
ELECTRONIC DATA PROCESSING (EDP)

I. EDP TERMINOLOGY

A. Communicating with the Computer

Source code (human languages) ---------> Compiler ---------> Object code (machine languages)

B. Data Organization

Data hierarchy | Definition | Example

Bit | a 0 or a 1 | 0 or 1

Byte | a group of related bits | A, B, 1, 2

Field | a group of related bytes | name

Record | a group of related fields | name, SS#, rate

File | a group of related records | payroll for all employees

Data Base | a group of related files | payroll and personnel

Data Base -- A centralized set of interrelated files combined to reduce data redundancy and enhance data consistency. The data base is accessible to multiple authorized users who utilize it in performing various applications e.g. payroll, general ledger update, billing etc.

Example: A bank may maintain a data base system for customers’ savings accounts that includes the customers’ names, addresses, account numbers, and the activity in and balances of the savings accounts. From this data base, a variety of users can extract information for different purposes. Tellers can use the data base to determine whether or not a customer has sufficient funds for a withdrawal. The accounting function can use the data base to compute interest payments. The marketing function can use the data base to gather names and addresses for a marketing survey.

Data bases can be hierarchical or networked, but by far the most popular database structure is relational. Relational databases resemble spreadsheets, but allow tremendous flexibility in manipulating the data. The underlying basis of all major accounting software packages is now a relational database.

Data Base Management System (DBMS) - a set of software programs which manages (creates, accesses and maintains) the database.


Access controls are very important and typically include restrictions on which fields can be accessed by which users and/or which machine locations. Special attention must be paid to backup procedures. A database administrator is also an important control in a database environment.

Data Base Administrator (DBA) - Maintains the 1) DBMS 2) data dictionary - which defines the data 3) controls over the DB and 4) Utility programs. When a DBA exists the auditor must be aware of the inherent violation of separation of duties. The DBA serves an important control mechanism in

C. Data Storage Mechanisms

TAPE

- sequential access

- batch processing

- use when large data files are infrequently accessed or data is needed for an extended time period -- BACKUP

- advantages: cheaper; updating doesn’t destroy data

- disadvantage: must read entire file up to desired record

DISK

- random (direct) access

- OLRT processing

- use when frequent access or rapid retrieval is needed, or rapid update is needed

- advantages: fast access; less cumbersome

- disadvantages: more expensive; destructive update

D. Data Processing Methods

1. Batch Processing - data is accumulated by type of transaction (e.g. payroll or sales) and then it is both entered and processed in batches at one time. The advantages of batch processing are hard copy documentation and batch control totals/reference numbers.

[Flowchart: batch processing. Labels: Key Data to Tape; Errors for Correction and Reentry; Transaction File; Sort; Sorted Transaction File; Validate; Validated Transaction File; Old Master File; Process and File Update; Updated Master File]

Master file=Transaction file =


2. On-line Entry/Batch Processing - individual transactions are entered directly into the computer via terminal which allows them to be subjected to certain edit or validation checks. A validated transaction file is accumulated as the transactions are entered and is later used to update the master file. Batch controls are still used.

[Flowchart: on-line entry/batch processing. Labels: Terminal (Entry of data & Receive Error/Validation Messages); Validate Transactions (and store); Transaction File (Validated); Periodic Processing; Master File]

3. On-line Entry/On-line Processing - similar to #2 except the master files are updated concurrently with data entry and a transaction log (or register) is produced that consists of a chronological record of all transactions.

[Flowchart: on-line entry/on-line processing. Labels: Terminal (Entry of data & Receive Error/Validation Messages; Receive Transaction Results); Immediate Validation, Update & Process; Master Files/Database; Transaction Log]

E. Data Processing Configurations

1. Stand alone mainframe, mini or microcomputer

2. Networks--computers linked together to enhance individual and group productivity through “transmission media”. Each computer has a network interface card (hardware) which allows it to “hookup” to the other computers.

a. Networks facilitate sharing of data, processing and resources between different users e.g. files, databases, application programs, printers, scanners, tape backup devices, etc. They are sometimes called distributed processing systems. However distributed processing systems can also imply a traditional mainframe computer hooked up to a series of small computers. Regardless, LANs and distributed systems reduce the load on the main computer by transferring certain edit and processing functions to the users in remote sites. Networks can be either Local Area Networks (LANs) or Wide Area Networks (WANs). Both kinds of networks can carry either voice or data.


i. LOCAL AREA NETWORK (LAN) - a configuration of microcomputers located in a close physical relationship which facilitates high speed communication and information sharing between them. In a LAN, the machines are connected by cables (typically coaxial, copper or fiber optic). A dedicated high-speed, high-capacity microcomputer (called a server) allows the linked computers to access the same data, software, and peripheral equipment simultaneously, as well as communicate with each other.

ii. WANs-- cover larger geographical distances and can be private (e.g. a particular company’s—called an Intranet or Extranet) or public (e.g. the Internet). In a WAN, the machines are typically connected by phone lines, but satellites or microwaves can also be used.

The Internet and Electronic Commerce

What is electronic commerce? Broadly defined, it is any business activity taking place using electronic communication software. It describes all types of business transactions, including internal business functions, business-to-business transactions, and business-to-consumer exchanges. Compared to traditional methods of doing business, on-line, transaction-oriented communication offers numerous and significant benefits. Enhanced productivity, better service, worldwide 24 hour availability, fast access to a wide range of useful information, and the ability of a small business to compete with a much larger business are just a few.

The financial impact of continuing growth is significant

The popularity and functionality of the Internet is growing daily. Depending on whose numbers you believe, there are between 25 and 80 million people using the Internet. By the year 2000 it is predicted that 200 million users will be connected via the Internet. If the growth continues as most Internet service providers (ISPs) predict, by 2010 a billion people will be on-line. The financial impact of this growth is significant. Analysts suggest that the entire Internet market will swell to over $150 billion by the year 2000. While consumer purchasing is expected to mushroom, business users will account for the lion’s share of Web commerce. The forecast for Internet commerce by consumers is projected to grow from $730 million in 1996 to $20 billion in 2000, while business sales on the Internet will grow from $120 million to $134 billion. The impact of electronic commerce extends well beyond the Internet. Simply put, electronic commerce takes much of the complexity out of everyday business interactions. It reduces lead times, enhances productivity, and saves money, giving new meaning to the “faster, better, cheaper” model that has become the underlying principle of today’s global business arena. The use of Internet-based applications also has created a range of customer self-service activities that were not possible via traditional customer/supplier interactions. Buyers can check product availability and inventory levels, place orders, and determine the status of their orders any time of the day or night.

On-line security is now at its highest level in history

One element keeping electronic commerce from being readily accepted is the concern over transaction and information security. The issue of security has been extensively addressed through the application of new technologies, firewalls, decentralized systems, and encryption techniques. As a result, on-line security is at its highest level in history. You’re probably safer placing a credit card transaction over the Internet than handing your credit card to a complete stranger in a restaurant and asking the person to total your bill with it.

From: Strategies by Shenck & Associates


II. COMMON FLOWCHARTING SYMBOLS

Document -- This can be a manual form or a computer printout.

Computer Operation -- Computer process which transforms input data into useful information.

Manual Operation -- Manual (human) process to prepare documents, make entries, check output, etc.

Decision -- Determines which alternative path is followed (IF/THEN/ELSE conditions).

Input/Output -- General input or output to a process. Often used to represent accounting journals and ledgers on document flowcharts.

On-line Storage -- Refers to direct access computer storage connected directly to the CPU. Data is available on a random access basis.

Off-line Storage -- Refers to a file or indicates the mailing of a document, i.e., invoices or statements to customers. A letter in the symbol below the line indicates the order in which the file is stored (N = Numerical, C = Chronological, A = Alphabetical, D = Date, C/N = Customer number).

On-Page Connector -- Connects parts of flowchart on the same page.

Off-Page Connector -- Connects parts of flowchart on separate pages.

The greatest good you can do for another is not just to share your riches, but to reveal to him his own.

Benjamin Disraeli


Transmission line for data to computer

Display -- Visual display of data and/or output on a terminal screen.

Batch Total Tape -- Manually computed total before processing (such as the number of records to be processed). This total is recomputed by the computer and compared after processing is completed.

Magnetic Tape -- Used for reading, writing, or storage on sequential storage media.

Magnetic Disk -- Random access storage media used for reading, writing, or storage.

Annotation -- Provides additional description or information connected to symbol to which it annotates by a dotted line (not a flowline).

Flowline -- Shows direction of data flow, operations, and documents.

Manual Data Entry -- Refers to data entered through a terminal keyboard or key-to-tape or key-to-disk device. Sometimes they just use the manual operation symbol.

Communication Link -- Telecommunication line linking computer system to remote locations.

Items 1 through 3 are based on the following section of a system flowchart for a payroll application.

[Flowchart: labels in order of appearance: BATCHED TIME CARDS; symbol A; TIME CARD DATA; BATCHED TIME CARDS; symbol B; TIME CARD DATA; VALID TIME CARD DATA; ERRORS; symbol C]

1. Symbol A could represent

a. Computation of gross pay.

b. Input of payroll data.

c. Preparation of paychecks.

d. Verification of pay rates.

2. Symbol B could represent

a. Computation of net pay.

b. Separation of erroneous time cards.

c. Validation of payroll data.

d. Preparation of the payroll register.

3. Symbol C could represent

a. Batched time cards.

b. Unclaimed payroll checks.

c. Erroneous time cards.

d. An error report.

Nothing gives one person so much advantage over another as to remain cool and unruffled under all circumstances.

Thomas Jefferson


4. Which of the following symbolic representations indicates that new payroll transactions and the old payroll file have been used to prepare payroll checks, prepare a printed payroll journal, and generate a new payroll file? a.

b.

c.

d.

Item 5 is based on the following flowchart:

[Flowchart: labels: Sales Invoices; Credit Memos; symbol X; Input Data; Input Data; Transactions File; Master File; Computer Update Run; Updated Master File; Transaction Register; Exception Reporting]

5. In a credit sales and cash receipts system flowchart symbol X could represent

a. Auditor’s test data.

b. Remittance advices.

c. Error reports.

d. Credit authorization forms.

Items 6 and 7 are based on the following flowchart of a client’s revenue cycle:

6. Symbol A most likely represents

a. Remittance advice file.

b. Receiving report file.

c. Accounts receivable master file.

d. Cash disbursements transaction file.

7. Symbol B most likely represents

a. Customer orders.

b. Receiving reports.

c. Customer checks.

d. Sales invoices.

BIG ROCKS

One day an expert was speaking to a group of business students and, to drive home a point, used an illustration those students will never forget. As this man stood in front of the group of high-powered overachievers he said, "Okay, time for a quiz." Then he pulled out a one-gallon, wide-mouthed mason jar and set it on a table in front of him. Then he produced about a dozen fist-sized rocks and carefully placed them, one at a time, into the jar. When the jar was filled to the top and no more rocks would fit inside, he asked, "Is this jar full?" Everyone in the class said, "Yes." Then he said, "Really?" He reached under the table and pulled out a bucket of gravel. Then he dumped some gravel in and shook the jar causing pieces of gravel to work themselves down into the spaces between the big rocks. Then he asked the group once more, "Is the jar full?" By this time the class was onto him. "Probably not," one of them answered. "Good!" he replied. He reached under the table and brought out a bucket of sand. He started dumping the sand in and it went into all the spaces left between the rocks and the gravel. Once more he asked the question, "Is this jar full?" "No!" the class shouted. Once again he said, "Good!" Then he grabbed a pitcher of water and began to pour it in until the jar was filled to the brim. Then he looked up at the class and asked, "What is the point of this illustration?" One eager beaver raised his hand and said, "The point is, no matter how full your schedule is, if you try really hard, you can always fit some more things into it!" "No," the speaker replied, "that's not the point. The truth this illustration teaches us is: If you don't put the big rocks in first, you'll never get them in at all." What are the 'big rocks' in your life? A project that YOU want to accomplish? Time with your loved ones? Your faith, your education, your finances? A cause? Teaching or mentoring others? 
Remember to put these BIG ROCKS in first or you'll never get them in at all. --- So, tonight or in the morning when you are reflecting on this short story, ask yourself this question: What are the 'big rocks' in my life or business? Then, put those in your jar first.

SOME ACCOUNTING JOKES


What's the definition of an accountant? Someone who solves a problem you didn't know you had in a way you don't understand.

What's the definition of a good tax accountant? Someone who has a loophole named after him.

What's an auditor? Someone who arrives after the battle and bayonets all the wounded.

An accountant is having a hard time sleeping and goes to see his doctor. "Doctor, I just can't get to sleep at night." "Have you tried counting sheep?" "That's the problem-I make a mistake and spend three hours trying to find it."

*****

A fellow has been learning to be a balloonist and takes his first solo flight. Unfortunately the wind gets up, he is blown off course and forced to land. He is in a paddock close to a road, but has no idea where he is.

He sees a car coming along the road and hails it. The driver gets out and the balloonist says, "G'day mate, can you tell me where I am?” "Yes, of course." says the motorist. "You have just landed your balloon and with this wind you have obviously been blown off course. You are in the top paddock on John Dawson's farm, 13.5 kilometers from Condobolin. John will be ploughing the paddock next week and sowing wheat. There is a bull in the paddock. It's behind you and about to attack you." At that moment the bull reaches the balloonist and tosses him over the fence. Luckily he is unhurt. He gets up, dusts himself off and says to the motorist, "I see you're an accountant!".

"Good grief", says the other man, "you're right. How did you know that?" "I employ accountants," says the balloonist. "The information you gave me was detailed, precise and accurate. Most of all it was useless and arrived far too late to be of any help."

*****

A business man was interviewing applicants for the position of divisional manager. He devised a simple test to select the most suitable person for the job. He asked each applicant the question, "What is two and two?"

The first interviewee was a journalist. He answered "Twenty-two".

The second applicant was an engineer. He pulled out a slide-rule and showed the answer to be between 3.999 and 4.001.

The next person was a lawyer. He stated that in the case of Jenkins vs. Commissioner of Stamp Duties (Qld), two and two was proven to be four.

The last applicant was an accountant. The business man asked him, "How much is two and two?" The accountant got up from his chair, went over and closed the door, then came back and sat down. He leaned across the desk and said in a low voice, "How much do you want it to be?"

The accountant got the job.

Number 2 (Estimated time - 15 to 25 minutes)

Required: The flowchart on the following page depicts part of a revenue cycle. Some of the flowchart symbols are labeled to indicate control procedures and records. For each symbol numbered 1 through 13, select one response from the answer lists below. Each response in the lists may be selected once or not at all.

Answer Lists

Operations and control procedures

A. Enter shipping data

B. Verify agreement of sales order and shipping document

C. Write off accounts receivable

D. To warehouse and shipping department

E. Authorize account receivable write-off

F. Prepare aged trial balance

G. To sales department

H. Release goods for shipment

I. To accounts receivable department

J. Enter price data

K. Determine that customer exists

L. Match customer purchase order with sales order

M. Perform customer credit check

N. Prepare sales journal

O. Prepare sales invoice

1.   2.   3.   4.   5.   6.   7.   8.   9.   10.   11.   12.   13.

Documents, journals, ledgers, and files

P. Shipping document

Q. General ledger master file

R. General journal

S. Master price file

T. Sales journal

U. Sales invoice

V. Cash receipts journal

W. Uncollectible accounts file

X. Shipping file

Y. Aged trial balance

Z. Open order file

You can’t stay mad at somebody who makes you laugh.

Jay Leno


CPA FLOWCHART

[Flowchart, November 1993: part of a revenue cycle, drawn in three columns headed SALES DEPT., COMPUTER PROCESSING DEPARTMENT, and WAREHOUSE & SHIPPING DEPARTMENT.

Program boxes:

COMPUTERIZED ORDER PROGRAM: #1 and perform edit checks and prepare sales order

COMPUTERIZED SHIPPING PROGRAM: Retrieve Open Orders; Add Shipping Data; Transfer to Shipping File; and Prepare Shipping Documents

COMPUTERIZED BILLING PROGRAM: Retrieve Shipping Data; Enter Price Data; Prepare Sales Transaction File; and #7

COMPUTERIZED UPDATE PROGRAM: Update master files; Prepare G/L Transaction Summary, Prepare Accounts Receivable Ledger, Prepare Aged T/B, and #11

Documents and files shown: Customer Purchase Order; Customer P.O.; Sales Order; Shipping Document; Cust. Credit File; Accounts Rec. Master File; Shipping File; Inventory Master File; Sales Transaction File; General Ledger Transaction Summary; Accounts Receivable Ledger.

Other labels: From Customer; From Computer Processing Dept.; To Warehouse and Shipping Dept.; To Customer; To Customer with Goods; To Accounting; To Accounts Receivable; To Customer Credit; Transmit Customer Data to Computer; Transmit Shipping Information to Computer.

Numbered symbols to be identified: #1 through #13.]

If you want to lead the orchestra you must be willing to turn your back on the crowd. Max Lucado


DESCRIPTION OF BATCH PROCESSING SYSTEM FOR A PAYROLL APPLICATION

Preparing the Payroll. Figure 1 illustrates typical controls in a basic system for preparing the payroll in the payroll and EDP departments. On receipt of the clock cards and time tickets in the payroll department, the documents are batched and a batch total is prepared of hours worked. The documents and a batch transmittal form are then sent to data control in the EDP department. Data control verifies the information on the batch transmittal form, enters the batch totals in a control log, and forwards the data to data entry where it is keyed to tape and verified. The resulting payroll transactions tape is then used in preparing the payroll.

In run 1, the payroll transactions are sorted by employee number and the data are subjected to an edit check routine. This includes a check for valid employee number and a limit or reasonableness check on the hours worked. The output of this run consists of a valid payroll transactions tape and an exceptions and control report that is sent to data control. Data control compares the control totals with the batch control log, informs the payroll department of exceptions discovered by the edit routine, and follows up to see that payroll submits corrected data. These controls over the data entry process preceding the calculation of the payroll contribute to the existence or occurrence, completeness, and valuation or allocation assertions for payroll transactions.
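The run 1 edit routine and the data control comparison described above, sketched as an added example (not part of the original handout). The function names, the 80-hour limit, the employee numbers and the keyed batch are all constructed for illustration.

```python
from decimal import Decimal, InvalidOperation

MAX_HOURS = Decimal("80")  # assumed reasonableness limit for one pay period

# Constructed sample data: payroll batched five time cards totalling 198.5 hours.
EMPLOYEE_MASTER = {"1007", "1015", "1042", "1100", "1131"}
TRANSMITTAL = {"record_count": 5, "hours_total": Decimal("198.5")}
# As keyed to tape: 38.5 transposed to 35.8, 40 keyed as 400, and 1131 miskeyed as 1099.
KEYED_BATCH = [("1042", "40"), ("1007", "35.8"), ("1100", "40"),
               ("1015", "400"), ("1099", "40")]


def run_1(transactions, employee_master, transmittal):
    """Sort by employee number, apply the edit checks, and build control totals.

    Returns (valid_transactions, exceptions, control_report).
    """
    valid, exceptions = [], []
    keyed_hours = Decimal("0")
    for emp, text in sorted(transactions):
        try:
            hours = Decimal(text)
        except InvalidOperation:
            hours = None
        # Decimal accepts "NaN" and "Infinity"; neither is a usable hours value.
        if hours is None or not hours.is_finite():
            exceptions.append((emp, text, "hours not numeric"))
            continue
        keyed_hours += hours
        if emp not in employee_master:          # valid employee number check
            exceptions.append((emp, text, "invalid employee number"))
        elif not Decimal("0") < hours <= MAX_HOURS:   # limit (reasonableness) check
            exceptions.append((emp, text, "hours outside limit"))
        else:
            valid.append((emp, hours))
    report = {
        "records_keyed": len(transactions),
        "records_valid": len(valid),
        "records_rejected": len(exceptions),
        "hours_keyed": keyed_hours,
        "hours_valid": sum((h for _, h in valid), Decimal("0")),
        "count_agrees": len(transactions) == transmittal["record_count"],
        "hours_difference": keyed_hours - transmittal["hours_total"],
    }
    return valid, exceptions, report


def data_control_follow_up(exceptions, report):
    """List what data control must take back to the payroll department."""
    items = [f"{emp}: {reason} (keyed {text!r})" for emp, text, reason in exceptions]
    if not report["count_agrees"]:
        items.append("record count differs from batch transmittal")
    if report["hours_difference"] != 0:
        items.append(f"hours total differs from control log by {report['hours_difference']}")
    return items


if __name__ == "__main__":
    _, found, totals = run_1(KEYED_BATCH, EMPLOYEE_MASTER, TRANSMITTAL)
    for line in data_control_follow_up(found, totals):
        print(line)
```

The transposed 35.8 passes both edit checks; only the comparison against the batch total logged by data control reveals it, which is why the two controls are used together.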

In the system shown in Figure 1, the calculation of the payroll and the preparation of the payroll register and payroll checks occur in run 2. The program uses data from the valid payroll transactions tape and the personnel data and employee earnings master files. This run also records the payroll as described in the next section.

Recording the Payroll. As the gross pay, deductions, and net pay are calculated in run 2 for each employee, the program updates the employee earnings master file, and accumulates totals for the payroll journal entry that is generated and entered in the general ledger master file at the conclusion of the run. The following printed outputs of this run are sent to data control:

* An exceptions and control report that is reviewed by data control before distributing the other printed output.

* A copy of the payroll register that is returned along with the clock cards and time tickets to the payroll department for comparison with the original batch transmittal data.

* A second copy of the payroll register and prenumbered payroll checks that are sent to the treasurer's office.

* A general ledger summary that is sent to accounting showing the payroll entry generated by the payroll program.


Remember one thing about democracy. We can have anything we want and at the same time, we always end up with exactly what we deserve.

Edward Albee


CPA ESSAY QUESTIONS ON PAYROLL INPUT CONTROLS

Talbert Corporation hired an independent computer programmer to develop a simplified payroll application for its newly purchased computer. The programmer developed an on-line, data-based micro-computer system that minimized the level of knowledge required by the operator. It was based upon typing answers to input cues that appeared on the terminal's viewing screen, examples of which follow.

A. Access routine:

1. Operator access number to payroll file?

2. Are there new employees?

B. New employees routine:

1. Employee name?

2. Employee number?

3. Social security number?

4. Rate per hour?

5. Single or married?

6. Number of dependents?

7. Account distribution?

C. Current payroll routine:

1. Employee number?

2. Regular hours worked?

3. Overtime hours worked?

4. Total employees per payroll period?

The independent auditor is attempting to verify that certain input validation (edit) checks exist to ensure that errors resulting from omissions, invalid entries, or other inaccuracies will be detected during the typing of answers to the input cues. Identify the various types of input validation (edit) checks the independent auditor would expect to find in the EDP system. Describe the assurances provided by each identified validation check. Do not discuss the review and evaluation of these controls.

Answer -- The following edit checks might be used to detect errors during the typing of answers to the input cues:

* Password -- ensures that the operator is authorized to access computer programs and files.

* Numeric check -- ensures that numbers are entered into and accepted by the system where only numbers are required to be entered, e.g., numbers 0-9 in social security number.

* Alphabetic check -- ensures that letters are entered into and accepted by the system where only letters are required to be entered, e.g., letters A-Z in employee name.

* Special character check -- ensures that only specific special characters are entered into and accepted by the system where only these special characters are required to be entered, e.g., dashes between numbers in social security number.

* Sign check -- ensures that positive or negative signs are entered into and accepted by the system where only such signs are required to be entered, e.g., hours worked.

* Arithmetic check -- ensures the validity of the result of a mathematical computation, e.g., total employees for period equals number of employee numbers in system.

* Validity check -- ensures that only authorized data codes will be entered into and accepted by the system where only such authorized data codes are required, e.g., authorized employee account numbers.

* Limit (reasonableness) check -- ensures that only data within predetermined limits will be entered into and accepted by the system, e.g., rate per hour cannot be lower than the minimum set by law or higher than the maximum set by management.

* Self-checking digit -- ensures that only specific code numbers prepared by using a specific arithmetic operation will be entered into and accepted by the system, e.g., employee numbers generated by the modulus method with prime number weighting.

* Size check -- ensures that only data using fixed or defined field lengths will be entered into and accepted by the system, e.g., number of dependents requires exactly two digits.

* Data check -- ensures that no blanks will be entered into and accepted by the system when data should be present, e.g., an “S” or “M” is entered in response to single or married.

* Overflow check -- ensures that no digits are dropped if a number becomes too large for a variable during processing, e.g., hourly rate "on size errors" are detected.

* Control total check -- ensures that no unauthorized changes are made to specified data or data fields and all data have been entered.
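Several of the field-level edit checks listed in the answer, applied to one keyed payroll record, as an added example (not part of the original handout or of the Talbert system). The field names, rate and hour limits, account codes, the five-digit employee number format and the modulus 11 weights are assumptions chosen for illustration, and both sample records are constructed.

```python
import re

PRIME_WEIGHTS = (7, 5, 3, 2)                 # assumed prime weights, modulus 11
VALID_ACCOUNTS = {"5100", "5200", "6100"}    # assumed authorized account codes
MIN_RATE, MAX_RATE = 7.25, 75.00             # assumed legal minimum / management maximum
MAX_HOURS = {"regular_hours": 40.0, "overtime_hours": 30.0}   # assumed limits
DECIMAL = re.compile(r"[+-]?[0-9]+(\.[0-9]+)?")   # rejects "nan", "inf", "1e9"
REQUIRED = ("name", "employee_number", "ssn", "rate", "marital",
            "dependents", "account", "regular_hours", "overtime_hours")


def check_digit(base):
    """Modulus 11 check digit for a 4-digit base; 10 means the number is never issued."""
    total = sum(int(d) * w for d, w in zip(base, PRIME_WEIGHTS))
    return (11 - total % 11) % 11


def employee_number_ok(number):
    """Self-checking digit: 4 base digits followed by their check digit."""
    return (re.fullmatch(r"[0-9]{5}", number) is not None
            and check_digit(number[:4]) == int(number[4]))


def validate_record(rec):
    """Return the list of (field, failed check); an empty list means accepted."""
    v = {f: str(rec.get(f, "")).strip() for f in REQUIRED}
    # Data check: no required answer may be blank.
    errors = [(f, "data") for f in REQUIRED if not v[f]]

    if v["name"] and not re.fullmatch(r"[A-Za-z]+( [A-Za-z]+)*", v["name"]):
        errors.append(("name", "alphabetic"))
    if v["employee_number"] and not employee_number_ok(v["employee_number"]):
        errors.append(("employee_number", "self-checking digit"))
    if v["ssn"]:
        if not re.fullmatch(r"[0-9]+", v["ssn"].replace("-", "")):
            errors.append(("ssn", "numeric"))
        elif not re.fullmatch(r"[0-9]{3}-[0-9]{2}-[0-9]{4}", v["ssn"]):
            errors.append(("ssn", "special character"))
    if v["rate"]:
        if not DECIMAL.fullmatch(v["rate"]):
            errors.append(("rate", "numeric"))
        elif not MIN_RATE <= float(v["rate"]) <= MAX_RATE:
            errors.append(("rate", "limit"))
    if v["marital"] and v["marital"] not in ("S", "M"):
        errors.append(("marital", "validity"))
    if v["dependents"] and not re.fullmatch(r"[0-9]{2}", v["dependents"]):
        errors.append(("dependents", "size"))
    if v["account"] and v["account"] not in VALID_ACCOUNTS:
        errors.append(("account", "validity"))
    for field, limit in MAX_HOURS.items():
        if not v[field]:
            continue
        if not DECIMAL.fullmatch(v[field]):
            errors.append((field, "numeric"))
        elif float(v[field]) < 0:
            errors.append((field, "sign"))
        elif float(v[field]) > limit:
            errors.append((field, "limit"))
    return errors


# Constructed sample answers to the input cues.
GOOD_RECORD = {"name": "Dana Reyes", "employee_number": "12358",
               "ssn": "000-12-3456", "rate": "21.50", "marital": "M",
               "dependents": "02", "account": "5100",
               "regular_hours": "40", "overtime_hours": "3.5"}
BAD_RECORD = {"name": "Dana R3yes", "employee_number": "21358",  # digits transposed
              "ssn": "000123456", "rate": "210.50", "marital": "",
              "dependents": "2", "account": "9999",
              "regular_hours": "-8", "overtime_hours": "nan"}

if __name__ == "__main__":
    for field, check in validate_record(BAD_RECORD):
        print(f"{field}: failed {check} check")
```

The numeric check uses an explicit pattern rather than a float conversion because values such as "nan" convert without error and then pass every limit comparison.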

Nothing increases your golf score like witnesses.

Bits ’n Pieces

FIGURE 2—REVENUE FLOWCHART


DESCRIPTION OF ON-LINE ENTRY/BATCH PROCESSING FOR REVENUE APPLICATION

Figure 2 shows a flowchart of an on-line batch entry processing system that incorporates most of the controls discussed in the preceding sections.

In the illustrated system, as orders are received sales order clerks use on-line terminals and an order program to determine that the customer has been approved, and that the order will not cause the customer's balance to exceed the customer's authorized credit limit. The program also checks the inventory master file to determine that goods are on hand to fill the order. If the order is accepted, the computer enters it into an open order file and a multicopy sales order form is produced on a printer in the sales order department. When an order is not accepted, a message is displayed on the terminal indicating the reason for rejection.

Copies of the approved sales order are forwarded to the warehouse as authorization to release goods to shipping. In shipping, personnel first make an independent check on agreement of the goods received with the accompanying sales order form. They then use their on-line terminals and a shipping program to retrieve the corresponding sales order from the open order file and add appropriate shipping data. Next the computer transfers the transaction from the open order file to a shipping file and produces a shipping document on the printer in the shipping department.

As matching shipping documents and sales order forms are received in the billing department, they are batched and batch totals are manually compared. Using their on-line terminals and a billing program, billing department personnel first enter the manually prepared batch totals. Next the previously entered order and shipping data for each transaction is retrieved from the shipping file and a sales invoice is generated using prices from the master price file. As each billing is completed, the computer enters it into a sales transactions file. After all the transactions in a batch have been processed in this manner, the billing program compares a computer generated batch total with the manual batch total previously entered by the billing clerk. Discrepancies are displayed on the terminal and corrected by the billing clerks before processing continues. Finally, sales invoices for the batch are printed in the EDP department and distributed as shown in the flowchart.

The recording of sales transactions is completed at the end of each day when the EDP department runs the master file update program. As shown, this program updates three master files and produces a sales journal and general ledger transaction summary which are sent to accounting. The use of a separate program to produce monthly customer statements is not shown in the flowchart.


Each of us is given a pocketful of time to spend however we may. We use what we will. We waste what we will. But we can never get back a day.

Roger Wilcox

DESCRIPTION OF AN ONLINE ENTRY/BATCH PROCESSING SYSTEM FOR AN EXPENDITURE APPLICATION

A flowchart of a representative system for processing purchases transactions is shown in Figure 3. In this system, purchase orders are prepared in the purchasing department using on-line terminals. Multicopy purchase orders are printed and distributed as shown in the figure. In addition, an open purchase order file is maintained on the computer.

When goods arrive in the receiving department, a copy of the matching purchase order is pulled from the file. The goods are then counted, inspected and compared against the copy of the purchase order. Next, receiving clerks use their computer terminals to retrieve the computer record of the purchase order from the open purchase order file. After a clerk keys in the quantities received on an order, the computer produces a multi-copy receiving report and transfers the record from the open purchase order file to the receiving report file. The copies of the receiving report are distributed as shown in the flowchart.

Copies of the purchase order and receiving report for each transaction are placed in a holding file in the vouchers payable department pending arrival of the matching vendor’s invoice. Once the vendor’s invoice arrives, a vouchers payable clerk checks its mathematical accuracy and compares it with the purchase order and receiving report. Batches of approved matched documents are assembled and a batch total is calculated manually. Data keyed in from the vendors’ invoices, together with matching data extracted by the computer from the receiving report file, are then used to create a record for each voucher in the purchases transactions file. The vouchers and a voucher summary are then printed. The voucher summary is compared with the manual batch total in vouchers payable and any differences are resolved. The summary is then forwarded to accounting. The vouchers are collated with the supporting documents and placed in a file by due date in the vouchers payable department.

The purchases transactions file is subsequently used to update the accounts payable, inventory and general ledger master files. Outputs of that run include a voucher register listing the newly processed vouchers, and a general ledger summary showing the totals posted to the general ledger accounts. These printouts are forwarded to accounting where they are reviewed on a daily basis and reconciled with the voucher summaries received from vouchers payable.

On their due dates approved vouchers are manually pulled from the unpaid voucher file in the vouchers payable department and a batch total is prepared. In the system shown, as clerks key in each voucher number, the cash disbursements program is used to prepare a check based on information in the accounts payable master file. In addition, the program enters the payment data in a cash disbursement transaction file and produces a check summary which is compared with the batch total prepared in V/P. The checks, check summary, and vouchers are then forwarded to the treasurer’s department.

In the treasurer’s department, an independent check is made to determine the existence of an approved voucher for each check. Also the payee’s name and check amount are agreed with the voucher. The supporting documents for each voucher are then stamped “paid”, and the check is signed and mailed with the remittance advice. A copy of the check is attached to the voucher and filed in the paid voucher file. The check summary and copies of all the checks are sent to accounting. The cash disbursements update program is then used to update the accounts payable and general ledger master files based on data in the cash disbursements transaction file. This program also produces the cash disbursement journal and a general ledger summary showing the totals posted to general ledger accounts. These are forwarded from EDP to the accounting department where they are compared with the check summary received from the treasurer.

The perfection of the means and the confusion of the end is the characteristic that marks our time.

--Einstein (Some things never change!!!)

FIGURE 3 -- EXPENDITURE CYCLE

[Flowchart not reproduced. Department columns: Purchasing, Receiving, Vouchers Payable, EDP, Treasurer.]

During our computer class, the teacher chastised one boy for talking to the girl sitting next to him. “I was just asking her a question,” the boy said. “If you have a question, ask me,” the teacher tersely replied. “Okay,” he answered. “Do you want to go out with me Friday night?”

-Contributed by Tracy Maxwell

EXAMPLE OF A DATA BASE FOR THE EXPENDITURE CYCLE

Vendor Record: Vendor number, Vendor name, Vendor address, Payment terms, Current balance, Quality code, Reliability code, Other vendor history data

Purchase Order Record: PO number, Vendor number, Order date, Buyer code

Vendor Invoice Record: Invoice number, Vendor number, Invoice date, PO number, Payment terms, Date due, Invoice subtotal, Freight charges, Invoice total

Purchase Line Items: PO number, Stock number, Quantity ordered, Quantity received, Order price

Invoice Line Items: Invoice number, Stock number, Quantity ordered, Quantity shipped, Unit price, Item total

Quotation Record: Vendor number, Stock number, Quote date, Quoted price

Receiving Report Record: Report number, Vendor number, PO number, Receipt date, Receiver code, Shipper code

Receiving Line Items: Report number, Stock number, Quantity received, Description and comments

Materials Inventory Record: Stock number, Item description, Location code, Vendor code, Reorder point, Order quantity, Quantity on hand, Quantity on order, Quantity reserved, Unit cost, Total cost

III. CHARACTERISTICS OF EDP SYSTEMS THAT DIFFER FROM MANUAL SYSTEMS

Uniform Processing of Transactions
- Computers process like transactions in a like manner, so they are subject to the same controls
- Therefore, computers virtually eliminate clerical error
- Computers will only err systematically, unlike humans who err on a random basis

Segregation of Functions
- Many I/C procedures performed by separate individuals may be combined in EDP systems
- Special concern that individuals with access to the computer not have other incompatible duties (e.g. ability to initiate or change transactions)

Potential For Errors & Irregularities
- Decreased human involvement in handling transactions reduces the potential for observing errors/irregularities
- The average computer fraud is ten times greater than the average manual fraud

Initiation or Subsequent Execution of Transactions by Computer
- Computer authorization of “Automatic” transactions may not be well documented
- Errors in POS can have multiple effects

Transaction Trail
- May be lost, partially obscured, or only exist on a temporary basis
- Many control procedures in EDP systems do not leave documentary evidence of performance
- Files and records are in machine readable form and can’t be read without the computer

Electronic Audit Trail – Elements of a Computer Log

Unique identification of transaction. Examples include the assignment of a number by the computer. The unique identifier could be assigned sequentially or could consist of a location identifier and a unique number for that location. Sales invoices, for example, are sequentially numbered by the computer application.

Date and time of transaction. These could be assigned automatically by the computer application.

Individual responsible for the transaction. When a party logs on to a computer terminal to initiate or authorize a transaction there is evidence of who the party is and the location from which the transaction was initiated. The login used to gain access to the computer can identify the source of the transaction.

Procrastination is like a credit card: It’s a lot of fun until you get the bill. Christopher Parker


WAVE OF THE FUTURE--NO HARD COPY DOCUMENTS!!!!

In the not-too-distant future, ELECTRONIC DATA INTERCHANGE (EDI) is expected to be commonplace. Already, about 75% of the Fortune 100 companies and 39% of the Fortune 500 use EDI to some extent. Examples include the following:

- Computers at over 3,000 suppliers to Chrysler accept purchase orders transmitted by computers at Chrysler assembly plants, and in turn electronically invoice Chrysler’s computers for parts shipped.

- Wal-Mart, which operates the largest EDI program in the retail industry, processes about 75% of its payments to suppliers with EDI.

Among other benefits, proponents claim that EDI can cut, in half, the currently estimated 7% of corporate spending that goes for processing orders, sending invoices, and other administrative costs.

EDI is the electronic exchange of business transactions, in a standard format, from one entity's computer to another entity's computer through an electronic communications network. If a private communications network is being used it is called a VAN--Value Added Network. But, an increasing number of EDI transactions are conducted over the Internet. EDI is commonly used for purchasing, processing accounts payables, invoicing, and financial applications. In EDI systems, documents such as purchase orders, invoices, shipping forms, bills of lading, and checks are converted by “translation software” into electronic transactions conforming to a standard format. For example, in electronic funds transfer systems, a form of EDI, electronic transactions replace checks as a means of payment.

Computers are useless. They only give you answers. Picasso


EDP CONTROLS

Among the objectives of internal controls are to provide reasonable, but not absolute, assurance that 1) assets are safeguarded from unauthorized use or disposition, and 2) financial records are reliable enough to permit the preparation of financial statements. These objectives remain the same in an EDP environment. However, there are certain modifications we need to make in how we think of the internal control components--environment, information and communication, risk assessment, control activities (procedures), and monitoring--when the computer is introduced into the accounting process.

I. EFFECT OF COMPUTER ON CONTROL ENVIRONMENT

We use I B MACHO to remember the seven factors which reflect the overall attitude, awareness and actions of the board of directors, management, owners and others concerning the importance of internal control and its emphasis in the entity:

I  Integrity and ethical values
B  Audit Committee and Board of Directors
M  Philosophy of Management and operating style
A  Assignment of authority and responsibility
C  Commitment to competence
H  Human resource policies and procedures
O  Organizational structure

The organizational structure is particularly impacted when we have an EDP environment. A company should work to segregate functions to reduce the risk of error or fraud due to the human element.

A. Segregation of functions within the EDP department

1. Systems design--overall design of systems; prepares systems flowcharts; NO access to equipment

2. Programmer--designs application flowcharts, program coding and debugging, record input and report output layouts; prepares program run manual; access to equipment only when debugging; no access to live input

3. Operator--loads programs and inputs; supervises operations; receives output; can intervene by console (be sure to keep a log); allowed access only to operator instructions, not the entire program run manual

4. Librarian--custody of programs, program documentation and data files; allows access only to authorized persons at authorized times; keeps a check-out log; Today the librarian is generally a computer program.

5. Control group--receives input and output; reconciles output with input control totals; distributes output to only authorized persons; control of error log and reprocessing of errors; reviews console log for unauthorized access


B. Segregation of functions between EDP and users

1. EDP should not authorize or initiate transactions or have custody or access to non-EDP assets.

2. EDP should not correct non-EDP errors.

3. EDP should be organizationally separate from the departments it serves.

C. General policies

1. Bond all key EDP employees.

2. Rotate operators within shifts and responsibilities.

3. Enforce mandatory vacations.

4. Terminate fired employees immediately.

5. Have written standard operating procedures.

II. EFFECT OF THE COMPUTER ON THE CONTROL PROCEDURES

The computer has the most effect on a company’s control procedures. Recall that we use DAASI to remind us of the control procedures (activities) of a company. In an EDP environment, control procedures are generally comprised of a combination of general, application and user controls.

GENERAL CONTROLS--relate to the overall EDP environment and pertain to all applications. General controls relate to:

- Operations controls
- Changes to existing systems and programs
- Access to programs, data, equipment
- Developing new programs and systems

A weakness in general controls will have a pervasive effect and consequently makes it almost impossible to rely on the specific applications controls. Likewise, good general controls increase the assurance that application procedures operate effectively.

APPLICATION CONTROLS--relate to specific applications (e.g. revenue, payroll, expenditure) and consist of programmed controls and related manual follow-up procedures.

Programmed controls are actually embedded in the program, e.g. in the revenue cycle, the computer would match sales orders to shipping documents and print a report of all unfilled sales orders.

Related manual follow-up procedures involve employee follow-up of items listed on computer exception reports. For the example above, it would be an employee checking the status of back-ordered goods.

USER CONTROL PROCEDURES--represent manual checks of the completeness and accuracy of computer processing through comparing computer output against source documents or other input. For example, assume you sent 20 timecards to EDP for processing. A user control procedure would be to make sure that 20 paychecks came back from EDP (these totals are called control totals).

III. GENERAL CONTROLS

A. OPERATIONS CONTROLS are intended to ensure that application programs are used properly and that the proper data files are used during processing. They involve management review of regular and unscheduled job lists, restricting operator’s access to only the operations manual (not program documentation) and adequate procedures for managing and backing up data and program files.

1. Framework for controlling operations in the event of physical disaster or computer failure.
   a. Contingency procedures and back-up facilities plans for fires, floods, etc.
      Hot site vs. Cold site
   b. Duplicate (back-up) files--stored off premise
      Disk = dump
      Database = daily “snap shot”
      Note: Daily snapshots are retained until a weekly is created; weeklies are retained until a monthly is created; monthlies are retained until the yearly is created.
      Tape = Grandfather-Father-Son
      Master File =
      Transaction File =

2. Controls to make sure the proper files are used.
   a. Labels--external and internal
      i. external labels should be coded
      ii. internal labels (header and trailer labels)
          --Header: file serial #, volume serial #, file name, creation date and retention date
          --Trailer: number of blocks, record count, control totals, end of volume, and end of reel
   b. File protection rings - “no ring, no write”; read only switch for disks

3. Maintain an equipment failure (downtime) log

B. CHANGES OVER EXISTING PROGRAMS AND SYSTEMS includes controls intended to ensure that modifications to application programs are suitably approved, designed, tested and implemented.

1. A change request log should be kept.

2. Any changes should be approved by supervisor.

3. All changes should be made by programmers and tested before implementation.

4. Users should approve the tested changes.

5. All changes should be documented.

6. SOURCE CODE COMPARISONS.

C. ACCESS CONTROLS TO PROGRAMS AND DATA are intended to prevent or detect unauthorized changes to programs and files. Access is controlled both through restrictive physical controls and software controls that limit a) programmer access to production programs, live data files, and job control language; b) operator access to source code and individual elements of data files; and c) user access to defined programs and data files.

1. Restrict access to programs, program documentation and data files
   a. Password and passkeys
   b. External and internal labels
   c. Librarian-storage in a strongly constructed vault
      i. Store programs and data in strong vault
      ii. Keeps usage log and maintains authorization list
   d. Software packages are available to monitor authorized and unauthorized changes made to the files, programs or the operating system

2. Restrict access to computer equipment to only authorized personnel
   a. Passwords and passkeys, sign-in sheets
   b. Guards, locks, badges
   c. Don’t allow terminated personnel or disgruntled employees near the computer!!!!!
   d. Log of computer utilization-EDP control group should check for unauthorized use

3. Special consideration for restricting access in on-line real-time (OLRT) systems
   a. Restrict terminal to certain programs and data files
   b. Authorization tables--list the programs and data that each terminal and user is permitted to use, and identifies the activities each user is authorized to perform with each program and data set
   c. Locks on data records-restricts access to certain fields, records or files, e.g. number of hours and hourly rate, executive payroll

4. Special considerations regarding restricting access when using telecommunications (electronic transmission of data) (remember telephone wires can be tapped!)
   a. Call back units-prevent unauthorized users access to system
   b. Encryption-encode data to disguise it
   c. FIREWALL--security measure companies adopt to prevent outside users (particularly from the Internet) from accessing the company’s system
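The authorization tables of item 3 above, combined with the three audit-trail elements listed earlier (unique transaction identifier, date and time, responsible individual), as an added Python example that is not part of the original notes. All user names, terminal IDs, program names and activities are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed authorization table (all names are illustrative assumptions):
# (user, terminal) -> {program or data file: activities the user may perform}.
AUTH_TABLE = {
    ("payroll_clerk_01", "TERM-PAY-1"): {"payroll_entry": {"read", "add"}},
    ("payroll_mgr_01", "TERM-PAY-1"): {
        "payroll_entry": {"read", "add", "change"},
        "executive_payroll": {"read"},
    },
    ("receiving_clerk_01", "TERM-RCV-1"): {"receiving_report": {"read", "add"}},
}


class AccessLog:
    """Computer log holding the three audit-trail elements for every request."""

    def __init__(self):
        self.entries = []
        self._next_seq = defaultdict(int)  # one sequence per terminal (location)

    def record(self, user, terminal, program, activity, allowed):
        self._next_seq[terminal] += 1
        entry = {
            # Unique identifier: location identifier plus a number unique to it.
            "txn_id": f"{terminal}-{self._next_seq[terminal]:06d}",
            # Date and time, assigned by the program rather than keyed by the user.
            "timestamp": datetime.now(timezone.utc).isoformat(),
            # Individual responsible and the terminal the request came from.
            "user": user,
            "terminal": terminal,
            "program": program,
            "activity": activity,
            "result": "ALLOW" if allowed else "DENY",
        }
        self.entries.append(entry)
        return entry


def authorize(log, user, terminal, program, activity, table=AUTH_TABLE):
    """Allow only what the table lists; anything absent is denied by default."""
    permitted = table.get((user, terminal), {}).get(program, set())
    allowed = activity in permitted
    log.record(user, terminal, program, activity, allowed)  # denials are logged too
    return allowed


def unauthorized_attempts(log):
    """What the EDP control group reviews: every denied request in the log."""
    return [e for e in log.entries if e["result"] == "DENY"]


if __name__ == "__main__":
    log = AccessLog()
    authorize(log, "payroll_clerk_01", "TERM-PAY-1", "payroll_entry", "add")
    # Same clerk, but an activity the table does not grant.
    authorize(log, "payroll_clerk_01", "TERM-PAY-1", "payroll_entry", "change")
    # Valid user at a terminal that is not paired with that user.
    authorize(log, "payroll_clerk_01", "TERM-RCV-1", "payroll_entry", "add")
    for e in unauthorized_attempts(log):
        print(e["txn_id"], e["user"], e["program"], e["activity"], e["result"])
```

Because the table is keyed on the user and terminal together, a valid password used from the wrong terminal is denied and still leaves a log entry for the control group.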

D. DEVELOPMENT OF NEW PROGRAMS AND SYSTEMS controls are intended to ensure that new application systems are suitably authorized, designed and tested.

1. Reviewing, testing and approval of new systems

a. Companies need to use the Systems Development Life Cycle when implementing new computer systems. SDLC phases are:

-- Analysis-determining whether the current system is meeting users’ needs. In the event it is not, a feasibility study is conducted to examine potential solutions to the problem.

-- Design-this phase involves developing specifications regarding input, processing, internal controls and security measures, programs, procedures, output and databases.

-- Implementation-involves the actual programming for the new system including debugging & testing AND conversion from the old system to the new system. Common implementation methods include running parallel systems which is very expensive but safe; the cold turkey method which is less expensive but very risky or a phased in approach which makes the most sense.

-- Operation-this phase includes post-implementation review to determine if the system is meeting its objectives and is being utilized. Also systems maintenance (monitoring, evaluating and modifying the system) is an ongoing part of this phase.

2. BE SURE TO involve users, internal auditors, and external auditors at the systems design and development stage - designing controls into an already implemented system is very difficult and costly.

3. Involve users and EDP in the systems testing, and be sure to test the system through the entire cycle (e.g. include testing procedures only done at year-end).

4. Get management and user approval of the new system to avoid problems like system not being used because it doesn’t provide the data on a timely enough basis.

5. Documentation procedures - the Program Run Manual should include:
   a. Systems descriptions and flowcharts
   b. Program descriptions and flowcharts
   c. Program listing (in source code)
   d. Record layouts (input documents and output reports)
   e. Control procedures
   f. Operating instructions.
   g. Good documentation is important to:
      i. The company for training of new personnel and maintenance.
      ii. The auditors to aid in understanding the system and designing the audit tests.

A BUSINESSMAN taking a seminar on efficiency completed a case study of his wife’s routine for fixing breakfast, and presented the results to the class. “After a few days of observation, I quickly determined the practices that were robbing her of precious time and energy,” the man reported. “Taking note of how many trips she made from the kitchen to the dining room carrying just one item, I suggested that in the future she carry several items at a time.” “Did it work?” the teacher asked. “It sure did,” replied the businessman. “Instead of taking her 20 minutes to fix my breakfast, it now takes me just seven.”

A man went into a fortune teller's shop and waited for a reading. The fortune teller gazed into the crystal ball and said "You will be poor and unhappy until you are 45 years old." "Then what will happen?" asked the man. The fortune teller replied, "Then you'll get used to it."

From Dear Abby

6. Hardware controls--ensure that the computer system will not be a cause of inaccurate application processing. Automatic (built-in) error detection features

a. Parity check--an extra bit used to check that all data has been transferred without loss--odd or even parity.

b. Dual circuitry--a computation is made twice by the computer in different parts of the CPU and the results are compared.

c. Echo check--a signal sent to the CPU verifying that a command has been received & complied with.

d. Dual read--input data are read twice and compared.

e. Read after write--data is read after it is recorded in storage and verified for accuracy.

f. Boundary protection--prevents the intermixing or overlapping of data among the many files in the computer.

IV. APPLICATION CONTROLS--relate to specific applications (e.g. revenue, payroll, expenditure) and consist of programmed controls and related manual follow-up procedures.

Programmed controls are actually embedded in the program, e.g. in the expenditure cycle, the computer would be programmed to accept only vendors from an approved vendor list and would print a report of any purchases made from unauthorized vendors.

Related manual follow-up procedures involve employee follow-up of items listed on computer exception reports. For the example above, it would be an employee reviewing the purchases from unauthorized vendors to determine if specific management approval had been given for the purchase.

Examples of Application Controls:


A. Batch control totals establish the accuracy of processing
   - record counts—number of documents, e.g.
   - control totals—a total that has some meaning, e.g.
   - hash totals—an inherently meaningless total, e.g.

B. Self-checking digit--a check number is created from the original number and becomes part of the number itself

Experience enables you to recognize a mistake when you make it again.

Franklin P. Jones

C. Programmed edit checks--checks written into the application programs to reject incomplete, inaccurate, or unreasonable DATA DURING THE INPUT STAGE. These edit checks prevent the user from progressing further until resolved.

a. Field check--prevents invalid characters--e.g. alphabetic character in a numeric field
b. Invalid codes--e.g. with store codes from 01-22, code 53 would be invalid
c. Limit test--e.g. data which falls outside pre-established limits
d. Sequence checks--e.g. file arranged in ascending order
e. Sign test--e.g. negative number in a positive field
f. Missing data--e.g. blank field
g. Anticipation test--e.g. anticipate receipt of particular data
h. Field size check--won’t allow more than certain numbers
i. Logic check--prevents illogical combinations of input
j. Closed loop verification—sometimes called “redundant data check” uses two identifiers for a transaction such as name and customer ID before allowing data entry to occur
k. Verification of self-checking digit

D. Limit and Reasonableness tests--logical tests performed DURING PROCESSING to verify the contents and relationships of records. These errors show up on exception (error) reports.

- Comparison to a limit--e.g. did customer exceed credit limit
- Comparison to a range of values--e.g. paychecks should not be less than $150 or greater than $3,000
- Test for proper mathematical sign--e.g. negative rate of pay
- Test for a zero value--e.g. social security number
- Test for non-numeric data in a numeric field--e.g. #*.80 for a pay rate
- Comparison of field value or code against a table of allowed values or codes--e.g. codes for authorized vendors
- Test for logical relationship between fields--e.g. Match master file account # with transaction file account #

E. Computer generated log of input errors
- Error log--invalid data, file programs
- Console log--time run, files and programs used, interventions & machine halts

F. Footing and Crossfooting tests

G. The EDP Control group does the following:

- Balancing of all control totals
- Visual scanning--for unusual errors
- Distribution of output to authorized persons
- Review of error logs
- Procedures for follow up of exceptions and errors

Payroll Cycle Application Control Procedure Examples

Completeness test. Program verifies existence of EMPLOYEE-NUMBER, EMPLOYEE-NAME, HOURS WORKED.

Control total. Program verifies that the total number of hours on batch transmittal form = total number of hours on valid payroll transactions + total number of hours on erroneous payroll transactions.

Record count. Program verifies that the number of lines on the register = the number of payroll transaction records.

Limit test. Program flags those transactions with amounts > $10,000 for review by the data control group.

Record count. Program verifies that the number of paychecks = number of payroll transaction records.

Control total. Program verifies that total amount of paychecks = total debit to payroll general ledger account and total credit to cash general ledger account.

Control total. Data control group compares control totals taken on paycheck amounts and disclosed on control report and payroll register.
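The programmed edit checks (section C) and batch control totals (section A) applied to a payroll batch, as an added Python example that is not part of the original notes. The 80-hour limit, the transmittal layout and the sample records are constructed assumptions; the second batch shows keying errors that pass every edit check and are caught only by the control and hash totals.

```python
from decimal import Decimal, InvalidOperation

REQUIRED = ("EMPLOYEE-NUMBER", "EMPLOYEE-NAME", "HOURS WORKED")
MAX_HOURS = Decimal("80")  # assumed limit per pay period, not from the notes


def parse_hours(rec):
    """Return HOURS WORKED as a finite Decimal, or None if it is not a number."""
    try:
        hours = Decimal(str(rec.get("HOURS WORKED", "")).strip())
    except InvalidOperation:
        return None
    return hours if hours.is_finite() else None  # rejects NaN and Infinity


def edit_check(rec):
    """Input-stage edit checks; returns the list of failures for one record."""
    errors = []
    for name in REQUIRED:  # completeness (missing data) test
        if not str(rec.get(name, "")).strip():
            errors.append(f"missing data: {name}")
    emp = str(rec.get("EMPLOYEE-NUMBER", "")).strip()
    if emp and not (emp.isascii() and emp.isdigit()):
        errors.append("field check: EMPLOYEE-NUMBER")
    if str(rec.get("HOURS WORKED", "")).strip():
        hours = parse_hours(rec)
        if hours is None:
            errors.append("field check: HOURS WORKED")
        elif hours < 0:
            errors.append("sign test: HOURS WORKED")
        elif hours > MAX_HOURS:
            errors.append("limit test: HOURS WORKED")
    return errors


def process_batch(transmittal, records):
    """Run edit checks, then reconcile computed totals to the manual transmittal."""
    valid, rejected = [], []
    for rec in records:
        errors = edit_check(rec)
        if errors:
            rejected.append((rec, errors))
        else:
            valid.append(rec)

    def hours_total(rows):
        return sum((parse_hours(r) or Decimal(0) for r in rows), Decimal(0))

    def emp_number(rec):
        text = str(rec.get("EMPLOYEE-NUMBER", "")).strip()
        return int(text) if text.isascii() and text.isdigit() else 0

    hours_valid = hours_total(valid)
    hours_rejected = hours_total(r for r, _ in rejected)
    computed = {
        "record_count": len(records),
        # Hours on valid transactions + hours on erroneous transactions.
        "control_total_hours": hours_valid + hours_rejected,
        # Hash total: the sum of employee numbers has no meaning of its own.
        "hash_total": sum(emp_number(r) for r in records),
    }
    discrepancies = {k: (transmittal[k], v) for k, v in computed.items()
                     if transmittal[k] != v}
    return {"valid": valid, "rejected": rejected, "hours_valid": hours_valid,
            "hours_rejected": hours_rejected, "discrepancies": discrepancies,
            "in_balance": not discrepancies}


def rec(number, name, hours):
    return {"EMPLOYEE-NUMBER": number, "EMPLOYEE-NAME": name, "HOURS WORKED": hours}


# Constructed batch transmittal, totalled by hand from four timecards.
TRANSMITTAL = {"record_count": 4, "control_total_hours": Decimal("163.5"),
               "hash_total": 4010}
# Keyed as written on the timecards; one card has no employee name.
KEYED_OK = [rec("1001", "A. Rivera", "40"), rec("1002", "B. Chen", "38.5"),
            rec("1003", "", "40"), rec("1004", "D. Okafor", "45")]
# Two keying errors that look valid: 1002 keyed as 1020, 45 hours keyed as 54.
KEYED_WRONG = [rec("1001", "A. Rivera", "40"), rec("1020", "B. Chen", "38.5"),
               rec("1003", "C. Haddad", "40"), rec("1004", "D. Okafor", "54")]

if __name__ == "__main__":
    for label, batch in (("ok", KEYED_OK), ("wrong", KEYED_WRONG)):
        result = process_batch(TRANSMITTAL, batch)
        print(label, result["in_balance"], len(result["rejected"]),
              result["discrepancies"])
```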

Expenditure Cycle Application Control Procedure Examples

Completeness test. Program verifies existence of REQUISITION NUMBER, INVENTORY ITEM NUMBER, ITEM DESCRIPTION, ITEM QUANTITY, DELIVERY DUE DATE.

Record count. Program verifies that the number of new records in purchase order detail file = number of line items on purchase orders.

Control total. In a batch system the data control group compares hash totals of purchase order numbers disclosed on control reports and purchase order register.

Completeness test. Program verifies that purchasing agent enters VENDOR NUMBER, PURCHASING AGENT NAME, VENDOR PRODUCT NUMBER, ITEM UNIT PRICE.

Validity test. Program computes check digit on VENDOR NUMBER.

Record count. Number of lines on check register = number of cash disbursement transaction records.

Limit test. Program flags those transactions with amount > $100,000 for review by data control group.

Control total. Data control group verifies that total amount of checks = total amounts of vouchers disclosed on control reports and check register.

Control total. In a batch system the data control group compares totals of purchase order numbers disclosed on the control report and the receipts register.

Completeness test. Program verifies existence of PURCHASE ORDER NUMBER, VENDOR INVOICE NUMBER, VENDOR INVOICE DATE, GROSS AMOUNT, DISCOUNT DATE, NET AMOUNT, PAYMENT DUE DATE, GENERAL LEDGER ACCOUNT, GENERAL LEDGER AMOUNT.

Validity test. Program verifies that dates are of the form AA-BB-CCCC, where AA<13, BB<32, and CCCC is numeric.

Record count. Program verifies that the decrease in the number of open purchase order records = increase in the number of pending invoice records.
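The two validity tests in the list above, as an added Python example that is not part of the original notes. The notes do not name a check-digit scheme, so the Luhn (mod 10) algorithm is used here as an assumption; AA is assumed to be the month and BB the day, and all vendor numbers are constructed.

```python
import re
from datetime import date


def luhn_check_digit(base):
    """Luhn mod-10 check digit for a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(base)):
        d = int(ch)
        if i % 2 == 0:  # every second digit, starting next to the check digit
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def vendor_number_valid(number):
    """Self-checking digit: the last digit must match the one recomputed."""
    if not (number.isascii() and number.isdigit() and len(number) >= 2):
        return False
    return luhn_check_digit(number[:-1]) == number[-1]


DATE_FORM = re.compile(r"([0-9]{2})-([0-9]{2})-([0-9]{4})")


def date_valid_form_only(text):
    """The rule exactly as stated: AA-BB-CCCC with AA < 13 and BB < 32."""
    m = DATE_FORM.fullmatch(text)
    return bool(m) and int(m.group(1)) < 13 and int(m.group(2)) < 32


def date_valid_calendar(text):
    """Stricter variant: the same form, but it must also be a real date."""
    m = DATE_FORM.fullmatch(text)
    if not m:
        return False
    month, day, year = (int(g) for g in m.groups())
    try:
        date(year, month, day)  # raises ValueError for 00, Feb 31, year 0000
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed vendor numbers: base 40213 carries check digit 1.
    for number in ("402131", "402231", "420131", "50914", "59014"):
        print(number, vendor_number_valid(number))
    # 402231 (one digit wrong) and 420131 (digits swapped) are rejected;
    # 50914 and 59014 both pass, because Luhn cannot see a 09 <-> 90 swap.
    for text in ("02-29-2024", "02-31-2024", "00-00-2024", "13-01-2024"):
        print(text, date_valid_form_only(text), date_valid_calendar(text))
```

The form-only rule accepts 02-31-2024 and 00-00-2024, which is why a date edit check is usually backed by a calendar check.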

Many executives seem to be infatuated with the limitless information potential of computers--sometimes at the real expense of the human thinking that ought to be at the base of any analysis. When playing the enticing "what if" games that computers make available, beware of contracting "spreadsheetitis." And remember, machines cannot think (not yet)--they can only rearrange what was furnished them previously.

Philip Kropatkin

HOW BIG WAS IT OR COULD YOU DO ONE FOR, SAY

The Transaction

The wire transfer unit of a large West Coast bank received a phone call from one of the bank's international officers requesting a $10 million transfer from the bank to an account at a New York City bank. The calling officer provided the correct secret codes for the day and satisfied the criteria for initiating a wire transfer. The wireroom processed the request and transferred the funds. Later the New York City bank received instruction from its account holder to transfer the funds to a bank account in Geneva, Switzerland.

Discovery of the Fraud

The FBI received information that a person had purchased a large quantity of diamonds with funds stolen from a named West Coast bank. The FBI determined that the tip was accurate and notified the West Coast bank of the multimillion dollar fraud that had been committed against it.

The Investigation

The investigation revealed:

The West Coast bank had been installing new computer hardware and software in its wire transfer room. A computer consultant hired by the bank was actively involved in this renovation. While working in the wireroom, the consultant was:

Placed on the authorized list for admittance to the wireroom; given a valid password for gaining access to the electronic funds transfer processing system; and allowed use of terminals connected to this system;

Able to observe the process for ordering wire transfers, including how to obtain the daily secret codes used to authorize electronic funds transfers; and able to listen to the conversational style and format used by bank officers in ordering fund transfer.

One day after his assignment had been completed, the consultant requested permission to enter the wireroom. Because his name had not been deleted from the authorized list, the consultant was allowed to enter the area and to use a terminal. Using a wireroom terminal and his own password, which had not been deleted from the system, the consultant obtained the secret funds transfer codes for that day. He left the wireroom and called the wireroom from a phone booth. Pretending to be an international officer of the bank, he requested a $10 million funds transfer from the bank to an account at a New York City bank. The wireroom employee, believing that he was speaking with an international officer of his bank because of the style and format of the conversation and the use of the correct secret codes for the day, accepted the order and transferred the funds.

The consultant flew to Geneva, Switzerland, where he had the stolen funds transferred from his account at the East Coast bank into an account at a Swiss bank. He purchased over $8 million in diamonds from a Russian diamond wholesaling company. He flew back to the West Coast with the diamonds and moved in with a friend. While the consultant tried to decide what to do with his ill-gotten gains, his "friend" made a critical tip to the FBI.

How to Prevent this Fraud

When it is necessary to hire a consultant who will have access to very sensitive data, the consultant should undergo a special clearance process before being allowed access to the data. Another control should be used to record all passwords and accesses given to the consultant and to promptly terminate all passwords and accesses on the consultant's last day of employment. Additionally, a consistently followed call-back verification process would have simply and quickly detected and prevented the multimillion-dollar fraud.
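An added illustration of the access-recording control described above (not part of the original text): a register of every access issued to outside personnel is reconciled against each engagement's last day, and any grant that outlived it is reported. The names, dates, and the Grant and stale_grants identifiers are constructed for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Grant:
    holder: str               # person the access was issued to
    kind: str                 # what was granted
    issued: date
    revoked: Optional[date]   # None = still active


def stale_grants(register, engagement_end, as_of):
    """Return (grant, days_exposed) for each grant that stayed usable after the
    holder's last day, longest exposure first."""
    findings = []
    for g in register:
        last_day = engagement_end.get(g.holder)
        if last_day is None or as_of <= last_day:
            continue  # permanent staff, or engagement still running
        # Access should end on the last day; count the days it outlived it.
        closed = g.revoked if g.revoked is not None else as_of
        exposed = (min(closed, as_of) - last_day).days
        if exposed > 0:
            findings.append((g, exposed))
    return sorted(findings, key=lambda f: f[1], reverse=True)


# Constructed sample data (names and dates are illustrative, not from the case).
ENGAGEMENT_END = {"consultant_a": date(2024, 3, 1), "consultant_b": date(2024, 2, 9)}
REGISTER = [
    Grant("consultant_a", "wireroom authorized list", date(2024, 1, 8), None),
    Grant("consultant_a", "EFT system password", date(2024, 1, 8), None),
    Grant("consultant_b", "EFT system password", date(2024, 1, 8), date(2024, 2, 9)),
    Grant("consultant_b", "wireroom authorized list", date(2024, 1, 8), date(2024, 2, 14)),
    Grant("officer_c", "EFT system password", date(2023, 6, 1), None),
]

if __name__ == "__main__":
    for grant, days in stale_grants(REGISTER, ENGAGEMENT_END, date(2024, 3, 2)):
        print(f"{grant.holder}: {grant.kind} usable {days} day(s) past last day")
```

Run the day after an engagement ends, the check reports both the door-list entry and the system password as still live, which is the condition the consultant in this case relied on.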

Epilogue

As might be expected, the news media reported this fraud extensively in every country in the Western world. The prestige and reputation of the West Coast bank were harmed. The bank now has one of the largest computer security staffs of any bank in the world.

Following his indictment, and while free on $200,000 bond prior to the trial, the consultant teamed with an employee of another West Coast bank to commit a $50 million wire transfer fraud. The employee alerted the FBI of the planned EFT fraud and it was aborted. The consultant then agreed to a guilty plea and was sentenced to eight years imprisonment on the first wire fraud to avoid prosecution on the second, attempted wire fraud. Following his release from prison in less than three years, the consultant was hired to run the computer system of a national science association in Washington, D.C.

Page 34: edp

EDP MULTIPLE CHOICE QUESTIONS

I. EDP TERMINOLOGY QUESTIONS

1. More than one file may be stored on a single magnetic memory disc. Several programs may be in the core storage unit simultaneously. In both cases it is important to prevent the mixing of data. One way to do this is to use
a. File integrity control.
b. Boundary protection.
c. Interleaving.
d. Paging.

2. In a computerized system, procedure or problem-oriented language is converted to machine language through a (an)
a. Interpreter.
b. Verifier.
c. Compiler.
d. Converter.

3. Which of the following is not a characteristic of a batch processed computer system?
a. The collection of like transactions which are sorted and processed sequentially against a master file.
b. Keypunching of transactions, followed by machine processing.
c. The production of numerous printouts.
d. The posting of a transaction, as it occurs, to several files, without intermediate printouts.

4. Which of the following symbolic representations indicate that a file has been consulted?a. c.

b. d.

5. The machine language for a specific computer
a. May be changed by the programmer.
b. Is the same as all other computer languages.
c. Is determined by the engineers who designed the computer.
d. Is always alphabetic.

6. A well prepared flowchart should make it easier for the auditor to
a. Prepare audit procedure manuals.
b. Prepare detailed job descriptions.
c. Trace the origin and disposition of documents.
d. Assess the degree of accuracy of financial data.

Page 35: edp

7. When a data base administrator's position exists within a client organization, the auditor must be aware of the
a. Output effectiveness/efficiency considerations.
b. Need for coded program files.
c. Use of encrypted dialog in a two-way authentication process.
d. Inherent violation of the principle of separation of duties.

8. What type of EDP system is characterized by data that are assembled from more than one location and records that are updated immediately?
a. Microcomputer system.
b. Minicomputer system.
c. Batch processing system.
d. On-line real-time system.

9. Which of the following symbolic representations indicates that a sales invoice has been filed?a.

b.

c.

d.

10. Which of the following flowchart symbols represents on-line storage?a. c.

b. d.

11. The computer system most likely to be used by a large savings bank for customers' accounts would be
a. An on-line, real-time system.
b. A batch processing system.
c. A generalized utility system.
d. A direct access data base system.

Page 36: edp

II. EDP INTERNAL CONTROL QUESTIONS

1. One of the major problems in an EDP system is that incompatible functions may be performed by the same individual. One compensating control for this is use of
a. A tape library.
b. A self-checking digit system.
c. Computer generated hash totals.
d. A computer log.

2. Which of the following would lessen internal control in an electronic data processing system?
a. The computer librarian maintains custody of computer program instructions and detailed program listings.
b. Computer operators have access to operator instructions and detailed program listings.
c. The control group maintains sole custody of all computer output.
d. Computer programmers write and debug programs which perform routines designed by the systems analyst.

3. When an on-line, real-time (OLRT) electronic data processing system is in use, internal control can be strengthened by
a. Providing for the separation of duties between keypunching and error listing operations.
b. Attaching plastic file protection rings to reels of magnetic tape before new data can be entered on the file.
c. Making a validity check of an identification number before a user can obtain access to the computer files.
d. Preparing batch totals to provide assurance that file updates are made for the entire input.

4. If a control total were to be computed on each of the following data items, which would best be identified as a hash total for a payroll EDP application?
a. Net pay.
b. Department numbers.
c. Hours worked.
d. Total debits and total credits.

5. For good internal control, which of the following functions should not be the responsibility of the treasurer's department?
a. Data processing.
b. Handling of cash.
c. Custody of securities.
d. Establishing credit policies.

6. Which of the following constitutes a weakness in the I/C of an EDP system?
a. One generation of backup files is stored in an off-premises location.
b. Machine operators distribute error messages to the control group.
c. Machine operators do not have access to the complete systems manual.
d. Machine operators are supervised by the programmer.

7. Totals of amounts in computer-record data fields which are not usually added for other purposes but are used only for data processing control purposes are called
a. Record totals.
b. Hash totals.
c. Processing data totals.
d. Field totals.

Page 37: edp

8. Carmela Department Stores has a fully integrated EDP accounting system and is planning to issue credit cards to credit-worthy customers. To strengthen internal control by making it difficult for one to create a valid customer account number, the company's independent auditor has suggested the inclusion of a check digit which should be placed
a. At the beginning of a valid account number, only.
b. In the middle of a valid account number, only.
c. At the end of a valid account number, only.
d. Consistently in any position.

9. Which of the following is an example of a check digit?
a. An agreement of the total number of employees to the total number of checks printed by the computer.
b. An algebraically determined number produced by the other digits of the employee number.
c. A logic test that ensures all employee numbers are nine digits.
d. A limit check that an employee's hours do not exceed 50 hours per work week.

10. Which of the following activities would most likely be performed in the EDP department?
a. Initiation of changes to master records.
b. Conversion of information to machine-readable form.
c. Correction of transactional errors.
d. Initiation of changes to existing applications.

11. For control purposes, which of the following should be organizationally segregated from the computer operations functions?
a. Data conversion.
b. Surveillance of CRT messages.
c. Systems development.
d. Minor maintenance according to a schedule.

12. Where computer processing is used in significant accounting applications, internal control procedures may be defined by classifying control procedures into two types: general and
a. Administrative.
b. Specific.
c. Application.
d. Authorization.

13. Which of the following most likely constitutes a weakness in the internal control of an EDP system?
a. The control clerk establishes control over data received by the EDP department and reconciles control totals after processing.
b. The application programmer identifies programs required by the systems design and flowcharts the logic of these programs.
c. The systems analyst reviews output and controls the distribution of output from the EDP department.
d. The accounts payable clerk prepares data for computer processing and enters the data into the computer.

Page 38: edp

14. Which of the following is not a major reason why an accounting audit trail should be maintained for a computer system?
a. Query answering.
b. Deterrent to irregularities.
c. Monitoring purposes.
d. Analytical procedures.

15. A procedure control used in the management of a computer center to minimize the possibility of data or program file destruction through operator error includes
a. Control figures.
b. Crossfooting tests.
c. Limit checks.
d. External labels.

16. The use of a header label in conjunction with magnetic tape is most likely to prevent errors by the
a. Computer operator.
b. Keypunch operator.
c. Computer programmer.
d. Maintenance technician.

17. Where disc files are used, the grandfather-father-son update backup concept is relatively difficult to implement because the
a. Location of information points on discs is an extremely time consuming task.
b. Magnetic fields and other environmental factors cause off-site storage to be impractical.
c. Information must be dumped in the form of hard copy if it is to be reviewed before used in updating.
d. Process of updating old records is destructive.

18. Which of the following is an application control?
a. Dual read.
b. Hash total.
c. Systems flowchart.
d. Control over program changes.

19. Where computers are used, the effectiveness of internal control depends, in part, upon whether the organizational structure includes any incompatible combinations. Such a combination would exist when there is no separation of the duties between
a. Documentation librarian and manager of programming.
b. Programmer and console operator.
c. Systems analyst and programmer.
d. Processing control clerk and key punch supervisor.

20. Which of the following employees in a company's electronic data processing department should be responsible for designing new or improved data processing procedures?
a. Flowchart editor.
b. Programmer.
c. Systems analyst.
d. Control group supervisor.

21. Responsibility for initial testing (debugging) of the program should be assigned to the
a. EDP department control group.
b. Internal audit control group.
c. Programmer.
d. Machine operator.

Page 39: edp

22. Parity checks, read-after-write checks, and duplicate circuitry are electronic data processing controls that are designed to detect
a. Erroneous internal handling of data.
b. Lack of sufficient documentation for computer processes.
c. Illogical programming commands.
d. Illogical uses of hardware.

23. A control feature in an electronic data processing system requires the central processing unit (CPU) to send signals to the printer to activate the print mechanism for each character. The print mechanism, just prior to printing, sends a signal back to the CPU verifying that the proper print position has been activated. This type of hardware control is referred to as
a. Echo control.
b. Validity control.
c. Signal control.
d. Check digit control.

24. An advantage of manual processing is that human processors may note data errors and irregularities. To replace the human element of error detection associated with manual processing, a well-designed electronic data processing system should introduce
a. Programmed limits.
b. Dual circuitry.
c. Echo checks.
d. Read-after-write.

25. An internal administrative control that is sometimes used in connection with procedures to detect unauthorized or unexplained computer usage is
a. Maintenance of a computer tape library.
b. Use of file controls.
c. Maintenance of a computer console log.
d. Control over program tapes.

Anyone with money to burn will always find himself surrounded by people with matches.

Joe Ryan