
Accounting Information System

BSIT 103 Inter SEM SY 2018-2019 MAC

1. Introduction to accounting information systems


Information
Information is knowledge for the purpose of taking effective action.

Information becomes valuable when it is used for:

a. making decisions,
b. taking actions, and
c. fulfilling legal obligations.

Information System
An information system is a set of formal procedures by which data are collected,
processed into information, and distributed to users.

Transaction
A transaction is an event that affects or is of interest to the organization and is
processed by its information system as a unit of work.

Financial Transaction
A financial transaction is an economic event that affects the assets and equities of
the organization, is reflected in its accounts, and measured in monetary terms.

Nonfinancial Transaction
Nonfinancial transactions are events that do not meet the narrow definition of a
financial transaction.

Objectives of Information System


1. To support the stewardship function of management.
2. To support management decision making
3. To support the firm’s day-to-day operations

1|Page
1.1 Review of Manual Accounting

Accounting is the way business owners manage their company's financial information.
They use accounting to record, report and analyze that information. Companies generate
many pieces of financial information from business transactions and compile this
information into general ledgers and journals. Business technology has created
significant advances in financial management and accounting software.

Manual accounting uses paper ledgers and journals in which accountants record
financial information. The general ledger holds miscellaneous transactions and the aggregate
balance of all subsidiary ledgers and journals. Computerized accounting uses software
modelled on the traditional manual system: computers, spreadsheets and programs designed
to record and report financial information electronically.

Advantages & Disadvantages of Manual Accounting Systems

Simplicity and Complexity

A sole proprietor who simply wants to do her own books and develop a working
understanding of her company's financial activities may not need a double-entry program
that transfers debits and credits between theoretical accounts such as equity and accounts
payable.

Usability

It is easy to enter information into a manual accounting system, but it can be
difficult to distill that information and create reports. With a manual system you
must review and manually transfer figures from each relevant account, enter them on a
separate page or spreadsheet and then perform the computations by hand. A computer
bookkeeping program does the transfers and the arithmetic itself, so transcription and
calculation mistakes are less likely.

Durability and Permanence

Manual accounting systems are sometimes said to be more durable than computer systems,
because they exist as hard copies rather than digital files that can be wiped out by a
computer mishap. But paper files can be destroyed by fire or flood, and they are easier
to misplace, while a digital accounting format lets you back up files by making multiple
copies. It takes much longer to photocopy or manually copy a ledger than to save a
computer file to a removable drive or to cloud storage, so the durability advantage lies
with the computerized system, provided the copies are actually made, kept somewhere a
failure of the primary system cannot reach, and tested by restoring from them.

Transparency

Computer files can be modified simply by adding and deleting data. The numbers
on the screen show no trace of these changes, and the date a file was last modified is
not a reliable trace either: a user with write access to the file can usually reset it.
In contrast, manual accounting systems show evidence of having been changed. If you work
in pencil, erasures are obvious, and if you work in pen you must cross out old entries to
make new ones. The difficulty of hiding changes makes it easy to tell when a manual
system has been altered and so supports transparency. A computerized system has to
provide that evidence deliberately, through an audit trail that records who changed what
and when, or a journal that only allows entries to be appended and requires any
correction to be posted as a new entry.
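As an added illustration (not part of the original course notes), the following Python script shows one way a computerized journal can give the same tamper evidence as ink on paper: every entry carries a SHA-256 hash that also covers the previous entry's hash, so an in-place edit or a deleted entry is detected when the chain is re-verified. The journal entries are constructed sample data and the function names are the example's own.

```python
"""Tamper-evident accounting journal (added example, not from the course notes).

Each record stores a SHA-256 over its sequence number, the previous record's
hash and its own entry. Changing or deleting any earlier record breaks every
hash after it. A file's last-modified timestamp is not a control (it can be
reset with os.utime); the hash chain is the detective control.
"""
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" of the very first record


def _record_hash(seq, prev_hash, entry):
    # Canonical JSON (sorted keys, no whitespace) so the same entry always
    # hashes the same way regardless of dict ordering.
    payload = json.dumps({"seq": seq, "prev": prev_hash, "entry": entry},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_entry(journal, entry):
    """Append an entry, linking it to the hash of the previous record."""
    prev_hash = journal[-1]["hash"] if journal else GENESIS
    seq = len(journal) + 1
    record = {"seq": seq, "prev": prev_hash, "entry": entry,
              "hash": _record_hash(seq, prev_hash, entry)}
    journal.append(record)
    return record


def verify_journal(journal):
    """Return (True, None) if the chain is intact, else (False, bad_seq)
    where bad_seq is the position of the first record that fails."""
    prev_hash = GENESIS
    for expected_seq, record in enumerate(journal, start=1):
        if record["seq"] != expected_seq or record["prev"] != prev_hash:
            return False, expected_seq          # gap, reorder or deletion
        if record["hash"] != _record_hash(record["seq"], record["prev"],
                                          record["entry"]):
            return False, expected_seq          # content edited in place
        prev_hash = record["hash"]
    return True, None


def build_sample_journal():
    """Constructed sample entries: each is a debit/credit pair (double entry)."""
    journal = []
    append_entry(journal, {"date": "2019-01-05", "debit": "Cash",
                           "credit": "Sales", "amount": 1200.00})
    append_entry(journal, {"date": "2019-01-06", "debit": "Supplies",
                           "credit": "Cash", "amount": 150.00})
    append_entry(journal, {"date": "2019-01-07", "debit": "Cash",
                           "credit": "Sales", "amount": 800.00})
    return journal


if __name__ == "__main__":
    j = build_sample_journal()
    print("intact:", verify_journal(j))
    # The silent edit the paragraph describes: change an amount in place.
    j[1]["entry"]["amount"] = 15.00
    print("after edit:", verify_journal(j))
```

A chain like this only proves that the file is internally consistent; someone who can rewrite the whole file can recompute every hash. In practice the latest hash is periodically copied somewhere the ledger's writers cannot change (a separate system, a signed statement, a printed period-end total) and compared against it.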

1.2 Traditional Accounting Information System

The Difference between Traditional Accounting & Computerized Accounting

Before the advent of fast and cheap computers, accounting was processed manually,
with all transactions recorded on columnar paper and kept in voluminous binders.
Manual accounting is very labour-intensive, since accountants must carefully enter
every figure into physical books. Once computers became popular and software
affordable, accounting tasks moved into this medium, where the concepts stayed the same
but the mechanics changed from paper to programs.

Speed

The most glaring difference between traditional and computerized accounting is the
speed of operations. With an accounting program, data is entered once and saved. The
program provides management with reports at a speed that was never possible in the
traditional days: no more waiting days or weeks to know whether the business is making a
profit. With computerized accounting, information can be accessed in a matter of
minutes, and once data is in the system it can be used in reports, queries and analysis.

Accuracy

Computerized systems have drastically increased the accuracy of calculations
compared with the traditional manual system, in which columns had to be added up,
numbers carried from one page to the next, and the trial balance and financial statements
compiled by hand. If errors occurred, many hours had to be spent finding and correcting
them. Accounting software removes the arithmetic errors, although it cannot remove
errors in the data that is entered, which is why input controls still matter. In the
case of accounting spreadsheets, formulas still have to be written, but it is an easier
and more accurate process.

Costs

The traditional manual accounting system with paper and pencil is cheaper to set up
than the computerized version, for which a firm needs a computer, software, a printer and
the other expenses associated with running a system. The manual system may work for
small businesses up to a certain point, but with the affordable cost of computers and
software many firms are opting for the computerized system. Such systems are easy to
use, and finding experienced employees to run them is not a hurdle.

Backups

When using a manual system, the risk of losing data is real. If important papers
are damaged or destroyed, that work may have to be re-created. Copies of the original
work can be made, but that is expensive and time-consuming. Accounting on a computerized
system offers the choice of saving work to a CD, a portable or external hard drive, a
flash drive, or online storage. Many firms back up data every night as a precaution;
if something happens the next day, the data can be restored from the backup. A backup
is only worth what it can restore, so it should be kept apart from the system it
protects and a restore from it should be tested from time to time.

1.3 The role of AIS in the value chain

What are Accounting Information Systems?


An information system is a formal process for collecting data, processing the
data into information, and distributing that information to users. The purpose of an
accounting information system (AIS) is to collect, store, and process financial and
accounting data and produce reports that managers or other interested parties can use to
make business decisions. Although an AIS can be a manual system, today most accounting
information systems are computer-based.

There are 3 basic functions of an AIS:

1. Collect and store data about organizational activities, resources, and personnel.
An organization has a number of business processes, such as making a sale or
purchasing raw materials, which are repeated frequently.

2. Transform data into information so management can plan, execute, control, and
evaluate activities, resources, and personnel.

3. Provide adequate controls to safeguard the organization's assets and data.

A well designed AIS can add value to an organization by:

a. improving the quality and reducing the costs of products or services,
b. improving efficiency,
c. sharing knowledge,
d. improving the efficiency and effectiveness of its supply chain,
e. improving the internal control structure, and
f. improving decision making.

The factors influencing the design of an AIS are organizational culture, business
strategy and information technology; the AIS should therefore be designed in line with
corporate strategy.

1.4 Data Concept


What Is a Relational Database?
• Collection of Objects which follow very strict relational algebra (mathematical
rules)
• Center piece are Tables
• Other important Objects are Forms, Reports and Queries
• Objects tied together through defined & specific relationships
Some Key Terms

Formal       Less formal   Data processing
Relation     Table         File
Tuple        Row           Record
Attribute    Column        Field

Three Foundation Concepts

• Normalization
– Storing each piece of data where it uniquely belongs, so that it is recorded
once rather than repeated across tables. There are seven normal forms; an AIS
database is normally designed to the Third Normal Form (3NF)

• Dynasets
– The result set of a query; it looks like a table but is built from the stored
tables on demand and exists only in memory

• Keys
– The "string" that ties together all the data
– Primary Key: an attribute (field) that uniquely identifies each row in a table
– Foreign Key: an attribute (field) in one table that matches the primary key
field in another table; the database can refuse a row whose foreign key points at
no existing primary key (referential integrity)
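To make the three concepts concrete, here is an added example (not code from the course notes) using Python's built-in sqlite3 module: a two-table schema in Third Normal Form with a primary key and a foreign key, the database refusing a duplicate key and an orphan row, and a join query whose result is the dynaset. The table names, column names and rows are invented sample data for illustration.

```python
"""Primary keys, foreign keys and a query result in a small AIS schema.

Added example using the sqlite3 module from the Python standard library.
The schema and rows are constructed for illustration.
"""
import sqlite3

# Customer details are stored once, in customer; each invoice only carries the
# customer_id that points at them (3NF: no repeated name/address data).
SCHEMA = """
CREATE TABLE customer (
    customer_id INTEGER PRIMARY KEY,   -- primary key: unique per row
    name        TEXT NOT NULL,
    city        TEXT NOT NULL
);
CREATE TABLE invoice (
    invoice_id  INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customer (customer_id),  -- foreign key
    amount      REAL    NOT NULL CHECK (amount > 0)
);
"""

CUSTOMERS = [(1, "Acme Trading", "Manila"), (2, "Bayan Foods", "Cebu")]
INVOICES = [(101, 1, 500.0), (102, 1, 250.0), (103, 2, 900.0)]


def open_db(enforce_fk=True):
    """Create an in-memory database loaded with the sample rows.

    SQLite parses REFERENCES clauses but does not enforce them unless the
    foreign_keys pragma is switched on for the connection, so a program that
    forgets it silently accepts orphan rows.
    """
    conn = sqlite3.connect(":memory:")
    if enforce_fk:
        conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)", CUSTOMERS)
    conn.executemany("INSERT INTO invoice VALUES (?, ?, ?)", INVOICES)
    conn.commit()
    return conn


def rejected(conn, sql, params):
    """Run one INSERT and report whether the database refused it."""
    try:
        conn.execute(sql, params)
        conn.commit()
        return False
    except sqlite3.IntegrityError:
        conn.rollback()
        return True


def orphan_invoice_rejected(conn):
    # Customer 99 does not exist: a foreign-key (referential integrity) violation.
    return rejected(conn, "INSERT INTO invoice VALUES (?, ?, ?)", (104, 99, 10.0))


def duplicate_customer_rejected(conn):
    # customer_id 1 is already taken: a primary-key violation.
    return rejected(conn, "INSERT INTO customer VALUES (?, ?, ?)",
                    (1, "Dup Co", "Davao"))


def receivables_by_customer(conn):
    """Join the two tables on the key. The result is the 'dynaset': it looks
    like a table but is computed on demand and stored in neither table."""
    return conn.execute(
        """
        SELECT c.name, c.city, SUM(i.amount) AS total
        FROM customer AS c
        JOIN invoice  AS i ON i.customer_id = c.customer_id
        GROUP BY c.customer_id
        ORDER BY c.customer_id
        """
    ).fetchall()


if __name__ == "__main__":
    db = open_db()
    print("orphan invoice rejected:", orphan_invoice_rejected(db))
    print("duplicate customer rejected:", duplicate_customer_rejected(db))
    print("orphan rejected with foreign keys off:",
          orphan_invoice_rejected(open_db(enforce_fk=False)))
    for row in receivables_by_customer(db):
        print(row)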

1.5 Business System Design


Information Technology and business strategy

For many companies the use of information technology starts with the purchase
of hardware such as mainframes, PCs and networks. The use of IT is based on the
opportunities of technology. Companies often find it hard to indicate to what extent
the specific resources and systems contribute to their business and their market
position. In such a case, IT is, above all, regarded as an item of expense.

On the other hand more and more organizations have become aware of the
possibilities offered by IT to achieve competitive advantage.

Strategic use of IT requires, first of all, a distinct business strategy that indicates
what the organization is aiming at in terms of customers, suppliers, competitors,
shareholders and authorities, and what role IT is playing in all this.

On the basis of the business strategy, the specific use of IT can be established, in
terms of an architecture and an infrastructure. As a result, a company is able to
indicate where and how IT supports the business and the market position. If IT is
applied in this way, it will not only be an item of expense, but also a production
factor which is integrated into the strategic planning of a company.

Systems-oriented professionals: Accounting Information Systems and the Challenge of
Real-Time Reporting

Real-time reporting in accounting, or simply real-time accounting, offers many
benefits compared to conventional periodic reporting.

Traditionally, enterprises require financial or non-financial reporting based on
quarterly and annual periods. Yet the rapid change in markets and society causes this
periodic reporting to become outdated quickly.

Higher competition among enterprises demands more up-to-date information to enable
management to adapt rapidly to opportunities and respond to problems. Real-time
accounting addresses these needs, but needs new technological answers.

Technologies that can help the implementation of real-time accounting include
business process management, mobile devices, cloud computing, business intelligence,
enterprise architecture and enterprise application integration.

2. The business environment and the AIS

2.1-2.2 Business firm; organizational structure in business firms

What Is Organization Structure?

Organizational structure provides the guidelines for the system of reporting that
drives an organization, dividing it into areas or departments that are responsible for certain
aspects of the organization's purpose; it shows the relationships between areas and
individuals needed to achieve more efficient operations while attaining the goals of the
organization.

The organizational structure should be put in place at the start of an organization.
It defines how the company will function, what is expected of employees and the
chain of command.

Structure

The structure clarifies the areas of responsibility and the individuals that
will work together. This allows for effective communication, decision making and
sharing helpful information within departments.

Organizational Climate

A well designed organizational structure can create a climate, or environment, that
encourages employees to be supportive, cooperative and hard working. It also
contributes to job satisfaction.

Motivation

Grouping people within their specific areas of expertise encourages teamwork and
high levels of performance.

Upward Mobility

An organizational structure gives employees the opportunity to see where they may be
able to advance, motivating them to work hard in an effort to be promoted.

One method of organization is to set up departments covering the four main areas
of business activity:
• Finance
• Human Resources
• Marketing
• Operations

A well thought out and strategic business configuration clarifies reporting
relationships and supports good communication, resulting in efficient and effective
work process flow.

2.3 Operational system

An operational system is a term used in data warehousing for a system that is used to
process the day-to-day transactions of an organization. These systems are designed so
that day-to-day transactions are processed efficiently and the integrity of the
transactional data is preserved.

Synonyms

Operational systems are sometimes referred to as operational databases, transaction
processing systems, or online transaction processing (OLTP) systems. However, using the
last two terms as synonyms may be confusing, because operational systems can be batch
processing systems as well.

Any enterprise must maintain a lot of data about its operation. This is its
"operational data". Examples:

Organization             Operational data (probably)
Manufacturing company    Product data
Bank                     Account data
Hospital                 Patient data
University               Student data
Government department    Planning data

3. Computer-based transactional processing


Transaction Processing Systems (TPS)

A Transaction Processing System (TPS) is a type of information system that collects,
stores, modifies and retrieves the data transactions of an enterprise.

A transaction is a unit of work in which data is generated or modified before being
stored in the information system; to count as a transaction it must pass the ACID test
(atomicity, consistency, isolation, durability) described below.

Features of Transaction Processing Systems

The success of commercial enterprises depends on the reliable processing of
transactions to ensure that customer orders are met on time, and that partners and
suppliers are paid and can make payment.

Transaction processing systems offer enterprises the means to process transactions
rapidly, ensuring the smooth flow of data and the progression of processes throughout
the enterprise. Typically, a TPS will exhibit the following characteristics:

Rapid Processing

The rapid processing of transactions is vital to the success of any enterprise, now
more than ever, in the face of advancing technology and customer demand for immediate
action. TPS systems are designed to process transactions virtually instantly to ensure
that customer data is available to the processes that require it.

Reliability

Similarly, customers will not tolerate mistakes. TPS systems must be designed to
ensure not only that transactions never fall through the net, but that the systems
themselves remain operational permanently. TPS systems are therefore designed to
incorporate comprehensive safeguards and disaster recovery systems. These measures keep
the failure rate well within tolerance levels.

Standardization

Transactions must be processed in the same way each time to maximize efficiency. To
ensure this, TPS interfaces are designed to acquire identical data for each transaction,
regardless of the customer.

Controlled Access

Since TPS systems can be such a powerful business tool, access must be restricted to
only those employees who require it for their work. Restricted access ensures that
employees who lack the skills to operate the system cannot influence the transaction
process and, just as importantly, that no single employee can both initiate a
transaction and approve or conceal it (segregation of duties), which is the main control
against fraud by insiders.

Transactions Processing Qualifiers

Atomicity

Atomicity means that a transaction is either completed in full or not at all. For
example, if funds are transferred from one account to another, this only counts as a
bona fide transaction if both the withdrawal and the deposit take place. If one account
is debited and the other is not credited, it does not qualify as a transaction. TPS
systems ensure that transactions take place in their entirety, undoing the partial work
if any step fails.

Consistency

TPS systems exist within a set of operating rules (or integrity constraints). If an
integrity constraint states that all transactions in a database must have a positive
value, any transaction with a negative value would be refused; likewise a transaction
that would leave an account in a state that breaks a constraint is rejected as a whole.

Isolation

Transactions must appear to take place in isolation. For example, when a fund transfer
is made between two accounts, the debiting of one and the crediting of the other must
appear to take place simultaneously: no other transaction may observe the funds as
having left one account before they arrive in the other.

Durability

Once a transaction is completed (committed), its effect is permanent: it survives a
crash or power failure of the TPS. To ensure this, a log is written to stable storage
documenting every completed transaction, so that the database can be reconstructed from
it after a failure. A committed transaction can still be reversed, but only by posting
another transaction, never by the system losing it.

These four conditions ensure that TPS systems carry out their transactions in a
methodical, standardized and reliable manner.
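The fund-transfer example used for atomicity and isolation above, carried out in working code as an added example (it is not code from the course notes), using Python's built-in sqlite3 module. One transfer commits, one is refused by the no-overdraft constraint (consistency) and one fails half-way and is rolled back (atomicity); the file is then reopened to show the committed transfer survived (durability). Account names, balances and function names are constructed for the example.

```python
"""ACID on a two-account transfer, using the sqlite3 standard-library module.

Added example, not code from the course notes. The accounts and opening
balances are constructed sample data.
"""
import os
import sqlite3
import tempfile

SCHEMA = """
CREATE TABLE account (
    account_id INTEGER PRIMARY KEY,
    name       TEXT NOT NULL,
    balance    REAL NOT NULL CHECK (balance >= 0)   -- integrity constraint: no overdraft
);
"""


def create_ledger(path):
    """Create the ledger file with two sample accounts and return a connection.

    isolation_level=None turns off the module's implicit transactions, so the
    BEGIN/COMMIT/ROLLBACK issued in transfer() are the only ones in play."""
    conn = sqlite3.connect(path, isolation_level=None)
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO account VALUES (?, ?, ?)",
                     [(1, "Cash", 1000.0), (2, "Supplier Payable", 0.0)])
    return conn


def balances(conn):
    return dict(conn.execute(
        "SELECT name, balance FROM account ORDER BY account_id").fetchall())


def transfer(conn, from_id, to_id, amount):
    """Move `amount` from one account to another as a single unit of work.

    Returns True if the transaction committed, False if it was rolled back.
    Atomicity: any failure after the debit undoes the debit as well.
    Consistency: the CHECK constraint rejects a debit that would overdraw.
    Isolation: BEGIN IMMEDIATE takes the write lock, so a concurrent writer
    waits (or times out) rather than working on the half-done transfer.
    """
    try:
        conn.execute("BEGIN IMMEDIATE")
        debit = conn.execute(
            "UPDATE account SET balance = balance - ? WHERE account_id = ?",
            (amount, from_id))
        if debit.rowcount != 1:
            raise sqlite3.IntegrityError("source account %r not found" % from_id)
        credit = conn.execute(
            "UPDATE account SET balance = balance + ? WHERE account_id = ?",
            (amount, to_id))
        if credit.rowcount != 1:
            raise sqlite3.IntegrityError("destination account %r not found" % to_id)
        conn.execute("COMMIT")
        return True
    except sqlite3.Error:
        if conn.in_transaction:
            conn.execute("ROLLBACK")   # nothing from this transfer remains
        return False


def demo():
    """Run three transfers, then reopen the file to show durability."""
    path = os.path.join(tempfile.mkdtemp(), "ledger.db")
    conn = create_ledger(path)
    ok_normal = transfer(conn, 1, 2, 300.0)     # fits: commits
    ok_overdraw = transfer(conn, 1, 2, 5000.0)  # CHECK fails on the debit: rolled back
    ok_missing = transfer(conn, 1, 99, 100.0)   # debit applied, credit finds no row: rolled back
    conn.close()
    # Durability: the committed transfer is still there in a fresh connection.
    reopened = sqlite3.connect(path)
    final = balances(reopened)
    reopened.close()
    return ok_normal, ok_overdraw, ok_missing, final


if __name__ == "__main__":
    print(demo())   # (True, False, False, {'Cash': 700.0, 'Supplier Payable': 300.0})
```

The rowcount checks matter: an UPDATE that matches no row is not an error to the database, so without them a transfer to a non-existent account would silently commit the debit alone, which is exactly the half-transaction atomicity is meant to rule out.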

Types of Transactions

While the transaction process must be standardized to maximize efficiency, every
enterprise requires a tailored transaction process that aligns with its business
strategies and processes. For this reason, there are two broad types of transaction
processing:

Batch Processing

Batch processing is a resource-saving approach that stores data for processing at
pre-defined times. It is useful for enterprises that need to process large amounts of
data using limited resources.

An example of batch processing is the production of credit card statements. Each card
purchase is authorized in real time, but the statement that summarizes a month's
purchases need only be produced once a month, so the statement run is batched rather
than performed after every transaction, saving IT resources.

Real Time Processing

In many circumstances the primary factor is speed. For example, when a bank
customer withdraws a sum of money from his or her account it is vital that the
transaction be processed and the account balance updated as soon as possible,
allowing both the bank and customer to keep track of funds.

4. Development standards and practices for accounting information systems

4.1 Role of Information Systems in an Organization

An information system increases organizational productivity.

An information system can be a mainframe, mid-range or networked computer environment
that allows distributed processing for a group of users accessing the same software
application. These systems provide management with control over their data, with
various tools to extract data or view data structures and records. The role of an
information system is to foster a data management environment that is robust and can be
expanded according to the organization's strategic plan for information processing. An
information system also satisfies diverse information needs in an organization.

4.1.1 Databases/Database Management Systems
Data field – the smallest unit of data.

Data – facts and figures that are relatively meaningless to users on their own. When
data is processed, it can be converted into information.

Record – a collection of related data fields (for example, an employee record).

File – a collection of related records (for example, an employee file).

A database is an organized collection of data. The data is typically organized to
model relevant aspects of reality (for example, the availability of rooms in a hospital,
or the services and subjects offered), in a way that supports processes requiring this
information (for example, finding a hospital that offers cardiac services).

Database management systems (DBMSs) are specially designed applications that
interact with the user, other applications, and the database itself to capture and
analyze data. A general-purpose DBMS is a software system designed to allow the
definition, creation, querying, update, and administration of databases. Well-known
DBMSs include
 MySQL
 PostgreSQL
 SQLite
 Microsoft SQL Server
 Microsoft Access
 Oracle
 SAP HANA
 dBase
 FoxPro
 IBM DB2
 FileMaker Pro

A database is not generally portable across different DBMS, but different DBMSs
can inter-operate by using standards such as SQL and ODBC or JDBC to allow a single
application to work with more than one database.

Automation of Manual Tasks

Information systems architecture can assist an organization in automating manual
tasks. Automation can save time, money and resources and enhance organizational
workflow. There are various types of information systems that automate manual tasks,
ranging from robotic information systems used in areas such as health and medical
services to logistical information systems (automated warehouses and distribution
systems).

Hardware and Software Integration

An organization can have several different computer platforms (hardware and
software). The concept of information systems as a scalable platform can merge
different hardware and software systems. A system can process, store and distribute
information if it is integrated into the workflow of an information system. For
example, a local area network (LAN) can be connected to a mainframe system that
processes accounting information through a "gateway". An open architecture information
system allows for integration at all levels throughout an organization.

Support of a Multi-Processing Environment

An information system can support a "real-time" multi-processing environment through
time-sharing. Time-sharing allows applications to be prioritized based on user ID and
on the system priority assigned to an application, device, database or system catalog.
These features are important to an organization that processes transactions while
developing and testing program applications. In a multi-processing environment, various
departments, divisions or branches can have access to the system at the same time.

System Partitioning

The layout of an information system is partitioned according to data security
policies, user access and program applications. Partitioning the physical hard drives,
memory and storage space used by software applications creates system balance and
effective use of the central processing unit (CPU). System partitioning programs, tools
and routines keep the system from overloading, which would slow down performance. Extra
files paged to memory that are not being used can slow down a customer support system,
which relies on timely processing of customer inquiries. System partitioning is
maintained by a process of preventive maintenance, which ensures its integrity.

Provides Data for Decision Support

The most important role of an information system in an organization is to provide
data to help executive management make decisions. Data is compiled through transaction
processing or query routines built into the information system to access item and
detail records. Through decision support programs, which are packaged as software
routines, executive management can analyze several areas of an organization and create
scenarios through the information system for a desired result. These results are
defined in the organization's objectives and goals to improve productivity.

An alternative and emerging view of organizational design considers a framework that
is useful both for new organizations and for existing organizations in need of a
redesign. Effectively assessing the internal and external factors that may hinder
long-term organizational success requires a comprehensive view of the factors found by
Triplett (2007) to be critical, a multi-use theory that works across cultures and
industries and reduces the need for organizational design to be specialized:

• Goal achievement
• Strategic planning
• Organizational design
• Leadership
• Control
• Knowledge Management
• The learning organization
• Diversity
• Conflict
• Technology, structure, change, and the environment
• Ethics
• Research methodologies in organizational behavior and design

Types of Database Management Systems

DBMSs come in many shapes and sizes. For a few hundred dollars,
you can purchase a DBMS for your desktop computer. For larger computer
systems, much more expensive DBMSs are required. Many mainframe-
based DBMSs are leased by organizations. DBMSs of this scale are highly
sophisticated and would be extremely expensive to develop from scratch.
Therefore, it is cheaper for an organization to lease such a DBMS program
than to develop it. Since there are a variety of DBMSs available, you should
know some of the basic features, as well as strengths and weaknesses, of
the major types.

Types of DBMS: Hierarchical Databases

There are four structural types of database management systems: hierarchical,
network, relational, and object-oriented.
Hierarchical Databases (DBMS), commonly used on
mainframe computers, have been around for a long time. It is one of
the oldest methods of organizing and storing data, and it is still used
by some organizations for making travel reservations. A hierarchical
database is organized in pyramid fashion, like the branches of a tree
extending downwards. Related fields or records are grouped
together so that there are higher-level records and lower-level
records, just like the parents in a family tree sit above the
subordinated children.

The advantage of hierarchical databases is that they can be accessed and updated
rapidly because the tree-like structure and the relationships between records are
defined in advance. However, this feature is a two-edged sword. The disadvantage of
this type of database structure is that each child in the tree may have only one
parent, and relationships or linkages between children are not permitted, even if they
make sense from a logical standpoint. Hierarchical databases are so rigid in their
design that adding a new field or record requires that the entire database be
redefined.

Types of DBMS: Network Databases

Network databases are similar to hierarchical databases by
also having a hierarchical structure. There are a few key differences,
however. Instead of looking like an upside-down tree, a network
database looks more like a cobweb or interconnected network of
records. In network databases, children are called members and
parents are called owners. The most important difference is that
each child or member can have more than one parent (or owner).

Like hierarchical databases, network databases are principally used on mainframe
computers. Since more connections can be made between different types of data, network
databases are considered more flexible. However, two limitations must be considered
when using this kind of database. Similar to hierarchical databases, network databases
must be defined in advance. There is also a limit to the number of connections that can
be made between records.

Types of DBMS: Relational Databases

In relational databases, the relationship between data files
is relational, not hierarchical. Hierarchical and network databases
require the user to pass down through a hierarchy in order to access
needed data. Relational databases connect data in different files by
using common data elements or a key field. Data in relational
databases is stored in different tables, each having a key field that
uniquely identifies each row. Relational databases are more flexible
than either the hierarchical or network database structures. In
relational databases, tables or files filled with data are called
relations, tuples designates a row or record, and columns are
referred to as attributes or fields.

Relational databases work on the principle that each table has a key field that
uniquely identifies each row, and that these key fields can be used to connect one
table of data to another. Thus, one table might have a row consisting of a customer
account number as the key field along with an address and telephone number. The
customer account number in this table could be linked to another table of data that
also includes the customer account number (there as a foreign key) but contains
information about product returns, including an item number (another key field). This
key field can be linked to another table that contains item numbers and other product
information such as production location, color, quality control person, and other
data. Therefore, using this database, customer information can be linked to specific
product information.

The relational database has become quite popular for two major reasons. First,
relational databases require relatively little training to use. Second, database
entries can be modified without redefining the entire structure. The downside of using
a relational database is that searching for data can take more time than with the other
methods, because related data must be joined across tables at query time.

Types of DBMS: Object-oriented Databases (OODBMS)

Able to handle many new data types, including graphics, photographs, audio, and
video, object-oriented databases represent a significant advance over their other
database cousins. Hierarchical, network and relational databases are all designed to
handle structured data; that is, data that fits nicely into fields, rows, and columns.
They are useful for handling small snippets of information such as names, addresses,
zip codes, product numbers, and any kind of statistic or number you can think of. On
the other hand, an object-oriented database can be used to store data from a variety of
media sources, such as photographs and text, and produce work, as output, in a
multimedia format.

Object-oriented databases use small, reusable chunks of software called objects. The
objects themselves are stored in the object-oriented database. Each object consists of
two elements: 1) a piece of data (e.g., sound, video, text, or graphics), and 2) the
instructions, or software programs called methods, for what to do with the data. Part
two of this definition requires a little more explanation. The instructions contained
within the object are used to do something with the data in the object. For example,
test scores would be within the object, as would the instructions for calculating the
average test score.

Object-oriented databases have two disadvantages. First, they are more costly to
develop. Second, most organizations are reluctant to abandon or convert from the
databases they have already invested money in developing and implementing. However,
the benefits of object-oriented databases are compelling. The ability to mix and match
reusable objects provides considerable multimedia capability. Healthcare organizations,
for example, can store, track, and recall CAT scans, X-rays, electrocardiograms and
many other forms of crucial data.

System Development Life Cycle

The oldest and best known system development life cycle (SDLC) model is the waterfall:
a sequence of stages in which the output of each stage becomes the input for the next.
These stages can be characterized and divided up in different ways, including the
following:

 Project planning, feasibility study: Establishes a high-level view of the intended
project and determines its goals.
 Systems analysis, requirements definition: Refines project goals into defined
functions and operation of the intended application. Analyzes end-user information
needs. The control requirements of the AIS (function 3 above) belong here as well: a
control found to be missing only after deployment is far more expensive to add.
 Systems design: Describes desired features and operations in detail, including
screen layouts, business rules, process diagrams, pseudo code and other
documentation.
 Implementation: The real code is written here.
 Integration and testing: Brings all the pieces together into a special testing
environment, then checks for errors, bugs and interoperability.
 Acceptance, installation, deployment: The final stage of initial development,
where the software is put into production and runs actual business.
 Maintenance: What happens during the rest of the software's life: changes,
corrections, additions, moves to a different computing platform, and more. This, the
least glamorous and perhaps most important step of all, goes on seemingly forever.

The image below is the classic Waterfall model, the first SDLC method; it shows the
various phases involved in development in sequence.

5. Risk exposure and the internal control structure

Risk is the possibility of loss or injury that can reduce or eliminate an
organization’s ability to achieve its objectives. In terms of electronic commerce,
risk relates to the loss, theft or destruction of data as well as the use of computer
programs that financially or physically harm an organization.

An intranet is a computer network that uses Internet Protocol technology
to share information, operational systems, or computing services within an
organization. The term is used in contrast to internet, a network between
organizations, and instead refers to a network within an organization. Sometimes,
the term refers only to the organization's internal website, but may be a more
extensive part of the organization's information technology infrastructure, and may
be composed of multiple local area networks. The objective is to organize each
individual's desktop with minimal cost, time and effort to be more productive, cost
efficient, timely, and competitive.

Types of risks

Intranet risks

Intranet risks are posed by dishonest employees who have the technical
knowledge and position to perpetrate frauds; internet risks threaten
both consumers and business entities.

Interception of Network Messages

An intercept message is a telephone recording informing the caller that the call cannot be completed, for any of a number of
reasons ranging from local congestion, to disconnection of the
dialed phone, or network trouble along the route.

Access to corporate database

Intranets connected to a central corporate database increase the risk that an employee will view, corrupt, change, or copy data.
Social security numbers, customer listings, credit card information,
recipes, formulas, and design specifications may be downloaded and
sold. A Computer Security Institute (CSI) study reported that
financial fraud losses of this sort averaged $500,000. A previous CSI
study found that the average loss from corporate espionage was
more than $1 million. Total losses from insider trade secret theft
have been estimated to exceed $24 billion per year.

Privileged Employees

According to a CSI study, however, middle managers, who often possess access privileges that allow them to override controls,
are most often prosecuted for insider crimes. Information system
employees within the organization are another group empowered
with override privileges that may permit access to mission-critical
data.

Reluctance to Prosecute

A factor that contributes to computer crime is many organizations’ reluctance to prosecute the criminals. According to a
CSI study, this situation is improving. In 1996, 75 percent of such
crimes were reported. Of the 25 percent that did not report the
intrusion, fear of negative publicity was the most commonly cited
justification for their silence.

Internet Risk

The risks related to consumer privacy and transaction security are examined first. The risks to business entities from fraud and malicious acts are then
reviewed.

Risk to consumer

As more and more people connect to the web, internet fraud increases. Because of this, many consumers view the internet as an unsafe
place to do business. In particular, they worry about the security of credit
card information left on web sites and the confidentiality of their
transactions. Some of the more common threats to consumers from cyber
criminals are discussed here.

Theft of Credit Card Numbers

Theft of Passwords

Customer Privacy

Cookies and Consumer Security

Cookies are files containing user information that are created by the
Web server of the site being visited. The cookies are then stored on the
visitor’s computer hard drive. They contain URLs of visited sites. When the
site is revisited, the user’s browser sends the specific cookies to the Web
server.

IP Spoofing

IP Spoofing is a form of masquerading to gain unauthorized access to a Web server and/or to perpetrate an unlawful act without revealing one’s
identity. To accomplish this, a perpetrator modifies the IP address of the
originating computer to disguise his or her identity. A criminal may use IP
spoofing to make a message appear to be coming from a trusted or authorized
source and thus slip through the control systems designed to accept
transmissions from certain (trusted) host computers and block out others.

Denial of Service Attacks

A denial of service attack (DoS) is an assault on a Web server to prevent it from servicing its legitimate users. Three common types of DoS
attack are the SYN flood, the smurf attack, and distributed denial of service (DDoS).

Motivation behind Dos Attacks

DoS attacks were originally launched to punish an organization with which the perpetrator had a grievance or simply to gain
bragging rights for being able to do it. DoS attacks are also
perpetrated for financial gain. Financial institutions, which are
particularly dependent on Internet access, have been prime targets.

SYN Flood Attack

When a user establishes a connection on the internet through TCP/IP, a handshake takes place. The connecting server sends an
initiation code called a SYN (SYNchronize) packet to the receiving server. The
receiving server then acknowledges the request by returning a SYNchronize-
ACKnowledge (SYN-ACK) packet and waits for the final ACK. In a SYN flood the
attacker never sends that ACK, so half-open connections accumulate until the
server can accept no more. Organizations under attack thus may be
prevented from receiving internet messages for days at a time. (Firewall…)

Smurf Attack

A smurf attack involves three parties: the perpetrator, the intermediary and the victim. It is accomplished by exploiting an internet
maintenance tool called a ping, which is used to test the state of network
congestion and determine whether a particular host computer is connected and
available in the network.
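The two attacks just described both depend on the network forwarding packets it should not: IP spoofing relies on a packet from outside carrying a trusted (internal) source address, and a smurf attack relies on an intermediary delivering a ping to its broadcast address. The following is an added example, not code from the handout: a minimal border-filter model in Python that applies ingress/egress anti-spoofing and blocks echo requests to the directed-broadcast address. The internal address block (192.168.10.0/24), the interface names and the sample packets are constructed assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed values for this example (not from the handout): the organisation's
# internal address block and the directed-broadcast address of that LAN.
INTERNAL_NET = ipaddress.ip_network("192.168.10.0/24")
LAN_BROADCAST = INTERNAL_NET.broadcast_address


@dataclass
class Packet:
    iface: str                        # interface the packet arrived on: "external" or "internal"
    src: str                          # source IP address as written in the packet header
    dst: str                          # destination IP address
    proto: str                        # "tcp", "udp" or "icmp"
    icmp_type: Optional[int] = None   # ICMP type; 8 is echo request (ping)


def filter_packet(pkt: Packet) -> Tuple[str, str]:
    """Return ("accept" or "drop", reason) for one packet."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    # Ingress anti-spoofing: a packet from the Internet can never legitimately
    # carry an internal source address, so a trusted-host rule must not be fooled by it.
    if pkt.iface == "external" and src in INTERNAL_NET:
        return ("drop", "internal source address arriving on external interface")
    # Egress anti-spoofing: packets leaving the LAN must carry an internal source,
    # which stops the organisation's own hosts from emitting spoofed packets.
    if pkt.iface == "internal" and src not in INTERNAL_NET:
        return ("drop", "non-internal source address leaving the LAN")
    # Smurf mitigation: never deliver an echo request to the directed-broadcast
    # address, so the LAN cannot act as the amplifying intermediary.
    if pkt.proto == "icmp" and pkt.icmp_type == 8 and dst == LAN_BROADCAST:
        return ("drop", "ICMP echo request to directed broadcast address")
    return ("accept", "")


def filter_all(packets: List[Packet]) -> List[Tuple[str, str]]:
    """Apply the filter to a list of packets, preserving order."""
    return [filter_packet(p) for p in packets]


# Constructed sample traffic (documentation address ranges, no real hosts).
SAMPLE_PACKETS = [
    Packet("external", "203.0.113.7", "192.168.10.20", "tcp"),        # normal inbound
    Packet("external", "192.168.10.5", "192.168.10.20", "tcp"),       # spoofed as internal
    Packet("external", "203.0.113.7", "192.168.10.255", "icmp", 8),   # smurf-style ping
    Packet("internal", "10.0.0.9", "198.51.100.1", "udp"),            # spoofed outbound
    Packet("internal", "192.168.10.5", "198.51.100.1", "tcp"),        # normal outbound
]

if __name__ == "__main__":
    for pkt, (verdict, reason) in zip(SAMPLE_PACKETS, filter_all(SAMPLE_PACKETS)):
        print(f"{verdict:6} {pkt.iface:8} {pkt.src} -> {pkt.dst}  {reason}")
```

The egress rule is the part organisations most often omit: it does nothing to protect the local network, but it prevents the organisation's own hosts from being usable as the source of spoofed traffic against others.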

Distributed Denial of Service (DDos)

A DDoS attack may take the form of a SYN flood or smurf attack. The
perpetrator of a DDoS attack may employ a virtual army of so-called zombie
or bot (robot) computers to launch the attack. Thousands of individual attacking
computers are harder to track down and turn off.
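The SYN flood described above leaves a recognisable trace: connections in which the server has answered SYN-ACK but never receives the client's final ACK. As an added example (not from the handout), the Python below tracks handshake state per client/server pair over a constructed list of TCP events and flags a server whose count of half-open connections reaches a threshold. The event format, the addresses and the threshold of 20 are assumptions for the example.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

Event = Tuple[float, str, str, str]   # (time in seconds, src IP, dst IP, TCP flags)

# Constructed sample of TCP handshake events seen in front of one server (192.0.2.10).
# One client completes the three-way handshake; forty others never send the final ACK.
SAMPLE_EVENTS: List[Event] = [
    (0.0, "198.51.100.4", "192.0.2.10", "SYN"),
    (0.1, "192.0.2.10", "198.51.100.4", "SYN-ACK"),
    (0.2, "198.51.100.4", "192.0.2.10", "ACK"),
]
for i in range(1, 41):
    SAMPLE_EVENTS.append((1.0 + i * 0.01, f"203.0.113.{i}", "192.0.2.10", "SYN"))
    SAMPLE_EVENTS.append((1.0 + i * 0.01 + 0.005, "192.0.2.10", f"203.0.113.{i}", "SYN-ACK"))


def half_open_connections(events: List[Event]) -> Dict[str, int]:
    """Count, per server, handshakes the server answered with SYN-ACK but never saw the final ACK."""
    state: Dict[Tuple[str, str], str] = {}   # (client, server) -> "syn" | "syn-ack" | "open"
    for _, src, dst, flags in sorted(events):
        if flags == "SYN":
            state[(src, dst)] = "syn"
        elif flags == "SYN-ACK" and state.get((dst, src)) == "syn":
            state[(dst, src)] = "syn-ack"     # server replied; waiting for the client's ACK
        elif flags == "ACK" and state.get((src, dst)) == "syn-ack":
            state[(src, dst)] = "open"        # handshake completed
    counts: Dict[str, int] = defaultdict(int)
    for (_, server), s in state.items():
        if s == "syn-ack":
            counts[server] += 1
    return dict(counts)


def detect_syn_flood(events: List[Event], threshold: int = 20) -> List[str]:
    """Servers whose half-open connection count reaches the (assumed) threshold."""
    return sorted(server for server, n in half_open_connections(events).items() if n >= threshold)


if __name__ == "__main__":
    print(half_open_connections(SAMPLE_EVENTS))   # {'192.0.2.10': 40}
    print(detect_syn_flood(SAMPLE_EVENTS))        # ['192.0.2.10']
```

Keying the count on the victim server rather than on the client address is deliberate: in a SYN flood the client addresses are typically spoofed and differ on every packet, so a per-source threshold would never trigger.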

Viruses and Malicious Code

Computer viruses are probably the most widely-known form of Internet security attack. A virus is a piece of software programming with
the unique ability to replicate and spread itself to other computers.
Malicious code in general refers to computer programs that are written
specifically to cause mischief or, worse, cause damage to infected
computers.

A virus or script like this can enter a victim computer either through
email, by downloading infected software from the Internet, or by using
infected media such as floppy disks or CD-ROMs. With the wide use of
email, malicious viruses and scripts have the capability to reach almost
anyone who is connected to the Internet.

Like their biological equivalent, a computer virus often carries with it a destructive payload, and is difficult to eradicate. Well-known viruses
like Melissa and ILOVEYOU.VBS have been able to spread so quickly
that they overloaded Internet email systems and company networks within
a few hours of their introduction. A virus may be merely annoying, or
completely destructive. The most severe viruses will erase the contents of
the computer’s hard drive, or render it completely useless. If no back-ups
are kept, important data may be lost or damaged beyond repair, which could
ultimately result in serious financial loss.

Trojan Horses

Another form of malicious code is the Trojan horse. A Trojan horse is similar to a virus in the way it is transmitted; however, unlike a virus, a
Trojan horse does not replicate itself. Rather, it stays in the target machine,
inflicting damage or allowing somebody from a remote site to take control
of the computer. A Trojan horse often masquerades as a legitimate program,
but once installed on the victim machine runs an illicit, damaging
program.

Worms

A third type of malicious code is known as a worm. A worm is a type of virus that can replicate itself across all the different nodes or
connections that make up a network. Worms can contain harmful payloads,
but they generally cause most of their damage by tying up the network,
using up valuable memory and wasting valuable processing time.

In February 2000, denial of service attacks against web giants like Yahoo and eBay garnered a lot of attention from the media and from the
Internet community. When it comes to problems with Internet security, it is
usually major attacks against big companies that get the headlines.
Unfortunately, many small or home business owners do not realize that they
are just as likely to be targeted as any large company. As a consequence of
existing in the digital age, almost everyone is vulnerable to breaches of
security. If your business relies on computer or Internet technology, you
need to be prepared to deal with security issues.

What is Internet Security?

Internet security can be defined as the protection of data from theft, loss or
unauthorized access, use or modification. With the constantly evolving
nature of the Internet, it is vital that users continuously protect themselves
and their information. This issue is so important that many large firms
employ full-time security experts or analysts to maintain network security.
However, few, if any, home and small business owners can afford that
luxury. Therefore it is up to small-office users to take these issues into their
own hands.

Attackers, Hackers and Crackers

Any time a large attack is reported in the media, there is a great deal of
speculation about who perpetrated the attack and why. By now, most people have
heard the term hacker bandied about by the media. Often attacks are blamed on
these so-called hackers. Who or what are hackers? What role do they play in
Internet security and what motivates them to do what they do?

Hackers

The term hacker was originally used to refer to a self-taught computer expert who is highly skilled with technology, programming, and
hardware. Many hackers employ these skills to test the strength and
integrity of computer systems for a wide variety of reasons: to prove their
own ability, to satisfy their curiosity about how different programs work, or
to improve their own programming skills by exploring the programming of
others. The term hacker has been adopted by the mass media to refer to all
people who break into computer systems, regardless of motivation;
however, in the media the term hacker is often associated with people who
hack illegally for criminal purposes. Many in the Internet security
community strongly disagree with this use of the term.

Crackers

People within the Internet community tend to refer to people who engage in unlawful or damaging hacking as crackers, short for criminal
hackers. The term cracker generally connotes a hacker who uses his or her
skills to commit unlawful acts, or to deliberately create mischief. Unlike
hackers, whose motivations may be professional or community
enhancement, the motivation of crackers is generally to cause mischief,
create damage or to pursue illegal activities, such as data theft or vandalism.

Script Kiddies

Some of the most highly publicized Internet security breaches, such as the February denial of service attacks, are committed by middle class
teenagers, who seem to perpetrate mischief in order to make a name for
themselves. Security experts often refer to these individuals as script kiddies.
Script kiddies are generally ego-driven, unskilled crackers who use
information and software or scripts that they download from the Internet to
inflict damage upon targeted sites. Script kiddies are generally looked upon
with disdain by members of the hacking community and by law
enforcement authorities because they are generally unskilled individuals
with a lot of time on their hands who wreak havoc, usually in order to
impress their friends.

Why Are Internet Users So Vulnerable?

Increased Usage

In the last 10 years the face of computing has changed dramatically. More and more businesses rely heavily on networked systems and the
Internet to conduct business. In just a few years, we have turned into a wired
world, with information of any type accessible from just about anywhere,
by anyone. At the end of 1999, there were approximately 200 million users
online worldwide. That number is expected to increase to 1 billion users by
the year 2003. As more people use the Internet, the number of potential
targets increases. Furthermore, as more and more businesses store their
valuable information online, the potential for theft or damage increases.

Always-On Connections

In response to the need for greater speed and higher carrying capacity, most small or home business users rely on high bandwidth
connections to the Internet such as DSL (digital subscriber line) or cable
modems. Always-on connections have two important characteristics that
increase vulnerability. Firstly, because they are always on, they are always
available for potential attackers to access. An unprotected connection to the
Internet is an open two-way channel: information goes in and out of the
system unimpeded. As long as an unprotected connection is maintained, it
serves as a point of entry for potential intruders to enter or attack the system.

Secondly, always-on connections have static or unchanging IP addresses. With traditional connectivity, such as dial-up modems, the
connection is temporary: when the user finishes using the Internet, he or she
disconnects. Each time the connection is re-established, the computer gets
a new IP address. This makes the computer harder for attackers to find,
because the target address is always changing. However, because high-
speed connections often remain connected even when the computer is not
in use, the IP address never changes. Once a potential hacker has found the
computer, he or she will be able to return to it as long as it is using the same
IP address, placing it at greater risk of malicious intrusion.

Insecure Technology

Another factor that has increased the risk of intrusion for Internet
users is the tremendous rate of technological change. The pace of
technological development has never been faster, and the world is trying
frantically to catch up with it. Software developers strive to make their
programs more user-friendly, often sacrificing security or reliability. Many
commercial software packages that are released to market contain inherent
flaws that may be exploited by attackers. This puts the end user at risk: not
only is the technology potentially vulnerable, but users are often unaware
of how they may be at risk.

Lack of Education

One of the biggest security concerns that a small business may face
today is a lack of information about the threats that exist on the Internet.
This doesn’t mean that people don’t care, or aren’t concerned, but in today’s
world of doing business at light-speed, managers do not have the time or
resources to stay on top of the latest developments in information security.
For smaller enterprises, employing someone full-time to maintain system
security is rarely an option - security professionals don’t come cheap, even
when contracted temporarily. Furthermore, most small business operators
are sufficiently busy tackling the traditional challenges of establishing and
running their own business without trying to ensure the security of their
computer networks. As a result, information security can be an afterthought
for many small and home office users.

How do Hackers Enter a System?

Port Scanning

Port scanning is a way for potential attackers to identify whether or
not a computer is vulnerable to attack. In simple terms, a port is an opening
on a computer through which information enters and exits. A computer uses
a different port to communicate with other computers for each Internet
application, such as HTTP (aka the World Wide Web), which typically uses
port 80. Port scanning checks a range of Internet addresses to identify
machines that respond to a connection request. Responding to a
communication request indicates that a port is open. A port scan would
reveal this potential victim to the attacker, and add it to a list of potential
targets that the attacker could use later on.
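From the defender's side, the scan described above shows up as one source touching many distinct ports on the same host in a short time. The following is an added example (not code from the handout) in Python: it parses a few constructed firewall log lines and flags a source that probed at least five distinct ports on one host within a ten-second window. The log format, the addresses and both thresholds are assumptions for the example, not those of any particular firewall product.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample log lines in an assumed "HH:MM:SS src dst dport action" format.
# 203.0.113.9 sweeps eight ports in three seconds; 198.51.100.4 is ordinary web traffic.
SAMPLE_LOG = """\
12:00:01 203.0.113.9 192.0.2.10 22 DROP
12:00:01 203.0.113.9 192.0.2.10 23 DROP
12:00:02 203.0.113.9 192.0.2.10 25 DROP
12:00:02 203.0.113.9 192.0.2.10 80 ACCEPT
12:00:02 203.0.113.9 192.0.2.10 110 DROP
12:00:03 203.0.113.9 192.0.2.10 143 DROP
12:00:03 203.0.113.9 192.0.2.10 443 ACCEPT
12:00:03 203.0.113.9 192.0.2.10 3389 DROP
12:00:04 198.51.100.4 192.0.2.10 80 ACCEPT
12:00:05 198.51.100.4 192.0.2.10 80 ACCEPT
12:00:07 198.51.100.4 192.0.2.10 443 ACCEPT
"""

LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d) (\S+) (\S+) (\d+) (ACCEPT|DROP)$")

Record = Tuple[int, str, str, int, str]   # (seconds since midnight, src, dst, dport, action)


def parse_log(text: str) -> List[Record]:
    """Parse log lines into records; malformed lines are skipped rather than raising."""
    records: List[Record] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        h, mi, s, src, dst, port, action = m.groups()
        records.append((int(h) * 3600 + int(mi) * 60 + int(s), src, dst, int(port), action))
    return records


def detect_port_scans(records: List[Record], window: int = 10,
                      min_ports: int = 5) -> List[Tuple[str, str, int]]:
    """Return (src, dst, distinct_ports) for sources that hit >= min_ports distinct
    ports on one host within any window of `window` seconds."""
    probes: Dict[Tuple[str, str], List[Tuple[int, int]]] = defaultdict(list)
    for t, src, dst, port, _ in records:
        probes[(src, dst)].append((t, port))
    hits: List[Tuple[str, str, int]] = []
    for (src, dst), items in probes.items():
        items.sort()
        for start, _ in items:
            # Distinct ports probed in the window opening at this probe's timestamp.
            ports = {p for t, p in items if start <= t < start + window}
            if len(ports) >= min_ports:
                hits.append((src, dst, len(ports)))
                break                      # one alert per source/destination pair
    return sorted(hits)


if __name__ == "__main__":
    for src, dst, n in detect_port_scans(parse_log(SAMPLE_LOG)):
        print(f"possible port scan: {src} probed {n} distinct ports on {dst}")
```

Counting distinct ports rather than raw connection attempts is what separates a scan from a busy but legitimate client, which will hit the same one or two service ports repeatedly.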

Vulnerabilities, Exploits and Bugs

In addition to using port scanning to find machines, potential attackers use flaws in operating systems or software applications to break
in and do damage. These flaws are commonly known as vulnerabilities,
bugs or holes. Many remote security attacks rely on bugs in operating
system software, or in the services that the machine may host. Depending
on the operating system, a remote attack could work well enough to give
the cracker full administrative control over a machine, letting the attacker
use it for whatever purpose he likes, even using it as a platform from which
to launch further attacks on other networks.

What is at Stake?

Loss of Information/ Data Theft

Once an attacker gains control of the user’s computer, he or she may gain access to all the files that are stored on the computer, including
personal or company financial information, credit card numbers, and client
or customer data or lists. Needless to say, in the wrong hands, this could do
serious damage to any business. If the data is altered or stolen, a company
may risk losing the trust and credibility of its customers. In addition to
the potential financial loss that may occur, the loss of information may cause
a business to lose crucial competitive advantage over its rivals. With the
importance of information to the success of any business, the loss or theft
of data could be disastrous.

Launching of Attacks from the Occupied System.

When a computer is successfully hacked, it is said to be owned. Once it is owned, the victim computer can be manipulated to perform the
commands of the hacker. One of the dangers of being constantly connected
is that if a user’s computer is successfully hacked, it can then be used to
launch attacks against other machines, without the knowledge or awareness of
the user. If the machine runs any web services, the website(s) may be
defaced, destroyed or removed and replaced with web graffiti, a tag or
image representing the cracker or a cracker group or affiliation. If the
computer is used for illegal activities, such as denial of service attacks, the
owner of the victim computer may be held legally responsible.

Protection - Knowledge is the Key

The situation isn't entirely hopeless, however. There are many things
that businesses can do to protect themselves and their assets. Knowledge is
a key component in addressing this problem. Knowing what the risks are,
how your business is vulnerable and how attacks could potentially affect
your business is paramount in maintaining security. You don’t have to be a
security expert to recognize the damage that you could incur should your
company fall victim to the efforts of a malicious attacker. By understanding
the problem, you empower yourself to protect yourself and your company
to deal with any security issues as they arise.

Information system control

To ensure secure and efficient operation of information systems, an organization institutes a set of procedures and technological measures called
controls. Information systems are safeguarded through a combination of general
and application controls.

General controls apply to information system activities throughout an organization. The most important general controls are the measures that control
access to computer systems and the information stored there or transmitted over
telecommunications networks. General controls include administrative measures
that restrict employees’ access to only those processes directly relevant to their
duties. As a result, these controls limit the damage that any individual employee.

Transaction Authorization

Controls need to be built into the system to validate transactions before other modules accept and act upon them. Because of the real-time orientation of ERP systems, they
are more dependent on programmed controls than on human intervention.

Segregation of Duties

Operational decisions in ERP-based organizations are pushed down to a point as close as possible to the source of the event. Manual processes that normally
require segregation of duties are, therefore, often eliminated in the ERP
environment. Organizations using ERP systems must establish new security, audit,
and control tools to ensure duties are properly segregated. An important aspect of
such control is the assignment of roles.

Supervision

Supervisors need to acquire an extensive technical and operational understanding of the system.

Accounting Records

Risk is mitigated by improved data entry accuracy through the use of default
values, cross-checking, and specified user views of data.

Independent Verification

The focus of independent verification thus needs to be redirected from the individual transaction level to one that views overall performance. ERP systems
come with canned controls and can be configured to produce performance reports
that should be used as assessment tools. Internal auditors also play an important
role in this environment and need to acquire a thorough technical background and
comprehensive understanding of the ERP system.

Access Control

Access security is one of the most critical control issues in an ERP environment. The goal of ERP access control is to maintain data confidentiality,
integrity, and availability. Security weaknesses can result in transaction errors,
irregularities, data corruption, and financial statement misrepresentation.
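The Transaction Authorization, Segregation of Duties and Access Control sections above describe programmed controls built around the assignment of roles. As an added example (not code from the handout or from any ERP product), the Python below models a small purchasing cycle: it derives each user's effective permissions from their roles, reports users who hold a conflicting pair of permissions, and validates a purchase order before a downstream module would accept it (creator may not approve their own order, approver must hold the right permission and sufficient approval limit). The role names, conflict pairs, approval limit and sample users are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed role-to-permission matrix for a purchasing cycle (assumed for this example).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "purchasing_clerk": {"create_po"},
    "purchasing_manager": {"approve_po"},
    "ap_clerk": {"record_invoice"},
    "treasury": {"release_payment"},
    "vendor_master": {"create_vendor"},
}

# Permission pairs one person must never hold together (segregation of duties), assumed.
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"create_po", "approve_po"}),
    frozenset({"create_vendor", "release_payment"}),
    frozenset({"record_invoice", "release_payment"}),
}

# Monetary approval limit per role (assumed amount).
APPROVAL_LIMIT: Dict[str, int] = {"purchasing_manager": 50_000}

# Constructed users: carol has been given two roles that together breach a SoD rule.
SAMPLE_USERS: Dict[str, Set[str]] = {
    "alice": {"purchasing_clerk"},
    "bob": {"purchasing_manager"},
    "carol": {"ap_clerk", "treasury"},
}


def effective_permissions(user_roles: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Union of the permissions granted by every role a user holds."""
    return {user: set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))
            for user, roles in user_roles.items()}


def sod_violations(user_roles: Dict[str, Set[str]]) -> List[Tuple[str, FrozenSet[str]]]:
    """(user, conflicting permission pair) for every user whose roles combine into a conflict."""
    found = []
    for user, perms in effective_permissions(user_roles).items():
        for pair in SOD_CONFLICTS:
            if pair <= perms:
                found.append((user, pair))
    return sorted(found, key=lambda item: (item[0], sorted(item[1])))


@dataclass
class PurchaseOrder:
    po_id: str
    created_by: str
    amount: float
    approved_by: Optional[str] = None


def authorize_po(po: PurchaseOrder, user_roles: Dict[str, Set[str]]) -> Tuple[bool, str]:
    """Programmed authorization check run before AP or treasury modules act on the order."""
    perms = effective_permissions(user_roles)
    if "create_po" not in perms.get(po.created_by, set()):
        return (False, "creator lacks create_po")
    if po.approved_by is None:
        return (False, "no approval recorded")
    if po.approved_by == po.created_by:
        return (False, "creator cannot approve own PO")
    if "approve_po" not in perms.get(po.approved_by, set()):
        return (False, "approver lacks approve_po")
    limit = max((APPROVAL_LIMIT.get(r, 0) for r in user_roles.get(po.approved_by, set())), default=0)
    if po.amount > limit:
        return (False, f"amount exceeds approver limit {limit}")
    return (True, "authorized")


if __name__ == "__main__":
    print(sod_violations(SAMPLE_USERS))
    print(authorize_po(PurchaseOrder("PO-1", "alice", 12_000, "bob"), SAMPLE_USERS))
    print(authorize_po(PurchaseOrder("PO-2", "alice", 12_000, "alice"), SAMPLE_USERS))
```

Running the conflict report against the live role assignments (rather than against the role definitions alone) is what catches cases like carol's: each role is harmless on its own, and the conflict only appears once both are granted to one person.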

Review of system analysis and design techniques

Principles of a reliable system

The key requirement for all software projects is reliability. Clients
obviously want their projects to work accurately, to be done on time, and
economically, but reliability is always the prime requirement, and the hardest to
achieve.

Designing for reliability also makes the overall project easier to manage,
and reduces the risk of cost and time overruns, and of functional errors.

Reliability of a system depends on two related aspects: the overall complexity of the system, and the individual reliability of its pieces.

In general, more complex systems have less reliable components, and we believe this is direct cause and effect: developers are less able to build reliable
components in a complex architecture.

So, the fundamental challenge facing all software architects, though only
good architects realize this, is how to solve complexity. Any given technical
issue can be solved simply by applying effort, money and resources. But even the most well-funded
projects collapse under their own weight if badly designed. People confuse
complexity for value and simplicity for naivety, when the truth is the opposite. It is hard to
build simple systems and easy to make complex ones.

General Principles

Architecture does not Just Happen

A successful architecture is the work of a skilled architect who invests in the job. Just as a vibrant, livable city is the work of many generations of skilled
planners, and a mega-slum is the result of unplanned growth, so software systems
that have no architects will inevitably become slums.

Several classic scenarios where no architect is put in charge of the overall design:

1. There may be no clear business owner of the overall system, so no-one is willing
or able to nominate an architect and take responsibility for the global quality.
2. Competition between vendors can prevent a single person acting as architect.
3. There may be no competent architect available at all.
4. It may not be obvious to the business that there is an architecture issue.

Architecture is About People

The term “software engineer” suggests that software is a material like steel or
carbon fiber. In fact writing software is a lot more like cooking, designing clothes, or
classic architecture of homes and offices. People have limitations, make mistakes, and
need help in certain ways. This applies as much to those making the software as those
using it.

Divide and Conquer

A good architect starts by cutting large problems into smaller pieces, like a
diamond cutter breaks a large stone into smaller pieces. Personal and collective
experience guides the knife.

However, there are some general rules that help:

 Pieces need to fit people. Ultimately, architecture is about fitting the problem to
people. If a problem fits neatly to one developer or one small team, it has a good
size. If a problem can only be solved by collaborating teams, it's badly sized.
 Interfaces define the fracture points. It's best to slice at the point where the interface
is simplest. The interface will become a contract between individual developers, or
teams. The simplest contract is the best one.

 Every problem can be deconstructed. If an architect cannot break a large problem
into pieces, he or she is not competent. Sometimes lateral thinking is needed. But
we have never seen large problems that could not be divided up.
 The architecture is a contract. It must be clear enough to create boundaries, between
teams and layers that cannot and never need to be crossed except through agreed
interfaces.
 Decouple the change process. The architecture should package change into clean
boxes so that the overall system can be both stable and dynamic.

Windows, on the other hand, remains stubbornly expensive to develop, and weak in terms of security, reliability and performance. In 2008 the RAM industry is
facing a collapse because expected sales of Windows Vista have not
materialized.

Formalize the Interfaces

Every interface is a contract between two parties (or rather, two categories
of party) and must be formalized as far as reasonable. Typically we formalize some
or all these aspects of an interface:

1. What information we exchange between the two parties (the semantics);
2. How we exchange this information (the syntax);
3. How we handle errors of different types;
4. How we negotiate, report, or extend the interface;
5. How we evolve the interface over time.

A good interface is regular, predictable, utterly consistent, and overall simple to understand. An interface that is “complex” is a recipe for unreliable
applications. Further, a bad interface is inflexible; it has no shades of gray, no
flexibility when things go wrong. Problems in a system must be seen sooner, rather
than later.

Identify and Eliminate Risk

Risk is always relative, and one reason organizations pay skilled people to help
design architectures is that they should be able to eliminate risk. There is a classic
set of risks that face all non-trivial software projects, and each can be eliminated
through careful architectural choices:

 The risk of dependency on specific operating systems, languages, or other
platforms. Creating or reusing portability layers.
 The risk of vendor lock-in. Allowing open source technologies and open
standards.
 The risk of dependency on key staff. Making it possible and economic to re-
engineer any part of the architecture if necessary.
 The risk of human error. Assuming people make mistakes, and designing our
processes to catch those (rather than demanding that people be perfect).
 The risk of design failure. Designing progressively, especially in new areas
where we also need to learn. Sometimes we deliberately discard designs and
start afresh.
 The risk of budget or schedule overruns. Working minimalistically, never
implementing any functionality that is not needed.
 The risk of badly implemented components. Making sure every component is
fully testable before it is plugged into the architecture.

Reliable software does take longer to develop but is much cheaper to maintain.

Eliminate Dependencies

One of the biggest headaches in complex architectures is that changing one part has unexpected consequences elsewhere. Programmers who experience this in
their code should treat it as a sign that the code is poorly architected.

Eliminating dependencies between components makes architectures easier to change. For example, imagine if a Linux kernel module had dependencies on
other kernel modules. Any change in one of these could affect the others in
unforeseen ways.

The key view here is the difference between “dependency” and “interface”.
If two components need to communicate, they do this via a formal interface that
can be documented and that allows each component to be tested in vitro.

An unwelcome dependency would be two applications that share the same database tables.

Ensure Full Testability

A unit should operate the same whether it is in a laboratory, or in a real architecture.
