3qerfgrg
Payroll:
The HRM/Payroll cycle is a recurring set of business activities and related data processing operations associated with effectively managing the employee workforce
The most important tasks performed in the HRM/payroll cycle are:–Recruiting and hiring new employees–Training–Job assignment–Compensation (payroll)–Performance evaluation–Discharge of employees (voluntarily or involuntarily)•Payroll costs are also allocated to products and departments for use in product pricing and mix decisions
payroll system:–One of the largest and most important components of the AIS–Must be designed to meet:•Management’s needs•Government regulations–Incomplete or erroneous payroll records:•Impair decision making•Can results in fines and/or imprisonment
The design of the HRM system is also important because the knowledge and skills of employees are valuable assets, so HRM systems should:
–Help assign these assets to appropriate tasks; and
–Help monitor their continuous development.
INTRODUCTION
•There are five major sources of input to the payroll system:
–HRM department provides information about hirings, terminations, and pay-rate changes.
–Employees provide changes in discretionary deductions (e.g., optional life insurance).
–Various departments provide data about the actual hours worked by employees.
–Government agencies provide tax rates and regulatory instructions.
–Insurance companies and other organizations provide instructions for calculating and remitting various withholdings.
INTRODUCTION
•Principal outputs of the payroll system are checks:
–Employees receive individual paychecks.
–A payroll check is sent to the bank to transfer funds from the company’s regular account to its payroll account.
–Checks are issued to government agencies, insurance companies, etc., to remit employee and employer taxes, insurance premiums, union dues, etc.
•The payroll system also produces a variety of reports.
INTRODUCTION
•Employees are an organization’s most valuable assets:
–Their knowledge and skills affect quality and quantity of goods and services.
–Labor costs are a major expense in generating revenues and a key cost driver.
•The traditional AIS has not measured or reported on the status of a company’s human resources:
–Financial statements do not regard employees as assets.
–Under GAAP, the value of human services is not measured until they have been consumed.
INTRODUCTION
•However, some companies are now creating positions for a direction of intellectual assets.
•Some may even include HR info in their annual report, including reports on:
–Human capital: The knowledge employees possess, which can be enhanced.
–Intellectual capital: The knowledge that’s been captured and implemented in decision support systems, expert systems, or knowledge databases, so that it can be shared.
INTRODUCTION
•Because employees are so valuable, turnover is expensive:
–Average cost of replacement is 1.5 times the employee’s annual salary.
–Turnover rates need to be managed so they’re not excessive.
INTRODUCTION
•Employee morale is also important.
–Bad morale leads to high turnover.
–Employee attitudes affect customer interactions and are positively correlated with profitability.
–Employees need to:
•Believe they have the opportunity to do what they do best
•Believe their opinions count
•Believe their coworkers are committed to quality
•Understand the connection between their jobs and the company’s mission.
INTRODUCTION
•To effectively track intellectual capital and human resources, the AIS must do more than just record time and attendance and prepare paychecks.
•Payroll should be integrated with HRM so management can access data about employee-related costs and employee skills and knowledge.
PAYROLL CYCLE ACTIVITIES
•Let’s take a look at payroll cycle activities.
•The payroll application is processed in batch mode because:
–Paychecks are issued periodically.
–Most employees are paid at the same time.
PAYROLL CYCLE ACTIVITIES
•The seven basic activities in the payroll cycle are:
–Update payroll master file
–Update tax rates and deductions
–Validate time and attendance data
–Prepare payroll
–Disburse payroll
–Calculate employer-paid benefits and taxes
–Disburse payroll taxes and miscellaneous deductions
VALIDATE TIME AND ATTENDANCE DATA
•How can information technology help?
–Collecting time and attendance data electronically, e.g.:
•Badge readers
•Electronic time clocks
•Data entered on terminals
•Touch-tone telephone logs
–Using edit checks to verify accuracy and reasonableness when the data are entered.
DISBURSE PAYROLL
•Efficiency Opportunity: Direct Deposit
–Direct deposit can improve efficiency and reduce costs of payroll processing
•Employee receives a copy of the check and an earnings statement
•Each bank receives a record of the payroll deposits for that bank via EDI. The record includes:
–Employee number
–Social Security number
–Bank account number
–Net pay amount
DISBURSE PAYROLL
•Savings occur because:
–While the cashier does authorize release of funds, he/she does not sign each check.
–Eliminates costs of buying, processing, and distributing paper checks.
–Eliminates postage.
•Additional costs:
–Elimination of float between when check is distributed and when it is deposited by employee.
•Savings typically outweigh costs
OUTSOURCING OPTIONS
•Many entities outsource payroll and HRM to:
–Payroll service bureaus
•Maintain the payroll master file and perform payroll processing activities
–Professional employer organizations (PEOs)
•Perform the services of the payroll service bureau
•Also administer and design employee benefit plans
•Generally more expensive than payroll service bureaus
OUTSOURCING OPTIONS
•When organizations outsource payroll processing, they send the service bureau or PEO at the end of each period:
–Personnel changes
–Employee time and attendance data
•The service bureau or PEO then:
–Prepares paychecks, earnings statements, and a payroll register
–Periodically produces tax documents
OUTSOURCING OPTIONS
•Outsourcing is especially attractive to small and mid-size businesses because:
–It’s often cheaper for smaller companies
–The bureau or PEO may provide a wider range of benefits
–It frees up the company’s computer resources for other areas
•However, companies must carefully monitor service quality to ensure that these systems integrate HRM and payroll data in a manner that supports effective management of employees.
GENERAL THREATS
–Controls:
•Payroll files should be backed up regularly.
–At least one backup on site and one offsite.
•All disks and tapes should have external and internal file labels to reduce chance of accidentally erasing important data.
•Access controls should be utilized
–User IDs and passwords
–Logs of all activities, particularly those requiring specific authorizations, should be maintained.
–Default settings on ERP systems usually allow users far too much access to data, so these systems must be modified to enforce proper segregation of duties.
GENERAL THREATS – cont’d.
•Sensitive data should be encrypted in storage and in transmission.
•Websites should use SSL for secure employee communications.
•Payroll service bureaus and PEOs can help provide security for data.
•VPNs (virtual private networks) should be used to exchange data with service bureaus or PEOs.
•Acknowledgment messages and control totals should be used to ensure transmission accuracy.
KEY DECISIONS AND INFORMATION NEEDS
•The payroll system should be integrated with cost data and HR information so management can make decisions with respect to the following types of issues:
–Future work force staffing needs
–Employee performance
–Employee morale
–Payroll processing efficiency and effectiveness
KEY DECISIONS AND INFORMATION NEEDS
•Benefits of an integrated HRM/payroll model:
–Access to current, accurate information about employee skills and knowledge.
–HRM activities can be performed more efficiently and costs reduced.
•EXAMPLE: Employment application terminals in Wal-Mart.
–Recruiting costs can be reduced, when applicant data is electronically accessible.
Revenue cycle
The revenue cycle is a recurring set of business activities and related information processing operations associated with:
–Providing goods and services to customers
–Collecting their cash payments
•The primary external exchange of information is with customer.
REVENUE CYCLE BUSINESS ACTIVITIES
•The basic business activities of the revenue cycle:
–Sales order entry
•Credit/customer service
–Shipping
–Billing
•Accounts Receivable
–Cash collection
SALES ORDER ENTRY
(with Credit/Customer Service)
•Sales order entry involves the steps of:
–Taking the customer’s order
–Checking the customer’s credit
–Checking inventory availability
–Responding to customer inquiries
Manual Sales Process
(with some automation)
SALES ORDER ENTRY
1. Take customer orders
To reduce human error and to speed up the order process, customers should enter data themselves as much as possible.
Real-time Sales Order
Advantages of
Real-Time Processing
•Shortens the cash cycle of the firm by reducing the time between the order date and billing date
•Provides better inventory management which can lead to a competitive advantage
•Produces fewer clerical errors, reducing incorrect items being shipped and bill discrepancies
•Reduces the amount of expensive paper documents and their storage costs
•Can improve customer relationships with Catalina coupons, for example, to encourage repeat sales
SALES ORDER ENTRY
2. Credit sales should be approved before the order is processed any further.
•How can IT improve the process?
–Automatic checking of credit limits and balances
–Automated communication to the credit manager for accounts needing specific authorization
SALES ORDER ENTRY
3.Ensure there is sufficient inventory to fill the order and advise the customer of the delivery date.
•Accurate inventory records are needed so customers can be accurately advised of their order status.
–Requires careful data entry in the sales and shipping processes.
–But…there can be problems in retail establishments because:
•Clerks running a similar item over the scanner several times instead of running each item
•Mishandling of sales returns such that returned merchandise isn’t re-entered in inventory records
SALES ORDER ENTRY
4. Respond to customer inquiries:
•The quality of customer service can be critical to company success
–Rule of thumb: It takes 5+ times as much effort to attract a new customer as it does to retain an existing one
Sales Order Entry Processing
Threats
Controls
1.Incomplete/inaccurate orders
2.Invalid orders
3.Uncollectible accounts
4.Stockouts and excess inventory
1 a. Data entry edit controls
b. Restrict access to master data to maintain accuracy
2 a. Signature to authorize sale
3 a. Credit limits checked and if sale exceeds limit, specific authorization needed
4 a. Perpetual inventory system
b. RFID or bar code technology
c. Physical inventory counts
SHIPPING
•The next basic activity in the revenue cycle is filling customer orders and shipping the desired merchandise.
•The process consists of two steps
–Picking and packing the order
–Shipping the order
•The warehouse department typically picks the order
•The shipping departments packs and ships the order
•Both functions include custody of inventory and ultimately report to the VP of Manufacturing.
SHIPPING
•A picking ticket is printed by sales order entry and triggers the pick-and-pack process
•The picking ticket identifies:
–Which products to pick
–What quantity
•Warehouse workers record the quantities picked on the picking ticket, which may be a paper or electronic document.
•The picked inventory is then transferred to the shipping department.
SHIPPING
•The clerk then records online:
–The sales order number
–The item numbers ordered
–The quantities shipped
•This process:
–Updates the quantity-on-hand field in the inventory master file
–Produces a packing slip
–Produces multiple copies of the bill of lading
SHIPPING
•The shipment is accompanied by:
–The packing slip
–A copy of the bill of lading
–The freight bill
•(Sometimes bill of lading doubles as freight bill)
•One copy of the bill of lading is kept in shipping to track and confirm delivery
SHIPPING
•Technology can speed the movement of inventory and improve the accuracy of perpetual inventory records:
–Bar code scanners
–Conveyer belts
–Wireless technology so workers can receive instructions without returning to dispatch
–Radio frequency identification (RFID) tags:
•Eliminate the need to align goods with scanner
•Allow inventory to be tracked as it moves through warehouse
Shipping Process
Threats
Controls
5.Picking wrong item or quantity to ship
6.Theft
7.Fail to ship the goods
8.Ship to wrong address
1 a. Bar code technology
b. Reconcile picking list to sales order
2 a. Restrict physical access to inventory
b. Document inventory transfers
c. Physical counts of inventory and
reconcile to quantities recorded
3 a. Reconcile shipping documents to sales orders, picking lists, and packing slips
4 a. Data entry edit controls
BILLING
•The next revenue cycle activity is billing customers.
•This activity involves two tasks:
–Invoicing
–Updating accounts receivable
BILLING
•Accurate and timely billing is crucial.
•Billing is an information processing activity that repackages and summarizes information from the sales order entry and shipping activities
•Requires information from:
–Shipping Department on items and quantities shipped
–Sales on prices and other sales terms
BILLING
•The basic document created is the sales invoice. The invoice notifies the customer of:
–The amount to be paid
–Where to send payment
•Invoices may be sent/received:
–In paper form
–By EDI
•Common for larger companies
•Faster and cheaper than snail mail
BILLING
•When buyer and seller have accurate online systems:
–The invoicing process may be skipped
•Seller sends an email when goods are shipped
•Buyer sends acknowledgment when goods are received
•Buyer automatically remits payments within a specified number of days after receiving the goods
–Can produce substantial cost savings
Revenue Cycle:
Electronic Data Interchange and
Sophisticated Computer Systems
•EDI helps to expedite transactions
•With sophisticated computer systems, the customer’s computer can:
–determine that inventory is needed
–select a supplier with whom the business has a formal business agreement
–communicate with the supplier’s computer and places the order (via EDI)
•With sophisticated computer systems, the supplier’s computer:
–communicates with the customer’s computer and sends an invoice (via EDI)
•With sophisticated computer systems, these exchanges can be completely automated
–requires no human intervention or management at time of order or invoicing
BILLING
•The accounts receivable function reports to the controller
•This function performs two basic tasks
–Debits customer accounts for the amount the customer is invoiced
–Credits customer accounts for the amount of customer payments
BILLING:
IT Enhancements
•Image processing can improve the efficiency and effectiveness of managing customer accounts.
–Digital images of customer remittances and accounts are stored electronically
•Advantages:
–Fast, easy retrieval
–Copy of document can be instantly transmitted to customer or others
–Multiple people can view document at once
–Drastically reduces document storage space
BILLING
•EXCEPTION PROCEDURES: ACCOUNT ADJUSTMENTS AND WRITE-OFFS:
–Adjustments to customer accounts may need to be made for:
•Returns
•Allowances for damaged goods
•Write-offs as uncollectible
–These adjustments are handled by the credit manager
BILLING
•If there is a return, the credit manager:
–Receives confirmation from the receiving dock that the goods were actually returned to inventory
–Then issues a credit memo which authorizes the crediting of the customer’s account
•If goods are slightly damaged, the customer may agree to keep them for a price reduction
–Credit manager issues a credit memo to reflect that reduction
BILLING
•NOTE: Since accounts receivable handles the customer accounts, why does someone else have to issue the credit memos?
•Having the credit memos issued by the credit manager is good segregation of duties between:
–Authorizing a transaction (write-off)
–Recording the transaction
Billing Process
Threats
Controls
9.Failure to bill customer
10.Billing errors
11.Posting errors in accounts receivable
12.Inaccurate or invalid credit memos
1 a. Reconcile invoices with sales orders and shipping documents
b. Separate shipping and billing functions
2 a. Data entry edit controls
b. Configure system for automatically
enter price data
3 a. Reconcile subsidiary accounts receivable balance to the amount for accounts receivable in the general ledger
4 a. Segregation of authorization and
recording function for credit memos
CASH COLLECTIONS
•The final activity in the revenue cycle is collecting cash from customers
•The cashier, who reports to the treasurer, handles customer remittances and deposits them in the bank
•Because cash and checks are highly vulnerable, controls should be in place to discourage theft
–Accounts receivable personnel should not have access to cash (including checks)
Automation for the
Cash Receipts Process
•The mail room is a frequent target for automation.
•Companies send their customers preprinted envelopes and remittance advices.
•Upon receipt, these envelopes are set aside and information on the envelope is scanned and provides a control procedure against theft.
•Machines are also available to open the envelopes and scan the remittance advices and checks and separate the checks.
•Checks may be digitally captured.
•Artificial intelligence may be used to read handwriting, such as remittance amounts and signatures.
Manual Cash Receipts
(with some automated procedures)
CASH COLLECTIONS
•Possible approaches to collecting cash:
–Turnaround documents forwarded to accounts receivable
–Lockbox arrangements at banks
–Electronic funds transfer/payments
–Accept credit cards or procurement cards from customers
Point-of-Sale Systems
•Point of sale systems are used extensively in retail establishments.
–Customers pick the inventory from the shelves and take them to a cashier.
•The clerk scans the universal product code (UPC). The POS system is connected to an inventory file, where the price and description are retrieved.
–The inventory levels are updated and reorder needs can immediately be detected.
Cash Collection Process
Threats
Control
13.Theft of cash
14.Cashflow problems
1 a. Proper segregation of cash handling and posting to customer accounts, authorize credit memos, or reconcile bank account
b. Use lockbox
c. Deposit all cash receipts daily
2 a. Lockbox
b. Discounts for early payment
c. Cash flow budgeting
CONTROL: OBJECTIVES, THREATS, AND PROCEDURES – Rhyming Version
Internal control is just a ballad.
Are all recorded transactions valid?
Are all valid transactions recorded?
If not, there may be something sordid.
And it should cause severe distraction
If no one’s authorized the transaction.
GENERAL CONTROL ISSUES
•Two general objectives pertain to activities in every cycle:
–Accurate data should be available when needed
–Activities should be performed efficiently and effectively
REVENUE CYCLE INFORMATION NEEDS
•Information is needed for the following operational tasks in the revenue cycle:
–Responding to customer inquiries
–Deciding on extending credit to a customer
–Determining inventory availability
–Selecting merchandise delivery methods
•To manage and evaluate revenue cycle activities:
–both financial and non-financial information are needed
–both external and internal information are needed
REVENUE CYCLE INFORMATION NEEDS
•Information is needed for the following strategic decisions:
–Setting prices for products/services
–Establishing policies on returns and warranties
–Deciding on credit terms
–Determining short-term borrowing needs
–Planning new marketing campaigns
REVENUE CYCLE INFORMATION NEEDS
•When the AIS integrates information from the various cycles, sources, and types, the reports that can be generated are unlimited. They include reports on:
–Sales order entry efficiency
–Sales breakdowns by salesperson, region, product, etc.
–Profitability by territory, customer, etc.
–Frequency and size of backorders
–Slow-moving products
–Projected cash inflows and outflows (called a cash budget)
–Accounts receivable aging
–Revenue margin (gross margin minus selling costs)
pes of controls for online systems•Automatic Entry Controls: the system fills in data after the user has entered ‘cue’ data•Microsoft Dynamics examples:•Automatic Calculation and Posting Controls: the system performs computations on a form that the user does not have to do•Why is this important?•Microsoft Dynamics examples:•Complete Data Controls (aka Completeness checks): the system lets the user know that critical information is missing and that a transaction cannot be posted until that data is entered•Microsoft Dynamics examples: we all know this one!•Valid Data Controls (aka Validation and/or data entry edits): the system tries to determine if the data entered is valid•Microsoft Dynamics examples:•Exceeded Limits Controls: the system checks to see if authorization limits have not been exceeded •Microsoft Dynamics examples: did we see any of these?•Error Correction Controls: what is at the heart of these? Advantages? Disadvantage?•Access Controls/Separation of Duties: in a live system, users should be restricted to specific modules by the system administrator; importance
Expenditure Cycle
The time lag between events (purchase and cash disbursement) splits the expenditure transaction cycle into two phases:•physical phase (purchasing)
•financial phase (cash disbursements)
4
4
INTRODUCTION
•The primary external exchange of information is with suppliers (vendors).
•The primary objective of the expenditure cycle is to minimize the total cost of acquiring and maintaining inventory, supplies, and services.
4
4
A Manual Purchases System
4
4
A Manual Purchases System
•The purchases cycle begins in the Inventory Control department when inventory levels drop to reorder levels.
•A clerk prepares a purchase requisition and sends copies to Purchasing and Accounts Payable.
•The Purchasing department prepares a purchase order for each vendor and sends copies to Inventory Control, Accounts Payable, Receiving (blind copy), and the vendor.
A Purchase Requisition
A Purchase Order
A Blind Copy of a Purchase Order
A Manual Purchases System
•Upon receipt of the goods, the Receiving department counts and inspects the goods.
•One of the purposes of the blind copy of the purchase order is to force the workers to count the goods.
•A worker then prepares the receiving report and sends copies to the raw materials storeroom, Purchasing, Inventory Control, and Accounts Payable.
A Receiving Report
RECEIVING AND STORING GOODS
•The two major responsibilities of the receiving department are:
•Deciding whether to accept delivery
•Verifying the quantity and quality of delivered goods
•The first decision is based on whether there is a valid purchase order.
•Accepting un-ordered goods wastes time, handling and storage.
4
4
RECEIVING AND STORING GOODS
•Verifying the quantity of delivered goods is important so:
•The company only pays for goods received
•Inventory records are updated accurately
•The receiving report is the primary document used in this process:
•It documents the date goods received, shipper, supplier, and PO number
•Shows item number, description, unit of measure, and quantity for each item
•Provides space for signature and comments by the person who received and inspected
•Receipt of services is typically documented by supervisory approval of the supplier’s invoice.
4
4
RECEIVING AND STORING GOODS
•When goods arrive, a receiving clerk compares the PO number on the packing slip with the open PO file to verify the goods were ordered.
•Then counts the goods
•Examines for damage before routing to warehouse or factory
•Three possible exceptions in this process:
•The quantity of goods is different from the amount ordered
•The goods are damaged
•The goods are of inferior quality
4
4
A Manual Purchases System
•The Accounts Payable department has now received copies of the purchase requisition, purchase order, and receiving report.
•Upon receipt of the supplier’s invoice, Accounts Payable reconciles all documents (a 3-way match), posts to the purchases journal, and records the liability in the accounts payable subsidiary ledger.
•Periodically, the entries in the purchases journal are summarized in a journal voucher which is sent to the General Ledger department.
A 3-way Match
4
4
A Manual Cash Disbursements System
4
4
A Manual Cash Disbursements System
•The Cash Disbursements department
•prepares the check
•records the information in a check register (cash disbursements journal)
•returns paid vouchers to accounts payable, mails the check to the supplier
•sends a journal voucher to General Ledger
A Manual Cash Disbursements System
•The General Ledger department receives:
•the journal voucher from cash disbursements
•a summary of the accounts payable subsidiary ledger from Accounts Payable
•The journal voucher is used to update the general ledger.
•The accounts payable control account is reconciled with the subsidiary summary.
EXPENDITURE CYCLE BUSINESS ACTIVITIES
•The three basic activities performed in the expenditure cycle are:
•Ordering goods, supplies, and services
•Receiving and storing these items
•Paying for these items
4
4
ORDERING GOODS, SUPPLIES, AND SERVICES
•The order processing typically begins with a purchase requisition followed by the generation of a purchase order.
•A request to purchase goods or supplies is triggered by either:
•The inventory control function (reorder point or reorder quantity); or
•An employee noticing a shortage.
•Advanced inventory control systems automatically initiate purchase requests when the quantity falls below the reorder point.
4
4
ORDERING GOODS, SUPPLIES, AND SERVICES
•Key decisions in this process involve identifying what, when, and how much to purchase and from whom.
•Weaknesses in inventory control can create significant problems with this process:
•Inaccurate records cause shortages.
•One of the key factors affecting this process is the inventory control method, such as JIT or EOQ, to be used.
4
4
ORDERING GOODS, SUPPLIES, AND SERVICES
•IT can help improve efficiency and effectiveness of purchasing function.
•The major cost driver is the number of purchase orders processed. Time and cost can be cut here by:
•Using Electronic Data Interchange (EDI) to transmit purchase orders
•Using vendor-managed inventory systems
•Procurement cards for small purchases
4
4
EDI
Notice that you are now getting rid of the paper flow between the companies. Depending on the automation and reengineering, you can also get rid of the paper within the two companies to varying degrees.
Ordering Goods/Services
Threats
1.Stockouts and excess inventory
2.Purchasing items not needed
3.Purchasing items at inflated prices
4.Purchasing goods of poor quality
5.Unreliable suppliers
6.Purchasing from unauthorized suppliers
7.Kickbacks
Controls
1 a. Perpetual inventory system
b. Bar-coding, RFID
2 a. Review and approval of
purchase requisitions
3 a. Price lists
b. Competitive bids
4 a. Use approved suppliers
5 a. Monitor supplier
performance
b. Require quality certification
6 a. Purchase from approved
suppliers
7 a. Supplier audits
b. Prohibit gifts
25
25
RECEIVING AND STORING GOODS
•The receiving department accepts deliveries from suppliers.
•Normally reports to warehouse manager, who reports to VP of Manufacturing.
•Inventory typically stores the goods.
•Inventory also reports to warehouse manager.
•The receipt of goods must be communicated to the inventory control function to update inventory records.
25
25
RECEIVING AND STORING GOODS
•IT can help improve the efficiency and effectiveness of the receiving activity:
•Bar-coding
•RFID
25
25
RECEIVING AND STORING GOODS
Threats
8.Accepting unordered items
9.Mistakes in counting
10.Verifying receipt of services
11.Inventory theft
Controls
1 a. Authorized purchase orders
needed before receiving
goods
2 a. Bar codes or RFID
3 a. Budget controls and audits
4 a. Restrict physical access to
inventory
b. Document all inventory
transfers
c. Segregate custody vs.
receiving of inventory
25
25
PAYING FOR GOODS AND SERVICES
•There are two basic sub-processes involved in the payment process:
•Approval of vendor invoices
•Actual payment of the invoices
25
25
PAYING FOR GOODS AND SERVICES
•Approval of vendor invoices is done by the accounts payable department, which reports to the controller.
•The legal obligation to pay arises when goods are received.
•But most companies pay only after receiving and approving the invoice.
•This timing difference may necessitate adjusting entries at the end of a fiscal period.
25
25
PAYING FOR GOODS AND SERVICES
•Objective of accounts payable:
•Authorize payment only for goods and services that were ordered and actually received.
•Requires information from:
•Purchasing—about existence of valid purchase order
•Receiving—for receiving report indicating goods were received
25
25
3-way Match
25
25
PAYING FOR GOODS AND SERVICES
•Payment of the invoices is done by the cashier, who reports to the treasurer.
•The cashier receives a voucher package, which consists of the vendor invoice and supporting documentation, such as purchase order and receiving report.
•This voucher package authorizes issuance of a check or Electronic Funds Transfer (EFT) to the supplier.
25
25
PAYING FOR GOODS AND SERVICES
•Processing efficiency can be improved by:
•Requiring suppliers to submit invoices by EDI
•Having the system automatically match invoices to POs and receiving reports
•Eliminating vendor invoices
•Using procurement cards for non-inventory purchases
•Using company credit cards and electronic forms for travel expenses
•Preparing careful cash budgets to take advantage of early-payment discounts
•Using EFT to pay suppliers
25
25
PAYING FOR GOODS AND SERVICES
Threats
12.Errors in supplier invoice
13.Mistakes in posting to accounts payable
Control
1 a. Verify invoice accuracy
2 a. Data entry edit controls
b. Reconcile detailed accounts payable records to the general ledger accounts payable account
25
25
CONTROL: OBJECTIVES, THREATS, AND PROCEDURES
•In the expenditure cycle (or any cycle), a well-designed AIS should provide adequate controls to ensure that the following objectives are met:
•All transactions are properly authorized
•All recorded transactions are valid
•All valid and authorized transactions are recorded
•All transactions are recorded accurately
•Assets are safeguarded from loss or theft
•Business activities are performed efficiently and effectively
•The company is in compliance with all applicable laws and regulations
•All disclosures are full and fair
25
25
CONTROL: OBJECTIVES, THREATS, AND PROCEDURES
•There are several actions a company can take with respect to any cycle to reduce threats of errors or irregularities. These include:
•Using simple, easy-to-complete documents with clear instructions (enhances accuracy and reliability).
•Using appropriate application controls, such as validity checks and field checks (enhances accuracy and reliability).
•Providing space on forms to record who completed and who reviewed the form (encourages proper authorizations and accountability).
•Pre-numbering documents (encourages recording of valid and only valid transactions).
•Restricting access to blank documents (reduces risk of unauthorized transaction).
25
25
CORRUPTION
•Corruption cases often involve arrangements between a company’s purchasing agent and a sales representative for one of the company’s vendors.
•The vendor’s representative may try to induce the purchasing agent to buy goods that:
•Are over-priced
•Are of inferior quality
•Aren’t even needed
•Aren’t even delivered
•In exchange, the vendor’s rep typically offers the purchasing agent something of value. That “something” might be money, payment of a debt, a job offer, an expensive vacation, or anything the purchasing agent might value.
25
25
CORRUPTION
•According to the Fraud Examiner’s Manual published by the Association of Certified Fraud Examiners, these schemes usually take four forms:
•Bribery
•Conflict of interest
•Economic extortion
•Illegal gratuities
25
25
EXPENDITURE CYCLE INFORMATION NEEDS
•When the AIS integrates information from the various cycles, sources, and types, the reports that can be generated are unlimited. They include reports on:
•Supplier performance
•Outstanding invoices
•Performance of expenditure cycle employees
•Number of POs processed by purchasing agent
•Number of invoices processed by A/P clerk
•Number of deliveries handled by receiving clerk
•Number of inventory moves by warehouse worker
•Inventory turnover
•Classification of inventory based on contribution to profitability
rust Services Framework
•Security
▫Access to the system and data is controlled and restricted to legitimate users.
•Confidentiality
▫Sensitive organizational data is protected.
•Privacy
▫Personal information about trading partners, investors, and employees are protected.
•Processing integrity
▫Data are processed accurately, completely, in a timely manner, and only with proper authorization.
•Availability
▫System and information are available.
<number>
<number>
The Trust Services framework developed by the AICPA and the Canadian Institute of Chartered Accountants (CICA) identified five basic principles that contribute to systems reliability:
1. Security
2. Confidentiality
3. Online privacy
4. Processing integrity
5. Availability
Trust Services Framework
3
3
Note the importance of security in this picture. It is the foundation of systems reliability. Security procedures:
▫Restrict system access to only authorized users and protect:
The confidentiality of sensitive organizational data.
The privacy of personal identifying information collected from customers.
4
4
Security procedures also:
▫Provide for processing integrity by preventing:
Submission of unauthorized or fictitious transactions.
Unauthorized changes to stored data or programs.
▫Protect against a variety of attacks, including viruses and worms, thereby ensuring the system is available when needed.
Trust Services Framework
5
5
SECURITY AS A MANAGEMENT ISSUE
The Trust Services framework identifies four essential criteria for successfully implementing the five principles of systems reliability:
1.Develop and document policies.
2.Effectively communicate those policies to all
authorized users.
3.Design and employ appropriate control procedures to implement those policies.
4.Monitor the system, and take corrective action to maintain compliance with the policies.
5
5
Management Issue:
Security Life Cycle
5
5
TIME-BASED MODEL OF SECURITY
•The time-based model of security focuses on implementing a set of preventive, detective, and corrective controls that enable an organization to recognize that an attack is occurring and take steps to thwart it before any assets have been compromised. The model provides management with a method to identify the most cost-effective approach to improving security by comparing the effects of additional investments in the three types of controls.
•All three types of controls are necessary:
1. Preventive
2. Detective
3. Corrective
5
5
TIME-BASED MODEL OF SECURITY
•The time-based model evaluates the effectiveness of an organization’s security by measuring and comparing the relationship among three variables:
▫P = Time it takes an attacker to break through the organization’s preventive controls
▫D = Time it takes to detect that an attack is in progress
▫C = Time to respond to the attack
•These three variables are evaluated as follows:
▫If P > (D + C), then security procedures are effective.
▫Otherwise, security is ineffective.
5
5
TIME-BASED MODEL OF SECURITY
•EXAMPLE: For an additional expenditure of $25,000, the company could take one of four measures:
▫Measure 1 would increase P by 5 minutes.
▫Measure 2 would decrease D by 3 minutes.
▫Measure 3 would decrease C by 5 minutes.
▫Measure 4 would increase P by 3 minutes and reduce C by 3 minutes.
•Since each measure has the same cost, which do you think would be the most cost-effective choice? (Hint: Your goal is to have P exceed (D + C) by the maximum possible amount.)
5
5
TIME-BASED MODEL OF SECURITY
•You may be able to solve this problem by eyeballing it. If not, one way to solve it is to assume some initial values for P, D, and C.
•So let’s assume that P = 15 min., D = 5 min., and C = 8 min.
•At our starting point, P – (D + C) = 15 – (5 + 8) = 2 min.
•With Measure 1, P is increased by 5 minutes:
▫20 – (5 + 8) = 7 min.
•With Measure 2, D is decreased by 3 minutes:
▫15 – (2 + 8) = 5 min.
•With Measure 3, C is decreased by 5 min.
▫15 – (5 + 3) = 7 min.
•With Measure 4, P is increased by 3 minutes and C is reduced by 3 min.
▫18 – (5 + 5) = 8 min.
5
5
DEFENSE IN DEPTH SUPPORTS TIME-BASED MODEL OF SECURITY
•The idea of defense-in-depth is to employ multiple layers of preventive, detective, and corrective controls to avoid having a single point of failure.
•If one layer fails, another may function as planned.
•Computer security involves using a combination of preventive controls, such as firewalls, passwords, and other methods to restrict access.
•Redundancy also applies to detective and corrective controls.
5
5
These are some of the multiple layers of preventive controls that reflect the defense-in-depth approach to satisfying the constraints of the time-based model of security.
13
13
DEFENSE IN DEPTH:
PREVENTIVE CONTROLS
Major types of preventive controls used for defense in depth include:
▫Training (follow safe computing practices (including over devices), protect against social engineering)
▫Physical access controls (locks, guards, biometric devices)
▫Authentication controls: something person knows, something person has, some biometric characteristic, combination of all three (passwords, tokens, biometrics, MAC addresses)
▫Authorization controls (access control matrices and compatibility tests)
▫Remote access controls (intrusion prevention systems; authentication of remote users)
▫Host and Application Hardening procedures (firewalls, anti-virus software, disabling of unnecessary features)
▫Encryption
13
13
DEFENSE IN DEPTH:
DETECTIVE CONTROLS
•Unfortunately, preventive controls are never 100% effective in blocking all attacks.
•So organizations implement detective controls to enhance security by:
▫Monitoring the effectiveness of preventive controls; and
▫Detecting incidents in which preventive controls have been circumvented.
•Actual system use must be examined to assess compliance through:
▫Log analysis
▫Intrusion detection systems
▫Periodically testing the effectiveness of existing security procedures
13
13
•Log Analysis
▫Most systems come with extensive capabilities for logging who accesses the system and what specific actions each user performed.
Logs form an audit trail of system access.
But logs are of value only if routinely examined!!!!!
Log analysis is the process of examining logs to monitor security.
•Intrusion Detection Systems
▫A major weakness of log analysis is that it is labor intensive and prone to human error.
▫Intrusion detection systems (IDS) represent an attempt to automate part of the monitoring.
13
13
•Security Testing
▫The effectiveness of existing security procedures should be tested periodically.
One approach is via vulnerability scans, which use automated tools designed to identify whether a system possesses any well-known vulnerabilities.
•Penetration testing provides a rigorous way to test the effectiveness of an organization’s computer security.
▫This testing involves an authorized attempt by either an internal audit team or external security consulting firm to break into the organization’s IS.
13
DEFENSE IN DEPTH:
CORRECTIVE CONTROLS
•Detection of attempted and successful intrusions is important but is worthless if not followed by corrective action.
•Two of the Trust Services framework criteria for effective security are the existence of procedures to:
▫React to system security breaches and other incidents.
▫Take corrective action on a timely basis.
13
13
•Three key components that satisfy the preceding criteria are:
1. Establishment of a computer incident response team (CIRT).
2. Designation of a specific individual with organization-wide responsibility for security.
3. An organized patch management system.
13
13
1. Computer Incident Response Team (CIRT)
▫A key component to being able to respond to security incidents promptly and effectively is the establish of a computer incident response team.
Responsible for dealing with major computer security incidents.
Should include technical specialists and senior operations management.
13
13
2.A chief information security officer (CISO):
▫Should be independent of other IS functions and report to either the COO or CEO.
▫Must understand the company’s technology environment and work with the CIO to design, implement, and promote sound security policies and procedures.
▫Works with the person in charge of building security, as that is often the entity’s weakest link.
▫Should impartially assess and evaluate the IT environment, conduct vulnerability and risk assessments, and audit the CIO’s security measures.
13
13
3. Patch Management
▫Another important corrective control involves regularly fixing known vulnerabilities and installing latest patches and updates to:
Anti-virus software
Firewalls
Operating systems
Application programs
13
•Technically-knowledgeable hackers often publish instructions for doing so (known as exploits) on the Internet.
•Although it takes skill to discover the original means to hack into or exploit a system, once published, it can be executed by almost anyone.
•Attackers who execute these programmed exploits are referred to as script kiddies who are usually less technically capable than the hackers who publish the exploits.
•A patch is code released by software developers to fix vulnerabilities that have been discovered.
13
13
•Patch management is challenging because:
▫Patches can have unanticipated side effects that cause problems, which means they should be tested before being deployed.
▫There are likely to be many patches each year for each software program, which may mean that hundreds of patches will need to be applied to thousands of machines.
Auditing Computer-Based Information Systems (CBISs)
•Negative effects of CBISs from audit perspective:
<number>
<number>
Auditing CBIS – continued
•Positive effects of CBISs from audit perspective:
<number>
<number>
AUDITING CBISs
•Auditors used to audit around the computer and ignore the computer and programs.
–Assumption: If output was correctly obtained from system input, then the processing must be reliable!!!!!
•Current approach: Audit through or with the computer.
–Uses the computer to check adequacy of system controls, data, and output.
<number>
<number>
Computer Audit Techniques
•Auditing ‘around’ the computer – use (paper) audit trail, usually in simple computer applications; focus on substantive test of transactions and balances
•Auditing ‘through’ the computer – test computer controls in more complex computer environments with computerized audit trail
•Auditing ‘with’ the computer – enables direct tests of transactions and balances for high volume transactions or highly computerized data
<number>
<number>
<number>
<number>
<number>
<number>
Test data for auditing
•Why use ‘test data’ for auditing?
–Need to test controls – are they working as they should?
–Need valid data as well as data that should violate ‘good’ data conditions to see what happens
–To ensure completeness of ‘test data’, the auditor should use a test data generator
<number>
<number>
Auditing With the Computer
2 techniques that are used:
–Generalized Audit Software (GAS)
•Data retrieval
•Calculations
•Edit checks
•Statistics
•Report Generation
–Using SQL to audit relational databases: for example, recalculate to verify accuracy of fields
<number>
<number>
COMPUTER SOFTWARE for AUDITORS
•Generalized audit software (GAS), AKA computer audit software (CAS) are computer programs that have been written especially for auditors.
•GAS/CAS is ideally suited for examination of large data files to identify records needing further audit scrutiny.
•The primary purpose of GAS/CAS is to assist the auditor in reviewing and retrieving information.
•When the auditor receives the GAS/CAS reports, most of the audit work still needs to be done.
–Items on exception reports must be investigated.
–File totals must be verified against other sources.
–Audit samples must be examined and evaluated.
•GAS CAS does not replace the auditor’s judgment or free the auditor from other phases of the audit.
<number>
<number>
INFORMATION SYSTEMS AUDITS
•When performing an information system audit, auditors should make sure that the following objectives are met:
–1. Security provisions exist that protect computer equipment, programs, communications, and data from unauthorized access, modification, or destruction.
–2. Program development and acquisition are performed in accordance with management’s general and specific authorization.
–3. Program modifications have management’s authorization and approval.
–4. Processing of transactions, files, reports, and other computer records is accurate and complete.
–5. Source data that are inaccurate or improperly authorized are identified and handled according to prescribed managerial policies.
–6. Computer data files are accurate, complete, and confidential.
<number>
<number>
IS COMPONENTS AND AUDIT OBJECTIVES
<number>
<number>
OBJECTIVE 1: OVERALL SECURITY
•Audit Procedures: Tests of Controls
–Auditors test security controls by:
•Observing procedures.
•Verifying that controls are in place and work as intended.
•Investigating errors or problems to ensure they were handled correctly.
•Examining any tests previously performed.
–One way to test logical access controls is to try to break into a system WITH APPROPRIATE PERMISSION!!!!!
<number>
<number>
OBJECTIVE 2: PROGRAM DEVELOPMENT AND ACQUISITION
•Audit Procedures: Systems Review
–The auditor’s role in systems development should be limited to an independent review of system development activities.
•During the systems review, the auditor should gain an understanding of development procedures by discussing them with management, users, and IS personnel.
•Should also review policies, procedures, standards, and documentation for systems and programs.
<number>
<number>
OBJECTIVE 3: PROGRAM MODIFICATION
–Audit Procedures: To test for unauthorized program changes, auditors can use a source code comparison program to compare the current version of the program with the original source code.
•Any unauthorized differences should result in an investigation.
•If the difference represents an authorized change, the auditor can refer to the program change specifications to ensure that the changes were authorized and correctly incorporated.
<number>
<number>
OBJECTIVE 3: PROGRAM MODIFICATION
–Two additional techniques detect unauthorized program changes:
•Reprocessing
–On a surprise basis, the auditor uses a verified copy of the source code to reprocess data and compare that output with the company’s data.
–Discrepancies are investigated.
•Parallel simulation
–Similar to reprocessing except that the auditor writes his/her own program instead of using verified source code.
–Can be used to test a program during the implementation process.
<number>
<number>
OBJECTIVE 4: COMPUTER PROCESSING
•Audit Procedures: Several specialized techniques allow the auditor to use the computer to test processing controls:
–Processing test data
–Using concurrent audit techniques
–Analyzing program logic
•Each has its own advantages and disadvantages:
–Appropriateness of each technique depends on the situation
–No one technique is good for all circumstances
•Auditors should not disclose which technique they use.
<number>
<number>
OBJECTIVE 4: COMPUTER PROCESSING
•Processing Test Data
–Involves testing a program by processing a hypothetical series of valid and invalid transactions.
–The program should:
•Process all the valid transactions correctly.
•Identify and reject the invalid ones.
–All logic paths should be checked for proper functioning by one or more test transactions, including:
•Records with missing data
•Fields containing unreasonably large amounts
•Invalid account numbers or processing codes
•Non-numeric data in numeric fields
•Records out of sequence
<number>
<number>
OBJECTIVE 4: COMPUTER PROCESSING
•The following resources are helpful when preparing test data:
–A listing of actual transactions
–The transactions that the programmer used to test the program
–A test data generator program, which automatically prepares test data based on program specifications
<number>
<number>
OBJECTIVE 4: COMPUTER PROCESSING: Concurrent Audit Techniques
•Although processing test transactions is usually effective, it has the following disadvantages:
–The auditor must spend considerable time understanding the system and preparing an adequate set of test transactions. (Note: this is also true about analyzing program logic.)
–Care must be taken to ensure test data do not affect the company’s files and databases.
•The auditor can reverse the effects of the test transactions or process them in a separate run, using a copy of the file or database.
–Reversal procedures may reveal the existence and nature of the auditor’s test to key personnel.
–A separate run removes some of the authenticity.
<number>
<number>
OBJECTIVE 4: COMPUTER PROCESSING: Concurrent Audit Techniques
•Concurrent Audit Techniques — trend, used in companies with high volume of transactions (example: financial services company
–Millions of dollars of transactions can be processed in an online system without leaving a satisfactory audit trail.
–In such cases, evidence gathered after data processing is insufficient for audit purposes.
–Also, because many online systems process transactions continuously, it is difficult or impossible to stop the system to perform audit tests.
–Consequently, auditors use concurrent audit techniques to continually monitor the system and collect audit evidence while live data are processed during regular operating hours.
<number>
<number>
OBJECTIVE 5: SOURCE DATA
•Audit Procedures:
–Auditors should ensure the data control function:
–Is independent of other functions
–Maintains a data control log
–Handles errors
–Ensures overall efficiency of operations
<number>
<number>
OBJECTIVE 6: DATA FILES
•Audit Procedures: Review company’s controls over data files:
–Secure file library and restrictions on physical access to data files
–Logical access controls using passwords and access control matrix
–Encryption of highly confidential data
–Use of virus protection software
–Maintenance of backup copies of all data files in an off-site location
Concurrent Audit Techniques
Millions of dollars of transactions can be processed in an online system without leaving a satisfactory audit trail.
In such cases, evidence gathered after data processing is insufficient for audit purposes.
Also, because many online systems process transactions continuously, it is difficult or impossible to stop the system to perform audit tests.
Consequently, auditors use concurrent audit techniques to continually monitor and audit the system and collect audit evidence while live data are processed during regular operating hours.
One type of concurrent audit technique uses embedded audit modules (EAMs).
These are segments of program code that:
Perform audit functions;
Report test results to the auditor; and
Store collected evidence for auditor (and only auditor) review.
These are cheaper and easier to install if these are developed at the same time that the software is developed.