5.1) The personnel function of human resource management activity is responsible
for hiring employees and subsequently, maintaining the personnel and payroll
records for these employees. The primary objective of personnel function is to hire,
train, and employ appropriately qualified people to do an organization’s work.
Payroll processing involves maintaining employee earnings records, complying with
various government tax and reporting requirements, reporting on various
deduction categories, and interacting with the personnel function.
5.2) Because accounting transactions that are processed manually can be tedious,
repetitive, and error-prone, some companies chose to have payroll processed by
external service bureaus; it is easier and more cost-effective to use outsourcing
companies for processing paychecks and payroll reports.
5.3) The objective of a manufacturing organization’s production process is to convert
raw materials into finished goods as efficiently as possible. Producing goods and
services often requires expensive factory machinery. When the production area
needs raw materials, it issues a materials requisition form to acquire more materials
from a storeroom or warehouse where the raw materials are kept. Tracking labor
time is important to a job costing system because one employee may work on many
jobs and one job might require the work of many employees.
5.4) In general, it is the lack of a profit goal that most influences the special AIS
needs of not-for-profit organizations. Accounting standards, such as the Financial
Accounting Standards Board’s Statement No. 117, Financial Statements of Not-for-
Profit Organizations, now require the financial statements to more closely resemble
those of profit-seeking entities.
5.5) Yes, because the cement company’s inputs to the production order will
authorize the manufacture of goods and the production schedule. On the other hand,
a home builder will use a job time card as an input to a job costing system.
5.6) Vertical markets with specialized AISs include organizations in the following
industries: professional services, not-for-profit, health care, retail, construction,
government, banking and financial services, and hospitality. Professional service
organizations are business establishments providing a special service to consumers.
Compared with organizations that provide tangible goods, professional service
organizations have several unique operating characteristics: no merchandise
inventory, emphasis on professional employees, difficulty in measuring the quantity
and quality of output, and small size. Not-for-profit organizations provide services
for the protection and betterment of society. The characteristics of not-for-profit
organizations are: they are usually staffed by professional employees and a number
of volunteers, they are usually not affected by the market, and they sometimes have
a political emphasis. The health care industry has made this vertical market segment
the target of much controversy and concern as the United States struggles to contain
health care costs. Health care shares its characteristics mostly with professional
service and not-for-profit institutions: health care organizations do not
provide tangible goods to their customers, health care organizations count
professional staff as their most important asset resource, some health care
organizations are public and operate on a not-for-profit basis, and finally, output is
exceptionally difficult to measure for the health care industry.
5.7) In many organizations, several individuals handle the order process. Each
person has responsibility for a particular function: a receptionist or secretary may
handle general inquiries, a salesperson follows up on product inquiries, warehouse
personnel assume responsibility for filling the order, an accounts receivable clerk
bills the customer, and so on. Reengineering the order process may result in an
integration of functional activities so that one specified individual handles customers
from start to finish. This redesign means a customer knows who to talk to when an
order is late and the customer is not passed around from one person to another
when problems occur.
7.1) Yes, because so many large computer crimes, frauds, and other irregularities
have occurred in the past and will likely continue to occur in the future.
7.2) One explanation for this is the fact that a large proportion of computer crime
and abuse takes place in private companies, where it is handled as an internal
matter. The number one reason managers cited for not reporting intrusions was
negative publicity that might negatively impact their stock price or image (43%), and
the next most important reason was their fear that competitors would use the
information to their advantage (33%). I would agree with the reasoning because if this
impact affects stock prices, it will bring up some sort of curiosity among external
investors, and if they find out about the crimes then they will no longer make any
investments in the company.
7.3) Despite our lack of complete statistics, there are several reasons why we
believe computer crime is growing. One reason is the exponential growth in
computer resources, for example, microcomputers, computer networks, and the
Internet. As more people become knowledgeable about how to use computers, more
people also learn how to compromise computer systems.
7.4) Yes, many retail firms have clear prosecution policies regarding shoplifting. In
contrast, prosecution policies associated with other types of employee fraud are
notable for their absence in most organizations.
7.5) TRW advised its clients of bad credit risks on the basis of the information
maintained in its databases. However, this information could be changed. The fraud
began when six company employees, including a key TRW clerk in the consumer
relations department, realized this fact and began selling good credit to individuals
with bad credit ratings. The names and addresses of the bad credit risks were
already on file. It merely remained to contact these individuals and inform them of a
newfound method of altering their records. Accordingly, individuals with bad credit
ratings were approached and offered a clean bill of health in return for a
management fee. The TRW case involves two key issues: 1) the propriety of the
input information used in updating a specific AIS, and 2) the protection afforded
both consumer and user in the accuracy and use of credit information that is
gathered by a private company.
7.6) Hacking is a widespread problem. This is due, in part, to the fact that many
computer applications now run on local and wide area networks, where computer
files become accessible to unauthorized users. Also, the Internet enables users
to log onto computers from remote sites, again increasing vulnerability to hacking.
One helpful preventive tactic is user education, that is, making potential hackers
aware of the ethics of computer usage and the inconvenience, lost time, and costs
incurred by victim organizations. Another safeguard is to require user passwords,
which limit computer access to bona fide users.
7.7) A computer virus is an attachment to other files or programs that affects
computer files, operating system activities, or software.
7.8) Employees can be educated to stop computer crime: informing employees of the
significance of computer crime and abuse, the amount it costs, and the work
disruption it creates helps employees understand why computer offenses are a
7.9) The Internet is a perfect environment for computer viruses because so many
people use it for e-mail, conducting research, and downloading files or software. For
example, a virus might be stored in a Java applet. But unfortunately, applets contain
viruses that can infect other computers and cause damage. Once a programmer stores
a computer virus program on the file server of a computer network, the program
can affect thousands of other computers or disks before it is detected and
eradicated. Estimating the business costs of recovering from a virus infection is
difficult. The costs can be small, for example, limited to the inconveniences of
reformatting a hard disk and reloading a few software programs. On the other hand,
some experts estimate such costs in billions of dollars. There are a number of ways to
thwart computer viruses. These include, but are not limited to: 1) firewalls, which
limit external access to company computers; 2) antivirus software; and 3) antivirus
7.10) Ethics is a set of moral principles or values. Therefore, ethical behavior involves
making choices and judgments that are morally acceptable and then acting
accordingly. Ethical concerns are often the issue in instances of computer abuse. In
cases involving hacking, for example, “ignorance of proper conduct” or “misguided
playfulness” may be the problem. Computerized AIS often raise ethical issues that
we did not have to face under manual AIS. An example is the practice of
unauthorized software copying. The challenge of defrauding a computer system and
avoiding detection is irresponsible because success brings recognition, notoriety,
and even heroism. In recent years, professional accounting associations at both the
national and state levels have established ethics committees to assist practitioners
in the self-regulation process. These ethics committees provide their members with
continuing education courses, advice on ethical issues, investigations of possible
ethics violations, and instructional booklets covering a variety of ethics case studies.
Some of the ethics committees provide their members with a “hotline” to advise
them on the ethical and moral dilemmas experienced in the workplace.
7.11) Mr. Allen is a person dedicated to his work. The main reason that
customers complained in recent years is that, since banking access is
electronic and uses password access to their personal data, some hacker created
another website exactly similar to Allen’s bank website and started phishing for the
customers’ personal information. As a result, a few customers were mad because their
money was spent electronically at places they had not been. So, Allen should
have considered installing an additional security system in which a bank representative
would call the customers to make sure that they are the right people using
8.1) The primary provisions of the 1992 COSO Report were to define internal
control and describe its components, present criteria to evaluate internal control
systems, provide guidance for public reporting on internal controls, and offer
materials to evaluate an internal control system. The 2004 COSO Report primarily
focuses on enterprise risk management and builds on the 1992 COSO Internal
Control–Integrated Framework (ICIF). Due to the widespread acceptance of ICIF, the
Framework includes the five components of ICIF (control environment, risk
assessment, control activities, information and communication, and monitoring) and
adds three additional components: objective setting, event identification, and risk
8.2) The primary provisions of CobiT include 34 high-level objectives that cover
215 control objectives categorized in four domains: Plan and Organize, Acquire and
Implement, Deliver and Support, and Monitor and Evaluate a variety of potential
problems (such as dealing with rapidly changing economic and competitive
environments, as well as shifting customer demands and priorities). According to the
COSO report, an internal control system should consist of these five components:
1) the control environment, 2) risk assessment, 3) control activities, 4) information
and communication, and 5) monitoring.
8.3) Because many businesses want to develop plans that meet regulatory intent by
utilizing formal planning criteria and processes set by widely recognized COSO or CobiT
standards. Also, CobiT standards build on the COSO framework to provide more
detailed steps for information system compliance.
8.4) There are five interrelated components of an internal control system: 1) the
control environment, which establishes the tone of a company and influences the
control awareness of the company’s employees. 2) Risk assessment, which comes
from both external and internal parts of the organization and whose purpose is to
identify organizational risks, analyze their potential in terms of costs and likelihood
of occurrence, and install those controls whose projected benefits outweigh their
costs. 3) Control activities, which are policies and procedures that a company develops
to help protect the assets of the firm. 4) Information and communication, in which it
is management’s responsibility to make sure that its company’s accounting system
is collecting, measuring, processing, and communicating financial data from
business transactions to interested users of these data, whether these individuals
are inside the firm or outside the firm. 5) The monitoring process, which assesses the
quality of internal control performance over time. In my opinion, Risk
Assessment is the most important because the measurement of the threat risk is
identified, analyzed, and even counter-responded, saving the outweigh of the costs.
8.5) Because an internal control system consists of the various methods and
measures designed into and implemented within an organizational system to
achieve the following four objectives: 1) to safeguard assets, 2) to check the
accuracy and reliability of accounting data, 3) to promote operational efficiency, and
4) to encourage adherence to prescribed managerial policies.
8.6) Preventive controls are those that management puts in place to prevent
problems from occurring. Under this section, management must identify possible
events that represent a problem to the firm and then identify appropriate responses
to those problems. For example, James Cash calls this scenario planning, which
means management identifies scenarios ranging from minor concerns to major
disasters that could occur. In addition, Cash points out preventive controls to
minimize the likelihood of each problem they identify. Detective controls alert us
when the preventive controls have failed. For example, assume that a company’s
information system prepares daily responsibility accounting performance reports
for management. As another example, managers prepare a daily selling goal of
inventory for their employees.
Corrective controls are procedures a company uses to solve or correct problems.
Once management discovers a problem, it should also modify the company’s
processing system to eliminate or at least minimize future occurrences. An
example of this type of corrective control procedure might be a change to the
company’s procedure for backup copies of important transactions and master files.
In addition, companies have realized the importance of this corrective control since
9/11 and the many natural disasters that have occurred over the past few years.
8.7) Because competent and honest employees are more likely to help create value
for an organization. Employees work with organizational assets (for example, handling
cash, acquiring and issuing inventory, and using equipment). Competent and honest
employees, coupled with fair and equitable personnel policies, lead to efficient use
of the company’s assets.
8.8) The separation of duties concept is very important in IT environments, but the
way this concept is applied in these environments is often different. In modern
information systems the computer can be programmed to perform one or more of
the previously mentioned functions (i.e., authorizing transactions, recording
transactions, and maintaining custody of assets). Thus, the computer replaces
employees in performing the function or functions. For example, the pumps at many
gas stations today are designed so that customers can insert their debit or credit
cards to pay for their gas. Consequently, the computer performs all three functions:
it authorizes the transaction, maintains custody of the cash asset, and records the
transaction along with producing a receipt.
8.9) Under a voucher system, the employee prepares a document called a
disbursement voucher, which identifies the specific vendor, lists the outstanding
invoices, specifies the general ledger accounts to be debited, and shows the net
amount to pay the vendor after deducting any returns and allowances as well as any
purchase discounts. A voucher system has two advantages over a nonvoucher system:
1) it reduces the number of cash disbursement checks that are written, since several
invoices to the same vendor can be included on one disbursement voucher, and 2)
the disbursement voucher is an internally generated document. Thus, each voucher
can be prenumbered to simplify the tracking of all payables, thereby contributing to
an effective audit trail over cash disbursements. The advantage of making cash
disbursements with prenumbered checks is that it reduces the risk of employee
misappropriation of cash.
8.10) Through a cost-benefit analysis, the internal auditor may find that the cost of
operating a specific control procedure is greater than the benefit that might be
obtained from this procedure. Consequently, the internal auditors should
recommend to management ways the control procedure can be changed to reduce
its cost, thereby making it cost-effective. A control is considered cost-effective when
its anticipated benefit exceeds its anticipated cost.
9.1) A security policy is a comprehensive plan that helps protect the enterprise from
internal and external threats. When we say organizations should have an integrated
security plan, we mean a security system, supported by a comprehensive security
policy, which can significantly reduce the risk of attack because it increases the costs
and resources needed by an intruder.
9.2) If I were a senior executive of a firm, I would develop a security policy that
would consider ISO, the international information security standards, as
establishing best practices for information security. The Standard would include these
primary sections: security policy, system access control, computer and operations
management, system development and maintenance, physical and environmental
security, compliance, personnel security, security organization, asset classification
and control, and business continuity management.
9.3) A wireless LAN is a wireless local area network that links two or more computers
without using wires. The technology is based on radio waves to enable
communication between devices in a limited area, also known as the basic service set.
A hardwired LAN is a local area network that consists of two or more computers
connected together in a building or home using software and hardware. Data
encryption control must be used to minimize the risk of unauthorized access to data
through electronic eavesdropping.
9.4) Business Continuity Planning is a concept that is used to create and validate a
practiced logistical plan for how an organization will recover and restore within a
predetermined time after a disaster. Copies of a disaster recovery plan will not
be of much use if they are located only in computer systems that are destroyed by a
disaster; for this reason, members of a company’s recovery team should each keep
an up-to-date copy of the plan at their homes. In addition to periodic testing, a
disaster recovery plan should be reviewed on a continuous basis and revised when
necessary, which is an integral part of business continuity planning.
9.5) The backup is similar to the redundancy concept in fault-tolerant systems. For
example, if we write a research paper on a computer, it would be wise to back up
our work on a diskette. If there is no backup, a variety of unfortunate events could
occur and we might lose all of our work. Backup is important because of the risk of
losing data before, during, or after processing; organizations have an even greater
need to establish backup procedures for their files.
9.6) Protecting accounting data through software protection procedures for laptops
and PCs is not cost-effective as opposed to microcomputers. Secret passwords that
are periodically changed should be required for all authorized users of micros.
There are several common-sense microcomputer control procedures for protecting
data that cost virtually nothing. Micro users should be required to back up all
important data and program files and to store these backup files in a locked storage
area. When dealing with sensitive file data, the file can be copied from the hard disk
to a variety of different storage media.
9.7) The company should implement edit test controls for the validity and accuracy
of import data. It should implement check digit controls, which, even though they do
not guarantee data validity, limit the number of digits per inventory item. It should
also implement processing controls, which focus on the manipulation of accounting
data after they are input to the computer system.
9.8) Edit tests examine selected fields of input data and reject those transactions
whose data fields do not meet the preestablished standards of data quality. When
an incorrect account is keyed into a remote terminal and submitted to edit tests, it will,
for example, 1) pass a test of numeric field content ensuring that all digits were
numeric, 2) pass a test of reasonableness ensuring that the account number itself
fell within a valid range of values, 3) pass a test of sign, and 4) pass a test of
completeness. The check digit is computed as a mathematical function of the other
digits in a numeric field, and its sole purpose is to test the validity of the associated
data. A check digit doesn’t guarantee data validity. For example, the check-digit
procedure would be unable to distinguish between the correct account number,
2435, and the transposed number, 2345, because the transposition of digits does
not affect the sum. Most computer systems therefore use secret password codes to
restrict access. Such codes vary in length and type of password information
required, but all have the same intent: to limit logical access to the computer only to
those individuals authorized to have it. As an example of validating processing
results, the validity, accuracy, and completeness of computerized output in AISs can
be established through preparation of activity listings that document processing
activity. These listings provide complete, detailed information about all changes to
master files and thus contribute to a good audit trail. A control total that involves a
dollar amount is called a financial control total.
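The edit tests and the check-digit weakness described in 9.8, as an added example that is not part of the original answers: the wrong account number 2345 passes every edit test, an unweighted digit-sum check digit accepts it in place of 2435, and a position-weighted scheme (Luhn, swapped in here for comparison) rejects it. The valid range 1000 to 9999 and all function names are assumptions made for the illustration.

```python
"""Edit tests and check digits for an account-number field (constructed example)."""

VALID_RANGE = (1000, 9999)  # assumed range of valid account numbers


def edit_tests(field):
    """Return the names of the edit tests that the keyed field fails."""
    if field.strip() == "":
        return ["completeness"]
    body = field[1:] if field[0] in "+-" else field
    if not (body.isascii() and body.isdigit()):
        return ["numeric"]
    failures = []
    if field[0] == "-":
        failures.append("sign")
    if not VALID_RANGE[0] <= int(body) <= VALID_RANGE[1]:
        failures.append("reasonableness")
    return failures


def sum_check_digit(base):
    """Unweighted scheme: digit sum modulo 10. Blind to the order of digits."""
    return sum(int(d) for d in base) % 10


def luhn_check_digit(base):
    """Luhn scheme: every second digit from the right is doubled, so position matters."""
    total = 0
    for i, ch in enumerate(reversed(base)):
        d = int(ch)
        if i % 2 == 0:  # the digit next to the check digit, then every other one
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10


def verify(number, scheme):
    """True when the last digit of `number` is the scheme's check digit for the rest."""
    return scheme(number[:-1]) == int(number[-1])


def missed_adjacent_swaps(number, scheme):
    """Return the adjacent-digit transpositions of `number` the scheme still accepts."""
    base, check = number[:-1], number[-1]
    missed = []
    for i in range(len(base) - 1):
        if base[i] == base[i + 1]:
            continue  # swapping equal digits changes nothing
        swapped = base[:i] + base[i + 1] + base[i] + base[i + 2:]
        if verify(swapped + check, scheme):
            missed.append(swapped + check)
    return missed


if __name__ == "__main__":
    correct, keyed = "2435", "2345"  # the pair used in the answer above
    print("edit test failures for", keyed, "->", edit_tests(keyed))
    for scheme in (sum_check_digit, luhn_check_digit):
        stored = correct + str(scheme(correct))
        typed = keyed + stored[-1]
        print(scheme.__name__, "stored", stored, "typed", typed,
              "accepted:", verify(typed, scheme),
              "missed swaps:", missed_adjacent_swaps(stored, scheme))
    # Luhn is not perfect either: swapping an adjacent 0 and 9 goes unnoticed.
    print(missed_adjacent_swaps("1909" + str(luhn_check_digit("1909")), luhn_check_digit))
```

Even the weighted scheme only raises the cost of an undetected keying error; it says nothing about whether the account exists or belongs to the customer, which is why the answer pairs it with the other controls.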
9.9) Physical access to the computer refers to the ability of people to physically gain
access to a computer system. Logical access to the computer refers, in computer
security, to being able to interact with data through access control procedures such as
identification, authentication and authorization. Logical access would permit a user
to call for printouts of sensitive corporate data and permit access to a company’s
software. They are important because the knowledgeable attacker can quickly get
the information needed to gain access to the organization’s computer network.
Thus, regulating who is permitted logical access to computer files is an important
general control in terms of safeguarding sensitive organizational data and software.
9.10) Consequently, an individual who has unlimited access to the computer, its
programs, and live data also has the opportunity to execute and subsequently
conceal a fraud. To reduce this risk, a company should design and implement
effective separation of duties control procedures.
9.11) A control total that involves a dollar amount is called a financial control total.
Other examples of financial control totals include the sum of cash receipts in an
accounts receivable application, the sum of cash disbursements in an accounts
payable application, and the sum of net pay in a payroll application. AISs also use
nonfinancial control totals, which compute nondollar sums, for example, the sum of
the total number of hours worked by employees. Control totals do not have
to make sense to be useful; for example, when cash receipts from accounts
receivable customers are being processed by a company’s accountant, the sum of
the customers’ account numbers in a batch of transactions might be computed to
form a hash total.
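The three kinds of control total from 9.11 applied to one payroll batch, as an added example that is not part of the original answers: totals are computed when the batch is prepared and recomputed after processing, and any mismatch names the total that moved. The records, the employee numbers used for the hash total, the record count and the function names are all constructed for the illustration.

```python
"""Batch control totals for a payroll run (constructed example)."""
from decimal import Decimal
from typing import NamedTuple


class TimeRecord(NamedTuple):
    employee_no: int
    hours: Decimal
    net_pay: Decimal


# Constructed sample batch, as it was prepared before data entry.
SAMPLE_BATCH = [
    TimeRecord(2435, Decimal("40.0"), Decimal("1280.50")),
    TimeRecord(3117, Decimal("38.5"), Decimal("1102.25")),
    TimeRecord(4820, Decimal("42.0"), Decimal("1415.00")),
]


def control_totals(batch):
    """Compute the control totals that travel with the batch."""
    return {
        "record_count": len(batch),
        # Financial control total: a dollar amount (sum of net pay).
        "financial_total": sum((r.net_pay for r in batch), Decimal("0")),
        # Nonfinancial control total: a meaningful non-dollar sum (hours worked).
        "nonfinancial_total": sum((r.hours for r in batch), Decimal("0")),
        # Hash total: a sum with no meaning of its own (employee numbers).
        "hash_total": sum(r.employee_no for r in batch),
    }


def reconcile(expected_totals, processed_batch):
    """Return {total name: (expected, actual)} for every total that does not agree."""
    actual = control_totals(processed_batch)
    return {
        name: (expected, actual[name])
        for name, expected in expected_totals.items()
        if actual[name] != expected
    }


def scenarios():
    """Processed versions of SAMPLE_BATCH, each with one kind of error introduced."""
    a, b, c = SAMPLE_BATCH
    return {
        "clean": [a, b, c],
        "employee number transposed": [a._replace(employee_no=2345), b, c],
        "net pay altered": [a, b._replace(net_pay=Decimal("1902.25")), c],
        "record dropped": [a, b],
        # Two errors that cancel: pay swapped between two employees.
        "offsetting errors": [a._replace(net_pay=b.net_pay),
                              b._replace(net_pay=a.net_pay), c],
    }


if __name__ == "__main__":
    header = control_totals(SAMPLE_BATCH)
    print("batch header:", header)
    for label, processed in scenarios().items():
        print(f"{label}: {reconcile(header, processed) or 'totals agree'}")
```

The last scenario reconciles cleanly even though two paychecks are wrong: control totals test the batch as a whole, so record-level checks such as the edit tests in 9.8 are still needed.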
10.1) The planning and investigation step involves performing a preliminary
investigation of the existing system, organizing a systems study team, and
developing strategic plans for the remainder of the study. The analysis step involves
analyzing the company’s current system in order to identify the information needs,
strengths, and weaknesses of the existing system. In the design step, the organization
designs changes that eliminate or minimize the current system’s weak points while
preserving its strengths.
10.2) A steering committee is a group of individuals responsible for general operating
policy, procedures, and related matters affecting the firm as a whole. It’s also
important that the study team communicate closely and meaningfully with the
company’s top managers. To provide this continuous interface, the company’s top
management should appoint a steering committee to work with each study team as
it performs its tasks. The committee will include top management personnel, for
example, the controller, the vice president of finance, the top-level information
systems manager, one or more staff auditors, and even the chief executive officer of
10.3) I would select General Systems Goals, because general system goals apply to
most organizations’ information systems and help an AIS contribute to an efficient
and effective organization. The principles contributing to these goals are: 1)
awareness that the benefits of the new system should exceed the costs, 2) concern
that the output of the system helps managers make better decisions, 3) commitment
to designing a system that allows optimal access to information, and 4) flexibility so
that the system can accommodate changing information needs.
10.4) The purpose of system feasibility evaluation is for the design team, after obtaining
a positive response from the steering committee, to perform a detailed investigation
of different potential systems. The activity should precede the system feasibility
evaluation activity because we want a detailed system design before making a
decision to buy or make.
10.5) If the steering committee approves the detailed design work, it will now face
a cost-benefit (make or buy) decision. In large organizations, one possibility is to use
internal IT staff to develop the project in-house. This choice offers the tightest
control over project development, the best security over sensitive data, the benefits
of a custom product that has been tailor-made for the exact requirements of the
application, the luxury of replacing the old system piecemeal as modules become
available, and a vote of confidence for the organization’s IT staff.
10.6) Prototyping means developing a simplified model of a proposed information
system. A prototype is a scaled-down, experimental version of a nonexistent
information system that a design team can develop cheaply and quickly for user-
evaluation purposes. Prototyping is useful when end users do not understand their
information needs very well, system requirements are hard to define, the new
system is mission-critical or needed quickly, past interactions have resulted in
misunderstandings between end users and designers, and/or there are high risks
associated with developing and implementing the wrong system. Prototyping is not
a useful system design approach, for example, when both managers and IT
professionals can distrust it: the managers, if they perceive prototyping as “too
experimental,” and the IT professionals, if they harbour fears that the results lead to
poor design solutions.
10.7) The purpose of a system specifications report is for members to summarize
their findings after the design team completes its work of specifying the inputs,
outputs, and processing requirements of the new system. It differs by its historical
background information about the company’s operating activities, detailed
information about the problems in the company’s current system, detailed
descriptions of the systems design proposals, indication of what the vendors should
include in their proposals, and finally, a time schedule for implementing the new system.
10.8) The rationale for establishing controls before converting data files is that
the organization wants to install control procedures that will safeguard its assets,
ensure the accuracy and reliability of accounting data, promote operating
efficiency, and encourage employee compliance with prescribed managerial policies.
That’s why establishing internal controls should be performed before conversion of
any data. Then the organization converts data files in order to alternate more useful
10.9) The advantage of direct conversion is the new system replacing the old
system. The disadvantage of the direct conversion is the cost of teaching how the
new system works. Implementing parallel conversion gives more advantage than
direct conversion, because in this case both the old and new systems are run in
parallel at the same time. Another choice is modular conversion, where the new
system is implemented in stages: first implementing the inventory module, then the
order processing module, and so on, which again is time consuming.
10.10) With a Program Evaluation Review Technique (PERT) chart, a project leader
first prepares a list of systems implementation activities, identifies the prerequisite
activities that must be completed before others can start, and estimates the amount
of time required to complete each activity. A Gantt chart is another tool that an
organization can use in planning and controlling a system implementation project.
Gantt charts are useful for both scheduling and tracking the activities of systems
implementation projects because actual progress can be indicated directly on the
Gantt chart and contrasted with the planned progress.
10.11) After the new system has been in operation for a period of time, the
implementation team should re-evaluate the new system’s effectiveness by 1)
talking with top management personnel and operating management personnel
about their satisfaction with the new system, 2) talking with end users to ascertain
their satisfaction, 3) evaluating the control procedures of the system to verify
whether they are functioning properly, 4) observing employee work performance to
determine whether they are able to perform their job functions efficiently and
effectively, 5) evaluating whether computer processing functions, including data
capture and preparation, are performed efficiently and effectively, and 6) determining
whether output schedules for both internal and external reports are met with the
new computer system.
10.12) Project management software requires users to break down complex
projects into smaller, simpler activities and to estimate the time, cost, and other
resources required for each of them. The project leader then enters these estimates
into the computer running the project software, along with the precedence
relationships associated with the various activities. The software then can schedule
tasks, identify critical and noncritical activities, compute slack times, and so forth.
Project management software also allows the project leader to perform what-if
analysis, for example, to experiment with different systems implementation work
schedules or determine how delays in specific activities are likely to affect other
10.13) In Business Process Outsourcing (BPO) in the accounting area, the
degree to which a company outsources its processing operations can range from
routine assistance with a single application such as payroll or tax compliance to
performing almost all the accounting functions of the organization. Outsourcing
contracts are typically signed for 5-10 years, and annual costs depend on the
amount of data processing work to be performed and range from “thousands” to
“millions” of dollars. Knowledge Process Outsourcing (KPO) is where a business or
an individual contracts with someone, often in another country, to perform research
or other knowledge-related work. The growth of outsourcing in this area is expected
to be as much as 46 percent per year, with that country doing much of the work.
Three high potential areas for this type of outsourcing are intellectual property
research related to development and filing a patent application, data mining of
consumer data, and research and development related to medical drugs and
biotechnology. The primary motivator for outsourcing is cost savings, which
come from economies of scale where the process-provider is able to spread costs
among several clients and achieve high volumes for purchases.