Summary IS&DA
Lecture 1: Introduction: accounting, control, audit and analytics
Why information: decision-making, delegating, accountability and operating the business
Information-based control framework (alignment)
Business domain: shows the essence of a company and what it does to create value,
including selling products, purchasing raw materials, hiring personnel, manufacturing
products, delivering services, making investment decisions.
Information domain: provides information to the business domain for decision-making,
accountability and organizational alignment
Data domain: where the data that is needed for information provision is recorded
IT domain: all required software and hardware needed for the other domains
In the Strategy implementation the deliberate strategy choice is translated into action. The
theory is that the resulting eight cells need to be continuously aligned with one another for
optimal problem solutions. This form of continuous alignment implies that a change in one
cell always will lead to changes in at least one other cell, but most likely in more other cells
than just one. E.g.:
- a retail company decides to transform from a traditional ‘brick and mortar’ business
with physical stores to a fully web-based company change in business strategy
- Replacement of sales personnel with IT personnel and web- administrators
change in operations
- More information needed because of the web sales change in information
provision
- The vast amount of data needs to be managed better change in data
management
- IT infrastructure needs to be built or outsourced for the web store to operate
change in IT infrastructure
Information system: information provision + data management + IT infrastructure
Transaction data: are temporary data that eventually will lead to changes in master data
e.g. receipt of sales order or payment to a creditor (journal entry)
Master data: are repositories of relatively permanent data maintained over an extended
period of time e.g. the bank or inventory account (BS post)
- Can be standing data: e.g. name, address, debtor code etc.
- Can change frequently: e.g. cash, accounts receivable etc.
1
,Lecture 2: Risk management & control
2.1 Internal control
Internal control: a process, effected by an entity’s board of directors, management, and
other personnel, designed to provide reasonable assurance regarding the achievement of
objectives relating to operations, reporting and compliance creating opposed interest
between departments helps with controlling
Value cycle: feeder processes of accounting
- Circles show processes/rectangles show positions/accounting is general ledger
- Shows all business processes into one graph, red lines being segregations of duties:
1. Authorization: making decisions, committing the organization/unit to third
parties/other units
2. Custody: safeguarding assets
3. Recording: the independent accounting function
4. Execution: performing tasks based on assignments given by other functions
5. Checking: comparing ‘what is’ versus ‘what should be’ ACCER
Double-entry accounting: for every debit transaction, a credit transaction is made for the
same amount triple-entry: 3th recording in blockchain
COSO internal control report (2003): CCRIM
- Monitoring: assesses the quality of internal control
- Information & communication: keeps the control
system together e.g. transaction
recording/accountability
- Risk assessment: identification and analysis of relevant
risks to the achievement of objectives
- Control Activities: hard controls e.g. a signature that
someone pays within a month or segregation of duties
- Control environment: soft controls the foundation of all other components
norms and values organizational culture, structure, HR policies reduces the
need for hard controls
2
, COSO framework objectives:
- Operations: Effectiveness and efficiency of operations safeguarding assets
- Reporting: Reliability of internal and external reporting
- Compliance: Compliance with applicable laws and regulations
Control hierarchy: three levels of protection
1. Control environment: overall policies and procedures that demonstrate an
organizations commitment to the importance of control. Having a sound control
environment reduces the need for hard controls.
2. Pervasive control plans: address multiple goals and apply to many processes e.g.
keeping your accounts safe with a password
3. Business process control plans: relate to specific process or to the technology used
to implement the process e.g. checking the credit history of a potential customer
or checking whether the purchase transactions used are all valid
Controls on the business level controls on IT
level
Control matrix: a tool designed to assist in
evaluating the potential effectiveness of
controls in a business process by matching
control goals with relevant control plans
1. Input validity: customer credit check
2. Input completeness: procedure to
reject data
3. Input accuracy: digital signature check
4. Update completeness:
5. Update accuracy:
2.2 Risk management
Risk: a future uncertain event that, if becoming reality, will have negative consequences for
the organization example per domain:
- Operations: corona, earthquake that collapses your factory, broken production
machine (in china poisoned baby milk)
- Information: asymmetry, overstated performance report (continuing while making a
loss), financial statements that are incorrect
- Data management: Unauthorized access, data leak
- IT infrastructure: Hardware/software failure, hackers
Managing risks:
- Accept: carrying on with knowing that
the risk is there
- Avoid: eliminate activity or share risk
with others e.g. an insurance
- Control: correcting deviations due to the
risks reduce
3
Lecture 1: Introduction: accounting, control, audit and analytics
Why information: decision-making, delegating, accountability and operating the business
Information-based control framework (alignment)
Business domain: shows the essence of a company and what it does to create value,
including selling products, purchasing raw materials, hiring personnel, manufacturing
products, delivering services, making investment decisions.
Information domain: provides information to the business domain for decision-making,
accountability and organizational alignment
Data domain: where the data that is needed for information provision is recorded
IT domain: all required software and hardware needed for the other domains
In the Strategy implementation the deliberate strategy choice is translated into action. The
theory is that the resulting eight cells need to be continuously aligned with one another for
optimal problem solutions. This form of continuous alignment implies that a change in one
cell always will lead to changes in at least one other cell, but most likely in more other cells
than just one. E.g.:
- a retail company decides to transform from a traditional ‘brick and mortar’ business
with physical stores to a fully web-based company change in business strategy
- Replacement of sales personnel with IT personnel and web- administrators
change in operations
- More information needed because of the web sales change in information
provision
- The vast amount of data needs to be managed better change in data
management
- IT infrastructure needs to be built or outsourced for the web store to operate
change in IT infrastructure
Information system: information provision + data management + IT infrastructure
Transaction data: are temporary data that eventually will lead to changes in master data
e.g. receipt of sales order or payment to a creditor (journal entry)
Master data: are repositories of relatively permanent data maintained over an extended
period of time e.g. the bank or inventory account (BS post)
- Can be standing data: e.g. name, address, debtor code etc.
- Can change frequently: e.g. cash, accounts receivable etc.
1
,Lecture 2: Risk management & control
2.1 Internal control
Internal control: a process, effected by an entity’s board of directors, management, and
other personnel, designed to provide reasonable assurance regarding the achievement of
objectives relating to operations, reporting and compliance creating opposed interest
between departments helps with controlling
Value cycle: feeder processes of accounting
- Circles show processes/rectangles show positions/accounting is general ledger
- Shows all business processes into one graph, red lines being segregations of duties:
1. Authorization: making decisions, committing the organization/unit to third
parties/other units
2. Custody: safeguarding assets
3. Recording: the independent accounting function
4. Execution: performing tasks based on assignments given by other functions
5. Checking: comparing ‘what is’ versus ‘what should be’ ACCER
Double-entry accounting: for every debit transaction, a credit transaction is made for the
same amount triple-entry: 3th recording in blockchain
COSO internal control report (2003): CCRIM
- Monitoring: assesses the quality of internal control
- Information & communication: keeps the control
system together e.g. transaction
recording/accountability
- Risk assessment: identification and analysis of relevant
risks to the achievement of objectives
- Control Activities: hard controls e.g. a signature that
someone pays within a month or segregation of duties
- Control environment: soft controls the foundation of all other components
norms and values organizational culture, structure, HR policies reduces the
need for hard controls
2
, COSO framework objectives:
- Operations: Effectiveness and efficiency of operations safeguarding assets
- Reporting: Reliability of internal and external reporting
- Compliance: Compliance with applicable laws and regulations
Control hierarchy: three levels of protection
1. Control environment: overall policies and procedures that demonstrate an
organizations commitment to the importance of control. Having a sound control
environment reduces the need for hard controls.
2. Pervasive control plans: address multiple goals and apply to many processes e.g.
keeping your accounts safe with a password
3. Business process control plans: relate to specific process or to the technology used
to implement the process e.g. checking the credit history of a potential customer
or checking whether the purchase transactions used are all valid
Controls on the business level controls on IT
level
Control matrix: a tool designed to assist in
evaluating the potential effectiveness of
controls in a business process by matching
control goals with relevant control plans
1. Input validity: customer credit check
2. Input completeness: procedure to
reject data
3. Input accuracy: digital signature check
4. Update completeness:
5. Update accuracy:
2.2 Risk management
Risk: a future uncertain event that, if becoming reality, will have negative consequences for
the organization example per domain:
- Operations: corona, earthquake that collapses your factory, broken production
machine (in china poisoned baby milk)
- Information: asymmetry, overstated performance report (continuing while making a
loss), financial statements that are incorrect
- Data management: Unauthorized access, data leak
- IT infrastructure: Hardware/software failure, hackers
Managing risks:
- Accept: carrying on with knowing that
the risk is there
- Avoid: eliminate activity or share risk
with others e.g. an insurance
- Control: correcting deviations due to the
risks reduce
3
