CORE CONCEPTS OF Accounting Information Systems
Eleventh Edition

Nancy A. Bagranoff, DBA, Professor and Dean, College of Business and Public Administration, Old Dominion University
Mark G. Simkin, Ph.D., Professor, Department of Accounting and Information Systems, University of Nevada
Carolyn Strand Norman, Ph.D., CPA, Associate Professor, Department of Accounting, Virginia Commonwealth University

JOHN WILEY & SONS, INC.

For Larry (Nancy Bagranoff)
In memory of my father, Edward R. Simkin (Mark G. Simkin)
Thank you to my students—especially the Spring 2009 class who helped select our cover design (Carolyn Strand Norman)

VP and Publisher: George Hoffman
Associate Publisher: Christopher DeJohn
Editorial Assistant: Kara Taylor
Project Editor: Ed Brislin
Media Editor: Greg Chaput
Executive Media Editor: Allison Morris
Senior Marketing Manager: Julia Flohr
Marketing Assistant: Laura Finley
Photo Editor: Hilary Newman
Designer: RDC Publishing Group Sdn Bhd
Production Manager: Janis Soo
Senior Production Editor: Joyce Poh

Cover Credit: © Carol & Mike Werner/Visuals Unlimited

This book was set by Laserwords Private Limited, and printed and bound by R.R. Donnelley. The cover was printed by R.R. Donnelley. This book is printed on acid free paper.

Copyright © 2010, 2008, 2005, 2001 John Wiley & Sons, Inc. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, website www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030-5774, (201)748-6011, fax
(201)748-6008, website http://www.wiley.com/go/permissions. To order books or for customer service please call 1-800-CALL WILEY (225-5945).

Library of Congress Cataloging-in-Publication Data
Bagranoff, Nancy A.
Core concepts of accounting information systems / Nancy A. Bagranoff, Mark G. Simkin, Carolyn Strand Norman.—11th ed.
p. cm.
Includes index.
ISBN 978-0-470-50702-5 (pbk.)
1. Accounting–Data processing. 2. Information storage and retrieval systems–Accounting. I. Simkin, Mark G. II. Norman, Carolyn Strand. III. Title.
HF5679.M62 2010
657.0285–dc22
2009026526

Printed in the United States of America

ABOUT THE AUTHORS

Nancy A. Bagranoff received her A.A. degree from Briarcliff College, B.S. degree from the Ohio State University, and M.S. degree in accounting from Syracuse University. Her DBA degree was conferred by The George Washington University in 1986 (accounting major and information systems minor). From 1973 to 1976, she was employed by General Electric in Syracuse, New York, where she completed the company's Financial Management Training Program. Dr. Bagranoff passed the CPA examination in the District of Columbia in 1982. She spent fall 1995 as Faculty in Residence at Arthur Andersen where she worked for the Business Systems Consulting and Computer Risk Management groups. Professor Bagranoff has published several articles in such journals as Journal of Information Systems, Journal of Accounting Literature, Computers and Accounting, The Journal of Accounting Education, Behavioral Research in Accounting, Journal of Accountancy, and The Journal of Accounting and EDP. Dr. Bagranoff is also co-author of Core Concepts of Consulting for Accountants and Core Concepts of IT Auditing. She is currently Professor of Accounting and the Dean of the College of Business and Public Administration at Old Dominion University. She was formerly President of the Information Systems section and Vice President—Education, of the American Accounting Association. She is currently the President of the American
Accounting Association.

Mark G. Simkin received his A.B. degree from Brandeis University and his MBA and Ph.D. degrees from the Graduate School of Business at the University of California, Berkeley. Before assuming his present position of professor in the Department of Accounting and Information Systems, University of Nevada, Professor Simkin taught in the Department of Decision Sciences at the University of Hawaii. He has also taught at California State University, Hayward, and the Japan America Institute of Decision Sciences, Honolulu; worked as a research analyst at the Institute of Business and Economic Research at the University of California, Berkeley; programmed computers at IBM's Industrial Development—Finance Headquarters in White Plains, New York; and acted as a computer consultant to business companies in California, Hawaii, and Nevada. Dr. Simkin is the author of more than 100 articles that have been published in such journals as Decision Sciences, JASA, The Journal of Accountancy, Communications of the ACM, Interfaces, The Review of Business and Economic Research, Decision Sciences Journal of Innovative Education, Information Systems Control Journal, and the Journal of Bank Research.

Carolyn Strand Norman received her B.S. and M.S.I.A. degrees from Purdue University and her Ph.D. from Texas A&M University. Dr. Norman is a Certified Public Accountant, licensed in Virginia. She is a retired Lieutenant Colonel who was a management analyst with the United States Air Force. At the Pentagon, she developed compensation and entitlements legislation, working frequently with House and Senate staffers. Prior to assuming her current position, Dr. Norman taught at Seattle Pacific University where she co-authored the book, XBRL Essentials, with Charles Hoffman, and was selected as Scholar of the Year for the School of Business and Economics. Dr. Norman has published more than 40 articles in such journals as Behavioral Research in Accounting, Journal of Accounting and Public Policy,
Journal of Information Systems, Advances in Accounting Behavioral Research, Issues in Accounting Education, Journal of Accounting Education, and Research in Government and Nonprofit Accounting.

PREFACE

Information technologies impact every aspect of accounting, including financial reporting, managerial accounting, auditing, and tax. The nature of the work done by accountants continues to evolve as these technologies advance. For example, less than 30 years ago, accountants could have spent much of their day footing ledgers and making hand calculations. Today, of course, accountants use the many helpful functions in spreadsheet software, and update or change calculations instantly, instead of the days it would have taken with paper and pencil. Internet technologies continue to change the way accountants do things. And because most accounting systems are now computerized, accountants must understand software and system processes to effect and evaluate systems of internal control. Business and auditing failures continue to force the profession to emphasize internal controls and to rethink the state of assurance services. As a result, the subject of accounting information systems (AIS) will continue to be an important part of the new vision of the accounting profession.

The purpose of this book is to help students understand basic AIS concepts. Exactly what comprises these AIS concepts is subject to some interpretation, and is certainly changing over time, but most accounting professionals believe that it is the knowledge that accountants will need for understanding and using information technologies and for knowing how an AIS gathers and transforms data into useful decision-making information. In this edition of our textbook, we include the core concepts of accounting information systems indicated by chapter in the table below. The book is flexible enough that instructors may choose to cover the chapters in any order.

ACCOUNTING INFORMATION SYSTEMS COURSE CONTENT AREA COVERAGE
Content Area                          Coverage
AIS Applications                      7, 8, 9
Auditing                              14
Database Concepts                     4, 5, 6
Internal Control                      10, 11, 12
Management of Information Systems     1, 2, 13
Management Use of Information         1, 3, 7, 8, 9, 15
Systems Development Work              13
Technology of Information Systems     2, All
Use of Systems Technology             All

About This Book

Despite the commonality of subjects in the AAA study, the content of AIS courses continues to vary widely from school to school. Some schools, for example, use their AIS courses to teach accounting students how to use computers. In other colleges and universities, the course focuses on business processes and data modeling. Other courses emphasize transaction processing and accounting as a communication system, and have little to do with the technical aspects of how underlying accounting data are processed or stored. Given the variety of objectives for an AIS course and the different ways that instructors teach it, we developed a textbook that attempts to cover only the core concepts of AIS. In writing the text, we assumed that students have completed basic courses in financial and managerial accounting and have a basic knowledge of computer hardware and software concepts. The text is designed for a one-semester course in AIS and may be used at the community college, baccalaureate, or graduate level. Our hope is that individual instructors will use this book as a foundation for an AIS course, building around it to meet their individual course objectives. Thus, we fully expect that many instructors will supplement this textbook with other books, cases, software, or readings. The arrangement of the chapters permits flexibility in the instructor's subject matter coverage. Certain chapters may be omitted if students have covered specific topics in prior courses.

Part One introduces students to the subject of AIS. In the first chapter, we lay the basic foundation for the remainder of the text and set the stage for students to think about the high degree of technology that is
common to the accounting profession. This chapter also includes a section on careers in AIS so that students can understand the career paths that combine accounting with the study of information systems. Students taking the AIS course may or may not have had an earlier course in information technology. Chapter allows those who did not have such a course to learn about the latest technologies and emphasizes their use in accounting. For students who have had earlier courses in computers and/or information systems, this chapter serves as a review. Chapter is about systems documentation, a matter of critical importance to the success of an AIS and also to the understanding of an accounting information system. This chapter describes the various tools that accountants can use to document an AIS for their own and others' understanding of information flows.

Part Two discusses databases and data modeling. Chapter begins our coverage by discussing database concepts in general, describes the steps required to create database tables and records, and emphasizes such database concerns as security, privacy, and concurrency. This chapter also responds to increasing instructor interest in teaching the REA approach to data modeling. Chapter continues these discussions, focusing on such topics as normalization, and using Microsoft Access to illustrate uses of data definition languages and data manipulation languages. Chapter continues the discussion of how to use Microsoft Access to develop database forms and reports. This chapter is more ‘‘how to’’ than the other chapters in the book and it allows the instructor to guide students with hands-on experience in using software to implement the database concepts they have learned.

Business processes and software solutions for improving those processes are gaining in importance in today's businesses. Chapters and discuss several core business processes and highlight a number of Business Process Management (BPM) solutions that are currently available in
the marketplace. Instructors who focus on transaction cycles in their AIS courses may choose to use supplemental pedagogical tools, such as software and practice sets, to cover this material in more depth. In Chapter we discuss accounting and enterprise software, also providing advice in AIS selection.

Part Four is an overview of the value of internal controls and the consequences when controls are not developed (or are weak). Chapter 10 focuses on computer crime, ethics, and privacy to help students understand the need for internal controls. The next two chapters introduce the students to internal controls that are necessary at each level of the organization. Although the subject of internal control appears repeatedly throughout the book, we examine this subject in depth in Chapters 11 and 12.

The last section of the book examines special topics in AIS. Recognizing that some students in current AIS courses may have taken a prior course in management information systems (MIS) and thus are already familiar with systems development topics, the emphasis in Chapter 13 is on the accountant's role in designing, developing, implementing, and maintaining a system. Information technology auditing is an increasingly important field and represents a great career opportunity for students who understand both accounting and IT. Chapter 14 extends our coverage of internal controls to the general subject of auditing in an IT environment. Finally, although we have integrated Internet technology throughout this book, its influence on accounting information systems is so great that we devoted a special chapter to it. Chapter 15 provides a basic overview of Internet concepts, discusses financial reporting on the Internet, including an expanded section on XBRL, explores the accounting components of e-commerce, and covers the issues of privacy and security.

Special Features

This edition of our book uses a large number of special features to enhance the coverage of chapter material as well
as to help students understand chapter concepts. Thus, each chapter begins with an outline and a list of learning objectives that emphasize the important subject matter of the chapter. This edition of the book also includes more real-world Cases-in-Point, which are woven into the text material and illustrate a particular concept or procedure. Each chapter also includes a more-detailed real-world case or concept in an end-of-chapter AIS-at-Work feature. Each chapter ends with a summary and a list of key terms, and also includes multiple-choice questions for self-review with answers, and three types of end-of-chapter exercises to help students understand the material: discussion questions, problems, and cases. This wide variety of questions, Test Yourself multiple-choice questions and answers, problems, and cases enables students to examine many different aspects of each chapter's subject matter and also enables instructors to vary the exercises they use each semester. The end-of-chapter materials also include a list of references and recommended readings that allow interested students to explore the chapter material in greater depth. In addition, instructors may wish to assign one or a number of articles listed in each chapter reference section to supplement chapter discussions. These articles are also an important resource for instructors to encourage students to begin reading professional journals. We include articles from Strategic Finance, The Journal of Accountancy, and The Internal Auditor, which represent the journals of three important accounting professional organizations.

There are two major supplements to this textbook. One is an instructor's manual containing suggested answers to the end-of-chapter discussion questions, problems, and cases. There is also a test bank of true-false and multiple-choice questions.

What's New in the Eleventh Edition

This edition of our book includes a number of changes from prior editions. These include:

• Additional Test Yourself
multiple-choice questions at the end of each chapter to help students assess their understanding of the chapter material.
• Expanded coverage of topics that are increasingly impacting AIS, including a new discussion of suspicious activity reporting, updated narrative on business continuity planning and disaster recovery, new accounting frauds, the Sarbanes-Oxley Act of 2002, an introduction of COBIT version 4.1, synergies that are available to organizations (i.e., ERPs, SOX, COBIT, and BPM), emphasis on risk and governance, lean production and lean accounting, and XBRL.
• An expanded section in Chapter on career paths for those majoring in AIS.
• Increased usage of bullets and tables to review or explain material in an efficient format that appeals to students. For example, all of the chapter summaries are now in bullet format.
• Many new Cases-in-Point that identify examples of the discussion in the textbook. These examples illustrate the topic to give students a better grasp of the material.
• Color!
This edition uses color to offset cases and to make the book more interesting to read.
• Chapter reorganization, with database chapters moved closer to the front, as requested by our adopters. Instructors still have the flexibility to integrate the database concepts and database development anywhere in their course.
• An updated glossary of AIS terms at the end of the book.
• One chapter on developing and implementing AISs, with a focus on the role of accountants in these studies. Because many students cover these concepts in other MIS and computer courses, this allows the instructor to assign the chapter as a review, rather than as a major segment of the course.
• New AIS at Work features at the end of many chapters to help students better understand the impact of systems in a wide variety of contexts.
• A number of new cases at the end of chapters so that instructors have more choices of comprehensive assignments for students.

ACKNOWLEDGMENTS

We wish to thank the many people who helped us during the writing, editing, and production of our textbook. Our families and friends are first on our list of acknowledgments. We are grateful to them for their patience and understanding as we were writing this book. Next, we thank those instructors who read earlier drafts of this edition of our textbook and provided many useful suggestions for improving the final product. In addition, we are indebted to the many adopters of our book who frequently provide us with feedback. We sincerely appreciate Paula Funkhouser who revised chapters 4, 5, and on this edition as well as helped us with our supplementary materials on this and several previous editions. We also thank our development editor, Chris DeJohn, and our production editor, Joyce Poh, for their contributions to this edition of our book. Finally, we thank all of our many students who have given us feedback when we've used the book. We listen!
Nancy A. Bagranoff
Mark G. Simkin
Carolyn Strand Norman
February 2009

PART FIVE / Special Topics in Accounting Information Systems

automatically add their email address to a file that they use to regularly send out emails about sales and other promotions. Kara and Scott are concerned about internal controls in their business. They especially worry because they know that their web access creates some special risks. They have asked one of their customers who is an accounting student at the university to evaluate the reliability of their information system, with respect to security, availability, and privacy.

Requirements:
1. Identify two security, availability, and privacy risks that Basic Requirements faces.
2. For each risk identified above, describe two internal controls Basic Requirements should use to protect against these risks.
3. The accounting student who is evaluating the reliability of Basic Requirements' information system is interested in becoming an IT auditor. Describe some of the specific actions an IT auditor would take to verify that Kara and Scott have adequate controls in place concerning privacy.

14-16 Tiffany Martin, CPA (Information Technology Audit Skills)

Tiffany Martin is an audit manager in a medium-sized public accounting firm. Tiffany graduated from college seven years ago with a degree in accounting. She obtained her CPA certification soon after she joined the firm where she currently works. Tiffany is a financial auditor; she has had little training in auditing computerized information systems. The current engagement Tiffany is working on includes a complex information processing system with multiple applications. The financial accounting transactions are processed on a server. The IT department employs 25 personnel, including programmers, systems analysts, a database administrator, computer operators, technical support personnel, and a director. Tiffany has not spoken with anyone in the department because she is fearful that her lack of technical knowledge
relative to IT will cause some concern with the client. Because Tiffany does not understand the complexities of the computer processing environment, she is unable to determine what risks might result from the computerized system's operations. She is particularly worried about unauthorized changes to programs and data that would affect the reliability of the financial statements. Tiffany has spoken to Dick Stanton, the partner who has responsibility for this audit client, about her concerns. Dick has suggested that Tiffany conduct more substantive testing than she would undertake in a less complex processing environment. This additional testing will hopefully ensure that there are no errors or fraud associated with the computer processing of the financial statements.

CHAPTER 14 / Information Technology Auditing

Requirements:
1. Do you think that Dick Stanton's suggested approach is the most efficient way to control risks associated with complex computer environments?
2. How should Tiffany respond to Dick's suggestion?
3. What can a public accounting firm, such as the one in which Tiffany works, do to ensure that audits of computerized accounting information systems are conducted efficiently and effectively?
4. Should Tiffany be allowed to conduct this audit given her limited level of skills? How might she acquire new skills?
14-17 The Linz Company (Audit Program for User Accounts)

Jack Herron is an IT auditor with McGee LLP, a large national public accounting firm. His manager, Amanda McDermott, has assigned him to the Linz Company audit. The McGee financial auditors have requested that the IT auditors complete several auditing steps so that they may make a decision about the scope of their audit work. The IT auditors also need to evaluate IT controls to provide the financial auditors with information in order to garner an opinion on internal controls as part of Sarbanes-Oxley compliance.

The Linz Company manufactures automotive parts and supplies them to the largest auto-makers. The company has approximately 600 employees and has manufacturing operations and offices in three locations. Linz uses a mid-sized ERP software program for manufacturers that they acquired and implemented two years ago. Amanda has asked Jack to develop an audit program to examine logical access to the ERP system. According to the Security Administrator at Linz, each employee is assigned a unique User ID and password when they join the company. The company is very concerned about security, so there is no remote access to the ERP system. The ERP system requires that users change their passwords every six months. System and group settings assigned to each User ID determine what parts of the ERP system are available to each user.

Requirements:
1. Explain how a deficiency in controls over User IDs and passwords might impact Linz's financial statements.
2. Explain why auditing User IDs and passwords should be part of the overall IT audit program for Linz.
3. Describe at least four control procedures that Linz could have in place to ensure that only authorized users access the system and that user access is limited according to their responsibilities.

REFERENCES AND RECOMMENDED READINGS

Aerts, Luc. ‘‘A Framework for Managing Operational Risk,’’ Internal Auditor (August 2001), pp. 53–59.
Alles, Michael G., Alexander Kogan, & Miklos A.
Vasarhelyi. ‘‘Putting Continuous Auditing Theory into Practice: Lessons from Two Pilot Implementations,’’ Journal of Information Systems, Vol. 22, Iss. (Fall 2008), pp. 195–215.
Attaway, Morris C. ‘‘What Every Auditor Needs to Know About E-Commerce,’’ Internal Auditor (March 2000), pp. 56–60.
Campbell, Diane Sears. ‘‘Focus on Cyber-Fraud,’’ Internal Auditor (February 2002), pp. 28–33.
Coe, Martin J. ‘‘Trust Services: A Better Way to Evaluate I.T. Controls,’’ Journal of Accountancy (March 2005), pp. 69–73.
Davis, Riccardo A. ‘‘Technology: Risky Business,’’ Accounting Technology, Vol. 22, Iss. (March 2006), pp. 32–35.
Frieswick, Kris. ‘‘How Audits Must Change,’’ CFO (July 2003), pp. 42–50.
Gallegos, Frederick. ‘‘Red Teams: An Audit Tool, Technique and Methodology for Information Assurance,’’ Information Systems Audit and Control Journal, Vol. (2006), pp. 51–56.
Hinson, Gary. ‘‘The State of IT Auditing in 2007,’’ EDPACS (July 2007), Vol. 36, Iss. 1, pp. 13–32.
Hunton, James E., Stephanie M. Bryant, & Nancy A. Bagranoff. Core Concepts of Information Technology Auditing. New Jersey: John Wiley and Sons, Inc., 2004.
Melber, Derek. ‘‘Auditing User Accounts,’’ Internal Auditor (November/December 2005), pp. 41–45.
Nyberg, Alix. ‘‘Sticker Shock—The True Cost of Sarbanes-Oxley Compliance,’’ CFO (September 2003), pp. 51–62.
Osheroff, Mike. ‘‘SOX As Opportunity,’’ Strategic Finance, Vol. 87, Iss. 10 (April 2006), pp. 19–20.
Panko, R. R. ‘‘Applying Code Inspection To Spreadsheet Testing,’’ Journal of Management Information Systems, Vol. 16, No. (Fall 1999), pp. 159–176.
Raff, Lawrence. ‘‘Seeking SOX Software?’’ Strategic Finance, Vol. 87, Iss. 11 (May 2006), pp. 52–55.
Ramaswamy, Vinita & John Leavins. ‘‘Continuous Auditing, Digital Analysis, and Benford's Law,’’ Internal Auditing (July/August 2007), Vol. 22, Iss. 4, pp. 25–32.
Ramos, Michael. ‘‘Auditors' Responsibility for Fraud Detection,’’ Journal of Accountancy (January 2003), pp. 28–35.
Richards, Dave. ‘‘Consultant Auditing:
Charting a Course,’’ Internal Auditor (December 2001), pp. 30–35.
Searcy, DeWayne L., & Jon B. Woodroof. ‘‘Continuous Auditing: Leveraging Technology,’’ The CPA Journal (May 2003), pp. 46–48.
Sarva, Srinivas. ‘‘Continuous Auditing Through Leveraging Technology,’’ Information Systems Control Journal, Vol. (2006), pp. 47–50.
Warren, J. Donald, Jr., & L. Murphy Smith. ‘‘Continuous Auditing: An Effective Tool for Internal Auditors,’’ Internal Auditing (March/April 2006), pp. 27–35.
Winters, Bruce I. ‘‘Choose the Right Tools for Internal Control Reporting,’’ Journal of Accountancy (February 2004), pp. 34–40.
Worthen, Ben. ‘‘A Funny Thing Happened on the Way to Compliance (It Got Easier),’’ CIO (December 2003), pp. 1–7.

ANSWERS TO TEST YOURSELF
1. c  2. b  3. a  4. c  5. d  6. d  7. d  8. b  9. b  10. c

Glossary

Access control list: a list of bona fide IP addresses in devices such as firewalls.
Access security: a restriction of AIS access to bona fide users.
Accounting information system (AIS): the information subsystem within an organization that accumulates and processes information (both financial and non-financial) from the entity's various subsystems and communicates this information to the organization's users.
Action query (Microsoft Access): a query that manipulates, and typically alters, one or more tables in an Access database.
Activity-based costing systems: help managers in describing processes, identifying cost drivers of each process, and then determining the unit costs of products associated with drivers.
Advanced electronic tags: input technologies that replace manual data entry with automated technologies, such as barcode scanners, radio frequency (RF) technology, and RFIDs. These input technologies can be used individually or combined to significantly reduce input errors and support fast, accurate, real-time production and data collection.
Advanced planning and scheduling systems (APS): systems that work to synchronize the flow of materials within the supply chain.
Alphanumeric codes: codes that use numbers and letters.
Analysis paralysis: the condition where a problem is studied to the point that the study overshadows the problem.
Antivirus software: computer programs such as Norton Antivirus or McAfee that end users typically install in their computers to guard against computer viruses.
Applet: a small program that is stored in a Web page and is designed to run by Web browser software. Friendly applets animate Web pages, allow users to play games, or perform processing tasks.
Application controls: a major category of computer controls that are designed and implemented to prevent, detect, and correct errors and irregularities in transactions as they flow through the input, processing, and output stages of data processing work.
Application service provider (ASP): a source through which companies can rent rather than buy software.
Application software: computer software that performs specific tasks such as accounting tasks, spreadsheet tasks, marketing tasks, or word-processing tasks.
Applications portfolio: a set of software applications belonging to an organization.
Association of Certified Fraud Examiners (ACFE): an international professional organization committed to detecting, deterring, and preventing fraud and white-collar crime.
Attributes: the characteristics of entities, or the data fields describing them.
Audio input: computer inputs that use sound frequencies. An alternate term is ‘‘speech recognition system.’’
Audit Control Language (ACL): specialized software for auditing tasks used in forensic accounting.
Audit trail: enables information users within a company's system to follow the flow of data through the system.
Auditing around the computer: audit approach whereby an auditor follows a company's audit trail up to the point where accounting data enter the computer and then picks these data up again when they reappear in processed form as computer output.
Auditing through the computer: audit approach whereby an auditor follows a company's audit trail through the internal computer operations
phase of automated data processing.
Auditing with the computer: audit approach whereby the auditor uses the computer to aid in performing various auditing procedures (e.g., selecting a sample of accounts receivable data for confirmation).
Automated workpaper software: software that aids an auditor in performing such accounting functions as generating trial balances, recording adjusting journal entries, and preparing income statements and balance sheets.
Back-office: a reference to internal functions and processing within an organization, such as human resources and accounting.
Backup: additional copies of data that may be used to restore computer operations (e.g., after a disaster or in the event that files are accidentally deleted or corrupted).
Balanced scorecard: an approach to performance measurement that uses measures in four categories (financial performance, customer knowledge, internal business processes, and learning and growth) to evaluate and promote certain activities and behaviors.
Bar code reader: a device that interprets the familiar barcode stripes printed on merchandise packages, shipping labels, and similar documents, and inputs the data into a computer.
Batch control total (BCT): typically, a manual total that is compared to a computer total to determine whether data were processed correctly.
Benchmark test: an approach for examining the operating efficiency of a particular system whereby a computer vendor's system performs a data processing task that a company's new system must perform and company representatives then examine the processing outputs for accuracy, consistency, and efficiency.
Best-of-breed: an approach to systems development where each application may be acquired from a separate vendor and represents the best program in that category of need.
Biometric scanners: a method of authenticating system users based on who they are. Examples include voice and fingerprint recognition systems.
Block codes: sequential codes in which specific blocks of numbers are
reserved for particular uses Blogs (or Web logs) collaboration tools that allow users with Web browsers and easy-to-use software to publish a personalized diary online Bolt-ons software from a variety of suppliers when employing a ‘‘best-of-breed’’ approach Boot-sector virus a virus that hides in the boot sector of a disk, where the operating system (OS) accesses the virus every time the OS accesses the disk itself Bound control (databases) a form control such as a textbox or label that displays the underlying data from a database table 511 512 Glossary Business continuity plan (BCP) management’s policies and procedures to continue the organization This includes risk identification, scenario planning, and practicing the plan Business event an activity that may or may not impact financial statements, but is important to the business Business intelligence (BI) tools data analysis software that helps managers obtain the most information from their customer relationship management systems Business process a collection of activities or flow of work in an organization that creates value Business process management software software solutions that help companies collect corporate knowledge, data, and business rules into a business system to improve core business processes Business process outsourcing (BPO) an approach where an organization chooses to have some of its basic functions, often related to IT, performed by an external organization Business process reengineering (BPR) techniques used by organizations to redesign their business processes from scratch Business-to-business (or B2B) e-commerce businesses buying and selling goods and services to each other over the Internet Business-without-boundaries a new business model that arose from the combination of networked enterprises and globalization CAATs (computer-assisted audit techniques) used by auditors when auditing through the computer CAATs can aid in the performance of compliance testing to ensure that a 
company’s controls are in place and working as prescribed Canned software software acquired from independent vendors Cardinalities a notation reflecting the nature of relationships among entities as one-to-one, one-to-many, none-to one, none-to-many, or many-to-many CASE tools computer-assisted software engineering tools that automate documentation tasks such as drawing or modifying flowcharts, generating graphics and screen designs, and developing report formats Cash control physical safeguards for cash, which is especially susceptible to theft by employees, and to human error when employees handle large amounts of it CD-ROM an acronym for ‘‘compact disk-read only memory.’’ CD-ROM disks can store approximately 640 megabytes of data Central database a comprehensive database that holds all the data for multiple applications or processes Central processing unit (CPU) the component of a computer that performs the processing tasks of the system The processor part of the CPU is typically a single silicon chip that can manipulate data—e.g., perform mathematical functions such as addition, as well as logic operations such as comparing text or number values Certificate authority an entity that issues digital certificates—for example, to authenticate the legitimacy of a bid or financial purchase Certified Information Systems Auditor (CISA) a professional information systems auditor who meets certification requirements of the Information Systems Audit and Control Association Certified Information Technology Professional a designation given by the AICPA for CPAs who meet specified additional requirements related to information technologies Change management a systematic approach to introducing dynamic change or disruption in an organization Chart of accounts what provides the organizational structure for the general ledger The chart of accounts makes use of a block coding structure Checkpoint a control that is performed at periodic intervals during processing A company’s 
computer network system temporarily does not accept new transactions Instead, it completes updating procedures for all partially processed transactions and then generates an exact copy of all data values and other information needed to restart the system The checkpoint is recorded on a separate tape or disk file This process is executed several times per hour Should a hardware failure occur, the system is restarted by reading in the last checkpoint and then reprocessing only those transactions that have occurred since the checkpoint Child record the lower-level record of two adjacent records in a hierarchical data structure Client/server computing an alternate to mainframe computing in which processing tasks are shared between a centralized host computer called the ‘‘server’’ and a smaller microcomputer called the ‘‘client.’’ COBIT Control Objectives for Information and Related Technology (COBIT) is a project undertaken by the Information Systems Audit and Control Foundation to develop a definition of internal control Cold backup a backup that is performed while the database is off-line and unavailable to its users Cold site a location where power and environmentally controlled space are available to install processing equipment on short notice If a disaster recovery plan designates a cold site, then separate arrangements are also necessary to obtain computer equipment matching the configuration of equipment lost in the disaster Collaborative business partnerships situations in which organizations work with other businesses, even their competitors, to increase their power to meet customer demands Computer abuse the unauthorized use of, or access to, a computer for purposes contrary to the wishes of the owner of the computer Computer crime the manipulation of a computer or computer data, by whatever method, to dishonestly obtain money, property, or some other advantage of value, or to cause loss Computer facility controls policies and procedures that prevent both 
unintentional and intentional harm to the firm’s computer assets Computer Fraud and Abuse Act of 1986 the act that defines computer fraud as any illegal act for which knowledge of computer technology is essential for its perpetration, investigation, or prosecution Computer record a set of data fields about one file entity—for example, one employee, one inventory item, or one sales transaction Computer Security Institute (CSI) the organization that conducts an annual survey to help determine the scope of computer crime in the United States Computer virus a computer program that rogue programmers embed in other programs, emails, or computer files, and that (when executed) typically perform such destructive acts as erasing files, disrupting emails, Glossary or interfering with operating system functions Computer worms reproducing programs that not actually destroy data, but replicate themselves repeatedly until the user runs out of internal memory or disk space Computer-assisted audit techniques (CAATs) used by auditors when auditing through the computer; CAAT’s can aid in the performance of compliance tests to ensure that a company’s controls are in place and working as prescribed Concurrency controls controls that prevent two or more users of a database from accessing the same record from the same file at the same time Consensus-based protocols a fault tolerant system that contains an odd number of processors If one processor disagrees with the others, it is thereafter ignored Context diagram high-level data flow diagram that provides an overall picture of an application or system Contingency planning the process of planning for events that could impede a company’s data processing function Continuous auditing the use of tools (such as embedded audit modules) that allow auditing to occur even when an auditor is not present; it is particularly effective when most of an application’s data are in electronic form Control Activities the policies and procedures that the 
management of a company develops to help protect all of the different assets of the firm Control break (databases) a change of value in an important data field (e.g., department number) of the records of a database table that requires additional computations in an output listing—for example, a subtotal Control environment a component of internal control that establishes the tone of a company, which influences the control awareness of the company’s employees Control Objectives for Information and Related Technology (COBIT) a project undertaken by the IT Governance Institute to develop a framework for internal control relative to information technology Cookie a small text file that stores information about your browsing habits and interests, as well as other information that you may supply by logging onto a website Corporate governance managing an organization in a fair, transparent, and accountable manner to protect the interests of all the stakeholder groups Corrective controls control procedures within a company’s internal control system that are designed to remedy problems discovered through detective controls COSO Report: 1992 a committee established by the Treadway Commission to develop a common definition for internal control and to provide guidance for judging the effectiveness of internal control as well as improving it COSO Report–2004 ‘‘Enterprise Risk Management—Integrated Framework’’ focuses on enterprise risk management (ERM) The ERM Framework includes the five components of internal control (control environment, risk assessment, control activities, information and communication, and monitoring) and adds three additional components: objective setting, event identification, and risk response Cost accounting subsystem generally associated with manufacturing firms, this subsystem provides important control information (such as variance reports) and is usually either job costing or process costing CPA WebTrust a set of services offered through the AICPA 
where auditors provide third-party assurance over a client’s Web site and Internet services Critical path the longest path to project completion within a PERT diagram, which is also the shortest completion time of the entire project Customer relationship management (CRM) employed to gather, maintain, and use data about a company’s customers with the objective of improving customer satisfaction and company profitability Dashboards a graphic technique that shows an organization’s performance metrics and compares actual data with planned Data communications protocol the settings that create a communications standard for a specific data communications application Examples of such settings include the transmission speed, parity bit, duplex setting, or synchronous-versus-asynchronous transmission type Data definition language (DDL) part of a DBMS that enables its users to define the record structure of any particular database table Data dictionary a description of the data fields in each database record of a database system 513 Data diddling changing data before, during, or after they are entered into a computer system Data encryption scrambling the data in a message in a systematic way in order to prevent competitors from electronically monitoring confidential data transmissions Data encryption standard (DES) an encryption methodology initially adopted in 1976 and enjoying widespread usage It is now considered insecure because of a small (56-bit) key size Data flow diagram primarily used in the systems development process to document the flow of data through an AIS Data hierarchy storing data electronically in the following ascending order: bit, character, data field, record, table, database Data integrity controls edit tests contained in the software used to create databases that guard databases from erroneous data entries Data manipulation controls methods of controlling data processing, such as examining software documentation, system flowcharts, program flowcharts, 
data flow diagrams, and decision tables because they help systems analysts a thorough job in planning data processing functions Data manipulation language (DML—databases) commands that allow an end-user to perform queries and similar tasks on the records in a database Data mart a form of data warehouse that allows users to perform predefined analytical tasks on the data Data mining a set of data analysis and statistical tools that enables companies to detect relationships, patterns, or trends among stored data within a database Data modeling a term used to describe the process of designing databases Data raw facts about events that have no organization or meaning Data transcription the task of converting manually-prepared source documents such as credit-card application forms to computer-readable file records Where possible, AIS developers try to avoid data transcription because it is costly, labor intensive, time-consuming, and likely to introduce errors into the data Data type similar to data format, this term specifies whether data is, for example, numerical, text, or currency 514 Glossary Data validation rule a custom edit test that enables a spreadsheet or database to reject entries—e.g., regular hours worked that exceed 40 Data warehouses large collections of historical data that organizations use to integrate their functions, thus allowing managers (and to some extent external parties) to obtain the information needed for planning, decision making, and control Data-access controls processing controls that are used at the time of data access, such as batch control totals, hash totals, and financial control totals Database a large collection of related data that are typically stored in computerized, linked files and manipulated by specialized software packages called database management systems Database administrator the person responsible for supervising the design, development, and installation of a large database system; this person is also responsible for 
maintaining, securing, and revising the data within the database system Database management system (DBMS) a separate software system that enables users to create database records, delete records, access specific information, query records for viewing or analysis, alter database information, and reorganize records as needed Database structure the particular method used to organize the records in a database Decision table a matrix of conditions and processing tasks for a computer program that indicates the appropriate action to take for each possibility Decomposition (documentation) the creation of finer levels of detail in flowcharts and data flow diagrams Default value specifying a value, such as the number ‘‘40’’ for an hours-worked data field, as an input control on the data fields of new records Denial of service attack an attack on an online company (such as eBay) when hackers ‘‘flood’’ the company’s Web site with bogus traffic Detailed systems design the systems design work that involves specifying the outputs, processing procedures, and inputs for a new system Detective controls control procedures within a company’s internal control system that provide feedback to management regarding whether or not operational efficiency and adherence to prescribed managerial policies have been achieved Dialback systems a password safeguard that initially disconnects all login users but reconnects users after checking their passwords against lists of bona fide user codes Digital certificate an authenticating document issued by an independent third party called a certificate authority used, for example, to authenticate documents (such as purchase orders) by including a portion of a document’s message in an encrypted format (which reflects the digital signature) Digital signature standard (DSS) Federal Information Processing Standard 186 by which the presence of a digital signature authenticates a document Digital subscriber line (DSL) a set of technologies that enable users 
to send and receive digital messages over telephone lines Transmission rates range between 128 and 24,000 kbits per second Digital time stamping the process of attaching time stamps to business transactions to authenticate the time and possibly the place of individual transactions Digital video disk (DVD) an optically read disk similar in size and shape to a CD but that is capable of storing as much as 17 gigabytes of data Direct conversion method of systems implementation in which a company’s old system is immediately dropped and the new system takes over the complete processing of the company’s transactions Disaster recovery plan part of contingency planning that describes the procedures to be followed if a company’s data processing center becomes disabled Discrepancy report a way to note any differences between quantities or amounts on the purchase order, the receiving report, and the purchase invoice Disk mirroring also known as disk shadowing This process involves writing all data in parallel to two disks Should one disk fail, the application program can automatically continue using the good disk Disk shadowing also known as disk mirroring This process involves writing all data in parallel to two disks Should one disk fail, the application program can automatically continue using the good disk Distributed denial-of-service attacks a single virus or worm program which manages to enlist the aid of innocent ‘‘zombie computers’’ that then send email messages to, or request services from, the target system Document Control when certain organizational documents are valuable and must be protected by such means as fireproof safes or storage in rented vaults offsite Document flowchart a means of tracing the physical flow of documents through an organization Documentation all the flowcharts, narratives, and other written communications that describe the inputs, processing, and outputs of an AIS Domain address an Internet address, also referred to as a universal resource 
locator (URL) Dot-matrix printer an impact printer that uses a print head of tiny wires, arranged in a grid (e.g., wires in each of rows) to create our familiar letters and other printing characters Many cash registers still use dot-matrix printers today Dumpster diving stealing personal information from garbage cans Dynaset a subset of database information typically selected dynamically with a query A dynaset can be a set of selected records from a single, large table, a limited number of data fields selected from each record in a table, a set of related data fields from the records in several tables, or a combination of these items E-business conducting business over the Internet or dedicated proprietary networks E-commerce largely buying and selling transactions within e-business E-wallet software applications that store a consumer’s personal information, including credit card numbers, allowing them to pay for online purchases by providing their associated account numbers to online vendors Economic events those events that impact an organization’s financial statements and AISs therefore record data about them in accounting transactions Glossary Economic event an activity that involves an increase and/or decrease in dollar amounts on financial statements Economic feasibility the process of analyzing the cost-effectiveness of a proposed system Edit programs also called ‘‘input validation routines.’’ These are programs or subroutines that check the validity and accuracy of input data after the data have been entered and recorded on a machine-readable file Edit tests tests that examine selected fields of input data and reject those transactions (or other types of data input) whose data fields not meet the preestablished standards of data quality Electronic commerce conducting business (often over the Internet) with computers and data communications Electronic conferencing a means of enabling accountants and others to use computers and phone lines to communicate with 
clients, etc., through the use of high-end groupware communications packages Electronic Data Gathering and Retrieval (EDGAR) database the database that contains the financial report filings of U.S.publicly held companies Electronic Data Interchange (EDI) a communications technique that allows organizations to transmit standard business documents over high-speed data communications channels Electronic eavesdropping unauthorized access to a computer system and its data to observe transmissions intended for someone else Electronic funds transfer (EFT) a cash management technique whereby the transfer of funds is electronic or computer-to-computer Electronic mail (email) creating a message on your microcomputer and then sending it electronically to someone else using the recipient’s email address Electronic payments (e-payments) the use of a third party to act as an intermediary in an online transaction, thereby eliminating credit card use Electronic procurement the use of modern computer technology to purchase goods and raw materials electronically (e.g., over the Internet) Electronic Systems Assurance and Control (eSAC) a framework developed by the Institute of Internal Auditors for evaluating controls over e-business Electronic vaulting creating backup copies of files that are electronically transmitted to a remote site rather than physically delivered to an off-site storage location Encryption key a (typically long) set of bits that is used to encrypt a message for transmission over public data transmission lines End-user computing the ability of non-computer employees to create computer applications of their own Enterprise application integration (EAI) a useful interface to businesses that allows companies with legacy applications and databases to integrate and continue to use those systems Enterprise asset management (EAM) systems a means of automating the management of a broad spectrum of assets Enterprise-wide database a large repository of organizational data 
that comes from, and is available to, a wide range of a company’s employees Enterprise mashups a dashboard that managers use to quickly view critical business information that collects data from a variety of sources—both inside and outside the firm Enterprise resource planning (ERP) systems software (e.g., Oracle) that provides for integration among all of an organization’s major business processes through the use of a central database; ERP II systems are extended with e-business and other front-office capabilities Enterprise risk management (ERM) also called the 2004 COSO Framework ERM helps an organization determine if their objectives are aligned with their strategy and that goals are consistent with the level of risk the organization is willing to take Entities data about objects of interest contained in databases including business and economic events, plus information about ‘‘who’’ and ‘‘what’’ were involved in those activities Entity-relationship (E-R) diagram a graphical documentation technique used by database designers to depict database elements and their direct relationships Event-driven programming language a computer programming language such as Visual Basic, that enables 515 a computer to respond to specific events (e.g., clicking on a menu choice) E-wallet also known as a ‘‘digital wallet,’’ e-wallets function like conventional wallets, but enable their users to buy and sell merchandise over the Internet Exception report a report that lists exceptional condition(s) that typically draw management’s attention to a potential problem Expected loss an example of a loss measure, computed as: expected loss = risk x exposure Extended application interfaces (EAI) software application interfaces that allow different software applications to share information among them Extensible business reporting language see XBRL Extranets a means of enabling selected outside users to access organizations’ intranets Fault-tolerant systems systems designed to tolerate 
faults or errors that are often based on the concept of redundancy Feasibility evaluation the first major procedure in systems design work whereby the design team determines the practicality of alternative proposals Fidelity bond organizational coverage (from an insurance company) to reduce the risk of loss caused by employee theft of assets Field properties settings as ‘‘field size’’ and ‘‘format’’ in each data field specified in a table File server a computer whose principle task is to store and output the contents of computer files For example, most Internet applications use file servers to store and output Web page files Financial accounting information system the component of an AIS in which the major objective is to provide relevant information (primarily economic) to individuals and groups outside an organization’s boundaries Financial planning models information systems that aid financial managers in selecting an optimum strategy for acquiring and investing financial resources Financing process the process by which a company acquires and uses financial resources such as cash, other liquid assets, and investments Firewall a software program or hardware device designed to prevent unauthorized data communications between 516 Glossary hackers and the information resources within an internal, trusted network First normal form (1 NF) when all the record attributes (data fields) within a database are well defined and the information can thus be stored as a flat file Fixed asset management management of the purchase, maintenance, valuation, and disposal of an organization’s fixed assets Flat files files with no sequence or order to them, except perhaps a chronological sequence Flying-start site a disaster recovery location that includes everything contained in a hot site plus up-to-date backup data and software Follow-up and maintenance phase the continued monitoring of a newly implemented system to ensure that the system continues to operate properly and meets the 
organization’s information needs Foreign keys data fields within some accounting records that enable these records to reference one or more records in other tables Forensic accountants also called fraud auditors These individuals concern themselves with the prevention and detection of fraud and white-collar crime Form (databases) a user interface that typically uses text boxes, labels, and similar form controls to create or display records in a database table Fraud triangle three elements that create a fraud These are motive, opportunity, and the rationalization by the individual perpetrating the fraud that the behavior is appropriate or justified Front-office a reference to external functions and processes of an organization, such as those that involve customers, suppliers, and other business partners Gantt chart a tool for planning and controlling a systems implementation project Generalized audit software (GAS) computer packages that enable auditors to review computer files without continually rewriting processing programs General-use software the software used by auditors as productivity tools for improving their work; e.g., the use of a word processing program by an auditor when writing an audit report Gigabyte a unit of disk storage approximately equal to one billion bytes Graphical documentation the depiction, through the use of symbols and logic diagrams, of existing or proposed AISs by accountants, consultants, and system developers Graphical user interface (GUI) one or more visual computer screens that enable an end-user to communicate with a computer—typically by selecting items from menus or clicking on choices using a computer mouse Computer programs that did not use GUIs typically were command-driven systems that required users to memorize and type in system commands and instructions Group code is the combination of two or more subcodes creating a group code, which is often used as a product code in sales catalogs Groupware a means of allowing users 
to send and receive email, plus perform a wide range of other document-editing tasks Hacker a person who breaks into the computer files of others for fun or personal gain Hash total the manual and perhaps meaningless sum of the customers’ account numbers in a batch of transactions that is used for comparison purposes to control for missing or transposed numerical data Hierarchical structures the way accounting data may be organized, with successive levels of data in an inverted, tree-like pattern HIPAA the privacy requirements of the Health Insurance Portability and Accountability Act Hosted solution an approach to acquisition of software where the package is rented over the Internet, rather than purchased Hot backup a backup performed while the database is online and available for read/write Hot site a disaster recovery location that includes a computer system configured similarly to the system currently in use by a company for its data processing activities HTML an acronym for hypertext markup language—the editing language that tells a Web browser how to display information from the World Wide Web Human resource management an activity of an organization that includes the personnel function and the payroll function Hyperlink a word, phrase, or graphic that allows users to display new information in a Web browser or computer screen, typically by clicking on the hypertext element with a mouse Hypertext a text retrieval system enabling a user to access specific document locations Hypertext Markup Language (HTML) a language used to create Web pages Hypertext transfer protocol (HTTP) a communications protocol designed to transfer information on the World Wide Web I/O-bound computer a computer whose input speeds and/or output speeds are slower than its computational speed Ideal control a control procedure within a company’s internal control system that reduces to practically zero the risk of an undetected error or irregularity Identity theft the intentional misuse of 
someone else's personal information with the intent to deceive another.
Identity Theft and Assumption Deterrence Act (ITADA) of 1998: the law under which the Department of Justice prosecutes ID theft violations.
Image processing: storing, manipulating, or outputting the graphical information that usually first appears on hard-copy documents such as contracts, architectural plans, machinery schematics, or real-estate photos.
Information Systems Audit and Control Association (ISACA): the professional association of information technology auditors.
Information systems risk assessment: a method used by an auditor to evaluate the desirability of IT-related controls for a particular aspect of business risk.
Information technology (IT): the hardware and software used in computerized information systems.
Information technology (IT) auditing: a process that involves evaluating the computer's role in achieving audit and control objectives.
Information technology (IT) auditors: auditors who concern themselves with analyzing the risks associated with all aspects of information technologies.
IT governance: the process of using IT resources effectively to meet organizational objectives.
Ink-jet printer: a printer that uses very small nozzles to spray ink onto blank pages to create printed outputs. An advantage of ink-jet printers over dot matrix printers is their ability to print in color, but ink-jet printers are slower and more costly, per page, than laser printers.
Input controls: computer application controls that attempt to ensure the validity, accuracy, and completeness of the data entered into a company's AIS; e.g., edit tests.
Input mask: a set of characters that dictate the required format for input data. For example, in Microsoft Access, the mask "(###) ###-####" specifies the sequence of numeric digits (represented by # signs) required for a phone number.
Input validation routines: programs or subroutines that check the validity and accuracy of input data after the data have been entered and recorded on a machine-readable file.
Input-processing-output cycle: the three steps that a computer uses to process computer records, i.e., inputting a record, processing the information it contains, and outputting the results. A classic example is creating payroll checks from timecard data.
Instant Messaging (IM): the use of special software to communicate with others over the Internet in real time. Many IM programs such as MSN IM and Yahoo IM also support audio and video conferencing as well as text messaging.
Integrated accounting software programs: software packages that can process all types of accounting transactions and provide a variety of reports, including financial statements and budgets.
Integrated Computer-Assisted Surveillance System (ICASS): a system designed to protect computer systems from crimes, abuses, and fraud by automatically searching for anomalies and printing exception conditions on control reports.
Integrated security: an integrated approach to security in which managers combine a number of key security technologies to protect the organization. This might include the following: firewalls, intrusion detection systems, content filtering, vulnerability management, virus protection, and virtual private networks.
Integrated services digital network (ISDN) lines: high-speed data transmission lines, typically using fiber optics, that end users can rent from phone companies and that support transmission rates up to 1.5 million bits per second (Mbps).
Integrated test facility (ITF): a technique used by auditors to test a company's computer programs; particularly useful for auditing in an operational setting and/or for evaluating integrated online systems or complex programming logic.
Interactive data and electronic applications (IDEA): managed by the Securities and Exchange Commission, IDEA is a particularly important source of financial information, containing XBRL data for over 10,000 companies.
Internal control: defined by the COSO as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.
Internet: a global collection of tens of thousands of interconnected business, government, military, and education networks that communicate with each other.
Internet connectivity: software that permits small businesses to create Web sites and engage in electronic commerce.
Internet protocol (IP) address: the numeric address into which a text-based domain address is converted for transmission purposes.
Internet service provider (ISP): the means of enabling users to connect to the Internet; examples are America Online, AT&T, and Sprint.
Intranets: networks using the same software as the Internet, but which are internal (for communications purposes) to the companies that created them.
Intrusion detection system (IDS): computer software that enables users to identify, document, and perhaps mislead hackers attempting to access a protected system.
Inventory Control: a means of protecting inventory by keeping it in a storage area accessible only to employees with custodial responsibility.
IT general controls: controls over data processing to provide reasonable assurance that (1) development of, and changes to, computer programs are authorized, tested, and approved before their usage, and (2) access to data files is restricted to authorized users and programs, to increase the likelihood that processed accounting data are accurate and complete.
IT governance: ensuring that information technology risks are controlled and also that IT in an organization is deployed strategically to meet objectives.
Job-costing information system: a system of costing that keeps track of the specific costs for raw materials, labor, and overhead associated with each product or group of products.
Job stream: the flow of electronic data through a computer system.
Just-in-Time System: an inventory system whose objective is to minimize inventories at all levels of production.
K (kilobytes): exactly 1,024 bytes of computer storage.
Key performance indicators (KPIs): important metrics that convey information about operational performance against plans or budgets.
Knowledge management: distribution of expertise within an organization via technologies such as groupware.
Knowledge process outsourcing (KPO): an approach where an organization chooses to have some of its functions and activities related to research and acquisition of knowledge performed by an external organization.
Laser printer: a type of printer that uses a laser to sensitize portions of a rotating drum. These sensitized portions attract small graphite particles called toner that can then be transferred to a blank piece of paper and permanently "fixed" to the page with heat.
Lean Accounting: performance measurement systems used in lean manufacturing.
Lean production/manufacturing: the concept that a company makes the commitment to eliminate waste throughout the organization (not just in production).
Legacy system: a business's older, customized computer system that typically runs on a mainframe computer and is often too large and expensive to replace.
Legal feasibility: determining whether or not there will be any conflict between a newly proposed system and a company's legal obligations.
Level data flow diagram: the least detailed data flow diagram, showing only in broad terms what tasks a system performs.
Level data flow diagram: the decomposition of a single symbol from within a level data flow diagram to more fully document the system.
Local area network (LAN): a collection of microcomputers, printers, file servers, and similar electronic components that are physically located near one another (for example, in the same building) and connected together for communication purposes.
Lock-box system: a tool used by a company to reduce the float period during which checks clear the bank.
Lock-out system: a password safeguard that disconnects telephone users after a set number of unsuccessful login attempts.
Logic bomb program: a computer program that remains dormant until some specified circumstance or date triggers it.
Logical data flow diagram: the depiction of the tasks conducted by participants within a systems development process.
Logical security: the use of technology to limit access to the organization's systems and information to authorized individuals only.
Macro program flowchart: the highest-level program flowchart, providing an overview of the data processing logic.
Magnetic (hard) disk: a secondary storage device that enables a computer to store billions of bytes of information. Unlike primary (RAM) memory, whose information is lost when its computer loses power, magnetic disk memory is permanent.
Magnetic ink character recognition (MICR): the technology used primarily by banks to encode magnetically readable symbols at the bottom of checks or similar financial documents. Because the magnetic flux of the ink used in these symbols loses strength over time, MICR is not widely used elsewhere.
Mag-strip card: a credit card, hotel "key," employee badge, or similarly-sized plastic card with a magnetic stripe on one side that has been encoded with information about the user and/or account.
Mainframe computer: a large, multi-user computer that enables large companies to centralize processing power in a single device.
Make-or-buy decision: determining whether it is more cost effective to purchase an AIS or develop one in-house.
Man trap: a small antechamber room between a public corridor and the entrance to a data processing center, set up for security purposes.
Manufacturing resource planning (MRPII) system: a more complex version of the material requirements planning system that not only coordinates the purchase and use of raw material inventories in production, but also integrates with the purchasing and revenue processes.
Mark-sense media: documents such as academic test forms, surveys, and similar papers that users complete with simple pencils or pens but that can be read and evaluated by computerized input devices.
Master file: a file that stores permanent information about file entities (e.g., employees, customers, or financial assets). Its opposite is a transaction file, which typically stores temporary information about the transactions for a limited period of time.
Material requirements planning (MRPI) system: a system that monitors the acquisition and use of raw materials needed by production processes.
Megabyte: a unit of computer storage approximately equal to one million bytes.
Message acknowledgment procedures: a control for computer network systems that is useful in preventing the loss of part or all of a company's transactions or messages on a computer network system.
Metadata: data about data, contained in data dictionaries.
Microprocessor: the portion of a CPU that performs the arithmetic and logic tasks of a computer, and that also interprets and executes computer instructions.
Minicomputer: a multi-user computer with less processing power than a mainframe but typically more power than a personal computer, or microcomputer.
Mnemonic codes: codes designed to help the user remember what they represent.
Modem (modulator/demodulator): a device for converting the digital data that a computer uses into sound pitches that can be transmitted over phone lines.
Modular conversion: a method of systems implementation whereby the users involved in specific data processing tasks are divided into smaller units or modules; the data processing system is then installed module by module.
Multidimensional databases: a means of storing large quantities of data, with the goal of enabling employees at various levels of an organization to define their own tables and reports in formats most useful to them.
Multimedia databases: object-oriented databases that include graphics, audio information, and animation.
Near field communication (NFC): a means of enabling mobile devices such as cell phones, PDAs, and laptop computers to communicate with similar devices containing NFC chips.
Network structure: a structure used with AIS databases to link related records together and adequately capture the records' relationships.
Non-value added: waste that is eliminated or reduced to improve overall customer value and to increase the profitability of the products or services that the organization offers.
Normalization: the process of examining and arranging file data in a way that helps avoid problems when these files are used or modified later; data can be in first, second, or third normal form.
Numeric codes: codes that use numbers only.
Object-oriented database (OODB): a database that contains both the text data of traditional databases and information about the set of actions that can be taken on these data fields.
Object-oriented programming (OOP) languages: computer programming languages that have strict rules (particularly "inheritance" and "encapsulation") that govern the properties, attributes, and operations of language objects (such as variables and form controls). OOP also includes the developer's ability to create new objects with these characteristics that can be used by other procedures and programs.
Object-oriented software: programs that contain modular, reusable code, helping programmers avoid writing duplicate programs and facilitating changes when needed.
Offshoring: moving jobs offshore (e.g., to countries like India, China, Canada, Mexico, or Malaysia).
Online analytical processing (OLAP): a way to allow database users to extract multidimensional information from one or more database tables for the purpose of making complex decisions.
Operating System (OS): a set of software programs that helps a computer run itself as well as the application programs designed to run under it. Examples include Windows 2000, Windows XP, and Unix.
Operational audits: audits performed by a company's internal audit staff that focus on evaluating the efficiency and effectiveness of operations within a particular department.
Operational feasibility: the examination of a proposed system's compatibility with the current operating environment (e.g., ensuring that the organizational structure would support the new system).
Optical character recognition (OCR): an older technique that enables computer input devices to interpret machine-printed (and, to a limited extent, hand-written) data using optical technology.
Organization-level controls: management's philosophy, operating style, integrity, policies, and procedures that influence the tone of a company. These characteristics help to establish the level of security and control consciousness in the organization, which is the basis for the control environment.
Output controls: computer application controls that are designed to assure the validity, accuracy, and completeness of the output from a company's computer systems; e.g., regulating the distribution and use of printed output.
Parallel conversion: a method of systems implementation where both the old and new system of a company operate simultaneously for a period of time.
Parallel simulation: a technique used by auditors to test a company's computer programs; the auditor uses live input data, rather than test data, in a program that simulates all or some of the operations of the working program.
Parent record: the higher-level record of two adjacent records in a hierarchical data structure.
Partner relationship management (PRM): software applications that track and coordinate various contacts and partners of an organization, including customers, suppliers, and other entities, such as not-for-profit organizational relationships.
Password codes: general computer controls designed to limit access to a company's computers only to those individuals authorized to have this access.
Payroll processing information systems: a means of paying employees for their work, maintaining employee earnings records, complying with government tax and reporting requirements, reporting on various deduction categories, and interacting with other personnel functions.
Penetration testing: also sometimes called ethical hacking; auditors may use this approach to see if they can access resources within an information system.
Performance measurement: the use of metrics and data to evaluate the efficiency and effectiveness of people, technologies, or processes.
Peripheral equipment: devices such as keyboards, display monitors, and printers that typically physically surround a computer processor.
Personal data assistant (PDA) device: a computerized device that includes such functions as calculator, address book, memo storage, and daily planner, and perhaps even provides wireless Internet access.
Personal productivity software: software that typically runs on microcomputers (e.g., word processing and spreadsheet programs) and that helps individuals perform their jobs faster, easier, and more accurately.
PERT (Program Evaluation and Review): a technique for scheduling and monitoring the activities in large systems implementation projects.
Phishing: an email from someone who falsely claims to be an established, legitimate company.
Physical data flow diagram: the depiction of the first level of detail within a system, focusing on physical entities such as employees involved in the system, and hard-copy inputs and outputs.
Physical security: any measures that an organization uses to protect its facilities, resources, or its proprietary data that are stored on physical media.
Pivot tables: a feature that enables a database user to create two-dimensional statistical summaries of database information.
Pixels (picture elements): the tiny dots that a monitor uses to create a complete screen image. For example, a monitor might have a pixel resolution of 1024 x 768, meaning the ability to display 1,024 pixels across the screen by 768 pixels down the screen.
Point-of-sale (POS) device: an input device such as a barcode reader that enables a user to input data directly into a computer from a checkout stand in a supermarket or merchandise store and avoid manual keystrokes.
Point-scoring analysis: an approach used to evaluate accounting software packages (as well as hardware) of vendors that meet most of a company's major IT requirements.
Portals: Web sites that allow outsiders with authorized access to view a company's internal information systems.
Predictive analytics: a technique using data stored in data warehouses to improve performance.
Preliminary investigation: the first task performed by a systems study team, whereby the team, for example, investigates current needs or problems in a company's present system and reports findings to the steering committee.
Preventive controls: control procedures that are designed and implemented within a company's internal control system to prevent some potential problem from occurring when an activity is performed.
Primary memory: the internal random access memory, or RAM, that a computer uses to temporarily store computer programs and immediate data.
Privacy policy: a Web site's policy that states the information it does and does not collect about you and how it might use that information.
Process-costing information system: a system that uses averages to calculate the costs associated with goods in process and finished goods produced.
Process map: a special type of flowchart used to better understand and communicate a company's current business processes.
Processing controls: computer application controls that focus on the manipulation of accounting data after they are input to a company's computer system; for example, data-access controls.
Production process (sometimes called the conversion process): the process that begins with a request for raw materials and ends with the transfer of finished goods to warehouses.
Program change control: a set of internal control procedures developed to ensure against unauthorized program changes.
Program flowchart: graphical documentation that outlines the processing logic for each part of a computer program and also indicates the sequence of processing steps.
Programming language: a language such as Java or Visual Basic that enables a programmer to create instructions (called "code") that a computer can understand.
Project management software: software that can aid in planning and controlling the tasks involved in a systems implementation project.
Prototyping: an approach to systems design work that involves developing a simplified model of a proposed information system that is experimented with by the system's users.
Proxy server: a computer and related software that creates a transparent gateway to and from the Internet that can be used to control Web access.
Public key encryption: encrypting messages using a scrambling key assigned by a public entity.
Purchasing process: the process that begins with a request (or an order) for goods or services and ends with payment to the vendor.
Queries: the means of allowing database users to create subschemas of interest to them.
Radio frequency technology: an emerging technology that uses RFID tags (attached to products or pallets of products) for identification. These tags (transponders) can hold much more information than barcodes.
Rapid application development (RAD): the use of CASE tools to speed the planning and development of computer information systems.
REA model: an approach to data modeling that focuses on resources (R), events (E), and agents (A).
Record keys: fields that may or may not be unique identifiers of individual or associated records.
Record structure: the specific data fields in each record of a database table; this structure is fixed in many accounting applications.
Redundant array of independent disks (RAID): a set of magnetic disks that act as a single hard drive.
Reengineering business processes: starting from scratch to redesign major processes in an organization (e.g., sales orders or purchasing).
Referential integrity (databases): a control that denies a user the ability to create a child record with no parent, or to delete a parent record that has child records.
Relational database structure: a means of enabling database users to identify relationships either at the time the data are initially created or at a future time as new informational requirements are ascertained.
Relationship table: an approach to representing relationships between two database tables when you have many-to-many relationships between database entities.
Request for proposal (RFP): a report sent to computer vendors in systems design work that outlines the specific requirements of a company's desired system.
Responsibility system of computer program development and maintenance: a series of steps that comprise a test of program change control. It is designed to ensure accountability and adequate supervisory controls.
RFID tags: computer chips and tiny antennas that are used to manage inventory.
Right Networks ASP: an add-on for QuickBooks, enabling remote hosting of desktop applications.
Risk assessment: a component of internal control that considers the risk factor when designing controls for a company.
Risk matrix: a tool especially useful for prioritizing large risks that classifies each potential risk by mitigation cost and also by likelihood of occurrence.
Risk-based audit approach: an approach used by auditors to evaluate a company's internal control procedures.
Rollback processing: a fault-tolerant system, at the transaction level, in which transactions are never written to disk until they are complete.
Routing verification procedures: a control for computer network systems that helps to ensure that no transactions or messages of a company are routed to the wrong computer network system address.
Salami technique: a computer crime whereby computer programmers steal small amounts of money from many accounts over a period of time.
Sales process: a process that begins with a customer order for goods or services and ends with the collection of cash from the customer.
Sandwich rule (flowcharting): a rule that states that a processing symbol should always appear between an input symbol and an output symbol.
Sarbanes-Oxley Act of 2002: sweeping financial legislation that emphasizes organizational internal controls and accountability.
SAS No. 94, "The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit": a SAS rule that cautions external auditors that the way firms use IT might impact any of the five internal control components.
Scalable: the ability for a software user to migrate easily to packages that handle increasingly large volumes of data and transactions.
Scenario planning: found under "Event Identification" (of ERM), a way for management to identify scenarios (from minor concerns to major disasters) that could occur.
Schedule feasibility: an evaluation that involves estimating the time frame for a new or revised system to become operational.
Schema: a reflection of the totality of the information in a database and the relationships of its tables (i.e., records).
Scope creep: a situation where the size of a task or project gradually becomes larger, and perhaps more complex and costly.
Second normal form (2NF): when a database is in first normal form and all the data items in each record depend on the record's primary record key.
Secondary record keys: data fields that are typically not unique among records but that can also be used to search records for specific information.
Secondary storage: computer equipment that stores data permanently (e.g., hard disks, CD-ROMs, and USB drives).
Secret key cryptography: a data encryption method that uses a single cryptographic key that is shared by the communicating parties.
Security policy: a comprehensive plan that management must develop to help protect the enterprise from internal and external threats.
Select query: the creation of a dynaset of database information based on two types of user-specified criteria: those that determine which records to include, and those that determine which data fields to include from those records.
Separation of duties: an activity of an internal control system that focuses on structuring work assignments among employees so that one employee's work activities serve as a check on those of another employee.
Sequence code: a sequential set of numbers used to identify customer accounts, employee payroll checks, customer sales invoices, and so forth.
Sibling records: two records on the same level in a hierarchical data structure.
Signed checklists: an example of establishing accountability by verifying that an accountant performed certain tasks, that a reviewer approved them, and that both individuals are accountable for their accuracy.
Slack time: a description of the amount of delay time that can occur in each non-critical activity and still not delay a project.
Smishing: a scam similar to phishing that uses text messages on cell phones in an attempt to get you to provide or "update" your personal information such as account number, credit card number, or password.
Social engineering: a tactic hackers use to gain access to passwords, such as posing as a bona fide employee to convince a network administrator to give out passwords over the telephone.
Soft copy output: computer output on video screens, billboards, and similar devices; the opposite of hard copy (printed) output.
Source code: the program commands that underlie a software application.
Source document: a piece of paper or an electronic form that becomes the source of subsequent computer records and processing activities. Examples of source documents include time cards in payroll systems, employee application forms, doctor medical diagnoses, insurance claim forms, and personal bank checks.
SOX, Section 404: a statement that management is responsible for establishing and maintaining an adequate internal control structure and at the end of each fiscal year must attest to the effectiveness and completeness of that structure.
Spam: annoying, unsolicited email messages that are often illegal and increasingly costly to organizations.
Spend management: a systematic approach to controlling an organization's expenses.
Spoofing: masquerading as an authorized Internet user.
Steering committee: a group consisting of a company's top management personnel and possibly one or more staff auditors that works with the systems study team throughout all phases of system development activities.
Strong passwords: passwords that contain a variety of characters (letters, numbers, and symbols) and are 14 characters or longer. A 15-character password composed of random letters and numbers is about 33,000 times stronger than an 8-character password composed of characters from the entire keyboard.
Structured programming: techniques used to develop large computer programs in a hierarchical fashion.
Structured query language (SQL): a popular data manipulation language for retrieving and manipulating data; auditors can use SQL to retrieve a client's data and display these data in a variety of formats for audit purposes.
Structured walkthrough: a meeting in which the attendees review the logic of a computer program.
Supercomputer: a computer that is faster and more powerful than a mainframe, and capable of performing trillions of operations per second.
Supply chain management (SCM): applications that enable an ERP system or other software to interface with a company's suppliers and customers.
System development life cycle (SDLC): comprised of the planning, analysis, design, and implementation phases of acquiring or developing a new information system.
System flowchart: graphical documentation that depicts the logical flow of data and processing steps in an AIS.
System maintenance: ensuring the continuing operations of a system.
Systems analysis: the phase of a systems study in which the study team thoroughly familiarizes itself with a company's current operating system by focusing on strengths and weaknesses within the system.
Systems approach: using a broad point of view in performing a systems study.
Systems Auditability and Control (SAC) report: a guide developed by the Institute of Internal Auditors that provides auditors with guidance in the evaluation of IT-related internal controls.
Systems implementation: the phase of a systems study in which the recommended changes from analysis, design, and development work are put into operation.
Systems specification report: a document that summarizes the findings of a design team regarding the needs for a new information system.
Systems study: a formal investigation of a company's existing information systems.
Systems survey: the part of systems analysis in which the study team obtains a more complete understanding of a company's current operating information system and its environment.
SysTrust: an assurance service introduced by the AICPA that evaluates the reliability of information systems with respect to their availability, security, integrity, and maintainability.
Table (databases): a set of related records that are stored together in a file using a database management system such as Microsoft Access.
Technical feasibility: an analysis of the technical resources required by a particular information system.
Test data: a set of transactions that examine the range of exception situations that might occur under normal processing conditions.
Third normal form (3NF): a database that is in second normal form and that contains no transitive dependencies.
Third party assurance services: audit and assessment services offered by independent third parties to provide business users and individual consumers with some level of comfort over Internet transactions.
Time and billing information systems: systems similar to job order costing systems, tracking hours and costs associated with each job (i.e., each client) and each employee (i.e., professional staff).
Transaction controls: controls needed by AISs to ensure that the database system performs each transaction accurately and completely.
Transaction file: a temporary file of accounting records that typically stores the transactions for a specific period of time.
Transitive dependencies: when the same record does not contain two data fields in which data field A determines data field B.
Trojan horse program: a destructive or deceptive computer program hidden inside an accepted program.
Trust services: third party assurance services offered through the AICPA that provide guidance to practitioners to evaluate organizations in terms of their reliability, privacy, and security.
Turnaround document: a hard-copy document such as a bank check or confirmation slip that a business creates, sends to a second party for completion or approval, and then receives back for further processing. For convenience, most turnaround documents are computer readable.
Turnkey system: a computer system acquired from independent vendors that includes both software and hardware.
Uninterruptible power system (UPS): an auxiliary power supply that can smooth the flow of power to the computer, thereby preventing the loss of data due to momentary surges or dips in power.
Universal resource locator (URL): a text Internet address such as www.Wiley.com.
Utility programs: computer programs that are typically included with computer operating systems, but which perform specific end-user tasks. Examples include programs that format disks, transfer file data from one medium to another, or test emails for viruses.
Val IT: a governance framework developed by the IT Governance Institute (ITGI) as a formal statement of principles and processes for IT management; it is tightly integrated with COBIT.
Validation rule: see data validation rule.
Value cards: credit-card size or key-ring size cards from retailers that have a barcode on the back side for the merchant to track purchases. In some cases, the merchant offers discounts or points that may be exchanged for goods or services. In other cases, customers simply receive advance information about upcoming sales before the general public.
Value-added networks (VANs): proprietary networks that large IT organizations design and maintain for their customers in order to implement EDI or intranet applications.
Value-added resellers (VARs): a special type of systems consultants who are licensed to sell particular software packages and provide organizations with consulting services related to those packages.
Value stream management: a management process that controls activities that generate value in a product or service rather than by functional area.
Vertical market: markets or industries that are distinct in terms of the services they provide or the goods they produce.
View controls: a security feature within a database system that limits each user's access to information on a need-to-know basis.
Virtual PBXs: Internet-based PBX systems that enable organizations to outsource their PBX services.
Virtual private network (VPN): a network that mimics a value-added network in many of its security features, but enjoys the benefit of transmitting messages cheaply over existing Internet connections.
Virtual storage: a computer operating system technique that uses magnetic disk storage as a virtual extension of primary storage.
Virus: a computer program that rogue programmers embed in other programs, emails, or computer files, and that (when executed) typically performs such destructive acts as erasing files, disrupting emails, or interfering with operating system functions.
Voice over Internet Protocol (VoIP): a technology that allows you to make telephone calls using a broadband Internet connection instead of a regular telephone line.
Voice recognition system: computer hardware and software that enables a computer to hear and interpret voice commands.
Volatile memory: computer memory that becomes inoperative when it loses power.
VPN: a security appliance that runs behind an organization's firewall and allows remote users to access entity resources by using wireless, hand-held devices.
Watchdog processor: a fault-tolerant system that uses two processors. If something happens to the first processor, the second processor takes over the processing work.
Web browser: a software application that enables a user to display and interact with sites on the World Wide Web.
Wide area network (WAN): computer networks spanning regional, national, or global geographic areas.
Wi-fi technology: technology that allows transmission and receipt of voice and data messages remotely and without hard-wired connections to a phone line.
Wireless application protocol (WAP): a data communication protocol mostly used by mobile phones and PDAs to connect to the Internet.
World Wide Web: the graphics portion of the Internet.
Worm program: a program that disrupts normal data processing and is usually able to replicate itself onto other files, computer systems, or networks. Examples of these viruses are boot sector viruses, worm programs, Trojan horse programs, and logic bomb programs.
XBRL: an acronym for "extensible business reporting language"; a standardized set of markup (editing) tags and rules, created with XML, used by the financial reporting industry.
XBRL instance document: an XML document that was created using XBRL standards.
XBRL International Consortium: an organization of about 450 members, including many U.S. accounting firms; it is in charge of developing XBRL standards.
XML: an acronym for extensible markup language; an extension of HTML that allows users to create their own markup (editing) tags.
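The referential integrity control defined in the glossary entry above (a child record with no parent is refused, and a parent that still has child records cannot be deleted) can be exercised against a real database engine. The following is an added example and not code from the textbook: it uses Python's standard sqlite3 module with a constructed customers/invoices schema (the table and column names are assumptions made for this illustration), performs the two forbidden operations once with the constraint enforced and once with it switched off, and then runs the kind of audit query an IT auditor could use to detect orphaned child records after the fact.

```python
import sqlite3

# Constructed sample schema: customers is the parent table, invoices is the
# child table, and every invoice must point at an existing customer.
# ON DELETE RESTRICT is what makes "delete a parent with children" fail.
SCHEMA = """
CREATE TABLE customers (
    customer_id INTEGER PRIMARY KEY,
    name        TEXT NOT NULL
);
CREATE TABLE invoices (
    invoice_no  INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL
                REFERENCES customers(customer_id) ON DELETE RESTRICT,
    amount      REAL NOT NULL
);
"""


def open_db(enforce_fk: bool) -> sqlite3.Connection:
    """Open an in-memory database seeded with one customer and one invoice.

    SQLite only enforces FOREIGN KEY clauses when PRAGMA foreign_keys is ON
    for the connection, which is why the pragma is issued before any DML.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = " + ("ON" if enforce_fk else "OFF"))
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO customers VALUES (1, 'Acme Corp')")   # constructed
    conn.execute("INSERT INTO invoices VALUES (1001, 1, 250.00)")  # constructed
    return conn


def try_orphan_insert(conn: sqlite3.Connection) -> bool:
    """Try to create a child (invoice) whose parent (customer 99) does not exist.
    Returns True if the engine rejected the insert."""
    try:
        conn.execute("INSERT INTO invoices VALUES (1002, 99, 10.00)")
        return False
    except sqlite3.IntegrityError:
        return True


def try_delete_parent(conn: sqlite3.Connection) -> bool:
    """Try to delete a customer that still has invoices.
    Returns True if the engine rejected the delete."""
    try:
        conn.execute("DELETE FROM customers WHERE customer_id = 1")
        return False
    except sqlite3.IntegrityError:
        return True


def orphan_invoices(conn: sqlite3.Connection) -> list:
    """Audit query: invoice numbers whose customer_id matches no customer row."""
    rows = conn.execute(
        "SELECT i.invoice_no FROM invoices i "
        "LEFT JOIN customers c ON i.customer_id = c.customer_id "
        "WHERE c.customer_id IS NULL ORDER BY i.invoice_no"
    ).fetchall()
    return [r[0] for r in rows]


def demo(enforce_fk: bool) -> dict:
    """Run both forbidden operations and the audit query; return the outcomes."""
    conn = open_db(enforce_fk)
    result = {
        "orphan_insert_rejected": try_orphan_insert(conn),
        "parent_delete_rejected": try_delete_parent(conn),
    }
    result["orphans_after"] = orphan_invoices(conn)
    conn.close()
    return result


if __name__ == "__main__":
    print("constraint enforced:", demo(True))
    print("constraint off:     ", demo(False))
```

With the constraint enforced both operations raise an integrity error and the audit query finds nothing; with it off, both succeed silently and the audit query reports invoices 1001 and 1002 as orphans, which is the condition the control exists to prevent.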