INFORMATION SYSTEMS CONTROL AND AUDIT

(CA Final)


Contents – Part A

Chapter / Chapter Name
1 / Information Systems Concepts
2 / Enterprise Resource Planning
3 / System Development Life Cycle Methodology
4 / Risk Assessment Methodologies and Applications
5 / Information Technology Act 2008

INFORMATION SYSTEMS CONCEPTS


Chapter 1 – Information System Concepts

Section (I) Introduction and definition of systems

Section (II) Information

Section (III) Information systems

Section (IV) Computer Based Information Systems (CBIS)

Section (V) Information systems at different levels of management

Section (VI) Question Bank

Chapter Snapshot

  • In recent years, there has been a shift from the term “Information Technology” to “Information Systems”. The term “Information Systems” is much wider than “Information Technology”.
  • This chapter starts with an understanding of what a “System” is. Then we understand what “Information” is. The combination of these two makes “Information Systems”.
  • Now, these Information Systems may or may not be “Computer Based”. These days, they are mostly Computer Based, i.e. “Information Technology”. In such a scenario, these “Information Systems” are known as “Computer Based Information Systems”.
  • Such “Information Systems” are classified on the basis of their use for “Operations”, “Management”, or only for “Office Automation”.

How is this chapter relevant to Chartered Accountants?

  • As the management of companies needs information on a day-to-day basis for taking business decisions, it needs people to prepare correct information. This process is generally handled by the Finance & Accounts departments, which generally employ CAs. So, an understanding of Information Systems is important for CAs.
  • Similarly, a lot of companies require an audit of their Information Systems, for which they hire CA firms or large consulting firms such as the Big 4s etc. Consequently, there are several business opportunities in such firms for CAs. Normally, Information System Audit is part of the Internal Audit department.

Related Certifications

  • There are two full-fledged certifications for Information Systems Audit which have gained importance in the last few years, i.e. ISA (Information Systems Auditor) conducted by ICAI and CISA (Certified Information Systems Auditor) conducted by ISACA, a US body. These certifications are done by IT related people as well as CAs.

  1. Introduction and definition of systems

(A)Definition

  • The term system may be defined as a set of interrelated and interdependent elements that operate collectively to accomplish some common purpose or goal.
  • For instance, a manufacturing company is a system where economic resources such as people, money, material, machines, etc are transformed by various organizational processes (such as production, marketing, finance etc.) into goods and services.
  • A computer based information system is also a system: it is a collection of people, hardware, software, data and procedures that interact to provide timely information to authorized people who need it.

(B)General model of a system

  • A general model of a physical system consists of inputs, process, outputs, storage and feedback.

Input is the data flowing into the system from outside.

Processing is the action of manipulating the input into a more useful form.

Storage is the means of holding information for use at a later date.

Output is the information flowing out of a system.

(C)System Environment and components of a system

  1. System environment
  • System environment consists of elements outside the boundary of the system. For instance, in case of a Manufacturing Company’s Information System, the system environment is made up of Suppliers, Customers etc.
  • These elements surround the system and often interact with it.
  • The features that define and delineate a system form its boundary. The system is inside the boundary; the environment is outside the boundary.
  2. Sub-system
  • A system and its environment can be described in many ways. A subsystem is a part of a larger system. Each system is composed of subsystems, which in turn are made up of other subsystems, each system being delineated by its boundaries.
  • The interconnections and interactions between the subsystems are termed interfaces. Interfaces occur at the boundary and take the form of inputs and outputs.
  • For instance, within a manufacturing company, there may be several sub-systems such as Planning, Procurement etc.

Characteristics of Sub-systems

(a)Decomposition

  • A complex system is difficult to comprehend when considered as a whole. Therefore the system is decomposed or factored into subsystems.
  • Decomposition of systems means decomposing or factoring systems into sub-systems.
  • Decomposition is generally based on functional cohesion, i.e. components are considered to be part of the same system, if they perform the same function or are related to the same function.
  • The boundaries and interfaces are defined, so that the sum of the subsystems constitutes the entire system.
  • This process of decomposition is continued with subsystems divided into smaller subsystems until the smallest subsystems are of manageable size.
  • An example of decomposition is the factoring of a business system into subsystems. For instance, an Information system may be divided into subsystems such as:
  • Materials Management
  • Production Planning and Control
  • Sales and Distribution
  • Financials
  • Controlling
  • Treasury
  • Investment Management
  • Human Resources Management
  • Internet and Intranet
  • Integrated Enterprise Management

Each subsystem is divided further into subsystems. For example, the Human Resources Management might be divided into the following smaller subsystems:

a. Creation and update of personnel pay-roll records

b. Personnel reports

c. Payroll data entry and validation

d. Monthly payroll processing

e. Payroll reports for management

f. Payroll reports for government

These subsystems might be further subdivided into smaller subsystems or modules. For example, the hourly payroll processing subsystem might be factored into modules for the calculation of deductions and net pay, payroll register and audit controls preparation, cheque printing, and register and controls output.

(b)Simplification

  • Simplification is defined as the process of organizing subsystems so as to reduce the number of interconnections, each of which is a potential interface for communication among subsystems.

(c)Decoupling (Decouple means “To uncouple / Separate / Disconnect”)

  • If two different subsystems are connected very tightly, very close coordination between them is required. For example, if the raw material is put directly into production the moment it arrives at the factory, the raw materials system can be said to be tightly coupled. Under these conditions, it is important to decouple the two sub-systems, i.e. raw material delivery and production are decoupled.
  3. Supra-system
  • A supra-system refers to the entity formed by a system and other equivalent systems with which it interacts.
  • For example, for any sub-system within a manufacturing company system, such as the Planning sub-system, the combination of this system and other sub-systems such as Procurement, Inventory etc. is referred to as the supra-system.
  4. Boundary
  • All systems function within some sort of environment, which is a collection of elements. These elements surround the system and often interact with it. For any given problem, there are many types of systems and many types of environments. Thus, it is important to be clear about what constitutes the system and the environment of interest.
  • The features that define and delineate a system form its boundary. The system is inside the boundary; the environment is outside the boundary. In some cases, it is fairly simple to define what is part of the system and what is not.

(D)Nature and types of system

  • We can distinguish systems on the basis of following parameters:

Elements

Interactive Behavior

Degree of Human Intervention

Working / Output

  1. According to elements – Abstract system vs. Physical system

(Element means a fundamental and essential constituent of an entity)

  • Abstract system (or conceptual system or model system or Intangible system) - is an orderly arrangement of interdependent ideas. An abstract system or a model is a representation of a real or a planned system. The use of models makes it easier for the analyst to visualize relationships in the system under study.
  • A physical system is a set of elements which operate together to accomplish an objective. Physical systems are tangible entities. For Example, the physical parts of the computer center are the offices, desks, and chairs that facilitate operation of the computer. They can be seen and counted.
  2. According to Interactive Behaviour - Open system and Closed system
  • Open System - A system that interacts freely with its environment by taking input and returning output is termed as an open system. With change of environment, an open system also changes to match itself with the environment.

For example, any business process system will quickly change when the environment changes. To do this, an open system will interact with elements that exist and influence from outside the boundary of the system.

  • Closed system - A system that does not interact with the environment nor changes with the change in environment is termed as a closed system.

Such systems are insulated from the environment and are not affected with the changes in environment.

Closed systems are rare in the business area but are often found among the physical systems that we use in our day-to-day work. For example, consider a 'throw-away' type sealed digital watch. This watch is a closed system as it is completely isolated from its environment for its operation. Such closed systems will finally run down or become disorganized. This movement to disorder is termed an increase in entropy.

Related concept - Entropy

Entropy is the quantitative measure of disorder in a system. As there are no inputs of matter and energy to repair, replenish and maintain the system, it leads to disorder.

Preventing or offsetting an increase in entropy requires inputs of matter and energy to repair, replenish and maintain the system. This maintenance input is termed Negative Entropy. Open systems require more negative entropy than relatively closed systems for keeping at a steady state. On the other hand, the life cycle of a closed system is much shorter compared to that of an open system because it decays faster for not having any input/interaction from the environment.

Why are organizations considered to be relatively open systems?

Organizations are considered to be relatively open systems, as they continuously interact with the external environment through the processing or transformation of inputs into useful output.

However, organizations behave as a relatively closed system in certain respects so as to preserve their identity and autonomy. They may ignore many opportunities so as to maintain their core-competence.

Organizations are open systems, because they are input-output systems. The input consists of finance, physical & mental labour and raw material. Organizations perform several operations on these inputs and process out products or services. The process of exchange generates some surplus, in the form of profit, goodwill, experience and so on, which can be retained in the organization and can be used for further input-output processes.

Organizations are dependent upon their external environment for the inputs required by them and for disposing of their outputs in a mutually beneficial manner.

  3. According to degree of Human Intervention - Manual vs. Computer based
  • Manual system - where data collection, manipulation, maintenance and final reporting are carried out absolutely by human efforts.
  • Automated systems - where computers or microprocessors are used to carry out all the tasks mentioned above. However, it would be wrong to say that a business system is 100% automated; rather, it depends to some extent on manual intervention, maybe in a negligible way. The reasons for using computers in the business area are as follows:

Handling huge volume of data that is not manageable by human efforts.

Storing enormous volume of data for indefinite period without any decay.

Quick and accurate processing of data to match the competitive environment.

Quick retrieval of information on query.

Quick and efficient transportation of data/information to distant places almost at no cost.

Availability of software tools for quick decision making in a complex situation

  4. According to working/output - Deterministic and Probabilistic system
  • A deterministic system operates in a predictable manner. The interaction among the parts is known with certainty. If one has a description of the state of the system at a given point in time plus a description of its operation, the next state of the system may be given exactly, without error. An example is a correct computer program, which performs exactly according to a set of instructions.
  • The probabilistic system can be described in terms of probable behaviour, but a certain degree of error is always attached to the prediction of what the system will do. An inventory system is an example of a probabilistic system. The average demand, average time for replenishment, etc, may be defined, but the exact value at any given time is not known.

(E)Systems stress and systems change

  • Systems, whether living or artificial (like organizational systems and information systems), change because they undergo stress. A stress is a force transmitted by a system’s supra-system that causes a system to change, so that the supra-system can better achieve its goals. In trying to accommodate the stress, the system may impose stress on its subsystems and so on.
  • When a supra-system exerts stress on a system, the system will change to accommodate the stress, or it will decay and terminate.
  • A supra-system enforces compliance by the system through its control over the supply of resources and information input to the system. If the system does not accommodate the stress, the supra-system decreases or terminates the supply of matter, energy and information input to the system.
  • Systems accommodate stress through a change in the form; there can be structural changes or process changes. For example - a computer system under stress for more share-ability of data may be changed through the installation of terminals in remote locations - a structural change. Demands for greater efficiency may be met by changing the way in which it sorts the data - a process change.
  2. Information
  • Information is data that have been put into a meaningful and useful context, and is of real or perceived value in current or progressive decision.
  • For example, data regarding sales by various salesmen can be merged to provide information regarding total sales through sales personnel. This information is of vital importance to a marketing manager who is trying to plan for future sales.
  • Information is the substance on which business decisions are based. Therefore, the quality of raw materials is crucial. Quality of input fed in determines the quality of information produced. This phenomenon is also known as garbage in garbage out (GIGO).

(A)Attributes of Information

Attribute / Explanation / Examples
  1. Timely availability
  Explanation:
  • If information is not available at the time of need, it is useless.
  Examples:
  • Region-wise sales of the company’s products should be available when the annual assessment is being done to increase/decrease marketing focus in any particular region.

  2. Purpose
  Explanation:
  • It helps in creating new concepts, identifying problems, solving problems, decision making, planning, initiating, and controlling.
  Examples:
  • Here, the purpose is decision making, i.e. whether to increase/decrease marketing focus in any region.

  3. Mode and format
  Explanation:
  • Information is usually visual, verbal or in written form.
  • All the statistical rules of compiling statistical tables and presenting information by means of diagrams, graphs, curves, etc., should be considered and the appropriate one followed.
  Examples:
  • Year on year sales of the various products in different regions may be depicted in the form (i.e. mode and format) of graphs and bar charts.

  4. Completeness
  Explanation:
  • The information should be as complete as possible.
  • With the complete information, the manager is in a much better position to decide whether or not to undertake the venture.
  Examples:
  • Sales information should be complete, i.e. should not have missed out the sale of any region/branch.

  5. Reliability
  Explanation:
  • The information should be from reliable sources. Reliable information is a measure of failure or success of using information for decision-making.
  Examples:
  • Sales information has been extracted from the company’s ERP by using a reliable report.

  6. Quality
  Explanation:
  • Quality refers to the correctness of information.
  • Information is likely to be spoiled by personal bias. To get rid of the errors, internal controls should be developed and procedures for measurements prescribed.
  • Information should, of course, be accurate, otherwise it will not be useful; but accuracy should not be made an obsession.
  Examples:
  • For example, an over-optimistic salesman may give rather too high estimates of the sales, which may hamper the quality of information.
  • For example, the sales may be rounded off to thousands of rupees, and may not be given to the last rupee.

  7. Frequency
  Explanation:
  • The frequency with which information is transmitted or received affects its value.
  • Frequency has some relationship with the level of management; it should also be related to an operational need.
  Examples:
  • Sales information may be required by the top management on an annual basis only, whereas at the level of Sales executive, sales information may be on a daily or weekly basis.

  8. Decay
  Explanation:
  • Value of information usually decays with time and usage and so it should be refreshed from time to time.
  Examples:
  • The sales data should be updated annually.
  Other examples:
  • In a highly fluctuating share market a broker is always interested in the latest information of a particular stock/s.

  9. Rate
  Explanation:
  • The rate of transmission/reception of information may be represented by the time required to understand a particular situation.
  Examples:
  • Number of bits of information per character (sign) per unit of time.

  10. Cost benefit analysis
  Explanation:
  • Benefits derived from the information must justify the cost incurred in procuring information.
  • The cost factor is not difficult to establish. Using costing techniques, we shall have to find out the total as well as the marginal cost of each managerial statement, but benefits are hard to quantify, i.e., they are usually intangibles. In fact, the assessment of such benefits is very subjective and its conversion into objective units of measurement is almost impossible. To resolve this problem, we can classify all the managerial statements into many categories with reference to the degree of importance attached, say (a) Absolutely essential statements (b) Necessary statements (c) Normal statements and (d) Extra statements.
  Examples:
  • Cost of preparing the Sales data can be measured, and its benefits can be categorized into one of the several categories mentioned to ascertain the cost benefit analysis.

  11. Value of information
  Explanation:
  • It is defined as the difference between the value of the change in decision behaviour caused by the information and the cost of the information.
  • If new information causes a different decision to be made, the value of the new information is the difference in value between the outcome of the old decision and that of the new decision, less the cost of obtaining the information.

(B)Types of Information