What is an accounting information system?

We will first define a system, then define an information system and, finally, define an accounting information system. It should be obvious that all information systems are systems but not all systems are information systems. A vending machine, for example, is a system that is not an information system. Similarly, all accounting information systems are information systems, but the reverse is not always the case. Human resource information systems, production scheduling systems and strategic planning systems are examples of information systems that are not accounting information systems.

What is a system?

A system is a set of inter-dependent components (some of which may be systems in their own right) which collectively accomplish certain objectives.

• Component
• Inter-dependency
• Objectives (functions)

What is an information system?

An information system differs from other kinds of systems in that its objective is to monitor/document the operations of some other system, which we can call a target system. An information system cannot exist without such a target system. For example, production activities would be the target system for a production scheduling system, human resources in the business operations would be the target system of a human resource information system, and so on. It is important to recognize that within a vending machine there is a component/sub-system that can be considered an information system. In some sense, every reactive system will have a subsystem that can be considered an information system whose objective is to monitor and control such a reactive system.

A Contextual view

Any system operates by interacting with its environment. The contextual view describes graphically the interaction of the system with the various entities in its environment. The interactions consist of data flows from and to such entities. The contextual view clarifies the boundary of the system and its interfaces with the environment in which it operates.
Figure: Contextual View
A Control view

Any system must manipulate certain variables in order to achieve its objectives. It determines the manipulation needed by processing its outputs/states in relation to certain control parameters.

Attributes of Complex Systems (Booch, 1994):

• Frequently, complexity takes the form of a hierarchy, whereby a complex system is composed of interrelated subsystems that have in turn their own subsystems, and so on, until some lowest level of elementary components is reached (Courtois, 1985).
• The choice of what components in a system are primitive is relatively arbitrary and is largely up to the discretion of the observer of the system.
• Intracomponent linkages are generally stronger than intercomponent linkages (components of a system are loosely coupled, but components themselves are cohesive) (Simon, 1985).
• Hierarchical systems are usually composed of only a few different kinds of subsystems in various combinations and arrangements (same components can be reused) (Simon, 1985).
• A complex system that works is invariably found to have evolved from a simple system that worked..... A complex system designed from scratch never works and cannot be patched up to make it work. You have to start over, beginning with a system that works (Gall, 1986).

Some basic concepts & strategies in the study of systems

• Abstraction: "We have developed an exceptionally powerful technique for dealing with complexity. We abstract from it. Unable to master the entirety of a complex object, we choose to ignore the inessential details, dealing instead with the generalized, idealized model of the object" (Wulf in Shaw, 1981).
• Formality: Rigor at each stage in the development of a system.
• Divide and conquer: Divide a complex problem into a set of simpler problems that can be solved.
• Hierarchical ordering: Order the simplification of the problem in "divide & conquer" in hierarchies.
• Cohesion & coupling: Modularise the system such that interactions within components (cohesion) are maximised and interactions between components (coupling) are minimised. This way, the impact of errors, when they arise, is localised and does not cascade through the system. Diagnosis of offending components is also made easier.
• Information hiding: Each module (or subsystem) must have available to it just the information that is needed by it.
• Conceptual integrity: Consistency in design.
• Completeness: Ensuring that the design meets all the specifications.
• Logical independence: Emphasis on the statement of system objectives in terms of logical functions independent of physical implementation.
• Correctness & Efficiency: Correct in the sense that the design meets all the user requirements. Efficient in that the system accomplishes the objectives with minimum computing resources.

References

Booch, G. (1994) Object-Oriented Analysis and Design with Applications, 2nd ed. Redwood City, California: The Benjamin Cummings Publishing Company, Inc.
Courtois, P. (1985) On Time and Space Decomposition of Complex Structures. Communications of the ACM, vol. 28(6), p.596.
Gall, J. (1986) Systemantics: How Systems Really Work and How They Fail, 2nd ed. Ann Arbor, MI: The General Systemantics Press.
Simon, H. (1982) The Sciences of the Artificial. Cambridge, MA: The MIT Press.
Martin, J. and McClure, C. (1988) Structured Techniques: The Basis for CASE, Revised ed. Englewood Cliffs, NJ: Prentice Hall.
Shaw, M. (1981) ALPHARD: Form and Content. New York, NY: Springer-Verlag.

Introduction to Systems II

My experience has shown that many people find it hard to make their design ideas precise. They are willing to express their ideas in loose, general terms, but are unwilling to express them with the precision needed to make them into patterns. Above all, they are unwilling to express them as abstract spatial relations among well-defined spatial parts. I have also found that people aren't always very good at it; it is hard to do..... If you can't draw a diagram of it, it isn't a pattern. If you think you have a pattern, you must be able to draw a diagram of it. This is a crude, but vital rule. A pattern defines a field of spatial relations, and it must always be possible to draw a diagram for every pattern. In the diagram, each part will appear as a labeled or colored zone, and the layout of the parts expresses the relation which the pattern specifies. If you can't draw it, it isn't a pattern.

Christopher Alexander (1979) in The Timeless Way of Building.

• Introduction
• Types of Information Systems
  o Classification by mode of processing
  o Classification by System Objectives
  o Classification based on the nature of interaction with environment
• Specification of Information Systems
  o Why specifications?
  o Formal vs. Informal Specifications
  o Components of specifications
• Methodologies for Systems Development
  o Systems Development Life Cycle
• References

INTRODUCTION In recent years, the popular accounting press has begun publishing regular columns reviewing computer hardware and software for all types of accounting applications. It is apparent that the nature of recording, reviewing, and safeguarding accounting information is changing rapidly and this makes the job of the accountant, auditor or accounting professor more challenging. Further, more and more articles are appearing in these publications discussing security methods for the new technologies. As accounting systems become more sophisticated and more readily available to all types and sizes of businesses, the need to understand and to employ adequate systems security becomes an issue no business owner can ignore. In the event of a security breach, management may be held personally liable for the loss of organizational data (FEMA, 1993; Schreider, 1996). Recently, even the United States General Accounting Office noted a fiduciary responsibility to provide information in federal information systems (1997). Discussions of security issues in the accounting press, however, do not always manifest themselves in actual practice. To ascertain the degree of correspondence between theory and practice, this author undertook a survey of businesses in Hampton Roads, Virginia to determine the nature of their accounting systems and security methods in use. The area of Hampton Roads, in the eastern Tidewater region of Virginia, has a population of more than one and a half million people and comprises several Virginia cities including Norfolk, Virginia Beach, Chesapeake, Portsmouth, Suffolk, Hampton, Newport News, and Poquoson. This area is home to over 7,500 businesses with annual revenues of one million dollars or more, including an amazing variety of manufacturing and service companies, as well as numerous government agencies. These organizations are of all sizes and ownership types. 
With the largest trading port in the United States, and a superior intermodal system, the region's economy is growing. Thus, the area provides a thriving, and varied business population for ascertaining the current technology and security practices in use in accounting information systems. RESEARCH IN ACCOUNTING TECHNOLOGY TRENDS For almost 500 years, accounting was a manual process of handwritten entries in journals and ledgers. With the invention of the ENIAC mainframe computer in 1946, a new technology became available for processing accounting data. Mainframe accounting systems proliferated throughout the 1960s, 1970s and 1980s. In 1975, the first microcomputer was developed and by 1980, the first "packaged" software (spreadsheet, word processing, and database) for these machines became available. Since then, technology and software have evolved at an ever accelerating pace and are increasingly used for recording accounting information. The Journal of Accountancy (JOA), for the last several years, has annually surveyed CPAs at AICPA sponsored events on their use of computers and software. These individuals, however, were often attending seminars on accounting technology and may be more informed on the subject than the average business person.
The JOA surveys of technology show widespread use of personal computers with increasing use of laptops (from 53 percent in 1994 to 83 percent in 1995), modems (62 percent in 1995), and local area networks by CPAs in public accounting firms (34 percent in 1993, 78 percent in 1994, 87 percent in 1995) and industry (48 percent in 1993, 70 percent in 1994, 80 percent in 1995) (Gallun, Heagy & Lindsey, 1993a; Khani & Zarowin, 1994, 1995). Operating systems may be DOS or Windows with a slightly larger percentage using Windows (Khani & Zarowin, 1994, 1995). Processing may include either batch (periodic processing) or online real-time modes (immediate processing) (Ott, Boomer & Pottroff, 1993). By 1994, CPAs were beginning to use optical scanning (22 percent), bar coding (12 percent), document imaging (24 percent), and electronic data interchange (6 percent) (Khani & Zarowin, 1994). These trends toward increasing use of a variety of technologies in accounting continued in 1995 (Khani & Zarowin, 1995). JOA software surveys are generally oriented toward CPA firm functions and include tax, time and billing, and audit packages, as well as accounting applications. In 1994, 52 percent of accountants used custom software and 85 percent were using "off the shelf" accounting products (Khani & Zarowin, 1994). Popular accounting packages include ACCPAC, DacEasy, Creative Solutions, Macola, One-Write Plus, Great Plains, CYMA, Open Systems, Peachtree, Platinum, Prentice-Hall, Quick Books, Real World, Solomon and MAS90 (Courtney & Flippen, 1995; Khani & Zarowin, 1994, 1995; Luzi, Marshall & McCabe, 1994). The firms also noted use of "off the shelf" word processing (100 percent in 1995), spreadsheet (100 percent in 1995), database (60 percent in 1995), presentation (31 percent in 1995), and scheduling software (32 percent in 1995) (Gallun, Heagy & Lindsey, 1993b; Khani & Zarowin, 1994, 1995).
With the steady decline in the price of information technology and the increasing availability of "off the shelf" accounting software, more and more businesses of any size are able to automate all or part of their accounting functions. Further, in an effort to be extremely "user friendly," some of the accounting software requires little knowledge of accounting to be put to effective use. It is doubtful these users would have direct knowledge of security issues in accounting systems, and they must be made aware of potential security problems and solutions by the accounting, auditing or tax professionals they may occasionally consult. TECHNOLOGY AND SECURITY The concept of internal control or security is as old as accounting itself. The purpose of accounting was to report accurate financial information on business ventures to interested parties and to provide information on stewardship of assets. The very development of double entry accounting was specifically aimed at controlling errors. The first formal definition of internal control or security by the accounting profession was in 1949 and a Statement of Auditing Standards on such controls was issued in 1958. However, United States businesses were under no legal obligation to institute such a system of internal controls until the passage of the Foreign Corrupt Practices Act of 1977. Since that time, the concept and methods of internal control in accounting information systems have evolved and changed as new technological innovations have been incorporated by the accounting profession. No matter the type of technology employed, all accounting information systems seek five basic results: to record an actual, valid transaction; to accurately classify the nature of the transaction; to record the correct value of the transaction; to place the transaction in the proper accounting period; and to generate financial statements containing information about the transaction.
In any accounting information system, some form of controls are required to prevent and detect errors, and prevent and detect both accidental and intentional loss of assets and information. Over time, manual accounting systems developed well established controls and security methods to realize these ends that were often based in segregation of duties, comparison of documents and repeated checking of totals. With the proliferation of mainframe accounting systems, these controls were
adapted to the centralized, automated environment of data processing. The new technology of the 1990's, however, distributes information ownership and processing to all possible users, both within and without the organization. Further, fewer and fewer paper documents exist as organizations migrate to computer media. A 1996 survey of specialists in computerized accounting information systems noted increased use of networked personal computers with shared data, networks and stand-alone computers with modem connections to external users, and mainframe access to and from remote locations. These individuals rated the risk of security problems as moderate with stand-alone personal computers (49.7 percent), moderate with internal networks (63.8 percent), moderate with mainframes (71.1 percent) but high with any computer with external communications connections (71.4 percent) (Davis, 1996). This unlimited access from virtually anywhere and by anyone to electronically recorded data requires a change in the focus of controls and security methods that are often not fully understood or appreciated by the business owner. Statistics suggest that the loss of accounting information with the new technology can be caused by a variety of exposures: software may malfunction or be in error (14 percent), hardware may malfunction or be stolen (44 percent), destructive natural forces may occur (3 percent), human error (32 percent), and man-made disasters such as computer viruses (7 percent) (Ontrack Computer, 1996). A few simple security methods may be employed to limit the possibility or outcome of such occurrences. Physical security of assets is an element of any accounting system. Computers and the information they contain or process are valuable assets to any business. Locking buildings and rooms containing these assets are the most basic methods of deterring loss. If not cost prohibitive, alarms, video cameras and motion detectors may be included as part of the security system. 
As computers become more and more portable, however, it becomes necessary to secure them to tables and desks with cables and plate locks. Computer media such as disks and tapes should not be neglected in this process; lock these items in a secure storage area. Some form of fire protection and detection is extremely important to safeguard both data and equipment, as is an uninterrupted power supply to maintain processing and data integrity (Graves & Torrence, 1997; Institute of Internal Auditors, 1991, 1994). Limiting logical access to data and programs through the computer and communications devices is the next level of security and has become increasingly important with the ease of remote access to computers via modem. Passwords have been in use for 30 years to identify users in the computer environment and are still a very useful tool. Employees should be made aware of the importance of keeping their password secret and logging off the system when they are not using it. Passwords should be changed regularly, and after a certain number of attempts at entering a password, the system should no longer allow access. Another valuable security method utilizes the capability of security software by providing a user access control matrix. This program determines who may have access to data and programs and what the nature of that access may be (able to read data, able to change data, able to delete data). This is particularly important with the increasing use of databases and electronic data interchange. Security software can also record all user activity and the terminal that was used to access data or programs. This activity log must be carefully monitored, however, to provide the security desired (Graves & Torrence, 1997; Institute of Internal Auditors, 1991, 1994). An outgrowth of limiting logical access is limiting changes to programs or the development of new programs. All systems changes should be authorized by upper management and should be duly documented.
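
The logical access controls described above (password lockout, a user access control matrix with read/change/delete rights, logging off, and an activity log recording user and terminal), sketched as an added Python example that is not part of the original paper. The user names, resources, terminal IDs and the three-attempt threshold are constructed for illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

MAX_FAILED_ATTEMPTS = 3  # assumed threshold; the text says only "a certain number"

# Constructed access control matrix: user -> resource -> permitted kinds of access.
ACCESS_MATRIX = {
    "ap_clerk": {"vendor_invoices": {"read", "change"}, "general_ledger": {"read"}},
    "controller": {"vendor_invoices": {"read"},
                   "general_ledger": {"read", "change", "delete"}},
}


class AccessController:
    def __init__(self, matrix):
        self.matrix = matrix
        self._verifiers = {}   # user -> (salt, PBKDF2 hash); the password is never stored
        self._failures = {}    # user -> consecutive failed logins
        self.locked = set()    # accounts refused until an administrator resets them
        self.sessions = set()  # (user, terminal) pairs currently logged on
        self.activity_log = []

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, user, password):
        salt = os.urandom(16)
        self._verifiers[user] = (salt, self._hash(password, salt))

    def _record(self, user, terminal, event, allowed):
        # Every decision is logged with the user and the terminal it came from.
        self.activity_log.append({
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "user": user, "terminal": terminal, "event": event, "allowed": allowed,
        })
        return allowed

    def login(self, user, password, terminal):
        if user in self.locked:
            return self._record(user, terminal, "login while locked", False)
        # Unknown users get a dummy salt and an empty hash, so they always fail.
        salt, expected = self._verifiers.get(user, (b"\0" * 16, b""))
        if hmac.compare_digest(self._hash(password, salt), expected):
            self._failures[user] = 0
            self.sessions.add((user, terminal))
            return self._record(user, terminal, "login", True)
        self._failures[user] = self._failures.get(user, 0) + 1
        if user in self._verifiers and self._failures[user] >= MAX_FAILED_ATTEMPTS:
            self.locked.add(user)
            return self._record(user, terminal, "login failed; account locked", False)
        return self._record(user, terminal, "login failed", False)

    def logoff(self, user, terminal):
        self.sessions.discard((user, terminal))
        self._record(user, terminal, "logoff", True)

    def authorize(self, user, resource, action, terminal):
        # Default deny: no session at this terminal, or no explicit grant, means refusal.
        granted = self.matrix.get(user, {}).get(resource, set())
        allowed = (user, terminal) in self.sessions and action in granted
        return self._record(user, terminal, f"{action} {resource}", allowed)

    def exceptions(self):
        """Log entries a reviewer should examine: every refused login or access."""
        return [entry for entry in self.activity_log if not entry["allowed"]]


if __name__ == "__main__":
    ac = AccessController(ACCESS_MATRIX)
    ac.enroll("ap_clerk", "constructed-passphrase")
    ac.login("ap_clerk", "constructed-passphrase", "TERM-02")
    ac.authorize("ap_clerk", "vendor_invoices", "change", "TERM-02")
    ac.authorize("ap_clerk", "general_ledger", "delete", "TERM-02")  # not in the matrix
    for _ in range(MAX_FAILED_ATTEMPTS):
        ac.login("ap_clerk", "guess", "TERM-05")
    for entry in ac.exceptions():
        print(entry)
```

The `exceptions()` view is the part the text warns about: the log only provides security if someone actually reviews the refused attempts it collects.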
Encryption, the coding of text into an unreadable string of characters based on math algorithms, is an effective method of preventing browsing of confidential data. A decoding key is needed to be able to read the original message. This method can be employed when storing sensitive data or programs and when transmitting or receiving data from external sources. Two types of encryption systems are
available: the secret key system, which requires both parties to have the decoding key, and the public key system, in which the message is encrypted with a public key and the receiver decodes the message with a private key (Graves & Torrence, 1997; Institute of Internal Auditors, 1991, 1994). Computer viruses are lines of code that reproduce and attach themselves to other programs. In some cases they simply fill memory and slow system processing, while in other cases they are designed to destroy or change data and programs. Viruses may be introduced through external communications systems or by using floppy disks or CD-ROMs that are infected with the virus. They are particularly problematic with networked computers. Virus protection/detection software is usually included in newer computer operating systems, and is readily available from reputable vendors for older systems. This software should be updated on a regular basis to take advantage of its detection of newer viruses. Such software should be set to automatically scan computer files when the system is first turned on. Employees should be trained to also scan any external media they introduce to the system during their daily activities (Graves & Torrence, 1997; Institute of Internal Auditors, 1991, 1994). As accounting systems become less and less document driven and place more reliance on electronically stored data, the concept of backing up this data is tantamount to business survival. Most personal computer operating systems have a method of backing up the hard drive to floppy disks, but as the size of storage on these machines continues to grow, this is a slow process. Tape and Zip drives are now available at an affordable price to speed the backup process, and supporting software enables the user to set a given interval or time to perform a regular backup procedure. Several series of backups should be maintained as an added security measure, and backups should be stored off site.
With the increase in computer communications systems, it is now possible to back up data using these communications capabilities to vaulted storage at another location (Graves & Torrence, 1997; Institute of Internal Auditors, 1991, 1994). A final security method for the newer technology is periodic audits of the accounting information system. Whether the audit is performed by external auditors or internal auditors, a regular review of internal controls and security methods should be conducted with an eye toward improving the existing system (Graves & Torrence, 1997; Institute of Internal Auditors, 1991, 1994). Business owners have a fiduciary responsibility to provide accurate accounting information and safeguard the assets of the organization. There is no 100 percent foolproof method of assuring no errors or irregularities will occur in the accounting information system with the continuing advances in technology. The simple security measures suggested may provide at least some assurance that accounting data will not be lost or corrupted. RESEARCH IN ACCOUNTING INFORMATION SECURITY A 1993 survey of security methods showed CPAs in public accounting firms used virus protection 25 percent of the time, passwords 43 percent of the time, and backup 80 percent of the time. CPAs in industry were more security conscious, using virus protection approximately 50 percent of the time, passwords 84 percent of the time, and backup 80 percent of the time (Gallun, Heagy & Lindsey, 1993a). By 1994, CPAs in public accounting firms were more aware of virus protection (37 percent), but showed little improvement in the use of passwords (40 percent) and backup (83 percent) (Khani & Zarowin, 1994). In 1995, the use of backup took a dramatic jump for public accountants to 93 percent while CPAs in industry hovered at the 80 percent mark (Khani & Zarowin, 1995). This lack of security in CPA firms should be a concern for the profession as a whole.
If professional accountants are either unaware or unconcerned about accounting systems security, how can we impress on the average business person the need for security over accounting information? If the situation is one of management's concern for costs versus benefits, then an effort must be put forth to quantify this information for the system's user. Furthering the dilemma is the fact that the respondents to these surveys were individuals attending accounting information system seminars that suggest they
are more knowledgeable about automated accounting systems than the average individual and should be well aware of the potential for loss or corruption of accounting data. RESEARCH METHODOLOGY To collect information on accounting systems and their security methods in Tidewater Virginia, a one page survey was developed by the author and mailed to 1000 businesses in Hampton Roads, Virginia. A convenience sample of businesses was selected from the 1995 Corporate America CD Rom Database and the yellow pages of the Bell Atlantic telephone book. The database includes only businesses with annual sales of more than one million dollars and employing twenty or more persons; therefore, the telephone book provided smaller businesses for the sample. The survey was distributed in two mailings, with one in February 1995 and one in May 1995, in an attempt to avoid tax and year-end reporting cycles for the businesses. Any surveys returned as undeliverable were replaced with another subject to maintain an outstanding sample of 1000. Two hundred sixty-one usable surveys were returned (26.1 percent). The Survey and Analyses The survey instrument consisted of four parts (See Exhibit 1). Part one collected basic demographics on the company's business type, numbers of employees, and revenues. Part two was designed to collect data about the nature of the processing of accounting transactions, the business' specific accounting applications, and any accounting software utilized. Part three reported types of hardware used by the accounting system, and part four described basic security measures used with the accounting systems. Respondents were also asked to report whether their accounting system had undergone major changes in the past year and if the company had suffered any losses from employees or outsiders in the past year. Finally, respondents who were interested in discussing their accounting systems further were requested to provide their name, address and telephone number.
This information was masked on the survey after it was recorded in a separate database to provide confidentiality to the respondents. Univariate analysis of the results was conducted to assess the nature of accounting systems in the Hampton Roads area. RESEARCH FINDINGS Business Demographics Table 1 presents the demographics of the 261 respondents. Much of the sample (47.5 percent) consisted of service organizations providing repair, accounting, engineering, legal, health care, finance, entertainment, research, personal service and a variety of other functions. The next largest sample was retailing (19.6 percent), followed by manufacturing (11.6 percent) and then wholesaling (10.1 percent). Review of the number of employees and revenues suggests the sample represented both small, medium and large organizations with an almost equal representation over the categories. Fifty of the businesses (19.2 percent) reported a major change to their accounting systems in the past year. Part of the group was moving from a manual system to a more automated system, while the rest were undergoing a change in their already computerized system. Twenty of these companies made more than five million dollars in revenue annually. It is interesting to note that two companies reported suffering losses due to employee actions and two companies reported losses due to the actions of an outsider. One of the outsider losses was to a business making less than one half million dollars in revenue annually while the rest of the losses were to businesses making between one and five million dollars in revenues annually. Further review
of the nature of the accounting system hardware in the outsider losses shows one business utilizes a network and one utilizes a client/server system, but neither appears to use external communications. Technology and Software in Use The nature of the accounting systems is presented in Table 2. Approximately ten percent of the respondents used only a manual accounting system. Surprisingly, not all of these companies were in the smallest revenue classification of less than one half million dollars annually (See Table 4). More than 50 percent of the businesses described their accounting systems as highly automated. Companies using computers were as likely to process accounting information using batch techniques as online batch or online real-time techniques. Technology Stand alone personal computers were used by 213 of the respondents with an almost equal distribution utilizing DOS and Windows. Approximately 43 percent of the computerized organizations used networked personal computers and 24.8 percent used client/server systems. More than 40 percent of the businesses employed a mainframe computer in their accounting system with the majority (74) operating centralized facilities and 17 operating through distributed facilities. Of interest is the fact that four companies outsourced their mainframe computing. Over 30 percent of the companies utilize databases in their accounting systems and 18.8 percent operate electronic data interchange systems. Many employ a variety of communications equipment with the most popular method of communications being a modem (44.0 percent). More sophisticated communications hardware included fiber optics (5.1 percent), satellites (3.0 percent), and microwaves (.8 percent). Other technologies employed with the accounting systems include image processing, bar coding, OCR scanners, and radio tracking devices.
All types of accounting applications were captured in the companies' accounting information systems including the revenue cycle, procurement cycle, production cycle, personnel cycle, and financial/general ledger cycle. Of particular interest was the number of respondents (15.8 percent) capturing total quality information or customer satisfaction within the accounting information system.

TABLE 1
DEMOGRAPHICS
N = 261

BUSINESS(*)                      Number   Percent
Communication                         4       1.4
Construction                         19       6.9
Government                            4       1.4
Manufacturing-see detail             32      11.6
Retail                               54      19.6
Service-see detail                  131      47.5
Transportation                        3       1.1
Wholesaling                          28      10.1
Utility                               1       0.4

* Total number of companies exceeds 261 as some organizations encompassed more than one business.

MANUFACTURING                                        Number   Percent
Healthcare Products                                       4      12.5
Food Preparation                                          3       9.4
Print Products                                            3       9.4
Furniture                                                 3       9.4
Computers/Software                                        3       9.4
Machinery                                                 3       9.4
Metal Products                                            2       6.2
Chemicals                                                 2       6.2
Textiles, Lumber, Agriculture, Pkging, Films, Ice         6      18.7
Not stated                                                3       9.4

EMPLOYEES                        Number   Percent
Less than 10                         83      31.9
10-25                                60      23.1
26-100                               56      21.5
101-500                              43      16.5
More than 500                        18       6.9
Not given                             1       0.1

REVENUES                         Number   Percent
Less than .5 million                 62      23.8
.5-1 million                         40      15.3
1-5 million                          65      24.9
More than 5 million                  76      29.1
Not given                            18       6.9

SERVICE                                              Number   Percent
Repair                                                   23      17.6
Professionals                                            14      10.7
Healthcare                                               14      10.7
Cleaning                                                 10       7.6
Banking/Finance                                          10       7.6
Insurance                                                 7       5.3
Entertainment                                             7       5.3
Realty                                                    6       4.6
Storage/Freight                                           5       3.9
Heating/AC                                                5       3.9
Advertising/Printing                                      3       2.3
Computers/Software                                        3       2.3
Contracting                                               2       1.5
Temp. Employment                                          2       1.5
Housing                                                   2       1.5
Personal Grooming                                         2       1.5
Auction, Security, Lawn, Pets, Marine, Research,
  Vending, Testing, Warehouse                            13       9.9
Not stated                                                3       2.3

TABLE 2
NATURE OF THE ACCOUNTING SYSTEMS

NATURE (N = 261)                 Number   Percent
Manual                               27      10.4
Manual & Computer                    99      38.1
Computerized                        135      51.5

HARDWARE (N = 234)               Number   Percent
Stand alone PC: DOS                 106      45.3
Stand alone PC: Macintosh             6       2.6
Stand alone PC: Windows             101      43.2
Networked PCs                       102      43.5
Client Server System                 58      24.8
Mainframe: At the company            74      31.6
Mainframe: Distributed site          17       7.3
Mainframe: Outsourced                 4       1.7
Modem                               103      44.0
Coaxial Cable                        29      12.4
Fiber Optics                         12       5.1
Satellite system                      7       3.0
Microwave system                      2       0.8
Electronic Data Interch.             44      18.8
Database                             72      30.8
Image Processing                     11       4.7
Barcoding                            29      12.4
OCR Scanners                          9       3.8
Radio tracking                        2       0.8
Unique technology                     7       3.0

SECURITY (N = 234)               Number   Percent
INTRODUCTION

In recent years, the popular accounting press has begun publishing regular columns reviewing computer hardware and software for all types of accounting applications. It is apparent that the nature of recording, reviewing, and safeguarding accounting information is changing
rapidly and this makes the job of the accountant, auditor or accounting professor more challenging. Further, more and more articles are appearing in these publications discussing security methods for the new technologies. As accounting systems become more sophisticated and more readily available to all types and sizes of businesses, the need to understand and to employ adequate systems security becomes an issue no business owner can ignore. In the event of a security breach, management may be held personally liable for the loss of organizational data (FEMA, 1993; Schreider, 1996). Recently, even the United States General Accounting Office noted a fiduciary responsibility to provide information in federal information systems (1997). Discussions of security issues in the accounting press, however, do not always manifest themselves in actual practice. To ascertain the degree of correspondence between theory and practice, this author undertook a survey of businesses in Hampton Roads, Virginia to determine the nature of their accounting systems and security methods in use.
The area of Hampton Roads, in the eastern Tidewater region of Virginia, has a population of more than one and a half million people and comprises several Virginia cities including Norfolk, Virginia Beach, Chesapeake, Portsmouth, Suffolk, Hampton, Newport News, and Poquoson. This area is home to over 7,500 businesses with annual revenues of one million dollars or more, including an amazing variety of manufacturing and service companies, as well as numerous government agencies. These organizations are of all sizes and ownership types. With the largest trading port in the United States, and a superior intermodal system, the region's economy is growing. Thus, the area provides a thriving and varied business population for ascertaining the current technology and security practices in use in accounting information systems.

RESEARCH IN ACCOUNTING TECHNOLOGY TRENDS

For almost 500 years, accounting was a manual process of handwritten entries in journals and ledgers. With the invention of the ENIAC mainframe computer in 1946, a new technology became available for processing accounting data. Mainframe accounting systems proliferated throughout the 1960s, 1970s and 1980s. In 1975, the first microcomputer was developed and by 1980, the first "packaged" software (spreadsheet, word processing, and database) for these machines became available. Since then, technology and software have evolved at an ever accelerating pace and are increasingly used for recording accounting information. The Journal of Accountancy (JOA), for the last several years, has annually surveyed CPAs at AICPA sponsored events on their use of computers and software. These individuals, however, were often attending seminars on accounting technology and may be more informed on the subject than the average business person.
The JOA surveys of technology show widespread use of personal computers with increasing use of laptops (from 53 percent in 1994 to 83 percent in 1995), modems (62 percent in 1995), and local area networks by CPAs in public accounting firms (34 percent in 1993, 78 percent in 1994, 87 percent in 1995) and industry (48 percent in 1993, 70 percent in 1994, 80 percent in 1995) (Gallun, Heagy & Lindsey, 1993a; Khani & Zarowin, 1994, 1995). Operating systems may be DOS or Windows with a slightly larger percentage using Windows (Khani & Zarowin, 1994, 1995). Processing may include either batch (periodic processing) or online real-time modes (immediate processing) (Ott, Boomer & Pottroff, 1993). By 1994, CPAs were beginning to use optical scanning (22 percent), bar coding (12 percent), document imaging (24 percent), and electronic data interchange (6 percent) (Khani & Zarowin, 1994). These trends toward increasing use of a variety of technologies in accounting continued in 1995 (Khani & Zarowin, 1995).

JOA software surveys are generally oriented toward CPA firm functions and include tax, time and billing, and audit packages, as well as accounting applications. In 1994, 52 percent of accountants used custom software and 85 percent were using "off the shelf" accounting products (Khani & Zarowin, 1994). Popular accounting packages include ACCPAC, DacEasy, Creative Solutions, Macola, One-Write Plus, Great Plains, CYMA, Open Systems, Peachtree, Platinum, Prentice-Hall, Quick Books, Real World, Solomon and MAS90 (Courtney & Flippen, 1995; Khani & Zarowin, 1994, 1995; Luzi, Marshall & McCabe, 1994). The firms also noted use of "off the shelf" word processing (100 percent in 1995), spreadsheet (100 percent in 1995), database (60 percent in 1995), presentation (31 percent in 1995), and scheduling software (32 percent in 1995) (Gallun, Heagy & Lindsey, 1993b; Khani & Zarowin, 1994, 1995).
With the steady decline in the price of information technology and the increasing availability of "off the shelf" accounting software, more and more businesses of any size are able to automate all or part of their accounting functions. Further, in an effort to be extremely "user friendly" some of the accounting software requires little knowledge of accounting to be put to effective use. It is doubtful these users would have direct knowledge of security issues in accounting systems; they must be made aware of potential security problems and solutions by the accounting, auditing or tax professionals they may occasionally consult.
TECHNOLOGY AND SECURITY

The concept of internal control or security is as old as accounting itself. The purpose of accounting was to report accurate financial information on business ventures to interested parties and to provide information on stewardship of assets. The very development of double entry accounting was specifically aimed at controlling errors. The first formal definition of internal control or security by the accounting profession was in 1949 and a Statement of Auditing Standards on such controls was issued in 1958. However, United States businesses were under no legal obligation to institute such a system of internal controls until the passage of the Foreign Corrupt Practices Act of 1977. Since that time, the concept and methods of internal control in accounting information systems have evolved and changed as new technological innovations have been incorporated by the accounting profession.

No matter the type of technology employed, all accounting information systems seek five basic results: to record an actual, valid transaction; to accurately classify the nature of the transaction; to record the correct value of the transaction; to place the transaction in the proper accounting period; and to generate financial statements containing information about the transaction. In any accounting information system, some form of control is required to prevent and detect errors, and prevent and detect both accidental and intentional loss of assets and information. Over time, manual accounting systems developed well established controls and security methods to realize these ends that were often based in segregation of duties, comparison of documents and repeated checking of totals. With the proliferation of mainframe accounting systems, these controls were adapted to the centralized, automated environment of data processing.
The new technology of the 1990's, however, distributes information ownership and processing to all possible users, both within and without the organization. Further, fewer and fewer paper documents exist as organizations migrate to computer media. A 1996 survey of specialists in computerized accounting information systems noted increased use of networked personal computers with shared data, networks and stand-alone computers with modem connections to external users, and mainframe access to and from remote locations. These individuals rated the risk of security problems as moderate with stand-alone personal computers (49.7 percent), moderate with internal networks (63.8 percent), moderate with mainframes (71.1 percent) but high with any computer with external communications connections (71.4 percent) (Davis, 1996). This unlimited access from virtually anywhere and by anyone to electronically recorded data requires a change in the focus of controls and security methods that are often not fully understood or appreciated by the business owner. Statistics suggest that the loss of accounting information with the new technology can be caused by a variety of exposures: software may malfunction or be in error (14 percent), hardware may malfunction or be stolen (44 percent), destructive natural forces may occur (3 percent), human error (32 percent), and man-made disasters such as computer viruses (7 percent) (Ontrack Computer, 1996). A few simple security methods may be employed to limit the possibility or outcome of such occurrences. Physical security of assets is an element of any accounting system. Computers and the information they contain or process are valuable assets to any business. Locking buildings and rooms containing these assets are the most basic methods of deterring loss. If not cost prohibitive, alarms, video cameras and motion detectors may be included as part of the security system. 
As computers become more and more portable, however, it becomes necessary to secure them to tables and desks with cables and plate locks. Computer media such as disks and tapes should not be neglected in this process; lock these items in a secure storage area. Some form of fire protection and detection is extremely important to safeguard both data and equipment, as is an uninterrupted power supply to
maintain processing and data integrity. (Graves & Torrence, 1997; Institute of Internal Auditors, 1991, 1994). Limiting logical access to data and programs through the computer and communications devices is the next level of security and has become increasingly important with the ease of remote access to computer via modem. Passwords have been in use for 30 years to identify users in the computer environment and are still a very useful tool. Employees should be made aware of the importance of keeping their password secret and logging off the system when they are not using it. Passwords should be changed regularly, and after a certain number of attempts at entering a password, the system should no longer allow access. Another valuable security method utilizes the capability of security software by providing a user access control matrix. This program determines who may have access to data and programs and what the nature of that access may be (able to read data, able to change data, able to delete data). This is particularly important with the increasing use of databases and electronic data interchange. Security software can also record all user activity and the terminal that was used to access data or programs. This activity log must be carefully monitored, however, to provide the security desired (Graves & Torrence, 1997; Institute of Internal Auditors, 1991, 1994). An outgrowth of limiting logical access, is limiting changes to programs or the development of new programs. All systems changes should be authorized by upper management and should be duly documented. Encryption, the coding of text into an unreadable string of characters based on math algorithms, is an effective method of preventing browsing of confidential data. A decoding key is needed to be able to read the original message. This method can be employed when storing sensitive data or programs and when transmitting or receiving data from external sources. 
Two types of encryption systems are available: the secret key system requires both parties to have the decoding key, and the public key system where the message is encrypted with a public key and the receiver decodes the message with a private key (Graves & Torrence, 1997; Institute of Internal Auditors, 1991, 1994). Computer viruses are lines of code that reproduce and attach themselves to other programs. In some cases they simply fill memory and slow system processing, while in other cases they are designed to destroy or change data and programs. Viruses may be introduced through external communications systems or by using floppy disks or CD-ROMS that are infected with the virus. They are particularly problematic with networked computers. Virus protection/detection software is usually included in newer computer operating systems, and is readily available from reputable vendors for older systems. This software should be updated on a regular basis to take advantage of its detection of newer viruses. Such software should be set to automatically scan computer files when the system is first turned on. Employees should be trained to also scan any external media they introduce to the system during their daily activities (Graves & Torrence, 1997; Institute of Internal Auditors, 1991, 1994). As accounting systems become less and less document driven and place more reliance on electronically stored data, the concept of backing up this data is tantamount to business survival. Most personal computer operating systems have a method of backing up the hard drive to floppy disks, but as the size of storage on these machines continues to grow, this is a slow process. Tape and Zip drives are now available at an affordable price to speed the backup process and supporting software enables the user to set a given interval or time to perform regular backup procedure. Several series of backups should be maintained as an added security measure, and backup should be stored off site. 
With the increase in computer communications systems, it is now possible to backup data using these communications capabilities to vaulted storage at another location (Graves & Torrence, 1997; Institute of Internal Auditors, 1991, 1994). A final security method for the newer technology is periodic audits of the accounting information system. Whether the audit is performed by external auditors or internal auditors, a regular review of internal controls and security methods should be conducted with an eye toward improving the existing system (Graves & Torrence, 1997; Institute of Internal Auditors, 1991, 1994).
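
The logical access controls described above (password lockout after repeated failures, a user access control matrix of read/change/delete rights, and an activity log recording user and terminal) can be sketched as follows. This is an added example, not code from the article or from any product it surveys; the user names, resources, terminal IDs and the three-attempt threshold are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed threshold: the article only says "a certain number of attempts".
MAX_FAILED_ATTEMPTS = 3

# Constructed access control matrix: user -> resource -> permitted actions.
# Actions mirror the article's "read data, change data, delete data".
ACCESS_MATRIX = {
    "clerk_ar": {"receivables": {"read", "change"}, "general_ledger": {"read"}},
    "controller": {"receivables": {"read"},
                   "general_ledger": {"read", "change", "delete"}},
}


def hash_password(password: str, salt: bytes) -> bytes:
    """Store only a salted, slow hash of the password, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed: int = 0
    locked: bool = False


class AccessController:
    def __init__(self, matrix):
        self.matrix = matrix
        self.accounts = {}
        self.sessions = set()    # (user, terminal) pairs currently logged in
        self.activity_log = []   # every decision is recorded, allowed or not

    def add_user(self, user, password):
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, hash_password(password, salt))

    def _log(self, user, terminal, event, outcome):
        self.activity_log.append(
            {"user": user, "terminal": terminal, "event": event, "outcome": outcome})

    def login(self, user, password, terminal):
        acct = self.accounts.get(user)
        if acct is None:
            self._log(user, terminal, "login", "unknown_user")
            return False
        if acct.locked:
            # Even the correct password is refused until an administrator resets.
            self._log(user, terminal, "login", "locked")
            return False
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failed = 0
            self.sessions.add((user, terminal))
            self._log(user, terminal, "login", "ok")
            return True
        acct.failed += 1
        if acct.failed >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            # Lockout also ends any sessions the account still has open.
            self.sessions = {s for s in self.sessions if s[0] != user}
        self._log(user, terminal, "login",
                  "locked_out" if acct.locked else "bad_password")
        return False

    def authorize(self, user, terminal, resource, action):
        """Default deny: anything not listed in the matrix is refused."""
        if (user, terminal) not in self.sessions:
            self._log(user, terminal, f"{action}:{resource}", "not_logged_in")
            return False
        allowed = action in self.matrix.get(user, {}).get(resource, set())
        self._log(user, terminal, f"{action}:{resource}",
                  "allowed" if allowed else "denied")
        return allowed


def review_log(log):
    """Entries a reviewer should examine: everything except normal successes."""
    return [e for e in log if e["outcome"] not in {"ok", "allowed"}]


if __name__ == "__main__":
    ac = AccessController(ACCESS_MATRIX)
    ac.add_user("clerk_ar", "constructed-passphrase-1")
    ac.login("clerk_ar", "constructed-passphrase-1", "TERM-01")
    ac.authorize("clerk_ar", "TERM-01", "receivables", "delete")
    for _ in range(MAX_FAILED_ATTEMPTS):
        ac.login("clerk_ar", "guess", "TERM-07")
    for entry in review_log(ac.activity_log):
        print(entry)
```

The `review_log` filter reflects the article's point that the activity log only provides security if someone monitors it: denials and lockouts are surfaced together with the terminal they came from.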
Business owners have a fiduciary responsibility to provide accurate accounting information and safeguard the assets of the organization. There is no 100 percent foolproof method of assuring no errors or irregularities will occur in the accounting information system with the continuing advances in technology. The simple security measures suggested may provide at least some assurance that accounting data will not be lost or corrupted.

RESEARCH IN ACCOUNTING INFORMATION SECURITY

A 1993 survey of security methods showed CPAs in public accounting firms used virus protection 25 percent of the time, passwords 43 percent of the time, and backup 80 percent of the time. CPAs in industry were more security conscious using virus protection approximately 50 percent of the time, passwords 84 percent of the time, and backup 80 percent of the time (Gallun, Heagy & Lindsey, 1993a). By 1994, CPAs in public accounting firms were more aware of virus protection (37 percent), but showed little improvement in the use of passwords (40 percent) and backup (83 percent) (Khani & Zarowin, 1994). In 1995, the use of backup took a dramatic jump for public accountants to 93 percent while CPAs in industry hovered at the 80 percent mark (Khani & Zarowin, 1995). This lack of security in CPA firms should be a concern for the profession as a whole. If professional accountants are either unaware or unconcerned about accounting systems security, how can we impress on the average business person the need for security over accounting information? If the situation is one of management's concern for costs versus benefits, then an effort must be put forth to quantify this information for the system's user.
Furthering the dilemma is the fact that the respondents to these surveys were individuals attending accounting information system seminars that suggest they are more knowledgeable about automated accounting systems than the average individual and should be well aware of the potential for loss or corruption of accounting data.

RESEARCH METHODOLOGY

To collect information on accounting systems and their security methods in Tidewater Virginia, a one page survey was developed by the author and mailed to 1000 businesses in Hampton Roads, Virginia. A convenience sample of businesses was selected from the 1995 Corporate America CD Rom Database and the yellow pages of the Bell Atlantic telephone book. The database includes only businesses with annual sales more than one million dollars and employing twenty or more persons; therefore, the telephone book provided smaller businesses for the sample. The survey was distributed in two mailings, with one in February 1995 and one in May 1995, in an attempt to avoid tax and year-end reporting cycles for the businesses. Any surveys returned as undeliverable were replaced with another subject to maintain an outstanding sample of 1000. Two hundred sixty-one usable surveys were returned (26.1 percent).

The Survey and Analyses

The survey instrument consisted of four parts (See Exhibit 1). Part one collected basic demographics on the company's business type, numbers of employees, and revenues. Part two was designed to collect data about the nature of the processing of accounting transactions, the business' specific accounting applications, and any accounting software utilized. Part three reported types of hardware used by the accounting system, and part four described basic security measures used with the accounting systems. Respondents were also asked to report whether their accounting system had undergone major changes in the past year and if the company had suffered any losses from employees or outsiders in the past year.
Finally, respondents who were interested in discussing their accounting systems further were requested to provide their name, address and telephone number. This information was masked on the survey after it was recorded in a separate database to provide confidentiality to the respondents.
Univariate analysis of the results was conducted to assess the nature of accounting systems in the Hampton Roads area.

RESEARCH FINDINGS

Business Demographics

Table 1 presents the demographics of the 261 respondents. Much of the sample (47.5 percent) consisted of service organizations providing repair, accounting, engineering, legal, health care, finance, entertainment, research, personal service and a variety of other functions. The next largest sample was retailing (19.6 percent), followed by manufacturing (11.6 percent) and then wholesaling (10.1 percent). Review of the number of employees and revenues suggests the sample represented small, medium and large organizations with an almost equal representation over the categories. Fifty of the businesses (19.2 percent) reported a major change to their accounting systems in the past year. Part of the group was moving from a manual system to a more automated system, while the rest were undergoing a change in their already computerized system. Twenty of these companies made more than five million dollars in revenue annually.

It is interesting to note that two companies reported suffering losses due to employee actions and two companies reported losses due to the actions of an outsider. One of the outsider losses was to a business making less than one half million dollars in revenue annually while the rest of the losses were to businesses making between one and five million dollars in revenues annually. Further review of the nature of the accounting system hardware in the outsider losses shows one business utilizes a network and one utilizes a client/server system, but neither appears to use external communications.

Technology and Software in Use

The nature of the accounting systems is presented in Table 2. Approximately ten percent of the respondents used only a manual accounting system.
Surprisingly, not all of these companies were in the smallest revenue classification of less than one half million dollars annually (See Table 4). More than 50 percent of the businesses described their accounting systems as highly automated. Companies using computers were as likely to process accounting information using batch techniques as online batch or online real-time techniques.

Technology

Stand alone personal computers were used by 213 of the respondents with an almost equal distribution utilizing DOS and Windows. Approximately 43 percent of the computerized organizations used networked personal computers and 24.8 percent used client/server systems. More than 40 percent of the businesses employed a mainframe computer in their accounting system with the majority (74) operating centralized facilities and 17 operating through distributed facilities. Of interest is the fact that four companies outsourced their mainframe computing. Over 30 percent of the companies utilize databases in their accounting systems and 18.8 percent operate electronic data interchange systems. Many employ a variety of communications equipment with the most popular method of communications being a modem (44.0 percent). More sophisticated communications hardware included fiber optics (5.1 percent), satellites (3.0 percent), and microwaves (0.8 percent). Other technologies employed with the accounting systems include image processing, bar coding, OCR scanners, and radio tracking devices. All types of accounting applications were captured in the companies' accounting information systems including the revenue cycle, procurement cycle, production cycle, personnel cycle, and
financial/general ledger cycle. Of particular interest was the number of respondents (15.8 percent) capturing total quality information or customer satisfaction within the accounting information system.

TABLE 1
DEMOGRAPHICS
N = 261

BUSINESS(*)                               Number   Percent
Communication                                  4       1.4
Construction                                  19       6.9
Government                                     4       1.4
Manufacturing-see detail                      32      11.6
Retail                                        54      19.6
Service-see detail                           131      47.5
Transportation                                 3       1.1
Wholesaling                                   28      10.1
Utility                                        1       0.4

* Total number of companies exceeds 261 as some organizations encompassed more than one business.

MANUFACTURING                             Number   Percent
Healthcare Products                            4      12.5
Food Preparation                               3       9.4
Print Products                                 3       9.4
Furniture                                      3       9.4
Computers/Software                             3       9.4
Machinery                                      3       9.4
Metal Products                                 2       6.2
Chemicals                                      2       6.2
Textiles, Lumber, Agriculture,
  Pkging, Films, Ice                           6      18.7
Not stated                                     3       9.4

EMPLOYEES                                 Number   Percent
Less than 10                                  83      31.9
10-25                                         60      23.1
26-100                                        56      21.5
101-500                                       43      16.5
More than 500                                 18       6.9
Not given                                      1       0.1

REVENUES                                  Number   Percent
Less than .5 million                          62      23.8
.5-1 million                                  40      15.3
1-5 million                                   65      24.9
More than 5 million                           76      29.1
Not given                                     18       6.9

SERVICE                                   Number   Percent
Repair                                        23      17.6
Professionals                                 14      10.7
Healthcare                                    14      10.7
Cleaning                                      10       7.6
Banking/Finance                               10       7.6
Insurance                                      7       5.3
Entertainment                                  7       5.3
Realty                                         6       4.6
Storage/Freight                                5       3.9
Heating/AC                                     5       3.9
Advertising/Printing                           3       2.3
Computers/Software                             3       2.3
Contracting                                    2       1.5
Temp. Employment                               2       1.5
Housing                                        2       1.5
Personal Grooming                              2       1.5
Auction, Security, Lawn, Pets, Marine,
  Research, Vending, Testing, Warehouse       13       9.9
Not stated                                     3       2.3

TABLE 2
NATURE OF THE ACCOUNTING SYSTEMS

NATURE (N = 261)                          Number   Percent
Manual                                        27      10.4
Manual & Computer                             99      38.1
Computerized                                 135      51.5

HARDWARE (N = 234)                        Number   Percent
Stand alone PC:
  DOS                                        106      45.3
  Macintosh                                    6       2.6
  Windows                                    101      43.2
Networked PCs                                102      43.5
Client Server System                          58      24.8
Mainframe:
  At the company                              74      31.6
  Distributed site                            17       7.3
  Outsourced                                   4       1.7
Modem                                        103      44.0
Coaxial Cable                                 29      12.4
Fiber Optics                                  12       5.1
Satellite system                               7       3.0
Microwave system                               2       0.8
Electronic Data Interch.                      44      18.8
Database                                      72      30.8
Image Processing                              11       4.7
Barcoding                                     29      12.4
OCR Scanners                                   9       3.8
Radio tracking                                 2       0.8
Unique technology                              7       3.0

SECURITY (N = 234)                        Number   Percent
Encryption                                    15       6.4
Password                                     174      74.4
Backup                                       188      80.3
Virus Protection                             100      42.7
Change Authorization                          85      36.3
Physical Security                             71      30.3
Periodic Audits                              105      44.9

PROCESSING(*)                             Number   Percent
Batch                                        104      39.8
Online Batch                                  85      32.6
Online Realtime                               74      28.4

* Two companies reported using Batch and Online Realtime

APPLICATIONS (N = 234)                    Number   Percent
Order Entry                                   98      41.8
Billing                                      199      85.0
Purchasing                                   153      65.4
Cash Receipts                                178      76.1
Payroll                                      199      85.0
General Ledger                               198      84.6
Production Process                            59      25.2
Quality Management                            37      15.8
Sales                                        172      73.5
Credit Tracking                              117      50.0
Payables                                     194      82.9
Cash Disbursements                           168      71.8
Inventory                                    110      47.0
Taxes                                        127      54.3

SOFTWARE OTHER THAN ACCOUNTING (N = 234)  Number   Percent
Spreadsheets                                 166      70.9
Word processing                              143      61.1
Graphics                                      61      26.1
Report writers                               155      66.2
Desktop publishing                            31      13.2
Personal organizers                           35      14.9
Databases                                    125      53.4
Audit software                                34      14.5
Fixed asset mgt.                               3       1.3
Other: not described                          23       9.8

Total percentages for Hardware, Security, Applications and Software exceed 100% due to companies reporting combinations of usage.
Types of Software

Table 2 notes the variety of software used to support the accounting function. This included spreadsheets, word processing, report writers and graphics, databases, desktop publishing, and audit packages.
Accounting information system

From Wikipedia, the free encyclopedia

An accounting information system (AIS) is the system of records a business keeps to maintain its accounting system. This includes the purchase, sales, and other financial processes of the business. The purpose of an AIS is to accumulate data and provide decision makers (investors, creditors, and managers) with information.

While this was previously a paper-based process, most businesses now use accounting software. In an electronic financial accounting system, the steps in the accounting cycle are dependent upon the system itself. For example, some systems allow direct journal posting to the various ledgers and others do not.

Accounting Information Systems (AISs) combine the study and practice of accounting with the design, implementation, and monitoring of information systems. Such systems use modern information technology resources together with traditional accounting controls and methods to provide users the financial information necessary to manage their organizations.
AIS TECHNOLOGY

Input

The input devices commonly associated with AIS include: standard personal computers or workstations running applications; scanning devices for standardized data entry; electronic communication devices for electronic data interchange (EDI) and e-commerce. In addition, many financial systems come "Web-enabled" to allow devices to connect to the World Wide Web.

Process

Basic processing is achieved through computer systems ranging from individual personal computers to large-scale enterprise servers. However, conceptually, the underlying processing model is still the "double-entry" accounting system initially introduced in the fifteenth century.

Output

Output devices used include computer displays, impact and nonimpact printers, and electronic communication devices for EDI and e-commerce. The output content may encompass almost any type of financial reports from budgets and tax reports to multinational financial statements.
MANAGEMENT INFORMATION SYSTEMS (MIS)

MISs are interactive human/machine systems that support decision making for users both in and out of traditional organizational boundaries. These systems are used to support an organization's daily operational activities; current and future tactical decisions; and overall strategic direction. MISs are made up of several major applications including, but not limited to, the financial and human resources systems.

Financial applications make up the heart of an AIS in practice. Modules commonly implemented include: general ledger, payables, procurement/purchasing, receivables, billing, inventory, assets, projects, and budgeting.
Human resource applications make up another major part of modern information systems. Modules commonly integrated with the AIS include: human resources, benefits administration, pension administration, payroll, and time and labor reporting.
AIS—INFORMATION SYSTEMS IN CONTEXT

AISs cover all business functions from backbone accounting transaction processing systems to sophisticated financial management planning and processing systems. Financial reporting starts at the operational levels of the organization, where the transaction processing systems capture important business events such as normal production, purchasing, and selling activities. These events (transactions) are classified and summarized for internal decision making and for external financial reporting.

Cost accounting systems are used in manufacturing and service environments. These allow organizations to track the costs associated with the production of goods and/or performance of services. In addition, the AIS can provide advanced analyses for improved resource allocation and performance tracking.
Management accounting systems are used to allow organizational planning, monitoring, and control for a variety of activities. This allows managerial-level employees to have access to advanced reporting and statistical analysis. The systems can be used to gather information, to develop various scenarios, and to choose an optimal answer among alternative scenarios.

DEVELOPMENT

The development of an AIS includes five basic phases: planning, analysis, design, implementation, and support. The time period associated with each of these phases can be as short as a few weeks or as long as several years.

Planning—project management objectives and techniques

The first phase of systems development is the planning of the project. This entails determination of the scope and objectives of the project, the definition of project responsibilities, control requirements, project phases, project budgets, and project deliverables.
Analysis

The analysis phase is used to both determine and document the accounting and business processes used by the organization. Such processes are redesigned to take advantage of best practices or of the operating characteristics of modern system solutions.

Data analysis is a thorough review of the accounting information that is currently being collected by an organization. Current data are then compared to the data that the organization should be using for managerial purposes. This method is used primarily when designing accounting transaction processing systems.
Decision analysis is a thorough review of the decisions a manager is responsible for making. The primary decisions that managers are responsible for are identified on an individual basis. Then models are created to support the manager in gathering financial and related information to develop and design alternatives, and to make actionable choices. This method is valuable when decision support is the system's primary objective.
Process analysis is a thorough review of the organization's business processes. Organizational processes are identified and segmented into a series of events that either add or change data. These processes can then be modified or reengineered to improve the organization's operations in terms of lowering cost, improving service, improving quality, or improving management information. This method is appropriate when automation or reengineering is the system's primary objective.

Design

The design phase takes the conceptual results of the analysis phase and develops detailed, specific designs that can be implemented in subsequent phases. It involves the detailed design of all inputs, processing, storage, and outputs of the proposed accounting system. Inputs may be defined using screen layout tools and application generators. Processing can be shown through the use of flowcharts or business process maps that define the system logic, operations, and work flow. Logical data storage designs are identified by modeling the relationships among the organization's resources, events, and agents through diagrams. Also, entity relationship diagram (ERD) modeling is used to document large-scale database relationships. Output designs are documented through the use of a variety of reporting tools such as report writers, data extraction tools, query tools, and on-line analytical processing tools. In addition, all aspects of the design phase can be performed with software tool sets provided by specific software manufacturers.
Reporting is the driving force behind AIS development. If the system analysis and design are successful, the reporting process provides the information that helps drive management decision making. Accounting systems make use of a variety of scheduled and on-demand reports. The reports can be tabular, showing data in a table or tables; graphic, using images to convey information in a picture format; or matrices, to show complex relationships in multiple dimensions.
There are numerous characteristics to consider when defining reporting requirements. The reports must be accessible through the system's interface. They should convey information in a proactive manner. They must be relevant. Accuracy must be maintained. Lastly, reports must meet the information processing (cognitive) style of the audience they are to inform.
Reports are of three basic types: a filter report that separates select data from a database, such as a monthly check register; a responsibility report to meet the needs of a specific user, such as a weekly sales report for a regional sales manager; and a comparative report to show period differences, percentage breakdowns and variances between actual and budgeted expenditures. An example would be the financial statement analytics showing the expenses from the current year and prior year as a percentage of sales.
Screen designs and system interfaces are the primary data capture devices of AISs and are developed through a variety of tools. Storage is achieved through the use of normalized databases that assure functionality and flexibility. Business process maps and flowcharts are used to document the operations of the systems. Modern AISs use specialized databases and processing designed specifically for accounting operations. This means that much of the base processing capabilities come delivered with the accounting or enterprise software.
Implementation
The implementation phase consists of two primary parts: construction and delivery. Construction includes the selection of hardware, software and vendors for the implementation; building and testing the network communication systems; building and testing the databases; writing and testing the new program modifications; and installing and testing the total system from a technical standpoint. Delivery is the process of conducting final system and user acceptance testing; preparing the conversion plan; installing the production database; training the users; and converting all operations to the new system.
Tool sets are a variety of application development aids that are vendor-specific and used for customization of delivered systems. They allow the addition of fields and tables to the database, along with the ability to create screen and other interfaces for data capture. In addition, they help set accessibility and security levels for adequate internal control within the accounting applications.
Security exists in several forms. Physical security of the system must be addressed. In typical AISs the equipment is located in a locked room with access granted only to technicians. Software access controls are set at several levels, depending on the size of the AIS. The first level of security occurs at the network level, which protects the organization's communication systems. Next is the operating system level security, which protects the computing environment. Then, database security is enabled to protect organizational data from theft, corruption, or other forms of damage. Lastly, application security is used to keep unauthorized persons from performing operations within the AIS.
Testing is performed at four levels. Stub or unit testing is used to ensure the proper operation of individual modifications. Program testing involves the interaction between the individual modification and the program it enhances. System testing is used to determine that the program modifications work within the AIS as a whole. Acceptance testing ensures that the modifications meet user expectations and that the entire AIS performs as designed.
Conversion entails the method used to change from an old AIS to a new AIS. There are several methods for achieving this goal. One is to run the new and old systems in parallel for a specified period. A second method is to directly cut over to the new system at a specified point. A third is to phase in the system, either by location or system function. A fourth is to pilot the new system at a specific site before converting the rest of the organization.
Support
The support phase has two objectives. The first is to update and maintain the AIS. This includes fixing problems and updating the system for business and environmental changes. For example, changes in generally accepted accounting principles (GAAP) or tax laws might necessitate changes to conversion or reference tables used for financial reporting. The second objective of support is to continue development by continuously improving the business through adjustments to the AIS caused by business and environmental changes. These changes might result in future problems, new opportunities, or management or governmental directives requiring additional system modifications.
ATTESTATION
AISs change the way internal controls are implemented and the type of audit trails that exist within a modern organization. The lack of traditional forensic evidence, such as paper, necessitates the involvement of accounting professionals in the design of such systems. Periodic involvement of public auditing firms can be used to make sure the AIS is in compliance with current internal control and financial reporting standards. After implementation, the focus of attestation is the review and verification of system operation. This requires adherence to standards such as ISO 9000-3 for software design and development as well as standards for control of information technology. Periodic functional business reviews should be conducted to be sure the AIS remains in compliance with the intended business functions. Quality standards dictate that this review should be done according to a periodic schedule.
ENTERPRISE RESOURCE PLANNING (ERP)
ERP systems are large-scale information systems that impact an organization's AIS. These systems permeate all aspects of the organization and require technologies such as client/server and relational databases. Other system types that currently impact AISs are supply chain management (SCM) and customer relationship management (CRM). Traditional AISs recorded financial information and produced financial statements on a periodic basis according to GAAP pronouncements. Modern ERP systems provide a broader view of organizational information, enabling the use of advanced accounting techniques, such as activity-based costing (ABC) and improved managerial reporting using a variety of analytical techniques.
Subsystem of a Management Information System (MIS) that processes financial transactions to provide (1) internal reporting to managers for use in planning and controlling current and future operations and for nonroutine decision making; (2) external reporting to outside parties such as to stockholders, creditors, and government agencies.
Accounting Information Systems (AISs) combine the study and practice of accounting with the design, implementation, and monitoring of information systems. Such systems use modern information technology resources together with traditional accounting controls and methods to provide users the financial information necessary to manage their organizations.
AIS Technology
Input
The input devices commonly associated with AIS include: standard personal computers or workstations running applications; scanning devices for standardized data entry; electronic communication devices for electronic data interchange (EDI) and e-commerce. In addition, many financial systems come "Web-enabled" to allow devices to connect to the World Wide Web.
Process
Basic processing is achieved through computer systems ranging from individual personal computers to large-scale enterprise servers. However, conceptually, the underlying processing model is still the "double-entry" accounting system initially introduced in the fifteenth century.
Output
Output devices used include computer displays, impact and nonimpact printers, and electronic communication devices for EDI and e-commerce. The output content may encompass almost any type of financial reports from budgets and tax reports to multinational financial statements.
Management Information Systems (MIS)
MISs are interactive human/machine systems that support decision making for users both in and out of traditional organizational boundaries. These systems are used to support an organization's daily operational activities; current and future tactical decisions; and overall strategic direction.
MISs are made up of several major applications including, but not limited to, the financial and human resources systems. Financial applications make up the heart of an AIS in practice. Modules commonly implemented include: general ledger, payables, procurement/purchasing, receivables, billing, inventory, assets, projects, and budgeting. Human resource applications make up another major part of modern information systems. Modules commonly integrated with the AIS include: human resources, benefits administration, pension administration, payroll, and time and labor reporting.
AIS—Information Systems in Context
AISs cover all business functions from backbone accounting transaction processing systems to sophisticated financial management planning and processing systems. Financial reporting starts at the operational levels of the organization, where the transaction processing systems capture important business events such as normal production, purchasing, and selling activities. These events (transactions) are classified and summarized for internal decision making and for external financial reporting.
Cost accounting systems are used in manufacturing and service environments. These allow organizations to track the costs associated with the production of goods and/or performance of services. In addition, the AIS can provide advanced analyses for improved resource allocation and performance tracking.
Management accounting systems are used to allow organizational planning, monitoring, and control for a variety of activities. This allows managerial-level employees to have access to advanced reporting and statistical analysis. The systems can be used to gather information, to develop various scenarios, and to choose an optimal answer among alternative scenarios.
Development
The development of an AIS includes five basic phases: planning, analysis, design, implementation, and support. The time period associated with each of these phases can be as short as a few weeks or as long as several years.
Planning—project management objectives and techniques
The first phase of systems development is the planning of the project. This entails determination of the scope and objectives of the project, the definition of project responsibilities, control requirements, project phases, project budgets, and project deliverables.
(See also: Accounting; Internal Control Systems)
THEODORE J. MOCK
ROBERT M. KIDDOO
An accounting information system (AIS) is the system of records a business keeps to maintain its accounting system. This includes the purchase, sales, and other financial processes of the business.
The purpose of an AIS is to accumulate data and provide decision makers (investors, creditors, and managers) with information. While this was previously a paper-based process, most businesses now use accounting software. In an electronic financial accounting system, the steps in the accounting cycle are dependent upon the system itself. For example, some systems allow direct journal posting to the various ledgers and others do not. Accounting Information Systems (AISs) combine the study and practice of accounting with the design, implementation, and monitoring of information systems. Such systems use modern information technology resources together with traditional accounting controls and methods to provide users the financial information necessary to manage their organizations. AIS TECHNOLOGY Input The input devices commonly associated with AIS include: standard personal computers or workstations running applications; scanning devices for standardized data entry; electronic communication devices for electronic data interchange (EDI) and e-commerce. In addition, many financial systems come "Web-enabled" to allow devices to connect to the World Wide Web. Process Basic processing is achieved through computer systems ranging from individual personal computers to large-scale enterprise servers. However, conceptually, the underlying processing model is still the "double-entry" accounting system initially introduced in the fifteenth century. Output Output devices used include computer displays, impact and nonimpact printers, and electronic communication devices for EDI and e-commerce. The output content may encompass almost any type of financial reports from budgets and tax reports to multinational financial statements. MANAGEMENT INFORMATION SYSTEMS (MIS) MISs are interactive human/machine systems that support decision making for users both in and out of traditional organizational boundaries. 
These systems are used to support an organization's daily operational activities; current and future tactical decisions; and overall strategic direction. MISs are made up of several major applications including, but not limited to, the financial and human resources systems. Financial applications make up the heart of an AIS in practice. Modules commonly implemented include: general ledger, payables, procurement/purchasing, receivables, billing, inventory, assets, projects, and budgeting. Human resource applications make up another major part of modern information systems. Modules commonly integrated with the AIS include: human resources, benefits administration, pension administration, payroll, and time and labor reporting. AIS—INFORMATION SYSTEMS IN CONTEXT AISs cover all business functions from backbone accounting transaction processing systems to sophisticated financial management planning and processing systems. Financial reporting starts at the operational levels of the organization, where the transaction processing systems capture important business events such as normal production, purchasing, and selling activities. These events (transactions) are classified and summarized for internal decision making and for external financial reporting. Cost accounting systems are used in manufacturing and service environments. These allow organizations to track the costs associated with the production of goods and/or performance of services. In addition, the AIS can provide advanced analyses for improved resource allocation and performance tracking. Management accounting systems are used to allow organizational planning, monitoring, and control for a variety of activities. This allows managerial-level employees to have access to advanced reporting and statistical analysis. The systems can be used to gather information, to develop various scenarios, and to choose an optimal answer among alternative scenarios. DEVELOPMENT
The development of an AIS includes five basic phases: planning, analysis, design, implementation, and support. The time period associated with each of these phases can be as short as a few weeks or as long as several years. Planning—project management objectives and techniques The first phase of systems development is the planning of the project. This entails determination of the scope and objectives of the project, the definition of project responsibilities, control requirements, project phases, project budgets, and project deliverables. Analysis The analysis phase is used to both determine and document the accounting and business processes used by the organization. Such processes are redesigned to take advantage of best practices or of the operating characteristics of modern system solutions. Data analysis is a thorough review of the accounting information that is currently being collected by an organization. Current data are then compared to the data that the organization should be using for managerial purposes. This method is used primarily when designing accounting transaction processing systems. Decision analysis is a thorough review of the decisions a manager is responsible for making. The primary decisions that managers are responsible for are identified on an individual basis. Then models are created to support the manager in gathering financial and related information to develop and design alternatives, and to make actionable choices. This method is valuable when decision support is the system's primary objective. Process analysis is a thorough review of the organization's business processes. Organizational processes are identified and segmented into a series of events that either add or change data. These processes can then be modified or reengineered to improve the organization's operations in terms of lowering cost, improving service, improving quality, or improving management information. 
This method is appropriate when automation or reengineering is the system's primary objective. Design The design phase takes the conceptual results of the analysis phase and develops detailed, specific designs that can be implemented in subsequent phases. It involves the detailed design of all inputs, processing, storage, and outputs of the proposed accounting system. Inputs may be defined using screen layout tools and application generators. Processing can be shown through the use of flowcharts or business process maps that define the system logic, operations, and work flow. Logical data storage designs are identified by modeling the relationships among the organization's resources, events, and agents through diagrams. Also, entity relationship diagram (ERD) modeling is used to document large-scale database relationships. Output designs are documented through the use of a variety of reporting tools such as report writers, data extraction tools, query tools, and on-line analytical processing tools. In addition, all aspects of the design phase can be performed with software tool sets provided by specific software manufacturers. Reporting is the driving force behind an AIS development. If the system analysis and design are successful, the reporting process provides the information that helps drive management decision making. Accounting systems make use of a variety of scheduled and on-demand reports. The reports can be tabular, showing data in a table or tables; graphic, using images to convey information in a picture format; or matrices, to show complex relationships in multiple dimensions. There are numerous characteristics to consider when defining reporting requirements. The reports must be accessible through the system's interface. They should convey information in a proactive manner. They must be relevant. Accuracy must be maintained. Lastly, reports must meet the information processing (cognitive) style of the audience they are to inform. 
Reports are of three basic types: A filter report that separates select data from a database, such as a monthly check register; a responsibility report to meet the needs of a specific user, such as a weekly sales report for a regional sales manager; a comparative report to show period differences, percentage breakdowns and variances between actual and budgeted expenditures. An example would be the financial statement analytics showing the expenses from the current year and prior year as a percentage of sales.
Screen designs and system interfaces are the primary data capture devices of AISs and are developed through a variety of tools. Storage is achieved through the use of normalized databases that assure functionality and flexibility. Business process maps and flowcharts are used to document the operations of the systems. Modern AISs use specialized databases and processing designed specifically for accounting operations. This means that much of the base processing capabilities come delivered with the accounting or enterprise software. Implementation The implementation phase consists of two primary parts: construction and delivery. Construction includes the selection of hardware, software and vendors for the implementation; building and testing the network communication systems; building and testing the databases; writing and testing the new program modifications; and installing and testing the total system from a technical standpoint. Delivery is the process of conducting final system and user acceptance testing; preparing the conversion plan; installing the production database; training the users; and converting all operations to the new system. Tool sets are a variety of application development aids that are vendor-specific and used for customization of delivered systems. They allow the addition of fields and tables to the database, along with ability to create screen and other interfaces for data capture. In addition, they help set accessibility and security levels for adequate internal control within the accounting applications. Security exists in several forms. Physical security of the system must be addressed. In typical AISs the equipment is located in a locked room with access granted only to technicians. Software access controls are set at several levels, depending on the size of the AIS. The first level of security occurs at the network level, which protects the organization's communication systems. 
Next is the operating system level security, which protects the computing environment. Then, database security is enabled to protect organizational data from theft, corruption, or other forms of damage. Lastly, application security is used to keep unauthorized persons from performing operations within the AIS. Testing is performed at four levels. Stub or unit testing is used to insure the proper operation of individual modifications. Program testing involves the interaction between the individual modification and the program it enhances. System testing is used to determine that the program modifications work within the AIS as a whole. Acceptance testing ensures that the modifications meet user expectations and that the entire AIS performs as designed. Conversion entails the method used to change from an old AIS to a new AIS. There are several methods for achieving this goal. One is to run the new and old systems in parallel for a specified period. A second method is to directly cut over to the new system at a specified point. A third is to phase in the system, either by location or system function. A fourth is to pilot the new system at a specific site before converting the rest of the organization. Support The support phase has two objectives. The first is to update and maintain the AIS. This includes fixing problems and updating the system for business and environmental changes. For example, changes in generally accepted accounting principles (GAAP) or tax laws might necessitate changes to conversion or reference tables used for financial reporting. The second objective of support is to continue development by continuously improving the business through adjustments to the AIS caused by business and environmental changes. These changes might result in future problems, new opportunities, or management or governmental directives requiring additional system modifications. 
ATTESTATION

AISs change the way internal controls are implemented and the type of audit trails that exist within a modern organization. The lack of traditional forensic evidence, such as paper, necessitates the involvement of accounting professionals in the design of such systems. Periodic involvement of public auditing firms can be used to make sure the AIS is in compliance with current internal control and financial reporting standards. After implementation, the focus of attestation is the review and verification of system operation. This requires adherence to standards such as ISO 9000-3 for software design and development as well as standards for control of information technology. Periodic functional business reviews should be conducted to be sure the AIS remains in compliance with the intended business functions. Quality standards dictate that this review should be done according to a periodic schedule.

ENTERPRISE RESOURCE PLANNING (ERP)

ERP systems are large-scale information systems that impact an organization's AIS. These systems permeate all aspects of the organization and require technologies such as client/server and relational databases. Other system types that currently impact AISs are supply chain management (SCM) and customer relationship management (CRM). Traditional AISs recorded financial information and produced financial statements on a periodic basis according to GAAP pronouncements. Modern ERP systems provide a broader view of organizational information, enabling the use of advanced accounting techniques, such as activity-based costing (ABC) and improved managerial reporting using a variety of analytical techniques.
Lecture Notes on Analysis & Design of Accounting Information Systems

Jagdish S. Gangolly
Department of Accounting & Law
State University of New York at Albany

PREFACE

The main object of teaching is not to give explanations, but to knock at the doors of the mind. If any boy is asked to give an account of what is awakened in him by such knocking, he will probably say something silly. For what happens within is much bigger than what comes out in words. Those who pin their faith on university examinations as the test of education take no account of this.

Rabindranath Tagore

These notes are prepared exclusively for the benefit of the students in the course Acc 681 Accounting Information Systems in the Department of Accounting & Law at the State University of New York at Albany, and are not to be used by others for any purpose without the express permission of the author. I shall be adding to these notes as we go along. You can download the file and print the pages that you need. You will find the instructions for viewing postscript files on the course homepage at http://www.albany.edu/faculty/gangolly/acc682/fall99/

Jagdish S. Gangolly
Albany, NY 12222
Contents

• Introduction to Systems I
  o Introduction
  o What is an accounting information system?
      What is a system?
      What is an information system?
      What is an accounting information system?
  o Different views of a system
      A Contextual view
      A Control view
  o Attributes of Complex Systems: (Booch, 1994)
      Some basic concepts & strategies in the study of systems
  o References
• Introduction to Systems II
  o Introduction
  o Types of Information Systems
      Classification by mode of processing
      Classification by System Objectives
      Classification based on the nature of interaction with environment
  o Specification of Information Systems
      Why specifications?
      Formal vs. Informal Specifications
      Components of specifications
  o Methodologies for Systems Development
      Systems Development Life Cycle
  o References
• The Functional Model
  o Introduction
  o The Strategy in Functional Modeling
  o Dataflow Diagrams
  o Guidelines for Drawing Dataflow Diagrams
  o A Toy Sales Order Entry & Processing System (Example):
  o References
• About this document ...
Chapter 1: Introduction
Chapter 2: Overview of Accounting Data Processing
Chapter 3: International Issues and the World Wide Web
Chapter 4: Computer Hardware and Software
Chapter 5: Decision Support Tools and Expert Systems
Chapter 6: E-Business and Communication Systems
Chapter 7: File Processing and the Database Approach
Chapter 8: Ethics, Computer Crime, and Internal Control
Chapter 9: Auditing the AIS
Chapter 10: Systems Development Overview
Chapter 11: Revenue (Marketing) Cycle
Chapter 12: Expenditure Cycle
Chapter 13: Conversion (Production) Cycle
Chapter 14: Financial Cycle