Enterprise and Accounting Information System

Enterprise Resource Planning (ERP) systems: cross-functional systems that support different business functions and facilitate integration of information across departments. They communicate in real time with a centralized database, depending on how independent or integrated the solution is.

Accounting Information System (AIS): a system that collects, records, and stores accounting information and then compiles the information using accounting rules to report both financial and nonfinancial information to decision makers in an enterprise.

•More specific in nature than an ERP; can work as a piece of an ERP or separately.

Accounting Information Subsystems:

•Transaction Processing System: converts economic events into financial transactions and distributes the information to support daily operations. Typically covers sales, conversion of inventory, and expenditures.

•Financial Reporting Systems: Aggregates daily financial information from the TPS and other sources for infrequent events to enable timely regulatory and financial reporting.

•Management Reporting System: Provides internal financial information to solve day-to-day business problems.

Objectives of an AIS: 3 subsystems with 5 objectives

•Record valid transactions

•Properly classify those transactions

•Record the transactions at their correct value

•Record the transaction in the correct accounting period

•Properly present the transaction and related information in the financial statements of the organization

Sequence of Events of an AIS:

•Transaction data starts with source documents.

•Original source documents, if they exist, are filed.

•Transactions are recorded in journal entries (J/E).

•J/E are posted to the general and subsidiary ledgers.

•Trial balances are prepared.

•Adjustments, accruals, and corrections are entered.

•Financial reports are generated.

A well-designed AIS should create an audit trail for tracing or vouching.

Transaction Cycles

Purchases and Disbursements Cycle: Ordering and then paying. Internally, the item will be recorded and then the payment will be recorded into the general ledger and reporting cycle, which will be reported to managers.

•AIS should verify that the purchase is on the approved list, then display the list and run a competitive bidding process, then send the order to the vendor.

•Once the order is received, the receiving department can enter the PO number and quantity.

•AIS concurrently updates the receiving report file, reconciles the quantity received against open PO records, closes the PO if there are no exceptions, updates the inventory subsidiary ledger, and updates the general ledger accounts.

•Accounts payable should link the invoice to the PO and receiving report and create a stored digital accounts payable voucher.

•AIS should then close it out, update the GL, and update the manager report.
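The reconciliation steps in this cycle amount to a three-way match between the PO, the receiving report and the vendor invoice. The sketch below is an added example, not part of the original notes; the field names, the vendor ID and the voucher layout are assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

APPROVED_VENDORS = {"V-100"}  # constructed approved-vendor list


@dataclass
class PurchaseOrder:
    number: str
    vendor: str
    qty: int
    unit_price: Decimal
    status: str = "OPEN"


def three_way_match(po, received_qty, invoice):
    """Match PO, receiving report and invoice; return (voucher, exceptions)."""
    exceptions = []
    if po.vendor not in APPROVED_VENDORS:
        exceptions.append("vendor not on approved list")
    if po.status != "OPEN":
        exceptions.append("PO is not open")  # e.g. same invoice presented twice
    if received_qty != po.qty:
        exceptions.append(f"received {received_qty}, ordered {po.qty}")
    if invoice["po"] != po.number or invoice["vendor"] != po.vendor:
        exceptions.append("invoice does not reference this PO and vendor")
    if invoice["qty"] != received_qty:
        exceptions.append("invoice quantity differs from receiving report")
    expected = po.unit_price * received_qty
    if invoice["amount"] != expected:
        exceptions.append(f"invoice amount {invoice['amount']}, expected {expected}")
    if exceptions:
        return None, exceptions  # held for review; no voucher, PO stays as is
    po.status = "CLOSED"  # PO closes only when there are no exceptions
    # The voucher ties the three documents together for the audit trail.
    voucher = {"po": po.number, "vendor": po.vendor,
               "received_qty": received_qty, "amount": expected}
    return voucher, []


if __name__ == "__main__":
    po = PurchaseOrder("PO-1", "V-100", 10, Decimal("2.50"))  # constructed data
    inv = {"po": "PO-1", "vendor": "V-100", "qty": 10, "amount": Decimal("25.00")}
    print(three_way_match(po, 10, inv))  # matched: voucher created, PO closed
    print(three_way_match(po, 10, inv))  # same invoice again: rejected
```

Because the check runs before anything is posted, it works as a preventive control: a short shipment, an overbilled invoice or a duplicate invoice never reaches accounts payable.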

Treasury Cycle: Managers make decisions about cash and working capital, decisions create transactions with the bank, and any transaction will be reported in the General Ledger and Reporting Cycle, which will be reported to managers.

•AIS should help with bank reconciliation, record and update the GL for changes in cash, and provide reports to assist with cash management: anything that helps with the effectiveness of cash.

Payroll Cycle: Paying the employees will generate records to the General Ledger and Reporting Cycle, which will be reported to managers.

Revenue and Collection Cycle: Payments from customers go to the bank and should be recorded in sales transactions, and any transaction will be reported in the General Ledger and Reporting Cycle, which will be reported to managers.

•Should include real-time inventory access, approve or deny based on client credit history, and concurrently record sales invoices in the database, digitally transmitting inventory release orders to the warehouse and digitally sending packing slips to the shipping department.

•Should have a terminal for the shipping department to digitally input a shipping notice upon shipment. That input should then trigger the system to update the customer's credit record, reduce inventory subsidiary ledger records, insert the shipping data in sales invoice records, update general ledger accounts, and distribute management reports.

•Should also have a cash receipts system to record the remittance, which should close the sales invoice, post to the GL account, update the payment records, and distribute management reports.

Human Resources and Payroll Cycle:

•AIS integration should enable real-time changes to employment data (benefits, pay rates, new hires) in connection with the operational system, allowing employees to enter timekeeping data in real time for job cost reports.

•Allocate labor costs and compute, update, and run a payroll register so we can issue it correctly.

•Create digital journal entries, attach the original documents to the entries, and automatically update the general ledger.

Production and Fixed Asset Cycle:

•AIS receives a work order for a production run from the production planning department. The new production order is input as a new record in the WIP subsidiary ledger. As labor and materials are added to the run, documents reflecting those events are sent to the AIS, which will automatically update WIP.

•Should help find costs for labor, materials, and manufacturing overhead, and cost variances.

•Close the WIP account when it receives the final ticket marking the move from WIP to finished goods inventory.

•AIS prepares J/E as changes to WIP account are recorded and automatically updates the general ledger.

Fixed Asset Cycle

•Information is entered, then AIS will update the GL and J/E and create a depreciation schedule.

•AIS automatically calculates BV and accumulated depreciation, and if the asset is disposed of then the system can calculate gain or loss and update the GL.

General Ledger and Reporting Cycle

•AIS updates the general ledger as various transactions occur and journal entries are posted. At the end of the accounting period, AIS automatically produces a trial balance showing debits and credits, and the accounting department can review and make adjustments as necessary.

•AIS can produce variance analysis and financial statements, and close out temporary accounts so that a new period can begin.

How can this make our system and our processes better?

By improving consistency and reliability, leading to better processes with fewer errors, more efficiency, and enhanced reporting. There are 4 broad areas, with three specific forms of tech that help:

•Automation/Business Process Automation: any time we use a computer program to perform a repetitive task, allowing humans to focus on something else. In order to make it work we need to understand the process well enough to know when to replace humans with automation.

•Shared services: seeking out redundant services, combining them, and then sharing those services within the organization. The software needs to be able to handle the combined volume of data.

•Outsourcing: External provider. With proper controls in place, cloud-based systems can allow external service providers to work seamlessly within an organization. Can provide efficiency, but there is a risk that quality of service or productivity suffers, and there might be information security risks, staff turnover, language barriers since they might be overseas, or doubts about whether the outsourced staff are qualified.

•Offshore operation: related to outsourcing.

Tech:

•Robotic Process Automation (RPA): a program that is designed to extract information from a specific user interface that can then initiate further processes based on data extracted. Can be from users or existing web page content.

•Natural Language Processing software: technology to encode, decode, and interpret human language so that technology can perform tasks, interact with other humans, or carry out commands on other technology devices. This is the technology needed to build a network of household Internet of Things devices. It requires mapping.

•Neural Network: a form of technology modeled after the neurons that facilitate the functions of human or animal memory. There is an input layer (different variables are fed into it), a hidden layer (a series of weights is applied based on the input selected, which then directs the algorithm toward a given output, i.e. it prioritizes, and hopefully it learns too, but it's a fuzzy logic decision), and then the output layer.

Two well known approaches used to implement system changes:

•Waterfall model: linearly

•Agile Method: work on projects simultaneously

How do we determine there is a design deficiency that could impair processing integrity?

There is a missing control, or there is a control but it isn't designed properly. This can be determined by performing an evaluation: understanding how management assesses risk, evaluating the link between controls in the system description and the relevant trust service criteria, and determining whether each control is in place and implemented.

Tests of controls (TOC) are designed and performed by the service auditor through inquiries, reperforming controls, observing, and reviewing documentation. They ultimately allow the auditor to gain evidence on how the controls were applied, their consistency, and the personnel responsible for applying the controls. They could even help show which controls are dependent on each other.

Design deficiencies as defined by the AICPA: the control does not operate as designed or is performed by a person who lacks the authority or competence to perform it.

Suitably designed: the controls meet or have the potential to meet the trust service criteria because they provide reasonable assurance that a company's system requirements and service commitments were achieved.

Processing integrity is the ability of the system to initiate and complete transactions so that they are valid, accurate, timely, within the integrity of confidentiality, and meet company objectives.

Trust Service Criteria: can be used to evaluate deficiencies

•Security: how they process transactions and if confidentiality, privacy, or availability can be circumvented

•Availability: Search for bottlenecks or interference in the flow of data across the organization and identify other processes that prevent data from being available when it is needed.

•Processing Integrity: survey processing methods and transactions that are not timely, yield faulty results, or do not meet the company objectives.

•Confidentiality: evaluate employees and processes that handle the transactions with confidential data to identify potential data leakages, mishandling, or other practices that expose confidential information.

•Privacy: Analyze methods used to collect, store, use and dispose of personal data that is being processed to identify the potential for data being leaked.

Could also use the AICPA description criteria for a description of a service organization's system in SOC 2, since it is an implementation benchmark guide:

•Principal Service Commitments

•Principal System Requirements

Understanding how and why management disclosed certain attributes of its system within these descriptions, like processing integrity, will help assess the suitability of system control design.

Types of opinions:

•Material Deficiencies: cannot obtain reasonable assurance that system requirements or service commitments are met.

Fraud: then assess the risk that the system description doesn't reflect how the system was designed and the risk that the controls weren't operating effectively.

Noncompliance: it may be appropriate to hold discussions with appropriate parties, request that the appropriate party consult legal counsel, a regulator, or a qualified third party, consider the implications related to other aspects of the engagement, or obtain legal advice about different courses of action that could be taken and their consequences. Can withdraw.

If a company changes service organizations, it should be documented and it would be preferable to test before and after unless they were determined not to be operating effectively.

Don't need to test the controls that did not or didn't need to operate. But should still understand the nature and cause of deviation as it could be the result of an ineffective control of the system being audited.

Overall reassessment of risk may require that additional procedures be performed, or that new evidence be obtained of additional controls that are suitably designed and do provide reasonable assurance. We should decide whether the identified deviations, either individually or combined, are material, and if they are material then modify the opinion.

How do we apply the COSO Internal Control Framework to blockchain?

The blockchain will have implications across each component of the COSO framework. The blockchain intertwines our control environment with those of the others participating in the blockchain, and there is no centralized management and no single person responsible.

•Visibility of financial reporting is better

•Availability of data is better

•Allows management to support its financial records

•Audits of blockchain transactions are easier because of the automatic audit trails

•Management can provide financial information to stakeholders faster and more effectively

So for the SOC 2 trust service criteria (security, availability, processing integrity, confidentiality, and privacy), there may be some controls in a nontraditional sense.

When implementing the COSO controls in a blockchain, organizations should consider the following:

•Focus on preventative controls due to the volume and speed of transactions being processed.

•If using detective controls, increase their frequency due to the volume of transactions.

•Develop controls that use other analytic technology like AI tools, such as large language models, which are good at quickly identifying bugs in code.

•Develop a code of conduct and establish policies that comply with Know Your Customer regulations and Anti-Money Laundering policies.

•Create cross-disciplinary teams with segregation of duties in mind and with clear reporting lines that identify all users participating in the blockchain's creation and maintenance.

COSO Internal Control:

Principle 11 states that there should be general controls over tech in order to achieve organizational objectives. To establish these controls, the company must understand the dependency between:

•General controls over technology

•The use of technology in business processes

•Relevant technology infrastructure

•Security management

•Technology

•Acquisition

•Maintenance processes

Principle 13 states that an organization should acquire, create, and use quality information in order to support internal controls:

•identifying the company's information needs

•capturing both external and internal sources of data

•processing the data into something useful in a quality manner

Principle 14 states that effective communication of information is necessary to support internal controls:

•communicating internal information to the proper stakeholders, including the board of directors

•providing communication lines that are separate from those directly to management

•selecting relevant methods of communication

Blockchain: the control system originally designed to govern the creation and distribution of coin. By nature it is decentralized.

Ultimately it ensures that each time a coin trades hands, the trade is validated with a new block of transactions with a receipt. It prevents coins from being replicated and tracks them, making them finite.

Not all evidence for a service auditor is located in the blockchain; off-chain data, like an address, is needed.
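A simplified model of the two properties described above, validation of each transfer in a new block and a tamper-evident audit trail, written as an added example that is not part of the original notes. It leaves out consensus and signatures, and the class, function and coin names are assumptions made for illustration.

```python
import hashlib
import json


def block_hash(index, prev_hash, txs):
    """SHA-256 over the block contents, including the previous block's hash."""
    payload = json.dumps([index, prev_hash, txs], sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


class Chain:
    def __init__(self, genesis_owners):
        # coin id -> current owner; the genesis state fixes a finite coin supply
        self.owners = dict(genesis_owners)
        self.blocks = [{"index": 0, "prev": "0" * 64, "txs": [],
                        "hash": block_hash(0, "0" * 64, [])}]

    def add_block(self, transfers):
        """Validate every (coin, sender, receiver) transfer, then append a block."""
        owners = dict(self.owners)  # work on a copy so a bad block changes nothing
        for coin, sender, receiver in transfers:
            if owners.get(coin) != sender:  # sender does not hold this coin
                raise ValueError(f"{sender} cannot spend {coin}")
            owners[coin] = receiver
        txs = [list(t) for t in transfers]
        index, prev = len(self.blocks), self.blocks[-1]["hash"]
        self.blocks.append({"index": index, "prev": prev, "txs": txs,
                            "hash": block_hash(index, prev, txs)})
        self.owners = owners


def verify(blocks):
    """Auditor's check: index of the first block that fails, or None if intact."""
    for i, b in enumerate(blocks):
        if b["hash"] != block_hash(b["index"], b["prev"], b["txs"]):
            return i  # contents were changed after the block was written
        if i > 0 and b["prev"] != blocks[i - 1]["hash"]:
            return i  # link to the previous block is broken
    return None


if __name__ == "__main__":
    chain = Chain({"coin-1": "alice"})           # constructed sample data
    chain.add_block([("coin-1", "alice", "bob")])
    print(verify(chain.blocks))                  # intact chain
    chain.blocks[1]["txs"][0][2] = "mallory"     # edit history after the fact
    print(verify(chain.blocks))                  # altered block is reported
```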