
ch10 Accounting Systems Solution Manual


Description: Solution Manual for Accounting Systems Textbook, Ch. 10. Core Concepts of Accounting Information Systems. ISBN-13: 9781118022306; ISBN: 1118022300; Edition: 12; Pub Date: 2011; Publisher: Wiley. Summary: Mark G. Simkin is the author of Core Concepts of Accounting Information Systems, published 2011 under ISBN 9781118022306 and 1118022300.


Chapter 10 Computer Controls For Organizations And Accounting Information Systems

Discussion Questions

10-1.

A security policy is a comprehensive plan that helps protect the organization from internal and external threats. More and more organizations have become dependent on networks (of all sorts) to conduct business, share data, and communicate with suppliers, customers, business partners, and employees who are traveling or working at home.

As a result, more proprietary data and organizational information must be accessible to a wide variety of individuals. However, very real risks are present and more prevalent than ever before. Firms are realizing that the traditional approach to security is not efficient or sufficient. That is, even if a firm has several products, they are usually not integrated and do not work together. The result is that integrated security has emerged as the most useful plan to protect the firm. By adopting a comprehensive, holistic strategy that addresses network security at the gateway, server, and client tiers, organizations may be able to reduce costs, improve manageability, enhance performance, tighten security, and reduce the risk of exposure (enterprisesecurity.symantec.com, article ID 1128). This article claims that the following key security technologies can be integrated to more efficiently protect the firm against a variety of threats at each tier to minimize the effects of network attacks: firewalls, intrusion detection, content filtering, virtual private networks, vulnerability management, and virus protection.

In general, integrated security is getting a lot more attention in the business press and in technical journals. The reason is obvious: companies are more aware than ever before that security breaches can be very costly! As a result, organizations are becoming more attentive to such precautions as physical security of computers and networks (access controls), authentication procedures for access to applications and data, and encryption procedures.

10-2. The concept of convergence of physical and logical security means that an organization has integrated these two forms of security. Thus, incidents that might individually go unnoticed do not go undetected when they are combined. Referring again to Figure 10-3 in the textbook, we can see how the combination of these two forms of security can make an organization less vulnerable to embezzlement or fraud.

10-3. To help organizations comply with SOX and the PCAOB requirements, the IT Governance Institute (ITGI) issued IT Control Objectives for Sarbanes-Oxley in April 2004.

Neither the SOX legislation, nor PCAOB Standards No. 2 or No. 5, includes detailed guidance for organizations. The ITGI publication provides that detail by starting with the IT controls from COBIT and linking those to the IT general control categories in the PCAOB standard; the control objectives are then linked to the COSO framework. As we discussed in Chapter 9, COBIT is an IT governance framework that provides company-level objectives and controls around those objectives, as well as activity-level objectives and controls. Thus, it may be used effectively by managers at all levels of the firm. It is important to remind students that COBIT identifies controls that may be used for both operational and compliance objectives. The ITGI document only focuses on controls that support financial reporting.

10-4. First, we should probably define a Local Area Network (LAN). A LAN is where you have a number of computers that are geographically close together, usually in the same building or a group of buildings. However, one LAN can be connected to other LANs over any distance via telephone lines and radio waves (which is then called a Wide Area Network or WAN). LANs are capable of transmitting data at very fast rates, much faster than data can be transmitted over a telephone line; but the distances are limited, and there is also a limit on the number of computers that can be attached to a single LAN.

Probably the primary difference between a wireless LAN and a hard-wired LAN is the method used to transmit information. Wireless LAN technology is based on radio wave transmission, whereas hard-wired LANs might be based on twisted-pair cable (used by older telephone networks), coaxial cables (more expensive than standard telephone wire, but much less susceptible to interference and able to carry much more data), or fiber optic cables (very popular for LANs; data can be transmitted in digital form). Wireless LAN technology is relatively new, whereas hard-wired LANs (using twisted-pair cable) have been in use for quite some time.

Security risks are important considerations for both types of LANs, and the technology for each is different. A wireless local area network (WLAN) must have a secure gateway, such as a Virtual Private Network (VPN), so that users may safely access the network. Such a VPN handles authentication of users and appropriately encrypts the information that is transmitted.

Of course, data encryption is an important control for all networks. Others include a checkpoint control procedure, routing verification procedures, and message acknowledgment procedures (these procedures are discussed in the chapter).

10-5.

Business continuity planning (BCP) is also called contingency planning and disaster planning. A business continuity plan is necessary because a variety of unforeseen disasters might occur that would cause a data processing center to not be operational. Examples of these disasters include natural events such as fires, floods, hurricanes, earthquakes, and manmade catastrophes such as terrorist attacks.

A company's BCP should describe procedures to be followed in the event of an emergency, as well as the role of every member of the disaster recovery team (which is made up of specific company employees). The company's management should appoint one person to be in charge of disaster recovery and one person to be second-in-command.

Part of BCP specifies backup sites to use for alternate computer processing. These backup sites may be other locations owned by the company, such as another branch of the same bank. Alternatively, these sites may be owned by other organizations and used for short-term periods in the event of a disaster. It is a good idea for the various hardware locations for data processing to be some distance away from the original processing sites in case a disaster affects a regional location. An example would be companies located near the San Andreas Fault in California. Since a severe earthquake could destroy the data processing centers of those companies within the earthquake area, organizations within this area should have disaster recovery arrangements with organizations located outside any area likely to be affected by an earthquake.

There are a number of reasons to test the business continuity plan on a regular basis; these are identified below.

To practice a succession plan for the CEO, in the event something happens to the CEO.

To train backup employees to perform emergency tasks. The employees a firm counts on to lead in an emergency may not always be available.

To practice crisis communication with employees, customers, and the outside world.

To determine alternate means of communication in case the telephone networks go down.

To involve all employees in the exercises so that they get practice in responding to an emergency.

To make exercises realistic to tap into employees' emotions so that you can see how they'll react when the situation gets stressful.

To form partnerships with local emergency response groups (such as firefighters, police and EMTs) and establish a good working relationship. Let them become familiar with your company and site.

To evaluate your company's performance during each test, and work toward constant improvement. Continuity exercises should reveal weaknesses.

To reveal and accommodate changes. Technology, personnel, and facilities are in a constant state of flux at any company.

10-6. Backup is an example of a control designed to mitigate or reduce business risk. As pointed out in the chapter, backup is similar to redundancy in creating fault tolerant systems. Through backup, a duplicate copy of a data file is created. To illustrate, data that you currently have stored on your hard drive could be copied onto a CD, flash drive, or other portable media for backup purposes. An example was provided in this chapter of a common control procedure that companies use for backing up accounting data called the grandfather-parent-child procedure of file security.

Backup is extremely important when operating a computerized accounting system. If, for example, backup copies containing important accounting data become corrupted or lost, all of the accounting data will be lost. Within a company's computerized accounting system, the loss of data that is not backed up could result in a severe interruption of business and loss of income.

The term "backup" is not limited to just the backup of data. A company can also back up its hardware and electrical power. For example, through its disaster recovery plan, a company might provide for backup of its hardware by making arrangements for renting computer time from another organization should the company's own computer become inoperative. Regarding electrical power backup, surge protectors, for instance, provide protection should short, intermittent power shortages or failures occur.

10-7. The unique control risks associated with the use of PCs and laptops compared to mainframes occur in two basic areas: (1) hardware, and (2) data and software.

Regarding hardware, because laptops are portable, they or any part of their peripheral equipment can easily be stolen or destroyed. Limiting access to such equipment is difficult. It is not difficult to remove the hard drive from a PC or take a monitor home. The problem is compounded further with laptop computers since many powerful laptops can now be hidden inside a briefcase.

Regarding data and software, these two items are easy to access, modify, copy, or destroy, and thus are difficult to control. A person with reasonable computer know-how and access to a PC can access all the data and software on the machine. Consequently, there is a danger that an employee of the organization using PCs might make unauthorized access to records and manipulate the data, or that a disgruntled employee might decide to reformat a PC's hard disk, destroying all software and data it contained.

Students will likely come up with different lists of the three most important control procedures that should be implemented for laptops and the reasons these procedures are important. A suggested list with reasons is presented below.

Control procedure 1: An inventory should be taken of all laptops used in a company along with the various applications for which each laptop is used.
Reason: This control procedure is important because a company is able to physically account for all of its laptops and, based on the various applications for which each laptop is used, a determination can be made of the types of risks and exposures associated with every laptop's applications. For those laptops whose applications are subject to greater risks and exposures, stronger control procedures are required.

Control procedure 2: Secret passwords that are periodically changed should be required for all authorized users of laptops.
Reason: This control procedure is important because it prevents unauthorized individuals from using laptops to access data files and possibly tamper with the data within the files.

Control procedure 3: Each employee having a laptop should be required to place his or her laptop in a locked cabinet before leaving at night.
Reason: This control procedure is important because of the size of laptops. The laptops' small size makes them susceptible to theft if left on employees' desks when they go home at night.

10-8.

1) Test of completeness: The number should be exactly eight digits.

2) Test of sign: The number should be positive.

3) Test of numeric field content: The number should contain only numeric data; no letters or special characters.

4) Test of reasonableness: Each eight-digit number should fall within a range of allowable values.

5) Redundancy test: The four-digit product number should be valid for the four-digit "major-category" number.

6) Check digit: A ninth digit can be added to the eight-digit number for checking purposes.
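The six tests above, applied in order to one keyed field, as an added example that is not part of the solutions manual. The text does not say how the eight digits are split or how the ninth digit is computed, so this example assumes the first four digits are the major-category number and the last four the product number, uses a constructed reference table and allowable range, and computes the check digit as a weighted modulus-11 digit (an assumed scheme). The transposed-digit case at the end shows why the check digit is kept even when the other five tests pass.

```python
"""Edit tests for an eight-digit product number, following the six tests in 10-8.

Added example, not from the solutions manual.  Assumptions the text does not
make: the first four digits are the major-category number and the last four
the product number within that category; the reference table and the
allowable range are constructed; the ninth (check) digit is a weighted
modulus-11 digit, which the text leaves unspecified.
"""
from typing import List, Optional

# Constructed reference table: product numbers that are valid for each
# four-digit major-category number (used by the redundancy test).
VALID_PRODUCTS_BY_CATEGORY = {
    "1001": {"0001", "0002", "0350", "3050"},
    "2045": {"0100", "0101"},
}

# Constructed range of allowable values for the reasonableness test.
ALLOWABLE_RANGE = (10_000_000, 29_999_999)

# Position weights for the check digit (assumed scheme, not from the text).
WEIGHTS = (9, 8, 7, 6, 5, 4, 3, 2)


def compute_check_digit(eight_digits: str) -> str:
    """Weighted modulus-11 check digit over the eight digits.

    Each position carries a different weight, so swapping two digits changes
    the weighted total and the transposition is caught.  A remainder of 10 is
    written as 'X', as in ISBN-10.
    """
    total = sum(int(d) * w for d, w in zip(eight_digits, WEIGHTS))
    remainder = (11 - total % 11) % 11
    return "X" if remainder == 10 else str(remainder)


def edit_tests(number: str, check_digit: Optional[str] = None) -> List[str]:
    """Apply the 10-8 tests to a keyed field; return the names of the tests that failed.

    `number` is the eight-digit field exactly as keyed; `check_digit` is the
    optional ninth digit keyed alongside it.
    """
    failures: List[str] = []

    # 1) Completeness: exactly eight characters must have been keyed.
    if len(number) != 8:
        failures.append("completeness")

    # 2) Sign: the number must be positive (no leading minus sign).
    if number.startswith("-"):
        failures.append("sign")

    # 3) Numeric field content: digits only, no letters or special characters.
    if not number.isdigit():
        failures.append("numeric")
        return failures  # the remaining tests need a purely numeric field

    # 4) Reasonableness: the value must fall inside the allowable range.
    low, high = ALLOWABLE_RANGE
    if not low <= int(number) <= high:
        failures.append("reasonableness")

    # 5) Redundancy: the product number must be valid for its major category.
    category, product = number[:4], number[4:]
    if product not in VALID_PRODUCTS_BY_CATEGORY.get(category, set()):
        failures.append("redundancy")

    # 6) Check digit: recompute from the eight digits and compare with the ninth keyed.
    if check_digit is not None and compute_check_digit(number) != check_digit:
        failures.append("check_digit")

    return failures


if __name__ == "__main__":
    good = "10010350"
    digit = compute_check_digit(good)
    print(good, digit, edit_tests(good, digit))
    # Two digits transposed: tests 1-5 still pass, only the check digit catches it.
    print("10013050", edit_tests("10013050", digit))
```

The order matters: the numeric test returns early because the reasonableness, redundancy and check-digit tests all need digits to work on, and a field that fails several tests reports all of them so the operator sees every reason for the rejection.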

10-9.

a) Edit tests are computer routines that examine selected fields of input data for such attributes as accuracy, completeness, reasonableness, and sequence. They reject those data items that fail pre-established standards of data quality.

b) A check digit helps ensure the accurate and complete input of an important number, such as an account number. If the check digit computed by a computer fails to match the associated check digit input by the user, the number (and perhaps the associated transaction) is rejected. Check digits thus help guard against the accidental alteration of the wrong master file record when an incorrect account number was input.

c) Passwords are sets of numbers or letters that computer system users must input to gain access to further computer time or files. Well-constructed passwords and associated lockout and dial-back systems guard against unauthorized computer access by denying computer time to "hackers" or other unwarranted users.

d) Activity or proof listings are detailed listings of computerized data processing. Typically, these listings indicate what data processing was performed for each transaction or account in the system. Thus, these listings help assure data processing accuracy by providing system users with hardcopy evidence (and therefore an audit trail) of processing results.

e) Control totals are financial, non-financial, hash, or record-count totals that are computed from input data. The initial control totals, input separately, are recomputed during actual data processing and ultimately compared. Unmatched values are investigated for causes. Thus, control totals guard against the loss of data during data processing activities. Matching control totals also helps assure users that data input was accurate and complete.

10-10. Logical access to the computer is typically performed by using a remote terminal to log onto the computer system to obtain access to software and data. Control of such access is usually accomplished by having procedures that limit access to only those individuals who are properly authorized (i.e., properly identified and authenticated by the computer system). Physical access to the computer means being physically able to gain access to the computer system or the data processing center. Good security requires that both logical and physical access to the computer system be restricted to only those individuals who have authorization for such access. Computerized accounting information systems require human interaction with computers at many levels, including the input of data, the distribution of output, the programming of computer runs, and the inquiry of the system. However, not everyone involved with the accounting information system needs logical access to the computer system, and few of the above activities require physical access to the computer. Restrictions on logical access safeguard computer time and maintain the privacy of the data files available to remote users. Restrictions on physical access protect the physical assets of the computer system and the data processing center.

10-11. The separation of duties control is intended to deter an individual from committing an intentional accounting error and concealing this error in the normal course of his or her duties. To the extent that computerized accounting systems will handle functions that would be performed by more than one person under a manual system, the computerized version of the accounting information system cannot entirely adhere to this policy of separate responsibilities for related accounting processing functions. On the other hand, strict control over the development and use of computer programs, for instance, through the requirement of authorization for program changes and through the strict distinction between programmers and operators, is an example of effective separation of duties. Good separation of duties in the data processing center, for example, would require that a computer operator would not have authority to make computer program changes and that a programmer would not have access to the computer for running programs. A computerized accounting information system will tend to combine certain traditionally separated accounting tasks in its data processing, but use alternate means for the application of the separation of duties control.

10-12. The purpose of the hash total in accounting information systems is to ensure completeness in a set of accounting data. Hash totals compute otherwise meaningless values, such as the sum of customer account numbers, whose only use is to be recomputed and compared.
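The control totals of 10-9 (e) and the hash total of 10-12 worked through on one batch, as an added example that is not part of the solutions manual. The input batch, the totals the data control group keyed separately, and the two simulated processing faults are constructed; the point of the second fault is that a mis-keyed account number leaves the record count and the financial total unchanged, so only the hash total exposes it.

```python
"""Batch control totals (10-9 e) and the hash total (10-12).

Added example, not from the solutions manual.  The input batch, the totals
keyed separately by the data control group, and the two processing faults
are all constructed for illustration.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Record:
    account: int      # customer account number
    amount: Decimal   # transaction amount


def control_totals(records: List[Record]) -> Dict[str, object]:
    """Compute the three totals the text names.

    record_count    - how many records are in the batch
    financial_total - sum of the amounts (a meaningful business figure)
    hash_total      - sum of the account numbers, a figure with no business
                      meaning that still changes when an account number is
                      dropped, duplicated, or mis-keyed
    """
    return {
        "record_count": len(records),
        "financial_total": sum((r.amount for r in records), Decimal("0")),
        "hash_total": sum(r.account for r in records),
    }


def compare_totals(keyed: Dict[str, object], recomputed: Dict[str, object]) -> Dict[str, tuple]:
    """Return every total that does not match as {name: (keyed, recomputed)}."""
    return {
        name: (keyed[name], recomputed[name])
        for name in keyed
        if keyed[name] != recomputed[name]
    }


# Constructed input batch, and the control totals keyed independently from
# the batch header before processing begins.
INPUT_BATCH = [
    Record(100123, Decimal("250.00")),
    Record(100456, Decimal("75.50")),
    Record(100789, Decimal("1200.00")),
]
KEYED_TOTALS: Dict[str, object] = {
    "record_count": 3,
    "financial_total": Decimal("1525.50"),
    "hash_total": 301368,
}


def simulate_processing(records: List[Record],
                        drop_index: Optional[int] = None,
                        transpose_account_at: Optional[int] = None) -> List[Record]:
    """Stand-in for the processing run, with two optional faults: a record
    silently dropped, or the last two digits of one account number
    transposed (a typical keying error)."""
    out = list(records)
    if drop_index is not None:
        del out[drop_index]
    if transpose_account_at is not None:
        r = out[transpose_account_at]
        digits = str(r.account)
        swapped = int(digits[:-2] + digits[-1] + digits[-2])
        out[transpose_account_at] = Record(swapped, r.amount)
    return out


def reconcile(keyed: Dict[str, object], processed: List[Record]) -> Dict[str, tuple]:
    """Recompute the totals after processing and report any that disagree."""
    return compare_totals(keyed, control_totals(processed))


if __name__ == "__main__":
    print("clean run:", reconcile(KEYED_TOTALS, simulate_processing(INPUT_BATCH)))
    print("dropped record:", reconcile(KEYED_TOTALS, simulate_processing(INPUT_BATCH, drop_index=1)))
    # Amount unchanged, so only the hash total exposes the mis-keyed account number.
    print("transposed account:", reconcile(KEYED_TOTALS, simulate_processing(INPUT_BATCH, transpose_account_at=1)))
```

Amounts are kept as Decimal rather than float so that the recomputed financial total compares exactly with the keyed one; a floating-point sum could produce a spurious mismatch on a clean batch.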

Problems

10-13.We agree with the seminar leader's statement that all errors in processing accounting data can be classified as either accidental or intentional. A key point to emphasize is that many of the controls installed in an accounting information system are designed to detect accidental errors, not intentional errors. Edit tests are particularly important in this regard inasmuch as they are performed at the time of data input and therefore early in the processing stream of the system.

Not all personnel controls are concerned with intentional errors, but the vast majority of them are concerned with this matter. An example of a personnel control which is not necessarily aimed at thwarting intentional errors is the requirement that employees take their earned vacations to relax from a stressful job. Nonetheless, intentional errors are, by definition, not accidents. If an error is intentional, it is committed purposefully and therefore involves an individual. Controls that limit the amount of harm an employee or outsider can do to a company's accounting information system are aimed at thwarting intentional errors.

10-14.Among other things, this question is intended to emphasize the importance of employee relations as a component of computer security. Thus, perhaps the most important control which the organization might have used would be adherence to the general policy of dismissing employees who are not happy with their jobs. Additional controls are also possible, however. The pre-testing of computer programs by alternate programming staff members and the requirement that only authorized versions of computer programs be used to update and maintain computer files might also have prevented the problem. It is also likely that record counts were not being used since, if they were, there would have been a discrepancy between the number of records written on the new file and the number of records read from the old file.

10-15.These transactions might have been discovered by the absence of merchandise in the company warehouse. However, the problem with this is timing: the final proof of fraud could only be established after it had been established that the merchandise was not lost in shipment or misplaced at the warehouse. A perpetual inventory system with close monitoring of discrepancies between actual physical inventory on hand and the quantity balances recorded in the accounting records would be an effective control for the present situation. Also, the company should require cash disbursement checks be issued for merchandise purchases only after the purchase order, the purchase invoice, and the inventory receiving report have all been reviewed by an authorized employee, other than the check writer.

Other effective controls would include:

1) Requiring a supervisor's authorization for creation of all accounts payable masterfile records.

2) Requiring a supervisor's authorization for all orders exceeding a pre-determined level.

3) Requiring a computer printout of all orders exceeding a given dollar level.

4) Authorizing payment for merchandise only upon documented receipt of merchandise in good condition. The receipts voucher must include a signature of the person receiving the merchandise.

10-16.

a. An edit test for a reasonable number of hours worked would guard against this problem. Requiring a supervisor to verify hours worked would also be useful.

b. A control should be programmed into the computer enabling the credit manager to cut off credit sales to delinquent accounts. The account representative for Grab and Run Electronics should also be notified that no new sales on credit are to be made to this account.

c. This problem could be solved through a separation of duties control procedure and insistence on the two-week vacation rule.

d. The system should prompt any key-entry operator about which account is being accessed. The system should also be programmed to:

1. Require the input of the account number as part of the update process

2. Indicate an error message when account numbers fail to match

3. Refuse to create multiple account records with identical account numbers.
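The three programmed controls listed under (d), implemented against a small in-memory master file, as an added example that is not part of the solutions manual. The record layout, the idea that the operator confirms the account number by re-keying it from the source document, and the function names are all assumptions made for the illustration.

```python
"""Programmed master-file update controls, as listed in 10-16 (d).

Added example, not from the solutions manual.  The in-memory master file,
the re-keyed confirmation of the account number and the method names are
assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict


@dataclass
class MasterRecord:
    account_number: str
    name: str
    balance: int = 0


class MasterFile:
    def __init__(self) -> None:
        self._records: Dict[str, MasterRecord] = {}

    def create(self, account_number: str, name: str) -> str:
        """Control 3: refuse to create a second record with the same account number."""
        if account_number in self._records:
            return f"ERROR: account {account_number} already exists; duplicate refused"
        self._records[account_number] = MasterRecord(account_number, name)
        return f"OK: account {account_number} created"

    def prompt(self, account_number: str) -> str:
        """Show the key-entry operator which account is about to be accessed,
        so it can be compared with the source document before any update."""
        rec = self._records.get(account_number)
        if rec is None:
            return f"ERROR: no account {account_number}"
        return f"Accessing account {rec.account_number} ({rec.name})"

    def update_balance(self, keyed_account: str, confirmed_account: str, delta: int) -> str:
        """Controls 1 and 2: the account number is a required part of the
        update, and the confirmation re-keyed from the source document must
        match it; on a mismatch the update is rejected with an error message."""
        if keyed_account != confirmed_account:
            return (f"ERROR: account numbers do not match "
                    f"({keyed_account} vs {confirmed_account}); update rejected")
        rec = self._records.get(keyed_account)
        if rec is None:
            return f"ERROR: no account {keyed_account}"
        rec.balance += delta
        return f"OK: account {keyed_account} balance now {rec.balance}"

    def balance(self, account_number: str) -> int:
        return self._records[account_number].balance


if __name__ == "__main__":
    mf = MasterFile()
    print(mf.create("10023", "Acme Ltd"))
    print(mf.create("10023", "Acme Ltd"))          # duplicate refused
    print(mf.prompt("10023"))
    print(mf.update_balance("10023", "10032", 500))  # transposed confirmation rejected
    print(mf.update_balance("10023", "10023", 500))
```

Every rejected update leaves the record untouched, which is the property the controls exist to guarantee: the wrong account can only be changed if both the keyed number and its confirmation are wrong in the same way.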

e. The creation of vendor records for suppliers eligible for payments should require an authorization procedure. This controls against the creation of dummy companies. Also, the existence of damaged merchandise should be confirmed by more than one person; for example, through a supervisory control. Finally, an informal knowledge of Ben Landsford may have provided clues to his fraud.

10-17.

a. Bank transactions should be pre-coded with either a deposit code or withdrawal code. Transactions encoded on different colored paper may help. Also, the bank should batch transactions by type. Finally, the error would cause a teller to be out of balance at the end of the day.

b. An edit test of length would guard against this error.

c. An edit test of reasonableness should be used.

d. This is a programming error. The program should also be tested first with a test deck. The program should not be permitted to withhold deductions in excess of earnings and a sign test would be useful.

e. A check digit with ordering of digits feature would catch this error at run time.

f. The computer program which processes this form should compare the first two digits of the employee number against a list of acceptable codes by performing an edit check. The input should be rejected if a nonexistent department was encoded on the form.

g. The computer system involved should use passwords (or ID cards and passwords) limiting access to authorized users.

h. A batch control total should be used.

10-18. Some of the ways that this separation of duties is achieved are as follows:

1. All systems changes and transactions should be initiated and authorized by user departments.

2. Asset custody should reside with designated operational departments.

3. Corrections for errors detected in processing data should be entered on an error log, referred back to the specific user department for correction, and subsequently followed up on by the data control group.

4. Changes to existing systems as well as all new systems should involve a formal written authorization from the user department.

10-19.

a. It is likely that former employees are going to work for the competition, and taking proprietary information with them! The former employees may even continue to have remote access to Bristol's information system.

b. There are several controls that could help here. One is to have each employee sign a confidentiality agreement or a non-compete agreement. Another is to allow employees limited access only to the database on a "need to know" basis. A third control would be to make sure that employee user IDs (access privileges) are deactivated upon termination with the company.
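The third control in (b) is only as good as the check that it actually happened. The following is an added example, not part of the solutions manual, of the reconciliation an auditor or administrator would run to find user IDs that survived a termination: the HR extract, the account listing and the field names are constructed, and a real check would read the same two lists from the HR system and from the information system's user table.

```python
"""Checking that user IDs are deactivated at termination (10-19 b).

Added example, not from the solutions manual.  The HR extract, the account
listing and their field names are constructed for illustration.
"""
from datetime import date
from typing import Dict, List, Optional

# Constructed HR extract: employee id -> termination date (None = still employed).
HR_TERMINATIONS: Dict[str, Optional[date]] = {
    "E100": None,
    "E101": date(2011, 3, 15),
    "E102": date(2011, 4, 1),
}

# Constructed account listing from the information system.
ACCOUNTS: List[dict] = [
    {"user_id": "asmith", "employee_id": "E100", "enabled": True, "last_login": date(2011, 4, 20)},
    {"user_id": "bjones", "employee_id": "E101", "enabled": True, "last_login": date(2011, 4, 2)},
    {"user_id": "cwhite", "employee_id": "E102", "enabled": False, "last_login": date(2011, 3, 30)},
    {"user_id": "svc_backup", "employee_id": None, "enabled": True, "last_login": date(2011, 4, 21)},
]


def find_access_exceptions(hr: Dict[str, Optional[date]], accounts: List[dict]) -> List[dict]:
    """Return one exception per condition that needs follow-up:

    - the account is still enabled although HR shows the employee terminated
    - the account was used (last login) after the termination date, whether
      or not it is enabled now
    - the account is not tied to any employee record, so no termination
      would ever cause it to be deactivated
    """
    exceptions: List[dict] = []
    for acct in accounts:
        emp = acct["employee_id"]
        if emp is None or emp not in hr:
            exceptions.append({"user_id": acct["user_id"], "issue": "no owning employee record"})
            continue
        term = hr[emp]
        if term is None:
            continue  # current employee, nothing to do
        if acct["enabled"]:
            exceptions.append({"user_id": acct["user_id"],
                               "issue": f"still enabled after termination on {term}"})
        if acct["last_login"] is not None and acct["last_login"] > term:
            exceptions.append({"user_id": acct["user_id"],
                               "issue": f"login on {acct['last_login']} after termination on {term}"})
    return exceptions


if __name__ == "__main__":
    for e in find_access_exceptions(HR_TERMINATIONS, ACCOUNTS):
        print(f"{e['user_id']:<12} {e['issue']}")
```

The login-after-termination condition is reported separately from the enabled condition because it is the one that needs investigation rather than just cleanup: an account that was used after its owner left is exactly the "continued remote access" scenario described in (a).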

10-20.

Test for (by application and field):

Test columns: Numerical Data, Alphabetic Data, Reasonableness, Completeness, Sign, Redundancy, Code from Internal Table, Sequence, Consistency

INVOICING:
Customer number: XXXXXX
Customer name: X
Salesperson number: XXXXXXX
Invoice number: XXXX
Item catalog number: XXXXXXX
Quantity sold: XXXXXXX
Unit price: XXXXX
Total price: XXXX

SALESPERSON ACTIVITY:
Salesperson number: XXXXXXX
Salesperson name: X
Department number: XXXXX
Sales volume: XXXX
Regular hours worked: XXXX
Overtime hours worked: XXXX

INVENTORY CONTROL:
Item catalog number: XXXXXXX
Item description: X
Unit cost: XXXX
Units out: XXXX
Units in: XXXX

PURCHASING:
Vendor catalog number: XXXXX
Item description: X
Vendor number: XXXXXX
Number ordered: XXXX
Cost per unit: XXXX
Total amount: XXXX

Case Analyses

10-21. The Big Corporation (Controls in Large, Integrated Systems)

1. The Big Corporation could experience several data security problems if proper controls are not instituted with the new system. Without proper controls, unauthorized employees could gain access to the data files, authorized employees could gain access to the data files outside their jurisdiction and responsibility, or outsiders could monitor data transmission lines without the management's knowledge. As a result, data could be used improperly, interpreted improperly, or altered, causing significant problems for the company.

Confidential data files of a sensitive nature should be protected from unauthorized use. Personal data, such as personnel records (health records, salary) and customer records (account balance, credit rating), could be damaging to the company if they were disseminated improperly. If proprietary information (i.e., product profit margin) were not restricted, competitors eventually would learn of this information, which could put The Big Corporation at a competitive disadvantage.

2. The Big Corporation must incorporate control measures to limit access to the system itself and to the data files. Only those individuals who need to use the system should be provided access to the system and data files. Access can be restricted by the use of secret password codes or by the use of both ID cards and passwords, or by the use of biometric identifications.

Some users may be authorized to use the system, but are not authorized to access all data within the files. Protective techniques can be extended below the file level at the dataset level. This entails an examination of the field of each record involved before data are released for use. If the company is concerned with unauthorized access by outsiders, data encryption could be employed.

3.

(a) The following are some of the physical safeguards The Big Corporation could adopt to protect its computer equipment:

1) Restrict access to only those who are authorized to use the equipment.

2) Protect against fire damage by installing water-fed sprinkler or carbon dioxide systems.

3) Protect against water damage by providing a proper water drainage system under the floor of the computer room. In addition, plastic covers should be available to place over the equipment to provide protection from overhead leakage.

4) Properly insure all equipment.

(b) Some physical safeguards which can be employed to provide protection for the data are as follows:

1) Protect the files from deliberate damage by limiting the number of people who have access to them, by limiting access to the data processing facilities, and by establishing a strong librarian function.

2) Files should be stored in a fire-resistant cabinet or vault when not in use. In addition, the company should have regularly scheduled backup of files (and they should be stored in a safe location, perhaps electronic vaulting) in case the current copy of a file is damaged or destroyed.

3) All files should have external labels for easy identification.

(c) Possible measures which can be employed to provide physical security for the data processing center facilities are listed below:

1) Select a location for the data processing facilities that is away from possible hazards or high risk areas. Factors which should be considered are a location above anticipated flood levels, a location away from steam lines, water lines, and windows, and a limited number of doors.

2) Limit access to the data processing center facilities by employing guards, by requiring personnel to wear security badges, and/or by the use of dial-lock combinations.

3) Fire-resistant materials should be employed in the construction of the facilities. Smoke detectors and/or heat sensors should be installed to detect fires; water-fed sprinkler or carbon dioxide systems should be installed to extinguish fires.

4) The company should make arrangements for backup sites (or electronic vaulting) in case there is a major breakdown for an extended period of time. Arranging for backup sites should be part of the company's development of a formal disaster recovery plan.

10-22. MailMed Inc. (Control Weaknesses and a Disaster Recovery Plan)

1. At least four computer control weaknesses that existed at MailMed Inc. prior to the flood occurrence include:

1) Systems documentation being prepared only when time is available; consequently, documentation will likely be incomplete and not current.

2) The systems and programming staff having access to the data processing center without supervision of the operations staff; programmers could alter data files or operational programs.

3) The location of the facility on the ground floor behind large plate glass windows, which invites attention and possible exposure risk, as well as failure to protect against flooding.

4) No regularly scheduled backups being prepared, thus exposing the company to loss of data processed between backups.

2. At least five components that should be incorporated in a formal disaster recovery plan in order for MailMed Inc. to become operational within 72 hours after a disaster affects its computer operations capability include:

1) Off-site alternatives for continuation of service (e.g., contingency plans for operations on a temporary basis) and backup hardware sites such as hot sites.

2) Off-site storage of program and data files, documentation (systems and operations), and supplies.

3) Detailed written procedures for recovery of operations, which should include instructions on obtaining critical information from off-site storage, planning of a communications link between headquarters and the emergency site, as well as telephone numbers of all the team members.

4) Procedures for on-going control and maintenance of a temporary site.

5) The testing and training for plan implementation, including testing each department individually, testing the whole plan (mock disaster), trial runs, testing backup procedures, testing restore operations, and recording test results.

3. At least three factors, other than the plan itself, that MailMed Inc.'s management should consider in formulating a formal disaster recovery plan include:

1)Maintaining business operations and cash flows as well as meeting obligations and contractual requirements.

2) Maintaining customer service and competitive position.

3) Determining appropriate levels of business interruption insurance and/or other insurance.

10-23. Bad, Bad Benny: A True Story (Identifying Controls for a System)

1. The same person handles all cash functions/lack of segregation of duties, lack of sufficient oversight or reviews (e.g., internal/external audits), no control infrastructure, no forced vacations or cross-training, improper monitoring of key employee, organizational structure not set up to encourage ethical behavior, too much trust put in family for sensitive positions, too much authority given to one employee.

2. Set policies for cash handling (e.g., require two signatures on checks over a certain amount, procedures for vendor selection), mandatory vacations and cross-training; separate recording, reconciliation, custody functions; institute regular audits (both internal and external); set up an internal control structure to include authorization/signature requirements; define organizational structure and responsibilities; keep updated list of approved vendors and customers; segregate duties related to cash and liquid asset oversight.

3. Testing audit trails (transactions from origination to destination), reconciliations of account balances, confirmation of bank balances, accounts receivable and accounts payable, physical counts of inventory compared to records, visit vendors, tests of logical relationship with business activity, review of procedures for purchases and cash disbursements.

Source: http://www.csoonline.com/article/print/204450.

SM 10.1