Accounting Information Systems, 10e 1
SOLUTIONS FOR CHAPTER 7
Each end-of-chapter question in the Solutions Manual is tagged to correspond with AACSB, AICPA
and CISA standards, allowing professors to more easily manage the task of reporting outcomes to these
professional and accrediting bodies. Please see the corresponding spreadsheet file for the tagging
information.
Discussion Questions
DQ 7-1 Recently, the U.S. federal government and the American Institute of Certified
Public Accountants (AICPA) have taken aggressive steps aimed at ensuring the
quality of organizational governance. What are these changes, how might they
change organizational governance procedures, and do you believe that these
actions will really improve internal control of business organizations?
ANS. First, the U.S. Congress passed the Sarbanes-Oxley Act of 2002 (SOX). This
groundbreaking legislation is intended to set the foundation for improved
organizational governance. Most notably, SOX disallows auditors of public
DQ 7-2 “Enterprise Risk Management is a process for organizational governance.”
Discuss why this might be correct and why it might not.
ANS. Let’s look at the elements of the definitions of these two concepts side-by-side:
DQ 7-3 “If it weren’t for the potential of computer crime, the emphasis on controlling
computer systems would decline significantly in importance.” Do you agree?
Discuss fully.
ANS. Without computer crime, and the attendant, fascinating stories, public awareness
of the importance of controlling computer systems might decline. However, while
DQ 7-4 Provide five examples of potential conflict between the control goals of ensuring
effectiveness of operations and of ensuring efficient employment of resources.
ANS. 1. By striving to answer many customer telephone calls, a customer service
DQ 7-5 Discuss how the efficiency and effectiveness of a mass-transit system in a large
city can be measured.
ANS. The main purpose of this question is to reinforce the ideas that (1) effectiveness
must be judged in light of objectives and (2) efficiency is the relationship of
inputs to outputs.
DQ 7-6 “If input data are entered into the system completely and accurately, then the
information system control goals of ensuring update completeness and of ensuring
update accuracy will be automatically achieved.” Do you agree? Discuss fully.
ANS. No, we do not agree. The text distinguishes input and update because these steps
DQ 7-7 “Section 404 of SOX has not been a good idea. It has been too costly and it has
not had its intended effect.” Do you agree? Discuss fully.
ANS. As reported in the chapter, reviews of the results of SOX Section 404 are mixed.
Certainly, its implementations have been quite costly. Also, some foreign firms
Section 404.
DQ 7-8 How does this text’s definition of internal control differ from COSO? How does it
differ from the controls that are subject to review under Section 404 of SOX?
ANS. The text’s definition of internal control is aimed at all reporting, not just financial
reporting. Both COSO and SOX 404 are interested only in controls over the
information systems and output reporting that are related to financial reporting.
DQ 7-9 What, if anything, is wrong with the following control hierarchy? Discuss fully.
Highest level of control:   Pervasive control plans
                            The control environment
                            Application controls
                            Business process control plans
Lowest level of control:    IT general controls
ANS. The correct order from highest to lowest level of control is (see also Figure 7.6)
the following:
Short Problems
SP 7-1 ANS. The answer should note the differences in the following two internal control
SP 7-2 ANS.
B 1.
SP 7-3 ANS.
H(B) 1.
SP 7-4 ANS. Answers will vary among students.
Problems
P 7-1 ANS.
E 1.
H 2.
P 7-2 ANS. The major implication is that management can be held legally accountable for the
organization’s control system. Under the Foreign Corrupt Practices Act (FCPA),
for example, an officer of an organization must ensure that the organization
maintains adequate accounting records. Recently, Section 404 of the Sarbanes-Oxley
Act of 2002 has reinforced this management responsibility by requiring
nonconflict of interest affidavits, control policies, and reward systems that
support, rather than undermine, the control policies.
Being actively and continuously involved in the design, operation, review, and
modification of the organization’s systems and related control systems. This
may involve participation in, or at least approval of, the systems
P 7-3 ANS.
Situation
Control Goal
Explanation
1.
E and A
Checking to make sure that shipping notices are received for all
sales orders issued addresses the goal of ensuring that event data
2.
F and D
Double checking unit prices helps to ensure that the prices
actually billed are accurate.
Answer D is appropriate if we explain that checking prices
against an authorized price list helps to ensure that the event
was an authorized one (input validity).
the update run, must equal $3,900. If not, something went wrong
during the run. Some payments were not posted (UC), or some
were posted incorrectly (UA).
5.
E
A vendor is unlikely to send two different invoices with the
same number. Thus, the second instance of invoice #12345 is
probably a duplicate of the first. The second invoice should be
rejected to ensure that the invoice is processed once and only
once (input completeness).
Under the definitions given in the chapter, data elements missing
from an input document are instances of lack of input accuracy
as opposed to input completeness, which relates to recording all
events that occurred.
timeliness in cash receipts processing, an operations process by
Answer B is appropriate if we explain that it is more efficient to
manually.
P 7-4 ANS. Description Answer
Answer A is appropriate here if we assume that timely
1. J
2. C
P 7-5 ANS.
Part A: Current Scenario:
Dollar loss (sales) per hour of downtime
$10,000
Internal downtime incidents per year
50
External downtime incidents per year
50
Total downtime incidents per year
100
Expected Gross Risk
Preventative Measures
Annualized cost of ISP
Total annualized cost of preventive measures
Residual Expected Risk
Part B: Additional Redundant Technology
Dollar loss (sales) per hour of downtime
$10,000
Internal downtime incidents per year
15
External downtime incidents per year
50
Total downtime incidents per year
65
Preventive Measures
Annualized cost of redundant technology
Annualized cost of ISP
Total annualized cost of preventive measures
Residual Expected Risk
Part C: Additional Redundant Technology and Additional ISP Support
the expected residual risk is (see Part C.2 below).
If the company moves to a higher support level of no more than 20 downtime incidents,
the residual expected risk is (see Part C.3 below).
900,000
If the company moves to a higher support level of no more than 10 downtime incidents,
the residual expected risk is (see Part C.4 below).
925,000
If the company moves to a higher support level of no more than 0 downtime incidents,
the residual expected risk is (see Part C.5 below).
950,000
$900,000.00. Thus, management would be prudent to pay for a guarantee of only 20 rather than 30 incidents
because the former would also result in less customer dissatisfaction if and when downtime incidents occur.
Part C.1: Additional Redundant Technology and Additional ISP Support for 40 Downtime Incidents
Dollar loss (sales) per hour of downtime
$10,000
Internal downtime incidents per year
15
External downtime incidents per year
40
Total downtime incidents per year
55
Expected Gross Risk
$550,000
Preventive Measures
Annualized cost of redundant technology
Annualized cost of ISP
Total annualized cost of preventive measures
Residual Expected Risk
tolerance.
If the company remains with the current ISP contract of no more than 50 downtime
incidents, the residual expected risk is (see Part B above).
If the company moves to a higher support level of no more than 40 downtime incidents,
the residual expected risk is (see Part C.1 below).
950,000
If the company moves to a higher support level of no more than 30 downtime incidents,
900,000
Part C.2: Additional Redundant Technology and Additional ISP Support for 30 Downtime Incidents
Dollar loss (sales) per hour of downtime
$10,000
Internal downtime incidents per year
15
External downtime incidents per year
30
Total downtime incidents per year
45
Part C.3: Additional Redundant Technology and Additional ISP Support for 20 Downtime Incidents
Dollar loss (sales) per hour of downtime
$10,000
Internal downtime incidents per year
15
External downtime incidents per year
20
Total downtime incidents per year
35
Expected Gross Risk
Preventive Measures
Annualized cost of redundant technology
Annualized cost of ISP
Total annualized cost of preventive measures
Residual Expected Risk
Part C.4: Additional Redundant Technology and Additional ISP Support for 10 Downtime Incidents
Dollar loss (sales) per hour of downtime
$10,000
Internal downtime incidents per year
15
External downtime incidents per year
10
Total downtime incidents per year
25
Preventive Measures
Annualized cost of redundant technology
Annualized cost of ISP
Total annualized cost of preventive measures
Residual Expected Risk
Expected Gross Risk
Preventive Measures
Annualized cost of redundant technology
Annualized cost of ISP
Total annualized cost of preventive measures
Residual Expected Risk
Part C.5: Additional Redundant Technology and Additional ISP Support for 0 Downtime Incidents
Dollar loss (sales) per hour of downtime
$10,000
Internal downtime incidents per year
15
P 7-6 ANS. We might compare the elements of these two control matrices as follows:
Figure 7.7 (the textbook)
Figure 7.8 (PwC)
Comment
Control goals of the Lenox cash receipts
business process.
Subprocess.
Both name the process.
Control goals of the operations process.
PwC matrix relates to controls over
financial reporting and operations are
beyond the scope of the PwC matrix.
Ensure efficient employment of
resources.
Operations are beyond the scope of
the PwC matrix.
Information processing
objective (restricted access).
to information resources. Figure
7.7’s objective also includes other
assets.
Control goals of the information
process.
Control objective.
goals.
objective (validity).
Input completeness/update
completeness.
Information processing
objective (completeness).
Same, but PwC does not address
updates.
Input accuracy/update accuracy.
control activity.
frequency of the control activity.
PwC states an overall objective for
each process. In Figure 7.7, this is a
heading for more specific control
External downtime incidents per year
Total downtime incidents per year
Expected Gross Risk
Preventive Measures
Annualized cost of redundant technology
Annualized cost of ISP
Total annualized cost of preventive measures
Residual Expected Risk
Figure 7.7 (the textbook)
Figure 7.8 (PwC)
Comment
NA
Financial statement area.
PwC matrix is for controls over
financial reporting and states the area
of interest.
The overall assessment is that the matrices are quite similar. In fact, the control
matrix for this textbook was adapted from earlier versions of a PwC matrix (one
that was developed by Coopers & Lybrand, one of the firms that became part of
PwC). The PwC matrix, focused as it is on the financial statement audit, has
financial statement audit. Testing of
NA
P or D.
Figure 7.7 does not specifically
A or M.
Figure 7.7 does not classify controls
as automated or manual.