SOM purchasing computers (sales process ex.)
Quote --> Sales order --> Check availability (ATP?) --> pick list --> pack list (different addresses) --> shipment --> invoice --> payment
ATP
available to promise
Business Process and Accounting Transactions chart
1. Pre-sales activities (quotes)
2. Sales order entry
3. Check availability
4. Pick Materials
5. Pack Materials
6. Post Goods Issue
Dr COGS XX
Cr Inventory XX
7. Invoice Customer
Dr A/R XX
Cr Sales XX
8. Receipt of Customer Payment
Dr Bank XX
Cr A/R XX
Chart of Accounts is...
not standardized
depends on the accounts of the specific business
3 business processes
Sales / Revenue
Purchase / Expense
Manufacturing / Conversion
Business process flow can be monitored
at a granular level (finely detailed)
Financial impact transactions..
create unique numbered electronic documents
Post Goods Issue
Invoice Customer
Receipt of Customer payment
Can you delete documents from SAP database?
no; a posted document is corrected by posting a reversal document, so the original and the correction both stay visible
Audit Trail
contains critical and necessary information
- person responsible
- date and time of transaction
- Commercial content
provides a solid and important framework for a strong internal control system (required by SOX)
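The two controls just described (numbered documents that can be reversed but never deleted, and an audit trail recording who, when and what) as an added Python example; this is not code from the notes or from SAP. The class and function names (DocumentJournal, missing_numbers), the document types and the sample postings are hypothetical. missing_numbers is the matching completeness check for pre-numbered documents: a gap in the sequence is a document that has to be accounted for.

```python
"""Added example (not from the original notes): an append-only journal of
numbered documents carrying the audit-trail fields the notes list, plus a
sequence-gap check for pre-numbered documents. DocumentJournal,
missing_numbers and the sample postings are hypothetical."""
from dataclasses import dataclass
from datetime import datetime, timezone
from decimal import Decimal
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Document:
    number: int                     # unique, sequential document number
    doc_type: str                   # goods_issue / invoice / payment ...
    user: str                       # person responsible
    posted_at: str                  # date and time of the transaction (UTC)
    content: Dict[str, object]      # commercial content: accounts, amount ...
    reverses: Optional[int] = None  # number of the document this one cancels


class DocumentJournal:
    """Documents can be posted and reversed, never edited or deleted."""

    def __init__(self) -> None:
        self._docs: List[Document] = []

    def post(self, doc_type: str, user: str, content: Dict[str, object],
             reverses: Optional[int] = None) -> Document:
        doc = Document(
            number=len(self._docs) + 1,          # next number, no reuse
            doc_type=doc_type,
            user=user,
            posted_at=datetime.now(timezone.utc).isoformat(),
            content=dict(content),
            reverses=reverses,
        )
        self._docs.append(doc)
        return doc

    def get(self, number: int) -> Document:
        if not 1 <= number <= len(self._docs):
            raise KeyError(f"no document {number}")
        return self._docs[number - 1]

    def delete(self, number: int) -> None:
        # The only correction path is a reversal, which keeps both the
        # original and the correction in the audit trail.
        raise PermissionError(
            f"document {number} cannot be deleted; post a reversal instead")

    def reverse(self, number: int, user: str) -> Document:
        original = self.get(number)
        if original.reverses is not None:
            raise ValueError(f"document {number} is itself a reversal")
        if any(d.reverses == number for d in self._docs):
            raise ValueError(f"document {number} was already reversed")
        content = dict(original.content)
        content["amount"] = -Decimal(str(original.content["amount"]))
        return self.post(original.doc_type, user, content, reverses=number)

    def net_amount(self, doc_type: str) -> Decimal:
        """Original plus reversal nets to zero; the history stays intact."""
        return sum((Decimal(str(d.content["amount"])) for d in self._docs
                    if d.doc_type == doc_type), Decimal("0"))

    def audit_trail(self) -> List[Dict[str, object]]:
        return [{"number": d.number, "who": d.user, "when": d.posted_at,
                 "type": d.doc_type, "content": d.content} for d in self._docs]


def missing_numbers(numbers: List[int]) -> List[int]:
    """Completeness check for pre-numbered documents: every number between
    the lowest and highest seen must be present."""
    if not numbers:
        return []
    present = set(numbers)
    return [n for n in range(min(numbers), max(numbers) + 1) if n not in present]


if __name__ == "__main__":
    journal = DocumentJournal()
    inv = journal.post("invoice", "jdoe", {"debit": "A/R", "credit": "Sales",
                                           "amount": "1200.00"})
    journal.reverse(inv.number, "asmith")          # correction, not deletion
    print(journal.net_amount("invoice"))           # 0.00
    print(missing_numbers([1, 2, 4, 5, 7]))        # [3, 6]
```

The reversal carries its own number, user and timestamp, so the audit trail answers "who corrected what, and when" without anyone being able to make the original disappear.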
What is a business process?
a collection of related, structured activities or tasks that produce a specific service or product
begins with mission objective
ends with achievement of the business objective
outcome of a well designed business process:
increased effectiveness
increased efficiency
BPM
business process management
Business Process Management
a management approach that seeks to coordinate the functions of an organization toward an ultimate goal of continuous improvement in customer satisfaction
5 categories of activities in BPM
DMEMO
Design: identify existing processes and DESIGN how processes should function once they have been improved
Modeling: introduce variables to the conceptual design for "what-if" analysis
Execution: design changes are implemented and key indicators of success are tracked
Monitoring: track the running processes and gather performance statistics against those indicators
Optimization: use the monitoring data to find bottlenecks and feed fixes back into Design
General technique or approach to process management..
DMAIC
Define: define original process as baseline
Measure: identify indicators that will show a change to the process
Analyze: run simulations/models to determine the targeted improvement
Improve: select the improvement and implement
Control: use dashboards to monitor the improved process so the gains hold
Six Sigma
continuous quality-improvement program that uses rigorous metrics in the evaluation of goal achievement
Process Management is also described by
PDCA (the Deming cycle)
Plan: design the planned process improvement
Do: implement the process improvement
Check: monitor the improvement
Act: continuously commit and reassess
Benefits of Process management
Efficiency: resources are used to accomplish objectives
Effectiveness: objectives are accomplished with greater predictability
Agility: quicker responses to changes
DFDs model
systems processes
ER diagrams model
systems data
DFD
data flow diagram
uses symbols to represent
entities
processes
data flows
data stores
represents logical elements of the system, but does not depict the physical system
ER diagram
Entity relationship diagram
technique used to represent the relationship between business entities
cardinality (degree of relationship)
1:1
1:M
M:M
blueprint for the physical database
Systems flowchart (process flowchart)
graphical representation of the physical relationships among key elements of a system
shows the processing of a SINGLE transaction only
describes physical computer media being used
departments, manual activities, computer programs, hard-copy and digital records
Program flowchart
provides operational details for every program represented in a system flowchart
CIA
Confidentiality
Integrity
Availability
Input controls
source data controls regulate the integrity of input, which is crucial to accurate output (GIGO)
GIGO
garbage in garbage out
data validation (input controls)
at the field level
meaningful error messages
edit checks
input masks - a pattern (string expression) that governs what a user is allowed to enter in a text box
pre-numbered forms
source data preparation procedures
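The field-level input controls above (input masks, edit checks, meaningful error messages) as an added Python example for a sales-order entry record; this is not code from the notes. The FieldSpec structure, the ORDER_FIELDS specification, the validate_record function and the two sample records are constructed for illustration.

```python
"""Added example (not from the original notes): field-level input validation
for a sales-order entry, combining input masks, edit checks and user-facing
error messages. FieldSpec, ORDER_FIELDS, validate_record and the sample
records are hypothetical."""
import re
from dataclasses import dataclass
from datetime import date
from decimal import Decimal, InvalidOperation
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class FieldSpec:
    name: str
    mask: Optional[str] = None                                   # regex the raw string must match
    required: bool = True
    parse: Optional[Callable[[str], object]] = None              # type conversion
    check: Optional[Callable[[object], Optional[str]]] = None    # edit check, returns a message or None


ORDER_FIELDS = [
    # Input mask: customer numbers look like C123456.
    FieldSpec("customer_id", mask=r"^C\d{6}$"),
    # Range check: a positive integer with an upper bound to catch keying errors.
    FieldSpec("quantity", mask=r"^\d{1,5}$", parse=int,
              check=lambda q: None if 1 <= q <= 10000
              else "quantity must be between 1 and 10000"),
    # Sign and format checks on the unit price (two decimals, no sign).
    FieldSpec("unit_price", mask=r"^\d{1,7}(\.\d{2})?$", parse=Decimal,
              check=lambda p: None if p > 0 else "unit price must be positive"),
    # Reasonableness check: the ship date may not be in the past.
    FieldSpec("ship_date", mask=r"^\d{4}-\d{2}-\d{2}$", parse=date.fromisoformat,
              check=lambda d: None if d >= date.today()
              else "ship date cannot be in the past"),
    # US ZIP code mask on an optional field.
    FieldSpec("zip", mask=r"^\d{5}(-\d{4})?$", required=False),
]


def validate_record(record: Dict[str, str],
                    fields: List[FieldSpec] = ORDER_FIELDS) -> List[str]:
    """Return user-facing error messages; an empty list means every
    field-level control passed."""
    errors: List[str] = []
    for spec in fields:
        raw = (record.get(spec.name) or "").strip()
        if not raw:
            if spec.required:
                errors.append(f"{spec.name}: value is required")
            continue
        if spec.mask and not re.fullmatch(spec.mask, raw):
            errors.append(f"{spec.name}: '{raw}' does not match the expected "
                          f"format {spec.mask}")
            continue                      # do not parse a malformed value
        value: object = raw
        if spec.parse:
            try:
                value = spec.parse(raw)
            except (ValueError, InvalidOperation):
                errors.append(f"{spec.name}: '{raw}' is not a valid value")
                continue
        if spec.check:
            problem = spec.check(value)
            if problem:
                errors.append(f"{spec.name}: {problem}")
    # Reject fields the form never asked for instead of silently storing them.
    for name in sorted(set(record) - {f.name for f in fields}):
        errors.append(f"{name}: unexpected field")
    return errors


if __name__ == "__main__":
    good = {"customer_id": "C000123", "quantity": "10",
            "unit_price": "19.99", "ship_date": "2999-01-01"}
    bad = {"customer_id": "123", "quantity": "0", "unit_price": "-5",
           "ship_date": "2023-13-45", "extra": "x"}
    print(validate_record(good))   # []
    for message in validate_record(bad):
        print(message)
```

The mask runs first so that type conversion only ever sees well-formed input; the edit check then runs on the converted value, and each failure names the field and the rule so the operator can correct it at the point of entry (GIGO).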
Processing Controls
Data Matching
File Labels
Recalculation of batch totals
Cross-footing and zero balance tests
Write-protection mechanisms
Database processing integrity procedures
Data matching
matching 2 or more items of data before taking an action improves transaction processing integrity
ex: 3 way matching of purchase order, goods received note, and invoice
File labels
use file labels to ensure the correct and most current files are updated
real-time vs. batch
timing
real-time ex - internet purchase, immediate gratification
batch ex - BU brain grades, payroll
Recalculation of batch totals
comparison of amounts input to amounts output ensures volume is correct
hash totals (sums of a non-financial field such as account numbers; the total means nothing in itself) can be used to confirm that the correct source documents are included
Cross-footing and zero balance tests
cross-footing: compare the sum of a column of row totals to the sum of a row of column totals to verify results
zero balance test: a control or clearing account should net to zero after processing; a non-zero balance means an entry was posted without its offset
write-protection mechanisms
protections guard against accidentally writing over or erasing data files stored on magnetic media
Database processing integrity procedures
database administrators establish and enforce procedures for accessing and updating the database
data dictionaries ensure that the data items are defined and used consistently
concurrent update controls: lock out one user until the system has finished processing the other user's update, so neither update silently overwrites the other
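The processing controls listed above (batch control totals including a hash total, the zero balance test, cross-footing and three-way matching) as one added Python example run over a constructed batch of journal lines; this is not code from the notes. The function names (batch_totals, verify_batch, zero_balance, cross_foot, three_way_match) and all sample data are hypothetical. It goes one step past the notes by showing which control catches a dropped credit line: the financial total does not, the hash total and the zero balance test do.

```python
"""Added example (not from the original notes): the processing controls
listed above, run over a constructed batch of journal lines. Function names
(batch_totals, verify_batch, zero_balance, cross_foot, three_way_match) and
all sample data are hypothetical."""
from decimal import Decimal
from typing import Dict, List, Sequence

# Constructed batch keyed from two sales invoices: Dr A/R (1200) / Cr Sales (4000).
BATCH = [
    {"doc": 101, "account": "1200", "debit": Decimal("500.00"), "credit": Decimal("0.00")},
    {"doc": 101, "account": "4000", "debit": Decimal("0.00"), "credit": Decimal("500.00")},
    {"doc": 102, "account": "1200", "debit": Decimal("250.00"), "credit": Decimal("0.00")},
    {"doc": 102, "account": "4000", "debit": Decimal("0.00"), "credit": Decimal("250.00")},
]
# Control totals worked out from the source documents before keying.
EXPECTED_TOTALS = {"record_count": 4, "financial_total": Decimal("750.00"),
                   "hash_total": 10400}


def batch_totals(records: Sequence[Dict]) -> Dict[str, object]:
    """Record count, financial total of debits, and a hash total of the
    account numbers (meaningless as a number; it only has to match)."""
    return {
        "record_count": len(records),
        "financial_total": sum((r["debit"] for r in records), Decimal("0.00")),
        "hash_total": sum(int(r["account"]) for r in records),
    }


def verify_batch(records: Sequence[Dict], expected: Dict[str, object]) -> List[str]:
    actual = batch_totals(records)
    return [f"{name}: expected {expected[name]}, got {actual[name]}"
            for name in expected if actual[name] != expected[name]]


def zero_balance(records: Sequence[Dict]) -> Decimal:
    """Debits minus credits; anything other than zero is a one-sided entry."""
    return (sum((r["debit"] for r in records), Decimal("0.00"))
            - sum((r["credit"] for r in records), Decimal("0.00")))


def cross_foot(rows: Sequence[Sequence[int]], row_totals: Sequence[int],
               col_totals: Sequence[int], grand_total: int) -> List[str]:
    """Re-foot a report whose totals were reported separately from its cells."""
    problems = []
    for i, (row, reported) in enumerate(zip(rows, row_totals)):
        if sum(row) != reported:
            problems.append(f"row {i} foots to {sum(row)}, reported {reported}")
    for j, col in enumerate(zip(*rows)):
        if sum(col) != col_totals[j]:
            problems.append(f"column {j} foots to {sum(col)}, reported {col_totals[j]}")
    if sum(row_totals) != grand_total or sum(col_totals) != grand_total:
        problems.append("row totals and column totals do not cross-foot to the grand total")
    return problems


# Constructed purchase-to-pay documents for the three-way match.
PO = {"po": "PO-77", "qty": 10, "unit_price": Decimal("5.00")}
GRN = {"po": "PO-77", "qty": 8}
INVOICE = {"po": "PO-77", "qty": 10, "unit_price": Decimal("5.00")}


def three_way_match(po: Dict, grn: Dict, invoice: Dict) -> List[str]:
    """Pay only what was ordered, received, and billed at the agreed price."""
    problems = []
    if not (po["po"] == grn["po"] == invoice["po"]):
        problems.append("documents reference different purchase orders")
    if grn["qty"] > po["qty"]:
        problems.append(f"received {grn['qty']} but only {po['qty']} ordered")
    if invoice["qty"] > grn["qty"]:
        problems.append(f"invoiced {invoice['qty']} but only {grn['qty']} received")
    if invoice["unit_price"] != po["unit_price"]:
        problems.append(f"invoice price {invoice['unit_price']} differs from PO price {po['unit_price']}")
    return problems


if __name__ == "__main__":
    print(verify_batch(BATCH, EXPECTED_TOTALS))      # [] : batch agrees
    print(verify_batch(BATCH[:3], EXPECTED_TOTALS))  # count and hash total disagree
    print(zero_balance(BATCH[:3]))                   # 250.00 : a credit line is missing
    print(three_way_match(PO, GRN, INVOICE))         # invoiced 10 but only 8 received
```

Dropping the last line of BATCH leaves the financial total of debits unchanged, which is exactly why a batch is controlled by more than one total: record count and hash total both disagree, and the zero balance test shows 250.00 instead of zero.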
Software/hardware flow
BIOS (firmware) initializes the hardware ---> operating system ---> database ---> application; each layer relies on the ones beneath it, so a weakness low in the stack undermines the controls built above it
Output controls
user review of output
reconciliation procedures
external data reconciliation
output encryption
reconciliation procedures
check and reconcile individual transactions and other updates to control reports
external data reconciliation
reconciliation of database totals with data maintained outside the system
output encryption
authenticity and integrity of data outputs must be protected during transmission
encryption protects confidentiality: intercepted data cannot be read. It does not by itself prove integrity or authenticity; a message authentication code or digital signature is needed for that
data transmission error - receiving unit requests the sending unit to retransmit the data
parity checking - parity bits are used to detect single-bit transmission errors (two flipped bits in one byte cancel out and go unnoticed)
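The two transmission controls above as an added Python example, not code from the notes: a parity bit per byte, which catches a single flipped bit but not two, and an HMAC tag over the output, which catches any change whether accidental or deliberate. The function names, the constructed sample report line and the placeholder KEY are assumptions; the key is not a real secret.

```python
"""Added example (not from the original notes): parity checking and a
message authentication code applied to one constructed output line.
Function names, REPORT and the placeholder KEY are hypothetical."""
import hashlib
import hmac
from typing import Dict, List


def add_parity(data: bytes) -> bytes:
    """Even parity: set the high bit of each 7-bit character so the byte
    has an even number of 1 bits (as on a serial link)."""
    out = bytearray()
    for b in data:
        if b > 0x7F:
            raise ValueError("parity framing needs 7-bit data")
        ones = bin(b).count("1")
        out.append(b | (0x80 if ones % 2 else 0))
    return bytes(out)


def parity_errors(framed: bytes) -> List[int]:
    """Indexes of bytes whose parity is odd, i.e. detectably corrupted."""
    return [i for i, b in enumerate(framed) if bin(b).count("1") % 2]


def strip_parity(framed: bytes) -> bytes:
    return bytes(b & 0x7F for b in framed)


def flip_bit(data: bytes, index: int, bit: int) -> bytes:
    """Simulate a transmission error in one bit of one byte."""
    out = bytearray(data)
    out[index] ^= 1 << bit
    return bytes(out)


def mac_tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def mac_verify(key: bytes, data: bytes, tag: bytes) -> bool:
    # compare_digest does not leak where the comparison failed via timing
    return hmac.compare_digest(mac_tag(key, data), tag)


REPORT = b"ACCT 1200 BAL 750.00"             # constructed sample output line
KEY = b"placeholder-key-use-a-real-secret"    # placeholder, not a real key


def demo() -> Dict[str, object]:
    framed = add_parity(REPORT)
    one_flip = flip_bit(framed, 15, 0)     # single bit error in the '5' of 750.00
    two_flips = flip_bit(one_flip, 15, 1)  # second error in the same byte: '5' -> '6'
    tag = mac_tag(KEY, REPORT)             # computed by the sender over the clean text
    return {
        "clean_parity_errors": parity_errors(framed),
        "single_flip_detected": parity_errors(one_flip) == [15],
        "double_flip_detected": parity_errors(two_flips) == [15],        # False
        "double_flip_changed_text": strip_parity(two_flips) != REPORT,   # True
        "mac_detects_double_flip": not mac_verify(KEY, strip_parity(two_flips), tag),
        "mac_accepts_clean": mac_verify(KEY, strip_parity(framed), tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Parity is an error-detection control for noisy links, not a security control: it is cheap, misses even-numbered bit flips, and anyone who alters the data can recompute it. The keyed tag is what gives the receiver integrity and authenticity; confidentiality would still require encrypting the line.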
correctly functioning controls
CIA (CAI) for controls (not the security triad above)
Completeness
Accuracy
Integrity
COSO (Treadway Commission)
Committee of Sponsoring Organizations of the Treadway Commission
established to study the factors that can lead to fraudulent reporting
COSO (internal Control - Integrated Framework) 2 broad groups of IT control
General controls and application controls
General controls
designed to ensure that an organization's control environment is stable and well managed
- systems development standard (following SDLC)
- security management controls (PODS username)
- change management procedures
- software acquisition, development, operations
SDLC
Systems development life cycle
SDLC at PWC
Unit testing
System integration testing
user acceptance testing
Application Controls
prevent, detect, and correct transaction errors and fraud; they are application specific and provide reasonable assurance of system
- accuracy
- completeness
- validity
Information Technology (IT) controls
should be established for acquisition of hardware and software, operating costs, and for usage
segregation of duties
limit access to assets
Diagnostic Controls
designed to achieve efficiency in operations of the firm to get the most from resources used
Control effectiveness
applying control principles to systems development and maintenance
strategic master plan
data processing schedule
steering committee
System performance measurements (% utilization, response time)
strategic master plan
align IS with its business strategies with a multi-year strategic plan
steering committee
guide and oversee systems development and acquisition
Logical controls
use software and data to monitor and control access to information and computing systems
- user access
- managing passwords
firewalls
network security systems that monitor and control incoming and outgoing network traffic based on predetermined security rules
firewall - default-allow policy
list network services that are not allowed, and everything else is okay
firewall - default-deny policy
lists allowed services only and everything else is denied (the least-privilege choice: a service nobody listed is closed by default)
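The two firewall policies above as an added Python example, not code from the notes: the same evaluator is run over the same constructed traffic under a default-allow rule list and a default-deny rule list, and the difference shows up on a service that nobody wrote a rule for. The Rule and Packet structures, function names and sample services are hypothetical; a real firewall (nftables, a cloud security group) expresses the same idea in its own syntax.

```python
"""Added example (not from the original notes): first-match rule evaluation
under a default-allow and a default-deny policy over the same constructed
traffic. Rule, Packet, the rule lists and TRAFFIC are hypothetical."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    proto: str          # "tcp" or "udp"
    port: int
    action: str         # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: int
    label: str          # for reporting only


def evaluate(rules: List[Rule], default: str, pkt: Packet) -> str:
    """First matching rule wins; otherwise the policy default applies."""
    for r in rules:
        if r.proto == pkt.proto and r.port == pkt.dst_port:
            return r.action
    return default


DEFAULT_ALLOW_RULES = [          # "list what is NOT allowed"
    Rule("tcp", 23, "deny"),     # telnet
    Rule("tcp", 445, "deny"),    # SMB
]
DEFAULT_DENY_RULES = [           # "list what IS allowed"
    Rule("tcp", 443, "allow"),   # HTTPS
    Rule("tcp", 22, "allow"),    # SSH
]

TRAFFIC = [                      # constructed sample traffic
    Packet("tcp", 443, "https"),
    Packet("tcp", 22, "ssh"),
    Packet("tcp", 23, "telnet"),
    Packet("tcp", 5900, "vnc (installed last week, no rule written)"),
    Packet("udp", 161, "snmp"),
]


def exposed_services(rules: List[Rule], default: str,
                     traffic: List[Packet]) -> List[str]:
    return [p.label for p in traffic if evaluate(rules, default, p) == "allow"]


def compare_policies(traffic: List[Packet] = TRAFFIC) -> Tuple[List[str], List[str]]:
    """Services reachable under default-allow vs. default-deny."""
    return (exposed_services(DEFAULT_ALLOW_RULES, "allow", traffic),
            exposed_services(DEFAULT_DENY_RULES, "deny", traffic))


if __name__ == "__main__":
    under_allow, under_deny = compare_policies()
    print("default-allow exposes:", under_allow)   # includes vnc and snmp
    print("default-deny exposes: ", under_deny)    # ['https', 'ssh']
```

Under default-allow the new VNC listener and SNMP are reachable the moment they exist, because the rule list only knows about the services someone already thought of blocking. Under default-deny they stay closed until someone deliberately adds an allow rule, which is the review point the control is meant to create.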
Digital certificates
an electronic document signed by a trusted party (the certificate authority) that binds the identity of the owner to a particular public key
PKI
public key infrastructure - the system and processes used to issue and manage asymmetric keys and digital certificates
certificate authority
verifies the subject's identity and issues a signed certificate containing the subject's public key; the subject normally generates and keeps its own private key
access control lists
specify which users or system processes are granted access to objects
network intrusion detection systems
consists of devices and/or software programs that monitor network or system activity for malicious actions or policy violations and produce reports for management
Physical controls
monitor and control the environment of the workplace and computing facilities
segregation of duties
monitoring and control of access to and from facilities (smart cards)
backup files
uninterruptible power supply (UPS)
program modification controls
malware detection
program modification controls
controls over changes to programs that are being used in production
Manual controls
controls performed by a person without making direct use of automated systems
automated controls
control performed by an automated system without human intervention
value of automated controls
TEAS
timeliness
efficiency
accuracy
security
Preventive controls
security awareness training
firewalls
intrusion prevention systems (an IDS that only alerts is detective, see below)
detective controls
blend of technical controls like intrusion detection systems, network monitoring and incident alerting that help track how and when intrusions are being attempted
corrective controls
applying patches, restoring backup data, vulnerability mitigation to make sure that systems are configured correctly