The Paper P3 syllabus for December 2014 and June 2015 has expanded section E, Information Technology. Section E1 is a new subject area:
E INFORMATION TECHNOLOGY
1. Principles of information technology
(a) Advise on the basic hardware and software infrastructure required to support business information systems.
(b) Identify and analyse general information technology controls and application controls required for effective accounting information systems.
(c) Analyse the adequacy of general information technology controls and application controls for relevant application systems.
(d) Evaluate controls over the safeguarding of information technology assets to ensure the organisational ability to meet business objectives.
In particular, in (a) above, knowledge and skills relating to hardware and software infrastructure have expanded from a focus on e-business to more general business information systems. (b), (c) and (d) above all relate to controls which were not mentioned at all in earlier syllabuses or study guides.
INFRASTRUCTURES TO SUPPORT BUSINESS
Very large companies began to use of computers in the 1960s. The first applications were for wages and salaries processing, the production of sales invoices and receivables ledger accounting. These applications automated existing operations allowing greater accuracy, more speed and cheaper processing. At this time the IT operations would have been called ‘data processing’.
Once transactions are processed by computer it is easy to analyse those transactions to produce information that could be useful for management. For example, once the sales ledger is computerised it is easy to produce aged receivables listings. These additional management reports became common in the 1970s (and are still important) and IT operations became known as ‘management information systems’ (MIS). The systems could also be programmed to make simple decisions such as comparing inventory levels to production plans to enable automatic stock ordering. The simple decisions are known as programmable or structured decisions, meaning that there is a well-defined way of getting to the correct answer. MIS primarily allows companies to keep their costs down, helping them to move towards cost leadership, through a combination of automation and rationalisation.
At the beginning of the 1980s, spreadsheets were invented and this allowed computers to be used to help managers make unstructured (non-programmable) decisions. For these decisions there is no definitively right answer. For example, what should next year’s budget look like? At what price should a new product be launched? Financial models on spreadsheets allow managers to try out 'what if?' experiments where they try out different combinations of assumptions and try to home in on a credible answer. These systems are known ‘decision support systems’ (DSS): they do not make the decision but help managers make decisions.
More sophisticated DSS systems can combine, for example, computer aided design and computer aided manufacturing systems to enable new products to be brought to market more quickly: data warehousing (recording historical transaction data) and data mining (trawling through that data to learn more about customers’ preferences and buying patterns). Both of these techniques can help with differentiation and focus strategies.
Somewhat later, around the 1990s, executive information systems were developed. These were of particular use to senior managers and they have a particular emphasis on giving access to external information that is needed for operational and strategic planning. It was, of course, in the 1990s that the Internet began to expand rapidly and much more external information became available. Executive information systems also emphasise flexibility so that executives can see company data in a wide variety of ways. Typically, such systems would initially present sales for the group, but upon double-clicking on that figure, it would split into sales by division. Double-clicking on one of those figures might show the sales to the division’s 10 key customers, compared to the comparable period last year. This process is known as drilling down.
Databases are by far the preferred way to hold data. Databases allow a wide range of users and applications to use the data flexibly and to update it. Each user can be given a unique, personalised and relevant view of the data which they can easily search and manipulate.
The increasing reliance on computers by all levels within a company requires careful design of the information technology (IT) infrastructure. IT usually refers to the hardware: computers, connections, disk storage.
Only the very smallest of businesses will have stand-alone computers, computers not connected to other computers. Even in small businesses employees need to share data and very soon after personal computers were invented networks of computers were introduced. There are two main types:
- Local area network (LAN): Here the network extends over only a relatively small area, such as an office, a university campus or a hospital. The small area means that these networks use specially installed wiring to connect the machines.
- Wide area networks (WAN): Here the network can extend between several cities and countries. Each office would have its LAN, but that connects to LANs in other offices and countries using commercial, public communications systems. At one time this would have been done by the organisation leasing telephone lines for their private use to transmit data from office to office. However, this is expensive and inflexible and the common system now used is known as a virtual private network (VPN)
VPN’s allow data to be transmitted securely over the internet between any two locations. For example, an employee working from home or a hotel can access the company system as though being in the office. Information will pass over many different circuits and connections but the system gives the impression that you are operating over a dedicated, private communications link. Hence, the name: virtual private network. Because data is being transmitted over public systems it is particularly vulnerable to interception and it is very important that adequate security measures are in place to safeguard the data. There are three essential steps in the security measures:
- Access control and authentication – this ensures that unauthorised users do not access the system. Typically this will be accomplished through a log-in procedure. Many organisations, such as banks, may require a password, answers to security questions (such as ‘What is the fourth letter of your secret word?’), and also a code number generated by a security device that has been issued to the user. Use of the latter technique means that anyone logging on has both to know a password and to be in possession of the security device.
- Confidentiality – this ensures that data cannot be intercepted and read by a third party whilst being transmitted. This is achieved using encryption.
- Data integrity – this ensures that the data has not been altered or distorted whilst in transit. To ensure this, the message could have special check digits added to ensure that the data complies with a mathematical rule.
CENTRALISED AND DECENTRALISED (DISTRIBUTED) ARCHITECTURES
Consider an office local area network. There are three main ways in which the data and processing can be arranged: centralised, decentralised (distributed) and hybrid.
In these systems there is a powerful central computer which holds the data and which carries out the processing. The main advantages of such systems are:
- Security: all data can be stored in a secure data centre so that, for example, access to the data and back-up routines are easier to control.
- One copy of the data: all users see the same version of the data.
- Lower capital and operational costs: minimal hardware is needed at each site. There is also less administrative overhead.
- The central computer can be very powerful: this will suit in processing-intensive applications.
- They allow a centralised approach to management. For example, a chain of shops needs to keep track of inventory in each shop and to transfer it as needed. There is little point in a shop that is running low ordering more of a product if another branch already has a surplus of that product.
The main disadvantages of such systems are:
- Highly dependent on links to the centralised processing facility. If that machine fails or communication is disrupted then all users are affected.
- Processing speed: will decrease as more users log-on
- Lack of flexibility: local offices are dependent on suitable software and data being loaded centrally.
Decentralised (distributed) systems
In these systems, each user has local processing power and will hold data locally.
The main advantages of such systems are:
- Resilience: if one machine breaks down, others are unaffected.
- Easy expansion: simply add another computer.
- Flexibility: local users can decide which programs and software should be installed to meet local needs.
- They are more useful where each location can operate more or less separately from others.
The main disadvantages are:
- More difficult to control: data storage and processing are in many locations and correct access, processing and back-up of data are more difficult to enforce.
- Multiple versions of data: users might have their own version of data that should be uniform.
- Potentially higher costs: each local computer has to have sufficient processing power and each location might require an IT expert.
In these systems some data and processing are local and some are centralised. For example, web-browsing and word-processing might be local but critical business applications might be centralised.
CLIENT-SERVER AND PEER-TO-PEER SYSTEMS
These concepts are similar to centralised and decentralised, but are not quite identical.
In a client-server arrangement, a powerful computer (the server) is dedicated to providing a service to other computers in the network (the clients). Typical services provided are:
- File storage (file servers)
- Handling printing (print server)
- Handling the sending and receiving of emails (mail servers).
There is an element of centralisation here, but although files might be held centrally on the server they will often be processed locally. For example, a report will be held on the server, but when it is being edited it is downloaded to the user’s local machine (client). The edited version will be saved back to the server where other users can then access it. Obviously there will be great disruption if the server fails. Access rights to files are set centrally and typically enforced by users’ log-on information.
Traditionally, in client server networks each client would have had a copy of, say, Word for Windows. Documents would have been downloaded from the server for local editing then saved back to the server. The disadvantage of this is that each machine in the network needs a copy of Word and if the company was upgrading its software all copies of the program would have to be changed. Providing the software initially for all machines and its subsequent management is very expensive. With cloud computing, this approach has changed. There is only one copy of the software on the server within a web-based interface. Users log into the web system and their processing is then carried out on the server or a ‘cloud’ of servers. It appears to each user that they have a local version of the software, but what they are really seeing is the program operating in the server. Client machines can be ‘thin-clients’ which are not very powerful as they do not have to store much data and software nor do they have to carry out much processing. Hardware, software and maintenance costs are greatly reduced, though the system is vulnerable to service disruption.
Hotmail and Gmail provide examples of this approach. Whenever you want to write an email you log into the web email account and the processing is carried by the system’s computer cloud – not your computer. All it has to do is to handle the interface.
In peer-to-peer networks, two or more computers are connected directly without the need for a server. Access rights to files are given by individual users to specified other users. This is a simpler system to set-up, requiring no specialist operating system or specialist staff and many home systems are like this. It is a much more distributed system than client server systems and therefore has back-up and security issues.
CONTROLS IN IT SYSTEMS
IT poses particular risks to organisations’ internal control and information systems. This can lead to their operations being severely disrupted and subsequently to lost sales, increased costs, incorrect decisions and reputational damage.
- Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, reporting inaccurate, misleading results - or all three.
- Unauthorised access to data leading to destruction of data, improper changes to data, or inaccurate recording of transactions.
- Particular risks may arise where multiple users access a common database on which everyone in the organisation relies.
- The possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties.
- Unauthorised changes to data in master files. For example, changing a selling price or credit limit.
- Unauthorised changes to systems or programs so that they no longer operate correctly and reliably.
- Failure to make necessary changes to systems or programs to keep them up-to-date and in line with legal and business requirements.
- Potential loss of data or inability to access data as required. This could prevent, for example, the processing of internet sales.
Controls in computer systems can be categorised as general controls and application controls.
These are policies and procedures that relate to the computer environment and which are therefore relevant to all applications. They support the effective functioning of application controls by helping to ensure the continued proper operation of information systems. General IT controls that maintain the integrity of information and security of data commonly include controls over the following:
- Data centre and network operations. A data centre is a central repository of data and it is important that controls there include back-up procedures, anti-virus software and firewalls to prevent hackers gaining access. Organisations should also have disaster recovery plans in place to minimise damage caused by events such as floods, fire and terrorist activities. Where IT is critical to an operation’s business these plans might include having a parallel system operating at a remote location that can be switched to immediately.
- System software acquisition, change and maintenance. System software refers to operating systems, such as Windows or Apple’s OS. These systems often undergo updates as problems and vulnerabilities are identified and it is important for updates to be implemented promptly.
- Access security. Physical access to file servers should be carefully controlled. This is where the company keeps it data and it is essential that this is safeguarded: data will usually endow companies with competitive advantage. Access to processing should also be restricted, typically through the use of log-on procedures and passwords.
- Application system acquisition, development, and maintenance. Applications systems are programs that carry out specific operations needed by the company – such as calculating wages and invoices and forecasting inventory usage. Just as much damage can be done by the incorrect operation of software as by inputting incorrect data. For example, think of the damage that could be done if sales analyses were incorrectly calculated and presented. Management could be led to withdraw products that are in fact very popular. All software amendments must be carefully specified and tested before implementation.
Example: Royal Bank of Scotland
A software update was applied on 19 June 2012 to RBS's system which controls its payment processing. The update had been corrupted by RBS technical staff so that customers' wages, payments and other transactions were disrupted. Many customers were unable to withdraw cash using automatic teller machines and were not able to see their bank account details. Others faced fines and surcharges for late payment of bills because the system could not process direct debits. For many customers the disruption lasted for around a week.
Application controls are manual or automated procedures that typically operate at a business process level, such as the processing of sales orders, wages and payments to suppliers.
These controls help ensure that transactions are authorised, and are completely and accurately recorded, processed and reported. Examples include:
Edit checks of input data
Checks on input data are very important because once data has been input it is often automatically processed thereafter without the further chance of human scrutiny. Methods include:
- Range tests can be applied to reject data outside an allowed range. For example, when accepting orders through a website, the system could be programmed to prevent, or at least query, unusually large quantities being ordered.
- Format checks ensure that data is input in the correct format (credit card numbers should be 12 digits long).
- Dependency checks, where one piece of data implies something about another (you have probably had a travel booking rejected because you inadvertently had a return date earlier than the outward date).
- Check digits, where a number, such as an account number, is specially constructed to comply with mathematical rules. For example, UK and European VAT numbers use this method:
VAT number = GB 2457193 48 (the last two digits, here 48, are the check digits)
The first seven numbers are multiplied by the weighting factors 8, 7, 6, 5, 4, 3, 2:
So 2 x 8 + 4 x 7 + 5 x 6 + 7 x 5 + 1 x 4 + 9 x 3 + 3 x 2 = 146
Subtract 97 until the result is zero or negative:
146 – 97 – 97 = -48
The resulting number is the check digit. The chances of someone incorrectly typing in a VAT number which accidentally followed these rules are very small.
- Numerical sequence checks to ensure that all accountable documents, such as cheques, have been processed.
- Drop down menus which constrain choices and ensure only allowable entries can be made. For example, constraining delivery choices to ordinary post or express delivery, or presenting a list of allowable account codes.
- Batch total checks. Here, the data is first added up to create a control total, which is subsequently compared to the total of the data actually submitted.
Online, real time systems can pose particular risks because any number of employees could be authorised to process certain transactions. Anonymity raises the prospect of both carelessness and fraud so it is important to be able to trace all transactions to their originator. This can be done by requiring users to log-on and then tagging each transaction with the identity of the person responsible. Logging on should require passwords and it is important that members of staff keep these confidential. Many business systems enforce a rule that requires passwords to be changed every few months. This is fine in theory, but to remember their changing passwords many users start to write them down – a potential breach in security. Increasingly, biometric measurement, such as fingerprint or retina recognition, can be used to control access.
Log-in security, whether through passwords or biometrics, also helps to control both processing and access to data. Each user is provided with tailored rights that allow them to see only certain data, change only certain data and to carry out only specified processing.
This article has mentioned encryption, firewalls authentication and access controls. It is important to realise that even with these measures in place that organisations can be damaged by lapses in computer security. For example:
- November to early December 2013, Target Corporation (turnover around $70bn) announced that data from around 70 million credit and debit cards was stolen.
- April 2011, Sony experienced a data breach within their Playstation Network that the information of 77 million users was compromised.
- May 2014, Ebay announced that three months earlier that information (including passwords, email addresses, birth dates, mailing addresses and other personal information) relating to 145 million users had been stolen. Ebay states that the information was encrypted and there is no evidence that is has been decrypted (yet).
Cyber-espionage is also a growing threat. Governments, competitors and criminals attempt to steal intellectual property or information about customers and contracts. Quite obviously the theft of valuable know-how will undermine a company’s competitive advantage and it is essential that for organisations to defend themselves as far as possible against these threats.
Ken Garrett is a freelance lecturer and writer