making a purchase, question the necessity of providing such information.

6. What are the most effective means of detecting identity theft?
• Regularly monitoring credit reports
• Checking account statements thoroughly
• Reviewing the annual Social Security Personal Earnings and Benefits Estimate Statement
See Focus 9-1 for more information on detecting identity theft.

7. What pieces of personal information are most valuable to identity fraudsters?
• Name
• Address
• Date of birth
• Social Security number (SSN)
• Driver’s license number
• Mother’s maiden name
• Account numbers
• Card expiration dates
• Internet passwords
• Personal Identification Numbers (PIN)
• User IDs for online account access
• Security numbers from back of credit and debit cards
• Other identifying information

The rest of the story: One of the results of Operation Firewall was the convictions of Andrew Mantovani, Chad Hatten, and James Ancheta.
• Mantovani, a 24-year-old college student and a Shadowcrew co-founder, was sentenced to 32 months in federal prison, a $5,000 fine, and three years of probation.
• Hatten, a 36-year-old, received 90 months in federal prison, 24 months for “aggravated identity theft” and 66 months for access device fraud. Hatten must also endure three years of supervised release.
• James Ancheta, a 21-year-old “bot” creator that seized control of more than 400,000 computers to install revenue-generating adware and sold his bots to other users, was sentenced to 57 months in federal prison for his crimes. Ancheta was ineligible for parole and restricted from touching a computer until three years after his release.

CHAPTER 7 CONTROL AND ACCOUNTING INFORMATION SYSTEMS

SUGGESTED ANSWERS TO DISCUSSION QUESTIONS

7.1 Answer the following questions about the audit of Springer’s Lumber & Supply

a. What deficiencies existed in the internal environment at Springer’s?
The "internal environment" refers to the tone or culture of a company and helps determine how risk conscious employees are. It is the foundation for all other ERM components, providing discipline and structure.
It is essentially the same thing as the control environment in the internal control framework. The internal environment also refers to management's attitude toward internal control, and to how that attitude is reflected in the organization's control policies and procedures.

At Springer's, several deficiencies in the control environment are apparent:

1. Management authority is concentrated in three family members, so there are few, if any, checks and balances on their behavior. In addition, several other relatives and friends of the family are on the payroll.
2. Since the company has a "near monopoly" on the business in the Bozeman area, few competitive constraints restrain prices, wages, and other business practices.
3. Lines of authority and responsibility are loosely defined, which makes it difficult to identify who is responsible for problems or decisions.
4. Management may have engaged in "creative accounting" to make its financial performance look better, which suggests a management philosophy that could encourage unethical behavior among employees.

b. Do you agree with the decision to settle with the Springers rather than to prosecute them for fraud and embezzlement? Why or why not?

Whether or not to settle with the Springers is a matter of opinion, with reasonable arguments on both sides of the issue.

• The reasons for reaching a settlement are clearly stated: the difficulty of obtaining convictions in court, and the possible adverse effects on the company's market position.
• On the other hand, the evidence of fraud here seems strong. If this kind of behavior is not penalized, then the perpetrators may be encouraged to do it again, with future adverse consequences to society.

c. Should the company have told Jason and Maria the results of the high-level audit? Why or why not?

Whether or not Jason and Maria should have been told the results of the high-level audit is also a matter of opinion.
The investigative team is apparently trying to keep its agreement to maintain silence by telling as few people as possible what really happened. On the other hand, Jason and Maria were the ones who first recognized the problems; it seems only right that they be told about the outcome.

Many lessons may be drawn from this story.

1. Auditors should view the condition of an organization's control environment as an important indicator of potential internal control problems.
2. Fraud is more easily perpetrated and concealed when many perpetrators are involved, and especially when management is involved.
3. Purchasing and payroll are two areas that are particularly vulnerable to fraud.
4. Determining whether fraud has actually occurred is sometimes quite difficult, and proving that it has occurred is even more difficult.
5. Frauds do occur, so auditors must always be alert to the possibility of fraud.
6. Auditors should not accept management's explanations for questionable transactions at face value, but should do additional investigative work to corroborate such explanations.

7.2 Effective segregation of duties is sometimes not economically feasible in a small business. What internal control elements do you think can help compensate for this threat?

Small companies can do the following things to compensate for their inability to implement an adequate segregation of duties:

• Effective supervision and independent checks performed by the owner/manager may be the most important element of control in situations where separation of functions cannot be fully achieved. In very small businesses, the owner-manager may find it necessary to supervise quite extensively. For example, the manager could reconcile the bank account, examine invoices, etc.
• Fidelity bonding is a second form of internal control that is critical for persons holding positions of trust that are not entirely controlled by separation of functions.
• Document design and related procedures are also important to internal control in this situation. Documents should be required with customer returns to encourage customer audit.
• Document design should include sequential prenumbering to facilitate subsequent review.
• Where appropriate, employees should be required to sign documents to acknowledge responsibility for transactions or inventories.
• In small organizations, management can use computers to perform some of the control functions that humans perform in manual systems. For example, the computer can:
  − Check all customer numbers to make sure they are valid
  − Automatically generate purchase orders and have a member of management or a designated buyer authorize them.

7.3 One function of the AIS is to provide adequate controls to ensure the safety of organizational assets, including data. However, many people view control procedures as “red tape.” They also believe that, instead of producing tangible benefits, business controls create resentment and loss of company morale. Discuss this position.

Well-designed controls should not be viewed as “red tape” because they can actually improve both efficiency and effectiveness. The benefits of business controls are evident if one considers the losses that frequently occur due to the absence of controls.

Consider a control procedure mandating weekly backup of critical files. Regular performance of this control prevents the need to spend a huge amount of time and money recreating files that are lost when the system crashes, if it is even possible to recreate the files at all. Similarly, control procedures that require workers to design structured spreadsheets can help ensure that the spreadsheet decision aids are auditable and that they are documented well enough so that other workers can use them.
It is probably impossible to eliminate resentment or loss of morale among all employees, but these factors may be minimized if controls are administered fairly and courteously.

Of course, there is a cost-benefit tradeoff in implementing internal controls. If an organization has too many controls, this may justifiably generate resentment and loss of morale among employees. Controls having only marginal economic benefit may be rejected for this reason.

Another factor is the obtrusiveness of the controls. When users see no clear need or purpose for a control, it can appear to be there only to control them and little more than that. When users do not understand their purpose, controls can often provoke resentment.

7.4 In recent years, Supersmurf’s external auditors have given clean opinions on its financial statements and favorable evaluations of its internal control systems. Discuss whether it is necessary for this corporation to take any further action to comply with the Sarbanes–Oxley Act.

The Sarbanes-Oxley Act of 2002 (SOX) applies to publicly held companies and their auditors and was intended to prevent financial statement fraud, make financial reports more transparent, provide protection to investors, strengthen the internal controls at public companies, and punish executives who perpetrate fraud.

SOX has had a material impact on the way boards of directors, management, and accountants of publicly held companies operate. It has also had a dramatic impact on CPAs of publicly held companies and the audits of those companies.

As a result of SOX, Supersmurf’s management and their audit committee must take a more active role in the financial disclosure process. Some of the more prominent roles include:

Audit Committee

• Audit committee members must be on the company’s board of directors and be independent of the company. One member of the audit committee must be a financial expert.
• Audit committees hire, compensate, and oversee any registered public accounting firm that is employed.
• Auditors report to the audit committee and not management.
• Audit committees must pre-approve all audit and non-audit services provided by their auditor.

Management

• The CEO and CFO at companies with more than $1.2 billion in revenue must prepare a statement certifying that their quarterly and annual financial statements and disclosures are fairly presented, were reviewed by management, and are not misleading.
• Management must prepare an annual internal control report that states:
  o Management is responsible for establishing and maintaining an adequate internal control structure
  o Management assessed the company’s internal controls and attests to their accuracy, including notations of significant defects or material noncompliance found during their internal control tests.
  o Auditors were told about all material internal control weaknesses and fraud
  o Significant changes to controls after management’s evaluation were disclosed and corrected
• Management must base its evaluation on a recognized control framework, developed using a due-process procedure that allows for public comment. The report must contain a statement identifying the framework used by management to evaluate internal control effectiveness. The most likely framework is one of those formulated by COSO and discussed in the chapter.
• SOX also specifies that a company’s auditor must attest to as well as report on management’s internal control assessment.

7.5 When you go to a movie theater, you buy a prenumbered ticket from the cashier. This ticket is handed to another person at the entrance to the movie. What kinds of irregularities is the theater trying to prevent? What controls is it using to prevent these irregularities? What remaining risks or exposures can you identify?

There are two reasons for using tickets.

1. The theater is trying to prevent cashiers from stealing cash by providing greater control over cash receipts. You cannot get into the theater without a ticket, so you never give cash to a cashier without insisting on a ticket. That makes it much harder for a cashier to pocket cash.
2. Prenumbered tickets are also used so cashiers cannot give tickets to their friends. The number of tickets sold at the cashier counter can be reconciled with the number of tickets taken by the usher letting patrons into the theater.

Reconciling the cash in the register to the tickets sold and then reconciling the number of tickets sold to the number collected by the ticket-taker helps prevent the theft of cash and giving tickets away to friends.

Despite these controls, the following risks still exist:

• The ticket-taker can let friends into the theater without tickets.
• The ticket-taker may take money from theater patrons, pocketing the cash and letting them enter without a ticket.
• The cashier and the ticket-taker may collude in selling admittances without issuing tickets and then split the proceeds.

7.6 Some restaurants use customer checks with prenumbered sequence codes. Each food server uses these checks to write up customer orders. Food servers are told not to destroy any customer checks; if a mistake is made, they are to void that check and write a new one. All voided checks are to be turned in to the manager daily. How does this policy help the restaurant control cash receipts?

The fact that all documents are prenumbered provides a means for accounting for their use and for detecting unrecorded transactions. Thus, a missing check indicates a meal for which a customer did not pay. Since each server has his or her own set of checks, it is easy to identify which server was responsible for that customer.
This policy may help to deter theft (e.g., serving friends and not requiring them to pay for the meal, or pocketing the customer’s payment and destroying the check) because a reconciliation of all checks will reveal that one or more are missing.

7.7 Compare and contrast the following three frameworks: COBIT, COSO Integrated Control, and ERM.

The COBIT Framework consolidates systems security and control standards into a single framework. This allows management to benchmark security and control practices of IT environments, users to be assured that adequate IT security and control exist, and auditors to substantiate their internal control opinions and to advise on IT security and control matters.

The framework addresses control from three vantage points:

1. Business objectives, to ensure information conforms to and maps into business objectives.
2. IT resources, including people, application systems, technology, facilities, and data.
3. IT processes, including planning and organization, acquisition and implementation, delivery and support, and monitoring and evaluation.

COSO’s Internal Control Framework is widely accepted as the authority on internal controls and is incorporated into policies and regulations that control business activities. However, it examines controls without looking at the purposes and risks of business processes and provides little context for evaluating the results. It makes it hard to know which control systems are most important, whether they adequately deal with risk, and whether important controls are missing. In addition, it does not adequately address Information Technology issues.

It has five components:

1. Control environment, which is the individual attributes (integrity, ethical values, competence, etc.) of the people in the organization and the environment in which they operate.
2. Control activities, which are control policies and procedures that help ensure that the organization addresses risks and effectively achieves its objectives.
3. Risk assessment, which is the process of identifying, analyzing, and managing organizational risk.
4. Information and communication, which is the system that captures and exchanges the information needed to conduct, manage, and control organizational operations.
5. Monitoring company processes and controls, so modifications and changes can be made as conditions warrant.

COSO’s Enterprise Risk Management Framework is a new and improved version of the Integrated Control Framework. It is the process the board of directors and management use to set strategy, identify events that may affect the entity, assess and manage risk, and provide reasonable assurance that the company achieves its objectives and goals.

The basic principles behind ERM are:

• Companies are formed to create value for their owners.
• Management must decide how much uncertainty it will accept as it creates value.
• Uncertainty results in risk and opportunity, which are the possibilities that something negatively or positively affects the company’s ability to create or preserve value.
• The ERM framework can manage uncertainty as well as create and preserve value.

ERM adds three additional elements to COSO’s IC framework:

1. Setting objectives
2. Identifying events that may affect the company
3. Developing a response to assessed risk.

The ERM framework takes a risk-based rather than a controls-based approach. As a result, controls are flexible and relevant because they are linked to current organizational objectives. The ERM model also recognizes that risk, in addition to being controlled, can be accepted, avoided, diversified, shared, or transferred.

Because the ERM model is more comprehensive than the Internal Control framework, it will likely become the more widely adopted of the two models.
7.8 Explain what an event is. Using the Internet as a resource, create a list of some of the many internal and external factors that COSO indicated could influence events and affect a company’s ability to implement its strategy and achieve its objectives.

An event is “an incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of objectives.” An event can have a positive or a negative impact.

By their nature, events represent uncertainty. An event may or may not occur. If it does occur, it is hard to know when it will occur. Until it occurs, it may be difficult to determine its impact on the company. When it occurs, it may trigger another event. Events may occur individually or concurrently.

Therefore, management must anticipate all possible events, whether positive or negative, that might affect the company. It must also determine which events are most and least likely to occur, and it must understand the interrelationship of events.

The following table lists some of the many internal and external factors that COSO indicated could influence events and affect a company’s ability to implement its strategy and achieve its objectives. Lists like these help management identify factors, evaluate their importance, and examine those that can affect objectives. Identifying events at the activity and entity levels allows companies to focus their risk assessment on major business units or functions and helps align the company’s risk tolerance and risk appetite.
COSO’s Nine ERM Event Categories

EVENT CATEGORIES

External Factors

ECONOMIC
• Availability of capital; lower or higher costs of capital
• Rising or declining unemployment rates
• Price movements upward or downward
• Ability to issue credit and possibility of default
• Concentration of competitors, customers, or vendors
• Presence or absence of liquidity
• Movements in the financial markets or currency fluctuations
• Lower barriers to competitive entry, resulting in new competitors
• Mergers or acquisitions
• Potential regulatory, contractual, or criminal legal liability

NATURAL ENVIRONMENT
• Natural disasters such as fires, floods, or earthquakes
• Emissions and waste
• Energy restrictions or shortages
• Restrictions limiting development

POLITICAL
• Election of government officials with new political agendas
• New laws and regulations
• Public policy, including higher or lower taxes
• Regulation affecting the company’s ability to compete

SOCIAL
• Privacy
• Terrorism
• Corporate citizenship
• Human resource issues causing production shortages or stoppages
• Changing demographics, social mores, family structures, and work/life priorities
• Consumer behavior that changes products and services demand or creates buying opportunity

TECHNOLOGICAL
• New e-business technologies that lower infrastructure costs or increase demand for IT-based services
• Emerging technology
• Increased or decreased availability of data
• Interruptions or downtime caused by external parties

Internal Factors

INFRASTRUCTURE
• Inadequate access to or poor allocation of capital
• Availability and capability of company assets
• Complexity of systems

PERSONNEL
• Workplace accidents, health or safety concerns
• Employees acting dishonestly or unethically
• Employee skills and capability
• Strikes or expiration of labor agreements

PROCESS
• Process modification without proper change management procedures
• Process execution errors
• Poorly designed processes
• Suppliers cannot deliver quality goods on time

TECHNOLOGY
• Insufficient capacity to handle peak IT usages
• Data or system unavailability
• Poor systems selection/development
• Inadequately maintained systems
• Security breaches
• Inadequate data integrity

7.9 Explain what is meant by objective setting and describe the four types of objectives used in ERM.

Objective setting, the second ERM component, is determining what the company hopes to achieve. It is often referred to as the corporate vision or mission. The four types of objectives used in ERM are:

1. Strategic objectives are high-level goals that align with the company’s mission, support it, and create shareholder value. Management should identify alternative ways of accomplishing the strategic objectives, identify and assess the risks and implications of each alternative, and formulate a corporate strategy.
2. Operations objectives deal with the effectiveness and efficiency of company operations and determine how to allocate resources. They reflect management preferences, judgments, and style and are a key factor in corporate success. They vary significantly - one company decides to be an early adopter of technology, another adopts technology when it is proven, and a third adopts it only after it is generally accepted.
3. Reporting objectives help ensure the accuracy, completeness, and reliability of company reports; improve decision-making; and monitor company activities and performance.
4. Compliance objectives help the company comply with all applicable laws and regulations. Most compliance and many reporting objectives are imposed by external entities due to laws or regulations.

ERM provides reasonable assurance that reporting and compliance objectives are achieved because companies have control over them.
However, the only reasonable assurance ERM can provide about strategic and operations objectives is that management and directors are informed on a timely basis of the progress the company is making in achieving them.

7.10 Discuss several ways that ERM processes can be continuously monitored and modified so that deficiencies are reported to management.

1. Have a special team or internal auditing perform a formal or a self-assessment ERM evaluation.
2. Supervise effectively, including training and assisting employees, correcting errors, and overseeing employees who have access to assets.
3. Use Responsibility Accounting Systems such as budgets, quotas, schedules, standard costs, and quality standards; reports comparing actual and planned performance; and procedures for investigating and correcting significant variances.
4. Use risk analysis and management software packages to review computer and network security measures, detect illegal access, test for weaknesses and vulnerabilities, report weaknesses found, and suggest improvements.
5. Track purchased software to comply with copyrights and protect against software piracy lawsuits. Companies should periodically conduct software audits. Employees should be informed of the consequences of using unlicensed software. Track and monitor mobile devices, as their loss could represent a substantial exposure. Also, track who has them, what tasks they perform, the security features installed, and what software is needed to maintain adequate system and network security.
6. Have periodic external, internal, and network security audits to assess and monitor risk as well as detect fraud and errors.
7. Have a chief security officer (CSO), who is independent of the information system function, be in charge of system security and report to the chief operating officer (COO) or the CEO.
8. Have a chief compliance officer (CCO), who reports to the same people, be responsible for all compliance issues.
9. Use forensic investigators, who specialize in fraud detection and investigation, to help with the financial reporting and corporate governance process. Most forensic investigators received specialized training with the FBI, IRS, or other law enforcement agencies. Investigators with the computer skills to ferret out fraud perpetrators are in great demand.
10. Install fraud detection software to help ferret out fraud, such as illegal credit card use, and notify forensic investigators when it is found.
11. Use a fraud hotline so people witnessing fraudulent behavior can report it anonymously.

SUGGESTED SOLUTIONS TO THE PROBLEMS

7.1 You are an audit supervisor assigned to a new client, Go-Go Corporation, which is listed on the New York Stock Exchange. You visited Go-Go’s corporate headquarters to become acquainted with key personnel and to conduct a preliminary review of the company’s accounting policies, controls, and systems. During this visit, the following events occurred:

a. You met with Go-Go’s audit committee, which consists of the corporate controller, treasurer, financial vice president, and budget director.
b. You recognized the treasurer as a former aide to Ernie Eggers, who was convicted of fraud several years ago.
c. Management explained its plans to change accounting methods for depreciation from the accelerated to the straight-line method. Management implied that if your firm does not concur with this change, Go-Go will employ other auditors.
d. You learned that the financial vice president manages a staff of five internal auditors.
e. You noted that all management authority seems to reside with three brothers, who serve as chief executive officer, president, and financial vice president.
f. You were told that the performance of division and department managers is evaluated on a subjective basis, because Go-Go’s management believes that formal performance evaluation procedures are counterproductive.
g. You learned that the company has reported increases in earnings per share for each of the past 25 quarters; however, earnings during the current quarter have leveled off and may decline.
h. You reviewed the company’s policy and procedures manual, which listed policies for dealing with customers, vendors, and employees.
i. Your preliminary assessment is that the accounting systems are well designed and that they employ effective internal control procedures.
j. Some employees complained that some managers occasionally contradict the instructions of other managers regarding proper data security procedures.
k. After a careful review of the budget for data security enhancement projects, you feel the budget appears to be adequate.
l. The enhanced network firewall project appeared to be on a very aggressive implementation schedule. The IT manager mentioned that even if he put all of his personnel on the project for the next five weeks, he still would not complete the project in time. The manager has mentioned this to company management, which seems unwilling to modify the schedule.
m. Several new employees have had trouble completing some of their duties, and they do not appear to know who to ask for help.
n. Go-Go’s strategy is to achieve consistent growth for its shareholders. However, its policy is not to invest in any project unless its payback period is no more than 48 months and yields an internal rate of return that exceeds its cost of capital by 3%.
o. You observe that company purchasing agents wear clothing and exhibit other paraphernalia from major vendors.
The purchasing department manager proudly displays a picture of himself holding a big fish on the deck of a luxury fishing boat that has the logo of a major Go-Go vendor painted on its wheelhouse.

The information you have obtained suggests potential problems relating to Go-Go’s internal environment. Identify the problems, and explain them in relation to the internal environment concepts discussed in this chapter.

The underlined items correspond to one of the 7 elements of the internal environment covered in the text.

a. You met with Go-Go’s audit committee, which consists of the corporate controller, treasurer, financial vice president, and budget director.

PROBLEM: Section 301 of the Sarbanes-Oxley Act of 2002 (SOX) applies to publicly held companies and their auditors. It requires audit committee members to be on the company’s board of directors and to be independent of the company. That is not the case at Go-Go Corporation.

SOLUTION: All members of the audit committee should be members of the Board of Directors. They must also be independent of the company – meaning none of the audit committee can be employees.

The audit committee is responsible for overseeing the corporation’s internal control structure, its financial reporting process, and its compliance with related laws, regulations, and standards. The committee works closely with the corporation’s external and internal auditors.

SOX requires audit committees to be responsible for hiring, compensating, and overseeing the auditors and for auditors to report all critical accounting policies and practices to the audit committee.

b. You recognized the treasurer as a former aide to Ernie Eggers, who was convicted of fraud several years ago.

PROBLEM: Because the position of corporate treasurer involves managing cash and other financial assets, it is critical that the position be filled with someone of unquestioned commitment to integrity and ethical values. This question presents somewhat of a dilemma.
Here are the two sides of that dilemma.

On the one hand, just because the treasurer worked for someone who turned out to be dishonest does NOT mean the treasurer is dishonest as well. Everyone should be judged on his or her own merits, not those of someone else. Therefore, you need to be careful not to assume automatically that the treasurer is dishonest.

On the other hand, the fact that the treasurer has been an aide to someone convicted of fraud should raise questions in your mind. You should approach all audits with the requisite skeptical attitude. That skeptical attitude should be heightened due to his past associations.

SOLUTION: Though you may not have specific information linking the corporate treasurer to the prior fraud, this information should indicate a need to examine carefully the corporation's human resource standards and personnel policies and practices with respect to hiring.

c. Management explained its plans to change accounting methods for depreciation from the accelerated to the straight-line method. Management implied that if your firm does not concur with this change, Go-Go will employ other auditors.

PROBLEM: Why would a company want to move from an accelerated depreciation method to one with a lower depreciation write-off? One reason is that it reduces depreciation expense, thereby increasing net income and, potentially, the company’s stock price. Alternatively, they may be looking for a way to mask, or hide, other company problems that will affect net income.

SOLUTION: The company should have a logical and defensible reason for changing accounting methods, other than just to increase net income and the stock price.

The company may be willing to go to great lengths to "get their own way" with respect to an important financial reporting matter. The commitment to ethics issue involves questionable practices, desire to make the numbers, etc.
If management does not have a good reason for the desired change, company management’s commitment to integrity and ethical values should be carefully evaluated.

It is also possible that there is a problem with management's philosophy and operating style. Management’s philosophy and operating style relates to risk-taking propensity, and problems with philosophy and operating style are similar to carelessness or recklessness.

It is important to note that management can be careless, yet ethical; they can also be careful, yet unethical.

d. You learned that the financial vice president manages a staff of five internal auditors.

PROBLEM: The internal audit function is not organizationally independent of the accounting and finance functions.

SOLUTION: Organization structure and board of director requirements dictate that internal audit should report directly to the audit committee of the board of directors rather than the financial vice president.

e. You noted that all management authority seems to reside with three brothers, who serve as chief executive officer, president, and financial vice president.

PROBLEM: The dominance of an organization's management by one or a few individuals is an aspect of management's philosophy and operating style that might indicate a problem with the internal environment, in that there may be a potential for this small group to override the internal control system.

Just because a company is run by family members does not indicate there is a problem such as fraud – but it does make it easier to commit and that should be taken into consideration.

SOLUTION: It is important to evaluate this situation carefully to determine if it indeed presents an internal control weakness.

f. You were told that the performance of division and department managers is evaluated on a subjective basis, because Go-Go’s management believes that formal performance evaluation procedures are counterproductive.
PROBLEM: This indicates a possible problem with management's human resource standards and their methods of monitoring performance. Subjective evaluation methods are often not as effective in detecting problems or in identifying good performance as objective measures, such as formal performance evaluation procedures, that have been communicated to employees.

SOLUTION: It is important to evaluate carefully this situation to determine if it indeed presents an internal control weakness.

g. You learned that the company has reported increases in earnings per share for each of the past 25 quarters; however, earnings during the current quarter have leveled off and may decline.

PROBLEM: Management's philosophy and operating style, as well as their commitment to integrity and ethical values, can be tested when a company faces declining earnings. When earnings per share decrease or when they do not meet expectations, company stock can take a dive, sometimes a significant one. As a result, a company may try to avoid earnings decreases when possible. The problem comes when management uses questionable or even illegal means to prop up their earnings.

SOLUTION: Because many frauds have been perpetrated to prop up earnings, this significant fraud “red flag” must be investigated.

h. You reviewed the company’s policy and procedures manual, which listed policies for dealing with customers, vendors, and employees.

PROBLEM: One of the methods of assigning authority and responsibility is a written and comprehensive policies and procedures manual. Go-Go has a written policy and procedures manual, but it is incomplete. It is limited to only three areas: policies for dealing with customers, vendors, and employees.

SOLUTION: A policies and procedures manual should contain much more than what is indicated.
The manual should explain proper business practices, describe the knowledge and experience needed by key personnel, and list the resources provided to carry out specific duties. It should spell out management policy with respect to handling specific transactions and documents and the systems and procedures employed to process those transactions. It includes the organization’s chart of accounts and sample copies of forms and documents. The manual should be a helpful on-the-job reference for employees and a useful tool in training new employees.

i. Your preliminary assessment is that the accounting systems are well designed and that they employ effective internal control procedures.

PROBLEM: Even though you believe that the accounting systems are well designed, and that they employ effective internal control procedures, you cannot rely on that belief. The most effective internal control systems and procedures can be negated by a weak internal control environment, such as top management overriding the internal controls. In other words, there is no evidence that the controls are effective or that employees use and follow them.

SOLUTION: You cannot rely on the internal control procedures being effective until you test the controls.

j. Some employees complained that some managers occasionally contradict the instructions of other managers regarding proper data security procedures.

PROBLEM: It does not appear that there is a clear line of authority and responsibility for data security policies and procedures.

SOLUTION: Achieving adequate security and control over an organization’s data should be a top management priority. A company’s organizational structure defines its lines of authority, responsibility, and reporting and provides the overall framework for controlling and monitoring its operations.
Management should assign authority and responsibility for business objectives, such as data security, to specific departments and individuals and then hold them accountable for achieving those objectives. Authority and responsibility are assigned through formal job descriptions; employee training; and operating plans, schedules, and budgets. A written policy and procedures manual can be an important tool for assigning authority and responsibility.

k. After a careful review of the budget for data security enhancement projects, you feel the budget appears to be adequate.

PROBLEM: This item does not appear to be a problem. Your careful review indicates that the company appears to be allocating sufficient budget dollars to fund the data security enhancement projects.

l. The enhanced network firewall project appeared to be on a very aggressive implementation schedule. The IT manager mentioned that even if he put all of his personnel on the project for the next five weeks, he still would not complete the project in time. The manager has mentioned this to company management, which seems unwilling to modify the schedule.

PROBLEM: The firewall implementation schedule is not feasible.

SOLUTION: Management’s philosophy and operating style should be carefully evaluated. Is management taking undue business risks to achieve its objectives? Is management pressuring employees to achieve the desired results regardless of the methods used to achieve them?

m. Several new employees have had trouble completing some of their duties, and they do not appear to know who to ask for help.

PROBLEM: Employee training and support appear to be rather weak. Companies that shortchange training are more likely to have more fraud and more security breaches. If the employees do not know who to turn to for help, the company’s organizational structure and methods of assigning authority and responsibility appear to be lacking or unexplained.
SOLUTION: Good human resource standards require that training programs familiarize new employees with their responsibilities; expected levels of performance and behavior; and the company's policies and procedures, history, culture, and operating style. Ongoing training is needed to help employees tackle new challenges, stay ahead of the competition, adapt to changing technologies, and deal effectively with the evolving environment.

n. Go-Go’s strategy is to achieve consistent growth for its shareholders. It also has a policy not to invest in any project unless its payback period is no more than 48 months and yields an internal rate of return that exceeds its cost of capital by 3%.

PROBLEM: Go-Go's risk appetite, although aggressive, appears to be grounded in solid capital budgeting principles. This item, therefore, does not appear to be a problem.

o. You observe that company purchasing agents wear clothing and exhibit other paraphernalia from major vendors. The purchasing department manager proudly displays a picture of himself holding a big fish on the deck of a luxury fishing boat that has the logo of a major Go-Go vendor painted on its wheelhouse.

PROBLEM: Gifts from vendors can unduly influence purchasing agents to buy more goods from the gifting vendors. Purchasing decisions should be free of this sort of bias.

SOLUTION: Part of management’s philosophy and operating style should be the creation of an organizational culture that stresses integrity and commitment to ethical values and competence. In doing so, management should develop clearly stated human resource standards and policies that explicitly describe honest and dishonest behaviors, often in the form of a written code of conduct (methods of assigning authority and responsibility), and communicate them to employees. These policies should especially cover issues that are uncertain or unclear, such as conflicts of interest and the acceptance of gifts.
For example, most purchasing agents would agree that accepting a $5,000 bribe from a supplier is dishonest, but a weekend fishing trip or clothing is not as clear-cut. The observations in the purchasing department indicated that there could be a problem with favoring certain vendors.

7.2 Explain how the principle of separation of duties is violated in each of the following situations. Also, suggest one or more procedures to reduce the risk and exposure highlighted in each example.

a. A payroll clerk recorded a 40-hour workweek for an employee who had quit the previous week. He then prepared a paycheck for this employee, forged her signature, and cashed the check.

PROBLEM: Segregation of duties is violated here because the payroll clerk had the ability to record time worked and to prepare the payroll check (custody). This allowed the payroll clerk to both commit and conceal the fraud. The payroll clerk ignored the authorization process or had the authority to authorize the payment.

SOLUTION: These three functions should be segregated. One person should authorize payments, another should record the payments, a third should prepare the check, and a fourth should sign it.

b. While opening the mail, a cashier set aside, and subsequently cashed, two checks payable to the company on account.

PROBLEM: The cashier who opened the mail had custody of the cash. The cashier opening the mail can pocket the checks and forge a signature, never giving the authorized endorser a chance to be involved. For this reason, many companies have the mail opened by two people or have those opening the mail videotaped.

SOLUTION: While the cashier can get away with this fraud for a few weeks or months, the missing checks will eventually be noticed – usually when the customer complains – because the cashier has no way to conceal the fraud (recording function).
An investigation would include an examination of the stolen checks and that could lead to the cashier as the person cashing the checks. To be successful in the long term, the cashier needs access to the recording function to indicate that customer accounts are paid so that their complaints do not start an investigation.

c. A cashier prepared a fictitious invoice from a company using his brother-in-law’s name. He wrote a check in payment of the invoice, which the brother-in-law later cashed.

PROBLEM: Segregation of duties is violated here because the cashier had the ability to both write the check (custody) and approve the invoice for payment (authorization).

SOLUTION: The functions of authorizing invoices for payment and preparing checks for signature should be organizationally independent.

d. An employee of the finishing department walked off with several parts from the storeroom and recorded the items in the inventory ledger as having been issued to the assembly department.

PROBLEM: Employees can commit and conceal fraud when they have access to physical inventory (custody) and to inventory records (recording).

SOLUTION: This can be prevented by restricting storeroom access to authorized employees. Likewise, access to inventory records should be limited to authorized employees. Where possible, no storeroom employee should have access to both the physical inventory and the inventory records.

e. A cashier cashed a check from a customer in payment of an account receivable, pocketed the cash, and concealed the theft by properly posting the receipt to the customer’s account in the accounts receivable ledger.

PROBLEM: The cashier had custody of the checks and was responsible for posting (recording) to the accounts receivable ledger.

SOLUTION: Custody of the checks and posting to the Accounts Receivable Ledger should be organizationally independent. In addition, there should be an independent reconciliation of the three items:
1.
dollar amounts of the checks received
2. dollar amounts of the checks deposited in the bank
3. dollar amounts credited to customer accounts.

f. Several customers returned clothing purchases. Instead of putting the clothes into a return bin to be put back on the rack, a clerk put the clothing in a separate bin under some cleaning rags. After her shift, she transferred the clothes to a gym bag and took them home.

PROBLEM: The clerk was authorized to accept the return, grant credit, and had custody of the inventory. It is also possible that the clerk may have had responsibility to record the returns, but did not do so to cover the theft.

SOLUTION: All purchase returns should be documented by preparing a customer receipt and recording the return in a purchase returns journal. No cash or credit can be given without the return being authorized by a supervisor and recorded in the data files recorded in the cash register. The purchase returns area should be kept clean and orderly so that returns cannot be "hid" among excess returns. Employees should not be allowed to have gym bags or other personal items that could conceal stolen items in work areas.

g. A receiving clerk noticed that four cases of MP3 players were included in a shipment when only three were ordered. The clerk put the extra case aside and took it home after his shift ended.

PROBLEM: The receiving clerk had custody of arriving goods, counted the goods, and compared the count to a purchase order. The problem is that, while the receiving clerk did not record the purchase order, she did have access to a document that showed the amount ordered. This allows her to steal any excess items shipped without having to record anything to conceal it.

SOLUTION: Purchase orders sent to the receiving area should not indicate how many items or cases were ordered, thus helping ensure that all shipments are counted and recorded.
The purchasing department should reconcile items received against items ordered.

h. An insurance claims adjuster had check signing authority of up to $6,000. The adjuster created three businesses that billed the insurance company for work not performed on valid claims. The adjuster wrote and signed checks to pay for the invoices, none of which exceeded $6,000.

PROBLEM: The adjuster had authorization to add vendors to the vendor master file, authorization to write checks up to $6,000, and had custody of the signed checks. Apparently, the adjuster also had some recording duties (maintaining the vendor master file).

SOLUTION: The functions of signing checks for invoices, approving vendors, and maintaining the vendor master file should be organizationally independent. Payments should not be made to anyone that is not on the approved vendor list. Controls should be put into place to ensure that employees cannot add an unauthorized or unapproved vendor to the vendor master file.

i. An accounts payable clerk recorded invoices received from a company that he and his wife owned and authorized their payment.

PROBLEM: The accounts payable clerk had recording duties and he authorized payments.

SOLUTION: The functions of recording invoices and authorizing payments should be organizationally independent. In addition, vendors should only be allowed to purchase goods and services from approved vendors. Controls should be put into place to ensure that employees cannot add an unauthorized or unapproved vendor to the vendor master file. The company needs to establish policies and a code of conduct that prohibits conflicts of interest and related party transactions, such as buying goods from a company in which you have ownership interest.

j. A cashier created false purchase return vouchers to hide his theft of several thousand dollars from his cash register.
PROBLEM: The cashier had recording (creating return vouchers), custody (cash in the cash register), and authorization (authorize the return of goods) duties.

SOLUTION: These three duties should be performed by three separate people. A cashier should only have custody duties. Cashiers and others with access to cash should not be allowed to have recording or authorization duties. Cashiers should not pay out cash on purchase return vouchers until they are authorized by a supervisor.

k. A purchasing agent received a 10% kickback of the invoice amount for all purchases made from a specific vendor.

PROBLEM: The purchasing agent has both recording (prepare the purchase order) and authorization (select a vendor from a list of authorized vendors) duties. The purchasing agent gets custody of cash when the vendor gives her the kickback.

SOLUTION: Purchasing agents should only be allowed to purchase goods and services from approved vendors. Controls should be put into place to ensure that employees cannot add an unauthorized or unapproved vendor to the vendor master file. Vendor performance with respect to reliability, quality of goods, and prices charged should be tracked and periodically reviewed. Prices should periodically be compared to those charged by other vendors to make sure they are fair, competitive, and reasonable. Analytical procedures can be performed to track the percentage of business a purchasing agent gives to vendors. The company needs to establish policies and a code of conduct that prohibits conflicts of interest, related party transactions, and kickbacks.

7.3 The following description represents the policies and procedures for agent expense reimbursements at Excel Insurance Company.

Agents submit a completed expense reimbursement form to their branch manager at the end of each week.
The branch manager reviews the expense report to determine whether the claimed expenses are reimbursable based on the company’s expense reimbursement policy and reasonableness of amount. The company’s policy manual states that agents are to document any questionable expense item and that the branch manager must approve in advance expenditures exceeding $500. After the expenses are approved, the branch manager sends the expense report to the home office. There, accounting records the transaction, and cash disbursements prepares the expense reimbursement check. Cash disbursements sends the expense reimbursement checks to the branch manager, who distributes them to the agents.

To receive cash advances for anticipated expenses, agents must complete a Cash Advance Approval form. The branch manager reviews and approves the Cash Advance Approval form and sends a copy to accounting and another to the agent. The agent submits the copy of the Cash Advance Approval form to the branch office cashier to obtain the cash advance.

At the end of each month, internal audit at the home office reconciles the expense reimbursements. It adds the total dollar amounts on the expense reports from each branch, subtracts the sum of the dollar totals on each branch’s Cash Advance Approval form, and compares the net amount to the sum of the expense reimbursement checks issued to agents. Internal audit investigates any differences.

Identify the internal control strengths and weaknesses in Excel’s expense reimbursement process. Look for authorization, recording, safeguarding, and reconciliation strengths and weaknesses. (CMA Examination adapted)

Authorization
Strengths:
• Excel has a formal statement of policies and procedures for agent reimbursements.
• Expense reports must be approved by the Branch Manager prior to payment.
• Accounting receives approved expense reports and cash advance forms. This facilitates the correct recording of all authorized transactions.
Weaknesses:
• There is no limit on the agent’s total weekly expenditures or cash advances.
• Expense reimbursement checks are sent to the Branch Manager for distribution rather than to the agent. This allows the Branch Manager to submit a fictitious expense reimbursement for a former agent or one on vacation and then cash the check.

Recording
Weaknesses:
• The Branch Manager does not retain a copy of expense reports or cash advances for audit purposes.
• The expense report is not checked for mathematical accuracy.

Safeguarding
Strengths:
• Expense reimbursement checks are issued by the cash disbursements department.
• Cash disbursements are made only after receipt of an approved expense report or Cash Advance Approval form.
Weaknesses:
• A copy of the Cash Advance Approval form should be sent to the Branch Office Cashier so it can compare it with the one submitted by the agent.
• Supporting documentation is not required for all expenditures.

Reconciliation
Strengths:
• Internal Audit compares reimbursement checks with expense report totals less cash advances in the home office.
• Reconciliation differences are investigated.
Weaknesses:
• There is no reconciliation of Branch Office Cashier disbursements with Cash Advance Approval forms.

7.4 The Gardner Company, a client of your firm, has come to you with the following problem. It has three clerical employees who must perform the following functions:
a. Maintain the general ledger
b. Maintain the accounts payable ledger
c. Maintain the accounts receivable ledger
d. Prepare checks for signature
e. Maintain the cash disbursements journal
f. Issue credits on returns and allowances
g. Reconcile the bank account
h. Handle and deposit cash receipts

Assuming equal abilities among the three employees, the company asks you to assign the eight functions to them to maximize internal control. Assume that these employees will perform no accounting functions other than the ones listed.

a.
List four possible unsatisfactory pairings of the functions.

All five of the unsatisfactory pairings below involve custody of cash and a recording function that would allow a fraud perpetrator to conceal a theft.

1. General ledger - cash receipts. With custody of cash, this person could steal cash receipts and conceal the theft by recording a fictitious entry in the General Ledger to credit (reduce) the balance of the cash account by the amount stolen.
2. Accounts receivable ledger - cash receipts. With custody of cash, this person could steal cash receipts and conceal the theft by recording a fictitious entry in the Accounts Receivable Subsidiary Ledger to reduce a customer’s accounts receivable balance by the amount stolen.
3. Bank reconciliation - cash receipts. With custody of cash, this person could steal cash receipts and conceal the theft by falsifying (recording) the bank reconciliation.
4. Credits on returns and allowances - cash receipts. This person could authorize (authorization) or record false credit memos (recording) to customers who are making a payment and steal the customer payments (custody).
5. Accounts payable ledger - prepare checks for signature. A person with both of these responsibilities could create fictitious payables (recording) and then write and cash checks to pay them (custody).
6. Maintain accounts receivable - issue credit memos – this combines authorization and recording. A person with both of these responsibilities could write off accounts for friends.

b. State how you would distribute the functions among the three employees. Assume that with the exception of the nominal jobs of the bank reconciliation and the issuance of credits on returns and allowances, all functions require an equal amount of time.

Any distribution that avoids all of the above unsatisfactory combinations and spreads the workload evenly is acceptable.
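The six unsatisfactory pairings listed in part a can be turned into a mechanical separation-of-duties check. The Python sketch below is an added example, not part of the solution manual: it flags conflicting pairs in a proposed distribution and enumerates every distribution that avoids them. The function names, the constructed BAD_EXAMPLE, and the reading of "spreads the workload evenly" as an equal number of non-nominal functions per employee are assumptions.

```python
"""Separation-of-duties check for the Gardner Company functions (problem 7.4)."""
from itertools import product

# The eight functions from the problem. True marks the two "nominal" jobs.
NOMINAL = {
    "general ledger": False,
    "accounts payable ledger": False,
    "accounts receivable ledger": False,
    "prepare checks for signature": False,
    "cash disbursements journal": False,
    "credits on returns and allowances": True,
    "bank reconciliation": True,
    "cash receipts": False,
}

# The six unsatisfactory pairings listed in the answer to part a.
CONFLICTS = [
    frozenset({"general ledger", "cash receipts"}),
    frozenset({"accounts receivable ledger", "cash receipts"}),
    frozenset({"bank reconciliation", "cash receipts"}),
    frozenset({"credits on returns and allowances", "cash receipts"}),
    frozenset({"accounts payable ledger", "prepare checks for signature"}),
    frozenset({"accounts receivable ledger", "credits on returns and allowances"}),
]


def violations(assignment):
    """Return (employee number, function, function) for each conflicting pair held by one employee."""
    found = []
    for number, duties in enumerate(assignment, start=1):
        for pair in CONFLICTS:
            if pair <= set(duties):
                found.append((number, *sorted(pair)))
    return found


def is_complete(assignment):
    """True when every function is assigned to exactly one employee."""
    assigned = [name for duties in assignment for name in duties]
    return sorted(assigned) == sorted(NOMINAL)


def is_balanced(assignment):
    """Assumed workload rule: every employee holds the same number of non-nominal functions."""
    loads = {sum(not NOMINAL[name] for name in duties) for duties in assignment}
    return len(loads) == 1


def acceptable_distributions(employees=3):
    """Enumerate all balanced, conflict-free splits, ignoring which clerk is called 'first'."""
    names = list(NOMINAL)
    seen = set()
    for choice in product(range(employees), repeat=len(names)):
        groups = [set() for _ in range(employees)]
        for name, who in zip(names, choice):
            groups[who].add(name)
        if is_balanced(groups) and not violations(groups):
            seen.add(frozenset(frozenset(g) for g in groups))
    return seen


# The distribution suggested in the manual's answer to part b.
MANUAL_ANSWER = [
    {"accounts payable ledger", "accounts receivable ledger", "bank reconciliation"},
    {"general ledger", "cash disbursements journal", "credits on returns and allowances"},
    {"prepare checks for signature", "cash receipts"},
]

# Constructed counter-example: one clerk handles receipts, the A/R ledger and credits.
BAD_EXAMPLE = [
    {"accounts receivable ledger", "cash receipts", "credits on returns and allowances"},
    {"general ledger", "accounts payable ledger", "bank reconciliation"},
    {"prepare checks for signature", "cash disbursements journal"},
]

if __name__ == "__main__":
    print("manual answer violations:", violations(MANUAL_ANSWER))
    for hit in violations(BAD_EXAMPLE):
        print("conflict:", hit)
    print("acceptable distributions:", len(acceptable_distributions()))
```

Under these assumptions the search finds 16 acceptable distributions, the manual's suggestion among them, which illustrates the answer's point that any conflict-free, balanced split is acceptable.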
The key is not to have anyone with both custody and a recording function that could be used to conceal a theft. One such combination is:

First employee: accounts payable ledger, accounts receivable ledger, bank reconciliations
Second employee: general ledger, disbursements journal, credits on returns and allowances
Third employee: prepare checks for signature, cash receipts

7.5 During a recent review, ABC Corporation discovered that it has a serious internal control problem. It is estimated that the impact associated with this problem is $1 million and that the likelihood is currently 5%. Two internal control procedures have been proposed to deal with this problem. Procedure A would cost $25,000 and reduce likelihood to 2%; procedure B would cost $30,000 and reduce likelihood to 1%. If both procedures were implemented, likelihood would be reduced to 0.1%.

a. What is the estimated expected loss associated with ABC Corporation’s internal control problem before any new internal control procedures are implemented?

Expected Loss = Risk * Exposure = 0.05 * $1,000,000 = $50,000

b. Compute the revised estimate of expected loss if procedure A were implemented, if procedure B were implemented, and if both procedures were implemented.

Control Procedure   Risk    Exposure     Revised Expected Loss   Reduction in Expected Loss   Cost of Control(s)   Net Benefit (Cost)
A                   0.02    $1,000,000   $20,000                 $30,000                      $25,000              $5,000
B                   0.01    $1,000,000   $10,000                 $40,000                      $30,000              $10,000
Both                0.001   $1,000,000   $1,000                  $49,000                      $55,000              $(6,000)

c. Compare the estimated costs and benefits of procedure A, procedure B, and both procedures combined. If you consider only the estimates of cost and benefit, which procedure(s) should be implemented?

Considering only the estimated costs and benefits, procedure B should be implemented because its net benefit is greater than A; it is also greater than both A and B together.
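The figures in parts a through c can be recomputed, and the break-even search that part e assigns to Excel's Goal Seek reproduced, with the short Python sketch below. It is an added example, not part of the solution manual; the function names are hypothetical, and it assumes Goal Seek varies the likelihood without the control until the net benefit equals 0.

```python
"""Cost-benefit of the proposed controls in problem 7.5, with a Goal Seek equivalent."""

EXPOSURE = 1_000_000      # impact of the control problem, from the problem text
BASE_LIKELIHOOD = 0.05    # likelihood before any new control
# name -> (likelihood after the control, cost of the control), from the problem text
CONTROLS = {"A": (0.02, 25_000), "B": (0.01, 30_000), "Both": (0.001, 55_000)}


def expected_loss(likelihood, exposure=EXPOSURE):
    """Expected loss = risk (likelihood) * exposure."""
    return likelihood * exposure


def net_benefit(residual, cost, base=BASE_LIKELIHOOD, exposure=EXPOSURE):
    """Reduction in expected loss bought by the control, minus what the control costs."""
    reduction = expected_loss(base, exposure) - expected_loss(residual, exposure)
    return reduction - cost


def evaluate(controls=CONTROLS):
    """Rebuild the part b table as a dict keyed by control name."""
    rows = {}
    for name, (residual, cost) in controls.items():
        revised = expected_loss(residual)
        rows[name] = {
            "revised_expected_loss": revised,
            "reduction": expected_loss(BASE_LIKELIHOOD) - revised,
            "cost": cost,
            "net_benefit": net_benefit(residual, cost),
        }
    return rows


def best_control(controls=CONTROLS):
    """Part c: the option with the largest net benefit on the estimates alone."""
    table = evaluate(controls)
    return max(table, key=lambda name: table[name]["net_benefit"])


def goal_seek(func, low, high, tolerance=1e-10):
    """Bisection search for x in [low, high] where func(x) is 0."""
    f_low = func(low)
    if f_low * func(high) > 0:
        raise ValueError("func does not change sign on the interval")
    while high - low > tolerance:
        mid = (low + high) / 2
        if func(mid) * f_low > 0:   # same sign as at 'low': the root lies to the right
            low = mid
        else:
            high = mid
    return (low + high) / 2


def break_even_likelihood(residual, cost):
    """Likelihood without the control at which the control exactly pays for itself."""
    return goal_seek(lambda p: net_benefit(residual, cost, base=p), residual, 1.0)


if __name__ == "__main__":
    for name, row in evaluate().items():
        print(name, {key: round(value) for key, value in row.items()})
    print("best on estimates alone:", best_control())
    for name, (residual, cost) in CONTROLS.items():
        likelihood = break_even_likelihood(residual, cost)
        print(f"{name}: break-even likelihood {likelihood:.3%}, reduction ${cost:,}")
```

At break-even the reduction in expected loss equals the cost of the control, so a control is only worth its cost when the likelihood without it is above the break-even value.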
Care must be taken with these discussions, however, because the numbers used are estimates. The net benefit figures are only as good as the estimates used to produce them.

d. What other factors might be relevant to the decision?

Another important factor to consider is how critical the $1,000,000 loss would be to ABC Corporation.
• If ABC is a multi-billion dollar corporation, then they can afford to evaluate this matter strictly on the basis of estimated costs and benefits.
• However, if ABC is a small corporation then a loss of this magnitude could threaten their continued existence, and it may be worthwhile to incur extra costs (as a form of insurance premium) to reduce the risk of loss to the smallest possible level.

e. Use the Goal Seek function in Microsoft Excel to determine the likelihood of occurrence without the control and the reduction in expected loss if the net benefit/cost is 0. Do this for procedure A, procedure B, and both procedures together.

[Figures: Goal Seek setup and solved screens for Control Procedure A, Control Procedure B, and both procedures.]

7.6 The management at Covington, Inc., recognizes that a well-designed internal control system provides many benefits. Among the benefits are reliable financial records that facilitate decision making and a greater probability of preventing or detecting errors and fraud. Covington’s internal auditing department periodically reviews the company’s accounting records to determine the effectiveness of internal controls. In its latest review, the internal audit staff found the following eight conditions:
1. Daily bank deposits do not always correspond with cash receipts.
2.
Bad debt write-offs are prepared and approved by the same employee.
3. There are occasional discrepancies between physical inventory counts and perpetual inventory records.
4. Alterations have been made to physical inventory counts and to perpetual inventory records.
5. There are many customer refunds and credits.
6. Many original documents are missing or lost. However, there are substitute copies of all missing originals.
7. An unexplained decrease in the gross profit percentage has occurred.
8. Many documents are not approved.

For each of the eight conditions detected by the Covington internal audit staff:
a. Describe a possible cause of the condition.
b. Recommend actions to be taken and/or controls to be implemented that would correct the condition.

Adapted from the CMA Examination

1. Daily bank deposits do not always correspond with cash receipts.
a. Possible cause: Timing difference between when cash is received and when deposited in the bank
- Cash is received after the day’s bank deposit is prepared and sent to the bank.
- Bank credits bank deposits received after a certain hour on the next day.
a. Possible cause: Cash receipts are being stolen
b. Recommendation: Make two deposits for each day’s receipts. An employee who does not handle cash receipts daily reconciles each day’s cash receipts per book with deposits per bank
b. Recommendation: List cash received each day; compare it to daily cash deposits. Have 2 people involved in cash receipts if practical. If only one can be involved, video tape the receipts process. Have an employee who does not handle receipts do all reconciliations.

2. Bad debt write-offs are prepared and approved by the same employee.
a. Possible cause: Collusion between customers and the employee writing off the bad debts.
b. Recommendation: Require all bad debt write-offs to be approved by a second employee.

3. Occasional discrepancies between physical inventory counts and perpetual inventory records.
a. Possible cause: Unauthorized access to physical inventory and/or inventory records.
b. Recommendation: Limit physical and logical access to the inventory records to authorized employees. Require that all adjustments to inventory records be approved by a responsible official.
a. Possible cause: Inventory theft by employees
b. Recommendation: Count all inventory when received at the warehouse and at the storeroom; reconcile the counts. Count inventory to be shipped before it is removed from the storeroom, when received by shipping, and when shipped; reconcile counts. Bar codes and RFID tags to facilitate counts. Hold storeroom employees responsible for all inventory losses.

4. Alterations to physical inventory counts and perpetual inventory records
a. Possible cause: Unauthorized access to inventory records.
b. Recommendation: Limit physical and logical access to the inventory records to authorized employees. Require that all adjustments to inventory records be approved by a responsible official.
a. Possible cause: Fraud
b. Recommendation: Examine physical inventory counts and perpetual inventory records for evidence of fraud. Terminate any employees that commit fraud

5. Many customer refunds and credits.
a. Possible cause: Collusion among customers, salespersons, common carriers, and the shipping and accounting departments of Covington.
b. Recommendation: Segregate duties so refunds and credits are authorized by responsible employees not otherwise involved in sales, shipping, or maintaining accounts receivable.
a. Possible cause: Poor product quality
b. Recommendation: Fix production problems

6. Many original documents are missing or lost. However, there are substitute copies of all missing originals.
a. Possible cause: Failure to use pre-numbered documents.
a. Possible cause: Fraud was perpetrated, original copies of the documents were destroyed, and they were replaced by photocopies.
b. Recommendation: Use pre-numbered documents to facilitate the control and identification of documents.
b. Recommendation: Investigate all instances where originals are missing and photocopies are used.

7. An unexplained decrease in the gross profit percentage has occurred.
a. Possible cause: Granting unauthorized discounts or credits to customers.
b. Recommendation: Require the approval of a responsible party before granting customer discounts or credits.
a. Possible cause: Theft of inventory
b. Recommendation: Count all inventory when received at the warehouse and at the storeroom; reconcile the counts. Count inventory to be shipped before it is removed from the storeroom, when received by shipping, and when shipped; reconcile counts. Bar codes and RFID tags to facilitate counts. Hold storeroom employees responsible for all inventory losses.
a. Possible cause: Customers given lower, preferential sales prices
b. Recommendation: Require the approval of a responsible party before granting preferential sales prices
a. Possible cause: Unrecorded sales
b. Recommendation: Require the use of pre-numbered sales documents and do not allow inventory to leave the warehouse without an accompanying sales document.

8. Many documents are not approved.
a. Possible cause: Lack of, misunderstanding of, or failure to comply with written procedures.
b. Recommendation: Prepare or update written procedures and train employees using the procedures. Hold employees responsible for not approving documents
a. Possible cause: Fraud committed by bypassing the approval process
b. Recommendation: Examine unapproved documents for evidence of fraud. Terminate any employees that commit fraud

7.7 Consider the following two situations: For the situations presented, describe the recommendations the internal auditors should make to prevent the following problems. Adapted from the CMA Examination

Situation 1: Many employees of a firm that manufactures small tools pocket some of the tools for their personal use. Since the quantities taken by any one employee are immaterial, the individual employees do not consider the act as fraudulent or detrimental to the company. The company is now large enough to hire an internal auditor. One of the first things she did was to compare the gross profit rates for industrial tools to the gross profit for personal tools. Noting a significant difference, she investigated and uncovered the employee theft.
• Implement and communicate through proper training a policy regarding the theft of company goods and services and the repercussions associated with theft.
• Allow employees to purchase tools at cost from the company.
• Continue to compare the gross profit rates for industrial tools to the gross profit for personal tools until the problem is resolved.
• Discipline or terminate any employees not following the new policy.
• Institute better physical access controls over the tools to prevent theft.

Situation 2: A manufacturing firm’s controller created a fake subsidiary. He then ordered goods from the firm’s suppliers, told them to ship the goods to a warehouse he rented, and approved the vendor invoices for payment when they arrived. The controller later sold the diverted inventory items, and the proceeds were deposited to the controller’s personal bank account. Auditors suspected something was wrong when they could not find any entries regarding this fake subsidiary office in the property, plant, and equipment ledgers or a title or lease for the office in the real estate records of the firm.
• Implement a better segregation of duties. The company controller should not be able to order goods, specify shipment locations, and authorize payment for inventory.
• Require all inventory purchases to be initiated by the purchasing department.
• Require all inventory payments to be supported by proper supporting documents such as receiving reports signed by authorized personnel.
• Require special authorization for shipments to locations not typically used.

7.8 Tralor Corporation manufactures and sells several different lines of small electric components. Its internal audit department completed an audit of its expenditure processes. Part of the audit involved a review of the internal accounting controls for payables, including the controls over the authorization of transactions, accounting for transactions, and the protection of assets.
The auditors noted the following items:
1. Routine purchases are initiated by inventory control notifying the purchasing department of the need to buy goods. The purchasing department fills out a prenumbered purchase order and gets it approved by the purchasing manager. The original of the five-part purchase order goes to the vendor. The other four copies are for purchasing, the user department, receiving for use as a receiving report, and accounts payable.
2. For efficiency and effectiveness, purchases of specialized goods and services are negotiated directly between the user department and the vendor. Company procedures require that the user department and the purchasing department approve invoices for any specialized goods and services before making payment.
3. Accounts payable maintains a list of employees who have purchase order approval authority. The list was updated two years ago and is seldom used by accounts payable clerks.
4. Prenumbered vendor invoices are recorded in an invoice register that indicates the receipt date, whether it is a special order, when a special order is sent to the requesting department for approval, and when it is returned. A review of the register indicated that there were seven open invoices for special purchases, which had been forwarded to operating departments for approval over 30 days previously and had not yet been returned.
5. Prior to making entries in accounting records, the accounts payable clerk checks the mathematical accuracy of the transaction, makes sure that all transactions are properly documented (the purchase order matches the signed receiving report and the vendor’s invoice), and obtains departmental approval for special purchase invoices.
6. All approved invoices are filed alphabetically. Invoices are paid on the 5th and 20th of each month, and all cash discounts are taken regardless of the terms.
7. The treasurer signs the checks and cancels the supporting documents. An original document is required for a payment to be processed.
8. Prenumbered blank checks are kept in a locked safe accessible only to the cash disbursements department. Other documents and records maintained by the accounts payable section are readily accessible to all persons assigned to the section and to others in the accounting function.

Review the eight items listed and decide whether they represent an internal control strength or weakness.
a. For each internal control strength you identified, explain how the procedure helps achieve good authorization, accounting, or asset protection control.
b. For each internal control weakness you identified, explain why it is a weakness and recommend a way to correct the weakness.
Adapted from the CMA Examination

Columns: # / a. Why it is a strength / b. Why it is a weakness / b. Recommendation to correct weakness

1. Strength: User authorization means the right materials and quantities will be ordered. The use of pre-numbered purchase orders allows all POs to be accounted for.
   Weakness: A purchase order copy should not be used as a receiving report unless the quantities have been blanked out.
   Recommendation: The receiving report is prepared after an independent count and identification.

2. Weakness: The user/purchaser may not be trained in purchasing techniques and could be overcharged in the transaction.
   Recommendation: Both the user and the purchasing agent should be involved in negotiating with the company.

2. Weakness: It increases the potential for collusive agreements.
   Recommendation: The purchasing department should approve orders before the purchase, not before payment is made.

3. Weakness: Failure to properly maintain the list of authorized signatories renders it useless.
   Recommendation: Update the list as soon as a change in purchase authorization occurs. Payables clerk should be required to use the list.

4. Strength: Numbering and recording process establishes good control over invoices and helps ensure their recording in accounting records.
   Weakness: Failure to follow-up on open invoices indicates an ineffective control due to a lack of follow-up.
   Recommendation: A periodic review and follow-up of all open items.

5. Strength: The transaction audit helps minimize errors and helps ensure that only properly authorized transactions are recorded.

6. Weakness: Paying monthly on only the 5th or 20th prevents payment of any invoice due on another date.
   Recommendation: Approved, unpaid invoices should be filed by payment due date first, and then alphabetically.

6. Weakness: Taking unearned cash discounts causes additional paperwork when disputed by suppliers and creates animosity. This policy may lead to fewer discounts being offered.
   Recommendation: Pay suppliers on or before the discount date. Lost discounts should be analyzed for cause and future avoidance.

7. Strength: Proper separation of duties exists. Requiring original documents and cancelling them after payment reduces duplicate payments.

8. Strength: Proper protection of blank checks (locked safe only accessible to cash disbursements department).
   Weakness: Unlimited access to cash disbursement documents (other than blank checks) permits unauthorized alteration of payables documents. This could result in a loss of control, a loss of accountability, or a loss of assets, as well as improper or inaccurate accounting or destruction of records.
   Recommendation: A policy limiting access to and physical protection of accounts payable documents and records should be established and monitored.

7.8 Lancaster Company makes electrical parts for contractors and home improvement retail stores. After their annual audit, Lancaster’s auditors commented on the following items regarding internal controls over equipment:
1. The operations department that needs the equipment normally initiates a purchase requisition for equipment. The operations department supervisor discusses the proposed purchase with the plant manager.
If there are sufficient funds in the requesting department’s equipment budget, a purchase requisition is submitted to the purchasing department once the plant manager is satisfied that the request is reasonable.
2. When the purchasing department receives either an inventory or an equipment purchase requisition, the purchasing agent selects an appropriate supplier and sends them a purchase order.
3. When equipment arrives, the user department installs it. The property, plant, and equipment control accounts are supported by schedules organized by year of acquisition. The schedules are used to record depreciation using standard rates, depreciation methods, and salvage values for each type of fixed asset. These rates, methods, and salvage values were set 10 years ago during the company’s initial year of operation.
4. When equipment is retired, the plant manager notifies the accounting department so the appropriate accounting entries can be made.
5. There has been no reconciliation since the company began operations between the accounting records and the equipment on hand.

Identify the internal control weaknesses in Lancaster’s system, and recommend ways to correct them. Adapted from the CMA Examination

1. Weakness: No authorization form describing the item to be acquired, why it is needed, expected costs, and benefits.
   Recommendation: The purchase requisition should include an item description, why the item is needed, estimated costs and benefits, account code, useful life, depreciation method, and management approval.

2. Weakness: Equipment purchases over a certain amount are not reviewed and approved by top management. Large sums of money can be spent on equipment.
   Recommendation: Large purchases should be approved by top management.

3. Weakness: Purchase requisitions for fixed assets are intermingled with requisitions for inventory, even though they are very different purchases. This results in a lack of control over the much more expensive equipment acquisitions.
   Recommendation: Authorized equipment acquisitions should be processed using special procedures and purchase orders. Copies of equipment purchase orders should be distributed to all appropriate departments so they can be monitored.

4. Weakness: No mention of pre-numbered purchase requisitions or purchase orders.
   Recommendation: Pre-numbered purchase requisitions and purchase orders should be used so that all documents can be accounted for.

5. Weakness: Plant engineering is not inspecting machinery and equipment upon receipt.
   Recommendation: Machinery and equipment should be subject to normal receiving routines. In addition, plant engineering should inspect the machines to make certain the correct item was delivered and that it was not damaged in transit.

6. Weakness: Equipment is not tagged and controlled to prevent theft.
   Recommendation: All new machinery and equipment should be assigned a control number and tagged at the time of receipt.

7. Weakness: Plant engineering is not helping with the equipment installations.
   Recommendation: Plant engineering should help with the equipment installations to ensure expensive equipment is not damaged.

8. Weakness: Machinery and equipment accounting policies, including depreciation, have not been updated to make certain that the most desirable methods are being used.
   Recommendation: Machinery and equipment accounting procedures, including depreciation, must be updated periodically to reflect actual experience, changes in accounting pronouncements, and income tax legislation.

9. Weakness: Equipment retirement schedules are not reconciled periodically to general ledger control accounts.
   Recommendation: Equipment retirement schedules, which provide information on asset cost and accumulated depreciation, should be reconciled to general ledger control accounts at least yearly. Periodically, a physical inventory of fixed assets should be taken and reconciled to the equipment retirement schedule and the general ledger control account.

7.10 The Langston Recreational Company (LRC) manufactures ice skates for racing, figure skating, and hockey. The company is located in Kearns, Utah, so it can be close to the Olympic Ice Shield, where many Olympic speed skaters train. Given the precision required to make skates, tracking manufacturing costs is very important to management so it can price the skates appropriately. To capture and collect manufacturing costs, the company acquired an automated cost accounting system from a national vendor. The vendor provides support, maintenance, and data and program backup service for LRC’s system. LRC operates one shift, five days a week. All manufacturing data are collected and recorded by Saturday evening so that the prior week’s production data can be processed. One of management’s primary concerns is how the actual manufacturing process costs compare with planned or standard manufacturing process costs. As a result, the cost accounting system produces a report that compares actual costs with standard costs and provides the difference, or variance. Management focuses on significant variances as one means of controlling the manufacturing processes and calculating bonuses. Occasionally, errors occur in processing a week’s production cost data, which requires the entire week’s cost data to be reprocessed at a cost of $34,500. The current risk of error without any control procedures is 8%. LRC’s management is currently considering a set of cost accounting control procedures that is estimated to reduce the risk of the data errors from 8% to 3%. This data validation control procedure is projected to cost $1,000 per week.

a. Perform a cost/benefit analysis of the data-validation control procedures.
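The comparison part a asks for, together with the point of indifference that part c finds with Goal Seek, worked in code. This is an added example, not part of the original solution manual: the dollar and risk figures are the ones stated in the problem, while the function names and the bisection search standing in for Goal Seek are choices made here.

```python
"""Expected-cost comparison for a control, with a Goal Seek style search.

Added example: figures come from problem 7.10; function names are
illustrative and not taken from any accounting package.
"""

REPROCESS_COST = 34_500   # cost of reprocessing one week's production data
RISK_WITHOUT = 0.08       # weekly risk of a data error with no control
RISK_WITH = 0.03          # weekly risk with the validation control
CONTROL_COST = 1_000      # weekly cost of the validation control


def expected_loss(impact, risk):
    """Expected loss per period: cost of the event times its probability."""
    return impact * risk


def net_benefit(impact, risk_without, risk_with, control_cost):
    """Reduction in expected loss bought by the control, minus its cost."""
    reduction = expected_loss(impact, risk_without) - expected_loss(impact, risk_with)
    return reduction - control_cost


def goal_seek(f, lo, hi, tol=1e-9, max_iter=200):
    """Find x in [lo, hi] where f(x) = 0 by bisection (what Goal Seek does numerically)."""
    f_lo, f_hi = f(lo), f(hi)
    if f_lo == 0:
        return lo
    if f_hi == 0:
        return hi
    if (f_lo > 0) == (f_hi > 0):
        raise ValueError("f has the same sign at both ends: no break-even in range")
    for _ in range(max_iter):
        mid = (lo + hi) / 2
        f_mid = f(mid)
        if abs(f_mid) < tol or (hi - lo) / 2 < tol:
            return mid
        if (f_mid > 0) == (f_lo > 0):
            lo, f_lo = mid, f_mid      # root lies in the upper half
        else:
            hi = mid                   # root lies in the lower half
    return (lo + hi) / 2


def breakeven_risk(impact=REPROCESS_COST, risk_with=RISK_WITH, control_cost=CONTROL_COST):
    """Uncontrolled risk at which the control exactly pays for itself.

    Raises ValueError when the control costs more than it could ever save,
    i.e. there is no risk level at or below 100% where it breaks even.
    """
    if impact <= 0 or control_cost < 0:
        raise ValueError("impact must be positive and control cost non-negative")
    return goal_seek(
        lambda risk: net_benefit(impact, risk, risk_with, control_cost),
        risk_with,
        1.0,
    )


if __name__ == "__main__":
    without = expected_loss(REPROCESS_COST, RISK_WITHOUT)
    with_control = expected_loss(REPROCESS_COST, RISK_WITH)
    print(f"Expected reprocessing cost without control: ${without:,.0f}")
    print(f"Expected reprocessing cost with control:    ${with_control:,.0f}")
    print(f"Net weekly benefit of the control:          "
          f"${net_benefit(REPROCESS_COST, RISK_WITHOUT, RISK_WITH, CONTROL_COST):,.0f}")
    r = breakeven_risk()
    print(f"Point of indifference: {r:.4%} (about {round(r * 100)}%)")
    print(f"Expected reprocessing cost at that risk:    ${expected_loss(REPROCESS_COST, r):,.0f}")
```

The unrounded point of indifference is 0.03 + 1,000 / 34,500, which is why the solved table shows $2,035 of expected reprocessing cost against a risk displayed as 6%.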
                                                      Without Control Process   With Control Process   Net Difference Expected
Cost of Production Data Reprocessing                  $34,500                   $34,500
Risk of Data Errors                                   8%                        3%
Expected Reprocessing Costs (Cost of Process * Risk)  $2,760                    $1,035                 $1,725
Cost of Control Process                                                         $1,000                 -$1,000
Net estimated benefit/(loss)                                                                           $725

b. Based on your analysis, make a recommendation to management regarding the control procedure.
Since the process yields an estimated net weekly benefit of $725, LRC should implement the control process.

c. The current risk of data errors without any control procedures is estimated to be 8%. The data control validation procedure costs $1,000 and reduces the risk to 3%. At some point between 8% and 3% is a point of indifference, that is, Cost of reprocessing the data without controls = Cost of processing the data with the controls + Cost of controls. Use a spreadsheet application such as Excel Goal Seek to find the solution.
Solution: 6%

                                                      Without Control Process   With Control Process   Net Difference Expected
Cost of Production Data Reprocessing                  $34,500                   $34,500
Risk of Data Errors                                   6%                        3%
Expected Reprocessing Costs (Cost of Process * Risk)  $2,035                    $1,035                 $1,000
Cost of Control Process                                                         $1,000                 -$1,000
Net estimated benefit                                                                                  $0

[Figure: Goal Seek Setup]
[Figure: Goal Seek Solved]

7.11 Spring Water Spa Company is a 15-store chain in the Midwest that sells hot tubs, supplies, and accessories. Each store has a full-time, salaried manager and an assistant manager. The sales personnel are paid an hourly wage and a commission based on sales volume. The company uses electronic cash registers to record each transaction. The salesperson enters his or her employee number at the beginning of his/her shift.
For each sale, the salesperson rings up the order by scanning the item’s bar code, which then displays the item’s description, unit price, and quantity (each item must be scanned). The cash register automatically assigns a consecutive number to each transaction. The cash register prints a sales receipt that shows the total, any discounts, the sales tax, and the grand total. The salesperson collects payment from the customer, gives the receipt to the customer, and either directs the customer to the warehouse to obtain the items purchased or makes arrangements with the shipping department for delivery. The salesperson is responsible for using the system to determine whether credit card sales are approved and for approving both credit sales and sales paid by check. Sales returns are handled in exactly the reverse manner, with the salesperson issuing a return slip when necessary. At the end of each day, the cash registers print a sequentially ordered list of sales receipts and provide totals for cash, credit card, and check sales, as well as cash and credit card returns. The assistant manager reconciles these totals to the cash register tapes, cash in the cash register, the total of the consecutively numbered sales invoices, and the return slips. The assistant manager prepares a daily reconciled report for the store manager’s review. Cash sales, check sales, and credit card sales are reviewed by the manager, who prepares the daily bank deposit. The manager physically makes the deposit at the bank and files the validated deposit slip. At the end of the month, the manager performs the bank reconciliation. The cash register tapes, sales invoices, return slips, and reconciled report are mailed daily to corporate headquarters to be processed with files from all the other stores. Corporate headquarters returns a weekly Sales and Commission Activity Report to each store manager for review. 
Please respond to the following questions about Spring Water Spa Company’s operations: (CMA exam adapted)

a. The fourth component of the COSO ERM framework is risk assessment. What risk(s) does Spring Water face?
Spring Water faces the risk of fraud and employee theft of merchandise and cash. Spring Water also faces the risk of unintentional employee errors.

Columns: b. Control strengths in Spring Water’s sales/cash receipts / c. Type of control activity / d. Problems avoided/Risks mitigated by the controls

1. All 15 stores use the same electronic, bar-code based system for recording and controlling sales transactions.
   Type of control activity: Proper authorization of transactions and activities.
   Problems avoided/Risks mitigated:
   - Difficulty in managing and auditing all stores and in making system changes.
   - Barcodes automatically identify item description, unit price, quantity.
   - Ensures mechanical accuracy of all transactions and recording processes.
   - Automatic receipt generation helps ensure all transactions are entered into system.
   - Minimizes employee error and theft.

2. Transactions are sequentially numbered by the cash register.
   Type of control activity: Design and use of documents and records.
   Problems avoided/Risks mitigated:
   - Minimizes undetected or lost invoices.
   - Provides an audit trail for invoices.

3. The cash receipts, checks, credit cards, sales returns, and cash register tapes are reconciled.
   Type of control activity: Independent check.
   Problems avoided/Risks mitigated:
   - Reduces the risk of theft or fraud and employee error.

4. The bank deposit is prepared and deposited by the manager.
   Type of control activity: Segregation of duties.
   Problems avoided/Risks mitigated:
   - Reduces the risk of theft or fraud and employee error.

5. Segregating the sale of goods from the delivery of goods.
   Type of control activity: Segregation of duties.
   Problems avoided/Risks mitigated:
   - Customers not having access to goods reduces shoplifting, customer/clerk collusion, and other theft.

e. How might Spring Water improve its system of controls?
• The bank reconciliation should be performed by someone other than the manager who makes the deposits.
• Sales people should never be allowed to authorize credit sales. At Spring Water, the sales person authorizes credit purchases and approves payments made by check. They also approve sales returns. This lack of separation of duties facilitates fraud. In addition, since the sales person is paid a commission based on sales without taking into account returns and collections, they have incentive to approve all credit sales and accept all payments made by check without checking whether a customer is credit worthy and/or whether they have sufficient funds available to cover their check. They can also talk customers into buying more than they need and then returning the items not needed.
• Warehouse personnel should have electronic read-only access to daily sales orders to control and facilitate customer order pick-up and/or delivery.
• Warehouse personnel should scan-in the bar codes of all sales-return merchandise. The manager or assistant manager should reconcile a sales return report from the warehouse to the sales return report from the cash registers on the sales floor.

7.12 PriceRight Electronics (PEI) is a small wholesale discount supplier of electronic instruments and parts. PEI’s competitive advantage is its deep-discount, three-day delivery guarantee, which allows retailers to order materials often to minimize in-store inventories. PEI processes its records with stand-alone, incompatible computer systems except for integrated enterprise resource planning (ERP) inventory and accounts receivable modules. PEI decided to finish integrating its operations with more ERP modules, but because of cash flow considerations, this needs to be accomplished on a step-by-step basis. It was decided that the next function to be integrated should be sales order processing to enhance quick response to customer needs. PEI implemented and modified a commercially available software package to meet PEI’s operations.
In an effort to reduce the number of slow-paying or delinquent customers, PEI installed Web-based software that links to the Web site of a commercial credit rating agency to check customer credit at the time of purchase. The following are the new sales order processing system modules: • Sales. Sales orders are received by telephone, fax, e-mail, Web site entry, or standard mail. They are entered into the sales order system by the Sales department. If the order does not cause a customer to exceed his credit limit, the system generates multiple copies of the sales order. • Credit. When orders are received from new customers, the system automatically accesses the credit rating Web site and suggests an initial credit limit. On a daily basis, the credit manager reviews new customer applications for creditworthiness, reviews the suggested credit limits, and accepts or changes the credit limits in the customer database. On a monthly basis, the credit manager reviews the accounts receivable aging report to identify slow-paying or delinquent accounts for potential revisions to or discontinuance of credit. As needed, the credit manager issues credit memos for merchandise returns based on requests from customers and forwards copies of the credit memos to Accounting for appropriate account receivable handling. • Warehousing. Warehouse personnel update the inventory master file for inventory purchases and sales, confirm availability of materials to fill sales orders, and establish back orders for sales orders that cannot be completed from stock on hand. Warehouse personnel gather and forward inventory to Shipping and Receiving along with the corresponding sales orders. They also update the inventory master file for merchandise returned to Receiving. • Shipping and receiving. Shipping and Receiving accepts inventory and sales orders from Warehousing, packs and ships the orders with a copy of the sales order as a packing slip, and forwards a copy of the sales order to Billing. 
Customer inventory returns are unpacked, sorted, inspected, and sent to Warehousing.
• Accounting. Billing prices all sales orders received, which is done approximately 5 days after the order ships. To spread the work effort throughout the month, customers are placed in one of six 30-day billing cycles. Monthly statements, prepared by Billing, are sent to customers during the cycle billing period. Outstanding carry forward balances reported by Accounts Receivable and credit memos prepared by the credit manager are included on the monthly statement. Billing also prepares electronic sales and credit memos for each cycle. Electronic copies of invoices and credit memos are forwarded to Accounts Receivable for entry into the accounts receivable master file by customer account. An aging report is prepared at the end of each month and forwarded to the credit manager. The general accounting office staff access the accounts receivable master file that reflects total charges and credits processed through the accounts receivable system for each cycle. General accounting runs a query to compare this information to the electronic sales and credit memo and posts the changes to the general ledger master file.
(CMA exam adapted)

a. Identify the internal control strengths in PEI’s system.
• The automated customer credit limit system suggests a new customer's credit limit on a real-time basis. The Credit Manager establishes credit limits for new customers on a daily basis so that new credit-worthy customers can have their orders filled in a timely manner.
• Real-time customer credit checks before orders are processed.
• Monthly aging reports allow the credit manager to detect overdue and near overdue accounts so that corrective action can be taken.
• The credit manager creates credit memos that authorize returned merchandise but has no recording responsibility.
• Customers are not billed until an order has shipped.
• Shipping and Receiving accept and inspect returned materials to assure the receipt and identification of damaged materials and to limit credit returns.
• Warehouse personnel confirm the availability of materials to fill orders and prepare back-orders for sales orders that cannot be filled with current stock.
• General Accounting posts changes to the general ledger master file after accessing the accounts receivable master file, electronic sales, and credit memo files.

b. Identify the internal control weaknesses in PEI’s system, and suggest ways to correct them.

Weakness 1: The Credit Department only checks the accounts receivable aging report at month-end, which delays the identification of slow or non-paying customers for potential credit status changes.
Correction: Revise the aging report process to produce an exception report whenever a customer account is overdue. The exception report should automatically be sent to the credit manager by email so that corrective action can be taken in a timely manner.

Weakness 2: Customer credit requests for sales returns are not compared to materials received, which might result in credits to customer accounts for goods not returned or for returned goods that are damaged.
Correction: Require the credit manager to receive an acknowledgement from Shipping and Receiving that the goods were returned in good condition before issuing a credit memo. In addition, Accounting should not process any credit memos without receiving a report of goods received from Shipping and Receiving.

Weakness 3: Warehouse personnel have responsibility for updating inventory records for purchases and sales that can lead to inventory shrinkage.
Correction: Create a purchasing function to update the inventory master file for purchases. The update should not take place until Shipping and Receiving notify them that the goods have been received.

Weakness 4: Receiving does not prepare a Returned Goods report.
Correction: Receiving should record all purchase returns and prepare a Returned Goods report. This record should be used to create a daily report that should be sent to General Accounting to compare with the purchase returns put back into the warehouse.

Weakness 5: Warehouse personnel have responsibility for updating inventory records for purchase returns, which can lead to inventory shrinkage.
Correction: Have the warehouse create a daily purchases returned report for all returned goods they receive from Receiving. This report should be sent to General Accounting for comparison with a purchase return report prepared by Receiving.

Weakness 6: Inventory is not counted when received and then counted again when received by the warehouse to prevent theft after items are received. In similar fashion, inventory is not counted before leaving the warehouse, when received by shipping, and when shipped. Those counts should be the same to ensure that inventory is not stolen before it is shipped to the customer.
Correction: Count and compare inventory counts as inventory enters the company and as it arrives in warehousing; likewise count and compare inventory counts as it leaves warehousing and arrives at shipping.

Weakness 7: Billing is not done until 5 days after shipping.
Correction: Billing should be more prompt in billing for goods shipped. This gives customers more time to put the bill through their bill paying process and pay for the goods on time.

SUGGESTED SOLUTIONS TO THE CASES

7.1 Nino Moscardi, president of Greater Providence Deposit & Trust (GPD&T), received an anonymous note in his mail stating that a bank employee was making bogus loans. Moscardi asked the bank’s internal auditors to investigate the transactions detailed in the note.
The investigation led to James Guisti, manager of a North Providence branch office and a trusted 14-year employee who had once worked as one of the bank’s internal auditors. Guisti was charged with embezzling $1.83 million from the bank using 67 phony loans taken out over a three-year period. Court documents revealed that the bogus loans were 90-day notes requiring no collateral and ranging in amount from $10,000 to $63,500. Guisti originated the loans; when each one matured, he would take out a new loan, or rewrite the old one, to pay the principal and interest due. Some loans had been rewritten five or six times. The 67 loans were taken out by Guisti in five names, including his wife’s maiden name, his father’s name, and the names of two friends. These people denied receiving stolen funds or knowing anything about the embezzlement. The fifth name was James Vanesse, who police said did not exist. The Social Security number on Vanesse’s loan application was issued to a female, and the phone number belonged to a North Providence auto dealer. Lucy Fraioli, a customer service representative who cosigned the checks, said Guisti was her supervisor and she thought nothing was wrong with the checks, though she did not know any of the people. Marcia Perfetto, head teller, told police she cashed checks for Guisti made out to four of the five persons. Asked whether she gave the money to Guisti when he gave her checks to cash, she answered, “Not all of the time,” though she could not recall ever having given the money directly to any of the four, whom she did not know. Guisti was authorized to make consumer loans up to a certain dollar limit without loan committee approvals, which is a standard industry practice. Guisti’s original lending limit was $10,000, the amount of his first fraudulent loan. The dollar limit was later increased to $15,000 and then increased again to $25,000. Some of the loans, including the one for $63,500, far exceeded his lending limit. 
In addition, all loan applications should have been accompanied by the applicant’s credit history report, purchased from an independent credit rating firm. The loan taken out in the fictitious name would not have had a credit report and should have been flagged by a loan review clerk at the bank’s headquarters.

News reports raised questions about why the fraud was not detected earlier. State regulators and the bank’s internal auditors failed to detect the fraud. Several reasons were given for the failure to find the fraud earlier. First, in checking for bad loans, bank auditors do not examine all loans and generally focus on loans much larger than the ones in question. Second, Greater Providence had recently dropped its computer services arrangement with a local bank in favor of an out-of-state bank. This changeover may have reduced the effectiveness of the bank’s control procedures. Third, the bank’s loan review clerks were rotated frequently, making follow-up on questionable loans more difficult.

Guisti was a frequent gambler and used the embezzled money to pay gambling debts. The bank’s losses totaled $624,000, which was less than the $1.83 million in bogus loans, because Guisti used a portion of the borrowed money to repay loans as they came due. The bank’s bonding company covered the loss.

The bank experienced other adverse publicity prior to the fraud’s discovery. First, the bank was fined $50,000 after pleading guilty to failure to report cash transactions exceeding $10,000, which is a felony. Second, bank owners took the bank private after a lengthy public battle with the State Attorney General, who alleged that the bank inflated its assets and overestimated its capital surplus to make its balance sheet look stronger. The bank denied this charge.

1. How did Guisti commit the fraud, conceal it, and convert the fraudulent actions to personal gain?
Commit: James Guisti, a trusted 14-year employee and manager of a Greater Providence Deposit & Trust branch office, was authorized to make consumer loans up to a certain dollar limit without loan committee approvals. He used this authority to create 67 fraudulent 90-day notes requiring no collateral. As the scheme progressed, he was able to bypass the loan committee approval, as some of his loans exceeded his loan limit. Guisti was charged with embezzling $1.83 million from the bank.

Conceal: He made the loans out to five people: his wife using her maiden name, his father, two friends, and a non-existent person. To avoid detection, he made sure the loans were performing and that they were never examined for non-payment. That is, when the loans matured, he would take out a new loan, or rewrite the old one, to pay the principal and interest due. He also kept the loans small to avoid the attention of auditors, who examined loans much larger than those he was fraudulently originating.

Convert: He had a subordinate, customer service representative Lucy Fraioli, cosign the checks. He then had another subordinate, head teller Marcia Perfetto, cash the checks and give him the money.

2. Good internal controls require that the custody, recording, and authorization functions be separated. Explain which of those functions Guisti had and how the failure to segregate them facilitated the fraud.

Authorization: Guisti was authorized to make consumer loans up to $10,000 (later $15,000 and then $25,000) without loan committee approval. This authorization is standard industry practice. He used this authority to create fraudulent loans. As the scheme progressed, he was able to bypass loan committee approval for loans that exceeded his loan limit. This is not standard industry practice and represents a failure of bank internal controls.
Custody: Guisti was able to commit the fraud because he was able to obtain custody of the checks used to extend the loans. He used his position as branch manager to get his subordinates to cosign the checks and cash them.

Recording: Nothing in the case write-up indicates that Guisti had any recording responsibilities. It appears that he used the bank’s normal recording processes: the bank recorded the loans when created and the payments were appropriately recorded when Guisti repaid them.

3. Identify the preventive, detective, and corrective controls at GPD&T and discuss whether they were effective.

Preventive: All bank loans exceeding Guisti’s limit ($10,000, then $15,000 and then $25,000) were supposed to be approved by a loan committee. This control was not enforced or was not effective, as Guisti was able to bypass it.

GPD&T segregated the functions of loan origination, authorization (a co-signer needed on loans), and custody of cash (tellers). Guisti used his position of branch manager to override the controls over co-signatures and check cashing.

Loan applications were to be accompanied by the applicant’s credit history report, purchased from an independent credit rating firm. The loan taken out in the fictitious name did not have that credit report and it should have been flagged by a loan review clerk at the bank’s headquarters. This control was not enforced or was not effective, as Guisti was able to bypass it.

Greater Providence dropped its computer services arrangement with a local bank in favor of an out-of-state bank. This may have reduced the effectiveness of the bank’s control procedures.

Detective: State regulators and the bank’s internal auditors failed to detect the fraud. Bank auditors do not examine all loans and focus on much larger loans than Guisti’s. The bank’s loan review clerks were rotated frequently, making follow-up on questionable loans more difficult.
Corrective: The bank bonded (an insurance policy on an employee’s honesty) its employees. When the bank was defrauded, the bank’s bonding company covered the loss. This control was effective in restoring the financial losses the bank experienced.

4. Explain the pressures, opportunities, and rationalizations that were present in the Guisti fraud.

Pressures: Guisti was a frequent gambler and needed the money to pay gambling debts.

Opportunities: As the Branch Manager, Guisti could override some internal controls and unduly influence his subordinates not to comply with others.

Rationalization: No information is given on how or why Guisti rationalized his fraud.

5. Discuss how Greater Providence Deposit & Trust might improve its control procedures over the disbursement of loan funds to minimize the risk of this type of fraud. In what way does this case indicate a lack of proper segregation of duties?

Loan funds should generally not be disbursed in cash. Better control would be established by depositing the funds in a checking account in the borrower's name or by issuing a bank check to the borrower. When cashing such a check, bank personnel should require identification containing the borrower's photograph, and the borrower's signature on the check, and should scan both the photograph and the signature to verify the borrower's identity.

In no case should one bank employee disburse cash to another for a loan to a third-party borrower without first verifying the existence and identity of the borrower. Customer service representatives generally should not co-sign checks to borrowers without first verifying their existence.

6. Discuss how Greater Providence might improve its loan review procedures at bank headquarters to minimize its fraud risk. Was it a good idea to rotate the assignments of loan review clerks? Why or why not?

A system should be in place at the bank's headquarters to maintain data on all outstanding bank loans.
This system should flag all loans that have been made in excess of the loan officer's lending limit. The authenticity of these loans should be scrutinized by internal auditors or other bank officials independent of the loan officer. Disciplinary action should be taken when a loan officer extends a loan that is greater than his loan limit. Approved loans for which there is no credit report should be flagged and scrutinized.

Bank headquarters could send a letter to each new borrower thanking them for their business. Individuals whose names had been used on loan documents without their permission would be likely to question why they had received such a letter, while letters mailed to fictitious borrowers would be returned as undeliverable. Either event should trigger an investigation.

Rotating the assignments of loan review clerks may have made it more difficult for the bank to detect this fraud. After it discovered the embezzlement, Greater Providence changed its policy to require its loan review clerks to track a problem loan until it is resolved.

7. Discuss whether Greater Providence’s auditors should have been able to detect this fraud.

Audits are not guaranteed to detect fraud. It is too costly for auditors to examine every loan, so they generally examine a systematically selected sample. It makes sense for auditors to focus on larger loans, since that is where the greatest exposure is.

The case notes that Guisti was a former auditor. Therefore, he would have been very familiar with the bank's control system and its audit procedures. He undoubtedly made use of this knowledge in planning and carrying out his embezzlement scheme.

On the other hand, since the bank's central records were computerized, it should have been a simple matter for auditors to find and examine every outstanding loan record with questionable characteristics, such as:

• Loan amounts in excess of the loan officer's lending limit
• Short-term loans that had been rewritten several times.
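The headquarters review described in answers 6 and 7 can be run over every loan record rather than a sample. The following is an added example, not part of the textbook or this solution manual; the record layout, field names, officer and borrower identifiers, sample loans, and the rewrite threshold are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Loan:
    loan_id: str
    officer: str
    borrower: str
    amount: int                      # principal in dollars
    term_days: int
    has_credit_report: bool
    rewrites: Optional[str] = None   # loan_id of the note this one rewrote or repaid


def rewrite_depth(loan: Loan, by_id: Dict[str, Loan]) -> int:
    """Count how many earlier notes this loan replaced, following the chain back."""
    depth, seen, cur = 0, {loan.loan_id}, loan
    while cur.rewrites in by_id and cur.rewrites not in seen:  # 'seen' guards cycles
        cur = by_id[cur.rewrites]
        seen.add(cur.loan_id)
        depth += 1
    return depth


def review(loans: List[Loan], limits: Dict[str, int],
           max_rewrites: int = 2, short_term_days: int = 90) -> Dict[str, List[str]]:
    """Return {loan_id: [reasons]} for every loan that needs independent review."""
    by_id = {l.loan_id: l for l in loans}
    findings: Dict[str, List[str]] = {}
    for loan in loans:
        reasons = []
        limit = limits.get(loan.officer)
        if limit is None:
            reasons.append("officer has no recorded lending limit")
        elif loan.amount > limit:
            reasons.append(f"amount ${loan.amount:,} exceeds officer limit ${limit:,}")
        if not loan.has_credit_report:
            reasons.append("no credit report on file")
        depth = rewrite_depth(loan, by_id)
        if loan.term_days <= short_term_days and depth > max_rewrites:
            reasons.append(f"short-term note rewritten {depth} times")
        if reasons:
            findings[loan.loan_id] = reasons
    return findings


# Constructed sample data: identifiers and amounts are illustrative only.
LIMITS = {"officer_17": 25_000, "officer_22": 10_000}
SAMPLE_LOANS = [
    Loan("L1", "officer_17", "borrower_A", 10_000, 90, True),
    Loan("L2", "officer_17", "borrower_A", 12_000, 90, True, rewrites="L1"),
    Loan("L3", "officer_17", "borrower_A", 14_000, 90, True, rewrites="L2"),
    Loan("L4", "officer_17", "borrower_A", 16_000, 90, True, rewrites="L3"),
    Loan("L5", "officer_17", "borrower_B", 63_500, 90, True),
    Loan("L6", "officer_17", "borrower_C", 15_000, 90, False),
    Loan("L7", "officer_22", "borrower_D", 8_000, 365, True),
]

if __name__ == "__main__":
    for loan_id, reasons in review(SAMPLE_LOANS, LIMITS).items():
        print(loan_id, "->", "; ".join(reasons))
```

Because each flag names its reason, a reviewer independent of the loan officer can follow the item until it is resolved, which is the policy the bank adopted after the embezzlement.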
If auditors had any indication that Guisti was heavily involved in gambling activities, they should have examined his accounts very carefully. However, the case gives no indication that the auditors were ever aware of Guisti's penchant for gambling.

8. Are there any indications that the internal environment at Greater Providence may have been deficient? If so, how could it have contributed to this embezzlement?

There are three indications of potential deficiencies in the bank's control environment.

• Controls may have been deficient during the computer services changeover. However, the fraud took place over a three-year period, and any problems relating to the computer changeover should have taken much less than three years to resolve.
• The bank pled guilty to a felony three years prior to discovery of the fraud, which was about the time the fraud began.
• The state's charges of an inflated balance sheet suggest the possibility that the integrity of the bank's management may be flawed, though there is certainly no proof of this.

While one indicator of a deficient internal environment may be tolerable, three begins to look like a pattern. Deficiencies in the bank's internal environment certainly could have contributed to the embezzlement by enhancing the opportunity for fraud and by fostering an attitude that dishonest behavior is somehow acceptable.

CHAPTER 8 INFORMATION SYSTEM CONTROLS for SYSTEMS RELIABILITY Part 1: Information Security

SUGGESTED ANSWERS TO DISCUSSION QUESTIONS

8.1 Explain why an organization would want to use all of the following information security controls: firewalls, intrusion prevention systems, intrusion detection systems, and a CIRT.

Using this combination of controls provides defense-in-depth. Firewalls and intrusion prevention systems are preventive controls. Intrusion detection systems are used to identify problems and incidents.
The purpose of a Computer Incident Response Team (CIRT) is to respond to and mediate problems and incidents. According to the time-based model of security, information security is adequate if the firewalls and intrusion prevention systems can delay attacks from succeeding longer than the time it takes the intrusion detection system to identify that an attack is in progress and for the CIRT to respond.

8.2 What are the advantages and disadvantages of having the person responsible for information security report directly to the chief information officer (CIO), who has overall responsibility for all aspects of the organization’s information systems?

It is important for the person responsible for security (the CISO) to report to senior management. Having the person responsible for information security report to a member of the executive committee, such as the CIO, formalizes information security as a top management issue.

One potential disadvantage is that the CIO may not always react favorably to reports indicating that shortcuts have been taken with regard to security, especially in situations where following the recommendations for increased security spending could result in failure to meet budgeted goals. Therefore, just as the effectiveness of the internal audit function is improved by having it report to someone other than the CFO, the security function may also be more effective if it reports to someone who does not have responsibility for information systems operations.

© 2010 Pearson Education, Inc. Publishing as Prentice Hall

8.3 Reliability is often included in service level agreements (SLAs) when outsourcing. The toughest thing is to decide how much reliability is enough. Consider an application like e-mail. If an organization outsources its e-mail to a cloud provider, what is the difference between 95%, 99%, 99.99%, and 99.9999% reliability?
The differences in promised reliability levels over the course of a year in terms of days when the e-mail system may not work are:

95% reliability = 18.25 days
99% reliability = 3.65 days
99.99% reliability = .0365 days or approximately 52.56 minutes
99.9999% reliability = .000365 days or less than one minute

8.4 What is the difference between authentication and authorization?

Authentication and authorization are two related controls designed to restrict access to an organization’s information systems and resources. The objective of authentication is to verify the claimed identity of someone attempting to obtain access. The objective of authorization is to limit what an authenticated user can do once they have been given access.

8.5 What are the limitations, if any, of relying on the results of penetration tests to assess the overall level of security?

Penetration testing provides a rigorous way to test the effectiveness of an organization’s computer security by attempting to break into the organization’s information system. Internal audit and external security consulting teams perform penetration tests in which they try to compromise a company’s system. Some outside consultants claim that they can get into 90 percent or more of the companies they attack. This is not surprising, given that it is impossible to achieve 100% security. Thus, one limitation of penetration testing is that it almost always shows that there are ways to break into the system. The more important analysis, however, is evaluating how difficult it was to break in and the cost-effectiveness of alternative methods for increasing that level of difficulty.

Another limitation is that failure to break in may be due to lack of skill by the tester.

Finally, penetration testing typically focuses on unauthorized access by outsiders; thus, it does not test for security breaches from internal sources.
8.6 Security awareness training is necessary to teach employees “safe computing” practices. The key to effectiveness, however, is that it changes employee behavior. How can organizations maximize the effectiveness of their security awareness training programs?

Top management support is always essential for the success of any program an entity undertakes. Thus, top management support and participation in security awareness training is essential to maximize its impact on the employees and managers of the firm.

Effective instruction and hands-on active learning techniques help to maximize training. “Real life” examples should be used throughout the training so that employees can view or at least visualize the exposures and threats they face as well as the controls in place to address the exposures and threats. Role-playing has been shown to be an effective method to maximize security awareness training, especially with regard to social engineering attack training.

Training must also be repeated periodically, at least several times each year, to reinforce concepts and update employees about new threats.

It is also important to test the effectiveness of such training.

Including security practices and behaviors as part of an employee’s performance evaluation is also helpful as it reinforces the importance of security.

8.7 What is the relationship between COSO, COBIT, and the AICPA’s Trust Services frameworks?

COSO is a broad framework that describes the various components of internal control. It does not, however, provide any details about IT controls. COBIT is a framework for IT governance and control. The AICPA’s Trust Services framework is narrower in scope than COBIT, focusing only on those IT controls (security, confidentiality, privacy, processing integrity, and availability) that relate directly to systems reliability.
SUGGESTED SOLUTIONS TO THE PROBLEMS

8.1 Match the following terms with their definitions:

Term (answer shown before each term)

d  1. Vulnerability
s  2. Exploit
b  3. Authentication
m  4. Authorization
f  5. Demilitarized zone (DMZ)
t  6. Deep packet inspection
o  7. router
j  8. social engineering
k  9. firewall
n  10. hardening
l  11. CIRT
a  12. patch
u  13. virtualization
i  14. Transmission Control Protocol (TCP)
q  15. static packet filtering
g  16. border router
p  17. vulnerability scan
e  18. penetration test
r  19. patch management
v  20. cloud computing

Definition

a. Code that corrects a flaw in a program.
b. Verification of claimed identity.
c. The firewall technique that filters traffic by comparing the information in packet headers to a table of established connections.
d. A flaw or weakness in a program.
e. A test to determine the time it takes to compromise a system.
f. A subnetwork that is accessible from the Internet but separate from the organization’s internal network.
g. The device that connects the organization to the Internet.
h. The rules (protocol) that govern routing of packets across networks.
i. The rules (protocol) that govern the division of a large file into packets and subsequent reassembly of the file from those packets.
j. An attack that involves deception to obtain access.
k. A device that provides perimeter security by filtering packets.
l. The set of employees assigned responsibility for resolving problems and incidents.
m. Restricting the actions that a user is permitted to perform.
n. Improving security by removal or disabling of unnecessary programs and features.
o. A device that uses the Internet Protocol (IP) to send packets across networks.
p. A detective control that identifies weaknesses in devices or software.
q. A firewall technique that filters traffic by examining the packet header of a single packet in isolation.
r. The process of applying code supplied by a vendor to fix a problem in that vendor’s software.
s. Software code that can be used to take advantage of a flaw and compromise a system.
t. A firewall technique that filters traffic by examining not just packet header information but also the contents of a packet.
u. The process of running multiple machines on one physical server.
v. An arrangement whereby a user remotely accesses software, hardware, or other resources via a browser.

8.2 Install and run the latest version of the Microsoft Baseline Security Analyzer on your home computer or laptop. Write a report explaining the weaknesses identified by the tool and how to best correct them. Attach a copy of the MBSA output to your report.

Solution: will vary for each student. Examples of what to expect (from a computer running Windows 7) follow:

1. The first section should identify the computer (not shown below) and the status of security updates:

2. Next is a section about user accounts and Windows settings:

3. Then there is a section about other system information
8.3 The following table lists the actions that various employees are permitted to perform:

Employee | Permitted actions
Able | Check customer account balances; Check inventory availability
Baker | Change customer credit limits
Charley | Update inventory records for sales and purchases
Denise | Add new customers; Delete customers whose accounts have been written off as uncollectible; Add new inventory items; Remove discontinued inventory items
Ellen | Review audit logs of employee actions

Complete the following access control matrix so that it enables each employee to perform those specific activities:

Employee | Customer Master File | Inventory Master File | Payroll Master File | System Log Files
Able | 1 | 1 | 0 | 0
Baker | 2 | 0 | 0 | 0
Charley | 0 | 2 | 0 | 0
Denise | 3 | 3 | 0 | 0
Ellen | 0 | 0 | 0 | 1

Use the following codes:
0 = no access
1 = read only access
2 = read and modify records
3 = read, modify, create, and delete records

8.4 Which preventive, detective, and/or corrective controls would best mitigate the following threats?

a. An employee’s laptop was stolen at the airport. The laptop contained personally identifying information about the company’s customers that could potentially be used to commit identity theft.

Preventive: Policies against storing sensitive information on laptops and requiring that any such information that must exist on the laptop be encrypted. Training on how to protect laptops while travelling to minimize the risk of theft.

Corrective: Installation of “phone home” software might help the organization either recover the laptop or remotely erase the information it contains.

b. A salesperson successfully logged into the payroll system by guessing the payroll supervisor’s password.
Preventive: Strong password requirements such as at least an 8 character length, use of multiple character types, random characters, and a requirement that passwords be changed frequently.

Detective: Locking out accounts after 3-5 unsuccessful login attempts; since this was a “guessing” attack, it may have taken more than a few attempts to log in.

c. A criminal remotely accessed a sensitive database using the authentication credentials (user ID and strong password) of an IT manager. At the time the attack occurred, the IT manager was logged into the system at his workstation at company headquarters.

Preventive: Integrate physical and logical security. In this case, the system should reject any user attempts to remotely log into the system if that same user is already logged in from a physical workstation.

Detective: Having the system notify appropriate security staff about such an incident.

d. An employee received an email purporting to be from her boss informing her of an important new attendance policy. When she clicked on a link embedded in the email to view the new policy, she infected her laptop with a keystroke logger.

Preventive: Security awareness training is the best way to prevent such problems. Employees should be taught that this is a common example of a sophisticated phishing scam.

Detective and corrective: Anti-spyware software that automatically checks and cleans all detected spyware on an employee's computer as part of the logon process for accessing a company's information system.

e. A company’s programming staff wrote custom code for the shopping cart feature on its web site. The code contained a buffer overflow vulnerability that could be exploited when the customer typed in the ship-to address.

Preventive: Teach programmers secure programming practices, including the need to carefully check all user input.
Management must support the commitment to secure coding practices, even if that means a delay in completing, testing, and deploying new programs.

Detective: Make sure programs are thoroughly tested before being put into use. Have internal auditors routinely test in-house developed software.

f. A company purchased the leading “off-the-shelf” e-commerce software for linking its electronic storefront to its inventory database. A customer discovered a way to directly access the back-end database by entering appropriate SQL code.

Preventive: Insist on secure code as part of the specifications for purchasing any 3rd party software. Thoroughly test the software prior to use. Employ a patch management program so that any vendor provided fixes and patches are immediately implemented.

g. Attackers broke into the company’s information system through a wireless access point located in one of its retail stores. The wireless access point had been purchased and installed by the store manager without informing central IT or security.

Preventive: Enact a policy that forbids installation of unauthorized wireless access points.

Detective: Conduct routine audits for unauthorized or rogue wireless access points.

Corrective: Sanction employees who violate policy and install rogue wireless access points.

h. An employee picked up a USB drive in the parking lot and plugged it into their laptop to “see what was on it,” which resulted in a keystroke logger being installed on that laptop.

Preventive: Security awareness training. Teach employees to never insert USB drives unless they are absolutely certain of their source. Anti-spyware software that automatically checks and cleans all detected spyware on an employee's computer as part of the logon process.

i.
Once an attack on the company’s website was discovered, it took more than 30 minutes to determine who to contact to initiate response actions.

Preventive: Document all members of the CIRT and their contact information. Practice the incident response plan.

j. To facilitate working from home, an employee installed a modem on his office workstation. An attacker successfully penetrated the company’s system by dialing into that modem.

Preventive: Routinely check for unauthorized or rogue modems by dialing all telephone numbers assigned to the company and identifying those connected to modems.

k. An attacker gained access to the company’s internal network by installing a wireless access point in a wiring closet located next to the elevators on the fourth floor of a high-rise office building that the company shared with seven other companies.

Preventive: Secure or lock all wiring closets. Require strong authentication of all attempts to log into the system from a wireless client. Employ an intrusion detection system.

8.5 What are the advantages and disadvantages of the three types of authentication credentials (something you know, something you have, and something you are)?
Type of Credential: Something you know
Advantages:
+ Easy to use
+ Universal - no special hardware required
+ Revocable – can cancel and create new credential if compromised
Disadvantages:
+ Easy to forget or guess
+ Hard to verify who is presenting the credential
+ May not notice compromise immediately

Type of Credential: Something you have
Advantages:
+ Easy to use
+ Revocable – can cancel and reissue new credential if compromised
+ Quickly notice if lost or stolen
Disadvantages:
+ May require special hardware if not a USB token (i.e., if a smart card, need a card reader)
+ Hard to verify who is presenting the credential

Type of Credential: Something you are (biometric)
Advantages:
+ Strong proof who is presenting the credential
+ Hard to copy/mimic
+ Cannot be lost, forgotten, or stolen
Disadvantages:
+ Cost
+ Requires special hardware, so not universally applicable
+ User resistance. Some people may object to use of fingerprints; some culture groups may refuse face recognition, etc.
+ May create threat to privacy. For example, retina scans may reveal health conditions.
+ False rejection due to change in biometric characteristic (e.g., voice recognition may fail if have a cold).
+ Not revocable. If the biometric template is compromised, it cannot be re-issued (e.g., you cannot assign someone a new fingerprint).

8.6 a. Apply the following data to evaluate the time-based model of security for the XYZ Company. Does the XYZ Company satisfy the requirements of the time-based model of security? Why?
• Estimated time for attacker to successfully penetrate system = 25 minutes
• Estimated time to detect an attack in progress and notify appropriate information security staff = 5 minutes (best case) to 10 minutes (worst case)
• Estimated time to implement corrective actions = 6 minutes (best case) to 20 minutes (worst case)

Solution: XYZ Company is secure under their best case scenario but they do not meet security requirements under their worst case scenario.

P = 25 minutes
D = 5 minutes (best case), 10 minutes (worst case)
C = 6 minutes (best case), 20 minutes (worst case)

Time-based model: P > D + C

Best case scenario: P is greater than D + C (25 > 5 + 6)
Worst case scenario: P is less than D + C (25 < 10 + 20)

b. Which of the following security investments do you recommend? Why?

1. Invest $50,000 to increase the estimated time to penetrate the system by 4 minutes
2. Invest $50,000 to reduce the time to detect an attack to between 2 minutes (best case) and 6 minutes (worst case)
3. Invest $50,000 to reduce the time required to implement corrective actions to between 4 minutes (best case) and 14 minutes (worst case).

Solution: Option 3 is the best choice because it is the only one that satisfies the time-based model of security under the worst case conditions:

Option | P (worst case) | D (worst case) | C (worst case)
1 | 29 | 10 | 20
2 | 25 | 6 | 20
3 | 25 | 10 | 14

8.7 Explain how the following items individually and collectively affect the overall level of security provided by using a password as an authentication credential.

a. Length – interacts with complexity to determine how hard it is to “guess” a password or discover it by trial-and-error testing of every combination. Of the two factors, length is more important because it has the biggest impact on the number of possible passwords.
To understand this, consider that the number of possible passwords = x^y, where x = the number of possible characters that can be used and y = the length. As the following table shows, increasing the length increases the number of possibilities much more than does the same proportionate increase in complexity:

Complexity (types of characters allowed) | Number of characters | Length | Number of possible passwords
Numeric | 10 (0-9) | 4 | 10^4 = 10,000
Alphabetic, not case sensitive | 26 (a-z) | 8 | 26^8 = 2.088E+11
Alphabetic, case sensitive | 52 (a-z, A-Z) | 8 | 52^8 = 5.346E+13
Alphanumeric, case sensitive | 62 (0-9, a-z, A-Z) | 8 | 62^8 = 2.183E+14
Alphanumeric, case sensitive | 62 (0-9, a-z, A-Z) | 12 | 62^12 = 3.226E+21
Alphanumeric, case sensitive, plus special characters | 95 (0-9, a-z, A-Z, and $, !, #, etc.) | 8 | 95^8 = 6.634E+15
Alphanumeric, case sensitive, plus special characters | 95 (0-9, a-z, A-Z, and $, !, #, etc.) | 12 | 95^12 = 5.404E+23

b. Complexity requirements (which types of characters are required to be used: numbers, alphabetic, case-sensitivity of alphabetic, special symbols like $ or !) – interacts with length to determine how hard it is to “guess” a password or discover it by trial-and-error testing of every combination.

c. Maximum password age (how often password must be changed) – shorter means more frequent changes, which increases security.

d. Minimum password age (how long a password must be used before it can be changed) – this combined with history prevents someone from just keeping their same password, because it prevents repeatedly changing passwords until the system allows use of the same password once again.

e. Maintenance of password history (how many prior passwords does system remember to prevent reselection of the same password when required to change passwords) – the larger this is, the longer the time before someone can reuse a password.
For example, a password history of 12 combined with a minimum age of 1 month means that the same password cannot be used until after a year. Note that this requires setting a minimum age. Otherwise, if the minimum age is zero, someone could repeatedly change their password as many times as the system’s history setting, and then change it one more time, this last time setting it to be the current password.

f. Account lockout threshold (how many failed login attempts before the account is locked) – this is designed to stop guessing attacks. However, it needs to account for typos, accidentally hitting the CAPS LOCK key, etc. to prevent locking out legitimate users. Its effect also depends on the next variable, time frame.

g. Time frame during which account lockout threshold is applied (i.e., if lockout threshold is five failed login attempts, time frame is whether those 5 failures must occur within 15 minutes, 1 hour, 1 day, etc.) – shorter time frames defeat attempts to guess.

h. Account lockout duration (how long the account remains locked after exceeding the maximum allowable number of failed login attempts) – longer lockouts defeat attempts to guess. Too short a value on this parameter may enable an attacker to try to guess x times, get locked out for only a few minutes, and then start guessing again.

8.8 The chapter briefly discussed the following three common attacks against applications

a. Buffer overflows
b. SQL injection
c. Cross-site scripting

Required

Research each of these three attacks and write a report that explains in detail how each attack actually works and that describes suggested controls for reducing the risks that these attacks will be successful.

Solution: Reports will vary from student to student; however, the reports should contain at least some of the following basic facts gathered from the text, cgisecurity.net, and Wikipedia:

a.
Buffer overflows

One of the more common input-related vulnerabilities is what is referred to as a buffer overflow attack, in which an attacker sends a program more data than it can handle. Buffer overflows may cause the system to crash or, even worse, may provide a command prompt, thereby giving the attacker full administrative privileges, and control, of the device. Because buffer overflows are so common, it is instructive to understand how they work.

Most programs are loaded into RAM when they run. Oftentimes a program may need to temporarily pause and call another program to perform a specific function. Information about the current state of the suspended program, such as the values of any variables and the address in RAM of the instruction to execute next when resuming the program, must be stored in RAM. The address to go to find the next instruction when the subprogram has finished its task is written to an area of RAM called the stack. The other information is written into an adjoining area of RAM called a buffer.

A buffer overflow occurs when too much data is sent to the buffer, so that the instruction address in the stack is overwritten. The program will then return control to the address pointed to in the stack. In a buffer overflow attack, the input is designed so that the instruction address in the stack points back to a memory address in the buffer itself. Since the buffer has been filled with data sent by the attacker, this location contains commands that enable the attacker to take control of the system.

Note that buffer overflows can only occur if the programmer failed to include a check on the amount of data being input. Thus, sound programming practices can prevent buffer overflow attacks. Therefore, internal auditors should routinely test all applications developed in-house to be sure that they are not vulnerable to buffer overflow attacks.
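The mechanism described above, as an added example that is not part of the original solution: Python is memory-safe, so the buffer and the adjoining saved instruction address are modelled as one bytearray, and the missing length check is shown beside the copy that includes it. The 16-byte buffer, the 8-byte address field, the address value and the sample inputs are all constructed for illustration.

```python
import struct

BUF_SIZE = 16                      # bytes reserved for input (constructed size)
ADDR_SIZE = 8                      # bytes holding the saved instruction address
CALLER_ADDR = 0x0000000000401136   # constructed address of the caller's next instruction


class Frame:
    """Models the two adjoining RAM areas: the input buffer, then the saved address."""

    def __init__(self):
        self.mem = bytearray(BUF_SIZE + ADDR_SIZE)
        struct.pack_into("<Q", self.mem, BUF_SIZE, CALLER_ADDR)

    @property
    def saved_return(self):
        # The address the program will jump to when the subprogram finishes.
        return struct.unpack_from("<Q", self.mem, BUF_SIZE)[0]


def unchecked_copy(frame, data):
    """Copy input with no check on its length, as an unbounded copy in C would.

    The simulation stops at the end of the modelled memory; a real program
    would keep writing into whatever follows.
    """
    n = min(len(data), len(frame.mem))
    frame.mem[:n] = data[:n]          # equal-length slice assignment, no resize


def checked_copy(frame, data):
    """The control the text calls for: check the amount of data before copying."""
    if len(data) > BUF_SIZE:
        raise ValueError(f"input of {len(data)} bytes exceeds {BUF_SIZE}-byte buffer")
    frame.mem[:len(data)] = data


def run_demo():
    fits = b"invoice-1001"            # 12 bytes, constructed input
    too_long = b"A" * 24              # 24 bytes, constructed input
    results = {}

    frame = Frame()
    unchecked_copy(frame, fits)
    results["unchecked_fits"] = frame.saved_return

    frame = Frame()
    unchecked_copy(frame, too_long)   # bytes 17-24 land on the saved address
    results["unchecked_too_long"] = frame.saved_return

    frame = Frame()
    try:
        checked_copy(frame, too_long)
        results["checked_rejected"] = False
    except ValueError:
        results["checked_rejected"] = True
    results["checked_too_long"] = frame.saved_return
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, hex(value) if isinstance(value, int) and not isinstance(value, bool) else value)
```

With the unchecked copy, the saved address no longer points at the caller once the input is longer than the buffer; with the checked copy the oversized input is refused and the saved address is untouched.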
b. SQL injection

Many web pages receive an input or a request from web users and then, to address the input or the request, they create a Structured Query Language (SQL) query for the database that is accessed by the webpage. For example, when a user logs into a webpage, the user name and password will be used to query the database to determine if they are a valid user. With SQL injection, a user inputs a specially crafted SQL command that is passed to the database and executed, thereby bypassing the authentication controls and effectively gaining access to the database. This can allow a hacker to not only steal data from the database, but also modify and delete data or the entire database. To prevent SQL injection attacks, the web server should be reprogrammed so that user input is not directly used to create queries sent to the database.

c. Cross-site scripting

Cross-site scripting (also known as XSS) occurs whenever a web application sends user input back to the browser without scrubbing it. The problem is that if the input is a script, the browser will execute it. The attack requires tricking a user into clicking on a hyperlink to a trusted website that is vulnerable to cross-site scripting. The hyperlink will take the victim to that website, but it also contains a script. When the user’s browser visits the trusted website, the website sends the input (the embedded script in the hyperlink) back to the browser. The browser then executes that script and sends information, often cookies that may contain authentication credentials, back to the attacker. The best protection is that web sites should never replay user input verbatim back to the browser, but should always convert it to harmless HTML code first.

8.9 Physical security is extremely important.
Read the article “19 Ways to Build Physical Security into a Data Center,” which appeared in the CSO Magazine November 2005. (You can find the article at www.csoonline.com/read/110105/datacenter.html). Which methods would you expect to find used by almost any major corporation? Which might likely only be justified at a financial institution?

Solution: Depending on the sensitivity and value of the data processed and stored at a data center, all of the 19 methods could be used by a corporation. For example, IBM is extremely concerned about the loss of data and trade secrets due to disasters and corporate espionage and employs all 19 methods. However, most corporations do not employ all 19 methods. Thus, the following solution is an approximation of the methods that a typical corporation may employ and the more extensive methods that a financial institution would choose. The methods that any corporation would use can also be employed at financial institutions, but are not checked to more clearly highlight the differences.

Columns: Method; Any Corporation; Extra methods justified at a Financial Institution
1. Build on the right spot X
2. Have redundant utilities X
3. Pay attention to walls X
4. Avoid windows X
5. Use landscaping for protection X
6. Keep a 100-foot buffer zone around the site X
7. Use retractable crash barriers at vehicle entry points X
8. Plan for bomb detection X
9. Limit entry points X
10. Make fire doors exit only X
11. Use plenty of cameras X
12. Protect the building’s machinery X
13. Plan for secure air handling X
14. Ensure nothing can hide in the walls and ceilings X
15. Use two-factor authentication X
16. Harden the core with security layers X
17. Watch the exits too X
18. Prohibit food in the computer rooms X
19. Install visitor restrooms X
SUGGESTED SOLUTIONS TO THE CASES

CASE 8.1 Costs of Preventive Security

Firewalls are one of the most fundamental and important security tools. You are likely familiar with the software-based host firewall that you use on your laptop or desktop. Such firewalls should also be installed on every computer in an organization. However, organizations also need corporate-grade firewalls, which are usually, but not always, dedicated special-purpose hardware devices. Conduct some research to identify three different brands of such corporate-grade firewalls and write a report that addresses the following points:
• Cost
• Technique (deep packet inspection, static packet filtering, or stateful packet filtering)
• Ease of configuration and use

Specifics of the solution will differ depending upon the brand identified. The instructor may wish to require students to turn in copies of their source materials. At a minimum, the solution should clearly demonstrate that students understand the different types of firewalls and have read and understood the review of a product’s ease of configuration and ease of use.

CASE 8.2 Developing an Information Security Checklist

Obtain a copy of COBIT (available at www.isaca.org) and read section DS5. Design a checklist for assessing each of the 11 detailed information security control objectives. The checklist should contain questions to which a Yes response represents a control strength, a No response represents a control weakness, plus a possible N/A response. Provide a brief reason for asking each question. Organize your checklist as follows:

Question Yes No 1. Is there regular security awareness training?
N/A Reason for asking Training is one of the most important preventive controls because many security incidents happen due to either human error or social engineering.

Suggested solution (answers will vary, key is to address each objective)

COBIT Control Objective | Possible questions

DS5.1
• Does the person responsible for information security report to the C-suite?
• Is information security a topic at meetings of the Board of Directors?

DS5.2
• Does an information security plan exist?
• Do information security policies and procedures exist?
• Are information security policies and procedures communicated periodically to all employees?

DS5.3
• Do all employees have unique user IDs?
• Are all employees required to use passwords?
• Are there policies to ensure that passwords are sufficiently strong?
• Are access rights assigned by employee role?
• Are access rights approved by management?

DS5.4
• Are there procedures for closing user accounts when an employee leaves the company?
• Do employees who need administrative access have two accounts – one that is a limited account and the other with administrative rights?
• Do employees routinely use only their limited user accounts when surfing the Internet?

DS5.5
• Are there periodic vulnerability assessments?
• Are there periodic penetration tests?
• Is logging enabled?
• Are logs regularly reviewed?

DS5.6
• Is there a computer incident response team (CIRT)?
• Does membership of the CIRT include all appropriate functions?
• Is there a written incident response plan?
• Has the plan been practiced this year?

DS5.7
• Is documentation related to firewalls and IPS stored securely and with restricted access?
• Are firewalls and other security devices protected with appropriate logical and physical access controls?
DS5.8
• Is sensitive information encrypted?
• Are there procedures for issuing and revoking encryption keys?

DS5.9
• Do all computers run up-to-date anti-malware?
• Are patches applied on a timely basis?

DS5.10
• Are firewalls and IPS used to protect the perimeter?
• Are firewalls used to segregate functions within the corporate network?
• Are intrusion detection systems used?

DS5.11
• Is sensitive information encrypted prior to transmission over the Internet?

CHAPTER 9 INFORMATION SYSTEMS CONTROLS FOR SYSTEMS RELIABILITY – PART 2: CONFIDENTIALITY AND PRIVACY

SUGGESTED ANSWERS TO DISCUSSION QUESTIONS

9.1 From the viewpoint of the customer, what are the advantages and disadvantages to the opt-in versus the opt-out approaches to collecting personal information? From the viewpoint of the organization desiring to collect such information?

For the consumer, opt-out represents many disadvantages because the consumer is responsible for explicitly notifying every company that might be collecting the consumer’s personal information and telling the company to stop collecting his or her personal data. Consumers are less likely to take the time to opt out of these programs and even if they do decide to opt out, they may not know of all of the companies that are capturing their personal information. For the organization collecting the data, opt-out is an advantage for the same reasons it is a disadvantage to the consumer: the organization is free to collect all the information it wants until explicitly told to stop.

For the consumer, opt-in provides more control to protect privacy, because the consumer must explicitly give permission to collect personal data. However, opt-in is not necessarily bad for the organization that is collecting information because it results in a database of people who are predisposed to respond favorably to communications and marketing offers.
9.2 What risks, if any, does offshore outsourcing of various information systems functions pose to satisfying the principles of confidentiality and privacy?

Outsourcing is and will likely continue to be a topic of interest. One question that may facilitate discussion is to ask the students if once a company sends some operations offshore, does the outsourcing company still have legal control over their data or do the laws of the offshore company dictate ownership? Should the outsourcing company be liable in this country for data that was lost or compromised by an outsourcing offshore partner?

Data security and data protection are rated in the top ten risks of offshore outsourcing by CIO News. Compliance with The Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act (SOX) is of particular concern to companies outsourcing work to offshore companies. Since offshore companies are not required to comply with HIPAA, companies that contract with offshore providers do not have any enforceable mechanisms in place to protect and safeguard Protected Health Information; i.e., patient health information, as required by HIPAA. They essentially lose control of that data once it is processed by an offshore provider. Yet they remain accountable for HIPAA violations.

© 2009 Pearson Education, Inc. Publishing as Prentice Hall

9.3 Should organizations permit personal use of e-mail systems by employees during working hours?

Since most students will encounter this question as an employee and as a future manager, the concept of personal email use during business hours should generate significant discussion.
Organizations may want to restrict the use of email because of the following potential problems:
o Viruses are frequently spread through email, and although a virus could infect company computers through a business-related email, personal email will also expose the company to viruses and therefore warrant the policy of disallowing any personal emails.
o The risk that employees could overtly or inadvertently release confidential company information through personal email. Once the information is written in electronic form it is easy and convenient for the recipient to distribute that information.

One question that may help facilitate discussion is to ask whether personal emails are any different than personal phone calls during business hours.

9.4 What privacy concerns might arise from the use of biometric authentication techniques? What about the embedding of RFID tags in products such as clothing? What other technologies might create privacy concerns?

Many people may view biometric authentication as invasive. That is, in order to gain access to a work-related location or data, they must provide a very personal image of part of their body such as their retina, finger or palm print, their voice, etc. Providing such personal information may make some individuals fearful that the organization collecting the information can use it to monitor them. In addition, some biometrics can reveal sensitive information. For example, retina scans may detect hidden health problems – and employees may fear that such techniques will be used by employers and insurance companies to discriminate against them.

RFID tags that are embedded or attached to a person’s clothing would allow anyone with that particular tag’s frequency to track the exact movements of the “tagged” person.
For police tracking criminals that would be a tremendous asset, but what if criminals were tracking people who they wanted to rob or whose property they wanted to rob when they knew the person was not at home?

Cell phones and social networking sites are some of the other technologies that might cause privacy concerns. Most cell phones have GPS capabilities that can be used to track a person’s movement – and such information is often collected by “apps” that then send it to advertisers. GPS data is also stored by cell phone service providers. Social networking sites are another technology that creates privacy concerns. The personal information that people post on social networking sites may facilitate identity theft.

9.5 What do you think an organization’s duty or responsibility should be to protect the privacy of its customers’ personal information? Why?

Some students will argue that managers have an ethical duty to “do no harm” and, therefore, should take reasonable steps to protect the personal information their company collects from customers. Others will argue that it should be the responsibility of consumers to protect their own personal information. Another viewpoint might be that companies should pay consumers if they divulge personal information, and that any such purchased information can be used however the company wants.

9.6 Assume you have interviewed for a job online and now receive an offer of employment. The job requires you to move across the country. The company sends you a digital signature along with the contract. How does this provide you with enough assurance to trust the offer so that you are willing to make the move?

A digital signature provides the evidence needed for non-repudiation, which means you can enforce the contract in court, if necessary.
The reason is that the digital signature provides the evidence necessary to prove that your copy of the contract offer is identical to the company’s and that it was indeed created by the company. The digital signature is a hash of the contract, encrypted with the creator’s (in this case, the company’s) private key. Decrypting the signature with the company’s public key produces the hash of the contract. If you hash your copy of the contract and it matches the hash in the digital signature, it proves that the contract was indeed created by the company (because decrypting the digital signature with the company’s public key produced a hash sent by and created by the company). The fact that the two hashes match proves that you have not tampered with your copy of the contract – it matches, bit for bit, the version created by the company.

SUGGESTED SOLUTIONS TO THE PROBLEMS

9.1 Match the terms with their definitions:

1. _d_ Virtual Private Network (VPN)
2. _k_ Data Loss Prevention (DLP)
3. _a_ Digital signature
4. _j_ Digital certificate
5. _e_ Data masking
6. _p_ Symmetric encryption
7. _h_ Spam
8. _i_ Plaintext
9. _l_ Hashing
10. _m_ Ciphertext
11. _r_ Information rights management (IRM)
12. _b_ Certificate authority
13. _q_ Non-repudiation
14. _c_ Digital watermark
15. _o_ Asymmetric encryption
16. _n_ Key escrow

a. A hash encrypted with the creator’s private key
b. A company that issues pairs of public and private keys and verifies the identity of the owner of those keys.
c. A secret mark used to identify proprietary information.
d. An encrypted tunnel used to transmit information securely across the Internet.
e. Replacing real data with fake data.
f. Unauthorized use of facts about another person to commit fraud or other crimes.
g. The process of turning ciphertext into plaintext.
h. Unwanted e-mail.
i.
A document or file that can be read by anyone who accesses it.
j. Used to store an entity’s public key, often found on web sites.
k. A procedure to filter outgoing traffic to prevent confidential information from leaving.
l. A process that transforms a document or file into a fixed length string of data.
m. A document or file that must be decrypted to be read.
n. A copy of an encryption key stored securely to enable decryption if the original encryption key becomes unavailable.
o. An encryption process that uses a pair of matched keys, one public and the other private. Either key can encrypt something, but only the other key in that pair can decrypt it.
p. An encryption process that uses the same key to both encrypt and decrypt.
q. The inability to unilaterally deny having created a document or file or having agreed to perform a transaction.
r. Software that limits what actions (read, copy, print, etc.) that users granted access to a file or document can perform.

9.2 Cost-effective controls to provide confidentiality require valuing the information that is to be protected. This involves classifying information into discrete categories. Propose a minimal classification scheme that could be used by any business, and provide examples of the type of information that would fall into each of those categories.

There is no single correct solution for this problem. Student responses will vary depending on their experience with various businesses. One minimal classification scheme could be highly confidential or top-secret, confidential or internal only, and public. The following table lists some examples of items that could fall into each basic category.
Highly Confidential (Top Secret) | Confidential (Internal) | Public
Research Data | Payroll | Financial Statements
Product Development Data | Cost of Capital | Securities and Exchange Commission Filings
Proprietary Manufacturing Processes | Tax data | Marketing Information
Proprietary Business Processes | Manufacturing Cost Data | Product Specification Data
Competitive Bidding Data | Financial Projections | Earnings Announcement Data

9.3 Download a hash calculator that can create hashes for both files and text input. Use it to create SHA-256 (or any other hash algorithm your instructor assigns) hashes for the following:
a. A document that contains this text: “Congratulations! You earned an A+”
b. A document that contains this text: “Congratulations! You earned an A-”
c. A document that contains this text: “Congratulations! You earned an a-”
d. A document that contains this text: “Congratulations!  You earned an A+” (this message contains two spaces between the exclamation point and the capital letter Y).
e. Make a copy of the document used in step a, and calculate its hash value.

Solution: Slavasoft.com has a free hash calculator called “HashCalc” that will allow you to generate a number of different hashes, including SHA-256. It is an easy tool to install and use. To use it, simply open the program and then point to the file that you wish to hash:
Step 1: Click on the button to find your file
Step 2: Select one or more hash values by clicking on the box to the left of that hash
Step 3: Click the “Calculate” button

The exact hash values will differ depending upon the program used to create the text documents (e.g., Word versus Notepad).
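Why the values depend on the program, as an added example that is not part of the original solution: a hash covers every byte of the file, so the same sentence stored as plain text and stored inside a container that also records metadata hashes differently. The ZIP container below is a simplified stand-in for a word-processor file, not the actual Word layout; the entry names, timestamps and the generated large file are constructed for illustration.

```python
import hashlib
import io
import os
import tempfile
import zipfile

# The four texts from parts a-d (part d has two spaces after the "!").
MESSAGES = {
    "a": "Congratulations! You earned an A+",
    "b": "Congratulations! You earned an A-",
    "c": "Congratulations! You earned an a-",
    "d": "Congratulations!  You earned an A+",
}


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=65536):
    """Hash a file of any size in fixed-size chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def save_in_container(text, saved_at):
    """Stand-in for a word-processor save: the text plus a record of the save time."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo("document.txt"), text)
        zf.writestr(zipfile.ZipInfo("properties.txt"), "saved=" + saved_at)
    return buf.getvalue()


def read_text(container):
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        return zf.read("document.txt").decode("utf-8")


def run_demo():
    # Plain-text files: the bytes on disk are just the encoded characters.
    text_hashes = {part: sha256_bytes(text.encode("utf-8"))
                   for part, text in MESSAGES.items()}

    # Container file for part a, then a "Save As" five minutes later.
    original = save_in_container(MESSAGES["a"], "2010-03-01T09:00:00")
    resaved = save_in_container(read_text(original), "2010-03-01T09:05:00")
    byte_copy = bytes(original)       # a file-system copy duplicates every byte

    # Part f: a much larger file still yields a digest of the same length.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "large.txt")
        with open(path, "w", encoding="utf-8") as fh:
            for i in range(20000):
                fh.write(f"line {i}\n")
        large_file_hash = sha256_file(path)

    return {
        "text_hashes": text_hashes,
        "original_hash": sha256_bytes(original),
        "resaved_hash": sha256_bytes(resaved),
        "byte_copy_hash": sha256_bytes(byte_copy),
        "same_text": read_text(original) == read_text(resaved),
        "large_file_hash": large_file_hash,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```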
Below are SHA-256 hashes of files created in Word for Windows 2007 on a computer running Windows 7:
Part a: 866af63d78f6546b95e48919e9007309b1cd646da384035c5e6f4790b90cbf24
Part b: b537d8ba8de6331b7db1e9d7a446fd447c0a2b259c562bf4bc0caa98e4df383d
Part c: 826a17a341d37aece1e30273997a50add1f832a8b7aac18f530771412e3f919a
Part d: 2250234c61a4ccd1a1dbf0da3ea40319baee3c27c172819c26ae2b0f906482a2

And here are the SHA-256 hash values of the same files created in NotePad:
Part a: 414b6e3799ccd6ff1fe7fb5c0b720b22995e8f28a0e0eedf00feaf54ed541490
Part b: 90f373ea52c567304a6630ecef072471727e9bfda1514a7ed4988fc7884ffc3b
Part c: 327194a7459ab8f7db9894bd76430d8e9c7c3ce8fbac5b4a8fbc842ab7d91ec4
Part d: 8c47c910a0aa4f8f75695a408e757504e476b2e02a4dd5dfb4a527f3af05df22

Notice how any change, no matter how small, results in a different hash value:
• changing a “+” to a “-” sign (compare hashes for parts a and b)
• changing from uppercase “A” to lowercase “a” (compare hashes for parts b and c)
• inserting a space (compare hashes for parts a and d)

This is the reason that hashes are so important – they provide a way to test the “integrity” of a file. If two files are supposed to be identical, but they have different hash values, then one of them has been changed.

The solution to part e depends upon whether you are using a simple text editor like NotePad or a more powerful word processing program like Word.
If you are using NotePad, then simply opening the file for part a and saving it with the name part e generates an exact copy of the original file, as evidenced by the identical hash values:
• NotePad file for part a: 414b6e3799ccd6ff1fe7fb5c0b720b22995e8f28a0e0eedf00feaf54ed541490
• NotePad file for part e: 414b6e3799ccd6ff1fe7fb5c0b720b22995e8f28a0e0eedf00feaf54ed541490

If you are using Word, then the “Save As” command will generate a document that has the same text, but a different hash value because Word incorporates system data when saving the file:
• Word document for part a: 866af63d78f6546b95e48919e9007309b1cd646da384035c5e6f4790b90cbf24
• Word document for part e: 03f77774bfab4cbb1b1660cb3cd7fc978818506e0ed17aca70daa146b54c06c1

But, if you right-click on the original document, select “Copy” and then paste it into the same directory, you get a file that is marked as a copy: “Problem 9-3 part a –Copy.docx” – which has the same SHA-256 value as the original: 866af63d78f6546b95e48919e9007309b1cd646da384035c5e6f4790b90cbf24

The point of this exercise is to show the power of using simple utilities like Notepad – you can play with a document and restore it. In contrast, playing with a document using more powerful programs like Word will leave tell-tale traces that the document was altered.

NOTE: simply opening a Word document to read it and then closing it or saving it (not Save As) will not alter the hash value.

f. Hash any multiple-page text file on your computer.

No matter how large the file, the hash will be the same length as the hashes for parts a-e.

9.4 Accountants often need to print financial statements with the words “CONFIDENTIAL” or “DRAFT” appearing in light type in the background.

a. Create a watermark with the word “CONFIDENTIAL” in a Word document.
Print out a document that displays that watermark.

In Word, the Page Layout menu contains an option to create a watermark. When you click on the Watermark choice, a drop-down menu presents an array of built-in options for using the word “Confidential” as a watermark.

b. Create the same watermark in Excel and print out a spreadsheet page that displays that watermark.

Excel does not have a built-in watermark facility. However, if you search for information about watermarks in Excel’s help function, you learn that you have two options:

c. Can you make your watermark “invisible” so that it can be used to detect whether a document containing sensitive information has been copied to an unauthorized location? How? How could you use that “invisible” watermark to detect violation of copying policy?

If you make the text of the watermark white, then it will not display on the screen. To make the watermark visible in Word, on the Page Layout menu select the “Page Color” option and set the color to something dark to reveal the “invisible” white watermark. In Excel, you would select all cells and then change the fill color to something dark to reveal the “invisible” white watermark.
9.5 Create a spreadsheet to compare current monthly mortgage payments versus the new monthly payments if the loan were refinanced, as shown (you will need to enter formulas into the two cells with solid borders like a box: D9 and D14)

a. Restrict access to the spreadsheet by encrypting it.

In Excel 2007, choose Prepare and then Encrypt Document. Then select a password, and be sure to remember it:

Further protect the spreadsheet by limiting users to only being able to select and enter data in the six cells without borders.

To protect the two cells that contain the formula (shown below with red boxed borders):
a. Select the cells that users are allowed to change (cells D6:D8 and D11:D13)
b. Under the Format drop-down menu, select format cells

Then uncheck the box next to “Locked” as shown below, because these are going to be the only cells we do not protect in the next step.

Now, under the Format drop-down menu, select “Protect Sheet” and then a) enter a password, and b) uncheck the box “Select locked cells”. This will protect the entire sheet EXCEPT for the cells you unlocked in the previous step – users can only move between the six unlocked cells!

BE SURE TO REMEMBER YOUR PASSWORD – it is the only way to unlock the spreadsheet.
9.6 Research the information rights management software that may be available for your computer. What are its capabilities for limiting access rights? Write a report of your findings. Optional: If you can download and install IRM software, use it to prevent anyone from being able to copy or print your report.

Solutions will vary depending upon the student’s computer and version of operating system. Windows, for example, has information rights management software but consumers must create a LiveID account to use it. The following screen shot shows how to access the Information Rights Management (IRM) software in Word 2007:

Choosing the “Manage Credentials” option calls up the dialogue for Microsoft’s Information Rights Management (IRM) software:

9.7 The principle of confidentiality focuses on protecting an organization’s intellectual property. The flip side of the issue is ensuring that employees respect the intellectual property of other organizations. Research the topic of software piracy and write a report that explains:
a. What software piracy is.
b. How organizations attempt to prevent their employees from engaging in software piracy.
c. How software piracy violations are discovered.
d. The consequences to both individual employees and to organizations who commit software piracy.

Solutions will vary. Key points to look for in the report:
a. Definition of software piracy that clearly indicates it involves the illegal or unauthorized downloading and use of software in violation of the terms of the software license agreement.
b. Training and periodic audits of employees’ computers.
c.
Most often by anonymous tips, either from disgruntled employees or a competitor.
d. Organizations discovered to have illegal copies of software have received large fines. It is possible that individuals convicted of software piracy could go to jail. The sites that people visit to obtain illegal copies of software often are not very secure, so people often find that they download and install not just the program they want, but also malware.

9.8 Practice encryption.

Required:
a. Use your computer operating system’s built-in encryption capability to encrypt a file.

In Windows, if you are working with an open document, you can encrypt it by choosing that option under the “Prepare” menu:

You will then be prompted for a password to protect that file.

You can also encrypt an existing file by right-clicking on its name in a directory list and then choosing Properties, which brings up this pop-up window:

Clicking on the Advanced button brings up this dialog box:

Select the box “Encrypt contents to secure data” and follow the directions.

Create another user account on your computer and log in as that user.

In Windows, there are two ways to create new user accounts. One way is to open the Control Panel and select the option “User Accounts”. This brings up the following screen:

Select the “Manage User Accounts” and then click the “Add” button.
You will then be prompted to give a name to your new user account and decide whether it is a standard user or an account with administrative rights. For purposes of this exercise, just create a standard user.

Method 2: Open the Control Panel, choose “Administrative Tools” and then select “Computer Management”:

Double-click on Computer Management and then click on Users and Groups:

Now, click on the “Users” folder in the left pane, and then click on the “Action” menu item at the top and select the option “New user”:

Fill in the screen, giving your new user a name and password. It will probably be easiest for this assignment to not force the new user to change passwords. Also, uncheck the box “Account is disabled” so that you can do the rest of this exercise.

Which of the following actions can you perform?
1. Open the file
2. Copy the file to a USB drive.
3. Move the file to a USB drive.
4. Rename the file.
5. Delete the file

ADDITIONAL NOTE TO INSTRUCTORS: Tell students to save the encrypted file in a shared directory that is accessible to all users who log onto that system. That way, even a standard user will be able to see the files.

Solutions may vary depending upon the computer’s operating system. In Windows, a standard user who did not create the encrypted file will not be able to open, copy, or move the encrypted file to a USB drive – but is able to rename or delete it.
This demonstrates that encryption is not a total solution – if someone has physical access to a computer that has encrypted files on it, they may not be able to read that file but they can destroy it. Thus, physical access controls are also important.

In Windows, if a student creates another user account with Administrative privileges, that account will also not be able to open, copy or move the encrypted file to a USB drive – but can rename or delete it. One other difference is that a user with administrative privileges can also open up other users’ profiles.

IMPORTANT NOTE TO INSTRUCTORS: Tell students to delete the new user account that they created to do this problem after they finish the assignment.

b. TrueCrypt is one of several free software programs that can be used to encrypt files stored on a USB drive. Download and install a copy of TrueCrypt (or another program recommended by your professor). Use it to encrypt some files on a USB drive. Compare its functionality to that of the built-in encryption functionality provided by your computer’s operating system.

TrueCrypt is available at www.truecrypt.org – note that the name is TrueCrypt. The article “Protect Your Portable Data—Always and Everywhere,” (by Simon Petravick and Stephen Kerr) in the June 2009 issue of the Journal of Accountancy discusses a number of encryption products. Students will likely report that software like TrueCrypt offers many more features than their computer operating system’s built-in encryption functionality.

9.9 Research the problem of identity theft and write a report that explains:
a. Whether the problem of identity theft is increasing or decreasing
b. What kind of identity theft protection services or insurance products are available. Compare and contrast at least two products.

Students should report that the problem of identity theft is increasing.
One issue, however, concerns how identity theft is defined. Some sources include things like stealing credit card or debit card numbers; others limit identity theft to impersonating someone to open a new credit card account, take out a loan, purchase a major item (like a car) on credit, etc. Regardless, the general trend is increasing.

An excellent source of detailed information for instructors is the FTC. If you go to the main web site (www.ftc.gov) you will see a link to Identity Theft under the list “Quick Finder”:

Clicking that link brings you to a page with videos and documents about how to protect yourself, etc. Particularly interesting is the document “To buy or not to buy: Identity theft spawns new products and services to help minimize risk.”

The web site www.insure.com provides a lot of information about different identity theft protection products (you can find it under the “Other Insurance” tab on the main page). Probably the most well-known product is LifeLock. Increasingly, many home insurance policies also offer riders for identity theft protection.

9.10 Certificate authorities are an important part of a public key infrastructure (PKI). Research at least two certificate authorities and write a report that explains the different types of digital certificates that they offer.

Solutions will vary depending upon the specific certificate authorities the student investigates. Students will most likely choose Verisign, GoDaddy, Entrust, Equifax, Deutsche Telekom, and Thawte. These certificate authorities (CAs) issue several types of certificates. For example, the Verisign site has a white paper called “Beginners Guide to SSL certificates” that includes the following explanation:

DIFFERENT TYPES OF SSL CERTIFICATE

There are a number of different SSL Certificates on the market today.

1.
The first type of SSL Certificate is a self-signed certificate. As the name implies, this is a certificate that is generated for internal purposes and is not issued by a CA. Since the web site owner generates their own certificate, it does not hold the same weight as a fully authenticated and verified SSL Certificate issued by a CA.

2. A Domain Validated Certificate is considered an entry-level SSL Certificate and can be issued quickly. The only verification check performed is to ensure that the applicant owns the domain (web site address) where they plan to use the certificate. No additional checks are done to ensure that the owner of the domain is a valid business entity.

3. A fully authenticated SSL Certificate is the first step to true online security and confidence building. Taking slightly longer to issue, these certificates are only granted once the organization passes a number of validation procedures and checks to confirm the existence of the business, the ownership of the domain, and the user’s authority to apply for the certificate. All VeriSign® brand SSL Certificates are fully authenticated.

4. Even though an SSL Certificate is capable of supporting 128-bit or 256-bit encryption, certain older browsers and operating systems still cannot connect at this level of security. SSL Certificates with a technology called Server-Gated Cryptography (SGC) enable 128- or 256-bit encryption to over 99.9% of web site visitors. Without an SGC certificate on the web server, browsers and operating systems that do not support 128-bit strong encryption will receive only 40- or 56-bit encryption. Users with certain older browsers and operating systems will temporarily step-up to 128-bit SSL encryption if they visit a web site with an SGC-enabled SSL Certificate. For more information about SGC please visit: www.verisign.com/sgc.

5. A domain name is often used with a number of different host suffixes.
For this reason, you may employ a Wildcard Certificate that allows you to provide full SSL security to any host of your domain—for example: host.your_domain.com (where “host” varies but the domain name stays constant).

6. Similar to a Wildcard Certificate, but a little more versatile, the SAN (Subject Alternative Name) SSL Certificate allows for more than one domain to be added to a single SSL Certificate.

7. Code Signing Certificates are specifically designed to ensure that the software you have downloaded was not tampered with while en route. There are many cyber criminals who tamper with software available on the Internet. They may attach a virus or other malicious software to an innocent package as it is being downloaded. These certificates make sure that this doesn’t happen.

8. Extended Validation (EV) SSL Certificates offer the highest industry standard for authentication and provide the best level of customer trust available. When consumers visit a web site secured with an EV SSL Certificate, the address bar turns green (in high-security browsers) and a special field appears with the name of the legitimate web site owner along with the name of the security provider that issued the EV SSL Certificate. It also displays the name of the certificate holder and issuing CA in the address bar. This visual reassurance has helped increase consumer confidence in e-commerce.

9.11 Obtain a copy of COBIT (available at www.isaca.org) and read the control objectives that relate to encryption (DS5.8 and DS5.11). What are the essential control procedures that organizations should implement when using encryption?

COBIT control objective DS5.8 addresses key management policies with respect to encryption.
This should include procedures concerning:
• Minimum key lengths
• Use of approved algorithms
• Procedures to authenticate recipients
• Secure distribution of keys
• Secure storage of keys
• Key escrow
• Policies governing when to use encryption and which information should be encrypted (this probably requires the organization to classify and label all information assets so that employees can identify the different categories)
• Procedures for revoking compromised keys

COBIT control objective DS5.11 addresses the use of encryption during the transmission of information. This should include procedures concerning:
• Procedures to ensure information is encrypted prior to transmission
• Specification of approved encryption algorithms
• Access controls over incoming encrypted information
• Secure storage of encryption keys

SUGGESTED SOLUTIONS TO THE CASES

Case 9-1 Protecting Privacy of Tax Returns

The department of taxation in your state is developing a new computer system for processing individual and corporate income-tax returns. The new system features direct data input and inquiry capabilities. Identification of taxpayers is provided by using the Social Security number for individuals and federal tax identification number for corporations. The new system should be fully implemented in time for the next tax season.

The new system will serve three primary purposes:

1 Data will either be automatically input directly into the system if the taxpayer files electronically or by a clerk at central headquarters scanning a paper return received in the mail.

2 The returns will be processed using the main computer facilities at central headquarters. Processing will include four steps:
a. Verifying mathematical accuracy
b. Auditing the reasonableness of deductions, tax due, and so on, through the use of edit routines, which also include a comparison of current and prior years’ data.
c.
Identifying returns that should be considered for audit by department revenue agents
d. Issuing refund checks to taxpayers

3 Inquiry services. A taxpayer will be allowed to determine the status of his or her return or get information from the last three years’ returns by calling or visiting one of the department’s regional offices, or by accessing the department’s web site and entering their social security number.

The state commissioner of taxation and the state attorney general are concerned about protecting the privacy of personal information submitted by taxpayers. They want to have potential problems identified before the system is fully developed and implemented so that the proper controls can be incorporated into the new system.

Required
Describe the potential privacy problems that could arise in each of the following three areas of processing, and recommend the corrective action(s) to solve each problem identified:
a. Data input
b. Processing of returns
c. Data inquiry
[CMA examination, adapted]

a. Privacy problems which could arise in the processing of input data, and recommended corrective actions, are as follows:

Problem: Unauthorized employee accessing paper returns submitted by mail.
Controls: Restrict physical access to room used to house paper returns and scanning equipment by
• Using ID badges or biometric controls
• Logging all people who enter.

Problem: Unauthorized employee accessing the electronic files.
Controls: Multi-factor authentication of all employees attempting to access tax files.

Problem: Interception of tax information submitted electronically.
Controls: Encrypt all information submitted to the tax website.

b. Privacy problems which could arise in the processing of returns, and recommended corrective actions, are as follows:

Problem: Operator intervention to input data or to gain output from files.
Controls:
• Limit operator access to only that part of the documentation needed for equipment operation.
• Prohibit operators from writing programs and designing the system.
• Daily review of console log messages and/or run times.
• Encryption of data by the application program.

Problem: Attempts to screen individual returns on the basis of surname, sex, race, etc., rather than tax liability.
Controls:
• Training about proper procedures
• Multi-factor authentication to limit access to system.
• Encryption of tax return data stored in system

c. Privacy problems which could arise in the inquiry of data, and recommended corrective actions, are as follows:

Problem: Unauthorized access to taxpayer information on web site
Controls:
• Strong authentication of all people making inquiries via the web site using something other than social security numbers – preferably multi-factor, not just passwords.
• Encryption of all tax return data while in storage
• Encryption of all traffic to/from the web site

Problem: Unauthorized release of information in response to telephone inquiry
Controls:
• Training on how to properly authenticate taxpayers who make telephone inquiries
• Strong authentication of taxpayers making telephone inquiries

Problem: Disclosure of taxpayer information through improper disposal of old files
Controls:
• Training on how to shred paper documents prior to disposal
• Training on how to wipe or erase media that contained tax return information prior to disposal

(CMA Examination, adapted)

Case 9-2 Generally Accepted Privacy Principles

Obtain the practitioner’s version of Generally Accepted Privacy Principles from the AICPA’s web site (www.aicpa.org). You will find it located under professional resources and then information technology. Use it to answer the following questions:

1.
What is the difference between confidentiality and privacy?

Privacy relates to information collected about identifiable individuals. Confidentiality relates to the organization’s intellectual property and similar information it collects/shares with business partners. Regulations exist concerning responsibilities for protecting privacy; no such broad regulations exist with respect to confidentiality.

2. How many categories of personal information exist? Why?

Two: personal information and sensitive personal information. Examples are provided on page 4 of the GAPP document (which is reproduced below and highlighted in yellow):

Personal Information

Personal information (sometimes referred to as personally identifiable information) is information that is about, or can be related to, an identifiable individual. It includes any information that can be linked to an individual or used to directly or indirectly identify an individual. Individuals, for this purpose, include prospective, current, and former customers, employees, and others with whom the entity has a relationship. Most information collected by an organization about an individual is likely to be considered personal information if it can be attributed to an identified individual. Some examples of personal information are as follows:
• Name
• Home or e-mail address
• Identification number (for example, a Social Security or Social Insurance Number)
• Physical characteristics
• Consumer purchase history

Some personal information is considered sensitive. Some laws and regulations define the following to be sensitive personal information:
• Information on medical or health conditions
• Financial information
• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Sexual preferences
• Information related to offenses or criminal convictions

Sensitive personal information generally requires an extra level of protection and a higher duty of care. For example, some jurisdictions may require explicit consent rather than implicit consent for the collection and use of sensitive information.

Some information about or related to people cannot be associated with specific individuals. Such information is referred to as nonpersonal information. This includes statistical or summarized personal information for which the identity of the individual is unknown or linkage to the individual has been removed. In such cases, the individual’s identity cannot be determined from the information that remains because the information is deidentified or anonymized. Nonpersonal information ordinarily is not subject to privacy protection because it cannot be linked to an individual. However, some organizations may still have obligations over nonpersonal information due to other regulations and agreements (for example, clinical research and market research).

The difference is that sensitive personal information can, if misused, cause significant harm or embarrassment to the individual.

3. In terms of the principle of choice and consent, what does GAPP recommend concerning opt-in versus opt-out?

Sensitive personal information requires explicit consent (i.e., opt-in). Other personal information can be collected through either explicit (opt-in) or implicit (opt-out) consent.

4. Can organizations outsource their responsibility for privacy?

No. The section on “Outsourcing and Privacy” on page 3 specifically states that organizations cannot totally eliminate their responsibility for complying with privacy regulations when they outsource collection, use, etc. of personal information.

5. What does principle 1 state concerning top management’s and the Board of Directors’ responsibility for privacy?
It is top management’s responsibility to assign privacy management to a specific individual or team (management criterion 1.1.2). As an illustrative control for this criterion, the Board of Directors should review privacy policies at least annually.

6. What does principle 1 state concerning the use of customers’ personal information when testing new applications?

It must be rendered anonymous (all personally identified information removed).

7. Obtain a copy of your university’s privacy policy statement. Does it satisfy GAPP criterion 2.2.3? Why?

Answers will vary. The key point is the rationale provided as to why the policy is (not) clear and easy to understand.

8. What does GAPP principle 3 say about the use of cookies?

Organizations must develop programs and procedures to ensure that, if customers want to disable cookies, the organization complies with those wishes.

9. What are some examples of practices that violate management criterion 4.2.2?
• Surreptitious collection of data via secret cookies or web beacons
• Linking information collected with information collected from other sources without notifying individuals
• Use of a third party to collect information in order to avoid having to provide notice to people that the organization is collecting personal information about them.

10. What does management criterion 5.2.2 state concerning retention of customers’ personal information? How can organizations satisfy this criterion?

Organizations need a retention policy and must regularly inventory the information they store and delete it if no longer relevant.

11. What does management criterion 5.2.3 state concerning the disposal of personal information? How can organizations satisfy this criterion?

Organizations need to destroy media with sensitive information.
Note that sometimes this requires destruction of an entire file or database (e.g., cannot just destroy one track on CD or DVD). If documents are released, personal information needs to be redacted.

12. What does management criterion 6.2.2 state concerning access? What controls should organizations use to achieve this objective?

Organizations need to authenticate the identity of people requesting access to their personal information. DO NOT use Social Security Numbers for such authentication.

13. According to GAPP principle 7, what should organizations do if they wish to share personal information they collect with a third party?

Organizations should
• Disclose that they intend to share information with third parties (management criterion 7.1.1)
• Provide third parties with the organization’s privacy policies (management criterion 7.1.2)
• Only share information with third parties that have systems in place to provide the same level of protection of privacy as the sharing organization (management criterion 7.2.2)
• Take remedial actions against third parties that misuse personal information disclosed to them (management criterion 7.2.4)

14. What does GAPP principle 8 state concerning the use of encryption?

Personal information must be encrypted whenever transmitted (management criterion 8.2.5) or stored on portable media (management criterion 8.2.6).

15. What is the relationship between GAPP principles 9 and 10?

Principle 9 stresses the importance of maintaining accurate records. Principle 10 requires that a complaint resolution process must exist. One of the most frequent causes of complaints will likely be customers discovering, when provided access as per principle 6, errors and inaccuracies in their records which the organization fails to correct on a timely basis.
CHAPTER 10
INFORMATION SYSTEMS CONTROLS FOR SYSTEMS RELIABILITY – PART 3: PROCESSING INTEGRITY AND AVAILABILITY

SPECIAL INTRODUCTION TO EXCEL

This chapter includes a number of problems that use Excel’s built-in Data Validation tool to help students better understand processing integrity controls by programming them in a spreadsheet. Some students will already be familiar with this tool, others will not. Therefore, this brief introductory tutorial may be useful as a hand-out prior to assigning the Excel questions in this chapter.

The Data Validation tool is found on the “Data” tab, as shown below:

10-1 © 2011 Pearson Education, Inc. Publishing as Prentice Hall

Click on “Data Validation” and then choose the option “data validation”:

This brings up the following window, which can be used to design a variety of processing integrity controls that will apply to the currently selected cell (in the example above, the Data Validation controls will be applied to cell C2):

Clicking on the drop-down arrow in the “allow” box yields the following choices:
• Any value (the cell can take numeric, text, date, etc. input) without restrictions
• Whole numbers only allowed
• Decimals allowed (but not required)

Choosing either whole numbers or decimals yields the following additional choices:

This default window can be used to create a “range check” with minimum and maximum values.
Click the drop-down arrow in the Data box to reveal other types of tests that can be created:

• List – permissible values must be selected from a list that the control designer creates

The list of permissible choices can appear in a drop-down menu (if that box is checked) using values found in a set of cells in the spreadsheet (using the source field):

If the “In-cell dropdown” box is checked, the values will appear in a drop-down list when a user clicks on that cell. The list of permitted values in the drop-down box can be found in the portion of the spreadsheet as indicated in the “Source” box.

If the “In-cell dropdown” box is not checked, users will still be restricted to entering values from the list indicated in the source box, but will have to manually type in those values rather than selecting from a drop-down menu.

• Date – only date values
• Time – only time values
• Text Length – length of text string

Choosing either Date, Time, or Text Length yields the same set of choices as for “whole numbers” or “decimals”, making it easy to create limit checks, range checks, size checks, etc.:

• Custom – formulas can be used to limit input values

For example, we can create a “reasonableness test” that requires cell C2 to be less than or equal to 10 times the value in cell B2 as follows:

Once the processing integrity control has been designed, the “Input Message” tab can be used to create a message explaining the permissible input values that will appear whenever a user selects that cell:

Which yields the following:
Finally, the “Error Alert” tab can be used to create a meaningful error message whenever user data violates the constraints:

The message can have a title, plus as much text as desired. In addition, there are three action choices:
1. Stop – the user is prohibited from inputting the erroneous data
2. Warning – the user is informed that the data is not valid, but has the option of entering it anyway.
3. Information – the user is informed that the data is not valid. Clicking OK results in the data being entered anyway; clicking cancel rejects the data.

SUGGESTED ANSWERS TO DISCUSSION QUESTIONS

10.1 Two ways to create processing integrity controls in Excel spreadsheets are to use the built-in Data Validation tool or to write custom code with IF statements. What are the relative advantages and disadvantages of these two approaches?

Excel provides a “Data Validation” tool on the Data tab:

The Data Validation tool serves as a “wizard” to program a variety of input editing/processing controls. For example, if you want to limit the values in cell A1 to be between 18 and 65, you could use the Data Validation tool to program this range check as follows:

The “Input Message” tab can be used to inform the user what values are permissible. The “Error Alert” tab can be used to create an error message that will be displayed if the values are not permissible (in the case of this example, if the values are either less than 18 or greater than 65).

The same range check could be programmed using an IF statement, as follows:
=IF(AND(A1>=18,A1<=65),"","Error: values must be between 18 and 65")

An IF statement consists of three arguments, separated by commas: =IF(first argument, second argument, third argument). The first argument is the test to be performed, the second controls what happens if the test is true, and the third argument controls what happens if the test is false. In this example, the first argument is testing whether the value in cell A1 is between 18 and 65, inclusive. The second argument directs that if the test is true, no error message should be displayed (the two double-quote marks indicate that nothing will be displayed). The third argument controls what happens if the test is not true. In this example, if the value entered into cell A1 is less than 18 or greater than 65, the message “Error: values must be between 18 and 65” will be displayed.

The Data Validation tool is easier to use. However, it is limited to performing tests of just one condition. More complex tests require the IF function. For example, perhaps we want to treat values of 18, 19, and 20 differently from values 21-65. This can be done by nesting IF statements, as follows:

=IF(A1>=18,IF(A1<21,"value is 18-20",IF(A1<=65,"value is between 21 and 65","Error: value must be less than or equal to 65")),"Error: Value must be greater than or equal to 18")

This formula works as follows:

Step 1: the first IF statement tests whether the value in cell A1 is greater than or equal to 18. If it is true, then it proceeds to evaluate the second IF statement. If the value entered is less than 18, it returns the final error message: “Value must be greater than or equal to 18”

Step 2: If the first IF statement is true (i.e., the value in cell A1 is greater than or equal to 18) the next test is whether the value is less than 21. If it is, then the message “value is 18-20” is displayed.
If the value in A1 is greater than or equal to 21, a third test is performed, testing whether it is less than or equal to 65.

Writing IF statements requires careful thought, but provides total flexibility in creating very complicated processing integrity checks.

10.2 What is the difference between using check digit verification and a validity check to test the accuracy of an account number entered on a transaction record?

Check digit verification is designed to detect typographical errors such as transposing two digits or entering the wrong digit (e.g., typing an 8 instead of a 3). Passing a check digit verification test only ensures that the account number could exist. A validity check verifies that the account number actually does exist, by searching for it in a master file. Check digit verification can be done at the point of data entry; a validity test requires accessing the relevant master file and takes time to search the account number field in that file to see if it contains a specific value.

10.3 For each of the three basic options for replacing IT infrastructure (cold sites, hot sites, and real-time mirroring) give an example of an organization that could use that approach as part of its DRP. Be prepared to defend your answer.

Many solutions are possible. The important point is to justify that the method yields an appropriate RTO for the organization. Cold sites yield RTOs measured in days; hot sites result in RTOs measured in hours; and real-time mirroring has RTOs measured in minutes. Here are some possible examples:

Cold site: smaller businesses, such as a local CPA firm. In most situations, CPA firms can probably function without their main information system for a day or a couple of days.
Most employees have laptops and could continue to do much of their work (collecting audit evidence, writing reports, working on spreadsheets) and then upload their work to the main servers once the cold site is up and running. Hot site: Many businesses could function for several hours using paper-based forms until their data center was back up and running. For example, if a retailer’s information system went down, new sales orders could be processed on paper and entered later. Real-time mirroring: Internet-only companies need this because they can only earn revenue when their web site is up and running. Nor can airlines and financial institutions operate using paper-based forms; they need to have a backup system available at all times. 10-11 © 2011 Pearson Education, Inc. Publishing as Prentice Hall Ch. 10: Information Systems Controls for Systems Reliability – Part 3: Processing Integrity and Availability 10.4 Use the numbers 10–19 to show why transposition errors are always divisible by 9. A Original Number 10 11 12 13 14 15 16 17 18 19 B Transposed Number 01 11 21 31 41 51 61 71 81 91 B-A Difference 9 0 9 18 27 36 45 54 63 72 Divisible by 9? Yes Not a transposition Yes Yes Yes Yes Yes Yes Yes Yes When two numbers are transposed, the difference between the original number and the transposed number is divisible by 9 except when the two digits have the same value. 10.5 What are some business processes for which an organization might use batch processing? Batch processing may be used when master files do not need to be updated in real-time. For example, many organizations process accounts payable in batches once a day or once a week because they do not need up-to-the-minute accuracy about the balances they owe to suppliers. In contrast, accounts receivable benefits from on-line processing because organizations need to know whether a new order will exceed a customer’s credit limit. 
Batch processing is also appropriate for business processes such as payroll and dividend payments that only happen periodically but affect virtually every account in a master file.

10.6 Why do you think that surveys continue to find that a sizable percentage of organizations either do not have formal disaster recovery and business continuity plans or have not tested and revised those plans for more than a year?

Likely reasons include:
• Belief that “it won’t happen to us”
• Lack of time to develop plans
• Lack of money to develop plans
• Not important to senior management (no support for planning or testing)
• Risk attitude/appetite of senior management

SUGGESTED SOLUTIONS TO THE PROBLEMS

10.1 Match the following terms with their definitions:

__s__ 1. business continuity plan (BCP)
__j__ 2. completeness check
__o__ 3. hash total
__u__ 4. incremental daily backup
__a__ 5. archive
__v__ 6. field check
__c__ 7. sign check
__w__ 8. change control
__i__ 9. cold site
__e__ 10. limit check
__k__ 11. zero-balance test
__n__ 12. recovery point objective (RPO)
__m__ 13. recovery time objective (RTO)
__p__ 14. record count
__r__ 15. validity check
__t__ 16. check digit verification
__x__ 17. closed-loop verification
__d__ 18. parity checking
__q__ 19. reasonableness test
__y__ 20. financial total
__z__ 21. turnaround document

a. A file used to store information for long periods of time.
b. A plan that describes how to resume IT functionality after a disaster.
c. An application control that verifies that the quantity ordered is greater than 0.
d. A control that verifies that all data was transmitted correctly by counting the number of odd or even bits.
e. An application control that tests whether a customer is 18 or older.
f. A daily backup plan that copies all changes since the last full backup.
g. A disaster recovery plan that contracts for use of an alternate site that has all necessary computing and network equipment, plus Internet connectivity.
h. A disaster recovery plan that contracts for use of another company’s information system.
i. A disaster recovery plan that contracts for use of an alternate site that is prewired for Internet connectivity but has no computing or network equipment.
j. An application control that ensures that a customer’s ship-to address is entered in a sales order.
k. An application control that makes sure an account does not have a balance after processing.
l. An application control that compares the sum of a set of columns to the sum of a set of rows.
m. A measure of the length of time that an organization is willing to function without its information system.
n. The amount of data an organization is willing to re-enter or possibly lose in the event of a disaster.
o. A batch total that does not have any intrinsic meaning.
p. A batch total that represents the number of transactions processed.
q. An application control that validates the correctness of one data item in a transaction record by comparing it to the value of another data item in that transaction record.
r. An application control that verifies that an account number entered in a transaction record matches an account number in the related master file.
s. A plan that describes how to resume business operations after a major calamity, like Hurricane Katrina, that destroys not only an organization’s data center but also its headquarters.
t. A data-entry application control that verifies the accuracy of an account number by recalculating the last number as a function of the preceding numbers.
u. A daily backup procedure that copies only the activity that occurred on that particular day.
v. A data-entry application control that could be used to verify that only numeric data is entered into a field.
w. A plan to ensure that modifications to an information system do not reduce its security.
x. A data-entry application control that displays the value of a data item and asks the user to verify that the system has accessed the correct record.
y. A batch total that represents the total dollar value of a set of transactions.
z. A document sent to an external party and subsequently returned so that preprinted data can be scanned rather than manually reentered.

10.2 Excel Problem

Enter the following data into a spreadsheet and then perform the following tasks:

Employee Number | Pay rate | Hours worked | Gross Pay | Deductions | Net pay
12355 | 10.55 | 38 | 400.90 | 125.00 | 275.90
2178g | 11.00 | 40 | 440.00 | 395.00 | 45.00
24456 | 95.00 | 90 | 8550.00 | 145.00 | 8405.00
34567 | 10.00 | 40 | 400.00 | 105.00 | 505.00

a. Calculate examples of these batch totals:
• A hash total
Solution: sum of the employee number or pay rate columns, since these totals have no intrinsic meaning. In this example, the error in the second employee’s number would prevent calculating a hash total on that column. So you could only sum the pay rate column, yielding a hash total of 126.55.
• A financial total
Solution: sum of the hours worked (208), gross pay (9790.90), deductions (770), or net pay (9,230.90) columns, as all these results have financial meaning.
• A record count
Solution: 4, which is a count of the rows.

b. Assume the following rules govern normal data:
• Employee numbers are five digits in length and range from 10000 through 99999.
• Maximum pay rate is $25, and minimum is $9.
• Hours worked should never exceed 40.
• Deductions should never exceed 40% of gross pay.
Give a specific example of an error or probable error in the data set that each of the following controls would detect:
• Field check
A field check on the employee number column would detect that the second row does not contain only numbers; thus, it would detect the letter “g” in the employee number.
• Limit check
A limit check on pay rate could flag row 3 as an error because $95 exceeds the maximum pay rate of $25. A limit check on hours worked would also flag row 3 as an error because 90 hours worked exceeds the maximum hours worked of 40.
• Reasonableness test
Comparison of deductions to gross pay would flag a potential problem in row 2, since it is not likely that a person being paid $440 would have $395 of deductions.
• Cross-footing balance test
A cross-footing balance test would detect that the sum of gross pay (9790.90) minus the sum of deductions (770) does not equal the sum of net pay (9230.90).

c. Create a control procedure that would prevent, or at least detect, each of the errors in the data set.
• Employee number not numeric
Using the data validation tool, select the cells you want to test (in the employee number column) and specify the legal limits (whole numbers beginning with 10000 through 99999) as follows:

Alternatively, you could write the following IF statement to perform the same test:

=IF(AND(E3>=10000,E3<=99999),"","error")

This tests whether the cell value is both greater than or equal to 10000 and also less than or equal to 99999. If it is, nothing will be displayed (the two double quote marks tell Excel to not display any error message). If the value of the cell falls outside the allowed limits, an error message is displayed.
• Pay rate too high or too low
This range test could be programmed using the data validation tool as follows:

Alternatively, this logical test would catch such errors and display an appropriate error message:

=IF(D6<9,"pay rate must be at least $9",IF(D6>25,"pay rate must be less than $25",""))

This formula first tests whether the pay rate in the cell is less than the minimum allowable rate of $9. If this test is true, an error message is displayed that specifically states that the pay rate must be at least $9. If the test is false, then a second IF statement is evaluated to check whether the pay rate in the cell is greater than the maximum allowable rate of $25. If it is, the appropriate error message is displayed. If the second IF statement is false, then it means that the pay rate in the cell must be between $9 and $25 (because the second IF test is only evaluated if the first one is false), so no error message is displayed (hence the two double-quotes).

• Hours worked too high
Using the data validation tool, a limit check to ensure that hours worked must be less than or equal to 40 can be designed as follows:

Alternatively, the following IF statement would enforce the same limit check:

=IF(A4<=40,"","Error: hours worked cannot exceed 40")

The IF test checks whether the value in cell A4 is less than or equal to 40. If it is, then no error message is displayed (the two double-quotes say to display nothing). If the value in cell A4 is greater than 40, the test fails and the error message is displayed.

• Deductions too high relative to gross pay
This reasonableness test would be programmed using the data validation tool and choosing “custom” in the allow field, as follows:

The formula would limit the deductions in cell M7 to be less than or equal to 40% of the gross pay in cell L7.

Alternatively, the following IF statement would perform the same reasonableness test:

=IF(M7/L7<=0.4,"","deductions exceed 40% of gross pay")

The IF statement would test whether the deductions in cell M7 are less than or equal to 40% of gross pay in cell L7. If the test is true, no error message would be displayed (the two double-quotes for the second argument of the IF formula). If the test is false, the error message in the third argument of the IF formula would be displayed.

• Error in calculating net pay
Alternatively, the following IF statement would catch the error:

=IF(L5-M5=N5,"","net pay does not equal gross pay - deductions")

10.3 Excel Problem

The Moose Wings Cooperative Flight Club owns a number of airplanes and gliders. It serves fewer than 2,000 members, who are numbered sequentially from the founder, Tom Eagle (0001), to the newest member, Jacques Noveau (1368). Members rent the flying machines by the hour, and all must be returned on the same day. The following six records were among those entered for the flights taken on September 1, 2010:

Member # | Flight Date (MM/DD/YY) | Plane Used | Takeoff time | Landing time
1234 | 09/10/10 | G | 6:25 | 8:46
4111 | 09/01/10 | C | 8:49 | 10:23
1210 | 09/01/10 | P | 3:42 | 5:42
0023 | 09/01/10 | X | 1:59 | 12:43
012A | 09/01/10 | P | 12:29 | 15:32
0999 | 09/01/10 | L | 15:31 | 13:45

Valid plane codes (plane used column): C = Cessna, G = glider, L = Lear Jet, P = Piper Cub

a. Identify and describe any errors in the data.

Five of the six records contain errors as follows:
1st - Wrong date is used (September 10 instead of September 1).
2nd - Member number is outside range (4111 is greater than 1368).
4th - Plane code X is not valid.
5th - Member number contains a character (A).
6th - Plane landing time (13:45) is earlier than the take off time (15:31).

b. For each of the five data fields, suggest one or more input edit controls that could be used to detect input errors.

Field 1 - Member number:
• Range check to verify that the field contains only four digits within the range of 0001 to 1368.
• Validity check on member number if a file of valid member numbers is maintained.

Field 2 - Date of flight start:
• Check that day, month, and year correspond to the current date.
• Field check that value is a date.

Field 3 - Plane used:
• Validity check that character is one of the legal characters to describe a plane (G, C, P, or L).
• Field check to verify that only a single character is used.

Field 4 - Time of take off:
• Field check to verify that the field contains valid time format.

Field 5 - Time of landing:
• Field check to verify that the field contains valid time format.
• Reasonableness test that field 5 is greater than field 4.

c. Enter the data in a spreadsheet and create appropriate controls to prevent or at least detect the input errors.

Field 1 - Member number:
• Range check to verify that the field contains only four digits within the range of 0001 to 1368.
Using the Data Validation tool in Excel (under the Data tab) this range check could be programmed as follows:

Alternatively, the following IF statement would do the same thing:

=IF(AND(A4>0,A4<1369),"","Error: Values must be between 1 and 1368")

The first argument tests whether the cell value for member numbers is a whole number that is greater than 0 and less than 1369 (you could also code this as greater than or equal to 1 and less than or equal to 1368). If the test is true, no error message is displayed (the two double quotes in argument 2 of the IF function). If the test is false, the error message in quotes in the third argument is displayed.

• Validity check on member number if a file of valid member numbers is maintained.
Using the data validation tool, the validity check would be programmed as follows:

This tool says that the value input must match a list of legal values that are found in cells A4:A7 (which would hold the values C, G, L and P).

Alternatively, the following IF statement would perform the same test:

=IF(OR(G8="C",G8="G",G8="L",G8="P"),"","Error: Invalid plane code")

The OR test checks the value of cell G8 against the four permissible values. If any match, the test is true and nothing is displayed. If none of the four tests matches, then the error message in the third argument is displayed.

Field 2 - Date of flight start:
• Check that day, month, and year correspond to the current date.
In the data validation tool, you would select the cells you want to test and enter the date value you want to compare to, as follows:

Field 3 - Plane used:
• Validity check that character is one of the legal characters to describe a plane (G, C, P, or L).

This tool says that the value input must match a list of legal values that are found in cells A4:A7 (which would hold the values C, G, L and P).

Alternatively, the following IF statement would perform the same test:

=IF(OR(G8="C",G8="G",G8="L",G8="P"),"","Error: Invalid plane code")

The OR test checks the value of cell G8 against the four permissible values. If any match, the test is true and nothing is displayed. If none of the four tests matches, then the error message in the third argument is displayed.

• Check that only a single character is used (field check).

Alternatively, the following IF statement also checks this:

=IF(LEN(S4)=1,"","Plane character must contain only one character")

The LEN function returns the length of a text string. In this case, it checks the cell containing the plane code to verify that it is only 1 letter. If the test is true, no error message is displayed (the second argument of the IF statement has two double-quotes). If the test is false, it displays the error message in the third argument of the IF function.

Field 4 - Time of take off:
• Field check to verify that the field contains valid time format.

Field 5 - Time of landing:
• Field check to verify that the field contains valid time format. Same as for field 4.
• Reasonableness test that field 5 is greater than field 4.

d. Suggest other controls to minimize the risk of input errors.
• prompting to request each required input item.
• preformatting to display an input form including all required input items.
• completeness check on each input record to ensure all items have been entered.
• default values such as today’s date for the flight date.
• closed-loop verification (member name would appear immediately after the member number)

(SMAC Examination, adapted)

10.4 The first column in Table 10-3 lists transaction amounts that have been summed to obtain a batch total. Assume that all data in the first column are correct. Cases a through d each contain an input error in one record, along with a batch total computed from that set of records. For each case (a-d), compute the difference between the correct and erroneous batch totals and explain how this difference could help identify the cause of the error.

Solution: Differences between the correct transactions column and the batch totals obtained after processing (Case A through D columns):

(a) $57,607.24 - 57,616.24 = ($9.00)
(b) $57,607.24 - 51,607.24 = $6,000.00
(c) $57,607.24 - 48,807.24 = $8,800.00
(d) $57,607.24 - 56,952.92 = $654.32

Analysis of these differences:

a. The difference of $9 is evenly divisible by 9, which suggests the possible transposition of adjoining digits in the hundredths and tenths columns. More careful inspection indicates that the amount $1,978.95 from the correct transactions calculation was incorrectly transposed to $1,987.95 in the Case A calculation.

b. A difference of $6,000 represents a discrepancy in only one column, the thousands column. A possible error in transcribing one digit in that column is indicated. More careful examination reveals that the amount $7,832.44 from the correct transactions column was incorrectly recorded as $1,832.44 in the Case B column.

c. The difference of $8,800.00 is not divisible evenly by 9, which rules out a transposition error. The difference affects multiple columns, which rules out a single transcription error. The difference amount is not equal to any of the entries in the correct transactions batch total calculation, which rules out an error of omission. Dividing the difference by 2 gives $4,400.00, which is one of the entries in the correct transactions column. More careful inspection reveals that this amount has been inadvertently subtracted from the Case C batch total calculation rather than added.

d. The difference of $654.32 is not divisible evenly by 9. However, this amount is equal to one of the entries in the correct transactions column. Inspection reveals that this item was inadvertently omitted from the Case D column.

10.5 Excel Problem

Create a spreadsheet with the following columns:
• Plaintext character
• ASCII code (7-bits, binary number)
• First bit
• Second bit
• Third bit
• Fourth bit
• Fifth bit
• Sixth bit
• Seventh bit
• Number of bits with value = 1
• Parity bit for odd parity coding
• Parity bit for even parity coding

a. Enter the 26 letters a-z (lowercase) and the ten digits (0-9) in the plaintext column.
b. The ASCII column should convert the plaintext character to the binary code used by your computer.
c. The next seven columns should each display one bit of the ASCII code, beginning with the leftmost digit. (Hint: Excel provides text functions that can select individual characters from a string).
d. The tenth column should sum the number of bits that have the value ‘1’. (Hint: the text functions used to populate columns 3-9 return a text string that you will need to convert to a numeric value).
e. The eleventh column should have a 1 if the number in the tenth column is odd and 0 if the number in the tenth column is even.
f. The twelfth column should have a 1 if the number in the tenth column is even and a 0 if the number in the tenth column is odd.

The solution should look like this:

NOTE: Tell students that one of the objectives of this exercise (besides illustrating how parity bits work) is for them to explore the large number of built-in Excel functions. You may wish to provide one or two examples from the solution to get them started.

Functions used to populate columns in the solution:

Column B: converting the ASCII character in column A to its binary equivalent. This is accomplished by using the DEC2BIN and CODE functions:

=DEC2BIN(CODE(A2))

• The CODE function is one of Excel’s built-in Text functions. It takes one argument, which in this case is the reference to the cell that contains the plaintext (cell A2), and returns the numeric code for that character in the computer’s character set. The result for the lowercase letter “a” is 97.
• The DEC2BIN function is one of Excel’s built-in Engineering functions. It transforms a number, in this case the result of the CODE function, into binary (0s and 1s).

Columns C-I: the individual bits in the binary string. These are found using Excel’s Text functions as follows:

• Column C: =VALUE(LEFT(B2))
The LEFT function with only one argument returns a string representing the left-most digit in the reference cell. In this case, the reference cell (B2) contains the binary representation of the letter “a” = 1100001. Thus, the LEFT function returns a text string of 1.
The VALUE function converts a text value into a number. In this case, it converts the text of “1” into the number 1. This is necessary for the step of counting the number of bits with a value of 1 in order to calculate the parity bit (column J).

• Column D: =VALUE(LEFT(RIGHT(B2,6))). The combination of LEFT and RIGHT functions is used to return the second digit from the left in the binary number 1100001. The RIGHT function can take two arguments: the cell containing the numeric value to be manipulated (in this case B2) and the number of digits, beginning with the rightmost one, to return. In this case, it returns the 6 right-most digits: 100001. Next, the LEFT function lops off the left-most digit in that string, yielding a text string of “1”. Finally, the VALUE function converts that text into the number 1.

• Column E: =VALUE(LEFT(RIGHT(B2,5))). The combination of LEFT and RIGHT functions is again used to return the third digit from the left in the binary number 1100001. The RIGHT function can take two arguments: the cell containing the numeric value to be manipulated (in this case B2) and the number of digits, beginning with the rightmost one, to return. In this case, it returns the 5 right-most digits: 00001. Next, the LEFT function lops off the left-most digit in that string, yielding a text string of “0”. Finally, the VALUE function converts that text into the number 0.

• Column F: =VALUE(LEFT(RIGHT(B2,4))). The combination of LEFT and RIGHT functions is used to return the fourth digit in the binary number 1100001. The RIGHT function can take two arguments: the cell containing the numeric value to be manipulated (in this case B2) and the number of digits, beginning with the rightmost one, to return. In this case, it returns the 4 right-most digits: 0001. Next, the LEFT function lops off the left-most digit in that string, yielding a text string of “0”. Finally, the VALUE function converts that text into the number 0.

• Column G: =VALUE(LEFT(RIGHT(B2,3))). The combination of LEFT and RIGHT functions is used to return the fifth digit in the binary number 1100001. The RIGHT function can take two arguments: the cell containing the numeric value to be manipulated (in this case B2) and the number of digits, beginning with the rightmost one, to return. In this case, it returns the 3 right-most digits: 001. Next, the LEFT function lops off the left-most digit in that string, yielding a text string of “0”. Finally, the VALUE function converts that text into the number 0.

• Column H: =VALUE(LEFT(RIGHT(B2,2))). The combination of LEFT and RIGHT functions is used to return the sixth digit in the binary number 1100001. The RIGHT function can take two arguments: the cell containing the numeric value to be manipulated (in this case B2) and the number of digits, beginning with the rightmost one, to return. In this case, it returns the 2 right-most digits: 01. Next, the LEFT function lops off the left-most digit in that string, yielding a text string of “0”. Finally, the VALUE function converts that text into the number 0.

• Column I: =VALUE(RIGHT(B2)). The RIGHT function with just one argument is used to return the right-most digit in the reference cell (B2), which in this case is the binary number 1100001. It returns a text string of “1”. The VALUE function then converts that text into the number 1.

COLUMN J: the number of bits with the value 1. Since columns C through I contain either the number 1 or the number 0, a simple SUM(C:I) yields the number of bits with the value of 1.

COLUMN K: Calculate the parity bit if using even parity. Even parity means that there should be an even number of bits, including the parity bit, that have a value of 1.
Therefore, if the value in column J is odd (there are an odd number of 1 bits in the 7-digit binary representation of the plaintext character in that row) then the parity bit must be set to 1 in order to yield an even number of bits with the value 1. For example, in row 2, the binary representation of the lowercase letter “a” is 1100001 which, as shown in Column J, contains an odd number of bits with a value of 1. Therefore, the parity bit for the lowercase letter “a” must be set to 1.

Excel contains a built-in function (under the heading of “More Functions” – “information”) to determine whether a number is odd. The ISODD function returns a value of “True” if the reference cell is an odd number and false otherwise. Therefore, the following IF function can be used to calculate the parity bit value assuming we want even parity:

=IF(ISODD(J2),1,0)

The ISODD function tests whether the value in cell J2 is odd. If it is, the IF function evaluates to true and displays a 1 in column K. If the ISODD function is false, the IF function returns the value 0.

COLUMN L: The objective here is to calculate the parity bit value for odd parity. Odd parity means that there should be an odd number of bits, including the parity bit, that have a value of 1. Therefore, if the value in column J is even (there are an even number of 1 bits in the 7-digit binary representation of the plaintext character in that row) then the parity bit must be set to 1 in order to yield an odd number of bits with the value 1. For example, in row 2, the binary representation of the lowercase letter “a” is 1100001 which, as shown in Column J, contains an odd number of bits with a value of 1. Therefore, the parity bit for the lowercase letter “a” must be set to 0.

Excel contains a built-in function (under the heading of “More Functions” – “information”) to determine whether a number is even.
The ISEVEN function returns a value of “True” if the reference cell is an even number and false otherwise. Therefore, the following IF function can be used to calculate the parity bit value assuming we want odd parity:

=IF(ISEVEN(J2),1,0)

The ISEVEN function tests whether the value in cell J2 is even. If it is, the IF function evaluates to true and displays a 1 in column L so that the resulting 8-digit binary number contains an odd number of bits set to a value of 1. If the ISEVEN function is false, the IF function returns the value 0 for the parity bit.

Adjustment for special characters: Note that the five special characters (? ! % & ;) have only 6 digits to begin with (column B). Therefore, columns H and I duplicate each other. Consequently, the formula in column J must be adjusted to only sum the values for columns C through H. The formulas for the parity bit can then remain the same as used in the rows for the upper and lower case letters. If all characters are going to be represented by a string of 8 bits, then a leading 0 would be appended to the left of the code for each special character (i.e., the code for the ? would be 0111111 plus a parity bit.)

10.6 The ABC Company is considering the following options for its backup plan:
1. Daily full backups:
• Time to perform backup = 60 minutes
• Size of backup = 50 GB
• Time to restore from backup = 30 minutes
2. Weekly full backups plus daily incremental backup:
• Same time, storage, and restoration as above to do a weekly backup on Friday, plus
o Time to perform daily backup = 10 minutes
o Size of daily backup = 10 GB
o Time to restore each daily backup file = 5 minutes
3. Weekly full backups plus daily differential backup:
• Same time, storage, and restoration as above to do a weekly backup on Friday, plus
o Time to perform daily backup = 10 minutes first day, growing by 5 minutes each day thereafter
o Size of daily backup = 10 GB first day, growing by 10 GB each day
o Time to restore differential backup file = 5 minutes first day, increasing by 2 minutes each subsequent day
Which approach would you recommend? Why?

Solution: Management must weigh the trade-offs shown below. Full daily backups take the most time to perform and require most storage, but in the event of a disaster have the quickest restore time. Daily incremental backups on average take less time and use less storage than daily differential backups, but restoration is faster for the differential backups.

Type of Backup Plan | Time spent weekly to backup | Storage requirements | Time to Restore

Option 1: Full Daily Backup
Full Daily Backup | 300 Minutes (5 days * 60 minutes) | 250 GB (5 days * 50 GB/day) | 30 Minutes to restore most recent full backup
Total | 300 Minutes | 250 GB | 30 Minutes

Option 2: weekly full backup plus daily incremental backup
Full Weekly Backup on Friday | 60 Minutes | 50 GB | 30 Minutes to restore last full backup
Daily Incremental Backup | 40 Minutes (4 days * 10 minutes/day) | 40 GB (4 days * 10 GB/day) | 5-20 Minutes (5 minutes per day since last full backup)
Total | 100 Minutes | 90 GB | 35-50 Minutes

Option 3: weekly full backup plus daily differential backup
Full Weekly Backup | 60 Minutes | 50 GB | 30 Minutes to restore last full backup
Daily Differential Backup | 70 Minutes (10 minutes first day, increasing by 5 minutes/day – but on Friday, just make the full weekly backup) = 10+15+20+25=70 | 100 GB (10 GB for first day, 20 GB for second day, etc. but on Friday, just make the full weekly backup) = 10+20+30+40=100 | 5-11 Minutes (5 minutes first day, 2 minutes more each subsequent day but on Friday, just make the full weekly backup)
Total | 130 Minutes | 150 GB | 35-41 Minutes

10.7 Which control(s) would best mitigate the following threats?

a. The hours worked field in a payroll transaction record contained the value 400 instead of 40. As a result, the employee received a paycheck for $6,257.24 instead of $654.32.
A limit check on hours worked. The limit would have to be higher than 40 (such as 55 – or whatever the company deemed appropriate) to allow for overtime, but would certainly catch the extra 0 added to the 40 hours worked.

b. The accounts receivable file was destroyed because it was accidentally used to update accounts payable.
All files should have header labels to identify their contents, and all programs should check these labels before processing transactions against the file. There should also be a clearly marked external label to reduce the risk of an operator loading the wrong file.

c. During processing of customer payments, the digit 0 in a payment of $204 was mistakenly typed as the letter “O.” As a result, the transaction was not processed correctly and the customer erroneously received a letter that the account was delinquent.
A field check should be performed to check whether all characters entered in this field are numeric. There should be a prompt correction and re-processing of erroneous transactions.

d. A salesperson mistakenly entered an online order for 50 laser printers instead of 50 laser printer toner cartridges.
A reasonableness test of quantity ordered relative to the product if 50 is an unusually large number of monitors to be ordered at one time.
Closed-loop verification to make sure that the stock number matches the item that is ordered.

e. A 20-minute power brownout caused a mission-critical database server to crash, shutting down operations temporarily.
An uninterruptible power system should be used to provide a reserve power supply in the event of power failure. The UPS should at a minimum allow enough time for the system to operate for a defined length of time and then, if necessary, power down in the event of an extended power outage. Longer power outages are best handled by backup generators and real-time mirroring systems.

f. A fire destroyed the data center, including all backup copies of the accounts receivable files.
FILES: A backup copy of the files should be stored off-site.
HARDWARE: A hot or cold site arrangement
BOTH:
• Real-time mirroring, so that when one site is down the other site(s) can pick up the slack.
• A disaster recovery plan
• Liability and business interruption insurance

g. After processing sales transactions, the inventory report showed a negative quantity on hand for several items.
A sign test of quantity on hand.

h. A customer order for an important part did not include the customer’s address. Consequently, the order was not shipped on time and the customer called to complain.
A completeness check to determine whether all required fields were filled in.

i. When entering a large credit sale, the clerk typed in the customer’s account number as 45982 instead of 45892. That account number did not exist. The mistake was not caught until later in the week when the weekly billing process was run. Consequently, the customer was not billed for another week, delaying receipt of payment.
Check digit verification on each customer account number
Or a validity check for actual customers.

j. A visitor to the company’s Web site entered 400 characters into the five-digit Zip code field, causing the server to crash.
A size check would prevent 400 characters from being entered into a field that allows for only 5 characters.

k. Two traveling sales representatives accessed the parts database at the same time. Salesperson A noted that there were still 55 units of part 723 available and entered an order for 45 of them. While salesperson A was keying in the order, salesperson B, in another state, also noted the availability of 55 units for part 723 and entered an order for 33 of them. Both sales reps promised their customer next-day delivery. Salesperson A’s customer, however, learned the next day that the part would have to be back-ordered. The customer canceled the sale and vowed to never again do business with the company.
Concurrent update controls protect records from errors when more than one salesman tries to update the inventory database by locking one of the users out of the database until the first salesman’s update has been completed.

l. The warranty department manager was upset because special discount coupons were mailed to every customer who had purchased the product within the past 3 years, instead of to only those customers who had purchased the product within the past 3 months.
A limit check based on the original sales date.

m. The clerk entering details about a large credit sale mistakenly typed in a nonexistent account number. Consequently, the company never received payment for the items.
Check digit verification on each customer account number
Or a validity check for actual customers
Or closed loop verification that returns the customer name associated with a customer number.

n. A customer filled in the wrong account number on the portion of the invoice being returned with payment. Consequently, the payment was credited to another customer’s account.
Turnaround documents should include account numbers on them.

o. A batch of 73 time sheets was sent to the payroll department for weekly processing. Somehow, one of the time sheets did not get processed. The mistake was not caught until payday, when one employee complained about not receiving a paycheck.
Batch totals would have caught this. A record count would have indicated that one record was not processed. Or a hash total (sum of the employee numbers).

q. Sunspot activity resulted in the loss of some data being sent to the regional office. The problem was not discovered until several days later when managers attempted to query the database for that information.
Parity checks and checksums will test for data transmission errors.

10.8 MonsterMed Inc. (MMI) is an online pharmaceutical firm. MMI has a small systems staff that designs and writes MMI’s customized software. The data center is installed in the basement of its two-story headquarters building. The data center is equipped with halon-gas fire suppression equipment and an uninterruptible power supply system. The computer operations staff works a two-shift schedule, five days per week. MMI’s programming staff, located in the same building, has access to the data center and can test new programs and program changes when the operations staff is not available. Programmers make changes in response to oral requests by employees using the system. Since the programming staff is small and the work demands have increased, systems and programming documentation is developed only when time is available. Backups are made whenever time permits.
The backup files are stored in a locked cabinet in the data center. Unfortunately, due to several days of heavy rains, MMI’s building recently experienced serious flooding that destroyed not only the computer hardware but also all the data and program files that were on-site.

a. Identify at least five weaknesses in MonsterMed Inc.’s backup and DRP procedures.
1. No written backup.
2. No written disaster recovery plan.
3. Backups are not done on a regular basis.
4. Restoration of backups is not tested.
5. Systems documentation is prepared when someone has the time to do it; consequently, documentation will be incomplete and not current.
6. The programming staff has access to the computer room without supervision of the operations staff. The programmers could alter the data files or operational programs.
7. The location of the computing facility in the basement increases the risk of damage due to flooding.
8. No written request, approval process, or testing process for systems changes

b. Evaluate change controls at MonsterMed Inc.
1. There does not appear to be a separate testing and development system, so changes are made directly in the production system.
2. Change requests are made orally, with no formal approval or documentation.
(Adapted from CMA Exam)

10.9 Excel Problem
Create data validation rules in a spreadsheet to perform each of the following controls:
a. Limit check – that values in the cell are < 70
b. Range check – that values in the cell are between 15 and 65
c. Sign check – that values in the cell are positive
d. Field check – that values in a cell are only numeric
The ISNUMBER function tests whether the cell contains only numeric data.
e. Size check – that cell accepts no more than 40 characters of text
f. Reasonableness check – that cell’s value is less than 75% of cell to its left
g. Validity check – that a value exists in a list of allowable values
If the preceding data validation rule was applied to cell C7, the spreadsheet would look like this:
And clicking the drop-down arrow would display the following:

10.10 Excel Problem
Creating and testing check digits.
a. Create a spreadsheet that will take as input a five-digit account number and calculate a check digit using this formula: (5 x left-most digit + 4 x next digit + 3 x third digit + 2 x fourth digit + fifth digit) modulus division by 7. (Modulus division returns the remainder – for example: 11 modulus division by 3 = 2). The check digit then becomes the 6th (right-most) digit in the account number. Your spreadsheet should look like this:

Explanation: the formula for the check digit calculation is

=MOD(((5*C4)+(4*D4)+(3*E4)+(2*F4)+G4),7)

The MOD function is one of Excel’s built-in “Math&Trig” functions. It takes two arguments: the number you are dividing, and the divisor. In this case, the number is a formula (5 x the first digit in cell C4 plus 4 x the second digit in cell D4 plus 3 x the third digit in cell E4 plus 2 x the fourth digit in cell F4 plus the last digit from cell G4). This result is then divided by 7, and the MOD function returns the remainder.
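The check-digit formula just described, reimplemented in Python as an added example (it is not part of the original solution, and the function names are assumptions). It also covers the validity test from part b, checks the mistyped account number from problem 10.7(i), and lists the single-digit typing errors that a modulus of 7 cannot detect.

```python
"""Weighted modulus-7 check digit from problem 10.10 (added example)."""

WEIGHTS = (5, 4, 3, 2, 1)  # 5 x first digit ... 1 x fifth digit, as in part a
MODULUS = 7


def _all_ascii_digits(text):
    # str.isdigit() alone also accepts characters such as superscripts,
    # which int() cannot convert, so restrict to ASCII first.
    return text.isascii() and text.isdigit()


def check_digit(raw_account):
    """Return the check digit for a five-digit raw account number."""
    if len(raw_account) != len(WEIGHTS) or not _all_ascii_digits(raw_account):
        raise ValueError("raw account number must be exactly five digits")
    total = sum(w * int(d) for w, d in zip(WEIGHTS, raw_account))
    return total % MODULUS


def append_check_digit(raw_account):
    """Build the six-digit account number (raw number + check digit)."""
    return raw_account + str(check_digit(raw_account))


def is_valid(account):
    """Part b: recompute the check digit and compare it with the sixth digit.

    Malformed input (wrong length, letters such as 'O' for zero) is
    reported as invalid instead of raising, so this doubles as a
    size check and field check on the input.
    """
    if len(account) != 6 or not _all_ascii_digits(account):
        return False
    return check_digit(account[:5]) == int(account[5])


def undetected_single_digit_errors(account):
    """List every one-digit substitution of a valid number that still validates.

    Each weight (1..5) is coprime to 7, so a wrong digit slips through
    only when it differs from the right one by exactly 7.
    """
    misses = []
    for pos in range(len(account)):
        for digit in "0123456789":
            if digit == account[pos]:
                continue
            candidate = account[:pos] + digit + account[pos + 1:]
            if is_valid(candidate):
                misses.append(candidate)
    return misses


if __name__ == "__main__":
    # Worked example from the solution: 12345 -> check digit 0 -> 123450
    print(append_check_digit("12345"))
    # Problem 10.7(i): 45892 mistyped as 45982, with the check digit attached
    good = append_check_digit("45892")
    mistyped = "45982" + good[5]
    print(good, is_valid(good), mistyped, is_valid(mistyped))
    # Substitutions that the modulus-7 scheme does not catch
    print(undetected_single_digit_errors("123450"))
```

The last call shows the limit of this scheme: because the modulus is 7 rather than 10 or 11, a digit replaced by one that is 7 higher or lower produces the same remainder, so the check digit should be paired with a validity check against actual customer numbers.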
Thus for the first row, the formula yields: (5 x 1) + (4 x 2) + (3 x 3) + (2 x 4) + 5 = 35. Dividing 35 by 7 yields 5 with a remainder of 0. Therefore, the MOD function returns a value of 0 for the check digit. Appending the zero to the raw account number yields the actual account number of 123450.

Students should use the text formulas (LEFT and RIGHT) plus the VALUE formula to parse the raw account number from column B in order to automatically fill in columns C through G as follows:
• Column C: =VALUE(LEFT(B4)). The LEFT function with one argument is used to return the left-most digit from reference cell (B4). The result is a text value of 1. Then the VALUE function converts that text into the number 1.
• Column D: =VALUE(LEFT(RIGHT(B4,4))). The combination of LEFT and RIGHT functions is used to return the second digit from the left in the reference cell (B4). The RIGHT function can take two arguments: the cell containing the numeric value to be manipulated (in this case B4) and the number of digits, beginning with the rightmost one, to return. In this case, it returns the 4 right-most digits: 2345. Next, the LEFT function lops off the left-most digit in that string, yielding text string of “2”. Finally, the VALUE function converts that text into the number 2.
• Column E: =VALUE(LEFT(RIGHT(B4,3))). The combination of LEFT and RIGHT functions is used to return the third digit in reference cell (B4). The RIGHT function can take two arguments: the cell containing the numeric value to be manipulated (in this case B4) and the number of digits, beginning with the rightmost one, to return. In this case, it returns the 3 right-most digits: 345. Next, the LEFT function lops off the left-most digit in that string, yielding text string of “3”. Finally, the VALUE function converts that text into the number 3.
• Column F: =VALUE(LEFT(RIGHT(B4,2))). The combination of LEFT and RIGHT functions is used to return the fourth digit in the reference cell (B4). The RIGHT function can take two arguments: the cell containing the numeric value to be manipulated (in this case B4) and the number of digits, beginning with the rightmost one, to return. In this case, it returns the 2 right-most digits: 45. Next, the LEFT function lops off the left-most digit in that string, yielding text string of “4”. Finally, the VALUE function converts that text into the number 4.
• Column G: =VALUE(RIGHT(B4)). The RIGHT function with one argument returns the rightmost character from the reference cell (B4). In this case, it returns the text string of “5”. Then the VALUE function converts that text into the number 5.

Finally, the actual account number in column I can be created using the CONCATENATE and VALUE functions:
• The CONCATENATE function is one of Excel’s built-in text functions that appends two strings together. Thus, in cell I4, the function CONCATENATE(B4, H4) would append the value in cell H4 (which is the calculated check-digit of 0) to the value in cell B4 (the raw account number 12345) yielding the string 123450.
• The VALUE function then transforms that text string of 123450 into the number 123450.

b. Add another panel to the spreadsheet that takes as input a six-digit account number and uses the check digit formula in part a to test whether or not the account number is valid. Your solution should look like this:

Solution: This formula in the “Valid? (Y/N)” column will test any six-digit account number:

=IF(H20=MOD(((C20*5)+(D20*4)+(E20*3)+(F20*2)+G20),7),"Y","N")

Ideally, all a user should need to do is input a six-digit account number in the “Account number” column and then the spreadsheet will display the individual digits in the appropriate columns. This requires the following formulas to parse the six-digit account number entered in cell B20 (you can copy these formulas down for as many rows as desired):
“First digit” column: =VALUE(LEFT(B20))
“Second digit” column: =VALUE(LEFT(RIGHT(B20,5)))
“Third digit” column: =VALUE(LEFT(RIGHT(B20,4)))
“Fourth digit” column: =VALUE(LEFT(RIGHT(B20,3)))
“Fifth digit” column: =VALUE(LEFT(RIGHT(B20,2)))
“Check digit” column: =VALUE(RIGHT(B20))

Alternatively, if you only want a two-column display with the account number and the “Valid? (Y/N)” column, you could modify the formula in the “Valid? (Y/N)” column so that the cell references were replaced as follows:

=IF(VALUE(RIGHT(B20))=MOD(((VALUE(LEFT(B20))*5)+(VALUE(LEFT(RIGHT(B20,5)))*4)+(VALUE(LEFT(RIGHT(B20,4)))*3)+(VALUE(LEFT(RIGHT(B20,3)))*2)+VALUE(LEFT(RIGHT(B20,2)))),7),"Y","N")

10.11 For each of the following scenarios, determine whether the company’s current backup procedures enable it to meet its recovery objectives and explain why:

a. Scenario 1:
• Recovery point objective = 24 hours
• Daily backups at 3:00 am, process takes 2 hours
• Copy of backup tapes picked up daily at 8:00 am for storage off-site

Solution: No. Many companies make two backup copies – one to keep locally and one to store offsite. If a fire or similar event destroyed the data center on a weekday before 8:00 a.m., both copies of the most recent daily backup tapes would be destroyed because the disaster happened before the second copy was picked up for offsite storage. For example, assume that a fire happened Wednesday morning at 7:00 a.m.
Both copies of Tuesday night’s back-up tape would have been destroyed. The company does have a copy of Monday night’s backup stored off-site. But this means it would have lost all data since the backup that was made at 3:00 am on Tuesday morning. Consequently, the company would be missing 28 hours of data (all transactions that happened between 3:00 am Tuesday and 7:00 am on Wednesday), which is more than its recovery point objective of 24 hours.

b. Scenario 2: Company makes daily incremental backups Monday-Saturday at 7:00 pm each night. Company makes full backup weekly, on Sunday at 1:00 pm.
• Recovery time objective = 2 hours
• Time to do full backup = 3 hours
• Time to restore from full backup = 1 hour
• Time to make incremental daily backup = 1 hour
• Time to restore each incremental daily backup = 30 minutes

Solution: No. If a disaster happened any time after 7:00 pm on Wednesday, it would take more than 2 hours to completely restore all backups:
Time to restore from Sunday’s full backup = 1 hour
Time to restore Monday’s incremental backup = 30 minutes
Time to restore Tuesday’s incremental backup = 30 minutes
Time to restore Wednesday’s incremental backup = 30 minutes
Total time to restore = 2.5 hours

c. Scenario 3: Company makes daily differential backups Monday-Friday at 8:00 p.m. each night. Company makes full backup weekly, on Saturdays, at 8:00 am.
• Recovery time objective = 6 hours
• Time to do full backup = 4 hours
• Time to restore from full backup = 3 hours
• Time to do differential daily backups = 1 hour on Monday, increasing by 30 minutes each successive day
• Time to restore differential daily backup = 30 minutes for Monday, increasing by 15 minutes each successive day

Solution: Yes. Even if a disaster happened early Saturday morning (say at 3:00 am) the company would not have yet done a full backup, but would have completed its final differential backup Friday night. Therefore, full restoration would take:
Time to restore from last Saturday’s full backup = 3 hours
Time to restore Friday’s differential backup = 1 hour 30 minutes
Total time to restore = 4.5 hours
The total time of 4.5 hours is less than the RTO of 6 hours.

If a disaster happened earlier in the week, the company would take even less time to restore. For example, if a fire destroyed the data center Wednesday morning, the company would have to restore the previous Saturday’s full backup plus Tuesday night’s differential backup:
Time to restore from last Saturday’s full backup = 3 hours
Time to restore Tuesday’s differential backup = 45 minutes
Total time to restore = 3.75 hours
which is less than the RTO of 6 hours.

SUGGESTED ANSWERS TO THE CASES

Case 10-1 Ensuring Systems Availability

The Journal of Accountancy (available at www.aicpa.org) has published a series of articles that address different aspects of disaster recovery and business continuity planning:
1. Gerber, J. A., and Feldman, E. R. 2002. “Is Your Business Prepared for the Worst?” Journal of Accountancy (April): 61-64.
2. McCarthy, E. 2004. “The Best-Laid Plans,” Journal of Accountancy (May): 46-54.
3. Myers, R. 2006. “Katrina’s Harsh Lessons,” Journal of Accountancy (June): 54-63.
4. Phelan, S., and Hayes, M. 2003. “Before the Deluge – and After,” Journal of Accountancy (April): 57-66.

Read one or more of the following articles that your professor assigns plus section DS4 of COBIT version 4.1 (available at www.isaca.org) to answer the following questions:
1. What does COBIT suggest as possible metrics for evaluating how well an organization is achieving the objective of DS4? Why do you think that metric is useful?

Proposed metric: Number of hours lost per user per month due to unplanned outages
Why useful:
• High level measure of availability reflecting overall success
• Need to subtract any planned downtime for upgrades to get accurate metric

Proposed metric: Percent of availability SLAs met
Why useful:
• If referring to vendors, this measures how well they meet obligations
• If referring to company, measures how well it is fulfilling its contractual obligations

Proposed metric: Number of business-critical processes relying on IT not covered by IT continuity plan
Why useful:
• Focus on critical business processes for which there is no DRP or BCP. This is a warning sign of potential risks.

Proposed metric: Percent of tests that achieve recovery objectives
Why useful:
• Evaluates performance of testing the DRP and BCP (detective measure that identifies areas in need of improvement)

Proposed metric: Frequency of service interruption of critical systems
Why useful:
• Another measure of overall performance. Helps interpret the hours lost metric – (e.g., did the organization have just one or two major problems or many smaller ones?)

Proposed metric: Elapsed time between tests of any given element of IT continuity plan
Why useful:
• Indicates areas in need of testing

Proposed metric: Number of IT continuity training hours per year per relevant employee
Why useful:
• Measure of preparedness

Proposed metric: Percent of critical infrastructure components with automated availability monitoring
Why useful:
• Measure of extent of usage of cost-effective proactive availability controls

Proposed metric: Frequency of review of IT continuity plan
Why useful:
• Measure of preparedness and how well the DRP and BCP are maintained

2. For each article assigned by your professor, complete the following table, summarizing what each article said about a specific COBIT control objective (an article may not address all 10 control objectives in DS4):

Solution: Answers will vary, but should include at least the following:

Gerber, J. A., and Feldman, E. R. 2002. “Is Your Business Prepared for the Worst?”
COBIT Control Objective | Points discussed in article
DS4.1 | Lists who should be involved in developing the framework and plan. Don’t overlook key external parties and contact methods
DS4.2 | Who should be involved in developing the framework and plan
DS4.3 | Discusses how details of the plans will differ depending upon the nature of the organization’s business operations
DS4.4 |
DS4.5 | Need to do simulations and other tests
DS4.6 | Practice the plans and everyone’s roles
DS4.7 | Make sure everyone understands the plan
DS4.8 | Plans should specify how to recover from the disaster and resume operations
DS4.9 |
DS4.10 |

McCarthy, E. 2004. “The Best-Laid Plans,” Journal of Accountancy (May):
COBIT Control Objective | Points discussed in article
DS4.1 |
DS4.2 |
DS4.3 | How to prioritize what needs to be protected and how to protect
DS4.4 | Need to update the plan
DS4.5 | How to test plans – specific things to do/consider for scenario tests
DS4.6 | Review the test results with employees to identify what worked, what didn’t
DS4.7 |
DS4.8 |
DS4.9 | Checklist of how to do backups, where to store, etc.
DS4.10 | Importance of periodically reviewing the plans and updating

Myers, R. 2006. “Katrina’s Harsh Lessons,” Journal of Accountancy (June):
COBIT Control Objective | Points discussed in article
DS4.1 | Reviews different types of plans and what each contains
DS4.2 |
DS4.3 |
DS4.4 |
DS4.5 | Need to test the plan at least annually
DS4.6 | Divide responsibilities across employees and practice
DS4.7 | Importance of communications procedures – and specific recommendations of how to ensure you can do this
DS4.8 | Specific steps for how to recover data after floods, fires, etc.
DS4.9 | Examples of why you need off-site backup copies
DS4.10 |

Phelan, S., and Hayes, M. 2003. “Before the Deluge – and After,”
COBIT Control Objective | Points discussed in article
DS4.1 | Involve senior management in developing the plans
DS4.2 | Discusses hot sites and other issues about planning to replace the infrastructure. Examples of the benefits of having a plan so can be prepared
DS4.3 | Specific examples of the kinds of information assets that need to backup
DS4.4 |
DS4.5 |
DS4.6 | Communication methods discussed
DS4.7 |
DS4.8 | Detailed side-bar on how to actually recover data/information in various situations
DS4.9 |
DS4.10 |

Case 10-2 Change Controls

Read section AI6 in version 4.1 of COBIT (available at www.isaca.org) and answer the following questions:

1. What is the purpose of each detailed control objective – why is it important?

AI6.1 Change Standards and Procedures
Set up formal change management procedures to handle in a standardised manner all requests (including maintenance and patches) for changes to applications, procedures, processes, system and service parameters, and the underlying platforms.
Reason it is important
• Unauthorized changes can introduce malware and weaken segregation of duties.
• Failure to formally document changes makes it difficult to recover functionality after a disaster.
AI6.2 Impact Assessment, Prioritisation and Authorisation
Assess all requests for change in a structured way to determine the impact on the operational system and its functionality. Ensure that changes are categorised, prioritised and authorised.
Reason it is important
• Proactive analysis of proposed changes reduces the risk of making changes that negatively affect system performance and availability.

AI6.3 Emergency Changes
Establish a process for defining, raising, testing, documenting, assessing and authorising emergency changes that do not follow the established change process.
Reason it is important
• Emergency changes occur in response to problems or incidents. It is often important to resolve the problem quickly by implementing a change without going through the formal change control management process.
• Once the problem has been solved or the crisis is over, it is important to go back and test the changes for any other unanticipated side effects.
• It is also important to document the change, so that in the event of a subsequent incident the system can be properly restored.

AI6.4 Change Status Tracking and Reporting
Establish a tracking and reporting system to document rejected changes, communicate the status of approved and in-process changes, and complete changes. Make certain that approved changes are implemented as planned.
Reason it is important
• Employees will not abide by change control procedures if they do not receive prompt feedback on requests.

AI6.5 Change Closure and Documentation
Whenever changes are implemented, update the associated system and user documentation and procedures accordingly.
Reason it is important
• Changes need to be documented so that they can be replicated, if necessary, in the event of future problems.

2. How is each of the suggested metrics useful?

Suggested metric: Number of disruptions or data errors caused by inaccurate specifications or incomplete impact assessments
Why useful:
• Overall measure of effectiveness of change controls in preventing problems

Suggested metric: Amount of application rework caused by inadequate change specification
Why useful:
• Another outcome measure of overall effectiveness of the change control process

Suggested metric: Reduced time and effort required to make changes
Why useful:
• Positive outcome measure reflecting the overall goal of change control

Suggested metric: Percent of total changes that are emergency fixes
Why useful:
• Measures compliance with change control process. A high number of emergency changes is evidence that people may be “gaming” the system, claiming something is an emergency in order to avoid formal change control. Helpful in measuring compliance with DS6.3

Suggested metric: Percent of unsuccessful changes to the infrastructure due to inadequate change specifications
Why useful:
• Negative outcome measure of compliance with DS6.2

Suggested metric: Number of changes not formally tracked, reported, or authorized
Why useful:
• Negative outcome measure of overall effectiveness of change control process, measures compliance with DS6.1

Suggested metric: Number of backlogged change requests
Why useful:
• Efficiency measure for DS6.4

Suggested metric: Percent of changes recorded and tracked with automated tools
Why useful:
• Compliance with change control processes requires timely feedback on requests. This metric assesses efficiency of DS6.4

Suggested metric: Percent of changes that follow formal change control process
Why useful:
• Overall measure of effectiveness of change control; also useful to assess DS6.3

Suggested metric: Ratio of accepted to refused change requests
Why useful:
• Feedback to employees; relevant to DS6.4

Suggested metric: Number of different versions of each business application or infrastructure being maintained
Why useful:
• Measures compliance with change control process – higher scores here suggest lack of standard procedures and numerous ad hoc changes

Suggested metric: Number and type of emergency changes to the infrastructure components
Why useful:
• Measure of overall compliance with formal change control process; also relevant to DS6.3

Suggested metric: Number and type of patches to the infrastructure components
Why useful:
• Patches are planned changes, so this measures preventive actions taken

CHAPTER 11 AUDITING COMPUTER-BASED INFORMATION SYSTEMS

SUGGESTED ANSWERS TO DISCUSSION QUESTIONS

11.1 Auditing an AIS effectively requires that an auditor have some knowledge of computers and their accounting applications. However, it may not be feasible for every auditor to be a computer expert. Discuss the extent to which auditors should possess computer expertise to be effective auditors.

Since most organizations make extensive use of computer-based systems in processing data, it is essential that computer expertise be available in the organization's audit group. Such expertise should include:
• Extensive knowledge of computer hardware, software, data communications, and accounting applications
• A detailed understanding of appropriate control policies and procedures in computer systems
• An ability to read and understand system documentation
• Experience in planning computer audits and in using modern computer assisted auditing tools and techniques (CAATTs).

Not all auditors need to possess expertise in all of these areas. However, there is certainly some minimum level of computer expertise that is appropriate for all auditors to have. This would include:
• An understanding of computer hardware, software, accounting applications, and controls.
• The ability to examine all elements of the computerized AIS
• The ability to use the computer as a tool to accomplish these auditing objectives.
11.2 Should internal auditors be members of systems development teams that design and implement an AIS? Why or why not?

Many people believe that internal auditors should be involved in systems development projects in order to ensure that newly developed systems are auditable and have effective controls. However, if the auditor's involvement is too great, then his or her independence may be impaired with respect to subsequent review and evaluation of the system. Accordingly, the auditor should not be a member of a systems development team, or be otherwise directly involved in designing or implementing new systems.

There are indirect forms of auditor involvement that are appropriate. The auditor can
1. Recommend a series of control and audit guidelines that all new systems should meet.
2. Independently review the work of the systems development team, evaluate both the quality of the systems development effort and its adherence to control and audit guidelines, and report the findings to management.
In both cases, the auditor is working through management rather than with the systems development team.

11.3 At present, no Berwick employees have auditing experience. To staff its new internal audit function, Berwick could (a) train some of its computer specialists in auditing, (b) hire experienced auditors and train them to understand Berwick’s information system, (c) use a combination of the first two approaches, or (d) try a different approach. Which approach would you support, and why?

The most effective auditor is a person who has training and experience as an auditor and training and experience as a computer specialist. However, few people have such an extensive background, and personnel training and development are both expensive and time consuming. Berwick may find it necessary to accept some tradeoffs in staffing its audit function. Since auditors generally work in teams, Berwick should probably begin by using a combination of the first two approaches. Then, as audit teams are created for specific purposes, care should be taken to ensure that the members of each audit team have an appropriate mix of skills and experience.

11.4 The assistant finance director for the city of Tustin, California, was fired after city officials discovered that she had used her access to city computers to cancel her daughter’s $300 water bill. An investigation revealed that she had embezzled a large sum of money from Tustin in this manner over a long period. She was able to conceal the embezzlement for so long because the amount embezzled always fell within a 2% error factor used by the city’s internal auditors. What weaknesses existed in the audit approach? How could the audit plan be improved? What internal control weaknesses were present in the system? Should Tustin’s internal auditors have discovered this fraud earlier?

Audit approach weaknesses
1. The question implies Tustin's internal auditors never bothered to investigate transactions below a certain dollar amount, and/or shortages of less than a certain percent. This is not good audit practice.
2. While auditors generally examine transaction samples that are selected to include a high percentage of items having a high dollar value, their sampling procedures should not ignore transactions with lower dollar values. There must have been hundreds of falsified transactions, and an effective sampling plan might have uncovered a few of them.
3. An internal control audit should have detected inadequacies in Tustin's computer access controls, as well as a lack of transaction documentation.

Audit plan improvements
1. Audit software could be used to fully reconcile collections with billings, and list any discrepancies for further investigation.

Internal control weaknesses
1. An assistant finance director should not have the authority to enter credits to customer accounts. Certainly, there should have been documentation to support such transactions.
2. The assistant finance director should not have been granted rights to cancel water or other utility bills.

Should the auditors have detected the fraud earlier?
The easy answer here is yes, they should have uncovered the fraud earlier. While she was able to embezzle a large sum of money from Tustin, it was over a long period. One of the keys to her success was that she did not get greedy and the amounts taken in any one year were probably immaterial to the city. These kinds of frauds are very hard to detect.

11.5 Lou Goble, an internal auditor for a large manufacturing enterprise, received an anonymous note from an assembly-line operator who has worked at the company’s West Coast factory for the past 15 years. The note indicated that there are some fictitious employees on the payroll as well as some employees who have left the company. He offers no proof or names. What computer-assisted audit technique could Lou use to help him substantiate or refute the employee’s claim? (CIA Examination, adapted)

Computer-assisted audit tools and techniques (CAATTs) could have been used to identify employees who have no deductions. Experience has shown that fictitious or terminated employees will generally not have deductions. This happens because the fraud perpetrator wants as much money from each fraudulent or terminated employee paycheck as possible. Another reason for this is that they fear that a deduction payment sent to a third party might cause an investigation and uncover their fraud.

11.6. Explain the four steps of the risk-based audit approach, and discuss how they apply to the overall security of a company.

The risk-based audit approach provides a framework for conducting information system audits. It consists of the following 4 steps:
1. Determine the threats (fraud and errors) facing the company. This is a list of the accidental or intentional abuse and damage to which the system is exposed.
2. Identify the control procedures that prevent, detect, or correct the threats. These are all the controls that management has put into place and that auditors should review and test, to minimize the threats.
3. Evaluate control procedures. Controls are evaluated two ways. First, a systems review determines whether control procedures are actually in place. Second, tests of controls are conducted to determine whether existing controls work as intended.
4. Evaluate control weaknesses to determine their effect on the nature, timing, or extent of auditing procedures. If the auditor determines that control risk is too high because the control system is inadequate, the auditor may have to gather more evidence, better evidence, or more timely evidence. Control weaknesses in one area may be acceptable if there are compensating controls in other areas.

The risk-based approach provides auditors with a clearer understanding of the overall security of a company, including the fraud and errors that can occur in the company. It also helps them understand the related risks and exposures. In addition, it helps them plan how to test and evaluate internal controls, as well as how to plan subsequent audit procedures. The result is a sound basis for developing recommendations to management on how the AIS control system should be improved.

11.7. Compare and contrast the frameworks for auditing program development/acquisition and for auditing program modification.

The two are similar in that:
• They both deal with the review of software.
• They both are exposed to the same types of errors and fraud.
• They use many of the same control procedures, audit procedures (both systems review and tests of controls), and compensating controls, except that one set applies to program development and acquisition and the other set is tailored to address program modifications. These include management and user authorization and approval; thorough testing; review of the policies, procedures, and standards; and proper documentation. (Compare Tables 2 and 3 in the chapter.)

The two are dissimilar in that:
• The auditor’s role in systems development is to perform an independent review of systems development and acquisition activities. The auditor’s role in program modification is to perform an independent review of the procedures and controls used to modify software programs.
• There are some control procedures, audit procedures (both systems review and tests of controls), and compensating controls that are unique to program development and acquisition and others that are unique to program modifications. (Compare Tables 2 and 3 in the chapter.)
• Auditors test for unauthorized program changes, often on a surprise basis, in several ways that they do not have to test program development and acquisition. These include:
  o Using a source code comparison program to compare the current version of the program with the source code.
  o Reprocessing data using the source code and comparing the output with the company’s output.
  o Parallel simulation, where the auditor writes a program instead of using the source code to compare the outputs.

SUGGESTED SOLUTIONS TO THE PROBLEMS

11.1 You are the director of internal auditing at a university. Recently, you met with Issa Arnita, the manager of administrative data processing, and expressed the desire to establish a more effective interface between the two departments. Issa wants your help with a new computerized accounts payable system currently in development.
He recommends that your department assume line responsibility for auditing suppliers’ invoices prior to payment. He also wants internal auditing to make suggestions during system development, assist in its installation, and approve the completed system after making a final review. Would you accept or reject each of the following? Why?

a. The recommendation that your department be responsible for the pre-audit of supplier's invoices.

Internal auditing should not assume responsibility for pre-audit of disbursements. Objectivity is essential to the audit function, and internal auditors should be independent of the activities they must review. They should not prepare records or engage in any activity that could compromise their objectivity and independence. Furthermore, because internal auditing is a staff function, involvement in such a line function would be inconsistent with the proper role of an internal auditor.

b. The request that you make suggestions during system development.

It would be advantageous for internal auditing to make specific suggestions during the design phase concerning controls and audit trails to be built into a system. Internal auditing should build an appropriate interface with the Data Processing Department to help achieve this goal. Neither objectivity nor independence is compromised if the auditor makes recommendations for controls in the system under review. For example, internal auditing may:
• Provide a list of control requirements.
• Review testing plans.
• Determine that there are documentation standards and that they are being followed.
• Determine that the project itself is under control and that there is a system for gauging design progress.
Internal auditing must refrain, however, from actual participation in system design.

c. The request that you assist in the installation of the system and approve the system after making a final review.

The auditor must remain independent of any system they will subsequently audit. Therefore, the auditor must refrain from giving overall approval of the system in final review. The auditor may help in the installation or conversion of the system by continuing to offer suggestions for controls, particularly during the implementation period. In this situation, the auditor may review for missing segments, results of testing, and adequacy of documentation of program and procedures in order to determine readiness of the system for installation or conversion. After installation or conversion, the auditor may participate in a post-installation audit, either alone or as part of a team.
(CIA Examination, adapted)

11.2 As an internal auditor for the Quick Manufacturing Company, you are participating in the audit of the company’s AIS. You have been reviewing the internal controls of the computer system that processes most of its accounting applications. You have studied the company’s extensive systems documentation. You have interviewed the information system manager, operations supervisor, and other employees to complete your standardized computer internal control questionnaire. You report to your supervisor that the company has designed a successful set of comprehensive internal controls into its computer systems. He thanks you for your efforts and asks for a summary report of your findings for inclusion in a final overall report on accounting internal controls. Have you forgotten an important audit step? Explain. List five examples of specific audit procedures that you might recommend before reaching a conclusion.

The important audit step that has not been performed is tests of controls (sometimes called compliance tests). A system review only tells the auditor what controls are prescribed. Tests of controls allow the auditor to determine whether the prescribed controls are being adhered to and are operating effectively.
Examples of audit procedures that would be considered tests of controls are:
• Observe computer operations, data control procedures, and file library control procedures.
• Inquiry of key systems personnel with respect to the way in which prescribed control procedures are interpreted and implemented. A questionnaire or checklist often facilitates such inquiry.
• Review a sample of source documents for proper authorization.
• Review a sample of on-line data entries for authorization.
• Review the data control log, computer operations log, file librarian's log, and error log for evidence that prescribed policies are adhered to.
• Test data processing by submitting a set of hypothetical transactions and comparing system outputs with expected results.
• Trace selected transactions through the system and check their processing accuracy.
• Check the accuracy of a sample of batch totals.
• Review system operating statistics.
• Use a computer audit software package to edit data on selected master files and databases.

11.3 As an internal auditor, you have been assigned to evaluate the controls and operation of a computer payroll system. To test the computer systems and programs, you submit independently created test transactions with regular data in a normal production run. List four advantages and two disadvantages of this technique.

a. Advantages
• Does not require extensive programming knowledge
• Approach and results are easy to understand.
• The complete system may be reviewed.
• Results are often easily checked.
• An opinion may be formed as to the system's data processing accuracy.
• A regular computer program may be used.
• It may save time.
• The auditor gains experience.
• The auditor maintains control over the test.
• Invalid data can be submitted to test for rejections.

b. Disadvantages
• Impractical to test all error possibilities.
• May be unable to relate input data to output reports in a complex system.
• If independent files are not used, it may be difficult to reverse or back out test data.
• Preparation of satisfactory test transactions may be time consuming.
(CIA Examination, adapted)

11.4 You are involved in the audit of accounts receivable, which represent a significant portion of the assets of a large retail corporation. Your audit plan requires the use of the computer, but you encounter the following reactions: For each situation, state how the auditor should proceed with the accounts receivable audit.

a. The computer operations manager says the company’s computer is running at full capacity for the foreseeable future and the auditor will not be able to use the system for audit tests.
• The auditor should not accept this explanation and should arrange with company executives for access to the computer system.
• The auditor should recommend that the procedures manual spell out computer use and access for audits.

b. The computer scheduling manager suggests that your computer program be stored in the computer program library so that it can be run when computer time becomes available.
• The auditor should not permit the computer program to be stored because it could then be changed without the auditor's knowledge.

c. You are refused admission to the computer room.
• The auditor's charter should clearly provide for access to all areas and records of the organization.

d. The systems manager tells you that it will take too much time to adapt the auditor’s computer audit program to the computer’s operating system and that company programmers will write the programs needed for the audit.
• Auditors should insist on using their own computer audit program, since someone at the company may wish to conceal falsified data or records.
• Auditors should insist on using their own computer audit program to expedite the audit, simplify the application, and avoid misunderstanding.
(CIA Examination, adapted)

11.5 You are a manager for the CPA firm of Dewey, Cheatem, and Howe (DC&H). While reviewing your staff’s audit work papers for the state welfare agency, you find that the test data approach was used to test the agency’s accounting software. A duplicate program copy, the welfare accounting data file obtained from the computer operations manager, and the test transaction data file that the welfare agency’s programmers used when the program was written were processed on DC&H’s home office computer. The edit summary report listing no errors was included in the working papers, with a notation by the senior auditor that the test indicates good application controls. You note that the quality of the audit conclusions obtained from this test is flawed in several respects, and you decide to ask your subordinates to repeat the test. Identify three existing or potential problems with the way this test was performed. For each problem, suggest one or more procedures that might be performed during the revised test to avoid flaws in the audit conclusions.

Problem: Duplicate copy of the program may not be a true duplicate of the current version.
Suggested solutions:
• Source code comparison.
• Reprocessing (use previously valid program).
• Process test transactions concurrently with live ones, on a concealed basis.

Problem: Duplicate copy of the file may not be a true duplicate of the current version.
Suggested solutions:
• Obtain the live file and duplicate it under audit control.
• Process test transactions concurrently with live ones, on a concealed basis.

Problem: Programmer's test data file a. was not independently prepared, and b. may not have contained any erroneous transactions to test the program’s ability to detect errors.
Suggested solutions:
• Auditor must devise their own test transactions, either (a) manually, or (b) using a test data generator. Erroneous transactions should deliberately be included.

Problem: The test only checks the programs, not the source data controls, error procedures, etc.
Suggested solutions:
• Process test transactions concurrently with live ones, on a concealed basis.
• Use mini-company test (Integrated Test Facility).

Problem: Audit senior's conclusion has no basis (no supporting evidence).
Suggested solutions:
• Must predetermine the result of test data processing, and then compare these to actual results.

11.6 You are performing an information system audit to evaluate internal controls in Aardvark Wholesalers’ (AW) computer system. From an AW manual, you have obtained the following job descriptions for key personnel:

Director of information systems: Responsible for defining the mission of the information systems division and for planning, staffing, and managing the IS department.
Manager of systems development and programming: Reports to director of information systems. Responsible for managing the systems analysts and programmers who design, program, test, implement, and maintain the data processing systems. Also responsible for establishing and monitoring documentation standards.
Manager of operations: Reports to director of information systems. Responsible for management of computer center operations, enforcement of processing standards, and systems programming, including implementation of operating system upgrades.
Data entry supervisor: Reports to manager of operations. Responsible for supervision of data entry operations and monitoring data preparation standards.
Operations supervisor: Reports to manager of operations. Responsible for supervision of computer operations staff and monitoring processing standards.
Data control clerk: Reports to manager of operations. Responsible for logging and distributing computer input and output, monitoring source data control procedures, and custody of programs and data files.

a. Prepare an organizational chart for AW’s information systems division.
Director of Information Systems
    Manager of Operations
        Data Entry Supervision
        Operations Supervisor
        Data Control Clerk
    Manager of Systems Development and Programming

b. Name two positive and two negative aspects (from an internal control standpoint) of this organizational structure.

1. What is good about this organization structure:
• Systems development and programming are organizationally independent of the operations functions.
• Computer operations are organizationally independent of data entry and data control.

2. What is bad about this organization structure:
• The manager of operations is responsible for systems programming, which is a violation of segregation of systems duties.
• The data control clerk is responsible for the file library, which is a violation of segregation of systems duties.

c. What additional information would you require before making a final judgment on the adequacy of AW’s separation of functions in the information systems division?
• Is access to equipment, files, and documentation restricted and documented?
• Are activity logs for operating functions maintained and reviewed?
• Is there rotation of operations personnel and mandatory vacations?
• Is source data authorized?

11.7 Robinson’s Plastic Pipe Corporation uses a data processing system for inventory. The input to this system is shown in Table 11-7. You are using an input controls matrix to help audit the source data controls.

Table 11-7 Parts Inventory Transaction File
Field Name: Field Type
Item number: Numeric
Description: Alphanumeric
Transaction date: Date
Transaction type: Alphanumeric
Document number: Alphanumeric
Quantity: Numeric
Unit cost: Monetary

Prepare an input controls matrix using the format and input controls shown in Figure 11-3; however, replace the field names shown in Figure 11-3 with those shown in Table 11-7. Place checks in the matrix cells that represent input controls you might expect to find for each field.

Inventory transactions input control matrix:
RECORD NAME: Parts inventory transactions
FIELD NAMES: Item number, Description, Transaction date, Transaction type, Document number, Quantity, Unit cost, Comments
INPUT CONTROLS: Financial totals X Compute Total cost if possible Hash totals X X Record counts Yes Cross-footing balance Visual inspection Check digit verification Prenumbered forms Turnaround document Edit program No X X X X X All fields X Use prenumbered form No Yes X X X Sign check Validity check X X Sequence check Field check X X X X X X X Also for balance on hand X X Limit check Reasonableness test Completeness test Size check X X X X X X X Compare quantity with item number X All fields X X X X X X X All fields Other:

11.8 As an internal auditor for the state auditor’s office, you are assigned to review the implementation of a new computer system in the state welfare agency. The agency is installing an online computer system to maintain the state’s database of welfare recipients. Under the old system, applicants for welfare assistance completed a form giving their name, address, and other personal data, plus details about their income, assets, dependents, and other data needed to establish eligibility. The data are checked by welfare examiners to verify their authenticity, certify the applicant’s eligibility for assistance, and determine the form and amount of aid. Under the new system, welfare applicants enter data on the agency’s Web site or give their data to clerks, who enter it using online terminals. Each applicant record has a “pending” status until a welfare examiner can verify the authenticity of the data used to determine eligibility.
When the verification is completed, the examiner changes the status code to “approved,” and the system calculates the aid amount. Periodically, recipient circumstances (income, assets, dependents, etc.) change, and the database is updated. Examiners enter these changes as soon as their accuracy is verified, and the system recalculates the recipient’s new welfare benefit. At the end of each month, payments are electronically deposited in the recipient’s bank accounts. Welfare assistance amounts to several hundred million dollars annually. You are concerned about the possibilities of fraud and abuse.

a. Describe how to employ concurrent audit techniques to reduce the risks of fraud and abuse.

Auditors should be concerned about a dishonest welfare examiner or unauthorized person submitting fictitious transactions into the system. Fictitious transactions could cause excessive welfare benefits to be paid to a valid welfare recipient, or payments made to an ineligible or fictitious recipient.

The concurrent audit techniques needed most deal with submitting changes in record status from "pending" to "approved" and modifying welfare records to reflect changes in the recipient's circumstances. The auditor should verify that the system is set up to:
• check the password of every person who uses the system
• permit applicant records to be entered only by persons classified as "welfare clerks"
• permit transaction update records to be entered only by persons classified as "welfare examiners"
• capture and store the identity of the person entering every applicant record and transaction update record

The most useful concurrent audit technique to minimize the risk of fraudulent update transactions would be audit hooks.
These program subroutines would review every record entered into the system, capture all data relating to any record that is suspicious and possibly fraudulent, write these records on an audit log or file, and report these records to the audit staff on a real-time basis. Some examples of questionable records that audit hooks might be designed to flag would be:
• Any welfare application record that is entered into the system by someone other than one of the authorized welfare clerks, and especially if entered by a welfare examiner.
• Any welfare record status change or modification that is entered into the system by someone other than one of the authorized welfare examiners.
• Assuming that it takes a minimum of n days for a welfare examiner to verify the authenticity of the data provided by a welfare applicant, any record update transaction entered in less than n days of the original applicant record entry.
• Any welfare record modification transaction that causes a welfare recipient's benefits to increase by a significant amount (say, 20%), or to exceed some upper limit that is close to the maximum amount a recipient can collect.
• Any welfare record that is modified more than two or three times within a short period, such as two or three months.
• Any record modification transaction that involves a change in the recipient's address.
• Any welfare record where the recipient's address is a post office box.
• Any welfare record that is not modified within a five-year period.
• Any attempt to access the system by someone not able to supply a valid welfare clerk or welfare examiner password.
• Any record entered into the system at a time of day other than during the agency's normal business hours, or one that is entered during a weekend or holiday period.
Undoubtedly, other useful audit hooks could be identified.
The audit staff should "brainstorm" about methods that a fraud perpetrator could use to defraud the system, and develop audit hooks to counteract plausible fraud schemes. As the audit staff receives the data captured by these audit hooks, they must promptly follow up to verify the validity of the data in each questionable record.

The auditor should verify that the program code that calculates welfare recipient's benefits is thoroughly tested during the implementation process. She should copy the program code so it can be compared with the code that is in use at subsequent intervals. To supplement this procedure, as well as to provide additional protection against a possible fraud perpetrator, the auditor could add another audit hook that captures relevant data relating to any attempt to access and modify the welfare processing program itself.

b. Describe how to use computer audit software to review the work welfare examiners do to verify applicant eligibility data. Assume that the state auditor’s office has access to other state and local government agency databases.

Computer audit software can process the welfare recipient database against other databases that contain data about welfare recipients, identify any discrepancies in the data items used to determine eligibility for benefits and/or calculate the amount of benefits, and report these discrepancies to the audit staff. Other possible databases that might be used for this purpose would include:
• State income tax records, which contain data on the income and dependents of welfare recipients.
• State unemployment and/or disability compensation records, which contain data on other sources of income for welfare recipients.
• State motor vehicle registration records, which might contain data about valuable assets owned by welfare recipients.
• Property tax records, which might contain data about valuable assets owned.
• Death records, which would reflect changes in eligibility for benefits. The reason it is important to review these is that a very common fraud scheme involves failure to enter a death record, followed by the diversion of subsequent benefit checks.

If a welfare recipient does not appear in any of the first four databases listed above, it would raise the issue of whether the person exists at all (e.g., is the welfare recipient a fictitious person?). To investigate this, driver license registration records and voter registration records could also be checked. If the recipient does not show up there, the audit staff should probably insist that a Welfare Agency employee (other than a welfare examiner) verify the recipient's existence. If a recipient appears in the death records database, it represents either deliberate fraud or failure to update the welfare records properly.

The use of computer audit software serves two purposes. First, it helps reduce the risk of system abuse by welfare applicants who provide inaccurate or incomplete data about the factors on which benefit calculations are based. Welfare examiners are responsible for identifying such cases, but may not always do so effectively, so audit reviews of this kind provide a second line of defense against this form of abuse. Second, it should increase the chance that the audit staff will identify cases where a welfare examiner attempts to perpetrate fraud by entering false records into the system. Combined with the audit hooks described in part (a), the use of computer audit software should provide strong assurance that the risks of fraud and abuse have been minimized.

11.9 Melinda Robinson, the director of internal auditing at Sachem Manufacturing Company, believes the company should purchase software to assist in the financial and procedural audits her department conducts.
Robinson is considering the following software packages:

• A generalized audit software package to assist in basic audit work, such as the retrieval of live data from large computer files. The department would review this information using conventional audit investigation techniques. The department could perform criteria selection, sampling, basic computations for quantitative analysis, record handling, graphical analysis, and print output (i.e., confirmations).
• An ITF package that uses, monitors, and controls dummy test data processed by existing programs. It also checks the existence and adequacy of data entry and processing controls.
• A flowcharting package that graphically presents the flow of information through a system and pinpoints control strengths and weaknesses.
• A parallel simulation and modeling package that uses actual data to conduct the same tests using a logic program developed by the auditor. The package can also be used to seek answers to difficult audit problems (involving many comparisons) within statistically acceptable confidence limits.

(CMA Examination, adapted)

a. Without regard to any specific computer audit software, identify the general advantages of using computer audit software to assist with audits.

• Audits can be more efficient, saving labor time spent on routine calculations. The routine operations of footing extensions, transcription between reports, report generation, etc., are performed by the computer.
• The auditor's time spent on the audit is more analytical than clerical.
• The auditor can examine more records and extract data more readily through ad hoc reporting.
• Computer-generated reports and schedules are more objective and professional, improving data communication.
• Audit sampling is improved. Any bias in sample selection is eliminated because of assured randomness. This has a direct effect on sampling precision, reliability, and audit accuracy.
• Possible to check 100% of all records in a file or database

b. Describe the audit purpose facilitated and the procedural steps to be followed by the internal auditor in using the following:

Generalized audit software package.
The purpose of generalized audit software programs is to perform a variety of auditing operations on the computer files used to store the information. The steps to be followed by the internal auditor to use generalized computer audit software would include things such as planning and designing the audit application.

Integrated test facility package.
An integrated test facility (ITF) can be used to test both source data controls and processing controls as follows:
• Select and prepare the test transactions to be passed through the ITF. These transactions must be representative of all of the transactions the dummy unit emulates. All types of valid and invalid transactions must be used and blended with regular transactions over time to test the system properly under normal conditions.
• Review all output and processing routines including a comparison of actual results to predetermined results.

Flowcharting package
The purpose of a control flowcharting package is to interpret the program source code and generate a program flowchart corresponding to it in order to facilitate the review of internal controls. To use a control flowcharting package, the internal auditor should:
• Establish the audit objective by identifying the systems and programs to be tested.
• Review manuals and documentation of the system and interview involved personnel to get an overview of the operations to be tested.

Parallel simulation and modeling package
The purpose of a parallel simulation package is to ensure that organizational objectives are being met, ensure compliance to technical standards, and detect unauthorized program changes.
To use a parallel simulation package:
• Run the same data used in the company's current application program using the "simulated" application program.
• Compare the results from the "simulated" application with the results from the company's current application program to verify that objectives are being met.

11.10 The fixed-asset master file at Thermo-Bond includes the following data items:

Asset number
Description
Type code
Location code
Date of acquisition
Original cost
Date of retirement (99/99/2099 for assets still in service)
Depreciation method code
Depreciation rate
Useful life (years)
Accumulated depreciation at beginning of year
Year-to-date depreciation

Explain several ways auditors can use computer audit software in performing a financial audit of Thermo-Bond’s fixed assets.

• Edit the file for obvious errors or inconsistencies such as:
  o Retired assets that have a non-zero net value.
  o Retirement date that precedes acquisition date.
  o Accumulated depreciation that exceeds original cost.
  o Useful life that exceeds a reasonable limit (such as 40 years).
  o Invalid type code, location code, or depreciation method code.
  o Numeric fields that contain non-numeric data.
• Recalculate year-to-date depreciation for each asset record, compare to the amount in the record, and list all asset records for which a discrepancy exists.
• Prepare a list of all assets retired during the current year for comparison to supporting documents.
• Prepare a list of all assets acquired during the current year, by location, for possible physical examination by the auditor.
• Select a sample of assets, stratified by net dollar value, and sorted and listed by location, for possible physical examination by the auditor.
• Foot the entire file to obtain file totals for total original cost, total accumulated depreciation, total current year depreciation, and total cost of current year acquisitions, for comparison to externally maintained records.

11.11 You are auditing the financial statements of a cosmetics distributor that sells thousands of individual items. The distributor keeps its inventory in its distribution center and in two public warehouses. At the end of each business day, it updates its inventory file, whose records contain the following data:

Item number
Item description
Quantity-on-hand
Item location
Cost per item
Date of last purchase
Date of last sale
Quantity sold during year

You will use audit software to examine inventory data as of the date of the distributor’s physical inventory count. You will perform the following audit procedures:

1. Observe the distributor’s physical inventory count at year-end and test a sample for accuracy.
2. Compare the auditor’s test counts with the inventory records.
3. Compare the company’s physical count data with the inventory records.
4. Test the mathematical accuracy of the distributor’s final inventory valuation.
5. Test inventory pricing by obtaining item costs from buyers, vendors, or other sources.
6. Examine inventory purchase and sale transactions on or near the year-end date to verify that all transactions were recorded in the proper accounting period.
7. Ascertain the propriety of inventory items located in public warehouses.
8. Analyze inventory for evidence of possible obsolescence.
9. Analyze inventory for evidence of possible overstocking or slow-moving items.
10. Test the accuracy of individual data items listed in the distributor’s inventory master file.

Describe how the use of the audit software package and a copy of the inventory file data might be helpful to the auditor in performing each of these auditing procedures. (CPA Examination, adapted)

Audit Procedure / How Audit Software Can Help

1. Audit procedure: Observe the distributor’s physical count of inventories as of a given date, and test a sample of the distributor’s inventory counts for accuracy.
   How audit software can help: Determine which items are to be test counted by taking a random sample of a representative number of items from the inventory file as of the date of the physical count.
2. Audit procedure: Compare the auditor’s test counts to the inventory records.
   How audit software can help: Arrange test counts in a format identical to the inventory file, and then match the counts.
3. Audit procedure: Compare physical count data to the inventory records.
   How audit software can help: Compare the total of the extended values of all inventory items counted, and the extended values of each inventory item counted, to the inventory records.
4. Audit procedure: Test the mathematical accuracy of the distributor’s final inventory valuation.
   How audit software can help: Calculate the dollar value of each inventory item counted by multiplying the quantity on hand by the cost per unit, and then verify the addition of the extended dollar values.
5. Audit procedure: Test the pricing of the inventory by obtaining a list of costs per item from buyers, vendors, or other sources.
   How audit software can help: Compare the unit costs on the auditor’s price test to those on the inventory file.
6. Audit procedure: Examine inventory purchase and sale transactions on or near the year-end date to verify that all such transactions were recorded in the proper accounting period.
   How audit software can help: Take a sample of inventory file items for which the date of last purchase and date of the last sale are on or immediately prior to the date of the physical count, which is usually at fiscal year end.
7. Audit procedure: Ascertain the propriety of items of inventory located in public warehouses.
   How audit software can help: Prepare a list of items located in public warehouses.
8. Audit procedure: Analyze inventory for evidence of possible obsolescence.
   How audit software can help: Prepare a list of items on the inventory file for which the date of last sale indicates a lack of recent transactions.
9. Audit procedure: Analyze inventory for evidence of possible overstocking or slow-moving items.
   How audit software can help: Prepare a list of items on the inventory file for which the quantity on hand is excessive in relation to the quantity sold during the year.
10. Audit procedure: Test the accuracy of individual data items listed in the distributor’s inventory master file.
   How audit software can help: Prepare a list of items, if any, with negative quantities or costs.

11.12 Which of the following should have the primary responsibility to detect and correct data processing errors? Explain why that function should have primary responsibility and why the others should not. (CPA Examination, adapted)

a. The data processing manager – The data processing manager should have primary responsibility to detect and correct data processing errors. The data processing manager has primary responsibility for the four stages of the data processing cycle, which are data input, data processing, data storage, and information output. Setting up a system that will detect and correct data processing errors falls squarely into the data processing cycle.

b. The computer operator – Although the computer operator is responsible for the operation of the hardware and software of the organization, he is not responsible for detecting and correcting data processing errors. Being able to both process data and correct data processing errors would allow the operator to “fix” non-existent errors in a way that would benefit the operator personally; that is, it would allow the perpetrator to commit and conceal fraud.

c. The corporate controller – The corporate controller has overall responsibility for the operation of the accounting function, but would not have primary responsibility to detect and correct data processing errors.

d. The independent public accountant – The independent auditor has no responsibility to detect and correct a client’s data processing errors. The independent auditor’s responsibility is to attest to fairness of the financial statements.

SUGGESTED SOLUTIONS TO THE CASES

11.1 You are performing a financial audit of the general ledger accounts of Preston Manufacturing. As transactions are processed, summary journal entries are added to the general ledger file at the end of the day. At the end of each day, the general journal file is processed against the general ledger control file to compute a new current balance for each account and to print a trial balance. The following resources are available as you complete the audit:

• Your firm’s generalized computer audit software
• A copy of the general journal file for the entire year
• A copy of the general ledger file as of fiscal year-end (current balance = year-end balance)
• A printout of Preston’s year-end trial balance listing the account number, account name, and balance of each account on the general ledger control file

Create an audit program for Preston Manufacturing. For each audit step, list the audit objectives and the procedures you would use to accomplish the audit program step.

General Journal
Field Name                     Field Type
Account number                 Numeric
Amount                         Monetary
Debit/credit code              Alphanumeric
Date (MM/DD/YY)                Date
Reference document type        Alphanumeric
Reference document number      Numeric

General Ledger Control
Field Name                     Field Type
Account number                 Numeric
Account name                   Alphanumeric
Beginning balance/year         Monetary
Beg-bal-debit/credit code      Alphanumeric
Current balance                Monetary
Cur-bal-debit/credit code      Alphanumeric

AUDIT PROGRAM / AUDIT OBJECTIVES AND PROCEDURES

a. Edit the general journal file for errors and inconsistencies such as:
• Invalid debit/credit code or document type.
• Date not within current fiscal year.
• Missing data values.
• Non-numeric data in account number, amount, or document number fields.
Objective: Evaluate the quality of the file data.
Procedures: Review error listing for common error patterns; initiate correction of the errors; trace cause of errors if possible.

b. Edit the general ledger file for errors and exceptions such as:
• Invalid debit/credit codes.
• Missing data values.
• Non-numeric data in account number or balance fields.
Objective: Evaluate the quality of the file data.
Procedures: Review error listing for common error patterns; initiate error correction; trace cause of errors.

c. Select a sample of general journal transactions, stratified by dollar value. Sort and list by document type.
Objective: Test the transaction data entry accuracy.
Procedures: Compare transaction data values to source documents and identify discrepancies. Initiate correction of all errors discovered.

d. Merge the general journal and general ledger files by account number, and list all unmatched general journal entries. (or look them up in the appropriate tables)
Objective: Test transaction data entry accuracy.
Procedures: Compare unmatched transaction data values to source documents; initiate error correction.

e. Recalculate each ledger account’s current balance from the beginning balance and the general journal amounts, and list any discrepancies between the recalculated balance and the file balance.
Objective: Test current ledger balance accuracy.
Procedures: Review discrepancies to see if the transaction amounts or ledger balances are erroneous; initiate appropriate corrections.

f. Prepare comparative financial statements for the current and prior year, including selected liquidity, profitability, and capital structure ratios.
Objective: Identify accounts to be investigated in detail.
Procedures: Analytical review of ratios and trends to search for unusual account balances.

g. Analyze selected accounts, listing the beginning balance, all transactions, and the current balance for the allowance for bad debts, notes receivable from officers, capital stock, etc.
Objective: Provide reference data for accounts the auditor wishes to investigate in detail.
Procedures: Review, analysis and investigation of specific accounts as appropriate.

CHAPTER 12
THE REVENUE CYCLE: SALES AND CASH COLLECTIONS
SUGGESTED ANSWERS TO DISCUSSION QUESTIONS

12.1 Customer relationship management systems hold great promise, but their usefulness is determined by the amount of personal data customers are willing to divulge. To what extent do you think concerns about privacy-related issues affect the use of CRM systems?

The basic issue concerns the willingness of consumers to divulge the kind of information that would allow companies to personalize the sales interaction versus concerns that such information would be misused or sold to other parties. In addition, with the growing problem of identity theft, consumers are becoming increasingly concerned about the safety and security of their personal information. Companies that wish to collect this data will most likely have to demonstrate the need for this information to the consumer as well as the company’s ability to keep this information secure.

12.2 Some products, like music and software, can be digitized. How does this affect each of the four main activities in the revenue cycle?

Digitized products do not change the four basic business activities of the revenue cycle. For all products, whether digitized or not, an order must be taken, the product shipped, the customer billed, and cash collected. The only thing that digitized products change is inventory management as products do not need to be removed from a warehouse to be delivered. However, a copy of a product must be shipped (usually electronically, but in some cases it may need to be burned on a DVD and then shipped).

12.3 Many companies use accounts receivable aging schedules to project future cash inflows and bad-debt expense. Review the information typically presented in such a report (see Figure 12-8).
Which specific metrics can be calculated from those data that might be especially useful in providing early warning about looming cash flow or bad-debt problems?

The accounts receivable aging report shows dollar amounts outstanding by number of days past due by customer and by invoice. The following metrics can provide useful early warnings about looming cash flow or bad-debt problems.

• The percentage of total accounts receivable categorized by days past due would alert management of categories that are increasing. This could also be reported by customer and by invoice. This way if a particular invoice was not being paid, the company could more quickly identify the invoice, contact the customer, and potentially resolve any problems or disputes about the particular invoice.
• Reporting by customer can help to identify chronic “slow paying” customers so that corrective action could be taken such as offering discounts for quick payment, changes in terms, and notifying the credit manager to restrict credit for this particular customer.
• The company may have a threshold for each category of past due accounts either in percentages or absolute dollars. A metric could be calculated and presented that highlights the categories exceeding that threshold.

12.4 Table 12-1 suggests that restricting physical access to inventory is one way to reduce the threat of theft. How can information technology help accomplish that objective?

Possibilities include:

• Electronic locks on all entrances and exits to the inventory area.
• Smart card technology where employees must scan their ID card prior to entering/exiting the inventory area.
• Biometric access controls (fingerprint reader, face recognition software, etc.)
• Attach RFID tags to inventory items and install RFID tag scanners at each exit of the inventory area.
• Install and monitor surveillance cameras in the inventory area.
12.5 Invoiceless pricing has been adopted by some large businesses for B2B transactions. What are the barriers, if any, to its use in B2C commerce?

Many companies are trying to incent their customers to sign up for automatic bill-pay. The primary barrier is consumer resistance to or fear of online bill payment in general. However, there are also problems on the seller side, particularly with regard to billing disputes. A related issue is the threat of asset misappropriation: how easily can the seller attempt to recover items sold to the consumer?

12.6 The use of some form of electronic “cash” that would provide the same kind of anonymity for e-commerce that cash provides for traditional physical business transactions has been discussed for a long time. What are the advantages and disadvantages of electronic cash to customers? To businesses? What are some of the accounting implications of using electronic cash?

Any form of electronic or digital cash has the same audit risks as physical cash: susceptibility to theft and loss of an audit trail. In addition, digital “cash” also has risks associated with the durability of the store of value: to what extent can the cash be recovered if the storage media becomes defective? Another issue concerns the potential loss of privacy, because the digital currency can be “marked” in a manner that enables tracing its path through the economy. Finally, there is the question of how to provide and maintain an adequate audit trail to prevent unscrupulous businesses from “skimming” digital cash sales and thereby underreporting sales for tax purposes.

SUGGESTED ANSWERS TO THE PROBLEMS

12.1 Match the term in the left column with its definition in the right column.

1. __d__ CRM system
2. __g__ Open-invoice method
3. __a__ Credit memo
4. __h__ Credit limit
5. __b__ Cycle billing
6. __c__ FEDI
7. __n__ Remittance advice
8. __j__ Lockbox
9. __k__ Back order
10. __m__ Picking ticket
11. __l__ Bill of lading

a. Document used to authorize reducing the balance in a customer account
b. Process of dividing customer account master file into subsets and preparing invoices for one subset at a time
c. System that integrates EFT and EDI information
d. System that contains customer-related data organized in a manner to facilitate customer service, sales, and retention
e. Electronic transfer of funds
f. Method of maintaining accounts receivable that generates one payment for all sales made the previous month
g. Method of maintaining customer accounts that generates payments for each individual sales transaction
h. Maximum possible account balance for a customer
i. Electronic invoicing
j. Post office box to which customers send payments
k. Document used to indicate stock outs exist
l. Document used to establish responsibility for shipping goods via a third party
m. Document that authorizes removal of merchandise from inventory
n. Turnaround document returned by customers with payments

12.2 What internal control procedure(s) would provide protection against the following threats?

a. Theft of goods by the shipping dock workers, who claim that the inventory shortages reflect errors in the inventory records.

Inventory clerks should count and document goods (on paper or by computer) as they leave inventory storage. Shipping personnel should be required to count and document receipt of goods from the finished goods storeroom to acknowledge responsibility for custody of the goods transferred. Counting goods when they are received and when they are sent to inventory storage as well as when goods leave inventory storage and are sent to shipping helps maintain control over inventory. Reconciling the two sets of counts makes it more difficult for employees to steal inventory as it is received and shipped.

b. Posting the sales amount to the wrong customer account because a customer account number was incorrectly keyed into the system.

If the transactions are being entered online, closed loop verification could be used. The system could respond to the operator entering the account number by retrieving and displaying the customer's name for the operator to review. If the transactions are being entered in batches, redundant data such as the first five characters of the customer's name could be included in each input record; after finding a match on customer account number, the system would also verify that the name characters match before posting the transaction. Note that a validity check would only tell you if a valid customer number was entered, not if the correct valid customer number was entered. Likewise, check digit verification could tell you if the customer number existed, but not if it was the right customer number.

c. Making a credit sale to a customer who is already four months behind in making payments on his account.

Up-to-date credit records must be maintained to control this problem. During the credit approval process, the credit manager should review the accounts receivable aging schedule to identify customers with past-due balances to prevent additional sales to those customers. Alternatively, the computer system could be programmed to determine if the customer had any past due balances over a specified length of time (such as 60 days). If not, the sale would be approved. If they had a past-due balance, a notice could be sent to the credit manager who could review the sale and make a decision about extending additional credit.

A credit limit check would not be sufficient, because a customer could have a balance below the credit limit but be past due. A computer system could be programmed to check both credit limit and past due accounts and authorize sales.
Sales not passing either the credit limit or the past due test would be sent to the credit manager for a decision.

d. Authorizing a credit memo for a sales return when the goods were never actually returned.

A receiving report should be required before a credit for sales returns is issued. The system should be configured to block issuance of credit memos without the required documentation that the goods have been returned.

e. Writing off a customer’s accounts receivable balance as uncollectible to conceal the theft of subsequent cash payments from that customer.

The problem usually occurs because the same individual writes off accounts and processes cash payments. Therefore, the best control procedure to prevent this problem is to separate the function of authorizing write-offs of uncollectible accounts from the function of handling collections on account.

f. Billing customers for the quantity ordered when the quantity shipped was actually less due to back ordering of some items.

Shipping personnel should be required to record the actual quantity shipped on the order document and/or enter the quantity shipped into the accounting system, in order that bills can be prepared based upon the quantity shipped rather than the quantity ordered. The system should be configured to generate invoices automatically based on the quantity shipped.

g. Theft of checks by the mailroom clerk, who then endorsed the checks for deposit into the clerk’s personal bank account.

In order to cover up this theft, the mailroom clerk has to be able to alter the accounts receivable records. Otherwise, a customer who is subsequently notified that they are past due will complain and provide proof that they sent in payment. Therefore, the critical control is to segregate duties so that whoever opens the mail does not have the ability to maintain customer accounts.
If accounts receivable updates the records based on a cash receipts pre-list instead of the actual checks, the mailroom clerk could conceivably lap payments. To prevent this, the cash receipts pre-list could be compared to the checks before the list is sent to accounts receivable. The checks should not be sent to accounts receivable as the accounts receivable clerk could perform the lapping.

Other deterrents used to deter theft of checks by the mailroom clerk include having two people open the mail, using video cameras to tape the check opening process, and utilizing a bank lockbox.

h. Theft of funds by the cashier, who cashed several checks from customers.

In order to cover up this theft, the cashier has to be able to alter the accounts receivable records. Otherwise, a customer who is subsequently notified that they are past due will complain and provide proof that they sent in payment. Therefore, the critical control is to segregate the duties of handling cash and making deposits from the maintenance of accounts receivable records.

One way to control cash receipts is shown below. The mailroom creates a cash prelist, sends a copy to a 3rd party, and sends the checks to the cashier. The cashier prepares duplicate deposit slips, sends the original to the bank with the checks, and sends a copy to the 3rd party. When the checks are deposited, the bank sends a copy of the validated deposit slip to the 3rd party, who compares all three documents to make sure all cash is deposited.

[Figure: flow of checks, cash prelist, deposit slip, and validated deposit slip among the mailroom, cashier, bank, and 3rd party. The 3rd party compares the cash prelist, the deposit slip from the cashier, and the validated deposit slip from the bank.]

i. Theft of cash by a waiter who destroyed the customer sales ticket for customers who paid cash.
In a manual system, all sales tickets should be prenumbered and accounted for so management can detect missing sales tickets. In many restaurant systems, waiters cannot get food out of the kitchen without entering a customer order into the system. The system creates a prenumbered sales document that must be cleared by the waiter that day. This prevents the waiter from destroying sales tickets and giving people free food.

These systems also are capable of some reasonableness tests such as:

Beginning inventory of food - Food used in the sales orders that day = Ending inventory of food

The ending inventory of food is counted and compared to the projected ending inventory to determine if food items are missing. This check is most frequently used for expensive items of food like steak, shrimp, lobster, etc.

j. Shipping goods to a customer but then failing to bill that customer.

To prevent this from occurring deliberately, it is necessary to segregate the shipping and billing functions. To prevent this from happening by accident, the system needs to automatically bill customers for shipments. The system should also be configured to periodically reconcile all shipments with a billing and generate reports of unbilled shipments for management review and corrective action.

k. Lost sales because of stockouts of several products for which the computer records indicated there was adequate quantity on hand.

Regular physical inventory counts need to be made, the results compared to recorded amounts on hand, and needed adjustments to inventory quantities made. In this scenario, it is possible that the judgment as to what is “adequate quantity on hand” was inaccurate. This quantity can be improved using an accurate sales forecasting system and frequently reviewing and revising the forecasts as needed.

l. Unauthorized disclosure of buying habits of several well-known customers.
Access to customer information should be restricted using User IDs, passwords, and an access control matrix. Employees given such access need to be trained to follow the organization’s privacy policies. In addition, encryption of the data would prevent snooping by IT employees who do not have direct access to the application system. Otherwise, such employees may be able to use their access to the operating system to be able to view data.

m. Loss of all information about amounts owed by customers in New York City because the master database for that office was destroyed in a fire.
Data: Regular backups with copies being stored off-site.
Hardware and software: Hot or cold site arrangements for both
Recovery: Disaster recovery plan developed, tested, and in place

n. The company’s Web site was unavailable for seven hours because of a power outage.
A UPS can power a system for a time, but most are unlikely to be able to power a system for seven hours. Two better options are
• Backup power generators capable of running the web site for seven hours
• Real-time mirroring, with the system switching over to the other site when the system went down.

o. Interception and theft of customers’ credit card numbers while being sent to the company’s Web site.
Encryption of credit card information prior to transmitting over the Internet. Typically this involves using SSL.

p. A sales clerk sold a $7,000 wide-screen TV to a friend and altered the price to $700.
• All product prices and sales discounts maintained in the system
• Use of barcodes and RFID tags to identify the product and sales price
• A system configured to give sales clerks read-only access to pricing data to prevent them from changing the price.
• Supervisor approvals for any needed changes or discounts to the listed price
• A log of all system overrides and supervisor changes to prices

q. A shipping clerk who was quitting to start a competing business copied the names of the company’s 500 largest customers and offered them lower prices and better terms if they purchased the same product from the clerk’s new company.
Shipping clerks should not have access to customer account information. Access (and attempted access) to customer records should be logged and reports reviewed to verify that only authorized employees see that information.

r. A fire in the office next door damaged the company’s servers and all optical and magnetic media in the server room. The company immediately implemented its disaster recovery procedures and shifted to a backup center several miles away. The company had made full daily backups of all files and stored a copy at the backup center. However, none of the backup copies were readable.
Periodically practicing and testing the backup and restoration process would verify its effectiveness.

12.3 For good internal control, which of the following duties can be performed by the same individual?
1. Approve changes to customer credit limits
2. Sales order entry
3. Shipping merchandise
4. Billing customers
5. Depositing customer payments
6. Maintaining accounts receivable
7. Issuing credit memos
8. Reconciling the organization’s bank accounts
9. Checking inventory availability

Cells with an “X” indicate duties that can be performed by the same individual:

Duty  1  2  3  4  5  6  7  8  9
1
2                             X
3
4                    X
5
6
7
8
9

For sound internal control, most of these duties need to be performed by different people. There are two exceptions:
• The same person can take customer orders and check inventory availability because this combination does not provide any way to commit and conceal a theft.
• The same person can create invoices (bill customers) and maintain accounts receivable.

Key duties to segregate include:
• Approving changes to customer credit and sales order entry.
If both duties are performed by the same person, they could authorize sales to friends that are subsequently not paid.
• Shipping and billing. If the same person performs both duties, they could ship merchandise to friends without billing them.
• Depositing customer payments and maintaining accounts receivable. If the same person performs both duties, they could commit the fraud known as lapping (stealing payments and covering it up by adjusting the accounts so that the customer does not complain about a missing credit).
• Depositing customer payments and issuing credit memos. If the same person performs both duties, they could steal payments and create a credit memo to cover up the theft and adjust the customer’s account so that they do not complain about a missing credit.
• Depositing customer payments and reconciling the bank account. If the same person did both duties, they could steal cash and cover up the difference by listing fraudulent bank expenses to adjust the cash balance.
• Maintaining accounts receivable and issuing credit memos. If the same person performed both tasks, they could write off their friends’ accounts.
• The remaining combinations are not desirable because they involve tasks that require significantly different skills and knowledge, so would be unlikely to be efficiently performed by the same person.

12.4 EXCEL PROJECT. (Hint: For help on steps b and c, see the article “Dial a Forecast,” by James A. Weisel, in the December 2006 issue of the Journal of Accountancy. The Journal of Accountancy is available in print or online at the AICPA’s Web site: www.aicpa.org)

Required:
a. Create a 12-month cash flow budget in Excel using the following assumptions:
• Initial sales of $5,000,000 with forecasted monthly growth of 1%
• 40% of each month’s sales for cash; 30% collected the following month; 20% collected 2 months later; 8% collected 3 months later; and 2% never collected
• Initial cash balance of $350,000

Formulas (the formulas for June – December are similar to those shown in the column for April and May)

b. Add a “spinner” to your spreadsheet that will enable you to easily change forecasted monthly sales growth to range from 0.5% to 1.5% in increments of 0.1%.
A “spinner” is a tool that enables the user to easily alter the values of a variable by clicking on the “spinner” rather than having to type in a new value. The spinner tool then displays how changing that variable changes the spreadsheet. As shown below, if you search for the word “spinner” in the built-in Excel help function, you will be directed to help for creating and using either a scroll bar or a spin button. Clicking on either the “Add a spin button” or “Add a scroll bar” entries in the Help Screen will walk you through the steps for how to add these tools to your spreadsheet.

In part b, we will create a spin button to change the assumed sales growth rate.

Step 1: Click on the “Developer” tab and then click on the “Insert” button as shown:

Step 2: In the drop-down menu that appears when you click on “Insert”, click on the “Spin button” option from the Active X controls choices (move your mouse over the various Active X choices to reveal their names – the Spin button is the larger pair of arrows). Then click on a cell that is two cells to the right of the one that contains your initial assumption for the sales growth rate (i.e., cell F5) which will result in the following:

Step 3: Now we have to link the spin button tool to the cell that we wish to manipulate. In this case, the objective is to be able to vary the sales growth rate (in cell D5) from 0.5% to 1.5%. However, the spin button tool can only increment variables in whole units, not percents. Therefore, we will change the value of the cell containing the monthly sales growth rate (cell D5) so that it equals cell E5 divided by 1000. Then we will be able to use the spin button to vary the sales growth rate from 5 to 15, which when divided by 1000 yields 0.5% to 1.5% as desired. After entering the value of 10 in cell E5 the spreadsheet will now look like this:

Step 4: Now right-click on the spin button, then select “Properties” and enter the following values:
Linked cell = E5
Max = 15
Min = 5
Smallchange = 1

Step 5: Click the “Design Mode” option in the tool bar to exit Design Mode. You can now click on the spin button and change the value of the sales growth rate. Notice how all of the values in the spreadsheet change simply by clicking the spin button arrows – no need to repeatedly type in the new sales growth rate value.

c. Add a scroll bar to your spreadsheet that will let you modify the amount of initial sales to vary from $4,000,000 to $6,000,000 in increments of $100,000.
A scroll bar is another spinner tool. The difference between a scroll bar and a spin button is that a scroll bar has a space between its arrows. This allows you to see how close you are to the upper and lower limits for the variable you are manipulating. The process of creating a scroll bar is very similar to that for creating a spin button.
Step 1: In Developer Tab, click on Design Mode to get back into Design Mode. Then click on Insert. Select the scroll bar option from the Active X choices that appear. (As before, moving your mouse over the choices reveals their names. The scroll bar option is the smaller pair of arrows). Move to cell F4 and click to enter the scroll bar there. Your spreadsheet should now look like this:

Step 2: Click on one corner of the scroll bar and drag it so that it fills cell F5 horizontally. Your spreadsheet should now look like this:

Step 3: As with the spin button, we have to link the scroll bar to the cell that will display the values we wish to vary. Our goal is to vary sales from $4,000,000 to $6,000,000 in increments of $100,000. The spinner tool, however, cannot work with such large values. Therefore, we will change cell D5 so that it equals our cell E5 times 1000. After changing the value of cell D5 and entering the value of 5000 in cell E5, your spreadsheet should now look like this:

Step 4: Now right-click on the scroll bar tool in cell F5, select properties, and enter the following values:
LinkedCell = E4
Max = 6000
Min = 4000
SmallChange = 100

Step 5: You can now click on the left and right arrows in the scroll bar to vary the amount of initial sales and see the effects ripple through the spreadsheet – without having to retype new initial sales values.

d. Design appropriate data entry and processing controls to ensure spreadsheet accuracy.
Chapter 10 describes the various data input validation controls that can be used. In this problem, students should be instructed to set reasonable range checks on the allowable values for the percentage of sales that are cash sales and what percentage of credit sales is never collected.
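The same input controls can be enforced wherever the budget is computed, not only in Excel. The following Python code is an added example, not part of the original solution: it applies a field check, range checks, and a cross-field check (collection percentages must total 100%) to the 12.4 assumptions before producing the monthly cash collections. The growth and initial-sales limits are the spin button and scroll bar ranges from parts b and c; the limits on the two percentages, and the treatment of month 1 as having no receivables carried in, are assumptions.

```python
from dataclasses import dataclass, fields

# Range checks (low, high) on the user-entered assumptions.
RANGE_CHECKS = {
    "initial_sales": (4_000_000, 6_000_000),  # scroll bar range from part c
    "monthly_growth": (0.005, 0.015),         # spin button range from part b
    "pct_cash": (0.20, 0.60),                 # assumed limits for illustration
    "pct_never_collected": (0.00, 0.05),      # assumed limits for illustration
}

# Every dollar of sales must fall into exactly one of these buckets.
COLLECTION_FIELDS = ("pct_cash", "pct_month_1", "pct_month_2",
                     "pct_month_3", "pct_never_collected")


@dataclass(frozen=True)
class Assumptions:
    """Input cells of the 12.4 budget; defaults are the values given in part a."""
    initial_sales: float = 5_000_000
    monthly_growth: float = 0.01
    pct_cash: float = 0.40
    pct_month_1: float = 0.30
    pct_month_2: float = 0.20
    pct_month_3: float = 0.08
    pct_never_collected: float = 0.02
    initial_cash: float = 350_000


def _is_number(value):
    # bool is a subclass of int, so it is excluded explicitly.
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def validate(a):
    """Return a list of edit-check failures; an empty list means all passed."""
    errors = []
    # Field check: every input cell must hold a number.
    bad = [f.name for f in fields(a) if not _is_number(getattr(a, f.name))]
    errors += [f"{name}: field check failed (not numeric)" for name in bad]
    # Range checks on the numeric inputs that have limits.
    for name, (low, high) in RANGE_CHECKS.items():
        if name in bad:
            continue
        value = getattr(a, name)
        if not low <= value <= high:
            errors.append(
                f"{name}: range check failed ({value} not in {low}..{high})")
    # Cross-field check: the collection pattern must account for 100% of sales.
    if not any(name in bad for name in COLLECTION_FIELDS):
        total = sum(getattr(a, name) for name in COLLECTION_FIELDS)
        if abs(total - 1.0) > 1e-9:
            errors.append(
                f"collection percentages total {total:.4f}, expected 1.0")
    return errors


def collections_schedule(a, months=12):
    """Monthly cash collections; refuses to compute from unvalidated input."""
    errors = validate(a)
    if errors:
        raise ValueError("; ".join(errors))
    sales = [a.initial_sales * (1 + a.monthly_growth) ** m
             for m in range(months)]
    lag = (a.pct_cash, a.pct_month_1, a.pct_month_2, a.pct_month_3)
    schedule = []
    for m in range(months):
        # Collect this month's cash sales plus lagged credit sales.
        # Assumption: no receivables exist before month 1.
        collected = sum(pct * sales[m - k]
                        for k, pct in enumerate(lag) if m - k >= 0)
        schedule.append(round(collected, 2))
    return schedule


if __name__ == "__main__":
    print(collections_schedule(Assumptions())[:4])
    print(validate(Assumptions(pct_cash=0.45)))
```

A cash-sales percentage of 45% passes its own range check here but still fails the cross-field check, which is the kind of error a per-cell range check alone does not catch.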
Excel’s built-in Data Validation tool can be used to create such range checks. For example, cell D6 contains the assumption for percentage of cash sales. To restrict the range of permissible values, click on that cell, then select the “Data Validation” option from the Data tab, and enter the allowable limits of the range check. Repeat the process for cell D10 (percent sales never collected).

In addition, user data entry should be restricted to the cells that contain the initial assumptions. All other cells in the spreadsheet should be locked.

12.5 For each of the following activities identify the data that must be entered by the employee performing that activity and list the appropriate data entry controls:

a. Sales order entry clerk taking a customer order

Data that must be entered: Appropriate Data Entry Edit Controls
User ID: Validity check; Compatibility test (is user authorized to perform this task?); Completeness check (cannot be null)
Password: Validity check; Compatibility test (is user authorized to perform this task?); Completeness check (cannot be null)
Customer number: Select from pull-down menu (validity check); Closed loop verification (system displays name that matches number selected); Completeness check (cannot be null)
Delivery method: Choose from pull-down list of options
Desired delivery date: Field check (date); Reasonableness check (compare difference between desired date and today’s date to preset tolerance limit)
Item number: Field check; Validity check; Check digit
Item quantity: Field check; Reasonableness check

Note: All other fields on the sample sales order entry screen (see Figure 12-6) can be completed by the system.

b. Shipping clerk completing a bill of lading for shipment of an order to a customer

Data that must be entered: Appropriate Data Entry Edit Controls
User ID: Validity check; Compatibility test (is user authorized to perform this task?); Completeness check (cannot be blank)
Password: Validity check; Compatibility test (is user authorized to perform this task?); Completeness check (cannot be blank)
Carrier name: Choose from pull-down list of approved carriers; Completeness check (cannot be blank)
Customer name (consigned to): Choose from pull-down list of customers; Completeness check (cannot be blank)
Number of packages: Field check (numeric only); Sign check (>0); Completeness check (cannot be blank)
Description: Completeness check (cannot be blank)
Weight: Field check (numeric only); Completeness check (cannot be blank)
Class or rate: Choose from pull-down menu of options; Completeness check (cannot be blank)

Note: All other fields on the sample bill of lading (see Figure 12-11) can be completed by the system.

12.6 Create a questionnaire checklist that can be used to evaluate controls for each of the four basic activities in the revenue cycle (sales order entry, shipping, billing, and cash collections).

a. For each control issue, write a Yes/No question such that a “No” answer represents a control weakness. For example, one question might be “Are customer credit limits set and modified by a credit manager with no sales responsibility?”
A wide variety of questions is possible. Below is a sample list:

Question                                                        Yes   No
1. Is access to master data restricted?
2. Is the master data regularly reviewed and all changes investigated?
3. Is sensitive data encrypted while stored in the database?
4. Does a backup and disaster recovery plan exist?
5. Have backup procedures been tested within the past year?
6. Are appropriate data entry edit controls used?
7. Are digital signatures required for online orders?
8. Are physical counts of inventory taken regularly and used to adjust the perpetual inventory records?
9. Are the credit approval and sales order entry tasks performed by separate individuals?
10. Are picking list quantities compared to sales orders?
11. Is physical access to inventory controlled?
12. Are reports of open sales orders regularly created and reviewed?
13. Are shipping documents reconciled with sales orders?
14. Are the shipping and billing functions performed by different individuals?
15. Are monthly statements mailed to customers?
16. Are the functions of processing customer payments and maintaining accounts receivable performed by separate individuals?
17. Is the bank account reconciled by someone other than the person who processes customer payments?
18. Are lockbox arrangements used?
19. Are customer credit limits set and modified by a credit manager with no sales responsibility?

b. For each Yes/No question, write a brief explanation of why a “No” answer represents a control weakness.

Question: Reason a “No” answer represents a weakness
1. Unrestricted access to master files could facilitate fraud by allowing employees to change account balances to conceal theft
2. Failure to investigate all changes to customer master data may allow fraud to occur because unauthorized changes to credit limits may not be detected.
3. Failure to encrypt sensitive data can result in unauthorized disclosure of personal information about customers
4. If a backup and disaster recovery plan does not exist, the organization may suffer loss of important data.
5. If the backup plan is not regularly tested, it may not work.
6. Without proper data entry edit controls, errors in sales order entry may occur resulting in shipments that are not billed, sending the wrong items, etc.
7. Without a digital signature, orders may be processed and sent that the customer later refuses, resulting in increased costs
8. Without periodic physical counts, the perpetual inventory records are likely to be incorrect, creating problems in filling customer orders on time
9. If the same individual approves changes in credit and takes customer orders, they can increase credit limits for friends which may result in sales that are not collected.
10. Not comparing picking lists to sales orders can result in shipping the wrong merchandise or the wrong quantities to customers.
11. If physical access to inventory is not restricted, theft may occur.
12. Failure to monitor sales orders may result in delays in filling customer orders
13. Failure to compare shipping documents to sales orders may result in errors in filling customer orders
14. Not segregating the billing and shipping functions increases the risk of deliberately not billing for shipments
15. Not mailing monthly statements to customers increases the risk of not detecting errors or fraud in maintaining accounts receivable
16. Not segregating handling of customer payments and maintenance of accounts receivable creates the possibility of lapping
17. If the bank account is reconciled by the same person who processes customer payments, theft can occur and be covered up by adjusting the bank balance on the bank reconciliation
18. Not using lockboxes, where feasible, creates delays in receiving customer payments which could result in cash flow problems
19. If credit limits are set by someone with sales responsibility, that person may be tempted to grant credit to customers to maximize sales (and thereby commissions or bonuses earned) without regard to the risk of having to write off the sales as uncollectible.

12.7 O’Brien Corporation is a midsize, privately owned, industrial instrument manufacturer supplying precision equipment to manufacturers in the Midwest.
The corporation is 10 years old and uses an integrated ERP system. The administrative offices are located in a downtown building and the production, shipping, and receiving departments are housed in a renovated warehouse a few blocks away.

Customers place orders on the company’s website, by fax, or by telephone. All sales are on credit, FOB destination. During the past year sales have increased dramatically, but 15% of credit sales have had to be written off as uncollectible, including several large online orders to first-time customers who denied ordering or receiving the merchandise.

Customer orders are picked and sent to the warehouse, where they are placed near the loading dock in alphabetical sequence by customer name. The loading dock is used both for outgoing shipments to customers and to receive incoming deliveries. There are ten to twenty incoming deliveries every day, from a variety of sources.

The increased volume of sales has resulted in a number of errors in which customers were sent the wrong items. There have also been some delays in shipping because items that supposedly were in stock could not be found in the warehouse. Although a perpetual inventory is maintained, there has not been a physical count of inventory for two years. When an item is missing, the warehouse staff writes the information down in a log book. Once a week, the warehouse staff uses the log book to update the inventory records.

The system is configured to prepare the sales invoice only after shipping employees enter the actual quantities sent to a customer, thereby ensuring that customers are billed only for items actually sent and not for anything on back order.

Identify at least three weaknesses in O’Brien Corporation’s revenue cycle activities. Describe the problem resulting from each weakness. Recommend control procedures that should be added to the system to correct the weakness.
(CMA Examination, adapted)

Weaknesses and Potential Problem(s), each followed by Recommendation(s) to Correct Weaknesses:

1. Orders from new customers do not require any form of validation, resulting in several large shipments being sent and never paid for.
Recommendation(s): Require digital signatures on all online orders from new customers. Require a written customer purchase order as confirmation of telephone and fax orders.

2. Customer credit histories are not checked before approving orders, resulting in excessive uncollectible accounts.
Recommendation(s): Customers’ credit should be checked and no sales should be made to those that do not meet credit standards.

3. Outgoing shipments are placed near the loading dock door without any physical security. The loading dock is also used to receive incoming deliveries. This increases the risk of theft, which may account for the unexplained shortages in inventory.
Recommendation(s): Separate the shipping and receiving docks. Physically restrict access to the loading dock area where customer orders are placed.

4. Physical counts of inventory are not made at least annually. This probably accounts for the inaccuracies in the perpetual inventory records and may also prevent timely detection of theft.
Recommendation(s): Physical counts of inventory should be made at least once a year. Inventory records discrepancies should be corrected and investigated.

5. Shipments are not reconciled to sales orders, resulting in sending customers the wrong items.
Recommendation(s): The system should be configured to match shipping information to sales orders and alert the shipping employees of any discrepancies.

6. The perpetual inventory records are only updated weekly. This contributes to the unanticipated shortages that result in delays in filling customer orders.
Recommendation(s): The warehouse staff should enter information about shortages as soon as they are discovered.

12.8 Parktown Medical Center, Inc. is a small health care provider owned by a publicly held corporation.
It employs seven salaried physicians, ten nurses, three support staff, and three clerical workers. The clerical workers perform such tasks as reception, correspondence, cash receipts, billing, and appointment scheduling. All are adequately bonded. Most patients pay for services rendered by cash or check on the day of their visit. Sometimes, however, the physician who is to perform the respective services approves credit based on an interview. When credit is approved, the physician files a memo with one of the clerks to set up the receivable using data the physician generates. The servicing physician prepares a charge slip that is given to one of the clerks for pricing and preparation of the patient’s bill. At the end of the day, one of the clerks uses the bills to prepare a revenue summary and, in cases of credit sales, to update the accounts receivable subsidiary ledger. The front office clerks receive cash and checks directly from patients and give each patient a prenumbered receipt. The clerks take turns opening the mail. The clerk who opens that day’s mail immediately stamps all checks “for deposit only.” Each day, just before lunch, one of the clerks prepares a list of all cash and checks to be deposited in Parktown’s bank account. The office is closed from 12 noon until 2:00 p.m. for lunch. During that time, the office manager takes the daily deposit to the bank. During the lunch hour, the clerk who opened the mail that day uses the list of cash receipts and checks to update patient accounts. The clerks take turns preparing and mailing monthly statements to patients with unpaid balances. One of the clerks writes off uncollectible accounts only after the physician who performed the respective services believes the account will not pay and communicates that belief to the office manager. The office manager then issues a credit memo to write off the account, which the clerk processes. 
The office manager supervises the clerks, issues write-off memos, schedules appointments for the doctors, makes bank deposits, reconciles bank statements, and performs general correspondence duties. Additional services are performed monthly by a local accountant who posts summaries prepared by the clerks to the general ledger, prepares income statements, and files the appropriate payroll forms and tax returns.

Identify at least three control weaknesses at Parktown. Describe the potential threat and exposure associated with each weakness, and recommend how to best correct them. (CPA Examination, adapted)

1. Weakness: The employees who perform services are permitted to approve credit without an external credit check.
Threat: Sales could be made that turn out to be uncollectible.
Control: Someone other than the physician performing the services (probably the office manager) should do a credit check. Credit limits should be established and used to control the amount of credit offered.

2. Weakness: The physician who approves credit also approves the write-off of uncollectible accounts.
Threat: Accounts receivable could be understated and bad debts expense overstated because write-offs of accounts could be approved for accounts that are, in fact, collectible. Accounts receivable could be overstated and bad debt expense understated because write-offs may not be initiated for accounts that are uncollectible.
Control: Separate the duties of approving credit and approving the write-off of accounts receivable.

3. Weakness: The employee who initially handles cash receipts also prepares billings and maintains accounts receivable.
Threat: Theft by lapping could occur. Fees earned and cash receipts or accounts receivable could be understated because of omitted or inaccurate billing.
Control: Segregate the functions of cash receipts handling and billing/accounts receivable.

4. Weakness: The employee who makes bank deposits also reconciles bank statements.
Threat: The cash balance per books may be overstated because all cash is not deposited (i.e. theft).
Control: Bank reconciliation should be done by an employee with no other cash handling responsibilities.

5. Weakness: The employee who makes bank deposits also issues credit memos.
Threat: The office manager could steal cash and cover up the shortage by issuing a credit memo for the amount stolen.
Control: Cash deposits should be made by an employee who does not have authority to issue credit memos and who also does not maintain accounts receivable.

6. Weakness: Trial balances of the accounts receivable subsidiary ledger are not prepared independently of, or verified and reconciled to, the accounts receivable control account in the general ledger.
Threat: Any of fees earned, cash receipts, and uncollectible accounts expense could be either understated or overstated because of undetected differences between the subsidiary ledger and the general ledger. Also, fees earned and cash receipts or accounts receivable could be understated because of failure to record billings, cash receipts, and write-offs accurately.
Control: Periodic reconciliation of the subsidiary accounts receivable ledger to the general ledger control account for accounts receivable.

12.9 Figure 12-18 depicts the activities performed in the revenue cycle by the Newton Hardware Company. (CPA Examination, adapted)

a. Identify at least 7 weaknesses in Newton Hardware’s revenue cycle. Explain the resulting threat and suggest methods to correct the weakness.

Weakness: Credit approval by bookkeeper A has no effect on shipping.
Threat/Problem: Uncollectible sales.
Recommendation: Credit approval must occur prior to shipping merchandise to customers.

Weakness: Warehouse clerk (who has physical access to the inventory) initiates posting to inventory records by preparing shipping advice.
Threat/Problem: Failure to prepare shipping advice would result in inaccurate inventory records; could release goods to friends with no invoice.
Recommendation: Inventory posting should be done by the sales clerk once sales are approved.

Weakness: Warehouse clerk does not retain copy of the shipping advice.
Threat/Problem: Cannot easily identify loss if the carrier has accident.
Recommendation: Use a 4-copy shipping advice and retain one copy in the warehouse.

Weakness: Bookkeeper A authorizes customer credit and prepares source documents for posting to customer accounts.
Threat/Problem: Sales to friends that exceed credit limit.
Recommendation: Credit manager should approve all credit.

Weakness: Bookkeeper A prepares invoices without notification about what was shipped and when.
Threat/Problem: Billing mistakes.
Recommendation: Prepare invoice only after receipt of a copy of the shipping advice indicating the quantities shipped and the date.

Weakness: Bookkeeper A authorizes write-offs of customer accounts and approves credit.
Threat/Problem: Can approve sales to friends and later write them off.
Recommendation: Someone else should authorize the write-off of customer accounts.

Weakness: Bookkeeper B does not periodically verify that all sales orders and shipping advices have been invoiced.
Threat/Problem: Failure to bill customers.
Recommendation: Prenumber all sales orders and shipping documents and periodically account for them. Verify that all sales orders and shipping advices have been invoiced.

Weakness: Bookkeeper C does not reconcile the subsidiary A/R with the general ledger.
Threat/Problem: Potential imbalances due to posting errors.
Recommendation: Reconcile the subsidiary A/R ledger with the general ledger.

Weakness: Bookkeeper C maintains journals and posts to ledgers.
Threat/Problem: No independent check on accuracy of recording process.
Recommendation: Bookkeeper B should record in journals and Bookkeeper C post to ledgers.

Weakness: Collections Clerk does not deliver postdated checks and checks with errors to an employee independent of the bank deposit for review and disposition.
Threat/Problem: Possible theft of checks.
Recommendation: Deliver all checks not deposited to another employee who has no bank deposit/reconciliation duties.

Weakness: Collection Clerk initiates posting of receipts to subsidiary accounts receivable ledger and has initial access to cash receipts.
Threat/Problem: Theft by lapping.
Recommendation: Checks should be opened by someone who does not have bookkeeping or accounting duties. That person should then send a list of cash receipts to the collections clerk to be used to record cash receipts.

Weakness: Cash collection clerk does not deposit checks promptly.
Threat/Problem: Possible loss of checks; loss of interest.
Recommendation: Deposit all receipts promptly.

Weakness: Cash collection clerk reconciles bank statement and has initial access to cash receipts.
Threat/Problem: Can cover up theft by “fudging” the bank reconciliation.
Recommendation: Have bank reconciliation performed by an employee with no other involvement in cash receipts processing.

b. Identify ways to use IT to streamline Newton’s revenue cycle activities. Describe the control procedures required in the new system.

Some ways that Newton could use IT to improve efficiency include:
• On-line data entry by sales staff. The system should include credit checks on customers as well as check inventory availability
• Email notification of each department (shipping, billing, etc.) whenever another department performs an action (e.g., billing is notified whenever shipping enters data indicating that an order has been released)
• EDI billing of customers
• Establishment of electronic lockboxes with banks so that customer payments go directly to company’s account

Controls that should be implemented in the new system include:
• Passwords to limit access to authorized users, and to restrict the duties each employee may perform and which files they may access
• A variety of input edit checks (limit checks, range checks, reasonableness tests, etc.) to ensure completeness of data entry and accuracy

12.10 The Family Support Center is a small charitable organization. It has only four full-time employees: two staff, an accountant, and an office manager. The majority of its funding comes from two campaign drives, one in the spring and one in the fall. Donors make pledges over the telephone. Some donors pay their pledge by credit card during the telephone campaign, but many prefer to pay in monthly installments by check. In such cases, the donor pledges are recorded during the telephone campaign and they are then mailed pledge cards. Donors mail their contributions directly to the charity. Most donors send a check, but occasionally some send cash. Most donors return their pledge card with their check or cash donation, but occasionally the Family Support Center receives anonymous cash donations. The procedures used to process donations are as follows:

Sarah, one of the staff members who has worked for the Family Support Center for 12 years, opens all mail. She sorts the donations from the other mail and prepares a list of all donations, indicating the name of the donor (or anonymous), amount of the donation, and the pledge number (if the donor returned the pledge card). Sarah then sends the list, cash, and checks to the accountant.

The accountant enters the information from the list into the computer to update the Family Support Center’s files. The accountant then prepares a deposit slip (in duplicate) and deposits all cash and checks into the charity’s bank account at the end of each day. No funds are left on the premises overnight. The validated deposit slip is then filed by date. The accountant also mails an acknowledgment letter thanking each donor. Monthly, the accountant retrieves all deposit slips and uses them to reconcile the Family Support Center’s bank statement.
At this time, the accountant also reviews the pledge files and sends a follow-up letter to those people who have not yet fulfilled their pledges. Each employee has a computer workstation that is connected to the internal network. Employees are permitted to surf the Web during lunch hours. Each employee has full access to the charity’s accounting system, so that anyone can fill in for someone else who is sick or on vacation. Each Friday, the accountant makes a backup copy of all computer files. The backup copy is stored in the office manager’s office. a. Identify two major control weaknesses in the Family Support Center’s cash receipts procedures. For each weakness you identify, suggest a method to correct that weakness. Your solution must be specific—identify which specific employees should do what. Assume that no new employees can be hired 1. Weakness - Sarah opens all mail and prepares a list of donations (cash and checks). Sarah could misappropriate anonymous cash donations. 12-39 Ch. 12: The Revenue Cycle: Sales and Cash Collections Control - Mail should be opened by both Sarah and the other staff member. The use of lockboxes would also eliminate this problem, but would cost the charity money to implement. 2. Weakness - The donations and donation list are sent to the accountant for recording and to prepare the bank deposit. Therefore, the accountant has custody of the donation and records the donation. Weakness - Bank reconciliation is performed by the accountant, who also makes the bank deposit. Control - The donations should be sent to the office manager for deposit and the donation list sent to the accountant for recording. This corrects both weaknesses. 3. Weakness - Each employee has full access (create, read, update, delete) to the accounting system. Control - Only the accountant and the office manager should have full access to the accounting system. b. 
Describe the IT control procedures that should exist in order to protect the Family Support Center from loss, alteration, or unauthorized disclosure of data.
• The weekly back-up should be stored off-site, not in the manager's office.
• The files both on-site and off-site should be password protected and encrypted to guard against alteration and unauthorized disclosure.
• The backup files should be kept locked in a secure place.

12.11 Match the threats in the first column to the appropriate control procedures in the second column (more than one control may address the same threat).

Threat
1. _a,p_ Uncollectible sales
2. _g,i_ Mistakes in shipping orders to customers.
3. _o_ Crediting customer payments to the wrong account.
4. _f,m,o_ Theft of customer payments.
5. _e,j,k_ Theft of inventory by employees.
6. _l_ Excess inventory.
7. _a_ Reduced prices for sales to friends.
8. _d_ Orders later repudiated by customers who deny placing them.
9. _h,q_ Failure to bill customers.
10. _h_ Errors in customer invoices
11. _m,n_ Cash flow problems
12. _c_ Loss of accounts receivable data
13. _a,b_ Unauthorized disclosure of customer personal information.
14. _g,r_ Failure to ship orders to customers.

Applicable Control Procedures
a. Restrict access to master data.
b. Encrypt customer information while in storage.
c. Backup and disaster recovery procedures.
d. Digital signatures.
e. Physical access controls on inventory
f. Segregation of duties of handling cash and maintaining accounts receivable.
g. Reconciliation of packing lists with sales orders.
h. Reconciliation of invoices with packing lists and sales orders.
i. Use of bar-codes or RFID tags.
j. Periodic physical counts of inventory
k. Perpetual inventory system.
l. Use of either EOQ, MRP, or JIT inventory control system.
m. Lockboxes or electronic lockboxes.
n. Cash flow budget
o. Mail monthly statements to customers.
p. Credit approval by someone not involved in sales.
q. Segregation of duties of shipping and billing.
r. Periodic reconciliation of prenumbered sales orders with prenumbered shipping documents.

12.12 EXCEL PROBLEM
Use EXCEL’s regression tools to analyze and forecast future sales. (Hint: The article “Forecasting with Excel,” by James A. Weisel in the February 2009 issue of the Journal of Accountancy (available at www.aicpa.org) explains how to perform the following tasks using either Excel 2003 or Excel 2007).

a. Create a spreadsheet with the following data about targeted emails, click ads, and unit sales:

Emails    Clicks    Unit Sales
150000    100       12000
155000    105       12500
125000    75        10000
130000    150       14000
135000    125       12500
120000    100       10000
125000    125       10900
130000    135       11500
130000    110       12500
120000    95        10500
100000    75        10750
110000    100       10000
100000    80        9500
140000    130       13500
120000    110       11500
130000    125       13000
100000    85        12000
110000    100       9000
120000    135       10000
130000    140       13500
140000    125       13400
130000    115       12750
120000    105       12750
100000    95        10000
130000    145       9000
150000    150       15000
140000    120       12000
125000    100       13500
110000    95        11000
130000    140       13500

b. Create a scattergraph to illustrate the relationship between targeted emails and unit sales. Display the regression equation and the R² between the two variables on the chart.

c. Create a scattergraph to illustrate the relationship between click ads and unit sales. Display the regression equation and the R² between the two variables on the chart.

d. Which variable (targeted emails or click ads) has the greater influence on unit sales? How do you know?
Targeted emails have a greater effect on unit sales than do click ads as shown by the higher R² for the regression formula.

e. Use the “=Forecast” function to display the forecasted sales for 200,000 targeted emails and for 200 click ads.
Formula to forecast sales given number of click ads (cell C32): =FORECAST(B32,C2:C31,B2:B31)
Answer: Forecasted sales for 200 click ads is 14,956

Formula to forecast sales given number of targeted emails (cell C33): =FORECAST(A33,C2:C31,A2:A31)
Answer: Forecasted sales for 200,000 targeted emails is 16,610

12.13 Give two specific examples of nonroutine transactions that may occur in processing cash receipts and updating accounts receivable. Also specify the control procedures that should be in place to ensure the accuracy, completeness, and validity of those transactions.

Nonroutine Transaction 1. Change of customer name or address 2. Credit memos for sales returns/allowances. 1. Control Procedure Log of who initiated change and date. 2. Approval by credit manager Verification of return of goods (receiving report). Review and approval by credit manager both prior to event and after recording. 3. Adjustments to customer credit rating or credit limit. 3. 4. Correction of errors in amounts, dates, etc. 4. Review and approval by department manager prior to resubmission. 5. New customers added to master file. 5. Review and approval by credit manager prior to submission. 6. Account write-offs (bad debts). 6. Review and approval by credit manager both before event and after recording.

SUGGESTED ANSWERS TO THE CASES

Case 12.1: RESEARCH PROJECT: IMPACT OF IT ON REVENUE CYCLE ACTIVITIES, THREATS, AND CONTROLS

Search popular business and technology magazines (Business Week, Forbes, Fortune, CIO, etc.) to find an article about an innovative use of IT that can be used to improve one or more activities in the revenue cycle. Write a report that:

a. Explains how IT can be used to change revenue cycle activities
Answers will vary depending upon the article selected.

b. Discusses the control implications. Refer to Table 12-1 and explain how the new procedure changes the threats and appropriate control procedures for mitigating those threats.
Be sure that the report addresses the portions of Table 12-1 affected by the changes discussed in the article.

CHAPTER 13 THE EXPENDITURE CYCLE: PURCHASING AND CASH DISBURSEMENTS

SUGGESTED ANSWERS TO DISCUSSION QUESTIONS

13.1 In this chapter and in Chapter 12 the controller of AOE played a major role in evaluating and recommending ways to use IT to improve efficiency and effectiveness. Should the company’s chief information officer make these decisions instead? Should the controller be involved in making these types of decisions? Why or why not?

There are several reasons why accountants should be involved in decisions about investing in IT and not leave such decisions solely to IS professionals. First, the economic merits of proposed IT investments need to be subjected to the same kind of detailed analysis as any other major capital investment (e.g., plant expansions). Accountants are skilled in making such analyses. Second, the operational feasibility of IT investments must also be evaluated. How will the investment affect daily operating procedures? Will the system be able to adapt as the company changes the nature of its operations? As one of the major users of the information system, accountants need to participate in these analyses. Third, what is the long-run viability of the proposed supplier? Here again accountants can make a valuable contribution by analyzing the long-run economic viability of proposed vendors.

13-1 © 2012 Pearson Education, Inc. Publishing as Prentice Hall

13.2 Companies such as Wal-Mart have moved beyond JIT to VMI systems. Discuss the potential advantages and disadvantages of this arrangement. What special controls, if any, should be developed to monitor VMI systems?
Vendor Managed Inventory (VMI) is essentially Electronic Data Interchange (EDI) where the retailer has given their vendor access rights to their point-of-sale (POS) system. Some of the potential advantages and disadvantages of moving to a VMI are:

Advantages:
• Lower cost. Retailers are able to “outsource” their inventory management to their vendors.
• Potentially reduced lost sales. When vendors are able to meet product demand, the company can minimize lost sales due to stockouts.
• More accurate forecasts. Since vendors have more data from the retailers, they are able to more accurately forecast and meet demand for their products.

Disadvantages:
• Cost. Retailers and vendors must incur the costs of acquiring the technology and changing the organization to a VMI arrangement.
• Security. The retailer puts one of their most valuable assets, their sales data, in the hands of their vendors. Such significant access to retailer data opens the door to a myriad of data and system security issues such as data alteration and deletion, unauthorized access to nonsales related data, inadvertent loss of data, and corporate espionage.
• Over supply. The vendor can ship more inventory than the retailer needs to meet the demand.

Controls: The following controls could be implemented to monitor VMI systems:
1. Monitor inventory levels. At least at first, and then periodically thereafter, the retailer should monitor inventory levels to determine whether the vendor is sending enough inventory to prevent stock outs but not too much inventory that is slow to sell.
2. Analyze inventory costs. If VMI is working, then overall inventory costs should decline.
3. Intrusion detection systems. To determine if the vendor has compromised the security of the retailer’s system.
4. Monitor unauthorized access attempts. All attempts by vendors to access non-VMI related areas of the retailer’s system should be investigated.

13.3 Procurement cards are designed to improve the efficiency of small noninventory purchases. What controls should be placed on their use? Why?

Since the primary benefit of procurement cards is to give employees the ability to make small non-inventory purchases necessary for their area of responsibility -- be it office supplies, computer or office equipment, or meals and/or travel expenses -- a formal approval process for all purchases would negate the benefit of the procurement card. Therefore, the focus of procurement card controls should be on the initial issuance of the card and subsequent reviews and audits of purchases made by employees entrusted with procurement cards.

Employees receiving cards must be properly trained in their proper use and in the procurement card controls implemented by the organization. If employees know that any purchase they make can be the subject of subsequent review and audit, they are more likely to make legitimate purchases.

Subsequent reviews and audits must also require proper documentation related to each purchase made with the procurement card. During procurement card training, it should be emphasized that employees will be required to produce original receipts or other formal documentation for all items purchased.

Budgets and detailed variance analyses are an important detective control to identify potential problems before they get too large.

13.4 In what ways can you apply the control procedures discussed in this chapter to paying personal debts (e.g., credit card bills)?

Many people do not keep their credit card receipts as evidenced by receipts left at “pay-at-the-pump” gas stations. If consumers do not keep their receipts, how do they know whether their credit card bill is accurate? Thus, consumers should verify each charge on their bill to each receipt. In addition, the credit card bill should be reviewed for accurate refunds for returned merchandise or cancelled services.

Just as businesses should take advantage of discounts for prompt payment, consumers should attempt to always pay the balance due in full because the interest rate on outstanding balances can result in significantly greater total payments.

Finally, consumers need to shred all statements prior to disposal, to reduce the risk of identity theft. If consumers engage in online banking, they should vigilantly monitor their account for signs of compromise. Ideally, they should only do online banking from one computer and use a different browser than is used for all other online activities.

13.5 Should every company switch from the traditional 3-way matching process (purchase orders, receiving reports, and supplier invoices) to the 2-way match (purchase orders and receiving reports) used in Evaluated Receipt Settlement (ERS)? Why (not)?

Switching to ERS simplifies accounts payable and eliminates a major source of problems: inconsistency between supplier invoices and prices quoted when placing the order. However, ERS requires firm commitments to prices by suppliers – which may not be feasible for certain types of products like commodities. ERS also requires that receiving dock employees exercise great care in counting merchandise received. It also requires configuring the information system to automatically calculate and track payment due dates without the benefit of a reminder provided by receiving a supplier invoice.

13.6 Should companies allow purchasing agents to start their own businesses that produce goods the company frequently purchases? Why? Would you change your answer if the purchasing agent’s company was rated by an independent service, like Consumer Reports, as providing the best value for price? Why?
The primary issue here is conflict of interest. If a purchasing manager owns a business that supplies goods to his employer, how does the employer know that they are receiving the best quality goods for the lowest prices? By allowing a purchasing manager to own an independent company that supplies his employer, the employer is in effect dis-aligning the interests of the purchasing manager with the interests of the employer. The higher the prices the supply company charges, the more money the purchasing manager makes.

The employer may find some comfort if the purchasing manager’s supply business is reviewed or audited by some independent organization. However, independent rating organizations cannot audit every transaction. Since the purchasing manager has intimate knowledge of the employer’s operations and cost structure, he has the ability to structure transactions that could conceal purchases that were favorable to the purchasing manager’s business and unfavorable to the employer.

Given the degree of oversight that any prudent employer would have to implement to make sure the purchasing manager provided the best quality for the best price, why would an employer want to allow such an arrangement?

SUGGESTED ANSWERS TO THE PROBLEMS

13.1
a. A purchasing agent orders materials from a supplier that he partially owns.
• Require a purchase requisition from an operating department as authorization for preparation of all purchase orders.
• Require purchasing manager, before approving PO, to
   o Review the purchase requisition
   o Ensure that orders are placed only with approved vendors.
• Require purchasing agents to disclose any financial interest in supplier companies, though this may be difficult to enforce.
• Ensure that purchasing agents do not have investments in vendors on the approved vendor list.

b. Receiving-dock personnel steal inventory and then claim the inventory was sent to the warehouse.
• Count all deliveries and record counts on a receiving report.
• Require warehouse personnel to count the goods received when they are transferred to the warehouse and acknowledge receipt of the specified quantity by signing the receiving report.
• Have accounts payable personnel review the signed receiving report copy (signed by both the receiving department and the warehouse personnel) prior to approving payment.

c. An unordered supply of laser printer paper delivered to the office is accepted and paid for because the “price is right.” After jamming all of the laser printers, however, it becomes obvious that the “bargain” paper is of inferior quality.
• The problem here is that office employees are seldom trained about proper procedures for receiving, because it is assumed that all goods are delivered only to the warehouse. Office employees, like receiving employees, need to be trained not to accept deliveries unless they can verify the existence of an approved purchase order for those goods.
• In addition, companies should not approve and pay invoices unless they can match the invoice to an approved purchase order and receiving report.

d. The company fails to take advantage of a 1% discount for promptly paying a vendor invoice.
• File invoices by discount date
• Maintain a cash budget

e. A company is late in paying a particular invoice. Consequently, a second invoice is sent, which crosses the first invoice’s payment in the mail. The second invoice is submitted for processing and also paid.
• Review related supporting voucher package or records (receiving report and purchase order) before approving an invoice for payment.
• Change the status of the invoice and its supporting records from "pending" to "paid" after payment is made.
• Deface the invoice and all supporting documents (such as marking them paid) so they cannot be used to support the payment of a duplicate invoice.

f. Inventory records show that an adequate supply of copy paper should be in stock, but none is available on the supply shelf.
• Count physical inventory periodically.
• Correct system records using the count.

g. The inventory records are incorrectly updated when a receiving-dock employee enters the wrong product number at the terminal.
• Use closed loop verification – The item number is entered as input, the system displays the corresponding item description, and the user is asked to verify that it is the desired item.
• Use bar-codes or RFID tags to eliminate the need to enter the item number manually.

h. A clerical employee obtains a blank check and writes a large amount payable to a fictitious company. The employee then cashes the check.
• Store unused blank company checks in a secure location.
• Segregate duties by having the person reconciling the bank account be different from the person making payments
• Segregate duties by having the person signing checks be different from the person authorizing disbursements and preparing checks
• Ensure that the check signer reviews the documentation (purchase order and receiving report) supporting each disbursement prior to signing each check.

i. A fictitious invoice is received and a check is issued to pay for goods that were never ordered or delivered.
• Program the system so that it only prints checks to approved suppliers listed in the database
• Restrict access to the supplier master data.
• Require appropriate background checks and management approvals before adding a new supplier to the supplier master data
• Review changes to the supplier master data periodically
• Require supporting documents (purchase order and receiving report) for each invoice that is paid
• Require the person who authorizes disbursements to review the purchase order and receiving report, as well as the invoice.
• Segregate duties by having the person signing checks be different from the person authorizing disbursements and preparing checks
• Ensure that the check signer reviews the invoice, purchase order, and receiving report supporting each disbursement prior to signing a check.
• Deface the invoice and all supporting documents (such as marking them paid) so they cannot be used to support the payment of a duplicate invoice.

j. The petty cash custodian confesses to having “borrowed” $12,000 over the last five years.
• Create a petty cash imprest fund and only replenish it based on receipts documenting how the funds were used
• Conduct periodic surprise counts of petty cash on hand to verify that the total of cash plus receipts equals the fund amount.

k. A purchasing agent adds a new record to the supplier master file. The company does not exist. Subsequently, the purchasing agent submits invoices from the fake company for various cleaning services. The invoices are paid.
• Restrict access to the supplier master file
• Require appropriate background checks and management approvals before adding a new supplier to the supplier master data
• Monitor on a regular basis all changes made to the supplier master data
• Implement budgetary controls and regular analyses of expenses related to services to detect this type of problem, as well as higher-than-expected expenses for a particular department.

l.
A clerk affixes a price tag intended for a low-end flat panel TV to a top-of-the-line model. The clerk’s friend then purchases that item, which the clerk scans at the checkout counter.
• Restrict access to price tags so that cashiers do not have access to price tags
• Segregate duties by not letting stocking clerks work as cashiers.
• Monitor check-out clerks, either live or by closed-circuit cameras, to deter fraud.
• Hire honest and ethical employees by conducting effective interviews, checking references, and conducting background checks if cost effective.

13.2 Match the terms in the left column with their appropriate definition in the right column.

Terms
1. _n_ economic order quantity
2. _f_ materials requirements planning (MRP)
3. _e_ Just-in-time (JIT) inventory system
4. _g_ purchase requisition
5. _b_ imprest fund
6. _a_ purchase order
7. _s_ kickbacks
8. _r_ procurement card
9. _p_ blanket purchase order
10. _h_ evaluated receipts settlement (ERS)
11. _m_ disbursement voucher
12. _q_ receiving report
13. _d_ debit memo
14. _o_ vendor managed inventory
15. _l_ voucher package
16. _j_ non-voucher system
17. _k_ voucher system

Definitions
a. A document that creates a legal obligation to buy and pay for goods or services.
b. The method used to maintain the cash balance in the petty cash account.
c. The time to reorder inventory based on the quantity on hand falling to predetermined level.
d. A document used to authorize a reduction in accounts payable when merchandise is returned to a supplier.
e. An inventory control system that triggers production based upon actual sales.
f. An inventory control system that triggers production based on forecasted sales.
g. A document only used internally to initiate the purchase of materials, supplies, or services.
h. A process for approving supplier invoices based on a two-way match of the receiving report and purchase order.
i. A process for approving supplier invoices based on a three-way match of the purchase order, receiving report, and supplier invoice.
j. A method of maintaining accounts payable in which each supplier invoice is tracked and paid for separately.
k. A method of maintaining accounts payable which generates one check to pay for a set of invoices from the same supplier.
l. Combination of a purchase order, receiving report, and supplier invoice that all relate to the same transaction.
m. A document used to list each invoice being paid by a check.
n. An inventory control system that seeks to minimize the sum of ordering, carrying, and stockout costs.
o. A system whereby suppliers are granted access to point-of-sale (POS) and inventory data in order to automatically replenish inventory levels.
p. An agreement to purchase set quantities at specified intervals from a specific supplier.
q. A document used to record the quantities and condition of items delivered by a supplier.
r. A special purpose credit card used to purchase supplies.
s. A fraud in which a supplier pays a buyer or purchasing agent in order to sell its products or services.

13.3 EXCEL PROJECT. Using Benford’s Law to Detect Potential Disbursements Fraud.

a. Read the article “Using Spreadsheets and Benford’s Law to Test Accounting Data,” by Mark G. Simkin in the ISACA Journal, Vol. 1, 2010, available at www.isaca.org.

b. Follow the steps in the article to analyze the following set of supplier invoices:

Invoice Number    Amount
2345              $7,845
2346              $2,977
2347              $1,395
2348              $3,455
2349              $7,733
2350              $1,455
2351              $6,239
2352              $2,573
2353              $1,862
2354              $1,933
2355              $7,531
2356              $4,400
2357              $5,822
2358              $7,925
2359              $2,100
2360              $8,256
2361              $1,863
2362              $3,375
2363              $6,221
2364              $1,799
2365              $1,450
2366              $7,925
2367              $2,839
2368              $1,588
2369              $2,267
2370              $7,890
2371              $7,945
2372              $1,724
2373              $9,311
2374              $4,719

Hint: You may need to use the VALUE function to transform the results of using the LEFT function to parse the lead digit in each invoice amount.

To apply Benford’s law, we need to write a formula that extracts the left-most digit from an invoice number. Excel has a number of built-in functions that can parse characters in a string. The function LEFT(cell, n) returns the left n characters from the specified cell. Thus, in our case, LEFT(C4,1) returns the left-most digit from cell C4. However, the various character-parsing functions (LEFT, RIGHT, MID) all return their results as text. Therefore, we need to transform that result back into a number by using the VALUE function. Therefore, the formula in column C is:

=VALUE(LEFT(C4,1))

The formula for the sample size is:

=COUNT(C2:C31)

The formula in the “expected” column multiplies the values in cells F4:F12 by the count result in Cell G15

The formula in the “actual” column uses the COUNTIF function:

=COUNTIF($C$2:$C$31,E18)

– which counts the column of lead digits to see how many of them have the value in cell E18. Copying this formula down will yield counts of the number of lead digits equal to the value in cell E19, then E20, etc.
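The expected-versus-actual comparison described above, as an added Python example that is not part of the solution manual or the cited article. It uses the 30 invoice amounts from the problem (lead digit of the amount, per the hint) and goes beyond the spreadsheet's two columns: the chi-square statistic, the per-digit z-test with continuity correction, and the function names are assumptions of this example.

```python
import math
from collections import Counter

# Supplier invoices from problem 13.3: invoice numbers 2345-2374 paired with
# their amounts in dollars, in the order the problem lists them.
AMOUNTS = [7845, 2977, 1395, 3455, 7733, 1455, 6239, 2573, 1862, 1933,
           7531, 4400, 5822, 7925, 2100,
           8256, 1863, 3375, 6221, 1799, 1450, 7925, 2839, 1588, 2267,
           7890, 7945, 1724, 9311, 4719]
INVOICES = dict(zip(range(2345, 2375), AMOUNTS))

CHI2_CRIT_8DF = 15.507  # chi-square critical value, 8 degrees of freedom, alpha 0.05
Z_CRIT = 1.96           # two-sided 5% cutoff for the per-digit test


def lead_digit(amount):
    """Return the first significant digit (1-9) of a number, or None for zero."""
    for ch in str(abs(amount)):
        if ch in "123456789":
            return int(ch)
    return None


def benford_table(amounts):
    """Per-digit rows: (digit, actual count, expected count, chi2 term, z score)."""
    digits = [d for d in map(lead_digit, amounts) if d is not None]
    n = len(digits)
    if n == 0:
        raise ValueError("no non-zero amounts to analyze")
    actual = Counter(digits)
    rows = []
    for d in range(1, 10):
        p = math.log10(1 + 1 / d)        # Benford probability of lead digit d
        expected = n * p                 # the spreadsheet's "expected" column
        chi2_term = (actual[d] - expected) ** 2 / expected
        diff = abs(actual[d] / n - p)
        correction = 1 / (2 * n)         # continuity correction, applied only
        if correction < diff:            # when it is smaller than the gap
            diff -= correction
        z = diff / math.sqrt(p * (1 - p) / n)
        rows.append((d, actual[d], expected, chi2_term, z))
    return rows


def analyze(invoices):
    """Run the first-digit test and list the invoices worth pulling for review."""
    rows = benford_table(invoices.values())
    chi2 = sum(r[3] for r in rows)
    # Flag only digits that occur significantly MORE often than expected.
    flagged = [r[0] for r in rows if r[4] > Z_CRIT and r[1] > r[2]]
    review = sorted(num for num, amt in invoices.items()
                    if lead_digit(amt) in flagged)
    return {"rows": rows, "chi2": chi2, "reject": chi2 > CHI2_CRIT_8DF,
            "flagged_digits": flagged, "review": review}


if __name__ == "__main__":
    result = analyze(INVOICES)
    print("digit  actual  expected      z")
    for d, act, exp, _, z in result["rows"]:
        print(f"{d:>5}  {act:>6}  {exp:>8.2f}  {z:>5.2f}")
    print(f"chi-square = {result['chi2']:.2f} "
          f"(critical {CHI2_CRIT_8DF}, reject = {result['reject']})")
    print("over-represented lead digits:", result["flagged_digits"])
    print("invoices to review:", result["review"])
```

With only 30 invoices most expected counts are below 5, so the chi-square result is a prompt for pulling the flagged invoices and their voucher packages, not proof of fraud.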
Publishing as Prentice Hall Ch 13: Expenditure Cycle 13.4 Match threats in the first column to appropriate control procedures in the second column. More than one control may be applicable. Threat 1. _d,e__ Failing to take available purchase discounts for prompt payment. 2. _f__ Recording and posting errors in accounts payable. 3. _l__ Paying for items not received. 4. __h,o_ Kickbacks. 5. _b,c,g_ Theft of inventory. 6. _m,l_ Paying the same invoice twice. Control Procedure a. Only accept deliveries for which an approved purchase order exists. b. Document all transfers of inventory. 7. _g,b,c_ Stockouts. 8. __h,i,j,o_ Purchasing items at inflated prices. 9. __k,q_ Misappropriation of cash. g. h. 10. _h,i,o,p__ Purchasing goods of inferior quality. 11. __a_ Wasted time and cost of returning unordered merchandise to suppliers. 12. __n_ Accidental loss of purchasing data. j. 13. __j_ Disclosure of sensitive supplier information (e.g., banking data). c. d. e. f. i. Restrict physical access to inventory. File invoices by due date. Maintain a cash budget. Automated comparison of total change in cash to total changes in accounts payable. Adopt a perpetual inventory system. Require purchasing agents to disclose financial or personal interests in suppliers. Require purchases to be made only from approved suppliers. Restrict access to the supplier master data. k. Restrict access to blank checks. l. Only issue checks for a complete voucher package (receiving report, supplier invoice, and purchase order). m. Cancel or mark “Paid” all supporting documents in a voucher package when a check is issued. n. Regular backup of the expenditure cycle database. o. Train employees how to respond properly to gifts or incentives offered by suppliers. p. Hold purchasing managers responsible for costs of scrap and rework. q. Reconciliation of bank account by someone other than the cashier. 13-13 © 2012 Pearson Education, Inc. Publishing as Prentice Hall Ch. 
13.5 Use Table 13-2 to create a questionnaire checklist that can be used to evaluate controls for each of the basic activities in the expenditure cycle (ordering goods, receiving, approving supplier invoices, and cash disbursements).

a. For each control issue, write a Yes/No question such that a “No” answer represents a control weakness. For example, one question might be “Are supporting documents, such as purchase orders and receiving reports, marked “paid” when a check is issued to the vendor?”

A wide variety of questions is possible. Below is a sample list, each question to be answered Yes or No:

1. Is access to supplier master data restricted?
2. Are additions to supplier master data regularly reviewed and all changes investigated?
3. Is sensitive data encrypted while stored in the database?
4. Does a backup and disaster recovery plan exist?
5. Have backup procedures been tested within the past year?
6. Are appropriate data entry edit controls used?
7. Is a perpetual inventory maintained?
8. Are physical counts of inventory taken regularly and used to adjust the perpetual inventory records?
9. Are competitive bids used when ordering expensive items?
10. Are purchasing agents required to disclose financial interests in suppliers?
11. Are budgets set for service expenses and are variances investigated?
12. Is the system configured to generate purchase orders only to suppliers listed in the database?
13. Are receiving dock employees trained to accept deliveries only when an approved purchase order exists?
14. Are receiving dock employees trained about the importance of accurately counting all items delivered?
15. Do receiving dock employees inspect all deliveries for quality?
16. Do both receiving dock employees and inventory control employees sign off on the transfer of items?
17. Is physical access to inventory restricted?
18. Are invoices only approved for payment when accompanied by both a purchase order and receiving report?
19. Is supporting documentation cancelled or marked “Paid” when a check is generated?
20. Are invoices filed by due date (adjusted for any discounts for early payment)?
21. Is access to blank checks restricted?
22. Is access to the EFT system restricted?
23. Is the bank account regularly reconciled by someone not involved in issuing checks?

b. For each Yes/No question, write a brief explanation of why a “No” answer represents a control weakness.

Reason a “No” answer represents a weakness, by question number:

1. Unrestricted access to supplier master data could facilitate fraud by allowing the creation of fake suppliers to whom checks can be issued.
2. Failure to investigate all changes to supplier master data may allow fraud to occur because unauthorized suppliers may not be detected.
3. Failure to encrypt sensitive data can result in the unauthorized disclosure of banking-related information about suppliers.
4. If a backup and disaster recovery plan does not exist, the organization may lose important data.
5. If the backup plan is not tested regularly, it may not work.
6. Without proper data entry edit controls, errors in purchasing, receiving, and paying suppliers can occur.
7. Without a perpetual inventory system, shortages and excess inventory are more likely.
8. Without periodic physical counts, the perpetual inventory records are likely to be incorrect.
9. Without competitive bids, purchases may be at higher than necessary prices.
10. Non-disclosure of personal interests in suppliers creates a conflict of interest and may lead to kickbacks and other forms of fraud.
11. Without budgets and analyses of services expenses, these expenses can be fraudulently inflated to cover up fraud.
12. If generating purchase orders is not restricted to suppliers in the database, purchases may be made from unauthorized suppliers, which may result in paying too much, receiving inferior quality goods, or violating laws.
13. If receiving dock employees accept deliveries without an approved purchase order, this may result in higher costs and wasted time processing deliveries and then returning those unordered items.
14. Failure to count deliveries accurately will create errors in inventory records and may result in paying for goods not received.
15. Failure to inspect the quality of goods at the receiving dock increases the risk of production delays when the problem is discovered later.
16. Failure to acknowledge the transfer of goods increases the risk of loss and precludes assigning responsibility for any shortages.
17. Inadequate physical security increases the risk of theft of inventory.
18. Failure to require a voucher package can result in paying for items not ordered or not received.
19. Failure to cancel supporting documents can result in paying the same invoice twice.
20. Failure to file invoices by due date increases the risk of not taking advantage of discounts for prompt payment.
21. Unrestricted access to blank checks increases the risk of misappropriation of funds.
22. Unrestricted access to the EFT system increases the risk of misappropriation of funds.
23. Lack of an independent bank account reconciliation increases the risk of fraud going undetected. It also precludes the timely identification of unauthorized disbursements, possibly resulting in the bank refusing to correct the problem.

13.6 EXCEL PROJECT

a. Expand the cash budget you created in Problem 12.4 to include a row for expected cash outflows equal to 77% of the current month’s sales.
b. Also add a row to calculate the amount of cash that needs to be borrowed, in order to maintain a minimum cash balance of $50,000 at the end of each month.
c. Add another row to show the cash inflow from borrowing.
d. Add another row to show the cumulative amount borrowed.
e. Add another row to show the amount of the loan that can be repaid, being sure to maintain a minimum ending balance of $50,000 each month.

Explanation of solution:

1. Always use references to assumption cells in the formulas. For example, the cash sales row formulas should be that column’s sales times cell D6 (e.g., in February, the cash sales cell has this formula: =E19*$D$6).
2. The solution rounds sales to the nearest dollar, to keep it looking clean, using this formula in February: =ROUND(D19*(100%+$D$5),0)
3. The collections from prior sales row is set to zero in January; then it gets progressively more complex as follows:
   a. February: =D19*$D$7
   b. March: =(D19*$D$8)+(E19*$D$7)
   c. April: =(D19*$D$9)+(E19*$D$8)+(F19*$D$7)
4. Tentative cash balance = beginning balance + cash sales that month + collections of prior month’s cash sales – current expenditures: =D18+D20+D21-D22
5. Amount borrowed = zero if tentative balance >= desired balance, otherwise the amount of the shortfall: =IF(D23>=D24,0,(D24-D23))
6. Cumulative loan initially = starting loan balance plus that month’s borrowing: =$D$14+D25. Subsequently, it equals prior month’s balance plus new borrowing less repayments: =D27+E25-D28
7. Loan repayment is calculated as the excess of cash available over desired ending balance, but never more than the amount of the loan. Therefore, a nested IF statement is needed that first tests whether the tentative cash balance exceeds the desired balance and then, if it does, compares the excess cash available to the outstanding loan balance: =IF(D26>50000,IF(D26-50000>D27,D27,D26-50000),0)
f. Add appropriate data validation controls to ensure spreadsheet accuracy.

The solutions manual for chapter 10 discussed data validation controls in detail. Possible solutions include the following:

1. Limit initial sales to the range $1,000,000 - $10,000,000. Also, include an appropriate input message and an appropriate error message.
2. Limit the sales growth, the percentage of sales made for cash, the percentages collected in subsequent months, the percentage never collected, and expenditures as a percentage of sales to reasonable ranges. For example, sales growth may be constrained to be between 1% and 10%; expenditures may be constrained to be between 50% and 90%, etc.
3. Limit desired ending cash balance to be greater than zero.
4. Students should also lock all the cells in the body of the spreadsheet so that users can only change the assumption cells.

13.7 For each of the following activities, identify the data that must be entered by the employee performing that activity and list the appropriate data entry controls:

a. Purchasing agent generating a purchase order

Data that must be entered: Appropriate Data Entry Edit Controls
User ID: Validity check; Compatibility test (is user authorized to perform this task?)
Password: Validity check; Compatibility test (is user authorized to perform this task?)
Supplier name: Choose from pull-down list of approved suppliers
Delivery method: Choose from pull-down list of options
Desired delivery date: Field check (date); Reasonableness check (compare difference between desired date and today’s date to preset tolerance limit)
Item number: Field check; Validity check
Item quantity: Field check; Reasonableness check

Notes:
1. All other fields on the sample purchase order (see Figure 13-5) can be completed by the system.
2. In addition to the specific edit controls listed above, a completeness check should be done to ensure all data is entered.

b. Receiving clerk completing a receiving report

Data that must be entered: Appropriate Data Entry Edit Controls
User ID: Validity check; Compatibility test (is user authorized to perform this task?)
Password: Validity check; Compatibility test (is user authorized to perform this task?)
Supplier name: Choose from pull-down list of approved suppliers
Purchase Order number: Choose from pull-down list of open purchase orders from that supplier
Delivery method: Choose from pull-down list of options
Item number: Field check; Validity check
Item quantity: Field check; Reasonableness check (compare to quantity ordered and tolerance limits)
Remarks (quality inspection): Completeness check

Notes:
1. All other fields on the sample receiving report (see Figure 13-6) can be completed by the system.
2. In addition to the specific edit controls listed above, a completeness check should be done to ensure all data is entered.

13.8 The following list identifies several important control features. For each control, (1) describe its purpose and (2) explain how it could be best implemented in an integrated ERP system.

a. Cancellation of the voucher package by the cashier after signing the check
b. Separation of duties of approving invoices for payment and signing checks
c. Prenumbering and periodically accounting for all purchase orders
d. Periodic physical count of inventory
e. Requiring two signatures on checks for large amounts
f. Requiring that a copy of the receiving report be routed through the inventory stores department prior to going to accounts payable
g. Requiring a regular reconciliation of the bank account by someone other than the person responsible for writing checks
h. Maintaining an approved supplier list and checking that all purchase orders are issued only to suppliers on that list

Item a.
Part I - Purpose: Prevent resubmission of invoices for double payment.
Part II - ERP System Control: Control field in supplier invoice record to indicate the document has been used. Control field in purchase order and receiving report records to indicate the document has been used to support payment.

Item b.
Part I - Purpose: Prevent payment of fictitious invoices.
Part II - ERP System Control: System matches all invoices to corresponding receiving reports and purchase orders. Checks signed by cashier.

Item c.
Part I - Purpose: Prevent unauthorized purchases.
Part II - ERP System Control: Sequence check of all purchase orders.

Item d.
Part I - Purpose: Verify the accuracy of recorded amounts and detect losses.
Part II - ERP System Control: Still need to count physical inventory periodically.

Item e.
Part I - Purpose: Prevent large disbursements for questionable reasons.
Part II - ERP System Control: Still need two signatures.

Item f.
Part I - Purpose: Verifies that items received were placed in inventory and were not stolen.
Part II - ERP System Control: Receiving clerks enter that goods were transferred to inventory. Inventory clerks acknowledge receipt of goods via terminals. System configured so that voucher package requires that the receiving report include the acknowledgement of receipt by inventory control.

Item g.
Part I - Purpose: Detect unauthorized disbursements.
Part II - ERP System Control: Still required.

Item h.
Part I - Purpose: Ensure the purchase of quality goods and prevent violations of laws or company policies.
Part II - ERP System Control: Validity check of supplier number on all purchase orders. Restrict access to the supplier master file. Verify all changes to the supplier master file. Restrictions on who can make changes to the supplier master file.
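The ERP controls named in Part II of 13.8 (used-document control fields, automatic matching of invoices to purchase orders and receiving reports, the inventory acknowledgement, the supplier validity check, and the purchase order sequence check) are sketched below in Python. This is an added example, not part of the original solution; the class, field and supplier names are hypothetical and the records in `demo()` are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class PurchaseOrder:
    number: int
    supplier_id: str
    quantity: int
    used: bool = False        # control field: already supported a payment


@dataclass
class ReceivingReport:
    po_number: int
    quantity: int
    inventory_ack: bool       # inventory control acknowledged receipt of the goods
    used: bool = False        # control field


@dataclass
class Invoice:
    number: str
    supplier_id: str
    po_number: int
    quantity: int
    used: bool = False        # control field: invoice already paid


def voucher_exceptions(inv, pos, reports, approved):
    """Return the control exceptions for an invoice; an empty list means it may be paid."""
    problems = []
    if inv.used:
        problems.append("invoice already paid")
    if inv.supplier_id not in approved:                 # validity check (item h)
        problems.append("supplier not on approved list")
    po = pos.get(inv.po_number)
    if po is None:                                      # matching (item b)
        problems.append("no purchase order")
    else:
        if po.used:                                     # control field (item a)
            problems.append("purchase order already used for payment")
        if po.supplier_id != inv.supplier_id:
            problems.append("supplier differs from purchase order")
    rr = reports.get(inv.po_number)
    if rr is None:
        problems.append("no receiving report")
    else:
        if rr.used:
            problems.append("receiving report already used for payment")
        if not rr.inventory_ack:                        # acknowledgement (item f)
            problems.append("receipt not acknowledged by inventory control")
        if rr.quantity != inv.quantity:
            problems.append("invoiced quantity differs from quantity received")
    return problems


def pay(inv, pos, reports, approved):
    """Pay only a clean voucher package, then mark every document in it as used."""
    problems = voucher_exceptions(inv, pos, reports, approved)
    if not problems:
        inv.used = True
        pos[inv.po_number].used = True
        reports[inv.po_number].used = True
    return problems


def missing_po_numbers(pos):
    """Sequence check (item c): purchase order numbers absent from the issued range."""
    if not pos:
        return []
    return [n for n in range(min(pos), max(pos) + 1) if n not in pos]


def demo():
    approved = {"S100", "S200"}                         # constructed supplier ids
    pos = {p.number: p for p in (PurchaseOrder(5001, "S100", 40),
                                 PurchaseOrder(5002, "S200", 10),
                                 PurchaseOrder(5004, "S999", 5))}
    reports = {r.po_number: r for r in (ReceivingReport(5001, 40, True),
                                        ReceivingReport(5002, 10, False),
                                        ReceivingReport(5004, 5, True))}
    first = Invoice("A-17", "S100", 5001, 40)
    return {
        "first payment": pay(first, pos, reports, approved),
        "same invoice again": pay(first, pos, reports, approved),
        "renumbered copy": pay(Invoice("A-17B", "S100", 5001, 40), pos, reports, approved),
        "not yet in stores": pay(Invoice("B-3", "S200", 5002, 10), pos, reports, approved),
        "unapproved supplier": pay(Invoice("Z-1", "S999", 5004, 5), pos, reports, approved),
        "missing PO numbers": missing_po_numbers(pos),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome or 'paid'}")
```

The "renumbered copy" case is the one the control fields on the purchase order and receiving report exist for: the invoice record is new, so only the supporting documents reveal that the goods were already paid for.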
13.9 For good internal control, which of the following duties can be performed by the same individual?

1. Approve purchase orders
2. Negotiate terms with suppliers
3. Reconcile the organization’s bank account
4. Approve supplier invoices for payment
5. Cancel supporting documents in the voucher package
6. Sign checks
7. Mail checks
8. Request inventory to be purchased
9. Inspect quantity and quality of inventory received

The cells in the following table marked with an X indicate duties that can be performed by the same individual without creating an internal control weakness:

Duty 1 2 3 4 5 6 7 8 9 1 2 3 4 5 6 X X X 7 8 9 X

Rationale:
1. The person who approves purchase orders should be in the purchasing function, which is also the function with the knowledge and skill to negotiate terms with suppliers. However, the same person should not both initiate and approve purchases.
2. The cashier should sign checks, cancel the supporting documents before returning them to A/P, and mail the checks. However, the person performing these three duties should not also reconcile the bank account nor should that person approve payment of supplier invoices.

13.10 Last year the Diamond Manufacturing Company purchased over $10 million worth of office equipment under its “special ordering” system, with individual orders ranging from $5,000 to $30,000. Special orders are for low-volume items that have been included in a department manager’s budget. The budget, which limits the types and dollar amounts of office equipment a department head can requisition, is approved at the beginning of the year by the board of directors. The special ordering system functions as follows:

Purchasing
A purchase requisition form is prepared and sent to the purchasing department.
Upon receiving a purchase requisition, one of the five purchasing agents (buyers) verifies that the requester is indeed a department head. The buyer next selects the appropriate supplier by searching the various catalogs on file. The buyer then phones the supplier, requests a price quote, and places a verbal order. A prenumbered purchase order is processed, with the original sent to the supplier and copies to the department head, receiving, and accounts payable. One copy is also filed in the open-requisition file. When the receiving department verbally informs the buyer that the item has been received, the purchase order is transferred from the open to the filled file. Once a month, the buyer reviews the unfilled file to follow up on open orders.

Receiving
The receiving department gets a copy of each purchase order. When equipment is received, that copy of the purchase order is stamped with the date and, if applicable, any differences between the quantity ordered and the quantity received are noted in red ink. The receiving clerk then forwards the stamped purchase order and equipment to the requisitioning department head and verbally notifies the purchasing department that the goods were received.

Accounts Payable
Upon receipt of a purchase order, the accounts payable clerk files it in the open purchase order file. When a vendor invoice is received, it is matched with the applicable purchase order, and a payable is created by debiting the requisitioning department’s equipment account. Unpaid invoices are filed by due date. On the due date, a check is prepared and forwarded to the treasurer for signature. The invoice and purchase order are then filed by purchase order number in the paid invoice file.

Treasurer
Checks received daily from the accounts payable department are sorted into two groups: those over and those under $10,000. Checks for less than $10,000 are machine signed.
The cashier maintains the check signature machine’s key and signature plate and monitors its use. Both the cashier and the treasurer sign all checks over $10,000.

a. Describe the weaknesses relating to purchases and payments of “special orders” by the Diamond Manufacturing Company.
b. Recommend control procedures that must be added to overcome weaknesses identified in part a.
c. Describe how the control procedures you recommended in part b should be modified if Diamond reengineered its expenditure cycle activities to make maximum use of current IT (e.g., EDI, EFT, bar-code scanning, and electronic forms in place of paper documents).
(CPA Examination, adapted)

1. Weakness: Buyer does not verify that the department head’s request is within budget.
   Control: Compare requested amounts to total budget and YTD expenditures.
   Effect of new IT: System can automatically compare the requested amount to the remaining budget.

2. Weakness: No procedures established to ensure the best price is obtained.
   Control: Solicit quotes/bids for large orders.
   Effect of new IT: EDI and Internet can be used to solicit bids.

3. Weakness: Buyer does not check vendor’s past performance.
   Control: Prepare a vendor performance report and use it when selecting vendors.
   Effect of new IT: Vendor performance ratings can be updated automatically and made available to buyer.

4. Weakness: Blind counts not made by receiving.
   Control: Black out quantities ordered on copy of Purchase Order sent to receiving. Provide incentives if discrepancies between packing slip and actual delivery are detected.
   Effect of new IT: Do not permit receiving clerks to access quantities on purchase orders. Request bar coding or RFID tagging of all items and use readers to check in all deliveries. Still provide incentives to detect discrepancies.

5. Weakness: Written notice of equipment receipt not sent to purchasing.
   Control: Send written notice of equipment receipt to purchasing.
   Effect of new IT: Receiving data and comments entered via on-line terminals and routed to purchasing.

6. Weakness: Written notice of equipment receipt not sent to accounts payable.
   Control: Send written notice of equipment receipt to accounts payable.
   Effect of new IT: Configure system to notify accounts payable automatically of equipment receipt.

7. Weakness: Mathematical accuracy of vendor invoice is not verified.
   Control: Verify mathematical accuracy of vendor invoice.
   Effect of new IT: Automatic verification of mathematical accuracy of vendor invoice.

8. Weakness: Invoice quantity not compared to receiving report quantity.
   Control: Compare/verify invoiced quantity with quantity received.
   Effect of new IT: System verifies invoice quantity with quantity received.

9. Weakness: Notification of acceptability of equipment from requesting department not obtained prior to recording payable.
   Control: Obtain confirmation from requisitioner of the acceptability of equipment ordered prior to recording payable.
   Effect of new IT: Configure system to require confirmation of equipment acceptability prior to approving invoice for payment.

10. Weakness: Voucher package not sent to Treasurer.
    Control: Send voucher package (purchase order and receiving report) to Treasurer along with approved invoice.
    Effect of new IT: Configure system to match invoices automatically with supporting documents.

11. Weakness: Voucher package not cancelled when invoice paid.
    Control: Treasurer should mark voucher package as PAID when check is signed.
    Effect of new IT: Configure system to mark supporting documents as used when invoice is paid.

12. Weakness: No mention of bank reconciliation.
    Control: Bank account should be reconciled by someone other than Accounts Payable or the treasurer.
    Effect of new IT: Bank account should be reconciled by someone other than Accounts Payable or the treasurer.
13.11 The ABC Company performs its expenditure cycle activities using its integrated ERP system as follows:

• Employees in any department can enter purchase requests for items they note as being either out of stock or in small quantity.
• The company maintains a perpetual inventory system.
• Each day, employees in the purchasing department process all purchase requests from the prior day. To the extent possible, requests for items available from the same supplier are combined into one larger purchase order in order to obtain volume discounts. Purchasing agents use the Internet to compare prices in order to select suppliers. If an Internet search discovers a potential new supplier, the purchasing agent enters the relevant information in the system, thereby adding the supplier to the approved supplier list. Purchase orders above $10,000 must be approved by the purchasing department manager. EDI is used to transmit purchase orders to most suppliers, but paper purchase orders are printed and mailed to suppliers who are not EDI capable.
• Receiving department employees have read-only access to outstanding purchase orders. Usually, they check the system to verify existence of a purchase order prior to accepting delivery, but sometimes during rush periods they unload trucks and place the items in a corner of the warehouse where they sit until there is time to use the system to retrieve the relevant purchase order. In such cases, if no purchase order is found, the receiving employee contacts the supplier to arrange for the goods to be returned.
• Receiving department employees compare the quantity delivered to the quantity indicated on the purchase order. Whenever a discrepancy is greater than 5%, the receiving employee sends an email to the purchasing department manager. The receiving employee uses an online terminal to enter the quantity received before moving the material to the inventory stores department.
• Inventory is stored in a locked room. During normal business hours an inventory employee allows any employee wearing an identification badge to enter the storeroom and remove needed items. The inventory storeroom employee counts the quantity removed and enters that information in an online terminal located in the storeroom.
• Occasionally, special items are ordered that are not regularly kept as part of inventory, from a specialty supplier who will not be used for any regular purchases. In these cases, an accounts payable clerk creates a one-time supplier record.
• All supplier invoices (both regular and one-time) are routed to accounts payable for review and approval. The system is configured to perform an automatic 3-way match of the supplier invoice with the corresponding purchase order and receiving report.
• Each Friday, approved supplier invoices that are due within the next week are routed to the treasurer’s department for payment. The cashier and treasurer are the only employees authorized to disburse funds, either by EFT or by printing a check. Checks are printed on a dedicated printer located in the treasurer’s department, using special stock paper that is stored in a locked cabinet accessible only to the treasurer and cashier. The paper checks are sent to accounts payable to be mailed to suppliers.
• Monthly, the treasurer reconciles the bank statements and investigates any discrepancies with recorded cash balances.

Identify weaknesses in ABC’s expenditure cycle procedures, explain the resulting problems, and suggest how to correct those problems.

Weakness/Problem: Purchase requests are not reviewed and approved prior to submission. This can result in ordering unnecessary items.
Applicable Control: Purchase requisitions should be reviewed and approved by the originating department’s manager prior to being processed.

Weakness/Problem: A formal inventory control system (EOQ, MRP, or JIT) is not used. This is likely to result in both shortages and excess inventory.
Applicable Control: A formal inventory control system should be used to plan purchases to minimize the combined costs of stock outs, excess inventory, and ordering costs.

Weakness/Problem: There is no mention of periodic physical counts of inventory. Thus, the perpetual inventory records are likely to become inaccurate over time. It will also not be possible to detect theft of inventory in a timely manner.
Applicable Control: Regular physical counts of inventory need to be conducted. Discrepancies with the perpetual inventory records need to be promptly investigated.

Weakness/Problem: Any purchasing agent can add new suppliers to the approved supplier master file without approval. As a result, the approved supplier master file may contain unreliable or non-existent suppliers.
Applicable Control: Restrict the number of employees who can make changes to the approved supplier list. Periodically print a report of all changes and review them to ensure that they have all been approved.

Weakness/Problem: Selection of suppliers is based solely on price. As a result, inferior quality products could be purchased, resulting in increased costs due to warranty repairs, scrap, or rework.
Applicable Control: Criteria for selecting suppliers should include information on supplier reliability and product quality. The system should be configured to track actual supplier performance against promised delivery dates.

Weakness/Problem: Receiving department employees have access to the quantities ordered on purchase orders. This may lead them to not actually count every delivery, especially during busy times, but instead simply visually compare the quantity delivered to the quantity ordered.
Applicable Control: Reconfigure the system and do not permit receiving department employees to access quantity ordered information.

Weakness/Problem: Receiving department employees sometimes unload deliveries without verifying the existence of an approved purchase order. This wastes time in unloading and then subsequently contacting the supplier to return the unordered items.
Applicable Control: Create a policy requiring receiving department employees to always verify the existence of a valid purchase order before accepting delivery. Publish and enforce sanctions for violating this policy. Schedule additional help during busy periods.

Weakness/Problem: Receiving department employees inform purchasing of discrepancies between quantities received and ordered greater than 5%. They may fail to do this during busy periods, resulting in failure to timely resolve problems.
Applicable Control: Configure the system to compare quantities received to quantities ordered. The system should send discrepancies exceeding a tolerable deviation directly to the purchasing manager.

Weakness/Problem: The identity of employees removing inventory from the storeroom is not recorded. This makes it difficult to investigate the cause of any discrepancies between recorded and actual counts of inventory.
Applicable Control: The identity of employees removing inventory should be recorded. This can be done either by swiping an ID badge or by entering a user ID in an online terminal.

Weakness/Problem: Accounts payable clerks can create one-time supplier records without review and subsequently approve payments to those suppliers. This creates the possibility of fraudulent disbursements.
Applicable Control: The system should be configured to print a list of all one-time suppliers. Management should review that list regularly. Accounts payable should not be able to create any new supplier records; that task should only be done by the purchasing manager.

Weakness/Problem: There is no indication that supporting documents in the voucher package are marked “cancelled” or “paid” after being used to issue a check. This can result in duplicate payments.
Applicable Control: The system should be configured to mark supporting documents in a voucher package as PAID when used to generate a check or EFT payment.

Weakness/Problem: Checks are returned to accounts payable to be mailed to suppliers. This provides an opportunity to intercept and alter a check.
Applicable Control: Checks should be mailed by the cashier or the cashier’s assistant.

Weakness/Problem: The treasurer, who has the ability to write checks and authorize EFT payments, also reconciles the bank account. This provides an opportunity to commit fraud and cover up the discrepancy by altering the reconciliation.
Applicable Control: Someone other than the cashier or treasurer should reconcile the bank account statement.

13.12 Alden, Inc. has hired you to review its internal controls for the purchase, receipt, storage, and issuance of raw materials. You observed the following:

• Raw materials, which consist mainly of high-cost electronic components, are kept in a locked storeroom. Storeroom personnel include a supervisor and four clerks. All are well trained, competent, and adequately bonded. Raw materials are removed from the storeroom only upon written or oral authorization by a production supervisor.
• No perpetual inventory records are kept; hence, the storeroom clerks do not keep records for goods received or issued. To compensate, the storeroom clerks perform a physical inventory count each month.
• After the physical count, the storeroom supervisor matches the quantities on hand against a predetermined reorder level. If the count is below the reorder level, the supervisor enters the part number on a materials requisition list that is sent to the accounts payable clerk. The accounts payable clerk prepares a purchase order for each item on the list and mails it to the supplier from whom the part was last purchased.
• The storeroom clerks receive the ordered materials upon their arrival. The clerks count all items and verify that the counts agree with the quantities on the bill of lading. The bill of lading is then initialed, dated, and filed in the storeroom to serve as a receiving report.

a. Describe the weaknesses that exist in Alden’s expenditure cycle.
b. Suggest control procedures to overcome the weaknesses noted in part a.

1. Weakness: Raw materials may be removed from the storeroom upon oral authorization from one of the production foremen.
   Recommended Improvement: Raw materials should be removed from the storeroom only upon written authorization from an authorized production foreman. Authorization forms should be prenumbered and accounted for, list quantities and job or production number, and be signed and dated.

2. Weakness: Alden’s practice of monthly physical inventory counts does not compensate for the lack of a perpetual inventory system. Quantities on hand at the end of one month may not be sufficient to last until the next month’s count. If the company has taken this into account in establishing reorder levels, then it is carrying too large an investment in inventory.
   Recommended Improvement: A perpetual inventory system should be established under the control of someone other than the storekeepers. The system should include quantities and values for each item of raw material. Total inventory value per the perpetual records should be agreed to the general ledger at reasonable intervals. When physical counts are taken, they should be compared to the perpetual records. Where differences occur, they should be investigated. If the perpetual records are in error they should be adjusted. Controls should be established over obsolescence of stored materials.

3. Weakness: Raw materials are purchased at a predetermined reorder level and in predetermined quantities. Since production levels may often vary during the year, quantities ordered may be either too small or too great for the current production demands.
   Recommended Improvement: Requests for purchases of raw materials should come from Production department management and be based on production schedules and quantities on hand per the perpetual records.

4. Weakness: The accounts payable clerk handles both the purchasing function and payment of invoices. This is not a satisfactory separation of duties.
   Recommended Improvement: The purchasing function should be centralized in a separate department. Prenumbered purchase orders should originate from and be controlled by this department. A copy of the purchase order should be sent to the accounting and receiving departments (with the quantity ordered blacked out on the copy sent to receiving).

5. Weakness: Raw materials are always purchased from the same vendor.
   Recommended Improvement: The purchasing department should obtain competitive bids on all purchases over a specified amount.

6. Weakness: There is no receiving department or receiving report. For proper separation of duties, the individuals responsible for receiving should be separate from the storeroom clerks.
   Recommended Improvement: A receiving department should be established. Personnel in this department should count or weigh all goods received and prepare a prenumbered receiving report. A copy of the receiving report should accompany the inventory when it is transferred to storage and be signed there by the inventory staff. The copy signed by storage personnel should be sent to Accounts Payable to show that the items have been received and placed into inventory.

7. Weakness: There is no inspection of the merchandise received. Since high-cost electronic components usually must meet certain specifications, they should be tested for these requirements when received.
   Recommended Improvement: The goods need to be inspected for quality standards promptly upon receipt.

c. Discuss how those control procedures would be best implemented in an integrated ERP system using the latest developments in IT.
(CPA Examination, adapted)

• The system can be configured to restrict access to only the information needed to perform assigned functions. For example, the receiving dock employees would not be able to create purchase orders, nor see the quantity ordered.
• The system can automatically assign numbers to all documents and track them to identify unfilled orders. Sequence checks can automatically be performed on all electronic documents assigned numbers by the system.
• Removal of inventory from the storeroom can be documented by having the employee removing the inventory swipe his or her ID badge (or by manually entering their user ID and password via a terminal).
• The system can automatically maintain the perpetual inventory records. Periodic physical counts of inventory will continue to be necessary, however, and any discrepancies with recorded amounts investigated.
• The company should adopt either MRP or JIT inventory to improve the efficiency of ordering inventory.
• Digital signatures and digital time stamps can be used to verify the authenticity of all electronic documents.
• EDI and the Internet can be used to solicit and receive competitive bids.
• Suppliers should be asked to bar code or RFID-tag all items so that receiving can use IT to check in all deliveries.
• Comments by inspectors should be entered via on-line terminals.

SUGGESTED ANSWERS TO THE CASES

CASE 13-1 RESEARCH PROJECT: IMPACT OF IT ON EXPENDITURE CYCLE ACTIVITIES, THREATS, AND CONTROLS

Search popular business and technology magazines (Business Week, Forbes, Fortune, CIO, etc.) to find an article about an innovative use of IT that can be used to improve one or more activities in the expenditure cycle. Write a report that:

a. Explains how IT can be used to change expenditure cycle activities

Solutions will vary depending upon articles read.

b. Discusses the control implications. Refer to Table 13-2 and explain how the new procedure changes the threats and appropriate control procedures for mitigating those threats.

Be sure that the report adequately addresses the relevant issues from Table 13-2.
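The following Python sketch is an added example, not part of the original solution manual. It illustrates three of the part c controls from problem 13.12: restricting each role to its assigned functions (receiving can neither create purchase orders nor see the quantity ordered), sequence checks on system-assigned document numbers, and tracking unfilled orders. The role names, field names, and sample records are constructed assumptions.

```python
from collections import Counter

# Hypothetical role model, an assumption of this example rather than any ERP's real schema.
ROLE_ACTIONS = {
    "purchasing": {"create_po", "view_po"},
    "receiving": {"view_po", "create_receiving_report"},
    "accounts_payable": {"view_po"},
}
# Fields removed from a purchase order before the role sees it (blind receiving copy).
HIDDEN_PO_FIELDS = {"receiving": {"qty_ordered"}}

# Constructed sample data: PO 5003 is missing and PO 5004 was issued twice.
PURCHASE_ORDERS = [
    {"po_no": 5001, "part": "IC-7400", "qty_ordered": 200},
    {"po_no": 5002, "part": "CAP-10UF", "qty_ordered": 1000},
    {"po_no": 5004, "part": "LED-RED", "qty_ordered": 500},
    {"po_no": 5004, "part": "LED-RED", "qty_ordered": 500},
    {"po_no": 5005, "part": "RES-4K7", "qty_ordered": 2500},
]


class AccessDenied(Exception):
    """Raised when a role attempts an action outside its assigned function."""


def is_allowed(role, action):
    """True only if the action is in the role's explicit allow-list."""
    return action in ROLE_ACTIONS.get(role, set())


def authorize(role, action):
    if not is_allowed(role, action):
        raise AccessDenied(f"role {role!r} may not perform {action!r}")


def po_view(role, po):
    """Return only the purchase-order fields this role is permitted to see."""
    authorize(role, "view_po")
    hidden = HIDDEN_PO_FIELDS.get(role, set())
    return {k: v for k, v in po.items() if k not in hidden}


def record_receipt(role, po, counted_qty, rr_no):
    """Create a receiving report from the clerk's independent count.

    The comparison with the quantity ordered is made by the system and is
    meant for purchasing and accounts payable, so the clerk never needs to
    see the ordered quantity.
    """
    authorize(role, "create_receiving_report")
    return {
        "rr_no": rr_no,
        "po_no": po["po_no"],
        "qty_received": counted_qty,
        "matches_order": counted_qty == po["qty_ordered"],
    }


def sequence_check(numbers, first, last):
    """Report gaps, duplicates, and strays among numbers expected in [first, last]."""
    counts = Counter(numbers)
    return {
        "missing": [n for n in range(first, last + 1) if counts[n] == 0],
        "duplicates": sorted(n for n, c in counts.items() if c > 1),
        "out_of_range": sorted(n for n in counts if not first <= n <= last),
    }


def unfilled_orders(purchase_orders, receiving_reports):
    """Purchase orders for which no receiving report has been recorded."""
    received = {rr["po_no"] for rr in receiving_reports}
    return sorted({po["po_no"] for po in purchase_orders} - received)


if __name__ == "__main__":
    print(po_view("receiving", PURCHASE_ORDERS[0]))
    report = record_receipt("receiving", PURCHASE_ORDERS[0], 180, rr_no=9001)
    print(report)
    print(sequence_check([po["po_no"] for po in PURCHASE_ORDERS], 5001, 5005))
    print(unfilled_orders(PURCHASE_ORDERS, [report]))
```
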
CHAPTER 14 THE PRODUCTION CYCLE

SUGGESTED ANSWERS TO DISCUSSION QUESTIONS

14.1. When activity-based cost reports indicate that excess capacity exists, management should either find alternative revenue-enhancing uses for that capacity or eliminate it through downsizing. What factors influence management’s decision? What are the likely behavioral side effects of each choice? What implications do those side effects have for the long-run usefulness of activity-based cost systems?

It will often be easier to identify opportunities to downsize and eliminate jobs than to find creative value-adding activities for excess capacity. Thus, management may be more likely to eliminate excess capacity than to redirect it to new tasks. This can have serious negative effects on both employee morale and the long-run survival of the firm. When employees are let go, their knowledge and customer relationships go with them. Some consultants argue that such soft knowledge is a company’s most valuable asset and, therefore, that downsizing is likely to have negative long-run consequences.

If management uses ABC systems to justify downsizing, there is likely to be a backlash against and distrust of such systems by many managers. Instead, managers should seek to find new opportunities to productively make use of excess capacity. This can involve creating teams to look for ways to improve processes and cut costs. It is also useful to build in resources for ongoing maintenance. Finally, it is critical to focus on “practical” capacity rather than “theoretical” capacity, recognizing that neither humans nor machines can function productively 100% of the time – there needs to be “slack” built in to accommodate breaks, maintenance, and unexpected interruptions.

14.2. Why should accountants participate in product design?
What insights about costs can accountants contribute that differ from the perspectives of purchasing managers and engineers?

Product design is concerned with designing a product that meets customer requirements in terms of quality, durability, and functionality while also minimizing costs. Accountants can add value to the production team by using their expertise to help properly track and minimize costs. Accountants can collect past data and use it to project potential warranty and repair costs. They can also help analyze components used to identify those used in multiple products and those that are unique. They can then provide cost data about the unique products and ask engineering whether those parts can be replaced with components used on other products. Doing so will reduce a number of indirect product costs, especially those related to purchasing and carrying inventory. Most important, accountants provide a different perspective and may notice things or question assumptions that engineers and product designers take for granted.

14.3. Some companies have eliminated the collection and reporting of detailed analyses on direct labor costs broken down by various activities. Instead, first-line supervisors are responsible for controlling the total costs of direct labor. The justification for this argument is that labor costs represent only a small fraction of the total costs of producing a product and are not worth the time and effort to trace to individual activities. Do you agree or disagree with this argument? Why?

This question should create some debate. The important issues to keep in mind are:

• How will management use detailed labor data?
• What actions can be taken based on such data?
• How do the potential benefits of collecting and reporting detailed labor costs compare to the costs of processing that data?

The answers to these questions will determine whether the cost of collecting the data is less than its value.

14.4.
Typically, McDonald’s produces menu items in advance of customer orders based on anticipated demand. In contrast, Burger King produces menu items only in response to customer orders. Which system (MRP-II or lean manufacturing) does each company use? What are the relative advantages and disadvantages of each system?

McDonald’s uses MRP-II; Burger King uses JIT.

An advantage of MRP-II is that customer orders can be filled with less delay. A disadvantage is the potential for over-producing items that are not in high demand (in the case of McDonald’s, this could be either cold or stale food).

An advantage of JIT is that it facilitates customization. A disadvantage is delay in filling customer orders (i.e., longer wait times) if there is an unanticipated large increase in demand.

The two systems also differ in terms of implications for the supply chain: because MRP-II systems rely on maintaining a larger supply of raw materials than JIT systems, they are less vulnerable to short-term interruptions in the supply chain due to strikes or natural disasters that may disrupt deliveries.

14.5 Some companies have switched from a “management by exception” philosophy to a “continuous improvement” viewpoint. The change is subtle, but significant. Continuous improvement focuses on comparing actual performance to the ideal (i.e., perfection). Consequently, all variances are negative (how can you do better than perfect?). The largest variances indicate the areas with the greatest amount of “waste,” and, correspondingly, the greatest opportunity for improving the bottom line. What are the advantages and disadvantages of this practice?

An advantage of continuous improvement reports is that they combat the tendency for complacency. A disadvantage is that they can create too much pressure if expectations for improvement are unrealistic. Accountants can help avoid this by becoming involved in collecting and analyzing performance data to ensure that targets are realistic.
14-3 © 2009 Pearson Education, Inc. Publishing as Prentice Hall

SUGGESTED ANSWERS TO THE PROBLEMS

14.1. Match the terms in the left column with their definitions from the right column:

1. _c_ Bill of materials
2. _k_ Operations list
3. _l_ Master Production Schedule
4. _m_ Lean manufacturing
5. _j_ Production order
6. _d_ Materials requisition
7. _i_ Move ticket
8. _h_ Job-time ticket
9. _f_ Job-order costing
10. _a_ Cost driver
11. _b_ Throughput
12. _o_ Computer-integrated manufacturing

a. A factor that causes costs to change.
b. A measure of the number of good units produced in a period of time.
c. A list of the raw materials used to create a finished product.
d. A document used to authorize removal of raw materials from inventory.
e. A cost-accounting method that assigns costs to products based on specific processes performed.
f. A cost accounting method that assigns costs to specific batches or production runs and is used when the product or service consists of uniquely identifiable items.
g. A cost accounting method that assigns costs to each step or work center and then calculates the average cost for all products that passed through that step or work center.
h. A document that records labor costs associated with manufacturing a product.
i. A document that tracks the transfer of inventory from one work center to another.
j. A document that authorizes the manufacture of a finished good.
k. A document that lists the steps required to manufacture a finished good.
l. A document that specifies how much of a finished good is to be produced during a specific time period.
m. A production planning technique that is an extension of the just-in-time inventory control method.
n. A production planning technique that is an extension of the Materials Requirement Planning inventory control method.
o. A term used to refer to the use of robots and other IT techniques as part of the production process.
14.2 What internal control procedure(s) would best prevent or detect the following problems?

a. A production order was initiated for a product that was already overstocked in the company’s warehouse.

Base the master production schedule on
— Current data on product sales
— Product sales forecasts
— Quantities on hand
— Quantity scheduled or under production
Maintain accurate perpetual inventory records.

b. A production employee stole items of work-in-process inventory.

• Ensure good supervision by factory supervisors.
• Implement documentary control over quantities of in-process inventories and their movement through the factory (e.g., move tickets).
• Count/record quantities at each workstation and have both parties to any transfer acknowledge the transaction.

c. The “rush-order” tag on a partially completed production job became detached from the materials and lost, resulting in a costly delay.

— Use rush order tags
— Have production schedules indicate the high priority jobs.
— Configure the ERP system to prepare status reports of production so that failure to complete portions of the MPS will be detected on a timely basis.
— Use expediters to monitor work on high priority jobs.

d. A production employee entered a materials requisition form into the system in order to steal $300 worth of parts from the raw materials storeroom.

— Limit authority to prepare or authorize materials requisitions to production planning personnel and perhaps factory supervisors.
— Have recipient sign a copy of the requisition at the point of issue and send it to the accounting department for subsequent posting to the work-in-process records.
— Investigate significant unexplained variances between actual and recorded work in process.

e. A production worker entering job-time data on an online terminal mistakenly entered 3,000 instead of 300 in the “quantity-completed” field.
— Validate input by comparing the quantity entered with the quantity scheduled during the elapsed time.
— Flag any amounts that are unreasonably high or low and have the system display a request that the worker reenter the quantity.

f. A production worker entering job-time data on an online terminal mistakenly posted the completion of operation 562 to production order 7569 instead of production order 7596.

— Have the system keep track of which order each employee is working on and
   o Verify that the production order number properly corresponds to the employee number.
   o Verify that the operation number entered corresponds to the production order number entered.
— Have any lack of correspondence cause the system to request reentry of the input data.

g. A parts storeroom clerk issued parts in quantities 10% lower than those indicated on several materials requisitions and stole the excess quantities.

The discrepancy should show up in an unfavorable materials usage variance, since the shortage will necessitate requesting additional goods. To deter this type of problem:
— Require the recipient of inventories from stores to sign a requisition for the exact quantities received
— Hold the recipient responsible for shortages to provide an incentive to accurately count what is received.

h. A production manager stole several expensive machines and covered up the loss by submitting a form to the accounting department indicating that the missing machines were obsolete and should be written off as worthless.

— Limit authority to write off expensive machines to management
— Document all transactions involving the acquisition or disposal of fixed assets.
— Require a dual authorization; that is, two separate members of management must authorize the disposal of obsolete machinery.
— Have someone not involved in the transaction review it prior to disposing of the equipment.

i. The quantity-on-hand balance for a key component shows a negative balance.
— Use sign checks on master file balances after every file update
— Reconcile recorded amounts with a physical count of inventory
— Determine cause of errors and take corrective action to eliminate it.

j. A factory supervisor accessed the operations list file and inflated the standards for work completed in his department. Consequently, future performance reports show favorable budget variances for that department.

— Restrict update access to operations list to a limited number of authorized supervisors of the engineering and product design teams.
— Review all changes to the operations list on a regular and timely basis
— Use variance analysis to determine the difference between standard and actual usage and investigate any material differences

k. A factory supervisor wrote off a robotic assembly machine as being sold for salvage, but actually sold the machine and pocketed the proceeds.

• Limit authority to write off machines to management
• Document all transactions involving the acquisition or disposal of fixed assets.
• Require a dual authorization; that is, two separate members of management must authorize the disposal of obsolete machinery.
• Have someone not involved in the transaction review it prior to disposing of the equipment.

l. Overproduction of a slow-moving product resulted in excessive inventory that had to eventually be marked down and sold at a loss.

• Create a Master Production Schedule based on information from sales forecasts and customer orders, taking into account inventory on hand.

14.3 Use Table 14-1 to create a questionnaire checklist that can be used to evaluate controls for each of the basic activities in the production cycle (product design, planning and scheduling, production operations, and cost accounting).

a. For each control issue, write a Yes/No question such that a “No” answer represents a control weakness.
A wide variety of questions is possible. Below is a sample list:

Question    Yes    No

1. Is access to production master data (production orders, inventory, master production schedule, etc.) restricted?
2. Is the production master data regularly reviewed and all changes investigated?
3. Is production data encrypted while stored in the database?
4. Does a backup and disaster recovery plan exist?
5. Have backup procedures been tested within the past year?
6. Are appropriate data entry edit controls used?
7. Is a perpetual inventory of raw materials components maintained?
8. Are physical counts of raw materials inventory taken regularly and used to adjust the perpetual inventory records?
9. Are competitive bids used when ordering fixed assets?
10. Are reports prepared showing the number of unique components for each finished product?
11. Are warranty and repair costs tracked for each finished product?
12. Is a Master Production Schedule (MPS) created and followed?
13. Are materials requisitions used to authorize and document removal of raw materials from inventory?
14. Are move tickets used to document transfers of raw materials and work-in-process in the factory?
15. Are the disposals of fixed assets documented?
16. Is there insurance against losses due to fire, flood, or other disaster?

b. For each Yes/No question, write a brief explanation of why a “No” answer represents a control weakness.

Question    Reason a “No” answer represents a weakness

1. Unrestricted access to the production master data could result in disclosure of trade secrets or creation of unauthorized production orders.
2. Failure to investigate all changes to production master data may allow errors to remain undetected that result in over- or under-production of finished goods.
3. Failure to encrypt production data can result in the unauthorized disclosure of sensitive information.
4. If a backup and disaster recovery plan does not exist, the organization may lose important data.
5. If the backup plan is not regularly tested, it may not work.
6. Without proper data entry edit controls, errors may occur in recording production operations, which may result in inventory valuation errors, over- or under-production, or poor pricing decisions.
7. Without a perpetual inventory system, shortages and excess inventory are more likely.
8. Without periodic physical counts and any necessary inventory records adjustments, the perpetual inventory records are likely to be incorrect.
9. Without competitive bids, purchases may be at higher than necessary prices.
10. Failure to track the number of common and unique components used can result in poor product design or excessive costs of production and inventory.
11. Failure to trace warranty and repair costs to specific finished products precludes correcting poor product designs.
12. Without a Master Production Schedule, unauthorized production orders could result in over-production of finished goods. There could also be underproduction of finished goods.
13. Failure to document transfer of raw materials from inventory stores can lead to theft.
14. Not documenting the transfer of raw materials and work-in-process can prevent discovery of theft and make it difficult to identify the perpetrator.
15. Not documenting the disposal of fixed assets can cover up theft and make it difficult to identify the perpetrator.
16. Lack of adequate insurance exposes the organization to the risk of substantial monetary loss in the event of an insurable incident.

14.4 You have recently been hired as the controller for a small manufacturing firm that makes high-definition televisions. One of your first tasks is to develop a report measuring throughput. Describe the data required to measure throughput and the most efficient and accurate method of collecting that data.
Throughput = A x B x C, where
A = total production (units) / processing time
B = processing time / total elapsed real time
C = good units / total production (units)

A x B x C reduces down to good units / total elapsed real time.

The key data needed are:
• total production in units
• good units produced (i.e., those without defects)
• time spent performing production tasks
• total time

The AIS can calculate total time by recording 1) the time when the production order was released and 2) the time when it was completed and the products were placed into finished goods inventory.

Total time spent in operations (processing time) can be collected by measuring the time spent on each operation. This can be most accurately done with badge or card readers at each station.

Total production can be recorded by counting (with bar-code scanners or using RFID tags, if possible) all units produced at each step of the manufacturing process. Subtracting defective units from total production yields good production.

Production in multi-stage processes is probably the most difficult to measure accurately, especially if defects are identified continuously because then it is necessary to track all such partially completed work to obtain a more accurate measure of throughput.

14.5 The Joseph Brant Manufacturing Company makes athletic footwear. Processing of production orders is as follows: At the end of each week, the production planning department prepares a master production schedule (MPS) that lists which shoe styles and quantities are to be produced during the next week. A production order preparation program accesses the MPS and the operations list (stored on a permanent disk file) to prepare a production order for each shoe style that is to be manufactured. Each new production order is added to the open production order master file stored on disk.
Each day, parts department clerks review the open production orders and the MPS to determine which materials need to be released to production. All materials are bar-coded. Factory workers work individually at specially designed U-shaped work areas equipped with several machines to assist them in completely making a pair of shoes. Factory workers scan the bar-codes as they use materials. To operate a machine, the factory workers swipe their ID badge through a reader. This results in the system automatically collecting data identifying who produced each pair of shoes and how much time it took to make them. Once a pair of shoes is finished, it is placed in a box. The last machine in each work cell prints a bar-code label that the worker affixes to the box. The completed shoes are then sent to the warehouse.

a. Prepare a data flow diagram of all operations described.

[Data flow diagram. Processes: 1.0 Plan Production; 2.0 Prepare Production Order; 3.0 Perform Production Operation. Data stores and flows shown: inventory QOH, sales forecasts, MPS, scheduled production, open production orders, operations list, bill of materials, production order, production orders, operations card, work activity.]

b. What control procedures should be included in the system?
A large number of controls are possible, including the following:

• Access Control - User ID and Password
• Compatibility Test - Password
• Preformatting or Prompting - All Data Entered
• Record Count - # of Transactions
• Validity Check - Product Code Number
• Limit Check - Production Quantity
• Field Check - Production Date
• Field Check - Quantity
• Completeness Test - Each Record
• File Library - Log Master Files
• External Labels - Master Files
• Header Labels - Master Files
• Backup Copy - Operations List and Bill of Materials
• Backup Copy - Production Orders
• Record Count - # of Operations
• Sequentially Numbered Product Orders
• Reasonableness Check - Date Completed versus date started
• Validity Check - Employee Number
• Reasonableness Test - Elapsed Time

14.6 The XYZ company’s current production processes have a scrap rate of 15% and a return rate of 3%. Scrap costs (wasted materials) are $12 per unit; warranty/repair costs average $60 per unit returned. The company is considering the following alternatives to improve its production processes:

• Option A: Invest $400,000 in new equipment. The new process will also require an additional $1.50 of raw materials per unit produced. This option is predicted to reduce both scrap and return rates by 40% from current levels.
• Option B: Invest $50,000 in new equipment, but spend an additional $3.20 on higher quality raw materials per unit produced. This option is predicted to reduce both scrap and return rates by 90% from current levels.
• Option C: Invest $2,000,000 in new equipment. The new process will require no change in raw materials. This option is predicted to reduce both scrap and return rates by 50% from current levels.

a. Assume that current production levels of 1,000,000 units will continue. Which option do you recommend? Why?
At current production levels of 1,000,000 units, none of the options reduce total costs, but option B results in the smallest increase in total costs.

Option A:
Investment = $400,000 + $1.5 x 1,000,000 units = $1,900,000.
Savings = $1,440,000:
Reduced scrap costs = 40% x 15% x $12 x 1,000,000 units = $720,000
Reduced warranty/repair costs = 40% x 3% x $60 x 1,000,000 units = $720,000

Option B:
Investment = $50,000 + $3.2 x 1,000,000 units = $3,250,000
Savings = $3,240,000:
Reduced scrap costs = 90% x 15% x $12 x 1,000,000 units = $1,620,000
Reduced warranty/repair costs = 90% x 3% x $60 x 1,000,000 units = $1,620,000

Option C:
Investment = $2,000,000
Savings = $1,800,000:
Reduced scrap costs = 50% x 15% x $12 x 1,000,000 units = $900,000
Reduced warranty/repair costs = 50% x 3% x $60 x 1,000,000 units = $900,000

b. Assume that because all of the proposed changes will increase product quality, that production will jump to 1,500,000 units. Which option do you recommend? Why?

At production levels of 1,500,000 units, options B and C both reduce total costs. Option C, however, reduces them the most.

Option A:
Investment = $400,000 + $1.5 x 1,500,000 units = $2,650,000.
Savings = $2,160,000:
Reduced scrap costs = 40% x 15% x $12 x 1,500,000 units = $1,080,000
Reduced warranty/repair costs = 40% x 3% x $60 x 1,500,000 units = $1,080,000

Option B:
Investment = $50,000 + $3.2 x 1,500,000 units = $4,850,000
Savings = $4,860,000:
Reduced scrap costs = 90% x 15% x $12 x 1,500,000 units = $2,430,000
Reduced warranty/repair costs = 90% x 3% x $60 x 1,500,000 units = $2,430,000

Option C:
Investment = $2,000,000
Savings = $2,700,000:
Reduced scrap costs = 50% x 15% x $12 x 1,500,000 units = $1,350,000
Reduced warranty/repair costs = 50% x 3% x $60 x 1,500,000 units = $1,350,000

14.7 EXCEL PROBLEM

a. Create the following spreadsheet

b.
Create formulas to calculate
• Accumulated depreciation (all assets use the straight line method; all assets acquired any time during the year get a full year’s initial depreciation)
• Current year’s depreciation (straight-line method, full amount for initial year in which asset acquired)
• Ending accumulated depreciation
• Net book value at end of period
• Current year in the cell to the right of the phrase “Depreciation schedule for year”
• Column totals for acquisition cost, beginning depreciation, current depreciation, ending accumulated depreciation, net book value
• In the cell to the right of the arrow following the text “Cross-footing test” create a formula that checks whether the sum of the net book value column equals the sum of acquisition costs minus the sum of ending accumulated depreciation. If the two values match, the formula should display the text “Okay” otherwise it should display the text “Error”

c. Create a table at the bottom of your worksheet that consists of two columns:
• Asset name (values should be chair, desk, laptop, monitor, software, and workstation)
• Net book value (create a formula to calculate this number) assuming that the current date is 06/30/2010
• Create a formula that sums the total net book values for all classes of assets
• In the cell to the right of the total net book values for all asset classes, create a formula that compares the total net book values for all classes of assets to the sum of all net book values in the top portion of the spreadsheet. The formula should return “Okay” if the two totals match or “Error: Sum of net book values by asset class does not equal sum of all net book values” if the two totals do not equal one another.

d. Enter your name in row 1 in the cell to the right of the text “Name”

Note: this solution was created assuming that the current year is 2011.
Therefore, when using the problem in subsequent years, you may want to have students increment all years initially placed in service by one.

Useful formulas:

• Current year: =YEAR(TODAY()) – this calculates the current year. In cell E2, it is currently set to increment by 1 because the solution was created in 2010, but designed to mimic 2011. Therefore, when using this problem in 2011 and subsequent years, students should not increment it by 1, but simply have the formula =YEAR(TODAY()) to return the value of the current year.
• Excel has a built-in function for computing straight-line depreciation: SLN. The SLN function takes three arguments: cost, salvage value, and estimated life: SLN(cell with cost, cell with salvage value, cell with estimated life).
• Beginning accumulated depreciation equals the minimum of actual accumulated depreciation, if the asset is not yet at the end of its useful life, or acquisition cost minus salvage value if it is past the end of its useful life. In the solution, beginning accumulated depreciation is based on running the spreadsheet in 2011. When using this problem in 2012 and subsequent years, you should have students increment the acquisition years by one so that the answer remains the same as shown. Note that the formula references cell E2 to facilitate use in any year: =MIN(VALUE($E$2-YEAR(D5))*SLN(F5,G5,E5),F5-G5). IMPORTANT: be sure that student formulas reference only cell E2 ($E$2), but use relative references for all other terms.
• Current period depreciation is either the result of the straight-line depreciation calculation, if the asset has not yet been fully depreciated, or zero: =IF(F5-H5=G5,0,SLN(F5,G5,E5))
• Ending Accumulated depreciation: =H5+I5
• Net book value equals acquisition cost less accumulated depreciation. Thus for the desk (account 11001) the formula is =F5-J5.
• Cross-foot test: =IF(K19=F19-J19,"Okay","Error")
• Net book values for asset classes: =SUMIF($C$5:$C$17,C22,$K$5:$K$17) – copy down, note that second entry does NOT use absolute cell references
• Cross-foot check of net book values by class versus by asset: =IF(D28=K19,"okay","Error: Sum of net book values by asset category does not equal total net book values")

14.8 EXCEL PROBLEM
Task: Use Excel and the Solver add-in to explore the effect of various resource constraints on the optimal product mix.

a. Read the article “Boost Profits With Excel,” by James A. Weisel in the December 2003 issue of the Journal of Accountancy (available online at the AICPA’s Web site, www.aicpa.org).

b. Download the sample spreadsheet discussed in the article and print out the screenshots showing that you used the Solver tool as discussed in the article.

To load Solver in Excel 2007, click on the “Microsoft Office Button” in the upper left corner of an Excel spreadsheet. Then click on Excel Options to open the following screen, select Add-Ins, highlight “Solver Add-in” and click the “Go” button:

This brings up the following pop-up window. Select the “Solver Add-in” and click OK.

Then, to use Solver:
1. Move to the Data tab and then click on ?/arrow symbol in the Solver
2. Then enter the values in the cells in the Solver pop-up window as instructed in the article:
3. Choose “Keep Solver Solution” and click OK
4. The result is the following spreadsheet as shown in the article:
5. Students should save screen shots to show that they have followed the remaining steps in the article.
Clicking “Solve” and then “Keep the Solver Solution” yields the following spreadsheet, as shown in the article:

Finally, adjusting the total amount of labor hours and dollars and re-running the Solver yields the final spreadsheet depicted in the article:

c. Rerun the Solver program to determine the effect of the following actions on income (print out the results of each option):
• Double market share limitations for all three products
• Double market share limitations for all three products plus the following constraint: sauce case sales cannot exceed 50% of the sum of soup and casserole case sales

14.9 EXCEL PROBLEM
Create the spreadsheet shown in Figure 14-11. Write formulas to calculate the total depreciation expense and to display the correct values in the following three columns: Age, Depreciation Rate, and Depreciation Expense. (Hint: You will need to use the VLOOKUP and MATCH functions to do this. You may also want to read the article “Double-Teaming In Excel,” by Judith K. Welch, Lois S. Mahoney, and Daniel R. Brickner, in the November 2005 issue of the Journal of Accountancy, from which this problem was adapted).

Solution is on next page:

Depreciation expense formula: =VLOOKUP(J5,$A$4:$D$14,MATCH(H5,$A$4:$D$4,0)) - explanation of formula:
• The age column subtracts the year the asset was purchased from the reference year in cell H3. It then adds one to that value because the year the asset is purchased is its first year of depreciation.
• The VLOOKUP function extracts tax rate from the tax table.
The first argument to the VLOOKUP function is the asset’s age. The second argument is the location of the VLOOKUP table (cells A4 to D14, using absolute references so that the formula can be correctly copied). The third argument is the row in which to find the answer. In this case, the row is given by the result of the MATCH function.
• The first argument of the MATCH function is the cell which contains the asset class (column H). The second argument indicates where the column headings are for the different classes (A4:D4). The third argument (0) indicates the match type where 0 means an exact match.

SUGGESTED ANSWERS TO THE CASES

CASE 14-1 The Accountant and CIM
Examine issues of the Journal of Accountancy, Strategic Finance, and other business magazines for the past three years to find stories about current developments in factory automation. Write a brief report that discusses the accounting implications of one development: how it affects the efficiency and accuracy of data collection and any new opportunities for improving the quality of performance reports. Also discuss how the development affects the risks of various production cycle threats and the control procedures used to mitigate those risks.

There is no one correct answer. In addition to grading on writing quality, be sure that students fulfill task requirements (i.e., describe the development, the controller’s role, and the effect on production cycle threats). The logical reasoning used to support any analysis should also be evaluated.

CHAPTER 15 THE HUMAN RESOURCES MANAGEMENT/PAYROLL CYCLE

SUGGESTED ANSWERS TO DISCUSSION QUESTIONS

15.1 This chapter noted many of the benefits that can arise by integrating the HRM and payroll databases. Nevertheless, many companies maintain separate payroll and HRM information systems. Why do you think this is so? (Hint: Think about the differences in employee background and the functions performed by the HRM and payroll departments.)
Payroll and HRM systems are separate in many companies because integration was generally not feasible using early data processing technology. Also, different events generate data and two different professions were interested in using the data. As a result, many companies (and their employees) became accustomed to having payroll data processed by the accounting function and personnel data processed by the human relations function.

Now that modern information technology makes integration more feasible, employees in some companies are still likely to resist suggestions for change because they are comfortable with the old way of doing things. In addition, employees within the accounting and personnel functions probably feel some degree of "ownership" of "their" data, and this is taken away when control of these data is transferred to a centralized data base function.

Reasons for integrating the personnel and HRM systems include the following:
• Integration will improve decision-making by providing access to more of the relevant data needed for monitoring employee development.
• It is logical, since both systems are organized around the same entity: the employee.
• It should facilitate the retrieval and utilization of employee data when the data required would otherwise have to be obtained from both data bases.
• It should facilitate the process of updating employee data, since a single update process would replace two separate updating processes.
• It should simplify the development and implementation of more complex compensation schemes, such as flexible benefits or incentive pay.
• Centralizing the administration of employee data under the control of database management software should enhance data security.
• It should minimize or eliminate the cost of storing identical data in two different databases.
• It should minimize or eliminate the confusion that might otherwise arise when two different databases use different data definitions, or report different values, for the same data item.

15.2 Some accountants have advocated that a company’s human assets be measured and included directly in the financial statements. For example, the costs of hiring and training an employee would be recorded as an asset that is amortized over the employee’s expected term of service. Do you agree or disagree? Why?

This question should generate some debate. The issue is the trade-off between “subjectivity” in measuring the value of a company’s investment in the knowledge and skills of its employees versus the usefulness of at least attempting to explicitly measure those assets. In the “information era” the value of a company’s employee knowledge base is increasingly important. Attempting to measure it should facilitate more effective management of this resource by focusing more attention on it. Some companies, such as Dow Chemical and Skandia, have attempted to formally provide stockholders with information about the company’s intellectual capital, but such efforts have not become mainstream because of the inherent subjectivity.

15.3 You are responsible for implementing a new employee performance measurement system that will provide factory supervisors with detailed information about each of their employees on a weekly basis. In conversation with some of these supervisors, you are surprised to learn they do not believe these reports will be useful. They explain that they can already obtain all the information they need to manage their employees simply by observing the shop floor. Comment on that opinion.

Formal reports on employee performance are not intended to replace direct observation, but to supplement it.
Direct observation is important, but a manager cannot observe all employees all the time. It is also difficult to accurately summarize detailed observations across time.

How could formal reports supplement and enhance what the supervisors learn by direct observation?

Well-designed reports provide quantitative summary measures of aspects of employee performance that are believed to be important to the achievement of the organization’s goals. Quantitative measures facilitate tracking performance trends over time. These benefits, however, will be difficult for many managers to understand until they have had experience in using such reports.

There are also legal issues at stake. If an employee or former employee brings suit against the employer, supporting documentation may justify the employer’s position.

15.4 One of the threats associated with having employees telecommute is that they may use company-provided resources (e.g., laptop, printer, etc.) for a side business. What are some other threats?

Other threats are:
1. Not working or working less productively than if the employees were working onsite.
2. Security risks, such as the employee not proactively maintaining proper antivirus and patch management practices or not protecting and/or backing up their data adequately.
3. Inappropriate use of company hardware (e.g., gambling, visiting pornographic websites, etc.).
4. An increased risk of loss of confidentiality and privacy if sensitive data is stored on the remote computer. Such remote storage may also violate privacy regulations, such as HIPAA.

What controls can mitigate the risk of these threats?

The solutions to these potential threats primarily involve monitoring and the use of security controls discussed in chapter 8. For example, software exists to enable companies to monitor employees, including what they do on the Internet.
In addition, a company could require that telecommuting employees log in to their company’s network and store all work-related files on the company’s network and not on their home machines. The VPN connection could be configured to restrict what employees can do, such as preventing local storage of sensitive data, and to require updates of anti-virus and security software. The VPN software should also be designed to prevent employees from simultaneously opening a VPN connection to the corporate network and a second connection to their ISP (i.e., disable split-tunneling).

15.5 How would you respond to the treasurer of a small charity who tells you that the organization does not use a separate checking account for payroll because the benefits are not worth the extra monthly service fee?

A separate payroll account limits the organization’s exposure to only the amount of cash deposited into the payroll account. A separate account is also easier to reconcile and to detect any errors or irregularities.

15.6 This chapter discussed how the HR department should have responsibility for updating the HRM/payroll database for hiring, firing, and promotions. What other kinds of changes may need to be made?

Other types of changes include name changes (usually due to change in marital status), number of dependents, voluntary extra withholdings, and address changes.

What controls should be implemented to ensure the accuracy and validity of such changes?

Allow employees to make these changes through a web-based application available on the organization’s intranet. The application should include processing integrity checks to prevent invalid entries. Closed loop verification (displaying all changes to the employee) should also be used.
To ensure validity, multi-factor authentication should be required to enter such changes. Strict access controls should be implemented to protect the master database. A detective control is to separately notify the employee of changes that were made and ask for confirmation that they are valid.

SUGGESTED ANSWERS TO THE PROBLEMS

15.1 Match the terms in the left column with the appropriate definition from the right column.

1. _e__ Payroll service bureau
2. _h__ Payroll clearing account
3. _g__ Earnings statement
4. _a__ Payroll register
5. _c__ Time card
6. _b__ Time sheet

a. A list of each employee’s gross pay, payroll deductions, and net pay in a multicolumn format.
b. Used to record the activities performed by a salaried professional for various clients.
c. Used to record time worked by an hourly-wage employee.
d. An organization that processes payroll and provides other HRM services.
e. An organization that processes payroll.
f. A list of all the deductions for each employee.
g. A document given to each employee that shows gross pay, net pay, and itemizes all deductions both for the current pay period and for the year-to-date.
h. Special general ledger account used for payroll processing.

15.2 What internal control procedure(s) would be most effective in preventing the following errors or fraudulent acts?

a. An inadvertent data entry error caused an employee’s wage rate to be overstated in the payroll master file.
• Have the personnel department maintain a hash total of employee wage rates.
• Check hash total against payroll master file total after each update.
• Test the reasonableness of wage rate changes during data entry to detect large errors.
• Have supervisors review departmental payroll expenses as a way of detecting these kinds of problems.

b.
A fictitious employee payroll record was added to the payroll master file.
• Use strong multifactor authentication techniques to restrict access to the payroll master data to authorized personnel in the HR department.
• Have the personnel department maintain a record count of the number of employees and check it against a record count generated during each payroll-processing run.
• Require positive identification of recipients as each paycheck is distributed. This would likely result in the paycheck not being claimed, which would then trigger an investigation.
• Periodically print and verify all changes to the payroll master file.

c. During data entry, the hours worked on an employee’s time card for one day were accidentally entered as 80 hours, instead of 8 hours.
• Use a limit check during data entry to check the hours-worked field for each employee transaction record. Management would set a limit that makes sense in their organization. If overtime was never allowed, they could use 8 hours for the limit. If overtime was permitted, they might decide instead to use 9 or 10 hours.

d. A computer operator used an online terminal to increase her own salary.
• Use passwords and an access control matrix to restrict access to authorized personnel.
• Use a compatibility test on all transactions entered to verify that the operator's password allows access and modification authority.
• Have the personnel department maintain a batch total of all salaries and check it against the corresponding total generated during each payroll run as a backup control.

e. A factory supervisor failed to notify the HRM department that an employee had been fired. Consequently, paychecks continued to be issued for that employee. The supervisor pocketed and cashed those paychecks.
• Implement a policy prohibiting supervisors from picking up or distributing paychecks.
Instead, have the payroll department distribute all paychecks.
• Investigate all unclaimed paychecks.

f. A factory employee punched a friend’s time card in at 1:00 P.M. and out at 5:00 P.M. while the friend played golf that afternoon.
• Use biometric controls to record time in and time out.
• Observe (in person or by video surveillance) time clock activity to uncover punching other people’s cards.
• Collect detailed job time data and prior to payroll processing reconcile it with data
  o Prepared or approved by factory supervisors, or
  o Captured with automated data collection equipment

g. A programmer obtained the payroll master file and increased his salary.
• Implement physical access controls such as a file library function to prevent programmers from having unsupervised access to production databases.
• Implement authentication and authorization controls such as user IDs, passwords, and access control matrix to limit access to all master files to authorized personnel.
• Have supervisors review reports of all changes to payroll master data to detect this type of fraud.
• Have the personnel department maintain a batch total of all salaries and check it against the corresponding total generated during each payroll run as a backup control.

h. Some time cards were lost during payroll preparation; consequently, when paychecks were distributed, several employees complained about not being paid.
• Prepare a record count of job time records before they are submitted for processing and compare record count subsequent to data entry against the number of paychecks prepared.
• Reconcile job time records to employee clock cards.
• Print a payroll register report with the paychecks. The total number of employees should match the number in the payroll master file.
• Promptly investigate any discrepancies.

i.
A large portion of the payroll master file was destroyed when the disk pack containing the file was used as a scratch file for another application.
• Use internal and external file labels to identify the contents and expiration date of all active files.
• Train computer operators to carefully examine external file labels before file processing begins.
• Have all programs check internal file labels prior to processing.
• Maintain backup copies of all current files.

j. The organization was fined $5000 for making a late quarterly payroll tax payment to the IRS.
• Use IRS Publication Circular E, which provides instructions for making required remittances of payroll taxes, to configure the system to make payroll tax payments.
• Set up a quarterly “tickler” or reminder message to the cashier about making the required payroll tax remittance.

15.3 You have been hired to evaluate the payroll system for the Skip-Rope Manufacturing Company. The company processes its payroll in-house. Use Table 15-1 as a reference to prepare a list of questions to evaluate Skip-Rope’s internal control structure as it pertains to payroll processing for its factory employees. Each question should be phrased so that it can be answered with either a yes or a no; all no answers should indicate potential internal control weaknesses. Include a third column listing the potential problem that could arise if that particular control were not in place. (CPA Exam, adapted)

Columns: Question; Y/N; Threat if control missing

1. Are payroll changes (hires, separations, salary changes, overtime, bonuses, promotions, etc.) properly authorized and approved?
   Threat if control missing: Unauthorized pay raises and fictitious employees.
2. Are discretionary payroll deductions and withholdings authorized in writing by employees?
   Threat if control missing: Errors; employee lawsuits; penalties if tax code violated.
3. Are the employees who perform each of the following payroll functions independent of the other five functions?
   • personnel and approval of payroll changes
   • preparation of payroll data
   • approval of payroll
   • signing of paychecks
   • distribution of paychecks
   • reconciliation of payroll account
   Threat if control missing: Fraud; theft of paychecks.
4. Are changes in standard data on which payroll is based (hires, separations, salary changes, promotions, deduction and withholding changes, etc.) promptly input to the system to process payroll?
   Threat if control missing: Errors in future payroll; possible fines and penalties.
5. Is gross pay determined by using authorized salary rates and time and attendance records?
   Threat if control missing: Over/under payment of employees.
6. Are clerical operations in payroll preparation verified?
   Threat if control missing: Errors not detected.
7. Is payroll preparation and recording reviewed by supervisors or internal audit personnel?
   Threat if control missing: Errors not detected and corrected.
8. Is access to payroll master data restricted to authorized employees?
   Threat if control missing: Unauthorized changes in pay rates or creation of fictitious employees.
9. Are paychecks approved by reviewing the payroll register before payroll checks are issued?
   Threat if control missing: Fraudulent paychecks.
10. Is a separate checking account used for payroll?
   Threat if control missing: Greater risk of paycheck forgery; harder to reconcile payroll.
11. Is the payroll bank account reconciled to the general ledger by someone not involved in payroll or paycheck distribution?
   Threat if control missing: Failure to detect errors.
12. Are payroll bank reconciliations properly approved and differences promptly followed up?
   Threat if control missing: Failure to detect and correct problems.
13. Is the custody and follow-up of unclaimed salary checks assigned to a responsible official?
   Threat if control missing: Theft of paychecks. Failure to detect fake employees.
14. Are differences reported by employees followed up on a timely basis by persons not involved in payroll preparation?
   Threat if control missing: Cover-up of fraud.
15. Are there procedures (e.g., tickler files) to assure proper and timely payment of withholdings to appropriate bodies and to file required information returns?
   Threat if control missing: Fines and/or penalties.
16. Are employee compensation records reconciled to control accounts?
   Threat if control missing: Inaccurate records; failure to detect and correct errors.
17. Is access to personnel and payroll records, checks, forms, signature plates, etc. limited?
   Threat if control missing: Fraudulent payroll.
18. Is payroll master data encrypted both in storage and during transmission over the Internet?
   Threat if control missing: Unauthorized disclosure of sensitive information.
19. Is payroll master data regularly backed up?
   Threat if control missing: Loss of data.
20. Are credentials of job applicants verified?
   Threat if control missing: Hiring larcenous or unqualified employees.
21. Are hiring, firing, and performance evaluation processes performed in accordance with applicable laws and such practices documented?
   Threat if control missing: Possible violations of employment laws.

15.4 Although most medium and large companies have implemented sophisticated payroll and HRM systems like the one described in this chapter, many smaller companies still maintain separate payroll and HRM systems that employ many manual procedures. Typical of such small companies is the Kowal Manufacturing Company, which employs about 50 production workers and has the following payroll procedures:

The factory supervisor interviews and hires all job applicants. The new employee prepares a W-4 form (Employee’s Withholding Exemption Certificate) and gives it to the supervisor. The supervisor writes the hourly rate of pay for the new employee in the corner of the W-4 form and then gives the form to the payroll clerk as notice that a new worker has been hired.
The supervisor verbally advises the payroll department of any subsequent pay raises. A supply of blank time cards is kept in a box near the entrance to the factory. All workers take a time card on Monday morning and fill in their names. During the week they record the time they arrive and leave work by punching their time cards in the time clock located near the main entrance to the factory. At the end of the week the workers drop the time cards in a box near the exit. A payroll clerk retrieves the completed time cards from the box on Monday morning. Employees are automatically removed from the payroll master file when they fail to turn in a time card. The payroll checks are manually signed by the chief accountant and then given to the factory supervisor, who distributes them to the employees. The factory supervisor arranges for delivery of the paychecks to any employee who is absent on payday. The payroll bank account is reconciled by the chief accountant, who also prepares the various quarterly and annual tax reports.

a. Identify weaknesses in current procedures, and explain the threats that they may allow to occur.

1. Weakness: Factory supervisor hires all job applicants and forwards their W-4 form to the payroll clerk.
   Threat: The factory supervisor could hire fictitious employees and submit their W-4 form.
2. Weakness: Factory supervisor verbally informs payroll of all employee pay raises.
   Threat: No documentation on pay raises could lead to employee disputes and litigation. The factory supervisor could give the fictitious employees raises.
3. Weakness: Factory supervisors determine pay rates.
   Threat: Factory supervisors can overpay or underpay new hires.
4. Weakness: Blank time cards are readily available.
   Threat: An employee could have another employee fill out a time card when they were late or not even at work.
5. Weakness: Weekly time cards are not collected until the next Monday.
   Threat: Time cards could be altered over the weekend with fictitious or false information in the case of a vendetta against another employee. Someone could “fire” an employee by removing his timecard over the weekend.
6. Weakness: Employees are automatically removed from the payroll master if they do not turn in a timecard.
   Threat: A sick employee or one on vacation could be “fired” because they did not turn in a timecard.
7. Weakness: The factory supervisor distributes pay checks.
   Threat: The supervisor can conveniently keep the pay checks of fictitious or fired employees.

b. Suggest ways to improve the Kowal Manufacturing Company’s internal controls over hiring and payroll processing. (CPA Examination, adapted)

1. A system of advice forms should be installed so that new hires, terminations, rate changes, etc., are reported to the payroll department in writing. Such forms should be submitted by the employee and verified by the appropriate supervisor.
2. Before applicants are hired, their backgrounds should be investigated by contacting references to determine that they are honest and have no undesirable personal characteristics.
3. The supply of blank time cards should be removed. At the beginning of each week the payroll department should provide each worker with a time card with his name typed or printed on it.
4. The foreman should collect the time cards at the end of the week, approve them, and turn them over to the payroll clerk. All time cards should be accounted for and any missing cards investigated.
5. The payroll checks should be distributed to the workers by a responsible person other than the foreman. Unclaimed checks should be sent to internal audit until claimed by the worker.
In addition, the following changes should be made because the problem does not state that these procedures are being followed:
• If the Company has a cost system that requires the workers to prepare production reports or to account for their time by work tickets, the time cards and the production reports or work tickets should be compared.
• The payroll checks should be prenumbered to control their issuance.
• A responsible person other than the chief accountant and the payroll clerks should reconcile the payroll bank account.
• From time to time, an officer of the Company should witness a payroll distribution on a surprise basis.

15.5 Arlington Industries manufactures and sells engine parts for large industrial equipment. The company employs over 1,000 workers for three shifts, and most employees work overtime when necessary. Figure 15-10 depicts the procedures followed to process payroll. Additional information about payroll procedures follows:
• The HRM department determines the wage rates of all employees. The process begins when a form authorizing the addition of a new employee to the payroll master file is sent to the payroll coordinator for review and approval. Once the information about the new employee is entered in the system, the computer automatically calculates the overtime and shift differential rates for that employee.
• A local accounting firm provides Arlington with monthly payroll tax updates, which are used to modify the tax rates.
• Employees record time worked on time cards. Every Monday morning the previous week’s time cards are collected from a bin next to the time clock, and new time cards are left for employees to use.
The payroll department manager reviews the time cards to ensure that hours are correctly totaled; the system automatically determines if overtime has been worked or a shift differential is required.
• The payroll department manager performs all the other activities depicted in Figure 15-10.
• The system automatically assigns a sequential number to each payroll check. The checks are stored in a box next to the printer for easy access. After the checks are printed, the payroll department manager uses an automatic check-signing machine to sign the checks. The signature plate is kept locked in a safe. After the checks have been signed, the payroll manager distributes the paychecks to all first-shift employees. Paychecks for the other two shifts are given to the shift supervisor for distribution.
• The payroll master file is backed up weekly, after payroll processing is finished.
(CMA Examination, adapted)

a. Identify and describe at least three weaknesses in Arlington Industries’ payroll process.
• The payroll processing system at Arlington Industries violates the principle of segregation of duties. The same individual verifies time cards, inputs payroll information into the master file, prints the checks, machine-signs the checks, distributes the checks, and prepares the payroll journal entry.
• There is no authorization of employees' time cards by a supervisor or other objective party such as a timekeeper.
• Time cards are not stored securely when completed on Fridays.
• There is no authorization of overtime.
• The payroll checks are not prenumbered nor are they properly stored. As a result, there is no audit trail to verify check usage.
• Supervisors for the second and third shifts distribute paychecks.

b. Identify and describe at least two different areas in Arlington’s payroll processing system where controls are satisfactory.
• The personnel department determines the wage rate and initiates the setup of payroll records, which is a good example of segregation of duties.
• A backup of the master file is made after each weekly processing of the payroll.
• A local accounting firm provides Arlington Industries with updates on tax rates.
• Time cards are reviewed for accuracy.

15.6 Excel Problem
Objective: Learn how to find and correct errors in complex spreadsheets used for payroll.

a. Read the article “Ferret Out Spreadsheet Errors” by Mark G. Simkin, in the Journal of Accountancy (February 2004). You can find a copy online by accessing www.aicpa.org.

b. Download the worksheet referenced in the article.

c. Enter the following erroneous data in the worksheet you downloaded in step b:
• Change hours worked for Adams to 400,
• Change hours worked for Englert to 4, and
• Change hours worked for Hartford to –40.
Create a chart like that shown in Exhibit 2 of the article. Which of the errors are easily found by the chart? What are the strengths and limitations of creating such charts to detect errors? Print out your chart and save your work. Note: Disable data validation on the hours worked column in order to input erroneous data.

The errors on the time cards of Adams, Englert, and Hartford are easily identified. The chart clearly identifies the employees whose reported hours are different from their fellow employees. The downside of the chart is that it would be difficult to identify less obvious errors; for example, recording 41 hours instead of 40 hours may not be readily apparent.

d. Create the three data validation rules described in the article (Exhibits 4–7 illustrate how to create the first rule). Print out screen shots of how you create each rule, and save your work.
(Note: The article “Block That Spreadsheet Error” by Theo Callahan, in the Journal of Accountancy (August 2002) provides additional examples of data validation rules.)

Rule 1: Payrates must be between $6.75 and $14.00.
• Step 1: Select the relevant range of cells
• Step 2: On the data tab, select Data Validation
• Step 3: Complete the windows as follows:

Rule 2: Hours worked must be between 0 and 40

Rule 3: Overtime must be between 0 and 10

e. Follow the instructions for using the formula auditing tool. Print out a screen shot showing use of the tool to circle invalid data (yours should be similar to Exhibit 9 in the article).

Note: This is now another Data Validation feature. To test it, first change all validation rules from Stop to Warning on the Error Alert screen. Then highlight the three columns of data and select the “Circle Invalid Data” option to get the following results:

f. Follow the instructions to run the “trace precedents” audit tool. Print screen shots that show the results, and save your work. How useful is this tool? What are its limitations, if any?

The Trace Precedents tool is found on the formulas tab. It may help visually identify problems, but it may also be easy to overlook missing dots. (How easy is it to see that only the row for Adams has a dot in the regular hours column?)
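The limit checks from part d and the peer comparison that the chart in part c performs by eye catch different errors. The following Python sketch is an added example, not part of the original solution or the article's worksheet; the limits come from Rules 1 to 3 and the three erroneous hour values from part c, while every other row, the pay rates, and the 3.5 cutoff are constructed assumptions.

```python
from statistics import median

# Limits taken from the three data validation rules in part d.
RULES = {
    "payrate": (6.75, 14.00),
    "regular_hours": (0, 40),
    "overtime_hours": (0, 10),
}

# Constructed sample rows. Only the hour values for Adams (400), Englert (4)
# and Hartford (-40) come from part c; everything else is made up here.
TIMECARDS = [
    {"name": "Adams", "payrate": 9.50, "regular_hours": 400, "overtime_hours": 0},
    {"name": "Baker", "payrate": 8.25, "regular_hours": 40, "overtime_hours": 2},
    {"name": "Clark", "payrate": 10.00, "regular_hours": 38, "overtime_hours": 0},
    {"name": "Davis", "payrate": 7.75, "regular_hours": 41, "overtime_hours": 0},
    {"name": "Englert", "payrate": 12.00, "regular_hours": 4, "overtime_hours": 0},
    {"name": "Foster", "payrate": 11.50, "regular_hours": 40, "overtime_hours": 5},
    {"name": "Hartford", "payrate": 9.00, "regular_hours": -40, "overtime_hours": 0},
    {"name": "Ingram", "payrate": 13.00, "regular_hours": 36, "overtime_hours": 0},
]


def limit_violations(rows, rules=RULES):
    """Return {name: [field, ...]} for every value outside its allowed range."""
    flagged = {}
    for row in rows:
        bad = [f for f, (lo, hi) in rules.items() if not lo <= row[f] <= hi]
        if bad:
            flagged[row["name"]] = bad
    return flagged


def hour_outliers(rows, field="regular_hours", cutoff=3.5):
    """Flag values far from the peer median (modified z-score on the MAD).

    This is the numeric counterpart of spotting a bar that looks unlike
    its neighbours in the chart.
    """
    values = [row[field] for row in rows]
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        # All typical values are identical; anything different stands out.
        return [row["name"] for row in rows if row[field] != med]
    return [
        row["name"]
        for row in rows
        if 0.6745 * abs(row[field] - med) / mad > cutoff
    ]


def review(rows):
    """Combine both checks into one exception report per employee."""
    limits = limit_violations(rows)
    outliers = set(hour_outliers(rows))
    report = {}
    for row in rows:
        name = row["name"]
        reasons = [f"{field} outside limits" for field in limits.get(name, [])]
        if name in outliers:
            reasons.append("hours far from peers")
        if reasons:
            report[name] = reasons
    return report


if __name__ == "__main__":
    for name, reasons in review(TIMECARDS).items():
        print(f"{name}: {', '.join(reasons)}")
```

On this data the limit check flags Adams, Davis and Hartford, while the peer comparison flags Adams, Englert and Hartford: Englert's 4 hours is inside the 0 to 40 limit, and the constructed 41-hour entry for Davis is too close to its peers to stand out.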
g. Enter the following data for new employees (inserting new rows in proper order to maintain alphabetical listing of employees):
• Name = Able, payrate = 11.11, regular hours = 40, overtime hours = 5
• Name = Easton, payrate = 10.00, regular hours = 40, overtime hours = 0
• Name = Johnson, payrate = 12.00, regular hours = 35, overtime hours = 10
Which audit tests and validation rules change? Why? Print screen shots, and save your work.

Several audit tests and validation rules changed because their parameters were established with the unadjusted cell references. The following audit tests and validation rules should be adjusted to include the new entries:
• All input validation rules
• All Control totals using the CountIf formula
• All formulas used to calculate totals, minimums, and maximums
• Also need to adjust the formulas for calculating pay for Easton and Johnson

15.7 Excel Problem
Objective: Learn how to use the VLOOKUP function for payroll calculations.

a. Read the article “Make Excel a Little Smarter” by Lois S. Mahoney and Charles Kelliher in the Journal of Accountancy (July 2003). You can find a copy at www.aicpa.org.

b. Read the section titled “Data in Different Places” and create the spreadsheet illustrated in Exhibit 6. Print a screen shot of your work, and save your spreadsheet.

c. Create a formula that calculates total bonuses. Also create a cell entry that indicates what that number represents. Print a screen shot of your work, and save it.

In the Bonus column, click on the cell for the first Smith, choose the formulas tab, select “Lookup and Reference” and choose VLOOKUP.
Then complete the window as follows:

The result should be this formula:
=VLOOKUP(C7,$F$7:$G$13,2,TRUE)

Then copy this formula down the column and you will get the following spreadsheet:

d. Add the following data validation controls to your spreadsheet, including explanatory error messages. Save your work.
• Sales must be positive.
• Sales cannot exceed 125.
• Amount of bonus must be nonnegative.
• Amount of bonus cannot exceed 20% of unit sales.

The data validation for sales is:

The data validation for the bonus is:

e. Modify your worksheet by placing the sales data and resulting bonus on a different worksheet from the bonus table. Name your table array, and modify the VLOOKUP function accordingly. Then add another employee: Johnson, who sold 150 units. Print a screen shot of your new worksheet showing the bonuses for each employee, including Johnson. Save your work.

New VLOOKUP formula:
=VLOOKUP(B5,'Problem 15-7'!$F$7:$G$13,2,TRUE)

15.8 The local community feels that secondary school education is a necessity in our society and that lack of education leads to a number of social problems. As a result, the local school board has decided to take action to reverse the rising dropout rate. The board has voted to provide funds to encourage students to remain in school and earn their high school diplomas. The idea is to treat secondary education like a job and pay students. The board, however, could not agree on the details for implementing this new plan.
Consequently, you have been hired to devise a system to compensate students for staying in school and earning a diploma. As you devise your compensation scheme, be sure it meets the following general control objectives for the payroll cycle:
• All personnel and payroll transactions are properly authorized.
• All employees are assigned to do productive work, and they do it efficiently and effectively.
• All transactions are accurately recorded and processed.
• Accurate records are maintained.
• All disbursements are proper.

Write a proposal that addresses these five questions:
a. How should the students be compensated (e.g., for attendance, grades)?
b. How and by whom will the payments be authorized?
c. How will the payments be processed?
d. How should the payments be made (e.g., in cash or other means)?
e. When will the payments be made?

There is no one correct answer to this problem. Students should answer parts b, c, d and e as if they were developing a payroll system, regardless of how they answer part a. The following are some of the issues that need to be addressed:
• Who will have custody over records relating to student activity?
• Are controls in place to ensure that students actually receive their pay?
• What controls govern adding/deleting students from the database?
• How will attendance and grades be verified?
• How will the rewards be safeguarded? (e.g., if pay with cash, what controls will prevent employees from stealing the funds?)

15.9 What is the purpose of each of the following control procedures (i.e., what threats is it designed to mitigate)?

a. Compare a listing of current and former employees to the payroll register.
To make sure former employees are no longer on the payroll register and still drawing a paycheck.

b. Reconciliation of labor costs (based on job-time ticket data) with payroll (based on time card data).
To check for inaccurate or incomplete time data as well as errors in processing.

c. Direct deposit of paychecks.
To reduce the risk of theft of paychecks and to cut costs.

d. Validity checks on Social Security numbers of all new employees added to the payroll master file.
To prevent the addition of fictitious employees to the payroll.

e. Cross-footing the payroll register.
To check for inaccurate or incomplete payroll processing.

f. Limit checks on hours worked for each time card.
To prevent overpaying employees.

g. Use of a fingerprint scanner in order for employees to record the time they started and the time they quit working each day.
To ensure the validity of employee time and attendance data by preventing one employee from recording that another employee showed up for work when that person was really absent.

h. Encryption of payroll data both when it is electronically sent to a payroll service bureau and while at rest in the HR/payroll database.
To protect the confidentiality of payroll information.

i. Establishing a separate payroll checking account and funding it as an imprest account.
To limit the amount of funds at risk to the amount of the imprest fund; to make it easier to reconcile the payroll account and validate payroll expenses.

j. Comparison of hash totals of employee numbers created prior to transmitting time-worked data to payroll provider with hash totals of employee numbers created by payroll provider when preparing paychecks.
To ensure complete processing of all payroll transactions.

k. Periodic reports of all changes to payroll database sent to each department manager.
To detect unauthorized changes to the payroll master file.

l. Providing employees with earnings statements every pay period.
This is a detective control.
Employees will likely notice and report errors in payroll calculations as well as mistakes in various withholdings, retirement contributions, etc.

15.10 Excel Problem
Objective: Learn how to use text and array formulas to locate potential payroll problems.

a. Download the spreadsheet for this problem from the course Web site.

b. In column I, under the label “Ghost Employee?” write a function that compares the employee# in the timecards column to the employee# in the payroll master data column and displays the message: “Timecard employee# does not exist in master data” for any employee in the timecards columns who is not listed in the payroll master data columns. The function should leave the cell blank if the employee# in the timecards worksheet does exist in the payroll master file worksheet. (Hint: Use the ISNA and MATCH functions.)

formula:
=IF(ISNA(MATCH(A4,$E$4:$E$26,0)),"Timecard employee# does not exist in master data","")

The MATCH function compares the focal cell (in this case, the employee number in the timecard data from column A) to an array of values (in this case, the list of employee numbers in the payroll master data in column E) to look for an exact match (the value of the third argument is zero). If there is no match, the MATCH function returns the value N/A. The ISNA function returns the value true if that cell has the value N/A, and nothing otherwise. Therefore, the IF function will return the message that the employee number on the timecard does not exist in the master data if the MATCH function fails to find an exact match. The double quotes ensure that if the employee number does exist, then no message is returned.

c. In column L, titled “Invalid SSN?” write a function to identify invalid Social Security numbers.
Assume that Social Security numbers that begin with the digit 9 or that have the digits 00 for the middle two numbers are invalid. Your function should display a message that flags either of these two conditions or which displays nothing otherwise. (Hint: there are text functions that examine specific portions of a string, such as the left 3 characters, and there are also functions that convert text to numeric values.)

formula:
=IF(VALUE(MID(G4,5,2))=0,"SSN that with 00 as middle digits not valid",IF(VALUE(LEFT(G4,1))=9,"SSN that begin with 9xx are not valid",""))

Excel’s built-in text functions (MID and LEFT) are used here to parse social security numbers. The function MID takes three arguments: the first one indicates the cell to test (in this case, the social security numbers in column G); the second indicates the position to begin with (in this case, the fifth character which is the one immediately following the first hyphen in a social security number); and the third argument indicates how many digits to examine (in this case, 2, in order to check the middle two digits in a social security number). The LEFT function takes two arguments: the first one indicates the cell to test (in this case, the social security numbers in column G); the second indicates how many digits to examine (in this case, just the leftmost digit). The entire nested IF function then works as follows:
1. Test if the middle two digits are zero. If they are, return a message that a Social Security Number with the two middle digits of 00 is invalid.
2. If the two middle digits are not zero, then the second IF test is performed, which checks to see if the left-most digit is 9. If it is, then the formula returns the message “Social Security Numbers that begin with 9 are not valid”. If this test is also not true, then the social security number is valid and no message is displayed.

d.
In column P, titled “Missing Paycheck?” write a function to check whether a timecard exists for each employee in the master payroll data section of the worksheet. The formula should return either the message “No paycheck created for this employee” or display nothing.

Formula:
=IF(ISNA(MATCH(E4,$A$4:$A$25,0)),"No paycheck created for this employee","")

The MATCH function checks to see if the employee number in the master payroll data (column E) exists in the timecard data (column A). If it does, then the MATCH function is true. This means that the ISNA function is false. Therefore, the IF function displays nothing (the double quotes). If the employee number in the master payroll data (column E) does not exist in the timecard data (column A) the MATCH function returns the value N/A. Therefore, the ISNA function is true, and the IF statement displays the message that “No paycheck created for this employee.”

The solution looks like this:

SUGGESTED ANSWERS TO THE CASES

CASE 15-1 Research Report: HRM/Payroll Opportunities for CPAs

Payroll has traditionally been an accounting function and some CPAs have provided payroll processing services to their clients. Today, CPAs are finding additional new lucrative opportunities to provide not only payroll processing but also various HR services. Write a brief report that compares the provision of payroll and HR services by CPAs with that of national payroll providers. Perform the following research to collect the data for your report:
1. Read the articles “Be an HR Resource for Your Clients,” by Michael Hayes and “Hired Help: Finding the Right Consultant,” by Joanne Sammer, both of which were published in the November, 2006 issue of the Journal of Accountancy.
2.
Contact a local CPA firm that provides payroll and HR services and find out what types of services they perform and what types of clients they serve.

Reports will of course vary from student to student; however, the following presents some points that should appear in a student’s report:
1. CPAs naturally have the necessary skills to provide payroll and human resource (HR) services.
2. Although national payroll providers also provide the same services, CPAs are in a better position to provide those services and recommend benefit consultants due to their detailed knowledge of their client’s business, operations, and internal needs.
3. Even if a CPA does not offer payroll/HR services, they are in a good position to help their clients choose the consultant for the work that is required.
4. Some of the payroll/HR services a CPA can offer are as follows:
a. Payroll administration
b. Benefits administration
c. Retirement plan administration
d. Human resource consulting
e. Regulatory compliance
f. Outsourcing
g. Management recruiting
h. CFO outsourcing/consulting
i. Labor relations
j. Acquisition/divestiture HR related consulting

CHAPTER 16 GENERAL LEDGER AND REPORTING SYSTEM

SUGGESTED ANSWERS TO DISCUSSION QUESTIONS

16.1 Although XBRL facilitates the electronic exchange of financial information, some external users do not think it goes far enough. They would like access to the entire general ledger, not just to XBRL-tagged financial reports that summarize general ledger accounts. Should companies provide external users with such access? Why or why not?

No, companies should not provide access to their general ledger. Providing external users access to a company’s general ledger opens the company up to significant competitive and financial risk.

16.2 How can responsibility accounting and flexible budgets improve morale?
Responsibility accounting improves morale by holding managers accountable only for the activities over which they have control. In this way, they are not unfairly “punished” for poor performance that they could not alter. Flexible budgeting enables more accurate interpretation of deviations from budget. For example, if activity levels are higher than planned, then costs should also increase. Therefore, costs higher than the original budget may not be “bad” if they have risen at a rate less than or equal to the proportionate increase in activity.

16.3 Why is the audit trail an important control?

The audit trail is a detective control used to verify the accuracy and completeness of transaction processing. Tracing a set of source documents forward through the journal entries that updated the general ledger verifies that the transactions were actually recorded. Tracing changes in general ledger accounts back to source documents provides a way to verify that the transactions did indeed occur and that they were recorded correctly. Although an accounting system should employ a variety of processing integrity controls to prevent errors from occurring, preventive controls are never 100% effective. Therefore, they need to be supplemented with detective controls like an audit trail.

16.4 The balanced scorecard measures organizational performance along four dimensions. Is it possible that measures on the customer, internal operations, and innovation and learning dimensions could be improving without any positive change in the financial dimension? If so, what are the implications of such a pattern?

It may indeed be possible for measures on three dimensions of the balanced scorecard to improve, but for financial results to deteriorate. This may occur because the 3 other areas are leading indicators of financial performance. If so, the latter should soon begin to improve.
On the other hand, it may be that the measures developed for the other areas are flawed in that they do not address activities that customers value. Consequently, improved performance on those dimensions does not translate into improved profitability. In this case, management needs to redesign the nonfinancial dimensions of the Balanced Scorecard to include items that are causally related to future financial performance. Yet another possibility is that macroeconomic factors could be depressing earnings. Clearly, a company cannot continue indefinitely with declining financial performance. Top management needs to investigate the underlying causes of this pattern.

16.5 Do you think that mandatory standards should be developed for the design of graphs of financial data that are included in annual reports and other periodic communications to investors? Why or why not?

There is no right answer here but it should generate a good discussion. It may be helpful to start the discussion off by talking about the reporting standards of the SEC and FASB. It may also be useful to find annual reports or other financial news stories that contain graphs which violate one or more of the rules presented in this chapter, and ask students to discuss the effects, if any, of such violations. Should students support standards, a good follow-up topic concerns the type of audit guidance that would be helpful.

SUGGESTED ANSWERS TO THE PROBLEMS

16.1 Match the term in the left column with its appropriate definition from the right column:
1. __d__ journal voucher file
2. __k__ instance document
3. __a__ XBRL element
4. __f__ Balanced Scorecard
5. __l__ XBRL extension taxonomy
6. __i__ audit trail
7. __e__ XBRL taxonomy
8. __g__ XBRL linkbase
9. __h__ XBRL schema
10. __j__ XBRL style sheet
11. __b__ responsibility accounting
12. __c__ flexible budget

a. an individual financial statement item
b.
evaluating performance based on controllable costs
c. evaluating performance by computing standards in light of actual activity levels
d. the set of journal entries that updated the general ledger
e. a set of files that defines XBRL elements and specifies the relationships among them
f. a multi-dimensional performance report
g. a file that defines relationships among XBRL elements
h. a file that defines the attributes of XBRL elements
i. a detective control that can be used to trace changes in general ledger account balances back to source documents
j. a file that explains how to display an XBRL instance document
k. a file that contains specific data values for a set of XBRL elements for a specific time period or point in time
l. a file containing a set of customized tags to define new XBRL elements that are unique to a specific organization

16.2 Which control procedure would be most effective in addressing the following problems?

a. When entering a journal entry to record issuance of new debt, the treasurer inadvertently transposes two digits in the debit amount.
• Use a cross-footing balance check to test the equality of debits and credits

b. The spreadsheet used to calculate accruals had an error in a formula. As a result, the controller’s adjusting entry was for the wrong amount.
• Audit spreadsheets used to support journal entries

c. The controller forgot to make an adjusting entry to record depreciation.
• Create a set of standard adjusting entries

d. A sales manager tipped off friends that the company’s financial results, to be released tomorrow, were unexpectedly good.
• Implement access controls to prevent the sales manager from obtaining access to the general ledger and reporting system.

e. The general ledger master file is stored on disk. For some reason, the disk is no longer readable.
It takes the accounting department a week to reenter the past month’s transactions from source documents in order to create a new general ledger master file.
• Backup files more frequently.
• Create two copies of the backup files and store one on-site and the other off-site.

f. The controller sent a spreadsheet containing a preliminary draft of the income statement to the CFO by e-mail. An investor intercepted the e-mail and used the information to sell his stock in the company before news of the disappointing results became public.
• Encrypt sensitive financial information when it is transmitted over the Internet.

g. A company’s XBRL business report was incorrect because the controller selected the wrong element from the taxonomy.
• Train users on the proper use of the taxonomy to prevent this.
• Audit or validate the instance document prior to submission to detect this.

h. Instead of a zero, the letter o was entered when typing in data values in an XBRL instance document.
• Use processing integrity controls when entering data in instance documents.
• Use a field check to detect this kind of error.

16.3 Explain the components of an audit trail for verifying changes to accounts payable. Your answer should specify how those components can be used to verify the accuracy, completeness, and validity of all purchases, purchase returns, purchase discounts, debit memos, and cash disbursements.

The sum of all amounts owed to individual vendors would be computed and compared to the balance in the general ledger accounts payable control account. To verify all transactions, you would follow the audit trail to identify the voucher numbers, purchase order numbers, and receiving report numbers for all approved vendor invoices and use that list to select all source documents.
You could then recalculate the total amount purchased and the total cash disbursed. You could also recalculate all purchase discounts available and compare that to the amount taken. To verify vendor balances, you could recompute the effects of all purchases and payments on the beginning balance; this calculated figure should equal the new ending balance.

16.4 As manager of a local pizza parlor, you want to develop a balanced scorecard so you can more effectively monitor the restaurant’s performance.

a. Propose at least two goals for each dimension, and explain why those goals are important to the overall success of the pizza parlor. One goal should be purely performance-oriented and the other should be risk-related.

b. Suggest specific measures for each goal developed in part a.

Below is a sample of a balanced scorecard containing goals and measures.

Dimension Goals Financial Increase sales Profitability Measure Customer Customer satisfaction Attract new customers Fast service Internal operations Reduce waste Reduce mistakes Innovation and learning Develop new products Improve employee skills Target Actual Percentage change in sales Operating margin 5% 12% 4% 13.5% Customer satisfaction rating Percentage of sales to first time customers Average time to serve food 9.5 10% 9.6 3% 15 minutes 14 minutes Food waste (% of sales) Percentage of orders with mistakes 3% 1% 4% 2% Number of new products this year 2 2 Number of cooking classes attended this year Percentage of cooks who attended at least one cooking class this year 25 18 85% 75%

c. Explain how to gather the data needed for each measure developed in part b.

Financial measures would be generated by the accounting system. Customer satisfaction and first-time customers could be measured through in-store surveys. The other measures would have to be collected as part of performing the activities.
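The accounts payable checks described in the answer to 16.3 above can be scripted. The following Python sketch is an added example, not part of the original solution; all vendor numbers, document numbers and amounts are constructed, and it covers the balance roll-forward, the control-account comparison and the source-document trail, leaving out the purchase discount comparison.

```python
from decimal import Decimal as D

# Constructed sample data: beginning vendor balances, the period's postings,
# the ending balances recorded in the subsidiary ledger, and the general
# ledger accounts payable control account balance.
BEGINNING = {"V100": D("1200.00"), "V200": D("0.00")}
# (vendor, kind, source document number, amount)
TRANSACTIONS = [
    ("V100", "purchase", "VCH-501", D("800.00")),
    ("V100", "payment", "CHK-9001", D("1176.00")),
    ("V100", "discount", "CHK-9001", D("24.00")),
    ("V200", "purchase", "VCH-502", D("500.00")),
    ("V200", "return", "DM-77", D("50.00")),   # purchase return via debit memo
    ("V200", "payment", None, D("100.00")),    # posting with no source document
]
ENDING = {"V100": D("800.00"), "V200": D("375.00")}
GL_CONTROL = D("1150.00")

# Purchases increase what is owed; returns, discounts and payments reduce it.
EFFECT = {"purchase": 1, "return": -1, "discount": -1, "payment": -1}


def roll_forward(beginning, transactions):
    """Recompute each vendor's ending balance from the beginning balance."""
    balances = dict(beginning)
    for vendor, kind, _doc, amount in transactions:
        balances[vendor] = balances.get(vendor, D("0")) + EFFECT[kind] * amount
    return balances


def audit_findings(beginning, transactions, ending, gl_control):
    """Return a list of (finding, subject, amount) tuples."""
    findings = []
    # 1. Every posting must point back to a source document.
    for vendor, _kind, doc, amount in transactions:
        if not doc:
            findings.append(("missing_source_document", vendor, amount))
    # 2. Recomputed vendor balances must equal the recorded ending balances.
    computed = roll_forward(beginning, transactions)
    for vendor in sorted(set(computed) | set(ending)):
        diff = computed.get(vendor, D("0")) - ending.get(vendor, D("0"))
        if diff != 0:
            findings.append(("vendor_balance_mismatch", vendor, diff))
    # 3. The sum of vendor balances must equal the control account.
    subledger_total = sum(ending.values(), D("0"))
    if subledger_total != gl_control:
        findings.append(
            ("control_account_mismatch", "accounts payable",
             gl_control - subledger_total)
        )
    return findings


if __name__ == "__main__":
    for finding in audit_findings(BEGINNING, TRANSACTIONS, ENDING, GL_CONTROL):
        print(finding)
```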
16.5 Use Table 16-1 to create a questionnaire checklist that can be used to evaluate controls in the general ledger and reporting cycle.

a. For each control issue, write a Yes/No question such that a “No” answer represents a control weakness. For example, one question might be “Is access to the general ledger restricted?”

A wide variety of questions is possible. Below is a sample list:

Question (Yes / No)
1. Is access to the general ledger restricted?
2. Is the general ledger regularly reviewed and all changes investigated?
3. Is sensitive data encrypted while stored in the database?
4. Does a backup and disaster recovery plan exist?
5. Have backup procedures been tested within the past year?
6. Are appropriate data entry edit controls used for journal entries?
7. Is an audit trail maintained and regularly reviewed?
8. Are the spreadsheets used to calculate amounts for adjusting journal entries audited to verify that the formulas are correct?
9. Has the controller or person responsible for mapping the organization’s data to an XBRL taxonomy attended XBRL training?
10. Are XBRL instance documents validated by someone not involved in their creation?
11. Have employees responsible for creating graphs been trained in the principles of graph design?

b. For each Yes/No question, write a brief explanation of why a “No” answer represents a control weakness.

Question: Reason a “No” answer represents a weakness
1. Unrestricted access to the general ledger could facilitate fraud or the unauthorized disclosure of sensitive data
2. Failure to investigate all changes to the general ledger may allow fraud to occur because unauthorized master records (e.g., fake suppliers, non-existent employees, etc.) may not be detected. Also, unauthorized changes to account balances may not be detected.
3. Failure to encrypt sensitive data can result in unauthorized disclosure of financial results by someone who obtains access to the data
4. If a backup and disaster recovery plan does not exist, the organization may suffer the loss of important data.
5. If the backup plan is not regularly tested, it may not work.
6. Without proper data entry edit controls, errors in journal entries used to update the general ledger may occur
7. Without an audit trail, it is not possible to verify the completeness and accuracy of all changes to the general ledger.
8. Failure to audit spreadsheets for errors increases the risk of erroneous adjusting entries
9. Training in XBRL is necessary to avoid making errors in the mapping of the organization’s data to taxonomy elements or the unnecessary creation of taxonomy extensions
10. Failure to validate an instance document by someone not involved in its creation increases the risk of submitting inaccurate instance documents.
11. If employees have not been trained in the principles of proper graph design, they may create misleading graphs.

16.6 Visit the SEC website (www.sec.gov) and explore what is available in terms of interactive data (the SEC’s term for XBRL reports). Use the SEC’s viewer software and examine the annual reports for two companies.

There is no “solution” per se – the objective of this problem is to introduce students to XBRL filings and the use of viewer software.

16.7 Obtain the annual report of a company assigned by your professor. Read the management discussion and analysis section, and develop a balanced scorecard that reflects that company’s vision, mission, and strategy. Create both performance-oriented and risk-based goals and measures for each section of the balanced scorecard.
The key to this assignment is the appropriateness of the goals and measures developed for the Balanced Scorecard in light of management’s discussion about the mission, vision, and values of the company. This requires inferring from management’s discussion in the annual report the company’s strategy (low-cost or product differentiation) and strategic position (variety-based, needs-based, or access-based). You should probably develop your own grading key, based on what you expect from the students. At a minimum, students need to develop multiple goals for each of the four dimensions of the Balanced Scorecard. They also need to present quantifiable measures for each goal. To facilitate grading, ask them to turn in both the annual report they used and a list of references to specific points in the management discussion that they used to justify their choice of goals and measures.

16.8 Excel Problem
Objective: Practice graph design principles.

Use the data in Table 16-3 to create the following graphs:

Year | Sales | Cost of Goods Sold | Gross Margin | Earnings Per Share
2010 | 598,000 | 350,000 | 248,000 | 12.52
2009 | 640,000 | 400,000 | 240,000 | 12.10
2008 | 575,000 | 375,000 | 200,000 | 11.95
2007 | 560,000 | 330,000 | 230,000 | 11.66
2006 | 530,000 | 300,000 | 230,000 | 10.50

a. Sales
[Graph: Sales by year, 2006 to 2010]

b. Sales and Gross Margin
[Graph: Sales and Gross Margin by year, 2006 to 2010]

c. Earnings per share
[Graph: Earnings Per Share by year, 2006 to 2010]

d. Which principles of graph design, if any, did you have to manually implement to over-ride the default graphs created by Excel?

1. Students had to reverse the x-axis, which automatically followed the sequence of years in the spreadsheet.
2. Students had to adjust the y-axis to begin at zero for earnings per share. However, if variations in EPS are important to monitor, then the default graph below may be preferred.

[Graph: Earnings Per Share by year, 2006 to 2010, Excel default y-axis]

16.9 Excel Problem
Objective: Create pivot tables for what-if analysis

Read the article “Make Excel an Instant Know-It-All” by Roberta Ann Jones in the March 2004 issue of the Journal of Accountancy. (Available at www.aicpa.org)

a. Follow the instructions in the article to create a spreadsheet with pivot tables.

First, create the spreadsheet. Then, to create the Pivot Table, position your cursor in a cell where you want the Pivot Table to appear. Then click on the Insert Tab, and then click on the Pivot Table choice.

[Screenshot callout: Click on PivotTable option]

Next, highlight the cells containing the data as shown:

Clicking OK yields the following blank skeleton outline of a PivotTable which we will use in parts b and c to create PivotTables:

b. Print out a report that shows sales by month for each salesperson.

Step 1: Select the salesperson, order date, and order amount fields in the window in the upper right corner that says “Choose Fields to add to Report.”

Step 2: Then click on the salesperson entry and move it from the “Row Labels” window to the “Column Labels” window.

Step 3: Highlight all the cells in the PivotTable and format them to display currency with two decimals.

c. Assume that Brown and David are in sales group 1 and the other three salespeople are in sales group 2. Print out a report that shows monthly sales for each group.

Step 1: To separate the salespeople into groups, click on the salesperson row in the Pivot Table and highlight Brown and David.

Step 2: Right click the two highlighted cells and select “Group”. They will now have a super-title called “Group 1”. Do the same for the other three salespeople to form group 2. The spreadsheet should look like this:

Step 3: You can collapse and display the groups by clicking on the button to the left of each group name. The preceding screen shot showed all members of each group (note the minus signs to the left of the labels “Group1” and “Group2”). Clicking those to change to a plus sign produces the following:

16.10 Excel Problem
Objective: How to do what-if analysis with graphs.

a. Read the article “Tweaking the Numbers,” by Theo Callahan in the June 2001 issue of the Journal of Accountancy (either the print edition, likely available at your school’s library, or access the Journal of Accountancy archives at www.aicpa.org). Follow the instructions in the article to create a spreadsheet with graphs that do what-if analysis.

Most of the steps in the article can be done as indicated. One difference is finding the control toolbox to create a spin button.
This requires that the “Developer” tab is available as shown below.

[Screenshot of the Excel ribbon. Callouts: Click on “Design Mode” to toggle. Click on Insert to add spin buttons and other Active X controls. The Developer tab normally appears to the right of the View tab. The Microsoft Office Button is in the far upper left.]

If the Developer tab is not available, follow these steps (for Excel 2007):

1. Click the Microsoft Office Button (in far upper left corner – see prior screenshot)
2. Click Excel Options
3. In the “Popular” category, under “Top options for working with Excel” select the “Show Developer tab in the Ribbon” check box and click OK

On the Developer tab you then click Insert and select the “spin box” option from the list of choices of Active X controls. Then position your cursor in the cell where you want to insert a spin button and left-click once. You can now right-click on the spin button and fill in the values for the spin buttons as indicated in the article. Hint: it may help to increase the height of the rows before trying to add more spin buttons.

The rest of the article steps work as described.

b. Now create a spreadsheet to do graphical what-if analysis for the “cash gap.” Cash gap represents the number of days between when a company has to pay its suppliers and when it gets paid by its customers. Thus,

Cash gap = Inventory days on hand + Receivables collection period – Accounts payable period.

The “cash gap” formula indicates how much of a cushion a company has, given a set of assumptions about inventory, receivables, and payables. If the projected cash gap is too small, management can increase it by instituting changes that either increase the delay in paying suppliers, speed up collections from customers, or reduce inventory levels.
The purpose of your spreadsheet is to display visually what happens to cash gap when you “tweak” policies concerning inventory, receivables, and payables. Thus, you will create a spreadsheet that looks like Figure 16-11.

c. Set the three spin buttons to have the following values:

Spin button for | Linked cell | Maximum | Minimum | Value | Small change
Inventory | C2 | 120 | 0 | 30 | 10
Receivables | C3 | 120 | 30 | 60 | 10
Payables | C4 | 90 | 20 | 20 | 10

SUGGESTED ANSWERS TO THE CASES

16.1 Student reports will vary depending on what they find and focus on in the website. The website contains pages such as Latest News, Project News, Technical News, etc. However, the useful page for students will likely be the XBRL IN ACTION page. This page contains case studies that describe how XBRL is being used in specific organizations, details of XBRL projects that are being implemented or are currently being developed. It also contains interactive demonstrations of XBRL projects and descriptions of XBRL related products and services.

16.2 Answers will vary depending upon the package selected and depth of research undertaken. You may want to assign the package to be researched in order to reduce the number of students studying the same package. Grade on writing quality, soundness of reasoning, and completeness of answer.

CHAPTER 17 DATA MODELING AND DATABASE DESIGN

SUGGESTED ANSWERS TO DISCUSSION QUESTIONS

17.1 Why is it not necessary to model activities such as entering information about customers or suppliers, mailing invoices to customers, and recording invoices received from suppliers as events in an REA diagram?
The REA data model is used to develop databases that can meet both transaction processing and management analysis needs. Only events that either (1) directly change the quantities of resources, (2) represent commitments to future exchange events, or (3) that provide new information about activities that management wants to plan, evaluate, and control need to be included in such databases. None of the activities listed in the question satisfy these requirements.

Customer information is stored in rows in the customer table and supplier data is stored in rows in the supplier table. The bulk of this would have been entered when the database was initially created and the customer and supplier tables created and populated. Subsequently, new rows would be entered in these tables as a by-product of other events that management does want to plan, evaluate, and control – such as a sales call, the receipt of an order from a new customer, or placing an initial order with a new supplier.

Data processing activities, such as preparing reports or transcribing data from a form, are not explicitly modeled because they do not change information about any resources nor are they fundamental activities which management wants to control. (Consider: How often are managers concerned about how many reports a given employee prints in one day?) Indeed, all the information contained in a vendor invoice is already in the purchasing company’s database before the vendor invoice arrives: the quantity ordered is known when the order is placed, as is the quoted price and terms of payment, and the quantity received in good condition is known when the receiving report is stored. Consequently, there is no need to explicitly model activities such as mailing or recording invoices as events in an REA data model.

In fact, many administrative data processing activities are not even necessary steps in the value chain.
For example, with the advent of sophisticated AIS, particularly ERP systems, many companies are requesting their suppliers not to send them any invoices.

17-1 © 2011 Pearson Education, Inc. Publishing as Prentice Hall

17.2 The basic REA template includes links between two events and links between events and resources and between events and agents. Why do you think the basic REA template does not include direct links between (a) two resources, (b) two agents, or (c) between resources and agents?

a. The basic REA template was developed to assist in modeling an organization’s economic transactions and, therefore, centers on events, the resources they affect, and the agents who participate in them. Two events can be linked to reflect economic duality (the give-to-get relationship) or causal sequence (orders precede sales). Most resources are independent of one another and thus do not need to be directly linked. For example, inventory and cash do not directly affect one another, but only do so through events such as the sale of inventory and subsequent receipt of cash. Nevertheless, in chapter 19 we will see that sometimes two resources may be directly linked to one another in order to represent information about location, such as in which warehouse inventory is stored.

b. Similarly, the basic REA template does not directly link agents to one another because they often do not influence one another. As with resources, however, we will see in chapter 19 that it is sometimes desirable to directly model links between agents. One reason would be to represent supervisory relationships; another would be to reflect the assignment of employees to service specific subsets of customers or suppliers.

c. Finally, the basic REA template does not include direct links between agents and resources because in many situations there is no reason to track such relationships.
As chapter 19 will show, however, if management wants to assign and track custody over specific resources, it is possible to enhance the basic REA template to include direct links between resources and agents.

17.3 How can REA diagrams help an auditor understand a client’s business processes?

An REA diagram presents a model of the company’s database. Included in the model is a representation of all the tables contained in the database as well as all of the relationships that exist between the tables within the database. These tables and relationships reflect the business processes and business events of the company. Thus, an auditor can use an REA diagram to understand which events affect the organization’s resources and which agents participate in them. The information about cardinalities in an REA diagram provides useful information about an organization’s business practices, such as whether it permits customers to make installment payments. Thus, auditors can use REA diagrams to plan the audit. For example, examination of an REA diagram would reveal whether the organization extends credit to its customers, which would then require audits of accounts receivable, or only makes cash sales.

In addition, an auditor can use an REA diagram to test a client’s business processes for compliance with various controls that the client has created. For example, the auditor can design queries linking various employees to different events in order to evaluate whether there is adequate segregation of duties.

17.4 Which parts of Figure 17-6 would accurately depict almost every organization’s revenue cycle? Which parts would change?

The 1:N relationships between the events and customers depicted in Figure 17-6 would apply to every organization, because it is always necessary to associate an order, sale, and receipt of cash with a specific customer.
The 1:N relationships between those events and employees would likely apply to most organizations, but there could be situations in which the relationship would be M:N. For example, a real estate firm may want to split the commission for a sale between the listing agent and the buyer’s agent. The M:N relationships between inventory and the take customer order and sale events are typical for retail organizations that deal in mass-produced merchandise. Those relationships would become 1:N, however, for businesses, such as art galleries, that sell unique products. The 1:N relationship between cash and the receive cash event would apply universally, reflecting sound internal control over cash. The cardinalities of the relationships between the events, however, would differ across organizations depending upon their business policies. For example, if an organization did not permit installment payments, then the maximum cardinality from the sale event to the receive cash event would be one, not many.

17.5 What is the relationship between the things that would be represented as resources in an REA diagram and the different categories of assets found on an organization’s balance sheet? (Hint: Are there any assets that would not be modeled as resources? Are there any resources in an REA diagram that are not listed as assets on a balance sheet?)

There are asset categories listed on a company balance sheet that would not be presented as a resource on an REA diagram. The most noticeable is Accounts Receivable. Accounts Receivable is merely the difference between the amount that a company has sold to a customer and the amount the customer has paid for those sales, and, therefore, need not be explicitly modeled as a resource. There are also some resources in an REA model that do not appear on an organization’s balance sheet as an asset.
A noteworthy example is employee skills. The skills possessed by employees are certainly an economic resource to an organization. As we will see in chapter 19, these skills would be recorded in a database to facilitate effective management, plan for future hiring and training needs, etc. According to generally accepted accounting principles, however, employee skills are not recorded as an asset in the financial statements. This does not mean that they lack economic value; indeed, the stock market appears to place considerable weight on intangibles like employee knowledge when determining the market value of a company.

17.6 How would accounts payable be reflected in an REA diagram? Why?

Accounts payable is not represented on an REA diagram. Accounts payable represents purchases for which the organization has not yet paid the supplier. Thus, at any point in time, accounts payable can be calculated by comparing two events: purchases and cash disbursements for those purchases. However, this difference must be recorded in financial statements as a liability at a particular point in time. Since the payable recorded in the financial statements is an artifact of reporting time periods, it is neither a resource, an event, nor an agent. Therefore, it will not appear on an REA diagram.

17.7 What are the five stages of the database design process? In which stages should accountants participate? Why?

The five stages of database design are: systems analysis, conceptual design, physical design, implementation and conversion, and operation and maintenance. Accountants can and should participate in every stage of the database design process, but their level of participation will vary across stages. During the systems analysis phase, accountants help evaluate project feasibility and identify user information needs.
In the conceptual design stage, accountants participate in developing the logical schemas, designing the data dictionary, and specifying important controls. Accountants with good database skills may directly participate in implementing the data model during the physical design stage. During the implementation and conversion stage accountants should be involved in testing the accuracy of the new database and the application programs that will use that data, as well as assessing the adequacy of controls. Finally, many accountants are regular users of the organization’s database and sometimes even have responsibility for its management.

Accountants may provide the greatest value to their organizations by taking responsibility for data modeling. Data modeling is the process of defining a database so that it faithfully represents all aspects of the organization, including its interactions with the external environment. Data modeling occurs during both the systems analysis and conceptual design stages of database design.

17.8 What is the difference between an Entity-Relationship (E-R) diagram and an REA diagram?

An entity-relationship (E-R) diagram is a graphical representation of a database that depicts the entities of interest and the important relationships among those entities. The entities are represented as rectangles; the relationships are represented as lines that connect entities. An REA diagram is an E-R diagram that is designed using the REA data model to identify the three basic kinds of entities relevant to transaction processing systems: the resources controlled by the organization, the events (business activities) that managers want to plan, control, and evaluate, and the agents who participate in those events.

SUGGESTED ANSWERS TO THE PROBLEMS

17.1 Joe’s is a small ice-cream shop located near the local university’s baseball field.
Joe’s serves walk-in customers only. The shop carries 26 flavors of ice cream. Customers can buy cones, sundaes, or shakes. When a customer pays for an individual purchase, a sales transaction usually includes just one item. When a customer pays for a family or group purchase, however, a single sales transaction includes many different items. All sales must be paid for at the time the ice cream is served. Joe’s maintains several banking accounts but deposits all sales receipts into its main checking account. Draw an REA Diagram, complete with cardinalities, for Joe’s revenue cycle.

[REA diagram. Entities: Inventory, Sales, Employee, Customer, Cash, Receive Cash, Employee]

17.2 Joe, the owner of the ice-cream shop, purchases ice cream from two vendors. Over the years, he has developed good relationships with both vendors so that they allow Joe to pay them biweekly for all purchases made during the preceding two-week period. Joe calls in ice-cream orders on Mondays and Thursdays. The orders are delivered the next day. Joe buys ice-cream toppings from one of several local stores and pays for each such purchase at the time of sale with a check from the company’s main checking account. Draw an REA Diagram, complete with cardinalities, for Joe’s expenditure cycle.

[REA diagram. Entities: Inventory, Order Inventory, Employee, Receive Inventory, Vendor, Employee, Cash, Disburse Cash, Vendor]

17.3 Sue’s Gallery sells original paintings by local artists. All sales occur in the store. Sometimes customers purchase more than one painting. Individual customers must pay for purchases in full at the time of sale. Corporate customers, such as hotels, however, may pay in installments if they purchase more than 10 paintings.
Although Sue’s Gallery has several bank accounts, all sales monies are deposited intact into the main checking account. Draw an REA Diagram for the gallery’s revenue cycle. Be sure to include cardinalities.

[REA diagram. Entities: Inventory, Sales, Employee, Customer, Cash, Receive Cash, Employee]

17.4 Sue’s Gallery only purchases finished paintings (it never commissions artists). It pays each artist 50% of the agreed price at the time of purchase, and the remainder after the painting is sold. All purchases are paid by check from Sue’s main checking account. Draw an REA Diagram, complete with cardinalities, of the gallery’s expenditure cycle.

[REA diagram. Entities: Inventory, Purchases, Employee, Vendor, Cash, Disburse Cash, Employee]

17.5 Develop a data model of Fred’s Train Shop’s expenditure cycle activities related to the acquisition of office equipment and other fixed assets. Fred sometimes orders multiple pieces of equipment. Vendors usually ship the entire order, but sometimes are out of stock of some items. In such cases, they immediately ship to Fred what they have in stock, and then send a second shipment when they obtain the other items. Conversely, several orders placed within a short time period with the same vendor might be filled with one delivery. Assume that Fred makes installment payments for most fixed-asset acquisitions, but occasionally pays for some equipment in full at the time of purchase. Draw an REA Diagram of your data model. Be sure to include cardinalities.

[REA diagram. Entities: Office Equipment, Order Office Equipment, Employee (Purchasing Clerk), Supplier, Receive Office Equipment, Employee (Receiving Clerk), Supplier, Cash, Pay for Equipment, Employee (Cashier)]

17.6 Provide an example (in terms of companies with which you are familiar) for each of the business situations described by the following relationship cardinalities:

a. [Diagram: relationship between Sales and Receive Cash]
A company may receive multiple cash payments on a single sale or a company may receive one payment for several sales. This scenario could take place between any vendor and any customer. The vendor is allowing customers to make multiple payments on a single invoice and is allowing customers to pay for multiple invoices with a single payment.

b. [Diagram: relationship between Inventory and Sales]
A sale can include multiple items, but an item can be included in only one sale. This type of arrangement would involve individual items like art work or automobiles.

c. [Diagram: relationship between Receive Inventory and Disburse Cash]
In this scenario, some inventory purchases can be paid for with multiple payments, while at times a single disbursement may pay for multiple purchases. This scenario represents a revolving credit plan offered by suppliers.

d. [Diagram: relationship between Disburse Cash and Receive Inventory]
In this scenario, inventory purchases are to be paid for with a single payment. For example, a vendor sends a monthly bill for merchandise delivered to a customer. The supplier does not accept or allow installment payments. This is typical for many business to business transactions that involve low-priced items.

e. [Diagram: relationship between Receive Inventory and Disburse Cash]
In this scenario, a single purchase of inventory is paid for with multiple payments. For example, a car dealership makes installment payments for cars delivered from the manufacturer.

f. [Diagram: relationship between Take Customer Order and Sales]
In this scenario, each sale must be preceded by one and only one order.
The fact that both the order and sales events are recorded implies that there is probably a time lag between taking the customer’s order and filling that order, so that the selling organization needs to be able to track the status of orders. An internet sale is an example of this type of scenario. When a customer places an order with Amazon.com, there is a time lag between the time the order is sent by the customer and the time Amazon fills the order.

g. [Diagram: relationship between Take Customer Order and Sale]
In this scenario, each sale can be comprised of multiple orders and each order can be associated with multiple sales. Thus, we have here a situation where the selling company batches orders and only ships periodically – e.g., with restaurants, suppliers may take orders daily but fill them only on Mondays and Thursdays. Moreover, suppliers may occasionally run out of some items, requiring multiple deliveries (sales) to fill a specific order.

h. [Diagram: relationship between Sales and Receive Cash]
Payment upfront for a single sale similar to the way DELL sells computers; i.e., no installment payments are allowed, the customer must pay in full in advance (prior to shipment).

i. [Diagram: relationship between Inventory and Sale]
In this scenario, a sale can include multiple inventory items. Also, a single inventory item can be included in multiple sales. For example, Wal-Mart customers can purchase many inventory items such as detergent, tires, and clothing items. These mass-produced inventory items can also be sold to many customers. Therefore, a sale can include a box of detergent, a set of tires, and a sweatshirt. By the same token, the same brand of detergent can be included in many different sales.

j. [Diagram: relationship between Take Customer Order and Sales]
Sales need not be preceded by orders, but any orders are associated with only one sale (filled individually, not batched).
An example is a hardware store in which some sales are made to walk-in customers (sales without preceding orders), but which also allows contractors to place orders by phone, fax, or over the Internet in advance and then pick up the order later.

17.7 Model the cardinalities of the following business policies:

a. The relationship between the Sale and Receive Cash events for installment sales.
[Diagram: relationship between Sales and Receive Cash]

b. The relationship between the Sale and Receive Cash events at a convenience store.
[Diagram: relationship between Sales and Receive Cash]

c. The Take Customer Order–Sale relationship in a situation when occasionally several shipments are required to fill an order because some items were out of stock.
The solution presented here presumes that one sale (order fulfillment event) can be linked to multiple orders, with occasional partial deliveries because items need to be back ordered.
[Diagram: relationship between Take Customer Order and Sales]
Alternate solution, if each order is filled individually but sometimes requires multiple deliveries:
[Diagram: relationship between Take Customer Order and Sales]

d. The Sale-Inventory relationship for a custom homebuilder.
This solution assumes that customers only purchase one home at a time. This is likely to be the case for custom homes. Situations in which an investor purchases multiple homes from a builder are most likely going to involve “tract” homes (e.g., several homes that follow a standard floor plan).
[Diagram: relationship between Sales and Inventory]

e. The relationship between the Sale and Receive Cash events for Dell computers, which requires customers to pay the entire amount of their purchase in advance, prior to Dell shipping the merchandise.
[Diagram: relationship between Sales and Receive Cash]

f. The relationship between the Sale and Receive Cash events for a retail store that has some in-store sales paid in full by customers at the time of the sale but that also makes some in-store sales to customers on credit, billing them later and permitting them to make installment payments.
This solution assumes that customers also occasionally pay for multiple sales with one payment. If, however, this never occurs, the alternate solution would be appropriate.
[Diagram: relationship between Sales and Receive Cash]
Alternate solution assuming all payments are for one and only one sale.
[Diagram: relationship between Sales and Receive Cash]

g. The relationship between the Receive Inventory and Disburse Cash events in the case where suppliers require payment in advance, in full.
[Diagram: relationship between Disburse Cash and Receive Inventory]

h. The relationship between the Call on Customers event (i.e., the visit by a salesperson to a potential customer) and the Take Customer Order event for a business that is only conducted door-to-door (e.g., kitchen knives, certain books, etc.) so that the only way to order the items is when a salesperson visits the customer. (Hint: do you think every call results in an order?)
[Diagram: relationship between Take Customer Order and Call on Customers]

i. The relationship between the Call on Customers and Take Customer Orders events for a manufacturer which also accepts orders on its Web site.
[Diagram: relationship between Take Customer Order and Call on Customers]

j. The relationship between the Receive Inventory and Disburse Cash events for a company which receives monthly bills from its suppliers for all purchases made the previous month; some suppliers require payment of the entire bill, in full, within 30 days or they will not accept any subsequent orders, but other suppliers accept installment payments.
[Diagram: relationship between Disburse Cash and Receive Inventory]

17.8 The Computer Warehouse sells computer hardware, software, and supplies (such as paper). Individual customers just walk into the store, select merchandise, and must pay for their purchases in full before leaving the store. Corporate customers, however, call in orders in advance, so that the items are waiting to be picked up. Corporate customers may charge their purchases to their account. The Computer Warehouse mails corporate customers monthly statements that summarize all purchases made the prior month. Corporate customers pay the entire balance, as listed on the monthly statement, with one check or EFT transaction. Draw an REA Diagram for Computer Warehouse revenue cycle, complete with cardinalities.

[REA diagram. Entities: Inventory, Sales, Employee, Customer, Cash, Receive Cash, Employee]

17.9 The Computer Warehouse purchases its inventory from more than a dozen different vendors. Orders are placed via telephone, fax, or on the supplier’s Web site. Most orders are delivered the next day. Most orders are filled completely in one shipment, but sometimes a supplier is out of stock of a particular item. In such situations, the bulk of the order is shipped immediately and the out-of-stock item is shipped separately as soon as it arrives (such shipments of back orders are never combined with any new orders placed by the Computer Warehouse). The Computer Warehouse pays for some of its purchases COD but usually pays by the 10th of the month for all purchases made the prior month. None of its suppliers allows it to make installment payments. Draw an REA Diagram for Computer Warehouse expenditure cycle, complete with cardinalities.

[REA diagram. Entities: Inventory, Order Inventory, Employee, Vendor, Receive Inventory, Employee, Cash, Disburse Cash, Vendor]

17.10 Stan’s Southern Barbeque Supply Store orders mass-produced barbecue products from various suppliers. Stan’s maintains information about a contact person at each supplier along with all required address information. Each purchase order has the order number, date, tax, and total. Purchase orders also contain the following information for each product ordered: stock number, description, and price. The manager of Stan’s places orders by fax several times a day, whenever he notices that an item is running low. Some suppliers fill each individual order separately. Others, however, consolidate orders and fill all of them in one weekly delivery. Stan’s suppliers never make partial shipments; if they are out of stock of a certain item, they wait until they obtain that item and then ship the entire order. Some suppliers require payment at the time of delivery, but others send Stan’s a monthly statement detailing all purchases during the current period. Two suppliers allow Stan’s to make installment payments for any individual purchase orders that exceed $20,000. Draw an REA Diagram for Stan’s Southern Barbecue expenditure cycle, complete with cardinalities.

[REA diagram. Entities: Employee, Inventory, Order Inventory, Vendor, Employee, Receive Inventory, Vendor, Cash, Disburse Cash, Employee]

SUGGESTED ANSWERS TO THE CASES

17.1 Sparky’s Amusement Park is an entertainment park run by recent college graduates. It caters to young people and others who are young at heart. The owners are very interested in applying what they have learned in their information systems and marketing classes to operate a park better than any other in the area. To accomplish these goals, guests of the park are given a personal “membership card” as they enter. This card will be used to identify each guest. Assume that a new card is issued each time a guest comes to the park.
As a result, the system does not have to track one person over a period of time. As at other parks, guests pay a flat fee for the day and then are able to ride all of the attractions (such as a double-looping roller coaster and the merry-go-round) for no extra charge. The owners, however, want to track the rides each guest takes and the attractions the guests use. They plan to have guests swipe their membership card through a computerized card reader, which automatically enters information into the computer system. This should allow the owners to gather data about the following:
• Number of people who use each piece of equipment. (How many people rode the Ferris wheel today?)
• Number of times each piece of equipment is operated daily.
• Times of day the attraction is busy or slow. (When was the carousel the busiest?)
• Number of attractions each guest uses. (How many different pieces of equipment did customer 1122 ride?)
• Number of rides each guest enjoys. (How many different rides did customer 1122 enjoy? Did each guest go on any rides more than once?)
Draw an REA diagram for Sparky’s revenue cycle only. Be sure to include cardinalities. State any assumptions you had to make. (This problem is adapted from one developed for classroom use by Dr. Julie Smith David at Arizona State University.)

The entities of interest include the equipment, cash accounts, the events of running the rides and collecting cash, the guests, and the employees. Note that there is no event called “sell membership card” because the economic exchange is the providing of rides in return for money. The membership card is just a means of tracking who uses what rides and could be replaced with tokens, hand stamps, or any other mechanism. Be sure students understand that the membership cards are not a resource – Sparky’s is not better off by printing up more cards. (This is a good point to discuss).

The suggested REA diagram solution is as follows:
[REA diagram: Equipment, Give Ride, Employee, Customer, Cash, Receive Cash, Employee]

The relationships of interest are those shown in the REA diagram. Most cardinalities are standard, except for the following:
• The “Give Ride” event involves running one particular piece of equipment. This solution assumes that attractions are run (e.g., the Ferris Wheel is turned on) at regular intervals, even if no customers happen to be on it. If, however, an attraction is only run if there is at least one customer who wants to go on that ride, then the diagram would have to be modified to show that each “Give Ride” event is linked to at least one customer.
• Many guests can ride the same piece of equipment at the same time.
• The “Receive Cash” (or “Get Cash”) event can involve receiving money for a group of people.
• The cardinalities also reflect the fact that the “Receive Cash” event precedes the “Give Ride” event.
• The unique number assigned to an activated membership card represents each “Guest” – this is how Sparky can track who uses what rides. Hence, a new row is only added to the Guest table for each paying customer. Since Sparky does not know the personal identity of his patrons, a new row in that table is created each separate day that the same person pays for admission. Note that customers do not, however, have to ride any rides – they may just be “babysitting” for example. On the other hand, most paying customers probably go on many different rides.

CHAPTER 18 IMPLEMENTING AN REA MODEL IN A RELATIONAL DATABASE

SUGGESTED ANSWERS TO DISCUSSION QUESTIONS

18.1 How would the process of generating a cash disbursements journal from the REA data model presented in Figure 18-4 and Table 18-1 differ from the process for creating a sales journal?
The steps required to create a cash disbursements journal would be simpler than the process used to create a sales journal. A cash disbursements journal typically lists all of an organization’s payments to its various suppliers (payroll disbursements are usually recorded separately from payments to suppliers). The information typically recorded in a cash disbursements journal includes the date, method of payment, payment identifier (e.g., check number or EFT transaction number), payee, amount, and description of the purpose. Note that all of this information can be found in the disburse cash event table. Thus, the information necessary to produce a cash disbursements journal can be found by querying only one table. The query would be restricted to those rows for which the supplier number, a foreign key, has values (null values for the supplier number would occur because the cash disbursements were for payroll).

18.2 Why take the time to develop separate REA diagrams for each business cycle if the ultimate objective is to combine them into one integrated enterprise-wide data model? Why not just focus on the integrated model from the start?
One way to think about it is divide and conquer. Modeling each business cycle individually makes it easier to be sure to identify all the relevant resources, events, and agents for that cycle. Once the resources, events, and agents have been identified, the relationships between these entities can be prepared.
It is also easier to assign cardinalities to relationships in REA diagrams for a single business cycle because the relationships directly represent the organization’s business policies. The data modeler can also show the single cycle REA diagram to the employees who participate in those activities to be sure that everything of importance is included in the model and that the business policies are represented correctly. Working with a single cycle REA diagram makes this review process easier by excluding information not relevant to a particular employee.
Once each single cycle REA diagram is correct, the data modeler can combine them using the rules explained in chapters 17 and 18. This combination process can be done without the involvement of any employees. The integrated diagram, however, needs to be discussed with management to verify accuracy and completeness.

18.3 Building separate tables for every relationship (1:1, 1:N, and M:N) does not violate any of the rules for building a well-structured database. Why then do you think that REA data modelers recommend building separate tables only for M:N relationships and using foreign keys to implement 1:1 and 1:N relationships?
To reduce the number of tables. It is more efficient to use foreign keys for relationships than to build separate tables. This also simplifies queries because fewer tables are needed to retrieve information. Consider the task of generating a list of payments received from a particular customer. If the 1:N relationship between customers and the Receive Cash event is implemented using foreign keys, all the information needed can be found in the Receive Cash and Customer tables.
The Receive Cash table would identify the date and amount of payments received from each customer; the customer table would be referenced in order to restrict the query to retrieving only those rows for which the foreign key value for customer number in the Receive Cash table matched the primary key value of a customer with a specific name in the Customer table. However, if the 1:N relationship were implemented as a separate table, then the query would also have to access the 1:N relationship table.

18.4 Assume that there exists a 1:1 relationship between the Receive Inventory and Disburse Cash events. How does the manner in which the relationship between the two events is implemented (i.e., in which table a foreign key is placed) affect the process used to record payments made to suppliers?
If the primary key of the Receive Inventory table was included as a foreign key in the Disburse Cash table, then recording payments to suppliers would involve adding a new row to the Disburse Cash table. If, however, the primary key of the Disburse Cash table was included as a foreign key in the Receive Inventory table, then recording a payment to a supplier would involve not only creating a new row in the Disburse Cash table, but also updating the value of the check number (foreign key) column in the appropriate row of the Receive Inventory table.

18.5 Refer to Figure 18-4 and Table 18-1. How would you determine the amount of cash that Fred’s Train Shop has at any point in time?
To calculate the amount of cash that Fred’s Train Shop has at a particular point in time, you would need to query three tables: Cash, Disburse Cash, and Receive Cash. The Cash table would include the cash on hand at the beginning of the current fiscal year.
The Disburse Cash table includes an attribute for the amount of each disbursement made during the current fiscal year; summing this column would yield total cash outflows. Similarly, the Receive Cash table includes an attribute showing the amount of each cash receipt during the current fiscal year; summing this column would yield total cash inflows. Thus, cash on hand at a particular point in time equals beginning cash on hand plus the sum of all receipts minus the sum of all disbursements.

18.6 Why does Figure 18-4 show only one cash disbursement entity if Fred’s Train Shop uses a general operating checking account for purchases of inventory, supplies, and operating expenses such as rent but also uses a separate checking account for payroll?
REA models do not represent actual physical accounts but types of accounts. Thus, even though Fred’s Train Shop uses two checking accounts, the REA diagram displays a single entity for cash. This entity contains information about all of Fred’s individual checking accounts. Each row in the Cash table for Fred’s Train Shop would provide information about a specific checking account. Each account would have its own primary key. Then, when there is a cash disbursement, it would be linked to the specific row in the Cash table representing whichever of the two checking accounts was used to make that disbursement. This linking would involve using the primary key of the appropriate checking account as a foreign key in that row in the Disburse Cash event table.

18.7 Examine Figure 18-4 and Table 18-1. Why do the Inventory, Customers, and Suppliers tables all have an attribute that contains data about the balance at the beginning of the current fiscal period?
The reason that all three entities contain an attribute that stores the beginning balance is that the related event tables typically contain information for only the current year. Thus, the beginning balance attribute represents information about prior years’ events. This information about beginning balances is needed in order to calculate current balances at any point in time. For example, the Inventory table would show the quantity on hand for each inventory item at the beginning of the current fiscal year. The M:N table linking the Receive Inventory and Inventory tables includes an attribute for the quantity received of a specific inventory item. The M:N table linking the Inventory and Sales tables includes an attribute for the quantity sold of a particular item. Thus, the quantity on hand at a particular point in time equals the beginning quantity on hand plus the sum of all receipts of that inventory item minus the sum of all sales of that item.
The Customer and Supplier tables contain information about the beginning balances of Accounts Receivable and Accounts Payable for specific customers and suppliers, respectively. Current balances can then be computed by adding the sum of all sales to a customer (purchases from a supplier) and subtracting the sum of all payments from a customer (payments to a supplier) during the current fiscal year.

SUGGESTED ANSWERS TO THE PROBLEMS

18.1 Refer to Problems 17.1 and 17.2 for information about the revenue and expenditure cycle activities for Joe’s ice-cream shop in order to draw an integrated REA diagram of both cycles.
[REA diagram: Employees, Order Inventory, Inventory, Sales, Employee, Vendors, Customer, Receive Inventory, Employees, Vendors, Disburse Cash, Cash, Receive Cash, Employee]

18.2 Develop a set of tables to implement the integrated REA diagram you developed in Problem 18.1 for Joe’s ice-cream shop in a relational database. Specify a primary key for each table, and suggest at least one other attribute that should be included in each table.
Table | Primary key | Other attributes (foreign keys in italics)
Employees | Employee# | Name, date hired, salary, position
Vendors | Vendor# | Name, address, beginning account balance
Order Inventory | Purchase Order# | Date, vendor#, employee#
Receive Inventory | Receiving Report# | Date, vendor#, employee#, purchase order#, check#
Disburse Cash | Check# | Employee#, Vendor#, GLAccount#, amount
Inventory | Item# | Description, beginning quantity on hand, list price
Cash | GLAccount# | Account Name, beginning balance
Sales | Invoice# | Date, customer#, employee#, amount
Receive Cash | Remittance# | Date, customer#, employee#, invoice#, GLAccount#
Inventory | Item# | Description, quantity on hand, reorder quantity, reorder point
Order Inventory-Inventory | PurchaseOrder#, Item# | Quantity, UnitCost
Receive Inventory-Inventory | ReceivingReport#, Item# | Quantity, condition
Sales-Inventory | Invoice#, Item# | Quantity, UnitPrice

18.3 Refer to Problems 17.3 and 17.4 for information about Sue’s Gallery’s revenue and expenditure cycle activities in order to draw an integrated REA diagram of both cycles.
[REA diagram: Employees, Purchases, Inventory, Sales, Vendors, Employees, Employee, Customer, Disburse Cash, Cash, Receive Cash, Employee]

18.4 Develop a set of tables to implement the integrated REA diagram you developed in Problem 18.3 for Sue’s Gallery in a relational database. Specify a primary key for each table, and suggest at least one other attribute that should be included in each table.
Table | Primary key | Other attributes (foreign keys in italics)
Vendor | Vendor# | Name, address, phone, contact, account balance
Employees | Employee# | Name, date hired, salary, date of birth, position
Purchases | Purchase Order# | Date, employee#, vendor#
Disburse Cash | Check# | GLAccount#, employee#, vendor#, purchase order#, date, amount
Inventory | Item# | Purchase order#, invoice#, cost, sales price, description
Cash | GLAccount# | Account name, beginning balance
Sales | Invoice# | Customer#, employee#, date
Receive Cash | Remittance# | Date, amount, employee#, customer#, invoice#, GLAccount#
Customer | Customer# | Name, address, beginning balance
Note: The cost and sales price are attributes of the inventory table because each unique item is only purchased once and sold once.

18.5 The following tables and attributes exist in a relational database:
Table | Attributes
Vendor | Vendor#, name, street address, city, state
Purchases | P.O.#, date, amount, vendor#, purchasing agent#
Inventory Receipts | Receiving report#, date, receiving clerk#, remarks, P.O.#
Cash Disbursed | Check#, date, amount
Inventory Receipts – Cash Disbursed | Check#, receiving report#, amount applied to invoice
Draw an REA diagram for this database. State any additional assumptions you need to make about cardinalities.
The solution appears on the following page. Students should be able to suggest adding the entities connected by dotted lines, even though they are not listed in the problem. Key assumptions about cardinalities include the following:
• Vendors do not make partial shipments. If you assume otherwise, then the cardinality from Purchases to Inventory Receipts should be adjusted. Note that the presence of P.O. number as an attribute in the Receive Inventory table rules out the possibility that this is an M:N relationship.
• The inventory in question is not unique one-of-a-kind items.
If it were, the maximum cardinality from Inventory to both events would be 1.
• The existence of an Inventory Receipts – Cash Disbursed table with an attribute in it suggests that this is a M:N relationship: the company can make installment payments on purchases and also runs a tab, paying periodically for all purchases made during a specified time. The amount-applied attribute informs the seller how to apply the payment.
[REA diagram: Inventory, Purchases, Employee, Inventory Receipts, Vendor, Employee, Cash, Cash Disbursed, Vendor]

18.6 Refer to Problems 17.8 and 17.9 for information about the revenue and expenditure cycles for the Computer Warehouse and use that information to draw an integrated REA diagram for both cycles.
[REA diagram: Employee, Order Inventory, Inventory, Sales, Vendor, Employee, Customer, Receive Inventory, Employee, Vendor, Disburse Cash, Cash, Receive Cash, Employee]

18.7 Develop a set of tables to implement the integrated REA diagram you developed in Problem 17.6 for the Computer Warehouse in a relational database. Specify a primary key for each table, and suggest at least one other attribute that should be included in each table.
Table | Primary key | Other attributes (foreign keys in italics)
Vendor | Vendor# | Name, address, phone, contact
Employees | Employee# | Name, date hired, salary, date of birth, position
Order Inventory | Purchase Order# | Date, vendor#, employee#
Receive Inventory | Receiving Report# | Date, vendor#, employee#, check#, purchase order#
Disburse Cash | Check# | Date, amount, vendor#, employee#, GLaccount#
Inventory | Item# | Description, beginning quantity on hand, reorder quantity, reorder point
Cash | GLaccount# | Account name, beginning balance
Sales | Invoice# | Date, employee#, customer#, remittance#
Receive Cash | Remittance# | Date, amount, employee#, customer#, GLaccount#
Customers | Customer# | Name, address, beginning balance
Order Inventory-Inventory | Purchase Order#, Item# | Quantity, unit cost
Sales-Inventory | Invoice#, Item# | Quantity, unit price
Receive Inventory-Inventory | Receiving Report#, Item# | Quantity, condition

18.8 Explain how to calculate the total amount of Accounts Payable:
Total Accounts Payable can be calculated in five steps, as follows:
Step 1: Normally, only orders actually received are considered purchases for purposes of calculating accounts payable. Therefore, begin with a query of the Receive Inventory table (or M:N relationship table linking the Order Inventory and Receive Inventory events) to determine which orders have been received this fiscal period.
Step 2: Query the Order Inventory – Inventory table to determine the total amount purchased this fiscal period by summing the product of quantity ordered by its unit cost for those purchase orders for which there is a corresponding receipt of inventory (from step 1).
Step 3: Retrieve the total beginning balance of Accounts Payable by querying the Suppliers table and summing the beginning balance column.
Step 4: Query the Disburse Cash table to calculate the total amount paid to suppliers this fiscal period by summing the amount column for every row in which the supplier number is not null. It is important to exclude rows where the supplier number is null, as those represent other types of payments (e.g., payroll).
Step 5: Total Accounts Payable = Answer to Query 2 + Answer to Query 3 – Answer to Query 4.

18.9 Refer to Figure 18.4 and Table 18-1 to write the query logic needed to answer the following questions. (Optional: If requested by your instructor, write your queries in SQL or a Query-By-Example graphical interface.) Some answers may require more than one query—try to write the most efficient queries possible.

a. Accounts payable for all suppliers in Arizona
Step 1: Normally, only orders actually received are considered purchases for purposes of calculating accounts payable. Therefore, begin with a query of the Receive Inventory table (or M:N relationship table linking the Order Inventory and Receive Inventory events) and the Supplier table to determine which orders have been received this fiscal period. The supplier table is needed in order to restrict the result to only those suppliers located in Arizona.
Step 2: Query the Order Inventory – Inventory table to determine the total amount purchased this fiscal period by summing the product of quantity ordered by its unit cost for those purchase orders for which there is a corresponding receipt of inventory (from step 1).
Step 3: Retrieve the total beginning balance of Accounts Payable by querying the Suppliers table and summing the beginning balance column, restricting the sum operation to only those suppliers located in Arizona.
Step 4: Query the Disburse Cash and Supplier tables to calculate the total amount paid to suppliers located in Arizona this fiscal period by summing the amount column for every row in the Disburse Cash table for which the supplier number equals the primary key of a row in the Supplier table that has a value of Arizona in its address column.
Step 5: Total Accounts Payable to Arizona Suppliers = Answer to Query 2 + Answer to Query 3 – Answer to Query 4.

b. Total amount of sales to a customer named Smith
Step 1: Identify all sales to Smith by writing a query that joins the Sales and Customer tables, where the value of the customer# in the Sales table equals the primary key in the row of the Customer table where the name = Smith.
Step 2: Sum the product of quantity sold times unit price in the M:N Sales-Inventory table for only those rows with sales invoice numbers identified in step 1.

c. Total wage expense
Pay rates are likely to differ across employees. Therefore, calculate total wage expense by summing the wage expense for each employee, as follows:
Step 1: Query the Time Worked table to sum the total hours worked, grouped by employee number.
Step 2: Query the table produced in step 1 and the Employee table to calculate the total wages earned by each employee (by multiplying total hours worked times that employee’s pay rate).
Step 3: Sum the total amounts in the table produced in step 2.

d. Total wages payable
Total wages payable equals wages earned but not yet paid. Thus, use the same procedure as used to calculate total wage expense, except restrict step 1 to only those rows in the Time Worked table for which the paycheck# column is null.

e. Net increase (decrease) in quantity-on-hand for a particular inventory item
Step 1: Write a query to sum the quantity received in the M:N relationship table linking the Receive Inventory event and the Inventory table for only those rows with a particular value in the item# column.
Step 2: Write a query to sum the quantity sold in the M:N Sales-Inventory relationship table for only those rows with the same item# as used in step 1.
Step 3: Net change in quantity-on-hand for that item = Query 1 – Query 2.

f. The proportion of sales made to walk-in customers (i.e., no order)
Step 1: Write a query to calculate total sales by summing the product of quantity sold times unit price in the Sales-Inventory M:N relationship table.
Step 2: Write a query to identify all sales to walk-in customers by listing all sales invoices in the Sales table for which the order number column is null.
Step 3: Repeat step 1, but restrict the calculation to only those rows in the Sales-Inventory table for which the sales invoice number appeared in the step 2 query.
Step 4: Divide query 3 by query 1.

g. The salesperson who made the largest amount of sales in October
Step 1: Write a query to calculate total sales by summing the product of quantity sold times unit price in the Sales-Inventory M:N relationship table.
Step 2: Write a query to identify all sales to walk-in customers by listing all sales invoices in the Sales table for which the order number column is null.
Step 3: Repeat step 1, but restrict the calculation to only those rows in the Sales-Inventory table for which the sales invoice number appeared in the step 2 query.
Step 4: Divide query 3 by query 1.

h. The salesperson who made the most sales in October
Step 1: Write a query to identify all rows in the Sales table that occurred in October.
Step 2: Write a query that counts the number of rows in the response to query 1, grouped by employee number.
Step 3: Write a query that identifies the employee number in query 2 that has the maximum value in the count column.
Step 4: Write a query that joins the result of query 3 with the employee table to display both the employee number and name.

i. The most popular item, in terms of total units sold
Step 1: Write a query against the M:N Sales-Inventory relationship table that sums the quantity sold column, grouped by product number.
Step 2: Write a query against the table resulting from query 1, that identifies the item number with the maximum value in the total quantity sold column.
Step 3: Write a query that joins the result of query 2 with the inventory table to display both the item# and its description.

18.10 Refer to Problem 17.10 and develop a set of tables to implement the REA diagram you developed for Stan’s Southern Barbeque Supply Store. Identify the primary and foreign keys for each table, and don’t forget to address any M:N relationships.
Table | Primary key | Foreign Keys | Other attributes
Order Inventory | Purchase Order# | Employee#, Vendor#, Receiving Report# | Date
Receive Inventory | Receiving Report# | Vendor#, Employee# | Date, vendor invoice #
Disburse Cash | Check# | Vendor#, Employee#, GLAccount# | Date, amount, description
Cash | GLAccount# | | Balance, beginning balance
Inventory | Item# | | Description, beginning quantity on hand, reorder quantity, reorder point
Employee | Employee# | | Name, hire date, position, payrate
Vendor | Vendor# | | Name, address, contact, beginning account balance, performance rating
Order Inventory-Inventory | Purchase Order#, Item# | | Quantity, unit cost
Receive Inventory-Inventory | Receiving Report#, Item# | | Quantity, condition
Receive Inventory-Cash Disbursement | Receiving Report#, Check# | | Amount applied
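The five-step Accounts Payable logic of Problem 18.8, with the optional supplier-location restriction of Problem 18.9a, can be run against a cut-down version of the 18.10 tables. This is an added example in Python with SQLite, not part of the original solution manual: the snake_case table and column names are adapted from the 18.10 table list, the vendor `state` column is an assumption, and every sample row is constructed. A naive version is included to show what happens when unreceived orders and payroll checks are not filtered out.

```python
import sqlite3

# Subset of the Problem 18.10 tables; amounts are whole dollars.
SCHEMA = """
CREATE TABLE vendor (
    vendor_no INTEGER PRIMARY KEY, name TEXT NOT NULL,
    state TEXT NOT NULL,                  -- assumption: not in the 18.10 list
    beginning_balance INTEGER NOT NULL);
CREATE TABLE receive_inventory (
    receiving_report_no INTEGER PRIMARY KEY,
    vendor_no INTEGER NOT NULL REFERENCES vendor(vendor_no));
CREATE TABLE order_inventory (
    purchase_order_no INTEGER PRIMARY KEY,
    vendor_no INTEGER NOT NULL REFERENCES vendor(vendor_no),
    -- NULL until the order has been received
    receiving_report_no INTEGER REFERENCES receive_inventory(receiving_report_no));
CREATE TABLE order_inventory_inventory (
    purchase_order_no INTEGER NOT NULL REFERENCES order_inventory(purchase_order_no),
    item_no INTEGER NOT NULL, quantity INTEGER NOT NULL, unit_cost INTEGER NOT NULL,
    PRIMARY KEY (purchase_order_no, item_no));
CREATE TABLE disburse_cash (
    check_no INTEGER PRIMARY KEY,
    vendor_no INTEGER REFERENCES vendor(vendor_no),  -- NULL for payroll checks
    amount INTEGER NOT NULL);
"""


def build_sample_db():
    """In-memory database filled with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO vendor VALUES (?, ?, ?, ?)",
                     [(1, "Mesa Smokers", "AZ", 500), (2, "Dixie Grills", "GA", 300)])
    conn.executemany("INSERT INTO receive_inventory VALUES (?, ?)", [(900, 1), (901, 2)])
    # POs 100 and 101 arrive in one consolidated delivery; PO 103 is still open.
    conn.executemany("INSERT INTO order_inventory VALUES (?, ?, ?)",
                     [(100, 1, 900), (101, 1, 900), (102, 2, 901), (103, 2, None)])
    conn.executemany("INSERT INTO order_inventory_inventory VALUES (?, ?, ?, ?)",
                     [(100, 1, 10, 20), (100, 2, 5, 40), (101, 1, 3, 20),
                      (102, 3, 2, 150), (103, 3, 4, 150)])
    # Check 5003 is a payroll check, so it carries no vendor number.
    conn.executemany("INSERT INTO disburse_cash VALUES (?, ?, ?)",
                     [(5001, 1, 400), (5002, 2, 100), (5003, None, 2500)])
    return conn


def _scalar(conn, sql, args=()):
    return conn.execute(sql, args).fetchone()[0]


def accounts_payable(conn, state=None):
    """Steps 1-5 of Problem 18.8; pass a state to restrict as in 18.9a."""
    # The same restriction must be applied to all three queries. The value is
    # bound as a parameter rather than concatenated into the SQL text.
    flt, args = ("", ()) if state is None else (" AND v.state = ?", (state,))
    # Steps 1-2: quantity * unit cost, only for orders that have been received.
    purchases = _scalar(conn,
        "SELECT COALESCE(SUM(l.quantity * l.unit_cost), 0) "
        "FROM order_inventory_inventory l "
        "JOIN order_inventory o ON o.purchase_order_no = l.purchase_order_no "
        "JOIN vendor v ON v.vendor_no = o.vendor_no "
        "WHERE o.receiving_report_no IS NOT NULL" + flt, args)
    # Step 3: beginning balances carried in the vendor table.
    beginning = _scalar(conn,
        "SELECT COALESCE(SUM(v.beginning_balance), 0) FROM vendor v "
        "WHERE 1 = 1" + flt, args)
    # Step 4: payments to suppliers only; NULL vendor numbers are payroll.
    paid = _scalar(conn,
        "SELECT COALESCE(SUM(d.amount), 0) FROM disburse_cash d "
        "JOIN vendor v ON v.vendor_no = d.vendor_no "
        "WHERE d.vendor_no IS NOT NULL" + flt, args)
    # Step 5
    return purchases + beginning - paid


def naive_accounts_payable(conn):
    """Same arithmetic without the step 1 and step 4 restrictions."""
    purchases = _scalar(conn,
        "SELECT SUM(quantity * unit_cost) FROM order_inventory_inventory")
    beginning = _scalar(conn, "SELECT SUM(beginning_balance) FROM vendor")
    paid = _scalar(conn, "SELECT SUM(amount) FROM disburse_cash")
    return purchases + beginning - paid


if __name__ == "__main__":
    db = build_sample_db()
    print("Total A/P:", accounts_payable(db))
    print("Arizona A/P:", accounts_payable(db, "AZ"))
    print("Naive (unfiltered) A/P:", naive_accounts_payable(db))
```

On the constructed data the unfiltered version goes negative because the payroll check is subtracted and the open purchase order is added, which is the error steps 1 and 4 exist to prevent.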
SUGGESTED ANSWERS TO THE CASES

18.1 The specific solution will vary depending upon the DBMS and REA data model used. Therefore, we present only the query logic here for the model depicted in Figure 18.4.

1. Calculate total Accounts Receivable.
a. Calculate beginning Accounts Receivable by summing the beginning balance attribute in the Customer table.
b. Calculate total new Sales this fiscal period by summing the product of quantity sold times unit price from the Sales – Inventory M:N relationship table.
c. Calculate total cash received from customers by summing amount received column in the Receive Cash table.
d. Total Accounts Receivable = Query A + Query B – Query C

2. Calculate Accounts Receivable for a specific customer.
This requires a similar set of queries as used to calculate total Accounts Receivable:
a. Calculate beginning Accounts Receivable by summing the beginning balance attribute in the Customer table for the customer of interest.
b. Select only those rows in the Sales table that represent sales to the customer of interest (i.e., those rows in the Sales table which have a value in the Customer# foreign key column equal to the Customer# of the particular customer of interest).
c. Calculate total new Sales this fiscal period by summing the product of quantity sold times unit price from the Sales – Inventory M:N relationship table for only those rows which have an invoice number in the set of invoice numbers from query b.
d. Calculate total cash received from customers by summing amount received column in the Receive Cash table for only those rows which have a value in the Customer# foreign key column equal to the Customer# of the particular customer of interest.
e. Total Accounts Receivable = Query A + Query C – Query D.

3. Create a sales invoice form that references the appropriate tables and inputs data about attributes into the proper tables.
The syntax for doing this will vary depending upon the DBMS used. Solutions should be tested to ensure that the form adds new rows to the following tables:
• Sales
• Sales-Inventory
It will also need to reference the Customer and Inventory tables to identify relevant information (shipping and billing addresses, item description, etc.).

4. Calculate as many financial statement items as possible from the data model you implement.
Income Statement items derivable from Figure 18.4: Only Sales and Wage Expense can be definitively calculated; cost of goods sold requires making assumptions about inventory cost/valuation method (FIFO, LIFO, weighted average, specific identification).
• Sales
Sum the product of quantity sold times unit price for all rows in the M:N Sales-Inventory relationship table
• Wage expense
Step 1: Query the Time Worked table to sum the total hours worked, grouped by employee number.
Step 2: Query the table produced in step 1 and the Employee table to calculate the total wages earned by each employee (by multiplying total hours worked times that employee’s pay rate).
Step 3: Sum the total amounts in the table produced in step 2.
Balance Sheet items derivable from Figure 18.4: Only Cash, Accounts Receivable, Accounts Payable, and Wages Payable can be definitively calculated. Inventory valuation requires an assumption about inventory method (FIFO, LIFO, weighted average, specific identification).
• Cash
Step 1: Calculate the beginning balance of cash by summing the amount column in the Cash table.
Step 2: Calculate total cash receipts by summing the amount column in the Receive Cash table.
Step 3: Calculate total cash disbursements by summing the amount column in the Disburse Cash table.
Step 4: Ending Cash Balance = Answer to Query 1 + Answer to Query 2 – Answer to Query 3.

• Accounts Receivable
a. Calculate beginning Accounts Receivable by summing the beginning balance attribute in the Customer table.
b. Calculate total new Sales this fiscal period by summing the product of quantity sold times unit price from the Sales – Inventory M:N relationship table.
c. Calculate total cash received from customers by summing amount received column in the Receive Cash table.
d. Total Accounts Receivable = Query A + Query B – Query C

• Accounts Payable
Step 1: Normally, only orders actually received are considered purchases for purposes of calculating accounts payable. Therefore, begin with a query of the Receive Inventory table (or M:N relationship table linking the Order Inventory and Receive Inventory events) to determine which orders have been received this fiscal period.
Step 2: Query the Order Inventory – Inventory table to determine the total amount purchased this fiscal period by summing the product of quantity ordered by its unit cost for those purchase orders for which there is a corresponding receipt of inventory (from step 1).
Step 3: Retrieve the total beginning balance of Accounts Payable by querying the Suppliers table and summing the beginning balance column.
Step 4: Query the Disburse Cash table to calculate the total amount paid to suppliers this fiscal period by summing the amount column for every row in which the supplier number is not null. It is important to exclude rows where the supplier number is null, as those represent other types of payments (e.g., payroll).
Step 5: Total Accounts Payable = Answer to Query 2 + Answer to Query 3 – Answer to Query 4.

• Wages Payable
Step 1: Query the Time Worked table to sum the total hours worked, grouped by employee number, restricted to only those rows for which the check number column is null.
Step 2: Query the table produced in step 1 and the Employee table to calculate the total wages earned by each employee (by multiplying total hours worked times that employee’s pay rate).
Step 3: Sum the total amounts column in the table produced in step 2.

5. Design appropriate input controls for the sales invoice form created in step 3. The syntax required will vary depending upon the DBMS used. Students should be encouraged to review material from chapter 10 to identify appropriate input controls. Solutions should include the following:
1. Auto-number the sales invoice to prevent creating duplicate or null primary keys.
2. Validity check on item numbers.
3. Sign check on quantity sold and price fields.
4. Completeness checks on customer information (billing and shipping address) – this information should ideally be automatically populated upon entering the customer number.
5. Completeness checks on inventory information (description, list price, etc.) – this information should ideally be automatically populated upon entering the item number.
6. Validity check on sales date (check against the current system date).

CHAPTER 19 SPECIAL TOPICS IN REA MODELING

SUGGESTED ANSWERS TO DISCUSSION QUESTIONS

19.1 Often it takes several sales calls to obtain the first order from a new customer. Why then does Figure 19-1 depict the relationship between the Call on Customer and Take Customer Order events as being 1:1?

When a sales person visits a customer it is represented by the event Call on Customer.
Although a single sales call may be followed by many orders from a customer over time, it is easier and more effective to evaluate sales force productivity by linking each sales call only to orders placed at the time of the sales call; that is, only those sales calls that are linked to an order are successful. Hence, the maximum cardinality between the Call on Customer and the Take Order event is 1. However, a sales call does not always result in a sales order. Thus, the minimum cardinality from the Call on Customer event to the Take Order event is 0. Some orders, however, do not follow directly from a sales call. Therefore, the minimum cardinality from the Take Order event to the Call on Customer event is also 0.

19.2 How could an automobile dealer model the use of loaner cars, which it gives to customers for free whenever they drop off a vehicle for maintenance that will take longer than one day to complete?

The loaner car arrangement could be handled the same as a rental car arrangement, except that cash receipts will not be involved. The resource is the loaner car, the events are the loan (or free rental) of the car and its subsequent return, and the agents would be the customer whose car is in the service department and the employee who makes the loan arrangement.

19.3 In what situations would you expect to model a relationship between an agent and a resource?

Relationships between agents and resources can be modeled for two reasons. Relationships between resources and suppliers provide information about preferred and alternate suppliers. Relationships between resources and employees can represent custody responsibilities. This would most likely be limited to high-cost and high-value resources.

© 2009 Pearson Education, Inc. Publishing as Prentice Hall

19.4 Why is depreciation not represented as an event in the REA data model?
Depreciation is not modeled as an event in the REA diagram because it is an accounting concept that arbitrarily allocates the cost of an acquired resource to different fiscal periods. Periodic depreciation is simply a calculation based on a formula (depreciation method) and a set of assumptions (estimated useful life, salvage value, etc.). Information about the formula and assumptions is stored in the resource entity for use in calculating periodic depreciation charges, but the calculation process itself is not an event, just as the processes of calculating the total amount of a particular sales transaction or the amount of an employee’s paycheck are not modeled as events.

19.5 How would you model the acquisition of a digital asset, such as the purchase of software online (the software is downloaded and then installed on the purchaser’s computer)?

There is very little difference in modeling an event where a physical resource is sold as opposed to a digital resource. The digital asset must still be ordered, received, recorded, and paid for. The primary difference is that with digital assets, all of these functions occur almost simultaneously. Nonetheless, all aspects of acquiring digital assets must still be addressed just like a physical asset. Therefore, if the digital asset was purchased for resale, its acquisition would be recorded as a Receive Inventory event and another row in the inventory table would be created to represent this new product. If the software was purchased for use in the business, its acquisition would be recorded as a Receive Software event and another row in a Software resource table would be created.

19.6 How are the similarities and differences between the purchase of services, such as telephone service, and the purchase of raw materials reflected in an REA data model?

In terms of the REA model, the two types of transactions are handled much the same.
In both cases, the acquisition (receive) event would be linked to a Disburse Cash event and to a resource. One difference, however, is that as shown in Figure 19-4, each service acquisition event is linked to only 1 service, because most service suppliers are specialists. For example, electric utilities provide electricity, but not other utilities. In contrast, each Receive Raw Materials event can be linked to many different raw materials, because most suppliers sell a variety of items. A bigger difference concerns the actual process. Acquired services often cannot be counted, so it is important to verify that a service (e.g., painting, cleaning, etc.) was indeed performed appropriately.

19.7 How would you modify the expenditure cycle REA diagram in Figure 19-4 to include the return of defective products to suppliers for credit?

Since the supplier, inventory, and employee entities already exist on the diagram, return of defective goods to the supplier would only need one additional event entity on the diagram. An event labeled something like “Return Defective Goods” would be added. It would be linked to both the supplier and employee agent entities to facilitate performance tracking for accountability purposes. It would be linked to the Inventory resource, because it would decrease the quantity on hand. Each “Return Defective Goods” event would be linked to a minimum of 1 and a maximum of many inventory items; each inventory item would be linked to 0 or many “Return” events. The “Return Defective Goods” event would be linked to the “Receive Inventory” event. Each “Receive Inventory” event would be linked to 0 or 1 “Return Defective Goods” events. The minimum is zero because the inventory has to be received prior to its return; the maximum is 1 because a given receipt event will be linked to at most one return event for defective merchandise.
Each “Return” event would be linked to a minimum and maximum of 1 “Receive” events because something would have to be purchased before it could be returned, and if defective, the item would only be returned one time.

SUGGESTED ANSWERS TO PROBLEMS

19.1 We-Fix-Computers, Inc. provides spare parts and service for a wide variety of computers. Customers may purchase parts to take home for do-it-yourself repairs, or they may bring their systems in for repair, in which case they pay for both the parts and the labor associated with the type of service required. Some services do not include any new parts, just a labor charge for that service. Individual customers must pay for all parts purchases in full at the time of sale. Individual customers must pay 50% down when they bring their computers in for servicing and pay the balance at pickup. Corporate customers, however, are billed monthly for all sales (parts or service). Although We-Fix-Computers, Inc. has several different banking accounts, all sales are deposited intact into its main checking account.

We-Fix-Computers, Inc. purchases its inventory of parts from more than a dozen different vendors. Orders are usually delivered the next day; sometimes, however, suppliers ship only partial orders. We-Fix-Computers pays for some of its purchases COD, but usually pays by the 10th of the month for all purchases made the prior month. None of its suppliers allows it to make installment payments.

Required
Draw an integrated REA diagram for We-Fix-Computers’ revenue and expenditure cycles.

[Figure: integrated REA diagram. Entities: Order Inventory, Receive Inventory, Disburse Cash, Sales, Receive Cash, Inventory, Service, Cash, Employees, Vendors, Customer.]

19.2 The Mesa Veterinary Hospital is run by Dr. Brigitte Roosevelt.
She has two employees in the office and has asked you to develop a database to help better track her data. Dr. Roosevelt currently uses her personal computer only for word processing, but she is interested in also using it to maintain pet histories and accounting information. She is excited about the transition and is counting on you to help her through the process. She describes her daily activities as follows:

When new customers come to Mesa Veterinary Hospital, the “owners” of the pets are required to complete an introductory form. This form includes the following:
• Owner name
• Address
• Day phone
• Night phone

They are also required to provide the following information about each pet, as some people own many pets:
• Pet name
• Breed
• Color
• Birth date

Dr. Roosevelt would like to enter this information once and then have the system retrieve it for all subsequent visits.

When customers call to make appointments, one of the office clerks asks what kind of services they require (e.g., is it a routine exam, a surgery, etc.). Dr. Roosevelt sees only one pet during each appointment. If she is going to see one owner’s two pets, then two separate appointments are necessary (but scheduled back-to-back). For each appointment, Dr. Roosevelt records the pet’s weight, notes the reason for the appointment, and records her diagnosis. Depending on the diagnosis, the doctor will possibly prescribe any number of medications to cure the pet. Owners are charged $25 for each appointment and must pay additionally for any medications prescribed for their pets. Dr. Roosevelt requires all pets to be brought back for another examination prior to refilling any prescriptions. Customers must pay for services and medication in full at the conclusion of their visits.

You also learn that Dr. Roosevelt orders drugs and medications from several different suppliers. She places orders weekly, on Fridays.
Suppliers usually make one shipment to fill each order, but sometimes have to make additional shipments if they are currently out of stock of one or more items. In such cases, they always ship the back-ordered item as soon as they receive it from the manufacturer; they never combine such back orders with subsequent orders by Dr. Roosevelt. Suppliers bill Dr. Roosevelt monthly and expect payment in full by the 15th of the following month. A few suppliers do permit Dr. Roosevelt to make installment payments.

The prices charged by suppliers for a given product may change several times during the year, so it is important to accurately store the cost of each item each time it is purchased.

Dr. Roosevelt concludes the interview by requesting that in addition to the facts mentioned, she wants the system to store the following attributes:
• Number of pets owned by each customer
• Total charge for the appointment
• Prescription price
• Drug name
• Length of appointment
• Diagnosis
• Date of appointment
• Service requested

REQUIRED
a. Given this brief overview, draw an integrated REA diagram for the Mesa Veterinary Hospital and include cardinalities.

[Figure: integrated REA diagram. Entities: Order Drugs, Receive Drugs, Disburse Cash, Make Appointment, Perform Examination, Receive Cash, Drugs, Services, Cash, Pet, Employees, Vendors, Customer.]

b. As directed by your instructor, either draw the tables necessary to implement the integrated REA diagram you developed for the Mesa Veterinary Hospital or build the tables in a relational DBMS to which you have access. Be sure to include all attributes from the narrative plus the additional ones explicitly listed by Dr. Roosevelt at the conclusion of the interview. Create additional attributes only if necessary.

| Table | Primary Key | Other Attributes (foreign keys in italics) |
| --- | --- | --- |
| Services | Service number | Name, standard cost, list price, standard time to perform |
| Drugs | Drug number | Drug name, standard cost, list price, beginning quantity-on-hand |
| Cash | GLAccount number | Bank name, type of account, beginning balance |
| Make Appointment | Appointment number | Date, Reason for visit, employee number, customer number, pet number |
| Perform Exam | Exam number | Date, Pet number, time started, time completed, scheduled time, diagnosis, total charge, receipt_number, weight, appointment number |
| Receive Cash | Receipt number | Date, amount, customer number, employee number, GLAccount number |
| Pets | Pet number | Pet name, breed, color, birth date, customer number |
| Customers | Customer number | Customer name, address, day phone, night phone, number of pets owned |
| Employees | Employee number | Name, date hired, salary |
| Appointment-Services | Appointment number, Service number | |
| Appointment-Exam | Appointment number, Exam number | |
| Drugs-Exams | Drug number, Exam number | Dosage, actual cost, actual price |
| Vendor | Vendor number | Name, address, account balance |
| Order Drugs | Purchase order number | Vendor number, employee number, date, amount |
| Receive Drugs | Receiving report number | Vendor number, employee number, purchase order number, date, vendor invoice |
| Disburse Cash | Check number | Vendor number, employee number, GL Account number, amount, description, date |
| Order Drugs-Drugs | Purchase order number, Drug number | Quantity, unit cost |
| Receive Drugs-Drugs | Receiving report number, Drug number | Quantity received, condition |
| Receive Drugs-Disburse Cash | Receiving report, Check Number | Amount applied to invoice |

19.3 Your university hires you to implement a database system for the library network.
You have interviewed several librarians, and the following summarizes these discussions:

• The library’s main goal is to provide students and professors with access to books and other publications. The library, therefore, maintains an extensive collection of materials that are available to anyone with a valid university identification card.

• The standard procedure for lending materials is that the student or faculty member comes to one of the three campus libraries and locates the book or journal on the shelves.

• Each book is assigned three unique numbers. First, the book is assigned a number by the publisher, called the International Standard Book Number (ISBN). This number allows the publishers to track each title and the number changes with each new edition. The second number is the Dewey decimal number, which is assigned to the title and written on the outside spine of the book. This number is used to organize the library shelves and is thus helpful to the students and faculty. It is therefore critical that this number be available to users on the online inquiry screens. The last number is a university book ID number. A different number is assigned to every book that is received so the library can track all copies of each book. This number is different from the other two numbers such that if the library has three copies of one book, each will have a unique university book ID number.

• When students or faculty check out books, the system must be able to track the specific copy that is being borrowed. Each book has a magnetic strip inserted in its spine, which is used as a security measure. If someone tries to take a book without checking it out, an alarm sounds.

• In general, students and faculty have equal clout in the library. Both are able to check out most books and to check out several books at one time. No one is allowed to remove periodicals from any library.
The length of time that the book may be borrowed varies, however, depending on who checks it out. Students are allowed to check out a book for several weeks; faculty may borrow books for several months.

• When patrons check out books, they take their materials to the circulation desk. At that time, the librarian scans in each item’s university book ID number and the borrower’s ID number. The system records a separate loan event for each book being checked out, assigning each a separate loan number. At this time, each book’s due date is calculated and marked on a slip located inside each book’s front cover. Simultaneously, the magnetic strip is deactivated so the book may be removed from the library.

• After borrowers check out a book, they are expected to return it by its due date. In reality, everyone is allowed 30 days after the due date recorded on the checkout slip before the book is officially overdue. At that point, the book must be returned, and the borrower is assessed a $10 fine. If the book is permanently lost, then the borrower is fined $75 for the book’s replacement. All fines must be paid in cash, in full. Students are not allowed to enroll for subsequent semesters until all library fines are paid; they also do not receive a diploma until all library fines are paid. Faculty must pay all outstanding fines by June 30 of each year.

• When a book is returned, the return must be entered into the system, and a unique return number is used to log the transaction. At that time, the loan record is updated to show that the book has been returned.
The following attributes have been identified as critical for the new system:
• University book ID
• Book publisher
• Due date
• Loan number
• Checkout date
• Borrower phone number
• Cash account number
• Librarian name
• Book status (on the shelf or checked out)
• Type of borrower (faculty or student)
• Librarian college degree
• Actual return date
• Borrower ID
• Borrower name
• Book title
• Fine receipt number
• Amount received
• Library name
• Amount of fine
• Default library where book is shelved
• Borrower’s fine balance owed
• ISBN number
• Book return number
• Dewey decimal number
• Borrower address
• Book copyright date
• Borrower e-mail address
• Library borrowed from
• Librarian number
• Account balance
• Total number of books in a specific library
• Loan status (still outstanding, or returned)
• Author name

REQUIRED
a. Draw an REA diagram for the library system. Remember to include cardinalities.

a. REA diagram solution.

[Figure: REA diagram for the library system. Entities: Cash, Receive Fine, Loan Book, Book Return, Books, Book Titles, Authors, Library, Employee, Borrower.]

Explanation of cardinalities:
1. One key to the problem is understanding that the Loan Book event represents the checking out of a single book. As stated in the problem, if a borrower checks out 5 books, the system adds five rows to the Loan Book table. This does not affect the borrower’s checkout experience at all.
2. Another important fact is realizing that books have multiple authors.
3. One final important fact involves recognizing the distinction between physical books and book titles. If the library has five copies of the same book title, it wants to track the status of each individual physical copy. But, a great deal of information about publisher, copyright, etc. is not affected by how many copies the library owns. Therefore, it is more efficient to create a separate entity called book title, to store this constant information.
4. The cardinality from Receive Fines to Loan Book is (1,N) because a loan has to occur prior to a fine being paid, but one cash receipt may pay for fines associated with a number of different loans. The cardinality from Loan Book to Receive Fines is (0,N) because many loans never result in fines, but some loans result in multiple fines ($10 late fee, $75 replacement fee).

b. As directed by your instructor, either create the tables on paper that would be required to implement your REA diagram or actually build those tables in a relational DBMS to which you have access. Only use the attributes listed, unless others are absolutely necessary.

Problem 19-3, part b. Table solution

| Table | Primary Key | Other Attributes (foreign keys in italics) |
| --- | --- | --- |
| Library | Library name * | Number of books |
| Books | University Book ID | Book status, ISBN#, default library shelved at |
| Book Title | ISBN# | Publisher, copyright date, Dewey Decimal number |
| Author | Author number | Name |
| Book Title-Author | Author number, ISBN# | |
| Loan Book | Loan number | Due date, University Book ID, Borrower ID, loan status, library borrowed from, librarian #, date checked out |
| Book Return | Book return number | University Book ID, Loan number, library name, return date, borrower ID, librarian # |
| Cash | Cash account number | Beginning account balance |
| Receive Fine | Fine receipt# | Amount received, cash account#, library name, librarian #, borrower ID |
| Employee | Librarian# | Name, College degree, YTD loans processed |
| Borrower | Borrower ID | Name, address, email, SSN, fine balance owed, phone number |
| Fine-Loan | Fine receipt#, Loan number | Amount of fine |

* Library name can be the primary key because it is created by the library system and, therefore, guaranteed to be unique for each library.
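The Problem 19.3 table solution, built in SQLite as an added example that is not part of the manual's solution. It keeps a subset of the listed attributes; the snake_case column names, the sample rows and the two control queries (loans past the 30-day grace period, and fine receipts whose Fine-Loan rows do not account for the cash received) are constructed for illustration.

```python
import sqlite3

# Subset of the Problem 19.3 table solution. Snake_case names are this example's own.
SCHEMA = """
CREATE TABLE library    (library_name TEXT PRIMARY KEY, number_of_books INTEGER);
CREATE TABLE book_title (isbn TEXT PRIMARY KEY, publisher TEXT, dewey_decimal TEXT);
-- One row per physical copy; facts about the title live once in book_title.
CREATE TABLE book       (university_book_id INTEGER PRIMARY KEY,
                         book_status TEXT CHECK (book_status IN ('on shelf', 'checked out')),
                         isbn TEXT NOT NULL REFERENCES book_title(isbn),
                         default_library TEXT NOT NULL REFERENCES library(library_name));
CREATE TABLE borrower   (borrower_id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE employee   (librarian_no INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE cash       (cash_account_no INTEGER PRIMARY KEY, beginning_balance INTEGER);
-- One Loan Book event per copy checked out.
CREATE TABLE loan_book  (loan_no INTEGER PRIMARY KEY,
                         due_date TEXT NOT NULL,
                         university_book_id INTEGER NOT NULL REFERENCES book(university_book_id),
                         borrower_id INTEGER NOT NULL REFERENCES borrower(borrower_id),
                         librarian_no INTEGER NOT NULL REFERENCES employee(librarian_no),
                         loan_status TEXT NOT NULL
                             CHECK (loan_status IN ('outstanding', 'returned')));
CREATE TABLE receive_fine (fine_receipt_no INTEGER PRIMARY KEY,
                         amount_received INTEGER NOT NULL CHECK (amount_received > 0),
                         cash_account_no INTEGER NOT NULL REFERENCES cash(cash_account_no),
                         borrower_id INTEGER NOT NULL REFERENCES borrower(borrower_id));
-- M:N link: one receipt may cover several loans, one loan may appear on several receipts.
CREATE TABLE fine_loan  (fine_receipt_no INTEGER NOT NULL REFERENCES receive_fine(fine_receipt_no),
                         loan_no INTEGER NOT NULL REFERENCES loan_book(loan_no),
                         amount_of_fine INTEGER NOT NULL CHECK (amount_of_fine > 0),
                         PRIMARY KEY (fine_receipt_no, loan_no));
"""


def build_db():
    """Create the tables in memory and load constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces foreign keys only when asked
    conn.executescript(SCHEMA)
    with conn:
        conn.execute("INSERT INTO library VALUES ('Main', 2)")
        conn.execute("INSERT INTO book_title VALUES ('ISBN-A', 'Constructed Press', '657.0')")
        conn.executemany("INSERT INTO book VALUES (?, ?, 'ISBN-A', 'Main')",
                         [(1001, "checked out"), (1002, "checked out")])
        conn.executemany("INSERT INTO borrower VALUES (?, ?)",
                         [(1, "Student A"), (2, "Faculty B")])
        conn.execute("INSERT INTO employee VALUES (1, 'Librarian C')")
        conn.execute("INSERT INTO cash VALUES (100, 0)")
        conn.executemany("INSERT INTO loan_book VALUES (?, ?, ?, ?, 1, ?)", [
            (1, "2024-01-10", 1001, 1, "outstanding"),
            (2, "2024-02-15", 1002, 2, "outstanding"),
            (3, "2023-09-01", 1002, 1, "returned"),
            (4, "2023-09-01", 1001, 1, "returned"),
        ])
        # Receipt 501 pays $10 late fees on two loans; 502 has no Fine-Loan rows at all.
        conn.executemany("INSERT INTO receive_fine VALUES (?, ?, 100, ?)",
                         [(501, 20, 1), (502, 75, 2)])
        conn.executemany("INSERT INTO fine_loan VALUES (?, ?, ?)",
                         [(501, 3, 10), (501, 4, 10)])
    return conn


def overdue_loans(conn, today):
    """Outstanding loans more than 30 days past the due date on the checkout slip."""
    rows = conn.execute(
        "SELECT loan_no FROM loan_book "
        "WHERE loan_status = 'outstanding' AND date(due_date, '+30 days') < ? "
        "ORDER BY loan_no", (today,))
    return [r[0] for r in rows]


def receipts_not_matching_loans(conn):
    """Fine receipts whose linked fines do not add up to the cash received.

    Foreign keys cannot enforce the minimum cardinality of 1 from Receive Fine
    to Loan Book, so a receipt with no Fine-Loan row has to be found by query.
    """
    rows = conn.execute(
        "SELECT r.fine_receipt_no FROM receive_fine r "
        "LEFT JOIN fine_loan f ON f.fine_receipt_no = r.fine_receipt_no "
        "GROUP BY r.fine_receipt_no "
        "HAVING COALESCE(SUM(f.amount_of_fine), 0) <> r.amount_received "
        "ORDER BY r.fine_receipt_no")
    return [r[0] for r in rows]


def rejected(conn, sql, params):
    """Return True if the database refuses the row (key or constraint violation)."""
    try:
        with conn:
            conn.execute(sql, params)
    except sqlite3.IntegrityError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    print("overdue on 2024-03-01:", overdue_loans(db, "2024-03-01"))
    print("receipts to investigate:", receipts_not_matching_loans(db))
```
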
19.4 The XYZ Company sells tools and parts to automotive repair shops. Shops call in orders; all orders received by noon are delivered the same day. Between 12:00 and 1:00, the system prints out schedules. From 1:00 to 5:00, drivers make deliveries according to the printed schedules. Typically, each driver makes between 25 and 30 deliveries each day. Each delivery is signed for by a repair shop manager; the portable laptop then uses wireless communications to transmit information about the delivery back to the XYZ Company and the information is recorded as another row in the sales event table. The XYZ Company uses its own trucks to make local deliveries to its customers. It wants to track information about the use of those trucks: which employee drove which truck, to which customers did a particular truck make deliveries, which deliveries are made on which days, what was the starting and stopping mileage each day?

REQUIRED
a. Draw a partial REA diagram of the XYZ Company’s revenue cycle to model these events: Taking Customer Orders, Deliveries, and the Use of Vehicles. Be sure to include cardinalities.

[Figure: partial REA diagram. Entities: Inventory, Truck, Take Order, Delivery, Use of Vehicle, Employee, Customer.]

b. Create a set of tables (either on paper or in a relational DBMS to which you have access) to implement the REA model you developed for the XYZ Company.
| Table Name | Primary Key | Other Fields (foreign keys in italics, others in normal font) |
| --- | --- | --- |
| Take Order | Order Number | Customer Number, Employee Number, Amount |
| Delivery | Delivery Number | Order Number, Vehicle Use Number, Truck Number, Employee Number, Customer Number |
| Use of Vehicles | Vehicle Use Number | Employee Number, Truck Number, Depart Time, Return Time |
| Inventory | Item Number | Description, Quantity, List Price, Unit Cost, Beginning Quantity On Hand, Reorder Quantity, Reorder Point |
| Truck | Truck Number | Type, Description |
| Employee | Employee Number | Name, Address, Position, Pay Rate |
| Customer | Customer Number | Name, Address, Phone, Beginning Account Balance, Credit Limit |
| Take Order-Inventory | Order Number, Item Number | Quantity |
| Delivery-Inventory | Delivery Number, Item Number | Quantity |

19.5 Assume that Stained Glass Artistry, a new shop that specializes in making stained glass artwork, has hired you to design an integrated database that will provide the owners with the accounting information they need to effectively manage the business. Stained Glass Artistry makes a wide variety of stained glass windows for sale in its store. A unique job order is assigned to each production run, which includes creating multiple copies of the same basic design. When raw materials are issued to employees, the issuance is documented on a prenumbered raw material issue form. The different kinds of glass needed for the product, and other materials such as copper foil or lead, are issued at one time, so that employees can efficiently produce the design.

Creating a piece of stained glass art involves several different steps, including cutting, foiling, and soldering. The owners want to track how much time each employee spends each day performing each of those various tasks.

The owners have developed raw material and direct labor standards for each design they offer. They want their AIS to track actual costs and standard costs so that they can generate reports that provide price and quantity variance information.
The owners also have provided you with the following list of facts that they want stored in the database. (Note: You must create appropriate primary keys for each table; this is the list of other attributes.)

Attributes in Stained Glass Artistry AIS:
• Date hired
• Time started task
• Time completed task
• Style of glass (name or description)
• Quantity on hand
• Color of glass
• Quantity to be produced
• Actual cost of design
• Design name
• Standard quantity of glass use in design
• Quantity issued
• Standard hours to make design
• Standard cost of design
• Date design produced
• Date of birth
• Wage rate
• Employee name
• Standard cost of glass

REQUIRED
a. Draw an integrated REA diagram for Stained Glass Artistry. Include both minimum and maximum cardinalities.

[Figure: integrated REA diagram. Entities: Raw Materials Inventory, Bill of Materials, Employee (Inventory Control), Issue Raw Materials, Employee (Factory), Work in Process, Employee Services, Perform Job Operations, Finished Goods Inventory, Labor Standards.]

Explanation of cardinalities:
a) Each row in the Bill of Materials table represents the standards for using one specific raw material to produce one specific finished good design. Therefore, every row in the Bill of Materials table is linked to one and only one row in the finished goods table. A finished good, however, may consist of numerous raw materials and, therefore, be linked to many rows in the Bill of Materials table.
b) Each row in the Labor Standards table represents the standards for making a particular design. Thus, each such standard is linked to one, and only one, finished good. A finished good, however, may involve several different labor activities and, therefore, be linked to multiple rows in the labor standards table.
c) Jobs consist of making one or more copies of a specific design.
Therefore, each Work in Process is linked to one and only one finished good. Each finished good, however, may be produced many different times and, therefore, can be linked to multiple rows in the Work in Process table.
d) All raw materials are issued at one time; thus, the relationship between Raw Materials Inventory and Issue Raw Materials is M:N.
e) Sometimes there may be a need to obtain additional raw materials, due to breakage. Therefore, each Work in Process job may be linked to multiple Issue Raw Materials events. Each event, however, is linked to one, and only one, specific job.
f) Each specific job operation is linked to one, and only one, Work in Process, but any given Work in Process job can be linked to many different labor operations.
g) The Employee Services entity is an abstract entity that represents the time acquired from various classes of employees. It will be discussed in chapter 14. For now, just explain that each row represents all the time the company acquires from a specific class of employees (artisans, clerks, management, etc.)

b. Create the set of relational tables required to implement your REA diagram for Stained Glass Artistry in a relational database.

Table Name | Primary Key(s) | Other Attributes (foreign keys in italics, others in normal font)
Raw Materials | Raw Material number | Style of glass, beginning quantity on hand, color of glass, standard cost of glass
Employee | Employee number | Name, date hired, wage rate, date of birth
Employee Services | Category number |
Bill of Materials | B.O.M. number | Raw materials number, design number, Standard quantity of glass to use in this design
Issue Raw Materials | Raw Materials Issue number | W.I.P. number, issuing employee number, receiving employee number
Work in Process | W.I.P. number | Design number, Quantity to be produced, date design produced, actual cost of design
Perform Job Operation | Job Operation number | Employee number, category number, labor standard number, W.I.P. number, Time started task, time completed task
Finished Goods Inventory | Design number | Design name, beginning quantity on hand, standard cost of design
Labor Standards | Labor Standard number | Design number, Standard hours to make design
Raw Materials – Issue Raw Materials | Raw Material number, Raw Materials Issue number | Quantity issued
Bill of Materials – Issue Raw Materials | B.O.M. number, Raw Materials Issue number |

19.6 Bernie’s Pet Store sells pet food, toys, and supplies. Bernie, the owner, is the only person who places orders with suppliers. He is also the only person who writes checks. Suppliers ship each order individually; if they are out of an item, they back order it and ship it separately as soon as it arrives. Bernie pays each supplier monthly for all purchases made the previous month. Suppliers do not allow him to make installment payments.

Bernie has eight employees, each of whom can check in materials received from suppliers and sell merchandise to customers. Bernie pays his employees weekly from a separate checking account used only for payroll purposes.

All sales are made in-store and are paid for immediately by cash, check, or credit card.

When employees are not working the cash register or checking in merchandise, they restock shelves and clean up the premises. Bernie does not want to track each individual restock or clean-up event, but does want to know how much time each employee spends each day doing those tasks. He also wants to track how much time each employee spends each day receiving inventory and how much time they spend working at the cash register.
He wants to be able to write queries that would show time spent by job task (restocking, cleaning, receiving, or sales) for each employee. It is not practical, however, to try to measure the time spent on individual tasks (e.g., Bernie does not want employees to track the time they start and finish unloading a shipment from supplier X, then repeat for supplier Y; similarly, he does not want to track how long it takes to ring up each individual customer at the cash register). All he wants is to know how much time each day (e.g., 3.75 hours) each employee spent performing each different type of job.

REQUIRED
Draw an integrated REA diagram for Bernie’s Pet Shop. Be sure to include both payroll processing and the ability to track how employees use their time.

[REA diagram. Entities shown: Employees (Bernie), Order Inventory, Inventory, Sales, Employee, Vendors, Receive Inventory, Customer, Employees, Disburse Cash, Cash, Receive Cash, Get Employee Time, Employee Time, Use Employee Time]

Explanation of cardinalities in Bernie’s pet store:
a) Checks may be written to either suppliers or to employees. One table can be used for both types of checks. The primary key of that table would be a concatenated key consisting of two attributes: check number and account number. (The latter attribute distinguishes operating checks from payroll checks). Since a check may go to either a vendor or an employee, the minimum cardinalities from the disburse cash event to those agents are zero.
b) Bernie pays employees weekly. Each day an employee works a new row is created in the Get Employee Time table. Each row thus represents a daily time card. Therefore, each paycheck is linked to many rows in the Get Employee Time event.
c) The Employee Time resource represents the time acquired from various classes of employees.
Since any one employee only falls into one category (i.e., full-time, part-time, management), each daily time card (row in the Get Employee Time table) can be linked to one, and only one, row in the Employee Time resource.
d) The Use Employee Time event is used to track how employees spend their time. A row would be created for each block of time an employee spent performing a particular type of task. An attribute in this table would be a text field describing what an employee did during that block of time. For example, if the employee restocked shelves from 8:00 am to 11:00 am, there would be one row in the Use Employee Time table for that block of time, with the description being “restock shelves.” Similarly, if an employee worked the cash register from 1:00 pm to 5:00 pm, there would be one entry in the Use Employee Time table with the description being “worked cash register.” Some tasks, like working the cash register, can be linked to specific events that Bernie wants to track, such as cash receipts and receiving inventory. During a block of time, an employee is likely to participate in many such events. For example, during the block of time from 1:00 to 5:00, an employee working the cash register is likely to participate in many receive cash events. Thus, each Use Employee Time event can be linked to a minimum of 0 and a maximum of many Receive Cash events. Any specific cash receipt, however, is linked to one and only one employee’s use of time. Therefore, each Receive Cash event can be linked to 1, and only 1, Use Employee Time event.
e) The Employee Time resource is shown in dashed lines because it is not likely to be implemented in a table.

19.7 At Big Time University (BTU) students are allowed to purchase two basketball tickets for each home game. Each ticket contains the date of the game, and the seat information, such as section, row, and individual seat number. Students pay for each game individually; that is, student sporting event passes are not used at BTU. BTU deposits the proceeds from each game into its bank.

REQUIRED
a. Prepare an REA diagram with cardinalities for the revenue cycle for BTU’s basketball games. State any assumptions you may have to make concerning BTU’s business policies and practices.

[REA diagram. Entities shown: Ticket, Ticket Sales, Student, Ticket Window Clerk, Cash, Receive Cash]

b. Implement your model in a set of relational tables. Be sure to specify primary keys, foreign keys, and identify at least one other attribute that should be included in each table.

Table Name | Primary Key(s) | Other Attributes (foreign keys in italics, others in normal font)
Ticket Sales | Invoice Number | Student Number, Employee Number, Date, Total Amount
Receive Cash | Remittance Number | Invoice Number, Employee Number, Student Number, GLAccount Number, Date, Total Amount
Ticket | Ticket Number | Invoice Number, Event, Date, Section, Row, Seat
Student | Student Number | Name, Address, Phone
Ticket Window Clerk | Employee Number | Name, Address, Phone, Position
Cash | GLAccount Number | Name, Beginning Balance

19.8 Small contractors often rent special equipment for specific jobs. They need to track the equipment that is rented, when it is returned, and payments made to the rental company.

REQUIRED
a. Draw a partial REA diagram for the acquisition, payment, and return of rental equipment. Be sure to include cardinalities and state any assumptions you made when specifying those cardinalities.
[REA diagram. Entities shown: Rented Equipment, Cash, Return Rented Equipment, Rent Equipment, Disburse Cash, Employee, Vendor]

This solution is based on the following assumptions:
1. Each Rent event is independent of every other Rent event. For example, each time the contractor rents equipment, they must sign a rental agreement or contract for all the equipment they rent at that particular time.
2. Each Return Rented Items event is tied to one and only one Rent event. In other words, all equipment rented according to a previously signed rental agreement is returned at the same time.
3. The contractor pays for the rental at the time of the Rent event.
4. The contractor maintains a listing of all types of equipment that they rent. This listing allows the contractor to rent multiple items of the same type. For example, the contractor may rent 5 jackhammers and 5 air compressors in a single Rent event. Thus, many rental item types may appear on a single Rent event.

Note: An alternative solution would be to model the rental and return of each individual piece of equipment separately. This would be appropriate if assumption 2 is relaxed and the contractor is permitted to return each individual item at different times. This alternative solution would be modeled similar to Figure 19-3. You may want to explore the effects of these two alternative solutions on both the processing of events and the subsequent generation of queries and reports.

b. Create a set of tables (either on paper or in a relational DBMS to which you have access) to implement the REA model you developed.
Table Name | Primary Key | Other attributes (foreign keys)
Rented Equipment | Equipment number | Description
Cash | GL Account Number | Name, beginning balance
Return Rented Items | Return number | Date, time, vendor number, employee number, rental number
Rent Equipment | Rental number | Date, time, vendor number, employee number
Disburse Cash | Check number | Date, amount, GL Account number, Employee number, Vendor number
Employee | Employee number | Name, date hired, pay rate
Vendor | Vendor number | Name, address, beginning balance
Rented Equipment – Rent Equipment | Equipment number, rental number | quantity
Rented Equipment – Return Rented Items | Equipment number, return number | quantity

SUGGESTED ANSWERS TO THE CASES

Case 19.1 This case involves creating a database from an integrated REA diagram and then using the REA diagram to guide the writing of queries to prepare financial statements.

Required
a. Create the tables necessary to implement Figure 19-9 in a relational database. Be sure to include primary keys and other relevant attributes in each table.

Table Name | Primary Key(s) | Other Attributes (foreign keys in italics, others in normal font)
Customer | Customer number | Name, address, phone, beginning account balance, credit limit
Employee | Employee number | Name, date hired, wage rate, date of birth, position
Take Customer Order | Sales Order Number | Customer number, employee number, date, total amount
Sales | Invoice Number | Customer number, employee number, sales order number, Item Number, date
Receive Cash | Remittance Number | Customer number, employee number, GLAccount number, Invoice Number, date, amount
Finished Goods Inventory | Item Number | Name, Description, beginning quantity on hand, standard cost, list price
Work in Process | W.I.P. Number | Item Number, Quantity to be produced, date design produced
Use Equipment | Machine Operation Number | Equipment ID number, W.I.P. number, Machine Operation List number, Time Started, Time Finished, Date
Equipment Operations List | Machine Operation List Number | Item number, standard time
Job Operations List | Job Operations List Number | Standard time, Item number
Use Employee Time | Job Ticket Number | Description, Time started, Time Finished, Date, Employee Number, WIP Number, Job Operations List Number
Bill of Materials | Bill of Materials Number | Raw materials number, item number, Standard quantity used in this design
Raw Materials | Raw Material Number | Description, beginning quantity on hand, standard cost
Issue Raw Materials | Raw Materials Issue Number | W.I.P. number, issuing employee number, receiving employee number
Suppliers | Supplier Number | Name, Address, Phone, Beginning balance
Equipment | Equipment ID Number | Description, Cost, Depreciation Method, Useful Life, Salvage Value, Year Acquired, Purchase Order number, Receiving report number
Acquire Services | Service Acquisition number | Description, Cost, Check number, supplier number, employee number, GL Account number
General and Administrative Services | GLAccount Number | Description, length of contract, budget
Cash | GLAccount Number | Description, beginning balance
Time Worked | TimeCard Number | Employee Number, Supervisor Number, Time in, Time Out, Date, Check number
Order Raw Materials and Equipment | Purchase Order Number | Date, employee number, supplier number, equipment ID number
Receive Raw Materials and Equipment | Receiving Report Number | Date, supplier number, equipment ID number
Disburse Cash | Check Number | GLAccount Number, Date, Amount, Purpose, Employee (payee) Number, Supplier Number, Cashier number, Stock issuance number, Loan number, Transfer Agent Number
Issue Stock | Issuance Number | Date, Transfer Agent Number, Employee (Treasurer) number, GLAccount number, Number of Shares, par value
Issue Debt | Loan Number | Amount, Date, Interest rate, term, Transfer Agent number, employee (Treasurer) number, GLAccount number
Transfer Agent | Transfer Agent Number | Name, Address, Phone
Customer Order – Finished Goods | Order Number, Item Number | Quantity ordered, unit sales price
Sale – Receive Cash | Invoice Number, Receipt Number | Amount applied
Order Raw Materials and Equipment – Raw Materials | Purchase Order Number, Raw Materials Number | Quantity ordered, unit cost
Receive Raw Materials and Equipment – Raw Materials | Receipt Number, Raw Materials Number | Quantity received, condition
Receive Raw Materials and Equipment – Cash Disbursements | Receiving Report Number, Check number | Amount applied to invoice
Order Raw Materials and Equipment – Receive Raw Materials and Equipment | Purchase Order number, Receiving Report number |
Issue Raw Materials – Raw Materials | Raw materials number, Issue Raw Materials Number | Quantity issued
Sales – Finished Goods Inventory | Invoice Number, Item Number | Quantity sold
Employees – Receive Raw Materials and Equipment | Employee number, Receiving Report Number |

b. Write the query, or set of queries, necessary to generate as many elements of financial statements as possible. For example, write the query or set of queries that would be used to calculate the amount of cash on hand, the total of accounts receivable, the total value of raw materials, inventory on hand, etc.

The actual syntax will depend on the software used. The following logic describes the queries that can be used to provide most of the information needed to construct a simple income statement and balance sheet:

1. To derive total sales you need to query three tables: Take Customer Order, Take Customer Order – Finished Goods Inventory, and Sales. First, find the set of customer order numbers that have been realized as sales (i.e., all customer order numbers that appear in the Sales table). Then, for that set of customer orders, query the M:N relationship table between Take Customer Orders and Finished Goods Inventory and sum the product of quantity ordered times unit sales price.
2. To derive total actual Cost of Goods Sold requires assumptions about inventory costing method (LIFO, FIFO, etc.). However, it is straightforward to calculate the standard cost of goods sold as follows: query the Finished Goods Inventory, the M:N relationship table between Finished Goods and Take Customer Order, Customer Orders, and Sales. First, find the set of customer order numbers that have been realized as sales (i.e., all customer order numbers that appear in the Sales table).
Then, for that set of customer orders, query the M:N relationship table between Take Customer Orders and Finished Goods Inventory and the Finished Goods Inventory tables and sum the product of quantity ordered times standard cost per unit.
3. Only three expenses can be calculated from the model: wages, general administrative expenses, and depreciation.
   a. To calculate wages expense: Sum hours worked (from the Time Worked entity) and group by employee number. Then multiply the total hours worked for each employee by that employee’s pay rate (found in the Employees table).
   b. To calculate general administrative expenses, sum the cost column in the Acquire Services table.
   c. The Equipment table contains all the information needed to calculate depreciation (acquisition cost, useful life, depreciation method, salvage value, and year acquired).
4. To calculate cash balance first retrieve the sum of the beginning balance attribute from the Cash table. Second, sum the amount column in the Receive Cash, Issue Stock, and Issue Debt tables and add those three numbers to the beginning balance. Then sum the amount in the Disburse Cash table and subtract that from your previous total.
5. To calculate accounts receivable begin by computing the sum of the beginning balance attribute from the customers table. Next, add to that the total amount of sales (see step 1). Then, subtract the sum of the amount column in the Receive Cash table.
6. It is straightforward to calculate the standard cost of ending inventory using the standard unit price. Calculating the actual cost of ending inventory is complex, requiring retrieval of information from many tables and assumptions about the costing method (FIFO, LIFO, Weighted Average).
7. The equipment table has the cost of all equipment.
Cumulative depreciation can be calculated from the information in the table and that amount subtracted from cost to yield book value.
8. Accounts payable can be calculated as follows.
   a. Begin by retrieving the sum of the beginning balance attribute from the suppliers table.
   b. Then calculate the total of all purchases.
      i. For equipment, this involves summing the cost attribute for all rows in the equipment table linked to a Receive Raw Materials and Equipment event this fiscal period.
      ii. For raw materials, this involves several steps. Begin by finding the set of raw materials orders that are linked to receive events this period. Then query the Order Raw Materials and Equipment – Raw Materials M:N table and sum the product of quantity ordered times unit cost.
      iii. For services, this equals the sum of the cost column in the Acquire Services table for all rows in which the check number is null.
   c. Then calculate payments to suppliers by summing the amount attribute in the Disburse Cash table for all rows that are linked to suppliers.
   d. Accounts payable = step a + step b – step c
9. Long term debt can be calculated by summing the amount column in the Issue Debt table.
10. The total par value of common stock can be calculated by summing the product of par value times number of shares.

CHAPTER 20
INTRODUCTION TO SYSTEMS DEVELOPMENT; SYSTEMS ANALYSIS

SUGGESTED ANSWERS TO DISCUSSION QUESTIONS

20.1 The approach to long-range AIS planning described in this chapter is important for large organizations with extensive investments in computer facilities. Should small organizations with far fewer information systems employees attempt to implement planning programs? Why or why not? Be prepared to defend your position to the class.
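Added example for Case 19.1(b) above, not part of the original solution manual: steps 1, 4 and 5 of the query logic (total sales, cash balance, accounts receivable) written as SQL and run through Python's sqlite3. Table and column names follow the Case 19.1 tables; the snake_case spelling, the amount column on Issue Stock and every sample row are assumptions constructed for the example.

```python
import sqlite3

# Subset of the Case 19.1 tables. Names are snake_case versions of the manual's
# table and attribute names; issue_stock.amount is an assumption (step 4 sums it).
SCHEMA = """
CREATE TABLE cash (gl_account_number INTEGER PRIMARY KEY, description TEXT,
                   beginning_balance INTEGER);
CREATE TABLE customer (customer_number INTEGER PRIMARY KEY, name TEXT,
                       beginning_account_balance INTEGER);
CREATE TABLE take_customer_order (sales_order_number INTEGER PRIMARY KEY,
                                  customer_number INTEGER REFERENCES customer);
CREATE TABLE customer_order_finished_goods (
    order_number INTEGER REFERENCES take_customer_order,
    item_number INTEGER, quantity_ordered INTEGER, unit_sales_price INTEGER,
    PRIMARY KEY (order_number, item_number));
CREATE TABLE sales (invoice_number INTEGER PRIMARY KEY,
                    sales_order_number INTEGER REFERENCES take_customer_order);
CREATE TABLE receive_cash (remittance_number INTEGER PRIMARY KEY, amount INTEGER);
CREATE TABLE issue_stock (stock_issuance_number INTEGER PRIMARY KEY, amount INTEGER);
CREATE TABLE issue_debt (loan_number INTEGER PRIMARY KEY, amount INTEGER);
CREATE TABLE disburse_cash (check_number INTEGER PRIMARY KEY, amount INTEGER);
"""

# Constructed sample data (whole dollars). Order 3 has no invoice yet, and
# order 2 appears on two invoices to show that it is still counted once.
SAMPLE = """
INSERT INTO cash VALUES (101, 'Operating checking', 10000);
INSERT INTO customer VALUES (1, 'Customer A', 500), (2, 'Customer B', 0);
INSERT INTO take_customer_order VALUES (1, 1), (2, 2), (3, 1);
INSERT INTO customer_order_finished_goods VALUES
    (1, 10, 2, 100), (1, 11, 1, 50), (2, 10, 3, 100), (3, 11, 10, 50);
INSERT INTO sales VALUES (9001, 1), (9002, 2), (9003, 2);
INSERT INTO receive_cash VALUES (1, 200), (2, 100);
INSERT INTO issue_stock VALUES (1, 5000);
INSERT INTO issue_debt VALUES (1, 2000);
INSERT INTO disburse_cash VALUES (1, 1200), (2, 800);
"""


def build_db(with_sample=True):
    """Create an in-memory database with the schema and, optionally, the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    if with_sample:
        conn.executescript(SAMPLE)
    return conn


def _scalar(conn, sql):
    return conn.execute(sql).fetchone()[0]


def total_sales(conn):
    """Step 1: order lines whose order number appears in Sales, qty * unit price.

    The IN sub-query treats the invoiced orders as a set, so an order that
    appears on several invoices is not double counted the way a plain JOIN
    against sales would count it.
    """
    return _scalar(conn, """
        SELECT COALESCE(SUM(quantity_ordered * unit_sales_price), 0)
        FROM customer_order_finished_goods
        WHERE order_number IN (SELECT sales_order_number FROM sales)""")


def cash_balance(conn):
    """Step 4: beginning balance + receipts + stock + debt - disbursements."""
    return _scalar(conn, """
        SELECT (SELECT COALESCE(SUM(beginning_balance), 0) FROM cash)
             + (SELECT COALESCE(SUM(amount), 0) FROM receive_cash)
             + (SELECT COALESCE(SUM(amount), 0) FROM issue_stock)
             + (SELECT COALESCE(SUM(amount), 0) FROM issue_debt)
             - (SELECT COALESCE(SUM(amount), 0) FROM disburse_cash)""")


def accounts_receivable(conn):
    """Step 5: customer beginning balances + total sales - cash received."""
    beginning = _scalar(
        conn, "SELECT COALESCE(SUM(beginning_account_balance), 0) FROM customer")
    received = _scalar(conn, "SELECT COALESCE(SUM(amount), 0) FROM receive_cash")
    return beginning + total_sales(conn) - received


if __name__ == "__main__":
    db = build_db()
    print("Total sales:        ", total_sales(db))
    print("Cash balance:       ", cash_balance(db))
    print("Accounts receivable:", accounts_receivable(db))
```

COALESCE keeps each total at zero when a table has no rows yet, which matters at the start of a fiscal period when SUM would otherwise return NULL.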
Yes, companies with few IS employees should attempt to implement planning programs. This is particularly true if the company or its computer usage is growing. The extent of the planning should be commensurate with the size of the computer facility, reliance on system information, and the potential value of the company’s system.

Planning produces benefits even if the planning effort is minimal. In the smallest facility, the plan may consist simply of a few pages of thoughts and projects that are prepared and reviewed periodically by the person in charge of the system. It could also consist of a bare bones cost-benefit analysis.

A smaller company will typically have fewer funds than a large company will. Therefore, inadequate planning can be more disastrous and financially draining for small companies.

20.2 You are a consultant advising a firm on the design and implementation of a new system. Management has decided to let several employees go after the system is implemented. Some have many years of company service.
• Tell employees what is going to happen to them as soon as possible.
• Institute a hiring freeze so staff can be reduced by attrition.
• Retrain displaced employees for other jobs.
• Offer early retirement to older employees.
• Offer retirement incentives.
• Offer displaced employees comparable positions in other divisions of the company.
• Hire a personnel-consulting firm to help displaced employees find alternative employment.
• Train displaced employees for positions in the new system.
• Encourage part-time work or job-sharing.

How would you advise management to communicate this decision to the affected employees? To the entire staff?
• The communication should be direct, so that the employees are the first to find out and are not subject to the whims of rumors and uncertainty.
• The communication should be prompt so the employees have sufficient time to seek other jobs.
• Management should offer as much employee assistance as possible to help them find new jobs. This includes recommendations from supervisors, priority consideration for other jobs in the firm, opportunities for positions in the new system, time off to search for a new job, and severance pay. While these actions may be costly, they will provide benefits (cooperation, improved morale in the remaining employees, etc.) that will likely exceed the costs.

20.3 While reviewing a list of benefits from a computer vendor’s proposal, you note an item that reads, “Improvements in management decision making—$50,000 per year.” How would you interpret this item? What influence should it have on the economic feasibility and the computer acquisition decision?

The item cannot be properly interpreted without further information from the computer vendor, such as what decisions, made by which managers, are they referring to? How will the decisions be improved by the system? Unless you get very specific answers that support the calculations, the item should be ignored when making the computer acquisition decision.

Usually, a computer system will help management make better decisions. However, these decisions do not always result in a direct cost savings. The economic feasibility study should only include costs that can be directly determined.

In addition to an economic feasibility study, qualitative factors, like better decision-making, should be considered. In many instances, these non-quantifiable benefits may be the most important or the majority of the benefits. Even though they are subjective and are surrounded by uncertainty, they must be considered.

20.4 For each of the following, discuss which data-gathering method(s) are most appropriate and why:

a. Examining the adequacy of internal controls in the purchase requisition procedure - Observation of procedures, interviews with employees, and documentation reviews (of document or control flowcharts, for example) will all aid in understanding purchase requisition procedures. Each type of procedure will identify different aspects of the internal controls in the purchasing department.

b. Identifying the controller’s information needs - An in-depth interview with the controller is one way to determine her information needs. However, managers often don’t know what information they need; they say they need the information they are now getting and little else. Therefore, the interviewer/analyst must understand the manager’s function and the role of that function in the organization. The interviewer should also ask the controller what information she would like to receive that she is not now receiving. Interviewing is an efficient fact-finding technique that allows a prepared and informed interviewer to ask "why" or probing questions to better identify the controller's needs. Reviewing the reports that the controller currently receives is also a good way to identify her needs.

c. Determining how cash disbursement procedures are actually performed - If the cash procedures are documented, a review of that documentation will help understand how it is supposed to work. The best way to understand how cash disbursement procedures are actually performed is to interview employees, observe them, and prepare flowcharts and notes.

d. Surveying employees about the move to a total quality management program - By using a questionnaire, the opinions of many different employees can be gathered. Questionnaires also produce information in a standardized format. A questionnaire allows employees to think about the questions before giving answers and it is more objective than other data gathering methods. Anonymous questionnaires will encourage employees to give honest answers.
Questionnaires produce a "breadth" but not a "depth" of information. To go beyond the questions in the questionnaire, interviews should be held with selected employees. The purpose of the interviews is to probe deeper to find out why employees feel as they do.

e. Investigating an increase in uncollectible accounts - Interviews with employees and examination of documents will provide good initial sources of information to investigate the problem. Documents will show which accounts are uncollectible and help with an understanding of the company's collection policies. Interviews will help determine why uncollectible accounts have increased.

20.5 The following problem situations occurred in a manufacturing firm. What questions should you ask to understand the problem?

Customer complaints about product quality have increased.
• What is it, specifically, that customers are complaining about?
• Has anything happened to change product quality during the past few years?
• Is poor product quality the result of:
   • Poor quality raw materials?
   • Inadequate product specifications? If so, can they be altered to improve quality?
   • Low employee morale?
   • Changes in production procedures?
   • Other possibilities for poor quality
• Does the company have a total quality management (TQM) program? Should they?

Accounting sees an increase in the number and dollar value of bad debt write-offs.
• Has the company recently changed its credit policy? If so, why?
• Are certain customer groups more delinquent than others are?
• What collection procedures does the company employ? Are they adequate? If not, why not?
• Are early payment discounts and late payment penalties adequate?
• Are current economic conditions affecting delinquency rates?

Operating margins have declined each of the past four years due to higher-than-expected production costs from idle time, overtime, and reworking products.
• Does the production scheduling system perform satisfactorily? If not, why not?
• Are there delays in receiving materials? If so, why? What are the current policies for handling the receipt of raw materials?
• What causes the overtime problem? Increasing sales, understaffed lines, inefficient workers?
• Is product rework caused by poor employee performance, poor quality materials, poor production process, etc.?
• What economic conditions are affecting production costs?

20.6 Give some examples of systems analysis decisions that involve a trade-off between each of the following pairs of objectives:

There are many examples of the tradeoffs between information system objectives. One example is provided here for each pair of objectives.
a. economy and usefulness - the decision of how much information to give a credit manager to help in deciding whether to extend credit versus the cost of providing that information.
b. economy and reliability - the decision of whether to implement a new internal control procedure.
c. economy and customer service - the decision of whether or not to allow sales personnel to access data versus the cost of providing that information and the cost of the information being used for unintended purposes.
d. simplicity and usefulness - any decision about the extent to which output information should be reported in detail or in summarized form.
e. simplicity and reliability - any decision about whether or not to implement an internal control procedure.
f. economy and capacity - the decision of whether to acquire additional storage capacity.
g. economy and flexibility - the decision to replace older, less flexible storage mediums with newer, more flexible, and often more costly storage mediums.

20.7 For years, Jerry Jingle’s dairy production facilities led the state in sales volume but recent declines worry him. Customers are satisfied with his products but are troubled by the dairy’s late deliveries and incomplete orders.
Production employees (not the cows) are concerned about bottlenecks in milk pasteurization and homogenization due to poor job scheduling, mixups in customers’ orders, and improperly labeled products. How should Jerry address the problems? What data-gathering techniques would be helpful at this early stage?

Jerry could install an information system that coordinates job scheduling, tracks customer orders, and controls product labeling. The system can also help reduce bottlenecks in the milk pasteurization and homogenization process by controlling production schedules.

It appears that Jerry has conducted an initial investigation and determined that actual problems exist. Jerry now needs to conduct a more in-depth investigation to verify the nature of the problem and to identify customer and user needs.
• The person conducting the investigation should interview the employees who process, bottle, and deliver the milk. These employees will be able to identify what is wrong with the current process and make suggestions for improvement.
• Customers should also be interviewed to find out their needs, since meeting customer's needs is the ultimate goal of the company.
• Jerry and supervisory personnel should be interviewed to get their insights about the problems and possible solutions.

Interviewing from the bottom up can result in better problem identification and solutions than from the top down. Lower level employees are more likely to accept a change in the system when they were the ones who first suggested the changes.

At this stage, Jerry and those he hires to help him will find interviewing techniques most useful in developing a problem statement. He will also probably find observation and reviewing whatever documentation is available to be of some use. A customer questionnaire may also produce useful information.

20.8 A manufacturing firm needed a specialized software program to identify and monitor cost overruns.
After an extensive analysis, the company purchased prepackaged software and assigned three programmers to modify it to meet its individual circumstances and processes. After six months of work, during final testing, the company told them to stop all work until further notice. While reading the software vendor’s sales agreement, the manufacturing manager found a clause stating that the software could not be changed without the prior written consent of the vendor. The firm had to pay the software vendor an additional fee so it could use the modified software in its manufacturing process. Which aspect(s) of feasibility did the manufacturing firm fail to consider prior to purchasing the software?

Of the five aspects of feasibility, the manufacturing firm failed to consider legal feasibility. Legal feasibility deals with the system’s compliance with all applicable federal and state laws, regulations, and contractual obligations. In this particular case, the company failed to consider the contractual obligation not to alter the software without express written consent from the vendor.

20.9 Ajax Manufacturing installed a new bar code based inventory tracking system in its warehouse. To close the books each month on a timely basis, the six people who work in the warehouse must scan each item in a 36-hour period while still performing their normal duties. During certain months, when inventory expands to meet seasonal demands, the scan takes as many as 30 hours to complete. In addition, the scanners do not accurately record some inventory items that require low operating temperatures. A recent audit brought to management’s attention that the inventory records are not always accurate. Which aspect(s) of feasibility did Ajax fail to consider prior to installing the inventory tracking system?

Ajax Manufacturing failed to consider operational and technical feasibility when implementing their inventory tracking system.
Operational feasibility considers whether the organization’s personnel can and/or will use the system. For Ajax, the 30 hours required to scan all inventory in a 36-hour period was very difficult on personnel and most likely led to human error in the inventory count due to fatigue. Technical feasibility deals with whether the technology is in place for the system to work. For Ajax, although the technology was in place and worked under normal circumstances, the scanners did not always work in the cold conditions of Ajax’s warehouse. Therefore, the technology sometimes failed, which resulted in inventory errors.

SUGGESTED ANSWERS TO THE PROBLEMS

20.1 How do you get a grizzled veteran police officer who is used to filling out paper forms to use a computer to process his arrests and casework—especially when he has little or no experience using a computer? That was the problem facing the Chicago Police Department when it decided to implement a relational database system. The system is capable of churning through massive amounts of data to give officers the information they need to fight crime more effectively. Initially, the department rolled out the case component of the CLEAR (Citizen Law Enforcement Analysis and Reporting) system that provided criminal history and arrest records. The officers hated it, complaining that the system was not user-friendly, that approval from supervisors was complex and involved multiple screens, and that they did not feel properly trained on the system. After listening to the officers’ complaints for a year, the department clearly had to do something. (Adapted from Todd Datz, “No Small Change,” CIO (February 15, 2004): 66–72)

a. Identify as many system analysis and design problems as you can.
• Apparently, the detectives were not asked what they wanted and/or needed in the new system. If they were asked for input, it was not adequately communicated to system designers or it was ignored.
• The system did not provide the service or performance the detectives wanted.
• The detectives were not trained on the new system to their satisfaction. They did not feel comfortable using it because they did not understand how to use it.

b. What could the department have done differently to prevent the officers’ complaints?
• If the department had involved the police officers early in the planning, analysis, and design process, they could have:
  o Helped systems analysts identify what they wanted in the new system, helped design the new system, and given constructive feedback on the new system.
  o Acted as conduits or liaisons to their respective departments by communicating suggestions from their department. They also could have acted as a champion or supporter of the new system to their colleagues.

The Chicago Police Department recognized the problems with new systems and took steps to improve system performance and user acceptance. They:
• Increased the competence of their information systems group. They were a good team, but lacked the training to manage a project of this magnitude. They recruited people with the correct skills and experience to implement the system successfully.
• Increased training for all IS professionals, from entry-level developers to senior managers.
• Sent programmers to the field for six weeks to document the user problems and issues.
• Instituted joint application design sessions with teams comprised of management, users, and technical staff.
• Used police officers to train users in the field, which made a huge difference to the cop on the street. One officer commented, “There is a certain degree of comfort with other police officers.”

c. What principles of system analysis and design were violated in this case?
• Limited or no user input
• Poor training
• Users were not part of the development team.
20.2 Mary Smith is the bookkeeper for Dave’s Distributing Company, a distributor of soft drinks and juices. Because the company is rather small, Mary performs all daily accounting tasks herself. Dave, the owner of the company, supervises the warehouse/delivery and front office staff, but he also spends much of his time jogging and skiing.

For several years, profits were good, and sales grew faster than industry averages. Although the accounting system was working well, bottlers were pressuring Dave to computerize. With a little guidance from a CPA friend and with no mention to Mary, Dave bought a new computer system and some accounting software. Only one day was required to set up the hardware, install the software, and convert the files. The morning the vendor installed the computer system, Mary’s job performance changed dramatically. Although the software company provided two full days of training, Mary resisted learning the new system. As a result, Dave decided she should run both the manual and computer systems for a month to verify the new system’s accuracy.

Mary continually complained that she lacked the time and expertise to update both systems by herself. She also complained that she did not understand how to use the new computer system. To keep accounts up to date, Dave spent two to three hours a day running the new system himself. Dave found that much of the time spent running the system was devoted to identifying discrepancies between the computer and manual results. When the error was located, it was usually in the manual system. This significantly increased Dave’s confidence in the new system.

At the end of the month, Dave was ready to scrap the manual system, but Mary said she was not ready. Dave went back to skiing and jogging, and Mary went on with the manual system. When the computer system fell behind, Dave again spent time catching it up.
He also worked with Mary to try to help her understand how to operate the computer system.

Months later, Dave was very frustrated because he was still keeping the computer system up to date and training Mary. He commented, “I’m sure Mary knows how to use the system, but she doesn’t seem to want to. I can do all the accounting work on the computer in two or three hours a day, but she can’t even do it in her normal eight-hour workday. What should I do?”

This is an actual case with the facts presented as accurately as possible. The objective is to familiarize students with the behavioral issues surrounding a systems change. It is less important to determine the "right answer" (there may not be one) than it is to discuss the issues.

a. What do you believe is the real cause of Mary’s resistance to computers?

Employee reaction to the installation of a new information system is often diverse and unpredictable. In many cases, employees must make significant behavioral adjustments to ensure the future success of the new system. These adjustments go well beyond mere surface anxieties such as fear of the unknown. Possible causes of Mary’s resistance to computers include (phrased as questions):
• Is Mary's adverse behavior due to a perceived need to protect her ego? Is she afraid she cannot use the computer properly and would look foolish?
• Since Mary was excluded from the decision to automate the office, does she feel resentment and refuse to use a system she wasn't asked to help select?
• Is she fearful because computers sometimes cause people to overcommunicate? (i.e., with capabilities such as electronic mail, employees can be reached anywhere and anytime, making it difficult to get away from all the interruptions that are part of the daily grind.)
• Is she worried that the computer will impose its own structure on the organization? The computer can considerably narrow that freedom causing people to view the computer as structure and constraint.
• Did she have an adverse experience with previous changes to her work environment and as a result is suspicious of any new system?

b. What events may have contributed to the new system’s failure?
• The company did not involve Mary in the systems change. They did not ask for her ideas, thoughts, or input. Evidently, she was not informed of the change until the computer was moved into her office and the furniture rearranged to make room for it. It would be easy for her to get the feeling she was not a very valued employee of the company.
• The company did not explain why the system was being implemented, what the company hoped to achieve with the system, and why it was so important to the company.
• The changes to Mary's job and responsibilities were not explained.
• Mary was not given any assurance that she would not be replaced by the system.
• The company did not alleviate Mary's fear by reassuring her that training would be provided to help her adapt to the new system and her duties.
• Running two systems longer than it took to test system reliability was a mistake, as was having Dave do the work.

c. In retrospect, how should Dave have handled the accounting system computerization?
• Mary should have been informed of the change that was going to take place, the purpose of the change, and why it was important to the company. Discussing these things with Mary beforehand could have helped the company create an attitude of trust and cooperation and could have set an example for what they expected of Mary.
• The company should have allowed Mary to make suggestions concerning the system, especially the things that would help her do her job more efficiently.
• Mary should be reassured that she has control over the system and not the other way around and that the system will help her perform her job more effectively.
• Education prior to systems implementation could perhaps have helped Mary adapt to the system more readily.

d. At what point in the decision-making process should Mary have been informed? Should she have had some say in whether the computer was purchased? If so, what should have been the nature of her input? If Mary had not agreed with Dave’s decision to acquire the computer, what should Dave have done?
• Mary should have at least been informed as soon as the decision was made to purchase the system. Preferably, Mary should have been informed at the very start when the company began thinking about the computer system. This would have allowed Mary to give valuable input and to be involved throughout the entire process.
• Because Mary was only a bookkeeper and did not fully understand the necessity of the system, she should not have been allowed to make the final decision on acquiring the system. However, if Mary had been involved from the beginning it is possible that she would have been in favor of the system. Even though she should not make the final decision, if her input had been considered it would have helped her accept the decision better.
• An effort should have been made to persuade her of the system's viability. If that is unsuccessful then consideration should be given to relocating her within the company. If both previous plans fail then termination is the only alternative available.
• Mary should have been given an opportunity for greater input. The company should have solicited her suggestions concerning how the system would best assist her with her job and how the system could achieve success in general terms. This participation would have likely increased Mary's self-esteem and security with the new system and changed her whole outlook about the system.

e. A hard decision must be made regarding Mary. Significant efforts have been made to train her, but they have been unsuccessful.
What would you recommend at this point? Should she be fired? Threatened with the loss of her job? Moved somewhere else in the business? Given additional training?

There are advantages and disadvantages to each of the following four options. Students will come to different conclusions based on their background. It is important to bring out the pros and cons of each approach. A few of these are shown below. This problem works well when the instructor determines which students support which alternative and plays them off against each other.

1. Firing can have the following advantages:
• The company can hire a more qualified individual who can perform the job more efficiently.
• The company can rid itself of an uncooperative employee and replace her with someone with a more positive attitude.

Firing can have the following disadvantages:
• The company sends messages to other employees and perhaps the community in general that they don't care about their employees as much as they do about profits and operations. This may lower company morale.
• The firm may have higher training and hiring costs.
• The person hired may cost more and bring unknown problems to the job.

2. Transferring employees can have the following advantages:
• The company is less likely to communicate that it does not care for its employees.
• The transferred person has experience with the company and may be of greater value to the company in another area than a newly hired person may.
• Training and hiring costs remain constant.

Transferring can have the following disadvantages:
• Employees may resent being transferred and not perform well in their new duties.
• Employees may not be qualified for the new job and perform poorly.
• If the transferred employee is disgruntled and talks about her situation to her coworkers, it could affect company morale.

3. Persuasion can have the following advantages:
• A valuable employee may be retained and her time freed up to perform tasks that are more important.
• Hiring and training costs can be kept to a minimum.
• The company communicates consideration for its employees.

Persuasion can have the following disadvantages:
• The employee may never truly adapt, resulting in poor job performance and an increase in errors.
• Significant costs may be incurred to constantly train the employee and identify the mistakes made by the employee.
• The company may make poor decisions based on incorrect information given by the employee.
• It may only serve to increase even further the frustration level that already exists.

Mary was eventually fired and another bookkeeper hired. With the new system, there was not enough work to keep the new employee busy full time. Consequently, the employee took over additional tasks that Dave had originally been performing. This freed him up for more creative tasks and to have more personal time.

Mary was interviewed several years later. She was employed at another firm and worked extensively with computers. Mary was asked if the company could have done anything to help her adapt to the computer and she said no. She had such a mental block against the computer at the time that she doubted the company could have done anything else to help her. It required several years for her to overcome her fear and learn to use computers.

20.3 Wright Company’s information system was developed in stages over the past five years. During the design process, department heads specified the information and reports they needed. By the time development began, new department heads were in place, and they requested additional reports. Reports were discontinued only when requested by a department head. Few reports were discontinued, and a large number are generated each period.
Management, concerned about the number of reports produced, asked internal auditing to evaluate system effectiveness. They determined that more information was generated than could be used effectively and noted the following reactions:
• Many departments did not act on reports during peak activity periods. They let them accumulate in the hope of catching up later.
• Some had so many reports they did not act at all or misused the information.
• Frequently, no action was taken until another manager needed a decision made. Department heads did not develop a priority system for acting on the information.
• Department heads often developed information from alternative, independent sources. This was easier than searching the reports for the needed data.

a. Explain whether each reaction is a functional or dysfunctional behavioral response.

1. Avoiding or delaying activity on reports during peak activity periods is dysfunctional if they contain information that could improve company performance. If the reports continue to accumulate with no action taking place (no catch up during the lulls), this is a dysfunctional behavior called avoidance. On the other hand, they may let the reports accumulate because they are worthless.

2. Having so many reports that no action or the wrong action is taken means that the department heads were unable to assimilate the supplied information properly. This dysfunctional response is a good example of information overload and indicates that the system needs to be changed to correct the problem.

3. It is dysfunctional when a department head does not refer to report data until a fellow employee follows up on critical information in order to make a decision. If delays continually take place, and result in complications and/or delays in other departments, this lack of action is dysfunctional.

4. The department head's actions are both functional and dysfunctional.
Developing information from alternative sources is dysfunctional because the formal system is not producing useable information and developing the needed information from other sources has a cost. However, the fact that the department head could generate the information from other sources so action could be taken is a functional response to the problem.

b. Recommend procedures to eliminate dysfunctional behavior and prevent its recurrence.

The dysfunctional behavior at Wright Company was a direct result of management's failure to recognize that information systems are dynamic. Once a system is designed and implemented, it should be continually reviewed to discover and incorporate any needed improvements.

A committee composed of systems staff and users should be established to monitor the system and to educate users as to information needs and the use of information. The committee should gather information concerning what information each department needs to make accurate decisions.

Allowing department heads to participate in the form, content, and volume of system output creates a corporate culture that motivates employees to help identify ways to improve the company and its information system. In addition, participation is ego enhancing, challenging, and intrinsically satisfying. Users who participate in developing the system know more about the technical aspects of the system and are better able to use and prioritize the information it produces, regardless of the volume produced.

Once the system is ready for implementation, the system must be properly tested to minimize initial bad impressions and the dysfunctional behavior exhibited under the old system.

20.4 The controller of Tim’s Travel (TT) is deciding between upgrading the company’s existing computer system or replacing it with a new one.
Upgrading the four-year-old system will cost $97,500 and extend its useful life for another seven years. The book value is $19,500, although it would sell for $24,000. Upgrading will eliminate one employee at a salary of $19,400; the new computer will eliminate two employees. Additional annual operating costs are estimated at $15,950 per year. Upgrading is expected to increase profits 3.5% above last year’s level of $553,000.

The BetaTech Company has quoted a price of $224,800 for a new computer with a useful life of seven years. Annual operating costs are estimated to be $14,260. The average processing speed of the new computer is 12% faster than that of other systems in its price range, which would increase TT’s profits by 4.5%.

Tim’s present tax rate is 35%, and the cost of financing (minimum desired rate of return) is 11%. After seven years, the salvage value, net of tax, would be $12,000 for the new computer and $7,500 for the present system. For tax purposes, computers are depreciated over five full years (six calendar years; a half year the first and last years), and the depreciation percentages are as follows:

Year          1      2      3      4      5      6
Percent (%)   20.00  32.00  19.20  11.52  11.52  5.76

Using a spreadsheet package, prepare an economic feasibility analysis to determine if Tim’s Travel should rehabilitate the old system or purchase the new computer. As part of the analysis, compute the after-tax cash flows for years 1 through 7 and the payback, NPV, and IRR of each alternative.

As shown below, Tim's Travel would be better off economically to purchase a new system rather than updating the existing one. Tim's Travel can achieve a 13.26% return by purchasing a new system and an 11.57% return by updating the old system.

Note: For illustrative purposes, all calculations other than NPV and IRR have been rounded to zero decimal places. All costs and savings amounts are shown net of tax effects.
20.5. Rossco is considering the purchase of a new computer with the following estimated costs: initial systems design, $54,000; hardware, $74,000; software, $35,000; one-time initial training, $11,000; system installation, $20,000; and file conversion, $12,000. A net reduction of three employees is expected, with average yearly salaries of $40,000. The system will decrease average yearly inventory by $150,000. Annual operating costs will be $30,000 per year. The expected life of the machine is four years, with an estimated salvage value of zero. The effective tax rate is 40%. All computer purchase costs will be depreciated using the straight-line method over its four-year life. Rossco can invest money made available from the reduction in inventory at its cost of capital of 11%. All cash flows, except for the initial investment and start-up costs, are at the end of the year. Assume 365 days in a year.

Use a spreadsheet to perform a feasibility analysis to determine if Rossco should purchase the computer. Compute the following as part of the analysis: initial investment, after-tax cash flows for years 1 through 4, payback period, net present value, and internal rate of return.

Rossco should proceed with the purchase. The internal rate of return of 23.23% is higher than the hurdle rate of 11%. There is a positive NPV of $56,157. Payback is in 2.44 years.

20.6 A recently completed feasibility study to upgrade XYZ’s computer system shows the following benefits. Compensation figures in parentheses include wages, benefits, and payroll taxes.

1. Production
a. Market forecasts, which take two $400 person-days a month, will be more accurate with software making the calculations.
b. Effective inventory control will prevent part stockouts and reduce inventory by $1,000,000. XYZ’s cost of capital is 20%.
c. Detailed evaluations of plan changes will increase production flexibility, reduce sales losses, and eliminate two clerks ($75,000 each).

2. Engineering
a. Computerized updating of bills of material and operations lists will save 40% of an engineer’s ($100,000) and 25% of a clerk’s ($60,000) time.
b. Computerized calculations of labor allocations, rates, and bonus details will save 40% of a clerk’s ($80,000) time.

3. Sales. Improved reporting will enable the five-person sales staff to react more quickly to the market, producing a $10,000 per person sales increase.

4. Marketing. Revised reports and an improved forecasting system will increase net income by $50,000.

5. Accounting
a. Quickly determining new product costs will save 30% of the accountant’s ($100,000) time.
b. An incentive earnings system will save 40% of the payroll clerk’s ($60,000) time.

As a board member, which of the benefits can you defend as relevant to the system’s cost justification? Calculate how much XYZ will save with the new system.

Adapted from the SMAC Exam

Acceptable Items, with Cost Savings:
1 (a) More accurate market forecasts with software making the calculations reduces costs: $9,600 ($400/day * 2 days/month * 12 months)
1 (b) Effective inventory control reduces inventory by $1,000,000, allowing company to reduce carrying costs and earn money on freed up capital: $200,000 (20% * $1,000,000)
1 (c) Eliminating 2 clerks saves money: $150,000 (2 * $75,000). Improved flexibility and reduced sales losses hard to incorporate into cost justification.
2 (a) Computerized updating of bills of materials and operations lists saves money: $40,000 (40% of $100,000) and $15,000 (25% of $60,000)
2 (b) Computerized calculations of labor allocations, rates, and bonus details saves money: $20,000 (40% of $80,000)
5 (a) Quickly determining new product costs will save money: $30,000 (30% of $100,000)
5 (b) An incentive earnings system will save money: $24,000 (40% of $60,000)

Rejected Items:
3 Sales increases hard to incorporate into cost justification due to lack of support for vague estimates.
4 Benefits of revised reports and improved forecasting system hard to incorporate into cost justification due to lack of support for vague estimates.

TOTAL SAVINGS: $488,600

20.7 The following list presents specific project activities and their scheduled starting and completion times:

Activity   Starting Date   Ending Date
A          Jan. 5          Feb. 9
B          Jan. 5          Jan. 19
C          Jan. 26         Feb. 23
D          Mar. 2          Mar. 23
E          Mar. 2          Mar. 16
F          Feb. 2          Mar. 16
G          Mar. 30         Apr. 20
H          Mar. 23         Apr. 27

a. Using a format similar to that in Figure 18-3, prepare a Gantt chart for this project. Assume that each activity starts on a Monday and ends on a Friday.

[Figure: Project Planning Chart]

b. Assume today is February 16 and activities A and B have been completed, C is half completed, F is a quarter completed, and the other activities have not yet commenced. Record this information on your Gantt chart. Is the project behind schedule, on schedule, or ahead of schedule? Explain.

[Figure: Partially Completed Gantt chart]

Once the activity bars have been filled in to reflect the activities that have been fully or partially completed, it is a simple matter to evaluate whether the project is on schedule by looking down the column corresponding to the current week. In this case, Activity C is one-half week shy of the current date (Feb. 16), and Activity F is one-fourth week short. Therefore, the project is behind schedule.

c. Discuss the relative merits of the Gantt chart and PERT as project planning and control tools.

Advantages of PERT:
• Indicates which activities are critical as well as how much slack is available in the noncritical activities.
This provides a basis for allocating resources to activities.
• Provides a measure of the uncertainty associated with project time and cost estimates.
• Indicates how to complete the project faster by speeding up certain activities.
• Shows the order in which activities must be completed. (For example, activity A must be completed before activity B can start.)

Advantages of Gantt Charts:
• It is easier to prepare than a PERT chart.
• Does not involve complex calculations and is thus less susceptible to error.
• The calendar format is easier to interpret visually.
• Is easier to update for completed activities.
• Makes it easier to determine whether a project is on schedule.
• Graphically shows the entire schedule for a project.
• Shows progress to date and the current project status.
• Shows a schedule of when each project should start and end.

20.8 Recent years have brought an explosive growth in electronic communication. Laptops, netbooks, e-readers, personal digital assistants, sophisticated cell phones, fax machines, email, teleconferencing, office productivity software, and sophisticated management information systems have changed the way information is received, processed, and transmitted. With the decreasing costs of computer equipment and the increasing power of automation, the full impact of computerization has yet to be felt. Although the development of computer applications is directed at being user friendly or user oriented, the integration of computers into the organization has had both positive and negative effects on employees.

Adapted from the CMA Examination

a. Describe the benefits companies and employees receive from electronic communications.
• Greater optimization of organizational resources, increasing productivity and profitability.
• More timely information for management decision making.
• Easier and quicker access to corporate data.
• More technological advancements, which sustain or increase the organization's competitive status and ensure employees of marketable technological skills.
• Standardized procedures and operations. Once a procedure or operation is standardized, computers will repeat the same logical procedures.

b. Discuss the organizational impact of introducing new electronic communication systems.

The initial cost of some electronic communication systems is a major capital purchase, requiring special procedures for capital acquisitions. With the increase in technology, the organization will increase its comparative advantage. Small companies that cannot afford the technology may be squeezed out of the market. Employees may experience a loss of confidence and fear change and/or the loss of their jobs.

c. Explain

1. Why an employee might resist the introduction of electronic communication systems
• They may fear and resist change. This may include the fear that they will be replaced by automation and lose their employment.
• They do not know what the system is and how it will help them on the job.
• Embarrassment of not knowing how to use the system.

2. The steps an organization can take to alleviate this resistance.
• Communication of information as to why the system is being implemented and how it will affect each employee's job. The intent should be to reinforce job security.
• Education and training of employees on how to use the system by providing system manuals and designated user support.
• Giving employees the opportunity to make suggestions for improving the system.

20.9 PWR manufactures precision nozzles for fire hoses. Ronald Paige, an engineer, started the corporation and it has experienced steady growth. Reporting to Ronald are six vice presidents representing marketing, production, research and development, information services, finance, and human resources.
The information services department was established last year when PWR began developing a new information system consisting of a server connected to each employee’s personal computer. The PCs can download and upload data to the server. PWR is still designing and developing applications for its new system. Ronald received a letter from the external auditor and called a meeting with his vice presidents to review the recommendation that PWR form an information systems steering committee. Adapted from the CMA Examination

a. Explain why the auditors would recommend an information systems steering committee and discuss its specific responsibilities. What advantages can the committee offer PWR?
1. Because information systems span functional and divisional boundaries, organizations establish an executive level steering committee so that the company, from an overall organizational perspective, focuses on:
• Planning and overseeing the information systems function.
• Setting priorities to ensure that the highest priority items are considered first.
2. Specific steering committee responsibilities include:
• Developing a master plan to strategically develop and maintain the company's information system, incorporating short-term and long-term goals.
• Approving or rejecting systems project proposals.
• Assuring internal control considerations.
• Establishing the company's information system policies and procedures.
• Coordinating and approving hardware and software acquisitions.
• Coordinating development projects and monitoring their progress without getting overly involved in technical details or specific project administration.
• Reviewing the performance of the information systems function.
3. The advantages of an information systems steering committee include:
• Ensuring top management participation, guidance, and control of the IS function.
• Facilitating coordination and integration of IS activities among departments and functions, increasing goal congruence and reducing goal conflict.
• Improving interdepartmental communications.
• More effective management control over systems resources allocations.

b. Identify the PWR managers most likely to serve on the committee.
• The six vice-presidents or their representatives.
• One or more members of the Information Systems Department.
• The controller.
• A member of the Financial and/or Internal Audit Departments.
• Other areas, if any, which are affected by the information systems function.
The chairperson is usually the chair of the IS department or another influential vice-president with strong IS skills and an active interest in the IS function. The IS steering committee should meet only when necessary to carry out its functions.

20.10 Businesses often modify or replace their financial information system to keep pace with their growth and take advantage of improved IT. This requires a substantial time and resource commitment. When an organization changes its AIS, a systems analysis takes place. Adapted from the CMA exam

a. Explain the purpose and reasons for surveying an organization’s existing system.
• To gain an understanding of the existing system and how it functions.
• To determine the constraints of the current system.
• To assess the strengths and weaknesses of the existing system and to identify problems that need to be resolved.
• To provide design ideas for the new system and to identify available resources.
• To provide information about users’ information needs.

b. Explain the activities commonly performed during systems analysis.
Initial Investigation
• Verify the nature of the problem and the needs of the users.
• Gather the information needed to evaluate the feasibility of the request.
Systems Survey
• Study and review the existing organizational structure to determine how it functions.
• Collect and review internal documents and reports to determine design, content, use, frequency of preparation, etc.
• Develop and use questionnaire forms to determine processing frequencies, input/output volumes, and other information.
• Conduct personal interviews to confirm and expand upon data gathered from the questionnaire.
• Develop flowcharts, models, and diagrams to document the existing system.
• Study external data sources, including companies who develop or who similar systems, consultants specializing in such systems, customers, industry trade associations, and government agencies.
• Observe activities to determine how the system actually works, rather than what people or the documentation say should be done.
Feasibility Study
• Conduct a study to determine whether to continue with the project.
Information Needs and System Requirements
• Define and document the information needs of the users.
• Define and document the requirements of the new system.
Systems Analysis Report
• Summarize and document analysis activity findings.

c. Systems analysis is often performed by a project team composed of a systems analyst, a management accountant, and other knowledgeable and helpful people. What is the management accountant’s role in systems analysis?
Most systems analysis work is performed by systems people. However, the management accountant is an important part of the development team and would be of assistance in providing information about various aspects of the system, including:
• Management's needs for required reports and their format.
• System requirements.
• Source documents in use.
• The relevance, reliability, and timeliness of input/output data.
• The internal controls which exist and which should be incorporated into any new or redesigned system.

20.11 Don Richardson, JEM Corporation’s vice president of marketing, is part of a management team that for several months has been discussing plans to develop a new line of business. Rumors about the major organizational changes that may be required to implement the strategic plan have been circulating for months. Several employees who are anxious about the expected changes confronted Don. The sales manager said, “It is imperative that we speak to you right away. The employees are very apprehensive about the proposed changes, and their job performance has slacked off.” The accounting manager added, “That’s right. My staff are asking me all sorts of questions about this new line of business, and I don’t have any answers for them. They’re not buying the ‘We will make an official announcement soon’ line any longer. I suspect that some of them are already looking for jobs in case the department changes phase out their positions.”

Implementing organizational change is one of the most demanding assignments an executive faces. It has been suggested that every change requires three steps: unfreezing the current situation, implementing the change, and refreezing the effected change. This view, however, lacks the specific details needed by an operating manager who must initiate the change. Adapted from the CMA Examination

a. Explain why employees resist organizational change.
• Uncertainty and fear. Employees become anxious and nervous when they fear the unknown. They worry about losing their jobs and their ability to meet new job requirements. If they do not understand the change or its implications or mistrust those initiating the change, there is even more uncertainty and fear of the unknown.
• No perceived need. Employees may not perceive the need for change, preferring to maintain the status quo.
Many people believe that what has proven successful in the past will be satisfactory for the future.
• Lack of time. Employees may not have or may be unwilling to expend the time and effort required to learn how to use the new system with its attendant new procedures.
• Interpersonal relationships threatened. Changes may disrupt existing social networks, which threatens the social stability of the organization. People often have emotional attachments to their duties or to the people they work with and don't want to change.
• Personal characteristics and background. Generally speaking, the younger people are, the fewer years they've been with the company, and the more highly educated they are, the more likely they are to accept change.
• Manner in which change is introduced. Resistance is often a reaction to the methods of instituting change rather than to change itself. Employees may not feel the change is beneficial if the employee was not consulted or did not participate in the decision making.
• Amount of trust. If previous dealings with management have not created a feeling of trust, confidence, and cooperation, users may feel they are trying to "put something over on me."
• Experience with prior changes. If employees have had a bad experience with prior changes, they will be more reluctant to cooperate with planned changes.
• Top management support. Employees sense top management attitudes toward a proposed system and the extent of top-level support. When there is a lack of support, lower-level employees may think, "If top management doesn't support it, why should I?"
• Communication. Employees often do not know why changes are made. Unless it is clear that a change is not an indication of poor performance, they may react negatively to it.
• Disruptive nature of the change process. Requests for information and interviews are disruptive of the normal routine and place additional burdens on people.

b.
Discuss ways JEM Corporation can alleviate employee resistance to change.
• Employee participation. Encourage employees to participate in the change planning and implementation. Employees who express their opinions, suggest ways to improve the system, and hear the positions of others are more likely to accept change.
• Keep the lines of communication open. Inform managers and users of systems changes as soon as possible. Clear and frequent communication about the need for change and the expected results of the change will alleviate employee fears. The company should listen to employee grievances and help to resolve problems.
• Provide feedback on employee suggestions. If they are not told why their suggestions were not implemented, they may foster bad feelings toward the new system.
• Train. Teach the employees how to use the system. Effective use or support cannot be obtained if users do not understand the system. Acceptance of the system is not likely if an individual believes that the computer is controlling him or has usurped her position.
• Satisfy user needs. Design the form, content, and volume of system output to satisfy user needs and they are more likely to welcome the changes.
• Build trust. If employees perceive management as fair and honest and have confidence in management's abilities, they are more likely to cooperate and less likely to resist change.
• Get management support. Top management should make it clear that they fully support the system and expect everyone else to do so. When management is supportive of the changes, employees are more willing to accept the change.
• Allay fears. To the degree possible, management should provide assurances that there will be no major loss of jobs or changes in job responsibilities.
• Sell the system but control user expectations. Emphasize that the system may provide greater job satisfaction, more important and challenging tasks, and increased advancement opportunities.
Do not oversell the system and create unrealistic expectations. When employee expectations are not met, the “seller” and the system will be blamed.
• Properly test the system prior to implementation to minimize initial bad impressions.
• Avoid emotionalism and threats. When logic vies with emotion, logic loses. Threatening behavior or employee intimidation often strengthens resistance to change.
• Keep the system simple. Avoid complex systems that cause radical changes.

20.12 Remnants, Inc., with headquarters in St. Louis, manufactures designer clothing. The company markets and services its products by region, with each functioning as a profit center. Each region has a manager, an accounting department, a human resources department, and several area offices to market and service the products. Each area office has sales, service, and administrative departments whose managers report to an area manager. The New York area office departed from the standard organizational structure by establishing a branch office to market and service the firm’s products in Boston. A branch manager who reports directly to the New York area manager heads the local office. The Boston branch manager is encouraging the New York area manager to consider a new information system to handle the local branch’s growing information needs. The New York area manager and the eastern region manager want to establish a project team with employees from the region, area, and branch office. The team will assess the information needs at the Boston branch office and develop system recommendations.
The following employees have been appointed to the project team, with Keith Nash as chairperson:

Eastern Region Office
• Kurt Johnson, Budget Supervisor
• Sally Brown, Training Director
New York Area Office
• Keith Nash, Administrative Director
Boston Branch
• Heidi Meyer, Branch and Sales Manager
• Bobby Roos, Assistant Branch and Service Manager
• Joe Gonzalez, Salesperson
• Juana Martinez, Serviceperson

a. Project team members contribute their skills to help accomplish a given objective. Characteristics of group members can influence the functioning and effectiveness of a project team. Identify some of these characteristics.
• Personality. Aggressive employees often influence a task force by their nature, directing resources to meet their needs first at the expense of the needs of the company.
• Position and influence. A project team with different levels of management may find members using their leadership positions to influence group actions. Other employees can feel less inclined to contribute if their viewpoint conflicts directly with that of their supervisor.
• Skills. Group members who possess IS skills often use their knowledge to influence decisions to meet their own needs without considering the entire company’s needs.

b. Due to the team’s composition, what sources of conflict can you see arising among its members? Do you think the group will succeed in its objective to develop an information system for the Boston branch office? Why or why not?
• Conflicts among offices. Regional officers may be at odds with local managers concerning Boston office needs and company resources available to meet these needs.
• Conflicts among positions. Conflicts may arise between the needs assessments offered by managers and those offered by users. In addition, conflicts may arise concerning the IS needed and the finances available to fund it.
• Conflicts along divisional lines.
Such conflicts result as local offices battle for a fair share of a company's limited resources. With the number of people on the team from the Boston Branch, decisions made may favor that branch over the other offices.
• Conflicts along functional lines. When assessing a company's needs, priority is often given to a local or influential group. This particular task force is weighted heavily with accounting and finance types. No representation exists for manufacturing, operations, marketing, research, or services.
• Conflicts among user groups. Conflicts between the needs of the sales staff and the service employees may arise over the use of resources.
Each student will have a different opinion about whether or not the group will succeed. The student's answer should be based on the conflicts listed and how important each conflict is.

c. What contribution would a person who holds a position as budget supervisor make in a project team such as this one?
The budget supervisor can contribute insight concerning the amount of funds available for the Boston branch to finance the IS project. As the budget supervisor has access to future financial projections, he can assess the economic feasibility of any potential project.

20.13 Managers at some companies face an ongoing systems development crisis: IS departments develop systems that businesses cannot or will not use. At the heart of the problem is a “great divide” that separates the world of business and the world of IS. Few departments seem able or ready to cross this gap. One reason for the crisis is that many companies are looking for ways to improve existing, out-of-date systems or to build new ones. Another is the widespread use of PC-based systems that have spawned high user expectations that IS departments are not meeting. Users seek more powerful applications than are available on many older systems. The costs of the great divide can be devastating.
An East Coast chemical company spent over $1 million on a budgeting and control system that was never used. The systems department’s expertise was technical excellence, not budgets. As a result, the new system completely missed the mark when it came to meeting business needs. A Midwestern bank used an expensive computer-aided software engineering (CASE) tool to develop a system that users ignored because there had been no design planning. A senior analyst for the bank said, “They built the system right; but unfortunately they didn’t build the right system.”

a. What is the great divide in the systems development process? What causes the gap?
The "great divide" is the gap between the information needs of business managers and the information produced by IS. The great divide occurs because of the following:
• Many systems are seriously outdated and do not produce the needed information.
• Better-educated end users are demanding more powerful information systems and better results from information systems that aren’t performing.
• Poor communications among system designers, end users, and business managers result in the development of ineffective information systems.
• IS people who do not understand operations and the management of the business.

b. What would you suggest to solve this great divide information crisis?
• A first step in effective systems design is a thorough business analysis to understand how a business operates and how its business functions relate. This helps systems professionals and business managers to communicate effectively when developing an integrated system.
• Businesses could hire managers with a systems background so they can be a liaison between the systems department and the finance and accounting departments, helping business managers to communicate their needs clearly. These managers should be willing and able to get involved in the IS development process.
• More involvement and interaction between the systems staff and end users.
End users should take an active role in the development process. In particular, designers should work closely with end users to assess needs and to develop specific working solutions.
• A more integrated approach to systems development involving all the necessary parties: designers, programmers, business managers, and end users.
• Management should provide employees with the training needed to make the system work right.

c. Discuss the role a systems designer, business manager, and end user can take to narrow the great divide.
Systems designers can involve end users and managers in the design and development process. This reduces the behavioral problems associated with a new system and improves the probability that the system will meet the desired business objectives. They should also make a concerted effort to understand the business processes of the company.
Business managers can support the design team’s efforts to encourage end-user involvement in the development process. In addition, business managers can communicate regularly with systems developers to ensure that the system is meeting business objectives.
The end user can help bridge the great divide by taking a cooperative, interactive role in the development process.

d. Who plays the most vital role in the effective development of the system?
All players play important roles in the systems development process. The "information crisis" is in large part the result of an overreliance upon the systems analyst to meet the needs of managers and end users without their cooperation and input. It is also a result of analysts not taking the time to understand the business processes at their company.

20.14 Joanne Grey, a senior consultant, and David Young, a junior consultant, are conducting a systems analysis for a client to determine the feasibility of integrating and automating clerical functions.
Joanne had previously worked for the client, but David was a recent hire. The first morning on the job, Joanne directed David to interview a departmental supervisor and learn as much as possible about department operations. David introduced himself and said, “Your company has hired us to study how your department works so we can make recommendations on how to improve its efficiency and lower its cost. I would like to interview you to determine what goes on in your department.” David questioned the supervisor for 30 minutes but found him to be uncooperative. David gave Joanne an oral report on how the interview went and what he learned about the department.

Describe several flaws in David’s approach to obtaining information. How should this task have been performed?
• Ms. Grey did not give Mr. Young adequate instructions about how to conduct the interview and what information to obtain. A senior consultant must exercise closer supervision and provide better guidance to junior employees. Perhaps Ms. Grey should have performed the interview while Mr. Young observed.
• The consultants did not prepare for the interview. They should have studied available documentation to learn what the department does and what the supervisor's job responsibilities are. Then they should have prepared an interview guide listing the topics to be discussed and the questions to be asked.
• Mr. Young provided an oral report rather than a written report of his findings. An interviewer should take notes during the interview, and polish them immediately afterward, in order to provide documentation for future analysis and reference.
• Mr. Young's opening statements to the supervisor were negative in tone. He should attempt to establish rapport with the interviewee, avoid making negative or threatening statements, and be positive about the goals of the study.
• Mr. Young should have asked the supervisor to explain how the department works.
Most of the talking should have been done by the supervisor while Mr. Young listened and took notes.
• The interview should have been scheduled ahead of time and the department supervisor should have had time to prepare for the interview.

SUGGESTED ANSWERS TO THE CASES

20-1 Audio Visual Corporation (AVC) manufactures and sells visual display equipment. Headquartered in Boston, it has seven sales offices with nearby warehouses that carry its inventory of new equipment and replacement parts. AVC has a departmentalized manufacturing plant with assembly, maintenance, engineering, scheduling, and cost accounting departments as well as several component parts departments. When management decided to upgrade its AIS, they installed a mainframe at headquarters and local area networks at each sales office. The IS manager and four systems analysts were hired shortly before they integrated the new computer and the existing AIS. The other IS employees have been with the company for years.

During its early years, AVC had a centralized decision-making organization. Top management formulated all plans and directed all operations. As the company expanded, decision making was decentralized, although data processing was highly centralized. Departments coordinated their plans with the corporate office but had the freedom to develop their own sales programs. However, information problems developed, and the IS department was asked to improve the company’s information processing system once the new equipment was installed.

Before acquiring the new computer, the systems analysts studied the existing AIS, identified its weaknesses, and designed applications to solve them. In the 18 months since the new equipment was acquired, the following applications were redesigned or developed: payroll, production scheduling, financial statement preparation, customer billing, raw materials usage, and finished goods inventory.
The departments affected by the changes were rarely consulted until the system was operational. Recently the president stated, “The systems people are doing a good job, and I have complete confidence in their work. I talk to them frequently, and they have encountered no difficulties in doing their work. We paid a lot of money for the new equipment, and the systems people certainly cost enough, but the new equipment and new IS staff should solve all our problems.” Two additional conversations regarding the new AIS took place.

BILL TAYLOR, IS MANAGER AND JERRY ADAMS, PLANT MANAGER
JERRY: Bill, you’re trying to run my plant for me. I’m the manager, and you keep interfering. I wish you would mind your own business.
BILL: You’ve got a job to do, and so do I. As we analyzed the information needed for production scheduling and by top management, we saw where we could improve the workflow. Now that the system is operational, you can’t reroute work and change procedures, because that would destroy the value of the information we’re processing. And while I’m on that subject, we can’t trust the information we’re getting from production. The documents we receive from production contain a lot of errors.
JERRY: I’m responsible for the efficient operation of production. I’m the best judge of production efficiency. The system you installed reduced my workforce and increased the workload of the remaining employees, but it hasn’t improved anything. In fact, it might explain the high error rate in the documents.
BILL: This new computer cost a lot of money, and I’m trying to make sure the company gets its money’s worth.

JERRY ADAMS, PLANT MANAGER AND TERRY WILLIAMS, HUMAN RESOURCES MANAGER
JERRY: My best production assistant, the one I’m grooming to be a supervisor, told me he was thinking of quitting. When I asked why, he said he didn’t enjoy the work anymore. He’s not the only one who is unhappy.
The supervisors and department heads no longer have a voice in establishing production schedules. This new computer system took away the contribution we made to company planning and direction. We’re going back to when top management made all the decisions. I have more production problems now than I ever had. It boils down to my management team’s lack of interest. I know the problem is in my area, but I thought you could help me.
TERRY: I have no recommendations, but I’ve had similar complaints from purchasing and shipping. We should explore your concerns during tomorrow’s plant management meeting.

Adapted from the CMA Examination

Evaluate the preceding information, and answer the following questions:

1. Identify the problems the new computer system created and discuss what caused them.
The problems stem from a total lack of communication at AVC. The failure to communicate has existed for years and exists between all levels of management. Top management did not adequately plan for the IS upgrade and did not involve non-IS employees in the process. In addition, through lack of direction or control, top management has allowed the IS group to change not only information systems but also operating systems and procedures without operating management approval. Further, there appears to be a lack of concern by IS over the problems the new systems have created for operating management.
A new computer system was purchased and a new IS team was hired; however, top management failed to win the confidence of current operating management who are accustomed to a more decentralized approach.
Communication problems continued during the systems design phase. The IS group failed to involve operating management in systems changes and apparently operating management failed to communicate their interest in being involved. As managers in a decentralized atmosphere they could have forced IS to communicate but they chose to ignore the problem.
Therefore, the failure to communicate properly can be traced to both the IS and user groups. This problem was worsened by top management not adequately planning the conversion process and their failure to perceive the potential problems between IS and operating management.
The new systems are now complete. Operating management realizes that there has been a centralization of decision-making and a loss of operating flexibility resulting in employee morale problems. Yet, they are still unable or unwilling to communicate with top management, who continue to be unaware of operating problems with the new IS system.

2. How could AVC have avoided the problems? How can they prevent them in the future?
The problems could have been avoided by top management doing a better job of planning and communication, holding meetings between the IS staff and user groups throughout the systems design and implementation process, and by top management soliciting input from both user groups and IS staff in order to more closely monitor the project’s progress.
To avoid future problems, AVC management needs to review organizational relationships to ensure proper organization and to insist on better cooperation and communication. In addition, top management should evaluate management personnel to determine if interpersonal problems are a roadblock to good internal communication.

CHAPTER 21 AIS DEVELOPMENT STRATEGIES

SUGGESTED ANSWERS TO DISCUSSION QUESTIONS

21.1 What is the accountant’s role in the computer acquisition process? Should the accountant play an active role, or should all the work be left to computer experts? In what aspects of computer acquisition might an accountant provide a useful contribution?
The accountant is likely to be:
• A major user of the computer output
• Responsible for internal controls over data processing in the organization
• An expert in cost estimation and analysis
• A designer of many of the systems that the computer is intended to supplant.
With these responsibilities, the accountant must be actively involved in the computer acquisition process. The accountant's role is probably best carried out by participating on a team or committee together with computer experts, systems analysts, production personnel, engineers, managers, and others whose functions are closely related to the information systems activity.

21.2 In a Midwest city of 45,000, a computer was purchased and in-house programmers began developing programs. Four years later, only one incomplete and poorly functioning application had been developed, none of the software met users’ minimum requirements, and the hardware and the software frequently failed. Why do you think the city was unable to produce quality, workable software? Would the city have been better off purchasing software? Could the city have found software that met its needs? Why or why not?
Certainly not all instances of use or failure to use packaged software are as dramatic or as clear-cut as this. Nor in all cases will packaged software meet the functional requirements at a reasonable cost in an acceptable time frame. A careful evaluation of packaged software, however, can result in a system that performs admirably and cost effectively for data processing users.

a. Some possible reasons why the city was unable to produce a quality, workable system are:
• Poor management.
• Inexperienced systems analysts and programmers.
• Inadequate needs analysis and requirements definition.
• Management does not understand development well enough to direct and manage it.
• Failure of users and development personnel to communicate.
Failure to establish checkpoints for monitoring the project. Lack of continuity among the people working on the system. Failure to plan the development project adequately. The city would have been better off purchasing canned software for the following reasons: • They could have saved themselves a great deal of money. • They could have implemented the system much faster. • They would not have needed as many in-house programmers. • They could have avoided a lot of hassles, headaches, etc. • They could have "test-driven" the program to know exactly what they were getting. • They could also have talked to other users to measure satisfaction with the software. • Custom packages are much more likely to be bug free. • The developer can keep the package up-to-date easier and less expensively. • They probably would have gotten a much better system. There are certainly enough cities, and hence a large enough market, for there to be quality software available. A city of 45,000 shouldn't have an overly complex system, such that none of the available canned packages would have been acceptable. The package might not have been able to meet all of the city's detailed needs and desires, but a package that came close to their needs certainly could have been found without all the problems mentioned above. An adequate turnkey system was available and it would have saved the city nearly $500,000. In fact, the city’s annual data processing costs exceeded the annual costs of the new turnkey system. 21-2 Accounting Information Systems 21.3 You are a systems consultant for Ernst, Price, and Deloitte, CPAs. At your country club’s annual golf tournament, Frank Fender, an automobile dealer, describes a proposal from Turnkey Systems and asks for your opinion. The system will handle inventories, receivables, payroll, accounts payable, and general ledger accounting. Turnkey personnel would install the $40,000 system and train Fender’s employees. 
Identify the major themes you would touch on in responding to Fender. Identify the advantages and disadvantages of using a turnkey system to operate the organization’s accounting system.

Major themes that should be touched upon in responding to Fender's inquiry include:
• The need for a feasibility study to determine whether a new system is technically, economically, and operationally feasible for Fender's dealership.
• The need to identify the dealership’s needs and prepare specifications based on those needs.
• The importance of requesting proposals from competing vendors and systematically comparing them.
• The possibility of using EDP consultants to help and of outsourcing the system.

If students only suggest they obtain more information on this vendor and its hardware and software, then they are missing the point of the case. It is important to take a more general and systematic approach to the system acquisition decision, rather than making a "yes-no" decision on only this one system.

Advantages of a turnkey system:
• Less expensive than internally built systems and the total package may be better priced.
• Takes less time and human resources to develop and run.
• Experts are available for both the application software and hardware.
• One-source support for the entire system. The vendor cannot pass the responsibility for a problem off on someone else. A single vendor may also facilitate system start-up and conversion as well as training on how to use the system.
• Warranties are usually available.
• Simplified selection process.
• Costs are reduced since it is not necessary to match software with hardware, meaning that it is less likely that various items of hardware and software will be incompatible.

Disadvantages of a turnkey system:
• Software or hardware may not be completely suited to company's needs.
• Software modification may not be available or covered.
• Increased vulnerability to continuity of the vendor's business.
• Lack of control over design.

21.4 Sara Jones owns a rapidly growing retail store that faces stiff competition due to poor customer service, late and error-prone billing, and inefficient inventory control. To continue its growth, its AIS must be upgraded but Sara is not sure what it wants the AIS to accomplish. Sara has heard about prototyping, but does not know what it is or whether it would help. How would you explain prototyping to Sara? Include an explanation of its advantages and disadvantages as well as when its use is appropriate.

Prototyping is an approach to systems design in which a simplified working model of an information system is developed. In essence, a prototype is a scaled-down, experimental version of the system requested by the users.

The first step is to identify the basic requirements of the system. The emphasis is on what output should be produced rather than how it should be produced. A "first draft" model is quickly (days or weeks) and inexpensively built and given to users so they can experiment with it. This allows users to determine what they want the system to accomplish and what they like and don't like about it. Based upon their reactions and feedback, the developers modify the system and again present it to the users. This iterative process of trial usage and modification continues until the users are satisfied that the system adequately meets their needs.

The last step is making the system operational. The two choices are to use the already developed prototype or to use the prototype as a model for developing a new system.
Some of the advantages of prototyping include:
• Better definition of user needs
• Higher user involvement and satisfaction
• Faster development time
• Fewer errors in the implemented system
• More opportunity to make changes
• Less costly than other development alternatives

Some of the disadvantages of prototyping include:
• Requires a significant amount of users’ time
• Less efficient use of system resources
• Incomplete systems development
• Inadequately tested and documented systems
• Cost of learning the different versions of the software
• Never-ending development

Prototyping is appropriate when:
• There is a high level of uncertainty about what is needed
• It is unclear what questions to ask
• The final system cannot be clearly visualized because the decision process is still unclear
• Speed is an issue
• The system must meet just one or two major critical needs
• There is a high likelihood of failure.

21.5 Clint Grace has been in business over 30 years and has definite ideas about how his ten retail stores should be run. He is financially conservative and is reluctant to make expenditures that do not have a clear financial payoff. Store profitability has declined sharply and customer dissatisfaction is high. Store managers never know how much inventory is on hand and when purchases are needed until a shelf is empty. Clint asks you to determine why profitability has declined and to recommend a solution. You determine that the current AIS is inefficient and unreliable and that company processes and procedures are out of date. You believe the solution is to redesign the systems and business processes using BPM. What are some challenges you might face in redesigning the system? How will you present your recommendations to Clint?

Business process management (BPM) is a systematic approach to continuously improving and optimizing an organization's business processes.
Grace may be resistant to BPM and its attendant changes and new technology because:
• Tradition: Grace has been at the business for 30 years and the old way of doing things has been a part of his life. Changing a lifestyle is very difficult.
• Resistance: It is human nature to resist radical change and step out of one's "comfort zone." Grace may be so set in his ways that resistance seems inevitable.
• Time requirements: BPM is not a "quick-fix." Redesigning business processes at a chain of regional stores is likely to be a lengthy process.
• Cost: Resistance is likely because Grace's financially conservative attitude may not mesh with a costly business process redesign.
• Lack of management support: Grace has been calling the shots for many years. It may be difficult for him to give full support to the project even if the need for redesign is obvious.
• Retraining: After the BPM project is completed, Grace will be faced with the cost of retraining his employees. Retraining is also costly and time consuming.

Student answers as to how to present the recommendations to Clint Grace will vary depending on the perception of the student. However, some general guidelines are:
• Recognize that it may be hard to convince Grace. Therefore, you must plan your strategy well. You must be able to sell Grace on the benefits of BPM for his ten stores.
• Be aware of potential problems and seek to avoid them.
• Be sensitive to the feelings and reactions of persons affected by the change. Inform Mr. Grace that the reason for BPM is not to come in and without feeling destroy people's jobs.
• Having Grace very involved in the project will help him feel like the ideas that are instituted are his ideas also. Participation is ego enhancing, challenging, and intrinsically satisfying, and it builds self-esteem and security.
• You must provide honest feedback to Grace on all suggestions. Tell him which of his and his employees’ suggestions are being used and how they are being implemented, which suggestions are not being used and why, and which suggestions will be incorporated at a later date and why they are not being incorporated now.
• Show how Grace's competitors are using newer business processes to gain a competitive advantage over his department stores.
• Remember that it is better to take things slow, than to have Grace reject BPM. It is usually better to spend the extra time and money to ensure that a system is well accepted and well designed.

SUGGESTED ANSWERS TO THE PROBLEMS

21.1 Don Otno has been researching software options but cannot decide among three alternatives. Don started his search at Computers Made Easy (CME) and almost wished he had looked no further. Steve Young, the manager of CME, appeared knowledgeable and listened attentively to Don’s problems, needs, and concerns. Steve had software and hardware that would, with a few exceptions, meet Don’s needs. Don could start using the system almost immediately. The system’s price was unexpectedly reasonable.

After three hours at Custom Designed Software (CDS), Don left convinced that they could produce exactly what he needed. Cost and time estimates were not established, but CDS assured him that the cost would be reasonable and that the software would be complete in a few months.

At Modified Software Unlimited (MSU), the owner said that customized software was very good but expensive and that canned software was inexpensive but rarely met more than a few needs. The best of both worlds could be achieved by having MSU modify the package that came closest to meeting Don’s needs.

Don returned to CME and asked Steve about customized and modified software. Steve expressed enough concerns about both that Don came full circle—to thinking canned software was best. That night, Don realized he could not make an objective decision.
He was swayed by whichever vendor he was talking with at the time. The next morning he called you for help.

In practice, a system study must be conducted to determine what Don Otno needs before a credible decision can be made about these alternatives.

a. List the advantages and disadvantages of each vendor’s approach.

Advantages of canned (packaged) software
• Lower cost of development. Some estimates indicate a software package may cost between 1/20 and 1/5 of the estimated cost of in-house development.
• Software is more reliable. Other users have used the system, providing more "testing" in a live environment.
• Lower cost of maintenance as the software supplier performs the maintenance.
• Faster implementation - hence the organization can begin receiving the benefits sooner.
• Staff is freed up to do other work.
• Better documentation, as it must meet the needs of multiple users.
• Software can be "test driven" and evaluated before it is purchased.
• It may offer unique capabilities that are difficult to duplicate.

Disadvantages of canned (packaged) software
• It may not be possible to find a package that meets the users' unique and specific needs.
• Operating procedures and practices constraints may require business process changes.
• If the software is to be part of a larger system, it may put constraints on the overall system.
• Inflexibility, as it may not be possible to suppress unneeded files, processing, or outputs.
• Possible inefficiency. Generalized systems (which are not written for particular circumstances or requirements) may be inefficient.
• It takes time to evaluate all the available software.
• There may not be anyone in-house sufficiently knowledgeable to fix the software if it fails.

Advantages of Custom Software
• Software that exactly meets (at least theoretically) the user's needs.
• Easier to modify than canned software.
• Often more efficient than canned software.

Disadvantages of Custom Software
• Most costly software development approach.
• Quality programmers may be expensive, hard to find, etc.
• Program development is time consuming; users have to wait for the software to be written.
• There may not be any guarantee of product quality.
• Involves significant supervision and control.
• It is more likely to contain errors or "bugs" than packaged software.
• If developed in-house, the user may have to wait an extended period for the software.
• If developed externally, there is a risk of selecting an inexperienced or poor quality developer. The developer may "low ball" the price and take improper short cuts or try and increase the price later.

Advantages of Modified Software
• Software that is more likely to meet user's needs than canned software.
• Usually less expensive than custom software.
• Can be implemented faster than custom software.

Disadvantages of Modified Software
• May be hard to find programmers willing to modify code.
• May be illegal to modify the software.
• Modifying the software may invalidate the manufacturer’s warranty and support.
• Changes may not be properly documented, resulting in out-of-date documentation.
• May cause control problems and introduce errors into the program.
• May make program less efficient, more costly to maintain.
• May be more costly than a custom program, especially if modifications are significant.

b. Recommend a course of action for Don and support your decision.

There isn't enough information to reach a definitive answer. It is probable that supporters for all three approaches can be found when discussing this in class. Letting the students support each of the three approaches helps solidify the answer to part a in their minds. The important thing in the discussion is not to get a "right" answer but for the student to recognize that they need more information before they can reach a definitive conclusion.
By way of summary: Generally, packaged software is best if it is available and of acceptable quality, versatility, etc. If the software is acceptable to Otno (that is, it is sufficiently close to what he needs), the low cost and immediate implementation make packaged software an attractive approach.

21.2 A federal agency signed a 15-month contract for $445,158 for a human resources/payroll system. After 28 months and no usable software, the agency canceled the contract and withheld payment for poor performance. A negotiated settlement price of $970,000 was agreed on. The project experienced the following problems:
• The contractor did not understand what software was desired. The RFP did not have fully developed user requirements or system specifications, and user requirements were never adequately defined and frozen. Changes delayed completion schedules and caused disagreements about whether new requirements were included in the original scope of work.
• The contract did not specify systems requirements or performance criteria, and the terminology was vague. The contract was amended 13 times to add or delete requirements and to reimburse the contractor for the extra costs resulting from agency caused delays. The amendments increased the cost of the contract to $1,037,448.
• The contractor complained of inexcusable agency delays, such as taking too much time to review items submitted for approval. The agency blamed the delays on the poor quality of the documentation under review.
• The agency did not require each separate development phase to be approved before work continued. When the agency rejected the general system design, the contractor had to scrap work already completed.

a. What caused the problems?
• The contractor did not fully understand what was required because the agency had not fully developed user requirements or system specifications when it issued the RFP.
• Project phases were not approved before the next phase began. When the conceptual systems design was rejected, the physical systems design work had to be scrapped.
• The contract did not contain acceptance-testing procedures and criteria.
• Documentation standards were never developed and documentation was poor, causing delays in agency approvals.
• Extensive changes were made by the agency. The contract was amended 13 times to provide for additional work or to delete requirements. Some changes were not in the contract and some changes altered the scope of the project. These led to disagreements as well as work delays and stoppages.
• Agency red tape and slow approval procedures caused extensive delays in the project.
• The system development contract was vague.

In summary, the problems were caused by poor planning, poor problem definition, inadequate system specifications, poor project management, and poor communication.

How could the agency have better managed the systems development project?
• Done a better job of defining what the system was to accomplish.
• Designed a complete set of specifications before asking for bids.
• Frozen systems design at an appropriate time so that continual changes weren't made.
• Created a comprehensive, specific, and clearly written contract.
• Required prompt approval of each phase before allowing the contractor to proceed.
• Specified documentation standards and procedures for the contractor to follow.
• Managed the project better.
• Negotiated a better price upfront.

What could the contractor have done differently?
• Refused to begin until an adequate problem definition and system requirements were developed.
• Insisted that system development be frozen at an appropriate time.
• Insisted on a clear, comprehensive, and specific contract detailing what was expected of them.

b. Can we conclude from this case that organizations should not have custom software written for them? Explain your answer.
No, we cannot generalize that companies should not have custom software developed for them. If the agency and contractor had followed good systems design and project management procedures, and had a clear and concise contract, problems with the engagement should have been minor and more easily resolvable.

21.3 Wong Engineering Corp (WEC) operates in 25 states and three countries. WEC faced a crucial decision: choosing network software that would maximize functionality, manageability, and end-user acceptance of the system. WEC developed and followed a four-step approach:

Step 1. Develop evaluation criteria. WEC organized a committee that interviewed users and developed the following evaluation criteria:
• Ease of use
• Scope of vendor support
• Ease of network management and administration
• Cost, speed, and performance
• Ability to access other computing platforms
• Security and control
• Fault tolerance and recovery abilities
• Ability to connect workstations to the network
• Global naming services
• Upgrade and enhancement options
• Vendor stability

WEC organized the criteria into the following four categories and prioritized them. Criteria vital to short-term and long-term business goals were given a 5. “Wish list” criteria were weighted a 3. Inapplicable criteria were given a 1.
1. Business criteria: overall business, economic, and competitive issues
2. Operational criteria: tactical issues and operating characteristics
3. Organizational criteria: networks’ impact on the information systems structure
4. Technical criteria: hardware, software, and communications issues

Step 2. Define the operating environment. Several data-gathering techniques were used to collect information from which an information systems model was developed. The model revealed the need to share accounting, sales, marketing, and engineering data at three organizational levels: district, division, and home office.
District offices needed access to centralized financial information to handle payroll. WEC needed a distributed network that allowed users throughout the organization to access company data.

Step 3. Identify operating alternatives. Using the criteria from step 1, committee members evaluated each package and then compared notes during a roundtable discussion.

Step 4. Test the software. The highest-scoring products were tested, and the product that fit the organization’s needs the best was selected.

a. Discuss the committee’s role in the selection process. How should committee members be selected? What are the pros and cons of using a committee to make the selection?

The evaluation committee selected a network operating system and other software to support the organization’s distributed structure. They developed and followed a four-step approach:
1. Develop evaluation criteria.
2. Define the current and future operating environment at the company.
3. Identify and evaluate the network operating system alternatives.
4. Test the products that appear to meet their needs and select the best package.

A committee with qualified people from all affected areas has the following advantages:
• Encourages planning. An effective team effort requires planning to ensure the system meets the needs of the business. The result: compromise in the planning stage and not during implementation.
• Produces better results. Organizing a cross-functional team to select an operating system ensures that the selection process considers the needs of all parties. The result: fewer out-of-control projects.
• Facilitates acceptance of the results. Behavioral problems are minimized using a cross-functional selection team that supports user participation. The result: smoother system implementation.

Problems that may arise from using a committee include a longer development time, interdepartmental competition for resources, and irresolvable selection process conflicts.

b. What data-gathering techniques could WEC use to assess user needs? To select a vendor?
• Interviews with users
• Surveys or questionnaires
• Observations of business activities.

What data-gathering techniques could WEC use to select a vendor?
• Library research
• Discussions with current and former customers
• Word-of-mouth recommendations.
• Meetings with vendor candidates to discuss the evaluation criteria selected.
• Asking vendors to develop a demonstration to verify their claims.

c. What is the benefit of analyzing the operating environment before selecting the software?

It is difficult to select the proper software if you do not know how it is to be used and what needs it has to satisfy. An analysis of the operating environment provides the information needed to model the desired information system and to make the proper selection. The committee's analysis shows the need to share data at the district, division, and home office levels. In addition, the lower levels needed access to centralized data. The model that emerged made it clear that the company needed a distributed network that allows users throughout the organization access to company data.

What data-gathering techniques help a company understand the operating environment?
• Interviews
• Surveys at various management and operational levels
• Observations.

d. In selecting a system using the point-scoring method, how should the committee resolve scoring disputes? List at least two methods.

Disputes often arise when using committees. To resolve point scoring disputes, the committee could seek a unanimous consent on disputed issues by compromise and further discussion. If that fails, they could simply average the scores given by each committee member.
The committee could also consider throwing out the highest and lowest scores.

e. Should a purchase decision be made on the point-scoring process alone? What other procedure(s) should the committee employ in making the final selection?

Seldom is a system selected based on point scoring alone. The scores are used to select the most promising candidates. The committee should test the most promising candidates to determine which product best meets the company's needs in the most cost-effective manner. The committee should also verify with existing customers that the system works as promised.

21.4 Mark Mitton, the liaison to the IS department, has eliminated all but the best three systems. Mark developed a list of required features, carefully reviewed each system, talked to other users, and interviewed appropriate systems representatives. Mark used a point-scoring system to assign weights to each requirement. Mark developed Table 21-4 to help him select the best system.

a. Use a spreadsheet to develop a point-scoring matrix and determine which system Mark should select.

Based on the point-scoring evaluation, project number one should be selected. Project #1 scored 6645 points, project #2 scored 6370 points, and project #3 scored 6530 points.

b. Susan Shelton did not agree with Mark’s weightings and suggested the following changes:

Flexibility                        60
Reputation and reliability         50
Quality of support utilities       10
Graphics capability                10

When the changes are made, which vendor should Mark recommend?

Based on Susan’s changes, Mark should now select project #3. Project #1 scored 6285 points, project #2 scored 6330 points, and project #3 scored 6610 points.

c. Mark’s manager suggested the following changes to Susan’s weightings:

Reputation and reliability         90
Installation assistance            40
Experience with similar systems    40
Training assistance                65
Internal memory size               10

Will the manager’s changes affect the decision about which system to buy?

Based on further revisions by his manager, Mark should now select project #2. Project #1 scored 6055 points, project #2 scored 6550 points, and project #3 scored 6490 points.

d. What can you conclude about point scoring from the changes made by Susan and Mark’s manager? Develop your own weighting scale to evaluate the software packages. What other selection criteria would you use? Be prepared to discuss your results with the class.

The most significant conclusion is that the results of the point-scoring methods are highly subjective. Slight variations in the weightings or in the points assessed can alter the results dramatically. A point-scoring matrix is a useful tool but the results are not always conclusive.

e. What are the weaknesses of the point-scoring method?

Care must be taken to avoid placing too much emphasis on a point-scoring outcome. This approach does not recognize that the factors being evaluated may interact in ways that are not taken into account. Nor does it evaluate the effects of a particular weakness on other factors or assess compensating strengths. In addition, since both the weights and the points are assigned subjectively, the margin for error is sizable.

Students should recognize that the best conclusion may be tentative at best and that Mark should conduct additional research to determine the most effective system to meet his business's needs.

21.5 Nielsen Marketing Research (NMR), with operations in 29 countries, produces and disseminates marketing information. Nielsen has been the primary supplier of decision support information for more than 70 years.
NMR’s most recognizable product is the Nielsen television ratings. Nielsen is one of the largest users of computer capacity in the United States. Its information system consistently ranks above average in efficiency for its industry. NMR hired IBM to evaluate outsourcing its information processing. NMR wanted to know whether outsourcing would allow it to concentrate on giving its customers value-added services and insights, increase its flexibility, promote rapid growth, and provide it with more real-time information.

What are the benefits and risks of outsourcing for NMR?

THE BENEFITS OF OUTSOURCING:
• IT is changing so rapidly that companies spend a lot of their information system money on new technology. Outsourcing is a way to alleviate this cash drain. NMR could use the cash savings to provide a better product to its customers.
• It is difficult to find well-trained people to maintain and develop these complex information systems. It is also very costly to have an in-house group of information systems experts. NMR may be concerned about the cost of maintaining an in-house information systems staff and their ability to remain current in the ever-changing technological environment.
• When a company improves its information system or introduces new technology, the employees who operate and manage the system (and sometimes the users) must be retrained. Outsourcing would eliminate much of the time and costs required for training.
• Outsourcing may make it easier for Nielsen to concentrate on the things it does best (its "core competencies") and leave the data processing business to computer companies who are more qualified. Companies who adopt outsourcing for this reason believe that their information systems are essential, but not that it is essential for them to operate the systems.
• Outsourcers offer special expertise for anything from assisting with development and design to handling the complete design and installation of a new system.
  This could help NMR's information processing stay abreast of the most up-to-date changes in systems technology.
• Outsourcing can help solve cost pressures and economic difficulties that force companies to consider head-count reductions, cutbacks on employee training, data center consolidations, budget and resource cutbacks, and other costs.
• Companies can benefit from the economies of scale the outsourcers achieve from standardizing users' applications, buying hardware at bulk prices, splitting development and maintenance costs between projects, and operating at higher volumes.
• Outsourcing development projects can help a company benefit from the skills of trained industry specialists who have installed hundreds of systems.
• When companies downsize they can be left with an information system that is too large for their needs. Outsourcing can help solve this problem.
• Outsourcing can help decrease the fixed costs associated with seasonal businesses that require heavy computer usage for part of the year and very light usage the rest of the year.

AMONG THE RISKS OF OUTSOURCING ARE THE FOLLOWING:
• A major risk is entering an inflexible agreement that does not provide the company an "out" for future unanticipated circumstances.
• Another risk is losing too much control over your information system by outsourcing. NMR will want to make sure that it works closely with the outsourcer to oversee the development and operation of the information system.
• It is possible to lose a fundamental understanding of information system needs and how the system can provide competitive advantages. If NMR decides to outsource it will be very important to maintain a close partnership with the outsourcer, helping NMR stay current and apprised of information system needs and strategies. NMR could lose its reputation and ability to provide a quality product if this risk is not completely controlled.
• Once a company decides to outsource, the company is usually locked into outsourcing. If NMR decides to abandon outsourcing and begin processing its own data again they may have to buy or rent new buildings and equipment along with hiring a new data processing staff. The costs and effort involved in doing this are considerable.
• NMR may not realize all of the projected outsourcing benefits. Critics contend that in many cases the goals of outsourcing never come to pass.
• NMR may not receive the quality of service they desire. Some companies complain that outsource providers are slow to adopt new technologies and are slow to respond to changing business conditions.

Do the benefits outweigh the risks? Explain your answer.

Without knowing the results of the evaluation that NMR commissioned, there is no "right" answer as to whether the benefits would outweigh the risks. Even when the results are known, there may not be a "right" answer. The purpose of the question is to get the students to pick a side of the debate and support it. Class discussion should bring out the pros and cons of outsourcing.

21.6 A large organization had 18 months to replace its old customer information system with a new one that could differentiate among customer levels and provide appropriate products and services on demand. The new system, which cost $1 million and was installed by the IS staff on time, did not work properly. Complex transactions were error-prone, some transactions were canceled and others were put on hold, and the system could not differentiate among customers. The system was finally shut down, and transactions were processed manually. New IS management was hired to build a new system and mend the strained relationship between operations and IS. So what went wrong? IS couldn’t—or wouldn’t—say no to all the requests for systems enhancements.
Eager to please top management, IS management ignored the facts and assured them they could build a scalable system that was on time and on budget. Another big mistake was a strict project schedule with little flexibility to deal with problems and unforeseen challenges. Developers never spoke up about any glitches they encountered along the way. More than a dozen people (including the CIO) lost their jobs because of their roles in this disaster.

a. What could IS management have done differently to make this project successful?
• Negotiated more time to complete the project.
• Provided monthly progress reports to management.
• Informed top management of unforeseen problems and challenges that caused delays or put the project significantly behind schedule.
• Been more open with management in communicating costs and potential problems.
• Frozen requirements so that development could proceed unhindered by new requests.

b. What in-house development issues are demonstrated in this case?
• Custom software development is difficult, time consuming, and error prone.
• Time schedules can be tight and projects are often not finished on time.
• Requirements and systems planning are often lacking.
• There can be inadequate communication and cooperation between users and developers.

c. How could the in-house issues have been addressed to prevent the system’s failure?
• It should have been made clear to management that in-house development is difficult, time consuming, and error prone. This could have been facilitated by citing examples of in-house development projects, preferably from within their own industry, so that management could have gotten a clearer picture of the risks and benefits of in-house development.
• A carefully thought-out and documented project plan should have been prepared.
• A backup plan with worst-case scenarios and project completion times should have been prepared.
• Key personnel should have been designated as liaisons between management and the project team so that credible and timely information could have been communicated back and forth.

In the end, the company scrapped the software and hired two vendors to help them with the project. One vendor designed and built the system and the other vendor supervised the work of the first vendor.

21.7 Meredith Corporation publishes books and magazines, owns and operates television stations, and has a real estate marketing and franchising service. Meredith has 11 different systems that do not communicate with each other. Management wants an executive information system that provides them with the correct and timely information they need to make good business decisions. Meredith has decided to use prototyping to develop the system.

a. Identify three questions you would ask Meredith personnel to determine systems requirements. What information are you attempting to elicit from each question?
• What is Meredith's background and what are its goals and objectives? It is difficult to help a company without knowing where it is coming from and where it hopes to go.
• What is the nature of the problem and what are its causes? Oftentimes company employees have a good idea as to the cause of the company's problems and have good suggestions for resolving them.
• What is the timetable for the project? How soon is the system needed? If the company must have a solution in a short amount of time, prototyping should be considered. The answer may also affect the decision as to whether the prototype should be operational or nonoperational.
• What processes are involved? Identifying the business processes will allow the consultant to identify the basic system requirements.
• What does Meredith expect from their new executive information system? What information does Meredith need to make effective decisions? When developing an information system, the question of what information is needed is more important than how the information should be processed.
• What input data does Meredith need to capture and process in order to produce the desired information? Where does the data originate and how does it enter the system? How and where is it stored?

b. Explain how prototyping works. What would the system developer do during the iterative process step? Why would you want the fewest iterations possible?
1. At Meredith, the prototype process would begin by interviewing personnel in order to identify system requirements for the prototype. The focus should be on what output should be produced and not how the output should be produced. Some of the questions to ask Meredith personnel are shown in the answer to part a.
2. After identifying system requirements, an initial prototype would be developed that meets the agreed-upon requirements. The goal would be to develop the prototype quickly and turn it over to the users.
3. The users experiment with the prototype and determine what is good and what is bad about it. Their feedback is used to modify the prototype. Within reason, there should be as many iterations as needed to capture accurately user requirements. The more efficiently this can be done (that is, the fewer iterations needed), the less the system will cost, the faster it can be developed and implemented, and the happier the company and the users will be.
4. When the prototype is completed, it is either made operational or used as the specifications for developing a more functional system.

Prototyping tools are efficient, easy to use, and can create files, screens, reports, and program code much faster and with much less effort than conventional programming languages.

c. Would you want the prototype to be operational or nonoperational? Why? If it were an operational prototype, what would have to happen?
If it were a nonoperational prototype, how would the prototype be used?

The answer to these questions will vary depending on the student's view of the situation. Some of the points the student should bring up are:

Operational Prototype. Because Meredith needs the system so quickly, an operational prototype would be advantageous. To make the prototype operational, the developer must make any changes in the system that are required to incorporate needed controls, improve operational efficiency, provide backup and recovery, and to integrate the prototype with the systems with which it interfaces. Changes must also be made, if necessary, so that the system will accept real input, access real data files, process data, make the necessary computations and calculations, and produce real output.

Nonoperational Prototype. In many instances, it is not practical to modify the prototype to make it a fully functional system. The process of making a prototype operational may take as long as recreating the system in a basic programming language and may not be as efficient. In such cases, the prototype is discarded and the system requirements identified during the prototyping process are used to develop a new system. The systems development life cycle is followed to develop the system, with the prototype as the model for development.

d. Suppose the company decides the prototype system is not practical, abandons it, and takes some other approach to solving its information problem. Does that mean prototyping is not a valid systems development approach? Explain your answer.

Just because the prototype system is not used does not mean prototyping is not a useful development technique. On the contrary, prototyping has saved the company thousands of dollars and a great deal of time by finding out quickly that the system is not functional. That is much more cost effective than going through the much more costly traditional SDLC process.

21.8 Norcom, a division of a large manufacturer, needed a new distribution and customer service system. The project was estimated to take 18 months and cost $5 million. The project team consisted of 20 business and IT staff members. After two years, the CIO was fired, and the company hired a CIO with expertise in saving troubled projects. The new CIO said three grave errors were committed.
1. IT picked the wrong software using a very naïve request for proposal process.
2. IT did not formulate a project plan.
3. No one “owned” the project. The IT staff assumed the users owned the project, the users believed the IT staff owned it, and management believed the vendor owned it.

The CIO developed a 2,000-line plan to rescue the project. Three months later, the system failed, even with IT staff and consultants working on it day and night. The failed system was to have been the company’s preeminent system, but it could not even process customer orders correctly, resulting in complaints about late shipments and receiving the wrong goods. After three years and $4 million, the new CIO polled the staff anonymously. Only two said the project could be saved, and they had staked their careers on the project. The message that the project was not worth saving was very hard for the CIO to give. It was likewise hard for the division president to receive it; he could not accept the idea of killing a project that cost so much money. He finally accepted the decision and all the ramifications involved, including corporate IT taking control of all IT operations at his division.

a. List the primary components of an RFP.
• Detailed system specifications, with a clear distinction between mandatory and desired requirements.
• Applications required and desired.
• Inputs and outputs required and desired.
• Files and databases required and desired.
• Frequency and methods of file updating and inquiry.
• Unique characteristics or requirements.

b. Identify possible components or deficiencies in Norcom’s RFP that could have led the new CIO to claim that it was naïve or insufficient.
• The RFP lacked the software specifications needed to prepare a good RFP response.
• Norcom did not have a project plan, which should have guided the RFP development. The formulation of a good RFP would have required the creation of a project plan.

c. Identify possible approaches Norcom could have used to evaluate RFP responses.
• Norcom could have requested help with the RFP process and the necessary documents from someone with extensive RFP experience, such as a systems consultant.
• Norcom could have brought in a more effective and experienced CIO earlier.
• Norcom management could have created clear lines of authority and ownership of the project.

21.9 Quickfix is rapidly losing business, and management wants to redesign its computer repair processes and procedures to decrease costs and increase customer service. Currently, a customer needing help calls one of five regional service centers. A customer service representative records the relevant customer information, finds the closest qualified technician, and calls the technician’s cell phone to see whether the repair fits into his or her schedule. If not, the representative finds the next closest technician. When a technician is located, customer repair information is provided over the phone. The technician calls the customer and arranges to pick up the computer and replace it with a loaner. Making these arrangements takes one to two days and sometimes more if technicians are not available or do not promptly return calls. If a broken computer cannot be quickly repaired, it is sent to a repair depot. These repairs take another four to seven days. If problems arise, it can take up to two weeks for an item to be repaired.
When a customer calls to see whether the computer is ready, the service representative calls the technician to find out the status and calls the customer back. The repair process usually takes five phone calls between the customer, the service representative, and the technician. There are several problems with this process that have led to a significant drop in business: (1) it is time-consuming; (2) it is inconvenient for a customer to have a computer removed, a new one installed, and then the old one reinstalled; and (3) service representatives do not have immediate access to information about items being repaired. Quickfix decides to use BPM principles to redesign its business processes.

a. Identify the repair processes that occur and decide which should be redesigned.
1. Customer calls Quickfix requesting service.
2. Customer service representatives record customer information and repair needs.
3. Technicians are scheduled to make the repair.
4. Computer is repaired.
All four processes should be redesigned.

b. Describe how the repair process can be redesigned to solve the three problems identified.

Design a new information system with the following features.
• A single, centralized database that stores all the data about customers, technicians, and the items being serviced.
• Software is available that automates the customer service process. The principles in the chapter about buying software should be followed to select the system that best meets Quickfix’s needs.
• The hardware needed to run the software and access the database mentioned above.
• Quickfix could minimize its hardware and building costs and maximize efficiency by creating one centralized customer service center instead of the five regional centers.
• Alternatively, it could opt for keeping two to five service centers, each with its own equipment. With multiple sites, each could serve as backups to the other sites. Service centers closer to the customers might provide better customer service.
The repair process could be redesigned in many different ways. Some ideas are:
• In addition to phone requests for service, Quickfix could design their new system to accept requests via fax, emails, texts, entries on the customer service section of its web site, etc.
• When a repair request is received, a customer service representative enters the necessary data into a customer order maintained in the information system. The design should minimize the amount of data the service representative enters, while still giving customers the flexibility of notifying Quickfix in the way that is most convenient to them.
• The system uses the customer's address to search the list of authorized technicians maintained in the company's database. The system produces a list of the four closest technicians and their schedule for the next week. The system lists the technicians in order of priority, based on location and availability. The customer service representative selects one of the technicians to perform the repair service and the system sends them an electronic notification and an electronic copy of the customer order.
• If the technician is unable to perform the work on a timely basis, he responds electronically and another technician is scheduled.
• To repair computers faster, technicians could use trucks specially equipped with the necessary spare parts. This would allow them to do most repairs at the customer's business instead of sending the computer to a repair center.
• Each repair truck could be equipped with global positioning system (GPS) technology that helps the technician locate the customer.
• The GPS could also be used to facilitate emergency orders. The system could locate the technician closest to the customer with the emergency and dispatch her to handle the emergency as soon as she is available.
• Technicians carry notebook computers with built-in radio frequency and cellular phone technology modems that give them direct, high-speed access to the company's information systems via the internet. Using these modems, the technicians can communicate with the central office from almost anywhere using a virtual private network (VPN), ensuring a secure transmission of data.
• Each morning the technicians log on to the Customer Service Center and retrieve their schedule for the day. Their schedule is organized and prepared by the computer at the Customer Service Center to minimize travel time. As each repair job is completed, the technicians enter the data on the customer order and send it into the Customer Service Center over the VPN.
• If the computer cannot be repaired at the customer's site by the technician, the customer service representative enters this into the system and picks up the computer. The technician arranges for the repair center to pick up the broken computer and deliver a loaner computer. The repair locations are also connected to the centralized system, and computers are scheduled for repairs based on estimated arrival time. As the repairs are made, the technicians update the customer order.
• Since repair time will be greatly decreased, there will be many fewer phone calls asking about the status of the repair. For those who do call, the centralized information system provides the customer service representative with much more information. She can tell the customer when the repair is scheduled, who will do it, and how to get hold of him including his cell phone number and email address. If the computer has been sent away for repair, the representative can tell the customer when it is scheduled for repair and when it will be returned.

In a world with no costs, Quickfix would do all of the above.
However, we live in a world where we must always weigh costs versus benefits and only implement those of the above items that make financial sense.

c. What benefits can be achieved by redesigning the repair process?
• Increased customer service and satisfaction because most computers are repaired immediately at the customer's business. This should also save money because the amount of time it takes to repair computers is reduced.
• A significant improvement in communication speed due to the centralized system and the use of the latest advancements in technology. Customer service representatives will know the exact status of any customer repair order.
• Reduced costs from closing regional centers, service representatives having to do less data entry and significantly less scheduling work, lower shipping and handling costs, and handling fewer calls.
• Increased revenues from technicians being able to make more service calls in any given day and the ability to handle higher margin emergency calls.

21.10 Conduct a search (using written materials, the Internet, electronic databases, etc.) for successful and failed implementations of information systems. Per your professor’s instructions, prepare an oral or written summary of a successful and a failed implementation. Include in your summary the approach used to acquire or develop the system (purchase software, develop it, modify it, outsource it).

Student answers will vary depending upon what they find.

SUGGESTED ANSWERS TO THE CASES

21-1 Steve Cowan owns Professional Salon Concepts (PSC), a hair salon products distribution company. After working for his father, a barber and beauty salon products distributor, he started his own business selling Paul Mitchell products. Business was poor until Steve conducted a free seminar demonstrating how to successfully use his products.
He left with a $1,000 order and a decision to sell to salons that allowed him to demonstrate his products. Steve’s strategy paid off as PSC grew to 45 employees, 3,000 customers, and sales of $7 million. PSC carries 1,000 products, compared with 10,000 for most distributors. The smaller product line allows PSC to achieve a 24-hour order turnaround, compared to over two days for the competition. Steve occasionally has to work late packing orders and driving them to the UPS hub a few towns away so he can meet the 2:00 A.M. deadline.

After buying a computer and installing a $3,000 accounting package, Steve thought everything was going great until Terri Klimko, a consultant from a PSC supplier, stopped by. Terri asked the following questions to find out how well he knew his business:
• Do you know exactly how much you ship each month and to whom?
• Do you know how much each customer bought, by supplier?
• Can you rank your customer sales?
• Can you break your sales down by product?
• Do you know how the profit per client breaks down into product lines?
• Do you know how revenues per salesperson vary over the days of the week?

When Steve answered no to each question, Terri told him that people who cannot answer the questions were losing money. Upset, Steve terminated the session by politely dismissing Terri. Although unimpressed with Terri’s advice, Steve was impressed with her and they were soon married. Shortly afterwards she joined the company.

Steve asked Terri to help the salons become more profitable. She developed a template to help salon owners determine how much each hairstylist brings in per client, how many clients receive extra services, and which clients buy hair products. The Cowans soon became more like partners to their customers than trainers. If a salon had employee problems, the Cowans would help settle it. If a salon needed help with a grand opening, they lent a hand. The more PSC products the salons bought, the more time the Cowans gave.
PSC sold turnkey systems and support services at cost to help salons answer Terri’s questions. Unfortunately, PSC’s computer could not answer those same questions. Steve asked consultant Mike Fenske for help. Mike entered all of PSC’s raw data into a database and wrote a program to produce the desired information. The system worked but had problems. It was so slow that accounts payable and purchasing information was handled manually, it did not answer Terri’s growing list of questions, and only a few months of detailed information were available at a time. To alleviate these problems, Steve hired Mike as the company controller.

After reading an industry report, Steve realized it was time to purchase a new system. Steve and Mike decided to evaluate and select the software themselves and rely on the vendor for installation help. They spent months researching software and attending demonstrations before settling on a $20,000 system. The vendor began installing the system and training PSC personnel.

Three days prior to conversion, Steve met a distributor who described how his system met his detailed accounting and customer reporting needs as well as his inventory management and order fulfillment needs. Steve was so impressed that they stopped the conversion, went to North Dakota to check out the distributor’s system, and flew to Minneapolis to visit DSM, the software developer. DSM did a great job of demonstrating the software and provided Steve and Mike with great references. The only hitch was DSM’s inability to demonstrate two features that were particularly important: adjusting orders automatically to reflect outstanding customer credits and back orders, and determining the least expensive way to pack and ship each order. DSM’s salespeople assured them that those features would be up and running by the time the package was delivered to PSC.
Their economic feasibility analysis showed $234,000 in yearly savings:

$144,000: Most PSC orders consist of several boxes, 95% of which are sent COD. The old PSC system had no way to prepare orders for multiple-box shipments; a five-box order required five sales invoices and five COD tickets. The new system allowed PSC to generate one sales order and ship one box COD and the other four by regular delivery. Not having to ship every box COD would save $144,000 a year.
$50,000: PSC paid a CPA firm $50,000 a year to prepare its financial statements. The new software would prepare the statements automatically.
$40,000: Because the old system did not have credit-managing capabilities, it was hard to detect past-due accounts. Earlier detection of past-due accounts would result in faster collections, fewer lost customers, and fewer write-offs.
Unknown: The major reason for acquiring the system was to improve customer service by making more detailed customer information available.

After estimated annual maintenance costs of $10,000, there was an annual return on investment of $224,000. Because the system would pay for itself in less than a year, Steve bought it and wrote off his $20,000 investment in the other system.

When DSM installed the software, Steve found out that the promised features were not available and that there was no immediate plan to add them. Although Steve and Mike were upset, they had to shoulder some of the blame for not insisting on the two features before signing the deal. They found a program that automatically determined the cheapest way to pack and ship an order. DSM agreed to pay half of the $10,000 cost to integrate it into the program. DSM offered to create the module to reflect customer credits and back orders for another $20,000, but Steve declined. These problems pushed the conversion date back several months.

PSC spent three months preparing to implement the new system. Training PSC employees to use the new system was particularly important.
Adding a customer to the database required only one screen with the old system; the new software required six screens. Employees were taught to shout “Fire!” when they had a problem they could not handle. Mike or a DSM programmer explained the error and how to correct it. During implementation, the new system was tested for glitches by processing real data. Looking back, Mike admits three months were not nearly enough for the training and testing. They should have used twice as much time to identify and eliminate glitches.

When PSC converted to the new system, telephone operators were confronted with situations they had not been trained to handle. Soon everyone was yelling “Fire!” at the same time. In less than one hour, so many operators were waiting for help that the programmers stopped explaining the correct procedures and simply ran from operator to operator correcting problems. Mistakes were repeated numerous times, and the situation intensified. Some employees, frustrated by their inability to work the new system, broke down and cried openly.

In the warehouse, Steve was not having much fun either. On a normal day, PSC has 200 to 300 boxes ready for 3:30 P.M. shipment. On conversion day, a lone box sat ready to go. Facing the first default on his 24-hour turnaround promise, Steve, Terri, Mike, and a few others stayed past midnight packing and loading boxes on trucks. They barely made it to the UPS hub on time.

The next day, order entry and shipping proceeded more smoothly, but Steve could not retrieve data to monitor sales. That did not make him feel too kindly about his $200,000 system or DSM. It took Steve weeks to figure out how to get data to monitor sales. When he did, he was horrified that sales had dropped 15%. They had focused so hard on getting the system up and running that they took their eyes off the customers.
To make matters worse, Steve could not get information on sales by customer, salesperson, or product, nor could he figure out why or where sales were falling.

Things quickly improved after “Hell Week.” Orders were entered just as quickly, and warehouse operations improved thanks to the integrated add-in program. The new system provided pickers with the most efficient path to follow and told them which items to pack in which boxes based on destination and weight. The system selected a carrier and printed labels for the boxes. Order turnaround time was shaved to 20 minutes from five hours.

Months after the system was installed, it still did not do everything Steve needed, including some things the old system did. Nor did it answer all of Terri’s questions. Steve is confident, however, that the system will eventually provide PSC with a distinct competitive advantage. He is negotiating with DSM to write the credit and back-order module. Steve believes the step up to the new system was the right move for his growing company. With the exceptions of taking the DSM salesperson’s word and not taking enough time to practice with the system, Steve feels PSC did as good a job as it could have in selecting, installing, and implementing a new system.

1. Do you agree that PSC did a good job selecting, installing, and implementing the new system? If so, why? Or do you feel PSC could have done a better job? If so, what did it do wrong, and what should it have done differently?

PSC could have done a better job by doing the following:
• Steve knows Terri is outstanding and he could have used her to better manage the computerization process.
• People who buy based on a demonstration or recommendations risk buying a demo expert's personality rather than a system.
• PSC shouldn't have paid for the software in full until it was satisfied with the implementation. Vendor guarantees about performance and features should have been written into the initial contract.
• PSC employees who would use the system should have been involved in system selection.
• PSC should have developed a written project plan for tracking all tasks, from the software-selection process to implementation. Such a plan can highlight weaknesses in the process and reveal timing problems.
• Pain is inevitable in this sort of process. However, up-front pain isn't as bad as back-end pain. PSC didn't have a strong enough implementation plan.
• Instead of gambling on a "D-day" switchover to the new system, the company should have done more extensive pilot testing and had a backup plan in case of problems.
• Spending $200,000 for the system described in the case may be overkill. PSC might have gotten most of the key benefits from a $20,000 system; the extra benefits may not have been worth the extra cost.

2. How could PSC have avoided the missing features problem?
• Steve should have prepared a specification document that defined all the features he wanted in the new system and had each vendor bid to those specifications. The specifications could then become part of the contract, and nasty surprises such as missing features can be avoided.
• Never buy "vaporware" - features that are promised but aren't quite ready.

3. How could PSC have avoided conversion and reporting problems?
• PSC should have developed and documented a plan for testing the system. The plan should include tests for all the features specified as well as the various real operation problems people and the system will face. PSC should not have gone on-line until the system could pass all the tests. It is important not to forget that people and processes are as much a part of the system as the computer and the software.
• Steve should have made sure, via testing, that he could get all the reports and information he wanted before going on-line.
Steve should have looked at the information needed on a daily, weekly, and monthly basis, and established procedures tied to those frequencies. • More time should have been allocated for user training. 21-32 Accounting Information Systems 4. 5. Evaluate Steve’s economic feasibility analysis. Do you agree with his numbers and his conclusions? • Not all accountants’ fees can be saved. Even if the system prepares the statements, PSC will probably still need tax help as well as an independent audit or review of the statements. • Can PSC save $40,000 a year on faster collections, and fewer lost customers and customer write-offs when 95% of $7 million in sales are COD? • Are there more costs involved than maintenance, such as improvements to the system, higher personnel costs, etc. How could PSC's customers use the new multi-box shipping approach to defraud PSC? • 6. Customers could order a very large shipment, refuse the one COD package, and keep the rest of the products and not pay for them. How would you rate the service PSC received from DSM? What did it do well and what did it do poorly? The developer gets a bad grade for: • Their salespeople selling features that they had no intention of providing. • The conversion problems. The developer should have anticipated the problems and made sure PSC prepared their people better. The developer gets a good grade for: • Resolving one of the disputes over missing features by paying half of the cost and integrating the purchased program with their software. • Helping solve the conversion and first day system operations problems. In all fairness to the vendor, the conversion problems were not all their fault. PSC purchased the system and has the ultimate responsibility for the system. 21-33 CHAPTER 22 SYSTEMS DESIGN, IMPLEMENTATION, AND OPERATION SUGGESTED ANSWERS TO DISCUSSION QUESTIONS 22.1 Prism Glass is converting to a new information system. 
To expedite and speed up implementation, the CEO asked your consulting team to postpone establishing standards and controls until after the system is fully operational. How should you respond to the CEO’s request?

The consulting team should strongly advise the CEO that postponing standards and controls is not advisable. Rather than save time and money, the company will probably lose time in the future when unanticipated problems and weaknesses arise due to the lack of standards and controls.

The following are reasons why performance standards and control procedures should be established before the system becomes operational:
• Internal control considerations must be taken into account when assigning job responsibilities.
• Job descriptions and work schedules must include the various control procedures.
• Performance standards associated with each position must be considered when selecting personnel to operate the system.
• Documentation standards and data security provisions must be formulated before the system can be operational.
• Error checks must be built into all computer software systems.
• Procedures for guiding users and operators through the system and the various error conditions must be established before the users and operators begin working with the new system.
• If the information system is not properly controlled, the information it produces will be of little value. Controls must be built into the system to ensure its effectiveness, efficiency, and accuracy.

22.2 When a company converts from one system to another, many areas within the organization are affected. Explain how conversion to a new system will affect the following groups, both individually and collectively.

The following are possible responses to each of the five areas:

a. Personnel: Employees will be affected in at least two important ways.
1. They may be reluctant to accept the new system.
They may fear for their jobs, feel as if they are no longer vital components of the organization, or they may completely reject the new system and refuse to utilize it.
2. They will have to learn new policies and procedures to work with the new system. Initially, this may cause a slight reduction of overall productivity until they learn the system.

b. Data Storage: One of the primary logistical concerns of implementing a new system is making the required data accessible to the new system. This often requires that files be converted to new formats and that the company's databases be restructured to accommodate the new system's information requirements. In addition, new sources of input may be required, which will increase the need for employee instruction and training.

c. Operations: New personnel may have to be hired or current employees may need to be trained to run the new system. Users will have to adjust to new system inputs and outputs. The company as a whole will be affected by changes in employee morale and productivity until the personnel are accustomed to and proficient with the system.

d. Policies and Procedures: A new information system usually requires new operating policies and procedures, including those for data security and control, error checking, documentation, backup and recovery procedures, and file maintenance. These new policies and procedures should be disseminated to the employees before the actual conversion takes place to ensure that the employees are aware of the new requirements and to facilitate the system conversion.

e. Physical Facilities: The effect on the physical facilities will be largely determined by the size and nature of the system being installed. For example, a server will only require a corner or perhaps a small room, whereas a mainframe may require a large facility.
In any event, the company will need to be concerned about physical access to the system; off-site backup and recovery procedures; protection from fire, flooding, and other disasters; office space for programmers and operators; lighting, air conditioning, and humidity control; and data communications facilities.

22.3 The following notice was posted in the employee cafeteria on Monday morning:

To: All Accounting and Clerical Employees
From: I.M. Krewel, President
Subject: Termination of Employee Positions

Effective this Friday, all accounting and clerical employees not otherwise contacted will be terminated. Our new computer system eliminates the need for most of these jobs. We’re grateful for the loyal service you’ve rendered as employees and wish you success. You may wish to pick up your final checks on Friday before you go.

Discuss the president’s approach to human resource management.

This approach is clearly unproductive and it would not work.

What are the possible repercussions of this episode?
• Sabotage of the new system by disgruntled employees.
• Employees not released will probably harbor ill feelings towards the company. Employees may reflect these feelings through poor work performance, lower productivity, higher absentee rates, and resentment towards the new system.

Assuming that job termination is the best alternative available, how should management approach the situation?
• Management should discuss the situation in person with each employee.
• The changes that are being made should be clearly communicated to each employee.
• Every effort should be made to relocate employees within the company and offer early retirement incentives where possible.
• Terminated employees should be told in person.
• Giving employees a week's notice that they are "being replaced by a computer" may well result in the system being sabotaged.
• Employees should be terminated on Friday afternoon and given the appropriate severance pay.
• The termination should not come as a complete surprise to the employees. The employees should have already known that every effort was made to relocate them within the company and that termination was a last resort.

22.4 In which phase of the systems development life cycle would each of the following positions be most actively involved? Justify your answers.

a. Managerial accountant - The managerial accountant is usually involved in the analysis phase as designers assess their needs as users. The project development team may also ask the accountant to help with an economic feasibility analysis. In addition, the accountant may also assist in the design phases, helping design reports.
b. Programmer - Most of the programmer's involvement comes during the physical design and the implementation and conversion phases - coding, testing, and debugging computer programs. The programmer is also involved with the maintenance phase, making modifications to the system and fixing bugs.
c. Systems analyst - The analyst is usually involved in all phases of the SDLC.
d. Financial vice president - The financial vice-president is usually involved in the systems analysis phase. However, as a member of the steering committee the financial VP will oversee all phases of the SDLC.
e. Information systems manager - The IS manager is responsible for overseeing all information systems activities; she will be involved in all phases of the SDLC.
f. Internal auditor - The auditor is often consulted during the systems analysis phase when security requirements for the new system are determined. During the design phase, the auditor will often test controls to ensure their adequacy. The operation and maintenance phase lasts indefinitely and it is during this phase that the auditor conducts his routine audit tests.

22.5 During which of the five SDLC stages is each task, labeled (a) through (m), performed?
More than one answer may apply for each activity.

a. Writing operating procedures manuals - Physical (detailed) systems design phase and Implementation and conversion phase
b. Developing program and process controls - Physical (detailed) systems design phase and Implementation and conversion phase
c. Identifying alternative systems designs - Conceptual (general) systems design phase
d. Developing a logical model of the system - Conceptual (general) systems design phase
e. Identifying external and administrative controls - Conceptual (general) systems design phase
f. Testing the system - Implementation and conversion phase
g. Training personnel - Implementation and conversion phase and Operation and maintenance phase
h. Evaluating the existing system - Systems analysis
i. Analyzing the achievement of systems benefits - Operation and maintenance
j. Modifying and altering programs - Operation and maintenance
k. Analyzing total quality management (TQM) performance measures - This can be done in all phases, but is most likely in the first (systems analysis) and last (Operation and maintenance).
l. Conducting a feasibility analysis - Feasibility tests are conducted at all phases of the SDLC.
m. Aligning AIS development plans with business objectives - Systems analysis phase

SUGGESTED ANSWERS TO THE PROBLEMS

22.1 You were hired to manage the accounting and control functions at the Glass Jewelry Company. During your introductory meeting, the president asked you to design and implement a new AIS within six months. Company sales for the past year were $10 million, and they are expected to double in the next 18 months.

a. Outline the procedures you would follow to complete the assigned project.

You would perform the following steps to design and implement a new AIS:
• systems analysis (initial investigation, systems survey, feasibility study, and determining information needs and system requirements)
• conceptual design (evaluate design alternatives, prepare design specifications, prepare conceptual systems design report)
• physical design (output, file and database, input, program, procedures, and control design)
• implementation of the system (implementation planning, prepare site, select and train personnel, complete documentation, test system, and convert to the new system)
• operate and maintain the system

Include a description of the following:

1. Sources of Information
o company documents (organization charts, job descriptions, and procedure manuals)
o current system outputs, reports, and documentation
o interview users and management
o observation of the current procedures

2. Methods of Recording Information
o prepare narrative descriptions and organization charts
o prepare data models
o prepare document, systems, and program flowcharts
o prepare data flow diagrams
o complete questionnaires

3. Methods of Verifying the System Description
o discussion with users
o transaction testing
o observation

b. The accounts payable system will contain a number of programs, including Enter Invoices and Print Payable Checks. For each program, describe its purpose and outline application control considerations.

1. Enter Invoices
This program permits operators to enter unpaid vendor invoices into the Accounts Payable system. The program should enable the distribution of the invoice to specific general ledger accounts.
Controls include:
o check to ensure that the vendor number is on file, i.e., valid vendor number
o ensures that the invoice has not been previously entered, i.e., duplicate entry
o ensures that the invoice has been fully allocated to general ledger accounts
o ensures that the general ledger account numbers are valid
o ensures that items were ordered and received and that prices and other charges are ok

2. Print Payable Checks
This program generates supplier checks to pay outstanding invoices.
Controls include:
o ensures that the vendor number on the invoice is valid (i.e., vendor is still on file)
o ensures that checks are used in sequential order
o ensures that only the outstanding invoice amount is paid
o lists the invoices and the amount paid by the check (i.e., the remittance list)
o ensures that negative checks are not printed
o ensures that checks do not exceed a predetermined amount
o ensures that there is an approved, unpaid invoice in the Accounts Payable file before making a payment

22.2 Wang Lab’s tremendous growth left the company with a serious problem. Customers would often wait months for Wang to fill orders and process invoices. Repeated attempts by Wang’s understaffed IS department to solve these problems met with failure. Finally, Wang hired a consulting firm to solve its revenue tracking problems and expedite prompt receipt of payments. The 18-month project turned into a doubly long nightmare. After three years and $10 million, the consultants were dismissed from the unfinished project.

The project failed for many reasons. The systems development process was so dynamic that the failure to complete the project quickly became self-defeating as modifications took over the original design. Second, management did not have a clear vision of the new AIS and lacked a strong support staff. As a result, a number of incompatible tracking systems sprang from the company’s distributed computer system.
Third, the project was too large and complex for the consulting firm, who had little experience with the complex database at the heart of the new system. Finally, the project had too many applications. Interdependencies among subprograms left consultants with few completed programs. Every program was linked to several subprograms, which in turn were linked to several other programs. Programmers eventually found themselves lost in a morass of subroutines with no completed program.

The IS department finally developed a system to solve the problem, but their revenue tracking system suffered quality problems for years. Wang Labs asked you, a member of the IS staff, to write a memo explaining the failure of the systems development project.

a. Why did the development project fail? What role did the consultants play in the failure?
• Dynamic requirements. The development process was so dynamic that the failure to complete the project quickly was self-defeating as modifications took over the original design. System requirements were never “frozen” so the project could be completed.
• Management did not have a clear vision of the new system. As a result, incompatible tracking systems sprang up throughout the company's distributed processing system.
• Management lacked a strong IS staff. A qualified IS staff could have planned and managed the development project better, improving the chances for success.
• The project was too large and too complex and the consulting firm had little experience. The firm had little understanding of the desired technology: a complex database that represented the heart of the new system.
• The project had too many applications. Interdependencies among subprograms and subroutines left consultants with few completed programs.

b. Identify the organizational issues that management must address in the future.
• Management should develop a unified strategic information plan. Organizations should reinforce their business strategy with a complementary information strategy.
• Wang should establish an IS steering committee to govern the development process and support the strategic plan. A steering committee monitors systems development activities and could have provided management oversight to the consulting team.
• Wang should support the strategy with an expanded, qualified IS staff. A company's reputation is tarnished when it develops an inadequate and unreliable system. Management should hire a larger IS staff, adding more qualified employees – ones that have the necessary skills to support the information strategy.
• Wang should set policies governing systems development. Well-established procedures governing the planning, scheduling, design, implementation, and documentation of a new information system can minimize the risk of runaway projects. Management must also set standards governing the selection of consultants, if necessary.

c. Recommend steps the company could take to guarantee consulting service quality.
• Wang should improve existing development policies. Wang must first establish its internal development policies that govern the systems development process. For example, a more effective internal MIS staff can provide the consultants with necessary support.
• Wang should establish consulting services evaluation criteria. Management must view consultants as vendors and evaluate which consulting firm provides the best service at a fair price. This may include closed bidding, background checks, credential checks, and probing meetings to determine if the firm has the skills to complete the project.
• Wang should use an IS steering committee and project development teams to monitor consultants. An oversight body can reinforce the information strategy and hold the consulting team accountable for the development process.
22.3 Tiny Toddlers, a manufacturer of children’s toys and furniture, is designing and implementing a distributed system to assist its sales force. Each of the 10 sales offices in Canada and 20 in the United States maintains its own customers and is responsible for granting credit and collecting receivables. Reports used by each sales office to maintain the customer master file and to enter the daily sales orders are shown in Figures 22-4 and 22-5.

Evaluate the reports shown in Figures 22-4 and 22-5 using the following format: Weakness, Explanation, Recommendation(s).

Customer Maintenance Form

Weakness: No fields for recording a new customer’s phone number, email address, or website.
Explanation: Tiny Toddlers cannot call or email the customer or visit their website without this data.
Recommendation(s): The form should have fields for this information after the address information.

Weakness: The form is not prenumbered.
Explanation: There is no way to ensure that all maintenance forms are processed and accounted for.
Recommendation(s): The form should have a preprinted number in the upper right or left corner.

Weakness: No indication that information has been entered into the computer system.
Explanation: The person entering the data does not initial the form after the data is entered into the system. A form may be missed or entered twice.
Recommendation(s): The report should have a space to record the initials of the person entering the data and the date it is entered.

Weakness: There is no space provided for recording the date the form is created (or the effective date of the change).
Explanation: The company would not know the effective date of the change nor when the form was created.
Recommendation(s): An effective change date should be added to this report. If the effective change date can be different from the date the form is created, a field for that date should also be included.

Weakness: The form does not have a place where the person who fills out the form can sign or initial.
Explanation: If the data entry clerk could not read or understand the information on the form, she would not know who filled out the form.
Recommendation(s): A place should be provided for the person who fills out the form to sign or initial it.

Sales Order Form

Weakness: There is no indication that the customer approves of the order.
Explanation: Where possible, all orders should be signed by the customer to ensure that the customer is responsible for requesting the order.
Recommendation(s): Provision should be provided on the form for the customer's order approval.

Weakness: The form is not prenumbered.
Explanation: There is no way to ensure that all sales orders are processed and accounted for.
Recommendation(s): The form should have a preprinted number in the upper right corner.

Weakness: There is no space to enter a ship to address or shipping instructions.
Explanation: The goods cannot be shipped to a different address than the customer’s office address, as there is no ship to address. Nor is there any way to know a customer’s special shipping instructions.
Recommendation(s): Add a ship to address to the sales order form as well as a space to record special shipping instructions.

Weakness: There is no space for the customer’s purchase order number.
Explanation: There is no way for the company to reference back to the purchase order from the customer.
Recommendation(s): Add a space on the form for the customer purchase order number.

Weakness: There is no room for the unit price or extended amounts on the sales order form.
Explanation: There is no way to know if the customer was given a special price, a sale price, or a standard price.
Recommendation(s): Include columns for Unit Price and Extended Amount.

Some students may refer to the sales order form shown in the Revenue Cycle chapter.

22.4 Mickie Louderman is the new assistant controller of Pickens Publishers. She was the controller of a company in a similar industry, where she was in charge of accounting and had considerable influence over computer center operations.
Pickens wants to revamp its information system, placing increased emphasis on decentralized data access and online systems. John Richards, the controller, is near retirement. He has put Mickie in charge of developing a new system that integrates the company’s accounting-related functions. Her promotion to controller will depend on the success of the new AIS. Mickie uses the same design characteristics and reporting format she used at her former company. She sends details of the new AIS to the departments that interface with accounting, including inventory control, purchasing, human resources, production control, and marketing. If they do not respond with suggestions by a prescribed date, she will continue the development process. Mickie and John have established a new schedule for many of the reports, changing the frequency from weekly to monthly. After a meeting with the director of IS, Mickie selects a programmer to help her with the details of the new reporting formats. Most control features of the old system are maintained to decrease the installation time, with a few new ones added for unusual situations. The procedures for maintaining the controls are substantially changed. Mickie makes all the AIS control change and program-testing decisions, including screening the control features related to payroll, inventory control, accounts receivable, cash deposits, and accounts payable. As each module is completed, Mickie has the corresponding department implement the change immediately to take advantage of the labor savings. Incomplete instructions accompany these changes, and specific implementation responsibility is not assigned to departmental personnel. Mickie believes operations people should learn as they go, reporting errors as they occur. Accounts payable and inventory control are implemented first, and several problems arise. The semimonthly payroll runs, which had been weekly under the old system, have abundant errors, requiring numerous manual paychecks. 
Payroll run control totals take hours to reconcile with the computer printout. To expedite matters, Mickie authorizes the payroll clerk to prepare payroll journal entries. The new inventory control system fails to improve the carrying level of many stock items. This causes critical stock outs of raw material that result in expensive rush orders. The new system’s primary control procedure is the availability of ordering and user information. The information is available to both inventory control and purchasing personnel so that both departments can issue timely purchase orders. Because the inventory levels are updated daily, Mickie discontinues the previous weekly report.

Because of these problems, system documentation is behind schedule, and proper backup procedures have not been implemented. Mickie has requested budget approval to hire two systems analysts, an accountant, and an administrative assistant to help her implement the new system. John is disturbed by her request because her predecessor had only one part-time assistant.

Adapted from the CMA Exam.

a. List the steps Mickie should have taken while designing the AIS to ensure that end-user needs were satisfied.
• Interviews should have been conducted with users affected by the changes to understand existing system and business processes, what organizational units are affected by the changes, procedures used to provide information, decisions users make and the information needed to make them, current problems users face, needed improvements, and future information needs.
• The capabilities of the new system should have been explained so users can determine how the capabilities can be used to improve the system – ways the developers may not have thought of. In other words, employees in the individual departments should have been encouraged to make suggestions for changes and improvements.
• Mickie should not have automatically assumed that the things that worked for her previous employer would work at Pickens. While they can be used as a starting point, Mickie needs to make sure that the human aspect of systems development is not ignored. That is, Pickens employees have to buy into the new system.
• As the different parts of the system are developed, the changes should be reviewed with the affected users to ensure that their needs are met. Mickie should have been more proactive in this process. It is not acceptable to give them a date to respond and then proceed with development if she does not hear from them. The users should have been actively involved in the development process all during development. This would ensure that all affected users approve of the changes and buy into the change.
• Mickie and John should not take upon themselves the responsibility of determining what information users need or when they need it. They should not have established a new schedule for many of the reports, changing the frequency from weekly to monthly.
• Mickie should not have assumed that the control features of the old system were sufficient in the new system. While this may save time, it does not ensure adequate controls. Mickie should not change the procedures for maintaining the controls without user input and approval. In fact, all controls issues should be approved by the users.
• Mickie cannot possibly understand the system and user needs well enough to make all the control change and program testing decisions. The departments affected by the changes should have been consulted.
• While having departments implement changes immediately might produce labor savings, there are more important things to consider when deciding when to implement the system. These include whether it has been completely tested and how it interfaces with the rest of the changes. This is evidenced by the problems that surfaced when the changes were introduced too soon.
• Incomplete instructions accompanied the changes, and specific implementation responsibility was not assigned to departmental personnel. That, and Mickie’s belief that operations people should learn as they go and report errors as they occur, is very bad development policy.
• Documentation should be complete and backup procedures should be in place before a systems conversion takes place.

b. Identify and describe three ways Mickie violated internal control principles during the AIS implementation.
• Most of the control features of the "old" system were retained in the "new" system; however, the procedures for maintaining controls were substantially changed. The procedures and controls were not coordinated. More importantly, controls appropriate for the "new" systems were not properly developed and evaluated.
• Proper backup procedures were not implemented in many areas. This put the system and overall operations in a vulnerable position.
• Systems, programming, and operating documentation were behind schedule. Documentation should be complete before a systems conversion takes place.
• Separation of duties was violated by allowing
o both inventory control and purchasing personnel to issue purchase orders
o payroll clerks to prepare journal entries for payroll processing

c. Identify and describe the weaknesses in Mickie’s approach to implementing the new AIS. How could you improve the development process for the remaining parts of the AIS?

Weakness: No systems analysis or feasibility study.
Recommendation: Perform a thorough systems analysis that includes a feasibility study.

Weakness: Poor planning.
Recommendation: Prepare a development plan, a budget, and a schedule for project completion. An accepted implementation plan for each module must be formalized and followed.

Weakness: Systems testing and reviews were not conducted prior to implementation.
Recommendation: All modules should be properly tested for processing, informational, and control effectiveness.

Weakness: Little or no user involvement.
Recommendation: Users must participate in the development of the systems plan, the tests of information content and controls, and final implementation acceptance.

Weakness: System modules implemented without adequate training, documentation, or instructions.
Recommendation: New modules should not be implemented until adequate documentation is prepared and all affected organizations and personnel have been appropriately trained.

22.5 Ryon Pulsipher, manager of Columbia’s property accounting division, has had difficulty responding to the following departmental requests for information about fixed assets.
1. The controller has requested individual fixed assets schedules to support the general ledger balance. Although Ryon has furnished the information, it is late. The way the records are organized makes it difficult to obtain information easily.
2. The maintenance manager wants to verify the existence of a punch press that he thinks was repaired twice. He has asked Ryon to confirm the asset number and the location of the press.
3. The insurance department wants data on the cost and book values of assets to include in its review of current insurance coverage.
4. The tax department has requested data to determine whether Columbia should switch depreciation methods for tax purposes.
5. The internal auditors have spent significant time in the property accounting division to confirm the annual depreciation expense.

Ryon’s property account records, kept in an Excel spreadsheet, show the asset acquisition date, its account number, the dollar amount capitalized, and its estimated useful life for depreciation purposes. After many frustrations, Ryon realizes his records are inadequate and that he cannot supply data easily when requested. He discusses his problems with the controller, Gig Griffith.

RYON: Gig, something has to give. My people are working overtime and can’t keep up.
You worked in property accounting before you became controller. You know I can’t tell the tax, insurance, and maintenance people everything they need to know from my records. Internal auditing is living in my area, and that slows down the work. The requests of these people are reasonable, and we should be able to answer their questions and provide the needed data. I think we need an automated property accounting system. I want to talk with the AIS people to see if they can help me.

GIG: I think that’s a great idea. Just be sure you are personally involved in the design of any system so you get all the info you need. Keep me posted on the project’s progress.

Adapted from the CMA Exam.

a. Identify and justify four major objectives Columbia’s automated property accounting system should possess to respond to departmental requests for information.

Chapter 1 lists the following seven characteristics of useful information:
• Relevant. Information is relevant if it reduces uncertainty, improves decision-making, or confirms or corrects prior expectations.
• Reliable. Information is reliable if it is free from error or bias and accurately represents organization events or activities.
• Complete. Information is complete if it does not omit important aspects of the events or activities it measures.
• Timely. Information is timely if it is provided in time for decision makers to make decisions.
• Understandable. Information is understandable if it is presented in a useful and intelligible format.
• Verifiable. Information is verifiable if two independent, knowledgeable people produce the same information.
• Accessible. Information is accessible if it is available to users when they need it and in a format they can use.

The CMA exam answer included a characteristic not on the above list:
• Flexibility. Flexibility ensures that the computer will adapt to changing business needs without a complete redesign.

b. Identify the data that should be included in the database for each asset.

• Asset name
• Manufacturer
• Model
• Serial number
• Asset class code
• Company assigned asset number
• General ledger account number
• Location data (plant, department, building)
• Acquisition date
• Original cost
• Data for book depreciation and tax depreciation
• Maintenance record: cycle, date, amount
• Estimated salvage value

22.6 A credit union is developing a new AIS. The internal auditors suggest planning the systems development process in accordance with the SDLC concept. The following nine items are identified as major systems development activities that will have to be completed.

1. System test
2. User specifications
3. Conversion
4. Systems survey
5. Technical specifications
6. Post-implementation planning
7. Implementation planning
8. User procedures and training
9. Programming

Adapted from the CIA Exam.

a. Arrange the nine items in the sequence in which they should logically occur.

The logical sequence of occurrence is as follows:
1. Systems Survey
2. User Specifications
3. Technical Specifications
4. Implementation Planning
5. Programming
6. User Procedures and Training
7. System Test
8. Conversion
9. Postimplementation Planning

b. One major activity is converting data files from the old system to the new one. List three types of file conversion documentation that would be of particular interest to an auditor.

1. Conversion completion documentation indicating that all previously existing files have been converted at a satisfactory level of quality.
2. Operating test documentation indicating that the converted files are able to support the volume of work in the application.
3. Application approval documentation indicating that the implemented system had proper user and EDP management approval.
22.7 MetLife, an insurance company, spent $11 billion to acquire Travelers Life and Annuity from Citicorp in one of the largest insurance company acquisitions of all time. The MetLife CIO estimated it would take three years to integrate the two systems. Because the integration project was especially critical, he figured he could accomplish the integration in 18 months if he pulled out all the stops. The MetLife CEO gave him nine months to complete the task. To pull off the integration in nine months, he had to:

• Integrate over 600 IS applications, all with their own infrastructure and business processes. The new systems had to comply with “One MetLife,” a company policy that all information systems had to have a common look and feel companywide and be able to function seamlessly with other MetLife systems.
• Work with over 4,000 employees located in 88 offices scattered all over the globe.
• Supervise an oversight team and 50 integration teams in seven project management offices.
• Work with hostile, uncooperative Travelers employees for the six months it took to get regulatory approval and close the deal. The systems had to be integrated three months after the deal closed.
• Identify integration deliverables (144 in total) and manage the process to deliver them.
• Negotiate with Citicorp for hundreds of transition services that would not be immediately converted to MetLife’s systems.

a. What tasks do you think MetLife would have to perform to successfully integrate the Travelers systems into MetLife’s?

• Separate Travelers’ IS operations and assets from Citicorp’s so MetLife could begin the systems integration process.
• Determine what systems had to be integrated before the deadline and which could be outsourced to Citicorp until they could be integrated into MetLife’s system.
• Develop a critical path for the integration process so delays in critical path activities did not delay the whole process.
• Train large numbers of employees in project planning activities and tools.
• Identify and freeze systems requirements as soon as possible. The project management team should establish early deadlines for systems requirements and hold users to them.
• Increase system capacity to handle all of the new data from the Travelers’ systems.
• Develop/modify transaction-processing systems to handle all of Travelers’ transaction data.
• Perform a security and privacy analysis of all of Travelers’ systems and determine needed upgrades to comply with MetLife’s security policies.
• Change Travelers’ laptop and desktop infrastructure so that it matched that of MetLife.
• Enlarge MetLife’s distribution system by integrating over 150 annuity and life insurance wholesalers and giving them appropriate access to MetLife’s systems.
• Add all 4000 plus Travelers’ employees to MetLife’s Human Resources and Payroll systems and to their email system.
• Move Travelers’ 6 life insurance and 2 annuity product lines to MetLife’s systems. Travelers’ investment portfolio had to be made accessible to MetLife managers before the deal closed. Both projects required MetLife and Travelers employees to analyze the differences between the ways data were stored in the two companies. They then had to map all data elements in each system so they could convert Travelers data to the MetLife data storage format. This was one of the most difficult acquisition tasks.
• Integrate the two companies’ data centers. This required some data centers to be combined and others to be expanded.
• Determine system test capacities, build test environments, and lock down testing procedures and capabilities. Stress and user acceptance testing had to be performed at least 3 months prior to the integration date.
• Travel to every country and every major Travelers office to train former Travelers employees on the MetLife systems.

b. Search the Internet for articles that describe the integration process. Write a two-page summary of the problems and successes that MetLife experienced while integrating the two systems.

A number of articles describe MetLife’s experience. A particularly good article is “Nine Months to Merge” found in the February 20, 2006 issue of Information Week.

22.8 During final testing, just before launching a new payroll system, the project manager at Reutzel Legal Services found that the purchased payroll system was doing the following:

• Writing checks for negative amounts
• Printing checks with names and employee numbers that did not match
• Making errors; for example, $8 per hour became $800 per hour if a decimal point was not entered
• Writing checks for amounts greater than a full year’s salary

Fortunately, payroll was still installed on time, and only 1.5% of the checks had to be manually reissued every payday until the problem was solved. Other problems were that no one had made sure the new system was compatible with the existing payroll database, and there appeared to be no formal transition between the development of the project and the implementation of the project. The system was never run in parallel.

Although the programming manager lost his job, the payroll problems helped raise awareness of the company’s growing dependence on IT. Lacking a major problem, there was a perception that the information system did not affect operations.

a. What does “the system was never run in parallel” mean?

Running in parallel refers to operating the old and new systems simultaneously for a period. A company processes all transactions with both systems, compares the output, reconciles the differences, and corrects problems. The old and new systems are run in parallel until the new system proves itself and the organization is certain that the new system is functioning properly.

b. If the company had run the system in parallel, what should have occurred?

Parallel processing protects companies from errors, but it is costly and stressful because the same set of transactions and activities must be processed twice. This places a significant burden on the company, a burden many companies are not willing to undertake. However, because companies often experience problems during conversion, parallel processing has gained widespread popularity.

If the company had operated the new and old systems in parallel, they should have been able to use the paychecks produced by the old system until all errors were detected and corrected.

c. What other testing methodologies could have been used by the firm?

The company could have implemented a pilot conversion where one office or branch of the company could have implemented, tested, and corrected any errors before releasing the system to the rest of the organization. Alternatively, the company could have performed a phased conversion where a new system is implemented, tested, and modified one phase or module at a time.

d. What other types of problems are evident from reading the case?

There does not appear to be proper management or leadership of the system development, implementation, or testing processes involved in this system. For example:
• Final testing should have been attempted earlier than just before launching the payroll system.
• Management should have made sure the new system was compatible with the existing payroll database and the new system should have been tested using the existing database.
• There should have been a formal transition between the development of the project and the implementation of the project.

22.9 A new program at Jones and Carter Corporation (JCC) was supposed to track customer calls. Unfortunately, the program took 20 minutes to load on a PC, and it crashed frequently.
The project did not have a traditional reporting structure, and it appeared that no one was actually in charge. The lead project manager quit halfway through the project, the in-house programmers were reassigned to other projects or let go, and two layers of management loosely supervised the systems analyst.

Management hired consultants to fix the application, but after three months and $200,000, the project was discontinued. JCC did not check the references of the consulting firm it hired to create the new system. The consultants, who were located two states away, made many programming errors. Although the systems analyst caught some of the consultant’s mistakes, they grew increasingly distant and difficult to work with. They would not even furnish the source code to the project managers, most likely because they were afraid of revealing their incompetence.

a. Identify potential causes for the system implementation failure.

• Leadership and managerial oversight is clearly lacking at Jones and Carter Corp (JCC). When the project was managed internally, the following problems existed:
  o There was no evident reporting structure to support and manage the project. It appeared that no one was actually in charge.
  o The lead project manager quit halfway through the project.
  o The in-house programmers who were familiar with the project were reassigned to other projects or let go.
  o Two layers of management loosely supervised the systems analyst.
• Management falsely assumed that the problems could be solved by hiring a consultant. In truth, the problem with the project was internal and caused by poor management, supervision, and project management.
• When a consulting firm was hired, it does not appear that anyone checked out their competence, obtained referrals, or did any other due diligence with regard to the consulting firm.

b. What steps should JCC have taken to successfully design and implement the call tracking system?

• Start and end the process with a clearly designated manager over the project and with clearly defined lines of authority.
• Institute a formal review process for hiring consultants.
• Require change control documentation so managers can see what changes were made during development.
• Assign a central manager for the project team who is the conduit for communication and decisions.

In summary, JCC should have followed the systems development processes explained in chapters 20-22.

SUGGESTED ANSWERS TO THE CASES

22.1 Citizen’s Gas Company (CGC) provides natural gas service to 200,000 customers. The customer base is divided into the following three revenue classes:

Class          Customers   Sales in Cubic Feet   Revenues
Residential    160,000     80 billion            $160 million
Commercial     38,000      15 billion            $25 million
Industrial     2,000       50 billion            $65 million
Totals                     145 billion           $250 million

Residential customer gas usage is highly correlated with the weather. Commercial customer usage is partially weather dependent. Industrial customer usage is governed almost entirely by business factors.

The company buys natural gas from 10 pipeline companies in the amounts specified in contracts that run for 5 to 15 years. For some contracts, the supply is in equal monthly increments; for other contracts, the supply varies according to the heating season. Supply over the contract amounts is not available, and some contracts contain take-or-pay clauses. That is, the company must pay for the gas volume specified in the contract, regardless of the amount used.

To match customer demand with supply, gas is pumped into a storage field when supply exceeds customer demand. Gas is withdrawn when demand exceeds supply. There are no restrictions on the gas storage field except that the field must be full at the beginning of each gas year (September 1).
Consequently, when the contractual supply for the remainder of the gas year is less than that required to satisfy projected demand and fill the storage field, CGC curtails service to industrial customers (except for heating quantities). The curtailments must be carefully controlled to prevent either an oversupply at year-end or a curtailing of commercial or residential customers so the storage field can be filled at year-end.

In recent years, CGC’s planning efforts have not been able to control the supply during the gas year or provide the information needed to establish long-term contracts. Customer demand has been projected only as a function of the total number of customers. Commercial and industrial customers’ demand for gas has been curtailed. This has resulted in lost sales and caused an excess of supply at the end of the gas year.

To correct the problems, CGC has hired a director of corporate planning. She is presented with a conceptual design for an information system that will help analyze gas supply and demand. The system will provide a monthly gas plan for the next five years, with particular emphasis on the first year. The plan will provide detailed reports that assist in the decision-making process. The system will use actual data during the year to project demand for the year. The president has indicated that she will base her decisions on the effect alternative plans have on operating income.

Adapted from the CMA Exam.

1. Discuss the criteria to consider in specifying the structure and features of CGC’s new system.

• Need for market information. The factors that affect the demand and supply for gas must be isolated, their relative importance determined, and their effect quantified.
• Need for accuracy. The level of accuracy required of the system determines the required level of detail, quality of the input data, and sophistication of the system logic. While the system must be designed to provide the accuracy that matches the need, care must be taken to ensure that excessive effort is not spent in being overly accurate in specific areas when the overall accuracy is inherently less due to the planning environment.
• Frequency of use. The frequency of system use provides direction as to the level of automation and sophistication needed. If the system will be used only once each month to project the effect of the most recent actual data, it may be sufficient to develop a less sophisticated system. If it is likely that a variety of alternatives will be evaluated each month, a sophisticated, on-line system will be more desirable.
• Turnaround required. The need for timely reporting at month end provides guidance as to the degree of automation and the level of complexity that will be appropriate. Because the system is to be used for both multi-year planning and monthly tactical planning, the system should be designed to provide for quick turnaround of results at month end. Accordingly, consideration must be given to minimizing data input requirements.
• Cost/benefit analysis. The new system must be justified on a cost/benefit basis.
• Data processing environment. Typically, planning systems require a significant amount of computer resources, both in terms of processing time and data storage.
• Supportability. Company personnel must be able to support the system on an ongoing basis. This includes collecting and entering data as well as updating the system. If the support burden is excessive, the system will suffer from lack of timely reporting or will be run using simplifying assumptions that affect the degree of accuracy and credibility of the system. If the system cannot be readily modified and maintained, it will quickly fall into a state of disrepair and will no longer be used.

2. Identify the data that should be incorporated into CGC’s new system to provide adequate planning capability.
Explain why each data item is important and the level of detail needed for the data to be useful.

• Number of customers. The customer count should be projected by month, unless customer growth is regular, in which case a base customer count can be used in conjunction with a growth factor. The customer count should be broken into categories based upon use which will facilitate estimating demand, [i.e., residential, commercial heating, commercial non-heating, industrial heating, industrial non-heating].
• Weather data. The weather data needed to project heating requirements should be entered as needed. For the first year, meteorological trends may indicate an unusually warm or cold year. For the following years, average monthly weather data may be used. As the year progresses, more accurate short-term forecasts should be entered to improve the predictive ability of the planning system.
• Heating factors. Heating factors are data that convert weather data to customers' demand. They should be provided for each type of customer which uses heating, i.e., residential, commercial heating, and industrial heating. The heating factors need not vary by month unless it is determined that a seasonal relationship exists or that trends such as conservation are likely.
• Customer unit demand. The average monthly consumption for each commercial and industrial non-heating customer must be provided, either as a constant or as varying over time, to reflect both seasonal fluctuations and longer term trends. This data would also be used to project the non-heating portion of commercial and industrial customer demand.
• Sales forecasts. The sales to the top industrial accounts should be forecast individually by month for the first year of the five-year plan; future years may make use of annual growth rates. Heating and non-heating sales for all other customers will be projected by revenue class.
• Customer rate structure. The customer rate structure should provide monthly rate information at the revenue class level, i.e., residential, commercial, and industrial. Data must be monthly to provide for periodic rate changes by revenue class.
• Supplier contract terms. For each supply contract, the contract term (beginning and end dates), monthly volumes, unit costs, and take-or-pay conditions must be maintained.
• Storage field capacity. The capacity of the gas storage field is required in order to determine if gas remains in storage that can be withdrawn to supplement pipeline supply.
• Priority system. A priority system needs to be established in case the company needs to curtail service to its customers due to an inadequate supply of gas.

The first six factors are necessary in order to determine the demand for gas. The next two items are necessary to determine supply. The last item is necessary to give direction whenever the supply is not adequate to meet demand. Data must be considered on a monthly basis because of the implied monthly variations of demand and supply.
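The parallel run described in the answer to problem 22.8 (process the same pay period with both systems, compare the output, reconcile the differences) can be sketched as follows. This is an added example, not part of the original manual; the employee records, field names, and exception codes are constructed for illustration, and the reasonableness tests mirror the four failures listed in the case.

```python
from decimal import Decimal

# Constructed sample data (not from the case): employee master file and the
# check registers both systems produced for the same pay period.
MASTER = {
    "1001": {"name": "A. Rivera", "annual_salary": Decimal("52000.00")},
    "1002": {"name": "B. Chen", "annual_salary": Decimal("16640.00")},
    "1003": {"name": "C. Okafor", "annual_salary": Decimal("78000.00")},
    "1004": {"name": "D. Novak", "annual_salary": Decimal("41600.00")},
    "1005": {"name": "E. Haddad", "annual_salary": Decimal("31200.00")},
}
OLD_RUN = [  # (employee number, payee name, check amount)
    ("1001", "A. Rivera", Decimal("2000.00")),
    ("1002", "B. Chen", Decimal("640.00")),      # 80 hours at $8 per hour
    ("1003", "C. Okafor", Decimal("3000.00")),
    ("1004", "D. Novak", Decimal("1600.00")),
    ("1005", "E. Haddad", Decimal("1200.00")),
]
NEW_RUN = [
    ("1001", "A. Rivera", Decimal("2000.00")),   # agrees with the old system
    ("1002", "B. Chen", Decimal("64000.00")),    # rate keyed as 800 instead of 8.00
    ("1003", "D. Novak", Decimal("3000.00")),    # name does not match the number
    ("1004", "D. Novak", Decimal("-1600.00")),   # negative check amount
]                                                # 1005 was never produced


def validate_check(emp_id, name, amount, master):
    """Reasonableness tests on one check; returns a list of exception codes."""
    record = master.get(emp_id)
    if record is None:
        return ["UNKNOWN_EMPLOYEE"]
    issues = []
    if name != record["name"]:
        issues.append("NAME_MISMATCH")
    if amount <= 0:
        issues.append("NON_POSITIVE_AMOUNT")
    if amount > record["annual_salary"]:
        issues.append("EXCEEDS_ANNUAL_SALARY")
    return issues


def reconcile(old_run, new_run, master, tolerance=Decimal("0.00")):
    """Compare the new system's checks with the old system's, per employee.

    Returns {employee number: [exception codes]}; an empty dict means the two
    runs agree and every new check passed the reasonableness tests.
    """
    old = {emp_id: amount for emp_id, _name, amount in old_run}
    exceptions, seen = {}, set()
    for emp_id, name, amount in new_run:
        issues = validate_check(emp_id, name, amount, master)
        if emp_id in seen:
            issues.append("DUPLICATE_CHECK")
        seen.add(emp_id)
        if emp_id not in old:
            issues.append("NOT_IN_OLD_RUN")
        elif abs(amount - old[emp_id]) > tolerance:
            issues.append("AMOUNT_DIFFERS")
        if issues:
            exceptions.setdefault(emp_id, []).extend(issues)
    for emp_id in sorted(old.keys() - seen):
        exceptions[emp_id] = ["MISSING_FROM_NEW_RUN"]
    return exceptions


def ready_for_cutover(exceptions):
    """The old system stays authoritative until a run has no exceptions."""
    return not exceptions


if __name__ == "__main__":
    report = reconcile(OLD_RUN, NEW_RUN, MASTER)
    for emp_id, codes in sorted(report.items()):
        print(emp_id, ", ".join(codes))
    print("ready for cutover:", ready_for_cutover(report))
```

Until a pay period reconciles with no exceptions, the checks from the old system are the ones issued, which is the outcome the answer to part b describes.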
Source Exif Data:
File Type : PDF
File Type Extension : pdf
MIME Type : application/pdf
PDF Version : 1.6
Linearized : Yes
Author : Paul John Steinbart
Create Date : 2013:07:08 13:18:16-06:00
Modify Date : 2014:05:08 10:11:16-04:00
Has XFA : No
XMP Toolkit : Adobe XMP Core 5.4-c005 78.147326, 2012/08/23-13:03:03
Format : application/pdf
Creator : Paul John Steinbart
Creator Tool : Acrobat PDFMaker 11 for Word
Metadata Date : 2014:05:08 10:11:16-04:00
Producer : Adobe PDF Library 11.0
Document ID : uuid:a6c5f40e-719a-477c-a7f4-c155d028fca2
Instance ID : uuid:5cfc3207-e6f2-49ac-bfb2-46d8fc43a61d
Page Count : 746