Willie Virgen 7443468
Discussion Questions Set #2

• CHAPTER 5
1. Four data items that could be used by both personnel and payroll functions are employee names, Social Security numbers, wage rate, and date hired. Personnel functions can also include number of years worked and spouse’s name. Payroll functions can include wage benefits and gross pay to date.
2. Accounting transactions associated with payroll processing must be repetitive because of all of the controls that the AIS must use in order to effectively organize, manage, and calculate the employee’s money. Some companies go outside of their businesses to make sure that their calculations are correct and so that they are not liable for any mishaps.
3. When adding new raw inventory materials to a system, an employee must fill out a materials requisition form to acquire more. When a worker records time spent on the production line, he has to fill out his time card to process when he checked in and checked out.
4. An important non-financial document of AIS for a manufacturing firm’s production process would be the master production schedule. This shows the quantities and the timing of goods needed to meet the required quantities for anticipated sales.
5. Inputs and outputs of a production process for a home-builder and a cement company would be relatively identical. The only difference would be the materials of the inputs and outputs. A home-builder would need wood, nails, etc., whereas a cement company would just need materials for concrete-working.
6. Three different vertical markets include grocery stores, public accounting firms, and real estate. Different influences for these different areas include prices of agricultural produce for grocery stores, time and billing systems for accounting firms, and land prices for real estate.
7. To reengineer my business, I would organize around the outcomes, not the tasks. This eliminates more errors and costs, and improves efficiency. Then I would centralize and disperse data to further lower costs of inventories and improve service. All in all, I would have to keep realistic expectations, meet employee resistance effectively, and have the support of my top management.

• CHAPTER 8
1. Managers organize and evaluate their corporate governance structure according to the 1992 COSO Report. It improves the quality of financial reporting through business ethics, effective internal controls, and corporate governance. It established a common definition of internal control for assessing control systems, as well as determined how to improve controls. In 2004, the primary provisions of ERM were to determine if the objectives are aligned with the organizational strategy and that goals are consistent with the level of risk the organization can take.
2. The primary provisions of CobiT are to research, develop, publicize, and promote an authoritative, up-to-date international set of generally accepted information technology control objectives for day-to-day use by managers, IT pros, and assurance pros.
3. COSO and CobiT frameworks are so important because managers must first tend to the requirements outlined in the COSO report (control environment, risk assessment, control activities, info and comm., and monitoring). This determines how IT can best be used to support the business processes.
4. A company’s control procedures are classified into three major types: preventive controls, detective controls, and corrective controls. The most important of the three, in my opinion, is the preventive control, because if you can prevent an error from happening, then you don’t need the other controls.
5. Accountants are paranoid about having an effective and efficient internal control system because they want to be able to follow what is happening throughout all phases of accounting data processing. They want as few errors and irregularities as possible.
6. Preventive controls prevent errors from happening. Detective controls deal with errors that have actually already occurred, while Corrective controls correct the errors from happening again. An example of a Preventive control is determining the total dollar sales from all invoices before sending them to the information processing subsystem. A Detective control can be comparing sales invoice amounts to the sales department amounts; finally, a Corrective control: if there is a problem, investigate the problem and fix it.
7. Competent employees are necessary for a firm because the quality directly affects the quality of the goods and services provided by the company. They also help create value for an organization. Because there are fewer employees than before, today’s employees have more responsibility and oversight as well.
8. Separation of Duties reduces the risk of undetected errors and irregularities by using more than one person to perform essentially three different tasks: Authorizing, Recording, and/or Custody of Assets. If one person does more than one of these actions, he/she is more likely to commit an error because of the responsibilities.
9. Firms use prenumbered checks to maintain accountability for both issued and unissued checks for making authorized cash disbursements. This reduces the risk of employee misappropriation of cash. They use a voucher system because it reduces the number of cash disbursement checks that are written and the disbursement voucher is an internally generated document.
10. Cost-benefit analysis plays the role that lets the firm know whether or not certain internal controls should be implemented. It does this by figuring out expected loss (Exp. Loss = Risk * Exposure).

• CHAPTER 9
1. A security policy is a comprehensive plan that helps protect the enterprise from internal and external threats. An integrated security system, supported by a comprehensive security policy, can significantly reduce the risk of attack because it increases the costs and resources needed by an intruder.
2. The guidance/framework I would use to establish IT governance would be the COSO report of 2004. I would use this for every level of management-related IT issues.
3. WLANs send information wirelessly. Hardwired LANs send information through cables and wires. Firms now use biometrics, such as digital fingerprint authentication technology, and user accounts and passwords for network protection.
4. Contingency planning includes the development of a formal disaster recovery plan, or a business continuity plan. Such a plan is necessary because a variety of unforeseen disasters could occur that would cause a data processing center to not be operational. They are basically manuals for emergency situations for a firm’s branch.
5. Backup is the procedure in which a computer network system completes all procedures and then makes copies of all the data and other information needed to restart the system. This is recorded on a separate disk and is done multiple times per hour. It is necessary for accounting info systems because computers crash relatively frequently and it is a good precaution to have.
6. Two common risks associated with microcomputers are Hardware and Data Software. Hardware is a risk because the computers can be stolen or lost easily because of their size. Data Software is a risk because the data can be manipulated by anyone with a computer-related background. Three controls that should always be implemented: have the microcomputers locked to the desks or to the walls, secret passwords that are changed periodically, and mandatory backup of important data every day.
7. Jean & Joan Cosmetics should use input controls such as the test input data routine that tests the validity, accuracy, and completeness as early as possible. Observation control procedures assist in collecting data that will be recorded (feedback mechanism). Use of UPC codes on items also helps with inventory.
8. Edit tests examine selected fields of input data and reject those transactions (or other types of data input) whose data fields do not meet the preestablished standards of data quality. Check-digit procedures duplicate computational procedures at the time of data access, and therefore validate the accuracy of the data before the transaction data was used to update a master file. Passwords limit access to information. Activity listings create good audit trails. Control totals serve as a control on the contents of each bundle. It includes different information that may not make sense at all sometimes.
9. Logical access to a computer is having remote access to a computer from a distant location. Physical access is actually being in front of the computer in question and touching it. Security is important with both types of access to protect and safeguard assets.
10. The statement displays an opinion with an interesting argument; however, separation of duties should always be implemented amongst the organization of a firm because computers often crash and backup is always needed. Therefore, they should have checkpoints and procedures in their protocol that reduce the risk of error so that the multi-task function still works properly.
11. Control totals control the contents of an information bundle. An example includes the bundle number, today’s date, and the total dollar amount for the checks themselves. They are insufficient to guard against data inaccuracies because they need to be checked by internal controls to be accurate with internal counts.

• CHAPTER 7
1. The “tip of the iceberg” description for computer crime cases, I believe, is very accurate. Even though today’s technology has allowed us to do many great unimaginable things, it has also paved the way for e-crime, which, when performed accurately and correctly, can be untraceable. Also, the cyber-world is unimaginably huge. To this day, we do not know the exact size of it.
2. One explanation for the downplay of computer crimes and abuse is the fact that the majority take place in private companies, where it is handled as an internal matter. We have no laws that require organizations to report computer offenses. The number one reason why it is not reported by managers is because of the negative publicity that might impact their stock price and image. It is also because of the fear that competitors would use the info to their advantage.
3. Most computer cases are in fact not reported because of the exponential growth in computer resources. More people are also learning how to compromise computer systems as well. Many microcomputer users are not aware of, or conscientious about, computer security. Lastly, many Internet pages now give step-by-step instructions on how to perpetrate computer crimes.
4. A company does not have the right to collect, store, and disseminate information about an individual’s purchasing activities without permission. This information is very private and contains things like Social Security numbers, addresses, account numbers, etc. Breaches like this could ruin a person’s credit score and could lead to identity theft.
5. The TRW employees were free to do whatever because they didn’t have any authorization and validation of credit changes in their AIS system whatsoever. This allowed them to enter false information. Had these controls been in place earlier, the crime would never have happened.
6. A hacker is a person who uses computers to gain unauthorized access to important data. To combat hacking, the U.S. Patriot Act of 2001 was put in place to help discourage computer hacking by allowing the Feds to locate and prosecute hackers. Other tactics include user education, passwords, and bioauthorizations.
7. A computer virus is an attachment to other files or programs that affects computer files, operating system activities, or software.
8. Educating employees about computer crime can help stop it because it makes potential hackers aware of the ethics of computer usage and the inconvenience, lost time, and costs incurred by victim organizations.
9. Internet crimes are considered to be white-collar crime. This consists of fraud. Assets at risk are cash, accounts receivable, inventories, etc. Other examples of crimes include thieves supplying fake credit card numbers to buy stuff, copying web pages without permission, denying legitimate Internet users access, etc. To stop these kinds of crimes, we must have strict agencies that enforce the numerous accounting standards, such as FASB and the numerous accounting firms. And we also have to improve our own ethical standards that are based on social expectations, culture, etc.
10. Ethics is a set of moral principles or values. Therefore, ethical behavior involves making choices and judgments that are morally acceptable and then acting accordingly. Types of ethical choices involved in AISs include “ignorance of proper conduct,” “misguided playfulness,” and even heroism and recognition. Codes of ethics are imposed to aid professionals in selecting among alternatives that are not clear-cut. They also provide ethics committees to help and remind employees with choices. Remind employees that ethics are important, provide real-life examples, and teach by example and reward with promotions and benefits.
11. An Internal Services board of the Rivera Regional Bank should first review Mr. Allen. There might be a specific reason as to why he has not taken a vacation and willfully worked all those late nights.

• CHAPTER 10
1. The Planning part of a systems study involves performing a preliminary investigation of the existing system, organizing a systems study team, and developing strategic plans for the remainder of the study. The Analysis step involves analyzing the company’s current system in order to identify the info needs, strengths, and weaknesses of the existing system. The Design step involves an organization’s attempt to design changes that eliminate the current system’s weak points while preserving the strengths.
2. A steering committee is an appointed committee that works with each study team as it performs its tasks. The committee consists of top management personnel that provide continuous interface. The rationale for such involvement is straightforward: top management commitment is critical to the ultimate success of a new or revised system.
3. General Systems Goals: Help AIS contribute to an efficient and effective organization.
   • Cost/benefit Analysis
   • Outputs improve decisions
   • Optimal access to info
   • Flexible enough to make new accommodations.
   Top Management Systems Goals:
   • Long-range budget planning for effective strategic decisions
   • Periodic performance reports for vital control info
   • Short-range operating performance knowledge of org’s subsystems
   Operating Management System Goals: Relate to well-defined and narrower organizational areas.
   • Majority of decisions are for the current business year.
   • Info required for decisions is generated internally as a byproduct.
4. A feasibility evaluation is the first procedure in which the design team determines the practicality of alternative proposals. They must examine five areas: (1) technical, (2) operational, (3) schedule, (4) legal, and (5) economic feasibility. This should precede the preparation of a systems specification report for a computer vendor evaluation so they know that the system is capable and feasible.
5. Annual cash benefits for an online ordering system include saving money by using less paper to print up accounts receivable or inventory reports. Annual cash costs for this same company include expenses for evaluating this same system for updates, strengths, and weaknesses.
6. Prototyping means developing a simplified model of a proposed information system. A prototype is a scaled-down, experimental version of a nonexistent information system that a design team can develop cheaply and quickly for user-evaluation purposes. It is useful when end users do not understand their info needs very well, system requirements are hard to define, the new system is mission-critical or needed quickly, past interactions have resulted in misunderstandings between end users and designers, and/or there are high risks associated with developing and implementing the wrong system. It is a bad idea when it is being used as a systems design approach. And it is also not recommended for developing traditional AIS applications where the inputs, processing, and outputs are already well known and clearly defined.
7. The System Specifications Report summarizes the findings of the design team for the requirements of the new system. The information in this report includes:
   • Historical background information about the company’s operating activities.
   • Detailed information about the problems in the company’s current system.
   • Detailed descriptions of the systems design proposals.
   • Indication of what the vendors should include in their proposals to the company.
   • Time schedule for implementing the new system.
8. The rationale for performing step one before step two is that controls must be first established so that the data can be converted into the required file format for the new system that is specified. These controls are more inexpensive to apply in the beginning than to go and change later on once all of the system is created.
9. Three conversion types for old-to-new system changes:
   • Direct: Immediately discontinuing use of the old system and letting the new system “sink or swim.”
   • Parallel: The organization operates both the new and the old system for some period of time.
   • The new system is implemented in stages, one process or module at a time.
10. A Program Evaluation Review Technique (PERT) Chart requires a project leader to prepare a list of systems implementation activities, identify the prerequisite activities that must be completed before others can start, and estimate the amount of time required to complete each activity. PERT is a useful project management tool because of its ability to help managers identify critical paths and areas where slack time occurs. Gantt charts are useful for both scheduling and tracking the activities of systems implementation projects because actual progress can be indicated directly on the Gantt chart and contrasted with the planned progress. Compare estimated completion times against actual ones. A disadvantage is that they don’t indicate the precedence relationships among the project activities.
11. The purpose of the follow-up and maintenance phase is to monitor the new system and make sure that it continues to satisfy the three levels of organizational goals: (1) general systems goals, (2) top management systems goals, and (3) operating management systems goals. Reevaluate the new system by talking with top management and end users, evaluating the control procedures, observing employee work performance, and looking at the output schedules to see if they are up to par.
12. A company’s software can be purchased by either acquiring prewritten software and tailoring it to the needs of the firm, or they can just acquire a complete, ready-to-go system.
13. KPO (Knowledge Process Outsourcing) is where a business or an individual contracts with someone, often in another country, to perform research or other knowledge-related work. BPO (Business Process Outsourcing) is outsourcing the actual business process. Firms outsource their IT because it is cheaper and more cost effective to go outside their company.
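
Chapter 9, answers 8 and 11 describe edit tests, check digits and control totals on a bundle of checks. The sketch below is an added example, not part of the original answers: it assumes a Luhn mod-10 check digit (the answers name no scheme), a hypothetical $10,000 amount limit and constructed sample checks, and shows a bundle whose control totals reconcile even though it contains keying errors.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

@dataclass
class Check:
    account: str        # assumed: last digit is a Luhn check digit
    amount: Decimal

@dataclass
class BatchHeader:      # control-total slip: bundle number, date, count, dollars
    bundle_no: int
    batch_date: date
    record_count: int
    dollar_total: Decimal

def luhn_ok(number: str) -> bool:
    """Check-digit test: recompute the Luhn mod-10 sum over every digit."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def edit_test(c: Check, limit: Decimal = Decimal("10000")) -> list:
    """Field-level edit tests; returns the reasons a record is rejected."""
    errors = []
    if not luhn_ok(c.account):
        errors.append("account check digit")
    if not (Decimal("0") < c.amount <= limit):
        errors.append("amount out of range")
    return errors

def reconcile(header: BatchHeader, checks: list) -> bool:
    """Control-total test: record count and dollar sum must match the slip."""
    dollars = sum((c.amount for c in checks), Decimal("0"))
    return len(checks) == header.record_count and dollars == header.dollar_total

def process(header: BatchHeader, checks: list) -> tuple:
    """Run both controls; returns (totals_match, {record index: reasons})."""
    rejects = {i: e for i, c in enumerate(checks) if (e := edit_test(c))}
    return reconcile(header, checks), rejects

# Constructed sample bundle (all values invented for this example).
HEADER = BatchHeader(17, date(2024, 1, 15), 3, Decimal("600.00"))
GOOD = [Check("79927398713", Decimal("100.00")),
        Check("12345674", Decimal("200.00")),
        Check("79927398713", Decimal("300.00"))]
# Keying errors: amounts off by +50 and -50 (they cancel in the total),
# and two adjacent digits transposed in the last account number.
BAD = [Check("79927398713", Decimal("150.00")),
       Check("12345674", Decimal("200.00")),
       Check("79927389713", Decimal("250.00"))]

if __name__ == "__main__":
    print(process(HEADER, GOOD))
    print(process(HEADER, BAD))
```

For the `BAD` bundle the control totals still match, the check digit flags only the transposed account number, and the offsetting amount errors pass both controls, so they would surface only when compared against the source documents.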