Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
1. The revenue cycle, where goods and services are sold for cash or a future promise to receive
cash
2. The expenditure cycle, where companies purchase inventory for resale or raw materials to
use in producing products in exchange for cash or a future promise to pay cash. This cycle is
discussed in Chapter 13.
3. The production or conversion cycle, where raw materials are transformed into finished
goods. This cycle is discussed in Chapter 14.
4. The human resources/payroll cycle, where employees are hired, trained, compensated,
evaluated, promoted, and terminated. This cycle is discussed in Chapter 15.
5. The financing cycle, where companies sell shares in the company to investors and borrow
money, and where investors are paid dividends and interest is paid on loans.
Pengertian SIA: A system that collects, records, stores, and processes data to produce information
for decision makers. It includes people, procedures and instructions, data, software, information
technology infrastructure, and internal controls and security measures.
Pengertian Data Processing System : The four operations (data input, data storage, data processing,
and information output) performed on data to generate meaningful and relevant information.
a. Input : The first step in processing input is to capture transaction data and enter them into
the system. The data capture process is usually triggered by a business activity. Data must be
collected about three facets of each business activity:
1. Each activity of interest
2. The resource(s) affected by each activity
3. The people who participate in each activity0
For example, the most frequent revenue cycle transaction is a sale, either for cash or on
credit. S&S may find it useful to collect the following data about a sales transaction:
b. Storage
A company’s data are one of its most important resources. However, the mere existence of
relevant data does not guarantee that they are useful. To function properly, an organization
must have ready and easy access to its data. Therefore, accountants need to understand
how data are organized and stored in an AIS and how they can be accessed. In essence, they
need to know how to manage data for maximum corporate use.
c. Processing
Once business activity data have been entered into the system, they must be processed to
keep the databases current. The four different types of data processing activities, referred to
as CRUD, are as follows:
1. Creating new data records, such as adding a newly hired employee to the payroll
database.
2. Reading, retrieving, or viewing existing data.
3. Updating previously stored data. Figure 2-4 depicts the steps required to update an
accounts receivable record with a sales transaction. The two records are matched using the
account number. The sale amount ($360) is added to the account balance ($1,500) to get a
new current balance ($1,860).
4. Deleting data, such as purging the vendor master file of all vendors the company no
longer does business with.
d. The final step in the data processing cycle is information output. When displayed on a
monitor, output is referred to as “soft copy.” When printed on paper, it is referred to as
“hard copy.” Information is usually presented in one of three forms: a document, a report,
or a query response.
1. document - A record of a transaction or other company data. Examples include checks,
invoices, receiving reports, and purchase requisitions.
2. reports - System output, organized in a meaningful fashion, that is used by employees to
control operational activities, by managers to make decisions and design strategies, and
by investors and creditors to understand a company’s business activities
3. query - A request for the database to provide the information needed to deal with a
problem or answer a question. The information is retrieved, displayed or printed, and/or
analyzed as requested.
ERP :
Advantages :
● Data input is captured or keyed once, rather than multiple times, as it is entered into different
systems. Downloading data from one system to another is no longer needed.
● Management gains greater visibility into every area of the enterprise and greater monitoring
capabilities. Employees are more productive and efficient because they can quickly gather data from
both inside and outside their own department.
● The organization gains better access control. An ERP can consolidate multiple permissions and
security models into a single data access structure.
● Procedures and reports are standardized across business units. This standardization can be
especially valuable with mergers and acquisitions because an ERP system can replace the different
systems with a single, unified system.
● Customer service improves because employees can quickly access orders, available inventory,
shipping information, and past customer transaction details.
● Manufacturing plants receive new orders in real time, and the automation of manufacturing
processes leads to increased productivity.
Disadvantages :
● Cost. ERP hardware, software, and consulting costs range from $50 to $500 million for a Fortune
500 company and upgrades can cost $50 million to $100 million. Midsized companies spend
between $10 and $20 million.
● Amount of time required. It can take years to select and fully implement an ERP system,
depending on business size, number of modules to be implemented, degree of customization, the
scope of the change, and how well the customer takes ownership of the project. As a result, ERP
implementations have a very high risk of project failure.
● Changes to business processes. Unless a company wants to spend time and money customizing
modules, they must adapt to standardized business processes as opposed to adapting the ERP
package to existing company processes. The failure to map current business processes to existing
ERP software is a main cause of ERP project failures.
● Complexity. This comes from integrating many different business activities and systems, each
having different processes, business rules, data semantics, authorization hierarchies, and decision
centers.
● Resistance. Organizations that have multiple departments with separate resources, missions,
profit and loss, and chains of command may believe that a single system has few benefits. It also
takes considerable training and experience to use an ERP system effectively, and employee
resistance is a major reason why many ERP implementations do not succeed. It is not easy to
convince employees to change how they do their jobs, train them in new procedures, master the
new system, and persuade them to share sensitive information. Resistance, and the blurring of
company boundaries, can cause problems with employee morale, accountability, and lines of
responsibility.
● Financial (general ledger and reporting system)—general ledger, accounts receivable, accounts
payable, fixed assets, budgeting, cash management, and preparation of managerial reports and
financial statements
● Human resources and payroll—human resources, payroll, employee benefits, training, time and
attendance, benefits, and government reporting
● Order to cash (revenue cycle)—sales order entry, shipping, inventory, cash receipts, commission
calculation
● Project management—costing, billing, time and expense, performance units, activity management
● System tools—tools for establishing master file data, specifying flow of information, access
controls, and so on
SOAL 2
● Create an organizational culture that stresses integrity and commitment to ethical values and
competence.
● Adopt an organizational structure, management philosophy, operating style, and risk appetite
that minimizes the likelihood of fraud.
● Require oversight from an active, involved, and independent audit committee of the board of
directors.
● Assign authority and responsibility for business objectives to specific departments and
individuals, encourage them to use initiative to solve problems, and hold them accountable for
achieving those objectives.
● Identify the events that lead to increased fraud risk, and take steps to prevent, avoid, share, or
accept that risk.
● Develop and implement a fraud risk assessment program that evaluates both the likelihood
and the magnitude of fraudulent activity and assesses the processes and controls that can deter
and detect the potential fraud.
● Create an audit trail so individual transactions can be traced through the system to the
financial statements and financial statement data can be traced back to individual transactions.
● Conduct periodic external and internal audits, as well as special network security audits; these
can be especially helpful if sometimes performed on a surprise basis.
● Develop comprehensive fraud contingency, disaster recovery, and business continuity plans.
● Store backup copies of program and data files in a secure off-site location.
Computer Abuse:
Although effective information security requires the deployment of technological tools such as
firewalls, antivirus, and encryption, senior management involvement and support throughout all
phases of the security life cycle (see Figure 8-2) is absolutely essential for success.
The first step in the security life cycle is to assess the information security-related threats that the
organization faces and select an appropriate response. Information security professionals possess
the expertise to identify potential threats and to estimate their likelihood and impact. However,
senior management must choose which of the four risk responses described in Chapter 7 (reduce,
accept, share, or avoid) is appropriate to adopt so that the resources invested in information
security reflect the organization’s risk appetite.
Step 2 involves developing information security policies and communicating them to all employees.
Senior management must participate in developing policies because they must decide the sanctions
they are willing to impose for noncompliance. In addition, the active support and involvement of top
management is necessary to ensure that information security training and communication are taken
seriously. To be effective, this communication must involve more than just handing people a written
document or sending them an e-mail message and asking them to sign an acknowledgment that they
received and read the notice. Instead, employees must receive regular, periodic reminders about
security policies and training on how to comply with them.
Step 3 of the security life cycle involves the acquisition or building of specific technological tools.
Senior management must authorize investing the necessary resources to mitigate the threats
identified and achieve the desired level of security.
Finally, step 4 in the security life cycle entails regular monitoring of performance to evaluate the
effectiveness of the organization’s information security program. Advances in IT create new threats
and alter the risks associated with old threats. Therefore, management must periodically reassess
So with that, let's look at what the 5 Trust Service Principles are and give a high level definition of
them:
Security - The system is protected against unauthorized access, both physical and logical
Availability - The system is available for operation and use as committed or agreed
Privacy - Personal information is collected, used, retained, disclosed, and destroyed in conformity
with the commitments in the entity's privacy notice and with the criteria set forth in Generally
Accepted Privacy Principles (GAPP)
SOAL 4
A failure to have internal controls in place results in front-page news stories that no company wants
to be a part of. Enron, Worldcom, and Equifax are few examples of organizations that made news
headlines due to a lack of internal control. Similarly, there are dozens of cases each year of
companies who privately lose millions of dollars due to control failures, fraud, and misconduct.
Having a strong internal control environment can provide management and stakeholders reasonable
assurance that the organization is operating in accordance with company policies, industry
standards, and regulatory requirements.
Control Environment—is a set of standards, structures, and processes that provide the foundation
for performing internal control within the entity
Risk Assessment—is a process used to identify (on an iterative basis), assess, and manage risks to the
achievement of the entity’s objectives
Monitoring Activities—are ongoing evaluations of the implementation and operation of the five (5)
components of internal audit
Hazard risk
Financial risk
Operational risk
Customer satisfaction, Product failure, Integrity, Reputational risk; Internal Poaching; Knowledge
drain
Strategic risks
Senior management and the board of directors have integral roles in the Model. Senior management
is accountable for the selection, development, and evaluation of the system of internal control with
oversight by the board of directors. Although neither senior management nor the board of directors
Although external parties are not formally considered to be among an organization’s three lines of
defense, groups such as external auditors and regulators often play an important role regarding the
organization’s overall governance and control structure. Regulators establish requirements often
intended to strengthen governance and control, and they actively review and report on the
organizations they regulate. Similarly, external auditors may provide important observations and
assessments of the organization’s controls over financial reporting and related risks.
When coordinated effectively, external auditors, regulators, and other groups outside the
organization could be considered as additional lines of defense, providing important views and
observations to the organization’s stakeholders, including the board of directors and senior
management. However, the work of these groups has different and generally more focused or
narrow objectives, such that the areas addressed are less extensive than those evaluated by the
organization’s internal lines of defense. For example, specific regulatory audits may focus solely on
compliance issues, safety, or other limited-scope issues; while the three lines of defense are
intended to address the entire range of operational, reporting, and compliance risks facing an
organization. Parties such as external auditors and regulators, while they contribute valuable
information, should not be considered as substitutes for the internal lines of defense as it is an
organization’s responsibility to manage its risks, not an outside party’s responsibility.