Accounting Information Systems, 10e 1
SOLUTIONS FOR CHAPTER 8
Each end-of-chapter question in the Solutions Manual is tagged to correspond with AACSB, AICPA
and CISA standards, allowing professors to more easily manage the task of reporting outcomes to these
professional and accrediting bodies. Please see the corresponding spreadsheet file for the tagging
information.
Discussion Questions
DQ 8-1 “The Enterprise Risk Management (ERM) framework introduced in Chapter 7
can be used by management to make decisions on which controls in this chapter
should be implemented.” Do you agree? Discuss fully.
ANS. Several issues might be included in an answer to this question. Here are some of
those issues:
DQ 8-2 “In small companies with few employees, it is virtually impossible to implement
the segregation of duties control plan.” Do you agree? Discuss fully.
ANS. Obviously, whether one agrees or disagrees with the statement depends on how
few “few” employees actually are. (Forty-seven percent of all U.S. employers
DQ 8-3 “No matter how sophisticated a system of internal control is, its success
ultimately requires that you place your trust in certain key personnel.” Do you
agree? Discuss fully.
ANS. Yes and no. We say no because we believe that a control system should monitor
the quantity, quality, and legitimacy of each employee’s work. Procedures should
DQ 8-4 “If personnel hiring is done correctly, the other personnel control plans are not
needed.” Do you agree? Discuss fully.
ANS. Emphatically no. While sound hiring practices are a crucial personnel policy,
employees can change over time. An employee’s need for ongoing training might
not be addressed (a personnel development control plan), or they may become
DQ 8-5 “Monitoring must be performed by an independent function such as a CPA.” Do
you agree? Discuss fully.
ANS. All internal controls need to be reviewed periodically to determine that they
continue to function effectively and efficiently. This review may be one of three
types.
DQ 8-6 Compare and contrast the COBIT definition of control in this chapter with
definitions in Chapter 7 for ERM, the COSO definition of internal control, and
this textbook’s definition of internal control.
ANS. Some common elements, and some differences, are summarized in the following
table. The columns are ERM, COSO, and COBIT; rows are separated by blank lines, and
cells that survived only in part are marked as fragments.

ERM: ... personnel. (fragment)
COSO: ... personnel. (fragment)

ERM: Applied in strategy setting and across the enterprise.

ERM: Identify potential events that may affect the entity.
COBIT: Undesired events will be prevented or detected and corrected.

ERM: Operations: efficient and effective use of resources.
COSO: Effectiveness and efficiency of operations.
COBIT: Effectiveness and efficiency are qualities of information that are to be achieved.

ERM: Reliability of reporting.
COSO: Reliability of financial reporting.
COBIT: Reliability of information and integrity are qualities of information that are to be achieved.

ERM: Compliance with applicable laws and regulations.
COSO: Compliance with applicable laws and regulations.
COBIT: Compliance is a quality of information that is to be achieved.

COBIT: Availability is a quality of information.

COBIT: Confidentiality is a quality of information.

ERM: Manage risk within the risk appetite.

ERM: Achievement of entity objectives.
COSO: Achievement of objectives.
COBIT: Achievement of objectives. Business objectives will be achieved.

(fragment) ... goals, aligned with and supporting its mission.

DQ 8-7 According to ISACA, COBIT 5 is taking IT control in a “new direction.” Discuss aspects
of this new direction and state your opinion as to how radically new COBIT 5 is.
ANS. This can be answered in a couple of different ways. First, one might focus on the big
picture of COBIT 5. In this approach, the answer should include and discuss: (1) COBIT
DQ 8-8 A key control concern described in Table 8.2 regarding the systems development
manager is that “systems development can develop and implement systems
without management approval.” Discuss a control described in this chapter that
reduces the risk that unauthorized systems will be implemented.
ANS. Program change controls address this risk. As depicted in Figure 8.6, any new or
revised programs must go through three sets of hands. First, a programmer must
DQ 8-9 Debate the following point: “Business continuity planning is really an IT issue.”
ANS. Yes. IT needs to ensure the continued operation of IT, one of the organization’s
major resources.
DQ 8-10 “Contracting for a hot site is too cost-prohibitive except in the rarest of
circumstances. Therefore, the vast majority of companies should think in terms of
providing for a cold site at most.” Discuss fully.
ANS. The key discussion point in this question should be the trade-off between timely
recovery of critical business functions on the one hand and the cost of providing
DQ 8-11 “Preventing the unauthorized disclosure and loss of data has become almost
impossible. Employees and others can use iPods, flash drives, cameras, and
PDAs, such as BlackBerries and Treos, to download data and remove it from an
organization’s premises.” Do you agree? Describe some controls from this
chapter that might be applied to reduce the risk of data disclosure and loss for
these devices.
ANS. These devices can certainly be used to circumvent physical access controls and
logical access controls, such as physically restricting access to a computer facility,
capability to write to portable storage devices.
DQ 8-12 Your boss was heard to say, “If we implemented every control plan discussed in
this chapter, we’d never get any work done around here.” Do you agree? Discuss
fully.
ANS. Yes and no. In rebutting your boss’s statement, you could point out at least two
things:
1. The authors never intended that the plans be applied to all situations in all
companies. Some are appropriate for some environments, whereas others are
unnecessary, and cost-prohibitive.
Also, because over-control has the potential to encourage unwanted, negative
behavioral reactions, it often can be as injurious to an organization as can
under-control. Employees may rebel at controls that they perceive as unduly
constraining or distasteful. Their rebellion might well manifest itself in petty
acts of fraud, thievery, or other forms of covert and overt resistance.
3. Balancing effectiveness and efficiency: This topic was also mentioned in
Chapter 7, when the authors talked about controls being built in rather than
built on. Controls impose some overhead on a firm. Therefore, management
must attempt to integrate the control system as seamlessly as possible with the
work system so that normal operations are not unduly burdened or impeded.
DQ 8-13 For each of these control plans suggest a monitoring activity:
a. Credit approval
ANS. A list of new customers for the last month and the supporting documentation used
to approve credit reviewed by the CFO.
Short Problems
SP 8-1 ANS.
Control Situation   Control Plan
1.                  A
2.                  E
3.
4.                  D
5.
SP 8-2 ANS.
Control Situation   Control Plan
1.                  F
2.                  B
4.                  E
SP 8-3 ANS.
1. CAEMWLVGPE, A becomes C by adding 2, C becomes A by subtracting 2, C
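Decoding the SP 8-3 ciphertext in code, as an added example that is not part of the solutions manual. The fragment above says A becomes C by adding 2 and C becomes A by subtracting 2; the script assumes that rule alternates letter by letter (+2, -2, +2, ...), which recovers ACCOUNTING from CAEMWLVGPE, and it also lists all 25 candidate keys to show why such a cipher protects nothing.

```python
# Added example for SP 8-3 (not from the solutions manual). The fragment says
# "A becomes C by adding 2, C becomes A by subtracting 2"; the assumption here is
# that the shift alternates letter by letter: +2, -2, +2, -2, ...
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

def _shift(letter: str, amount: int) -> str:
    """Move one upper-case letter `amount` places, wrapping around Z to A."""
    return ALPHABET[(ALPHABET.index(letter) + amount) % 26]

def encrypt(plaintext: str, shift: int = 2) -> str:
    """+shift on the 1st, 3rd, 5th ... letter, -shift on the 2nd, 4th, ...
    Non-letters are passed through and do not advance the position counter."""
    out, pos = [], 0
    for ch in plaintext.upper():
        if ch not in ALPHABET:
            out.append(ch)
            continue
        out.append(_shift(ch, shift if pos % 2 == 0 else -shift))
        pos += 1
    return "".join(out)

def decrypt(ciphertext: str, shift: int = 2) -> str:
    """Inverse of encrypt(): alternating (-s, +s) undoes alternating (+s, -s)."""
    return encrypt(ciphertext, -shift)

def brute_force(ciphertext: str) -> dict:
    """Only 25 candidate keys exist, so every plaintext can be listed and read off;
    that is why such ciphers are classroom exercises, not data-protection controls."""
    return {s: decrypt(ciphertext, s) for s in range(1, 26)}

if __name__ == "__main__":
    print(decrypt("CAEMWLVGPE"))  # ACCOUNTING
    for key, guess in brute_force("CAEMWLVGPE").items():
        print(key, guess)
```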
SP 8-4 ANS. Students’ solutions will vary, of course. At a minimum, each answer should
SP 8-5 ANS. The following summarize the major changes in COBIT 5. Note that not all of
these are in the textbook summary. They can be found at various websites, e.g.,
ww.isaca.org/COBIT/Documents/COBIT5-Compare-With-4.1.ppt, accessed May 7, 2013.
o New GEIT Principles
o Increased Focus on Enablers
SP 8-6 ANS. This can be found on page 19 (Figures 5 and 6) of COBIT 5: A Business
Framework for the Governance and Management of Enterprise IT. COBIT 5
Problems
P 8-1 ANS.
Note: This problem and solution were adopted from Thomas Wailgum, “Security: 50-Cent
Holes,” CIO Magazine, October 15, 2005.
A.
The personal information can be used to perpetrate identity theft. Releasing the data
may violate privacy laws and regulations. To prevent this problem, train employees and
D.
The information on the laptop can be used to perpetrate identity theft. Releasing the
data may violate privacy laws and regulations. To prevent this problem, management
should perform risk assessment to determine what data must be protected and then
implement security policies based on that assessment. Security protection may include
password protection, encrypted data, and biometric access.
E.
The information on the backup disks can be used to perpetrate identity theft and execute
fraudulent credit card charges. Releasing the data may violate privacy laws and
regulations and subject the company to financial loss as it indemnifies customers for
any losses. To prevent this problem, the credit card company should send the data
encrypted and electronically.
the policy by taking disciplinary action against those violating the policy. Management
might consider scanning messages for violation of the policy. For example, systems can
scan for messages with 16-digit numbers (i.e., credit card numbers).
A hacker, or any individual for that matter, could use the passwords to access computer
systems and cause many kinds of problems. To prevent this problem, establish an
organization-wide policy prohibiting the creation and storage of electronic files listing
passwords. Educate employees as to the importance of this policy, and enforce the
policy by taking disciplinary action against those violating the policy (assumes that
network files are scanned on a regular basis, looking for files that violate the policy).
Management might consider implementing single sign-on systems to reduce the number
of passwords that individuals must create and remember.
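The message-scanning control suggested above (flagging messages that carry 16-digit numbers), as an added example that is not from the textbook or the CIO Magazine article. It goes one step beyond the text by applying the Luhn check-digit test so that 16-digit order or tracking numbers do not trip the policy, and it records only a masked form of each hit; the sample messages are constructed.

```python
import re
from typing import Dict, List

# Added example for the P 8-1 suggestion that systems scan messages for 16-digit
# numbers (credit card numbers). Not the textbook's code; the Luhn filter and the
# masking are additions, and the sample messages below are constructed.

# A run of 16 digits, optionally split into groups of four by spaces or dashes.
CANDIDATE = re.compile(r"(?<!\d)(?:\d{4}[ -]?){3}\d{4}(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10: double every second digit from the right, sum, test mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> List[str]:
    """Masked hits (first 6 and last 4 digits kept) for each Luhn-valid 16-digit run."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits[:6] + "******" + digits[-4:])
    return hits

def scan_messages(messages: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return one finding per message that carries a likely card number."""
    findings = []
    for msg in messages:
        hits = find_card_numbers(str(msg["body"]))
        if hits:
            findings.append({"id": msg["id"], "masked": hits})
    return findings

# Constructed sample messages (not real data).
SAMPLE_MESSAGES = [
    {"id": 1, "body": "Please bill the client: card 4111 1111 1111 1111, exp 12/29"},
    {"id": 2, "body": "Order 1234567890123456 shipped today"},  # 16 digits, fails Luhn
    {"id": 3, "body": "Lunch at noon?"},
]

if __name__ == "__main__":
    for finding in scan_messages(SAMPLE_MESSAGES):
        print(finding)
```

The 16-digit rule follows the text; 15-digit card numbers would need a second pattern, and a scanner of this kind is a detective control that still depends on the disciplinary policy the answer describes.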
H.
The account information can be used to steal funds from the individuals’ accounts and
to perpetrate identity theft. To prevent this problem, establish an organization-wide
policy specifying who can access what information, how they can access it, and how
often. Then implement the policy through library controls and access control software to
limit employee access to data. An employee education program about the importance of
this policy should be conducted.
her transmissions. The data accessed in this manner can be used for a variety of
fraudulent activities or to create a competitive advantage. To prevent this problem,
employees need to be trained on how to set up and secure (passwords, firewall,
antivirus, etc.) a wireless network. Perhaps the organization can provide assistance to
employees to ensure their proper installation.
the consumer-grade IM with an enterprise-grade system.
P 8-2 ANS.
1. P & D
2. P
3. P
4. C
5. C
6. C
7. P & C
8. P
9. P & D
10. P
11. P & D
12. P & C
13. P & D
14. P
15. P & D
16. P
17. C
18. P
19. P & D
20. P & D
Note: We have offered multiple possibilities for answers to some of the preceding
items:
Item 1: Library controls will manage access to programs and data and thus
prevent unauthorized access. These controls also log all uses of programs and
data and thus can detect any unauthorized uses that may take place.
authorized users for authorized purposes.
handing in the cell phone.
P 8-3 ANS.
Control Situation   Control Plan
1.                  H
2.                  F
3.                  B
4.
5.                  C
6.                  J
7.                  I
8.                  L
9.                  K
10.                 E
P 8-4 ANS.
Option   Manager   Matthew   Mark
1        No        No        No
2        No        Yes       No
3        No        No
5        No        No
6        Yes
7        Yes
Explanation:
Option 1, vendor data maintenance, should be performed by the purchasing office. By doing so,
we separate authorization to engage in business with a particular vendor from the approval to
create accounts payable records and to disburse payments.
P 8-5 ANS.
Employee   Function
Grant      1, 6, 7
Jordyn     2, 3, 10
James      4, 5, 8, 9
Comment: The preceding solution represents but one of many possible solutions.
Our primary goal in solving this problem should be to segregate the handling of
P 8-6 ANS.
Domain / Process / Plans (cells that survived only in part are marked as fragments):

Plan and Organize Domain
Establish Strategic Vision for Information Technology:
    An inventory of IT capabilities
    Statement of IT goals and ... (fragment)
Develop and Acquire IT Solutions:
    An assessment of how new hardware might affect existing hardware
    Application documentation
Integrate IT Solutions into ... (fragment):
    A process for testing a new ... (fragment)
Manage Changes to Existing IT Systems:
    A process to select and prioritize user requests for system changes
    Program change testing
Deliver and Support Domain
Deliver Required IT Services:
    Define service levels
Ensure Security and ... (fragment):
    Complete a disaster recovery ... (fragment)
    Biometric security devices
    User training classes
... Processes (fragment):
    Perform preventive maintenance
    ... strategies (fragment)
Communicate, and Manage Realization of the Strategic Vision:
    ... the IT department (fragment)
    A quality assurance plan
    Feasibility studies
P 8-7 ANS.
1. Controls related to the control environment: H, O
   Establishment of a code of conduct
   Use of control frameworks such as COBIT and COSO
2. Controls over management: K
   Segregation of duties
5. Controls to monitor the results of operations: F, M
   Budgetary controls
   Service level agreements and reporting processes
6. Controls to monitor other controls, including activities of the internal audit
   function, the audit committee and self-assessment programs: B, A
   A report of all employees not taking required vacation days
   A file of signed code of conduct letters
7. Controls over the period-end financial reporting process: I
   Not covered
P 8-8 ANS.
1. Security officer: Business continuity planning can help an organization
recover quickly from natural disasters such as hurricanes and losses of data
and computing resources such as those perpetrated by hackers.
P 8-9 ANS. Student solutions will vary, of course. At a minimum, each answer should include
(1) a description of the incident(s), with background; (2) how long the site(s) were
not available; (3) how they came to be out of service; (4) which controls would
have prevented, detected, or corrected the outages; and (5) sources.
P 8-10 ANS. Student solutions will vary, of course. At a minimum, each answer should include
(1) a description of the incident(s), with background; (2) how long the site(s) were
P 8-11 ANS. As of this writing, the main Web page for Trust Services Principles and Criteria is
found at
Privacy. Personal information is collected, used, retained, disclosed,
and destroyed in conformity with the commitments in the entity’s privacy
notice and with criteria set forth in generally accepted privacy principles
issued by the AICPA and CICA.
P 8-12 ANS. The 34 high-level processes of COBIT 4.1 are:
In the “Plan and Organize” domain:
PO1 Define a Strategic IT Plan and direction
PO2 Define the Information Architecture
PO3 Determine Technological Direction
In the “Acquire and Implement” domain:
AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Enable Operation and Use
AI5 Procure IT Resources
AI6 Manage Changes
AI7 Install and Accredit Solutions and Changes
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations
Here are the changes from 4.1 to 5:
Summary of changes between COBIT 4.1 and COBIT 5
Processes in COBIT 4.1 that are merged in COBIT 5
DS7 is merged with PO7 (Education and Human
Resources)
and Information Security)
Processes in COBIT 4.1 that are reassigned in COBIT 5
ME4 to EDM1, 2, 3, 4, 5 (Governance)
Processes in CobiT® 4.1 that are relocated in COBIT 5
PO1 to APO2 (Strategic Planning)
PO4 to APO1 (Organisation, Relationships and
Processes)