CHAPTER 3

SYSTEMS DEVELOPMENT AND DOCUMENTATION TECHNIQUES

SUGGESTED ANSWERS TO DISCUSSION QUESTIONS

3.1 Identify the DFD elements in the following narrative: A customer purchases a few items from a
local grocery store. Jill, a salesclerk, enters the transaction in the cash register and takes the
customer's money. At closing, Jill gives both the cash and the register tape to her manager.
Data Flows: merchandise, payment, cash and register tape
Date Source: customer
Processes: capture sales and payment data and collect payment, give cash and register tape to manager
Storage: sales file (register tape), cash register

3.2 Do you agree with the following statement: "Any one of the systems documentation procedures
can be used to adequately document a given system"? Explain.
It is usually not sufficient to use just one documentation tool. Every tool document a uniquely important
aspect of a given information system. For example:

• System flowcharts are employed to understand physical system activities including inputs, outputs,
and processing.
• Data flow diagrams provide a graphic picture of the logical flow of data within an organization.
• Business process diagrams show the activities a company engages in to do business and the
diagrams can be used to evaluate internal controls strengths and weaknesses.
Each alternative is appropriate for a given aspect of the system. As a result, they work together to fully
document the nature and function of the information system.

3.3 Compare the guidelines for preparing flowcharts, BPDs, and DFDs. What general design
principles and limitations are common to all 3 documentation techniques?
Similar design concepts include the following

• All three methods require an initial understanding of the system before actual documentation
begins. This ensures that the system is properly represented by the diagram,
• All three methods require the designer to identify the elements of the system and to identify the
names and relations associated with the elements.
• All three methods encourage the designer to show only the regular flows of information and not to
be concerned with unique situations.
• All three require more than one "pass" to capture the essence of the system accurately.
The product of all three methods is a model documenting the flow of information, processes, and/or
documents in an information system. All three documentation methods are limited by the nature of the
models they employ, as well as by the talents and abilities of the designer to represent reality.

3.4 Your classmate asks you to explain flowcharting conventions using real-world examples. Draw
each of the major flowchart symbols from memory, placing them into one of four categories:
input/output, processing, storage, and flow and miscellaneous. For each symbol, suggest several uses.
The major flowcharting symbols and their respective categories are shown in Fig. 3.8 in the text.
With respect to how symbols are used, student answers will vary. Possible examples include:
Input/Output Symbols

• Document: an employee time card, a telephone bill, a budget report, a parking ticket, a contract.
• Display: student information monitors, ATM monitors, a computer monitor.
Processing Symbols

• Processing: processing a student payroll program, assessing late fees.

• Manual operation: writing a parking ticket, preparing a paper report, collecting and entering
student payments.
Storage Symbols

• Database: alumni information database, a student information database or an airline reservation

database stored on-line.
• Magnetic tape: archival student information.
Flow (Miscellaneous)

• Communication link: a telephone linkage that connects you to an on-line database.

 CHAPTER 4

RELATIONAL DATABASES

SUGGESTED ANSWERS TO DISCUSSION QUESTIONS

4.1 Contrast the logical and the physical view of data and discuss why separate views are
necessary in database applications. Describe which perspective is most useful for each of the
following employees: a programmer, a manager, and an internal auditor. How will
understanding logical data structures assist you when designing and using database systems?

Databases are possible because of their database management system (DBMS). As shown in Figure
4.2, the DBMS is a software program that sits between the actual data stored in the system and the
application programs that use the data. As shown in Figure 4.4, this allows users to separate the
way they view the data (called the logical view) from the way the data is actually stored (the
physical view). The DBMS interprets the users' requests and retrieves, manipulates, or stores the
data as needed. The two distinct views separate the applications from the physical information,
providing increased flexibility in applications, improved data security, and ease of use.

In a database system, the manager will rarely need to understand or be familiar with the physical
view of the data. Nor, in most instances, will the internal auditor and the programmer as most
everything they do involves the logical view of the data.

If accountants understand logical data structures and the logical view of the data, they are better
able to manage, use, and audit a database and its data.

4.2 The relational data model represents data as being stored in tables. Spreadsheets are another
tool that accountants use to employ a tabular representation of data. What are some
similarities and differences in the way these tools use tables? How might an accountant’s
familiarity with the tabular representation of spreadsheets facilitate or hinder learning how
to use a relational DBMS?

A major difference between spreadsheets and databases is that spreadsheets are designed primarily
to handle numeric data, whereas databases can handle both text and numbers. Consequently, the
query and sorting capabilities of spreadsheets are much more limited than what can be
accomplished with a DBMS that has a good query language.

Accountants’ familiarity with spreadsheets might hinder their ability to design and use relational
DBMS because many links in spreadsheets are preprogrammed and designed in, whereas a well-
designed relational database is designed to facilitate ad-hoc queries.

Accountants’ familiarity with spreadsheets sometimes leads them to use a spreadsheet for a task
that a database could handle much better. Over the years, the Journal of Accountancy has
published a number of very good articles on how to use databases and when to use databases and
when to use spreadsheets. These articles can be found on the Journal’s website:
http://www.journalofaccountancy.com/
4.3 Some people believe database technology may eliminate the need for double-entry accounting.
This creates three possibilities: (1) the double-entry model will be abandoned; (2) the double-
entry model will not be used directly, but an external-level schema based on the double-entry
model will be defined for accountants’ use; or (3) the double-entry model will be retained in
database systems. Which alternative do you think is most likely to occur? Why?

There is no correct answer to this question because it is asking the student to express his opinion on
what will happen in the future. Therefore, the quality of his answer depends on the justifications
provided. Good answers should address the following:

1. Database technology does permit abandonment of double entry, but there will likely be
great resistance to such a radical change. Thus, students choosing this option need to present
reasons why they think such a radical change would succeed.

10. The use of a schema for accountants seems quite plausible. It does eliminate the redundancy
of double entry from the database system, yet it still provides a framework familiar and useful
to accountants and financial analysts.

11. There is a good possibility that double entry will remain, even in databases, due to inertia.
Indeed, many modern AIS, such as ERP systems, use databases but also retain the principles
of double entry.

4.4 Relational DBMS query languages provide easy access to information about the
organization’s activities. Does this mean that online, real-time processing should be used for
all transactions? Does an organization need real-time financial reports? Why or why not?

On-line real-time processing is not necessary for every business transaction. For example, batch
processing is adequate for payroll: there is little need for the data to be current except on payday.
Real-time financial statements are useful for planning and provide management with better ability
to react to changes in the environment. Nevertheless, real-time financial statements may present
distorted pictures of reality if accruals have been ignored or not properly recognized.

4.5 Why is it so important to have good data?

Bad data costs businesses over $600 billion a year. Some people estimate that over 25% of
business data is inaccurate or incomplete. In addition, incorrect database data can lead to bad
decisions, embarrassment, and angry users. The text illustrated this with the following
examples:
• For quite some time, a company sent half its catalogs to incorrect addresses. A manager
finally investigated the large volume of returns and customer complaints and corrected the
customer addresses in the database. He saved the company $12 million a year.
• Valparaiso, Indiana used the county database to develop its tax rates. After mailing the tax
notices, it was discovered that a $121,900 home was valued at $400 million. Due to the
$3.1 million property tax revenue shortfall, the city, the school district, and governmental
agencies had to make severe budget cuts.

Managing data is not going to get any easier as the quantity of data generated and stored
doubles every 18 months.
4.6 What is a data dictionary, what does it contain, and how is it used?
A data dictionary contains information about the structure of the database. Table 4-1 shows that there is a
record in the dictionary describing each data element. The DBMS maintains the data dictionary, whose
inputs include new or deleted data elements and changes in data element names, descriptions, or uses.
Outputs include reports for programmers, designers, and users. These reports are used for system
documentation, database design and implementation, and as part of the audit trail.

4.7 Compare and contrast the file-oriented approach and the database approach. Explain the
main advantages of database systems.
Information about the attributes of a customer, such as name and address, are stored in fields. Fields contain
data about one entity (e.g., one customer). Multiple fields form a record. A set of related records, such as
all customer records, forms a file (e.g., the customer file). A set of interrelated, centrally coordinated files
forms a database.
Figure 4-2 illustrates the differences between file-oriented and database systems. In the database approach,
data is an organizational resource that is used by and managed for the entire organization, not just the
originating department. A database management system (DBMS) is the interface between the database and
the various application programs. The database, the DBMS, and the application programs that access the
database through the DBMS are referred to as the database system.
Database systems were developed to address the proliferation of master files. This proliferation created
problems such as the same data stored in two or more master files. This made it difficult to integrate and
update data and to obtain an organization-wide view of data. It also created problems because the data in
the different files was inconsistent.
Databases provide organizations with the following benefits:
• Data integration. Master files are combined into large “pools” of data that many applications
programs access. An example is an employee database that consolidates payroll, personnel, and job skills
master files.
• Data sharing. Integrated data is more easily shared with authorized users. Databases are easily
browsed to research a problem or obtain detailed information underlying a report. The FBI, which does a
good job of collecting data but a poor job of sharing it, is spending eight years and $400 million to integrate
data from their different systems.
• Minimal data redundancy and data inconsistencies. Because data items are usually stored only
once, data redundancy and data inconsistencies are minimized.
• Data independence. Because data and the programs that use them are independent of each other,
each can be changed without changing the other. This facilitates programming and simplifies data
management.
• Cross-functional analysis. In a database system, relationships, such as the association between
selling costs and promotional campaigns, can be explicitly defined and used in the preparation of
management reports.
CHAPTER 6

COMPUTER FRAUD AND ABUSE TECHNIQUES

SUGGESTED ANSWERS TO DISCUSSION QUESTIONS

6.1 When U.S. Leasing (USL) computers began acting sluggishly, computer operators
were relieved when a software troubleshooter from IBM called. When he offered to
correct the problem they were having, he was given a log-on ID and password. The
next morning, the computers were worse. A call to IBM confirmed USL’s suspicion:
Someone had impersonated an IBM repairman to gain unauthorized access to the
system and destroy the database. USL was also concerned that the intruder had
devised a program that would let him get back into the system even after all the
passwords were changed.

What techniques might the impostor have employed to breach USL’s internal
security?

The perpetrator may have been an external hacker or he may have been an employee with
knowledge of the system.

It seems likely that the perpetrator was responsible for the sluggishness, as he called soon
after it started. To cause the sluggishness, the perpetrator may have:

• Infected the system with a virus or worm.

• Hacked into the system and hijacked the system, or a large part of its processing
capability.

To break into the system, the perpetrator may have:

• Used pretexting, which is creating and using an invented scenario (the pretext) to
increase the likelihood that a victim will divulge information or do something they
would not normally do. In this case, the perpetrator pretended to be an IBM software
troubleshooter to get a log-on ID and password.

• Used masquerading or impersonation, which is pretending to be an authorized user to

access a system. This was possible in this case once the perpetrator obtained the log-on
ID and password. Once inside the system, the perpetrator has all the privileges attached
to the user ID and password given to him.

• Infected it with a Trojan horse, trap door, logic or time bomb, or some other
malware.

• Made unauthorized use of superzap, a software utility that bypasses regular system
controls.
What could USL do to avoid these types of incidents in the future?

• Determine how the perpetrator caused the sluggishness and implement the controls
need to prevent it from happening again.

• Conduct a complete security review to identify and rectify and security weaknesses.

• Only reveal passwords and logon numbers to authorized users whose identities have
been confirmed. When someone calls and indicates they are an IBM employee, verify
their identity by calling IBM back on their known and published service number.
Even better would be to call and talk to the IBM representative assigned to USL.

• Provide employee training aimed at helping them not fall victim to the many forms of
social engineering.

• After providing outsiders with temporary user IDs and passwords, block their use as
soon as the need for them is passed.

Other control considerations that could reduce the incidence of unauthorized access
include:

• Improved control of sensitive data.

• Alternate repair procedures.

• Increased monitoring of system activities.

6.3 The UCLA computer lab was filled to capacity when the system slowed and crashed,
disrupting the lives of students who could no longer log into the system or access data
to prepare for finals. IT initially suspected a cable break or an operating system
failure, but diagnostics revealed nothing. After several frustrating hours, a staff
member ran a virus detection program and uncovered a virus on the lab’s main
server. The virus was eventually traced to the computers of unsuspecting UCLA
students. Later that evening, the system was brought back online after infected files
were replaced with backup copies.
What conditions made the UCLA system a potential breeding ground for the virus?
• Many computers, providing numerous potential hosts.
• Users are allowed to create and store programs.
• Users share programs regularly.
• Numerous external data storage devices are used each day by students without adequate
controls over their contents.
• University students send lots of emails and download lots of software, music, and
videos from the Internet, all of which are excellent ways to pass viruses to others.
What symptoms indicated that a virus was present?
• Destroyed or altered data and programs.
• The inability to boot the system or to access data on a hard drive.
• Clogged communications.
• Hindered system performance.
However, the system did not print disruptive images or messages on the screen. Some
people who write viruses cause some sort of message or image to appear to give some
indication that the system has been compromised.