Chapter: 1
AIS
1: Distinguish between data and information. Discuss the
characteristics of useful information. Explain how to
determine the value of information.
Data are facts that are recorded and stored; on their own they are
insufficient for decision making. Information is data that has been
processed so it can be used in decision making. Too much information
makes decisions harder; this is known as information overload.
Characteristics of useful information:
Relevant: the capacity of information to make a difference in a decision by
helping users to form predictions about the outcomes of past, present, and
future events or to confirm or correct prior expectations.
Reliable: the quality of information that assures that information is
reasonably free from error and bias and faithfully represents what it purports
to represent.
Complete: the inclusion in reported information of everything material that
is necessary for faithful representation of the relevant phenomena.
Timely: having information available to a decision maker before it loses its
capacity to influence decisions.
Understandable: the quality of information that enables users to perceive
its significance.
Verifiable: the ability through consensus among measurers to ensure that
information represents what it purports to represent or that the chosen
method of measurement has been used without error or bias.
Accessible: available when needed.
Value of Information
Yusuf Hussein
Page 1
Reduce uncertainty, improve decisions, improve planning and scheduling,
and reduce the time and resources required.
2: Explain the decisions an organization makes and the
information needed to make them?
Discussed as external knowledge.
External:
There are five uses of accounting information systems: generating
external reports, supporting routine activities, supporting decision making,
helping with planning and control, and assisting with the implementation of
internal controls.
3. Identify the information that passes between internal
and external parties in an AIS.
Business organizations conduct business transactions between internal
and external stakeholders.
Internal stakeholders are employees in the organization (e.g.,
employees and managers).
External stakeholders are trading partners such as customers and
vendors as well as other external organizations such as banks and
government.
The AIS captures the flow of information between these users for the
various business transactions.
4: Describe the major business processes present in most
companies.
Business Process Cycles
Five major business process or transaction cycles are:
1. Revenue Cycle: where goods and services are sold for cash or a future
promise to receive cash.
2. Expenditure cycle: where companies purchase inventory for resale or raw
materials to use in producing products in exchange for cash or a future
promise to pay cash.
3. The production or conversion cycle: where raw materials are transformed
into finished goods.
4. Human resources/payroll cycle: where employees are hired, trained,
compensated, evaluated, promoted, and terminated.
5. Financial cycle: where companies sell shares in the company to investors
and borrow money and where investors are paid dividends and interest is
paid on loans.
5: Explain what an accounting information system (AIS) is
and describe its basic functions.
An accounting information system (AIS) is a structure that a business
uses to collect, store, manage, process, retrieve and report its financial
data.
The accounting information system is a set of formal procedures that
determine how data is collected and processed into information and
distributed to the users.
An accounting information system (AIS) is a structure that a business uses to collect, store, manage,
process, retrieve and report its financial data so that it can be used by accountants, consultants, business
analysts, managers, chief financial officers (CFOs), auditors, and regulatory and tax agencies.
Components of AIS:
It can be manual or computerized
Consists of
People who use the system
Processes
Technology (data, software, and information technology)
Controls to safeguard information
Thus, transactional data is collected and processed into meaningful
information from which business decisions are made, and adequate
controls protect and secure the organization's data assets.
Or
1. the people who use the system
2. the procedures and instructions used to collect, process, and store data
3. the data about the organization and its business activities
4. the software used to process the data
5. the information technology infrastructure, including the computers, peripheral
devices and network communication devices used in the AIS
6. the internal controls and security measures that safeguard AIS data
6: Discuss how AIS can add value to an organization.
1. Improving the quality and reducing the costs of products or services.
2. Improving efficiency.
3. Sharing Knowledge.
4. Improving the efficiency and effectiveness of its supply chain.
5. Improving the internal control structure
6. Improving decision making
Or
A well-thought-out AIS can add value through effective and efficient
decisions.
Having effective decisions means quality decisions
Having efficient decisions means reducing costs of decision
making
7: Explain how an AIS and corporate strategy affect each
other.
An AIS is influenced by an organization's strategy.
A strategy is the overall goal the organization hopes to achieve (e.g.,
increase profitability).
Once an overall goal is determined, an organization can determine
actions needed to reach their goal and identify the informational
requirements necessary to measure how well they are doing in
obtaining that goal.
Or
A system is a set of two or more interrelated components that interact to
achieve a goal. Most systems are composed of smaller subsystems that
support the larger system. For example a college of business is a system
composed of various departments, each of which is a subsystem. Each
subsystem is designed to achieve one or more organizational goals. Changes
in subsystems cannot be made without considering the effect on other
subsystems, and on the system as a whole.
A strategy is the overall goal the organization hopes to achieve (e.g.,
increase profitability).
Goal conflict occurs when a subsystem is inconsistent with the goals of
another subsystem or with the system as a whole.
Goal congruence occurs when a subsystem achieves its goals while
contributing to the organization's overall goal.
8: Explain the role an AIS plays in a company's value chain.
An organization's value chain consists of nine interrelated activities that
collectively describe everything it does. The five primary activities,
inbound logistics, operations, outbound logistics, marketing, and service,
are performed to create, market, and deliver products and services to
customers and to provide post-sales service and support.
The four support activities, infrastructure, technology, human resources,
and purchasing, make it possible for the primary activities to be performed
efficiently and effectively.
Chapter: 2
1: Describe the four parts of the data processing cycle
and the major activities in each? NB
This process consists of four steps: data input, data storage, data
processing and information output.
Data Input: The first step in processing input is to capture transaction
data and enter them into the system. The Data must be collected
about three facets of each business activity:
1 Each activity of interest
2 The resource(s) affected by each activity
3 The people who participate in each activity
Data Storage
A company's data are one of its most important resources. To function
properly, an organization must have ready and easy access to its data.
Therefore, accountants need to understand how data are organized
and stored in an AIS and how they can be accessed. Three ways to
store data:
Ledgers: Cumulative accounting information is stored in general and
subsidiary ledgers. A general ledger contains summary-level data for
every asset, liability, equity, revenue, and expense account. A
subsidiary ledger contains detailed data for any general ledger
account with many individual subaccounts.
Data Processing
Once business activity data have been entered into the system, they
must be processed to keep the databases current. The four different
types of data processing activities, referred to as CRUD are as follows:
1 Creating new data records, such as adding a newly hired
employee to the payroll database.
2 Reading, retrieving, or viewing existing data.
3 Updating previously stored data.
4 Deleting data, such as purging the vendor master file of all
vendors the company no longer does business with.
Information Output
The final step in the data processing cycle is information output. When
displayed on a monitor, output is referred to as soft copy; when
printed on paper, it is referred to as hard copy. Information is
usually presented in one of three forms: a document, a report or a
query response.
Documents are records of transactions or other company data. Some,
such as checks and invoices, are transmitted to external parties.
Reports are used by employees to control operational activities and
by managers to make decisions and to formulate business strategies.
External users need reports to evaluate company profitability.
A database query is used to provide the information needed to deal
with problems and questions that need rapid action or answer.
2: Describe the ways information is stored in computer-based
information system
Computers store data in fields. The fields containing data about an
entity's attributes constitute a record; each row represents a different
record, and each column represents an attribute. Each intersection of a
row and column is a field within a record, the contents of which are
called a data value.
A file is a group of related records. A master file, like a ledger in a
manual AIS, stores cumulative information about an organization. The
inventory and equipment master files store information about
important organizational resources.
A transaction file contains records of individual business transactions
that occur during a specific time period. It is similar to a journal in a
manual AIS.
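The master file and transaction file relationship described above, together with the CRUD activities of the data processing step in question 1, as an added worked example that is not part of these notes or of any textbook: a constructed inventory master file is posted from a constructed transaction file, and the posting routine rejects any transaction that would leave the master file inconsistent (the list of rejections is itself a form of information output, an exception report). The item numbers, field names, transaction types and sample records are assumptions made for the example.

```python
"""Added example: a tiny inventory master file updated from a transaction file.

Illustrative code written for these notes, not code from the course or any
textbook. The file layouts, field names and sample records are constructed.
"""
from typing import Dict, List

# --- master file: one record (row) per inventory item, cumulative balances ---
MASTER_FILE: Dict[str, dict] = {
    # item_no is the key; each key inside the record is an attribute (column)
    "A100": {"description": "Widget", "qty_on_hand": 50, "unit_cost": 2.50},
    "B200": {"description": "Gadget", "qty_on_hand": 10, "unit_cost": 7.00},
}

# --- transaction file: one record per business event in the period ----------
# (constructed sample data, playing the role of a journal in a manual system)
TRANSACTION_FILE: List[dict] = [
    {"txn_id": 1, "type": "CREATE",  "item_no": "C300", "description": "Gizmo",
     "qty": 0, "unit_cost": 4.00},
    {"txn_id": 2, "type": "RECEIPT", "item_no": "A100", "qty": 25},
    {"txn_id": 3, "type": "ISSUE",   "item_no": "B200", "qty": 4},
    {"txn_id": 4, "type": "ISSUE",   "item_no": "A100", "qty": 80},  # exceeds on-hand
    {"txn_id": 5, "type": "DELETE",  "item_no": "B200"},             # still has stock
    {"txn_id": 6, "type": "ISSUE",   "item_no": "Z999", "qty": 1},   # no master record
]


def post_transactions(master, transactions):
    """Apply the transaction file to the master file.

    Returns (updated_master, rejected); rejected holds (txn_id, reason) pairs
    for transactions the posting routine refused, i.e. the exception report.
    The input master file is copied, not mutated.
    """
    master = {k: dict(v) for k, v in master.items()}
    rejected = []
    for t in transactions:
        item = master.get(t["item_no"])
        kind = t["type"]
        if kind == "CREATE":                       # C: create a new record
            if item is not None:
                rejected.append((t["txn_id"], "duplicate item_no")); continue
            master[t["item_no"]] = {"description": t["description"],
                                    "qty_on_hand": t["qty"],
                                    "unit_cost": t["unit_cost"]}
        elif kind in ("RECEIPT", "ISSUE"):         # U: update an existing record
            if item is None:
                rejected.append((t["txn_id"], "no master record")); continue
            delta = t["qty"] if kind == "RECEIPT" else -t["qty"]
            if item["qty_on_hand"] + delta < 0:
                rejected.append((t["txn_id"], "qty_on_hand would go negative")); continue
            item["qty_on_hand"] += delta
        elif kind == "DELETE":                     # D: delete a record
            if item is None:
                rejected.append((t["txn_id"], "no master record")); continue
            if item["qty_on_hand"] != 0:
                rejected.append((t["txn_id"], "item still has stock")); continue
            del master[t["item_no"]]
        else:
            rejected.append((t["txn_id"], f"unknown transaction type {kind}"))
    return master, rejected


def read_record(master, item_no):
    """R: read/retrieve one record (a query response); None if absent."""
    return master.get(item_no)


def inventory_value(master):
    """Report output: total cost of inventory on hand across the master file."""
    return round(sum(r["qty_on_hand"] * r["unit_cost"] for r in master.values()), 2)


if __name__ == "__main__":
    updated, rejected = post_transactions(MASTER_FILE, TRANSACTION_FILE)
    for item_no, rec in updated.items():
        print(item_no, rec)
    print("rejected:", rejected)
    print("inventory value:", inventory_value(updated))
```

The posting routine treats the master file as the record of balances and the transaction file as the record of events, so a rejected transaction never changes a balance; the rejections are reported rather than silently dropped, which is what lets a reviewer reconcile the period afterwards.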
3: Discuss the types of information that an AIS can
provide.
Documents are records of transactions or other company data. Some,
such as checks and invoices, are transmitted to external parties.
Reports are used by employees to control operational activities and
by managers to make decisions and to formulate business strategies.
External users need reports to evaluate company profitability.
A database query is used to provide the information needed to deal
with problems and questions that need rapid action or answer.
Chapter: 3
L.O.2: Prepare and use flowcharts to understand, evaluate and
document information system
A flowchart is an analytical technique used to describe some aspect of an
information system in a clear, concise, and logical manner.
Flowcharting symbols are divided into four categories as shown in figure 3-8:
1 Input/output symbols represent devices or media that provide input
to or record output from processing operations.
2 Processing symbols show what types of devices are used to process
data or indicate when processing is performed manually.
3 Storage symbols represent the devices used to store data.
4 Flow and miscellaneous symbols indicate the flow of data, where
flowcharts begin or end, where decisions are made, and when to add
explanatory notes to flowcharts.
L.O.1: A data flow diagram (DFD) graphically describes the flow of data
within an organization. There are four basic elements: data source and
destination, data flows, transformation processes and data stores
Name: Data sources and destinations
Explanation: The people and organizations that send data to and receive
data from the system are represented by square boxes. Data destinations
are also referred to as data sinks.
Name: Data flows
Explanation: The flow of data into or out of a process is represented
by curved or straight lines with arrows.
Name: Transformation process
Explanation: The processes that transform data from inputs to outputs
are represented by circles. They are often referred to as bubbles.
Name: Data stores
Explanation: The storage of data is represented by two horizontal lines.
Chapter: 5
L.O.1: Explain the threats faced by modern information
systems
Information systems are becoming increasingly complex, society is
becoming increasingly dependent on these systems, and companies
face a growing risk of these systems being compromised. Companies
face four common threats to their information systems:
1. Natural and political disasters, e.g. fire or excessive heat, floods,
earthquakes, high winds, war and terrorist attack.
2. Software errors, e.g. operating system crashes, power outages and
fluctuations, and undetected data transmission errors.
3. Unintentional acts: errors that mostly come from human accidents
caused by carelessness, failure to follow established procedures, or poor
training and supervision.
4. Intentional acts: include computer fraud, sabotage, unauthorized
disclosure of data, misappropriation of assets, and fraudulent financial
statements.
L.O.2: Define fraud and describe the process one follows
to perpetrate a fraud
Fraud is any and all means a person uses to gain an unfair advantage over
another person.
Types of Fraud
The two most common types of fraud are misappropriation of assets
(involves theft, embezzlement, or misuse of company assets for personal
gain; examples include billing schemes, check tampering, skimming, and
theft of inventory) and fraudulent financial statements (involves
misstating the financial condition of an entity by intentionally misstating
amounts or disclosures in order to deceive users).
Reasons for Fraudulent Financial Statements
1. Deceive (mislead) investors or creditors
2. Increase the company's stock price
3. Meet cash flow needs
4. Hide company losses or other problems
L.O.3: Discuss who perpetrates fraud and why it occurs, including the
fraud triangle.
Researchers have compared the psychological and demographic
characteristics of three groups of people: a) white-collar criminals, b) violent
criminals, and c) the general public.
Three factors have come to be known as the fraud triangle:
Pressure: this pressure is referred to as a perceived non-shareable need.
The pressure could be related to finances, emotions, lifestyle, or some
combination.
The most common pressures were:
Not being able to pay one's debts, fear of loss of status because of a
personal failure, and business problems.
Opportunity: is the opening or gateway that allows an individual to commit
the fraud, conceal the fraud and convert the proceeds. There are many
opportunities that enable fraud. Some of the most common are:
Lack of internal controls, inadequate staff, and excessive trust in key employees.
Rationalization:
It is important to understand that fraudsters do not regard themselves as
unprincipled. Their rationalizations take many forms, including: "I've
worked for them for 35 years and been underpaid all that time" and "I needed
it to pay my child's medical bills."
L.O.4: Define computer fraud and discuss the different computer
fraud classifications
The U.S. Department of Justice defines computer fraud as any illegal act for
which knowledge of computer technology is essential for its perpetration,
investigation, or prosecution.
Computer fraud includes the following:
Unauthorized theft, use, access, modification, copying, and destruction
of software or data.
Theft of money by altering computer records.
Theft of computer time.
Theft or destruction of computer hardware.
Use or the conspiracy to use computer resources to commit a felony.
Intent to illegally obtain information or tangible property through the
use of computers.
By using a computer, fraud perpetrators can steal more of something, in less
time, and with less effort. They may also leave very little evidence, which
can make these crimes more difficult to detect.
Computer fraud classification
Frauds can be categorized according to the data processing model:
Input (the simplest and most common way to commit a fraud, e.g.
disbursement frauds, inventory frauds, payroll frauds, and cash receipt
frauds).
Processor (unauthorized system use, theft of computer time and
services, e.g. surfing the Internet).
Computer instructions (modifying the software and making illegal
copies).
Stored data (copying, using, or searching the data files without
authorization).
Output (involves stealing or misusing system output; output is usually
displayed on a screen or printed on paper).
L.O.5: Explain how to prevent and detect computer fraud and
abuse.
Organizations must take every precaution to protect their information
systems. Certain measures can significantly decrease the potential for fraud
and any resulting losses.
These measures include:
Make fraud less likely to occur
Increase the difficulty of committing fraud
Improve detection methods
Reduce fraud losses
Chapter 6
1. Compare and contrast computer attack and abuse tactics
Computer Attacks and Abuse: All computers connected to the internet,
especially those with important trade secrets or valuable IT assets, are
under constant attack from hackers, foreign governments, terrorist groups,
disaffected employees, industrial spies, and competitors. These people
attack computers looking for valuable data or to harm the computer system.
Preventing attacks is a constant battle.
Types of Attacks
There are three types of computer attacks:
Hacking: is the unauthorized access, modification, or use of an electronic
device or some element of a computer system. Most hackers break into
systems using known flaws in operating systems or application programs, or
as a result of poor access controls.
Social Engineering: refers to techniques or psychological tricks used to
get people to comply with the perpetrator's wishes in order to gain
physical or logical access to a building, computer, server or network,
usually to get the information needed to access a system for the purpose
of obtaining confidential data.
Malware: is any software that can be used to do harm.
2. Describe the different types of malware used to harm computers
Types of Malware
Spyware: software that secretly monitors and collects personal
information about users and sends it to someone else.
Keylogger: records computer activity, such as a user's keystrokes, emails
sent and received, Web sites visited, and chat session participation.
Trojan Horse: is a set of malicious computer instructions in an
authorized and otherwise properly functioning program.
Trap door: is a way into a system that bypasses normal authorization
and authentication controls.
Packet sniffer: captures data from information packets as they travel
over networks. Captured data are examined to find confidential or
proprietary information.
Superzapping: is the unauthorized use of special system programs to
bypass regular system controls and perform illegal acts, all without
leaving an audit trail.
Virus: is a segment of self-replicating, executable code that attaches
itself to a file or program.
Worm: is a self-replicating computer program similar to a virus.
Chapter 7
1. Explain basic control concepts and explain why computer control
and security are important.
Internal control is the process implemented by the board of directors,
management, and those under their direction to provide reasonable
assurance that the following control objectives are achieved.
Internal controls perform three important functions:
Preventive controls (deter problems before they arise)
Detective controls (discover problems after they arise)
Corrective controls (correct problems that have occurred and modify the system)
Internal controls are often classified as:
General controls
Those designed to make sure an organization's control
environment is stable and well managed.
They apply to all sizes and types of systems.
Examples: Security management controls.
Application controls
Prevent, detect, and correct transaction errors and fraud.
Concerned with accuracy, completeness, validity, and
authorization of the data captured, entered into the
system, processed, stored, transmitted to other systems,
and reported.
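An added example, written for these notes and not taken from the course or from any control framework, of the application controls just described: input edit checks that test each purchase transaction for completeness, validity, accuracy and authorization before it is processed (preventive controls), plus a batch record count and hash total that is compared with the totals prepared when the batch was submitted (a detective control). The vendor master, approval limits, field names, accounting period and sample transactions are constructed assumptions.

```python
"""Added example: application-level input edit checks on purchase transactions.

Illustrative code written for these notes, not from the course or any control
framework. The vendor master, approval limits, field names and sample data are
constructed assumptions.
"""
from datetime import date
from typing import List

APPROVED_VENDORS = {"V001", "V002"}                          # assumed vendor master
APPROVAL_LIMITS = {"clerk": 1_000.00, "manager": 10_000.00}  # assumed limits
REQUIRED = ("txn_id", "vendor_id", "qty", "unit_price", "total",
            "approved_by", "txn_date")


def _is_number(v) -> bool:
    return isinstance(v, (int, float)) and not isinstance(v, bool)


def check_transaction(t: dict, period_end: date) -> List[str]:
    """Preventive edit checks on one record; returns failures (empty = passes)."""
    # Completeness: every required field present and non-empty
    missing = [f for f in REQUIRED if t.get(f) in (None, "")]
    if missing:
        return ["completeness: missing " + ",".join(missing)]
    failures = []
    # Validity: vendor must exist in the approved-vendor master
    if t["vendor_id"] not in APPROVED_VENDORS:
        failures.append("validity: vendor not in approved-vendor master")
    # Validity: date must parse and fall inside the accounting period
    try:
        if date.fromisoformat(t["txn_date"]) > period_end:
            failures.append("validity: txn_date after period end")
    except ValueError:
        failures.append("validity: txn_date is not a date")
    # Accuracy: numeric, positive, and the extension (qty x price) equals total
    if not all(_is_number(t[f]) and t[f] > 0 for f in ("qty", "unit_price", "total")):
        failures.append("accuracy: qty, unit_price and total must be positive numbers")
    elif abs(t["qty"] * t["unit_price"] - t["total"]) > 0.005:
        failures.append("accuracy: total does not equal qty x unit_price")
    # Authorization: approver must be known and within their approval limit
    limit = APPROVAL_LIMITS.get(t["approved_by"])
    if limit is None:
        failures.append("authorization: unknown approver")
    elif _is_number(t["total"]) and t["total"] > limit:
        failures.append(f"authorization: total {t['total']:.2f} exceeds "
                        f"{t['approved_by']} limit {limit:.2f}")
    return failures


def screen_batch(batch, period_end):
    """Split a batch into accepted and rejected (txn_id, failures) lists."""
    accepted, rejected = [], []
    for t in batch:
        failures = check_transaction(t, period_end)
        (rejected if failures else accepted).append((t.get("txn_id"), failures))
    return accepted, rejected


def control_totals_match(batch, expected_count, expected_sum) -> bool:
    """Detective control: record count and hash total of 'total' must agree
    with the control totals prepared when the batch was submitted."""
    actual_sum = round(sum(t.get("total", 0) or 0 for t in batch), 2)
    return len(batch) == expected_count and actual_sum == round(expected_sum, 2)


PERIOD_END = date(2024, 3, 31)   # assumed accounting period end
SAMPLE = [                       # constructed sample batch
    {"txn_id": "T1", "vendor_id": "V001", "qty": 10, "unit_price": 25.0, "total": 250.0,
     "approved_by": "clerk", "txn_date": "2024-03-05"},                     # passes
    {"txn_id": "T2", "vendor_id": "", "qty": 1, "unit_price": 5.0, "total": 5.0,
     "approved_by": "clerk", "txn_date": "2024-03-05"},                     # incomplete
    {"txn_id": "T3", "vendor_id": "V999", "qty": 2, "unit_price": 50.0, "total": 100.0,
     "approved_by": "clerk", "txn_date": "2024-03-06"},                     # bad vendor
    {"txn_id": "T4", "vendor_id": "V002", "qty": 3, "unit_price": 40.0, "total": 130.0,
     "approved_by": "manager", "txn_date": "2024-03-06"},                   # bad extension
    {"txn_id": "T5", "vendor_id": "V002", "qty": 100, "unit_price": 50.0, "total": 5000.0,
     "approved_by": "clerk", "txn_date": "2024-03-07"},                     # over limit
    {"txn_id": "T6", "vendor_id": "V001", "qty": 1, "unit_price": 10.0, "total": 10.0,
     "approved_by": "manager", "txn_date": "2024-04-02"},                   # wrong period
]

if __name__ == "__main__":
    ok, bad = screen_batch(SAMPLE, PERIOD_END)
    print("accepted:", [i for i, _ in ok])
    for txn_id, failures in bad:
        print("rejected", txn_id, failures)
    print("control totals agree:", control_totals_match(SAMPLE, 6, 5495.0))
```

Each check reports the control objective it serves, so the exception listing tells the reviewer whether a record was incomplete, invalid, inaccurate or unauthorized; the batch total check catches records lost or altered between submission and processing that the per-record checks cannot see.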
Why are AIS threats increasing?
Control risks have increased in the last few years because:
There are computers and servers everywhere.
Distributed computer networks make data available to
many users.
Wide area networks (WANs) are giving customers and
suppliers access to each other's systems and data.
Inadequate protection:
Threats are underestimated, and controls are not well
understood.
Productivity pressures and cost reduction pressures.
Companies have not always understood the threats.
Cost pressures mean that managers skip time-consuming
control procedures.
2. Compare and contrast the COBIT, COSO, and ERM control
frameworks
The COBIT Framework consolidates systems security and control standards
into a single framework. This allows management to benchmark security and
control practices of IT environments, users to be assured that adequate IT
security and control exist, and auditors to substantiate their internal control
opinions and to advise on IT security and control matters.
The framework addresses control from three vantage points:
Business objectives, to ensure information conforms to and maps into
business objectives.
IT resources, including people, application systems, technology, facilities, and data.
IT processes, including planning and organization, acquisition and implementation,
delivery and support, and monitoring and evaluation.
COSO's Internal Control Framework is widely accepted as the authority
on internal controls and is incorporated into policies and regulations that
control business activities. However, it examines controls without
looking at the purposes and risks of business processes and provides
little context for evaluating the results. It makes it hard to know which
control systems are most important, whether they adequately deal with
risk, and whether important controls are missing. In addition, it does not
adequately address information technology issues.
It has five components:
1 Control environment, which is the individual attributes (integrity,
ethical values, competence, etc.) of the people in the organization
and the environment in which they operate.
2 Control activities, which are control policies and procedures that
help ensure that the organization addresses risks and effectively
achieves its objectives.
3 Risk assessment, which is the process of identifying, analyzing, and
managing organizational risk.
4 Information and communication, which is the system that captures
and exchanges the information needed to conduct, manage, and
control organizational operations.
5 Monitoring company processes and controls, so modifications and
changes can be made as conditions warrant.
COSO's Enterprise Risk Management Framework is a new and improved
version of the Integrated Control Framework. It is the process the board
of directors and management use to set strategy, identify events that
may affect the entity, assess and manage risk, and provide reasonable
assurance that the company achieves its objectives and goals.
The basic principles behind ERM are:
Companies are formed to create value for their owners.
Management must decide how much uncertainty it will accept as it
creates value.
Uncertainty results in risk and opportunity, which are the
possibilities that something negatively or positively affects the
company's ability to create or preserve value.
The ERM framework can manage uncertainty as well as create and
preserve value.
The ERM framework takes a risk-based rather than a controls-based
approach. As a result, controls are flexible and relevant because they
are linked to current organizational objectives.
The ERM model also recognizes that risk, in addition to being controlled,
can be accepted, avoided, diversified, shared, or transferred. Because the
ERM model is more comprehensive than the Internal Control framework, it
will likely become the more widely adopted of the two models.
3. Explain what is meant by objective setting and describe the four
types of objectives used in ERM.
Objective setting is determining what the company hopes to achieve. It is often
referred to as the corporate vision or mission.
The four types of objectives used in ERM are:
1 Strategic objectives are high-level goals that align with the
company's mission, support it, and create shareholder value.
Management should identify alternative ways of accomplishing the
strategic objectives, identify and assess the risks and implications of
each alternative, and formulate a corporate strategy.
2 Operations objectives deal with the effectiveness and efficiency
of company operations and determine how to allocate resources.
They reflect management preferences, judgments, and style and
are a key factor in corporate success. They vary significantly - one
company decides to be an early adopter of technology, another
adopts technology when it is proven, and a third adopts it only after
it is generally accepted.
3 Reporting objectives help ensure the accuracy, completeness,
and reliability of company reports; improve decision-making; and
monitor company activities and performance.
4 Compliance objectives help the company comply with all
applicable laws and regulations.
Explain how to assess and respond to risk using the Enterprise Risk
Management (ERM) model.
RISK ASSESSMENT AND RISK RESPONSE
The risks of an identified event are assessed in several different ways:
likelihood, positive and negative impact, individually and by category, their
effect on other organizational units, and on an inherent and residual basis.
Inherent risk: the risk that exists before management takes any steps to
control the likelihood or impact of a risk.
Residual risk: the risk that remains after management implements internal
controls or some other form of response to risk.
Management can respond to risk in one of four ways:
Reduce it. Reduce the likelihood and impact of risk by implementing an
effective system of internal controls.
Accept it. Accept the likelihood and impact of the risk.
Share it. Transfer some of it to others via activities such as insurance,
outsourcing, or hedging.
Avoid it. Avoid risk by not engaging in the activity that produces the risk.
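An added example, not part of these notes or of the ERM framework itself, that scores a small constructed risk register on an inherent and residual basis (likelihood times impact, then reduced by the effectiveness of the controls already in place) and maps each event to one of the four responses above. The 1-to-5 scales, the control-effectiveness figures, the risk appetite and the decision rule that picks a response are assumptions made for illustration.

```python
"""Added example: a small risk register scored on an inherent and residual basis.

Illustrative code written for these notes. The scoring scale, the sample events,
the appetite and the response rule are constructed assumptions, not part of the
ERM framework.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class RiskEvent:
    name: str
    likelihood: int               # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                   # 1 (negligible) .. 5 (severe), assumed scale
    control_effectiveness: float  # 0.0 (no controls) .. 1.0 (fully mitigated)

    def inherent(self) -> int:
        """Risk before management takes any steps: likelihood x impact."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Risk remaining after the controls already in place are applied."""
        return round(self.inherent() * (1 - self.control_effectiveness), 2)


def choose_response(event: RiskEvent, appetite: float) -> str:
    """Assumed decision rule (not from the notes): compare the residual score
    with the risk appetite and return one of the four ERM responses."""
    if event.residual() <= appetite:
        return "accept"          # within appetite: accept likelihood and impact
    if event.likelihood >= 4 and event.impact >= 4:
        return "avoid"           # too likely and too severe: stop the activity
    if event.impact >= 4:
        return "share"           # severe but unlikely: insurance, outsourcing, hedging
    return "reduce"              # otherwise strengthen internal controls


def assess(register: List[RiskEvent], appetite: float) -> List[Tuple[str, int, float, str]]:
    """Return (name, inherent, residual, response) rows, highest residual first."""
    rows = [(e.name, e.inherent(), e.residual(), choose_response(e, appetite))
            for e in register]
    return sorted(rows, key=lambda r: r[2], reverse=True)


REGISTER = [  # constructed sample register
    RiskEvent("Data centre fire", 1, 5, 0.0),
    RiskEvent("Invoice input errors", 5, 2, 0.4),
    RiskEvent("New product line with unproven supplier", 4, 5, 0.2),
    RiskEvent("Minor stationery pilferage", 3, 1, 0.0),
]
APPETITE = 4.0  # assumed: residual scores at or below this are accepted

if __name__ == "__main__":
    for name, inherent, residual, response in assess(REGISTER, APPETITE):
        print(f"{name:42} inherent={inherent:2} residual={residual:5} -> {response}")
```

Sorting on the residual rather than the inherent score is what makes the register useful for deciding where the next control investment goes: an event with a high inherent score that is already well controlled sinks down the list, while an uncontrolled one rises.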