Action Items

1. Read the article below: Information Systems and Internal Control.
2. Write: Develop a bulleted list of 2 issues or best practices that you identified based on your reading of this article and how it may impact you while performing in an accounting position.

Information Systems and Internal Control:

G1.04 IS Trends

[1] Networks

Developments in communications have significantly increased the quantities and speed with which data can be processed and ushered in local area networks (LANs) and wide area networks (WANs). Desktops and laptops are very fast microcomputers based on powerful microchips, such as Intel Corporation's Core processor microchips, as well as microchips from other manufacturers. LANs and WANs are groups of workstations (also, intelligent terminalsterminals with computerlike capabilitiesand personal computers) linked together with other devices, such as file serverscentral computers connected to networks that provide security and backup as well as file storage and print servicesand access to databases and mainframes by way of high-speed communications paths. LANs are local, such as in a single office area, while WANs are dispersed over larger geographic areas. LANs and WANs usually operate on versions of Windows, Linux, and Unix software. This type of computing is often referred to as a form of end-user computing because it occurs virtually independently of the IS organization. Thus, the user community becomes the primary focus for controlling applications development, and provisions for processing, access, and backup. Because of their flexibility and affordability, LANs offer advantages over other IS configurations.

[2] Electronic Data Interchange

The techniques in communications and computers have also been applied to large-volume or high-dollar transactions between business entities in order to increase speed and efficiency. Electronic data interchange (EDI) is the automated transacting of business between parties using high-speed data transmission; it avoids or minimizes the delays and errors caused by the handling and transmitting of paperwork that otherwise is necessary for such routine activities as ordering, receiving, and paying for goods and services; reporting employee withholding taxes; filing tax returns; and transferring funds.

EDI transactions are transmitted either directly between entities and their trading partners or through third parties known as value-added networks (VANs). EDI arrangements may use point-to-point connections between the transacting entities, proprietary networks that exist for certain industries (e.g., banking), or public networks that are available on the Internet.² Control procedures (e.g., authentication of electronic signatures) and standards (e.g., American National Standards Institute [ANSI] X12) must be in place to ensure that only authorized transactions occur and to reduce the possibility of errors.

In addition to increasing the speed and efficiency of transaction execution and processing, EDI offers other potential benefits. These include reduced inventory levels, fewer out-of-stock conditions, real-time visibility of transaction status, and increased cash flows by reducing the order to cash time.

[3] Paperless Systems

Paperless systems are systems automated to the point that they operate largely without hard-copy forms, reports, lists, and messages. EDI systems are paperless systems, as are many point-of-sale systems, e-mail systems, and certain aspects of data recording in manufacturing systems (e.g., data input by wands). Some factories can produce final assemblies without paper. This means work orders, instructions, specifications, travelers, and shop control reports are all in electronic form.

The trend in systems development continues to be toward paperless systems, because they operate more effectively and efficiently than their predecessors, thus offering cost and competitive advantages. But, as with other aspects of IS progress, paperless systems bring new risks for which controls must be instituted (see Section G1.05 ).

[4] Expert Systems

Expert systems, also referred to as artificial intelligence or AI, use the power of the computer and advances in programming and databases to emulate the logic used by knowledge-based workers to develop solutions to specific problems. These systems are being used for designing products, processing credit in financial institutions, and performing financial analyses.

Expert systems comprise the following basics:

• a base of knowledge that contains the rules and facts that enable the system to follow procedures, identify relationships, and formulate recommendations;
• an inference engine that enables the system to quickly find those parts of the knowledge base needed for a particular situation;
• a specialist known as a knowledge engineer, who designs and maintains the system; and
• user interfaces that enable communication with users.

[5] Object-Oriented Programming

Object-oriented programming is a conceptual revolution in modern programming that is responsive to the end-user computing phenomenon that characterizes the highest and best use of IS resources. Object-oriented programming is a very efficient and effective way of helping users achieve their objectivesthus the name object-oriented. Examples include Visual Basic from Microsoft and Java from Oracle.

Before the advent of object-oriented programming, applications were process-oriented, meaning the programs were written to process data, pretty much in a centralized mainframe. Programs and the data files to be processed were separate. Each application needed its unique set of data files and programming instructions. Application development was slow, costly, error-prone, less responsive to needs, and characteristically unfriendly to users. Maintenance was a continuing challenge that was both costly and risky. Object-oriented programming overcomes much of these difficulties by altering the concept of the separation of programming and data. In object-oriented programming, the programming and the data are together and form the object. An object could be anything, such as an invoice, a timecard, or a component part in a given company product. The advantage that this type of programming offers is that the objects can be used over and over for a variety of applications and purposes. This eases programming tasks and enables the user, through use of software interfaces known as graphical user interfaces (GUIs), to interact with the objects in a very direct fashion. Thus, object-oriented programming is precisely what is needed in today's environment in which the power of the computer, through workstations and PCs, is within the reach of just about all knowledge-based workers.

[6] Image Processing

Image processing refers to the processing of information based on its image through the use of optical scanners, optical storage disks, and high-resolution monitors. Applicable software also is used to input, store, change, and retrieve data as it appears in its original paper form; an example of an original paper form is an insurance claim processing form. Image processing, making use of the ubiquitous bar code or two-dimensional QR Code, is central to the quick-response systems that are of strategic significance to large retailers, such as Wal-Mart and J.C. Penney. Image processing also facilitates the ability to have backup copies of key source documents such as contracts and other important paperwork stored offsite.

[7] Client/Server Environments

Client/server environments are networks of workstations and/or personal desktop computers interconnected with one or more Unix, Linux, or Windows servers that provide file and processing services to the users. These environments date back to the development of Unix by researchers at Bell Laboratories (now Alcatel Lucent S.A.) in the late 1960s. In 1996, a research study on Unix was jointly published by the IIA Research Foundation and the ISACA Foundation. The study, Unix: Its Use, Control, and Audit, offered a fascinating glimpse of the history and development of Unix and discusses security, control, and audit considerations. Due to the stable nature of Unix, this guidance is just as relevant today. Additional reference to this study is made later in this chapter. Although internal auditors will generally be more familiar with the Windows operating system as this is what powers most desktop and laptop computers, it is important to note that many corporate databases and ERP systems run on Unix platforms. Unix has changed little in recent years. It continues to be more command line driven than Windows and can be very daunting to an auditor who has not been through Unix training, so auditing Unix will usually require bringing in an IT auditor with special expertise in this area.

[8] The Internet

Of all the trends affecting information systems, none has had more impact than the Internet. The Internet refers to the array of networks that are compatible with the transmission control protocol/Internet protocol (TCP/IP). With the spread of computer technologies and the resultant demand for rapid exchange of information for business and other purposes, the Internet has become a de facto standard. As of November 2015, more than 3.3 billion people had access to the Internet, including over 87% of people in North America, and almost half of all Internet users (48%) live in Asia.³ Websites have mushroomed, facilitated by the fact that hypertext markup language (HTML) became the universal language of the Web. Another facilitating development was the emergence of programs, known as browsers, for searching the Web; Internet Explorer and Google Chrome are examples. These programs allow users to sift through millions of websites to identify the precise site of interest to the user. Each website has a unique uniform resource locator (URL) that constitutes the website address. For example, the URL for the SEC is www.sec.gov.

Websites now exist for virtually all Fortune 500 companies, universities, government agencies, accounting firms, publishers, news organizations, private interest groups, and many individuals. The variety and quantity of information available are staggering, as is the relative ease of finding the desired information.

Many companies now have Web-based businesses. Booksellers, auctioneers, toy companies, and most service providers offer customers the convenience of purchasing goods and services from the comfort of their homes or offices. Most major corporations have internal websites, called intranets, to maintain databases and provide information and training to employees, and external websites on the Internet to tout their products to potential customers.

The use of the Internet poses unique challenges for companies wishing to take advantage of this dynamic technology. For internal websites, firewalls must be constructed to maintain electronic security over sensitive information. Customer information (i.e., credit card numbers and Social Security numbers) and other non-public information must be safeguarded. Virus protection and intrusion detection/prevention system (IDS/IPS) software must be installed to detect and eradicate the widespread proliferation of system attacks by hackers and crackers. Auditors need to be alert to the inherent risks of Internet commerce, and plan appropriate audit coverage to address these risks.

Auditors can take advantage of the Internet by accessing websites containing useful information. An excellent first choice is The Institute of Internal Auditors home page at www.theiia.org. From there, the auditor can access the IIA's practice guides, such as the series of detailed guides titled Global Technology Audit Guide (GTAG). Another excellent source of information systems auditing information is the Information Systems Audit and Control Association website at www.isaca.org. A number of informative documents are free for anyone to download, while literally hundreds of other documents containing detailed technical guidance may be downloaded for free by ISACA members. Virtually any topic of interest can be accessed on the Web, including research on current issues, training information, and chat rooms dedicated to internal auditing.