Accounting information systems (14/e): part 2

Document information

Part 2 of the book “Accounting Information Systems” covers: the production cycle; the general ledger and reporting system; systems design, implementation, and operation; the human resources management and payroll cycle; database design using the REA data model; and other contents.

www.downloadslide.net
M12_ROMN4021_14_SE_C12.indd 351 06/09/16 11:58 AM

PART III
Accounting Information Systems Applications

Chapter 12 The Revenue Cycle: Sales to Cash Collections
Chapter 13 The Expenditure Cycle: Purchasing to Cash Disbursements
Chapter 14 The Production Cycle
Chapter 15 The Human Resources Management and Payroll Cycle
Chapter 16 General Ledger and Reporting System

[Part-opener value chain graphic. Primary Activities: Inbound Logistics, Operations, Outbound Logistics, Marketing and Sales, Service. Secondary Activities: Firm Infrastructure, Human Resources, Technology, Purchasing.]

CHAPTER 12
The Revenue Cycle: Sales to Cash Collections

LEARNING OBJECTIVES

● Describe the basic business activities in the revenue cycle and discuss the general threats to that process and the controls that can be used to mitigate those threats.
● Explain the sales order entry process, key decisions that need to be made and threats to that process, and describe the controls that can be used to mitigate those threats.
● Explain the shipping process, key decisions that need to be made and threats to that process, and describe the controls that can be used to mitigate those threats.
● Explain the billing process, key decisions that need to be made and threats to that process, and describe the controls that can be used to mitigate those threats.
● Explain the cash collections process, key decisions that need to be made and threats to that process, and describe the controls that can be used to mitigate those threats.

INTEGRATIVE CASE: Alpha Omega Electronics

Alpha Omega Electronics (AOE) manufactures a variety of inexpensive consumer electronic products, including calculators, digital clocks, radios, pagers, toys, games, and small kitchen appliances. Like most manufacturers, AOE does not sell its products directly to individual consumers, but only to retailers. Figure 12-1 shows a partial organization chart for AOE.

Linda Spurgeon, president of AOE, called an executive meeting to discuss two pressing issues. First, AOE has been steadily losing market share for the past three years. Second, cash flow problems have necessitated increased short-term borrowing.

At the executive meeting, Trevor Whitman, vice president of marketing, explained that one reason for AOE’s declining market share is that competitors are apparently providing better customer service. When Linda asked for specifics, however, Trevor admitted that his opinion was based on recent conversations with two major customers. He also admitted that he could not readily identify AOE’s 10 most profitable customers.

[Figure 12-1 Partial Organization Chart for Alpha Omega Electronics. Positions shown: President Linda Spurgeon; Vice President Marketing Trevor Whitman; Director of Sales Faith Weber; Vice President Manufacturing LeRoy Williams; Plant Manager Leon Malone; Inventory Control Melissa Brewster; Receiving Joe Schmidt; Director of Purchasing Ryan McDaniel; Shipping Jack Kent; Vice President Information Systems Ann Brandt; Director Internal Audit Paul Reinhardt; Vice President Finance Stephanie Cromwell; Controller Elizabeth Venko; Treasurer Frank Stevens; Dir Budget Ali Hussam; Cashier Bill Black; Taxes Carol Jones; Credit Manager Sofia Lopez; General Accounting Mike Turno; Vice President Human Resources Peter Wu.]

Linda then asked Elizabeth Venko, the controller, about AOE’s cash flow problems. Elizabeth explained that the most recent accounts receivable aging schedule indicated a significant increase in the number of past-due customer accounts. Consequently, AOE has had to increase its short-term borrowing because of delays in collecting customer payments. In addition, the Best Value Company, a retail chain that has been one of AOE’s major customers, recently went bankrupt. Elizabeth admitted that she is unsure whether AOE will be able to collect the large balance due from Best Value.

Linda was frustrated with the lack of detailed information regarding both issues. She ended the meeting by asking Elizabeth and Trevor to work with Ann Brandt, vice president of information systems, to develop improved reporting systems so that AOE could more closely monitor and take steps to improve both customer service and cash flow management. Specifically, Linda asked Elizabeth, Trevor, and Ann to address the following issues:

● How could AOE improve customer service? What information does marketing need to perform its tasks better?
● How could AOE identify its most profitable customers and markets?
● How can AOE improve its monitoring of credit accounts? How would any changes in credit policy affect both sales and uncollectible accounts?
● How could AOE improve its cash collection procedures?

The AOE case shows how deficiencies in the information system used to support revenue cycle activities can create significant problems for an organization. As you read this chapter, think about how a well-designed information system can improve both the efficiency and effectiveness of an organization’s revenue cycle activities.

Introduction

revenue cycle - The recurring set of business activities and data processing operations associated with providing goods and services to customers and collecting cash in payment for those sales.

The revenue cycle is a recurring set of business activities and related information processing operations associated with providing goods and services to customers and collecting cash in payment for those sales (Figure 12-2). The primary external exchange of information is with customers. Information about revenue cycle activities also flows to the other accounting cycles. For example, the expenditure and production cycles use information about sales transactions to initiate the purchase or production of additional inventory to meet demand. The human resources management/payroll cycle uses information about sales to calculate sales commissions and bonuses. The general ledger and reporting function uses information produced by the revenue cycle to prepare financial statements and performance reports.

The revenue cycle’s primary objective is to provide the right product in the right place at the right time for the right price. To accomplish that objective, management must make the following key decisions:

● To what extent can and should products be customized to individual customers’ needs and desires?
● How much inventory should be carried, and where should that inventory be located?
● How should merchandise be delivered to customers? Should the company perform the shipping function itself or outsource it to a third party that specializes in logistics?
● What are the optimal prices for each product or service?
● Should credit be extended to customers? If so, what credit terms should be offered? How much credit should be extended to individual customers?
● How can customer payments be processed to maximize cash flow?

[Figure 12-2 The Context Diagram of the Revenue Cycle. Entities: Customer, Carrier, Bank, Expenditure Cycle, Production Cycle, Human Resources Management/Payroll Cycle, General Ledger and Reporting System. Flows labeled: Inquiries, Orders, Payments, Responses to Inquiries, Invoices, Monthly Statements, Bill of Lading, Packing Slip, Deposits, Bank Statements, Information About Goods Available, Production and Purchasing Needs (Back Orders), Commissions, Sales, Cash Receipts.]

The answers to those questions guide how an organization performs the four basic revenue cycle activities depicted in Figure 12-3:

1. Sales order entry
2. Shipping
3. Billing
4. Cash collections

[Figure 12-3 Level Data Flow Diagram: Revenue Cycle. Processes: 1.0 Sales Order Entry, 2.0 Shipping, 3.0 Billing, 4.0 Cash Collections. Data stores: Sales Orders, Inventory, Customer. Flows labeled: Inquiries, Response to Inquiries, Orders, Sales Order, Back Orders, Packing Slip, Bill of Lading, Invoice, Payments, Deposits, Bank Statements, Monthly Statements, Cash Receipts, Commissions, Sales, Information About Goods Available, Production and Purchasing Needs.]

This chapter explains how an organization’s information system supports each of those activities. We begin by describing the design of the revenue cycle information system and the basic controls necessary to ensure that it provides management with reliable information. We then discuss in detail each of the four basic revenue cycle activities. For each activity, we describe how the information needed to perform and manage those activities is collected, processed, and stored. We also explain the controls necessary to ensure not only the reliability of that information but also the safeguarding of the organization’s resources.

Revenue Cycle Information System

Like most large organizations, AOE uses an enterprise resource planning (ERP) system. Figure 12-4 shows the portion of the ERP system that supports AOE’s revenue cycle business activities.

PROCESS

AOE’s customers can place orders directly via the Internet. In addition, salespeople use portable laptops to enter orders when calling on customers. The sales department enters customer orders received over the telephone, by fax, or by mail. Regardless of how an order is initially received, the system quickly verifies customer creditworthiness, checks inventory availability, and notifies the warehouse and shipping departments about the approved sale. Warehouse and shipping employees enter data about their activities as soon as they
are performed, thereby updating information about inventory status in real time. Nightly, the invoice program runs in batch mode, generating paper or electronic invoices for customers who require invoices. Some of AOE’s customers still send checks to one of the regional banks with which AOE has established electronic lockboxes, but an increasing number use their bank’s online bill paying service. Each day, the bank sends AOE a file containing remittance data, which the cashier uses to update the company’s cash account balances and the accounts receivable clerk uses to update customer accounts.

[Figure 12-4 Overview of ERP System Design to Support the Revenue Cycle. Integrated Database: Customers, Inventory, Pricing, Sales Orders, Shipping, Invoices. Functions shown: Sales Order Entry, Sales Order Processing, Shipping, Billing and Accounts Receivable, Cash Collection Processing, Inventory Control, Marketing, Customer Service, Inquiries and Reports. Parties: Customers, Web Storefronts, Sales, Warehouse, Shipping, Accounting, Accounts Receivable, Cashier, Banks. Documents and data: Internet Orders, Picking Tickets, Picked Items, Packing Slips & Bill of Lading, Sales Invoice, Invoices, Customer Payments, Customer Remittances, Customer Account Information, Customer Accounts, Inventory Status, Sales and Profitability Reports.]

THREATS AND CONTROLS

TABLE 12-1 Threats and Controls in the Revenue Cycle
(Controls are numbered so that the first number refers to the corresponding threat.)

General issues throughout entire revenue cycle
  Threat 1: Inaccurate or invalid master data
    1.1 Data processing integrity controls
    1.2 Restriction of access to master data
    1.3 Review of all changes to master data
  Threat 2: Unauthorized disclosure of sensitive information
    2.1 Access controls
    2.2 Encryption
    2.3 Tokenization of customer personal information
  Threat 3: Loss or destruction of data
    3.1 Backup and disaster recovery procedures
  Threat 4: Poor performance
    4.1 Managerial reports

Sales order entry
  Threat 5: Incomplete/inaccurate orders
    5.1 Data entry edit controls (see Chapter 10)
    5.2 Restriction of access to master data
  Threat 6: Invalid orders
    6.1 Digital signatures or written signatures
  Threat 7: Uncollectible accounts
    7.1 Credit limits
    7.2 Specific authorization to approve sales to new customers or sales that exceed a customer’s credit limit
    7.3 Aging of accounts receivable
  Threat 8: Stockouts or excess inventory
    8.1 Perpetual inventory control system
    8.2 Use of bar codes or RFID
    8.3 Training
    8.4 Periodic physical counts of inventory
    8.5 Sales forecasts and activity reports
  Threat 9: Loss of customers
    9.1 CRM systems, self-help websites, and proper evaluation of customer service ratings

Shipping
  Threat 10: Picking the wrong items or the wrong quantity
    10.1 Bar-code and RFID technology
    10.2 Reconciliation of picking lists to sales order details
  Threat 11: Theft of inventory
    11.1 Restriction of physical access to inventory
    11.2 Documentation of all inventory transfers
    11.3 RFID and bar-code technology
    11.4 Periodic physical counts of inventory and reconciliation to recorded quantities
  Threat 12: Shipping errors (delay or failure to ship, wrong quantities, wrong items, wrong addresses, duplication)
    12.1 Reconciliation of shipping documents with sales orders, picking lists, and packing slips
    12.2 Use RFID systems to identify delays
    12.3 Data entry via bar-code scanners and RFID
    12.4 Data entry edit controls (if shipping data entered on terminals)
    12.5 Configuration of ERP system to prevent duplicate shipments

Billing
  Threat 13: Failure to bill
    13.1 Separation of billing and shipping functions
    13.2 Periodic reconciliation of invoices with sales orders, picking tickets, and shipping documents
  Threat 14: Billing errors
    14.1 Configuration of system to automatically enter pricing data
    14.2 Restriction of access to pricing master data
    14.3 Data entry edit controls
    14.4 Reconciliation of shipping documents (picking tickets, bills of lading, and packing list) to sales orders
  Threat 15: Posting errors in accounts receivable
    15.1 Data entry controls
    15.2 Reconciliation of batch totals
    15.3 Mailing of monthly statements to customers
    15.4 Reconciliation of subsidiary accounts to general ledger
  Threat 16: Inaccurate or invalid credit memos
    16.1 Segregation of duties of credit memo authorization from both sales order entry and customer account maintenance
    16.2 Configuration of system to block credit memos unless there is either corresponding documentation of return of damaged goods or specific authorization by management

Cash collections
  Threat 17: Theft of cash
    17.1 Segregation of duties: the person who handles (deposits) payments from customers should not also (a) post remittances to customer accounts, (b) create or authorize credit memos, or (c) reconcile the bank account
    17.2 Use of EFT, FEDI, and lockboxes to minimize handling of customer payments by employees
    17.3 Obtain and use a UPIC to receive EFT and FEDI payments from customers
    17.4 Immediately upon opening mail, create list of all customer payments received
    17.5 Prompt, restrictive endorsement of all customer checks
    17.6 Having two people open all mail likely to contain customer payments
    17.7 Use of cash registers
    17.8 Daily deposit of all cash receipts
  Threat 18: Cash flow problems
    18.1 Lockbox arrangements, EFT, or credit cards
    18.2 Discounts for prompt payment by customers
    18.3 Cash flow budgets

Table 12-1 lists the threats that occur throughout the various stages of the revenue cycle and the controls that can be used to mitigate those threats. Figure 12-4 shows that all revenue cycle activities depend on the integrated database that contains information about customers, inventory, and pricing. Therefore, the first general threat listed in Table 12-1 is inaccurate or invalid master data. Errors in customer master data could result in shipping merchandise to the wrong location, delays in collecting payments because of sending invoices to the wrong address, or making sales to customers that exceed their credit limits. Errors in inventory master data can result in failure to timely fulfill customer orders due to unanticipated shortages of inventory, which may lead to loss of future sales. Errors in pricing master data can result in customer dissatisfaction due to overbilling or lost revenues due to underbilling.

Control 1.1 in Table 12-1 shows that one way to mitigate the threat of inaccurate or invalid master data is to use the various processing integrity controls discussed in Chapter 10 to minimize the risk of data input errors. It is also important to use the authentication and authorization controls discussed in Chapter to restrict access to that data and configure the system so that only authorized employees can make changes to master data (control 1.2 in Table 12-1). This requires changing the default configurations of employee roles in ERP systems to appropriately segregate incompatible duties. For example, sales order entry staff should not be able to change master pricing data or customer credit limits. Similarly, the person who maintains customer account information should not be able to process cash collections from customers or issue credit memos to authorize writing off sales as uncollectible. However, because such preventive controls can never be 100% effective, Table 12-1 (control 1.3) also indicates that an important detective control is to regularly produce a report of all changes to master data and review them to verify that the database remains accurate.

A second general threat in the revenue cycle is unauthorized disclosure of sensitive information, such as pricing policies or personal information about customers. Table 12-1 (control 2.1) shows that one way to mitigate the risk of this threat is to configure the system to employ strong access controls that limit who can view such information. It is also important to configure the system to limit employees’ ability to use the system’s built-in query capabilities to access only those specific tables and fields relevant to performing their assigned duties. In addition, sensitive data should be encrypted (control 2.2) in storage to prevent IT employees who do not have access to the ERP system from using operating system utilities to view sensitive information. The organization should also design its websites to encrypt information requested from customers while that information is in transit over the Internet. However, because encryption does not protect information during processing, organizations should also tokenize customer personal information (control 2.3) to protect it from being viewed by employees who have authority to perform various revenue cycle activities.

A third general threat in the revenue cycle concerns the loss or destruction of master data. The best way to mitigate the risk of this threat is to employ the backup and disaster recovery procedures (control 3.1) that were discussed in Chapter 10. A best practice is to implement the ERP system as three separate instances. One instance, referred to as production, is used to process daily activity. A second is used for testing and development. A third instance should be maintained as an online backup to the production system to provide near real-time recovery.

Accurate master data enables management to better use an ERP system’s extensive reporting capabilities to monitor performance (see threat in Table 12-1). Accountants should use their knowledge about the underlying business processes to design innovative reports (control 4.1) that provide management with insights beyond those provided by traditional financial statements. For example, companies have always closely monitored sales trends.
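One way to make controls 1.2, 1.3 and 17.1 of Table 12-1 checkable rather than aspirational is to run the ERP’s exported role assignments against a list of incompatible duty pairs, and to review the master-data change report against those same assignments. The following Python script is an added example, not code from the textbook or from any ERP vendor: the role names, user IDs, table names and change-log records are constructed for illustration, and the conflict pairs are taken from the chapter’s own statements (sales order entry versus pricing and credit-limit maintenance; customer account maintenance versus cash receipts and credit memos; billing versus shipping; cash handling versus remittance posting, credit memos and bank reconciliation).

```python
"""Segregation-of-duties check over ERP role assignments, plus a review of a
master-data change log (Table 12-1 controls 1.2, 1.3, 13.1, 16.1, 17.1).

Added example, not code from the textbook. Role names, user IDs, table names
and log records are constructed for illustration and do not correspond to any
real ERP product's role catalogue.
"""
from dataclasses import dataclass
from itertools import combinations

# Pairs of duties the chapter says one person should not hold together.
INCOMPATIBLE_ROLES = {
    frozenset({"SALES_ORDER_ENTRY", "PRICING_MASTER_MAINTENANCE"}),        # 1.2
    frozenset({"SALES_ORDER_ENTRY", "CREDIT_LIMIT_MAINTENANCE"}),          # 1.2
    frozenset({"CUSTOMER_MASTER_MAINTENANCE", "CASH_RECEIPTS_POSTING"}),   # 1.2
    frozenset({"CUSTOMER_MASTER_MAINTENANCE", "CREDIT_MEMO_AUTHORIZATION"}),  # 1.2, 16.1
    frozenset({"SALES_ORDER_ENTRY", "CREDIT_MEMO_AUTHORIZATION"}),         # 16.1
    frozenset({"BILLING", "SHIPPING"}),                                    # 13.1
    frozenset({"CASH_HANDLING", "CASH_RECEIPTS_POSTING"}),                 # 17.1(a)
    frozenset({"CASH_HANDLING", "CREDIT_MEMO_AUTHORIZATION"}),             # 17.1(b)
    frozenset({"CASH_HANDLING", "BANK_RECONCILIATION"}),                   # 17.1(c)
}

# Which roles may change each master-data table (control 1.2); constructed names.
MASTER_DATA_OWNERS = {
    "PRICING": {"PRICING_MASTER_MAINTENANCE"},
    "CUSTOMER_CREDIT_LIMIT": {"CREDIT_LIMIT_MAINTENANCE"},
    "CUSTOMER": {"CUSTOMER_MASTER_MAINTENANCE"},
}


@dataclass(frozen=True)
class MasterDataChange:
    """One row of the master-data change report (control 1.3)."""
    when: str
    user: str
    table: str
    key: str
    field: str
    old: str
    new: str


def sod_conflicts(assignments):
    """Return (user, role_a, role_b) for every incompatible pair a single user holds.

    `assignments` maps user ID -> set of role names, as exported from the ERP.
    """
    findings = []
    for user, roles in sorted(assignments.items()):
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in INCOMPATIBLE_ROLES:
                findings.append((user, a, b))
    return findings


def unauthorized_master_changes(assignments, change_log):
    """Detective control 1.3: flag every master-data change made by a user who
    holds no role authorized for that table, including IDs with no roles at all."""
    flagged = []
    for rec in change_log:
        allowed = MASTER_DATA_OWNERS.get(rec.table, set())
        if not (assignments.get(rec.user, set()) & allowed):
            flagged.append(rec)
    return flagged


# Constructed sample data: five user IDs and one day's change log.
SAMPLE_ASSIGNMENTS = {
    "ship01": {"SHIPPING"},
    "sales02": {"SALES_ORDER_ENTRY", "PRICING_MASTER_MAINTENANCE"},      # conflict (1.2)
    "cash03": {"CASH_HANDLING", "BANK_RECONCILIATION"},                  # conflict (17.1c)
    "credit04": {"CREDIT_LIMIT_MAINTENANCE"},
    "acct05": {"CASH_RECEIPTS_POSTING", "CUSTOMER_MASTER_MAINTENANCE"},  # conflict (1.2)
}

SAMPLE_CHANGE_LOG = [
    MasterDataChange("2016-09-06T09:12", "credit04", "CUSTOMER_CREDIT_LIMIT",
                     "C-1043", "credit_limit", "25000", "40000"),        # authorized
    MasterDataChange("2016-09-06T09:40", "ship01", "PRICING",
                     "P-2201", "unit_price", "19.95", "14.95"),          # shipping clerk: flag
    MasterDataChange("2016-09-06T10:05", "sales02", "PRICING",
                     "P-2201", "unit_price", "14.95", "19.95"),          # authorized role
    MasterDataChange("2016-09-06T10:30", "svc_batch", "CUSTOMER",
                     "C-1043", "ship_to_address", "12 Main St", "9 Depot Rd"),  # no roles: flag
]


def main():
    for user, a, b in sod_conflicts(SAMPLE_ASSIGNMENTS):
        print(f"SoD conflict: {user} holds both {a} and {b}")
    for rec in unauthorized_master_changes(SAMPLE_ASSIGNMENTS, SAMPLE_CHANGE_LOG):
        print(f"Unauthorized change: {rec.when} {rec.user} changed {rec.table} "
              f"{rec.key}.{rec.field} from {rec.old} to {rec.new}")


if __name__ == "__main__":
    main()
```

Run against a fresh role export before each period close, the first check turns control 1.2 into something an auditor can re-perform; the second check catches what role configuration alone cannot, such as a change posted under a service account that holds no business role, which is exactly the kind of event the chapter says the master-data change report (control 1.3) exists to surface.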
Additional information is needed, however, to identify the causes of changes in that measure. Metrics such as revenue margin[1] can provide such information. Revenue margin equals gross margin minus all expenses incurred to generate sales, including payroll, salesforce-related travel, customer service and support costs, warranty and repair costs, marketing and advertising expenses, and distribution and delivery expenses. Thus, revenue margin integrates the effects of changes in both productivity and customer behavior. Growth in revenue margin indicates that customers are satisfied (as reflected in repeat sales), productivity is increasing (reflected in reduced costs per sale), or both. Conversely, a declining revenue margin indicates problems with customer retention, productivity, or both. Revenue margin is a metric to evaluate overall performance of revenue cycle activities. As we will see in the following sections, accountants can help managers design detailed reports and metrics that are relevant to evaluating each business activity.

[1] The concept of revenue margin was developed by James B. Hangstefer, “Revenue Margin: A Better Way to Measure Company Growth,” Strategic Finance (July 2000): pp. 40–45.

Sales Order Entry

The revenue cycle begins with the receipt of orders from customers. The sales department, which reports to the vice president of marketing (refer to Figure 12-1), typically performs the sales order entry process, but increasingly customers are themselves entering much of this data through forms on a company’s website storefront. Figure 12-5 shows that the sales order entry process entails three steps: taking the customer’s order, checking and approving customer credit, and checking inventory availability. Figure 12-5 also includes an important related event that may be handled either by the sales order department or by a separate customer service department (which typically also reports to the vice president of marketing): responding to customer inquiries.

[Figure 12-5 Level Data Flow Diagram: Sales Order Entry (annotated to identify threats). Processes: 1.1 Take Order, 1.2 Approve Credit, 1.3 Check Inventory Availability, 1.4 Respond to Customer Inquiries. Data stores: Customer, Sales Order, Inventory. Flows labeled: Orders, Rejected Orders, Customer Orders, Approved Orders, Acknowledgment, Inquiries, Response, Sales Order (to Shipping and Billing), Picking Ticket (to Warehouse), Back Orders (to Purchasing).]

TAKING CUSTOMER ORDERS

Customer order data are recorded on a sales order document. In the past, organizations used paper documents; today, as Figure 12-6 shows, the sales order document is usually an electronic form displayed on a computer monitor screen (interestingly, many ERP systems continue to refer to these data entry screens as documents). Examination of Figure 12-6 reveals that the sales order contains information about item numbers, quantities, prices, and other terms of the sale.

sales order - The document created during sales order entry listing the item numbers, quantities, prices, and terms of the sale.

[Figure 12-6 Example of a Sales Order Document (Order Entry Screen). Annotations: Customer’s Purchase Order Number; Clerk enters item number and quantity, system retrieves other information. Source: 2010 © NetSuite Inc.]

PROCESS

In the past, customer orders were entered into the system by employees. Increasingly, organizations seek to leverage IT to have customers do more of the data entry themselves. One way to accomplish this is to have customers complete a form on the company’s website. Another is for customers to use electronic data interchange (EDI) to submit the order electronically in a format compatible with the company’s sales order processing system.

electronic data interchange (EDI) - The use of computerized communications and a standard coding scheme to submit business documents electronically in a format that can be automatically processed by the recipient’s information system.

Both techniques improve efficiency and cut costs by eliminating the need for human involvement in the sales order entry process. Focus 12-1 describes how another recent IT development, QR codes, can further improve the efficiency and effectiveness of interacting with customers. Besides cutting costs, IT also provides opportunities to increase sales. One technique, used by many Internet retailers, is to use sales history information to create marketing messages tailored to the individual customer. For example, once an Amazon.com customer selects

GLOSSARY

universal product code (UPC) - A machine-readable code that is read by optical scanners. The code consists of a series of bar codes and is printed on most products sold in grocery stores.
UNIX - A flexible and widely used operating system for 16-bit machines.
update anomaly - Improper organization of a database that results in a non-primary key item, such as customer address, being stored multiple times in a database. When the address is updated in one location and not the others, an update anomaly occurs and data inconsistencies occur.
updating - Changing stored data to reflect more recent events (e.g., changing the accounts receivable balance because of a recent sale or collection).
URL hijacking - See typosquatting.
user ID - A knowledge identifier, such as an employee number or account number, that users enter to identify themselves when signing on to a system.
user stories - A description of something a user wants to include in the system written by the product owner.
users - People who record transactions, authorize data processing, and use system output.
utilization - The percentage of time a system is being used productively.

V

validity check - An edit test that compares the ID code or account number in transaction data with similar data in the master file to verify that the account exists.
value chain - The linking together of all
the primary and support activities in a business. Value is added as a product passes through the chain.
value of information - The benefit provided by information less the cost of producing it.
value system - The combination of several value chains into one system. A value system includes the value chains of a company, its suppliers, its distributors, and its customers.
vendor-managed inventory (VMI) - Practice in which manufacturers and distributors manage a retail customer’s inventory using EDI. The supplier accesses its customer’s point-of-sale system in order to monitor inventory and automatically replenish products when they fall to agreed-upon levels.
virtual private network (VPN) - Using encryption and authentication to securely transfer information over the Internet, thereby creating a “virtual” private network.
virtualization - Running multiple systems simultaneously on one physical computer.
virus - A segment of executable code that attaches itself to an application program or some other executable system component. When the hidden program is triggered, it makes unauthorized alterations to the way a system operates.
vishing - Voice phishing; it is like phishing except that the victim enters confidential data by phone.
voucher - A document that summarizes the data relating to a disbursement and represents final authorization of payment.
voucher package - The set of documents used to authorize payment to a vendor. It consists of a purchase order, receiving report, and vendor invoice.
voucher system - A method for processing accounts payable in which a disbursement voucher is prepared instead of posting invoices directly to vendor records in the accounts payable subsidiary ledger. The disbursement voucher identifies the vendor, lists the outstanding invoices, and indicates the net amount to be paid after deducting any applicable discounts and allowances. Contrast with nonvoucher system.
vouching - Comparing accounting journal and ledger entries with documentary evidence, such as a purchase order or vendor invoice, to verify that a transaction is valid, accurate, properly authorized, and correctly recorded.
vulnerabilities - Flaws in programs that can be exploited to either crash the system or take control of it.
vulnerability scanners - Automated tools designed to identify whether a given system possesses any unused and unnecessary programs that represent potential security threats.

W

walk-through - Step-by-step reviews of procedures or program logic to find incorrect logic, errors, omissions, or other problems.
war dialing - Programming a computer to dial thousands of phone lines searching for dial-up modem lines. Hackers hack into the PC attached to the modem and access the network to which it is connected.
war driving - The practice of driving around looking for unprotected home or corporate wireless networks.
war rocketing - Using rockets to let loose wireless access points attached to parachutes that detect unsecured wireless networks.
web cramming - Offering a free website for a month, developing a worthless website, and charging the phone bill of the people who accept the offer for months, whether they want to continue using the website or not.
web-page spoofing - See phishing.
white-collar criminals - Typically, businesspeople who commit fraud. White-collar criminals usually resort to trickery or cunning, and their crimes usually involve a violation of trust or confidence.
worm - Similar to a virus, except that it is a program rather than a code segment hidden in a host program. A worm also copies itself automatically and actively transmits itself directly to other systems.

X

XBRL - eXtensible Business Reporting Language is a variant of XML (eXtensible Markup Language) specifically designed for use in communicating the content of financial data. It does this by creating tags for each data item that look much like the tags used by HTML.

Z

zero-balance test - A processing control that verifies that the balance of a control account equals
zero after all entries to it have been made.
zero-day attack - An attack between the time a new software vulnerability is discovered and “released into the wild” and the time a software developer releases a patch to fix the problem.
zombie - A hijacked computer, typically part of a botherd, that is used to launch a variety of Internet attacks.

INDEX

A

ABC cost analysis, 404
acceptance tests, 669, 692
access control list (ACL), 249
access control matrix, 245
accounting duties, segregation of, 213–214
accounting information system (AIS)
  business functions, 9–10, 11
  components, 11
  corporate strategy, impact on, 13
  cost reduction and, 11
  decision-making and, 12
  definition, 10
  efficiency improvement and, 11
  factors influencing design of, 13
  firm infrastructure, 14
  human resources, 14
  inbound logistics, 14
  internal control structure and, 12
  knowledge sharing and, 11
  low-cost strategy, 11
  marketing and sales, 14
  operations, 14
  outbound logistics, 14
  predictive analysis, 13
  primary activities, 13
  primary purpose of, 218
  purchasing, 14
  service activities, 14
  supply chain, 11, 14–15
  support activities, 14
  systems, technology, 14
  threats to, 127, 128–130, 197–198
  value chain, role in the, 13–15
  value to organization, 11–12
accounting subsystems, 497
accounts payable
  in expenditure cycle, 411
  manufacturing process improvement principles and, 414
accounts receivable, maintaining, 373–376
accounts receivable aging report, 363
accounts receivable file update process, 33
accruals, 501
ACFE See Association of Certified Fraud Examiners (ACFE)
ACL See access control list (ACL)
activity-based costing (ABC), 448–449, 450
Address Resolution Protocol (ARP) spoofing, 160, 177
adjusting entries, posting, 501–502
adware, 172, 177
agents, 530
agents/resources relationships, 593
aggression, 629
agile methodologies, 667–668
  extreme programming (XP), 669
  Scrum, 668–669
  Unified Process, 669–670
AICPA See American Institute of Certified Public Accountants (AICPA)
AIS
  cookie, 130
  operational audits of, 324
  sabotage, 129
  system objectives, 631, 635
  threats, 127, 128–130, 198 (see also computer fraud; fraud; information security)
algorithm, 280
American Idol, 164
American Institute of Certified Public Accountants (AICPA), 12, 199, 237
analytical review, 217, 326
antimalware controls, 247
antivirus software vendors, 171
application controls, 198
application service providers (ASPs), 656
archive, 306
Association of Certified Fraud Examiners (ACFE), 130, 132
asymmetric encryption systems, 280, 281
attribute placement, 567, 568–569, 585–590
attributes, 32
AUC-C Section 240, 133
audit committee, 206
Audit Control Language (ACL), 336
audit evidence, 325
  analytical review, 326
  collection of, 325–326
  confirmation, 325
  evaluation of, 326
  reperformance, 325
  vouching, 325
audit hooks, 333, 334
auditing
  audit evidence, 325–326
  audit hooks, 333, 334
  audit log, 333
  audit software, 336–338
  automated decision table programs, 334
  automated flowcharting programs, 334
  compensating controls, 326, 328, 329, 330, 332, 336, 337
  compliance audit, 324
  computer-assisted audit techniques (CAATs), 336
  concurrent audit techniques, 333–334
  continuous and intermittent simulation (CIS), 333–334
  control risk, 324
  definition, 323
  detection risk, 324
  embedded audit modules, 333
  errors and fraud, 326
  financial audit, 323
  generalized audit software (GAS), 336
  information systems audits, 323, 327–336
  inherent risk, 324
  input controls matrix, 334–335
  integrated test facility (ITF), 333
  internal auditing, 323
  internal control audit, 323
  investigative audit, 324
  mapping programs, 334
  materiality, 326
  operational audits of an AIS, 338
  operational (management) audit, 324
  overview of process, 324–325
  parallel simulation, 331
  program logic, 334
  program tracing, 334
  reasonable assurance, 326
  reprocessing technique, 331
  risk-based audit approach, 326
  scanning routines, 334
  snapshot technique, 333
  software, computer, 336–338
  source code comparison program, 331
  system control audit review file (SCARF), 333
  systems review, 326
  test data generator, 332
  tests of controls, 326, 328, 329, 330, 331, 332, 336, 337
audit log, 333
audit planning, 324
audit results, communication of, 326
audits, periodic, 219–220
audit software, 336–338
audit trail, 31–32, 218, 500–501, 665
Australian, The, 168
authentication, 243
authentication controls, 243–245, 275
authentication credentials, 244
authorization, 212, 213, 245
authorization controls, 245–246, 275
Automated Clearing House (ACH) blocks, 416
Automated Clearing House (ACH) network, 377
automated decision table programs, 334
automated flowcharting programs, 334
availability
  archive, 306
  backup, 305
  business continuity plan (BCP), 307
  cloud computing and, 308
  cold site, 306
  data backup procedures, 305
  differential backup, 305
  disaster recovery plan (DRP), 306
  fault tolerance, 303
  full backup, 305
  hot site, 306
  incremental backup, 305
  objectives and key controls, 303
  real-time mirroring, 306
  recovery point objective (RPO), 304
  recovery time objective (RTO), 305
  redundant arrays of independent drives (RAID), 303
  system downtime, minimizing, 303–304
  testing, 308
  uninterruptible power supply (UPS), 304
  virtualization and, 308
avoidance, 629

B

back door, 174, 179
background check, 207
back order, 364
backup, 305
balanced scorecard, 510–511
balance-forward method, 374, 375
bar-coding, 365, 404, 448
batch processing, 33, 34
batch processing data entry controls, 299
batch processing integrity controls, 297–299
batch-related overhead, 449
batch totals, 299, 300, 477
behavioral aspects of change, 628–630
behavioral problems
  preventing, 629–630
  reasons for, 628
belief system, 199
benchmark problem, 657
bid rigging, 131
billing, 371–376
bill of lading, 369, 370
bill of materials, 437, 438, 440, 441
biometric identifier, 243
bits, 301
blanket purchase order, 405
block codes, 28
blogs, 159 bluebugging, 177 Blue Cross/Blue Shield of Massachusetts, 626 bluesnarfing, 176, 177 border router, 248 bot herders, 128, 158, 177 botnet, 128, 158, 177 botnet owners, 171 boundary system, 199 bribery, 131 Bring Your Own Device (BYOD), 252 buffer overflow attack, 161, 177, 253 business continuity plan (BCP), 306, 307 business intelligence, 86–87 business process diagrams (BPD), 51 definition, 63 guidelines for preparing, 63, 65, 82–83 symbols, 63, 64 business processes cycle activities, 8–9 definition, expenditure cycle, 7, financing cycle, 7, general ledger and reporting system, give-get exchange, human resources/payroll cycle, 7, improving, example, 9–10 production cycle, 7, revenue cycle, 6, Toyota Production System (TPS), 9–10 transaction, transaction cycles, 6–7 transaction processing, business processes or transaction cycles expenditure cycle, 7, financing cycle, 7, human resources/payroll cycle, 7, production cycle, 7, revenue cycle, 6, business process management (BPM), 664 business process management systems (BPMS), 664 Business Process Modeling Initiative Notation Working Group, 63 business process reengineering (BPR), 664 Business Software Alliance (BSA), 165, 219 C calculation linkbase, 506 caller ID spoofing, 159, 177 Canadian Institute of Chartered Accountants (CICA), 237, 277 canned software, 656 capital budgeting model, 627 cardinalities, 536–540 graphical symbols for representing, 536 representing, alternative methods for, 537 carding, 168, 177 cash collections, 377–380 cash disbursements, 401, 415–417 cash flow budget, 379–380 CCO See chief compliance officer (CCO) certificate authority, 284 change controls, change management and, 247 change management, 215 change controls and, 247 change management controls, 216 chart of accounts, 29–30 function of, 30 sample, 29 check digit, 298 check digit verification, 298–299 check-kiting scheme, 136 checksum, 301 chief compliance officer (CCO), 220 chief information security officer (CISO), 
257–258 chipping, 170, 177 CICA See Canadian Institute of Chartered Accountants (CICA) CIO magazine, 13 ciphertext, 278 CIRT See computer incident response team (CIRT) CISO See chief information security officer (CISO) CITP (Certified Information Technology Professional), 12 click fraud, 165, 177 closed-loop verification, 299, 375, 498 cloud computing, 258, 273, 308 cloud service providers, 237 COBIT framework, 200–201, 237, 242, 243, 247, 251, 252, 253, 255, 256, 257, 272, 273 Code Red worm, 161 coding, defined, 28 coding techniques, 28–29 cold site, 306, 307 collusion, 214 Committee of Sponsoring Organizations (COSO), 202 companywide overhead, 449 compatibility test, 245 compensating controls, 326, 328, 329, 330, 332, 336, 337 compensation policies, 452 completeness check, 298, 570–571 completeness test, 298, 498 compliance audit, 324 compliance objectives, 209 computer-aided design (CAD), 437–438 computer-aided software (systems) engineering (CASE), 670–671 computer-assisted audit techniques (CAATs), 336–338 computer-based storage concepts, 32 computer forensics specialists, 220 computer fraud Address Resolution Protocol (ARP) spoofing, 160, 177 adware, 172, 177 back door, 174, 179 blogs, 159 bluebugging, 177 bluesnarfing, 176, 177 bot herders, 158, 177 botnet, 158, 177 buffer overflow attack, 161, 177 caller ID spoofing, 159, 177 carding, 168, 177 chipping, 170, 177 classifications, 140–142 click fraud, 169, 177 computer attacks and abuse, 157–165 02/11/16 11:00 AM www.downloadslide.net INDEX computer instructions fraud, 140, 141 cross-site scripting (XSS), 160–161, 177 cyber-bullying, 164, 177 cyber-extortion, 164, 177 cyber sleuths, 139–140 data diddling, 163, 177 data fraud, 140, 141–142 data leakage, 163, 177 definition, 138 denial-of-service (DoS) attack, 158, 177 dictionary attacks, 159, 177 direct harvesting attacks, 159 DNS (Domain Name System) spoofing, 160, 177 drive-by downloading, 171 dumpster diving, 169 eavesdropping, 170, 177 economic espionage, 
163–164, 177 e-mail spoofing, 159, 177 e-mail threats, 164, 177 evil twin, 169, 177 forensic experts and, 139 hacking, 157–158, 177 hijacking, 158, 177 identity theft, 167, 177 impersonation, 162, 178 input fraud, 140–141 Internet auction fraud, 164, 177 Internet extortion, 164 Internet misinformation, 164, 177 Internet pump-and-dump fraud, 169, 178 Internet terrorism, 164, 177 IP address spoofing, 159, 178 keylogger software, 173, 178 Lebanese looping, 170, 178 logic bombs, 174, 179 MAC (Media Access Control) address attack, 160, 178 malware, 170–177, 178 man-in-the-middle (MITM) attack, 161, 178 masquerading/impersonation, 162, 178 online underground fraud community, 171 output fraud, 142 packet sniffers, 174, 178 password cracking, 162, 178 patch, 160 perpetrators of, 156, 158, 165–166, 170, 171, 172 pharming, 168, 178 phishing, 167–168, 178 phreaking, 163, 178 piggybacking, 162, 178 podslurping, 163, 178 posing, 167, 178 pretexting, 167, 178 preventing and detecting, 142–143 processor fraud, 141 QR barcode replacements, 169, 178 ransomware, 173, 178 rise in, 138–139 rootkit, 174–175, 178 round-down fraud, 163, 178 salami technique, 163, 178 scareware, 172, 178 scavenging/dumpster diving, 169, 178 sexting, 164, 178 shoulder surfing, 169–170, 178 skimming, 170, 178 Z02_ROMN4021_14_SE_INDEX.indd 731 SMS (short message service) spoofing, 160, 178 social engineering, 165–170, 178 software piracy, 169, 178 spamming, 159, 178 splogs, 159, 178 spoofing, 159, 178 spyware, 171–172, 178 SQL injection (insertion) attack, 161, 178 steganography programs, 174, 178 superzapping, 175, 179 tabnapping, 169, 179 techniques, summary, 177–179 time bombs, 174, 179 torpedo software, 172, 179 trap door, 174, 179 Trojan horse, 173–174, 179 typosquatting, 169, 179 URL hijacking, 169, 179 virus, 175, 179 vishing, 168, 179 war dialing, 162, 179 war driving, 163, 179 war rocketing, 163, 179 Web cramming, 169, 179 Web-page spoofing, 160, 179 worm, 175–176, 179 zero-day (zero-hour) attack, 
160, 179 zombies, 158, 179 computer incident response team (CIRT), 257 computer instructions fraud, 140, 141 computer-integrated manufacturing (CIM), 444 information system, 435–437 production cycle, 436 computer operators, 215 computer programmers, 623 computer screen design, 687 computer security officer (CSO), 220 computer virus See virus, computer Computing Technology Industry Association, 129 concatenated keys, 568 conceptual design, 621–622 conceptual design specifications, 685 conceptual-level schema, 88, 89 conceptual systems design activities, 684 conceptual design specifications, 685 conceptual systems design report, 685 definition, 683 design alternatives, evaluation of, 683–684 conceptual systems design report, 685 concurrent audit techniques, 333–334 concurrent update controls, 300 confidentiality components of protecting, 271 controlling access to sensitive information, 272–273 data loss prevention (DLP) software, 273 digital watermark, 273 identification and classification of information to be protected, 272 information rights management (IRM), 272–273 protecting, with encryption, 272 training programs, 274 confirmation, 325 context diagram, 54, 80 731 continuous and intermittent simulation (CIS), 333–334 continuous monitoring, 256 control account, 28 control activities analytical review, 217 assets, records, and data, safeguarding of, 216–217 authorization, 212, 213 authorization of transactions and activities, 212–213 categories of, 212 change management controls, 216 collusion, 214 corrective controls, 198, 255–256 custody, 213 defective controls, 198 definition, 212 design and use of documents and records, 216 digital signature, 212 general authorization, 212 performance, independent checks on, 217–218 project development and acquisition controls, 215–216 recording, 213 segregation of accounting duties, 213 segregation of systems duties, 214–215 specific authorization, 212 transactions and activities, authorization of, 212–213 control concepts 
application controls, 198–199 belief system, 199 boundary system, 199 COBIT framework, 200–201 Committee of Sponsoring Organizations (COSO), 202 corrective controls, 198 detective controls, 198 diagnostic control system, 199 Enterprise Risk Management–Integrated Framework (ERM), 202–204 ERM framework vs internal control framework, 204 Foreign Corrupt Practices Act (FCPA), 199 general controls, 198 interactive control system, 199 Internal Control–Integrated Framework (IC), 202 internal controls, 198–199 levers of, 199 preventive controls, 198 Public Company Accounting Oversight Board (PCAOB), 199 Sarbanes-Oxley Act (SOX; 2002), 199 control frameworks, 200–204 Control Objectives for Information and Related Technology (COBIT) framework, 200–201 COSO’s Enterprise Risk Management– Integrated Framework (ERM) framework, 202–204 COSO’s Internal Control Framework, 202, 203, 204 Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act (2003), 275 Control Objectives for Information and Related Technology (COBIT) framework, 200–201 02/11/16 11:00 AM www.downloadslide.net 732 INDEX control reports, 498–500 control risk, 324 controls design, 689–690 conversion, 693 (see also systems conversion) cookies, 277 corporate strategy, AIS and, 13 corrections, 502 corrective controls, 198 corruption, 131 COSO (Committee of Sponsoring Organizations), 202 cost accounting, 446–452 cost/benefit effectiveness, determination of, 211 cost driver, 449 cost management, 450–451 cost reduction, AIS and, 11 costs, in expenditure cycle, 403 costs and benefits, estimation of, 211 credit approval, 362–364 credit limit, 362 credit memo, 375, 376 credit sales, recording and posting, 31 critical path, 624 cross-footing balance test, 300 cross-footing the payroll register, 477 cross-site scripting (XSS), 160–161, 177 CRUD (creating, reading, updating, and deleting data), 33 cryptographic keys, management of, 280 custody, 213 customer inquires, responding to, 365–366 customer 
orders, taking, 359–362 customer relationship management (CRM) ­systems, 366 custom software, 659 cyber-bullying, 164, 177 cyber-extortion, 164, 177 cyber sleuths, 139–140 backgrounds of, 139 skills needed by, 139 cycle billing, 375 D data, data backup procedures, 305–306 database definition, 32, 85 file vs., 85–86 financial statement vs., 102–103 importance of database data, 87–88 retrieving information from, with REA ­diagram, 571–573 well-designed, tax benefits of, 602 database administrator (DBA), 86 database design, 527–528 See also REA data model; REA diagrams database management system (DBMS) See also relational databases definition, 86 software uses, 88 database system accounting and, future of, 102–103 advantages of, 87 conceptual-level schema, 88, 89 data, good, importance of, 87–88 data dictionary, 90, 91 DBMS languages, 90 Z02_ROMN4021_14_SE_INDEX.indd 732 definition, 86 external-level schema, 88, 89 internal-level schema, 88, 89 logical and physical views of data, 88, 89 record layout, 88 schemas, 88–90 subschema, 88, 89 data control group, 215 data definition language (DDL), 90 data destination, 52 data dictionary, 90, 91 data diddling, 163, 177 data entry controls, 298–299 additional batch processing, 299 data flow, 53 data flow diagram (DFD) See also flowcharts context diagram, 54, 80 data flow, 53 data source and data destination, 52 data store, 54 definition, 51 drawing guidelines, 57 elements, 52 Level 0, 56, 80–81 Level 1, 56, 57, 82 processes, 53 subdivision of, 54 symbols, 52 use of, 52 data fraud, 140, 141–142 data input, 26–27 company policies, following, 27 data capture, 26 data capture, checking accuracy of, 27 steps, 26 data leakage, 163, 177 data loss prevention (DLP) software, 273 data manipulation language (DML), 90 data masking, 275 data matching, 299 data mining, 86 data model, logical, 90 data modeling in database design process, 528 definition, 528 user participation in, 542 data normalization, 117–124 definition, 117 first normal 
form (1NF), 118 remove partial dependencies, 123 remove repeating groups, 121–123 remove transitive dependencies, 123–124 second normal form (2NF), 118 third normal form (3NF), 118 unnormalized table, steps in normalization process, 121 data processing batch processing, 33, 34 online batch processing, 33, 34 online real-time processing, 33, 34 types of, 33 data processing cycle, 26–35 data processing schedule, 215 data query language (DQL), 90 data source, 52 data storage, 27–32 data store, 54 data value, 32 data warehouse definition, 86 using, 86–87 Data Warehousing Institute, 87 DBA See database administrator (DBA) DBMS See database management system (DBMS) DBMS languages data definition language (DDL), 90 data manipulation language (DML), 90 data query language (DQL), 90 defense-in-depth, 239, 250, 272 report writer, 90 DDL See data definition language (DDL) debit memo, 409 debugging, 688–689 decision making, AIS value added to, 12 decryption, 278, 279 deduction register, 475 deep packet inspection, 250 defense-in-depth, 239, 250, 272 deferrals, 502 definition linkbase, 506 delete anomaly, 92 demand reports, 686 demilitarized zone (DMZ), 248 denial-of-service (DoS) attack, 128, 158–159, 177 Department of Defense (DOD), resistance to change at, 629 detection risk, 324 detective controls, 198 definition, 198 intrusion detection systems (IDSs), 256 log analysis, 255–256 penetration test, 256 preventive controls vs., 211 development documentation, 692 device hardening controls, 251–252 DFD See data flow diagram (DFD) diagnostic control system, 199 dictionary attacks, 159, 177 See also direct harvesting attacks corporate e-mail systems and, 159 detection of, 159 Internet service providers and, 159 differential backup, 305 digital assets, 591 digital certificate, 284 digital signature, 212, 282–284 digital watermark, 273 direct conversion, 693 direct deposit, 478 direct harvesting attacks, 159 See also dictionary attacks direct labor costs, 447 disaster recovery plan 
(DRP), 306–308 disbursement voucher, 412 disbursing payroll, 477–479 disposal of sensitive information, 273 DML See data manipulation language (DML) DMZ See demilitarized zone (DMZ) DNS (Domain Name System) spoofing, 160, 177 documentation, 51, 692 document flowcharts, 58–59 See also flowcharts definition of, 51 example, 60–61 02/11/16 11:00 AM www.downloadslide.net INDEX internal control flowcharts, 59 preparation of, 62 documents, 33–34 double-entry accounting, 217–218 DQL See data query language (DQL) drive-by downloading, 171 drop services (drops), 171 DRP See disaster recovery plan (DRP) dumpster diving, 169, 178 See also scavenging E earnings statement, 475 eavesdropping, 170, 177 e-business, encryption in, 278 economic espionage, 163, 177 economic feasibility, 626, 636 economic order quantity (EOQ), 403 EDI over the Internet (EDINT), 405 efficiency improvement, AIS and, 11 electronic data interchange (EDI), 359, 396, 398, 410, 417, 442 Electronic Data Systems (EDS), Navy contract, 625 electronic funds transfer (EFT), 377, 378, 379, 399, 417, 418 electronic lockbox, 377 electronic voting example, 302 electronic warfare, 128 element, 503–504 definition, 503 e-mail, backing up and archiving, 306 e-mail spoofing, 159, 177 e-mail threats, 164, 177 embedded audit modules, 333, 416 embezzlement, 232 employee deductions, voluntary, calculating and disbursing, 479 employee fraud, 130–131, 134, 137 See also misappropriation of assets employee jobs and attitudes, understanding, 467 employees’ time tracking, 598–599 employer-paid benefits taxes, calculating and disbursing, 479 employment (hiring) law, 469 encryption algorithm, 280 asymmetric encryption systems, 280, 281 certificate authority, 284 ciphertext, 278 confidentiality protection with, 272 decryption, 278, 279 definition, 278 digital certificate, 284 digital signatures, 282–284 hashing, 282 HRM/payroll master data and, 467 IT solutions, 254 key escrow, 281 key length, 279 management of cryptographic keys, 280 
nonrepudiation, 282 plaintext, 278 privacy and, 274–275 private key, 280 process, steps in, 279 public key, 280 Z02_ROMN4021_14_SE_INDEX.indd 733 public key infrastructure (PKI), 284 symmetric encryption systems, 280, 281 systems, types of, 280–281 virtual private network (VPN), 285 endpoint configuration, 251–252 endpoints, 251–252 end-user computing (EUC), 659–660 end-user developed software, 659–660 enterprise resource planning (ERP) systems, 25 advantages, 36–37 definition, 35 disadvantages, 37 expenditure cycle and, 397 human resources management (HRM)/payroll cycle and, 464 modules, 35–36 overview, 35–38 production cycle and, 435, 436, 441–442, 443, 449 revenue cycle and, 356, 358, 359 selection of, 37–38 Enterprise Risk Management–Integrated Framework (ERM), 202–204 Enterprise Risk Management model control activities, 212–218 event identification, 209 information and communication, 218 monitoring, 218–221 objective setting, 208–209 risk response and assessment, 209–212 entity, 32, 528, 529, 530 entity integrity rule, 94 entity-relationship (ER) diagram, 528–529 See also REA data model; REA diagrams ERM framework vs internal control framework, 204 error log, 299 estimates, 502 Ethernet headers, 249 evaluated receipt settlement (ERS), 412–413 even parity, 301 event, defined, 209 event entities, redundant, merging, 565 event identification, 209 events, 198, 209, 530, 596, 597 evil twin, 169, 177 executable architecture baseline, 670 expected loss, 211 expenditure cycle, 15 ABC cost analysis, 404 accounts payable, 411, 414 activities, 7, attribute placement, 587–590 blanket purchase order, 405 cash disbursements, 415–417 context diagram, 395 costs in, 403 debit memo, 409 definition, 7, 395 disbursement voucher, 412 economic order quantity (EOQ), 403 electronic data interchange (EDI), 396, 397, 407, 410, 417 embedded audit modules, 416 enterprise resource planning (ERP) system and, 390 errors in counting goods, 410 evaluated receipt settlement (ERS), 412–413 733 
events, 587–590 imprest fund, 417 inferior-quality goods, purchasing, 407 inflated prices, ordering goods at, 406–407 information system, 396–402, 434 integrative case, 394–395 just-in-time (JIT) inventory system, 403 kickbacks, 408 level data flow diagram, 397 manufacturing process improvement principles, 414 materials requirement planning (MRP), 403 nonvoucher system, 411 objectives, 396 ordering, 402–408 ordering costs, 403 paying for goods and services, 411–413 payment of approved invoices, 411–413 procurement card, 412–413 purchase order, 405, 406 purchase requisition, 404 purchasing, 403–408 radio frequency identification, 398, 410, 417 REA diagrams and, 562, 587–590 receiving, 409–411 receiving report, 409 reorder point, 403 revenue cycle compared to, 398 source documents and, 27 stockout costs, 403 supplier audits, 408 supplier invoices, approving, 411–415 suppliers, choosing, 405–408 theft, 411, 417 threats and controls, 399–402, 404–405, 406–408, 410–411, 413–415, 415–417 unordered goods, receiving, 410 vendor invoices, approving, 411–413 vendor-managed inventory (VMI), 406 voucher package, 411 voucher system, 411 exploit, 252 exposure, 198, 198 See also impact extensible language, 507 extension taxonomy, 507 external failure costs, 452 external-level schema, 88, 89 extreme programming (XP), 669 F Facebook, fraud and, 166 fault tolerance, 303 feasibility analysis, 625–627 feasibility study, 633 field, 32 field check, 298 field (format) checks, 498 FIFO/LIFO, 406 file, 32 file and database design, 686 file labels, 299 filtering packets, 249–250 Financial Accounting Standards Board (FASB), 472 financial audit, 323 financial electronic data interchange (FEDI), 378, 379, 399 02/11/16 11:00 AM www.downloadslide.net 734 INDEX Financial Services Modernization Act (FSMA), 277 financial statement pressure triangle (fraud), 134, 135 financial statements databases vs., 102–103 generating, 572–573 preparing, 502–508 financial total, 299 financing activities data 
model, 599–600 financing cycle, 7, 15 activities, 7, firewall, 248 firm infrastructure, AIS and, 14 fixed assets, accounting for, 445 flexible benefits plans, 479 flexible budget, 510 flow and miscellaneous symbols, 58, 59 flowcharts See also data flow diagram definition, 58 document flowcharts, 58–61 flow and miscellaneous symbols, 58, 59 guidelines for preparing, 62, 78–79 input/output symbols, 58 internal control flowcharts, 59 preparation guidelines, 62 processing symbols, 58 program, 63 storage symbols, 58, 59 system flowcharts, 60–62, 63 Foreign Corrupt Practices Act (FCPA; 1977), 199 foreign key, 90, 569–570, 587, 589 forensic experts, 139 forensic investigators, 220 format check, 498 form design, 687, 688 forms design, 297 fraud See also computer fraud check-kiting scheme, 136 “cook the books” schemes, 132 corruption, 131 definition, 130 employee, 130–131, 134, 137 fraud triangle, 134–138 fraudulent financial reporting, 132 investment, 131 lack of reporting and prosecution, 208 lapping scheme, 136 losses to, 130–131, 132, 138 misappropriation of assets, 131–132 opportunities for committing, 135–137 perpetrators of, 133–134, 135, 137–138 pressures to commit, 134–135 rationalizations for, 137–138 risk-based audit approach and, 326 SAS No 99, 133 white-collar criminals, 131, 150–151 fraud detection software, 220–221 fraud hotline, 221 fraud triangle, 134–138 opportunities, 135–137 pressures, 134–135 rationalization, 137–138 fraudulent financial reporting, 508 freight bill, 369 FSMA See Financial Services Modernization Act (FSMA) full backup, 305 Z02_ROMN4021_14_SE_INDEX.indd 734 G Gantt chart, 624, 625 GAPPs See Generally Accepted Privacy Principles (GAPP) general authorization, 212 general controls, 198 generalized audit software (GAS), 336–338 general journal, 30 general ledger, 28 general ledger and reporting system, 8, 15 accountant, role of, 506–507 accounting subsystems, 497 accruals, 501 activities, 493–494 adjusting entries, posting, 496, 501–502 audit 
trail, 500–501 balanced scorecard, 510–511 closed-loop verification, 498 completeness test, 498 context diagram, 494 corrections, 502 deferrals, 502 design of, 494–495 element, 503 estimates, 502 extension taxonomy, 507 field (format) checks, 498 financial statements, preparing, 496, 502–508 flexible budget, 510 GAAP transition to IFRS, 502–503 graph design, 511–513 instance document, 503 integrative case, 492–493 introduction, 493–494 journal voucher file, 497 level data flow diagram of, 494 linkbases, 506 loss or unauthorized disclosure of financial information, 496 managerial reports, producing, 496, 508–513 reconciliations and control reports, 498–500 responsibility accounting, 508 revaluations, 502 run-to-run totals, 498 schema, 504 sign check, 498 style sheet, 506 taxonomy, 504 threats and controls, 495–496, 497–498, 502, 507–508 treasurer, 497 trial balance, 498–499 updating the general ledger, 496, 497–501 validity check, 498 XBRL (eXtensible Business Reporting Language), 503–506 zero-balance check, 498 Generally Accepted Accounting Principles (GAAP), 502–503 Generally Accepted Privacy Principles (GAPPs), 277–278, 451 give-get exchange, globalization, in revenue cycle, 371 goal conflict, goal congruence, Gramm-Leach-Bliley Act, 277 graph design, 511–513 group codes, 28 guarantors, 171 H Hackers (film), 163 hacking, 157–158, 177 hardening, 252 hardware acquisition, 656–657 hardware evaluation, 657 hardwiring, 303 hash, 282 hashing, 282 hash total, 299 header record, 299 Health Information Technology for Economic and Clinical Health Act (HITECH), 277 Health Insurance Portability and Accountability Act (HIPPA), 237, 277 help desk, 661 hijacking, 158, 177 HIPPA See Health Insurance Portability and Accountability Act (HIPPA) hiring, of unqualified or larcenous employees, 469 HITECH See Health Information Technology for Economic and Clinical Health Act (HITECH) hot site, 306, 307 HR cycle entities, 597–598 HR/payroll data model, combination of, 597–599 HTML 
sanitization, 161 human resources activities, AIS and, 14 human resources cycle, source documents and, 27 human resources management (HRM)/payroll cycle, 7, 8–9, 15 accountants and compensation policies, 472 activities, batch totals, 477 compensation policies, 452 contents and purpose of commonly generated reports, 477 context diagram, 469 controls, 466–469 cross-footing the payroll register, 477 deduction register, 475 definition, 463 direct deposit, 477 disbursing payroll, 468, 477–478 earnings statement, 475 employee deductions, voluntary, calculating and disbursing, 479 employee jobs and attitudes, understanding, 467 employees’ time tracking, 598–599 employer-paid benefits taxes, calculating and disbursing, 479 enterprise resource planning (ERP) system and, 465 flexible benefit plans, 479 hiring laws, violation of, 469 hiring unqualified or larcenous employees, 468–469 HR cycle entities, 597–598 inaccurate or invalid master data, 466–467 inaccurate time and attendance data, 473 inaccurate updating of payroll master data, 466 information needs, 464–466 integrative case, 482–483 introduction and overview, 463–464 02/11/16 11:00 AM www.downloadslide.net INDEX knowledge management systems, 465 level data flow diagram, 470 master database, 466 outsourcing, 479–480 overview, 464–466 paychecks, 469 payroll, preparing, 468, 474–477 payroll batch processing, flowchart of, 474 payroll check, 469 payroll clearing account, 477 payroll cycle activities, 469–479 payroll master database, updating, 468, 470–471 payroll register, 475 payroll service bureaus, 479 processing payroll, 474–475 professional employer organization (PEO), 479–480 tasks, 463 theft or fraudulent distribution of paychecks, 471 threats and controls, 466–469, 470–471, 473, 475, 477, 478–479 time and attendance data, validating, 468, 471–473 time card, 471 time sheets, 471 unauthorized disclosure of sensitive information, 467 I identity fraudsters, 171 identity intermediaries, 171 identity theft, 167, 177, 
276 IDSs See intrusion detection systems (IDSs) image processing technology, 375 impact, 198 See also exposure impersonation, 162, 178 implementation and conversion, 622 implementation plan, 690 imprest fund, 417 inbound logistics, 14 incremental backup, 305 independent checks on performance, 217–218 independent review, 218 information, characteristics of useful, information and communication, 218 information needs business processes and, 4–10 HRM process and, 464–466 systems requirements and, 633–635 information output, 33–35 documents, 33–34 forms of, 33–35 query, 35 reports, 34–35 information overload, information rights management (IRM), 272–273 information security See also confidentiality; encryption; privacy access control list (ACL), 249 access control matrix, 245, 246 access controls, 254 antimalware controls, 247 antivirus tools, 238 authentication controls, 243–245 authorization controls, 245–246 Z02_ROMN4021_14_SE_INDEX.indd 735 biometric identifier, 243 border router, 248 chief information security officer (CISO), 257–258 cloud computing, 258 COBIT framework, 237–238 compatibility test, 245 computer incident response team (CIRT), 257 concepts, 238–240 continuous monitoring, 256 corrective controls, 257–258 deep packet inspection, 250 defense-in-depth, 239, 250 demilitarized zone (DMZ), 248 device and software hardening controls, 252 dial-up connections, 251 encryption, 238, 254 endpoint configuration, 251–252 endpoints, 251–252 exploit, 252 firewall, 248 hardening, 252 Internet of Things (IoT), 259 intrusion detection systems (IDSs), 256 intrusion prevention systems (IPSs), 250 life cycle, 239 log analysis, 255–256 as management issue, 238–239 man-trap, 254 multifactor authentication, 244 multimodal authentication, 244 network access controls, 247–248 network access restriction, 251 organizational network architecture, 248 packet filtering, 250 passwords, 245 patch, 252 patch management, 252 penetration testing, 246 perimeter defense, 248–251 physical 
  access controls, 254–255
  preventive controls, 243–246
  routers, 249
  security awareness training, 242–243
  “security-conscious” culture, 242
  software design, 253
  software hardening controls, 251–253
  spear phishing, 242
  systems reliability and, 238
  targeted attacks, 240–241
  TCP/IP, 249–250
  time-based model of security, 239–240, 241
  user access controls, 243–246
  user account management, 252
  virtualization, 258
  vulnerabilities, 252
  vulnerability scanners, 252
  wireless access, 251
information system library, 215
information systems audits, 323, 327–336
  audit program development, framework for, 329
  computer processing, 331–334
  data files, 335
  overall security, 327–329
  program development and acquisition, 329–330
  program modification, 330–331
  source data, 334–335
information systems steering committee, 622
information technology (IT)
  AIS corporate strategy and, 13
  external reporting and, 102
  FedEx, use of, 13
  input/output symbols, 56
  organizational reliance on, 237
  in revenue cycle, 359–361
inherent risk, 209, 324
initial investigation, 630
input controls, 297–298, 301
input controls matrix, 334–335
input design, 687
input fraud, 140–141
input/output symbols, 58
insert anomaly, 92
inspection costs, 452
instance document, 503
intangible services, 590–591
integrated test facility (ITF), 333
integration tests, 669
intellectual property, 594–596
intentional acts, examples of, 129–130
interactive control system, 199
Interactive Data Extraction and Analysis (IDEA), 336
internal auditing, 323
internal control audit, 323
internal control flowcharts, 59
Internal Control–Integrated Framework (IC), 202
internal controls
  in business process management system, 664–665
  categories of, 198–199
  developing, 198
  functions of, 198
  limitations of, 199
  risk assessment approach to designing, 210
internal control structure, AIS and, 12
internal environment
  audit committee, 206
  authority, assigning, 206
  background check, 207
  board of directors, internal control oversight by, 206
  commitment to integrity, ethical values, and competence, 205–206
  compensation, 207
  components of, 204–205
  confidentiality agreements and fidelity bond insurance, 208
  definition, 204
  discharging employees, 207
  disgruntled employees, management of, 207
  evaluation and promotion methods, 207
  external influences, 208
  hiring procedures, 207
  human resources standards, 206–208
  organizational structure, 206
  policy and procedures manual, 206
  prosecution and incarceration of perpetrators, 208
  responsibility, assigning, 206
  risk appetite, 205
  training programs, 207
  vacations and rotations of duties, 207–208
internal failure costs, 452
internal-level schema, 88, 89
internal rate of return (IRR), 627
International Financial Reporting Standards (IFRS), 502–503
Internet auction fraud, 164, 177
Internet misinformation, 164, 177
Internet of Things (IoT), 259
Internet Protocol (IP), 249
Internet pump-and-dump fraud, 165, 178
Internet terrorism, 164, 177
interview, 632
intrusion detection systems (IDSs), 256
intrusion prevention systems (IPS), 250
inventory
  invoices/invoicing, 371–373
  just-in-time (JIT) system, 403
  materials requirements planning (MRP), 403
  theft of, 368
inventory availability, checking, 364–365
investigative audit, 324
investment fraud, 131
invoiceless approach, 412
invoices/invoicing, 371–373, 411–415
IP address spoofing, 159, 178
IPS. See intrusion prevention systems (IPS)
IRS, system modernization, 620
IT. See information technology (IT)

J
job-order costing, 446
job rotation, 408
job-time ticket, 447
John Hancock, prototyping at, 670
journals. See also general ledger and reporting system
  attributes, 32–33
  audit trail, 31–32
  computer-based storage concepts, 32
  database, 32
  data value, 32
  entity, 32
  field, 32
  file, 32
  general journal, 30
  master file, 32
  record, 32
  in relational database, 571–572
  sample sales, 30
  specialized journal, 30
  transaction file, 32
journals and ledgers, creating, 571–572
journal voucher file, 497
just-in-time (JIT) inventory system, 10, 403

K
kaizen, 414
key escrow, 281
keylogging software, 173, 178
kickbacks, 408
knowledge management systems, 465
knowledge sharing, AIS and, 11

L
label linkbase, 506
lapping scheme, 136
lean manufacturing, 439
Lean principles, 414
Lebanese looping, 170, 178
ledgers. See also general ledger and reporting system
  block codes, 28
  chart of accounts, 29–30
  coding techniques, 28–29
  control account, 28
  general ledger, 28
  group codes, 28
  mnemonic codes, 28
  in relational database, 572
  sequence codes, 28
  subsidiary ledger, 28
legal feasibility, 626
level data flow diagram, 56, 80–81
Level data flow diagram, 56, 57, 82
LIFO/FIFO, 406
likelihood of threat, 198
limit check, 298
linkbases, 506
local area network (LAN), 249
location entities, 593
lockbox, 377
log analysis, 255–256
logical models, 633
logical view, of data, 88, 89
logic bombs, 174, 179
low-cost strategy, 13

M
MAC. See media access control (MAC)
machinery and equipment usage, 447
MAC (Media Access Control) address attacks, 160, 178
malicious software, 133
malware, 128, 133, 168. See also virus, computer
  adware, 172
  back door, 174
  bluesnarfing, 176–177
  defined, 170
  keylogger software, 173
  logic bombs, 174
  packet sniffers, 174
  ransomware, 173
  rootkit, 174–175
  scareware, 172
  spyware, 171–172
  steganography programs, 174
  superzapping, 175
  time bombs, 174
  torpedo software, 172
  trap door, 174
  Trojan horse, 173–174
malware owners, 171
malware writers, 171
managerial reports, 508–513, 573
man-in-the-middle (MITM) attack, 161–162, 178
man-trap, 254
manufacturing overhead costs, 447
manufacturing resource planning (MRP-II), 439
many-to-many (M:N) relationship, 538, 539, 540, 566–568
mapping programs, 334
marketing and sales activities, AIS and, 14
masquerading (impersonation), 162, 178
master file, 32
master plan, 623, 624
master production schedule (MPS), 439–440, 442
materiality, 326
materials requirements planning (MRP), 403
materials requisition, 440
maximum cardinality, 537
media access control (MAC), 245
Media Access Control (MAC) address attack, 160
merging redundant resource entities, 535–536
Microsoft Access database, creating queries in, 95–102
minimum cardinality, 537
misappropriation of assets, 131–132. See also employee fraud
M:N agent-event relationships, 593
mnemonic codes, 28
M:N relationship, 538, 539, 540, 566–568
mobile devices, 219
  configuration of, 253
monitoring, performance
  conducting periodic audits, 219–220
  employing chief compliance officer (CCO), 220
  employing computer security officer (CSO), 220
  engaging forensic specialists, 220
  implementing effective supervision, 218–219
  implementing fraud hotline, 221
  installing fraud detection software, 220–221
  monitoring system activities, 219
  performing internal control evaluations, 218
  tracking purchased software and mobile devices, 219
  using responsibility accounting systems, 219
monthly statement, 374
move tickets, 440
multifactor authentication, 244
multimodal authentication, 244–245

N
narrative description, 51
NASDAQ, 307
National Commission on Fraudulent Reporting (Treadway Commission), 132
natural disasters, AIS threats and, 128
net present value (NPV), 627
network access controls, 247–251
network access restriction, 250
network managers, 215
neural networks, 220–221
noninventory purchases, 410–411
nonoperational (throwaway) prototypes, 666
nonrepudiation, 282
nonvoucher system, 411
normalization, 95

O
objective setting
  compliance objectives, 209
  operations objectives, 209
  reporting objectives, 209
  strategic objectives, 208–209
observation, 632, 633
Office Space (film), 163
OLAP. See online analytical processing (OLAP)
1:1 relationships, 538, 539, 541, 569–570
one-to-many (1:N) relationship, 538, 539, 540, 541, 570, 597
one-to-one (1:1) relationship, 538, 539, 541, 569–570
online analytical processing (OLAP), 86
online batch processing, 33, 34
online real-time processing, 33, 34
open-invoice method, 374
operational audit, 324, 338
operational feasibility, 626
operational prototypes, 666
operation and maintenance
  postimplementation review, 694
  postimplementation review report, 694
operations activities, 14
operations and maintenance, 622
operations documentation, 692
operations list, 437, 438
operations objectives, 209
opportunities for committing fraud
  internal control factors, 137
  other factors, 137
opportunity triangle (fraud), 135–137
  committing fraud, 135
  concealing fraud, 135–136
  converting theft or misrepresentation to personal gain, 136
  permitting employee and financial statement fraud, 137
opposite one-to-many (1:N) relationship, 538
ordering, 400, 402–408
ordering costs, 403
organizational culture, 13
organizational network architecture, 248
outbound logistics, 14
output controls, 300–301, 302
output design, 686
output fraud, 142
outsourcing, 369, 479–480, 662–663
overhead, 449
overproduction, 443

P
packet filtering, 250
packet sniffers, 174, 178
packing slip, 369
parallel conversion, 693
parallel simulation, 331
parity bit, 301
parity checking, 301
password cracking, 162, 178
passwords, 244
patch management, 252
patch (software), 160, 252
“Patch Tuesday,” 160
payback period, 627
Payment Card Industry Data Security Standards (PCI-DSS), 237
payroll clearing account, 477
payroll cycle, REA diagrams and, 563
payroll master database, updating, 468, 470–471
payroll register, 475
payroll service bureau, 479
PCI-DSS. See Payment Card Industry Data Security Standards (PCI-DSS)
penetration test, 246
performance, independent checks on, 217–218
performance metrics, 451
perimeter defense, 248–250
personnel, selecting and training, 691
phantom controllers, 137
pharming, 168, 178
phase-in conversion, 694
phishing, 167, 178. See also Web-page spoofing
phreaking, 163, 178
physical access controls, 254–255
physical design, 622
physical inventory worksheet, 365
physical models, 633
physical systems design
  activities, 685
  computer screen design, 687
  controls design, 689–690
  debugging, 688
  definition, 685
  demand reports, 686
  file and database design, 686–687
  form design, 687
  input design, 687
  output design, 686
  physical systems design report, 690
  procedures design, 689–690
  program design, 688
  program maintenance, 689
  scheduled reports, 686
  special-purpose analysis reports, 686
  structured programming, 688
  triggered exception reports, 686
physical systems design report, 690
physical view, of data, 88
picking ticket, 364
piggybacking, 162, 178, 242
pilot conversion, 694
PKI. See public key infrastructure (PKI)
plaintext, 278
planning and scheduling, 439–444
podslurping, 163, 178
point scoring, 657–658
policy and procedures manual, 206
political disasters, AIS threats and, 128
posing, 167, 178
postimplementation review, 215, 694
postimplementation review report, 694
pre-award audit, 406
predictive analysis, 13
presentation linkbase, 506
preserving confidentiality, 271–274
pressures to commit fraud, 134–135
  emotional, 134, 135
  financial, 134–135, 136
  industry conditions, 136
  lifestyle, 134, 135
  management characteristics, 136, 137
pretexting, 167, 178
prevention costs, 452
preventive controls, 198, 211
primary activities, 13
primary key, 90, 568, 587, 589
privacy
  components of protecting, 271
  concerns, 275–276
  controls for, 274–275
  cookies, 277
  data masking, 275
  identity theft, 276
  regulations and Generally Accepted Privacy Principles (GAPP), 277–278
  tokenization, 275
private key, 280
procedures design, 689–690
process costing, 446
processes, 53–54
processing controls, 299–300, 301–302
processing integrity controls in spreadsheets, 302–303
processing integrity principle, 297–303
  batch processing data entry controls, 299
  batch processing integrity controls, 297–299
  batch totals, 299
  cancellation and storage of source documents, 297
  check digit, 298
  check digit verification, 298–299
  checksum, 301
  closed-loop verification, 299
  completeness check, 298
  concurrent update controls, 300
  cross-footing balance test, 300
  data entry controls, 298–299
  data matching, 299
  error log, 299
  field check, 298
  file labels, 299–300
  financial total, 299
  forms design, 297
  hash total, 299
  header record, 299
  input controls, 297–299, 301
  limit check, 298
  online controls, 299
  online data entry controls, 299
  output controls, 300–301, 302
  overview, 297
  parity bit, 301
  parity checking, 301
  processing controls, 298, 299–300, 301–302
  prompting, 299
  range check, 298
  reasonableness test, 298
  record count, 299
  sequence check, 299
  sign check, 298
  size check, 298
  source documents, cancellation and storage of, 297
  spreadsheets and, 302–303
  trailer record, 299
  transaction log, 299
  transposition error, 300
  turnaround document, 297
  validity check, 298
  write-protection mechanisms, 300
  zero-balance test, 300
processing symbols, 58
processing test data, 692
processor fraud, 141
procurement card, 412–413
product backlog, 668
product design, 437–439
production cycle
  accountant, role of, 434–435
  activities, 7,
  activity-based costing and, 448–449, 450
  batch-related overhead, 449
  bill of materials, 437, 438
  companywide overhead, 449
  computer-aided design (CAD) software, 437–438
  computer-integrated manufacturing (CIM), 444
  context diagram, 434
  cost accounting, 437, 446–452
  cost driver, 449
  cost management, 450–451
  definition, 7, 433
  direct labor costs, 447
  enterprise resource planning (ERP) system and, 435–436, 441–442, 449
  events, 596, 597
  external failure costs, 452
  fixed assets, accounting for, 445
  information, 435–437
  inspection costs, 452
  integrative case, 432–433
  internal failure costs, 452
  job-order costing, 446
  job-time ticket, 447
  lean manufacturing, 439
  level data flow diagram, 434
  machinery and equipment usage, 447
  manufacturing overhead costs, 447
  manufacturing resource planning (MRP-II), 439
  master production schedule (MPS), 439–440
  materials requisition, 440
  move tickets, 440
  operations list, 437, 438
  performance metrics, 451
  planning and scheduling, 437, 439–444
  prevention costs, 452
  process costing, 446
  product design, 437–439
  production operations, 437, 444–446
  production order, 440
  product life-cycle management (PLM) software, 437, 438
  product-related overhead, 449
  pull manufacturing, 439
  push manufacturing, 439
  quality control, 452
  radio frequency identification (RFID), 446, 448
  raw materials usage data, 446
  REA model and, 595–597
  request for proposal (RFP), 445
  threats and controls, 436–437, 439, 443–444, 444–446, 447–448
  throughput, 451–452
production cycle REA model
  events of, 594, 596
  intellectual property, 594–596
production operations, 444–446
production order, 440
productive capacity, 451
productive processing time, 451
product life-cycle management (PLM) software, 437, 438, 439
product owner, 668
product-related overhead, 449
professional employer organization (PEO), 479–480
program design, 688–689
program evaluation and review technique (PERT), 623–624
program flowchart, 51, 63. See also flowcharts
program logic, 334
program maintenance, 689
programmers, 215
program tracing, 334
project development and acquisition controls, 215–216
project development plan, 215, 623
project development team, 622–623
projection, 629
project milestones, 215
prompting, 299
proposal to conduct systems analysis, 631
prototyping
  advantages of, 666–667
  conditions favoring use of, 667
  definition, 665
  developing, 665–666
  disadvantages of, 667
  nonoperational (throwaway) prototypes, 666
  operational prototypes, 666
  when to use, 666
Public Company Accounting Oversight Board (PCAOB), 199
public key, 280
public key infrastructure (PKI), 284
pull manufacturing, 439
purchase order, 405
purchase requisition, 404
purchasing, 14, 402–408
purchasing activities, AIS and, 14
push manufacturing, 439

Q
QR barcode replacements, 169, 178
QR codes, 361
QR (Quick Response) code, 169
quality control, 452
query, 35
questionnaires, 632, 633

R
radio-frequency data communication (RFDC) terminals, 367
radio frequency identification (RFID), 300, 365, 367, 368, 398, 404, 406, 410, 417, 418, 440, 444, 445, 446, 448
rainbow tables, 497
range check, 298
ransomware, 173, 178
rationalization, definition, 137
rationalization triangle (fraud), 137–138
raw materials usage data, 446
REA data model
  agents, 530
  definition, 529
  elements, 530
  employee roles, 593
  entities, 530
  E-R diagrams and, 528–529
  events, 530
  integrative case, 526
  introduction, 526–527
  locations, 593
  M:N agent-event relationships, 593
  production cycle and, 594–597
  resources, 530
  resources/agents relationships, 593
  template for, 530–532
  types of, 530
REA diagrams
  acquisition of intangible services, 590–591
  agents, relationship between, 593
  attribute placement, 585–590
  cardinalities of relationships, 536–540
  combining, 563–564
  completeness check, 570–571
  developing, 533–540
  digital assets, 591
  enterprise-wide, integrated, 600–601
  event entities, merging, 565
  events, 596
  expenditure cycle events and, 587–590
  financial statements, generating, 572–573
  financing activities data model and, 599–600
  for HRM/payroll cycles, 597–599
  intangible services, 590–591
  integrated, validating accuracy of, 566
  integrating, across cycles, 561–565
  intellectual property and, 594–596
  journals and, 571–572
  ledgers and, 572
  locations, 593
  managerial reports, creating, 573
  many-to-many (M:N) relationship, 539, 540, 566–568
  maximum cardinality, 537
  minimum cardinality, 537
  one-to-many (1:N) relationship between employees and supervisors, 597
  one-to-many (1:N) relationship, 539, 540, 541, 570
  one-to-one (1:1) relationship, 538, 541, 569–570
  opposite one-to-many (1:N or N:1) relationship, 538
  production cycle and, 594
  redundant resource entities, merging, 564–565
  relational databases and, 566–571
  relevant events, identifying, 533–535
  rental transactions, 591–593
  resource entities, merging, 564–565
  resources and agents, identifying, 535–536
  resources and agents, relationships between, 593
  for retrieving information from a database, 571–573
  revenue cycle events and, 585–587
  sale of services, 590
  uniqueness of, 541–542
read-only access, restricting, 497
real-time mirroring, 306
reasonable assurance, 326
reasonableness test, 298
receiving, 400, 409–411
receiving report, 409
reconciliations and control reports, 498–500
record, 32
record count, 299
recording, 213
record layout, 88
recovery point objective (RPO), 304
recovery time objective (RTO), 305
redundant arrays of independent drives (RAID), 303
redundant resource entities, merging, 564–565
reference linkbase, 506
referential integrity rule, 94
relational database queries, creating, 95–102
relational databases. See also database system
  attributes, 90–92
  creating relational database queries, 95–102
  data model, 90
  definition, 94
  delete anomaly, 92
  design approaches, 95
  designing, 92–94
  entity integrity rule, 94
  foreign key, 90
  insert anomaly, 92
  introduction, 84–85
  normalization, 95
  primary key, 90
  queries, creating, 95–102
  REA diagrams and, 566–571
  referential integrity rule, 94
  relational data model, 90
  requirements of, 94–95
  semantic data modeling, 95
  tuple, 90
  update anomaly, 92
relational data model, 90
relational tables, attributes for, 567, 568–569, 587, 589, 595
relationships and cardinalities, 538–540
remittance advice, 374
remittance list, 377
Remote Deposit Capture software, 377
rental transactions, 591–593
reorder point, 403
reperformance, 325
reporting objectives, 209
reports, 34–35
report writer, 90
reprocessing technique, 331
request for proposal (RFP), 445, 656
request for systems development, 630
requirement costing, 658
residual risk, 209
resource entities, merging, 564–565
resources, 530
resources/agents relationships, 593
response time, 215
responsibility accounting, 508
revaluations, 502
revenue cycle, 15
  accounts receivable, maintaining, 373–376
  accounts receivable aging report, 363–364
  activities, 6, 8, 355
  application, 354
  attribute placement, 585–587
  back order, 364
  balance-forward method, 374
  billing, 357, 371–376
  bill of lading, 369, 370
  cash collections, 358, 377–380
  cash flow budget, 379, 380
  context diagram, 354
  credit approval, 362–364
  credit limit, 362
  credit memo, 375
  customer orders, taking, 359–362
  customer relationship management (CRM) systems, 366
  cycle billing, 375
  definition, 6, 354
  distribution centers, 370
  electronic data interchange (EDI), 359–360
  electronic funds transfer (EFT), 377
  electronic lockbox, 377
  enterprise resource planning (ERP) system, 356, 359
  financial electronic data interchange (FEDI), 378
  freight bill, 369
  globalization, 371
  image processing technology, 375
  information system, 356–359, 434
  information technology and, 359–361
  inquiries, customer, responding to, 365–366
  integrative case, 352–354
  inventory availability, checking, 364–365
  invoicing, 371–376
  level data flow diagram, 355
  lockbox, 377
  monthly statement, 374
  open-invoice method, 374
  outsourcing, 369–370
  packing slip, 369
  physical inventory worksheet, 365
  picking ticket, 364
  radio frequency identification (RFID) and, 367–368
  REA diagrams and, 562, 585–587
  remittance advice, 374
  remittance list, 377
  rental transactions, 591–593
  sales invoice, 371–376
  sales order, 359
  sales order entry, 357, 359–366
  shipping, 357, 366–371
  source documents and, 27
  theft, 368
  threats and controls, 356–359, 361–362, 364–365, 368, 371, 373, 375–376, 378–380
  universal payment identification code (UPIC), 379
  vendor-managed inventory (VMI) program, 406
reverse auctions, 406
RFID. See radio frequency identification (RFID)
risk appetite, 205
risk assessment and risk response
  control risk, 324
  cost/benefit effectiveness, determination of, 211
  costs and benefits, estimation of, 211
  detection risk, 324
  estimate likelihood and impact, 210–211
  expected loss, 211
  identify controls, 211
  implementing control or accept, share, or avoid the risk, 211–212
  inherent risk, 209, 324
  residual risk, 209
risk-based audit approach
  compensating controls, 326
  determine threats facing the company, 326
  evaluate control procedures, 326
  identify control procedures, 326
  systems review, 326
  tests of controls, 326
risk of threat, 198
risks, in auditing, 324
robots, in warehouse, 368
rootkit, 174–175, 178
round-down fraud, 163, 178
routers, 249
run-to-run totals, 498

S
sabotage, 129
salami technique, 163, 178
sale of services, 590
sales invoice, 371–373
sales order, 359, 360
Sarbanes-Oxley Act (SOX; 2002), 52, 88, 199–200, 237
SAS No. 99, 133
  documenting and communicating findings, 133
  evaluate results of audit tests, 133
  identifying, assessing, and responding to risks, 133
  incorporate a technology focus, 133
  obtaining information, 133
  risks of material fraudulent misstatements, discussing, 133
  understanding fraud, 133
scanning programs, 334
scanning routines, 334
scareware, 172, 178
scavenging, 169, 178. See also dumpster diving
scheduled reports, 686
scheduling feasibility, 626
schemas, 88–90, 504
scrum development, 668
scrum master, 668
scrum methodology, 668
scrum team, 668
security management, 215
segregation of accounting duties, 213–214
segregation of systems duties, 214–215
semantic data modeling, 95
September 11, 2001, attacks, 307
  and NASDAQ, 307
sequence check, 299
sequence codes, 28
service activities, 14
service set identifier (SSID), 251
session hijacking attack, 161
sexting, 164, 178
shipping, 366–371
shoulder surfing, 169–170, 178
sign check, 298, 498
Simons, Robert, 199
site preparation, 690–691
Six Sigma, 414, 435
size check, 298
skimming, 170, 178
SMS (short message service) spoofing, 160, 178
snapshot technique, 333
social engineering. See also computer fraud
  carding, 168
  chipping, 170
  defined, 165, 240
  dumpster diving, 169
  eavesdropping, 170
  evil twin, 169
  identity theft, 167
  issues and techniques, 167–170
  Lebanese looping, 170
  pharming, 168
  phishing, 167–168
  policies and procedures for minimizing, 166
  posing, 167
  pretexting, 167
  QR barcode replacements, 169
  scavenging, 169
  shoulder surfing, 169–170
  skimming, 170
  tabnapping, 169
  typosquatting, 169
  URL hijacking, 169
  vishing, 168
software, 655. See also information security
  acceptance tests, 669
  acquisition of, 656–657
  agile development, 668
  application service providers (ASPs), 656
  auditing, 336–338
  business process management (BPM), 664
  business process management systems (BPMS), 664
  business process reengineering (BPR), 664
  canned, 656
  computer-aided software (systems) engineering (CASE), 670–671
  custom, 659
  data loss prevention (DLP), 273
  development by in-house information systems departments, 659–661
  end-user computing (EUC), 659–661
  end-user developed, 659–660
  evaluation of, 657–658
  extreme programming (XP), 669
  for fraud detection, 220–221
  generalized audit software (GAS), 336–338
  hardware acquisition, 656–657
  help desk, 661
  integration tests, 669
  malicious, 133
  nonoperational (throwaway) prototypes, 666
  operational prototypes, 666
  outsourcing, 662–663
  point scoring, 657–658
  proposal evaluation, 656
  prototyping, 665–667
  purchasing, 658
  Remote Deposit Capture, 377
  request for proposal (RFP), 656
  requirement costing, 658
  scrum methodology, 668
  selecting a system, 657–658
  tracking, 219
  turnkey systems, 656
  Unified Process, 669–670
  unit tests, 669
  vendor evaluation, 656
  vendor selection, 656
  war dialing, 162, 179
software design, 253
software errors, examples of, 129
software hardening controls, 251–252
software piracy, 165, 178
  forms of, 165
source code comparison program, 331
source data automation (SDA), 27
source documents, 26
  cancellation and storage of, 297
  common business activities and, 27
  prenumbering, 297
sources, 52
spam, 275
spamming, 159, 178
spear phishing, 167–168, 242
specialized journal, 30
special-purpose analysis reports, 686
specific authorization, 212
splogs, 159, 178
spoofing, 159, 178
  Address Resolution Protocol (ARP) spoofing, 160
  caller ID spoofing, 159
  DNS spoofing, 160
  e-mail spoofing, 159
  IP address spoofing, 159
  SMS spoofing, 160
  Web-page spoofing, 160
spreadsheets
  processing integrity controls in, 302–303
  XBRL-encoded, 505
sprint, 668
spyware, 171–172, 178
SQL injection (insertion) attack, 161, 178, 253
S&S, Inc.
  activities and data flows in payroll processing at, 55
  designing relational database for, 92–94
  narrative description of payroll processing at, 55
Statement on Auditing Standards (SAS) No. 99. See SAS No. 99
steering committee, 215
steganography programs, 174, 178
stockout costs, 403
stockouts/excess inventory, preventing, 404
storage symbols, 58, 59
strategic master plan, 215
strategic objectives, 208–209
structured programming, 688
Stuxnet virus, 128
style sheet, 506
subschema, 88, 89
subsidiary ledger, 28
Superman III (film), 163
superzapping, 175, 179
supplier audits, 408
supplier invoices, approving, 400, 411–415
suppliers, choosing, 405–406
supply chain, 11, 14–15
  importance of, 14–15
  ineffective, problems created by, 15
support activities, 14
symbols
  business process diagrams, 63, 64
  flowchart, 58–59
symmetric encryption systems, 280, 281
system,
system control audit review file (SCARF), 333
system downtime, minimizing, 303–304
system flowchart, 60–61, 63. See also flowcharts
  definition, 51
  use of, 51
system performance measurements, 215
systems administrators, 215
systems analysis. See also systems development
  design tools and techniques, 633
  feasibility study, 633
  information needs and systems requirements, 633–635
  initial investigation, 630–631
  logical models, 633
  physical models, 633
  proposal to conduct systems analysis, 631
  request for systems development, 630
  steps in, 631
  systems analysis report, 635
  systems documentation, 633
  systems survey, 631–633
  systems survey report, 633
systems analysis report, 636
systems analysts, 215, 623
systems conversion
  data conversion, 694
  definition, 693
  direct conversion, 693
  parallel conversion, 693
  phase-in conversion, 694
  pilot conversion, 694
systems development. See also systems analysis
  behavioral aspects of change, 628–630
  behavior problems, preventing, 629–630
  capital budgeting model, 627
  computer programmers, 623
  critical path, 624
  external players, 623
  feasibility analysis, 625–627
  Gantt chart, 624, 625
  information systems steering committee, 622
  integrative case, 618
  introduction, 619–620
  management role, 622
  master plan, 623, 624
  methods for improving, 663–671
  planning, 623–624
  program evaluation and review technique (PERT), 623–624
  project development plan, 623
  project development team, 622–623
  systems analysts, 623
  users, 622
systems development life cycle (SDLC), 621–622
  components of, 621
  conceptual design, 621–622
  implementation and conversion, 622
  operations and maintenance, 622
  physical design, 622
  systems analysis, 621
systems documentation, 633
systems duties, segregation of, 214–215
systems implementation
  acceptance tests, 692
  activities, 691
  definition, 690
  documentation, completing, 692
  implementation plan, 690
  personnel, selecting and training, 691
  processing test data, 692
  site preparation, 690–691
  testing, 692–693
  walk-throughs, 692
systems integrator, 216
systems review, 326
systems survey, 631–633
systems survey report, 633

T
tabnapping, 169, 179
targeted attacks, 240–241
  conduct reconnaissance, 240
  cover tracks, 241
  execute the attack, 241
  research, 241
  scan and map the attack, 240–241
  social engineering, 240
tax benefits, of well-designed databases, 602
taxonomy, 504
TCP/IP, 249–250
technical feasibility, 626
technology, AIS and, 14
test data, processing, 332–333
test data generator, 332
testing, in systems implementation, 692
tests of controls, 298, 299, 300, 301, 302, 303, 308, 326, 328, 329, 330, 331, 332, 336, 337
theft of inventory, 368
threats, 127, 128–130, 197–198
3-D printing, 444
throughput, 215, 451–452
time and attendance data, validating, 473
time-based model of security, 239–240, 241
time bombs, 174, 179
time card, 471
time sheets, 471
tokenization, 275, 467
top-level reviews, 217
torpedo software, 172, 179
Toyota Production System (TPS), 9–10
  business processes and,
  principles of, 9–10
trailer record, 299–300
training programs
  for employees, 207
  production operations, 445
  for protecting confidentiality, 274
  reducing system downtime and, 304
  security awareness, 242–243
  in systems implementation, 691
transaction,
transaction cycles, 6–7
transaction file, 32
transaction log, 299
transaction processing,
Transmission Control Protocol (TCP), 249, 301
transposition error, 300
trap door, 174, 179
treasurer, 497
trial balance, 498, 499
triggered exception reports, 686
Trojan horse, 173–174, 179
Trust Services Framework, 237, 274
  availability, 238
  confidentiality, 237
  privacy, 238
  processing integrity, 238
  security, 237
tunnels, 285
tuple, 90
turnaround document, 26, 297
turnkey systems, 656
typosquatting, 169, 179. See also URL hijacking

U
unauthorized suppliers, purchasing from, 407
underproduction, 443–444
Unified Process, 669–670
unintentional acts, examples of, 129
uninterruptible power supply (UPS), 304
unit tests, 669
universal payment identification code (UPIC), 379
update anomaly, 92
URL hijacking, 169, 179. See also typosquatting
USA Today, 174
user access controls, 243–246
user account management, 252–253
user documentation, 692
users, 215
user stories, 668
utilization, 215

V
validity check, 298, 375, 498
value chain, 13
  role of AIS in, 13–15
value of information, 7-Eleven and,
vendor evaluation, 657–658
vendor-managed inventory (VMI) program, 406
vendor selection, 656
virtualization, 258, 273, 308
virtual private network (VPN), 285
virus, computer, 176
vishing, 168, 179
Voice over Internet Protocol (VoIP), 273
voice phishing. See vishing
voucher package, 411
voucher system, 411–412
vouching, 325
vulnerabilities, 252
vulnerability scanners, 252

W
walk-throughs, 692
war dialing, 162, 179
war dialing software, 162, 179
war driving, 163, 179
War Games (film), 162
war rocketing, 163, 179
Web cramming, 165, 179
web log. See Blogs
Web-page spoofing, 160, 179. See also phishing
Web sites, use of, in sales, 360–361
weighted-average approach, 406
white-collar criminals, 131, 150–151
wireless access, 251
worm, 175–176, 179
write-protection mechanisms, 300

X
XBRL (eXtensible Business Reporting Language), 503–508

Y
yield, 452

Z
zero-balance checks, 498
zero-balance test, 300
“zero-day Wednesday,” 160
zero-day (zero-hour) attack, 160, 179
zombies, 158, 179

Posted: 22/09/2020, 22:37
