Review

Chapter 4
2. Distinguish between the sales order, billing, and AR departments. Why cant the sales order or AR

departments prepare the bills?

The sales order department (included in the sales department in the text) is responsible for taking the customer

order and placing it into a standard format. This department records information such as the customers name,

address, account number, quantities and units of each item, discounts, freight preferences, etc. The sales order

processing may, in some instances, play a role in verifying or determining the promised shipping date. The billing

department receives a copy of the sales order from the sales department. Upon receipt of the shipping notice and

the stock release documents, the billing department prepares the sales invoice, which is the customers bill reflecting

charges for items shipped, which may be different from items ordered, taxes and freight, and any discounts offered.

The sales order department should not prepare the bills because the salespeople may bill their favorite clients less

than they should be billed. The salespeople place the order, and thus start the wheels in motion for inventory to be

shipped. Further, the salespeople should not be allowed to determine how much the customers pay for their

inventory, because they may be tempted to charge lower prices and receive kickbacks.

The accounts receivable department receives the sales orders and posts them to the accounts receivable subsidiary

ledger. As remittance advices are received, they are posted to the customers account in the accounts receivable

subsidiary ledger. The accounts receivable department should not be allowed to prepare the bills since this

department has custody over the accounts receivable assets. Accounts receivable personnel record customer

payments and track unpaid bills by customers. If they were allowed to prepare the bills, they might not bill certain

customers and receive a kickback from the customers for the free goods.

3. Explain the purpose of having mail room procedures.

The mail room clerk places batches of unopened envelopes into a machine that automatically opens them and separates

their contents into remittance advices and checks. Because the remittance advice contains the address of the payee, the

customer will need to place it at the front of the envelope so it can be displayed through the window. When the envelope

is opened, the machine knows that the first document in the envelope is the remittance advice. The second is, therefore,

the check. The process is performed internally and, once the envelopes are opened, mail room staff cannot access their

contents. So the mail room procedures are to effectively reduce the risk and the cost of organization.

Chapter 5
7. Discuss the objective of eliminating the receiving function. What accounting/audit problems result need to be

resolved?
1
Page

The elimination of receiving function serves the purpose that this is to send goods directly to the production department
 Review
and thus bypass the receiving area and avoid production delays and the associated handling costs.

An accounting and auditing problem that must be overcome is how to account for inventory receipts when there is no

receiving function and no receiving report. One way of dealing with this is to calculate the number of parts received based

on the products produced in which the parts are components. Supplier payments are distributed based on production, and

by having only one supplier per part, the question of which supplier to pay is self-evident.

8. What purpose does multilevel security control play in an integrated purchases/cash disbursements system?

Multilevel security is a means of achieving segregation of duties in an integrated data processing environment where

multiple users simultaneously access a common central application. Two methods for achieving multilevel security

are the access control list (ACL) and role-based access control (RBAC). Through these techniques, purchasing,

receiving, accounts payable, cash disbursements, and general ledger personnel are limited in their access based on

the privileges assigned to them.

Chapter 6
4. Discuss the main advantage of payroll outsourcing.

The primary advantage of payroll outsourcing is cost savings. By transferring this function to a third party, the client

organization avoids the salaries and benefit costs of running an in-house payroll department. Also, the cost of

continuing education for payroll staff is a financial burden. An in-house payroll department needs to be up to date on

an ever-changing array of legal and technical matters. Such training is disruptive, costly, and can be avoided by

outsourcing the payroll function.

13. Describe an internal control that would prevent the acquisition of office equipment that the firm does not

need.

The departmental manager (user) recognizing the need to obtain a new asset or replace an existing one. Authorization and

approval procedures over the transaction will depend on the assets value. Department managers typically have authority

to approve purchases below a certain materiality limit. Capital expenditures above the limit will require approval from the

higher management levels. This may involve a formal cost-benefit analysis and the formal solicitation of bids from

suppliers.

Chapter 7
11. Discuss how an emphasis on financial performance of cost centers, as measured by traditional cost accounting

information, may lead to inefficient and ineffective production output.

Traditional standard costing techniques emphasize financial performance rather than manufacturing performance. The

techniques and conventions used in traditional manufacturing do not support the objectives of lean manufacturing firms.
2
Page

The most commonly cited deficiencies of standard accounting systems are inaccurate cost allocations, promotes nonlean
 Review
behavior, time lag, and financial orientation.

18. Explain why traditional cost allocation methods fail in a computer-integrated manufacturing environment.

Traditional accounting systems do not accurately trace costs to products and processes. One consequence of new

technologies is a changed relationship between direct labor and overhead costs. In the traditional manufacturing

environment, direct labor is a much larger component of total manufacturing costs than in the CIM environment.

Overhead, on the other hand, is a far more significant element of cost in advanced technology manufacturing. In this

setting, traditional cost accounting procedures are inadequate. For traditional allocations to be correct, a direct

relationship between labor and technology needs to exist. In CIM, this relationship is diametric rather than

complementary. When the cost pool is large and the allocation method ambiguous, any miscalculation in assigning

labor is magnified many times in the calculation of overhead.

Chapter 8
3. Explain how erroneous journal vouchers may lead to litigation and significant financial losses for a firm?

If journal vouchers are missing, or are fabricated, or are erroneous, and information is misrepresented in the financial

statements, then any decisions made by investors and governmental agencies are based upon bad data. If an investor

provides capital to a firm based upon its financial statements and these financial statements are incorrect, if the

investor loses money once the corrections are made, the external user which suffered a loss may claim the firm was

either fraudulent or negligent and sue for the lost amount. Governmental agencies, such as the IRS, may impose

severe penalties for inaccurate reporting of data.

5. Describe the role of the journal voucher in both batch and real-time GL systems ?

In batch GL system, transaction processing applications summarize and capture transactions in journal vouchers where

they are held, reviewed, and later posted to the GL. In such systems, journal vouchers are the authority and the source of

all GL posting. On contrast, a real-time GL system posts each transaction directly to the general ledger and concurrently

creates a journal voucher. The journal voucher in this system does not authorize a GL entry in the traditional sense. Rather,

it provides a posting reference and audit trail, which links GL summary account balances to specific transactions.

Chapter 11
1. How are OLTP and OLAP different? Provide some examples to explain.

On-line Transaction Processing (OLTP) are the core business applications that operationally support the day-to-day

activities of the organization. If these applications fail, so does the business. Typical core applications would include

(but are not limited to): Sales and Distribution, Business Planning, Production Planning, Shop Floor Control, and

Logistics. On-line Analytical Processing (OLAP) includes: decision support, modeling, information retrieval, ad-hoc
3
Page

reporting/analysis, and what-if analysis. These are used for analysis and planning purposes.
 Review
3. Why do ERP systems need bolt-on software? Give an example of bolt-on software.

Many organizations have found that ERP software alone cannot drive all the processes of the company. These firms use a

variety of bolt-on software that third-party vendors provide. The decision to use Bolton software requires careful

consideration. Most of the leading ERP vendors have entered into partnership arrangements with third-party vendors that

provide specialized functionality. The least risky approach is to choose a bolt-on that is endorsed by the ERP vendor. Some

organizations, however, take a more independent approach. Dominos Pizza is a case in point.

Example: Dominos Pizza

Dominos U.S. distribution delivered 338 million pizzas in 1998. The company manufactures an average of 4.2 million

pounds of dough per week in its 18 U.S. distribution centers. A fleet of 160 trucks carries the dough along with other food

and paper products to the 4,500 U.S. Dominos franchises. Dominos has no cutoff time for ordering supplies. Therefore, a

franchise can call and adjust its order even after the truck has rolled away from the distribution center. To help anticipate

demand, Dominos uses forecasting software from Prescient Systems Inc., which bolts on to their PeopleSoft ERP system.

In addition, they use a system from Manugistics Inc. to schedule and route the delivery trucks. Each truck has an onboard

computer system that feeds data into a time-and-attendance system from Kronos Inc., which connects to the PeopleSoft

human resources module. Dominos also has an extensive data warehouse. To anticipate its market, Dominos performs

data mining with software from Cognos Inc. and Hyperion

Solutions Corp.

Dominos had been using these and other applications before it implemented an ERP. The company did not want to retire

its existing applications, but discovered that the legacy system required data fields that the ERP did not provide. For

instance, the routing system tells the truck drivers which stores to visit and in what order. The ERP system did not have a

data field for specifying the delivery stop sequence. The warehousing system needs this information, however, to tell

loaders what to put in the trucks and in what order. Having confidence in its in-house IT staff, Dominos management

decided to take the relatively drastic step of modifying the ERP software to include these fields.

Chapter 13
10. What purposes does the systems project proposal serve? How are these evaluated and prioritized? Is the

prioritizing process objective or subjective?

The system project proposal provides management with a basis for deciding whether to proceed with the project.

The formal proposal serves two purposes. First, it summarizes the findings of the study conducted to this point into a

general recommendation for a new or modified system. This enables management to evaluate the perceived

problem along with the proposed system as a feasible solution. Second, the proposal outlines the linkage between
4

the objectives of the proposed system and the business objectives of the firm. It shows the proposed new system
Page
 Review
complements the strategic direction of the firm.

The assessment of the proposed system is done by evaluating the projects feasibility before committing large

amounts of financial and human resources. The evaluation analyse the project in five aspects.

1) Technical feasibility: is concerned with whether the system can be developed under existing technology or

whether new technology is needed.

2) Economic feasibility: pertains to the availability of funds to complete the project.

3) Legal feasibility: involves ensuring that the proposed system is not in conflict with the companys ability to

discharge its legal responsibilities.

4) Operational feasibility: pertains to the degree of compatibility between the firms existing procedures and

personnel skills and the operational requirements of the new system.

5) Schedule feasibility: relates to the firms ability to implement the project within an acceptable time.

The prioritizing process is subjective due to the fact that the system objectives vary according to the organizations

circumstance. Hence, the evaluation of proposed system can be different from one company to the others.

13. Many new systems projects grossly underestimate transaction volumes because they do not take into

account how the new, improved system can actually increase demand. Explain how this can happen, and give

an example.

A system that is easier to access and provides information easily may generate more inquiries than the old system

did. Take for example the account balance inquiry systems offered by most credit card companies. The old method

of account balance inquiry by cardholder involved a conversation between the cardholder and an account

representative. The account representative would ask the cardholder for information and then proceed to give the

information to the cardholder. Many of these companies only provided this service during certain hours. The new

systems allow account balance inquiries 24 hours a day and no human representative is involved. The customer uses

the telephone keypad as an input device and can obtain account balance information very rapidly and conveniently.

The demand for this service has increased since the new system was implemented as a result of the convenient

times and the privacy of retrieving the information oneself versus having to discuss it with a representative.

Chapter 15
9. Explain at least three forms of computer fraud.

The term computer fraud has not been clearly defined since different entities hold various views toward the same

issue. Regardless of how narrowly or broadly computer fraud defined, it is a rapidly growing phenomenon.

Computer fraud can take place in the following forms:

5

1) Data collection fraud: The most common access point for perpetrating computer fraud of altering electronic
Page
 Review
records is at the data collection stage which is the first operational stage in the information system. This is because

no or little computer skills are required to commit the fraud, but it does require poorly designed controls. Example

for data collection fraud would be creating a fraudulent accounting in the payroll system for a non-existed employee,

so the perpetrator could receive extra payment from the company until proper internal control is in place.

2) Database management fraud: This form of computer fraud normally takes place at the database management

stage. The organizations database is its physical repository for financial and nonfinancial data, and it plays an

important role in daily business operation. This valuable inventory can be damaged by disgruntled employees who

intentionally insert a logic bomb into a program. When certain conditions are met, the logic bomb erases the data

files that the program accesses.

3) Operations fraud: is the misuse or theft of the firms computer resources. This often involves using the computer

to conduct personal business. For example, a programmer may use the firms computer time to write software that

he sells commercially. A CPA in the controllers office may use the companys computer to prepare tax returns and

financial statements for her private clients.

10. A bank in California has 13 branches spread throughout northern California, each with its own minicomputer

where its data are stored. Another bank has 10 branches spread throughout California, with the data being stored

on a mainframe in San Francisco. Which system do you think is more vulnerable to unauthorized access? Excessive

losses from disaster?

The bank that has the data for all of its branches stored on one mainframe computer is at greater risk of access

control. All of the firms records are centrally housed. Once a perpetrator gains unauthorized access to the system,

the data for all 10 branches are at risk. For the other bank the perpetrator would have to breach security for each of

the 13 branch computers. Thus, the bank with all of its data centrally stored on a mainframe is more vulnerable to

access control. The primary disasters of concern in California are earthquakes and fires. The bank with a central

mainframe in San Francisco is probably at the greatest risk of damage from both earthquakes and fires. If that

system is destroyed, all of the branches lose their processing capability and, possibly, stored data.

13. Discuss the differences between the attest function and assurance services.

The attest service is defined as an engagement in which a practitioner is engaged to issue, or does issue, a written

communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of

another party. The following requirements apply to attestation services:

o Attestation services require written assertions and a practitioners written report.

o Attestation services require the formal establishment of measurement criteria or their description in the
6

presentation.
Page
 Review
o The levels of service in attestation engagements are limited to examination, review, and application of

agreed-upon procedures.

Assurance services constitute a broader concept that encompasses, but is not limited to, attestation. Assurance

services are professional services that are designed to improve the quality of information, both financial and

nonfinancial, used by decision makers. Assurance services are intended help people make better decisions by

improving information. This information may come as a by-product of the attest function or it may ensue from an

independently motivated review.

Chapter 16
6. Discuss six ways that threats from destructive programs can be substantially reduced through a

combination of technology controls and administrative procedures.

The following examples controls and procedure that can reduce the threat from destructive programs:

Purchase software only from reputable vendors and accept only those products that are in their original,

factory-sealed packages.

Issue an entity-wide policy pertaining to the use of unauthorized software or illegal (bootleg) copies of copyrighted

software.

Examine all upgrades to vendor software for viruses before they are implemented.

Inspect all public-domain software for virus infection before using.

Establish entity-wide procedures for making changes to production programs.

Establish an educational program to raise user awareness regarding threats from viruses and malicious programs.

Install all new applications on a standalone computer and thoroughly test them with antiviral software prior to

implementing them on the mainframe or LAN server.

Routinely make backup copies of key files stored on mainframes, servers, and workstations.

Wherever possible, limit users to read and execute rights only.

Require protocols that explicitly invoke the operating systems logon procedures in order to bypass Trojan horses.

Some operating systems allow the user to directly invoke the operating system logon procedure by entering a key

sequence such as CTRL + ALT + DEL. The user then knows that the logon procedure on the screen is legitimate.

Use antiviral software (also called vaccines) to examine application and operating system programs for the presence

of a virus and remove them from the affected program.

7. Explain the three ways that audit trails can be used to support security objectives.

DETECTING UNAUTHORIZED ACCESS. Detecting unauthorized access can occur in real time or after the fact. The primary
7

objective of real-time detection is to protect the system from outsiders attempting to breach system controls. A real-time
Page
 Review
audit trail can also be used to report changes in system performance that may indicate infestation by a virus or worm.

Depending on how much activity is being logged for review, real-time detection can add significantly to operational

overhead and degrade performance. After the-fact detection logs can be stored electronically and reviewed periodically or

as needed. When properly designed, they can be used to determine if unauthorized access was accomplished, or

attempted and failed.

RECONSTRUCTING EVENTS . Audit trail analysis can be used to reconstruct the steps that led to events such as system

failures or security violations by individuals. Knowledge of the conditions that existed at the time of a system failure can be

used to assign responsibility and to avoid similar situations in the future.

PERSONAL ACCOUNTABILITY. Audit trails can be used to monitor user activity at the lowest level of detail. This capability is

a preventive control that can influence behavior. Individuals are less likely to violate an organizations security policy when

they know that their actions are recorded in an audit log. A system audit log can also serve as a detective control to assign

personal accountability for actions taken such as abuse of authority. For example, consider an accounts receivable clerk

with authority to access customer records. The audit log may disclose that the clerk has been printing an inordinate

number of records, which may indicate that the clerk is selling customer information in violation of the companys privacy

policy.
8
Page