CPA review BEC Module 41Information Technology

2

Organization of Module 41

A. Information systems within a business

B. Characteristics of IT systems – general

C. Characteristics of IT systems – specific

D. Control objectives for information and related technology

E. Effect of IT on internal control

F. Flowcharting

3

Concept of Information Technology (IT)

• What do we mean by "IT"?• Any tool for manipulating data, information

- electronic: computer software and hardware - our focus

- paper: documents, filing techniques… still there, gradually transformed into electronic

4

Importance of IT and Computer Networks to Accountants• To use, evaluate, and develop a modern AIS, accountants must be familiar with IT

• Computers enable accountants to perform their duties more quickly, accurately, and consistently than by manual methods

• Software such as electronic spreadsheets aid accountants in analyzing financial statements and in developing budgets

5

Manual vs Computer Systems

• Manual• Exceptional/infrequent

transactions• Setting objectives and

policy-making judgments• New problems• Supervising employees• Social communications• Making complex strategic

decisions

• Computerized• Collecting and processing large

volumes of routine transactions• Storing large quantities of data

and information• Monitoring and controlling

continuous processes• Answering specific inquiries

based on stored data• Preparing complex analyses

and extensive reports• Helping gather data and

understanding the relationships between all types of decisions

6

Data

• A firm’s data resource involves four major functions:• Record & Repository Creation• Repository Maintenance through additions and updates

• Data Retrieval• Data Archival and Removal

7

File Classifications

• Master files: These contain (semi) permanent data (records) pertaining to entities (people, places, and things).

8

File-Oriented Approach to Data Storage• In the file-oriented approach to data storage computer applications maintain their own set of files

• This traditional approach focuses on individual applications, each of which have a limited number of users, who view the data as being “owned” by them

9

Deficiencies of the File-Oriented Approach• Files and data elements used in more than one application must be duplicated, which results in data redundancy

• As a result of redundancy, the characteristics of data elements and their values are likely to be inconsistent

• Outputs usually consist of preprogrammed reports instead of ad-hoc queries provided upon request. This results in inaccessibility of data

10

The Database Approach to Data Storage• A database is a set of computer files that minimizes data redundancy and is accessed by one or more application programs for data processing

• The database approach to data storage applies whenever a database is established to serve two or more applications, organizational units, or types of users

11

Documenting Data in Data-Base Systems• The Conceptual Data Model is the logical grouping of data on entities

• Two common Conceptual Data Modeling techniques are:• The Data Dictionary• Entity-Relationship Diagrams

12

Data Dictionary

• A data dictionary is a computer file that maintains descriptive information about the items in a database

• Each computer record of the data dictionary contains information about a single data item used in an AIS

13

Data Processing Methods

• Batch data processing involves the processing of data in groups (or batches) of like transactions at periodic intervals. Used when transaction activity is low or periodic

• Real-time processing consists of processing each transaction as it arises and is captured

14

Online Real-Time (also referred to as direct access processing) • Transactions are processed in the order in which they occur, regardless of type.

15

Types of Network Architectures

• Wide-Area Networks• Formed among computers and inter-connected devices that are geographically distant from one another

• Local-Area Networks• A type of distributed network created when two or more linked computers are grouped within a limited geographical area

16

Wide Area Networks

• Concentrates all application processing at one geographical location

• Consists essentially of one (or a cluster of) central mainframe computer(s) and one or more physically remote terminals

• Typically all hardware, software, and data processing personnel are located at corporate headquarters

17

Local Area Networks

• A LAN may be connected to other LANs and/or WANs via hardware devices known as gateways or bridges

• At the heart of a LAN is the workstation• Microcomputer-based workstation• Traditional workstation• Super workstation

18

Malicious Programs

• Unexpected changes in, or losses of, data may be an indication of the existence of a virus on one’s computer.

• E-mail attachments and public domain software (generally downloadable from the Internet at no cost to users) are notorious sources of viruses.

19

Malicious Programs

• Trojan horse—A malicious, security-breaking program that is disguised as something benign, such as a game, but actually is intended to cause IT damage

• Worm—A program that propagates itself over a network, reproducing itself as it goes

20

Electronic Commerce• Electronic Commerce (EC) is where business transactions take place via telecommunications networks, especially the Internet.• Electronic commerce describes the buying and selling of products, services, and information via computer networks including the Internet.

• The infrastructure for EC is a networked computing environment in business, home, and government.

• E-Business describes the broadest definition of EC. It includes customer service and intrabusiness tasks. It is frequently used interchangeably with EC.

21

• A global networked environment is known as the Internet

• A counterpart within organizations, is called an intranet

• An extranet extends intranets so that they can be accessed by business partners.

Electronic Commerce

22

• A market is a network of interactions and relationships where information, products, services, and payments are exchanged.

• The market handles all the necessary transactions.• An electronic market is a place where shoppers and sellers meet electronically.

• In electronic markets, sellers and buyers negotiate, submit bids, agree on an order, and finish the execution on- or off-line.

Electronic Markets

23

• An interorganizational information system (IOS) involves information flow among two or more organizations.

• Its major objective is efficient routine transaction processing, such as transmitting orders, bills, and payments using EDI or extranets.

• Scope: An IOS is a unified system encompassing two or several business partners.

• A typical IOS includes a company and its suppliers and and/or customers.

Interorganization Information Systems

24

• Electronic data interchange (EDI)• Extranets• Electronic funds transfer (EFT)• Integrated messaging systems• Shared databases• Electronically-supported supply chain management

Types of Interorganizational Systems

25

• Lack of sufficient system’s security, reliability, standards, and communication protocols

• Insufficient telecommunication bandwidth• The software development tools are still evolving and changing rapidly

• Difficulties in integrating the Internet and electronic commerce software with some existing applications and databases

• Technical Limitations of Electronic Commerce

The Limitations of Electronic Commerce

26

• The need for special Web servers and other infrastructures, in addition to the network servers (additional cost)

• Possible problems of interoperability, meaning that some EC software does not fit with some hardware, or is incompatible with some operating systems or other components

The Limitations of Electronic Commerce

Security for Transaction Processing Systems• Every firm must define, identify, and isolate frequently occurring hazards that threaten its hardware, software, data, and human resources

• Security measures provide day-to-day protection of computer facilities and other physical facilities, maintain the integrity and privacy of data files, and avoid serious damage or losses

• Security measures include those that protect physical non-computer resources, computer hardware facilities, and data/information

28

The COBIT 5 Framework• COBIT- control objectives for information and

related technology• COBIT 5 helps enterprises create optimal value

from IT by maintaining a balance between realising benefits and optimising risk levels and resource use.

29

COBIT 5 Principles

30

COBIT 5 Enablers

31

Governance and Management

• Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed-on direction and objectives.

• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body

32

IT Governance

COBIT4.0/4.1

Management

COBIT3

Control

COBIT2

Audit

COBIT1

COBIT evolution

2005/720001998

Evo

lutio

n o

f sc

op

e

1996 2012

Val IT 2.0(2008)

Risk IT(2009)

33

Five COBIT 5 Principles

1.Meeting Stakeholder Needs

2.Covering the Enterprise End-to-end

3.Applying a Single Integrated Framework

4.Enabling a Holistic Approach

5.Separating Governance From Management

34

1. Meeting Stakeholder Needs

Enterprises exist to create value for their stakeholders.

35

1. Meeting Stakeholder Needs

• Enterprises have many stakeholders, and ‘creating value’ means different—and sometimes conflicting—things to each of them.

• Governance is about negotiating and deciding amongst different stakeholders’ value interests.

• The governance system should consider all stakeholders when making benefit, resource and risk assessment decisions.

• For each decision, the following can and should be asked:

­ Who receives the benefits? ­ Who bears the risk? ­ What resources are required?

35

36

2. Covering the Enterprise End-to-End

• COBIT 5 addresses the governance and management of information and related technology from an enterprise wide, end-to-end perspective.

37

Key components of a governance

system

2. Covering the Enterprise End-to-End

38

3. Applying a Single Integrated Framework

• COBIT 5 aligns with the latest relevant other standards and frameworks used by enterprises: • Enterprise: COSO, COSO ERM, ISO/IEC

9000, ISO/IEC 31000• IT-related: ISO/IEC 38500, ITIL, ISO/IEC

27000 series, TOGAF, PMBOK/PRINCE2, CMMI

39

4. Enabling a Holistic Approach

COBIT 5 enablers are:• Factors that, individually and collectively,

influence whether something will work—in the case of COBIT, governance and management over enterprise IT

• Driven by the goals cascade, i.e., higher-level IT-related goals define what the different enablers should achieve

• Described by the COBIT 5 framework in seven categories

40

4. Enabling a Holistic Approach1.Processes2.Organisational structures3.Culture, ethics and behaviour4.Principles, policies and frameworks5.Information6.Services, infrastructure and applications7.People, skills and competencies

41

5. Separating Governance From Management

• The COBIT 5 framework makes a clear distinction between governance and management.

• These two disciplines:• Encompass different types of activities• Require different organisational structures• Serve different purposes

• Governance—In most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson.

• Management—In most enterprises, management is the responsibility of the executive management under the leadership of the CEO.

42

COBIT 5 is not prescriptive, but it advocates that organizations implement governance and management processes such that the key areas are covered, as shown.

5. Separating Governance From Management

43

The Effect of Information Technology on Internal Control

44

Flowcharting Symbols