Accounting Information Systems
SIXTH EDITION
JAMES A. HALL
Peter E. Bennett Chair in Business and Economics, Lehigh University
Australia Brazil Japan Korea Mexico Singapore Spain United Kingdom United States
Accounting Information Systems, Sixth Edition
James A. Hall

VP/Editorial Director: Jack W. Calhoun
Publisher: Rob Dewey
Acquisitions Editor: Matt Filimonov
Developmental Editor: Aaron Arnsparger
Marketing Manager: Kristin Hurd
Production Project Manager: Darrell Frye
Manufacturing Coordinator: Doug Wilke
Production House: Pre-PressPMG
Printer: Edwards Brothers
Art Director: Stacy Jenkins Shirley
Cover and Internal Designer: C. Miller Design
Cover Images: Getty Images

2008 Cengage Learning

ALL RIGHTS RESERVED. No part of this work covered by the copyright herein may be reproduced, transmitted, stored or used in any form or by any means graphic, electronic, or mechanical, including but not limited to photocopying, recording, scanning, digitizing, taping, Web distribution, information networks, or information storage and retrieval systems, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the publisher.

For more information about our products, contact us at: Cengage Learning Academic Resource Center, For permission to use material from this text or product, submit a request online at

South-Western Cengage Learning, a part of Cengage Learning. Cengage, the Star logo, and South-Western are trademarks used herein under license.

Library of Congress Control Number: ISBN-13: ISBN-10:

Cengage Learning 5191 Natorp Boulevard Mason, OH USA

Printed in the United States of America
Brief Contents

Part I Overview of Accounting Information Systems
Chapter 1 The Information System: An Accountant's Perspective
Chapter 2 Introduction to Transaction Processing
Chapter 3 Ethics, Fraud, and Internal Control

Part II Transaction Cycles and Business Processes
Chapter 4 The Revenue Cycle
Chapter 5 The Expenditure Cycle Part I: Purchases and Cash Disbursements Procedures
Chapter 6 The Expenditure Cycle Part II: Payroll Processing and Fixed Asset Procedures
Chapter 7 The Conversion Cycle
Chapter 8 Financial Reporting and Management Reporting Systems

Part III Advanced Technologies in Accounting Information
Chapter 9 Database Management Systems
Chapter 10 The REA Approach to Database Modeling
Chapter 11 Enterprise Resource Planning Systems
Chapter 12 Electronic Commerce Systems

Part IV Systems Development Activities
Chapter 13 Managing the Systems Development Life Cycle
Chapter 14 Construct, Deliver, and Maintain Systems Project

Part V Computer Controls and Auditing
Chapter 15 IT Controls Part I: Sarbanes-Oxley and IT Governance
Chapter 16 IT Controls Part II: Security and Access
Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls

Glossary
Index
Table of Contents

Part I Overview of Accounting Information Systems

Chapter 1 The Information System: An Accountant's Perspective
The Information Environment; What Is a System?; An Information Systems Framework; AIS Subsystems; A General Model for AIS; Acquisition of Information Systems; Organizational Structure; Business Segments; Functional Segmentation; The Accounting Function; The Information Technology Function; The Evolution of Information System Models; The Manual Process Model; The Flat-File Model; The Database Model; The REA Model; Enterprise Resource Planning Systems; The Role of the Accountant; Accountants as Users; Accountants as System Designers; Accountants as System Auditors; Summary

Chapter 2 Introduction to Transaction Processing
An Overview of Transaction Processing; Transaction Cycles; The Expenditure Cycle; The Conversion Cycle; The Revenue Cycle; Accounting Records; Manual Systems; The Audit Trail; Computer-Based Systems; Documentation Techniques; Data Flow Diagrams and Entity Relationship Diagrams; Flowcharts; Record Layout Diagrams; Computer-Based Accounting Systems; Differences between Batch and Real-Time Systems; Alternative Data Processing Approaches; Batch Processing Using Real-Time Data Collection; Real-Time Processing; Summary; Appendix

Chapter 3 Ethics, Fraud, and Internal Control
Ethical Issues in Business; Business Ethics; Computer Ethics; Sarbanes-Oxley Act and Ethical Issues; Fraud and Accountants; Definitions of Fraud; Factors that Contribute to Fraud; Financial Losses from Fraud; The Perpetrators of Frauds; Fraud Schemes; Internal Control Concepts and Techniques; SAS 78/COSO Internal Control Framework; Summary

Part II Transaction Cycles and Business Processes

Chapter 4 The Revenue Cycle
The Conceptual System; Overview of Revenue Cycle Activities; Sales Return Procedures; Cash Receipts Procedures; Revenue Cycle Controls; Physical Systems; Manual Systems; Sales Order Processing; Sales Return Procedures; Cash Receipts Procedures; Computer-Based Accounting Systems; Automating Sales Order Processing with Batch Technology; Keystroke; Edit Run; Update Procedures; Reengineering Sales Order Processing with Real-Time Technology; Transaction Processing Procedures; General Ledger Update Procedures; Advantages of Real-Time Processing; Automated Cash Receipts Procedures; Reengineered Cash Receipts Procedures; Point-of-Sale (POS) Systems; Daily Procedures; End-of-Day Procedures; Reengineering Using EDI; Reengineering Using the Internet; Control Considerations for Computer-Based Systems; PC-Based Accounting Systems; PC Control Issues; Summary; Appendix

Chapter 5 The Expenditure Cycle Part I: Purchases and Cash Disbursements Procedures
The Conceptual System; Overview of Purchases and Cash Disbursements Activities; The Cash Disbursements Systems; Expenditure Cycle Controls; Physical Systems; A Manual System; The Cash Disbursements Systems; Computer-Based Purchases and Cash Disbursements Applications; Automating Purchases Procedures Using Batch Processing Technology; Cash Disbursements Procedures; Reengineering the Purchases/Cash Disbursements System; Control Implications; Summary

Chapter 6 The Expenditure Cycle Part II: Payroll Processing and Fixed Asset Procedures
The Conceptual Payroll System; Payroll Controls; The Physical Payroll System; Manual Payroll System; Computer-Based Payroll Systems; Automating the Payroll System Using Batch Processing; Reengineering the Payroll System; The Conceptual Fixed Asset System; The Logic of a Fixed Asset System; The Physical Fixed Asset System; Computer-Based Fixed Asset System; Controlling the Fixed Asset System; Summary

Chapter 7 The Conversion Cycle
The Traditional Manufacturing Environment; Batch Processing System; Controls in the Traditional Environment; World-Class Companies and Lean Manufacturing; What Is a World-Class Company?; Principles of Lean Manufacturing; Techniques and Technologies that Promote Lean Manufacturing; Physical Reorganization of the Production Facilities; Automation of the Manufacturing Process; Accounting in a Lean Manufacturing Environment; What's Wrong with Traditional Accounting Information?; Activity-Based Costing (ABC); Value Stream Accounting; Information Systems that Support Lean Manufacturing; Materials Requirement Planning (MRP); Manufacturing Resource Planning (MRP II); Enterprise Resource Planning (ERP) Systems; Summary

Chapter 8 Financial Reporting and Management Reporting Systems
Data Coding Schemes; A System without Codes; A System with Codes; Numeric and Alphabetic Coding Schemes; The General Ledger System; The Journal Voucher; The GLS Database; GLS Procedures; The Financial Reporting System; Sophisticated Users with Homogeneous Information Needs; Financial Reporting Procedures; Controlling the FRS; COSO/SAS 78 Control Issues; The Management Reporting System; Factors that Influence the MRS; Management Principles; Management Function, Level, and Decision Type; Problem Structure; Types of Management Reports; Responsibility Accounting; Behavioral Considerations; Summary

Part III Advanced Technologies in Accounting Information

Chapter 9 Database Management Systems
Overview of the Flat-File vs. Database Approach; Data Storage; Data Updating; Currency of Information; Task-Data Dependency; The Database Approach; Flat-File Problems Solved; Controlling Access to the Database; The Database Management System; Three Conceptual Models; Elements of the Database Environment; Users; Database Management System; Database Administrator; The Physical Database; The Relational Database Model; Relational Database Concepts; Anomalies, Structural Dependencies, and Data Normalization; Designing Relational Databases; Identify Entities; Construct a Data Model Showing Entity Associations; Add Primary Keys and Attributes to the Model; Normalize Data Model and Add Foreign Keys; Construct the Physical Database; Prepare the User Views; Global View Integration; Databases in a Distributed Environment; Centralized Databases; Distributed Databases; Summary; Appendix

Chapter 10 The REA Approach to Database Modeling
The REA Approach; The REA Model; Developing an REA Model; Differences between ER and REA Diagrams; View Modeling: Creating an Individual REA Diagram; View Integration: Creating an Enterprise-Wide REA Model; Step 1. Consolidate the Individual Models; Step 2. Define Primary Keys, Foreign Keys, and Attributes; Step 3. Construct Physical Database and Produce User Views; REA and Value Chain Analysis; REA Compromises in Practice; Summary

Chapter 11 Enterprise Resource Planning Systems
What Is an ERP?; ERP Core Applications; Online Analytical Processing; ERP System Configurations; Server Configurations; OLTP Versus OLAP Servers; Database Configuration; Bolt-on Software; Data Warehousing; Modeling Data for the Data Warehouse; Extracting Data from Operational Databases; Cleansing Extracted Data; Transforming Data into the Warehouse Model; Loading the Data into the Data Warehouse Database; Decisions Supported by the Data Warehouse; Supporting Supply Chain Decisions from the Data Warehouse; Risks Associated with ERP Implementation; Big Bang Versus Phased-in Implementation; Opposition to Changes in the Business's Culture; Choosing the Wrong ERP; Choosing the Wrong Consultant; High Cost and Cost Overruns; Disruptions to Operations; Implications for Internal Control and Auditing; Transaction Authorization; Segregation of Duties; Supervision; Accounting Records; Access Controls; Auditing the Data Warehouse; Summary; Appendix

Chapter 12 Electronic Commerce Systems
Intra-Organizational Networks and EDI; Internet Commerce; Internet Technologies; Protocols; Internet Protocols; Benefits from Internet Commerce; Risks Associated with Electronic Commerce; Intranet Risks; Internet Risks; Risks to Consumers; Security, Assurance, and Trust; Encryption; Digital Authentication; Firewalls; Seals of Assurance; Implications for the Accounting Profession; Privacy Violation; Audit Implications of XBRL; Continuous Auditing; Electronic Audit Trails; Confidentiality of Data; Authentication; Nonrepudiation; Data Integrity; Access Controls; A Changing Legal Environment; Summary; Appendix

Part IV Systems Development Activities

Chapter 13 Managing the Systems Development Life Cycle
The Systems Development Life Cycle; Participants in Systems Development; Systems Strategy; Assess Strategic Information Needs; Strategic Business Needs; Legacy Systems; User Feedback; Develop a Strategic Systems Plan; Create an Action Plan; The Learning and Growth Perspective; The Internal Business Process Perspective; The Customer Perspective; The Financial Perspective; Balanced Scorecard Applied to IT Projects; Project Initiation; Systems Analysis; The Survey Step; The Analysis Step; Conceptualization of Alternative Designs; How Much Design Detail Is Needed?; Systems Evaluation and Selection; Perform a Detailed Feasibility Study; Perform Cost-Benefit Analysis; Prepare Systems Selection Report; Announcing the New System Project; User Feedback; The Accountant's Role in Managing the SDLC; How Are Accountants Involved with SDLC?; The Accountant's Role in Systems Strategy; The Accountant's Role in Conceptual Design; The Accountant's Role in Systems Selection; Summary

Chapter 14 Construct, Deliver, and Maintain Systems Project
In-House Systems Development; Tools for Improving Systems Development; Construct the System; The Structured Design Approach; The Object-Oriented Design Approach; System Design; Data Modeling, Conceptual Views, and Normalized Tables; Design Physical User Views; Design the System Process; Design System Controls; Perform a System Design Walk-Through; Program Application Software; Software Testing; Deliver the System; Testing the Entire System; Documenting the System; Converting the Databases; Converting to the New System; Post-Implementation Review; The Role of Accountants; Commercial Packages; Trends in Commercial Packages; Advantages of Commercial Packages; Disadvantages of Commercial Packages; Choosing a Package; Maintenance and Support; User Support; Knowledge Management and Group Memory; Summary; Appendix

Part V Computer Controls and Auditing

Chapter 15 IT Controls Part I: Sarbanes-Oxley and IT Governance
Overview of Sections 302 and 404 of SOX; Relationship between IT Controls and Financial Reporting; Audit Implications of Sections 302 and IT Governance Controls; Organizational Structure Controls; Segregation of Duties within the Centralized Firm; The Distributed Model; Creating a Corporate IT Function; Audit Objectives Relating to Organizational Structure; Audit Procedures Relating to Organizational Structure; Computer Center Security and Controls; Computer Center Controls; Disaster Recovery Planning; Providing Second-Site Backup; Identifying Critical Applications; Performing Backup and Off-Site Storage Procedures; Creating a Disaster Recovery Team; Testing the DRP; Audit Objective: Assessing Disaster Recovery Planning; Audit Procedures for Assessing Disaster Recovery Planning; Summary; Appendix

Chapter 16 IT Controls Part II: Security and Access
Controlling the Operating System; Operating System Objectives; Operating System Security; Threats to Operating System Integrity; Operating System Controls and Test of Controls; Controlling Database Management Systems; Access Controls; Backup Controls; Controlling Networks; Controlling Risks from Subversive Threats; Controlling Risks from Equipment Failure; Electronic Data Interchange (EDI) Controls; Transaction Authorization and Validation; Access Control; EDI Audit Trail; Summary; Appendix

Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls
Systems Development Controls; Controlling Systems Development Activities; Controlling Program Change Activities; Source Program Library Controls; The Worst-Case Situation: No Controls; A Controlled SPL Environment; Application Controls; Input Controls; Processing Controls; Output Controls; Testing Computer Application Controls; Black Box Approach; White Box Approach; White Box Testing Techniques; The Integrated Test Facility; Parallel Simulation; Substantive Testing Techniques; The Embedded Audit Module; Generalized Audit Software (GAS); Summary

Glossary
Index
Welcome to the Sixth Edition

The sixth edition of Accounting Information Systems includes a full range of new and revised homework assignments, up-to-date content changes, as well as several reorganized chapters. All of these changes add up to more student and instructor enhancements than ever before. As this preface makes clear, we have made these changes to keep students and instructors as current as possible on issues such as business processes, systems development methods, IT governance and strategy, security, internal controls, and relevant aspects of Sarbanes-Oxley legislation.

Focus and Flexibility in Designing Your AIS Course

Among accounting courses, accounting information systems (AIS) courses tend to be the least standardized. Often the objectives, background, and orientation of the instructor, rather than adherence to a standard body of knowledge, determine the direction the AIS course takes. Therefore, we have designed this text for maximum flexibility:

This textbook covers a full range of AIS topics to provide instructors with flexibility in setting the direction and intensity of their courses.
At the same time, for those who desire a structured model, the first nine chapters of the text, along with the chapters on electronic commerce and computer controls, provide what has proven to be a successful template for developing an AIS course.
Earlier editions of this book have been used successfully in introductory, advanced, and graduate-level AIS courses.
The topics in this book are presented from the perspective of the managers' and accountants' AIS-related responsibilities under the Sarbanes-Oxley Act.

While the book was written primarily to meet the needs of accounting majors about to enter the modern business world, we have also developed it to be an effective text for general business and industrial engineering students who seek a thorough understanding of AIS and internal control issues as part of their professional education.
Preface

Key Features

Conceptual Framework

This book employs a conceptual framework to emphasize the professional and legal responsibility of accountants, auditors, and management for the design, operation, and control of AIS applications. This responsibility pertains to business events that are narrowly defined as financial transactions. Systems that process nonfinancial transactions are not subject to the new standards of internal control under Sarbanes-Oxley
legislation. Supporting the information needs of all users in a modern organization, however, requires systems that integrate both accounting and nonaccounting functions. While providing the organization with unquestioned benefit, a potential consequence of such integration is a loss of control due to the blurring of the lines that traditionally separate AIS from non-AIS functions. The conceptual framework presented in this book distinguishes AIS applications that are legally subject to specific internal control standards.

Evolutionary Approach

Over the past 50 years, accounting information systems have been represented by a number of different approaches or models. Each new model evolved because of the shortcomings and limitations of its predecessor. An interesting feature in this evolution is that older models are not immediately replaced by the newest technique. Thus, at any point in time, various generations of legacy systems exist across different organizations and often coexist within a single enterprise. The modern accountant needs to be familiar with the operational characteristics of all AIS approaches that he or she is likely to encounter. Therefore, this book presents the salient aspects of five models that relate to both legacy and state-of-the-art systems:

1. manual processes
2. flat-file systems
3. the database approach
4. the resources, events, and agents (REA) model
5. enterprise resource planning (ERP) systems

Emphasis on Internal Controls

The book presents a conceptual model for internal control based on COSO and Statement on Auditing Standards (SAS) No. 78. This model is used to discuss control issues for both manual processes and computer-based information systems (CBIS). Three chapters (Chapters 15, 16 and 17) are devoted to the control of CBIS.
Special emphasis is given to the following areas:

computer operating systems
database management systems
electronic data interchange (EDI)
electronic commerce systems
ERP systems
systems development and program change processes
the organization of the computer function
the security of data processing centers
verifying computer application integrity
Exposure to Systems Design and Documentation Tools

The book examines various approaches and methodologies used in systems analysis and design, including the following:

structured design
object-oriented design
computer-aided software engineering (CASE)
prototyping

In conjunction with these general approaches, professional systems analysts and programmers use a number of documentation techniques to specify the key features of systems. The modern auditor works closely with systems professionals during IT audits and must learn to communicate in their language. The book deals extensively with documentation techniques such as data flow diagrams (DFDs), entity relationship diagrams (ERDs), as well as system, program, and document flowcharts. The book contains numerous systems design and documentation cases and assignments intended to develop the students' competency with these tools.

Significant Changes in the Sixth Edition

Chapter 4, The Revenue Cycle; Chapter 5, The Expenditure Cycle Part I: Purchases and Cash Disbursements Procedures; Chapter 6, The Expenditure Cycle Part II: Payroll Processing and Fixed Asset Procedures

The end-of-chapter material to these chapters has been significantly revised. This entailed the creation of many new multiple-choice questions and problems. In particular, great attention was given to internal control case solutions to ensure that they were consistent in appearance and accurately reflect the cases in the text. In the 6th edition all case solution flowcharts are numerically coded and cross-referenced to text that explains the internal control issues. This approach, which has been classroom tested, facilitates effective presentation of internal control case materials.

Chapter 7, The Conversion Cycle

This chapter has been completely rewritten to include issues, techniques, and technologies pertinent to the popular philosophy of lean manufacturing.
The revised chapter presents the key features of two alternative cost accounting models: (1) activity-based costing (ABC) and (2) value stream accounting. The latter is gaining acceptance as a superior accounting technique for lean manufacturing companies.

Chapter 9, Database Management Systems

The body of this chapter has been revised to better integrate traditional data modeling techniques with REA modeling, which is discussed in Chapter 10. This integration
facilitates distinguishing the modeling techniques that are unique to each approach while avoiding redundant treatment of issues that they have in common. The chapter appendix provides a new and easy-to-understand, business-based data normalization example.

Chapter 10, The REA Approach to Database Modeling

This is an entirely new chapter on REA data modeling. The chapter begins by presenting the theoretical REA model, which is based on an economic exchange. This model is then developed step by step into functional databases for revenue and expenditure cycle applications.

Chapter 11, Enterprise Resource Planning Systems

The significant change to this chapter is a revised appendix that presents the key features of the leading large-scale, midsized, and small business ERP systems.

Chapter 12, Electronic Commerce Systems

This chapter was revised to emphasize the growing and changing threats from denial of service (DOS) attacks. While such attacks can be aimed at any type of website, they are particularly devastating to business entities that are prevented from receiving and processing business transactions from their customers. Three common types of DOS attacks, namely SYN flood, smurf, and distributed denial of service (DDOS), are discussed.

Organization and Content

Part I: Overview of Accounting Information Systems

Chapter 1, The Information System: An Accountant's Perspective

This chapter places the subject of accounting information systems in perspective for accountants. It is divided into four major sections, each dealing with a different aspect of information systems. The first section explores the information environment of the firm. It introduces basic systems concepts, identifies the types of information used in business, and describes the flows of information through an enterprise. This section also presents a framework for viewing accounting information systems in relation to other information systems components.
The second section of the chapter deals with the impact of organizational structure on AIS. The centralized and distributed models are used to illustrate extreme cases in point. The third section reviews the evolution of information systems models. Accounting information systems have been represented by a number of different approaches or models. Five dominant models are examined: manual processes; flat-file systems; the database approach; the resources, events, agents (REA) model; and enterprise resource planning (ERP) systems.
The final section discusses the role of accountants as users, designers, and auditors of AIS. The nature of the responsibilities shared by accountants and computer professionals for developing AIS applications is examined.

Chapter 2, Introduction to Transaction Processing

The second chapter expands on the subject of transaction cycles introduced in Chapter 1. While the operational details of specific transaction cycles are covered in subsequent chapters, this chapter presents material that is common to all cycles. Topics covered include: the relationship between source documents, journals, ledgers, and financial statements in both manual and computer-based systems; system documentation techniques, such as data flow diagrams, entity relationship (ER) diagrams, document systems, and program flowcharts; and data processing techniques, including batch and real-time processing. The techniques and approaches presented in this chapter are applied to specific business cycle applications in later chapters. The chapter is supported by material in the appendix and on the website.

Chapter 3, Ethics, Fraud, and Internal Control

Chapter 3 deals with the related topics of ethics, fraud, and internal control. The chapter first examines ethical issues related to business and specifically to computer systems. The questions raised are intended to stimulate class discussions. The chapter then addresses the subject of fraud. There is perhaps no area of greater controversy for accountants than their responsibility to detect fraud. Part of the problem stems from confusion about what constitutes fraud. This section distinguishes between management fraud and employee fraud. The chapter presents techniques for identifying unethical and dishonest management and for assessing the risk of management fraud. Employee fraud can be prevented and detected by a system of internal controls.
The section discusses several fraud techniques that have been perpetrated in both manual and computer-based environments. The results of a research study conducted by the Association of Certified Fraud Examiners as well as the provisions of the Sarbanes-Oxley Act are presented. The final section of the chapter describes the internal control structure and control activities specified in SAS 78 and the COSO framework. The control concepts discussed in this chapter are applied to specific applications in chapters that follow.

Part II: Transaction Cycles and Business Processes

Chapters 4, 5, and 6, The Revenue and Expenditure Cycles

The approach taken in all three chapters is similar. First, the business cycle is reviewed conceptually using data flow diagrams to present key features and control points of each major subsystem. At this point the reader has the choice of either continuing within the
context of a manual environment or moving directly to computer-based examples. Each system is examined under two alternative technological approaches:

First examined is automation, which preserves the basic functionality by replacing manual processes with computer programs.
Next, each system is reengineered to incorporate real-time technology.

Under each technology, the effects on operational efficiency and internal controls are examined. This approach provides the student with a solid understanding of the business tasks in each cycle and an awareness of how different technologies influence changes in the operation and control of the systems.

Chapter 7, The Conversion Cycle

Manufacturing systems represent a dynamic aspect of AIS. Chapter 7 discusses the technologies and techniques used in support of two alternative manufacturing environments:

traditional mass production (batch) processing
lean manufacturing

These environments are driven by information technologies such as materials requirements planning (MRP), manufacturing resources planning (MRP II), and enterprise resource planning (ERP). The chapter addresses the shortcomings of the traditional cost accounting model as it compares to two alternative models: activity-based costing (ABC) and value stream accounting.

Chapter 8, Financial Reporting and Management Reporting Systems

Chapter 8 begins with a review of data coding techniques used in transaction processing systems and for general ledger design. It explores several coding schemes and their respective advantages and disadvantages. Next it examines the objectives, operational features, and control issues of three related systems: the general ledger system (GLS), the financial reporting system (FRS), and the management reporting system (MRS). The emphasis is on operational controls and the use of advanced computer technology to enhance efficiency in each of these systems.
The chapter distinguishes the MRS from the FRS in one key respect: financial reporting is mandatory and management reporting is discretionary. Management reporting information is needed for planning and controlling business activities. Organization management implements MRS applications at their discretion, based on internal user needs. The chapter examines a number of factors that influence and shape information needs. These include management principles, decision type and management level, problem structure, reports and reporting methods, responsibility reporting, and behavioral issues pertaining to reporting.

Part III: Advanced Technologies in Accounting Information

Chapter 9, Database Management Systems

Chapter 9 deals with the design and management of an organization's data resources. It begins by demonstrating how problems associated with traditional flat-file systems are resolved under the database approach.
The second section describes in detail the functions and relationships among four primary elements of the database environment: the users, the database management system (DBMS), the database administrator (DBA), and the physical database. The third section is devoted to an in-depth explanation of the characteristics of the relational model. A number of database design topics are covered, including data modeling, deriving relational tables from ER diagrams, the creation of user views, and data normalization techniques. The fourth section concludes the chapter with a discussion of distributed database issues. It examines three possible database configurations in a distributed environment: centralized, partitioned, and replicated databases.

Chapter 10, The REA Approach to Database Modeling

Chapter 10 presents the REA model as a means of specifying and designing accounting information systems that serve the needs of all users within an organization. The chapter is composed of the following major sections. It begins by defining the key elements of REA. The basic model employs a unique form of ER diagram called an REA diagram that consists of three entity types (resources, events, and agents) and a set of associations linking them. Next the rules for developing an REA diagram are explained and illustrated in detail. An important aspect of the model is the concept of economic duality, which specifies that each economic event must be mirrored by an associated economic event in the opposite direction. The chapter goes on to illustrate the development of an REA database for a hypothetical firm following a multistep process called view modeling. The result of this process is an REA diagram for a single organizational function. The next section in the chapter explains how multiple REA diagrams (revenue cycle, purchases, cash disbursements, and payroll) are integrated into a global or enterprisewide model.
The enterprise model is then implemented into a relational database structure, and user views are constructed. The chapter concludes with a discussion of how REA modeling can improve competitive advantage by allowing management to focus on the value-added activities of their operations.
Chapter 11, Enterprise Resource Planning Systems
This chapter presents a number of issues related to the implementation of enterprise resource planning (ERP) systems. It is composed of five major sections. The first section outlines the key features of a generic ERP system by comparing the function and data storage techniques of a traditional flat-file or database system to that of an ERP. The second section describes various ERP configurations related to servers, databases, and bolt-on software.
Data warehousing is the topic of the third section. A data warehouse is a relational or multidimensional database that supports online analytical processing (OLAP). A number of issues are discussed, including data modeling, data extraction from operational databases, data cleansing, data transformation, and loading data into the warehouse. The fourth section examines risks associated with ERP implementation. These include big bang issues, opposition to change within the organization, choosing the wrong ERP model, choosing the wrong consultant, cost overrun issues, and disruptions to operations. The fifth section reviews several control and auditing issues related to ERPs. The discussion follows the SAS 78 framework. The chapter appendix provides a review of the leading ERP software products including SAP, Oracle E-Business Suite, Oracle PeopleSoft, JD Edwards, EnterpriseOne, SoftBrands, MAS 500, and Microsoft Dynamics.
Chapter 12, Electronic Commerce Systems
Driven by the Internet revolution, electronic commerce is dramatically expanding and undergoing radical changes. While electronic commerce promises enormous opportunities for consumers and businesses, its effective implementation and control are urgent challenges facing organization management and accountants. To properly evaluate the potential exposures and risks in this environment, the modern accountant must be familiar with the technologies and techniques that underlie electronic commerce. This chapter and the associated appendix deal with several aspects of electronic commerce. The body of the chapter examines Internet commerce including business-to-consumer and business-to-business relationships. It presents the risks associated with electronic commerce and reviews security and assurance techniques used to reduce risk and to promote trust. The chapter concludes with a discussion of how Internet commerce impacts the accounting and auditing profession.
The internal usage of networks to support distributed data processing and traditional business-to-business transactions conducted via EDI systems are presented in the appendix.
Part IV: Systems Development Activities
Chapter 13, Managing the Systems Development Life Cycle and Chapter 14, Construct, Deliver, and Maintain Systems Projects
These chapters examine the accountant's role in the systems development process. Chapter 13 begins with an overview of the systems development life cycle (SDLC). This multistage process guides organization management through the development and/or purchase of information systems. Next, Chapter 13 presents the key issues pertaining to developing a systems strategy, including its relationship to the strategic business plan, the current legacy situation, and feedback from the user community. The chapter provides a methodology for assessing the feasibility of proposed projects and for selecting individual projects to go forward for construction and delivery to their users. The chapter concludes by reviewing the role of accountants in managing the SDLC.
Chapter 14 covers the many activities associated with in-house development, which fall conceptually into two categories: (1) construct the system and (2) deliver the system. Through these activities, systems selected in the project initiation phase (discussed in Chapter 13) are designed in detail and implemented. This involves creating input screen formats, output report layouts, database structures, and application logic. Finally, the completed system is tested, documented, and rolled out to the user. Chapter 14 then examines the increasingly important option of using commercial software packages. Conceptually, the commercial software approach also consists of construct and delivery activities. In this section we examine the pros, cons, and issues involved in selecting off-the-shelf systems. Chapter 14 also addresses the important activities associated with systems maintenance and the associated risks that are important to management, accountants, and auditors.
Several comprehensive cases designed as team-based systems development projects are available on the website. These cases have been used effectively by groups of three or four students working as a design team. Each case has sufficient details to allow analysis of user needs, preparation of a conceptual solution, and the development of a detailed design, including user views (input and output), processes, and databases.
Part V: Computer Controls and Auditing
Chapter 15, IT Controls Part I: Sarbanes-Oxley and IT Governance
This chapter provides an overview of management and auditor responsibilities under Sections 302 and 404 of the Sarbanes-Oxley Act (SOX).
The design, implementation, and assessment of internal control over the financial reporting process form the central theme for this chapter and the two chapters that follow. This treatment of internal control complies with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) control framework. Under COSO, IT controls are divided into application controls and general controls. Chapter 15 presents risks, controls, and tests of controls related to IT governance including organizing the IT function, controlling computer center operations, and designing an adequate disaster recovery plan.
Chapter 16, IT Controls Part II: Security and Access
Chapter 16 continues the treatment of IT controls as described by the COSO control framework. The focus of the chapter is on SOX compliance regarding the security and control of operating systems, database management systems, and communication networks. This chapter examines the risks, controls, audit objectives, and tests of controls that may be performed to satisfy either compliance or attest responsibilities.
Chapter 17, IT Controls Part III: Systems Development, Program Changes, and Application Controls
This chapter concludes our treatment of IT controls as outlined in the COSO control framework. The focus of the chapter is on SOX compliance regarding systems development, program changes, and applications controls. This chapter examines the risks, controls, audit objectives, and tests of controls that may be performed to satisfy compliance or attest responsibilities. The chapter examines five computer-assisted audit tools and techniques (CAATT) for testing application controls:
- the test data method
- base case system evaluation
- tracing
- integrated test facility
- parallel simulation
It also reviews two substantive testing techniques: embedded audit modules and generalized audit software.
Supplements
Product Website
Additional teaching and learning resources, including access to additional internal control and systems development cases, are available by download from the book's website at
PowerPoint Slides
The PowerPoint slides, prepared and completely updated by Patrick Wheeler of the University of Missouri, provide colorful lecture outlines of each chapter of the text, incorporating text graphics and flowcharts where needed. The PPT is available for download from the text website.
Test Bank
The Test Bank, available in Word and written and updated by the text author, contains true/false, multiple-choice, short answer, and essay questions. The files are available for download from the text website.
Solutions Manual
The Solutions Manual, written by the author, contains solutions to all end-of-chapter problems and cases. Adopting instructors may download the Solutions Manual under password protection at the Instructor's Resource page of the book's website.
Acknowledgments
I want to thank the Institute of Internal Auditors, Inc., and the Institute of Certified Management Accountants for permission to use problem materials from past examinations. I would also like to thank Dave Hinrichs, my colleague at Lehigh University, for his careful work on the text and the verification of the Solutions Manual for this edition. I am grateful to the following people for reviewing the book in recent editions and for providing helpful comments:
- Beth Brilliant, Kean University
- Kevin E. Dow, Kent State University
- H.P. Garsombke, University of Nebraska, Omaha
- Sakthi Mahenthiran, Butler University
- Sarah Brown, Southern Arkansas University
- David M. Cannon, Grand Valley State University
- James Holmes, University of Kentucky
- Frank Ilett, Boise State University
- Andrew D. Luzi, California State University, Fullerton
- Srini Ragothaman, University of South Dakota
- Alan Levitan, University of Louisville
- Jeff L. Payne, University of Kentucky
- H. Sam Riner, University of North Alabama
- Helen M. Savage, Youngstown State University
- Jerry D. Siebel, University of South Florida
- Richard M. Sokolowski, Teikyo Post University
- Patrick Wheeler, University of Missouri, Columbia
James A. Hall
Lehigh University
Dedication
To my wife Eileen, and my children Elizabeth and Katie
Glossary
The chapter in which the term is first defined is set in parentheses following the definition.
A
Access control list: These lists contain information that defines the access privileges for all valid users of the resource. An access control list assigned to each resource controls access to system resources such as directories, files, programs, and printers. (16)
Access controls: Controls that ensure that only authorized personnel have access to the firm's assets. (3)
Access method: The technique used to locate records and navigate through the database. (2)
Access tests: Tests that ensure that the application prevents authorized users from unauthorized access to data. (17)
Access token: These contain key information about the user, including user ID, password, user group, and privileges granted to the user. (16)
Accounting information systems (AIS): Specialized subset of information systems that processes financial transactions. (1)
Accounting record: A document, journal, or ledger used in transaction cycles. (2)
Accounts payable pending file: File containing a copy of the purchase requisition. (5)
Accounts receivable (AR) subsidiary ledger: An account record that shows activity by detail for each account type containing, at minimum, the following data: customer name; customer address; current balance; available credit; transaction dates; invoice numbers; and credits for payments, returns, and allowances. (4)
Accuracy: Information must be free from material errors. However, materiality is a difficult concept to quantify. It has no absolute value; it is a problem-specific concept. This means that in some cases, information must be perfectly accurate. (3)
Accuracy tests: Tests that ensure that the system processes only data values that conform to specified tolerances. (17)
Activities: Work performed in a firm. (7)
Activity driver: Factor that measures the activity consumption by the cost object. (7)
Activity-based costing (ABC): Accounting technique that provides managers with information about activities and cost objects. (7)
Ad hoc reports: This technology provides direct-inquiry and report-generation capabilities. (8)
Advanced encryption standard (AES): Also known as Rijndael, this is a private key (or symmetric key) encryption technique. (12)
Agents: Individuals and departments that participate in an economic event. (1)
Algorithm: Procedure of shifting each letter in the cleartext message the number of positions that the key value indicates. (12)
Alphabetic codes: Alphabetic characters assigned sequentially. (8)
Alphanumeric codes: Codes that allow the use of pure alphabetic characters embedded within numeric codes. (8)
Analytical review: Balances to identify relationships between accounts and risks that are not otherwise apparent. (11)
Anomalies: Improperly normalized tables can cause DBMS processing problems that restrict, or even deny, users access to the information they need; such tables exhibit negative operational symptoms called anomalies. (9)
AP subsidiary ledger: The records controlling the exposure in the cash disbursements subsystems. (5)
Application controls: Ensure the integrity of specific systems. (3)
Application-level firewall: Provides high-level network security. (12)
Approved credit memo: The credit manager evaluates the circumstances of the return and makes a judgment to grant (or disapprove) credit. (4)
Approved sales order: These contain sales order information for the sales manager to review once it is approved. (4)
Architecture description: A formal description of an information system that identifies and defines the structural properties of the system. (13)
Archive file: File that contains records of past transactions that are retained for future reference. (2)
Asset acquisition: Usually begins with the departmental manager (user) recognizing the need to obtain a new asset or replace an existing one. (6)
Asset disposal: A disposal report describing the final disposition of the asset. (6)
Asset maintenance: Involves adjusting the fixed asset subsidiary account balances as the assets (excluding land) depreciate over time or with usage. (6)
Association: The relationship among record types. (9)
Assurance services: Professional services, including the attest function, that are designed to improve the quality of information, both financial and nonfinancial, used by decision makers. (1)
Attendance file: File created by the timekeeping department upon receipt of approved time cards. (6)
Attest function: Public confidence in the reliability of internally produced financial statements rests directly on their being validated by an independent expert auditor. (1)
Attributes: Equivalents to adjectives in the English language that serve to describe the objects. (9)
Audit objectives: The task of creating meaningful test data. (17)
Audit procedures: This involves a combination of tests of application controls and substantive tests of transaction details and account balances. (17)
Audit risk: Probability that the auditor will render unqualified opinions on financial statements that are, in fact, materially misstated. (17)
Audit trail: Accounting records that trace transactions from their source documents to the financial statements. (2)
Audit trail controls: Ensures that every transaction can be traced through each stage of processing from its economic source to its presentation in financial statements. (17)
Audit trail test: Ensures that the application creates an adequate audit trail. (17)
Auditing: Form of independent attestation performed by an expert who expresses an opinion about the fairness of a company's financial statements. (1)
Auditor: An expert who expresses an opinion about the fairness of a company's financial statements. (1)
Authenticity tests: Tests verifying that an individual, a programmed procedure, or a message attempting to access a system is authentic. (17)
Authority: The right to make decisions pertaining to areas of responsibility. (8)
Automated storage and retrieval systems (AS/RS): Computer-controlled conveyor systems that carry raw materials from stores to the shop floor and finished products to the warehouse. (7)
Automation: Involves using technology to improve the efficiency and effectiveness of a task. (4)
B
Back-order: These records stay on file until the inventories arrive from the supplier. Back-ordered items are shipped before new sales are processed. (4)
Back-order file: Contains customer orders for out-of-stock items. (4)
Backbone systems: Basic system structure on which to build. (1)
Backup controls: Ensure that in the event of data loss due to unauthorized access, equipment failure, or physical disaster the organization can recover its files and databases. (16)
Balanced scorecard (BSC): A management system that enables organizations to clarify their vision and strategy and translate them into action. (13)
Base case system evaluation (BCSE): Variant of the test data technique, in which comprehensive test data are used. (17)
Batch: A group of similar transactions accumulated over time and then processed together. (2)
Batch control totals: Record that accompanies the sales order file through all of the data processing runs. (4)
Batch controls: Effective method of managing high volumes of transaction data through a system. (17)
Batch systems: Systems that assemble transactions into groups for processing. (2)
Big bang: An attempt by organizations to switch operations from their old legacy systems to the new system in a single event that implements the ERP across the entire company. (11)
Bill of lading: Formal contract between the seller and the shipping company that transports the goods to the customer. (4)
Bill of materials: Document that specifies the types and quantities of the raw materials and subassemblies used in producing a single unit of finished product. (7)
Biometric devices: Devices that measure various personal characteristics, such as fingerprints, voice prints, retina prints, or signature characteristics. (16)
Blind copy: A copy of the purchase order that contains no price or quantity information. (5)
Block code: A coding scheme that assigns ranges of values to specific attributes such as account classifications. (8)
Bolt-on software: Software provided by third-party vendors used in conjunction with already purchased ERP software. (11)
Botnets: Collections of compromised computers. (12)
Bribery: Involves giving, offering, soliciting, or receiving things of value to influence an official in the performance of his or her lawful duties. (3)
Budget: This process helps management achieve its financial objectives by establishing measurable goals for each organizational segment. (8)
Budget master file: Contains budgeted amounts for revenues, expenditures, and other resources for responsibility centers. (8)
Business ethics: Pertains to the principles of conduct that individuals use in making choices and guiding their behavior in situations that involve the concepts of right and wrong. (3)
C
Caesar cipher: The earliest encryption method is called the Caesar Cipher, which Julius Caesar is said to have used to send coded messages to his generals in the field. (12)
Call-back device: Hardware component that asks the caller to enter a password and then breaks the connection to perform a security check. (16)
Cardinality: The numerical mapping between entity instances. (2)
Cash disbursement vouchers: Provide improved control over cash disbursements and allow firms to consolidate several payments to the same supplier on a single voucher, thus reducing the number of checks written. (5)
Cash disbursements journal: Contains the voucher number authorizing each check and provides an audit trail for verifying the authenticity of each check written. (5)
Cash receipts journal: Records that include details of all cash receipts transactions, including cash sales, miscellaneous cash receipts, and cash received. (4)
Centralized database: Database retained in a central location. (9)
Centralized data processing: Under this model, all data processing is performed by one or more large computers housed at a central site that serve users throughout the organization. (1)
Certification authorities (CAs): Trusted third parties that issue digital certificates. (12)
Changed data capture: The technique that can dramatically reduce the extraction time by capturing only newly modified data. (11)
Chart of accounts: A listing of an organization's accounts showing the account number and name. (8)
Check digit: Method for detecting data coding errors. A control digit is added to the code when it is originally designed to allow the integrity of the code to be established during subsequent processing. (17)
Check register: A record of all cash disbursements. (5)
Checkpoint feature: This feature suspends all data processing while the system reconciles the transaction log and the database change log against the database. (16)
Client-server model: A form of network topology in which a user's computer or terminal (the client) accesses the ERP programs and data via a host computer called the server. (11)
Closed accounts payable file: The check number is recorded in the voucher register to close the voucher and transfer the items to the closed AP file. (5)
Closed database architecture: A database management system used to provide minimal technological advantage over flat file systems. (11)
Closed purchase order file: The prepare purchase order function receives the purchase requisitions, which are sorted by vendor if necessary. The last copy is filed in the open/closed purchase order file which is sent to the vendor. (5)
Closed sales order file: The batch program prepares and mails customer bills and transfers the closed sales records to the closed sales order file, which is also called the sales journal. (4)
Closed voucher file: A file that contains the voucher packets of all paid (closed) accounts payable items. (5)
Cohesion: Number of tasks a module performs. (14)
Cold turkey cutover: Process of converting in which a firm switches to a new system on a particular day and simultaneously terminates the old system. (14)
Competency analysis: Provides a complete picture of the organization's effectiveness as seen via four strategic filters: resources, infrastructure, products/services, and customers. (13)
Compilers: Language translation modules of the operating system. (16)
Completeness: A report should provide all necessary calculations and present its message clearly and unambiguously. (3)
Completeness tests: Tests identifying missing data within a single record and entire records missing from a batch. (17)
Composite key: Comprises two attributes: INVOICE NUM and PROD NUM. (9)
Computer ethics: The analysis of the nature and social impact of computer technology and the corresponding formulation and justification of policies for the ethical use of such technology. Includes details about software as well as hardware and concerns about networks connecting computers as well as computers themselves. (3)
Computer fraud: The theft, misuse, or misappropriation of assets by altering computer-readable records and files, or by altering the logic of computer software, or the illegal use of computer-readable information, or intentional destruction of computer software or hardware. (3)
Computer numerical control (CNC): Computer-controlled machines that replace skilled labor. The computer contains programs for all parts being manufactured by the machine. (7)
Computer-aided design (CAD): Use of computers to design products to be manufactured. (7)
Computer-aided manufacturing (CAM): Use of computers in factory automation. (7)
Computer-aided software engineering (CASE): Technology that involves the use of computer systems to design and code computer systems. (14)
Computer-assisted audit tools and techniques (CAATTs): To illustrate how application controls are tested and to verify the effective functioning of application controls. (17)
Computer-integrated manufacturing (CIM): Completely automated environment. (7)
Conceptual system: The production of several alternative designs for the new system. (1)
Conceptual user views: Description of the entire database. (14)
Concurrency control: To ensure that transactions processed at each site are accurately reflected in the databases at all other sites. (9)
Conflict of interest: Outlines procedures for dealing with actual or apparent conflicts of interest between personal and professional relationships. (3)
Consolidation: The aggregation or roll-up of data. (11)
Construct: To design and build working software that is ready to be tested and delivered to its user community. This phase involves modeling the system, programming the applications, and application testing. (14)
Control activities: Policies and procedures used to ensure that appropriate actions are taken to deal with the organization's risks. (3)
Control environment: The foundation of internal control. (3)
Controller: The cash receipts department typically reports to the treasurer, who has responsibility for financial assets. Accounting functions report to the controller. Normally these two general areas of responsibility are performed independently. (4)
Conversion cycle: Cycle comprising the production system and the cost accounting system. (2)
Cookies: Files containing user information that are created by the web server of the site being visited and are then stored on the visitor's own computer hard drive. (12)
Core applications: The applications that operationally support the day-to-day activities of the business. (11)
Corporate IT function: The corporate IT function is a leaner unit with a different mission than that of the centralized IT function. (15)
Corrective controls: Actions taken to reverse the effects of errors detected in the previous step. (3)
Cost accounting system: The process of tracking, recording, and analyzing costs associated with the products or activities of an organization. (7)
Cost center: Organizational unit with responsibility for cost management within budgetary limits. (8)
Cost objects: Reasons for performing activities. (7)
Cost-benefit analysis: Process that helps management determine whether (and by how much) the benefits received from a proposed system will outweigh its costs. (13)
Coupling: Measure of the degree of interaction between modules. (14)
Credit authorization: Consent for authorizing credit. (4)
Credit memo: Document used to authorize the customer to receive credit for the merchandise returned. (4)
Credit records file: Provides customer credit data. (4)
Currency of information: A problem associated with the flat-file model because of failing to update all the user files affected by a change in status that results in decisions based on outdated information. (1)
Customer open order file: File containing a copy of the sales order. (4)
Customer order: Document that indicates the type and quantity of merchandise being requested. (4)
Cutover: Process of converting from the old system to the new system. (14)
Cycle billing: Method of spreading the billing process out over the month. (4)
D
Data: Facts, which may or may not be processed (edited, summarized, or refined) and have no direct effect on the user. (1)
Data attribute: The most elemental piece of potentially useful data in the database. (9)
Data collection: It is the first operational stage in the information system. (1)
Data collision: Collision of two or more signals due to simultaneous transmission that destroys both messages from the transmitting and the receiving nodes. (12)
Data currency: When the firm's data files accurately reflect the effects of its transactions. (9)
Data definition language (DDL): Programming language used to define the database to the database management system. (9)
Data dictionary: Description of every data element in the database. (9)
Data encryption: Technique that uses an algorithm to scramble selected data, making it unreadable to an intruder browsing the database. (16)
Data flow diagram: Diagram that uses a set of symbols to represent the processes, data sources, data flows, and process sequences of a current or proposed system. (2)
Data manipulation language (DML): Language used to insert special database commands into application programs written in conventional languages. (9)
Data mart: A data warehouse organized for a single department or function. (11)
Data mining: The process of selecting, exploring, and modeling large amounts of data to uncover relationships and global patterns that exist in large databases but are hidden among the vast amount of facts. (8)
Data model: The blueprint for what ultimately will become the physical database. (2)
Data modeling: The task of formalizing the data requirements of the business process as a conceptual model. (14)
Data processing: This group manages the computer resources used to perform the day-to-day processing of transactions. (1)
Data redundancy: The state of data elements being represented in all user files. (9)
Data sources: Financial transactions that enter the information system from both internal and external sources. (1)
Data storage: An efficient information system captures and stores data only once and makes this single source available to all users who need it. (1)
Data structures: Techniques for physically arranging records in a database. (2)
Data updating: Periodic update of data stored in the files of an organization. (1)
Data warehouse: A database constructed for quick searching, retrieval, ad hoc queries, and ease of use. (8)
Database: Physical repository for financial data. (1)
Database administrator (DBA): The individual responsible for managing the database resource. (9)
Database authorization table: Table containing rules that limit the actions a user can take. (16)
Database conversion: The transfer of data from its current form to the format or medium the new system requires. (14)
Database lockout: Software control that prevents multiple simultaneous access to data. (9)
Database management: A special software system that is programmed to know which data elements each user is authorized to access. (1)
Database management fraud: Includes altering, deleting, corrupting, destroying, or stealing an organization's data. (3)
Database management system (DBMS): Software system that controls access to the data resource. (1)
Database model: An organization can overcome the problems associated with flat files by implementing this to data management. (1)
Database tables: This flexible database approach permits the design of integrated systems applications capable of supporting the information needs of multiple users from a common set of integrated database tables. (1)
Deadlock: A wait state that occurs between sites when data are locked by multiple sites waiting for the removal of the locks from the other sites. (9)
Decision-making process: A cognitive process leading to the selection of a course of action among variations. (8)
Deep packet inspection (DPI): To determine when an attack is in progress. It uses a variety of analytical and statistical techniques to evaluate the contents of message packets. (16)
Deletion anomaly: The unintentional deletion of data from a table. (9)
Denial of service attack (DoS): An assault on a web server to prevent it from servicing its legitimate users. (12)
Deposit slip: A written notification accompanying a bank deposit which specifies and categorizes the funds (such as checks, bills, and coins) being deposited. (4)
Depreciation schedule: Record used to initiate depreciation calculations. (6)
Design phase: To produce a detailed description of the proposed system that both satisfies the system requirements identified during systems analysis and is in accordance with the conceptual design. (14)
Detailed design report: Constitutes a set of blueprints that specify input screen formats, output report layouts, database structures, and process logic. (14)
Detailed feasibility study: A step in the system evaluation and selection process where the feasibility factors that were evaluated on a preliminary basis as part of the systems proposal are reexamined. (13)
Detective controls: Devices, techniques, and procedures designed to identify and expose undesirable events that elude preventive controls. (3)
Digest: A mathematical value calculated from the text content of the message. (16)
Digital certificate: A sender's public key that has been digitally signed by trusted third parties. (12)
Digital envelope: An encryption method where both DES and RSA are used together. (12)
Digital signature: An electronic authentication technique that ensures the transmitted message originated with the authorized sender and that it was not tampered with after the signature was applied. (12)
Direct access files: Files in which each record has a unique location or address. (2)
Direct access structures: Stores data at a unique location, known as an address, on a hard disk or floppy disk. (2)
Disaster recovery plan (DRP): Comprehensive statement of all actions to be taken before, during, and after a disaster, along with documented, tested procedures that will ensure the continuity of operations. (15)
Discovery model: A model that uses data mining to discover previously unknown but important information that is hidden within the data. (8)
Discretionary access privileges: Grants access privileges to other users. For example, the controller, who is the owner of the general ledger, may grant read-only privileges to a manager in the budgeting department. (16)
Disseminating: Provides knowledge to the recipients in a usable form. The most difficult of these processes to automate is refining. (14)
Distributed data processing (DDP): Involves reorganizing the IT function into small information processing units (IPUs) that are distributed to end users and placed under their control. (1)
Distributed databases: Databases distributed using either the partitioned or replicated technique. (9)
Distributed denial of services (DDoS): A distributed denial of service (DDoS) attack may take the form of a SYN flood or smurf attack. The distinguishing feature of the DDoS is the sheer scope of the event. (12)
Distribution level: Organizations operating on this use the Internet to sell and deliver digital products to customers. (12)
Document flowchart: Flowchart that shows the relationship among processes and the documents that flow between them. (2)
Document name: A component of the URL that indicates the name of the file/document. (12) Documentation: Written description of how the system works. (14) Domain name: An organization's unique name combined with a top-level domain (TLD) name. (12) Drill-down: Operations permitting the disaggregation of data to reveal the underlying details that explain certain phenomena. (11) Duality: REA's semantic features derive from the elements of an economic transaction. (10) Dynamic virtual organization: Electronic partnering of business enterprises sharing costs and resources for the purpose of benefits to all parties involved. (12) E Eavesdropping: Involves listening to output transmissions over telecommunications lines. (3) Echo check: Technique that involves the receiver of the message returning the message to the sender. (16) Economic events: Phenomena that affect changes (increases or decreases) in resources. (10) Economic extortion: Economic extortion is the use (or threat) of force (including economic sanctions) by an individual or organization to obtain something of value. The item of value could be a financial or economic asset, information, or cooperation to obtain a favorable decision on some matter under review. (3) Economic feasibility: Pertains to the availability of funds to complete the project. (13) Economic order quantity (EOQ) model: Inventory model designed to reduce total inventory costs. (7) EDE3: Encryption that uses one key to encrypt the message. (16) EEE3: Encryption that uses three different keys to encrypt the message three times. (16) Electronic data interchange (EDI): The intercompany exchange of computer-processible business information in standard format. (4) Electronic input techniques: Form of electronic data collection, which falls into two basic types: input from source documents and direct input. 
(14) Embedded audit module (EAM): Technique in which one or more specially programmed modules embedded in a host application select and record predetermined types of transactions for subsequent analysis. (17) Embedded instructions: Embedded instructions are contained within the body of the form itself rather than on a separate sheet. (14) Employee file: A file used with the attendance file to create an online payroll register. (6) Employee fraud: Performance fraud by nonmanagement employees generally designed to directly convert cash or other assets to the employees' personal benefit. (3) Employee payroll records: The system an employer uses to calculate, track, and report employee pay. (6) Empty shell: Arrangement that involves two or more user organizations that buy or lease a building and remodel it into a computer site, but without the computer and peripheral equipment. (15) Encryption: Technique that uses a computer program to transform a standard message being transmitted into a coded (cipher text) form. (16) End users: Users for whom the system is built. (1) Enterprise resource planning (ERP): A system assembled of prefabricated software components. (1) Entity: A resource, event, or agent. (2) Entity relationship (ER) diagram: Documentation technique used to represent the relationship among activities and users in a system. (2) Ethical responsibility: Organization managers have the responsibility to seek a balance between the risks and benefits to these constituents that result from their decisions. (3) Ethics: Principles of conduct that individuals use in making choices in guiding their behavior in situations that involve the concepts of right and wrong. (3) Event monitoring: Summarizes key activities related to system resources. (16) Event-driven language: Visual Basic, or object-oriented programming (OOP) languages such as Java or C++. (14) Events: Phenomena that affect changes in resources. 
(1) Existence or occurrence: Affirms that all assets and equities contained in the balance sheet exist and that all transactions in the income statement actually occurred. (17) Expenditure cycle: Acquisition of materials, property, and labor in exchange for cash. (2)
Exposure: Absence or weakness of a control. (3) External agent: The economic agents outside the organization with discretionary power to use or dispose of economic resources. (10) Extranet: A password-controlled network for private users rather than the general public. (12) F Fault tolerance: Ability of the system to continue operation when part of the system fails because of hardware failure, application program error, or operator error. (15) Feedback: A form of output that is sent back to the system as a source of data. Feedback may be internal or external and is used to initiate or alter a process. (1) File Transfer Protocol (FTP): Used to transfer text files, programs, spreadsheets, and databases across the Internet. (12) Financial transaction: An economic event that affects the assets and equities of the organization, is measured in financial terms, and is reflected in the accounts of the firm. (1) Firewall: Software and hardware that provide a focal point for security by channeling all network connections through a control gateway. (12) First normal form (1NF): Low degree of normalization of relational database tables. (9) Fixed assets: The property, plant, and equipment used in the operation of a business. (6) Flat file: Many so-called legacy systems are characterized by the flat-file approach to data management. In this environment, users own their data files. (9) Flat-file approach: An organizational environment in which users own their data exclusively. (2) Flat-file model: Describes an environment in which individual data files are not related to other files. (1) Foreign key: Using this key we can physically connect logically related tables to achieve the associations described in the data model. (9) Formalization of tasks: When organizational areas are subdivided into tasks that represent full-time job positions. 
(8) Fraud: Denotes a false representation of a material fact made by one party to another party with the intent to deceive and induce the other party to justifiably rely on the fact to his or her detriment. (3) G Gantt chart: Horizontal bar chart that presents time on a horizontal plane and activities on a vertical plane. (14) Gathering: A process in knowledge management that brings data into the system. (14) General computer controls: Specific activities performed by persons or systems designed to ensure that business objectives are met. (15) General controls: Pertain to entity-wide concerns such as controls over the data center, organization databases, systems development, and program maintenance. (3) General ledger change report: Report that presents the effects of journal voucher transactions on the general ledger accounts. (8) General ledger history file: File that presents comparative financial reports on a historic basis. (8) General ledger master file: The principal file in the GLS database. This file is based on the organization's published chart of accounts. (8) General ledger/financial reporting system (GL/FRS): Produces the traditional financial statements, such as the income statement, balance sheet, statement of cash flows, tax returns, and other reports required by law. (1) General model for viewing AIS applications: A model that describes all information systems, regardless of their technological architecture. The elements of the general model are end users, data sources, data collection, data processing, database management, information generation, and feedback. (1) Generalized audit software (GAS): Software that allows auditors to access electronically coded data files and perform various operations on their contents. (17) Give event: An economic event is mirrored by another event in the opposite direction. These dual events constitute the give event and receive event of an economic exchange. 
(10) Goal congruence: The merging of goals within an organization. (8) Group codes: Codes used to represent complex items or events involving two or more pieces of related data. (8) Group memory: Makes an organization more effective just as human beings become more effective and mature with the accumulation of thoughts and memories. (14)
H Hard copy: The issue of whether the output should be hard copy (paper) or electronic must also be addressed. (14) Hash total: Control technique that uses nonfinancial data to keep track of the records in a batch. (17) Hashing structure: Structure employing an algorithm that converts the primary key of a record directly into a storage address. (2) Hierarchical indexed direct access method (HIDAM): In this method, the root segment (customer file) of the database is organized as an indexed file. (9) Hierarchical model: A database model that represents data in a hierarchical structure and permits only a single parent record for each child. (9) Home page: When an Internet user visits a website, his or her point of entry is typically the site's home page. (12) Human resource management (HRM) system: Captures and processes a wide range of personnel-related data, including employee benefits, labor resource planning, employee relations, employee skills, and personnel actions (pay rates, deductions, and so on), as well as payroll. HRM systems need to provide real-time access to personnel files for purposes of direct inquiries and recording changes in employee status as they occur. (6) HyperText Markup Language (HTML): Provides the formatting for a web page as well as hypertext links to other web pages. The linked pages may be stored on the same server or anywhere in the world. (12) HyperText Transfer Protocol (HTTP): A communications protocol used to transfer or convey information on the World Wide Web. (12) HyperText Transport Protocol Next Generation (HTTP NG): An enhanced version of the HTTP protocol that maintains the simplicity of HTTP while adding important features such as security and authentication. (12) I Illegal gratuity: Involves giving, receiving, offering, or soliciting something of value because of an official act that has been taken. 
(3) Implementation: The carrying out, execution, or practice of a plan, a method, or any design for doing something. Short-term planning involves the implementation of specific plans that are needed to achieve the objectives of the long-range plan. (8) Inappropriate performance measures: Behavior and performance measures inconsistent with the objectives of the firm. (8) Independence: The separation of the record keeping function of accounting from the functional areas that have custody of physical resources. (1) Indexed random file: Randomly organized file that is accessed via an index. (2) Indexed sequential file: Sequential file structure that is accessed via an index. (9) Indexed structure: A class of file structure that uses indexes for its primary access method. (2) Industry analysis: Provides management with an analysis of the driving forces that affect its industry and its organization's performance. (13) Information: Facts that cause the user to take an action that he or she otherwise could not, or would not, have taken. (1) Information content: The ability of a report to reduce uncertainty and influence behavior of the user. (8) Information flows: Flow of information in and out of an organization. (1) Information generation: The process of compiling, arranging, formatting, and presenting information to users. (1) Information level: The level of activity in which an organization uses the Internet only to display information about the company, its products, services, and business policies. (12) Information overload: When a manager receives more information than can be assimilated. (8) Information system: The set of formal procedures by which data are collected, processed into information, and distributed to users. (1) Information technology controls: Include controls over IT governance, IT infrastructure, security, and access to operating systems and databases, application acquisition and development, and program changes. 
(15) Inheritance: Each object instance inherits the attributes and operations of the class to which it belongs. (14) Insertion anomaly: The unintentional insertion of data into a table. (9) Instance: Single occurrence of an object within a class. (14)
Integrated test facility (ITF): Automated technique that enables the auditor to test an application's logic and controls during its normal operation. (17) Intelligent control agents: Computer programs that embody auditor-defined heuristics that search electronic transactions for anomalies. (12) Intelligent forms: Forms that help the user complete the form and that make calculations automatically. (14) Internal agent: The economic agents inside the organization with discretionary power to use or dispose of economic resources. (10) Internal auditing: An appraisal function housed within the organization. (1) Internal control system: Policies a firm employs to safeguard the firm's assets, ensure accurate and reliable accounting records and information, promote efficiency, and measure compliance with established policies. (3) Internal view: The physical arrangement of records in the database. (9) International Standards Organization: A voluntary group comprising representatives from the national standards organizations of its member countries. The ISO works toward the establishment of international standards for data encryption, data communications, and protocols. (12) Internet Message Access Protocol (IMAP): The most popular protocol for transmitting messages. Other protocols are Post Office Protocol (POP) and Internet Message Access Protocol (IMAP). (12) Internet Relay Chat (IRC): A popular interactive service on the Internet that lets thousands of people from around the world engage in real-time communications via their computers. (12) Interpreters: Language translation modules of the operation system that convert one line of logic at a time. (16) Intrusion Prevention Systems (IPS): Employ deep packet inspection (DPI) to determine when an attack is in progress. (16) Inventory subsidiary file: Updated by a batch program after the data processing department creates the receiving report file from data provided by the receiving report documents. 
(5) Inventory subsidiary ledger: This ledger has inventory records updated from the stock release copy by the inventory control system. (4) Inverted list: A cross reference created from multiple indexes. (9) Investment center: Organizational unit that has the objective of maximizing the return on investment assets. (8) IP broadcast address: An IP broadcast address is a 32-bit number that identifies each sender or receiver of information that is sent in packets across the Internet. (12) IP spoofing: A form of masquerading to gain unauthorized access to a web server and/or to perpetrate an unlawful act without revealing one's identity. (12) Islands of technology: An environment where modern automation exists in the form of islands that stand alone within the traditional setting. (7) IT auditing: Usually performed as part of a broader financial audit. (1) J Job tickets: Capture the time that individual workers spend on each production job. (6) Join: Builds a new physical table from two tables consisting of all concatenated pairs of rows, from each table. (9) Journal: A record of a chronological entry. (2) Journal voucher: Accounting journal entries into an accounting system for the purposes of making corrections or adjustments to the accounting data. For control purposes, all JVs should be approved by the appropriate, designated authority. (4) Journal voucher file: A compilation of all journal vouchers posted to the general ledger. (4) Journal voucher history file: Contains journal vouchers for past periods. (8) Journal voucher listing: Listing that provides relevant details about each journal voucher received by the GL/FRS. (8) Just-in-time (JIT): Philosophy that attacks manufacturing problems through process simplification. (7) K Key: A mathematical value that the sender selects. (12) Keystroke monitoring: Involves recording both the user's keystrokes and the system's responses. (16)
Knowledge management: A concept consisting of four basic processes: gathering, organizing, refining, and disseminating. (14) L Labor distribution summary: A summarization of labor costs in work-in-process accounts. (6) Labor usage file: The cost accounting department enters job cost data (real time or daily) to create this file. (6) Lapping: Use of customer checks, received in payment of their accounts, to conceal cash previously stolen by an employee. (3) Lean manufacturing: Improves efficiency and effectiveness in product design, supplier interaction, factory operations, employee management, and customer relations. (7) Ledger: A book of accounts that reflects the financial effects of the firm's transactions after they are posted from the various journals. (2) Ledger copy: The billing department clerk receives the customer invoice and this copy of the sales order from the sales department. (4) Legacy systems: Large mainframe systems that were implemented in the late 1960s through the 1980s. (1) Legal feasibility: Ensures that the proposed system is not in conflict with the company's ability to discharge its legal responsibilities. (13) Line error: Line errors are caused when the bit structure of the message can be corrupted through noise on the communications lines. (16) Log-on procedure: The operating system's first line of defense against unauthorized access. (16) Logical key pointer: A pointer containing the primary key of the related record. (2) M Management assertion: Involves a combination of tests of application controls and substantive tests of transaction details and account balances. (17) Management by exception: The concept that managers should limit their attention to potential problem areas rather than being involved with every activity or decision. (8) Management control decisions: Technique for motivating managers in all functional areas to use resources as productively as possible. 
(8) Management fraud: Performance fraud that often uses deceptive practices to inflate earnings or to forestall the recognition of either insolvency or a decline in earnings. (3) Management information system (MIS): System that processes nonfinancial transactions that are not normally processed by traditional accounting information systems. (1) Management report: A discretionary report used for internal decision making. Management reports are not mandated like income statements, balance sheets, etc. (8) Management reporting system (MRS): System that provides the internal financial information needed to manage a business. (1) Management responsibility: This concept holds that the establishment and maintenance of a system of internal control. (3) Manufacturing flexibility: Involves the physical organization of production facilities and the employment of automated technologies. (7) Manufacturing resources planning (MRP II): System that incorporates techniques to execute the production plan, provide feedback, and control the process. (7) Master file: File containing account data. (2) Materials requirements planning (MRP): System used to plan inventory requirements in response to production work orders. (7) Materials requisition: Document that authorizes the storekeeper to release materials to individuals or work centers in the production process. (7) Message sequence number: A sequence number inserted in each message to foil any attempt by an intruder in the communications channel to delete a message from a stream of messages, change the order of messages received, or duplicate a message. (16) Message transaction log: All incoming and outgoing messages, as well as attempted (failed) access, should be recorded in this log. (16) Methods: Actions that are performed on or by objects that may change their attributes. (14) Mirrored data center: Reflects current economic events of the firm. (15)
Mnemonic codes: Alphabetic characters in the form of acronyms that convey meaning. (8) Monitoring: The process by which the quality of internal control design and operation can be assessed. (3) Move ticket: Document that records work done in each work center and authorizes the movement of the job or batch from one work center to the next. (7) N Navigational model: Model that possesses explicit links or paths among data elements. (9) Net present value method: The method in which the present value of the costs is deducted from the present value of the benefits over the life of the system. (13) Network model: Variation of the hierarchical model. (9) Network News Transfer Protocol (NNTP): Network used to connect to Usenet groups on the Internet. (12) Network-level firewall: Provides basic screening of low-security messages (for example, ) and routes them to their destinations based on the source and destination addresses attached. (12) Nonfinancial transactions: Events that do not meet the narrow definition of a financial transaction. For example, adding a new supplier of raw materials to the list of valid suppliers is an event that may be processed by the enterprise's information system as a transaction. (1) O Object class: Logical grouping of individual objects that share the same attributes and operations. (14) Object-oriented design: Building information systems from reusable standard components or modules. (14) Object-oriented programming (OOP) language: Programming language containing the attributes and operations that constitute the object modules represented in the ER diagram at the implementation phase of the SDLC. (14) Objects: Equivalent to nouns in the English language. (14) Occurrence: Used to describe the number of instances or records that pertain to a specific entity. (9) Off-site storage: A storage procedure used to safeguard the critical resources. (15) On-demand reports: Reports triggered by events. 
(8) Online analytical processing (OLAP): An enterprise resource planning tool used to supply management with real-time information and also permits timely decisions that are needed to improve performance and achieve competitive advantage. (11) Online documentation: Documentation, such as tutorials and help features, that guides the user interactively in the use of the system. (14) Online transaction processing (OLTP): Events consisting of large numbers of relatively simple transactions such as updating accounting records that are stored in several related tables. (11) One-time passwords: Network passwords that constantly change. (16) Open accounts payable file: File organized by payment due date and scanned daily to ensure that debts are paid on the last possible date without missing due dates and losing discounts. (5) Open purchase order file: The last copy of the multipart purchase order along with the purchase requisition is filed in the open PO file. (5) Open purchase requisition file: A copy of purchase requisitions is filed here. (5) Open sales order file: Shows the status of customer orders. (4) Open System Interface (OSI): Provides standards by which the products of different manufacturers can interface with one another in a seamless interconnection at the user level. (12) Open vouchers payable file: A file in which the source documents such as PO, receiving report, and invoice are transferred after recording the liability. (5) Operating system security: Controls the system in an ever-expanding user community sharing more and more computer resources. (16) Operating systems: Computer's control program. (15) Operational control decisions: Technique that ensures that the firm operates in accordance with pre-established criteria. (8) Operational feasibility: Pertains to the degree of compatibility between the firm's existing procedures and personnel skills and the operational requirements of the new system. (13)
Operations control reports: Identify the activities that are about to go out of control and ignore those that are functioning within normal limits. (14) Operations fraud: The misuse or theft of the firm's computer resources. (3) Organization: Refers to the way records are physically arranged on the secondary storage device (for example, a disk). (2) Organizational chart: Shows some typical job positions in a manufacturing firm. (8) Organizing: Associates data items with subjects, giving them context. (14) Ownership: Ownership is the state or fact of exclusive rights and control over property, which may be an object, land/real estate, intellectual property, or some other kind of property. (3) P Packet switching: Messages that are divided into small packets for transmission. (12) Packing slip: Document that travels with the goods to the customer to describe the contents of the order. (4) Parallel operation cutover: Process of converting in which the old system and the new system are run simultaneously for a period of time. (14) Parallel simulation: Technique that requires the auditor to write a program that simulates key features of processes of the application under review. (17) Parity check: Technique that incorporates an extra bit into the structure of a bit string when it is created or transmitted. (16) Partial dependency: Occurs when one or more nonkey attributes are dependent on (defined by) only part of the primary key, rather than the whole key. (9) Partitioned database: Database approach that splits the central database into segments or partitions that are distributed to their primary users. (9) Password: Secret code entered by the user to gain access to the data files. (16) Payback method: A variation of break-even analysis. The break-even point is reached when total costs equal total benefits. (13) Paycheck: A bank check given as salary or wages. 
(6) Payroll imprest account: An account into which a single check for the entire amount of the payroll is deposited. (6) Payroll register: Document showing gross pay, deductions, overtime pay, and net pay. (6) Personnel action form: Document identifying employees authorized to receive a paycheck; is used to reflect changes in pay rates, payroll deductions, and job classification. (6) PERT chart: Chart that reflects the relationship among the many activities that constitute the implementation process. (14) Phased cutover: Process of converting to the new system in modules. (14) Phased-in: The approach for implementing ERP systems in a phased manner. (11) Physical address pointer: Contains the actual disk storage location (cylinder, surface, and record number) that the disk controller needs. (2) Physical database: The lowest level of the database containing magnetic spots on magnetic disks. (9) Physical system: The medium and method for capturing and presenting the information. (1) Ping: An internet maintenance tool used to test the state of network congestion and determine whether a particular host computer is connected and available on the network. (12) Point-of-sale (POS) system: A revenue system in which no customer accounts receivable are maintained and inventory is kept on the store's shelves, not in a separate warehouse. (4) Pointer structure: A structure in which the address (pointer) of one record is stored in the field on a related record. (2) Polling: Actively sampling the status of an external device by a client program as a synchronous activity. (12) Post Office Protocol (POP): Protocol for transmitting messages. (12) Prenumbered documents: These (sales orders, shipping notices, remittance advices, and so on) are sequentially numbered by the printer and allow every transaction to be identified uniquely. (4) Presentation and disclosure: Contingencies not reported in financial accounts are properly disclosed in footnotes. (17)
Preventive controls: Passive techniques designed to reduce the frequency of occurrence of undesirable events. (3) Primary key: Characteristics that uniquely identify each record in the tables. (9) Privacy: Full control of what and how much information about an individual is available to others and to whom it is available. (3) Privacy Enhanced Mail (PEM): A standard for secure on the Internet. It supports encryption, digital signatures, and digital certificates as well as both private and public key methods. (12) Privacy violation: A factor that is detrimental to a client entity. (12) Private Communications Technology (PCT): A security protocol that provides secure transactions over the web. (12) Private key: A method of encryption. (12) Proactive management: Management that stays alert to subtle signs of problems and aggressively looks for ways to improve the organization's systems. (13) Procedural language: Specifies the precise order in which the program logic is executed. (14) Process simplification: Process of improving the way work is done by providing value-added services, which deliver the results necessary to transform and grow the business faster, better, and cheaper than the competitor. (7) Product documents: Documents that result from transaction processing. (2) Product family: Product families share common processes from the point of placing the order to shipping the finished goods to the customer. (7) Production schedule: Formal plan and authorization to begin production. (7) Profit center: Organizational unit with responsibility for both cost control and revenue generation. (8) Program flowchart: Diagram that provides a detailed description of the sequential and logical operations of the program. 
(2) Program fraud: Includes the following techniques: (1) creating illegal programs that can access data files to alter, delete, or insert values into accounting records; (2) destroying or corrupting a program's logic using a computer virus; or (3) altering program logic to cause the application to process data incorrectly. (3) Programmed reports: Reports that provide information to solve problems that users have anticipated. (8) Project: Extracts specified attributes (columns) from a table to create a virtual table. (9) Project feasibility: Analysis that determines how best to proceed with a project. (13) Protocol: Rules and standards governing the design of hardware and software that permit network users to communicate and share data. (12) Protocol prefix: A general format for a URL, i.e., is a protocol prefix. (12) Prototyping: Technique for providing users a preliminary working version of the system. (14) Pseudocode: English-like code that describes the logic of a program without specific language systems. (14) Public Company Accounting Oversight Board (PCAOB): The PCAOB is empowered to set auditing, quality control, and ethics standards; to inspect registered accounting firms; to conduct investigations; and to take disciplinary actions. (3) Public key encryption: Technique that uses two keys: one for encoding the message, the other for decoding it. (12) Public key infrastructure (PKI): Constitutes the policies and procedures for administering this activity. (12) Pull processing: Principle characterizing the lean manufacturing approach where products are pulled into production as capacity downstream becomes available. Products are pulled from the consumer end (demand). (7) Purchase order: A document based on a purchase requisition that specifies items ordered from a vendor or supplier. (5) Purchase requisition: A document that authorizes a purchase transaction. 
(5) Q Quality assurance group: An independent group of programmers, analysts, users, and internal auditors to simulate the operation of the system to uncover errors, omissions, and ambiguities in the design. (14)
R
REA diagram: Consists of three entity types (resources, events, and agents) and a set of associations linking them. (10)
REA (resources, events, and agents) model: An alternative accounting framework for modeling an organization's critical resources, events, and agents and the relationships between them. (1)
Reactive management: Management that responds to problems only when they reach a crisis state and can no longer be ignored. (13)
Real-time systems: Systems that process transactions individually at the moment the economic event occurs. (2)
Reasonable assurance: Assurance provided by the internal control system that the four broad objectives of internal control are met in a cost-effective manner. (3)
Receive event: Each economic event is mirrored by another event in the opposite direction. These dual events constitute the give event and receive event of an economic exchange. (10)
Receiving report: Report that lists quantity and condition of the inventories. (5)
Receiving report file: A copy of the receiving report (stating the quantity and condition of the inventories) is placed in the receiving report file. (5)
Record layout diagrams: Used to reveal the internal structure of the records that constitute a file or database table. The layout diagram usually shows the name, data type, and length of each attribute (or field) in the record. (2)
Recovery module: Uses the logs and backup files to restart the system after a failure. (16)
Recovery operations center (ROC): Arrangement involving two or more user organizations that buy or lease a building and remodel it into a completely equipped computer site. (15)
Redundancy tests: Tests that determine that an application processes each record only once. (17)
Redundant arrays of independent disks (RAID): Involves using parallel disks that contain redundant elements of data and applications. (15)
Reengineering: The identification and elimination of nonvalue-added tasks by replacing traditional procedures with those that are innovative and different. (4)
Reference file: File that stores data that are used as standards for processing transactions. (2)
Refining: Adds value by discovering relationships between data, performing synthesis, and abstracting. (14)
Relational database model: Permits the design of integrated systems applications capable of supporting the information needs of multiple users from a common set of integrated database tables. (1)
Relational model: The relational model is a more flexible model that allows users to create new and unique paths through the database to solve a wider range of business problems. (9)
Relative address pointer: Contains the relative position of a record in the file. (2)
Relevance: The contents of a report or document must serve a purpose. (3)
Reliability: The value of information to a user is determined by its reliability. (1)
Remittance advice: Source document that contains key information required to service the customer's account. (4)
Remittance list: A cash prelist, where all cash received is logged. (4)
Reorder point: Lead time times daily demand. (7)
Repeating group: Repeating group data is the existence of multiple values for a particular attribute in a specific record. (9)
Replicated database: Database approach in which the central database is replicated at each site. (9)
Report attributes: To be effective, a report must possess the following attributes: relevance, summarization, exception orientation, accuracy, completeness, timeliness, and conciseness. These are called the report attributes. (8)
Request-response technique: Technique in which a control message from the sender and a response from the sender are sent at periodic synchronized intervals. (16)
Request for proposal (RFP): Systems requirements are summarized in a document called a request for proposal (RFP) that is sent to each prospective vendor. (14)
Resources: Assets of an organization. (1)
Responsibility: An individual's obligation to achieve desired results. (8)
Responsibility accounting: Concept that implies that every economic event affecting the organization is the responsibility of and can be traced to an individual manager. (8)
Responsibility center file: Contains the revenues, expenditures, and other resource utilization data for each responsibility center in the organization. (8)
Responsibility centers: Organization of business entities into areas involving cost, profit, and investment. (8)
Responsibility reports: Reports containing performance measures at each operational segment in the firm, which flow upward to senior levels of management. (8)
Restrict: Extracts specified rows from a specified table. (9)
Return slip: When items are returned, the receiving department employee counts, inspects, and prepares a return slip describing the items. (4)
Reusable password: A network password that can be used more than one time. (16)
Revenue cycle: Cycle comprising sales order processing and cash receipts. (2)
Rights and obligations: A management assertion. (17)
Risk: Risk is the possibility of loss or injury that can reduce or eliminate an organization's ability to achieve its objectives. In terms of electronic commerce, risk relates to the loss, theft, or destruction of data as well as the use of computer programs that financially or physically harm an organization. (12)
Risk assessment: The identification, analysis, and management of risks relevant to financial reporting. (3)
Rivest-Shamir-Adleman (RSA): One of the most trusted public key encryption methods is Rivest-Shamir-Adleman (RSA). This method is, however, computationally intensive and much slower than private key encryption. (12)
Robotics: CNC machine used in hazardous environments or to perform dangerous and monotonous tasks that are accident prone. (7)
Rounding error tests: Tests that verify the correctness of rounding procedures. (17)
Route sheet: Document that shows the production path a particular batch of product follows during manufacturing. (7)
RSA (Rivest-Shamir-Adleman): A highly secure public key cryptography method. (16)
Run: Each program in a batch system. (2)
Run manual: Documentation describing how to run the system. (14)
Run-to-run controls: Controls that use batch figures to monitor the batch as it moves from one programmed procedure to another. (17)

S
Safe Harbor Agreement: A two-way agreement between the United States and the European Union establishing standards for information transmittal. (12)
Safety stock: Additional inventories added to the reorder point to avoid unanticipated stock-out conditions. (7)
Salami fraud: Fraud in which each victim is unaware of being defrauded. (17)
Sales invoice: The customer's bill that formally depicts the charges to the customer. (4)
Sales journal: A special journal used for recording completed sales transactions. (4)
Sales journal voucher: Represents a general journal entry and indicates the general ledger accounts affected. (4)
Sales order: Source document that captures such vital information as the name and address of the customer making the purchase; the customer's account number; the name, number, and description of product; quantities and unit price of items sold; and other financial information. (4)
Sales order (credit copy): A copy of the sales order sent by the receive-order task to the check-credit task, which is used to check the credit-worthiness of a customer. (4)
Sales order (invoice copy): A copy of the sales order to be reconciled with the shipping notice, which describes the products that were actually shipped to the customer. (4)
Sarbanes-Oxley Act: The most significant securities law that has many provisions designed to deal with specific problems relating to capital markets, corporate governance, and the auditing profession. (3)
Scalability: The system's ability to grow smoothly and economically as user requirements increase. (11)
Scavenging: Involves searching through the trash of the computer center for discarded output. (3)
Schedule feasibility: Relates to the firm's ability to implement the project within an acceptable time. (13)
Scheduled reports: Reports produced according to an established time frame. (8)
Schema (conceptual view): Description of the entire database. (9)
Screening router: A firewall that examines the source and destination addresses that are attached to incoming message packets. (16)
Second normal form (2NF): One or more of these anomalies will exist in tables that are not normalized or are normalized at a low level, such as first normal form (1NF) or second normal form (2NF). (9)
Secure Electronic Transmission (SET): An encryption scheme developed by a consortium of technology firms and banks, to secure credit card transactions. (12)
Secure Sockets Layer (SSL): A low-level encryption scheme used to secure transmissions in higher-level HTTP format. (12)
Security: An attempt to avoid such undesirable events as a loss of confidentiality or data integrity. (3)
Segments: Business organizations consist of functional units or segments. (1)
Segregation of duties: Separation of employee duties to minimize incompatible functions. (3)
Semantic models: Captures the operational meaning of the user's data and provides a concise description of it. (10)
Sequential access method: The method in which all records in the file are accessed sequentially. (2)
Sequential codes: Codes that represent items in some sequential order. (8)
Sequential files: Files that are structured sequentially and must be accessed sequentially. (2)
Sequential structure: A data structure in which all records in the file lie in contiguous storage spaces in a specified sequence arranged by their primary key. (2)
Shipping log: Specifies orders shipped during the period. (4)
Shipping notice: Document that informs the billing department that the customer's order has been filled and shipped. (4)
Simple Network Mail Protocol (SNMP): The most popular protocol for transmitting messages. (12)
Slicing and dicing: Operations enabling the user to examine data from different viewpoints. (11)
Smurf attack: Involves three parties: the perpetrator, the intermediary, and the victim. (12)
S.O. pending file: A file used to store the sales order (invoice copy) from the receive-order task until receipt of the shipping notice. (4)
Sophisticated users: These users of financial reports understand the conventions and accounting principles that are applied and that the statements have information content that is useful. (8)
Source documents: Documents that capture and formalize transaction data needed for processing by their respective transaction cycles. (2)
Span of control: Number of subordinates directly under a manager's control. (8)
Spooling: When applications are designed to direct their output to a magnetic disk file rather than to the printer directly. (17)
Stakeholders: Entities either inside or outside an organization that have direct or indirect interest in the firm. (1)
Standard cost system: Organizations that carry their inventories at a predetermined standard value regardless of the price actually paid to the vendor. (5)
Statement on Auditing Standards No. 78: The current authoritative document for specifying internal control objectives and techniques, based on the COSO framework. (3)
Statement on Auditing Standards No. 99: The authoritative document, which defines fraud as an intentional act that results in a material misstatement in financial statements. (3)
Steering committee: An organizational committee consisting of senior-level management responsible for systems planning. (13)
Stock flow: Economic events that effect changes (increases or decreases) in resources. (10)
Stock records: The formal accounting records for controlling inventory assets. (4)
Stock release: Document that identifies which items of inventory must be located and picked from the warehouse shelves. (4)
Storekeeping: Location where records are maintained. (7)
Strategic planning decisions: Planning with a long-term time frame and that is associated with a high degree of uncertainty. (8)
Structure diagram: Diagram that divides processes into input, process, and output functions. (14)
Structured design: Disciplined way of designing systems from the top down. (14)
Structured model: The data elements for predefined structured paths. (9)
Structured problem: Problem in which data, procedures, and objectives are known with certainty. (8)
Structured query language (SQL): A data processing tool for the end users and professional programmers to access data in the database directly without the need for conventional programs. (9)
Subdirectory name: The general format for a URL. (12)
Substantive tests: Tests that determine whether database contents fairly reflect the organization's transactions. (17)
Subsystem: A system viewed in relation to the larger system of which it is a part. (1)
Summarization: Information aggregated in accordance with the user's need in detailed manner. (3)
Supervision: A control activity involving the critical oversight of employees. (3)
Supplier's invoice: The bill sent from the seller to the buyer showing unit costs, taxes, freight, and other charges. (5)
Supply chain management (SCM): A class of application software that supports the set of activities associated with moving goods from the raw materials stage through to the consumer. (11)
Support events: Include control, planning, and management activities that are related to economic events but do not effect a change in resources. (10)
Symmetric key: To encode a message, the sender provides the encryption algorithm with the key. (12)
SYN flood attack: Server that keeps signaling for acknowledgement until the server times out. (12)
SYNchronize-ACKnowledge (SYN-ACK): A receiving server that acknowledges the request. (12)
System: Group of two or more interrelated components or subsystems that serve a common purpose. (1)
System audit trails: The logs that record activity at the system, application, and user level. (16)
System flowcharts: Flowcharts used to show the relationship between the key elements (input sources, programs, and output products) of computer systems. (2)
System survey: Determination of what elements, if any, of the current system should be preserved as part of the new system. (13)
Systems analysis: Two-step process that involves a survey of the current system and then an analysis of the user's needs. (13)
Systems analysis report: The event that marks the conclusion of the systems analysis phase is the preparation of a formal report. (13)
Systems design: Reflects the analysts' perception of information needs rather than the perception of accountants and other users. (14)
Systems development life cycle (SDLC): A software development process. (13)
Systems evaluation and selection: An optimization process that seeks to identify the best system. (13)
Systems professionals: Analysts, designers, and programmers who have expertise in the specific areas that the feasibility study covers. (13)
Systems project proposal: Provides management with a basis for deciding whether to proceed with the project. (13)
Systems selection report: The deliverable portion of the systems selection process that will go to the next phase. (13)
Systems strategy: The understanding of the strategic business needs of the organization based on the mission statement. (13)

T
Tactical planning decisions: Planning performed by the middle-level manager to achieve the strategic plans of the organization. (8)
Task-data dependency: The user's inability to obtain additional information as his or her needs change. (1)
Technical feasibility: Determination of whether the system can be developed under existing technology or if a new technology is required. (13)
TELNET: A terminal emulation protocol used on TCP/IP-based networks. (12)
TELOS: Provides guidance for assessing project feasibility. (13)
Temporary inconsistency: During accounting transactions, account balances pass through a state where the values are incorrectly stated. (9)
Test data method: Technique used to establish application integrity by processing specially prepared sets of input data through production applications that are under review. (17)
Tests of controls: Tests that establish whether internal controls are functioning properly. (17)
Third normal form (3NF): The normalization that occurs by dividing an unnormalized database into smaller tables until all attributes in the resulting tables are uniquely and wholly dependent on (explained by) the primary key. (9)
Third-generation languages: Procedural languages in which the programmer must specify the sequence of events used in an operation. (14)
Three-tier model: A model where the database and application functions are separated. (11)
Time cards: Captures the time the employee is at work. (6)
Timeliness: Information must be no older than the time period of the action it supports. (3)
Toyota Production System (TPS): The lean manufacturing based on the just-in-time production model. (7)
Tracing: Test data technique that performs an electronic walk-through of the application's internal logic. (17)
Trading partners: Category of external user, including customer sales and billing information, purchase information for suppliers, and inventory receipts information. (1)
Traditional systems: Include flat-file and early database systems. (1)
Transaction: An event that affects an organization and that is processed by its information system as a unit of work. (1)
Transaction authorization: Procedure to ensure that employees process only valid transactions within the scope of their authority. (3)
Transaction file: Temporary file that holds transaction records that will be used to change or update data in a master file. (2)
Transaction fraud: Involves deleting, altering, or adding false transactions to divert assets to the perpetrator. (3)
Transaction level: Organizations involved in this use the Internet to accept orders from customers and/or to place them with their suppliers. (12)
Transaction log: A feature providing an audit trail of all processed transactions. (16)
Transaction processing system (TPS): Activity comprising three major subsystems: the revenue cycle, the expenditure cycle, and the conversion cycle. (1)
Transcription errors: Type of errors that can corrupt a data code and cause processing errors. (17)
Transfer Control Protocol/Internet Protocol (TCP/IP): The basic protocol that permits communication between Internet nodes. (12)
Transitive dependency: The purchase order and receiving report entities contain attributes that are redundant with data in the inventory and supplier entities. (9)
Transposition error: Error that occurs when digits are transposed. (17)
Triple-DES encryption: An enhancement to an older encryption technique for transmitting transactions. (16)
Turnaround documents: Product documents of one system that become source documents for another system. (2)
Turnkey systems: Completely finished and tested systems that are ready for implementation. (1)
Two-tier model: A model where the server handles both application and database duties. (11)

U
Uniform Resource Locator (URL): The address of the target site in the web browser to access the website. (12)
Uninterruptible power supplies: In the event of a power supply failure, help prevent data loss and system corruption. (15)
Universal product code (UPC): A label containing price information (and other data) that is attached to items purchased in a point-of-sale system. (4)
Unstructured problem: Problem for which there are no precise solution techniques. (8)
Update anomaly: The unintentional updating of data in a table, resulting from data redundancy. (9)
User view (subschema): The set of data that a particular user needs to achieve his or her assigned tasks. (9)
User handbook: A reference manual of commands for getting started. (14)
User-defined procedure: Allows the user to create a personal security program to provide more positive user identification than a password can. (16)
Users: Select data visually by pointing and clicking at the desired attributes. (9)

V
Valid vendor: Vendors with whom the firms do regular business. (5)
Valid vendor file: A file containing vendor mailing information. (5)
Valuation or allocation: The process of stating accounts receivable at net realizable value. (17)
Value-added network: A value-added network (VAN) is a hosted service offering that acts as an intermediary between business partners sharing standards-based or proprietary data via shared business processes. (12)
Value chain: Activities that use cash to obtain resources and employ those for revenues. (10)
Value chain analysis: An organization can look beyond itself and maximize its ability to create value. (10)
Value stream: A process that includes all the essential to in producing a product. (7)
Value stream accounting: The complexity of ABC has caused many firms to abandon it and favor a simpler approach that captures costs by value rather than by activity. (7)
Value stream map (VSM): A graphical representation of the business process to identify aspects that are wasteful and should be removed. (7)
Variance: The difference between the expected price (the standard) and the price actually paid. (8)
Vendor-supported systems: Custom systems that organizations purchase from commercial vendors. (1)
Vendor's invoice: A commercial document issued by a vendor to a buyer, indicating the products, quantities, and agreed prices for products or services with which the vendor has already provided the buyer. An invoice indicates that payment is due from the buyer to the vendor, according to the payment terms. (5)
Verification model: Uses a drill-down technique to either verify or reject a user's hypothesis. (8)
Verification procedures: Independent checks of the accounting system to identify errors and misrepresentations. (3)
Verified stock release: After picking the stock, the order is verified for accuracy and the goods are released. (4)
View integration: Combining the data needs of all users into a single schema or enterprise-wide view is called view integration. (9)
View modeling: Determines the associations between entities and documents them with an ER diagram. (9)
Virtual private network (VPN): A private network within a public network. (12)
Virtual storage access method (VSAM): Structure used for very large files that require routine batch processing and a moderate degree of individual record processing. (2)
Voucher packet: A packet that contains the voucher and/or supporting documents. (5)
Voucher register: A register reflecting a firm's accounts payable liability. (5)
Vouchers payable file: Equivalent to the open AP file. (5)
Vouchers payable system: Under this system, the AP department uses cash disbursement vouchers and maintains a voucher register. (5)

W
Walk-through: Analysis of system design to ensure the design is free from conceptual errors that could become programmed into the final system. (14)
Wall of code: An impenetrable wall of code around the data that prevents direct access to the object's internal structure. (14)
Web page: The fundamental format for the web is a text document called a web page that has embedded Hypertext Markup Language (HTML) codes that provide the formatting for the page as well as hypertext links to other pages. (12)
Websites: Computer servers that support Hypertext Transfer Protocol (HTTP). The pages are accessed and read via a web browser such as Internet Explorer. (12)
Work order: A document that draws from bills of materials and route sheets to specify the materials and production for each batch. (7)
World-class company: A company that profitably meets the needs of its customers. Its goal is not simply to satisfy customers, but to positively delight them. (7)

X
XBRL (extensible Business Reporting Language): An XML-based language that was designed to provide the financial community with a standardized method for preparing, publishing, and automatically exchanging financial information, including financial statements of publicly held companies. (12)
XBRL instance document: The mapping of the organization's internal data to XBRL taxonomy elements. (12)
XBRL taxonomies: Classification schemes that are compliant with the XBRL Specifications to accomplish a specific information exchange or reporting objective such as filing with the Securities and Exchange Commission. (12)
XML (extensible Markup Language): Metalanguage for describing markup languages which can be used to model the data structure of an organization's internal database. (12)

Z
Zombie: A virtual army of so-called bot (robot) computers used to launch a DDoS attack. (12)
Zones: Areas on the form that contain related data. (14)
51
52 Glossary Index A ABC (activity-based costing), See also cost accounting system access authority, 769 equity of, 116 method, 86, 438 privileges, 762 tests, 816 time, 83, 92 token, 761 unauthorized, 766 access control, database management and, electronic commerce and, electronic data interchange (EDI) and, 783 enterprise resource planning (ERP) and, expenditure cycle and, 248, 263 financial reporting system (FRS) and, 393 list, 761 in manufacturing environment, payroll system and, 295 revenue cycle and, 180, 202, 204 segregation of duties and, 730 testing of, 785 accountability, , 766 accountants data normalization and, 454 distributed databases and, 470 documentation, 687 fraud and, role in managing SDLC, , roles of in information systems, accounting electronic commerce and, function, independence, 21 lean manufacturing and, oversight board, 127 accounting information systems (AIS). See also accounting systems definition, 8 difference from MIS, 6 general model, 10 15, 131 subsystems, 8 10 accounting records, in computer-based systems, 55 57, controls and, 144, 204 enterprise resource planning (ERP) and, 550 expenditure cycle and, , 263 financial reporting system (FRS) and, 393 in manual systems, in manufacturing environment, 347 payroll system and, 295 revenue cycle and, subsidiary ledger, 175 accounting systems computer-based, 55 57, 73 82, , , , manual, 47 54, , , accounts payable (AP). See also expenditure cycle; purchases system in cash disbursements system, 251, 259 closed file, 258 general ledger and, 243 independent verification and, 248 open file, 241, 251 pending file, 238 subsidiary ledger, 240, 241 accounts receivable (AR). 
See also cash receipts; revenue cycle department, 195, 197 subsidiary ledger, , 180 updating, 173, 175, 184, 185, 207, 208 accuracy, 14, , 404, 673, 815 accuracy tests, 816 ACFE (Association of Certified Fraud Examiners), 122, 125, 128, 129 acquisition procedures, action plan, activity-based costing (ABC), See also cost accounting system activity driver, 357 actual cost inventory ledger, 240 Adelphia Communications, 126 ad hoc reports, 405 advanced encryption standard (AES), 588, agents, 498, 499, agents, economic, AICPA (American Institute of Certified Public Accountants), 744, 745 AICPA/CICA SysTrust, 571, 592 AICPA/CICA WebTrust, 592 air-conditioning, 735 airline industry, 547 AIS. See accounting information systems (AIS) algorithm, 588 alphabetic coding schemes, alphanumeric codes, American Competitiveness and Corporate Accountability Act of See Sarbanes-Oxley Act (SOX) I-1
53 I-2 Index American Institute of Certified Public Accountants (AICPA), 744, 745 America Online, 567 analysis cost-benefit, systems, analytical review, 551 anomalies, antiviral software, 765 AOL, 564 Apple Computer, 548 application controls, 142, 726. See also controls input controls, IT controls and, output, testing, application-level firewall, 590, 772 applications critical, 739, 742 errors, approved credit memo, 172 approved sales order, 166 architecture description, archive file, 57 Arthur Andersen, 126 artificial intelligence, 117, 197 AS/RS (automated storage and retrieval systems), 352 assets. See also fixed asset system access to, acquisition of, 302 custody of, 178 disposal of, 305, 307 inspection of, 247 maintenance, , 307 misappropriation, record keeping, 178 status report, 308 theft of, 247 association, , 506 9, , 516 Association of Certified Fraud Examiners (ACFE). See ACFE (Association of Certified Fraud Examiners) assurance seals of, services, 36, attendance file, 298 attest function, 36 attest services, attributes, 444, 458, 460, , 667 auditing access controls, application errors, backup controls, 771 black box approach, 815 computer center security and, 736 continuous, 594 data warehouse, definition, 36 destructive programs and, 765 disaster recovery planning and, electronic data interchange (EDI) and, elements of, enterprise resource planning (ERP) and, equipment failure and, 781 external, 36, insurance coverage and, 737 IT audit, 36, objectives, operator documentation and, 737 organizational structure and, 734 participation, 798 passwords and, 764 physical security controls, 736 planning, procedures, 815 program changes, risk and, , 822 Sections 302 and 404, software, , standards, 745 subversive threats and, system maintenance objectives, 804 tools, 780 white box approach, XBRL, implications of, 594 audit log, auditor, 36, 54 auditor independence, 126, audit trail, 54, 144 controls and, 762, , 811 controls testing, 785 definition, 393 digital, 
57 electronic, electronic data interchange (EDI) and, expenditure cycle and, 246, 247, 258 financial reporting system (FRS) and, 392 general ledger system (GLS) and, 389 implementation, management reports and, objectives, 766 payroll system and, 295, 305 procedures, 767 revenue cycle and, , 182 tests, 816 authentication, 588, 590, 595 authenticity tests, 816 authority, 397 authority tables, 768, 769, 806 authorization, 201 authorization control, 166, , 785, 798 automated storage and retrieval systems (AS/RS), 352 automation cash disbursement system, cash receipts system,
54 Index I-3 definition, 188 expenditure cycle, , fixed assets system, of manufacturing environment, payroll systems and, purchase system, revenue cycle, sales order processing, automation continuum, 352 B Baan, 34, 536 backbone systems, 15, 692 back door, 764, back-order, 166 back-order file, 180 backup, 202 controls, 767, database, 77 78, 770 database conversion and, direct access, 98, , 789 internally provided, 739 procedures, 740 second-site, , sequential files and, 97 balanced scorecard (BSC), 633, bar graph, 707, 709 base case system evaluation (BCSE), batch controls, 205, 809 batch processing, activities, data flow diagram of, 335 direct access files, documents, in manufacturing, payroll systems and, purchases system and, run, 95 sales order processing and, sequential files, 95 97, using real-time data collection, batch systems, 74 BCSE (base case system evaluation), benchmark problems, 695 benefits, Berners-Lee, Tim, 566 Better Business Bureau, 591 big bang implementation method, 544, 688 billing customer, billing department, 184 bill of lading, 166, 167 bill of materials (BOM), 334, 336 biometric controls, 769 black box approach, 815 blind copy (of purchase order), , 239, 249 block codes, Boeing, 548 bolt-on software, 34, BOM (bill of materials), 334, 336 botnets, 584 BP Amoco, 551 bribery, BSC (balanced scorecard), 633, budget master file, 389 budget process, 406 business culture, business ethics. See ethics business segments, bus topology, 601, 602 C CAATTs (computer-assisted tools and techniques), 818, 826 CAD (computer-aided design), Caesar cipher, 588 call-back device, 779 CAM (computer-aided manufacturing), 353 capital assets. 
See fixed asset system cardinality, 60, , 480, carrier sensing, 604 CASE (computer-aided software engineering), 663, 698 advantages/disadvantages of, models, tools, cash disbursement system, 46, See also purchases system accounts payable, 252, 259 automation and, conceptual systems, data flow diagrams, 244 general ledger, 245, 252 journal, 243, 245. See also check register liabilities due, 243 manual systems, payroll system and, , 294 preparation of, REA model and, reengineering, segregation of duties and, 247 transaction authorization and, 246 vouchers, 242 cash prelist. See remittance lists cash receipts, 47 automation, data flow diagrams (DFDs), 174 journal, 176 in point-of-sale (POS) systems, procedures, , , 197, reengineering of, 197 CD-ROM, 86
Center for Democracy and Technology (CDT), 582 centralized data processing, 21-23, central repository, 700 Cerf, Vinton, 569 CERN (European Center for Nuclear Research), 566 certification authorities (CAs), 590, 777 certified public accountant (CPA), 744 chain value analysis, change, opposition to, changed data capture, 538 chart of accounts, 384 charts and graphs, check digit, checkpoint feature, 771 check register, 243, 245 CIM (computer-integrated manufacturing), client-server-based applications, 75. See also modern systems client-server model, 532 client-server topology, closed AP file, 258 closed database architecture, 529 closed sales order file, 194 closed voucher file, 245 CNC (computer numerical controlled), 351 coding model, 704 Cognos Inc., 536 cohesion, 680 cold site plan, 738 cold turkey cutover, 688 collusion, 179 Comdisco, 738 commercial software packages advantages/disadvantages of, 693 central test of, 732 growth of, 691 maintenance and support, 698 selection of, trends, Committee of Sponsoring Organizations of the Treadway Commission (COSO), , , 725 compensating control, 144 compensation, executive, 126 competency analysis, 628 compilers, 760 completeness, 14, , 404, 673, 806, 815 completeness tests, 816 compliance, 118 composite key, 477 CompuServe, 564, 567 computer-aided design (CAD), computer-aided manufacturing (CAM), 353 computer-aided software engineering (CASE). See CASE (computer-aided software engineering) computer-assisted tools and techniques (CAATTs), 818, 826 computer-based accounting systems, 55-57, batch systems vs. real-time systems, control considerations, expenditure cycle, PC-based accounting systems, revenue cycle, computer center security, computer-integrated manufacturing (CIM), computer numerical controlled (CNC), 351 computers ethics, See also ethics fraud, See also fraud operations, 74, 117 security.
See security waste, 814 Computer Security Institute (CSI), 580 conceptual systems, 35 expenditure cycle, fixed assets, payroll system, revenue cycle, conceptual user views, 670 conceptual view, 436, 670 conciseness, 404, 673 concurrency control, conflicts of interest, 118, 129 Consideration of Fraud in a Financial Statement Audit, 119 consolidation, 534, construct phase, 664 consultants, consumers, risks to, contingency planning, continuous processing, 334 control activities expenditure cycle, , financial reporting system (FRS), fixed assets system, inventory, payroll system, revenue cycle, in traditional manufacturing environment, control environment, controller, 177, 185, 188 controls, , 637. See also control activities; internal control; IT controls; Sarbanes-Oxley Act (SOX) access. See access control application. See application controls audit trail. See audit trail authorization, 166, , 785, 798 backup, 767, batch, 809 biometric, 769
computer center security and, concurrency, corrective, 138 database management system (DBMS), detective, electronic data interchange (EDI), end users, 814 equipment failure, fault tolerance, in flat-file environment, input, networks, 603, operating system, operational decisions and, organizational structure, output, passwords, 761, , 802 PC-based accounting systems and, 204 physical, preventive-detective-corrective (PDC) internal control model, processing, production, 338 program changes, run-to-run, 810 security and access, subversive threats and, testing, , 800, 804, conversion cycle, 19, 235, cost accounting system and, , 345 data flow diagram of, 333 definition, lean manufacturing, in traditional manufacturing environment, cookies, copyright laws, 116 core applications, 531 corporate governance, 128 corporate IT function, corrective action, 401 corrective controls, 138 corruption, See also fraud COSO (Committee of Sponsoring Organizations of the Treadway Commission), , , 725 cost accounting system, 20 activities, , 345 batch processing and, 334 conversion cycle and, 46 independent verification, 347 lean manufacturing and, 355 payroll system and, 298 production and, 286, 298, 339 segregation of duties, 346 cost-benefit analysis, cost centers, 408 cost objects, 357 cost overruns, costs.
See also cost accounting system compared to benefits, database conversion, 548 identification, 643 one-time, recurring, 645 system testing and integration, 547 coupling, 679 credit authorization, 182 credit card information, theft of, 581 credit card purchases, 570 credit check, , 177 credit department, 182, 189 credit memo, 169, 172, 185 credit records file, 180 critical applications, 739, 742 currency of information, 27, 28-29, 431 customer open order file, 163 customer order, 163 customer perspective, 634 cutover, cycle billing, 207 D data, analysis, 542 attributes, 12-13, 431 centralized processing, 21-23, cleansing, 540 collection, 12, confidentiality of, 595 currency, 27, 28-29, denormalized, , 539 dictionary, 441, 682 distributed processing, encryption, flows, 637 fraud and, hierarchy, 13 information versus, 11 integration, 29 integrity, 595 library, 22 mart, 537 mining, 405, 536, 537, 543 model, 60-61, 444, , 670 normalization, 454, 459, 461, organization, 86 redundancy, 431 sources, 12, stabilized, 538 storage, 27, 431, 637 structures, 86-95, 473 task-data dependency, updating, 27-28, 431 warehouse, 405
database access control, 433 access to, 580 administration, 21 anomalies, authorization table, 768, 769 backup, 770 backup procedures, centralized, closed architecture, 529 conceptual models, 434 configuration, 535 conversion, 548, in distributed environment, elements, hierarchical model, , lockout, 466 management, 12-14, 133, 529. See also database management system (DBMS) model, navigational, 434, network model, 434, operational, 538 partitioned, physical, , , REA model. See REA (resources, events, and agents) model replicated, 468 structures, tables, database administrator (DBA), , 730, database management system (DBMS), 29, compared to SPLMS, 802 conceptual models, 434 controls, in distributed environment, elements of, flat-file model comparison, operation, relational database design, relational database model, software, , 436, database model, relational. See relational database model data coding schemes, data collision, data definition language (DDL), Data Encryption Standard (DES), 775 data entry devices, 677 data flow diagrams (DFDs), 58-60, cash receipts, 174 compared to document flowcharts, 687 context-level, 701 elementary-level, 702, 703, 704 and entity relationship diagrams, 61 intermediate-level, model, 701 data management controls, data manipulation language (DML), 438 data processing, 12 alternative approaches, cash disbursement system and, centralization, department, 197 distributed, fraud and, payroll systems and, 301 purchases system and, 253, 258 data warehouse, 531, access to, 550 auditing, cleansing extracted data, 540 data extraction, 538 decisions supported by, 542 loading data, modeling data for, supply chain decisions and, transforming data for, DBMS.
See database management system (DBMS) DDL (data definition language), DDoS (distributed denial of service attacks), , 772, 774, 780 DDP (distributed data processing), 23-26, , deadlock phenomenon, decision-making process, 404 deep packet inspection (DPI), 774, 780 deletion anomaly, 450 deletion of data, 14 Dell Computer, 548 Deloitte Consulting, 548 denial of service attacks (DOS), 583, denormalized data, , 539 deposits, 175 deposit slip, 175 depreciation, 302, 304, 309 DES (Data Encryption Standard), 775 designer documentation, 685 design model, 703 design phase, destructive programs, 762, , destructive replacement, destructive updates, 77 detailed design report, 682 detailed feasibility study, detective controls, DFD. See data flow diagrams (DFDs)
digest, 777 digital audit trail, 57 digital authentication, 588, 590 digital certificate, 590, 777, 778 digital envelope, 588, 777 digital IDs, 590 digital output, 814 digital signature, 588, 590, 777, 778 direct access, 248 to assets, file backup, 98, , 789 files, 97-98, 102, 192 structures, 88 direct input, director independence, 126 disaster recovery planning (DRP), disclosure, 118, 128 discovery model, 405 discretionary access privileges, 761 disk address, disk pack, 85 displacement, 117 disseminating, 698 distributed databases, distributed data processing (DDP), 23-26, , distributed denial of service (DDoS) attacks, , 772, 774, 780 distribution, 20 distribution level, 578 documentation data flow diagrams, entity relationship (ER) diagrams, flowcharts, inadequate, online, 686 operator, , 737 record layout diagrams, system, techniques, users, document flowchart, 61, 687 document name, 567 documents, 47-49, 179, 638 domain name, 567 Domino's Pizza, 536 Dow Chemical, 548 drill-down, 534, 542 DRP (disaster recovery planning), dual-homed firewall, 772, 773 duality, dynamic virtual organization, 578, 579 E EAM (embedded audit module), eavesdropping, 134 Ebbers, Bernie, 113 echo check, 780 economic agents, economic events, 31 economic feasibility, 631, 643 economic order quantity (EOQ), EDE3 encryption, EDI.
See electronic data interchange (EDI) edit run, 96, 207 EEE3 encryption, EFF (Electronic Frontier Foundation), 582 effectiveness, 75 efficiency, 12, 75, 132, 541 electronic commerce systems, access control, electronic data interchange (EDI), implications of, Internet commerce, intra-organizational networks, 564, legal issues, 596 open system interface (OSI) network protocol, risks of, security, electronic data interchange (EDI), benefits of, controls, definition, 200 financial, intra-organizational networks and, 564 lean manufacturing and, 363 overview, purchasing and, 256, 258 standards, 607 Electronic Frontier Foundation (EFF), 582 electronic input techniques, 675 Electronic Privacy Information Center (EPIF), 582 , embedded audit module (EAM), embedded foreign keys (FK), 32 embedded instructions, 675 employee. See also personnel ethics hotline, file, 301 fraud, 120. See also fraud payroll records, 287, 292 empty shell backup, 738 encryption, 588, , 770, end users, 10-11, 22, 627, 814 Enron, 113, enterprise resource planning (ERP), 15, access control, costs, data warehouse, definition, 34 disruptions and, implementation, internal control and auditing,
leading products, lean manufacturing and, 360, 363 overview, performance measures, 548 selection of, system configurations, systems, 692 entities, 60, agents, associations, , events, identification, resources, 504 entity relationship (ER) diagrams, 60-61, 444, 501 environmental issues, 116 EPIF (Electronic Privacy Information Center), 582 equipment failure, equity in access, 116 ER (entity relationship) diagrams, 60-61, 444, 501 error rates, 637 ethics, European Center for Nuclear Research (CERN), 566 event-driven languages, events economic, 31, 498 entities, monitoring, 766 reconstruction, 766 exception orientation, 404 executive compensation, 126 existence or occurrence assertions, 815 expenditure cycle, computer-based, , conceptual system, , , controls, , independent verification and, 248 inventory control, 249 manual systems, , payroll and fixed assets, physical system, , , purchases and cash disbursements, reengineering, segregation of duties, 262 expense accounts, expert systems, 117 exposure, extensible Business Reporting Language (XBRL). See XBRL (extensible Business Reporting Language) extensible Markup Language (XML). See XML (extensible Markup Language) external agent, 499 external auditing, 36 extortion, economic, 129 extranets, F fact-gathering techniques, Fastow, Andy, 113 fault tolerance, feasibility, feasibility study, feedback, file allocation table, 83 files, 13 file transfer protocol (FTP), 569 filtering, 779 finance, 20 Financial Accounting Standards Board (FASB), 744 financial institutions, 587 financial perspective, 634 financial reporting system (FRS), 8, 10 controls, data coding schemes, general ledger system (GLS), IT controls and, overview, financial transactions, 7, 45 finished goods (FG), 339 fire suppression, firewalls, 550, 590, first normal form (1NF), 448 fixed asset system, 47.
See also assets acquisition procedures, computer-based, conceptual systems, controls, data flow diagram of, 303 depreciation report, 309 disposal of, 303, 305 logic of, physical systems, subsidiary ledger, , 307, 309 flat-file model, 27-29, 86, , , flexibility, 779 flowcharts document, 61, program, system, 61, 68-70, 73 flows, of information, 3 Ford Motor Company, 259 foreign keys, 447, 459, , formalization of tasks, Fortune 500 companies, 548 fraud, 178 accountants and, accounting oversight board and, 127 accounting practices and, 127 auditor independence and, 126, collusion effect, 124 computer, conclusions,
corporate governance and, 128 criminal penalties, 128 database management and, 133 data collection and, definition, director independence and, 126 disclosure and, 118, 128 employee, 120 executive compensation and, 126 factors contributing to, financial losses from, 122 Internet and, losses, 124 losses by position within organization, management and, 120, 125 motivation for, operations, 133 payroll system and, 289, 294 performance, 120 perpetrators of, program, , 731 salami, Sarbanes-Oxley Act (SOX) and, schemes, statements, 125 transaction, 130 fraudulent statements, 125 FTP (File Transfer Protocol), 569 functional segmentation, G GAAS (generally accepted auditing standards), 745 Gantt chart, 664, 665 Gartner Group, 529 gathering, 698 general accounting systems, 692 general controls, 142, 726 General Electric (GE), 140 generalized audit software (GAS), , general ledger accounts payable, 243 accounts receivable, , 175 batch processing, 207 cash disbursements, 245, 252 cash receipts, 173, 180, 184, 185 change report, 393, 395 database, history file, 388 independent verification and, 248 master file, 388 payroll system, 289, 294 purchasing system, 251 relationship to subsidiary ledger, 55 sales order processing, 194 general ledger/financial reporting system (GL/FRS), 8, 10 generally accepted auditing standards (GAAS), 745 General Motors (GM), 543 generic top-level domain (gtld), 566 give event, GL/FRS (general ledger/financial reporting system), 8, 10 goal congruence, 409 goods, receipt of, governance, IT.
See IT governance controls GPC backup technique, 787, 788 graphs, gratuities, illegal, 129 group codes, 385 group memory, 698 H hard copy documents, 674, hashing structure, hash total, 811 HealthSouth, 113 help features, 687 Hershey Foods Corporation, hierarchical database model, 434, , hierarchical topology, 600 home page, 566 HTML (HyperText Markup Language), 566, 570, 571 HTTP (HyperText Transfer Protocol), 566, 570 HTTP-NG (HyperText Transport Protocol-Next Generation), 570 human resource management (HRM) system, 299. See also personnel Hyperion Solutions Corp., 536 HyperText Markup Language (HTML), 566, 570, 571 HyperText Transfer Protocol (HTTP), 566, 570 HyperText Transport Protocol-Next Generation (HTTP-NG), 570 I IAHC (Internet Ad Hoc Committee), 566 IBM, 570 iceberg effect, 705 ICSA (International Computer Security Association), 592 IMAP (Internet Messages Access Protocol), 569 implementation, 398 imprest account, 289 inappropriate performance measures, incompatibility, 732 incompatible activities, consolidation of, 732 independence, accounting, 21
independent verification, 145, 181, 203 enterprise resource planning (ERP) and, 551 expenditure cycle controls and, 248 financial reporting system (FRS) and, 393 fixed asset systems and, 309 general ledger, 248 in manufacturing environment, 347 payroll system and, 295 indexed random file, indexed sequential file, 441 indexed structures, indirect access, 248 industry analysis, 628 information access control over, 180 currency, 27, 28-29, 431 data versus, 11 environment, 3-16 flow of, gathering, generation, 14, level, 577 needs assessment, overload, 410 processing services, 24 value of, informational content, 403 information flows, 3 information processing units (IPU), 23 information systems, 2 37 acquisition, definition, 6 evolution of, framework, 6-9 lean manufacturing and, objectives, 15 software, types of, information technology, information technology controls. See IT controls inheritance, input, direct, input controls, insertion anomaly, 450 instance, Institute of Internal Auditors, 746 insurance coverage, 737 intangible benefits, 647 integrated test facility (ITF), integrity, data, 595 intelligent control agents, 594 intelligent forms, 676 internal agent, 499 internal auditing.
See auditing internal business process perspective, 634 internal control, , See also controls internal corporate database, 573 internal efficiency, 541 internal reporting, 118 internal view, 436 International Computer Security Association (ICSA), 592 International Standards Organization (ISO), 569 Internet addresses, business models, commerce, , fraud and, protocols, risks, technologies, Internet Ad Hoc Committee (IAHC), 566 Internet Explorer, 564, 566 Internet Relay Chat (IRC), 584 Internet service providers (ISPs), 564 interpreters, 760 intranet risks, intra-organizational networks, 564, Intrusion Prevention Systems (IPS), 774, 780 inventory actual cost inventory ledger, 240 alternative ordering procedures, 257 controls, 184, 247, 249, database design and, 456 of materials, 19 monitoring records, 235 records, 169, 173 reduction, 349 reorder report, 673 security, 202 status report, 449, 456, 519 subsidiary file, 253 subsidiary ledger, 169, 180, 240 updating records, 207, 209, 238, 240 usage, 343 valuation method, 241 investment centers, 409 IP address, 567 IP broadcast address, 584 IP spoofing, 583, 584, 772 IPU (information processing units), 23 IRC (Internet Relay Chat), 584 islands of technology, 351 ISO (International Standards Organization), 569 ISPs (Internet service providers), 564 IT auditing, 36, IT controls, 142, , See also controls for applications, for system development, testing, testing techniques, iterative design approach, 670 ITF (integrated test facility), IT governance controls, 728
J J.D. Edwards & Co., 34, 363, 556 JIT (just-in-time), 348 job tickets, 286, 289 journals, cash receipts, 177 general, purchase, 241 sales, 50, 168, 173 special, 50, 180 journal voucher, 51, 241, file, 169, 180, 388 history file, 388 listing, 393, 394 sales, 168 justice, 113 just-in-time (JIT), 348 K Kahn, Bob, 569 key, 588 keystroke monitoring, 766 keystrokes, 96, 205 knowledge management, 698 Kozlowski, Dennis, 113 Kronos Inc., 536 L labor distribution summary, 287 labor usage file, 299 LAN (local area networks), 80, 597, 598 languages. See programming languages lapping, 130 layer chart, 710 layer functions in protocols, lean manufacturing, accounting in, information systems, principles of, techniques and technologies that promote, learning and growth perspective, 634 ledgers, See also general ledger; subsidiary ledger legacy systems, 27, 29, data structures and, integration with data warehouse, 541 modern systems vs., systems development and, legal feasibility, 631, legal issues of electronic commerce, 596 liabilities due, 243 line errors, 780 line graph, 707, 708 local area networks (LAN), 80, 597, 598 logical key pointer, 95 logic bombs, 587, 764, 786 log-on procedure, 761, 765 M magnetic disks, magnetic tape, mail protocols, 569 mail room, 195 mainframe-based applications, 75.
See also legacy systems maintenance, 19 audit objectives, 804 authorization, 805 commands, 804 model, systems development and, make-to-order processing, 334 malicious programs, , management control decisions, 400 by exception, 398 fraud, 120 principles of, proactive, 630 reactive, 630 management assertions, 815 management information systems (MIS), 6, 8-9 management reporting systems (MRS), 8, 10, behavioral considerations, management by exception, 398 management principles, responsibility and authority, 397 span of control, management reports, manual process model, manual systems, accounting records and, cash disbursements and, expenditure cycle and, payroll systems, revenue cycle, manufacturing environment accounting records, 347 automation of, batch processing, computer-aided manufacturing (CAM), 353 computer-integrated manufacturing (CIM), control activities in traditional, flexibility, 350 independent verification, 347 just-in-time (JIT), 348 lean. See lean manufacturing segregation of duties, supervision, 346 traditional, , transaction authorization, 345 manufacturing overhead (MOH), 344
manufacturing resources planning (MRP II), , 529 Manugistics Inc., 536 marketing, MasterCard, 570 master file, 55, materials management, 19 materials requirements planning (MRP), 360 materials requisition, 336, 338 matrices, 706, 708 MCI, 564 messages, interception of, 580 message sequence numbering, 777 message transaction log, 779 methods, 667 Microsoft, , 564, 570 MIM Health Plans Inc., 543 mirrored data center, 739 MIS (management information systems), 6, 8-9 mission, 628 mnemonic codes, 386 modern systems, modules, standard, 667 systems design and, 670 testing, monitoring, 142 move ticket, 336, 338 MRP (materials requirements planning), 360 MRS (management reporting systems). See management reporting systems (MRS) N navigational database model, 434, needs assessment, , 694 net present value method, Netscape, 570 network controls, 603, database model, 434, , topologies, network interface cards (NIC), 597 network-level firewall, 590, 772 Network News Transfer Protocol (NNTP), 570 NIC (network interface cards), 597 NNTP (Network News Transfer Protocol), 570 nonfinancial transactions, 8 nonrepudiation, 595 normalization process, tables, , 462, 480, 516, 670 numeric coding schemes, O object class, object-oriented design, object-oriented programming (OOP) language, 683 observation, 637 occurrence, 444 office automation systems, 692 off-site storage, 738, 740 OLAP (online analytical processing), OLTP (online transaction processing), 531, on-demand reports, 403 one-time costs, one-time passwords, online analytical processing (OLAP), online documentation, 686 online transaction processing (OLTP), 531, OOP (object-oriented programming) language, 683 open accounts payable file, 241 open/closed purchase order file, 235, 238 open purchase requisition file, 249 open sales order file, 180 Open System Interface (OSI), 569, open vouchers payable (AP) file, 251 operating system, 726 controls, , 802 definition, 760 security, threats to integrity of, operational
control decisions, operational databases, 538 operational efficiency, 75 operational feasibility, 631, 643 operations control reports, operations fraud, 133 operator documentation, , 737 optical disks, 86 Oracle, 15, 34, 363, 536, organizational chart, organizational structure, 16-26, organizing, 698 OSI (Open System Interface), 569, output attributes, 672 controls, reporting alternatives, 706 reporting techniques, 674 views, output controls, output spooling, overbooking flights, 547 overhead, allocation under ABC, 357
oversight board, 127 ownership, 115 P packet switching, packing slip, 166 para computer ethics, 115 parallel operation cutover, parallel simulation, parity check, partial dependencies, 450, partitioned databases, password, 582, 761, , 802 payback method, paychecks, 289, 293 payroll system, accounting records, 295 batch processing, cash disbursement system and, 290, 295 computer-based, conceptual systems, controls, , 301 cost accounting and, 298 data flow diagram of, 287 employee records, 287 fraud, 289, 294 general ledger, 294 imprest account, 289 manual systems, personnel and, 286, 298 physical systems, real-time systems, 300 REA model and, reengineering, register, 289, 291 segregation of duties, PCAOB (Public Company Accounting Oversight Board), 127, PC-based accounting systems, See also computer-based accounting systems PCT (Private Communications Technology), 570 PEM (Privacy Enhanced Mail), 570 PeopleSoft Inc., 34, 363, 536, perfect quality, performance evaluation, , 406 performance fraud, 120 performance measures, , 548 Pershing, 739 personal accountability, 766 personal interviews, 638 personnel, 20, 286, 298, 734. See also human resource management (HRM) system personnel action forms, 286, 288 PERT chart, phased cutover, 688 phased-in implementation, 544 physical address pointer, 94 physical controls, physical database tables, , , physical systems, 35, expenditure cycle and, fixed assets, payroll system and, revenue cycle, 181 physical user views, picking ticket, 166 pie chart, 707, 710 PKI (public key infrastructure), 590 planning, 19, 338, PO (purchase order). See purchase order (PO) pointer structure, point-of-sale (POS) systems, polling, 603, 604 POP (Post Office Protocol), 569 pop computer ethics, POS systems, Post Office Protocol (POP), 569 power supplies backup.
See uninterruptible power supplies prenumbered documents, 179 Prescient Systems Inc., 536 presentation and disclosure assertions, 815 preventive-detective-corrective (PDC) internal control model, primary keys (PK), 32, 76, 96, 188, 447, , 460 in REA model, primary manufacturing activities, 19 print programs, privacy, 115 Privacy Enhanced Mail (PEM), 570 privacy violations, Private Communications Technology (PCT), 570 private key, 588, privileged employees, 580, 762 proactive management, 630 probe for weaknesses, 780 problem recognition, problem structure, procedural language, 682 processes, 637 processing capacity, 75 processing controls, product design, product documents, product family, 358 production, 19, 46 control, 338 facilities reorganization, 350 flexibility of, 349 materials and operations requirements, order, 335 payroll system and, 286 planning, 19, 338 schedule, 334, 336, 339 support activities, 19
professionals, 732 profit centers, program application software, program changes controlling, unauthorized, program flowcharts, program fraud, , 731 programmed reports, 403, 404 programmer documentation, 685 programming languages, program version numbers, project feasibility, project initiation, 635 property ownership, 116 proportionality, 113 protocol prefix, 567 protocols, , prototype model, 702 prototyping, 662 proxy services, 779 pseudocode, 681 Public Company Accounting Oversight Board (PCAOB), 127, , 725, 744 public key encryption, 588, 589, 774, public key infrastructure (PKI), 590 pull processing, 348 purchase activities, purchase journal, 241 purchase order (PO), 248, 455, 456 blind copy, , 239, 249 open/closed file, 235, 238 purchase requisition, 235, 237, 249 purchases system, 46, accounts payable and, automation and, batch processing, data flow diagram for, 236 documents, 455 general ledger, 251 inventory records, 235, 238, 240 purchase order, 235, 237 REA model and, receipt of goods, receiving department and, 249, 258 reengineering, repeating group data and, 459 transaction authorization and, 246 purchasing, 19 purchasing agent, 456 Q quality assurance group, 681 quality control, 19 query language, R RAID (redundant arrays of independent disks), raw material (RM), 334 REA (resources, events, and agents) model, 31-33, cash disbursements and, chain value analysis, developing, diagram, 498, 501-9, elements of, financial statement production, 517 journal entries, 518 management reports, 518, 519 overview, in practice, 521 view integration, reactive management, 630 real-time systems, advantages of, 195 batch processing, definition, 74 payroll and, 300 sales order processing and, 193 receive event, receiving clerk, 456 receiving department, 19, 185, 247, 249, 258 receiving report, 238, 239, 248 reconciliation, 687 record, 13 record layout diagrams, recovery module, 771 recovery operations center (ROC), 738 recurring costs, 645 red-flag
checklist, 120 redundancy, 637, 732 redundancy tests, 816 redundant arrays of independent disks (RAID), reengineering of cash receipts, 197 definition, 188 expenditure cycle, payroll systems and, purchases/cash disbursement systems, using EDI (electronic data interchange), 200 using the Internet, reference file, 56 refining, 698 register, 50 relational database model, 30-31, 434, anomalies, concepts, design, normalizing tables, relational tables, relative address pointer, 94 relevance, 12, 14, , 403, 672 reliability, 20 reluctance to prosecute, 581 remittance advices, 48-49, 173, 176
remittance lists, , 178 reorder point (ROP), 249, 342 repeating group data, 459, replicated databases, 468 reports ad hoc, 405 attributes, colors, customer inquiry, 520 distribution, 814 management, 403-5, objectives, 403 on-demand, 403 operations control, production, programmed, 403, 404 receiving, 238, 239, 248, 455, 457 responsibility, 406 scheduled, 403 summarization, 403 timeliness, 404 request for proposal (RFP), 694 request-response technique, 779 resources costs, 637 economic, 31, 498 entities, 504 organizational, resources, events, and agents (REA) model. See REA (resources, events, and agents) model responsibility, 397 accounting, center file, 389 centers, 406, reports, 406 retrieval, 14 return on investment (ROI), 410 return policy, 177 return procedures, , return slip, 172 reusable passwords, 763 revenue cycle, 47, , 235 computer-based accounting systems, conceptual systems, controls, manual systems, overview of activities, physical systems, RFP (request for proposal), 694 Rigas family, 126 rights and obligations assertions, 815 Rijndael, 588 ring topology, risk, , 579 assessment, 141, detection, 750 implementation and, inherent, minimization, 114 Rivest-Shamir-Adleman (RSA), 588, 777 robotics, 352 ROC (recovery operations center), 738 ROI (return on investment), 410 ROP (reorder point), 249, 342 rounding error tests, 816 route sheet, 334, 337 Royal Bank of Scotland, 587 RSA (Rivest-Shamir-Adleman), 588, 777 run, in batch systems, 95 run manual, 685 run-to-run control, 810 S Safe Harbor Agreement, 593 safety stock, 344 Sage Software, 557 salami fraud, sales department, 182, 185, 189 invoice, 168 journal, 50, 168, 173 journal voucher, 168 order, 163, , 168 sales order file, closed, 194 sales order pending file, 180 sales order processing, 47, , batch technology and, data flow diagram of, 59, 164 real-time technology and, 193 sales procedures, 194 sales return procedures, , SAP, 34, 363, 536, 551, Sarbanes-Oxley Act (SOX), 2, 9 access
control, 202 computer center security and controls, disaster recovery planning, ethical issues, external audit and, 744 financial reporting and, 391 fraud, internal control and, IT governance and, , 728 organizational structure controls, Section 302, Section 404, XBRL and, 572, 577 SAS No. 1, 745 SAS No. 5, 725, 727, 728 SAS No. 78, 138 COSO framework and, , , 725 expenditure cycle, internal controls, 138, 139 SAS No. 99, 119 scalability, scatter graph, 707, 709 scavenging, 134 scheduled reports, 403 schedule feasibility, 631, 643 SCM (supply chain management), ,
screening router, 772 Scrushy, Richard, 113 SDLC (systems development life cycle), 15, , accountant's role in, , action plan creation, alternative designs, analysis, CASE tools, commercial software packages, 626, construction, delivery, development, evaluation and selection, failures, information needs assessment, in-house development, 626 maintenance and support, 626, 698, 730 output report alternatives, overview, participants, plan development, project announcement, 650 project initiation, 626, 635 selection, strategy, 626, 627 user involvement, SEC (Securities and Exchange Commission), , 571, 725 secondary keys (SK), 76, 96, 189, 191, 207 second normal form (2NF), 448 second-site backup, , Section 301, Section 302, 138, Section 404, 138, Section 406, Section 806, 118 Secure Electronic Transmission (SET), 570 Secure Sockets Layer (SSL), 570 Securities and Exchange Commission (SEC). See SEC (Securities and Exchange Commission) security, , 202. See also controls; IT controls computer, digital authentication, 588, 590 encryption, 588 firewalls, 590 protocols, segmentation, functional, segments, business, segregation of duties, 143 access control and, 730 cash disbursements and, 247 computer-based systems, 201, 204 enterprise resource planning (ERP), 549 expenditure cycle and, 262 financial reporting system (FRS), 393 inventory control and, 247 in manufacturing environment, payroll system and, revenue cycle, segregation of systems, 779 semantic models, 497 September 11 terrorist attacks, 738 sequential access method, sequential codes, sequential files, 87 backup procedures, 97 batch processing, 95-97, indexed, 441 update, sequential structure, server configurations, 532 servers, 597 SET (Secure Electronic Transmission), 570 shipping department, 182, 191, 194 shipping goods, 166 shipping log, 180 shipping notice, 166 Simple Network Mail Protocol (SNMP), 569 single-view model, 29 slicing and dicing, 534 smurf attack, 584, 585, 772 SNMP (Simple Network
Mail Protocol), 569 SoftBrands, software, 15 16, antiviral, 765 auditing, , bolt-on, 34, commercial packages, , 732 database management system (DBMS), , 436, engineering, 663, SPL management system (SPLMS), testing, transaction validation, 197 S.O. pending file, 168 sophisticated users, 389 sort runs, 96, 207 source code, source documents, 47, 48 source program library (SPL), 801 2, 806 SOX. See Sarbanes-Oxley Act (SOX) span of control, special journals, 50, 180 special-purpose entities (SPEs), 127 special-purpose systems, 692 SPL (source program library), 801 2, 806 SPL management system (SPLMS) software, 802 6
68 Index I-17 spooling, Sprint, 564 SQL (structured query language), 438 SSL (Secure Sockets Layer), 570 stabilized data, 538 stakeholders, 4, 23, 627 standard cost system, 238, 240 standards, 400, 732 standard-setting body, 733 star network, 599 star topology, Statement on Auditing Standards (SAS), 745. See also specific SAS numbers steering committee, 627 stock flow, 498 stock options, 126 stock-outs, 344 stock records, 166 stock release, 166 storage, 14 devices, off-site, 738, 740 secondary, storekeeping, stores, 19 strategic business needs, strategic planning decisions, 399 strategic systems plan, structured database model, 434 structured design, structure diagram, 679, 680 structured problems, structured query language (SQL), 438 subdirectory name, 567 subschemas, 769 subsidiary ledger accounts payable, 240, 241 accounts receivable, , 179 inventory, 169, 179, 240, 253 relationship to general ledger, 55 substantive tests, 749, 750 subsystems, 5, 6 subversive threats, summarization, 14, , 403, 672 supervision, , 179, enterprise resource planning (ERP) and, fixed asset systems and, in manufacturing environment, 346 payroll system and, 295 receiving department and, 247 supplier analysis chart, 707 supplier relations, 349 suppliers, 456 supplier s invoice, 240, 248 supply chain management (SCM), , support events, 498 survey, symbol set for data flow diagram, 58 for flowcharts, 68, 71 symmetric key, 588 SYNchronize ACKnowledge (SYN-ACK), 583 SYN flood attack, , 772 system analysis report, system auditors, accountants as, 36 system audit trails, system configurations, ERP, system designers, accountants as, 35 system flowcharts, 61, 68 70, 73 systems alternative designs, analysis, architecture, conceptual, 35 construction, decomposition, 6 definition, 4 development, , documentation, elements of, 4 5 evaluation and selection, example of, 5 6 objectives, 630 output, 671 physical, 35 professionals, 22, 627 strategy, 627 systems design, See also SDLC (systems development 
life cycle) adequacy, commercial packages, 691 controls, 681 conversion to new system, database conversion, delivery, diagrams, 679, 680 documentation, 682, modular approach, post-implementation review, process, programming, 683 testing, walk-through, systems development. See also SDLC (systems development life cycle); systems design controlling activities, controls, controls testing, 800 database administrator and, 730 maintenance and, resources and, 74 segregation from computer operations, 729 segregation from maintenance, superior structure for, 731 systems project proposal, 631 systems selection report, 649 system survey, 636
T tables, 462, 706 tactical planning decisions, 400 tangible benefits, task-data dependency, 29, task participation, 637 taxonomy mapper, 574 TCO (total cost of ownership), 547 TCP/IP (Transfer Control Protocol/Internet Protocol), 569 team attitude, 350 technical design, 798 technical feasibility, 631, 642 telecommunications companies, 564 TELNET, 569 test data method, testing of program modules, techniques, white box techniques, test libraries, tests of controls, 804 theoretical computer ethics, 115 third-generation languages, 682 third normal form (3NF), 448, 516 three-tier model, 532, 534 time cards, 287, 290 time-keeping, 298 time lag, timeliness, 14, , 404, 673 token passing, 603-4, 605 topologies, total cost of ownership (TCO), 547 Toyota Production System (TPS), 348 TPS (transaction processing systems). See transaction processing systems (TPS) tracing, 821 trading partners, 4 traditional systems, 30, 529 transaction cycles, file, 56 fraud, 130 level, 577 listing, 812 logs, 770, transaction authorization, 143, cash disbursements and, 246 electronic data interchange (EDI), 783 enterprise resource planning (ERP), 549 financial reporting system (FRS), 393 in manufacturing environment, 345 payroll system and, 294 purchases system, 246 transaction processing systems (TPS), 8, 9-10, , 178 accounting records, computer-based systems, 55-57, documentation techniques, overview, procedures, 194 transactions, 6-8 transactions cycles, 9 transaction validation software, 197 transaction volumes, 637 transcription errors, 807 Transfer Control Protocol/Internet Protocol (TCP/IP), 569 transitive dependency, , 459, transposition errors, 807 trap door. 
See back door triple-DES encryption, 775 Trojan horses, 587, 764, 765, 787 TRUSTe, 591 turnaround documents, 48-49, 173 turnkey systems, 15, tutorials, 687 two-tier model, 532, 533 Tyco, 113 U unemployment, 117 Uniform Resource Locator (URL), 566, 567 uninterruptible power supplies, universal product code (UPC), 198 unstructured problems, UPC (universal product code), 198 update anomaly, update runs, URL (Uniform Resource Locator), 566, 567 user access privileges, 762 user-defined procedures, 768 users authority, 29 in database environment, documentation, fact-gathering and, 637 feedback, , groups, 696 handbook, 686 ID, 761 roles, 549 specifications, 798 support, 698 test and acceptance procedures, 800 user services, 733 user views access control, database administrator and, 730 database construction and, data definition language (DDL) and, 437 design of, normalized tables and, overview, 447 physical, preparation of, 463
REA (resources, events, and agents) model and, 497 UUNET, 564 V validation, 687, 783, 785 valid vendor, 237 valid vendor file, 253 valuation or allocation assertions, 815 value-added network (VAN), , 607, value chain, 503, value stream, , value stream map (VSM), VAN (value-added network), , 607, variance, vendor presentations, vendor's invoice, 261 vendor support, vendor-supported systems, 15-16, 692 verification model, 405 verified stock release, 166 Veri-Sign, Inc., 590, view integration, 464, view modeling, , virtual private networks (VPN), 565 virtual storage access method (VSAM), viruses, 587, 762, 764, 786 Visa, 570 vision, 628 voucher file, closed, 245 voucher packet, 243 voucher register, vouchers payable system, VPN (virtual private networks), 565 VSAM (virtual storage access method), W walk-through, wall of code, 669 WAN (wide area networks), 80, 597, 598 warehouse procedures, 182, 190, 194 waste, 814 Waste Management, 548 waste minimization, 349 web browsers, 564, 566 web page, 566 websites, 566 weighted factor matrix, Western Digital Corporation, 542 Whirlpool Corporation, 548 white box approach, wide area networks (WAN), 80, 597, 598 WIP (work-in-process), 339, 344 WIP account, 286 work centers, 339 work-in-process (WIP), 339, 344 work order, 335, 337 world-class companies, WorldCom, 113, 126, 127 World Wide Web, 566 WORM (write-once, read-many), 86 worms, 587, 764, 786 X XBRL (extensible Business Reporting Language), 571 audit implications, 594 instance document, 572, 576, 577 tags, 575 taxonomies, 571 XML (extensible Markup Language), Z zombie, 584 zones, 675, 676
ACCOUNTING INFORMATION SYSTEMS
ACCOUNTING INFORMATION SYSTEMS Controls and Processes SECOND EDITION LESLIE TURIHIER WILEY MODULE 1 Introduction to AIS INTRODUCTION Defines business processes, AIS, and all foundational concepts.
INFORMATION SYSTEM AUDITING AND ASSURANCE
CHAPTER INFORMATION SYSTEM AUDITING AND ASSURANCE As more and more accounting and business systems were automated, it became more and more evident that the field of auditing had to change. As the systems
Accounting Information Systems, 6 th edition James A. Hall
Accounting Information Systems, 6 th edition James A. Hall COPYRIGHT 2009 South-Western, a division of Cengage Learning. Cengage Learning and South-Western are trademarks used herein under license Objectives
ELEVENTH EDITION. Brigham Young University. Arizona State University. Pearson Education International
ELEVENTH EDITION \ Brigham Young University Arizona State University Pearson Education International :id j - EF CONTENTS Parti Conceptual Foundations of Accounting Information Systems 23 CHAPTER 1 Accounting
Certified Information Systems Auditor (CISA)
Certified Information Systems Auditor (CISA) Course Introduction Course Introduction Module 01 - The Process of Auditing Information Systems Lesson 1: Management of the Audit Function Organization of the
ENTERPRISE RESOURCE PLANNING SYSTEMS
CHAPTER ENTERPRISE RESOURCE PLANNING SYSTEMS This chapter introduces an approach to information system development that represents the next step on a continuum that began with stand-alone applications,
Contents. xv xvii xxi. Case Studies Preface Acknowledgments
Contents Case Studies Preface Acknowledgments xv xvii xxi CHAPTER 1 CAATTs History 1 The New Audit Environment 2 The Age of Information Technology 3 Decentralization of Technology 3 Absence of the Paper
CORE CONCEPTS OF. Thirteenth Edition. Mark G. Simkin, PhD. Professor Department of Information Systems University of Nevada
CORE CONCEPTS OF Accounting Information Systems Thirteenth Edition Mark G. Simkin, PhD. Professor Department of Information Systems University of Nevada Jacob M. Rose, Ph D. Trustee Professor Department
Marshall B. Romney liri^ham YounI nivcrsitv. Paul John Steinbart. \ri:oiid Statt' l 'nivcrsitv PEARSON
Marshall B. Romney liri^ham YounI nivcrsitv Paul John Steinbart. \ri:oiid Statt' l 'nivcrsitv PEARSON Contents Preface 19 Conceptual Foundations of Accounting Information Systems 27 CHARTER 1 Accounting
Accounting Information Systems, 4th. Ed. CHAPTER 4 THE REVENUE CYCLE
Accounting Information Systems, th. Ed. CHAPTER THE REVENUE CYCLE The revenue cycle is the set of activities in a business which brings about the exchange of goods or services with customers for cash.
Table of Contents. Auditor's Guide to Information Systems Auditing Richard E. Cascarino Copyright 2007, John Wiley & Sons, Inc.
Table of Contents PART I. IS Audit Process. CHAPTER 1. Technology and Audit. Technology and Audit. Batch and On-Line Systems. CHAPTER 2. IS Audit Function Knowledge. Information Systems Auditing. What
CONTROLLING COMPUTER-BASED INFORMATION SYSTEMS, PART I
CHAPTER CONTROLLING COMPUTER-BASED INFORMATION SYSTEMS, PART I The basic topic of internal control was introduced in 3. These next two chapters discuss the implications of automating the accounting information
THE EXPENDITURE CYCLE Part I
CHAPTER THE EXPENDITURE CYCLE Part I Businesses need resources in order to conduct their business to produce and sell a product or to provide a service. The expenditure cycle is concerned with the acquisition
Internal Control Deliverables. For. System Development Projects
DIVISION OF AUDIT SERVICES Internal Control Deliverables For System Development Projects Table of Contents Introduction... 3 Process Flow... 3 Controls Objectives... 4 Environmental and General IT Controls...
B.Sc (Computer Science) Database Management Systems UNIT-V
1 B.Sc (Computer Science) Database Management Systems UNIT-V Business Intelligence? Business intelligence is a term used to describe a comprehensive cohesive and integrated set of tools and process used
Brief Contents. Part Three: Decisions and Strategies. Part One: Information Technology Infrastructure. Part Four: Organizing Businesses and Systems
Brief Contents 1 Introduction Part One: Information Technology Infrastructure 2 Information Technology Foundations 3 Networks and Telecommunications 4 Database Management Part Two: Business Integration
IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results
Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.
Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
Understanding the Entity and Its Environment 1667 AU Section 314 Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement (Supersedes SAS No. 55.) Source: SAS No. 109.
James A. Hall Chapter Accounting Information Systems, 4th. Ed. The Information System THE INFORMATION SYSTEM: AN ACCOUNTANT S PERSPECTIVE
CHAPTER THE INFORMATION SYSTEM: AN ACCOUNTANT S PERSPECTIVE Many readers are exploring these study notes as part of a college or university course named accounting information systems. There is often a
4 Testing General and Automated Controls
4 Testing General and Automated Controls Learning Objectives To understand the reasons for testing; To have an idea about Audit Planning and Testing; To discuss testing critical control points; To learn
MANAGING THE SYSTEMS DEVELOPMENT LIFE CYCLE
CHAPTER MANAGING THE SYSTEMS DEVELOPMENT LIFE CYCLE The development of a new information system is a complicated effort. But it must be done. Manual systems are eventually automated and old systems become
AUD105-2nd Edition. Auditor s Guide to IT - 20 hours. Objectives
AUD105-2nd Edition Auditor s Guide to IT - 20 hours Objectives More and more, auditors are being called upon to assess the risks and evaluate the controls over computer information systems in all types
PRACTICE NOTE 1013 ELECTRONIC COMMERCE - EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS
PRACTICE NOTE 1013 ELECTRONIC COMMERCE - EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS (Issued December 2003; revised September 2004 (name change)) PN 1013 (September 04) PN 1013 (December 03) Contents Paragraphs
Course Description Bachelor in Management Information Systems
Course Description Bachelor in Management Information Systems 1605215 Principles of Management Information Systems (3 credit hours) Introducing the essentials of Management Information Systems (MIS), providing
DATABASE MANAGEMENT SYSTEMS
CHAPTER DATABASE MANAGEMENT SYSTEMS This chapter reintroduces the term database in a more technical sense than it has been used up to now. Data is one of the most valuable assets held by most organizations.
The Information Systems Audit
November 25, 2009 e q 1 Institute of of Pakistan ICAP Auditorium, Karachi Sajid H. Khan Executive Director Technology and Security Risk Services e q 2 IS Environment Back Office Batch Apps MIS Online Integrated
ENTERPRISE. Ellen F. Monk University of Delaware. Bret J. Wagner Western Michigan University. COURSE TECHNOLOGY CENGAGE Learning-
0 :^S ENTERPRISE RESOURCE PLANNING Third Edition Ellen F. Monk University of Delaware Bret J. Wagner Western Michigan University COURSE TECHNOLOGY CENGAGE Learning- Australia Brazil Japan Korea Mexico
Generic Business Process (1) Expenditure Cycle & Revenue Cycle
Generic Business Process (1) Expenditure Cycle & Revenue Cycle Topik Bahasan Expenditure Cycle Revenue Cycle Sumber Materi Romney / Steinbart, Accounting Information Systems, 9th Edition ch.11-12, Prentice
Chapter 15 Auditing the Expenditure Cycle
Chapter 15 Auditing the Expenditure Cycle Expenditure cycle consists of activities related to the acquisition of and payment for plant assets and goods and services. Two major transaction classes: 1 purchases
In recent years, information technology (IT) used by firms,
Copyright 2003 Information Systems Audit and Control Association. All rights reserved. www.isaca.org. Impact of SAS No. 94 on Computer Audit Techniques By M. Virginia Cerullo, CPA, CIA, CFE, and Michael
INTERNATIONAL AUDITING PRACTICE STATEMENT 1013 ELECTRONIC COMMERCE EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS
INTERNATIONAL PRACTICE STATEMENT 1013 ELECTRONIC COMMERCE EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS (This Statement is effective) CONTENTS Paragraph Introduction... 1 5 Skills and Knowledge... 6 7 Knowledge
MFG/PRO Quick Start TRAINING GUIDE
MFG/PRO Quick Start TRAINING GUIDE 70-2905A August 2006 This document contains proprietary information that is protected by copyright. No part of this document may be photocopied, reproduced, or translated
SOLUTION: AUDIT AND INTERNAL REVIEW, MAY 2014
SOLUTION 1(a) (a) The Auditing guideline points out that the amount or quantity of audit evidence required for the auditor to achieve the level of assurance is a matter of professional judgment. The factors
RedPrairie for Convenience Retail. Providing Consistency and Visibility at Least Cost
RedPrairie for Convenience Retail Providing Consistency and Visibility at Least Cost The Convenience Store Challenge With blurring lines between retail segments, Convenience Store chains are faced with
Foundations of Business Intelligence: Databases and Information Management
Chapter 6 Foundations of Business Intelligence: Databases and Information Management 6.1 2010 by Prentice Hall LEARNING OBJECTIVES Describe how the problems of managing data resources in a traditional
Using COBiT For Sarbanes Oxley. Japan November 18 th 2006 Gary A Bannister
Using COBiT For Sarbanes Oxley Japan November 18 th 2006 Gary A Bannister Who Am I? Who am I & What I Do? I am an accountant with 28 years experience working in various International Control & IT roles.
BBA International Program Thammasat Business School. BBA International Program Thammasat Business School Thammasat University
BBA International Program Thammasat University 1. Course Title: (Curriculum 2013) AC 318 Accounting Information Systems 2. Course Credits: 3 Credits (3-0-6) 3. Prerequisite: (Curriculum 2013) Have earned
IBM Cognos Controller
IBM Cognos Controller Accurate, auditable close, consolidation and reporting in a solution managed by the office of finance Highlights Provides all close, consolidation and reporting capabilities Automates
Licensed to: Printed in the United States of America 12345671514131211
Licensed to: CengageBrain User This is an electronic version of the print textbook. Due to electronic rights restrictions, some third party content may be suppressed. Editorial review has deemed that any
Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)
It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The
Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget
Office of the Auditor General Performance Audit Report Statewide Oracle Database Controls Department of Technology, Management, and Budget March 2015 071-0565-14 State of Michigan Auditor General Doug
The Crossroads of Accounting & IT
The Crossroads of Accounting & IT Donna Kay, MBA, PhD, CPA, CITP Maryville University of Saint Louis Ali Ovlia, MS, DM Webster University Pearson Boston Columbus- Indianapolis New York San Francisco Upper
Applied Business Intelligence. Iakovos Motakis, Ph.D. Director, DW & Decision Support Systems Intrasoft SA
Applied Business Intelligence Iakovos Motakis, Ph.D. Director, DW & Decision Support Systems Intrasoft SA Agenda Business Drivers and Perspectives Technology & Analytical Applications Trends Challenges
Accounting Information Systems, 6 th ed., by James A. Hall South-Western College Pub.
Accounting Information Systems, 6 th ed., by James A. Hall South-Western College Pub. A ABC (activity-based costing), 356 58. See also cost accounting system access authority, 769 equity of, 116 method,
IT - General Controls Questionnaire
IT - General Controls Questionnaire Internal Control Questionnaire Question Yes No N/A Remarks G1. ACCESS CONTROLS Access controls are comprised of those policies and procedures that are designed to allow
Appendix A. Specific Learning Objectives by Course
Appendix A by Course MGMT 0630: Foundations in Ethics: Applications to Business and the CPA Profession Identify the regulatory bodies that regulate the CPA profession. Discuss the Code of Professional
CIMA'S Official Learning System
cima CIMA'S Official Learning System Strategic Level Paul M. Collier Sam Agyei-Ampomah ELSEVIER AMSTERDAM BOSTON HEIDELBERG LONDON NEW YORK OXFORD PARIS SAN DIEGO SAN FRANCISCO SINGAPORE SYDNEY TOKYO Contents
7 Capabilities Your Software Vendor Should Offer to Support your Business Operations in China.
7 Capabilities Your Software Vendor Should Offer to Support your Business Operations in China. China today represents a large market of opportunity for Process Manufacturers. Many North American companies
INFORMATION YOU CAN MANAGE. JD Edwards World Financial Management
INFORMATION YOU CAN MANAGE JD Edwards World Financial Management Streamline financial operations. Make decisions based on accurate information. Respond quickly to change. INFORMATION YOU CAN MANAGE Financial
Integrating Payables and Receivables to Unlock Working Capital
Integrating Payables and Receivables to Unlock Working Capital Approved for 1 CTP / CCM recertification credit by the Association of Financial Professionals May 2009 Introductions David Kunz Treasury Management
ACCT341, Chapter 15 Accounting Software
ACCT341, Chapter 15 Accounting Software Introduction Accounting software Early decades primarily processed bookkeeping transactions Today it has become much more of a mgmt tool customizes financial reports
White Paper. Regulatory Compliance and Database Management
White Paper Regulatory Compliance and Database Management March 2006 Introduction Top of mind in business executives today is how to meet new regulatory compliance and corporate governance. New laws are
Manufacturing. Manufacturing challenges of today and how. Navision Axapta solves them- In the current explosive economy, many
Manufacturing challenges of today and how Navision Axapta solves them- the solution for change; controlled by you. Manufacturing In the current explosive economy, many manufacturers are struggling to keep
PeopleSoft Enterprise Program Management 9.1 PeopleBook
PeopleSoft Enterprise Program Management 9.1 PeopleBook November 2009 PeopleSoft Enterprise Program Management 9.1 PeopleBook SKU fscm91pbr0 Copyright 1992, 2009, Oracle and/or its affiliates. All rights
SRI LANKA AUDITING PRACTICE STATEMENT 1013 ELECTRONIC COMMERCE EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS
SRI LANKA AUDITING PRACTICE STATEMENT 1013 ELECTRONIC COMMERCE EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS (This Statement is effective for all the audits commencing on or after 01 April 2010) CONTENTS
Accounting information systems and business process : part 1
King Saud University College of Administrative Science Department of Accounting Accounting information systems and business process : part 1 Chapter 4 Prepared By: Eman Al-Aqeel Professor : Dr: Suliman
RedPrairie for Food Service. Providing Consistency and Visibility at Least Cost
RedPrairie for Food Service Providing Consistency and Visibility at Least Cost The Food Service Challenge Food service operators are faced with the enormous challenge of providing a consistent guest experience
NINTH EDITION A RISK-BASED APPROACH TO CONDUCTING A QUALITY AUDIT
NINTH EDITION AUDITING A RISK-BASED APPROACH TO CONDUCTING A QUALITY AUDIT Kar la M. Johnstone University of Wisconsin Madison Audrey A. Gramling Bellarmine University Larry E. Rittenberg University of
THE GENERAL LEDGER, FINANCIAL REPORTING, AND MANAGEMENT REPORTING SYSTEMS
CHAPTER THE GENERAL LEDGER, FINANCIAL REPORTING, AND MANAGEMENT REPORTING SYSTEMS This chapter is concerned with the part of the AIS that ties all of the transaction processing systems together and handles
Foundations of Business Intelligence: Databases and Information Management
Chapter 5 Foundations of Business Intelligence: Databases and Information Management 5.1 Copyright 2011 Pearson Education, Inc. Student Learning Objectives How does a relational database organize data,
R162-2f-206c. Certification of Continuing Education Course. (1) (a) The division may not award continuing education credit for a course that is
R162-2f-206c. Certification of Continuing Education Course. (1) (a) The division may not award continuing education credit for a course that is advertised in Utah to real estate licensees unless the course
JD Edwards EnterpriseOne Applications
JD Edwards EnterpriseOne Applications Plant Manager's Dashboard Implementation Guide Release 9.1 E15098-01 March 2012 JD Edwards EnterpriseOne Applications Plant Manager's Dashboard Implementation Guide,
Audit Evidence. AU Section 326. Introduction. Concept of Audit Evidence AU 326.03
Audit Evidence 1859 AU Section 326 Audit Evidence (Supersedes SAS No. 31.) Source: SAS No. 106. See section 9326 for interpretations of this section. Effective for audits of financial statements for periods
Microsoft Axapta Financial Management consists of several individually packaged offerings: Microsoft Axapta Financials I and Financials II
Microsoft Business Solutions Axapta Financial Management helps you effectively increase your business while maintaining control over your financial management processes. Key Benefits: Helps you increase
Corporate Property Automated Information System CPAIS. Privacy Impact Assessment
Corporate Property Automated Information System CPAIS Privacy Impact Assessment May 2003 CONTENTS Background...3 Access to the Data...5 Maintenance of Administrative Controls...9 1 Introduction The Office
PeopleSoft Enterprise Supply Chain Management 9.1 Common Information PeopleBook
PeopleSoft Enterprise Supply Chain Management 9.1 Common Information PeopleBook November 2009 PeopleSoft Enterprise Supply Chain Management 9.1 Common Information PeopleBook SKU fscm91pbr0 Copyright 1992,
Answers to Review Questions
Tutorial 2 The Database Design Life Cycle Reference: MONASH UNIVERSITY AUSTRALIA Faculty of Information Technology FIT1004 Database Rob, P. & Coronel, C. Database Systems: Design, Implementation & Management,
Process ERP Software Selection RFP Template
Process ERP Software Selection RFP Template KB Description: Goal: The simplified definition of enterprise resource planning (ERP) software is a set of applications that automate finance and human resources
INTERNAL CONTROL POLICIES
INTERNAL CONTROL POLICIES 2701 Internal Control Policy 2701.1 Addendum Internal Control Standard #1 Payments Cycle 2701.2 Addendum Internal Control Standard #2 Conversion Cycle 2701.3 Addendum Internal
micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.
micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5
Automation in Banking, Volume 1-2014
Brochure More information from http://www.researchandmarkets.com/reports/3045720/ Automation in Banking, Volume 1-2014 Description: This year's edition of the Automation in Banking report marks the 29th
Accounting and Management Information Systems Course Descriptions
Accounting and Management Information Systems Course Descriptions Accounting Course Descriptions ACCT 110 Introduction to Financial Accounting This introductory course to financial accounting aims to develop
Foundations of Business Intelligence: Databases and Information Management
Foundations of Business Intelligence: Databases and Information Management Problem: HP s numerous systems unable to deliver the information needed for a complete picture of business operations, lack of
Invoice Matching User Guide
Invoice Matching User Guide Version 8.1 November 2004 Document Number MAUG-81UW-04 Procurement Lawson does not warrant the content of this document or the results of its use. Lawson may change this document
Functional Area Systems Lecture 5
ACS-1803 Introduction to Information Systems Instructor: David Tenjo Functional Area Systems Lecture 5 1 1. ACCOUNTING TRANSACTION SYSTEMS 2 1 Business Transaction Cycles 3 Business Transaction Cycles
ELECTRONIC COMMERCE SYSTEMS
CHAPTER ELECTRONIC COMMERCE SYSTEMS This chapter discusses one of the most visible segments of the business world today e-commerce. In general terms, the issues involve the electronic processing and transmission
E-Commerce Operations Management Downloaded from www.worldscientific.com -COMMERCE. by 37.44.207.139 on 06/15/16. For personal use only.
-COMMERCE O p e r a t i o n s M a n a g e m e n t 2nd Edition This page intentionally left blank -COMMERCE O p e r a t i o n s M a n a g e m e n t 2nd Edition Marc J. Schniederjans University of Nebraska-Lincoln,
Foundations of Business Intelligence: Databases and Information Management
Chapter 5 Foundations of Business Intelligence: Databases and Information Management 5.1 See Markers-ORDER-DB Logically Related Tables Relational Approach: Physically Related Tables: The Relationship Screen
ARIS Design Platform Getting Started with BPM
Rob Davis and Eric Brabander ARIS Design Platform Getting Started with BPM 4y Springer Contents Acknowledgements Foreword xvii xix Chapter 1 An Introduction to BPM 1 1.1 Brief History of Business Process
Sarbanes-Oxley Control Transformation Through Automation
Sarbanes-Oxley Control Transformation Through Automation An Executive White Paper By BLUE LANCE, Inc. Where have we been? Where are we going? BLUE LANCE INC. www.bluelance.com 713.255.4800 [email protected]
JD Edwards EnterpriseOne Applications
JD Edwards EnterpriseOne Applications Data Interface for Electronic Data Interchange Implementation Guide Release 9.1 E15100-01 March 2012 JD Edwards EnterpriseOne Applications Data Interface for Electronic
ACS 1803. Final Exam Topic Outline. Functional Area Information Systems. V. Enterprise Information Systems
ACS 1803 Final Exam Topic Outline IV. Functional Area Information Systems a. Financial Information Systems (Lecture Outline 5.1) i. Budgeting Systems ii. Cash Management Systems iii. Capital Management
Exhibit F. VA-130620-CAI - Staff Aug Job Titles and Descriptions Effective 2015
Applications... 3 1. Programmer Analyst... 3 2. Programmer... 5 3. Software Test Analyst... 6 4. Technical Writer... 9 5. Business Analyst... 10 6. System Analyst... 12 7. Software Solutions Architect...
Tel. 202.332.3566 Fax 202.332.3672 www.martinwallcpa.com MANAGEMENT LETTER
Tel. 202.332.3566 Fax 202.332.3672 www.martinwallcpa.com MANAGEMENT LETTER In planning and performing our audit of the financial statements of the U.S. Nuclear Waste Technical Review Board (NWTRB) for
The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency
logo The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency Understanding the Multiple Levels of Security Built Into the Panoptix Solution Published: October 2011
MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL
MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL ...The auditor general shall conduct post audits of financial transactions and accounts of the state and of
Cognos Analytic Applications Sales Analysis
Cognos Analytic Applications Sales THE KEY TO CLOSING MORE AND LARGER DEALS FASTER IS UNDOUBTEDLY BUILDING STRONG CUSTOMER RELATIONSHIPS. WHEN A SALES ORGANIZATION HAS THE RIGHT INFORMATION ABOUT CUSTOMER
Transaction Cycles and Business Processes
Part II Transaction Cycles and Business Processes CHAPTER 4 The Revenue Cycle CHAPTER 5 The Expenditure Cycle Part I: Purchases and Cash Disbursements Procedures CHAPTER 6 The Expenditure Cycle Part II:
460-104 3(3-0-6) (Introduction to Business) (Principles of Marketing)
460-101 3(3-0-6) (Introduction to Business) Types of business; business concepts of human resource management, production, marketing, accounting, and finance;
Windchill PDMLink 10.2. Curriculum Guide
Windchill PDMLink 10.2 Curriculum Guide Live Classroom Curriculum Guide Update to Windchill PDMLink 10.2 from Windchill PDMLink 9.0/9.1 for the End User Introduction to Windchill PDMLink 10.2 for Light
White Paper. Archiving Best Practices: 9 Steps to Successful Information Lifecycle Management. Contents
White Paper Archiving Best Practices: 9 Steps to Successful Information Lifecycle Management Contents: Executive Summary; Exponentially Increasing Data Volumes; Inadequate Solutions; The Solution:
INFORMATION SYSTEMS (INFO)
VCU 1 INFORMATION SYSTEMS (INFO) INFO 160. Digital Literacy: Computer Concepts, Internet, Digital Devices. 1 Hour. Semester course; 1 credit. Overview of basic computer concepts, the Internet, new technologies
Purchasing and Supply Chain Management
Eighth Edition Purchasing and Supply Chain Management KENNETH LYSONS MA, MEd, PhD, Dipl.PA, AcDip.Ed., DMS, FCIS, FCIPS, Flnst M, MILT BRIAN FARRINGTON BSc(Econ), MSc, PhD, FCIPS PEARSON Harlow, England
Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus
Information Technology Engineers Examination Information Security Specialist Examination (Level 4) Syllabus Details of Knowledge and Skills Required for the Information Technology Engineers Examination
B.Sc. in Computer Information Systems Study Plan
195 Study Plan University Compulsory Courses Page ( 64 ) University Elective Courses Pages ( 64 & 65 ) Faculty Compulsory Courses 16 C.H 27 C.H 901010 MATH101 CALCULUS( I) 901020 MATH102 CALCULUS (2) 171210
SQL Server 2008 Administration
SQL Server 2008 Administration Real World Skills for ITP Certification and Beyond Tom Carpenter WILEY Wiley Publishing, Inc. Contents: Introduction; Part I Introducing SQL Server 2008; Chapter 1 Understanding
