Here are the 2 assignments I made that must be redone.
Format: Word, Times New Roman at 12.
Due date for the assignments is Saturday 18 at midnight.
Text required for this course was:
Accounting Information Systems, 12th Edition, Marshall B. Romney, Paul John Steinbart, 2009, Pearson – Prentice Hall
Nyanya, thank you very much once again.
I'll be waiting.
Week 2: Chapter 3
Chapter 3: Systems Documentation Techniques
3.1 Identify the DFD elements in the following narrative: A customer purchases a few items from a local grocery store. Jill, a salesclerk, enters the transaction in the cash register and takes the customer’s money. At closing, Jill gives both the cash and the register tape to her manager. (25 points)
Data Flows: merchandise, payment, cash and register tape
Data Source: customer
Processes: capture sales and payment data and collect payment, give cash and register tape to manager
Storage: sales file (register tape), cash register
3.2 Do you agree with the following statement: “Any one of the systems documentation procedures, such as DFD, can adequately document a given system”? Explain. (25 points)
It is usually not sufficient to use just one documentation tool. Every tool documents a uniquely important aspect of a given information system. For example, system flowcharts are employed to understand physical system activities including inputs, outputs, and processing. In contrast, data flow diagrams provide a graphic picture of the logical flow of data within an organization. Each alternative is appropriate for a given aspect of the system. As a result, they work together to fully document the nature and function of the information system.
3.3 Compare the guidelines for preparing flowcharts and DFDs. What general design principles and limitations are common to both documentation techniques? (25 points)
Similar design concepts include the following:
· Both methods require an initial understanding of the system before actual documentation begins. This ensures that the system is properly represented by the diagram.
· Both methods require the designer to identify the elements of the system and to identify the names and relations associated with the elements.
· Both methods encourage the designer to show only the regular flows of information and not to be concerned with unique situations.
· Both approaches require more than one “pass” through the diagramming or flowcharting process to accurately capture the essence of the system.
The product of both methods is a model documenting the flow of information and/or documents in an information system. Both documentation methods are limited by the nature of the models they employ, as well as by the talents and abilities of the designer to represent reality.
3.4 Your classmates ask you to explain flowcharting conventions using real-world examples. Draw each of the major flowchart symbols from memory, placing them into one of four categories: input/output, processing, storage, and flow and miscellaneous. For each symbol, suggest several uses. (25 points)
Flowcharting symbols are divided into four categories:
1. Input/Output Symbols
· Document: an employee time card, a telephone bill, a budget report, a parking ticket, a contract
· Display: student information monitors, ATM monitors, the monitor on your microcomputer.
2. Processing Symbols
· Processing: processing a student payroll program, assessing late fees
· Manual operation: writing a parking ticket, preparing a paper report, collecting and entering student payments
3. Storage Symbols
· Magnetic disk: alumni information data base, a report stored on your PC hard disk
· Magnetic tape: archival student information
4. Flow (Miscellaneous)
· Terminal: A beginning, end, or point of interruption in a process or program; also used to indicate an external party.
· Communication link: a telephone linkage that connects you to an on-line data base.
Week 4: Chapters 5 and 6
Chapter 5: Computer Fraud and Abuse
5.1 Do you agree that the most effective method of obtaining adequate system security is to rely on the integrity of company employees? Why or why not? Does this seem ironic? What measures should a company take to ensure the integrity of its employees? (7.15 points)
The statement is ironic because employees represent both the greatest control strength and the greatest control weakness. Honest, skilled employees are the most effective fraud deterrent. However, when fraud occurs, it often involves an employee in a position of trust. As many as 90% of computer frauds are insider jobs by employees.
Employers can do the following to maintain the integrity of their employees.
· Human Resource Policies. Implement human resource policies for hiring, compensating, evaluating, counseling, promoting, and discharging employees that send messages about the required level of ethical behavior and integrity
· Hiring and Firing Practices: Effective hiring and firing practices include:
o Screen potential employees using thorough background checks and written tests that evaluate integrity.
o Remove fired employees from all sensitive jobs and deny them access to the computer system to avoid sabotage.
· Managing Disgruntled Employees: Some employees who commit a fraud are disgruntled and they are seeking revenge or “justice” for some wrong that they perceive has been done to them. Companies should have procedures for identifying these individuals and helping them resolve their feelings or removing them from jobs that allow them access to the system. One way to avoid disgruntled employees is to provide grievance channels that allow employees to talk to someone outside the normal chain of command about their grievances.
· Culture. Create an organizational culture that stresses integrity and commitment to both ethical values and competence.
· Management Style. Adopt an organizational structure, management philosophy, operating style, and appetite for risk that minimizes the likelihood of fraud.
· Employee Training: Employees should be trained in appropriate behavior, which is reinforced by the corporate culture. Employees should be taught fraud awareness, security measures, ethical considerations, and punishment for unethical behavior.
5.2 You are the president of a multinational company. One of your senior executives confessed to kiting $100,000. Explain what kiting is and what your company can do to prevent it. How would you respond to your employee’s confession? What issues must you consider before pressing formal charges? (7.15 points)
In a kiting scheme, cash is created using the lag between the time a check is deposited and the time it clears the bank. Suppose a fraud perpetrator opens accounts in banks A, B, and C. The perpetrator “creates” cash by depositing a $1,000 check from bank B in bank C and withdrawing the funds. If it takes two days for the check to clear bank B, he has created $1,000 for two days. After two days, the perpetrator deposits a $1,000 check from bank A in bank B to cover the created $1,000 for two more days. At the appropriate time, $1,000 is deposited from bank C in bank A. The scheme continues, writing checks and making deposits as needed to keep the checks from bouncing.
Kiting can be detected by analyzing all interbank transfers. Since the scheme requires constant transferring of funds, the number of interbank transfers will usually increase significantly. This increase is a red flag that should alert the auditors to begin an investigation.
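The detection step described above (a sharp rise in the number of interbank transfers as the red flag) can be written as a simple audit script. The following is an added example and is not code from the assignment or the textbook; the transfer records, bank labels, dates, and the 2x-over-baseline threshold are all constructed assumptions.

```python
from collections import Counter
from datetime import date

# Constructed sample of interbank transfers (not from the page): each record is
# (transfer date, source bank, destination bank, amount). The first four weeks
# show a normal level of one transfer per week; the last two weeks show the
# rapid A -> B -> C -> A cycling that a kiting scheme requires.
TRANSFERS = [
    (date(2009, 3, 2), "A", "B", 5000.0),
    (date(2009, 3, 9), "B", "C", 2500.0),
    (date(2009, 3, 16), "A", "C", 4000.0),
    (date(2009, 3, 23), "C", "A", 1500.0),
    # kiting begins: a new check every two days to cover the previous one
    (date(2009, 3, 30), "B", "C", 1000.0),
    (date(2009, 4, 1), "A", "B", 1000.0),
    (date(2009, 4, 3), "C", "A", 1000.0),
    (date(2009, 4, 5), "B", "C", 1000.0),
    (date(2009, 4, 7), "A", "B", 1000.0),
    (date(2009, 4, 9), "C", "A", 1000.0),
    (date(2009, 4, 11), "B", "C", 1000.0),
]


def transfers_per_week(transfers):
    """Count interbank transfers per ISO (year, week), in chronological order."""
    counts = Counter()
    for when, _src, _dst, _amount in transfers:
        year, week, _weekday = when.isocalendar()
        counts[(year, week)] += 1
    return sorted(counts.items())


def flag_transfer_spikes(transfers, baseline_weeks=4, factor=2.0):
    """Return (week, count, baseline average) for every week whose transfer
    count exceeds `factor` times the average of the preceding `baseline_weeks`
    weeks. The threshold is an assumption; a flagged week is a trigger for an
    auditor to investigate, not proof of kiting."""
    weekly = transfers_per_week(transfers)
    flagged = []
    for i in range(baseline_weeks, len(weekly)):
        baseline = sum(c for _, c in weekly[i - baseline_weeks:i]) / baseline_weeks
        week, count = weekly[i]
        if count > factor * baseline:
            flagged.append((week, count, baseline))
    return flagged


if __name__ == "__main__":
    for week, count in transfers_per_week(TRANSFERS):
        print(f"{week}: {count} transfer(s)")
    for week, count, baseline in flag_transfer_spikes(TRANSFERS):
        print(f"RED FLAG week {week}: {count} transfers vs baseline {baseline:.1f}")
```

Only the week in which the two-day cycling starts exceeds the threshold; the following week does not, because the spike itself has already raised the trailing baseline. A real audit would run this over all accounts the company controls and follow up any flagged week by tracing the individual checks.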
When the employee confesses, the company should immediately investigate the fraud and determine the actual losses. Employees often “under confess” the amount they have taken. When the investigation is complete, the company should determine what controls could be added to the system to deter similar frauds and to detect them if they do occur.
Employers should consider the following issues before pressing charges:
· How will prosecuting the case impact the future success of the business?
· What effect will adverse publicity have upon the company’s well being? Can the publicity increase the incidence of fraud by exposing company weaknesses?
· What social responsibility does the company have to press charges?
· Does the evidence ensure a conviction?
· If charges are not made, what message does that send to other employees?
· Will not exposing the crime subject the company to civil liabilities?
5.3 Discuss the following statement by Roswell Steffen, a convicted embezzler: “For every foolproof system, there is a method for beating it.” Do you believe a completely secure computer system is possible? Explain. If internal controls are less than 100% effective, why should they be employed at all? (7.15 points)
The old saying “where there is a will, there is a way” applies to committing fraud and to breaking into a computer system. It is possible to institute sufficient controls in a system so that it is very difficult to perpetrate the fraud or break into the computer system, but most experts would agree that it just isn’t possible to design a system that is 100% secure from every threat. There is bound to be someone who will think of a way of breaking into the system that designers did not anticipate and did not control against.
If there were a way to make a foolproof system, it would be highly likely that it would be too cost prohibitive to employ.
Though internal controls can’t eliminate all system threats, controls can:
· Reduce threats caused by employee negligence or error. Such threats are often more financially devastating than intentional acts.
· Significantly reduce the opportunities, and therefore the likelihood, that someone can break into the system or commit a fraud.
5.4 Revlon hired Logisticon to install a real-time invoice and inventory processing system. Seven months later, when the system crashed, Revlon blamed the Logisticon programming bugs they discovered and withheld payment on the contract. Logisticon contended that the software was fine and that it was the hardware that was faulty. When Revlon again refused payment, Logisticon repossessed the software using a telephone dial-in feature to disable the software and render the system unusable. After a three-day standoff, Logisticon reactivated the system. Revlon sued Logisticon, charging them with trespassing, breach of contract, and misappropriation of trade secrets (Revlon passwords). Logisticon countersued for breach of contract. The companies settled out of court. (7.15 points)
Would Logisticon’s actions be classified as sabotage or repossession? Why? Would you find the company guilty of committing a computer crime? Be prepared to defend your position to the class.
This problem has no clear answer. By strict definition, the actions of Logisticon in halting the software represented trespassing and an invasion of privacy. Some states recognize trespassing as a breach of the peace, thereby making Logisticon’s actions illegal.
However, according to contract law, a secured party can repossess collateral if the contract has been violated and repossession can occur without a breach of the peace.
The value of this discussion question is not in disseminating a “right answer” but in encouraging students to examine both sides of an issue with no clear answer. In most classes, some students will feel strongly about each side and many will sit on the fence and not know.
5.5 Because improved computer security measures sometimes create a new set of problems—user antagonism, sluggish response time, and hampered performance—some people believe the most effective computer security is educating users about good moral conduct. Richard Stallman, a computer activist, believes software licensing is antisocial because it prohibits the growth of technology by keeping information away from the neighbors. He believes high school and college students should have unlimited access to computers without security measures so that they can learn constructive and civilized behavior. He states that a protected system is a puzzle and, because it is human nature to solve puzzles, eliminating computer security so that there is no temptation to break in would reduce hacking. (7.15 points)
Do you agree that software licensing is antisocial? Is ethical teaching the solution to computer security problems? Would the removal of computer security measures reduce
Software licensing encourages the development of new ideas by protecting the efforts of businesses seeking to develop new software products that will provide them with a profit and/or a competitive advantage in the marketplace. This point is supported by the following ideas:
· The prospect of a financial reward is the primary incentive for companies to expend the time and money to develop new technologies.
· If businesses were unable to protect their investment by licensing the software to others, it would be much more difficult for them to receive a reward for their efforts in the research and development of computer software.
· Economic systems without such incentives are much more likely to fail in developing new products to meet consumer needs.
The only way to foster new ideas is to make information and software available to all people. The most creative ideas are developed when individuals are free to use all available resources (such as software and information).
Many security experts and systems consultants view proper ethical teaching as an important solution to most security problems. However, no single approach is a complete solution to the problem of computer fraud and abuse. Proper ethical teachings can reduce but not eliminate the incidents of fraud.
Though no security system is impenetrable, system security measures can significantly reduce the opportunity for damages from both intentional and unintentional threats by employees. Controls can also make the cost (in time and resources) greater than the benefit to the potential perpetrator.
Ultimately, the reduction in security measures will increase opportunities for fraud. If the perpetrator has sufficient motive and is able to rationalize his dishonest acts, increased opportunity will probably lead to an increase in computer crimes.
Chapter 7: Control and Accounting Information Systems
7.1 Answer the following questions about the audit of Springer’s Lumber & Supply. (7.15 points)
a. What deficiencies existed in the internal environment at Springer’s?
The “internal environment” refers to the tone or culture of a company and helps determine how risk conscious employees are. It is the foundation for all other ERM components, providing discipline and structure. It is essentially the same thing as the control environment in the internal control framework.
The internal environment also refers to management’s attitude toward internal control, and to how that attitude is reflected in the organization’s control policies and procedures. At Springer’s, several deficiencies in the control environment are apparent:
1. Management authority is concentrated in three family members, so there are few, if any, checks and balances on their behavior. In addition, several other relatives and friends of the family are on the payroll.
2. Since the company has a “near monopoly” on the business in the Bozeman area, few competitive constraints restrain prices, wages, and other business practices.
3. Lines of authority and responsibility are loosely defined, which makes it difficult to identify who is responsible for problems or decisions.
4. Management may have engaged in “creative accounting” to make its financial performance look better, which suggests a management philosophy that could encourage unethical behavior among employees.
b. Do you agree with the decision to settle with the Springers rather than to prosecute them for fraud and embezzlement? Why or why not?
Whether or not to settle with the Springers is a matter of opinion, with reasonable arguments on both sides of the issue.
· The reasons for reaching a settlement are clearly stated: the difficulty of obtaining convictions in court, and the possible adverse effects on the company’s market position.
· On the other hand, the evidence of fraud here seems strong. If this kind of behavior is not penalized, then the perpetrators may be encouraged to do it again, with future adverse consequences to society.
c. Should the company have told Jason and Maria the results of the high-level audit? Why or why not?
Whether or not Jason and Maria should have been told the results of the high-level audit is also a matter of opinion. The investigative team is apparently trying to keep its agreement to maintain silence by telling as few people as possible what really happened. On the other hand, Jason and Maria were the ones who first recognized the problems; it seems only right that they be told about the outcome.
Many lessons may be drawn from this story.
1. Auditors should view the condition of an organization’s control environment as an important indicator of potential internal control problems.
2. Fraud is more easily perpetrated and concealed when many perpetrators are involved, and especially when management is involved.
3. Purchasing and payroll are two areas that are particularly vulnerable to fraud.
4. Determining whether fraud has actually occurred is sometimes quite difficult, and proving that it has occurred is even more difficult.
5. Frauds do occur, so auditors must always be alert to the possibility of fraud.
6. Auditors should not accept management’s explanations for questionable transactions at face value, but should do additional investigative work to corroborate such explanations.
7.2 Effective segregation of duties is sometimes not economically feasible in a small business. What internal control elements do you think can help compensate for this threat? (7.15 points)
Small companies can do the following things to compensate for their inability to implement an adequate segregation of duties:
· Effective supervision and independent checks performed by the owner/manager may be the most important element of control in situations where separation of functions cannot be fully achieved. In very small businesses, the owner-manager may find it necessary to supervise quite extensively. For example, the manager could reconcile the bank account, examine invoices, etc.
· Fidelity bonding is a second form of internal control that is critical for persons holding positions of trust that are not entirely controlled by separation of functions.
· Document design and related procedures are also important to internal control in this situation. Documents should be required with customer returns to encourage customer audit.
· Document design should include sequential pre-numbering to facilitate subsequent review.
· Where appropriate, employees should be required to sign documents to acknowledge responsibility for transactions or inventories.
· In small organizations, management can use computers to perform some of the control functions that humans perform in manual systems. For example, the computer can:
– Check all customer numbers to make sure they are valid
– Automatically generate purchase orders and have a member of management or a designated buyer authorize them.
7.3 One function of the AIS is to provide adequate controls to ensure the safety of organizational assets, including data. However, many people view control procedures as “red tape.” They also believe that, instead of producing tangible benefits, business controls create resentment and loss of company morale. Discuss this position. (7.15 points)
Well-designed controls should not be viewed as “red tape” because they can actually improve both efficiency and effectiveness. The benefits of business controls are evident if one considers the losses that frequently occur due to the absence of controls.
Consider a control procedure mandating weekly backup of critical files. Regular performance of this control prevents the need to spend a huge amount of time and money recreating files that are lost when the system crashes, if it is even possible to recreate the files at all. Similarly, control procedures that require workers to design structured spreadsheets can help ensure that the spreadsheet decision aids are auditable and that they are documented well enough so that other workers can use them.
It is probably impossible to eliminate resentment or loss of morale among all employees, but these factors may be minimized if controls are administered fairly and courteously.
Of course, there is a cost-benefit tradeoff in implementing internal controls. If an organization has too many controls, this may justifiably generate resentment and loss of morale among employees. Controls having only marginal economic benefit may be rejected for this reason.
Another factor is the obtrusiveness of the controls. When the user sees no clear need or purpose to a control it can appear to be there only to control them and little more than that. When the user does not understand their purpose, controls can often provoke resentment.
7.4 In recent years, Supersmurf’s external auditors have given clean opinions on its financial statements and favorable evaluations of its internal control systems. Discuss whether it is necessary for this corporation to take any further action to comply with the Sarbanes–Oxley Act. (7.15 points)
The Sarbanes-Oxley Act of 2002 (SOX) applies to publicly held companies and their auditors and was intended to prevent financial statement fraud, make financial reports more transparent, provide protection to investors, strengthen the internal controls at public companies, and punish executives who perpetrate fraud.
SOX has had a material impact on the way boards of directors, management, and accountants of publicly held companies operate. It has also had a dramatic impact on CPAs of publicly held companies and the audits of those companies.
As a result of SOX, Supersmurf’s management and their audit committee must take a more active role in the financial disclosure process. Some of the more prominent roles include:
· Audit committee members must be on the company’s board of directors and be independent of the company. One member of the audit committee must be a financial expert.
· Audit committees hire, compensate, and oversee any registered public accounting firm that is employed.
· Auditors report to the audit committee and not management.
· Audit committees must pre-approve all audit and non-audit services provided by its auditor.
· The CEO and CFO at companies with more than $1.2 billion in revenue must prepare a statement certifying that their quarterly and annual financial statements and disclosures are fairly presented, were reviewed by management, and are not misleading.
· Management must prepare an annual internal control report that states
o Management is responsible for establishing and maintaining an adequate internal control structure
o Management assessed the company’s internal controls and attests to their accuracy, including notations of significant defects or material noncompliance found during their internal control tests.
o Auditors were told about all material internal control weaknesses and fraud
o Significant changes to controls after management’s evaluation were disclosed and corrected
· Management must base its evaluation on a recognized control framework, developed using a due-process procedure that allows for public comment. The report must contain a statement identifying the framework used by management to evaluate internal control effectiveness. The most likely framework is one of those formulated by COSO and discussed in the chapter.
· SOX also specifies that a company’s auditor must attest to as well as report on management’s internal control assessment.
7.5 When you go to a movie theater, you buy a pre-numbered ticket from the cashier. This ticket is handed to another person at the entrance to the movie. What kinds of irregularities is the theater trying to prevent? What controls is it using to prevent these irregularities? What remaining risks or exposures can you identify? (7.15 points)
There are two reasons for using tickets.
1. The theater is trying to prevent cashiers from stealing cash by providing greater control over cash receipts. You cannot get into the theater without a ticket so you never give cash to a cashier without insisting on a ticket. That makes it much harder for a cashier to pocket cash.
2. Pre-numbered tickets are also used so cashiers cannot give tickets to their friends. The number of tickets sold at the cashier counter can be reconciled with the number of tickets taken by the usher letting patrons into the theater.
Reconciling the cash in the register to the tickets sold and then reconciling the number of tickets sold to the number collected by the ticket-taker helps prevent the theft of cash and giving tickets away to friends.
Despite these controls, the following risks still exist:
· The ticket-taker can let friends into the theater without tickets.
· The ticket-taker may take money from theater patrons, pocketing the cash and letting them enter without a ticket.
· The cashier and the ticket-taker may collude in selling admittances without issuing tickets and then split the proceeds.
7.6 Some restaurants use customer checks with pre-numbered sequence codes. Each food server uses these checks to write up customer orders. Food servers are told not to destroy any customer checks; if a mistake is made, they are to void that check and write a new one. All voided checks are to be turned in to the manager daily. How does this policy help the restaurant control cash receipts? (7.15 points)
The fact that all documents are pre-numbered provides a means for accounting for their use and for detecting unrecorded transactions. Thus, a missing check indicates a meal for which a customer did not pay. Since each server has his or her own set of checks, it is easy to identify which server was responsible for that customer.
This policy may help to deter theft (e.g., serving friends and not requiring them to pay for the meal, or pocketing the customer’s payment and destroying the check) because a reconciliation of all checks will reveal that one or more are missing.
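The reconciliations behind both 7.5 (cash to tickets sold, tickets sold to stubs collected by the ticket-taker) and 7.6 (each server's block of pre-numbered checks to the checks turned in, paid or voided) rest on one control: account for every number in a pre-numbered sequence and report what is missing, duplicated, or not from the block. The script below is an added example, not code from the assignment or the textbook; the ticket price, number ranges, server names, cash count, and check statuses are constructed sample data.

```python
from collections import Counter

# --- Constructed sample data (not from the page) ---------------------------
TICKET_PRICE = 8.50

# The cashier's register tape shows tickets 1001-1020 sold; cash counted at close.
CASHIER_RANGE = (1001, 1020)
CASH_IN_REGISTER = 161.50  # one ticket's worth short of the 20 tickets sold

# Ticket stubs the ticket-taker collected at the door (stub 1020 appears twice).
COLLECTED_TICKETS = [1001, 1002, 1003, 1004, 1005, 1006, 1007, 1008, 1009, 1010,
                     1011, 1012, 1013, 1014, 1015, 1016, 1017, 1018, 1019, 1020,
                     1020]

# Each server has a block of pre-numbered checks; turned-in checks are paid or void.
SERVER_BLOCKS = {"Jill": (500, 509), "Omar": (700, 709)}
TURNED_IN = {
    "Jill": {500: "paid", 501: "paid", 502: "void", 503: "paid", 504: "paid",
             505: "paid", 506: "paid", 507: "paid", 508: "paid", 509: "paid"},
    "Omar": {700: "paid", 701: "paid", 702: "paid", 704: "paid", 705: "void",
             706: "paid", 707: "paid", 708: "paid", 709: "paid"},  # 703 never turned in
}


def sequence_exceptions(block, observed):
    """Compare a pre-numbered block (first, last) with the numbers actually seen.
    Returns (missing numbers, numbers seen more than once, numbers outside the block)."""
    first, last = block
    expected = set(range(first, last + 1))
    seen = Counter(observed)
    missing = sorted(expected - seen.keys())
    duplicates = sorted(n for n, c in seen.items() if c > 1)
    foreign = sorted(set(seen) - expected)
    return missing, duplicates, foreign


def reconcile_theater(cashier_range, cash, collected, price):
    """Cash-to-tickets and tickets-to-stubs reconciliation for one shift."""
    tickets_issued = cashier_range[1] - cashier_range[0] + 1
    expected_cash = round(tickets_issued * price, 2)
    missing, duplicates, foreign = sequence_exceptions(cashier_range, collected)
    return {
        "tickets_issued": tickets_issued,
        "expected_cash": expected_cash,
        "cash_shortage": round(expected_cash - cash, 2),
        "stubs_missing_at_door": missing,
        "stubs_presented_twice": duplicates,
        "stubs_not_issued_by_cashier": foreign,
    }


def reconcile_restaurant(blocks, turned_in):
    """Per-server accounting for every check in the server's block."""
    report = {}
    for server, block in blocks.items():
        checks = turned_in.get(server, {})
        missing, _duplicates, foreign = sequence_exceptions(block, checks.keys())
        voided = sorted(n for n, status in checks.items() if status == "void")
        report[server] = {"missing": missing, "voided": voided, "not_from_block": foreign}
    return report


if __name__ == "__main__":
    print(reconcile_theater(CASHIER_RANGE, CASH_IN_REGISTER, COLLECTED_TICKETS, TICKET_PRICE))
    print(reconcile_restaurant(SERVER_BLOCKS, TURNED_IN))
```

With the sample data the theater report shows the register $8.50 short against 20 tickets sold and one stub presented twice at the door, and the restaurant report shows Omar's check 703 unaccounted for while Jill's voided check 502 was properly turned in. Each exception names the person responsible for that range, which is the point of assigning numbered blocks to individuals.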
7.7 Compare and contrast the following three frameworks: COBIT, COSO Integrated Control, and ERM. (7.15 points)
The COBIT Framework consolidates systems security and control standards into a single framework. This allows management to benchmark security and control practices of IT environments, users to be assured that adequate IT security and control exist, and auditors to substantiate their internal control opinions and to advise on IT security and control matters. The framework addresses control from three vantage points:
1. Business objectives, to ensure information conforms to and maps into business objectives.
2. IT resources, including people, application systems, technology, facilities, and data.
3. IT processes, including planning and organization, acquisition and implementation, delivery and support, and monitoring and evaluation.
COSO’s Internal Control Framework is widely accepted as the authority on internal controls and is incorporated into policies and regulations that control business activities. However, it examines controls without looking at the purposes and risks of business processes and provides little context for evaluating the results. It makes it hard to know which control systems are most important, whether they adequately deal with risk, and whether important controls are missing. In addition, it does not adequately address Information Technology issues.
It has five components:
1. Control environment, which is the individual attributes (integrity, ethical values, competence, etc.) of the people in the organization and the environment in which they operate.
2. Control activities, which are control policies and procedures that help ensure that the organization addresses risks and effectively achieves its objectives.
3. Risk assessment, which is the process of identifying, analyzing, and managing organizational risk.
4. Information and communication, which is the system that captures and exchanges the information needed to conduct, manage, and control organizational operations.
5. Monitoring company processes and controls, so modifications and changes can be made as conditions warrant.
COSO’s Enterprise Risk Management Framework is a new and improved version of the Integrated Control Framework. It is the process the board of directors and management use to set strategy, identify events that may affect the entity, assess and manage risk, and provide reasonable assurance that the company achieves its objectives and goals. The basic principles behind ERM are:
· Companies are formed to create value for their owners.
· Management must decide how much uncertainty it will accept as it creates value.
· Uncertainty results in risk and opportunity, which are the possibilities that something negatively or positively affects the company’s ability to create or preserve value.
· The ERM framework can manage uncertainty as well as create and preserve value.
ERM adds three additional elements to COSO’s IC framework:
1. Setting objectives
2. Identifying events that may affect the company
3. Developing a response to assessed risk.
The ERM framework takes a risk-based rather than a controls-based approach. As a result, controls are flexible and relevant because they are linked to current organizational objectives. The ERM model also recognizes that risk, in addition to being controlled, can be accepted, avoided, diversified, shared, or transferred.
Because the ERM model is more comprehensive than the Internal Control framework, it will likely become the more widely adopted of the two models.
7.8 Explain what is meant by objective setting and describe the four types of objectives used in ERM. (7.15 points)
Objective setting, the second ERM component, is determining what the company hopes to achieve. It is often referred to as the corporate vision or mission. The four types of objectives used in ERM are:
1. Strategic objectives are high-level goals that align with the company’s mission, support it, and create shareholder value. Management should identify alternative ways of accomplishing the strategic objectives, identify and assess the risks and implications of each alternative, and formulate a corporate strategy.
2. Operations objectives deal with the effectiveness and efficiency of company operations and determine how to allocate resources. They reflect management preferences, judgments, and style and are a key factor in corporate success. They vary significantly – one company decides to be an early adopter of technology, another adopts technology when it is proven, and a third adopts it only after it is generally accepted.
3. Reporting objectives help ensure the accuracy, completeness, and reliability of company reports; improve decision-making; and monitor company activities and performance.
4. Compliance objectives help the company comply with all applicable laws and regulations.
Most compliance and many reporting objectives are imposed by external entities due to laws or regulations. ERM provides reasonable assurance that reporting and compliance objectives are achieved because companies have control over them. However, the only reasonable assurance ERM can provide about strategic and operations objectives is that management and directors are informed on a timely basis of the progress the company is making in achieving them.
7.9 Discuss several ways that ERM processes can be continuously monitored and modified so that deficiencies are reported to management. (7.15 points)
1. Have a special team or internal auditing perform a formal or a self-assessment ERM evaluation.
2. Supervise effectively, including training and assisting employees, correcting errors, and overseeing employees who have access to assets.
3. Use Responsibility Accounting Systems such as budgets, quotas, schedules, standard costs, and quality standards; reports comparing actual and planned performance; and procedures for investigating and correcting significant variances.
4. Use risk analysis and management software packages to review computer and network security measures, detect illegal access, test for weaknesses and vulnerabilities, report weaknesses found, and suggest improvements.
5. Track purchased software to comply with copyrights and protect against software piracy lawsuits. Companies should periodically conduct software audits. Employees should be informed of the consequences of using unlicensed software. Track and monitor mobile devices, as their loss could represent a substantial exposure. Also, track who has them, what tasks they perform, the security features installed, and what software is needed to maintain adequate system and network security.
6. Have periodic external, internal, and network security audits to assess and monitor risk as well as detect fraud and errors.
7. Have a chief security officer (CSO), who is independent of the information system function, be in charge of system security and report to the chief operating officer (COO) or the CEO. Have a chief compliance officer (CCO), who reports to the same people, be responsible for all compliance issues.
9. Use forensic investigators, who specialize in fraud detection and investigation, to help with the financial reporting and corporate governance process. Most forensic investigators received specialized training with the FBI, IRS, or other law enforcement agencies. Investigators with the computer skills to ferret out fraud perpetrators are in great demand.
10. Install fraud detection software to help ferret out fraud, such as illegal credit card use, and notify forensic investigators when it is found.
11. Use a fraud hotline so people witnessing fraudulent behavior can report it anonymously.