Accounting Information System 2
Accounting Information System 2
Accounting Information System 2
We will first define a system, define an information system and, finally define an accounting
information system. It should be obvious that all information systems are systems but not all systems
are information systems. A vending machine, for example, is a system that is not an information
system. Similarly, all accounting information systems are information systems, but the reverse is not
always the case. Human resource information systems, production scheduling systems, strategic
planning systems are examples of information systems that are not accounting information systems.
What is a system?
A system is a set of inter-dependent components (some of which may be systems in their own right)
which collectively accomplish certain objectives.
An information system differs from other kinds of systems in that its objective is to
monitor/document the operations of some other system, which we can call a target system. An
information system cannot exist without such a target system. For example, production activities
would be the target system for a production scheduling system, human resources in the business
operations would be the target system of a human resource information system, and so on. It is
important to recognize that within a vending machine there is a component/sub-system that can be
considered an information system. In some sense, every reactive system will have a subsystem that
can be considered an information system whose objective is to monitor and control such a reactive
system.
A Contextual view
Any system operates by interacting with its environment. The contextual view describes graphically
the interaction of the system with the various entities in its environment. The interactions consist of
data flows from and to such entities. The contextual view clarifies the boundary of the system and its
interfaces with the environment in which it operates.
Figure: Contextual View
A Control view
Any system must manipulate certain variables in order to achieve its objectives. It determines the
manipulation needed by processing its outputs/states in relation to certain control parameters.
Attributes of Complex Systems: (Booch, 1994)
Frequently, complexity takes the form of a hierarchy, whereby a complex system is composed of
interrelated subsystems that have in turn their own subsystems, and so on, until some lowest level of
elementary components is reached (Courtois, 1985). The choice of what components in a system are
primitive is relatively arbitrary and is largely up to the discretion of the observer of the system.
Intracomponent linkages are generally stronger than intercomponent linkages (components of a
system are loosely coupled, but components themselves are cohesive) (Simon, 1985). Hierarchical
systems are usually composed of only a few different kinds of subsystems in various combinations
and arrangements (same components can be reused)(Simon, 1985). A complex system that works is
invariably found to have evolved from a simple system that worked..... A complex system designed
from scratch never works and cannot be patched up to make it work. You have to start over,
beginning with a system that works (Gall, 1986).
References
Booch, G. (1994) bf Object-Oriented Analysis and Design with Applications, 2nd ed. Redwood City,
California: The Benjamin Cummings Publishing Company, Inc.
Gall, J. (1986) Systemantics: How Systems Really Work and How They Fail, 2nd ed. Ann Arbor,
MI : The General Systemantics Press.
Simon, H. (1982) The Sciences of the Artificial. Cambridge, MA : The MIT Press.
Martin, J. and McClure, C. (1988) Structured Techniques: The Basis for CASE, Revised ed.
Englewood Cliffs, NJ : Prentice Hall.
Shaw, M. (1981) ALPHARD: Form and Content. New York, NY: Springer-Verlag.
Introduction to Systems II
My experience has shown that many people find it hard to make their design ideas precise. They are
willing to express their ideas in loose, general terms, but are unwilling to express them with the
precision needed to make them into patterns. Above all, they are unwilling to express them as
abstract spatial relations among well-defined spatial parts. I have also found that people aren't always
very good at it; it is hard to do..... If you can't draw a diagram of it, it isn't a pattern. If you think you
have a pattern, you must be able to draw a diagram of it. This is a crude, but vital rule. A pattern
defines a field of spatial relations, and it must always be possible to draw a diagram for every pattern.
In the diagram, each part will appear as a labeled or colored zone, and the layout of the parts
expresses the relation which the pattern specifies. If you can't draw it, it isn't a pattern.
• Introduction
• Types of Information Systems
o Classification by mode of processing
o Classification by System Objectives
o Classification based on the nature of interaction with environment
• Specification of Information Systems
o Why specifications?
o Formal vs. Informal Specifications
o Components of specifications
• Methodologies for Systems Development
o Systems Development Life Cycle
• References
Booch, G. (1994) bf Object-Oriented Analysis and Design with Applications, 2nd ed. Redwood City,
California: The Benjamin Cummings Publishing Company, Inc.
Gall, J. (1986) Systemantics: How Systems Really Work and How They Fail, 2nd ed. Ann Arbor,
MI : The General Systemantics Press.
Simon, H. (1982) The Sciences of the Artificial. Cambridge, MA : The MIT Press.
Martin, J. and McClure, C. (1988) Structured Techniques: The Basis for CASE, Revised ed.
Englewood Cliffs, NJ : Prentice Hall.
Shaw, M. (1981) ALPHARD: Form and Content. New York, NY: Springer-Verlag.
INTRODUCTION
In recent years, the popular accounting press has begun publishing regular columns reviewing
computer hardware and software for all types of accounting applications. It is apparent that the nature
of recording, reviewing, and safeguarding accounting information is changing rapidly and this makes
the job of the accountant, auditor or accounting professor more challenging. Further, more and more
articles are appearing in these publications discussing security methods for the new technologies. As
accounting systems become more sophisticated and more readily available to all types and sizes of
businesses, the need to understand and to employ adequate systems security becomes an issue no
business owner can ignore. In the event of a security breach, management may be held personally
liable for the loss of organizational data (FEMA, 1993; Schreider, 1996). Recently, even the United
States General Accounting Office noted a fiduciary responsibility to provide information in federal
information systems (1997).
Discussions of security issues in the accounting press, however, do not always manifest themselves
in actual practice. To ascertain the degree of correspondence between theory and practice, this author
undertook a survey of businesses in Hampton Roads, Virginia to determine the nature of their
accounting systems and security methods in use.
The area of Hampton Roads, in the eastern Tidewater region of Virginia, has a population of more
than one and a half million people and comprises several Virginia cities including Norfolk, Virginia
Beach, Chesapeake, Portsmouth, Suffolk, Hampton, Newport News, and Poquoson. This area is
home to over 7,500 businesses with annual revenues of one million dollars or more, including an
amazing variety of manufacturing and service companies, as well as numerous government agencies.
These organizations are of all sizes and ownership types. With the largest trading port in the United
States, and a superior intermodal system, the region's economy is growing. Thus, the area provides a
thriving, and varied business population for ascertaining the current technology and security practices
in use in accounting information systems.
For almost 500 years, accounting was a manual process of handwritten entries in journals and
ledgers. With the invention of the ENIAC mainframe computer in 1946, a new technology became
available for processing accounting data. Mainframe accounting systems proliferated throughout the
1960s, 1970s and 1980s. In 1975, the first microcomputer was developed and by 1980, the first
"packaged" software (spreadsheet, word processing, and database) for these machines became
available. Since then, technology and software have evolved at an ever accelerating pace and are
increasingly used for recording accounting information.
The Journal of Accountancy (JOA), for the last several years, has annually surveyed CPAs at AICPA
sponsored events on their use of computers and software. These individuals, however, were often
attending seminars on accounting technology and may be more informed on the subject than the
average business person.
The JOA surveys of technology show widespread use of personal computers with increasing use of
laptops (from 53 percent in 1994 to 83 percent in 1995), modems (62 percent in 1995), and local area
networks by CPAs in public accounting firms (34 percent in 1993, 78 percent in 1994, 87 percent in
1995) and industry (48 percent in 1993, 70 percent in 1994, 80 percent in 1995) (Gallun, Heagy &
Lindsey, 1993a; Khani & Zarowin, 1994, 1995). Operating systems may be DOS or Windows with a
slightly larger percentage using Windows (Khani & Zarowin, 1994, 1995). Processing may include
either batch (periodic processing) or online real-time modes (immediate processing) (Ott, Boomer &
Pottroff, 1993). By 1994, CPAs were beginning to use optical scanning (22 percent), bar coding (12
percent), document imaging (24 percent), and electronic data interchange (6 percent) (Khani &
Zarowin, 1994). These trends toward increasing use of a variety of technologies in accounting
continued in 1995 (Khani & Zarowin, 1995).
JOA software surveys are generally oriented toward CPA firm functions and include tax, time and
billing, and audit packages, as well as accounting applications. In 1994, 52 percent of accountants
used custom software and 85 percent were using "off the shelf" accounting products (Khani &
Zarowin, 1994). Popular accounting packages include ACCPAC, DacEasy, Creative Solutions,
Macola, One-Write Plus, Great Plains, CYMA, Open Systems, Peachtree, Platinum, Prentice-Hall,
Quick Books, Real World, Solomon and MAS90 (Courtney & Flippen, 1995; Khani & Zarowin,
1994, 1995; Luzi, Marshall & McCabe, 1994) The firms also noted use "off the shelf" word
processing (100 percent in 1995), spreadsheet (100 percent in 1995), database (60 percent in 1995),
presentation (31 percent in 1995), and scheduling software (32 percent in 1995) (Gallun, Heagy &
Lindsey, 1993b; Khani & Zarowin, 1994, 1995).
With the steady decline in the price of information technology and the increasing availability of "off
the shelf" accounting software, more and more businesses of any size are able to automate all or part
of their accounting functions. Further, in an effort to be extremely "user friendly" some of the
accounting software requires little knowledge of accounting to be put to effective use. It is doubtful
these users would have direct knowledge of security issues in accounting systems and must he made
aware of potential security problems and solutions by the accounting, auditing or tax professionals
they may occasionally consult.
The concept of internal control or security is as old as accounting itself. The purpose of accounting
was to report accurate financial information on business ventures to interested parties and to provide
information on stewardship of assets. The very development of double entry accounting was
specifically aimed at controlling errors.
The first formal definition if internal control or security by the accounting profession was in 1949
and a Statement of Auditing Standards on such controls was issued in 1958. However, United States
businesses were under no legal obligation to institute such a system of internal controls until the
passage of the Foreign Corrupt Practices Act of 1977. Since that time, the concept and methods of
internal control in accounting information systems have evolved and changed as new technological
innovations have been incorporated by the accounting profession.
No matter the type of technology employed, all accounting information systems seek five basic
results: to record an actual, valid transaction; to accurately classify the nature of the transaction; to
record the correct value of the transaction; to place the transaction in the proper accounting period;
and to generate financial statements containing information about the transaction.
In any accounting information system, some form of controls are required to prevent and detect
errors, and prevent and detect both accidental and intentional loss of assets and information. Over
time, manual accounting systems developed well established controls and security methods to realize
these ends that were often based in segregation of duties, comparison of documents and repeated
checking of totals. With the proliferation of mainframe accounting systems, these controls were
adapted to the centralized, automated environment of data processing. The new technology of the
1990's, however, distributes information ownership and processing to all possible users, both within
and without the organization. Further, fewer and fewer paper documents exist as organizations
migrate to computer media.
A 1996 survey of specialists in computerized accounting information systems noted increased use of
networked personal computers with shared data, networks and stand-alone computers with modem
connections to external users, and mainframe access to and from remote locations. These individuals
rated the risk of security problems as moderate with stand-alone personal computers (49.7 percent),
moderate with internal networks (63.8 percent), moderate with mainframes (71.1 percent) but high
with any computer with external communications connections (71.4 percent) (Davis, 1996). This
unlimited access from virtually anywhere and by anyone to electronically recorded data requires a
change in the focus of controls and security methods that are often not fully understood or
appreciated by the business owner.
Statistics suggest that the loss of accounting information with the new technology can be caused by a
variety of exposures: software may malfunction or be in error (14 percent), hardware may
malfunction or be stolen (44 percent), destructive natural forces may occur (3 percent), human error
(32 percent), and man-made disasters such as computer viruses (7 percent) (Ontrack Computer,
1996). A few simple security methods may be employed to limit the possibility or outcome of such
occurrences.
Physical security of assets is an element of any accounting system. Computers and the information
they contain or process are valuable assets to any business. Locking buildings and rooms containing
these assets are the most basic methods of deterring loss. If not cost prohibitive, alarms, video
cameras and motion detectors may be included as part of the security system. As computers become
more and more portable, however, it becomes necessary to secure them to tables and desks with
cables and plate locks. Computer media such as disks and tapes should not be neglected in this
process; lock these items in a secure storage area. Some form of fire protection and detection is
extremely important to safeguard both data and equipment, as is an unitterupted power supply to
maintain processing and data integrity. (Graves & Torrence, 1997; Institute of Internal Auditors,
1991, 1994).
Limiting logical access to data and programs through the computer and communications devices is
the next level of security and has become increasingly important with the ease of remote access to
computer via modem. Passwords have been in use for 30 years to identify users in the computer
environment and are still a very useful tool. Employees should be made aware of the importance of
keeping their password secret and logging off the system when they are not using it. Passwords
should be changed regularly, and after a certain number of attempts at entering a password, the
system should no longer allow access. Another valuable security method utilizes the capability of
security software by providing a user access control matrix. This program determines who may have
access to data and programs and what the nature of that access may be (able to read data, able to
change data, able to delete data). This is particularly important with the increasing use of databases
and electronic data interchange. Security software can also record all user activity and the terminal
that was used to access data or programs. This activity log must be carefully monitored, however, to
provide the security desired (Graves & Torrence, 1997; Institute of Internal Auditors, 1991, 1994).
An outgrowth of limiting logical access, is limiting changes to programs or the development of new
programs. All systems changes should be authorized by upper management and should be duly
documented.
Encryption, the coding of text into an unreadable string of characters based on math algorithms, is an
effective method of preventing browsing of confidential data. A decoding key is needed to be able to
read the original message. This method can be employed when storing sensitive data or programs and
when transmitting or receiving data from external sources. Two types of encryption systems are
available: the secret key system requires both parties to have the decoding key, and the public key
system where the message is encrypted with a public key and the receiver decodes the message with
a private key (Graves & Torrence, 1997; Institute of Internal Auditors, 1991, 1994).
Computer viruses are lines of code that reproduce and attach themselves to other programs. In some
cases they simply fill memory and slow system processing, while in other cases they are designed to
destroy or change data and programs. Viruses may be introduced through external communications
systems or by using floppy disks or CD-ROMS that are infected with the virus. They are particularly
problematic with networked computers. Virus protection/detection software is usually included in
newer computer operating systems, and is readily available from reputable vendors for older systems.
This software should be updated on a regular basis to take advantage of its detection of newer
viruses. Such software should be set to automatically scan computer files when the system is first
turned on. Employees should be trained to also scan any external media they introduce to the system
during their daily activities (Graves & Torrence, 1997; Institute of Internal Auditors, 1991, 1994).
As accounting systems become less and less document driven and place more reliance on
electronically stored data, the concept of backing up this data is tantamount to business survival.
Most personal computer operating systems have a method of backing up the hard drive to floppy
disks, but as the size of storage on these machines continues to grow, this is a slow process. Tape and
Zip drives are now available at an affordable price to speed the backup process and supporting
software enables the user to set a given interval or time to perform regular backup procedure. Several
series of backups should be maintained as an added security measure, and backup should be stored
off site. With the increase in computer communications systems, it is now possible to backup data
using these communications capabilities to vaulted storage at another location (Graves & Torrence,
1997; Institute of Internal Auditors, 1991, 1994).
A final security method for the newer technology is periodic audits of the accounting information
system. Whether the audit is performed by external auditors or internal auditors, a regular review of
internal controls and security methods should be conducted with an eye toward improving the
existing system (Graves & Torrence, 1997; Institute of Internal Auditors, 1991, 1994).
Business owners have a fiduciary responsibility to provide accurate accounting information and
safeguard the assets of the organization. There is no 100 percent foolproof method of assuring no
errors or irregularities will occur in the accounting information system with the continuing advances
in technology. The simple security measures suggested may provide at least some assurance that
accounting data will not be lost or corrupted.
A 1993 survey of security methods showed CPAs in public accounting firms used virus protection 25
percent of the time, passwords 43 percent of the time, and backup 80 percent of the time. CPAs in
industry were more security conscious using virus protection approximately 50 percent of the time,
passwords 84 percent of the time, and backup 80 percent of the time (Gallun, Heagy & Lindsey,
1993a). By 1994, CPAs in public accounting firms were more aware of virus protection (37 percent),
but showed little improvement in the use of passwords (40 percent)and backup (83 percent) (Khani &
Zarowin, 1994). In 1995, the use of backup took a dramatic jump for public accountants to 93 percent
while CPAs in industry hovered at the 80 percent mark (Khani & Zarowin, 1995).
This lack of security in CPA firms should be a concern for the profession as a whole. If professional
accountants are either unaware or unconcerned about accounting systems security, how can we
impress on the average business person the need for security over accounting information. If the
situation is one of management's concern for costs versus benefits, then an effort must be put forth to
quantify this information for the system's user. Furthering the dilemma is the fact that the respondents
to these surveys were individuals attending accounting information system seminars that suggest they
are more knowledgeable about automated accounting systems than the average individual and should
be well aware of the potential for loss or corruption of accounting data.
RESEARCH METHODOLOGY
To collect information on accounting systems and their security methods in Tidewater Virginia, a one
page survey was developed by the author and mailed to 1000 businesses in Hampton Roads, Virginia.
A convenience sample of businesses was selected from the 1995 Corporate America CD Rom
Database and the yellow pages of the Bell Atlantic telephone book. The database includes only
businesses with annual sales more than one million dollars and employing twenty or more persons,
therefore the telephone book provided smaller businesses for the sample. The survey was distributed
in two mailings, with one in February 1995 and one in May 1995, in an attempt to avoid tax and
year-end reporting cycles for the businesses. Any surveys returned as undeliverable were replaced
with another subject to maintain an outstanding sample of 1000. Two hundred sixty-one usable
surveys were returned (26.1 percent).
The survey instrument consisted of four parts (See Exhibit 1). Part one collected basic demographics
on the company's business type, numbers of employees, and revenues. Part two was designed to
collect data about the nature of the processing of accounting transactions, the business' specific
accounting applications, and any accounting software utilized. Part three reported types of hardware
used by the accounting system, and part four described basic security measures used with the
accounting systems.
Respondents were also asked to report whether their accounting system had undergone major
changes in the past year and if the company had suffered any losses from employees or outsiders in
the past year. Finally, respondents who were interested in discussing their accounting systems further
were requested to provide their name, address and telephone number. This information was masked
on the survey after it was recorded in a separate database to provide confidentiality to the
respondents.
Univariate analysis of the results was conducted to assess the nature of accounting systems in the
Hampton Roads area.
RESEARCH FINDINGS
Business Demographics
Table 1 presents the demographics of the 261 respondents. Much of the sample (47.5 percent)
consisted of service organizations providing repair, accounting, engineering, legal, health care,
finance, entertainment, research, personal service and a variety of other functions. The next largest
sample was retailing (19.6 percent), followed by manufacturing (11.6 percent) and then wholesaling
(10.1 percent). Review of the number of employees and revenues suggests the sample represented
both small, medium and large organizations with an almost equal representation over the categories.
Fifty of the businesses (19.2 percent) reported a major change to their accounting systems in the past
year. Part of the group was moving from a manual system to a more automated system, while the rest
were undergoing a change in their already computerized system. Twenty of these companies made
more than five million dollars in revenue annually.
It is interesting to note that two companies reported suffering losses due to employee actions and two
companies reported losses due to the actions of an outsider. One of the outsider losses was to a
business making less than one half million dollars in revenue annually while the rest of the losses
were to businesses making between one and five million dollars in revenues annually. Further review
of the nature of the accounting system hardware in the outsider losses shows one business utilizes a
network and one utilizes a client/server system, but neither appear to use external communications.
The nature of the accounting systems is presented in Table 2. Approximately ten percent of the
respondents used only a manual accounting system. Surprisingly, not all of these companies were in
the smallest revenue classification of less than one half million dollars annually (See Table 4). More
than 50 percent of the businesses described their accounting systems as highly automated. Companies
using computers were as likely to process accounting information using batch techniques as online
batch or online real-time techniques.
Technology
Stand alone personal computers were used by 213 of the respondents with an almost equal
distribution utilizing DOS and Windows. Approximately 43 percent of the computerized
organizations used networked personal computers and 24.8 percent used client/server systems. More
than 40 percent of the businesses employed a mainframe computer in their accounting system with
the majority (74) operating centralized facilities and 17 operating through distributed facilities. Of
interest is the fact that four companies outsourced their mainframe computing.
Over 30 percent of the companies utilize databases in their accounting systems and 18.8 percent
operate electronic data interchange systems. Many employ a variety of communications equipment
with the most popular method of communications being a modem (44.0 percent). More sophisticated
communications hardware included fiber optics (5.1 percent), satellites (3.0 percent), and
microwaves (.8 percent).
Other technologies employed with the accounting systems include image processing, bar coding,
OCR scanners, and radio tracking devices.
All types of accounting applications were captured in the companies' accounting information systems
including the revenue cycle, procurement cycle, production cycle, personnel cycle, and
financial/general ledger cycle. Of particular interest was the number of respondents (15.8 percent)
capturing total quality information or customer satisfaction within the accounting information
system.
TABLE 1
DEMOGRAPHICS
N = 261
Communication 4 1.4
Construction 19 6.9
Government 4 1.4
Manufacturing-see detail 32 11.6
Retail 54 19.6
Service-see detail 131 47.5
Transportation 3 1.1
Wholesaling 28 10.1
Utility 1 0.4
Repair 23 17.6
Professionals 14 10.7
Healthcare 14 10.7
Cleaning 10 7.6
Banking/Finance 10 7.6
Insurance 7 5.3
Entertainment 7 5.3
Realty 6 4.6
Storage/Freight 5 3.9
Heating/AC 5 3.9
Advertising/Printing 3 2.3
Computers/Software 3 2.3
Contracting 2 1.5
Temp. Employment 2 1.5
Housing 2 1.5
Personal Grooming 2 1.5
Auction, Security,
Lawn, Pets, Marine,
Research, Vending,
Testing, Warehouse 13 9.9
Not stated 3 2.3
TABLE 2
Manual 27 10.4
Manual & Computer 99 38.1
Computerized 135 51.5
Mainframe:
INTRODUCTION
In recent years, the popular accounting press has begun publishing regular columns reviewing
computer hardware and software for all types of accounting applications. It is apparent that the nature
of recording, reviewing, and safeguarding accounting information is changing
Ads by Google
Discussions of security issues in the accounting press, however, do not always manifest themselves
in actual practice. To ascertain the degree of correspondence between theory and practice, this author
undertook a survey of businesses in Hampton Roads, Virginia to determine the nature of their
accounting systems and security methods in use.
The area of Hampton Roads, in the eastern Tidewater region of Virginia, has a population of more
than one and a half million people and comprises several Virginia cities including Norfolk, Virginia
Beach, Chesapeake, Portsmouth, Suffolk, Hampton, Newport News, and Poquoson. This area is
home to over 7,500 businesses with annual revenues of one million dollars or more, including an
amazing variety of manufacturing and service companies, as well as numerous government agencies.
These organizations are of all sizes and ownership types. With the largest trading port in the United
States, and a superior intermodal system, the region's economy is growing. Thus, the area provides a
thriving, and varied business population for ascertaining the current technology and security practices
in use in accounting information systems.
For almost 500 years, accounting was a manual process of handwritten entries in journals and
ledgers. With the invention of the ENIAC mainframe computer in 1946, a new technology became
available for processing accounting data. Mainframe accounting systems proliferated throughout the
1960s, 1970s and 1980s. In 1975, the first microcomputer was developed and by 1980, the first
"packaged" software (spreadsheet, word processing, and database) for these machines became
available. Since then, technology and software have evolved at an ever accelerating pace and are
increasingly used for recording accounting information.
The Journal of Accountancy (JOA), for the last several years, has annually surveyed CPAs at AICPA
sponsored events on their use of computers and software. These individuals, however, were often
attending seminars on accounting technology and may be more informed on the subject than the
average business person.
The JOA surveys of technology show widespread use of personal computers with increasing use of
laptops (from 53 percent in 1994 to 83 percent in 1995), modems (62 percent in 1995), and local area
networks by CPAs in public accounting firms (34 percent in 1993, 78 percent in 1994, 87 percent in
1995) and industry (48 percent in 1993, 70 percent in 1994, 80 percent in 1995) (Gallun, Heagy &
Lindsey, 1993a; Khani & Zarowin, 1994, 1995). Operating systems may be DOS or Windows with a
slightly larger percentage using Windows (Khani & Zarowin, 1994, 1995). Processing may include
either batch (periodic processing) or online real-time modes (immediate processing) (Ott, Boomer &
Pottroff, 1993). By 1994, CPAs were beginning to use optical scanning (22 percent), bar coding (12
percent), document imaging (24 percent), and electronic data interchange (6 percent) (Khani &
Zarowin, 1994). These trends toward increasing use of a variety of technologies in accounting
continued in 1995 (Khani & Zarowin, 1995).
JOA software surveys are generally oriented toward CPA firm functions and include tax, time and
billing, and audit packages, as well as accounting applications. In 1994, 52 percent of accountants
used custom software and 85 percent were using "off the shelf" accounting products (Khani &
Zarowin, 1994). Popular accounting packages include ACCPAC, DacEasy, Creative Solutions,
Macola, One-Write Plus, Great Plains, CYMA, Open Systems, Peachtree, Platinum, Prentice-Hall,
Quick Books, Real World, Solomon and MAS90 (Courtney & Flippen, 1995; Khani & Zarowin,
1994, 1995; Luzi, Marshall & McCabe, 1994) The firms also noted use "off the shelf" word
processing (100 percent in 1995), spreadsheet (100 percent in 1995), database (60 percent in 1995),
presentation (31 percent in 1995), and scheduling software (32 percent in 1995) (Gallun, Heagy &
Lindsey, 1993b; Khani & Zarowin, 1994, 1995).
With the steady decline in the price of information technology and the increasing availability of "off
the shelf" accounting software, more and more businesses of any size are able to automate all or part
of their accounting functions. Further, in an effort to be extremely "user friendly" some of the
accounting software requires little knowledge of accounting to be put to effective use. It is doubtful
these users would have direct knowledge of security issues in accounting systems and must he made
aware of potential security problems and solutions by the accounting, auditing or tax professionals
they may occasionally consult.
TECHNOLOGY AND SECURITY
The concept of internal control or security is as old as accounting itself. The purpose of accounting
was to report accurate financial information on business ventures to interested parties and to provide
information on stewardship of assets. The very development of double entry accounting was
specifically aimed at controlling errors.
The first formal definition if internal control or security by the accounting profession was in 1949
and a Statement of Auditing Standards on such controls was issued in 1958. However, United States
businesses were under no legal obligation to institute such a system of internal controls until the
passage of the Foreign Corrupt Practices Act of 1977. Since that time, the concept and methods of
internal control in accounting information systems have evolved and changed as new technological
innovations have been incorporated by the accounting profession.
No matter the type of technology employed, all accounting information systems seek five basic
results: to record an actual, valid transaction; to accurately classify the nature of the transaction; to
record the correct value of the transaction; to place the transaction in the proper accounting period;
and to generate financial statements containing information about the transaction.
In any accounting information system, some form of controls are required to prevent and detect
errors, and prevent and detect both accidental and intentional loss of assets and information. Over
time, manual accounting systems developed well established controls and security methods to realize
these ends that were often based in segregation of duties, comparison of documents and repeated
checking of totals. With the proliferation of mainframe accounting systems, these controls were
adapted to the centralized, automated environment of data processing. The new technology of the
1990's, however, distributes information ownership and processing to all possible users, both within
and without the organization. Further, fewer and fewer paper documents exist as organizations
migrate to computer media.
A 1996 survey of specialists in computerized accounting information systems noted increased use of
networked personal computers with shared data, networks and stand-alone computers with modem
connections to external users, and mainframe access to and from remote locations. These individuals
rated the risk of security problems as moderate with stand-alone personal computers (49.7 percent),
moderate with internal networks (63.8 percent), moderate with mainframes (71.1 percent) but high
with any computer with external communications connections (71.4 percent) (Davis, 1996). This
unlimited access from virtually anywhere and by anyone to electronically recorded data requires a
change in the focus of controls and security methods that are often not fully understood or
appreciated by the business owner.
Statistics suggest that the loss of accounting information with the new technology can be caused by a
variety of exposures: software may malfunction or be in error (14 percent), hardware may
malfunction or be stolen (44 percent), destructive natural forces may occur (3 percent), human error
(32 percent), and man-made disasters such as computer viruses (7 percent) (Ontrack Computer,
1996). A few simple security methods may be employed to limit the possibility or outcome of such
occurrences.
Physical security of assets is an element of any accounting system. Computers and the information
they contain or process are valuable assets to any business. Locking buildings and rooms containing
these assets are the most basic methods of deterring loss. If not cost prohibitive, alarms, video
cameras and motion detectors may be included as part of the security system. As computers become
more and more portable, however, it becomes necessary to secure them to tables and desks with
cables and plate locks. Computer media such as disks and tapes should not be neglected in this
process; lock these items in a secure storage area. Some form of fire protection and detection is
extremely important to safeguard both data and equipment, as is an unitterupted power supply to
maintain processing and data integrity. (Graves & Torrence, 1997; Institute of Internal Auditors,
1991, 1994).
Limiting logical access to data and programs through the computer and communications devices is
the next level of security and has become increasingly important with the ease of remote access to
computer via modem. Passwords have been in use for 30 years to identify users in the computer
environment and are still a very useful tool. Employees should be made aware of the importance of
keeping their password secret and logging off the system when they are not using it. Passwords
should be changed regularly, and after a certain number of attempts at entering a password, the
system should no longer allow access. Another valuable security method utilizes the capability of
security software by providing a user access control matrix. This program determines who may have
access to data and programs and what the nature of that access may be (able to read data, able to
change data, able to delete data). This is particularly important with the increasing use of databases
and electronic data interchange. Security software can also record all user activity and the terminal
that was used to access data or programs. This activity log must be carefully monitored, however, to
provide the security desired (Graves & Torrence, 1997; Institute of Internal Auditors, 1991, 1994).
An outgrowth of limiting logical access, is limiting changes to programs or the development of new
programs. All systems changes should be authorized by upper management and should be duly
documented.
Encryption, the coding of text into an unreadable string of characters based on math algorithms, is an
effective method of preventing browsing of confidential data. A decoding key is needed to be able to
read the original message. This method can be employed when storing sensitive data or programs and
when transmitting or receiving data from external sources. Two types of encryption systems are
available: the secret key system requires both parties to have the decoding key, and the public key
system where the message is encrypted with a public key and the receiver decodes the message with
a private key (Graves & Torrence, 1997; Institute of Internal Auditors, 1991, 1994).
Computer viruses are lines of code that reproduce and attach themselves to other programs. In some
cases they simply fill memory and slow system processing, while in other cases they are designed to
destroy or change data and programs. Viruses may be introduced through external communications
systems or by using floppy disks or CD-ROMS that are infected with the virus. They are particularly
problematic with networked computers. Virus protection/detection software is usually included in
newer computer operating systems, and is readily available from reputable vendors for older systems.
This software should be updated on a regular basis to take advantage of its detection of newer
viruses. Such software should be set to automatically scan computer files when the system is first
turned on. Employees should be trained to also scan any external media they introduce to the system
during their daily activities (Graves & Torrence, 1997; Institute of Internal Auditors, 1991, 1994).
As accounting systems become less and less document driven and place more reliance on
electronically stored data, the concept of backing up this data is tantamount to business survival.
Most personal computer operating systems have a method of backing up the hard drive to floppy
disks, but as the size of storage on these machines continues to grow, this is a slow process. Tape and
Zip drives are now available at an affordable price to speed the backup process and supporting
software enables the user to set a given interval or time to perform regular backup procedure. Several
series of backups should be maintained as an added security measure, and backup should be stored
off site. With the increase in computer communications systems, it is now possible to backup data
using these communications capabilities to vaulted storage at another location (Graves & Torrence,
1997; Institute of Internal Auditors, 1991, 1994).
A final security method for the newer technology is periodic audits of the accounting information
system. Whether the audit is performed by external auditors or internal auditors, a regular review of
internal controls and security methods should be conducted with an eye toward improving the
existing system (Graves & Torrence, 1997; Institute of Internal Auditors, 1991, 1994).
Business owners have a fiduciary responsibility to provide accurate accounting information and
safeguard the assets of the organization. There is no 100 percent foolproof method of assuring no
errors or irregularities will occur in the accounting information system with the continuing advances
in technology. The simple security measures suggested may provide at least some assurance that
accounting data will not be lost or corrupted.
A 1993 survey of security methods showed CPAs in public accounting firms used virus protection 25
percent of the time, passwords 43 percent of the time, and backup 80 percent of the time. CPAs in
industry were more security conscious using virus protection approximately 50 percent of the time,
passwords 84 percent of the time, and backup 80 percent of the time (Gallun, Heagy & Lindsey,
1993a). By 1994, CPAs in public accounting firms were more aware of virus protection (37 percent),
but showed little improvement in the use of passwords (40 percent)and backup (83 percent) (Khani &
Zarowin, 1994). In 1995, the use of backup took a dramatic jump for public accountants to 93 percent
while CPAs in industry hovered at the 80 percent mark (Khani & Zarowin, 1995).
This lack of security in CPA firms should be a concern for the profession as a whole. If professional
accountants are either unaware or unconcerned about accounting systems security, how can we
impress on the average business person the need for security over accounting information. If the
situation is one of management's concern for costs versus benefits, then an effort must be put forth to
quantify this information for the system's user. Furthering the dilemma is the fact that the respondents
to these surveys were individuals attending accounting information system seminars that suggest they
are more knowledgeable about automated accounting systems than the average individual and should
be well aware of the potential for loss or corruption of accounting data.
RESEARCH METHODOLOGY
To collect information on accounting systems and their security methods in Tidewater Virginia, a one
page survey was developed by the author and mailed to 1000 businesses in Hampton Roads, Virginia.
A convenience sample of businesses was selected from the 1995 Corporate America CD Rom
Database and the yellow pages of the Bell Atlantic telephone book. The database includes only
businesses with annual sales more than one million dollars and employing twenty or more persons,
therefore the telephone book provided smaller businesses for the sample. The survey was distributed
in two mailings, with one in February 1995 and one in May 1995, in an attempt to avoid tax and
year-end reporting cycles for the businesses. Any surveys returned as undeliverable were replaced
with another subject to maintain an outstanding sample of 1000. Two hundred sixty-one usable
surveys were returned (26.1 percent).
The survey instrument consisted of four parts (See Exhibit 1). Part one collected basic demographics
on the company's business type, numbers of employees, and revenues. Part two was designed to
collect data about the nature of the processing of accounting transactions, the business' specific
accounting applications, and any accounting software utilized. Part three reported types of hardware
used by the accounting system, and part four described basic security measures used with the
accounting systems.
Respondents were also asked to report whether their accounting system had undergone major
changes in the past year and if the company had suffered any losses from employees or outsiders in
the past year. Finally, respondents who were interested in discussing their accounting systems further
were requested to provide their name, address and telephone number. This information was masked
on the survey after it was recorded in a separate database to provide confidentiality to the
respondents.
Univariate analysis of the results was conducted to assess the nature of accounting systems in the
Hampton Roads area.
RESEARCH FINDINGS
Business Demographics
Table 1 presents the demographics of the 261 respondents. Much of the sample (47.5 percent)
consisted of service organizations providing repair, accounting, engineering, legal, health care,
finance, entertainment, research, personal service and a variety of other functions. The next largest
sample was retailing (19.6 percent), followed by manufacturing (11.6 percent) and then wholesaling
(10.1 percent). Review of the number of employees and revenues suggests the sample represented
both small, medium and large organizations with an almost equal representation over the categories.
Fifty of the businesses (19.2 percent) reported a major change to their accounting systems in the past
year. Part of the group was moving from a manual system to a more automated system, while the rest
were undergoing a change in their already computerized system. Twenty of these companies made
more than five million dollars in revenue annually.
It is interesting to note that two companies reported suffering losses due to employee actions and two
companies reported losses due to the actions of an outsider. One of the outsider losses was to a
business making less than one half million dollars in revenue annually while the rest of the losses
were to businesses making between one and five million dollars in revenues annually. Further review
of the nature of the accounting system hardware in the outsider losses shows one business utilizes a
network and one utilizes a client/server system, but neither appear to use external communications.
The nature of the accounting systems is presented in Table 2. Approximately ten percent of the
respondents used only a manual accounting system. Surprisingly, not all of these companies were in
the smallest revenue classification of less than one half million dollars annually (See Table 4). More
than 50 percent of the businesses described their accounting systems as highly automated. Companies
using computers were as likely to process accounting information using batch techniques as online
batch or online real-time techniques.
Technology
Stand alone personal computers were used by 213 of the respondents with an almost equal
distribution utilizing DOS and Windows. Approximately 43 percent of the computerized
organizations used networked personal computers and 24.8 percent used client/server systems. More
than 40 percent of the businesses employed a mainframe computer in their accounting system with
the majority (74) operating centralized facilities and 17 operating through distributed facilities. Of
interest is the fact that four companies outsourced their mainframe computing.
Over 30 percent of the companies utilize databases in their accounting systems and 18.8 percent
operate electronic data interchange systems. Many employ a variety of communications equipment
with the most popular method of communications being a modem (44.0 percent). More sophisticated
communications hardware included fiber optics (5.1 percent), satellites (3.0 percent), and
microwaves (.8 percent).
Other technologies employed with the accounting systems include image processing, bar coding,
OCR scanners, and radio tracking devices.
All types of accounting applications were captured in the companies' accounting information systems
including the revenue cycle, procurement cycle, production cycle, personnel cycle, and
financial/general ledger cycle. Of particular interest was the number of respondents (15.8 percent)
capturing total quality information or customer satisfaction within the accounting information
system.
TABLE 1
DEMOGRAPHICS
N = 261
Communication 4 1.4
Construction 19 6.9
Government 4 1.4
Manufacturing-see detail 32 11.6
Retail 54 19.6
Service-see detail 131 47.5
Transportation 3 1.1
Wholesaling 28 10.1
Utility 1 0.4
Repair 23 17.6
Professionals 14 10.7
Healthcare 14 10.7
Cleaning 10 7.6
Banking/Finance 10 7.6
Insurance 7 5.3
Entertainment 7 5.3
Realty 6 4.6
Storage/Freight 5 3.9
Heating/AC 5 3.9
Advertising/Printing 3 2.3
Computers/Software 3 2.3
Contracting 2 1.5
Temp. Employment 2 1.5
Housing 2 1.5
Personal Grooming 2 1.5
Auction, Security,
Lawn, Pets, Marine,
Research, Vending,
Testing, Warehouse 13 9.9
Not stated 3 2.3
TABLE 2
Manual 27 10.4
Manual & Computer 99 38.1
Computerized 135 51.5
Mainframe:
Encryption 15 6.4
Password 174 74.4
Backup 188 80.3
Virus Protection 100 42.7
Change Authorization 85 36.3
Physical Security 71 30.3
Periodic Audits 105 44.9
Types of Software
Table 2 notes the variety of software used to support the accounting function. This included
spreadsheets, word processing, report writers and graphics, databases, desktop publishing, and audit
packages.
Accounting information system
From Wikipedia, the free encyclopedia
An accounting information system (AIS) is the system of records a business keeps to maintain its accounting system. This includes the purchase, sales, and other
financial processes of the business. The purpose of an AIS is to accumulate data and provide decision makers (investors, creditors, and managers) with information.
While this was previously a paper-based process, most businesses now use accounting software. In an electronic financial
accounting system, the steps in the accounting cycle are dependent upon the system itself. For example, some systems allow direct journal posting to the
various ledgers and others do not.
Accounting Information Systems (AISs) combine the study and practice of accounting with the design, implementation, and monitoring of information systems. Such systems use
modern information technology resources together with traditional accounting controls and methods to provide users the financial information necessary to manage their organizations.
AIS TECHNOLOGY Input The input devices commonly associated with AIS include: standard personal computers or workstations running applications; scanning devices for
standardized data entry; electronic communication devices for electronic data interchange (EDI) and e-commerce. In addition, many financial systems come "Web-enabled" to allow
Process Basic processing is achieved through computer systems ranging from individual personal computers to large-scale enterprise servers. However, conceptually, the underlying
processing model is still the "double-entry" accounting system initially introduced in the fifteenth century.
Output Output devices used include computer displays, impact and nonimpact printers, and electronic communication devices for EDI and e-commerce. The output content may
encompass almost any type of financial reports from budgets and tax reports to multinational financial statements.
MANAGEMENT INFORMATION SYSTEMS (MIS) MISs are interactive human/machine systems that support decision making for users both in and out of traditional organizational
boundaries. These systems are used to support an organization's daily operational activities; current and future tactical decisions; and overall strategic direction. MISs are made up of
several major applications including, but not limited to, the financial and human resources systems. Financial applications make up the heart of an AIS in practice. Modules commonly
implemented include: general ledger, payables, procurement/purchasing, receivables, billing, inventory, assets, projects, and budgeting.
Human resource applications make up another major part of modern information systems. Modules commonly integrated with the AIS include: human resources, benefits
AIS—INFORMATION SYSTEMS IN CONTEXT AISs cover all business functions from backbone accounting transaction processing systems to sophisticated financial management
planning and processing systems. Financial reporting starts at the operational levels of the organization, where the transaction processing systems capture important business events
such as normal production, purchasing, and selling activities. These events (transactions) are classified and summarized for internal decision making and for external financial reporting.
Cost accounting systems are used in manufacturing and service environments. These allow organizations to track the costs associated with the production of goods and/or performance
of services. In addition, the AIS can provide advanced analyses for improved resource allocation and performance tracking.
Management accounting systems are used to allow organizational planning, monitoring, and control for a variety of activities. This allows managerial-level employees to have access to
advanced reporting and statistical analysis. The systems can be used to gather information, to develop various scenarios, and to choose an optimal answer among alternative
scenarios. DEVELOPMENT
The development of an AIS includes five basic phases: planning, analysis, design, implementation, and support. The time period associated with each of these phases can be as short
as a few weeks or as long as several years. Planning—project management objectives and techniques The first phase of systems development is the planning of the project. This
entails determination of the scope and objectives of the project, the definition of project responsibilities, control requirements, project phases, project budgets, and project deliverables.
Analysis The analysis phase is used to both determine and document the accounting and business processes used by the organization. Such processes are redesigned to take
advantage of best practices or of the operating characteristics of modern system solutions. Data analysis is a thorough review of the accounting information that is currently being
collected by an organization. Current data are then compared to the data that the organization should be using for managerial purposes. This method is used primarily when designing
Decision analysis is a thorough review of the decisions a manager is responsible for making. The primary decisions that managers are responsible for are identified on an individual
basis. Then models are created to support the manager in gathering financial and related information to develop and design alternatives, and to make actionable choices. This method
Process analysis is a thorough review of the organization's business processes. Organizational processes are identified and segmented into a series of events that either add or change
data. These processes can then be modified or reengineered to improve the organization's operations in terms of lowering cost, improving service, improving quality, or improving
management information.
This method is appropriate when automation or reengineering is the system's primary objective. Design The design phase takes the conceptual results of the analysis phase and
develops detailed, specific designs that can be implemented in subsequent phases. It involves the detailed design of all inputs, processing, storage, and outputs of the proposed
accounting system. Inputs may be defined using screen layout tools and application generators. Processing can be shown through the use of flowcharts or business process maps that
define the system logic, operations, and work flow. Logical data storage designs are identified by modeling the relationships among the organization's resources, events, and agents
through diagrams. Also, entity relationship diagram (ERD) modeling is used to document large-scale database relationships. Output designs are documented through the use of a
variety of reporting tools such as report writers, data extraction tools, query tools, and on-line analytical processing tools. In addition, all aspects of the design phase can be performed
Reporting is the driving force behind an AIS development. If the system analysis and design are successful, the reporting process provides the information that helps drive management
decision making. Accounting systems make use of a variety of scheduled and on-demand reports. The reports can be tabular, showing data in a table or tables; graphic, using images
to convey information in a picture format; or matrices, to show complex relationships in multiple dimensions.
There are numerous characteristics to consider when defining reporting requirements. The reports must be accessible through the system's interface. They should convey information in
a proactive manner. They must be relevant. Accuracy must be maintained. Lastly, reports must meet the information processing (cognitive) style of the audience they are to inform.
Reports are of three basic types: A filter report that separates select data from a database, such as a monthly check register; a responsibility report to meet the needs of a specific user,
such as a weekly sales report for a regional sales manager; a comparative report to show period differences, percentage breakdowns and variances between actual and budgeted
expenditures. An example would be the financial statement analytics showing the expenses from the current year and prior year as a percentage of sales.
Screen designs and system interfaces are the primary data capture devices of AISs and are developed through a variety of tools. Storage is achieved through the use of normalized
databases that assure functionality and flexibility. Business process maps and flowcharts are used to document the operations of the systems. Modern AISs use specialized databases
and processing designed specifically for accounting operations. This means that much of the base processing capabilities come delivered with the accounting or enterprise software.
Implementation The implementation phase consists of two primary parts: construction and delivery. Construction includes the selection of hardware, software and vendors for the
implementation; building and testing the network communication systems; building and testing the databases; writing and testing the new program modifications; and installing and
testing the total system from a technical standpoint. Delivery is the process of conducting final system and user acceptance testing; preparing the conversion plan; installing the
production database; training the users; and converting all operations to the new system. Tool sets are a variety of application development aids that are vendor-specific and used for
customization of delivered systems. They allow the addition of fields and tables to the database, along with ability to create screen and other interfaces for data capture. In addition, they
help set accessibility and security levels for adequate internal control within the accounting applications.
Security exists in several forms. Physical security of the system must be addressed. In typical AISs the equipment is located in a locked room with access granted only to technicians.
Software access controls are set at several levels, depending on the size of the AIS. The first level of security occurs at the network level, which protects the organization's
communication systems. Next is the operating system level security, which protects the computing environment. Then, database security is enabled to protect organizational data from
theft, corruption, or other forms of damage. Lastly, application security is used to keep unauthorized persons from performing operations within the AIS.
Testing is performed at four levels. Stub or unit testing is used to insure the proper operation of individual modifications. Program testing involves the interaction between the individual
modification and the program it enhances. System testing is used to determine that the program modifications work within the AIS as a whole. Acceptance testing ensures that the
modifications meet user expectations and that the entire AIS performs as designed.
Conversion entails the method used to change from an old AIS to a new AIS. There are several methods for achieving this goal. One is to run the new and old systems in parallel for a
specified period. A second method is to directly cut over to the new system at a specified point. A third is to phase in the system, either by location or system function. A fourth is to pilot
the new system at a specific site before converting the rest of the organization.
Support The support phase has two objectives. The first is to update and maintain the AIS. This includes fixing problems and updating the system for business and environmental
changes. For example, changes in generally accepted accounting principles (GAAP) or tax laws might necessitate changes to conversion or reference tables used for financial
reporting. The second objective of support is to continue development by continuously improving the business through adjustments to the AIS caused by business and environmental
changes. These changes might result in future problems, new opportunities, or management or governmental directives requiring additional system modifications. ATTESTATION
AISs change the way internal controls are implemented and the type of audit trails that exist within a modern organization. The lack of traditional forensic evidence, such as paper,
necessitates the involvement of accounting professionals in the design of such systems. Periodic involvement of public auditing firms can be used to make sure the AIS is in compliance
with current internal control and financial reporting standards. After implementation, the focus of attestation is the review and verification of system operation. This requires adherence to
standards such as ISO 9000-3 for software design and development as well as standards for control of information technology. Periodic functional business reviews should be
conducted to be sure the AIS remains in compliance with the intended business functions. Quality standards dictate that this review should be done according to a periodic schedule.
ENTERPRISE RESOURCE PLANNING (ERP) ERP systems are large-scale information systems that impact an organization's AIS. These systems permeate all aspects of the
organization and require technologies such as client/server and relational databases. Other system types that currently impact AISs are supply chain management (SCM) and customer
relationship management (CRM). Traditional AISs recorded financial information and produced financial statements on a periodic basis according to GAAP pronouncements. Modern
ERP systems provide a broader view of organizational information, enabling the use of advanced accounting techniques, such as activity-based costing (ABC) and improved managerial
Accounting Information Systems (AISs) combine the study and practice of accounting with the
design, implementation, and monitoring of information systems. Such systems use modern
information technology resources together with traditional accounting controls and methods to
provide users the financial information necessary to manage their organizations.
Ais Technology
Input The input devices commonly associated with AIS include: standard personal computers or
workstations running applications; scanning devices for standardized data entry; electronic
communication devices for electronic data interchange (EDI) and e-commerce. In addition, many
financial systems come "Web-enabled" to allow devices to connect to the World Wide Web.
Process Basic processing is achieved through computer systems ranging from individual personal
computers to large-scale enterprise servers. However, conceptually, the underlying processing model
is still the "double-entry" accounting system initially introduced in the fifteenth century.
Output Output devices used include computer displays, impact and nonimpact printers, and
electronic communication devices for EDI and e-commerce. The output content may encompass
almost any type of financial reports from budgets and tax reports to multinational financial
statements.
MISs are interactive human/machine systems that support decision making for users both in and out
of traditional organizational boundaries. These systems are used to support an organization's daily
operational activities; current and future tactical decisions; and overall strategic direction. MISs are
made up of several major applications including, but not limited to, the financial and human
resources systems.
Financial applications make up the heart of an AIS in practice. Modules commonly implemented
include: general ledger, payables, procurement/purchasing, receivables, billing, inventory, assets,
projects, and budgeting.
Human resource applications make up another major part of modern information systems. Modules
commonly integrated with the AIS include: human resources, benefits administration, pension
administration, payroll, and time and labor reporting.
AISs cover all business functions from backbone accounting transaction processing systems to
sophisticated financial management planning and processing systems.
Financial reporting starts at the operational levels of the organization, where the transaction
processing systems capture important business events such as normal production, purchasing, and
selling activities. These events (transactions) are classified and summarized for internal decision
making and for external financial reporting.
Cost accounting systems are used in manufacturing and service environments. These allow
organizations to track the costs associated with the production of goods and/or performance of
services. In addition, the AIS can provide advanced analyses for improved resource allocation and
performance tracking.
Management accounting systems are used to allow organizational planning, monitoring, and control
for a variety of activities. This allows managerial-level employees to have access to advanced
reporting and statistical analysis. The systems can be used to gather information, to develop various
scenarios, and to choose an optimal answer among alternative scenarios.
Development
The development of an AIS includes five basic phases: planning, analysis, design, implementation,
and support. The time period associated with each of these phases can be as short as a few weeks or
as long as several years.
Analysis The analysis phase is used to both determine and document the accounting and business
processes used by the organization. Such processes are redesigned to take advantage of best practices
or of the operating characteristics of modern system solutions.
Data analysis is a thorough review of the accounting information that is currently being collected by
an organization. Current data are then compared to the data that the organization should be using for
managerial purposes. This method is used primarily when designing accounting transaction
processing systems.
Decision analysis is a thorough review of the decisions a manager is responsible for making. The
primary decisions that managers are responsible for are identified on an individual basis. Then
models are created to support the manager in gathering financial and related information to develop
and design alternatives, and to make actionable choices. This method is valuable when decision
support is the system's primary objective.
Design The design phase takes the conceptual results of the analysis phase and develops detailed,
specific designs that can be implemented in subsequent phases. It involves the detailed design of all
inputs, processing, storage, and outputs of the proposed accounting system. Inputs may be defined
using screen layout tools and application generators. Processing can be shown through the use of
flowcharts or business process maps that define the system logic, operations, and work flow. Logical
data storage designs are identified by modeling the relationships among the organization's resources,
events, and agents through diagrams. Also, entity relationship diagram (ERD) modeling is used to
document large-scale database relationships. Output designs are documented through the use of a
variety of reporting tools such as report writers, data extraction tools, query tools, and on-line
analytical processing tools. In addition, all aspects of the design phase can be performed with
software tool sets provided by specific software manufacturers.
Reporting is the driving force behind an AIS development. If the system analysis and design are
successful, the reporting process provides the information that helps drive management decision
making. Accounting systems make use of a variety of scheduled and on-demand reports. The reports
can be tabular, showing data in a table or tables; graphic, using images to convey information in a
picture format; or matrices, to show complex relationships in multiple dimensions.
There are numerous characteristics to consider when defining reporting requirements. The reports
must be accessible through the system's interface. They should convey information in a proactive
manner. They must be relevant. Accuracy must be maintained. Lastly, reports must meet the
information processing (cognitive) style of the audience they are to inform.
Reports are of three basic types: A filter report that separates select data from a database, such as a
monthly check register; a responsibility report to meet the needs of a specific user, such as a weekly
sales report for a regional sales manager; a comparative report to show period differences,
percentage breakdowns and variances between actual and budgeted expenditures. An example would
be the financial statement analytics showing the expenses from the current year and prior year as a
percentage of sales.
Screen designs and system interfaces are the primary data capture devices of AISs and are developed
through a variety of tools. Storage is achieved through the use of normalized databases that assure
functionality and flexibility.
Business process maps and flowcharts are used to document the operations of the systems. Modern
AISs use specialized databases and processing designed specifically for accounting operations. This
means that much of the base processing capabilities come delivered with the accounting or enterprise
software.
Implementation The implementation phase consists of two primary parts: construction and delivery.
Construction includes the selection of hardware, software and vendors for the implementation;
building and testing the network communication systems; building and testing the databases; writing
and testing the new program modifications; and installing and testing the total system from a
technical standpoint. Delivery is the process of conducting final system and user acceptance testing;
preparing the conversion plan; installing the production database; training the users; and converting
all operations to the new system.
Tool sets are a variety of application development aids that are vendor-specific and used for
customization of delivered systems. They allow the addition of fields and tables to the database,
along with ability to create screen and other interfaces for data capture. In addition, they help set
accessibility and security levels for adequate internal control within the accounting applications.
Security exists in several forms. Physical security of the system must be addressed. In typical AISs
the equipment is located in a locked room with access granted only to technicians. Software access
controls are set at several levels, depending on the size of the AIS. The first level of security occurs at
the network level, which protects the organization's communication systems. Next is the operating
system level security, which protects the computing environment. Then, database security is enabled
to protect organizational data from theft, corruption, or other forms of damage. Lastly, application
security is used to keep unauthorized persons from performing operations within the AIS.
Testing is performed at four levels. Stub or unit testing is used to insure the proper operation of
individual modifications. Program testing involves the interaction between the individual
modification and the program it enhances. System testing is used to determine that the program
modifications work within the AIS as a whole. Acceptance testing ensures that the modifications
meet user expectations and that the entire AIS performs as designed.
Conversion entails the method used to change from an old AIS to a new AIS. There are several
methods for achieving this goal. One is to run the new and old systems in parallel for a specified
period. A second method is to directly cut over to the new system at a specified point. A third is to
phase in the system, either by location or system function. A fourth is to pilot the new system at a
specific site before converting the rest of the organization.
Support The support phase has two objectives. The first is to update and maintain the AIS. This
includes fixing problems and updating the system for business and environmental changes. For
example, changes in generally accepted accounting principles (GAAP) or tax laws might necessitate
changes to conversion or reference tables used for financial reporting. The second objective of
support is to continue development by continuously improving the business through adjustments to
the AIS caused by business and environmental changes. These changes might result in future
problems, new opportunities, or management or governmental directives requiring additional system
modifications.
Attestation
AISs change the way internal controls are implemented and the type of audit trails that exist within a
modern organization. The lack of traditional forensic evidence, such as paper, necessitates the
involvement of accounting professionals in the design of such systems. Periodic involvement of
public auditing firms can be used to make sure the AIS is in compliance with current internal control
and financial reporting standards.
After implementation, the focus of attestation is the review and verification of system operation. This
requires adherence to standards such as ISO 9000-3 for software design and development as well as
standards for control of information technology.
Periodic functional business reviews should be conducted to be sure the AIS remains in compliance
with the intended business functions. Quality standards dictate that this review should be done
according to a periodic schedule.
ERP systems are large-scale information systems that impact an organization's AIS. These systems
permeate all aspects of the organization and require technologies such as client/server and relational
databases. Other system types that currently impact AISs are supply chain management (SCM) and
customer relationship management (CRM).
Traditional AISs recorded financial information and produced financial statements on a periodic
basis according to GAAP pronouncements. Modern ERP systems provide a broader view of
organizational information, enabling the use of advanced accounting techniques, such as activity-
based costing (ABC) and improved managerial reporting using a variety of analytical techniques.
THEODORE J. MOCK
ROBERT M. KIDDOO
An accounting information system (AIS) is the system of records a business keeps to maintain its
accounting system. This includes the purchase, sales, and other financial processes of the business.
The purpose of an AIS is to accumulate data and provide decision makers (investors, creditors, and
managers) with information.
While this was previously a paper-based process, most businesses now use accounting software. In
an electronic financial accounting system, the steps in the accounting cycle are dependent upon the
system itself. For example, some systems allow direct journal posting to the various ledgers and
others do not.
Accounting Information Systems (AISs) combine the study and practice of accounting with the
design, implementation, and monitoring of information systems. Such systems use modern
information technology resources together with traditional accounting controls and methods to
provide users the financial information necessary to manage their organizations.
AIS TECHNOLOGY Input The input devices commonly associated with AIS include: standard
personal computers or workstations running applications; scanning devices for standardized data
entry; electronic communication devices for electronic data interchange (EDI) and e-commerce. In
addition, many financial systems come "Web-enabled" to allow devices to connect to the World
Wide Web.
Process Basic processing is achieved through computer systems ranging from individual personal
computers to large-scale enterprise servers. However, conceptually, the underlying processing model
is still the "double-entry" accounting system initially introduced in the fifteenth century.
Output Output devices used include computer displays, impact and nonimpact printers, and
electronic communication devices for EDI and e-commerce. The output content may encompass
almost any type of financial reports from budgets and tax reports to multinational financial
statements.
Human resource applications make up another major part of modern information systems. Modules
commonly integrated with the AIS include: human resources, benefits administration, pension
administration, payroll, and time and labor reporting.
Management accounting systems are used to allow organizational planning, monitoring, and control
for a variety of activities. This allows managerial-level employees to have access to advanced
reporting and statistical analysis. The systems can be used to gather information, to develop various
scenarios, and to choose an optimal answer among alternative scenarios. DEVELOPMENT
The development of an AIS includes five basic phases: planning, analysis, design, implementation,
and support. The time period associated with each of these phases can be as short as a few weeks or
as long as several years. Planning—project management objectives and techniques The first phase of
systems development is the planning of the project. This entails determination of the scope and
objectives of the project, the definition of project responsibilities, control requirements, project
phases, project budgets, and project deliverables.
Analysis The analysis phase is used to both determine and document the accounting and business
processes used by the organization. Such processes are redesigned to take advantage of best practices
or of the operating characteristics of modern system solutions. Data analysis is a thorough review of
the accounting information that is currently being collected by an organization. Current data are then
compared to the data that the organization should be using for managerial purposes. This method is
used primarily when designing accounting transaction processing systems.
Decision analysis is a thorough review of the decisions a manager is responsible for making. The
primary decisions that managers are responsible for are identified on an individual basis. Then
models are created to support the manager in gathering financial and related information to develop
and design alternatives, and to make actionable choices. This method is valuable when decision
support is the system's primary objective.
This method is appropriate when automation or reengineering is the system's primary objective.
Design The design phase takes the conceptual results of the analysis phase and develops detailed,
specific designs that can be implemented in subsequent phases. It involves the detailed design of all
inputs, processing, storage, and outputs of the proposed accounting system. Inputs may be defined
using screen layout tools and application generators. Processing can be shown through the use of
flowcharts or business process maps that define the system logic, operations, and work flow. Logical
data storage designs are identified by modeling the relationships among the organization's resources,
events, and agents through diagrams. Also, entity relationship diagram (ERD) modeling is used to
document large-scale database relationships. Output designs are documented through the use of a
variety of reporting tools such as report writers, data extraction tools, query tools, and on-line
analytical processing tools. In addition, all aspects of the design phase can be performed with
software tool sets provided by specific software manufacturers.
Reporting is the driving force behind an AIS development. If the system analysis and design are
successful, the reporting process provides the information that helps drive management decision
making. Accounting systems make use of a variety of scheduled and on-demand reports. The reports
can be tabular, showing data in a table or tables; graphic, using images to convey information in a
picture format; or matrices, to show complex relationships in multiple dimensions.
There are numerous characteristics to consider when defining reporting requirements. The reports
must be accessible through the system's interface. They should convey information in a proactive
manner. They must be relevant. Accuracy must be maintained. Lastly, reports must meet the
information processing (cognitive) style of the audience they are to inform.
Reports are of three basic types: A filter report that separates select data from a database, such as a
monthly check register; a responsibility report to meet the needs of a specific user, such as a weekly
sales report for a regional sales manager; a comparative report to show period differences, percentage
breakdowns and variances between actual and budgeted expenditures. An example would be the
financial statement analytics showing the expenses from the current year and prior year as a
percentage of sales.
Screen designs and system interfaces are the primary data capture devices of AISs and are developed
through a variety of tools. Storage is achieved through the use of normalized databases that assure
functionality and flexibility. Business process maps and flowcharts are used to document the
operations of the systems. Modern AISs use specialized databases and processing designed
specifically for accounting operations. This means that much of the base processing capabilities come
delivered with the accounting or enterprise software.
Implementation The implementation phase consists of two primary parts: construction and delivery.
Construction includes the selection of hardware, software and vendors for the implementation;
building and testing the network communication systems; building and testing the databases; writing
and testing the new program modifications; and installing and testing the total system from a
technical standpoint. Delivery is the process of conducting final system and user acceptance testing;
preparing the conversion plan; installing the production database; training the users; and converting
all operations to the new system. Tool sets are a variety of application development aids that are
vendor-specific and used for customization of delivered systems. They allow the addition of fields
and tables to the database, along with ability to create screen and other interfaces for data capture. In
addition, they help set accessibility and security levels for adequate internal control within the
accounting applications.
Security exists in several forms. Physical security of the system must be addressed. In typical AISs
the equipment is located in a locked room with access granted only to technicians. Software access
controls are set at several levels, depending on the size of the AIS. The first level of security occurs at
the network level, which protects the organization's communication systems. Next is the operating
system level security, which protects the computing environment. Then, database security is enabled
to protect organizational data from theft, corruption, or other forms of damage. Lastly, application
security is used to keep unauthorized persons from performing operations within the AIS.
Testing is performed at four levels. Stub or unit testing is used to insure the proper operation of
individual modifications. Program testing involves the interaction between the individual
modification and the program it enhances. System testing is used to determine that the program
modifications work within the AIS as a whole. Acceptance testing ensures that the modifications
meet user expectations and that the entire AIS performs as designed.
Conversion entails the method used to change from an old AIS to a new AIS. There are several
methods for achieving this goal. One is to run the new and old systems in parallel for a specified
period. A second method is to directly cut over to the new system at a specified point. A third is to
phase in the system, either by location or system function. A fourth is to pilot the new system at a
specific site before converting the rest of the organization.
Support The support phase has two objectives. The first is to update and maintain the AIS. This
includes fixing problems and updating the system for business and environmental changes. For
example, changes in generally accepted accounting principles (GAAP) or tax laws might necessitate
changes to conversion or reference tables used for financial reporting. The second objective of
support is to continue development by continuously improving the business through adjustments to
the AIS caused by business and environmental changes. These changes might result in future
problems, new opportunities, or management or governmental directives requiring additional system
modifications. ATTESTATION
AISs change the way internal controls are implemented and the type of audit trails that exist within a
modern organization. The lack of traditional forensic evidence, such as paper, necessitates the
involvement of accounting professionals in the design of such systems. Periodic involvement of
public auditing firms can be used to make sure the AIS is in compliance with current internal control
and financial reporting standards. After implementation, the focus of attestation is the review and
verification of system operation. This requires adherence to standards such as ISO 9000-3 for
software design and development as well as standards for control of information technology. Periodic
functional business reviews should be conducted to be sure the AIS remains in compliance with the
intended business functions. Quality standards dictate that this review should be done according to a
periodic schedule. ENTERPRISE RESOURCE PLANNING (ERP) ERP systems are large-scale
information systems that impact an organization's AIS. These systems permeate all aspects of the
organization and require technologies such as client/server and relational databases. Other system
types that currently impact AISs are supply chain management (SCM) and customer relationship
management (CRM). Traditional AISs recorded financial information and produced financial
statements on a periodic basis according to GAAP pronouncements. Modern ERP systems provide a
broader view of organizational information, enabling the use of advanced accounting techniques,
such as activity-based costing (ABC) and improved managerial reporting using a variety of analytical
techniques.
PREFACE
The main object of teaching is not to give explanations, but to knock at the doors of the
mind. If any boy is asked to give an account of what is awakened in him by such
knocking, he will probably say something silly. For what happens within is much bigger
than what comes out in words. Those who pin their faith on university examinations as the
test of education take no account of this.
Rabindranath Tagore
These notes are prepared exclusively for the benefit of the students in the course Acc 681
Accounting Information Systems in the Department of Accounting & Law at the State
University of New York at Albany, and are not to be used by others for any purpose
without the express permission of the author.
I shall be adding to these notes as we go along. You can download the file and print the
pages that you need. You will find the instructions for viewing postscript files on the
course homepage at
http://www.albany.edu/faculty/gangolly/acc682/fall99/
Jagdish S. Gangolly
Albany, NY 12222
• Contents
• Introduction to Systems I
o Introduction
o What is an accounting information system?
What is a system?
What is an information system?
What is an accounting information system?
o Different views of a system
A Contextual view
A Control view
o Attributes of Complex Systems: (Booch, 1994)
Some basic concepts & strategies in the study of systems
o References
• Introduction to Systems II
o Introduction
o Types of Information Systems
Classification by mode of processing
Classification by System Objectives
Classification based on the nature of interaction with environment
o Specification of Information Systems
Why specifications?
Formal vs. Informal Specifications
Components of specifications
o Methodologies for Systems Development
Systems Development Life Cycle
o References
• The Functional Model
o Introduction
o The Strategy in Functional Modeling
o Dataflow Diagrams
o Guidelines for Drawing Dataflow Diagrams
o A Toy Sales Order Entry & Processing System (Example):
o References
• About this document ...
Chapter 1: Introduction
Chapter 2: Overview of Accounting Data Processing
Chapter 3: International Issues and the World Wide Web
Chapter 4: Computer Hardware and Software
Chapter 5: Decision Support Tools and Expert Systems
Chapter 6: E-Business and Communication Systems
Chapter 7: File Processing and the Database Approach
Chapter 8: Ethics, Computer Crime, and Internal Control
Chapter 9: Auditing the AIS
Chapter 10: Systems Development Overview
Chapter 11: Revenue (Marketing) Cycle
Chapter 12: Expenditure Cycle
Chapter 13: Conversion (Production) Cycle
Chapter 14: Financial Cycle