CHAPTER 8



8.1     For the consumer, opt-out represents many disadvantages because the consumer is responsible for
        explicitly notifying every company that might be collecting the consumer's personal information
        and telling them to stop collecting their personal data. Consumers are less likely to take the time
        to opt out of these programs, and even if they do decide to opt out, they may not know of all of the
        companies that are capturing their personal information. For the organization collecting the data,
        opt-out is an advantage for the same reasons it is a disadvantage to the consumer: the organization
        is free to collect all the information it wants until explicitly told to stop.

8.2     a. The cost here is tangible, consisting of the salaries of additional employees, if any, who must
           be hired in order to accomplish segregation of duties. The benefit is much less tangible,
           comprising primarily the reduction in the risk of loss from both fraud and unintentional errors.
            One approach might be to estimate an "expected benefit" as a product of the possible loss
           from fraud and the reduction in probability of fraud.

        b. The costs here are also relatively tangible, including the costs of maintaining a tape library and
           of performing special procedures such as file labeling, concurrent update controls, encryption,
           virus protection, maintaining backup files, and so forth. The benefit is again intangible,
           consisting of the reduction in risk of loss of vital business data. Once again an "expected
           benefit" might be estimated as the reduction of the product of the cost of data reconstruction
           and the probability of data loss.

        c. The cost here consists of the extra programming and processing time required to prepare and
           execute the input validation routines. As in the other cases, the benefits are intangible and
           difficult to measure in dollars. The primary benefit is the increase in accuracy of files and
           output. In this case, the decision must be primarily subjective, since a reliable dollar value is
           unlikely to be available.

Ch. 8: Computer-Based Information Systems Control

8.3    The disadvantage of a full backup is time. Organizations do not normally make full backups of
       their data on a frequent (daily) basis simply due to the time a full backup takes. Most
       organizations do full backups on a weekly basis and supplement them with partial backups on a
       daily basis. The advantage of frequent full backups is that the full system can be restored from a
       single backup. An advantage of doing partial daily backups is time. It takes less time and,
       therefore, fewer resources to perform a partial backup on a daily basis than a full backup on a
       daily basis. There are two primary types of daily partial backups: incremental and differential.

       Incremental backups copy only data files that have changed since the last backup. The advantage
       of the incremental backup is time; it can be done quickly since only a subset of all files (the files
       that have changed since the last backup) is copied. The disadvantage of incremental backups is
       that they require multiple backups for a full restoration; i.e., the restoration would require going
       back to the last full backup and then installing each incremental backup until the last incremental
       backup prior to the loss of data.

       Differential backups copy all files that have changed since the last full backup. Thus, each
       differential backup contains a cumulative record of all file changes since the last full backup.
       Obviously, the first backup after a full backup can be termed both an incremental and a differential
       backup. But after the first incremental/differential backup, each successive differential backup
       will take longer than a simple incremental backup since it is not only copying newly changed files,
       but it is also copying all changed files from prior differential backups up to the last full backup.
       The advantage of the differential backup is that a full restoration will only require the last full
       backup and the last differential backup since all prior differential backups are contained in the
       most recent differential backup.
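The incremental/differential trade-off above, simulated in code. This is an added example, not part of the solutions manual; the five file names and the day-by-day change log are constructed, and a file's "version" is simply the day it last changed.

```python
# Added example: incremental vs. differential backups after a full backup on day 0.
ALL_FILES = {"ledger.db", "payroll.db", "ar.db", "ap.db", "config.ini"}

# Constructed change log: the set of files modified on each day (day 0 = full backup).
CHANGES = [set(), {"ledger.db"}, {"payroll.db"}, {"ledger.db", "ar.db"}, set(),
           {"ap.db"}, {"ledger.db"}]

def take_backups(changes):
    """Contents of each day's incremental and differential backup as {file: version},
    where version is the day of the file's latest change."""
    incr, diff, since_full = {}, {}, {}
    for day in range(1, len(changes)):
        incr[day] = {f: day for f in changes[day]}   # only files changed since last backup
        since_full.update(incr[day])                  # cumulative changes since the full
        diff[day] = dict(since_full)                  # differential = everything since full
    return incr, diff

def restore(incr, diff, last_day, strategy):
    """Apply the minimum chain of backups needed to rebuild the state as of
    last_day; returns (file versions, list of backups applied)."""
    state = {f: 0 for f in ALL_FILES}                 # start from the full backup
    chain = ["full-day0"]
    if strategy == "incremental":
        for day in range(1, last_day + 1):            # every incremental, in order
            state.update(incr[day])
            chain.append("incr-day%d" % day)
    else:
        if last_day >= 1:                             # only the most recent differential
            state.update(diff[last_day])
            chain.append("diff-day%d" % last_day)
    return state, chain

def copied_per_day(incr, diff):
    """Files copied per day as (incremental, differential): the differential grows
    toward the full while the incremental stays the size of one day's changes."""
    return {day: (len(incr[day]), len(diff[day])) for day in incr}
```

Both strategies rebuild identical file versions; the difference is the length of the restore chain versus the amount copied each day.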

8.4    In addition to the hardware and network equipment, a hot site must also have all of the software
       and office equipment required to run an office. This means that a hot site is essentially a fully
       functional, turn-key, office that management and staff could use and be fully operational and
       productive in a very short period of time. Office equipment would include telephones, fax
       machines, copy machines, internal communication lines such as an intercom or two-way radios,
       paper pads, pencils, pens, staplers and staples, all applicable paper forms used in daily operations,
       extra toner cartridges for printers and copiers, petty cash and/or corporate credit card for incidental
       expenses, etc.

8.5    Good internal control procedures dictate the objectives of internal control, but not the techniques
       by which those objectives are to be achieved. Computer systems can efficiently scan large
       volumes of records on a regular basis, identify transactions that need to be initiated, and then take
       appropriate transaction-initiation steps such as document preparation and file updating.

       Given that computer systems will be programmed to initiate transactions, the issue is to identify
       internal control techniques that will achieve the stated objective under these circumstances. These
       include (1) strong controls over the development and revision of the computer programs that
       initiate transactions, (2) organizational separation of the programming and computer operations
       functions, (3) logical access controls to prevent unauthorized access to computer programs, and (4)
       review by user department personnel of transactions initiated by the computer.

                                                                          Accounting Information Systems

      In summary, automatic generation of transactions by computer does not necessarily violate good
      internal control.

8.6   Since outsourcing is and will likely continue to be a topic of interest, this question should generate
      some good discussion from students. Data security and data protection are rated among the top ten
      risks of offshore outsourcing by CIO News. Compliance with the Health Insurance Portability
      and Accountability Act (HIPAA) and the Sarbanes-Oxley Act (SOX) is of particular concern to
      companies outsourcing work to offshore companies. Since offshore companies are not required to
      comply with HIPAA, companies that contract with offshore providers do not have any enforceable
      mechanisms in place to protect and safeguard Protected Health Information, i.e., patient health
      information, as required by HIPAA. They essentially lose control of that data once it is processed
      by an offshore provider. Similarly, offshore companies are not governed by SOX, which is a concern
      when the CEO and CFO attest to the accuracy of their company's financial statements, which
      include documentation of any business processes performed by offshore entities.

      One question that may facilitate discussion is to ask the students whether, once a company sends
      some operations offshore, the outsourcing company still has legal control over its data or whether
      the laws of the offshore company's country dictate ownership. Should the outsourcing company be
      liable in this country for data that was lost or compromised by an offshore outsourcing partner?

8.7   Since most students will encounter this question as an employee and as a future manager, the
      concept of personal email use during business hours should generate significant discussion. One
      question that may help facilitate discussion is to ask whether personal emails are any different than
      personal phone calls during business hours. The instructor may also want to use this opportunity
      to discuss security issues with email. Viruses are frequently spread through email, and although a
      virus could infect company computers through a business-related email, personal email will also
      expose the company to viruses and therefore warrants a policy of disallowing any personal
      emails. In addition, there is the risk that employees could overtly or inadvertently release
      confidential company information through personal email. Once the information is written in
      electronic form it is easy and convenient for the recipient to distribute that information.

8.8   Many people may view biometric authentication as invasive. That is, in order to gain access to a
      work-related location or data, they must provide a very personal image of part of their body
      such as their retina, finger or palm print, their voice, etc. Providing such personal information
      may make some individuals fearful of identity theft in that, unlike a social security number or a
      bank account number, biometric identification characteristics cannot simply be "reset". If
      someone's digitized biometric identification such as a fingerprint is stolen, then how can they
      prevent their identity from being used to lie, cheat, and steal? Indeed, facial scans and voice scans
      can be obtained and recorded without the consent and knowledge of the person being scanned.
      RFID tags that are embedded in or attached to a person's clothing would allow anyone with that
      particular tag's frequency to track the exact movements of the "tagged" person. For police tracking
      criminals that would be a tremendous asset, but what if criminals were tracking people whom they
      wanted to rob, or whose property they wanted to rob when they knew the person would not be at
      home? Already one elementary school tried using RFID tags on students to track attendance, but
      stopped the program due to parental complaints and because the company that donated the
      equipment decided to stop supplying the RFID tags to the school.



8.2    a. Record Count:          4 records

          Hash and Financial Totals are shown in the table below.

          Employee    Pay      Hours     Gross       Deductions   Net Pay
          Num.        Rate     Worked    Pay
          ------------------------------------------------------------------
          121          250      38       $ 9500        01050        08450
          123          275      40        11000        01250        09750
          125          200      90        16000        02000        12000
          122          280      40        11200        11000        00200
          ------------------------------------------------------------------
          491         1005                $47700       $15300       $30400
          Hash Total  Hash     Hash      Financial    Financial    Financial
                      Total    Total     Total        Total        Total

       b. Field Check:                    $9500 Gross Pay for Employee 121 should not contain the "$".

             Sequence Check:              Employee 122 is out of order. This record should appear directly
                                          after Employee 121.

             Limit Check:                 90 Hours Worked for Employee 125 is probably too high.

             Reasonableness Test:         $11000 in Deductions for Employee 122 seems too high given a
                                          Gross Pay of $11200.

             Crossfooting Balance Test:   $30400 Net Pay for all Employees does not equal $47700 -
                                          $15300. This is because the $12000 Net Pay for Employee 125
                                          does not equal 16000 -
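The batch controls and edit checks from this answer, run in code over the four records in the table. This is an added example, not part of the solutions manual; the record layout, the 60-hour limit and the "deductions above half of gross" reasonableness rule are my assumptions. It also names the record that makes the crossfooting test fail.

```python
# Added example: batch control totals and edit checks for the payroll batch in problem 8.2.
from dataclasses import dataclass

@dataclass
class PayrollRecord:
    emp_num: int
    pay_rate: int
    hours: int
    gross: str        # kept exactly as keyed so the field check can catch the "$"
    deductions: int
    net: int

# The four records as they appear in the table above (values from the page).
BATCH = [
    PayrollRecord(121, 250, 38, "$ 9500", 1050, 8450),
    PayrollRecord(123, 275, 40, "11000", 1250, 9750),
    PayrollRecord(125, 200, 90, "16000", 2000, 12000),
    PayrollRecord(122, 280, 40, "11200", 11000, 200),
]

MAX_HOURS = 60   # limit-check threshold: an assumption, not a figure from the page

def gross_value(rec):
    """Numeric gross pay with any stray '$' stripped, so totals still compute."""
    return int(rec.gross.replace("$", "").strip())

def control_totals(batch):
    """Record count, hash totals (sums with no business meaning, kept only as
    a control) and financial totals for the batch."""
    return {
        "record_count": len(batch),
        "hash_emp_num": sum(r.emp_num for r in batch),
        "hash_pay_rate": sum(r.pay_rate for r in batch),
        "hash_hours": sum(r.hours for r in batch),
        "fin_gross": sum(gross_value(r) for r in batch),
        "fin_deductions": sum(r.deductions for r in batch),
        "fin_net": sum(r.net for r in batch),
    }

def edit_checks(batch):
    """Field, sequence, limit and reasonableness checks on each record.
    Returns (check, employee number, message) triples."""
    findings, prev = [], None
    for r in batch:
        if not r.gross.strip().isdigit():                       # field check
            findings.append(("field", r.emp_num, "gross pay %r is not all digits" % r.gross))
        if prev is not None and r.emp_num < prev:               # sequence check
            findings.append(("sequence", r.emp_num, "employee %d follows %d" % (r.emp_num, prev)))
        prev = r.emp_num
        if r.hours > MAX_HOURS:                                 # limit check
            findings.append(("limit", r.emp_num, "%d hours worked exceeds %d" % (r.hours, MAX_HOURS)))
        if r.deductions > gross_value(r) // 2:                  # reasonableness (assumed rule)
            findings.append(("reasonableness", r.emp_num,
                             "deductions %d against gross %d" % (r.deductions, gross_value(r))))
    return findings

def crossfoot(batch):
    """Crossfooting balance test: total net must equal total gross minus total
    deductions. Also names the records whose own gross - deductions != net,
    which is where a batch-level imbalance comes from."""
    t = control_totals(batch)
    balanced = t["fin_gross"] - t["fin_deductions"] == t["fin_net"]
    culprits = [r.emp_num for r in batch if gross_value(r) - r.deductions != r.net]
    return balanced, culprits
```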


a.    Field 1 - Member number:
            Range check to verify that the field contains only four digits within the range of 0001 to 1368.
            Validity check on member number if a file of valid member numbers is maintained.

      Field 2 - Date of flight start:
            Check that day, month, and year correspond to the current date.
            Field check to verify that the field contains six digits.

      Field 3 - Plane used:
            Validity check that the character is one of the legal characters to describe a plane (G, C, P, or
            Check that only a single character is used (field check).

      Field 4 - Time of take off:
            Range check that both pairs of numbers are within the acceptable range (first two digits
            are within range 00 to 23, and second two digits are within the range 00 to 59).
            Field check to verify that the field contains four digits.

      Field 5 - Time of landing:
            Range check that both pairs of numbers are within the acceptable range described for field 4.
            Reasonableness test that field 5 is greater than field 4.

      b. Five of the six records contain errors as follows:
                  1st - Wrong date is used (Nov. 31 instead of Nov. 1).

                  2nd - Member number is outside range (4111 is greater than 1368).

                  4th - Plane code is not legal.

                  5th - Member number contains a character.

                  6th - Plane landing time is earlier than the take off time.

      c. Other possible controls to prevent input errors are:
            user ID numbers and passwords to limit system access to authorized personnel.
            compatibility test to ensure that authorized personnel have access to the correct data.
            prompting to request each required input item.
            preformatting to display an input form including all required input items.
            completeness check on each input record to ensure all items have been entered.
            default values such as today's date for the flight date.
            closed-loop verification (member name would appear immediately after the member
       (SMAC Examination, adapted)
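
The edit checks for the five-field flight-log record, as a validator run over a constructed batch that reproduces the error pattern in part (b). This is an added example, not part of the solutions manual. Assumptions: the date is keyed as MMDDYY, the "current date" is passed in, the legal plane codes are G, C and P (the page's list is cut off after "P, or"), and the member-number upper bound 1368 is the one quoted in part (b).

```python
# Added example: input edit checks for the five-field flight-log record.
import datetime
import re

LEGAL_PLANES = {"G", "C", "P"}   # assumption: the page's list is cut off after "P, or"
MEMBER_MAX = 1368                # upper bound quoted in part (b)

def _hhmm(value):
    """Field check and range check on an HHMM time; minutes past midnight, or None."""
    if not re.fullmatch(r"\d{4}", value):
        return None
    hh, mm = int(value[:2]), int(value[2:])
    if not (0 <= hh <= 23 and 0 <= mm <= 59):
        return None
    return hh * 60 + mm

def validate(record, today):
    """Return the (field number, check name) failures for one five-field record,
    given as a tuple of strings exactly as keyed."""
    member, date, plane, takeoff, landing = record
    errs = []
    # Field 1: four digits (field check) within 0001..MEMBER_MAX (range check)
    if not re.fullmatch(r"\d{4}", member):
        errs.append((1, "field"))
    elif not 1 <= int(member) <= MEMBER_MAX:
        errs.append((1, "range"))
    # Field 2: six digits (field check) forming a real date equal to today (MMDDYY assumed)
    if not re.fullmatch(r"\d{6}", date):
        errs.append((2, "field"))
    else:
        try:
            keyed = datetime.date(2000 + int(date[4:]), int(date[:2]), int(date[2:4]))
        except ValueError:          # e.g. Nov. 31 does not exist
            keyed = None
        if keyed != today:
            errs.append((2, "date"))
    # Field 3: a single character (field check) drawn from the legal codes (validity check)
    if len(plane) != 1:
        errs.append((3, "field"))
    elif plane not in LEGAL_PLANES:
        errs.append((3, "validity"))
    # Fields 4 and 5: HHMM within range; landing must be later than take-off (reasonableness)
    t_off, t_land = _hhmm(takeoff), _hhmm(landing)
    if t_off is None:
        errs.append((4, "range"))
    if t_land is None:
        errs.append((5, "range"))
    elif t_off is not None and t_land <= t_off:
        errs.append((5, "reasonableness"))
    return errs

# Constructed six-record batch that reproduces the error pattern listed in part (b).
TODAY = datetime.date(2024, 11, 1)
RECORDS = [
    ("0042", "113124", "G", "0900", "1015"),  # 1st: Nov. 31 instead of Nov. 1
    ("4111", "110124", "C", "0930", "1045"),  # 2nd: member number above 1368
    ("0777", "110124", "P", "1000", "1130"),  # 3rd: clean
    ("0105", "110124", "X", "1100", "1200"),  # 4th: plane code not legal
    ("01A5", "110124", "G", "1300", "1400"),  # 5th: member number contains a letter
    ("1200", "110124", "C", "1500", "1430"),  # 6th: lands before take-off
]

def batch_errors(records=RECORDS, today=TODAY):
    """Map 1-based record position to its failures; clean records are omitted."""
    result = {}
    for i, r in enumerate(records, 1):
        errs = validate(r, today)
        if errs:
            result[i] = errs
    return result
```
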
8.4    Differences between the correct batch total and the batch totals obtained after processing:

               (a)              (b)             (c)              (d)
               $29,341.28       $29,341.28      $29,341.28       $29,341.28
               -24,088.72       -29,431.28      -30,341.28       -27,578.66
               $ 5,252.56       $ (90.00)       $(1,000.00)      $ 1,762.62

       Analysis of these differences:

       a. The difference of $5,252.56 is not divisible evenly by 9, which rules out a transposition error.
          The difference affects multiple columns, which rules out a single transcription error. The
          difference amount is not equal to any of the entries in the first batch total calculation, which
          rules out an error of omission. Dividing the difference by 2 gives $2,626.28, which is one of
          the entries in the first calculation. More careful inspection reveals that this amount has been
          inadvertently subtracted from the second batch total calculation rather than added.

       b. The difference of $90 is evenly divisible by 9, which suggests the possible transposition of
          adjoining digits in the hundreds and tens columns. More careful inspection indicates that
          the amount $4,566.86 from the first calculation was incorrectly transposed to $4,656.86 in the
          second calculation.

       c. A difference of $1,000 represents a discrepancy in only one column, the thousands column.
          A possible error in transcribing one digit in that column is indicated. More careful
          examination reveals that the amount $2,772.42 from the first calculation was incorrectly
          recorded in the second calculation as $3,772.42.

       d. The difference of $1,762.62 exists in multiple columns and is not divisible evenly by 9.
          However, this amount is equal to one of the entries in the first calculation. Inspection reveals
          that this item was inadvertently omitted from the second calculation.
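The four-step reasoning above (omission, sign error, divisible-by-9 transposition, single-column transcription) applied in code to the four recomputed totals. This is an added example, not part of the solutions manual; the four amounts the page names are used, and two further batch entries are constructed so that the batch sums to $29,341.28. Amounts are held in cents so no rounding interferes with the divisibility test.

```python
# Added example: classifying a batch-total difference the way problem 8.4 does.
# Entries in cents: $2,626.28, $4,566.86, $2,772.42 and $1,762.62 are from the page;
# $10,000.00 and $7,613.10 are constructed so the batch totals $29,341.28.
BATCH_CENTS = [262628, 456686, 277242, 176262, 1000000, 761310]
CORRECT_TOTAL = sum(BATCH_CENTS)                    # 2,934,128 cents

def _single_column(mag):
    """True when the difference is one nonzero digit in one column, e.g. 100000."""
    s = str(mag)
    return s[0] != "0" and set(s[1:]) <= {"0"}

def _dollars(cents):
    return "$%s.%02d" % (format(cents // 100, ","), cents % 100)

def diagnose(entries, recomputed_total):
    """Classify the difference between the correct batch total and a recomputed
    one, applying the tests in the order the manual applies them."""
    diff = sum(entries) - recomputed_total
    mag = abs(diff)
    if mag == 0:
        return "totals agree"
    if mag in entries:                                  # case (d)
        return "omission of %s" % _dollars(mag)
    if mag % 2 == 0 and mag // 2 in entries:            # case (a)
        return "sign error (%s subtracted instead of added)" % _dollars(mag // 2)
    if mag % 9 == 0:                                    # case (b)
        return "transposition of adjoining digits (difference divisible by 9)"
    if _single_column(mag):                             # case (c)
        return "single-digit transcription error in one column"
    return "unclassified"

def page_cases():
    """The four second-calculation totals from the page, in cents, with verdicts."""
    return {label: diagnose(BATCH_CENTS, total)
            for label, total in (("a", 2408872), ("b", 2943128),
                                 ("c", 3034128), ("d", 2757866))}
```

The tests are heuristics, so their order matters: the omission and sign-error tests are exact matches against the batch and run first, while divisibility by 9 only suggests a transposition and needs the inspection the manual describes to confirm it.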



The following edit checks might be used to detect errors during the typing of answers to the input cues:
               Validity check of operator access code and password - ensures that the operator is
                authorized to access computer programs and files. Also, use of an expense account
                number ensures that the proper expense account number is used.
               Compatibility test of operator request to access payroll file - ensures that this operator
                has been granted authority to access and modify payroll records.
               Field check - ensures that numeric characters are entered into and accepted by the system
                in fields where only numeric characters are required; e.g., numbers 0-9 in a social
                security number.
               Field check - ensures that letters are entered into and accepted by the system in fields
                where only letters are required; e.g., letters A-Z in employee name.
               Field check - ensures that only specific special characters are entered into and accepted
                by the system where only these special characters are required; e.g., dashes in a social
                security number.
               Sign check - ensures that positive or negative signs are entered into and accepted by the
                system where only such signs are required to be entered, or that the absence of a positive
                or negative sign appears where such an absence is required; e.g., hours worked.
               Validity check - ensures that only authorized data codes will be entered into and accepted
                by the system where only such authorized data codes are required; e.g., authorized
                employee account numbers.
               Range check - ensures that only data values within a predetermined range will be entered
                into and accepted by the system; e.g., rate per hour for new employees cannot be lower
                than the minimum set by law or higher than the maximum set by management.
               Size check - ensures that only data using fixed or defined field lengths will be entered
                into and accepted by the system; e.g., number of dependents requires exactly two digits.
               Check digit - ensures that only specific code numbers prepared by using a specific
                arithmetic operation will be entered into and accepted by the system. This may not be
                needed if the more powerful validity checks are properly used.
               Completeness test - ensures that no blanks will be entered into and accepted by the system
                when data should be present; e.g., an "S" or "M" is entered in response to single or
                married.
               Overflow check - ensures that no digits are dropped if a number becomes too large for a
                variable during processing; e.g., hourly rates "on size errors" are detected.
               Control-total check - ensures that no unauthorized changes are made to specified data or
                data fields and all data have been entered.
               Reasonableness test - ensures that unreasonable combinations of data are rejected; e.g.,
                overtime hours cannot be greater than zero if regular hours are less than 40.
               Limit check - ensures that inputs do not exceed a specified limit; e.g., overtime hours
                cannot exceed 40.
        (CPA Examination, adapted)



       a. Reasonableness check between fields indicating salaried and hours field.

       b. All files should have header labels to identify their contents, and all programs should check
          these labels before processing transactions against the file.

       c. A field check should be performed to check whether all characters entered in this field are
          numeric. There should be a prompt correction and re-processing of erroneous transactions.

       d. A reasonableness test of quantity ordered relative to the product if 50 is an unusually large
          number of monitors to be ordered at one time. Closed-loop verification to make sure that the
          stock number matches the item that is ordered.

       e. An uninterruptible power system should be used to provide a reserve power supply in the
          event of power failure.

       f.   Fireproof storage and maintenance of duplicate files at an off-site location.

       g. A reasonableness test of quantity on hand.

       h. A completeness check to check whether all required fields were filled in.

       i.   Check digit verification on each customer account number and a validity check for actual
            customers should have caught this error.

       j.   A size check would prevent 400 characters from being entered into a field that allows for only
            5 characters.

       k. Concurrent update controls protect records from errors when more than one salesman tries to
          update the inventory database by locking one of the users out of the database until the first
          salesman’s update has been completed.

       l.   A limit check based on the original sales date.

       m. Check digit verification on each customer account number and a validity check for actual
          customers and closed loop verification.

       n. Check digit verification on each customer account number and a validity check for actual
          customers and closed loop verification.

       o. A completeness check for all payroll checks and a hash total using employee numbers.


       p. Encrypting the email containing the bid would have prevented the competitor from reading the
          email even if they could have intercepted the email.

       q. Parity checks and echo checks will test for data transmission errors.

