As a member of a development team, youve been asked to develop and test the

new AIS.
Discuss the eight basic steps required in the implementation phase of the SDLC in
the proper order they should occur. (Points : 30)

The eight-step method to develop and test software programs in conjunction with the systems
implementation phase of the SDLC consists of the following:

consult with users and write an agreement about software requirements as a way to
determine user needs
create and document a development plan
identify the overall approach and major processing tasks at a high level before proceeding
to levels of greater detail; begin writing program instructions
test the program once program code has been written; this can be achieved in part
through debugging and desk checking
document the program; this will explain how the program works and assist analysts in
correcting and resolving errors
train program users; documentation developed in step five will be used at this time
install and use the system; program maintenance can take place as needed.
use and modify the system (program maintenance); revise existing programs

Explain the preparation of financial statements as the third step in the general
ledger and reporting system.

Preparing the financial statements as part of the general ledger system incorporates the
following:
income statement; this relies on data from revenue and expense accounts that have been
adjusted.
adjusted trial balance; used to provide the balances used on the income statement.
Revenue and expense accounts are "zeroed out" using closing entries, transferring any net
income or loss to the retained earnings account
prepare balance sheet
statement of cash flows is prepared after the balance sheet since it uses data obtained
from both the income statement and the balance sheet as well as other information about
the organization's investing and financing activities.
Advantages and disadvantages to consider include the following:
Advantages Not having to deal with complexity and changes in tax codes
Not having to worry about what to do if equipment crashes
Reduced likelihood of employees accessing the payroll files; increased confidentiality
Increased efficiencies and cost reductions.
Wider range of benefits.

Freed-up computer resources.

DisadvantagesLess control over the payroll files because they are stored off-site
Extra costs for any special reports
Slower response to ad-hoc queries

In addition to the advantages and disadvantages mentioned, the following should also be taken
into consideration:
How much does the service cost?
How would the data be submitted-online or hand carried?
What kind of reports and documents could be obtained from the service bureau?
How would the service interface with the existing general ledger system?
What resources are now being devoted to payroll and how could these resources be redeployed into other areas?
Could security and control be improved by the outsourcing?
What would be the time length of a contract for outsourcing services?
Could the service bureau system be integrated so that an online query could be made by
the organization?
What kind of track record does the service bureau have with other clients?
Are there new technologies and approaches that would become available to the company
via the service bureau?
Identify and discuss the common systems for approving vendor payments.

Vendor payments are commonly approved through the use of both Voucher and Non-voucher
systems

Voucher system - disbursement vouchers are prepared with summary information

contained in a set of vendor invoices and specify the general ledger accounts to be
debited; the voucher authorizes the cashier to make payment to the vendor. The voucher
system reduces the number of checks written since several invoices can be paid by one
check.
Non-voucher or open invoice system - approved invoices are posted to vendor records
and stored in an open invoice file. Checks are written for each individual invoice; when
paid, the documents are marked "paid" and placed in a paid invoice file.

Dinners-Done-Right is a very successful dinner service that delivers healthy dinners to

customers in a medium-sized city. D-D-R has four locations, one on each side of town (north,
south, east, and west.) In order to provide quick delivery (30 minutes or less or the customer gets
$5 off) and delicious food to the majority of the city, D-D-R owner, Jessica, frequently generates
and analyzes reports that give her information about her company's customers. Using these
reports, Jessica decides whether to change the menu items, prices, delivery areas, etc. She is
able to gauge relative performance of the four store locations. D-D-R has approximately sixty

employees. Order clerks take customer orders over the telephone and instruct the cooks on what
they need to prepare. The cooks prepare the requested food and give it to the order clerks who
package it for delivery. Delivery people take the final packaged orders to the customers'
residences using company-owned delivery vehicles. Delivery people accept credit card, check
and cash payments. Delivery people return a copy of the delivery ticket along with the
customer's remittance to the order clerk who records the payment using the company's electronic
cash register. Each days receipts are totaled and Jessica decides into which of D-D-R's bank
accounts those receipts should be deposited.
Required: (a) List the operating events and the decision/management events discussed in
this example; (b) Identify and discuss any risks associated with the events; (c) Propose at
least one or more internal controls that would mitigate the risks.
Operating events include:

Receive customer orders over the telephone

Prepare food
Package food
Deliver food to customer address

Decision/Management events include:

Analyze customer and competitor information

Decide what menu items, prices & delivery areas to offer
Analyze performance information from the different store locations
Decide which bank account to use for depositing the days receipts

One risk to consider is the possibility of running out of merchandise that customers want to buy.
A control to mitigate this risk would include accurate inventory control and ordering procedures.
Another risk would be to charge too much for goods resulting in their not selling. Controls to
mitigate this might include:

accurate market analyses

monitoring of sales and price reductions indicated by slow sales

The flip side to the previous risk is to charge too little for goods so profits are too low. Controls
to mitigate this risk would include:

accurate costing procedures

pricing policies based on accurate costing

Provide three reasons or benefits of AIS skills to any accounting-related career

Since accounting data comes from an AIS, having an understanding and knowledge of AIS
skills are critical to an accountants career success; interacting with an AIS is one of the most
important activities that accountants perform.
Being able to effectively interact with an AIS provides an accountant the ability to:

Improve decision making

Share knowledge - sharing knowledge and expertise can improve operations and
provide a competitive advantage.
Improve the internal control structure - with the proper internal control structure one
can protect systems from fraud, errors, system failures, and disasters.

For example, CPA firms use their information systems to share best
practices and to support communication between offices. Employees
can search the corporate database to
There are three (3) important business functions that are performed by the six (6)
components of an AIS.

The six components of an Accounting Information System include:

1. The people who operate the system and perform various functions
2. The procedures and instructions, both manual and automated, involved in
collecting, processing, and storing data about the organizations activities
3. The data about the organization and its business processes
4. The software used to process the organizations data
5. The information technology infrastructure, including computers, peripheral
devices and network communications devices used to collect, store, process and
transmit data and information
6. The internal controls and security measures that safeguard the data in the AIS.
These six components enable an Accounting Information System to fulfill three
important business functions:
1. Collect and store data about organizational activities, resources, and personnel
2. Transform data into information that is useful for making decisions so
management can plan, execute, control and evaluate activities, resources and
personnel
3. Provide adequate controls to safeguard the organizations assets, including its
data, to ensure that the assets and data are available when needed and the data are
accurate and reliable.
Discuss redundancy as it applies to database design and explain how redundancy
can be reduced.

In the case where multiple systems exist, numerous problems and

inefficiencies become problematic. Often the same data must be captured
and stored by more than one system, which not only results in
redundancy across systems but also can lead to discrepancies if data are

changed in one system but not in others. In addition, it is difficult to

integrate data from the various systems.
Enterprise resource planning (ERP) systems overcome these problems as
they integrate all aspects of a companys operations with a traditional AIS.
Most large and many medium-sized organizations use ERP systems to
coordinate and manage their data, business processes, and resources.
The ERP system collects, processes, and stores data and provides the
information managers and external parties need to assess the company.
Discuss the collection of evidence in audits.

A typical audit has a mix of audit procedures. For example, an internal

control audit makes greater use of observation, documentation review,
employee interviews, and reperformance of control procedures. A
financial audit focuses on physical examination, confirmation,
vouching, analytical review, and reperformance of account balance
calculations.
Most audit effort is spent collecting evidence and, because many audit tests cannot be
performed on all items under review, they are often performed on a sample basis. The
following includes some of the more common ways to collect audit evidence:

Observation of the activities being audited (e.g., watching how data control
personnel handle data processing work as it is received)
Review of documentation to understand how a particular process or internal
control system is supposed to function
Discussions with employees about their jobs and about how they carry out
certain procedures
Questionnaires that gather data
Physical examination of the quantity and/or condition of tangible assets, such as
equipment and inventory
Confirmation of the accuracy of information, such as customer account
balances, through communication with independent third parties
Re-performance of calculations to verify quantitative information (e.g.,
recalculating the annual depreciation expense)
Vouching for the validity of a transaction by examining supporting documents,
such as the purchase order, receiving report, and vendor invoice supporting an
accounts payable transaction
Analytical review of relationships and trends among information to detect items
that should be further investigated. For example, an auditor for a chain store
discovered that one stores ratio of accounts receivable to sales was too high. An
investigation revealed that the manager was diverting collected funds to her
personal use.

Evaluate the benefits of a database approach to data management over old fileoriented systems.

In file-oriented systems, programmers must know the physical location and layout of
records. In the past, companies typically created new files and programs each time a need
for information arose. This proliferation created problems such as storing the same data in
two or more master files, making it difficult to integrate and update data and to obtain an
organization-wide view of data. It also created problems because the data in the different
files were inconsistent.
Databases were developed to address the proliferation of master files. Database systems
overcome this problem by separating the storage of the data from the use of data elements.
The database approach provides two separate views of the data: the physical view and the
logical view. The logical view is how people conceptually organize and understand the
data. The physical view refers to how and where data are physically arranged and stored in
the computer system.
Several years ago a ring of foreign-based hackers broke into Town Banks system and stole $10
million from its customers accounts. Discuss how systems can become vulnerable to computer
crimes and then evaluate controls that strengthen those weaknesses.
Required:
a) Provide at least three weaknesses of AIS that hackers can exploit for gain
b) Suggest at least one control for each weakness

Cross-site scripting (XSS) is a vulnerability in dynamic Web pages that allows an attacker to
bypass a browsers security mechanisms and instruct the victims browser to execute code
thinking it came from the desired Web site.
The best way to protect against XSS is HTML sanitization, which is a process of validating
input and only allowing users to input predetermined characters.
A zero-day attack (or zero-hour attack) is an attack between the time a new software
vulnerability is discovered and the time a software developer releases a patch that fixes the
problem. When hackers detect a new vulnerability, they release it into the wild by posting
it on underground hacker sites. Word spreads quickly, and the attacks begin. It takes
companies time to discover the attacks, study them, develop an antidote, release the patch to
fix the problem, install the patch on user systems, and update antivirus software.
One way software developers minimize the vulnerability window is to monitor known hacker
sites so they know about the vulnerability when the hacker community does.
A man-in-the-middle (MITM) attack places a hacker between a client and a host and
intercepts network traffic between them. An MITM attack is often called a session hijacking
attack. MITM attacks are used to attack public-key encryption systems where sensitive and
valuable information is passed back and forth.

To prevent MITM attacks, most cryptographic protocols authenticate each communication

endpoint.

(TCO A) How can an AIS add value to the organization?

Student Answer:

Instructor
Explanation:

Points Received:

An AIS can add value to the organization by improving quality and

reducing the costs of products or services, improving efficiency or
operations, sharing knowledge and expertise that will improve
operations and competitive advantage, improving the efficiency and
effectiveness of its supply chain, improving the internal control
structure and improving decision making.
An AIS can increase the efficiency and effectiveness of the value chain by
improving the quality and lowering costs of products or services, improving
efficiency of operations, improving decision making, enhancing the sharing of
knowledge, improving the efficiency and effectiveness of its supply chain and
improving the internal control structure. (Ch. 1, p. 11)

0 of 5

Comments:
Question 7 Question :
.
Student Answer:

Instructor
Explanation:

(TCO A) Name two reasons why it is important to have a working

knowledge of DFDs and flowcharting.

First reason why it is important to have a working knowledge of

DFD and flowcharting because they are the two most frequently
used development and documentation tools. Second, because they
are tools that are used to simplify and create order in the extremely
complex system development.
First, data flow diagrams and flowcharts are the two most frequently used
development and documentation tools used today. Second, since systems
development is extremely complex, DFDs and flowcharts are tools that are
used to create order from chaos and complexity. (Ch 3, p. 50)

(TCO B) Why is computer fraud on the rise?

Student Answer:

Instructor

Computer fraud is on the rise because many instances of computer

fraud go undetected, a high percentage of fraud is not reported,
many networks are not secure, internet sites offer step by step
instructions on how to perpetrate computer fraud and abuse, law
enforcement cannot keep up with the growth of computer fraud,
calculating losses is difficult and not everyone agrees on what
constitutes computer fraud.
Chapter 5. Not everyone agrees on what constitutes computer fraud and

Explanation:

Points Received:

some people may commit computer fraud unwittingly and not be aware of it.
Many computer frauds go undetected. The belief that "it just can't happen to
us". Most networks have a low level of security. Many Internet sites provide
guidance on how to commit computer crimes. Law enforcement is unable to
keep up with the number of computer frauds. Most frauds are not reported.
The total dollar value of losses is difficult to calculate.

0 of 5

Comments:
Question 7 Question :
.
Student Answer:

Instructor
Explanation:

(TCO B) What is the difference between general and specific

authorization?

General authorization is a set of guidelines that allows employees to

handle routine transactions without special approval, whereas
specific authorization would require an individual to get written
permission or authorization from management for that single
transaction to be completed.
Authorizations are often documented by signing, initializing, or entering an
authorization code on a transaction document or record. Management may
deem that certain transactions are of a routine nature and as such may
authorize employees to handle such transactions without special approval.
This is known as general authorization. Other transactions may be of such
consequence that management grants specific authorization for them to
occur. Usually management must approve of such transactions and oversee
them to completion, requiring an additional signature required on checks
exceeding a given dollar amount. Management should have written policies
on both specific and general authorization for all type of transactions.
(Chapter 7, p. 196).
(TCO G)
Describe the function of a computer incident response team (CIRT) and
the steps that a CIRT should perform following a security incident.

Student Answer:

Instructor
Explanation:

A Computer incident response team (CIRT) function is to respond

to security incidents promptly and effectively and they are also
responsible with major incidents. The four steps that a CIRT should
perform following a security incident are the following:1.)
Recognize that a problem exists 2.) Contain the problem 3.)
Recover the damaged caused by the attack and 4.) Follow-up and
analyze how the incident occurred.
Answer: A CIRT is responsible for dealing with major security incidents and
breaches. The team should include technical specialists and senior
operations management. In response to a security incident, first the CIRT
must recognize that a problem exists. Log analysis, intrusion detection
systems can be used to detect problems and alert the CIRT. Second, the
problem must be contained, perhaps by shutting down a server or curtailing
traffic on the network. Third, the CIRT must focus on recovery. Corrupt
programs may need to be reinstalled and data restored from backups.
Finally, the CIRT must follow-up to discover how the incident occurred and to

design corrective controls to prevent similar incidents in the future.

Chapter 8, p. 239

Points Received:

0 of 5

Comments:
Question 7 Question :
.
Student Answer:

Instructor
Explanation:

Points Received:

(TCO G) Explain why the auditor's role in program development and

acquisition should be limited.

The auditor's role in program development and acquisition should

be limited because an auditor should remain impartial and objective
as possible in order to perform as an independent evaluator. If
auditor independence is impaired the audit itself may lose its value
and become questionable.
The auditor's role in any organization systems development should be limited
only to an independent review of systems development activities. The key to
the auditor's role is independence; the only way auditors can maintain the
objectivity necessary for performing an independent evaluation function is by
avoiding any and all involvement in the development of the system itself. If
auditor independence is impaired, the audit itself may be of little value and its
results could easily be called into question. (Chapter 11, p. 309)

0 of 5
(TCO D) In billing and accounts receivable, what documents are
commonly used?

Student Answer:

Instructor
Explanation:

Points Received:
Comments:

In billing and accounts receivable the documents commonly used is

the sales invoice, this notifies the customers of the amount to be
paid and when and where to send the payments. A sales invoice is
regularly compared with sales orders, picking tickets and shipping
documents, to reduce the risk of unintentional failure to bill.
Remittance advice and monthly statements are other documents
commonly used in billing and accounts receivable.The monthly
statements are lists of all transactions including both sales and
payments and inform customers of their current account balance.
Remittance advice is a turnaround document that is attached to the
invoice and need to be returned together with the payment.
Sales invoice notifies customer of amount to be paid. Monthly statement
summarizes all transactions that occurred during month . Credit memo
authorizes the billing department to credit the customer's account, should be
issued by credit manager. (Chapter 12, p.348-50)

0 of 5

Question 7 Question :
.
Student Answer:

Instructor
Explanation:

(TCO D) How can information technology be used to improve the vendor

invoice approval process?

Information technology can be used to improve the vendor invoice

approval process by eliminating vendor invoices. This invoiceless
approach is called evaluated receipt settlement (ERS). ERS saves
time and money by reducing the number of documents that need to
be matched, hence the number of potential mismatches. ERS
automates the two way matching process and automatically
generate payments, manual review is only necessary when there is
discrepancies between the receiving report and purchase order.
EDI eliminates the need to enter invoice data and the matching of payment
documents - all of this can be done using computers and network
technologies. Technology can eliminate the need for vendor invoices by
approving payment upon receipt of the goods. Imaging systems can
eliminate paper flow, and universal languages such as XML can provide a
paperless means of receiving and storing vendor invoices. Use of
procurement cards, credit cards, and electronic expense forms can improve
the efficiency of non-inventory purchases. ERS, which is invoice-less, is a
means to replace the traditional three-matching process (vendor invoice,
receiving report and purchase order) with a two-way match of the purchase
order and receiving report. (Chapter 13, p. 387)
(TCO E) What are some of the benefits of using incentives and bonuses?
What are some dangers?

Student Answer:

Instructor
Explanation:

Points Received:
Comments:

The advantages of using incentives and bonuses is that it often

improves performance by having a healthy competition among
employees, increase engagement, creativity, and retain employees
in the long run. But it can also leads to some dangers like unethical
behavior, fuel turnover, foster envy and discontent, frustration,
apathy and reduced productivity. Management should balance
incentives and bonuses and act fairly to achieve the results it desire
among its employees.
Sales staffs are often paid either on a straight commission basis or a
combination of a salary plus commissions. This is done to keep sales at a
certain level or to increase sales. The HRM/payroll system will need input
from the sales and other cycles to properly calculate commissions and
bonuses for such employees. It is important that an incentive and bonus
system sets realistic, attainable goals that are congruent with corporate
objectives. It is also important that managers monitor incentive and bonus
goals and ensure that the attainment of such goals is appropriate for the
organization and does not lead to undesirable behavior, which can result
from poorly designed incentive schemes. (Chapter 15, p. 443-444)

0 of 5

Question 7 Question :
.
Student Answer:

Instructor
Explanation:
Points Received:

(TCO F) What are the four basic activities involved in the general ledger
and reporting system?

The four basic activities involved in the general ledger and

reporting system are: 1) update general ledger 2) post adjusting
entries 3) prepare financial statements 4) produce managerial
reports. Updating general ledger consists of posting journal entries
that originate from accounting subsystems and treasurer. The
second activity of posting adjusting entries originate from the
controller's office after the initial trial balance has been prepared.
The third activity is preparing financial statements both monthly
and annually. And the final activity in the general ledger and
reporting system is to produce various managerial reports, including
budgets, to help managers plan and evaluate performance.
Update general ledger. Post adjusting entries. Prepare financial statements.
Produce managerial reports. (Chapter 16, p. 464, Figure 16-2).

0 of 5
(TCO H) What is the purpose of a conceptual systems design report?

Student Answer:

Instructor
Explanation:

Points Received:

The purpose of a conceptual systems design report is to

communicate ow all information needs will be met and helps the
steering committee assess feasibility by summarizing conceptual
design activities and guides physical design activities. The main
component of the report is a description of one or more
recommended system designs.
The purpose of this report is to a) summarize conceptual design activities, b)
guide physical systems design activities, c) communicate how management
and user information needs will be met, and d) help the steering committee
assess system feasibility. (Chapter 22, p. 643)

0 of 5

Comments:
Question 7 Question :
.
Student Answer:

Instructor

(TCO H) Explain the concept of an application service provider.

Application service provider is where companies can rent software

over the internet. This provides scalability as the business grows
and global access to information. It automates software upgrades,
allows companies to focus on core financial competencies rather
than information technology issues, and can reduce software costs
and administrative overhead.
An application service provider (or ASP) is a third-party provider of software
to organizations. An ASP is Web-based, providing delivery of software to its

Explanation:

clients over the Internet. An organization that uses an ASP "rents" the
software, thus eliminating the tasks of buying, installing, and maintaining the
software. Among the advantages to using this approach as opposed to the
outright purchase of software is a reduction of software costs and
administrative overhead, automated software upgrades, scalability as the
organization itself grows, global access to information, access to skilled IT
personnel, and ability to focus on core competencies rather than IT
requirements. (Chapter 21, p. 614)

90) Classify each of the following controls as preventive, detective, or corrective.

Periodic bank reconciliation
Separation of cash and accounting records
Maintaining backup copies of master and transaction files
Pre-numbering of sales invoices
Chart of accounts
Retina scan before entering a sensitive R & D facility
Resubmission of error transactions for subsequent processing
Internal auditor rechecking the debits and credits on the payment voucher
Depositing all cash receipts intact
Hiring qualified accounting personnel
Answer:
Detective.
Preventive.
Corrective.
Preventive.
Preventive.
Preventive.
Corrective.
Detective.
Preventive.
Preventive
What is the difference between file-oriented transaction processing systems and
relational databasesystems? Discuss the advantages and disadvantages of these
systems.

In file-oriented approaches, different users (or departments, units, etc.) maintain

their own data and usedifferent application programs. This results in a significant
increase in number of master files stored byan organization. The various
disadvantages of file-oriented organization include data redundancy,
datai n c o n s i s t e n c i e s , l a c k o f d a t a i n t e g r a t i o n , a l a r g e n u m b e r o f
d a t a fi l e s , s u b s t a n t i a l p r o g r a m - d a t a dependence, lack of
compatibility, and lack of data sharing. The database approach views
data as anorganizational resource that should be used and managed for the
entire organization. The program thatmanages and controls the data and
the interfaces between data and application programs is called
thed a t a b a s e m a n a g e m e n t s y s t e m ( D B M S ) . T h e v a r i o u s
a d v a n t a g e s o f d a t a b a s e a p p r o a c h i n c l u d e t h e following: minimal data
redundancy, fewer data inconsistencies, data integration, data sharing,
reportingflexibility, central management of data, cross-functional analysis, and
data independence
The seven characteristics of useful information are: relevant, reliable, complete,
timely, understandable, verifiable and accessible. These characteristics are qualitie
s
that information should possess to be useful in a business environment. Briefly
stated, in order for information to be useful it must be: 1) relevant, meaning that it
reduces uncertainty and adds to the decision-making process; 2) reliable informatio
n
is information that is free from error, and is accurate in its nature; 3) complete
information is information that does not omit any important data, facts, or aspects
about events or activities; 4) information is timely when it is fully available to enable
the decision-making process to proceed; 5) understandable information must be bot
h
in an intelligible and useful format; 6) information is considered verifiable if two
people, acting independently of each other, produce the same information or the sa
me
results. Information is accessible if it is available to users when they need it and in
a

format they can use.

How can information technology be used to improve the vendor invoice approval pr
ocess?
EDI eliminates the need to enter invoice data and the matching of payment docume
nts - all of
this can be done using computers and network technologies. Technology can elimin
ate the need
for vendor invoices by approving payment upon receipt of the goods. Imaging syste
ms can
eliminate paper flow, and universal languages such as XML can provide a paperless
means of

receiving and storing vendor invoices. Use of procurement cards, credit cards, and e
lectronic
expense forms can improve the efficiency of non-inventory purchases. ERS, which is
invoiceless,
is a means to replace the traditional three-matching process (vendor invoice, receivi
ng report
and purchase order)with a two-way match of the purchase order and receiving repor
t.
XBRL (Extensible Business Reporting Language) is a variation of XML, which is
designed to communicate the content of data. XML improves upon HTML by being
able to describe the content of the data presented. However, XML is limited when
communicating financial information. For financial purposes, XBRL identifies each
piece of data, along with how the data should be processed and how the data relate
to other data items. XBRL may soon become the universal standard computer
language for communicating financial data. XBRL enables organizations to publish
financial information only once, using standard XBRL tags. XBRL tagged information
is interpretable and doesn't need to be re-entered by users.