
Chapter 3: System Documentation Techniques

This document discusses various techniques for documenting accounting systems, including:
1. Narrative descriptions, data flow diagrams, and flowcharts are the main techniques discussed for documenting processes, data flows, and system controls.
2. Data flow diagrams visually represent data sources, flows, transformations, storage, and destinations using standard symbols. They are simpler than flowcharts.
3. Flowcharts depict the sequence of processes and decisions in a system using standard symbols for inputs, outputs, processing, storage, and flows. They are useful for evaluating internal controls.
4. Proper documentation of accounting systems is important for auditing, compliance with regulations like Sarbanes-Oxley, and understanding systems for

Uploaded by

lonely ylenol

Accounting System
Midterm Reviewer

CHAPTER 3: SYSTEM DOCUMENTATION TECHNIQUES

Document Systems
• Accountants must be able to read documentation and understand how a system works (e.g., auditors need to assess risk)
   ➢ Every process should be documented, should be written or presented, and must be visible to everyone and understandable.
• Sarbanes-Oxley Act (SOX) requires management to assess internal controls regulations and auditors to evaluate the assessment [whether effective (positive) or weak (existence of risk)]
   ➢ Similar to IFRS in terms of accounting, but this time it's about internal control.
• Used for systems development and changes
   ➢ We should have a baseline of the existing system; to update it or make our controls more effective, we need to know what we need to improve, which is based on the policies and procedures.

Documentation
▪ Explains how a system works, including the who, what, when, where, why and how of data entry, data processing, data storage, information output, and system controls.

Different Components of Data Processing:
1. Data Entry (Input)
2. Data Processing
3. Data Storage
4. Output file
Except for System controls

WHO: Includes the stakeholders and those persons who are responsible or persons who will be using the documentation or the policies and procedures documented.
WHAT: deals with specific processes or policies.
WHEN: deals with the frequency with which the practice is done or when the processes are carried out.
WHERE, WHY AND HOW: Related to the discretion of the company.
WHERE: most likely in company facility

Narrative description
▪ Written step-by-step explanation of system components and how they interact.
▪ The documentation that should be seen by or presented to newly recruited employees. (includes the main objectives)

Data Flow Diagram (DFD)
▪ A graphical description of data sources, data flows, transformation processes, data storage and data destinations.
▪ DFDs are visually simple and can be used to represent the same process at a high abstract or detailed level.
▪ Simpler than a flowchart because it uses fewer symbols than a flowchart.

Focuses on the data flows for:
• Processes
• Sources and destinations of the data
• Data stores
Basic DFD Elements

Basic Guidelines in creating DFD:
▪ Understand the system that you are trying to represent.
   ➢ The preparer should be able to understand the system that she/he is trying to represent.
▪ A DFD is a simple representation, meaning that you need to consider what is relevant and what needs to be included.
   ➢ It is a simple representation; thus, it needs to consider what is relevant and what needs to be included.
▪ Start with a high level (context diagram) to show how data flows between outside entities and inside the system. Use additional DFDs at the detailed level to show how data flows within the system.
   ➢ Shows how data flows between outside entities and inside systems; basically shows where the flows are, especially whether internal or external or both in one DFD.
▪ Identify and group all the basic elements of the DFD.
   ➢ Stakeholders and concerned departments (e.g.: updating of employee records; employee and the human resource)
   ➢ Objective: to understand the DFD
▪ Name data elements with descriptive names, use action verbs for processes (e.g., update, edit, prepare, validate, etc.).
   ➢ Example: CHECK document received
▪ Give each process a sequential number to help the reader navigate from the abstract to the detailed levels.
   ➢ Everything should be numbered to see the flow and the sequential/chronological order
▪ Edit/Review/Refine your DFD to make it easy to read and understand.
   ➢ Should be understandable in the simplest way

Flowcharts
▪ Describe an information system showing:
   ➢ Inputs and Outputs
   ➢ Information activities or (processing data)
   ➢ Data storage
   ➢ Data flows
   ➢ Decision steps
▪ Key strengths of flowcharts are that they can easily capture control via decision points and show manual vs. automated processes.

Flowchart Categories and its Symbols:
1. Input/output symbols:
2. Processing Symbols
Provides rationale on why we should do this

3. Storage Symbols
4. Flow and Miscellaneous Symbols:

Notes:
Broken arrow in flowchart
▪ Connects one department to another.

Types of Flowcharts:
A. Document: shows the flow of documents and data for a process, useful in evaluating internal controls
   ➢ Need to have Archiving
B. System: depicts the data processing cycle for a process (e.g.: selections, polls (statistics) etc.)
   ➢ What would be the chronological steps in terms of executing assistant.
C. Program: illustrates the sequence of logic in the system process

Guideline in making Flowcharts:
▪ Understand the system you are trying to represent.
▪ Identify business processes, documents, data flows, and data processing procedures.
▪ Organize the flowchart so that it reads from top to bottom and left to right.
   ➢ Starts at the upper part and ends at the lower part; shows the departments concerned
▪ Name elements descriptively.
▪ Edit/Review/Refine to make it easy to read and understand.

Business Process Diagram
▪ Is a visual way to represent the activities in a business process
▪ Intent is that all business users can easily understand the process from a standard notation (BPMN: Business Process Modeling Notation)
▪ Can show the organizational unit performing the activity
   ➢ Not commonly used
   ➢ Symbols are similar to DFD

Business Process Diagram Basic Symbols:

Example: Payroll Business Process Diagram Example

Microsoft Visio
▪ Software used to prepare flowcharts

CHAPTER 4: RELATIONAL DATABASES

Importance and advantages:
a. Data is integrated and easy to share
   ➢ Since everything is stored in a single storage file in the form of a database, data is easily integrated in terms of accessing it, and it's quite convenient as well.
b. Minimize data redundancy
   ➢ No redundancy because the files are well coordinated and efficient processing is involved.
c. Data is independent of the programs that use the data
d. Data is easily accessed for reporting and cross-functional analysis

Database
▪ Reflects the central coordination among the different components.
▪ Contains the storage.
▪ Efficiently and centrally coordinates information for a related group of files
   ➢ A file is a related group of records
   ➢ A record is a related group of fields
   ➢ A field is a specific attribute of interest for the entity (record)

Database users and design:
a. External level of the database
   ➢ These users have logical views of the data.
b. Internal level of the database
   ➢ The physical view of the data, which is how the data is actually physically stored in the system.
▪ Designers of a database need to understand users' needs and the conceptual level of the entire database as well as the physical view.

Logical database view
▪ Is how the data appear to the user to be stored. This view represents the structure that the user must interface with in order to extract data from the database.
   ➢ In terms of perspective, it's how the data appear to the users, basically the interface from the perspective of the one using the database.
   ➢ It corresponds to the user's tailored need

Physical database view
▪ Is how the data are actually physically stored on the storage medium used in the database management system. (optical media (CD discs), magnetic media (videos), paper documents, etc.)
   ➢ How the data is really stored
Database Design
i. To design a database, you need to have a conceptual view of the entire database. The conceptual view illustrates the different files and relationships between the files. (involves multiple databases)
   ➢ This is the interface, whatever we see from the perspective of the one who uses the database.
ii. The data dictionary is a "blueprint" of the structure of the database and includes data elements, field types, programs that use the data element, outputs, and so on.
   ➢ Common records in the database.
   ➢ For instance, permanent files, specific numbers (SSS, PHILHEALTH, IDENTIFICATION NUMBERS)

Database Management System (DBMS)
▪ Refers to the technology solution used to optimize and manage the storage and retrieval of data from databases.
▪ DBMS offers a systematic approach to manage databases via an interface for users as well as workloads accessing the databases via apps.
▪ Examples: IBM, NetSuite

DBMS Languages
A. Data Definition Language (DDL)
   ▪ Builds the data dictionary (centralized repository of information about data such as meaning, relationships to other data, origin, usage, and format)
      ➢ Serves as storage of all data and information
   ▪ Creates the database
   ▪ Describes logical views for each user
   ▪ Specifies record or field security constraints
B. Data Manipulation Language (DML)
   ▪ Changes the content in the database
      ➢ Creates, updates, insertions, and deletions of specific contents.
C. Data Query Language (DQL)
   ▪ Enables users to retrieve, sort, and display specific data from the database
      ➢ Whatever the user requires from the database

Relational Database
▪ Represents the conceptual and external schema as if that "data view" were truly stored in one table.
   ➢ Because we're using more than one database.
   ➢ The multiple databases are related to one another.
▪ Although the conceptual view appears to the user that this information is in one big table, it really is a set of tables that relate to one another.

Conceptual View example
Relational Data Table

Primary key
▪ Cannot be null or empty
▪ It is also known as entity integrity

Foreign Key
▪ It uniquely identifies the customers in the customer table
▪ If the foreign key is not null, it must validly correspond to another primary key

If both are present, they must NOT be ZERO. And if a specific VALUE is indicated from one database to another, there must also be a value there.
Because if one of them becomes zero, integrity issues may arise in the form of entity integrity and referential integrity.

Why Have a Set of Related Tables?
▪ Data stored in one large table can be redundant and inefficient, causing the following problems:
   ➢ Update anomaly
   ➢ Insert anomaly: redundancy
   ➢ Delete anomaly
▪ This usually happens if an Excel-based file is used as the database

Relational Database Design Rules:
▪ Every column in a row must be single valued
▪ Primary key cannot be null (empty), also known as entity integrity
▪ If a foreign key is not null, it must have a value that corresponds to the value of a primary key in another table (referential integrity)
▪ All other attributes in the table must describe characteristics of the object identified by the primary key
➢ Following these rules allows databases to be normalized and solves the update, insert, and delete anomalies.

Queries
▪ Users may want specific information found in a relational database and not have to sort through all the files to get that information. So they query (ask a question) the data. (tailored to the needs of the user)
▪ An example of a query might be: What are the invoices of customer D. Ainge and who was the salesperson for those invoices?

Constraints
i. Creating the Query
ii. Query answer

CHAPTER 5: COMPUTER FRAUD

Threats To AIS:
▪ Natural and Political disasters
▪ Software errors and equipment malfunctions
▪ Unintentional acts
▪ Intentional acts

Fraud (intentional and has motive)
▪ Any means a person uses to gain an unfair advantage over another person. This includes:
   ➢ A false statement, representation, or disclosure
   ➢ A material fact, which includes a victim to act
      Material: important/relevant
   ➢ An intent to deceive
   ➢ Victim relied on the misrepresentation
   ➢ Injury or loss was suffered by the victim
▪ Is a white collar crime, meaning a non-violent crime committed through deceptive practices, for the purpose of financial gain.

Two categories of fraud:
1. Misappropriation of asset
   ▪ Theft of company assets, which can include physical assets (e.g., cash, inventory) and digital assets (e.g., intellectual property such as protected trade secrets, customer data)
   Stealing of company assets, intellectual property, anything related to patents or trademarks
2. Fraudulent Financial Reporting
   ▪ "cooking the books" (e.g., booking fictitious revenue, overstating assets, etc.)
   Manipulation of records (editing of the records)
   Objective: to make the records look good (investment fraud)

Conditions for Fraud
▪ These three conditions must be present for fraud to occur, and are presented in the Fraud Triangle

1. Pressure
   ▪ Employee
      ➢ Financial
      ➢ Lifestyle
      ➢ Emotional
   ▪ Financial Statement
      ➢ Financial
      ➢ Management
      ➢ Industry conditions
   Has financial, lifestyle or emotional problems

2. Opportunity
   ▪ Commit
   ▪ Conceal
   ▪ Convert to personal gain
   When the system is not very protective, like no CCTV, then there will be no evidence of the fraud; likewise when there is no supervision

3. Rationalization
   ▪ Justify behavior
   ▪ Attitude that rules don't apply
   ▪ Lack personal integrity
   Like, "they don't pay me for my overtime anyway," or any other reason to justify the action; lack of personal integrity and attitude

Computer fraud
▪ If a computer is used to commit fraud it is called computer fraud.
▪ Computer fraud is classified as:
   ➢ Input
   ➢ Processor
   ➢ Computer instruction
   ➢ Data Output

Types of Computer Fraud:
a) Identity theft
   ▪ Steal the identity of a potential person, like wealthy persons
b) Phishing
   ▪ Gathering of critical information by lawful information through email (about updating)
   ▪ To prevent it:
      ➢ The website must be secured
      ➢ Check the official page
      ➢ Check the format of the email (grammar, not comparable to the bank's email)
c) Identity Fraud
   ▪ More on the activity of identity theft
d) Sales Fraud on the internet
   ▪ Falsification or misinterpretation of FS
e) Computer data tampering or computer software manipulation
   ▪ Viruses serve as surveillance of personal information

Preventing and detecting Fraud:

1) Make fraud less likely to occur:
   A. Organizational
      ▪ Create a culture of integrity
      ▪ Adopt structure that minimizes fraud, create governance (e.g., Board of Directors)
      ▪ Assign authority for business objectives and hold them accountable for achieving those objectives, effective supervision and monitoring of employees
      ▪ Communicate policies
   B. Systems
      ▪ Develop security policies to guide and design specific control procedures
      ▪ Implement change management controls and project development acquisition controls

2) Make it difficult to commit
   A. Organizational
      ▪ Develop strong internal controls
      ▪ Segregate accounting functions
      ▪ Use properly designed forms
      ▪ Require independent checks and reconciliations of data
   B. Systems
      ▪ Restrict access
      ▪ System authentication
      ▪ Implement computer controls over input, processing, storage and output of data
      ▪ Use encryption
      ▪ Fix software bugs and update systems regularly
      ▪ Destroy hard drives when disposing of computers

3) Improve Detection
   A. Organizational
      ▪ Assess fraud risk
      ▪ External and internal audits
      ▪ Fraud hotline
   B. Systems
      ▪ Audit trail of transactions through the system
      ▪ Install fraud detection software
      ▪ Monitor system activities (user and error logs, intrusion detection)

4) Reduce Fraud Losses
   A. Organizational
      ▪ Insurance
      ▪ Business continuity and disaster recovery plan
   B. Systems
      ▪ Store backup copies of program and data files in secure, off-site location
      ▪ Monitor system activity

CHAPTER 6: COMPUTER FRAUD AND ABUSE TECHNIQUES

TYPES OF ATTACK:

1) HACKING
▪ Unauthorized access, modification, or use of an electronic device or some element of a computer system
▪ Types of hacking:
   A. Hijacking
      ➢ Gaining control of a computer to carry out illicit activities
   B. Botnet (robot network)
      ➢ Makes the communication look as if someone else sent it so as to gain confidential information.
      ➢ Examples: Zombies, Bot herders, Denial of Service (DoS) Attack, Spamming, Spoofing
   C. Spoofing
      ➢ Forms: E-mail spoofing, Caller ID spoofing, IP address spoofing, Address Resolution (ARP) spoofing, SMS spoofing, Web-page spoofing (phishing), DNS spoofing
   D. Hacking with Computer code
      ➢ Types of hacking with computer code:
      1. Cross-site scripting (XSS)
         ▪ Uses vulnerability of Web application that allows the Web site to get injected with malicious code. When a user visits the Web site, that malicious code is able to collect data from the user.
      2. Buffer overflow attack
         ▪ Large amount of data sent to overflow the input memory (buffer) of a program causing it to crash and replaced with attacker's program instructions.
      3. SQL injection (insertion) attack
         ▪ Malicious code inserted in place of a query to get to the database information
   E. Other Types of Hacking:
      a. Man in the middle (MITM)
         ▪ Hacker is placed in between a client (user) and a host (server) to read, modify, or steal data.
      b. Piggybacking
      c. Password cracking
      d. War dialing and driving
      e. Phreaking
      f. Data diddling
      g. Data leakage
      h. Pod slurping

Hacking used for fraud:
• Internet misinformation
• E-mail threats
• Internet auction
• Internet pump and dump
• Click fraud
• Web cramming
• Software piracy

2) SOCIAL ENGINEERING
▪ Techniques or tricks on people to gain physical or logical access to confidential information
▪ Social Engineering Techniques:
   A. Identity theft
      o Assuming someone else's identity
   B. Pretexting
      o Using a scenario to trick victims to divulge information or to gain access
   C. Posing
      o Creating a fake business to get sensitive information
   D. Phishing
      o Sending an e-mail asking the victim to respond to a link that appears legitimate that requests sensitive data
   E. Pharming
      o Redirects Web site to a spoofed Web site
   F. URL hijacking
      o Takes advantage of typographical errors entered in for Web sites and user gets invalid or wrong Web site
   G. Scavenging
      o Searching trash for confidential information
   H. Shoulder surfing
      o Snooping (either close behind the person) or using technology to snoop and get confidential information
   I. Skimming
      o Double swiping credit card
   J. Eavesdropping

3) MALWARE
▪ Software used to do harm
▪ Types:
   A. Spyware
      o Secretly monitors and collects information
      o Can hijack browser, search requests
      o Adware
   B. Keylogger
      o Software that records user keystrokes
   C. Trojan Horse
      o Malicious computer instructions in an authorized and properly functioning program
   D. Trap door
      o Set of instructions that allow the user to bypass normal system controls
   E. Packet sniffer
      o Captures data as it travels over the Internet
   F. Virus
      o A section of self-replicating code that attaches to a program or file requiring a human to do something so it can replicate itself
   G. Worm
      o Stand-alone, self-replicating program

Why people fall victim?

A. Compassion
   ▪ Desire to help others
B. Greed
   ▪ Want a good deal or something for free
C. Sex appeal
   ▪ More cooperative with those that are flirtatious or good looking
D. Sloth
   ▪ Lazy habits
E. Trust
   ▪ Will cooperate if trust is gained
F. Urgency
   ▪ Cooperation occurs when there is a sense of immediate need
G. Vanity
   ▪ More cooperation when appeal to vanity

Minimize the Threat of Social Engineering:

a. Never let people follow you into restricted areas
b. Never log in for someone else on a computer
c. Never give sensitive information over the phone or through e-mail
d. Never share passwords or user IDs
e. Be cautious of someone you don't know who is trying to gain access through you