(Ais) Reviewer 2

This document provides an overview of systems documentation and relational databases. It discusses two types of systems documentation - data flow diagrams and systems flowcharts. It also describes preparing and documenting these systems. The document then covers relational databases, database management systems, logical and physical database models, normalization of databases, and decision support systems. Key topics include data flow diagrams, systems flowcharts, database approaches, database management functions, database schemas, database languages, and elements of relational databases.

Uploaded by phia tries

CHAPTER 4: DOCUMENTING INFORMATION SYSTEMS

TWO TYPES OF SYSTEMS DOCUMENTATION

1. DATA FLOW DIAGRAMS - a graphical representation of a process that depicts a system’s components;
the data flows among the components; and the sources, destinations, and storage of data
• Bubble Symbol - depicts an entity or a process
• Data Flow Symbol - represents a pathway for data
• External Entity Symbol - portrays a source or a destination of data outside the system
• Data Store Symbol - represents a place where data are stored

CONTEXT DIAGRAM - the least detailed picture of a system that defines the process being documented
and shows the data flows into and out of the process to external entities

PHYSICAL DATA FLOW DIAGRAM - a graphical representation of a system that shows the system’s
internal and external entities and the flows of data into and out of these entities

LOGICAL DATA FLOW DIAGRAM - a graphical representation of a system that shows the system’s
processes (as bubbles), data stores, and the flows of data into and out of the processes and data stores.

2. SYSTEMS FLOWCHARTS - a graphical representation of a business process, including information
processes (inputs, data processing, data storage, and outputs), as well as the related operations
processes (people, equipment, organization, and work activities)

PREPARING SYSTEMS DOCUMENTATION

PREPARING DATA FLOW DIAGRAMS - Data flow diagrams are drawn to document an existing system or
one that is created from scratch when developing a new system. They use defined symbols such as rectangles,
circles, and arrows.

PREPARING SYSTEMS FLOWCHARTS - Systems flowcharts are drawn to visually display the sequence of
activities in a process and who is responsible for those activities. They are used (a) to simplify and clarify a
narrative, (b) to better analyze and understand a system, and (c) to portray a system’s logic and implementation
accurately; there can be many correct solutions.

DOCUMENTING ENTERPRISE SYSTEMS

An enterprise system facilitates the streamlining of business processes, the replacement of paper
reports with online “electronic reports,” and the automation of manual processes

CHAPTER 5: DATABASE MANAGEMENT SYSTEMS

TWO APPROACHES TO BUSINESS EVENT

APPLICATIONS APPROACH - concentrates on the process being performed. In this case, data
play a secondary or supportive role to the programs that run in each application system. Each
application user collects and manages its own data, generally in dedicated, separate, physically
distinguishable files for each application.

CENTRALIZED DATABASE APPROACH - data are stored in relational database tables instead of
separate files, which solves many of the problems caused by data redundancy.

DATABASE MANAGEMENT SYSTEM

A database management system (DBMS) is a set of integrated programs designed to simplify the tasks of
creating, accessing, and managing a centralized database

Functions of DBMS

• Define
• Construct
• Manipulate
• Share

SCHEMA AND SUBSCHEMA

SCHEMA

A complete description of the configuration of record types, data items, and the relationships
among them. The schema defines the logical structure of the database. The schema, therefore,
defines the organizational view of the data.

SUBSCHEMA

A description of a portion of a schema.

DBMS LANGUAGES

DATA DEFINITION LANGUAGE (DDL) - describes the structure of the database, i.e. tables
(attributes, domains, keys) and constraints.

DATA MODIFICATION LANGUAGE (DML) - manipulates data in a table or selects data from
a table.

DATA CONTROL LANGUAGE (DCL) - controls access to stored data.

TRANSACTION CONTROL LANGUAGE (TCL) - controls transactions.

LOGICAL VERSUS PHYSICAL DATABASE MODEL

DATA INDEPENDENCE - a property of a DBMS that allows the database schema at one level of a
database system to be changed without requiring a change to the schema at the next higher level.

THREE-TIER ARCHITECTURE - There is no direct communication between client and server. Used for
large applications on the web. The features are data backup, recovery, security, and concurrency
control.

LOGICAL DATABASE MODELS

1. HIERARCHICAL
• organized in a pyramid structure
• records at or near the top of the structure contain the records below them
• parent records include the lower-level child records
2. NETWORK
• a child record can have more than one parent record
• adopted by organizations that had been frustrated by the limitations of hierarchical DBMSs
3. RELATIONAL
• logically organized in two-dimensional tables
• each individual fact or type of information is stored in its own table
4. OBJECT-ORIENTED
• both simple and complex objects can be stored
• includes abstract data types that allow users to define characteristics of the data

ELEMENTS OF RELATIONAL DATABASES

• TABLES - a place to store data
• QUERIES - tools that allow users to access data stored in various tables
• FORMS - onscreen presentations that allow users to view data
• REPORTS - provide printed lists and summaries of data stored in tables

NORMALIZATION OF RELATIONAL DATABASES

FIRST NORMAL FORM (1NF)

does not contain repeating groups

each sales order is presented in the number of rows required.

SECOND NORMAL FORM (2NF)

solves the anomalies in first normal form by reducing the redundancy of data.

1st step: create a new table for each subset of the table.

2nd step: place each non-key attribute that depends on only part of the composite key in the corresponding new table.

THIRD NORMAL FORM (3NF)

exists if it is in 2NF and has no transitive dependencies

a transitive dependency exists in a table when a non-key attribute is functionally dependent on
another non-key attribute
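To make the 1NF, 2NF and 3NF steps above concrete, here is an added example (my own code, not from the reviewer) that walks a constructed sales-order file through each normal form. The table and column names (ORDER, ORDER_LINE, PRODUCT, CUSTOMER, cust_id, and so on) and the three sample orders are assumptions made for the illustration; the function `copies_of_customer` shows the update anomaly that the later forms remove.

```python
"""Worked normalization of a sales-order file: unnormalized -> 1NF -> 2NF -> 3NF.
Added example; table names, columns and sample orders are constructed."""

# Constructed sample: one record per sales order, each carrying a repeating
# group of line items (product_id, description, qty). 1NF forbids this.
UNNORMALIZED = [
    {"order_no": 1001, "order_date": "2024-03-01",
     "cust_id": "C01", "cust_name": "Acme Co", "cust_city": "Manila",
     "items": [("P10", "Keyboard", 2), ("P20", "Monitor", 1)]},
    {"order_no": 1002, "order_date": "2024-03-02",
     "cust_id": "C01", "cust_name": "Acme Co", "cust_city": "Manila",
     "items": [("P20", "Monitor", 3)]},
    {"order_no": 1003, "order_date": "2024-03-05",
     "cust_id": "C02", "cust_name": "Beta Ltd", "cust_city": "Quezon City",
     "items": [("P10", "Keyboard", 5)]},
]


def to_1nf(orders):
    """1NF: flatten the repeating group so each sales order occupies as many
    rows as it has line items. Composite key: (order_no, product_id).
    Order and customer data are now repeated on every line of an order."""
    rows = []
    for o in orders:
        for product_id, description, qty in o["items"]:
            rows.append({
                "order_no": o["order_no"], "product_id": product_id,
                "order_date": o["order_date"], "cust_id": o["cust_id"],
                "cust_name": o["cust_name"], "cust_city": o["cust_city"],
                "description": description, "qty": qty,
            })
    return rows


def to_2nf(rows):
    """2NF: remove partial dependencies on the composite key.
    order_date, cust_* depend only on order_no   -> ORDER table
    description       depends only on product_id -> PRODUCT table
    qty depends on the whole key                 -> ORDER_LINE table"""
    orders, products, lines = {}, {}, []
    for r in rows:
        orders[r["order_no"]] = {"order_date": r["order_date"], "cust_id": r["cust_id"],
                                 "cust_name": r["cust_name"], "cust_city": r["cust_city"]}
        products[r["product_id"]] = {"description": r["description"]}
        lines.append({"order_no": r["order_no"], "product_id": r["product_id"], "qty": r["qty"]})
    return {"ORDER": orders, "PRODUCT": products, "ORDER_LINE": lines}


def to_3nf(tables):
    """3NF: remove the transitive dependency order_no -> cust_id -> cust_name, cust_city.
    Customer attributes move to a CUSTOMER table keyed by the non-key attribute cust_id."""
    customers, orders = {}, {}
    for order_no, o in tables["ORDER"].items():
        customers[o["cust_id"]] = {"cust_name": o["cust_name"], "cust_city": o["cust_city"]}
        orders[order_no] = {"order_date": o["order_date"], "cust_id": o["cust_id"]}
    return {"CUSTOMER": customers, "ORDER": orders,
            "PRODUCT": tables["PRODUCT"], "ORDER_LINE": tables["ORDER_LINE"]}


def normalize(orders):
    """Run the full chain and return the 3NF tables."""
    return to_3nf(to_2nf(to_1nf(orders)))


def copies_of_customer(rows_1nf, cust_id):
    """Count 1NF rows that carry this customer's name: every one of them would
    have to change on a rename. In 3NF the name is stored exactly once."""
    return sum(1 for r in rows_1nf if r["cust_id"] == cust_id)


if __name__ == "__main__":
    for name, table in normalize(UNNORMALIZED).items():
        print(name, table)
```

Running the chain on the three constructed orders produces four 1NF rows, three ORDER rows, two PRODUCT rows and two CUSTOMER rows; the customer "Acme Co" appears in three 1NF rows but in a single CUSTOMER row once 3NF is reached.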

DECISION SUPPORT SYSTEM

1. COMMUNICATION-DRIVEN
2. DATA-DRIVEN
3. DOCUMENT-DRIVEN
4. KNOWLEDGE-DRIVEN
5. MODEL-DRIVEN

NEURAL NETWORKS (NNs) are computer hardware and software systems that mimic the human brain’s
ability to recognize patterns or predict outcomes using less-than-complete information.

INTELLIGENT AGENT - a software program that may be integrated into DSS or other software tools (such
as word processing, spreadsheet, or database packages)

DATA - the raw bits and pieces of information with no context. By itself, data is not that useful. To be
useful, it needs to be given context. Once we have put our data into context, aggregated and analyzed it,
we can use it to make decisions for our organization

DATABASES - an organized collection of related information. It is an organized collection because, in a
database, all data is described and associated with other data. All information in a database should be
related as well; separate databases should be created to manage unrelated information

DATA WAREHOUSES - the use of information systems facilities to focus on the collection, organization,
integration, and long-term storage of entity-wide data. Its purpose is to provide users with easy access
to large quantities of varied data from across the organization for the sole purpose of improving
decision-making capabilities

DATA MINING - the exploration, aggregation, and analysis of large quantities of varied data from across
the organization. Data mining is used to better understand an organization’s business processes, trends
within these processes, and potential opportunities to improve the effectiveness and efficiency of the
organization

KNOWLEDGE MANAGEMENT SYSTEM - the process of capturing, storing, retrieving, and distributing the
knowledge of the individuals in an organization for use by others in the organization to improve the
quality and efficiency of decision making across the firm

DASHBOARDS - Business dashboards (or simply dashboards) can be defined by applying the input-process-
output approach: the inputs to dashboards are the key information for decisions; the processes of
dashboards are the various forms of graphical presentation (e.g., bar charts, pie charts, and
infographics) and user interactivity (e.g., slider bar, drilldown button, and dropdown list); and the
outputs from the dashboards are the decisions made by managers, which may improve organizations’
performance.

CHAPTER 6: RELATIONAL DATABASES AND SQL

BUSINESS INTELLIGENCE (BI)

• Provides analytical and reporting capability to enable the analysis of data warehouses and to
help managers make the best possible decisions for their companies.
• Natural extension of enterprise systems.

BI IN THE ERA OF BIG DATA

BUSINESS ANALYTICS

• a set of disciplines and technologies for solving business problems.
• used to detect fraud occurrences in near real time.

Advanced Business Analytics

• predict future occurrences of fraud.

Two major revolutions of BI in the big data era

1. Real-time analytics - encompasses the technology enabling users to leverage data the second it
enters the database.

2. Predictive analytics - similar to the “precrime” predicting tool where agents can use it to visualize
future murder cases.

Group 2 AIS

Chapter 6
Relational Databases and SQL

Business Intelligence (BI)


BI provides analytical and reporting capability to enable the analysis of data warehouses and to
help managers make the best possible decisions for their companies, because it is designed to
support managers in making tactical, strategic and data-driven decisions. Unlike enterprise
systems, which were discussed in the previous chapter and primarily focus on assisting
companies with their day-to-day operations and transactions, BI parses all of the data of the
business and presents easy-to-digest reports, performance measures, and trends that
inform management decisions.

As we go on with the topic we will realize that BI is a natural extension of enterprise systems and
not a completely new development, because BI is often installed into an existing ERP as an
additional module. Also, with respect to the use of spreadsheets, BI can improve internal controls within a
company.

For example, if data from an enterprise system is transferred into a spreadsheet that is not an
integrated part of the enterprise system, there is a possibility of numerous errors
in that spreadsheet. By bringing spreadsheet use within the system, BI increases the
control a company can exert over spreadsheet use, which in turn increases its
compliance with the Sarbanes-Oxley Act (Section 404).

BI in the Era of Big Data


In the era of big data, business analytics was developed: a set of disciplines and
technologies for solving business problems using data analysis, statistical models and other
quantitative methods. It is also used to detect fraud occurrences in near real time. Furthermore,
advanced business analytics can actually predict future occurrences of fraud. The two
major revolutions of BI in the era of big data are real-time analytics and predictive analytics.
Real-time analytics encompasses the technology and processes that quickly enable users to
leverage data the second it enters the database, because it uses real-time in-memory
databases. For example, companies use real-time data analytics to stop hackers by using the
analytics to monitor the way data is accessed and spot unusual or suspicious activities, then
shut hackers and data thieves down before data is lost or security concerns fester. Predictive
analytics, on the other hand, is similar to the “precrime” predicting tool in the movie Minority
Report, where agents can use it to visualize future murder cases. In simple words, it is the use of
data to predict future trends and events, and of historical data to forecast potential scenarios that
can help drive strategic decisions. For example, a hotel uses predictive analytics by developing
multiple regression models that consider several factors to determine the number of staff
needed at a specific time to avoid overstaffing or understaffing, because overstaffing may cause
too much cost while understaffing could cause a bad customer experience, overworked
employees, and costly mistakes.

Health Care Fraud

In 2009, health care fraud in the United States cost an estimated $125–$175 billion annually,
making it the second largest component of healthcare spending. However, currently only 3 to 5
percent of healthcare fraud is detected, so only a small fraction of the lost money is
recovered. Healthcare organizations and government agencies must take advantage of the
capabilities of big data; business analytics can be used to review large amounts of
healthcare claims and related billing information to find the indicators of healthcare fraud by the
use of pattern tracking, anomaly detection, and correlation analysis for fraud detection that can
be done in real time and near-real time.

REA Modeling

• Entities and Attributes

An entity in an accounting system can be classified as a resource, event, or agent (REA): resources have
economic value to the organization, like merchandise inventory, equipment, and cash;
events are business activities like sales orders and purchases; and agents are the
people and organizations, such as customers and employees, about which data is
collected. An instance of an entity is one specific thing of the type defined by the entity.
For example, Andrew and Kathy are employees; they are instances of the Employee
entity. Likewise, Manila and Quezon City are instances of the entity City. Data
models describe entities by capturing their essential characteristics and are used to identify
user requirements for data in a database.
An attribute is an item of data that characterises an entity or relationship. Example:
Employee = Name, Address, Birthdate (Age), Salary. The key attribute is the attribute
whose value is unique for every entity that will ever appear in the database and is the
most meaningful way of identifying each entity.
(Pic of Attribute hierarchy for the Entity CLIENT)
(Pic of Symbols Used in E-R and REA Diagrams)
• Relationships
Relationships are the associations between entities. Entities from the database must be
able to logically present the relationships that exist within them in order to make the data
stored in them available to users who want to reconstruct descriptions of various
business events through the use of relationship mapping.
*go back to the previous slide (Pic of Symbols Used in E-R and REA Diagrams)
Three-step strategy:
1. Identify users’ existing and desired information requirements to determine
whether relationships in the data model can fulfil those requirements.
2. Evaluate each of the entities in pairs to determine which entity in the pair
provides a better location to include an attribute.
3. Evaluate each entity to determine if there would be any need for two
occurrences of the same entity type to be linked.
(Pic of Relationship Types in the REA Model of the Client-Billing Business Process)
The relationship Supervises is called a recursive relationship which occurs between
two different instances of an entity.
• Model Constraints
In model constraints we explore different relationships and identify the constraints used
to specify relationships.
Three relationship types:
1. 1:N (one-to-many),
2. M:N (many-to-many),
3. 1:1 (one-to-one)
Cardinality is the most common constraint specified in E-R diagrams. The participation
constraint specifies the degree of minimum participation of one entity in the relationship
with the other entity. This constraint is either 1 or 0, meaning that a relationship between
the two entities is either mandatory (1) or optional (0).
(Pic of Relationship Constraints in the Client Billing Business Process)
• REA Data Models and E-R Diagrams

Relational Databases
• Relational Database Concepts
• Mapping an REA Model to a Relational DBMS

—--------------------------------------------------------

REA Data Models and E-R Diagrams 


REA Model Components
• The data included in the exchange.
o Resources are the assets of a business.
▪ They are scarce economic resources and are within the control of the
entity concerned. Examples of economic resources are cash and
cash equivalents, properties, plants, and equipment. However, for the
REA model, accounts receivable are not regarded as resources.
o Events are activities that influence changes in economic resources.
▪ They are the result of production, exchange, consumption, and
distribution.
▪ For example, when a sale is made, it changes the economic resources of
the entity. Sales mean an increase in revenue on one hand and an
increase in cash and cash equivalents on the other hand. Therefore,
economic events are the critical aspect of the REA model.
o Agents are people that are involved in an economic event.
▪ Economic agents have the power to use or dispose of economic
resources.
▪ These agents can be within or outside an organization.
▪ Examples of agents include sales clerks, production workers, shipping
clerks, customers, and vendors.

RECAP: Resources, Events, Agents (REA) Models


• The REA data model was developed specifically for use in designing accounting
information systems.
o It is still more of a theoretical model than a practical one, as most accounting
information systems maintain the classical accounting style such as double entry
and ledgers.
• The use of debits and credits is not the focus and is not required.
o The data are collected and stored in a database that can then be used to
provide reports and financial statements.
▪ How? Since REA databases do not employ journals and ledgers, how can
they support financial statement reporting?
▪ Journals, ledgers, and double-entry bookkeeping are the traditional
mechanisms for formatting and transmitting accounting data, but they are
not essential elements of an accounting database.
▪ REA systems capture the essence of what accountants account for by
modeling the underlying economic phenomena directly.
▪ Organizations employing REA can thus produce financial statements,
journals, ledgers, and double-entry accounting reports directly from
event database tables via user views.
o For financial events / transactions.
• It focuses on the business semantics underlying an organization's value chain
activities.
o A value chain is a step-by-step business model for transforming a product or
service from idea to reality.
o Value chains help increase a business's efficiency so the business can deliver
the most value for the least possible cost.
o The end goal of a value chain is to create a competitive advantage for a
company by increasing productivity while keeping costs reasonable.
o The value-chain theory analyzes a firm's five primary activities and four
support activities.
• It provides guidance for identifying the entities to be included in a database and
structuring the relationships among the entities.
• A fundamental requirement for moving toward an event-driven model, such as REA, is
the complete integration of data related to an organization’s business events.

Entity Relationship (ER) Diagrams


• A graphical representation that depicts relationships among people, objects,
places, concepts, or events within an information technology (IT) system.
• A model of how an accounting system can be re-engineered for the computer age.
o Entity relationship diagrams provide a visual starting point for database design
that can also be used to help determine information system requirements
throughout an organization.
o For example, an ERD representing the information system for a company's sales
department might start with graphical representations of entities such as the
sales representative, the customer, the customer's address, the customer's
order, the product and the warehouse.
o Then lines or other symbols can be used to represent the relationship between
entities, and text can be used to label the relationships.

Main Objectives in the Development of Resources, Events, Agents (REA) Models


1. To identify the data required by managers and other users to perform effectively, and
a. easily incorporate financial and non-financial data, and accounting and non-
accounting data.
2. To integrate the data in a way that allows those users to efficiently access the
information needed.

INTEGRATION OF TWO BUSINESS PROCESSES
1. Client Billing
o For service organizations such as public accounting or consultancy firms.
i. Track the person-hours spent by each employee.
ii. Record each employee’s work for a specific client.
iii. Capture data about all employees who provided client services.
iv. The database must aggregate each employee’s time worked, each employee’s
billing rate, and sufficient information about the client to deliver the billing
statement.
o Three entities are involved in the billing process:
i. the agent EMPLOYEE,
ii. the agent CLIENT, and
iii. the event WORK_COMPLETED.
o The process here is that when a customer places an order, the sales clerk checks for
the availability of the product, prepares the sales order and other bills, updates
different accounts, ships the product, and receives cash. The REA diagram
should not show all the accounting details; hence only the important
activities are shown.
o The important activities which should be recorded are: Customer places order with
Sales Clerk, Warehouse Employee ships the product to Customer, and Customer
makes the payment (by check) to Cash Receipts Clerk.
o The Resources are Computer Inventory and Cash. (Though customers can pay
by credit card, online payment, or check, all of these can be considered one entity.)
o Events are Place Order, Ship Product, and Receive Payment.
o Agents are Customer, Sales Clerk, Warehouse Employee, and Cash Receipts
Clerk.

2. Human Resources
• Service businesses also are interested in tracking employee work activities as part of the
human resources process.
• The human resources process includes payroll activities, employee education and
development, and other activities.
o In REA terms, the HR business process is identified (Fig. 2) as a special case of the
acquisition/payment cycle, consisting of four key business events: labor
requisition, labor schedule, labor acquisition and cash disbursement [7].
• Two Additional Entities:
o RELEASE_TIME and TRAINING_COMPLETED, which are added to the model
that also includes the previously identified agent entity EMPLOYEE and event
entity WORK_COMPLETED.
• These four entities enable the database to aggregate the information it needs to
determine the employee's pay rate, hours worked, hours spent in training, and hours of
sick time and vacation time used.
o The human resources department needs information about employee education
and development so it can monitor training activities and ensure that the
employee is receiving enough continuing education to comply with state licensing
requirements and the firm’s policies.
o Human resources also will monitor the percentage of billable hours the
employee has accumulated as a measure of job performance.
• To accomplish these activities, human resources must be able to link data about
completed work activities and training programs to specific employees. This information
can be drawn from the agent entity EMPLOYEE, the event entity
TRAINING_COMPLETED, and the event entity WORK_COMPLETED.
• Human resources can use this information to accumulate a given employee’s training
record and calculate that employee’s percentage of hours worked that were billable
hours.

The REA data model will continue to expand through an explosion of entities and relationships.
Many organizations have moved toward the integration of all data across the organization.
• Use of the REA approach can yield:
o more efficient operations by helping identify non-value-added activities, by storing
financial and nonfinancial data in the same central database, and greater support for
management decisions;
o increased productivity through the elimination of non-value-added activities;
o competitive advantages.

Relational Databases
Legacy Systems
• Systems that have existed in an organization over a long period of time and were
developed using an organization’s previous computer hardware and software platforms.
o A legacy system is software that was created many years ago, but it continues to
work on older technologies pretty well.
o They are implemented on old technologies and platforms.
o Outdated development, design, and architecture approaches are used.
o No unit and integration tests.
o The system is difficult to make changes to.
o The system breaks down unexpectedly.
o Bad unreadable code that calls into question the operation of the entire system.
o Routine operations are not automated, which periodically leads to the same type
of errors and increases the bus factor, which is the level of specific knowledge
that certain team members have. The higher this factor, the more difficult it
becomes to continue developing the project after those team members are
replaced by others.
o System and infrastructure not properly documented.
• HOW SYSTEMS BECOME LEGACY
o Since the launch of the system, many new innovations have been created, but
the system continues to work on older technologies and platforms.
o The team that created the system did not cope with the task due to low technical
competence, and now the project is dead weight.
o As in the previous case, the system was created without a proper technical
knowledge base, but it was launched, and in general, it works.

Relational Database Concepts


• Relational databases often are perceived by users as a collection of tables.
• A relation is a collection of data representing multiple occurrences of a resource, event,
or agent.
• A tuple is a set of data that describes a single instance of the entity represented by a
relation (e.g., one employee is an instance of the EMPLOYEE relation).
o To identify a tuple uniquely, each tuple must be distinct from all other tuples. This
means that each tuple in a relation must be identified uniquely by a single
attribute or some combination of multiple attributes.
• A relational database is a type of database that stores and provides access to data
points that are related to one another. Relational databases are based on the relational
model, an intuitive, straightforward way of representing data in tables. In a relational
database, each row in the table is a record with a unique ID called the key. The columns
of the table hold attributes of the data, and each record usually has a value for each
attribute, making it easy to establish the relationships among data points.

Referential integrity
• Specifies that for every attribute value in one relation that has been specified to allow
reference to another relation, the tuple being referenced must remain intact.
o To ensure that data is always accurate and accessible, relational databases
follow certain integrity rules. For example, an integrity rule can specify that
duplicate rows are not allowed in a table in order to eliminate the potential for
erroneous information entering the database.
o Relational model and data consistency
▪ The relational model is the best at maintaining data consistency across
applications and database copies (called instances). For example, when
a customer deposits money at an ATM and then looks at the account
balance on a mobile phone, the customer expects to see that deposit
reflected immediately in an updated account balance. Relational
databases excel at this kind of data consistency, ensuring that multiple
instances of a database have the same data all the time.

Mapping a REA Model to a Relational DBMS


• Put these two concepts together.
• Mapping the REA model onto a logical database model.

1. Create a separate relational table for each entity.
a. First, specify the database schema.
2. Determine the primary key for each of the relations.
a. The primary key must uniquely identify any row within the table.
3. Determine the attributes for each of the entities.
a. The key attribute specified in the REA model is matched to the corresponding
attribute in the relation.
4. Implement the relationships among the entities.
a. The mapping of the relationships in the model to the relationships in the relational
schema is straightforward.
i. One-to-many (1:N or N:1) relationships
1. Sales (many) and Cash Receipts
2. A one-to-many relationship is a type of cardinality that refers to a
relationship between two entities in an entity relationship diagram
(between two tables in a database).
3. A simple example would be a binding between the entities order
and item. Each order may have multiple items, but a product (e.g.,
a TV) may be delivered within a single order.
ii. One-to-one (1:1) relationships
1. Sales and Cash Receipts
2. A one-to-one relationship is a type of cardinality that refers to a
relationship between two entities in an entity relationship diagram
(between two tables in a database).
3. A simple example would be a binding between the entities person
and birth_certificate. Each person must have their own birth
certificate.
iii. Many-to-many (M:N) relationships
1. Sales (many) and CR (many)
2. A many-to-many relationship is a type of cardinality that refers to a
relationship between two entities in an entity relationship diagram
(between two tables in a database). A simple example would be a
relationship between the entities student and course. Each
student can have multiple courses and each course is for multiple
students.
5. Determine the attributes, if any, for each of the relationship tables.
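The following is an added example (my own code, not from the reviewer or any textbook it summarizes) that carries the five mapping steps above through for the client-billing entities EMPLOYEE, CLIENT and WORK_COMPLETED, and then exercises the referential integrity rule from the earlier section: the DBMS refuses an event row that points at a non-existent agent, and refuses to delete an agent that events still reference. It uses Python's built-in sqlite3 module; the column names, the ASSIGNED_TO relationship table for an M:N link, and all rows are constructed for the illustration. Note that SQLite only enforces foreign keys when `PRAGMA foreign_keys = ON` is issued on the connection.

```python
"""Map the client-billing REA entities to relational tables and show what
referential integrity enforces. Added example; schema and data are constructed."""
import sqlite3

SCHEMA = """
CREATE TABLE EMPLOYEE (                      -- agent entity
    emp_id       TEXT NOT NULL PRIMARY KEY,  -- key attribute from the REA model
    emp_name     TEXT NOT NULL,
    billing_rate REAL NOT NULL
);
CREATE TABLE CLIENT (                        -- agent entity
    client_id    TEXT NOT NULL PRIMARY KEY,
    client_name  TEXT NOT NULL
);
CREATE TABLE WORK_COMPLETED (                -- event entity
    work_id    INTEGER PRIMARY KEY,
    emp_id     TEXT NOT NULL REFERENCES EMPLOYEE(emp_id),   -- 1:N EMPLOYEE -> WORK
    client_id  TEXT NOT NULL REFERENCES CLIENT(client_id),  -- 1:N CLIENT   -> WORK
    hours      REAL NOT NULL CHECK (hours > 0)
);
CREATE TABLE ASSIGNED_TO (                   -- constructed M:N relationship table
    emp_id    TEXT NOT NULL REFERENCES EMPLOYEE(emp_id),
    client_id TEXT NOT NULL REFERENCES CLIENT(client_id),
    PRIMARY KEY (emp_id, client_id)          -- composite key: one row per pair
);
"""


def build_db():
    """Create the schema in memory and load constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FKs unless this is set
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO EMPLOYEE VALUES (?, ?, ?)",
                     [("E1", "Andrew", 120.0), ("E2", "Kathy", 95.0), ("E3", "Lee", 80.0)])
    conn.execute("INSERT INTO CLIENT VALUES (?, ?)", ("C1", "Acme Co"))
    conn.executemany("INSERT INTO ASSIGNED_TO VALUES (?, ?)", [("E1", "C1"), ("E2", "C1")])
    conn.executemany("INSERT INTO WORK_COMPLETED (emp_id, client_id, hours) VALUES (?, ?, ?)",
                     [("E1", "C1", 3.5), ("E2", "C1", 2.0), ("E1", "C1", 1.5)])
    conn.commit()
    return conn


def try_execute(conn, sql, params=()):
    """Run one statement; True if accepted, False if an integrity rule rejected it."""
    try:
        conn.execute(sql, params)
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        conn.rollback()
        return False


def billing_statement(conn, client_id):
    """Aggregate hours and hours x billing rate per employee for one client,
    joining the event table back to the EMPLOYEE agent as the billing process requires."""
    return conn.execute(
        """SELECT e.emp_name, SUM(w.hours), SUM(w.hours * e.billing_rate)
           FROM WORK_COMPLETED w JOIN EMPLOYEE e ON w.emp_id = e.emp_id
           WHERE w.client_id = ?
           GROUP BY e.emp_id ORDER BY e.emp_name""", (client_id,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(billing_statement(db, "C1"))
    # Orphan event row: rejected by the foreign key on emp_id.
    print(try_execute(db, "INSERT INTO WORK_COMPLETED (emp_id, client_id, hours) VALUES (?, ?, ?)",
                      ("E9", "C1", 1.0)))
    # Referenced agent: cannot be deleted while events still point at it.
    print(try_execute(db, "DELETE FROM EMPLOYEE WHERE emp_id = ?", ("E1",)))
```

The two `try_execute` calls in the usage section both return False: the first would leave an event with no agent, the second would leave events pointing at a deleted agent, which is exactly the "tuple being referenced must remain intact" rule. Deleting the unreferenced employee E3 succeeds, and a duplicate (emp_id, client_id) pair in ASSIGNED_TO is rejected by the composite primary key.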

Benefits of relational database management system

The simple yet powerful relational model is used by organizations of all types and sizes for a
broad variety of information needs. Relational databases are used to track inventories, process
e-commerce transactions, manage huge amounts of mission-critical customer information, and
much more. 

—-------------------------------

SQL: A Relational Database Query Language

SQL is a powerful database language that can be used to define database systems, query the
database for information, generate reports from the database, and access databases from
within programs using embedded SQL commands.

It has become the de facto standard database language—evidenced by continual efforts by the
industry to provide standardization guidelines for vendors and the number of variations of the
language that exist in databases from supercomputers to personal computers.

Constructing Relational Databases

CREATE command - used to create the relations that form the database structure.

1.   Assign the relation a name

2.   Assign each attribute a name.

3.   Specify the data type for each attribute.

Data type descriptions - each attribute is declared with an alphanumeric or a numeric type.

Alphanumeric types

·       CHAR (for fixed-length strings)

·       VARCHAR (for varying-length alphanumeric strings).

Numeric data types

·       INTEGER

·       FLOAT (which has a floating decimal point).

4.   Specify constraints, when appropriate, on the attributes.

Most notably, we need to make sure that the primary key values are not left empty (i.e., null);
otherwise, there will be no key value by which to identify and pull the tuple’s record from the
database. We may want to require that other attributes be assigned some value rather than
having the option of being null. In each of these cases, we can assign a value of NOT NULL as
the constraint.

Populating the Database

Data can be changed in the database in three ways:

1. INSERT – used to add a single tuple to an existing relation.

The INSERT command in its simplest form only requires the user to specify the SQL table and
the values to be inserted for each attribute if a value is provided for every attribute.

2. DELETE - method by which we delete a tuple from a relation.

The DELETE command requires specification of the table name and inclusion of a WHERE
condition, which is used to identify the unique tuple(s) for deletion.

3. UPDATE - used when we want to change one or more attribute values for one or more tuples
in a table.

To accomplish a change of an attribute value, the UPDATE command must be able to identify
the table with the value to be updated, the new values to be placed in the database, and the
conditions for identifying the correct tuple for UPDATE.

To make the change, we identify the tuple using the WHERE condition we just used for deletion,
and we change the existing values by using a SET command to set the new values for the
database.

Basic Querying Commands

SELECT

 SELECT commands retrieve the values for a list of attributes from the tuples of a single
relation.
 SELECT commands allow us to join data across multiple tables to link specific pieces of
information that are of interest. A SELECT statement has three parts:
1. a list of attributes that we want to SELECT from the database (SELECT)
2. a list of tables where these attributes can be found (FROM)
3. a WHERE clause that sets the conditions under which attribute values are to be
retrieved (WHERE)
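As an added example, not from the reviewer or its textbook, the CREATE, INSERT, UPDATE, DELETE and SELECT commands described above are run from Python against an in-memory SQLite database; the customer and sales_order relations and their tuples are constructed for the illustration. Values are passed to the embedded SQL through ? placeholders rather than spliced into the command text, so a value supplied by a user is bound as data and never parsed as SQL.

```python
import sqlite3

# Relations constructed for this example. Each primary key carries NOT NULL,
# because without a key value there is nothing to identify the tuple by.
# (SQLite still admits NULL in a non-INTEGER PRIMARY KEY column unless
# NOT NULL is stated explicitly, which is why the constraint is spelled out.)
SCHEMA = """
CREATE TABLE customer (
    cust_id      CHAR(6)      NOT NULL PRIMARY KEY,
    cust_name    VARCHAR(40)  NOT NULL,
    credit_limit FLOAT
);
CREATE TABLE sales_order (
    order_no INTEGER NOT NULL PRIMARY KEY,
    cust_id  CHAR(6) NOT NULL REFERENCES customer(cust_id),
    amount   FLOAT   NOT NULL
);
"""

# Constructed sample tuples.
CUSTOMERS = [("C00001", "Acme Corp", 5000.0), ("C00002", "Bolt Ltd", 2500.0)]
ORDERS = [(1001, "C00001", 1200.0), (1002, "C00001", 300.5), (1003, "C00002", 99.99)]


def build_database():
    """CREATE the relations, then populate them with INSERT."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # enforce the REFERENCES constraint
    conn.executescript(SCHEMA)
    # ? placeholders: the driver binds the values; they are never parsed as SQL.
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)", CUSTOMERS)
    conn.executemany("INSERT INTO sales_order VALUES (?, ?, ?)", ORDERS)
    conn.commit()
    return conn


def orders_for_customer(conn, cust_name):
    """SELECT across two relations joined on the cust_id key (SELECT / FROM / WHERE)."""
    sql = """SELECT c.cust_name, o.order_no, o.amount
             FROM customer c, sales_order o
             WHERE c.cust_id = o.cust_id AND c.cust_name = ?
             ORDER BY o.order_no"""
    return conn.execute(sql, (cust_name,)).fetchall()


def update_order_amount(conn, order_no, new_amount):
    """UPDATE: SET the new value on the tuple picked out by the WHERE clause.
    Returns the number of tuples changed (0 when order_no does not exist)."""
    cur = conn.execute("UPDATE sales_order SET amount = ? WHERE order_no = ?",
                       (new_amount, order_no))
    conn.commit()
    return cur.rowcount


def delete_order(conn, order_no):
    """DELETE the tuple identified by the WHERE condition; returns tuples removed.
    Omitting the WHERE clause would delete every tuple in the relation."""
    cur = conn.execute("DELETE FROM sales_order WHERE order_no = ?", (order_no,))
    conn.commit()
    return cur.rowcount


def order_count(conn):
    """Number of tuples currently in sales_order."""
    return conn.execute("SELECT COUNT(*) FROM sales_order").fetchone()[0]


def try_insert(conn, sql, row):
    """Attempt an INSERT; False when the DBMS rejects it for violating a
    constraint (NULL key, duplicate key, or cust_id with no matching customer)."""
    try:
        with conn:  # commits on success, rolls back when the statement fails
            conn.execute(sql, row)
    except sqlite3.IntegrityError:
        return False
    return True
```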

Chapter 7
Controlling Information Systems: Introduction to Enterprise Risk Management and
Internal Control

Organizational Governance

A process by which organizations select objectives, establish processes to achieve objectives,
and monitor performances.

Objective setting includes defining mission, vision, purpose, and strategies to establish
relationships.

Internal control and monitoring activities are implemented to review performance and provide
feedback to provide a reasonable assurance that objectives are being achieved.

Enterprise Risk Management

A framework that has proven to be an effective process for organizational governance.

A process, effected by an entity’s board of directors, management, and other personnel, applied
in strategy settings and across the enterprise, designed to identify potential events that may
affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance
regarding the achievement of entity objectives.

The ERM framework addresses four categories of management objectives:

 Strategic: High-level goals aligned with and supporting its mission.
 Operations: Effective and efficient use of its resources.
 Reporting: Reliability of reporting.
 Compliance: Compliance with applicable laws and regulations.

Components of Enterprise Risk Management

The ERM process starts with the first component, the internal environment.

1. Internal environment: The internal environment encompasses the tone of an
organization and sets the basis for how risk is viewed and addressed by an entity’s
people, including risk management philosophy and risk appetite, integrity and ethical
values, and the environment in which they operate.
2. Objective setting: Objectives, such as the strategic and related objectives mentioned
above, must exist before management can identify potential events affecting their
achievement. ERM ensures that management has a process in place to set objectives
and that the chosen objectives support and align with the entity’s mission and are
consistent with its risk appetite.
3. Event identification: Internal and external events affecting achievement of an entity’s
objectives must be identified, distinguishing between risks and opportunities.

Risks - events that would have a negative impact on the organization’s objectives –
require assessment and response

Opportunities - events that would have a positive impact on the organization’s objectives –
channeled back to the strategy-setting process

4. Risk assessment: Risks are analyzed, considering likelihood and impact, as a basis for
determining how they should be managed. Likelihood is the possibility that an event will
occur, and impact is the effect of an event’s occurrence. Risks are assessed on an
inherent and a residual basis.
5. Risk response: Management selects risk responses from the four response types:
avoiding, accepting, reducing, or sharing risk—developing a set of actions to align risks
with the entity’s risk tolerances and risk appetite.
 We can avoid a risk by leaving the activity that is giving rise to the risk.
 We can reduce a risk by taking actions that reduce the likelihood of an event or
reduce the impact
 We can share a risk by, for example, buying insurance or outsourcing the activity.
 We can accept a risk by taking no action 
6. Control activities: Policies and procedures are established and implemented to help
ensure the risk responses are effectively carried out.
7. Information and communication: Relevant information is identified, captured, and
communicated in a form and time frame that enable people to carry out their
responsibilities. Effective communication requires that appropriate, timely, and quality
information from internal and external sources flows down, up, and across the entity to
facilitate risk management and intelligent decision making.
8. Monitoring: The entirety of ERM is monitored, and modifications are made as
necessary. Monitoring is accomplished through ongoing management activities,
separate evaluations, or both.

The Sarbanes-Oxley Act of 2002

THE SARBANES OXLEY ACT

 A U.S. law passed on July 30, 2002 to protect investors from corporate accounting fraud
by improving financial reporting and auditing standards
 Bill Sponsors: Sen. Paul S. Sarbanes and Rep. Michael G. Oxley
 Enacted primarily due to financial statement fraud that was occurring in the early 2000s
(Enron, WorldCom, Tyco, Sunbeam)
 Emphasis placed on need for effective internal controls

KEY PROVISIONS OF SOX

 Created a new accounting oversight board (Public Company Accounting Oversight
Board or PCAOB)
 Strengthened auditor independence rules
 Increased accountability of company officers and directors
 Mandated upper management to take responsibility for the company’s internal control
structure
 Enhanced the quality of financial reporting
 Put teeth into white-collar crime penalties

OUTLINE OF SOX

Title I—Public Company Accounting Oversight Board:

Section 101: establishes the Public Company Accounting Oversight Board (PCAOB), an
independent board to oversee public company audits.

Section 107: assigns oversight and enforcement authority over the board to the Securities and
Exchange Commission (SEC).

Title II—Auditor Independence:

Section 201: prohibits a CPA firm that audits a public company from engaging in certain
nonaudit services with the same client. Most relevant to AIS is the prohibition of providing
financial information systems design and implementation services to audit clients.

Section 203: requires audit partner rotation in their fifth, sixth, or seventh year, depending on
the partner’s role in the audit.

Section 206: states that a company’s chief executive officer (CEO), chief financial officer
(CFO), controller, or chief accountant cannot have been employed by the company’s audit firm
and participated in an audit of that company during the prior one-year period.

Title III—Corporate Responsibility:

Section 302: requires a company’s CEO and CFO to certify quarterly and annual reports. They
are certifying that they reviewed the reports; the reports are not materially untruthful or
misleading; the financial statements fairly reflect in all material respects the financial position of
the company; and they are responsible for establishing, maintaining, and reporting on the
effectiveness of internal controls, including significant deficiencies, frauds, or changes in internal
controls.

Title IV—Enhanced Financial Disclosures:

Section 404: requires each annual report filed with the SEC to include an internal control report.
The report shall state the responsibility of management for establishing and maintaining an
adequate internal control structure and procedures for financial reporting. The report must also
contain management’s assessment, as of the end of the company’s fiscal year, of the
effectiveness of the internal control structure and procedures of the company for financial
reporting.

Section 406: requires that companies disclose whether or not they have adopted a code of
ethics for senior financial officers.

Section 407: requires that companies disclose whether or not their audit committee contains at
least one member who is a financial expert.

Section 409: requires that companies disclose information on material changes in their financial
condition or operations on a rapid and current basis.

Title V—Analysts’ Conflicts of Interests:

Requires financial analysts to properly disclose in research reports any conflicts of interest they
might hold with the companies they recommend.

Title VI—Commission Resources and Authority:

Section 602: authorizes the SEC to censure or deny any person the privilege of appearing or
practicing before the SEC if that person is deemed to be unqualified, have acted in an unethical
manner, or have aided and abetted in the violation of federal securities laws.

Title VII—Studies and Reports:

Authorizes the Government Accountability Office (GAO) to study the consolidation of public
accounting firms since 1989 and offer solutions to any recognized problems.

Title VIII—Corporate and Criminal Fraud Accountability:

Section 802: makes it a felony to knowingly destroy, alter, or create records or documents with
the intent to impede, obstruct, or influence an ongoing or contemplated federal investigation.

Section 806: offers legal protection to whistleblowers who provide evidence of fraud.

Section 807: provides criminal penalties of fines and up to 25 years’ imprisonment for those
who knowingly execute, or attempt to execute, securities fraud.

Title IX—White-Collar Crime Penalty Enhancements:


Section 906: requires that CEOs and CFOs certify that information contained in periodic reports
fairly presents, in all material respects, the financial condition and results of the company’s
operations. The section sets forth criminal penalties applicable to CEOs and CFOs of up to $5
million and up to 20 years in prison if they knowingly or willfully falsely so certify

Title X—Corporate Tax Returns:

Section 1001: conveys a “sense of the Senate” that the corporate federal income tax returns
are signed by the CEO.

Title XI—Corporate Fraud and Accountability:

Section 1102: provides for fines and imprisonment of up to 20 years for individuals who
corruptly alter, destroy, mutilate, or conceal documents with the intent to impair the documents’
integrity or availability for use in an official proceeding, or to otherwise obstruct, influence, or
impede any official proceeding.

Section 1105: authorizes the SEC to prohibit anyone from serving as an officer or director if the
person has committed securities fraud.

Section 404: Management Assessment of Internal Controls

Requires each annual report to contain an “internal control report”, which must include:

 Statement of management’s responsibility for establishing and maintaining adequate
internal control for financial reporting
 Statement identifying the framework by management to evaluate the effectiveness of the
internal control over financial reporting
 Management’s assessment of the effectiveness of the company’s internal control over
financial reporting as of the end of the company’s most recent fiscal year
 Statement that the external auditor has issued an attestation report

Defining Internal Control

The COSO Definition of Internal Control

INTERNAL CONTROL

In 1992, the COSO organization introduced a framework, Internal Control—Integrated
Framework, which itself became known as COSO. The definition of internal control contained in
COSO 1992 has become widely accepted and is the basis for definitions of control adopted for
other international control frameworks:
Internal control is a process—effected by an entity’s board of directors, management,
and other personnel—designed to provide reasonable assurance regarding the
achievement of objectives in the following categories:

• Effectiveness (the degree to which an objective is accomplished) and efficiency (the ability to
accomplish an objective with minimal waste of resources) of operations

• Reliability of financial reporting

• Compliance with applicable laws and regulations

COMPONENTS OF INTERNAL CONTROL

• Control environment: Sets the tone of an organization, influencing the control consciousness of
its people. It is the foundation for all other components of internal control, providing discipline
and structure.

• Risk assessment: The entity’s identification and analysis of relevant risks to the achievement
of its objectives, forming a basis for determining how the risks should be managed.

• Control activities: The policies and procedures that help ensure that management directives
are carried out.

• Information and communication: The identification, capture, and exchange of information in a
form and time frame that enables people to carry out their responsibilities.

• Monitoring activities: A process that assesses the quality of internal control performance over
time.

17 PRINCIPLES OF INTERNAL CONTROL

Control Environment

1. The organization demonstrates a commitment to integrity and ethical values.

2. The board of directors demonstrates independence from management and exercises
oversight of the development and performance of internal control.

3. Management establishes, with board oversight, structures, reporting lines, and appropriate
authorities and responsibilities in the pursuit of objectives.

4. The organization demonstrates a commitment to attract, develop, and retain competent
individuals in alignment with objectives.

5. The organization holds individuals accountable for their internal control responsibilities in the
pursuit of objectives.

Risk Assessment

6. The organization specifies objectives with sufficient clarity to enable the identification and
assessment of risks relating to objectives.

7. The organization identifies risks to the achievement of its objectives across the entity and
analyzes risks as a basis for determining how the risks should be managed.

8. The organization considers the potential for fraud in assessing risks to the achievement of
objectives.

9. The organization identifies and assesses changes that could significantly impact the system
of internal control

Control Activities

10. The organization selects and develops control activities that contribute to the mitigation of
risks to the achievement of objectives to acceptable levels.

11. The organization selects and develops general control activities over technology to support
the achievement of objectives.

12. The organization deploys control activities through policies that establish what is expected
and procedures that put policies into action.

Information and Communication

13. The organization obtains or generates and uses relevant, quality information to support the
functioning of internal control.

14. The organization internally communicates information, including objectives and
responsibilities for internal control, necessary to support the functioning of internal control.

15. The organization communicates with external parties regarding matters affecting the
functioning of internal control

Monitoring Activities

16. The organization selects, develops, and performs ongoing and/or separate evaluations to
ascertain whether the components of internal control are present and functioning.

17. The organization evaluates and communicates internal control deficiencies in a timely
manner to those parties responsible for taking corrective action, including senior management
and the board of directors, as appropriate.
FRAUD AND ITS RELATIONSHIP TO CONTROL

By definition, fraud is an intentional act of deception meant for unethical or unlawful gain.
Fraud always entails manipulating information for criminal purposes. The Foreign Corrupt
Practices Act is the law intended to prevent such irregularities; it states that “a fundamental
aspect of management’s stewardship responsibility is to provide shareholders with reasonable
assurance that the business is adequately controlled”.

Title XI of the Sarbanes-Oxley Act

Title XI is also known as the "Corporate Fraud Accountability Act of 2002" and reviews
additional guidelines regarding the rules and punishments concerned with fraudulent corporate
activities. This title gives the commission authority to freeze the funds of a company suspected
of committing violations of securities laws. The funds can be held in an interest bearing escrow
account until a full investigation is able to be completed. This title also grants the Commission
the authority of prohibiting a person from serving as a director or officer of a securities issuer if a
cease-and-desist proceeding is filed concerning the violations of securities law. The
Commission may bar a person from such activities as long as "the conduct of that person
demonstrates unfitness to serve as an officer or director of any such issuer."  

The act was passed to prevent fraud in the company: researching and brainstorming ideas to
evaluate the risk of misstatement, and considering the exposure of the entity to fraudulent
activity. The person assigned is the auditor, who should take into account the results of his or
her assessment.

The PwC report also indicates that fraud is a worldwide problem that is on a rising trend,
particularly during recessions. Both reports show that the losses are significant. Furthermore,
both reports concur that internal controls and audits are insufficient for detecting fraud. To
address the risk, fraud-prevention programs and detection measures, such as hotlines, are
required.

2012 ACFE REPORT TO THE NATION ON OCCUPATIONAL FRAUD AND ABUSE

Between October and December 2011, the Association of Certified Fraud Examiners (ACFE)
gathered data from Certified Fraud Examiners (CFEs) from 96 countries reporting fraud cases
they had personally investigated. Over half of the cases, or 57.2%, were from the United States
alone, an increase of 39% from 2010. The CFEs reported 1,388 cases of fraud, with a median
loss of $140,000. Almost one-fifth of these cases resulted in losses of at least $1 million. We
learn the following from the report summarizing these frauds:
 When projected to the entire global economy, respondents indicated that fraud costs the
average business 5% of its annual sales, amounting to a total loss of $3.5 trillion.
 Frauds were more likely to be detected by tips (e.g., through hotlines such as those
required by SOX) than through audits or internal controls.
 77% of the frauds were committed by individuals in accounting, operations, sales,
executive/upper management, customer service, or purchasing.
 Most fraudsters were first-time offenders with previously clean employment records.
 The most common red flags displayed by fraud perpetrators were living beyond their
means (44 percent of cases) and experiencing financial difficulties (30 percent of cases).
 Small businesses (less than 100 employees) were disproportionately victimized by fraud
(32 percent of cases) due to relatively weak anti-fraud controls.

IMPLICATIONS OF COMPUTER FRAUD AND ABUSE

There are now more opportunities for criminal infiltration because of the widespread use of
computers in commercial settings and their interconnection with one another and the Internet.
Numerous crimes, including identity theft, fraud, larceny, and embezzlement, have been
committed using computers. Computer fraud, computer abuse, and computer crime are common
terms used to describe crimes using computers. When an organization conducts e-business,
some of these frauds become more common. For instance, when a company accepts payment
by credit card and the card is not physically present during the transaction (such as sales made
over the phone or online), the company must suffer the loss if the transaction is fraudulent.

Computer Crime
Computer crime refers to any crime in which a computer is the intended victim or the means by
which the crime is carried out. The majority of computer crimes fall into these two basic types:
 The computer is used as a tool for the criminal to accomplish the illegal act. Examples
are criminals who use computers to break into bank accounts. In the Philippines, where
e-wallets like GCash and PayPal have become widespread for making payments, these
applications are still weak when it comes to internal control, because many users have
had problems such as money missing from their accounts or their accounts being hacked.
 The computer or the information stored in it is the target of the criminal. Computer
viruses fall into this category.

Malware - software designed specifically to damage or disrupt a computer system

 Salami Slicing - a fraud in which very small amounts (for example, the rounding fraction
of each transaction) are taken from a large number of accounts or transactions and
accumulated by the perpetrator, so that no single victim notices the loss.
 Back Door - A backdoor refers to any method by which authorized and unauthorized
users are able to get around normal security measures and gain high-level user access
(aka root access) on a computer system, network, or software application.
 Trojan Horse - A Trojan Horse (Trojan) is a type of malware that disguises itself as
legitimate code or software. Once inside the network, attackers are able to carry out any
action that a legitimate user could perform, such as exporting files, modifying data,
deleting files, or otherwise altering the contents of the device.
 Logic Bomb - A logic bomb is a set of instructions in a program carrying a malicious
payload that can attack an operating system, program, or network. It only goes off after
certain conditions are met. A simple example of these conditions is a specific date or
time.
 Worm - A computer worm is a subset of the Trojan horse malware that can propagate or
self-replicate from one computer to another without human activation after breaching a
system. Typically, a worm spreads across a network through your Internet or LAN (Local
Area Network) connection.
 Zombie - A zombie is a malicious program that is installed on a device and transforms it
into a “zombie” that attacks other systems. A computer or other device transformed by
zombie malware is first infected by a virus or Trojan.

Before we proceed to ethical considerations and the control environment, I want you all to
know what a computer virus is. A computer virus is a piece of program code that can attach
itself to other programs and "infect" them. Viruses can replicate themselves in the same way
that biological viruses do. When you run an infected program, open an infected document, or
boot a computer from an infected disk, viruses are activated. Computer viruses modify their
"host" programs, destroy data, or make computer resources inaccessible.

ETHICAL CONSIDERATIONS AND THE CONTROL ENVIRONMENT 

Ethical behavior and managerial integrity are outcomes of "corporate culture," which includes
ethical and behavioral standards, how they are communicated, and how they are reinforced in
practice. Official policies specify what management desires to occur. What actually happens
and which rules are followed, bent, or ignored are determined by corporate culture.
Management is in charge of internal control and can respond to this requirement either legally or
by creating a "control environment." In other words, management can either follow the "letter of
the law" (by form) or respond substantively to the need for control. The control environment
reflects the organization's general awareness of and commitment to the importance of control
throughout the organization (primarily the board of directors and management). In other words,
management can make an organization's control conscious by leading by example and
addressing the need for control at the top of the organization.

A FRAMEWORK FOR ASSESSING THE DESIGN OF A SYSTEM OF INTERNAL CONTROL

In this chapter's final major section, we begin our presentation of a framework for assessing the
design of an internal control system, including defining control goals and control plans. We are
still using a matrix to help us with our analysis. This type of matrix is known as a control matrix,
and it is a tool designed to help you evaluate the potential effectiveness of controls in a
business process by matching control goals with relevant control plans. Recall the Suprina
systems flowchart tackled in chapter 4 of the book; we now use that process to understand how
internal controls work. But before that, place yourself as a manager: what are the objectives you
are concerned with, and what are the related risks? The concerns we want to address are:
 We want all of the orders to be entered in a timely manner, but orders might be lost,
stolen, or delayed.
 We want all of the orders to be recorded correctly, but we might miss some orders,
record orders we didn’t get from a customer, or record order amounts incorrectly.
 We want all inventory changes to be recorded correctly.
 We want to accomplish all this with a minimum of resources.
A constant theme throughout this text has been that an organization defines goals, assesses
risks, and then implements processes and controls to provide reasonable assurance that those
goals are met. Consistent with that theme, the purpose of internal control is to provide
reasonable assurance of achieving objectives in three categories: operations, reporting, and
compliance with applicable laws and regulations. For our control framework, we convert those
three categories into control goals in two categories: operations process control goals and
information process control goals.

(Pic of Suprina Systems Flowchart)


Control Goals of Operations Processes
 business process objectives that relate to guaranteeing efficiency and effectiveness of
operations

1. Ensure effectiveness of operations - aims to ensure that a given operational
process is fulfilling the purpose for which it was created.
Effectiveness: A measure of success in meeting one or more goals for the
operations process.

2. Ensure efficient employment of resources - This refers to efficient utilisation of
business resources to meet business goals.
Efficiency: A measure of the productivity of the resources applied to achieve a
set of goals.

3. Ensure security of resources
Security of resources: Protecting an organisation’s resources from loss,
destruction, disclosure, copying, sale, or other misuse.

Control Goals of Information Processes
 business process objectives for reliable reporting
1. Ensure Input Validity

Input validity: Input data are appropriately authorized and represent actual
economic events and objects.

2. Ensure Input Completeness

Input completeness: All valid events or objects are captured and entered into a
system once and only once.

3. Ensure Input Accuracy

Input accuracy: All valid events must be correctly captured and entered into a
system.

4. Ensure Update Completeness

Update completeness: All events entered into a system must be reflected in the
respective master data once and only once.

5. Ensure update accuracy

Update accuracy: Data entered into a system must be reflected correctly in the
respective master data

Types of Error

Programming Error - logical or technical errors may exist in the program software
Operational Error - This may happen if input data are used for more than one
application, and we fail to use the inputs for all of the intended processes. 

Control Plans
- reflect information-processing policies and procedures that assist in accomplishing control
goals.

Control Plans classified:

based on Control Hierarchy:

1.    Control Environment

2.    Pervasive Control Plans

3.    Business Process Control Plans

In Relation to the Timing of their Occurrence:

1.    Preventive Control Plans

2.    Detective Control Plans

3.    Corrective Control Plans

CHAPTER 8: CONTROLLING INFORMATION SYSTEMS: INTRODUCTION TO PERVASIVE CONTROLS

FOUR IMPORTANT PERVASIVE CONTROLS

1. Organizational design with a focus on segregation of duties
2. Corporate policies with a focus on personnel policies
3. Monitoring controls; and
4. IT general controls.
1. Organizational Design Control Plans
Organizational design involves the creation of roles, processes, and formal reporting relationships in an
organization. Organizational design is a key component of a company’s internal control structure.

Aspects:

● Establishing departmental relationships
● Personnel reporting structures

Organizational design involves the creation of roles, processes, and formal reporting
relationships in an organization. One aspect of organizational design includes establishing departmental
relationships, including the degree of centralization in the organization. Another aspect involves
personnel reporting structures such as chain of command and approval levels. An example of
organizational design has the upper management of a company reporting to the board of directors.
Another example is separation of operating units such as sales, production from accounting units.
Additionally, we must also bear in mind that organizational design is a key component of a company’s
internal control structure.

THE SEGREGATION OF DUTIES CONTROL PLAN


Segregation of duties consists of separating the four basic functions of event processing:

• Function 1: Authorizing events.
• Function 2: Executing events.
• Function 3: Recording events.
• Function 4: Safeguarding resources resulting from consummating events.

Through the design of an appropriate organizational structure, no single employee should be in a
position both to perpetrate and to conceal frauds, errors, or other kinds of system failures.
Summary of Organizational Control Plans

The figure as shown on your screen summarizes a general model of the segregation of duties
control plan. As I have mentioned a while ago, segregation of duties is an internal control built for the
purpose of preventing fraud and error in financial transactions. Accordingly, it applies not only to classic
accounting transactions, such as a cash disbursement or credit sale, but also to other events and
activities, such as planning a company dinner or implementing a new general ledger system. In the
simplest way possible, segregation of duties only implies that no matter what the event, for proper
control, more than one person must be involved and functions must be separated.

Illustration of Segregation of Duties

Ideal segregation of duties requires that different units (departments) of an
organization carry out each of the four phases of event processing. In this way, collusion
would need to occur between one or more persons (or departments) to exploit the
system and conceal abuse.

The top half of the table defines the four basic functions. Controls to prevent unauthorized
execution of events help prevent fraud by ensuring that only valid events are recorded. Therefore,
Function 1, authorizing events, takes on particular significance in our segregation of duties model.
Control plans for authorizing or approving events empower individuals or computers to initiate events
and to approve actions taken subsequently in executing and recording events. Meanwhile, the bottom
half of the table extends the coverage of segregation of duties by illustrating the processing of a credit
sales event.

Segregation of duties is a key internal control intended to minimize the occurrence of errors or
fraud by ensuring that no employee has the ability to both perpetrate and conceal errors or fraud in the
normal course of their duties. That being said, an organization must be large enough to support at least
four independent units to implement segregation of duties effectively. For example, the customer
service department might be responsible for accepting customer orders and completing sales orders.
The credit department might be responsible for determining the existence of customers and approving
their creditworthiness. The warehouse might be responsible for safeguarding inventory while it is being
stored. The shipping department might be responsible for protecting inventory while it is awaiting
shipment and for executing the shipment.

HOW WOULD WE ACCOMPLISH SEGREGATION OF DUTIES IN SMALL AND LARGE ORGANIZATIONS?

● SMALL ORGANIZATIONS - separate the most critical duties.
● LARGE ORGANIZATIONS - automation of segregation of duties.

2. Personnel Policy Control Plans

● Selection and Hiring Control Plans
● Retention Control Plans
● Personnel Development Control Plans
● Personnel Management Control Plans
● Personnel Termination Control Plans

Personnel Policy Control Plans consist of the Selection and Hiring Control Plans, Retention
Control Plans, Personnel Development Control Plans, Personnel Management Control Plans, and
Personnel Termination Control Plans, and we are going to discuss it one by one but before that, let us
first define what is policy.

WHAT IS POLICY?

A policy is a plan or process put in place to guide actions and thus achieve goals. The term policy
applies to company activities in a variety of areas.

Whereas law can compel behaviors and enforce penalties for noncompliance (for example, a law
requiring the payment of taxes), policies guide behavior toward the actions that are most likely to
achieve desired goals. One major policy area that significantly affects internal control in an
organization is the area of personnel policies. While all departments within a company should
implement personnel policies, rigorous application of these policies is particularly important in both
fields related to accounting information systems.

1. Selection and Hiring Control Plans

Selection and hiring policies ensure that candidates applying for positions are carefully screened,
selected, and hired. This is common knowledge. Companies must choose which plans to employ based
on the salary level and job duties for the position for which the candidate is applying.

Summary of Personnel Control Plans

The figure above shows just some of the multitude of control plans that exist for selection and
hiring, as well as the number of personnel control plans aimed at mitigating the effects of these types of
risks.

2. Retention Control Plans

Retention control plans are aimed at keeping qualified personnel. Interviewing, hiring and training
employees is costly, thus once an appropriate employee has been hired, organizations want to retain
them.

This is where the significance of retention control plans comes in: companies develop policies to
provide creative and challenging work opportunities so that the qualified personnel they have hired
stay with the organization.

3. Personnel Development Control Plans

Training and Evaluation

● Determines whether an employee is satisfying the requirements of a position
● Assesses an employee’s strengths and weaknesses
● Assists management in determining whether to make salary adjustments and promote an
employee
● Identifies opportunities for training and for personal growth.

Personnel Development Control Plans consist of two major personnel development plans:
training and evaluation. Training must be adequate so that employees have the appropriate skills to
perform their work functions. The other factor in development is evaluation of current performance to
determine where training is needed. The formal review generally uses a standard format for all
employees and is performed for the following reasons: First, a review determines whether an employee
is satisfying the requirements of a position as indicated by a job description; second, it assesses an
employee’s strengths and weaknesses; third, it assists management in determining whether to make
salary adjustments and promote an employee; finally, it identifies opportunities for training and for
personal growth.

4. Personnel Management Control Plans

A personnel management plan is a portion of a business plan that details how a new business
intends to hire, compensate, and utilize its potential employees.

● Personnel planning control plans
● Management controls plans
● Job description control plans
● Supervision control plans
● Personnel security control plans

Personnel planning control plans identify the skill requirements needed in employees to
accomplish the firm’s goals; management controls plans are also put in place to forecast the number of
employees needed in each position, taking potential turnover into consideration, and develop a strategy
for filling necessary positions; job description control plans lay out the responsibilities for each position
on an organization chart and identify the resources to be used in performing those responsibilities; and
supervision control plans involve the processes of approving, monitoring, and observing the work of
others. Personnel security control plans help prevent the organization’s own personnel from committing
acts of fraud or theft of assets.

5. Personnel Termination Control Plans


Personnel Termination Control Plans address the policies in place when an employee leaves the
organization either voluntarily or involuntarily. Voluntary termination occurs when an employee retires
or leaves to pursue other opportunities. Involuntary termination occurs when an employee is laid off or
fired for cause. Termination control plans are particularly important when employees are fired for cause
because the employee is likely to be upset or angry and thus likely to do damage to the organization.
Termination control plans include collecting any items displaying the company’s identification such as
the letterhead, reclaiming office and building keys, and removing password access to data.

3. Monitoring Control Plans

● Monitoring in an internal control system means assessment by management to determine
whether the control plans in place are continuing to function appropriately over time.
● Monitoring control plans lead to the identification of the root cause of the error and, ideally, the
implementation of normal control plans to prevent future errors.
● A project monitoring and control plan integrates factors such as success, scope, schedule,
resources, risk, and costs.

4. IT General Controls and the COBIT Framework

- Organizational governance is the set of processes employed by organizations to select objectives,
establish control processes to achieve objectives, and monitor performance. This chapter is all about
IT General Controls and the COBIT Framework.

IT Governance - is a process that ensures that the enterprise’s IT supports the organization’s strategies
and objectives as well as protects the organization's assets.

WHAT IS A HYPOTHETICAL COMPUTER SYSTEM?

A system having multiple connections among the IT resources within and outside the organization.

In Hypothetical Systems, IT resources are typically configured with some, or all of the elements
in this figure. This computer system consists of one or more servers clustered together and housed in a
computer room within the organization’s headquarters. This computer is connected to printers, external
storage devices, and PCs, usually called clients, located within the building, and to PCs located in the
organization’s other facilities. All of these connections are via networks, often referred to as local area
networks (LANs) or wide area networks (WANs). Finally, computer facilities operated by other
organizations are connected, perhaps via the Internet and through firewalls, to the internal servers, PCs,
and other equipment.

Information Systems or IT Department

The first pervasive control plan was organizational design. Now we will summarize the structure
and segregation of duties within the organizational unit that is charged with developing, operating and
controlling an organization's information systems. This department is commonly known as the
Information Technology Department or IT Department.

WHY IS THE IT DEPARTMENT IMPORTANT?

The IT department is crucial to providing the technology required for a modern company to
support organizational objectives and to provide an environment in which business process control plans
can be effective. The structure of the department helps protect the company from data loss, data theft,
and other misuse, whether intentional or unintentional, from inside and outside the organization. An IT
department makes sure that technology is working for every member of the team so that there are
minimal interruptions to company workflow. The IT department is what keeps business continuity
strong. They are the ones who make sure the road is paved so the employees can drive their cars on it.

Information Systems or IT Department Organizational Design

The figure depicts a hypothetical IT department and their hierarchy, and their duties will be
discussed extensively in the next slides. As in any organization, the titles or reporting structures may vary
from company to company as it depends on the size and geographical locations of the company.
However, it is important to be familiar with the functionality of the positions that should exist in most IT
departments.

Segregation of Duties within the IT Department

The figure shows the segregation of duties in the IT department. While users oversee
transaction processing, the IT department is in charge of making the applications work to the
satisfaction of the users through application, data, and control processes. Thus, the IT department is
responsible for implementing and updating programs based on authorized user requests
(implementation), protecting data and computer equipment (security), and accurately and completely
processing data for users (operations). When considering the IT department's responsibilities, keep in
mind the four basic functions of events, namely: authorizing events, executing events, recording events,
and safeguarding resources. These responsibilities are treated as events within the IT department and
must be appropriately divided. Programmers, for example, should not be able to authorize a program
change, write the code to change the program, test their own changes, run a program, or have unlimited
data access. If they could, a programmer might authorize a change to the payroll program to
double his salary each pay period, execute that change into the computer program code, run the
program, and hide the overpayment by changing the data.
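
Both the four-function model (the credit sale carried out by four separate departments) and the IT-department rule that a programmer may not authorize, code, test and run a change can be checked mechanically against an assignment list. The script below is an added example and is not code from the reviewer notes or from any textbook figure; the duty names, the mapping of duties to the four functions, the four program-change stages and the sample assignments are constructed assumptions for illustration.

```python
"""Segregation-of-duties (SoD) conflict checker (added example).

Checks two rules from the notes:
  1. no single actor (a person or a department) may hold duties spanning more
     than one of the four basic functions: authorize, execute, record, safeguard;
  2. for a program change, the authorize / develop / test / promote stages must
     each be performed by a different person.
Duty names and the duty-to-function mapping are constructed for illustration.
"""
from collections import defaultdict
from itertools import combinations

FUNCTIONS = ("authorize", "execute", "record", "safeguard")

# Constructed mapping of duties to the four basic functions (credit sale example).
DUTY_FUNCTION = {
    "approve_credit": "authorize",
    "ship_goods": "execute",
    "post_sale": "record",
    "store_inventory": "safeguard",
}

# Constructed stages a program change passes through before production.
CHANGE_STAGES = ("authorize", "develop", "test", "promote")


def function_conflicts(assignments):
    """Return {actor: [functions]} for every actor whose duties span more than
    one basic function. `assignments` maps an actor (a person or a department)
    to the list of duties it performs. An unmapped duty raises KeyError so that
    it cannot silently pass the check."""
    held = defaultdict(set)
    for actor, duties in assignments.items():
        for duty in duties:
            held[actor].add(DUTY_FUNCTION[duty])
    return {actor: sorted(funcs) for actor, funcs in held.items() if len(funcs) > 1}


def uncovered_functions(assignments):
    """Return the basic functions that no actor performs at all: a gap rather
    than a conflict, but one the organization chart should explain."""
    covered = {DUTY_FUNCTION[d] for duties in assignments.values() for d in duties}
    return [f for f in FUNCTIONS if f not in covered]


def change_conflicts(change):
    """Return the pairs of program-change stages performed by the same person.
    `change` maps each stage in CHANGE_STAGES to the person who performed it."""
    missing = [s for s in CHANGE_STAGES if s not in change]
    if missing:
        raise ValueError(f"change record is missing stages: {missing}")
    return [(a, b) for a, b in combinations(CHANGE_STAGES, 2) if change[a] == change[b]]


if __name__ == "__main__":
    # Constructed sample: four departments, one per function, so no conflicts.
    good = {"credit": ["approve_credit"], "shipping": ["ship_goods"],
            "accounting": ["post_sale"], "warehouse": ["store_inventory"]}
    print(function_conflicts(good))
    # A small firm where one clerk both approves credit and records the sale and
    # the warehouse both stores and ships: both actors are reported.
    bad = {"clerk": ["approve_credit", "post_sale"],
           "warehouse": ["store_inventory", "ship_goods"]}
    print(function_conflicts(bad))
    print(uncovered_functions(bad))
    # The programmer from the notes doing everything except the move to production.
    print(change_conflicts({"authorize": "pat", "develop": "pat",
                            "test": "pat", "promote": "ops"}))
```

The same checker serves the small-organization case: feed it people instead of departments and it reports which of the most critical duties have ended up with one person, which is where compensating controls have to be placed.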

IT Organization Function

There are various control issues faced by each position within the IT Department, which is why
companies implement IT general controls.

The top of the Organization chart is the CEO of the company. The CEO sets the tone of the
company. Her job would be to set the strategic vision for the company. IT control plans implemented by
the CEO include ensuring that an IT steering committee exists, hiring a qualified CIO, and making sure
that the CIO puts in place an appropriate IT organization and technology infrastructure.

Also, at the top of the Organization chart, we see the IT Steering Committee. The steering
committee guides the IT organization in establishing and meeting user information requirements and in
ensuring the effective and efficient use of its resources. The key control concern of the committee is that
IT is not able to support the organization's objectives. High level interface of executives is an IT control
plan to help keep the committee in touch with organizational objectives. Another IT control process used
by the committee is the IT strategic planning process. As part of the planning process, the IT steering
committee matches the organizational and IT strategic plans and reviews and approves the strategic IT
plan. The strategic plan is then used to set the direction for the IT projects and authorizes the use of
company resources. As part of the planning process, the IT steering committee must also investigate a
competitor’s use of IT and be willing to take advantage of emerging technologies. The strategic IT plan
should not be a static document. Rather, the committee must meet regularly to keep the IT strategic
plan up to date to accommodate changes in organizational objectives and to leverage opportunities to
apply information technology for the strategic advantage of the organization. As you saw in Table 8.2,
the steering committee and the CIO are the main authorizing bodies for the IT department.

The CIO is the most senior executive in an organization responsible for the information
technology that supports the organization’s goals. If any part of the information system suffers a control
failure, the CIO is ultimately held responsible. The CIO’s responsibilities include designing the IT
organization, hiring people into the organization, controlling the IT budget, working with vendors, and
responding to IT issues. As mentioned earlier, the CIO must properly design the IT department to
ensure that IT services are delivered in an efficient and effective manner. IT budget control is also
important, as CIOs must justify IT expenditures compared to IT performance and risks. We previously
discussed the pervasive control of monitoring. The CIO is responsible for monitoring the
performance of IT services and controls.

Under the CIO are the Implementation Supervisor, the Security Supervisor, and the Operations
Supervisor. The main task of the Implementation Supervisor is to identify, develop or acquire, and
implement IT solutions. He must ensure that projects are undertaken in order of importance, completed
on time, and completed within budget. Projects include both new systems implementations and changes
to existing systems. Implementation of software changes is often referred to as the systems development
life cycle (SDLC). The SDLC covers the progression of an information system through the systems
development process, through implementation, to ongoing use and modification. The key control issues
in this position are systems changed or implemented without management approval; systems not
implemented on a timely basis; systems that fail to meet user needs; and systems that cost more than
budgeted. Should unauthorized or untested changes be made to such systems, the results could be
disastrous.

The first control plan that must occur in implementation of IT relates to the three analyst
positions which will be discussed thoroughly by our next reporter. But why do we need to have three
analysts? We need three analysts to ensure the segregation of duties within the implementation
process. Having three analysts helps ensure that the system will meet user needs and be implemented
without fraud. Another key control is establishing and using a project-management framework to ensure
that project selection is in line with plans and budgets and that the framework is applied to each project
undertaken. Activities within the project management framework include ensuring impact assessment,
program change controls, release and distribution policies, and methods to ensure that the project
management framework is being utilized. Program change controls provide assurance that all
modifications to programs are authorized and documented and that the changes are completed, tested,
and properly implemented. Changes in documentation should mirror the changes made to the related
programs. As we discussed earlier, improper segregation of duties and improper change controls could
allow a programmer to change a program for her own benefit.

SUMMARY OF THE IT DEPARTMENT FUNCTIONS

Figure 8.5 depicts the stages through which programs should progress to ensure that only
authorized and tested programs are placed in production. Again, notice the segregation of duties within
both the IT department and the implementation process.

BUSINESS ANALYST
The role of the Business Analyst within the system implementation function is to ensure that the
system meets user needs. The key control risk for the analyst, then, is that a system is developed that
does not meet user needs. The Business Analyst defines information and processing requirements
including inputs, outputs, processes, and data. To ensure that applications will satisfy users’ IT
requirements, the specifications should be developed with system users and be approved by
management and user departments.

SERVICE-LEVEL AGREEMENTS
If a third party is involved in the solution, a service-level agreement must be prepared and
approved. Service-level agreements include such items as the vendor’s responsibility with respect to
system availability, reliability, performance, capacity for growth, levels of user support, disaster
recovery, security, minimal system functionality, and service charges. Even if a third party is not involved
in the system, service-level agreements can be used to communicate IT department responsibilities and
capabilities to the organization’s various business units.

TESTING QUALITY ASSURANCE ANALYST AND TESTING PLAN

The job of the Testing Quality Assurance Analyst is to ensure the new system works properly and
prepare the system for turnover to the users. One of the first and most important tasks is the creation of
a testing plan, which includes the development of test data, follow-up procedures related to testing
failures, and the preparation of documentation.
As part of the testing plan, the Testing Quality Assurance Analyst will create test data either
using existing data or creating hypothetical data. One key element of the plan is to ensure that high-risk
areas are tested.

CONTROL PROCEDURE
Another control procedure important in testing is the documentation of defects. We keep
metrics on the number, types and sources of defects. Type refers to where the defect occurred: input
screen, processing step, output report, data storage. Source refers to the analyst responsible for the
system or part of the system. If there is a consistent pattern of defects, then remediation may be
required in the Systems Analyst position or a database design flaw may exist.

APPLICATION DOCUMENTATION
Systems documentation: Provides an overall description of the application, including the system’s
purpose; an overview of system procedures; and sample source documents, outputs, and reports.

Program documentation: Provides a description of an application program and usually includes the
following: The program’s purpose; program flowcharts; source code listings; descriptions of inputs, data,
and outputs; program test data and test results; and a history of program changes and approvals of such
changes.

Operations run manual: Gives detailed instructions to computer operators and to data control about
a particular application. These manuals typically specify input source, form, and when received; output
form and distribution; and computer operation instructions, including setup, required data, restart
procedures, and error messages.

User manual: Describes user procedures for an application. These instructions, which assist users in
preparing inputs and using outputs, include a description of the application, procedures for completing
source documents, instructions on how to input data to the computer, descriptions of manual files and
computerized data, instructions on how to perform manual and automated processing, explanations of
controls and procedures for distributing and using normal outputs.

USER TRAINING
The final step in a new system implementation is user training. Either the Business Analyst or the
Testing Quality Assurance Analyst generally performs user training. Alternatively, if the new system is
provided by a vendor, the vendor might provide user training. User training is important to help users
learn their jobs and perform consistently in those jobs. User training has consistently been found to be a
key factor in any new system’s success.

CONVERSION
Conversion to the new system is the last step in system implementation. At some scheduled
point in time, the old system will be removed and users will start processing in the new system.

MODEL DEVELOPED BY THE BUSINESS CONTINUITY INSTITUTE

1. Define the scope of the BCP and assign the BCP team responsibilities under the
direction of the Disaster Recovery Manager. The BCP team should be ready to respond in an
emergency.
2. Prioritize the activities and processes and specify the order and the time frame in which
they need to be restored if they are interrupted.
3. Define the recovery facilities.
4. Formalize and document a response plan.
5. Periodically rehearse the plan with affected parties and update as needed to make sure
that the plan is operating effectively.
6. Train employees so that they are prepared to respond to any business interruption in an
effective manner.

The Access Control Software for online resources has 4 parts. The first one is Identification and
Authentication. Surely, we all know how user IDs and passwords work, but one concern is
that passwords are notoriously a weak method for authenticating user identifications, since a lot of users
just create simple passwords for easier use or recollection. There even exists free software that can
decode simple word passwords in seconds. Companies combat this by applying a password
policy which requires longer passwords and the use of random characters. They also train employees not
to write down, divulge or leak their passwords. However, these methods can only do so much. The
best way to mitigate the aforementioned password risks is through the second part of the first step:
Authentication.

Authentication combines physical and logical identification control plans to verify a user’s identity. The
best example is a physical control plan that combines something you are, a biological trait that cannot be
taken by anybody else such as a fingerprint or facial features, with something you possess, such as a
smartcard or token, on top of unique IDs and passwords.
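
The two points above, that a password on its own is a weak authenticator and that it should be combined with something the user possesses, can be shown in working code. The script below is an added example, not code from the reviewer notes or from any product they describe: it applies an assumed password policy (length plus character classes), stores passwords only as salted PBKDF2 hashes, and requires a second factor in the form of a time-based one-time code of the kind produced by a hardware token or authenticator app (RFC 6238 TOTP, implemented here with the standard library). The user store, policy thresholds and the shared secret are constructed; the secret is the published RFC test secret so the code can be checked against its test vector.

```python
"""Two-factor authentication demo (added example): something you know plus
something you have. Password policy, user store and sample secret are
constructed assumptions for illustration."""
import hashlib
import hmac
import secrets
import struct
import time

MIN_LENGTH = 12          # assumed policy: longer passwords with mixed characters
PBKDF2_ROUNDS = 200_000  # work factor for the password hash
TOTP_STEP = 30           # seconds per one-time-code window (RFC 6238 default)
TOTP_DIGITS = 6


def password_policy_ok(password):
    """Assumed policy: at least MIN_LENGTH characters and three of the four
    character classes (lower, upper, digit, other)."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return len(password) >= MIN_LENGTH and sum(classes) >= 3


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the plaintext is never stored."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def totp(secret, timestamp, step=TOTP_STEP, digits=TOTP_DIGITS):
    """RFC 6238 time-based one-time code (HMAC-SHA1 over the time counter)."""
    counter = int(timestamp) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret, code, timestamp, window=1):
    """Accept the code for the current window and `window` steps either side,
    which tolerates small clock drift between token and server."""
    return any(hmac.compare_digest(totp(secret, timestamp + d * TOTP_STEP), code)
               for d in range(-window, window + 1))


def enroll_user(store, username, password, totp_secret):
    """Add a user to the (constructed, in-memory) store, enforcing the policy."""
    if not password_policy_ok(password):
        raise ValueError("password does not meet policy")
    salt, digest = hash_password(password)
    store[username] = {"salt": salt, "hash": digest, "totp_secret": totp_secret}
    return store


def authenticate(store, username, password, code, timestamp=None):
    """Both factors must verify; both are always evaluated so the response does
    not reveal which one failed."""
    ts = time.time() if timestamp is None else timestamp
    record = store.get(username)
    if record is None:
        return False
    pw_ok = verify_password(password, record["salt"], record["hash"])
    code_ok = verify_totp(record["totp_secret"], code, ts)
    return pw_ok and code_ok


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test secret (constructed store)
    store = enroll_user({}, "alice", "Correct-Horse-42", secret)
    print(totp(secret, 59))                                                   # RFC vector: 287082
    print(authenticate(store, "alice", "Correct-Horse-42", "287082", timestamp=59))  # True
    print(authenticate(store, "alice", "Correct-Horse-42", "000000", timestamp=59))  # False
    print(authenticate(store, "alice", "password", "287082", timestamp=59))          # False
```

The policy function rejects short dictionary-word passwords of the kind the notes say free software decodes in seconds, and the stored hash means a leaked user store does not hand out the passwords themselves; the one-time code is what makes a guessed or leaked password insufficient on its own.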

Although the access control software itself is already reliable, most companies employ another method
of protection called a firewall. It is a program or hardware device that filters the information coming
through the Internet connection. It acts like a literal wall, blocking unwanted or unknown information
from coming into a private network or computer system.

The last part of the access control software is the intrusion-detection system, which logs and monitors
who is on or trying to access the network. Typical user behavior is accumulated in user profiles.
Subsequently, when usage patterns differ from the normal profile, the exceptional activity is flagged and
reported. Organizations that do not want to wait until an unauthorized activity has occurred might
employ an intrusion-prevention system (IPS) to actively block unauthorized traffic using rules specified
by the organization.

Intrusion-detection system (IDS)
- logs and monitors who is on or trying to access the network
- flags and reports usage patterns that differ from the normal profile
  (*user profiles - accumulation of typical user behavior)

Intrusion-prevention system (IPS)
- actively blocks unauthorized traffic using rules specified by the organization
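
The IDS/IPS distinction above (profiles of typical behaviour that are flagged and reported, versus organization-specified rules that block) can be made concrete with a few log lines. The script below is an added example, not code from the reviewer notes or from any IDS product: it builds a per-user profile of the hosts and hours seen during a baseline period, flags later events that fall outside that profile, and separately applies blocking rules. The log format, the sample lines and the rules are constructed.

```python
"""Profile-based intrusion detection over login events (added example).
The IDS part learns typical hosts and hours per user from a baseline and
reports deviations; the IPS part applies fixed rules that block outright.
Log format, sample lines and rules are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format: ISO timestamp, user, source host, action.
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) action=(?P<action>\S+)$")

BASELINE = """\
2024-03-04T09:05:00 user=alice host=ws-17 action=login
2024-03-04T10:40:00 user=alice host=ws-17 action=login
2024-03-05T11:15:00 user=alice host=ws-17 action=login
2024-03-04T14:02:00 user=bob host=ws-22 action=login
2024-03-05T14:30:00 user=bob host=ws-22 action=login
""".splitlines()

NEW_EVENTS = """\
2024-03-06T10:10:00 user=alice host=ws-17 action=login
2024-03-06T03:12:00 user=alice host=ext-99 action=login
2024-03-06T14:20:00 user=bob host=ws-22 action=login
2024-03-06T15:00:00 user=carol host=ws-30 action=login
""".splitlines()


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ev = m.groupdict()
    ev["hour"] = datetime.fromisoformat(ev["ts"]).hour
    return ev


def build_profiles(lines):
    """Accumulate typical behaviour per user: hosts used and hours of activity."""
    profiles = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ev in map(parse, lines):
        profiles[ev["user"]]["hosts"].add(ev["host"])
        profiles[ev["user"]]["hours"].add(ev["hour"])
    return dict(profiles)


def detect(profiles, lines, hour_slack=1):
    """IDS: return [(line, [reasons])] for events that differ from the user's
    profile. Nothing is blocked; findings are for reporting and follow-up."""
    findings = []
    for line in lines:
        ev = parse(line)
        reasons = []
        profile = profiles.get(ev["user"])
        if profile is None:
            reasons.append(f"no profile for user {ev['user']}")
        else:
            if ev["host"] not in profile["hosts"]:
                reasons.append(f"host {ev['host']} not in profile")
            if all(abs(ev["hour"] - h) > hour_slack for h in profile["hours"]):
                reasons.append(f"hour {ev['hour']:02d} outside profile")
        if reasons:
            findings.append((line, reasons))
    return findings


# IPS: rules specified by the organization (constructed); a match blocks the
# connection instead of only reporting it.
IPS_RULES = [
    ("external host", lambda ev: ev["host"].startswith("ext-")),
    ("outside business hours", lambda ev: not 7 <= ev["hour"] <= 19),
]


def ips_decision(line, rules=IPS_RULES):
    """Return ("block", [matched rule names]) or ("allow", [])."""
    ev = parse(line)
    hits = [name for name, rule in rules if rule(ev)]
    return ("block", hits) if hits else ("allow", [])


if __name__ == "__main__":
    profiles = build_profiles(BASELINE)
    for line, reasons in detect(profiles, NEW_EVENTS):
        print("IDS:", line, reasons)
    for line in NEW_EVENTS:
        print("IPS:", ips_decision(line), line)
```

Note that the profile approach needs a clean baseline: if the anomalous behaviour was already present during profiling it becomes "normal", which is one reason the rule-based IPS is kept alongside it.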

Another option to protect data is data encryption, which takes plaintext and translates it to a coded text
form, or ciphertext, which cannot be read or is unintelligible until it is decrypted. Thus, if the access
control software, firewall, IDS, IPS, and data librarian all fail, unauthorized users still cannot read the
data.

The following are two types of encryption:

1. Symmetrical key or symmetric encryption

- The key used both by the sender to encrypt and by the receiver to decrypt the message is
the same. The drawback to having a single key is that it has to be transmitted by secure
channels. If the key is not kept secret, the security of the entire system is compromised,
since anyone who knows the key may access the data. To avoid this, companies use the second
type:

2. Public key cryptography or asymmetrical encryption

- This employs a pair of matched keys for each system user, one private (i.e., known only to the
party who possesses it) and one public. The public and private keys are not the same, but the
private key is mathematically paired with the user’s public key.
Another job in the security function is preventing unauthorized break-ins to information systems, usually
referred to as hacking or cracking.

Hacker - breaks into a computer system but does not hold malicious intent
Cracker - has a malicious intent (e.g., theft of data)

Technique Name - What the Hacker Does

Shoulder Surfing - Watches users type in passwords or user IDs or listens as they give account
information over the phone.
Scavenging or Dumpster Diving - Searches through rubbish for system information such as passwords.
Smoozing - Calls and requests a password based on some pretext.
Password Cracking - Uses software to decode passwords. Programs match an encrypted version of a
password to a list generated using common encryption algorithms.
Phishing - Sends out an e-mail pretending to be a legitimate business asking for information about the
user’s account.
Spyware - Gets a user to load software that captures usernames, passwords, and other information.

The table above provides examples of hacking techniques, some of which are called technical
hacking. An example is phishing, which sends an email probably containing a link that will
download malware to your device. Throughout this topic, we will be introduced to hypothetical job
positions which will help us see which control risks and plans positions like theirs are responsible for.
The first one deals with defeating these kinds of technical hacking. To do that, the company’s Security
Supervisor implements antivirus software. It is a program designed to detect and remove
viruses and other kinds of malicious software from your computer or laptop.

- It looks for malware such as:

o ransomware: shuts down a computer until money is paid
o keystroke loggers: tracks each keystroke
o backdoors: a method to surreptitiously enter a system
o worms: software that replicates itself and spreads
o adware: software that downloads or displays unwanted ads, and
o spyware: software that enables a user to obtain information about another user’s computer
activities

- It also tries to prevent attacks of:

o Spam: irrelevant or inappropriate messages, and
o Phishing: messages that attempt to learn information such as login credentials or account
information by masquerading as a reputable entity

Aside from the given techniques of hacking, there is a non-technical one called social engineering,
which relies on tricking people into breaking normal security procedures and which is harder to give a
concrete solution or prevention for. In fact, one of the biggest business security risks listed is careless or
uninformed employees. The control solution to social engineering risks is to conduct training and enact
security policies (e.g., password policy, shredding documents policy, clear desk and locked office policies).

A final serious threat, one that can affect the ability of Internet-based businesses to operate, is a DoS
attack. In a DoS attack, malicious connection requests are sent from just one compromised device,
meaning the attack is coming from one location only, as compared to one of its variants called a DDoS,
which uses multiple compromised devices to attack. This is the more effective way of attacking because
each computer has its own IP address, meaning it is more difficult to detect that an attack is taking place
than it would be if all the messages were coming from one address.

DoS attacks start with fake consumer engagements to cause traffic to the website, therefore
not letting it perform its normal activities, which usually are of service to their customers, hence the name
Denial of Service. Its primary goal is not to steal information but to slow down or eventually take down
the website. It is said that the reasons hackers do this are diverse; it could be simple fun, financial gain, or
even an ideology or message they want to get across.
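
The detection point made above, that a flood from one address is easy to spot while the same flood spread across many addresses is not, can be shown with two sliding-window counters over a request log. The script below is an added example, not code from the reviewer notes or from any product they mention: a per-source counter catches the single-source case, and an aggregate counter catches the distributed case where no one source exceeds the per-source limit. The request samples, thresholds and addresses are constructed (198.51.100.0/24 and 192.0.2.0/24 are reserved documentation ranges).

```python
"""Request-rate monitoring for DoS / DDoS conditions (added example).
Two sliding-window counters over a constructed request log: a per-source
counter (single flooding address) and an aggregate counter (flood spread
thinly across many addresses). Thresholds and addresses are constructed."""
from collections import defaultdict, deque

WINDOW_SECONDS = 5
MAX_PER_SOURCE = 10      # requests per window one client may make (assumed)
MAX_TOTAL = 100          # requests per window the site can serve (assumed)


def per_source_alarms(events, window=WINDOW_SECONDS, limit=MAX_PER_SOURCE):
    """Return the set of source addresses that exceeded `limit` requests in any
    `window`-second span. `events` is a list of (timestamp, source_ip) in time
    order."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip in events:
        q = recent[ip]
        q.append(ts)
        while q[0] <= ts - window:   # drop requests that fell out of the window
            q.popleft()
        if len(q) > limit:
            flagged.add(ip)
    return flagged


def aggregate_alarm(events, window=WINDOW_SECONDS, limit=MAX_TOTAL):
    """Return (alarm, peak) where peak is the largest number of requests from
    all sources together in any `window`-second span. This is what catches a
    distributed flood whose individual sources all stay under the per-source
    limit."""
    q = deque()
    peak = 0
    for ts, _ in events:
        q.append(ts)
        while q[0] <= ts - window:
            q.popleft()
        peak = max(peak, len(q))
    return peak > limit, peak


def classify(events):
    """Summarise what the two monitors see: 'dos', 'ddos', 'both' or 'normal'."""
    sources = per_source_alarms(events)
    total, _ = aggregate_alarm(events)
    if sources and total:
        return "both"
    if sources:
        return "dos"
    if total:
        return "ddos"
    return "normal"


# Constructed samples: one address sending 50 requests in 5 seconds alongside
# two ordinary clients; 40 addresses sending 3 requests each within 1.4 seconds;
# one client sending a request every 10 seconds.
SINGLE_SOURCE = sorted([(i * 0.1, "198.51.100.7") for i in range(50)] +
                       [(1.0, "192.0.2.10"), (3.0, "192.0.2.11")])
DISTRIBUTED = sorted((j * 0.5 + i * 0.01, f"198.51.100.{i}")
                     for i in range(40) for j in range(3))
QUIET = [(t, "192.0.2.10") for t in range(0, 60, 10)]

if __name__ == "__main__":
    for name, sample in (("single", SINGLE_SOURCE), ("distributed", DISTRIBUTED), ("quiet", QUIET)):
        print(name, classify(sample), per_source_alarms(sample), aggregate_alarm(sample))
```

The aggregate monitor only tells you that the site is saturated, not who is responsible, which is exactly the detection difficulty the notes attribute to a DDoS; the per-source list is what a firewall or IPS rule could act on.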

Operations Supervisor

To deliver services efficiently and effectively means that computer equipment is functional and in place,
that required data is entered correctly and accurately and is available to users, and that users know how
to operate their systems or can get technical help as needed.

Infrastructure and Network Manager

The advanced state of today’s hardware technology results in a high degree of equipment reliability;
unless the system is quite old, hardware malfunctions are rare. Even if a malfunction occurs, it is usually
detected and corrected automatically. In addition to relying on the controls contained within the
computer hardware, organizations should perform regular preventive maintenance (which involves
periodic cleaning, testing, and adjusting of computer equipment) to ensure their equipment’s continued
efficient and correct operation.

Cloud Computing
Main control concerns:

- Support and overall control of the cloud computing services are largely in the hands of the third-
party cloud service provider. There is typically no 24/7 on-call support, with one-hour response
time common

- Much of the cloud communication occurs over the Internet. Unless a secure network
connection or encrypted line is used, the communication is in clear text with associated security
risks.

- Cloud users commonly use browsers, including older versions that have known security
vulnerabilities.

- Cloud service providers’ employees might have loosely controlled access to sensitive data
stored on their servers.

- Cloud services have been known to go down for up to an hour, and some startup cloud vendors
have even failed.

Database Administrator
Database administrators define data elements, configure data relationships, make sure the database is
normalized, modify the database structure, as necessary for new applications, produce entity
relationship and data flow diagrams, and generate various reports as needed by querying the database.
The Database Administrator and the Access Control Officer must work closely together to ensure
appropriate access to the data in the database. In fact, in some organizations these jobs are joined
together.

Help Desk Manager


Help desk managers ensure that users make effective use of IT. To do that, the users must be trained,
ready, and able to use the systems. Help desk managers therefore help identify the training needs of all
personnel, internal and external, who use the organization's IT services, and see that timely training
sessions are conducted.

Operations Quality Assurance Analyst


The operations quality assurance analyst is in charge of monitoring IT operations to ensure that IT
controls are working properly and that follow-up actions are taken as needed.

Quality Assurance Manager


The quality assurance manager monitors key performance indicators on users' expectations and
experiences regarding IT, and communicates issues to management.

COBIT (Control Objectives for Information and Related Technology)


With all that has been discussed about the IT organization, we have established that IT is a critical
and complex resource for organizations. Over the years, several frameworks have been developed to
manage and audit IT. The best-known framework for that task is Control Objectives for Information
and Related Technology (COBIT), developed by ISACA (Information Systems Audit and Control
Association), a nonprofit professional association that prepares and disseminates knowledge and tools
for information systems professionals and also serves as a certification body for them.

The IT control document known as COBIT has had five major releases since its inception in 1996. Each
version of COBIT has taken a more encompassing view of the control of information technology; this
broadening of the COBIT model occurred as a result of the increasing importance of IT in organizations.
The fifth version, COBIT 5, was released in June 2012 and finalized in June 2013.

Thus, COBIT has shifted its center of focus from "IT" to "governance" and is more inclusive than
previous or competing IT management models. COBIT 5 uses what it calls a "holistic" approach: a
complete, comprehensive approach that an enterprise tailors to its own specific needs, putting IT
control within the larger context of enterprise-wide governance and management.
Principle 1: Meeting Stakeholder Needs. Since enterprises exist to create value for their stakeholders,
it makes sense that the key objective of governance and management should be value creation. In turn,
value creation has three objectives or components: benefits realization, risk optimization, and resource
optimization.

Principle 2: Covering the Enterprise End-to-End. COBIT 5's holistic and enterprise orientations
make integrating GEIT (governance of enterprise IT) into overall enterprise governance a top priority.
COBIT 5 is not "IT focused" but instead takes an enterprise-wide view. It covers all functions and
processes in the enterprise and treats all IT governance and management enablers as applying to the
entire enterprise, end to end.

Principle 3: Applying a Single, Integrated Framework. COBIT 5 can align with any IT standard,
practice, and guidance procedures available to enterprises at a high level and thereby provide an
enterprise with a single, integrated, overarching framework for IT governance and management. This
overall framework is context and principles based, allowing for flexibility and dealing with open-ended
situations.

Principle 4: Enabling a Holistic Approach. Enablers are the means to achieving COBIT 5's governance
objectives for the enterprise. Specifically, enablers support the implementation in an enterprise of an
all-inclusive governance and management structure for IT. The COBIT 5 framework specifies seven
categories of enablers, as seen in the figure:

[Figure: the seven COBIT 5 enabler categories. Principles, policies and frameworks (PPF) apply to the
three enablers concerned with the organization's framework and roots (processes; organizational
structures; culture, ethics and behavior) and to the three that are the organization's resources
(information; services, infrastructure and applications; people, skills and competencies).]

Principle 5: Separating Governance from Management. COBIT 5 strongly differentiates


governance and management. These two functions have different activities, organizational structures,
and purposes. This distinction is critical to COBIT 5.

Governance: ensures that stakeholder needs, conditions and options are evaluated to determine
balanced, agreed-on enterprise objectives to be achieved; sets direction through prioritization and
decision making; and monitors performance and compliance against the agreed-on direction and
objectives.

Management: plans, builds, runs, and monitors activities in alignment with the direction set by the
governance body to achieve the enterprise objectives.
Differentiation between a process and a domain. A process is a set of procedures and practices,
whereas a domain is a set of processes. COBIT 5 has 5 domains and 37 processes.

5 domains:

1. Evaluate, Direct, and Monitor (EDM)

Also known as the governance domain. Here stakeholder needs are evaluated to identify and agree
on the objectives to be achieved, direction is set through prioritization and decision making, and
performance is monitored against those objectives.

2. Align, Plan, and Organize (APO)

Deals with how IT is used and determines how it can best be applied to achieve the company's
goals and objectives. Here, organizational and infrastructural aspects are highlighted to achieve
optimal results.

3. Build, Acquire, and Implement (BAI)

Identifies IT requirements, acquires the technology, and implements it within the company's
current business processes.

4. Deliver, Service, and Support (DSS)


Focuses on the delivery aspects of the IT environment such as execution of the applications
and their results, and the support processes that enable the effective and efficient execution
of these IT systems.

5. Monitor, Evaluate, and Assess (MEA)

Monitors and evaluates IT performance and conformance: whether the current IT system is still in
line with the company's objectives, whether the system of internal control is working, and whether
compliance requirements are being met.
CHAPTER 9: Controlling Information Systems: Business Process and Application
Controls

Learning Objectives
● Describe the steps required to build a control matrix.
● Prepare a control matrix.
● Write explanations that describe how the business process and application controls introduced
in this chapter accomplish control goals.
● Describe the importance of business process and application controls to organizations with
enterprise systems including those engaging in E-business.

Implementing the Control Framework

The Control Matrix


A control matrix is a tool designed to assist you in evaluating or assessing the potential
effectiveness of controls in a particular business process by matching control goals with their associated
control plans. PCAOB Auditing Standard No. 5 calls this “Effectiveness of Control Design.” Assessing the
effectiveness of control design is required to comply with SOX Section 404. When management and
independent auditors perform this assessment, they will use a control matrix that is a variation of the
one used in our control framework.

Figure 9.1 simple example of control matrix


Figure 9.1 presents a simple example of a control matrix. There are 4 elements of the control
matrix: Control goals, recommended control plans, cell entries, and explanation of cell entries.

The control matrix provides a means to document, explain, and analyze the controls that have
been annotated on a systems flowchart. The intention here in Figure 9.1 is to demonstrate the process
which provides us with an overview of the control matrix elements and how they relate to each other,
and walk us through the steps in preparing the matrix.

Steps in Preparing the Control Matrix


STEP 1: Specify Control Goals

1. Identify operations process control goals:


a. Effectiveness goals (there may be more than one)
b. Efficiency goals (usually people and computers)
c. Security goals (consider all affected data and tangible assets)
2. Identify information process control goals:
a. Input goals (validity, completeness, and accuracy)
b. Update goals (completeness and accuracy), if the process is periodic

STEP 2: Identify Recommended Control Plans


Here is an example of a systems flowchart. Reviewing the Suprina systems flowchart (Figure 9.2), you
will find that the first process is entitled "Enter customer order data." Can this help us accomplish a
control goal? As we will learn later in the chapter, the location of the data entry process can be
important. In this case, by entering the customer orders on their laptops, sales reps can ensure more
timely inputs, enter the orders in an efficient manner, and reduce the number of lost and incorrect
orders. Because this process appears on the flowchart, this control plan already exists, meaning that it
is present as opposed to missing. Accordingly, we annotate the systems flowchart with P-1: a P
indicating that the plan is present, and a 1 because it is the first present control plan on the flowchart.

1. Identify present control plans and annotate them on the systems flowchart.
2. Evaluate present control plans.
3. Identify and evaluate missing control plans (M-1, M-2, through M-n).
a. Examine the control matrix
b. Analyze the systems flowchart for further risk exposures
P-1: Enter data close to the location where the customer order is prepared.

• Effectiveness goal A, efficient employment of resources:


• Customer order input completeness:
• Customer order input accuracy:

P-2: Customer credit check


• Effectiveness goal B:
• Security of resources:

• Sales order input validity:

M-1: Agreement of run-to-run totals.

• Update completeness, update accuracy:

M-2: Programmed edit checks.

• Efficient employment of resources:


• Customer order input accuracy:
Sample Control Plans for Data Input
Two methods for processing input data:

(1) manual and automated data entry (immediate mode), and

(2) data entry with batches of input data

Data entry, the first step in processing information, is also the phase where most errors are
introduced: wherever a person keys data by hand, mistakes are inevitable. The controls discussed
below address the two methods in turn.

Improvements that have been made to address the errors and inefficiencies of the data entry process:

● The data entry process is frequently automated to reduce or eliminate manual keying
● Business events done via the Internet or electronic data interchange (EDI)
● Multiple steps in a business process may be tightly integrated, as in an enterprise system

The first improvement is the automation of the data entry process itself, with the aim of reducing or
fully eliminating manual keying. The second is processing business events via the Internet or
electronic data interchange, where buyers and sellers exchange their terms electronically and no
manual rekeying of data is needed. The third is the tight integration of multiple steps of a business
process, as in an enterprise system, so that data captured once is reused and several steps are reduced
to one.

System Description and Flowchart


Assume that the document is designed to simplify the data entry process and that it
includes the signature of an authorizing individual
First, in describing the system, we will use an annotated systems flowchart. The first step
starting from the upper left part involves the data entry clerk which is presented with a preformatted
input screen for them to key in certain data such as identification numbers, customer codes and item
numbers. Once all necessary data is placed, the computer displays the master data associated with the
record ID. Next, it is the task of the clerk to ensure that the information presented is correct by
comparing what was manually entered and automatically shown. If there’s an error, corrective measures
may be taken (“Error routine not shown”) such as entering the corrected code. Then, the data entry
clerk would enter the remaining data regarding the order details. If all manual entries pass the edits, a
message will be displayed indicating that the input has been accepted for processing.

The right side of the flowchart shows the automated data entry process, which roughly parallels the
manual entry by the data entry clerk, with a few exceptions. The data is not entered by a clerk but by
the customer's computer system and is submitted via the Internet to the seller's computer. A digital
signature accompanies the order so the seller can verify that it came from a legitimate customer and
was not altered in transit. Then the input data is compared to the master data. If all automated entries
pass the edits, a message is sent back to the business partner or customer through the web server
indicating that the input has been accepted for processing.

Applying the Control Framework


Apply the control framework to the generic data entry system

The sample control matrix included only one effectiveness goal which is to ensure timely input of a
specific event data. The recommended control plans are listed in the first column and the Update
Completeness and Update Accuracy control goals of the information process in the last two columns
have been shaded to emphasize that they do not apply to this analysis because there is no update of any
master data based on the flowchart presented.

1. Document design - a source document is designed to make it easier to prepare the document
initially and later to input data
2. Written approvals - ensure that the data input arises from a valid business event and that
appropriate authorizations have been obtained
   Electronic approvals - business events are routed to persons authorized to approve the event

The first control plan is document design, which pertains to a source document designed for easier
preparation of the document initially and, subsequently, for easier input of data from the document
into a computer or other input device. In the control matrix it carries the control number P-1, meaning
it is the first present control plan. It achieves effectiveness goal A, efficient employment of resources,
and input accuracy, ensuring the correctness of the data put into the system.

Written approvals ensure that the data input arises from a valid business event and that appropriate
authorizations have been obtained by taking the form of signature or initials on a document to indicate
that someone has authorized the transaction. Electronic approvals also exist. The P-2 control number is
under security of resources and input validity.

3. Preformatted screens - defining the acceptable format of each data field


4. Online prompting - Requests user input or asks questions that the user must answer

The third control plan is preformatted screens which control the entry of data by defining the acceptable
format of each data field. Looking at the matrix, the P-3 control number is under effectiveness goal A,
efficient employment of resources and input accuracy because it reduces the number of keystrokes
required, making data entry quicker and more efficient.

Next control plan is for online prompting wherein the system requests user input or asks questions that
the user must answer. For example, after entering all the input data for a particular customer order, you
might be presented with three options: “Accept” the completed screen, “Edit” the completed screen, or
“Reject” the completed screen. On the matrix, the P-4 control number is under effectiveness goal A,
efficient employment of resources and Input accuracy.

5. Populate input screens with master data - by entering an identification code, the system
automatically provides data from the master data
6. Compare input data with master data - manual and automated input of data is compared to
master data to determine its accuracy and validity
   a. Input/master data match
   b. Input/master data dependency checks
   c. Input/master data validity and accuracy checks

For the fifth control plan, the system automatically provides data from the master data because with
fewer keystrokes and using the existing data, fewer keying mistakes are expected. It is present under
four cells which are Effectiveness goal A, efficient employment of resources, input validity and input
accuracy.

Next, when the master data is prompted to appear on the screen, it advises the user to determine the
manual data’s accuracy and validity. Under this plan, we have three comparisons: first is Input/master
data match (to test whether the code manually entered will display the existing information about the
same customer). Second is Input/master data dependency checks (to test whether the contents of two
or more data elements of the event have the correct logical relationship). Last type of comparison is
Input/master data validity and accuracy checks (to test whether master data supports the validity and
accuracy of the input). On the matrix, the
P-6 control number is under the same control goals as the fifth plan since it is interrelated.

7. Procedures for rejected inputs - to ensure that erroneous data are corrected and
resubmitted for processing.
8. Programmed edit checks - erroneous data may be highlighted on the input screen to allow
the operator to take corrective action immediately
   a. Limit checks
   b. Document/record hash totals
   c. Mathematical accuracy checks
   d. Check digits

Procedures for rejected inputs are designed in case an error was found and that it should be
resubmitted for processing. To make sure that the corrected input does not contain errors anymore, the
corrected input data should undergo all routines through which the input was processed originally. P-7 is
placed under input completeness and input accuracy.

Programmed edit checks are automated tests the system applies to input data immediately as it is
keyed. The most common types are: limit checks, in which the data must fall within a predetermined
range (for example, a value must be between 1 and 100); document/record hash totals, the sum of some
numeric data field within the input document or record, recomputed by the system and compared with
the total taken from the document; mathematical accuracy checks, which compare a total or extension
calculated manually on the document with the one the computer calculates from the entered data; and
check digits, an extra digit appended to an identification number such as a customer number or vendor
number, originally calculated by applying a formula to the number, so that a mistyped or transposed
number fails the formula and is rejected before any lookup. The P-8 control number is under
effectiveness goal A, efficient employment of resources, and input accuracy.
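The following is an added example (not code from the page or its textbook) that implements control plans 6 and 8 above as one order-validation routine: the input/master data match, dependency check and validity/accuracy check, plus the limit check, document hash total, mathematical accuracy check and check digit. The master data, the order records and the choice of the Luhn mod-10 formula for the check digit are assumptions made for the example; money is held in cents so the arithmetic checks are exact.

```python
"""Programmed edit checks and input/master-data comparisons on a customer order (example)."""
from datetime import date

# Constructed master data (assumed for the example). Money is in cents to avoid float error.
CUSTOMERS = {
    "102343": {"name": "Acme Supply", "credit_limit": 500_000},
    "209874": {"name": "Brown & Co", "credit_limit": 50_000},
}
ITEMS = {
    "1001": {"desc": "Widget", "unit_price": 1250},
    "1002": {"desc": "Gadget", "unit_price": 4999},
    "1003": {"desc": "Bracket", "unit_price": 375},
}
QTY_MIN, QTY_MAX = 1, 100   # limit-check bounds (the 1..100 range used as the example above)


def luhn_checksum(digits: str) -> int:
    """Luhn mod-10 sum, assumed here as the check-digit formula; 0 means the number passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10


def with_check_digit(payload: str) -> str:
    """Append the digit that makes luhn_checksum() of the whole number equal 0."""
    return payload + str((10 - luhn_checksum(payload + "0")) % 10)


def check_digit_valid(number: str) -> bool:
    return number.isdigit() and luhn_checksum(number) == 0


def validate_order(order: dict) -> list:
    """Run every edit check; return the list of error messages (empty list = accepted)."""
    errors = []
    cust_no = order["customer_no"]
    # Check digit: catches a mistyped or transposed customer number before any lookup.
    if not check_digit_valid(cust_no):
        errors.append(f"customer_no {cust_no}: check digit fails")
    # Input/master data match: the keyed code must exist in the customer master.
    elif cust_no not in CUSTOMERS:
        errors.append(f"customer_no {cust_no}: no such customer")
    # Input/master data dependency check: two fields must stand in the right logical relationship.
    if order["ship_date"] < order["order_date"]:
        errors.append("ship_date precedes order_date")

    computed_total, computed_hash = 0, 0
    for line in order["lines"]:
        item_no, qty, price, ext = line["item_no"], line["qty"], line["unit_price"], line["extended"]
        master = ITEMS.get(item_no)
        if master is None:
            errors.append(f"item {item_no}: not in item master")
        # Input/master data validity and accuracy check: keyed price must agree with the master price.
        elif price != master["unit_price"]:
            errors.append(f"item {item_no}: unit price {price} differs from master {master['unit_price']}")
        # Limit check: quantity must fall within the predetermined range.
        if not QTY_MIN <= qty <= QTY_MAX:
            errors.append(f"item {item_no}: qty {qty} outside {QTY_MIN}..{QTY_MAX}")
        # Mathematical accuracy check: the keyed extension must equal qty x unit price.
        if qty * price != ext:
            errors.append(f"item {item_no}: extended {ext} != {qty} x {price}")
        computed_total += ext
        computed_hash += int(item_no) if item_no.isdigit() else 0
    if computed_total != order["order_total"]:
        errors.append(f"order_total {order['order_total']} != sum of lines {computed_total}")
    # Document hash total: meaningless as a number, but a dropped or mis-keyed item number changes it.
    if computed_hash != order["item_hash_total"]:
        errors.append(f"item hash total {order['item_hash_total']} != computed {computed_hash}")
    return errors


def good_order() -> dict:
    """A constructed order that passes every check."""
    return {
        "customer_no": with_check_digit("10234"),     # "102343"
        "order_date": date(2024, 3, 1), "ship_date": date(2024, 3, 4),
        "lines": [
            {"item_no": "1001", "qty": 10, "unit_price": 1250, "extended": 12_500},
            {"item_no": "1003", "qty": 4, "unit_price": 375, "extended": 1_500},
        ],
        "order_total": 14_000,
        "item_hash_total": 1001 + 1003,
    }


def bad_order() -> dict:
    """The same order with keying mistakes a clerk could plausibly make."""
    o = good_order()
    o["customer_no"] = "102334"             # transposed digits: check digit fails
    o["lines"][0]["qty"] = 150              # limit check (and the extension no longer agrees)
    o["lines"][1]["extended"] = 1_400       # arithmetic slip
    o["item_hash_total"] = 1001 + 1002      # item number copied from the wrong line
    return o


if __name__ == "__main__":
    print("good order errors:", validate_order(good_order()))
    for e in validate_order(bad_order()):
        print("rejected:", e)
```

The ordering matters in practice: the check digit runs before the master-data lookup, so a transposed customer number is rejected without ever pulling up (and silently populating the screen with) another customer's record.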

9. Confirm input acceptance - causes the data entry program to inform the user that the input
has been accepted for processing
10. Automated data entry - use of fewer human resources and capture more data in a period of
time than is possible with manual entry.

Confirming input acceptance causes the data entry program to inform the user that the input has been
accepted for processing. By advising the user that input has been accepted, this confirmation helps
ensure input completeness where P-9 is placed in the control matrix.

Automated data entry falls under Effectiveness goal A, efficient employment of resources and input
accuracy.

11. Enter data close to the originating source - strategy for the capture and entry of event-
related data close to the place and time that an event occurs
12. Digital signatures - confirm the identity of the sender and the integrity of an electronic
message to reduce the risk that a communication was sent by an unauthorized user or system

Entering data close to the originating source captures event data close to the place and time the event
occurs, so input is more timely and there is less handling of the data in between. Input can also be more
accurate because the data entry person is in a position to recognize and immediately correct input errors.

Digital signatures make it possible to confirm the identity of the sender and the integrity of an electronic
message, reducing the probability that a communication was sent by an unauthorized user or system. A
signature also lets the receiver detect whether the message was modified in transit; it does not, by itself,
keep the message from being read by others, which is a job for encryption. This plan falls under security
of resources along with input validity and input accuracy.

Control Plans for Data Entry with Batches


Manual controls:
- need external (human) effort
- less reliable and efficient
- continuous operation is not possible because humans operate them
- need trained and well-skilled staff to yield effective results
- additional risks arise; susceptible to human error

Automated controls:
- self-operating system
- more reliable and efficient
- decrease work time but are more complex to develop
- require more maintenance; thus, they are costly
- suitable for a high volume of transactions

Similarities:
1. Minimize risks
2. Improve data and outputs
3. Ensure accuracy and validity

Systems commonly used today operate in immediate mode, in which data is entered into the system as
the business event happens. There are still systems that collect data in groups or batches and process
the batch at a later time.

Manual Controls → those that depend on the ability, training, and diligence of the data entry
personnel. Basically, it needs human interaction or intervention to be able to be effective. That is why
training and knowledge is important among data entry clerks, since they must be familiar with the
technicalities and the concepts towards data entry.

For example, written approvals will only be effective if the clerk is informed of the validity and approval
of documents to be inputted, further, they must know when there are errors between the master data
and the inputs formerly recorded and then fix the said differences.
Automated controls → everything that is performed by the computer system; their reliability depends
on the general controls (ITGCs) over that system. The company must therefore ensure that these
automated controls work as designed, since they are prone to technical issues and only keep producing
the desired results if they are checked regularly.

Automated control example is an ERP system three-way matching where the ERP system automatically
reconciles the purchase invoice to the underlying purchase order and goods receipt. Other examples
include electronic approvals, comparing inputs with master data, digital signatures, and so on.

In conclusion, Manual needs human actions, whereas in Automated, it works on computerized actions.

Batch Processing System

Above is an example of a batch processing system. The procedure of the batch processing system is
reflected in the flowchart. From the left side, in the first column, the shipping department receives the
picking tickets from the warehouse together with the goods bound for shipment. This is where batches
come into action. Upon receiving the tickets, an employee combines them into groups of, for example,
25 and then calculates the batch totals. A batch total, to reiterate, is the sum of a particular field in a
collection of items, used as a control total to ensure that all data has been entered into the computer.
Then the batch of documents is scanned. Along with recording the batch, the program calculates the
totals for the batch and displays them to the shipping clerk. The clerk reconciles the input totals with the
computed totals; if there are differences, an error-correcting routine is followed. The process repeats on
a daily basis, whenever picking tickets are released.
On a periodic basis, the computer processes the accumulated shipment data. The program records the
inputs in the sales journal and updates the accounts receivable master data to create a new open
receivable. Invoices are printed and sent to the customer, and packing slips are sent to the shipping
department before the goods are delivered to the customer.

In this type of system, an output usually produced is what we call an exception and summary report
which shows the events that happened in a detailed or summarized form, or can be both in which the
data accepted or rejected by the system are also reflected.

Control Framework Application

Shown above is the Application of the Control Framework to the system previously discussed. In this
table, a complete control matrix is shown for flowchart provided earlier. It shows the location where the
recommended control plans must be placed in the system. You can see the codes P-1, P-2 and so on the
screen, and the other codes there, M-1 and M-2, are controls assumed to be missing that the process
description failed to specify.
Batch Control Plans - regulate information processing. For them to be effective, the following must
be ensured:

A. All documents are batched


B. All batches are submitted for processing
C. All differences disclosed by reconciliations are investigated and corrected in a timely manner.
D. All batches are accepted by the computer.

Types of Batch Totals:


A. Document/Record Counts - simple counts of the number of documents entered
B. Item/ Line Counts - counts of the number of items or lines of data entered
C. Dollar Totals - summation of the dollar value of items in the batch
D. Hash Totals - summation of any numeric data existing for all documents in the batch

Each of the recommended control plans shown earlier in the matrix has its own use. Batch control
plans regulate the processing of information by calculating control totals at various points in a
processing run and then comparing the totals. Batch totals may be reconciled manually or by the
computer.

There are various types of batch totals, and each is more appropriate than the others in certain
situations. The first is the document/record count, a simple count of the number of documents
entered into the system. It is the minimum level of control over input completeness, but because it
only counts documents it cannot tell whether a document was replaced by another one or keyed
incorrectly, so it does little for accuracy or validity. Second is the item or line count, a count of the
number of items or lines of data entered, for example the separate items on a sales document. It
improves on a record count because a dropped line is detected, but a line keyed with the wrong amount
is not. Next are dollar totals, the summation of the dollar value of the items in the batch; a missing or
mis-keyed amount changes the total, which further improves completeness and accuracy. Lastly, hash
totals are the summation of any numeric data field existing for all documents in the batch (customer
numbers, for example). The sum has no meaning by itself, but it can determine whether inputs have
been altered, added, duplicated, or deleted.
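As an added example (not from the page), the four batch totals computed over a constructed batch of picking tickets, and the reconciliation of control totals established before input against totals recomputed from the records the computer accepted. Each scenario shows which total moves for which kind of error, including the case where none of them moves. The batch contents and the error scenarios are assumptions for the example.

```python
"""Batch totals over a batch of picking tickets, and their reconciliation after input (example)."""

# Constructed batch (assumed): document number, customer number, lines as (qty, unit price in cents).
BATCH = [
    {"doc_no": 501, "customer_no": 102343, "lines": [(10, 1250), (4, 375)]},
    {"doc_no": 502, "customer_no": 209874, "lines": [(1, 4999)]},
    {"doc_no": 503, "customer_no": 102343, "lines": [(2, 1250), (2, 375), (1, 4999)]},
]


def batch_totals(docs: list) -> dict:
    """The four batch totals, computed from a list of documents."""
    return {
        "record_count": len(docs),
        "line_count": sum(len(d["lines"]) for d in docs),
        "dollar_total": sum(q * p for d in docs for q, p in d["lines"]),
        # Sum of customer numbers: meaningless as a figure, useful as a fingerprint of the batch.
        "hash_total": sum(d["customer_no"] for d in docs),
    }


def reconcile(control: dict, computed: dict) -> list:
    """Agree the control totals taken before input with the totals computed from accepted records."""
    return [f"{k}: control {control[k]} vs computed {computed[k]}"
            for k in control if control[k] != computed[k]]


def detect_scenarios() -> dict:
    """Which total catches which kind of input error?  Returns the reconciliation findings per case."""
    control = batch_totals(BATCH)
    findings = {}
    # A dropped document: every total moves.
    findings["dropped_document"] = reconcile(control, batch_totals(BATCH[:-1]))
    # A document scanned twice: every total moves as well.
    findings["duplicated_document"] = reconcile(control, batch_totals(BATCH + [BATCH[0]]))
    # A substituted customer number: counts and dollars are silent; only the hash total moves.
    swapped = [dict(d) for d in BATCH]
    swapped[1] = dict(swapped[1], customer_no=102334)
    findings["wrong_customer_number"] = reconcile(control, batch_totals(swapped))
    # A mis-keyed quantity: record and line counts are silent; only the dollar total moves.
    miskey = [dict(d) for d in BATCH]
    miskey[0] = dict(miskey[0], lines=[(100, 1250), (4, 375)])
    findings["mis_keyed_quantity"] = reconcile(control, batch_totals(miskey))
    # A line replaced by a different one of equal value: nothing moves. Batch totals are not a guarantee.
    same_value = [dict(d) for d in BATCH]
    same_value[0] = dict(same_value[0], lines=[(5, 2500), (4, 375)])
    findings["equal_value_substitution"] = reconcile(control, batch_totals(same_value))
    return findings


if __name__ == "__main__":
    print("control totals:", batch_totals(BATCH))
    for name, diffs in detect_scenarios().items():
        print(name, "->", diffs or "no difference detected")
```

The last scenario is why the page pairs batch totals with other plans such as one-for-one checking: two totals that agree only say that nothing detectable by that total has changed.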

Control Plans:

1. Turnaround documents - Turnaround documents are used to be able to capture and input a
subsequent event. Examples of this include picking tickets, inventory count sheets and remittance
advice stubs that are attached with the customer invoices. It is used for the input of individual items
more than batches.
2. Key Verification - Key verification is when input documents are keyed by one individual and then
rekeyed by another one. This is done to compare the keystrokes done by the first clerk, with that,
differences can be identified and errors are assumed to be done by the other person.
3. Sequence Checks - Sequence checks are done when documents are numbered sequentially when
prepared or received from an external source or the input document is prenumbered. This is applied
to determine that all the documents have been processed, no extras, and duplicates.

a. Batch Sequence Check


b. Cumulative Sequence Check

4. Manual Reconciliation of Batch totals - one or more of the batch totals are established manually,
then the individual event descriptions are entered. The computer produces reports at the end of the
process, and the batch totals are reconciled by determining why the totals do not coincide and making
corrections to the input data.

5. Computer Agreement of batch totals - the computer compares the batch totals established before
input with the totals it computes from the records it actually accepted, and reports any difference
(the page's example figure is not reproduced here).

6. Agree run-to-run totals - A variation of the reconciliation/agreement of batch totals control is


called the Agree run to run totals which is useful when there are many intermediate steps between
the start and end of the process.

7. Tickler File (Review Tickler file) - It is a manual file of documents containing business event data
that is pending for further action.

8. One-for-one checking - It is a detailed comparison of the individual elements of two or more data
sources to determine that they agree.
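An added example (not from the page) for control plans 3 and 6 above: a batch sequence check and a cumulative sequence check over prenumbered document numbers, and run-to-run totals carried through a chain of processing runs so that the step at which a record went missing is identified. The document numbers, the three-run pipeline and the deliberately faulty receivables update are assumptions constructed for the demonstration.

```python
"""Sequence checks and run-to-run totals over a chain of processing runs (example)."""


def batch_sequence_check(doc_nos: list) -> dict:
    """Within one batch the prenumbered documents should be consecutive: report gaps and duplicates."""
    seen, duplicates = set(), []
    for n in doc_nos:
        if n in seen:
            duplicates.append(n)
        seen.add(n)
    lo, hi = min(seen), max(seen)
    return {
        "first": lo,
        "last": hi,
        "missing": [n for n in range(lo, hi + 1) if n not in seen],
        "duplicates": sorted(set(duplicates)),
    }


def cumulative_sequence_check(last_processed: int, doc_nos: list) -> dict:
    """Across batches: the new batch must start right after the last number already processed,
    and may not reuse a number that was processed in an earlier batch."""
    result = batch_sequence_check(doc_nos)
    result["gap_from_previous"] = max(0, result["first"] - last_processed - 1)   # 0 = contiguous
    result["reused_numbers"] = [n for n in doc_nos if n <= last_processed]
    return result


def run_to_run_totals(records: list, steps: list) -> list:
    """Carry (record count, dollar total) across each processing run.

    `steps` is a list of (name, function) pairs; each function takes the records produced by the
    previous run and returns the records it produces. Totals are recomputed after every run and
    agreed with the previous run's totals, so a record lost or altered mid-stream is flagged at the
    run where it happened rather than only at the end.
    """
    def totals(recs):
        return (len(recs), sum(r["amount"] for r in recs))

    prev_name, prev = "input", totals(records)
    findings = []
    for name, fn in steps:
        records = fn(records)
        cur = totals(records)
        if cur != prev:
            findings.append(f"{prev_name} -> {name}: count/total {prev} became {cur}")
        prev_name, prev = name, cur
    return findings


# Constructed shipment records (assumed): amounts in cents.
SHIPMENTS = [{"doc_no": 501, "amount": 14000}, {"doc_no": 502, "amount": 4999}, {"doc_no": 503, "amount": 8249}]


def record_sales_journal(recs):
    """Run 2: a faithful step that only adds a journal line number to each record."""
    return [dict(r, journal_line=i + 1) for i, r in enumerate(recs)]


def update_receivables_faulty(recs):
    """Run 3 with a constructed defect: the last record is silently dropped."""
    return recs[:-1]


def demo():
    clean = run_to_run_totals(SHIPMENTS, [("sales journal", record_sales_journal),
                                          ("receivables", lambda r: list(r))])
    faulty = run_to_run_totals(SHIPMENTS, [("sales journal", record_sales_journal),
                                           ("receivables", update_receivables_faulty)])
    return clean, faulty


if __name__ == "__main__":
    print(batch_sequence_check([501, 502, 502, 504]))        # missing [503], duplicates [502]
    print(cumulative_sequence_check(500, [503, 504]))        # gap_from_previous 2
    print(demo())
```

A sequence check tells you that a document is missing or duplicated; run-to-run totals tell you where in the run it disappeared. Together they cover the two failure modes a simple end-of-run batch total cannot separate.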
