
E INFORMATION TECHNOLOGY

1. Principles of information technology

(a) Advise on the basic hardware and software infrastructure required to support
business information systems.
(b) Identify and analyse general information technology controls and application
controls required for effective accounting information systems.
(c) Analyse the adequacy of general information technology controls and application
controls for relevant application systems.
(d) Evaluate controls over the safeguarding of information technology assets to ensure
the organisational ability to meet business objectives.

In particular, in (a) above, knowledge and skills relating to hardware and software
infrastructure have expanded from a focus on e-business to more general business
information systems. (b), (c) and (d) above all relate to controls which were not mentioned at
all in earlier syllabuses or study guides.

Infrastructures to support business information systems

Very large companies began to use computers in the 1960s. The first applications were for
wages and salaries processing, the production of sales invoices and receivables ledger
accounting. These applications automated existing operations allowing greater accuracy,
more speed and cheaper processing. At this time the IT operations would have been called
‘data processing’.

Once transactions are processed by computer it is easy to analyse those transactions to
produce information that could be useful for management. For example, once the sales ledger
is computerised it is easy to produce aged receivables listings. These additional management
reports became common in the 1970s (and are still important) and IT operations became
known as ‘management information systems’ (MIS). The systems could also be programmed
to make simple decisions such as comparing inventory levels to production plans to enable
automatic stock ordering. The simple decisions are known as programmable or structured
decisions, meaning that there is a well-defined way of getting to the correct answer. MIS
primarily allows companies to keep their costs down, helping them to move towards cost
leadership, through a combination of automation and rationalisation.

At the beginning of the 1980s, spreadsheets were invented and this allowed computers to be
used to help managers make unstructured (non-programmable) decisions. For these decisions
there is no definitively right answer. For example, what should next year’s budget look like?
At what price should a new product be launched? Financial models on spreadsheets allow
managers to try out 'what if?' experiments where they try out different combinations of
assumptions and try to home in on a credible answer. These systems are known as ‘decision
support systems’ (DSS): they do not make the decision but help managers make decisions.

More sophisticated systems combine, for example, computer-aided design and computer-aided
manufacturing to enable new products to be brought to market more quickly, or data
warehousing (recording historical transaction data) with data mining (trawling through that
data to learn more about customers’ preferences and buying patterns). Both of these
techniques can help with differentiation and focus strategies.
Somewhat later, around the 1990s, executive information systems were developed. These
were of particular use to senior managers and they have a particular emphasis on giving
access to external information that is needed for operational and strategic planning. It was, of
course, in the 1990s that the Internet began to expand rapidly and much more external
information became available. Executive information systems also emphasise flexibility so
that executives can see company data in a wide variety of ways. Typically, such systems
would initially present sales for the group, but upon double-clicking on that figure, it would
split into sales by division. Double-clicking on one of those figures might show the sales to
the division’s 10 key customers, compared to the comparable period last year. This process is
known as drilling down.

Databases are by far the preferred way to hold data. Databases allow a wide range of users
and applications to use the data flexibly and to update it. Each user can be given a unique,
personalised and relevant view of the data which they can easily search and manipulate.

The increasing reliance on computers by all levels within a company requires careful design
of the information technology (IT) infrastructure. IT usually refers to the hardware:
computers, connections, disk storage.

Networks

Only the very smallest of businesses will have stand-alone computers, computers not
connected to other computers. Even in small businesses employees need to share data and
very soon after personal computers were invented networks of computers were introduced.
There are two main types:

 Local area network (LAN): Here the network extends over only a relatively small area, such
as an office, a university campus or a hospital. The small area means that these networks use
specially installed wiring (or local wireless links) to connect the machines.
 Wide area network (WAN): Here the network can extend between several cities and
countries. Each office has its own LAN, but that connects to the LANs in other offices and
countries using commercial, public communications systems. At one time this would have
been done by the organisation leasing telephone lines for its private use to transmit data
from office to office. However, this is expensive and inflexible, and the common arrangement
now used is known as a virtual private network (VPN).

VPNs allow data to be transmitted securely over the internet between any two locations. For
example, an employee working from home or a hotel can access the company system as
though they were in the office. The information passes over many different circuits and
connections, but the system gives the impression of operating over a dedicated, private
communications link. Hence the name: virtual private network. Because the data is
transmitted over public systems it is particularly vulnerable to interception, and adequate
security measures must be in place to safeguard it. There are three essential elements to
those measures:

1. Access control and authentication – this ensures that unauthorised users do not access the
system. Typically it is accomplished through a log-in procedure. Many organisations, such as
banks, may require a password, answers to security questions (such as ‘What is the fourth
letter of your secret word?’) and also a one-time code generated by a security device that has
been issued to the user. Use of the latter technique (two-factor authentication) means that
anyone logging on has both to know a password and to be in possession of the security
device.
2. Confidentiality – this ensures that data cannot be intercepted and read by a third party
whilst being transmitted. This is achieved using encryption.
3. Data integrity – this ensures that the data has not been altered or distorted whilst in transit.
The sender attaches a check value computed over the message with a key shared only with
the receiver (a message authentication code), and the receiver recomputes and compares it
before trusting the data. A plain check digit or checksum, which follows a public
mathematical rule, detects accidental corruption but not deliberate tampering, because an
attacker who changes the data can simply recompute it.
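The confidentiality and integrity elements above, applied to a single message, as an added example that is not part of the original article. It uses only the Python standard library: a keystream derived from HMAC-SHA256 in counter mode stands in for the cipher a real VPN would negotiate (such as AES-GCM), HMAC-SHA256 over the nonce and ciphertext supplies the integrity check, and the keys, the payment message and the byte offset of the amount field are all constructed for the illustration. It shows a point the text only implies: encryption alone gives no integrity, because an attacker who knows the message layout can flip ciphertext bits and change the amount without knowing any key, and only the keyed check value catches the change.

```python
"""Confidentiality plus integrity for one message on a VPN-style link.

Added example, not from the original article. A keystream derived from
HMAC-SHA256 in counter mode stands in for the cipher a real VPN would
negotiate (such as AES-GCM); HMAC-SHA256 over nonce and ciphertext is the
integrity check. Keys, message and field offset are constructed for the demo.
"""
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN = 12
TAG_LEN = 32  # SHA-256 output length


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream block i = HMAC-SHA256(key, nonce || i): a PRF run in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes,
         nonce: Optional[bytes] = None) -> bytes:
    """Encrypt-then-MAC. Packet layout: nonce || ciphertext || tag."""
    nonce = nonce or os.urandom(NONCE_LEN)
    ciphertext = xor_bytes(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_packet(enc_key: bytes, mac_key: bytes, packet: bytes) -> Optional[bytes]:
    """Check the tag in constant time before decrypting; None means 'reject'."""
    nonce, ciphertext, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return xor_bytes(ciphertext, keystream(enc_key, nonce, len(ciphertext)))


def decrypt_without_checking(enc_key: bytes, packet: bytes) -> bytes:
    """What a receiver that relies on encryption alone would accept."""
    nonce, ciphertext = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN]
    return xor_bytes(ciphertext, keystream(enc_key, nonce, len(ciphertext)))


def flip_field(packet: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker step, needing no key: under a stream cipher, XORing the
    ciphertext with old ^ new turns the decrypted field from old into new."""
    start = NONCE_LEN + offset
    patched = xor_bytes(packet[start:start + len(old)], xor_bytes(old, new))
    return packet[:start] + patched + packet[start + len(old):]


# Constructed sample: a payment instruction whose amount sits at byte offset 4.
ENC_KEY = hashlib.sha256(b"example encryption key").digest()
MAC_KEY = hashlib.sha256(b"example mac key").digest()
MESSAGE = b"PAY 000100 TO 12345678"


def demo() -> dict:
    packet = seal(ENC_KEY, MAC_KEY, MESSAGE)
    tampered = flip_field(packet, 4, b"000100", b"900100")
    return {
        "genuine": open_packet(ENC_KEY, MAC_KEY, packet),                   # original message
        "tampered_with_mac": open_packet(ENC_KEY, MAC_KEY, tampered),        # None: rejected
        "tampered_without_mac": decrypt_without_checking(ENC_KEY, tampered),  # amount changed
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:>22}: {value!r}")
```

The receiver verifies the tag before it does anything with the ciphertext and compares it with `hmac.compare_digest`, so a forged tag cannot be distinguished from a genuine one by timing; the unauthenticated decryption is included only to show what the attacker's bit flip would have achieved on a link that relied on encryption alone.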

Centralised and decentralised (distributed) architectures

Consider an office local area network. There are three main ways in which the data and
processing can be arranged: centralised, decentralised (distributed) and hybrid.

Centralised systems
In these systems there is a powerful central computer which holds the data and which carries
out the processing. The main advantages of such systems are:

 Security: all data can be stored in a secure data centre so that, for example, access to the
data and back-up routines are easier to control.
 One copy of the data: all users see the same version of the data.
 Lower capital and operational costs: minimal hardware is needed at each site. There is also
less administrative overhead.
 The central computer can be very powerful: this will suit in processing-intensive
applications.
 They allow a centralised approach to management. For example, a chain of shops needs to
keep track of inventory in each shop and to transfer it as needed. There is little point in a
shop that is running low ordering more of a product if another branch already has a surplus
of that product.

The main disadvantages of such systems are:

 Highly dependent on links to the centralised processing facility. If that machine fails or
communication is disrupted then all users are affected.
 Processing speed: will decrease as more users log on.
 Lack of flexibility: local offices are dependent on suitable software and data being loaded
centrally.

Decentralised (distributed) systems

In these systems, each user has local processing power and will hold data locally.

The main advantages of such systems are:

 Resilience: if one machine breaks down, others are unaffected.
 Easy expansion: simply add another computer.
 Flexibility: local users can decide which programs and software should be installed to meet
local needs.
 They are more useful where each location can operate more or less separately from
others.

The main disadvantages are:

 More difficult to control: data storage and processing are in many locations and correct
access, processing and back-up of data are more difficult to enforce.
 Multiple versions of data: users might have their own version of data that should be
uniform.
 Potentially higher costs: each local computer has to have sufficient processing power and
each location might require an IT expert.
Hybrid systems
In these systems some data and processing are local and some are centralised. For example,
web-browsing and word-processing might be local but critical business applications might be
centralised.

Client-server and peer-to-peer systems

These concepts are similar to centralised and decentralised, but are not quite identical.

In a client-server arrangement, a powerful computer (the server) is dedicated to providing a
service to other computers in the network (the clients). Typical services provided are:

 File storage (file servers)
 Handling printing (print server)
 Handling the sending and receiving of emails (mail servers).

There is an element of centralisation here, but although files might be held centrally on the
server they will often be processed locally. For example, a report will be held on the server,
but when it is being edited it is downloaded to the user’s local machine (client). The edited
version will be saved back to the server where other users can then access it. Obviously there
will be great disruption if the server fails. Access rights to files are set centrally and typically
enforced by users’ log-on information.

Traditionally, in client server networks each client would have had a copy of, say, Word for
Windows. Documents would have been downloaded from the server for local editing then
saved back to the server. The disadvantage of this is that each machine in the network needs a
copy of Word and if the company was upgrading its software all copies of the program would
have to be changed. Providing the software initially for all machines and its subsequent
management is very expensive. With cloud computing this approach has changed: a single
copy of the software runs on the server, or on a ‘cloud’ of servers, behind a web-based
interface. Users log in to the web system and their processing is carried out on those servers.
It appears to each user that they have a local version of the software, but what they are really
seeing is the program operating on the server. Client machines can be ‘thin clients’ which are
not very powerful, as they do not have to store much data or software nor carry out much
processing. Hardware, software and maintenance costs are greatly reduced, though the system
is vulnerable to service disruption: if the network connection or the provider fails, every user
loses access at once, and the provider, not the company, now holds the company’s data.

Hotmail and Gmail provide examples of this approach. Whenever you want to write an email
you log into the web email account and the processing is carried out by the provider’s
computer cloud, not your computer. All your computer has to do is handle the interface.

In peer-to-peer networks, two or more computers are connected directly without the need for
a server. Access rights to files are given by individual users to specified other users. This is a
simpler system to set-up, requiring no specialist operating system or specialist staff and many
home systems are like this. It is a much more distributed system than client server systems
and therefore has back-up and security issues.

Controls in IT systems

IT poses particular risks to organisations’ internal control and information systems. This can
lead to their operations being severely disrupted and subsequently to lost sales, increased
costs, incorrect decisions and reputational damage.
Risks include:

 Reliance on systems or programs that are inaccurately processing data, processing
inaccurate data, reporting inaccurate, misleading results - or all three.
 Unauthorised access to data leading to destruction of data, improper changes to data, or
inaccurate recording of transactions.
 Particular risks may arise where multiple users access a common database on which
everyone in the organisation relies.
 The possibility of IT personnel gaining access privileges beyond those necessary to perform
their assigned duties.
 Unauthorised changes to data in master files. For example, changing a selling price or credit
limit.
 Unauthorised changes to systems or programs so that they no longer operate correctly and
reliably.
 Failure to make necessary changes to systems or programs to keep them up-to-date and in
line with legal and business requirements.
 Potential loss of data or inability to access data as required. This could prevent, for example,
the processing of internet sales.

Controls in computer systems can be categorised as general controls and application controls.

General controls

These are policies and procedures that relate to the computer environment and which are
therefore relevant to all applications. They support the effective functioning of application
controls by helping to ensure the continued proper operation of information systems. General
IT controls that maintain the integrity of information and security of data commonly include
controls over the following:

 Data centre and network operations. A data centre is a central repository of data and it is
important that controls there include back-up procedures, anti-virus software and firewalls
to prevent hackers gaining access. Organisations should also have disaster recovery plans in
place to minimise damage caused by events such as floods, fire and terrorist activities.
Where IT is critical to an operation’s business these plans might include having a parallel
system operating at a remote location that can be switched to immediately.
 System software acquisition, change and maintenance. System software refers to operating
systems such as Windows or Apple’s macOS. These systems are regularly updated as
problems and vulnerabilities are identified, and it is important for updates to be tested and
then implemented promptly.
 Access security. Physical access to file servers should be carefully controlled. This is where
the company keeps its data and it is essential that this is safeguarded: data will usually endow
companies with competitive advantage. Access to processing should also be restricted,
typically through the use of log-on procedures and passwords, with each user given only the
rights their job requires.
 Application system acquisition, development, and maintenance. Applications systems are
programs that carry out specific operations needed by the company – such as calculating
wages and invoices and forecasting inventory usage. Just as much damage can be done by
the incorrect operation of software as by inputting incorrect data. For example, think of the
damage that could be done if sales analyses were incorrectly calculated and presented.
Management could be led to withdraw products that are in fact very popular. All software
amendments must be carefully specified and tested before implementation.

Example: Royal Bank of Scotland

A software update was applied on 19 June 2012 to RBS's system which controls its payment
processing. The update had been corrupted by RBS technical staff so that customers' wages,
payments and other transactions were disrupted. Many customers were unable to withdraw
cash using automatic teller machines and were not able to see their bank account details.
Others faced fines and surcharges for late payment of bills because the system could not
process direct debits. For many customers the disruption lasted for around a week.

Application controls

Application controls are manual or automated procedures that typically operate at a business
process level, such as the processing of sales orders, wages and payments to suppliers.

These controls help ensure that transactions are authorised, and are completely and accurately
recorded, processed and reported. Examples include:

Edit checks of input data

Checks on input data are very important because once data has been input it is often
automatically processed thereafter without the further chance of human scrutiny. Methods
include:

 Range tests can be applied to reject data outside an allowed range. For example, when
accepting orders through a website, the system could be programmed to prevent, or at least
query, unusually large quantities being ordered.
 Format checks ensure that data is input in the correct format (for example, a payment card
number must consist only of digits and have the expected length, typically 16).
 Dependency checks, where one piece of data implies something about another (you have
probably had a travel booking rejected because you inadvertently had a return date earlier
than the outward date).
 Check digits, where a number, such as an account number, is specially constructed to
comply with mathematical rules. For example, UK and European VAT numbers use this
method:

VAT number = GB 2457193 48 (the last two digits, here 48, are the check digits)

The first seven digits are multiplied by the weighting factors 8, 7, 6, 5, 4, 3, 2 and the
products added:

2 x 8 + 4 x 7 + 5 x 6 + 7 x 5 + 1 x 4 + 9 x 3 + 3 x 2 = 146

Subtract 97 until the result is zero or negative:

146 – 97 – 97 = -48

Dropping the sign gives 48, the two check digits, which match the number entered. A number
in which a digit has been mistyped, or two adjacent digits transposed, will almost always fail
this test, so the error is caught at input rather than after the transaction has been processed.

 Numerical sequence checks to ensure that all accountable documents, such as cheques,
have been processed.
 Drop down menus which constrain choices and ensure only allowable entries can be made.
For example, constraining delivery choices to ordinary post or express delivery, or presenting
a list of allowable account codes.
 Batch total checks. Here, the data is first added up to create a control total, which is
subsequently compared to the total of the data actually submitted.
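A worked version of these edit checks, as an added example that is not from the original article. It validates a constructed batch of two sales orders with range, format, dependency, constrained-choice and check-digit tests, reconciles the batch against a control total, and recomputes the VAT check digits from the worked example above; the field names, limits and sample orders are assumptions made for the illustration. It also goes slightly beyond the text by counting how many single-digit typos and adjacent transpositions in the seven data digits the check digits catch (all of them, because the weights are distinct and every such error changes the weighted total by less than 97).

```python
"""Edit checks on a constructed batch of sales orders.

Added example, not from the original article. Field names, limits and the
sample orders are assumptions made for the illustration.
"""
import re
from datetime import date

MAX_QUANTITY = 500                      # range test: larger orders are queried
DELIVERY_OPTIONS = {"post", "express"}  # the choices a drop-down menu would offer
VAT_WEIGHTS = (8, 7, 6, 5, 4, 3, 2)


def vat_check_digits(seven_digits):
    """UK VAT check digits as in the worked example: weight the seven data
    digits 8..2, add up, subtract 97 until zero or negative and drop the
    sign. That is (-total) mod 97, formatted as two digits."""
    total = sum(int(d) * w for d, w in zip(seven_digits, VAT_WEIGHTS))
    return f"{(-total) % 97:02d}"


def vat_number_is_valid(vat):
    """Accepts 'GB 2457193 48' or 'GB245719348'; letters and spaces are ignored."""
    digits = re.sub(r"\D", "", vat)
    return len(digits) == 9 and vat_check_digits(digits[:7]) == digits[7:]


def validate_order(order, today):
    """Return the list of edit-check failures; an empty list means the order passes."""
    errors = []
    if not 1 <= order["quantity"] <= MAX_QUANTITY:                   # range test
        errors.append(f"quantity {order['quantity']} outside 1..{MAX_QUANTITY}")
    if not re.fullmatch(r"\d{16}", order["card_number"]):            # format check
        errors.append("card number must be 16 digits")
    if not re.fullmatch(r"[A-Z]{3}-\d{4}", order["account_code"]):   # format check
        errors.append("account code must look like SAL-1001")
    if order["delivery_date"] < today:                               # dependency check
        errors.append("delivery date is before the order date")
    if order["delivery"] not in DELIVERY_OPTIONS:                    # constrained choice
        errors.append(f"delivery option {order['delivery']!r} not allowed")
    if not vat_number_is_valid(order["vat_number"]):                 # check digits
        errors.append("VAT number fails the check-digit test")
    return errors


def reconcile_batch(orders, control_total_pence):
    """Batch total check: the value of the orders actually received must equal
    the control total the originating department added up before sending."""
    return sum(o["quantity"] * o["unit_price_pence"] for o in orders) == control_total_pence


def vat_typo_detection(seven_digits):
    """Count (detected, attempted) over every single-digit substitution and
    every adjacent transposition of distinct digits in the data digits."""
    check = vat_check_digits(seven_digits)
    attempted = detected = 0
    for i in range(7):
        for wrong in "0123456789":
            if wrong != seven_digits[i]:
                attempted += 1
                candidate = seven_digits[:i] + wrong + seven_digits[i + 1:]
                detected += vat_check_digits(candidate) != check
    for i in range(6):
        if seven_digits[i] != seven_digits[i + 1]:
            attempted += 1
            swapped = (seven_digits[:i] + seven_digits[i + 1]
                       + seven_digits[i] + seven_digits[i + 2:])
            detected += vat_check_digits(swapped) != check
    return detected, attempted


TODAY = date(2024, 6, 1)
ORDERS = [  # constructed sample batch: one clean order, one that fails every check
    {"id": 1, "quantity": 20, "unit_price_pence": 999, "card_number": "4111111111111111",
     "account_code": "SAL-1001", "delivery_date": date(2024, 6, 5), "delivery": "post",
     "vat_number": "GB 2457193 48"},
    {"id": 2, "quantity": 5000, "unit_price_pence": 999, "card_number": "41111111111",
     "account_code": "sales", "delivery_date": date(2024, 5, 1), "delivery": "drone",
     "vat_number": "GB 2457139 48"},   # 9 and 3 transposed
]
CONTROL_TOTAL_PENCE = 20 * 999 + 5000 * 999   # added up by the originating department


if __name__ == "__main__":
    for order in ORDERS:
        print(order["id"], validate_order(order, TODAY) or "passes all edit checks")
    print("batch reconciles:", reconcile_batch(ORDERS, CONTROL_TOTAL_PENCE))
    print("VAT typos caught (detected, attempted):", vat_typo_detection("2457193"))
```

Money is held in integer pence rather than floating point so that the batch total compares exactly; the check-digit and batch-total tests are deliberately separate, because the first catches a mistyped reference while the second catches a dropped or duplicated record.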
Online, real time systems can pose particular risks because any number of employees could
be authorised to process certain transactions. Anonymity raises the prospect of both
carelessness and fraud so it is important to be able to trace all transactions to their originator.
This can be done by requiring users to log-on and then tagging each transaction with the
identity of the person responsible. Logging on should require passwords and it is important
that members of staff keep these confidential. Many business systems enforce a rule that
requires passwords to be changed every few months. This is fine in theory, but to remember
their changing passwords many users start to write them down or make trivial variations on
the old one – a potential breach in security. Current guidance (for example NIST SP 800-63B)
therefore recommends forcing a change only when there is evidence that a password has been
compromised, and screening new passwords against lists of known-breached ones. Increasingly,
biometric measurement, such as fingerprint or retina recognition, can be used to control
access.

Log-in security, whether through passwords or biometrics, also helps to control both
processing and access to data. Each user is provided with tailored rights that allow them to
see only certain data, change only certain data and to carry out only specified processing.
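One way to implement tailored rights and the tagging of every transaction with its originator, as an added example that is not from the original article; the roles, permissions, users and transactions are constructed for the illustration. Beyond a per-role permission check it enforces segregation of duties (the person who creates a payment may not approve it, even if they hold both roles), restricts a master-file change such as a customer's credit limit to the credit control role, and writes every attempt, allowed or denied, to an audit trail so that each action can be traced to the user responsible.

```python
"""Role-based rights, segregation of duties and a per-transaction audit trail.

Added example, not from the original article. Roles, permissions, users and
transactions are constructed for the illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Least privilege: each role is granted only the actions its job needs.
ROLE_PERMISSIONS = {
    "sales_clerk": {"order.create", "customer.view"},
    "credit_control": {"customer.view", "customer.set_credit_limit"},
    "payments": {"payment.create", "payment.view"},
    "approver": {"payment.approve", "payment.view"},
    "it_support": {"system.reset_password"},  # no access to business data at all
}


@dataclass
class Session:
    """An authenticated user and the roles granted to them."""
    user: str
    roles: frozenset


@dataclass
class Ledger:
    payments: dict = field(default_factory=dict)
    credit_limits: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _record(self, session, action, target, outcome, detail=""):
        """Every attempt is tagged with the responsible user, allowed or not."""
        self.audit_log.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "user": session.user, "action": action, "target": target,
            "outcome": outcome, "detail": detail,
        })
        return outcome == "ok"

    def _permitted(self, session, action, target):
        allowed = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in session.roles))
        if action in allowed:
            return True
        return self._record(session, action, target, "denied", "not permitted for role")

    def create_payment(self, session, payment_id, amount_pence):
        if not self._permitted(session, "payment.create", payment_id):
            return False
        self.payments[payment_id] = {"amount": amount_pence,
                                     "created_by": session.user, "approved_by": None}
        return self._record(session, "payment.create", payment_id, "ok", f"{amount_pence}p")

    def approve_payment(self, session, payment_id):
        if not self._permitted(session, "payment.approve", payment_id):
            return False
        payment = self.payments.get(payment_id)
        if payment is None:
            return self._record(session, "payment.approve", payment_id, "denied", "no such payment")
        # Segregation of duties: holding both roles does not let you approve your own payment.
        if payment["created_by"] == session.user:
            return self._record(session, "payment.approve", payment_id, "denied",
                                "creator may not approve own payment")
        payment["approved_by"] = session.user
        return self._record(session, "payment.approve", payment_id, "ok")

    def set_credit_limit(self, session, customer, new_limit_pence):
        """Master-file change: credit control only, logged with old and new value."""
        if not self._permitted(session, "customer.set_credit_limit", customer):
            return False
        old = self.credit_limits.get(customer)
        self.credit_limits[customer] = new_limit_pence
        return self._record(session, "customer.set_credit_limit", customer, "ok",
                            f"{old} -> {new_limit_pence}")


def denied_actions(ledger):
    """(user, action) pairs that were refused: the first thing a reviewer reads."""
    return [(e["user"], e["action"]) for e in ledger.audit_log if e["outcome"] == "denied"]


def demo():
    ledger = Ledger()
    alice = Session("alice", frozenset({"payments"}))
    bob = Session("bob", frozenset({"approver"}))
    carol = Session("carol", frozenset({"sales_clerk"}))
    dave = Session("dave", frozenset({"payments", "approver"}))
    erin = Session("erin", frozenset({"credit_control"}))
    ledger.create_payment(alice, "P-100", 250_000)
    ledger.approve_payment(bob, "P-100")                # ok: a different person approves
    ledger.create_payment(bob, "P-101", 90_000)         # denied: approver role cannot create
    ledger.create_payment(dave, "P-102", 40_000)
    ledger.approve_payment(dave, "P-102")               # denied: segregation of duties
    ledger.set_credit_limit(carol, "C-42", 1_000_000)   # denied: not a credit-control action
    ledger.set_credit_limit(erin, "C-42", 1_000_000)    # ok, and the change is logged
    return ledger


if __name__ == "__main__":
    for entry in demo().audit_log:
        print(entry)
```

Denied attempts are logged as carefully as successful ones: a run of refusals against master-file records by an account that should never touch them is exactly the signal the text's "IT personnel gaining access privileges beyond those necessary" risk calls for.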

Conclusion

This article has mentioned encryption, firewalls, authentication and access controls. It is
important to realise that even with these measures in place that organisations can be damaged
by lapses in computer security. For example:

 In December 2013 Target Corporation (turnover around $70bn) announced that data from
around 40 million credit and debit cards had been stolen between late November and
mid-December; in January 2014 it added that personal information on around 70 million
customers had also been taken.
 In April 2011 Sony experienced a data breach of its PlayStation Network in which the
information of 77 million users was compromised.
 In May 2014 eBay announced that some three months earlier information (including
passwords, email addresses, birth dates, mailing addresses and other personal information)
relating to 145 million users had been stolen. eBay stated that the passwords were encrypted
and that there was no evidence (yet) that they had been decrypted.

Cyber-espionage is also a growing threat. Governments, competitors and criminals attempt to
steal intellectual property or information about customers and contracts. Quite obviously the
theft of valuable know-how will undermine a company’s competitive advantage, and it is
essential for organisations to defend themselves as far as possible against these threats.
