Information systems & data analytics
Lecture 1: introduction information, control, and analytics
Information
Why information?
- Decision making
- Control
- Signaling: things are going in the right direction, or things are not going in the right direction
- Education and learning: feedback on your performance, learn from your mistakes
- Accountability to (internal and external) stakeholders: the company is accountable for their
performance based on their accountability
- Regulatory compliance: you have to comply with the rules and laws
Adjusted strategic alignment model
The eight cells need to be continuously aligned with one another for optimal problem solutions a
change in one cell always will lead to changes in at least one other cell
Four domains:
- Information domain: information is provided to the business domain for decision-making,
accountability, and organizational alignment: information = data that has meaning, relavant
for the user
- Data domain: the data that is needed for information provision is recorded: data doesn’t
have any meaning
- IT: the required information and communication technology applications and hardware are
described
Strategy formation level: models the processes that lead to the business strategy, information
strategy, data strategy and IT strategy
Strategy implementation level: is about how strategies can be translated into action
Control
COSO internal control report: Committee Of Sponsoring Organizations of the Treadway Commission
had to investigate why companies went bankrupt: the internal control systems were not good
Five components:
1. Monitoring
2. Information & communication
3. Risk assessment
4. Control activities
5. Control environment
,US Sarbanes-Oxley act it is mandatory for businesses to issue an in-control statement since the
COSO report provided a sound basis for internal control assessments COSO report of internal
control became standard after
Internal control objectives (goals of COSO)
1. Reliability of (internal and external) reporting: reliability of information, information is
reliable when it is good representation of the reality
2. Effectiveness and efficiency of operations: for example, when you sell something you should
send an invoice
3. Compliance with applicable laws and regulations: internal control systems help companies
with complying to these laws
Control environment
- Soft controls
- Th foundation of all the other components of internal control
- Norms and values with respect to control consciousness
- Organization culture, but also: organizational structure, management philosophy and
operation style, human resource policies, etc.
- Having a sound control environment reduces the need for hard controls
- Foundation of control systems
Control activities
- Hard controls
- Establish accountability using segregation of duties (signature that you received the goods:
always receive something)
- Reconciliations and control totals
- Procedures for authorization
- Physical security of assets
- Analytical review
- Supervision
Risk assessment
- Risk assessment is the identification and analysis of relevant risks to the achievement of
objectives
- Objectives fall within three broad internal control categories
o Operations objectives
o Information objectives
o Compliance objectives
- Use some kind of model for risk analysis to avoid overlooking certain risks; it also helps you
to work out systematically and simplify the often too complex world
Information & communication
- Recording of transactions
- Matching of internal with external recordings
- Confirmations to third parties
- Communications of procedures and task assignments
- Accountability
- Other management reports
,Monitoring
- Monitoring is a process that assesses the quality of an internal control system over time
- Two different forms:
o Monitoring as a continuous process
o Monitoring as separate evaluations
- For example: periodical physical stocktaking, comparing the results with the accounting
records and reporting on the differences
- Monitoring is about the ongoing operations effectiveness of controls: controlling the controls
- Roof of control systems
Data analytics and business intelligence
Data analytics = technical analysis
Business intelligence = the transformation of these analysis into usable information
Takeaways
- Any business needs internal controls
- Internal control is aimed at reliable information, safeguarding of assets, efficiency,
effectiveness of operations, and compliance
- Internal control is different from management control
- Data is ubiquitous, cheap, but not always reliable (hence the need for internal controls)
- Data analysis helps the company by supporting the provision of relevant information, but
also helps the auditor in checking whether client data and information are reliable
Lecture 2: Controlling information systems
Value cycle: feeder processes of accounting
Between each element (events and positions) in the value cycle there ideally must be segregation of
duties = the red lines
There are five different types of duty that should be separated:
1. Authorization (making decision, committing the organization to third parties)
2. Recording (the independent accounting function)
3. Custody (safeguarding assets)
4. Checking (comparing Ist and Soll, “what is” versus “what should be”)
5. Execution (performing tasks based on assignments given by other functions)
, Relationships in double-entry accounting
Sales: Inventory = purchase price, accounts receivable = sales price
Difference between sales price and purchase price = gross margin
Steps in double-entry accounting
1. Business event data
2. Journal voucher
3. General ledger
4. Trial balance
5. Adjusting entries
6. Financial statements
check: debit = credit
Triple-entry accounting with blockchain: debit = credit = external recording in blockchain
- Creating a distributed database that is managed by each entity in the ecosystem and that
serves as the shared single source of truth
- Making journal entries not only locally in each entity’s ERP system but also in the distributed
database a normative position (Soll) is continuously maintained against which the local
databases (Ist) can be checked
Standardization is needed
- If organizational boundaries are crossed for controlling purposes, then some kind of
standardization of data flows is needed for searchability, comparability and interoperability
- Creating worldwide standards is an onerous task
- XBRL is the first and predominant attempt to develop a common language that enables
communication between entities without having to build interfaces
- Standard business reporting (SBR) is the governmental standard for enabling worldwide
communication via XBRL
- There are many XBRL taxonomies, for example the Dutch Taxonomy that is used for tax
returns and statistical data exchange between companies and governmental bodies
Enterprise risk management and internal control
= A process effected by an entity’s board of directors, management, and other personnel, applied in
strategy setting and across the enterprise designed to identify potential events that may affect the
entity, manage risk to be within its risk appetite, and provide reasonable assurance regarding the
achievement of entity objectives.
Risk response
- Risk needs to be managed to avoid surprises
- Make informed decisions about how to react to identified risks:
o Accept
o Avoid (eliminate, share)
Lecture 1: introduction information, control, and analytics
Information
Why information?
- Decision making
- Control
- Signaling: things are going in the right direction, or things are not going in the right direction
- Education and learning: feedback on your performance, learn from your mistakes
- Accountability to (internal and external) stakeholders: the company is accountable for their
performance based on their accountability
- Regulatory compliance: you have to comply with the rules and laws
Adjusted strategic alignment model
The eight cells need to be continuously aligned with one another for optimal problem solutions a
change in one cell always will lead to changes in at least one other cell
Four domains:
- Information domain: information is provided to the business domain for decision-making,
accountability, and organizational alignment: information = data that has meaning, relavant
for the user
- Data domain: the data that is needed for information provision is recorded: data doesn’t
have any meaning
- IT: the required information and communication technology applications and hardware are
described
Strategy formation level: models the processes that lead to the business strategy, information
strategy, data strategy and IT strategy
Strategy implementation level: is about how strategies can be translated into action
Control
COSO internal control report: Committee Of Sponsoring Organizations of the Treadway Commission
had to investigate why companies went bankrupt: the internal control systems were not good
Five components:
1. Monitoring
2. Information & communication
3. Risk assessment
4. Control activities
5. Control environment
,US Sarbanes-Oxley act it is mandatory for businesses to issue an in-control statement since the
COSO report provided a sound basis for internal control assessments COSO report of internal
control became standard after
Internal control objectives (goals of COSO)
1. Reliability of (internal and external) reporting: reliability of information, information is
reliable when it is good representation of the reality
2. Effectiveness and efficiency of operations: for example, when you sell something you should
send an invoice
3. Compliance with applicable laws and regulations: internal control systems help companies
with complying to these laws
Control environment
- Soft controls
- Th foundation of all the other components of internal control
- Norms and values with respect to control consciousness
- Organization culture, but also: organizational structure, management philosophy and
operation style, human resource policies, etc.
- Having a sound control environment reduces the need for hard controls
- Foundation of control systems
Control activities
- Hard controls
- Establish accountability using segregation of duties (signature that you received the goods:
always receive something)
- Reconciliations and control totals
- Procedures for authorization
- Physical security of assets
- Analytical review
- Supervision
Risk assessment
- Risk assessment is the identification and analysis of relevant risks to the achievement of
objectives
- Objectives fall within three broad internal control categories
o Operations objectives
o Information objectives
o Compliance objectives
- Use some kind of model for risk analysis to avoid overlooking certain risks; it also helps you
to work out systematically and simplify the often too complex world
Information & communication
- Recording of transactions
- Matching of internal with external recordings
- Confirmations to third parties
- Communications of procedures and task assignments
- Accountability
- Other management reports
,Monitoring
- Monitoring is a process that assesses the quality of an internal control system over time
- Two different forms:
o Monitoring as a continuous process
o Monitoring as separate evaluations
- For example: periodical physical stocktaking, comparing the results with the accounting
records and reporting on the differences
- Monitoring is about the ongoing operations effectiveness of controls: controlling the controls
- Roof of control systems
Data analytics and business intelligence
Data analytics = technical analysis
Business intelligence = the transformation of these analysis into usable information
Takeaways
- Any business needs internal controls
- Internal control is aimed at reliable information, safeguarding of assets, efficiency,
effectiveness of operations, and compliance
- Internal control is different from management control
- Data is ubiquitous, cheap, but not always reliable (hence the need for internal controls)
- Data analysis helps the company by supporting the provision of relevant information, but
also helps the auditor in checking whether client data and information are reliable
Lecture 2: Controlling information systems
Value cycle: feeder processes of accounting
Between each element (events and positions) in the value cycle there ideally must be segregation of
duties = the red lines
There are five different types of duty that should be separated:
1. Authorization (making decision, committing the organization to third parties)
2. Recording (the independent accounting function)
3. Custody (safeguarding assets)
4. Checking (comparing Ist and Soll, “what is” versus “what should be”)
5. Execution (performing tasks based on assignments given by other functions)
, Relationships in double-entry accounting
Sales: Inventory = purchase price, accounts receivable = sales price
Difference between sales price and purchase price = gross margin
Steps in double-entry accounting
1. Business event data
2. Journal voucher
3. General ledger
4. Trial balance
5. Adjusting entries
6. Financial statements
check: debit = credit
Triple-entry accounting with blockchain: debit = credit = external recording in blockchain
- Creating a distributed database that is managed by each entity in the ecosystem and that
serves as the shared single source of truth
- Making journal entries not only locally in each entity’s ERP system but also in the distributed
database a normative position (Soll) is continuously maintained against which the local
databases (Ist) can be checked
Standardization is needed
- If organizational boundaries are crossed for controlling purposes, then some kind of
standardization of data flows is needed for searchability, comparability and interoperability
- Creating worldwide standards is an onerous task
- XBRL is the first and predominant attempt to develop a common language that enables
communication between entities without having to build interfaces
- Standard business reporting (SBR) is the governmental standard for enabling worldwide
communication via XBRL
- There are many XBRL taxonomies, for example the Dutch Taxonomy that is used for tax
returns and statistical data exchange between companies and governmental bodies
Enterprise risk management and internal control
= A process effected by an entity’s board of directors, management, and other personnel, applied in
strategy setting and across the enterprise designed to identify potential events that may affect the
entity, manage risk to be within its risk appetite, and provide reasonable assurance regarding the
achievement of entity objectives.
Risk response
- Risk needs to be managed to avoid surprises
- Make informed decisions about how to react to identified risks:
o Accept
o Avoid (eliminate, share)
