Class notes
Lecture notes Information Systems & Data Analytics
- Course
- Institution
Lecture notes of the course Information Systems & Data Analytics
[Show more]
Seller
Follow
YKN
Reviews received
Content preview
Lecture 1. Introduction to the courseWhy do companies need information?
- Delegation and accountability
- Decision making
- Operating the business
Data engineering: all operational activities that pertain to defining, collecting, transforming,
processing and recording data. Aimed at enhancing the reliability of those data in such a
way that they don’t contain errors, doubles and inconsistencies.
Data analysis helps the organization by supporting the provision of relevant information,
but also helps to the auditor in checking whether client data and information are reliable.
Information-based control framework
- Business domain→ models the essence of a company and as such pertain to what a
company does to create value. Including selling products, purchasing raw materials,
hiring personnel, and making investment in fixed assets
- Information & communication domain→ models the information that will be
provided to the business domain for decision making and operating the business, as
well as the information that is provided by the business domain for delegation and
accountability.
- Data domain→ models the data that is needed for information provisions
- IT domain→ models the required information and communication technology
applications and hardware
The strategy formation level embodies the processes that lead to the business strategy,
information strategy, data strategy and the IT strategy.
The underlying theory of the information-based control framework is that the resulting 8
cells need to be continuously aligned with one another for optimal problem solutions→
change in one cell will always lead to changes in at least one of the other cells.
Risk assessment:
- Operation risks may include foregone revenues, excessive waste, goods being stolen
- Information provisions risks may include missing product information on the
company’s website, overstated financial statements
- Data engineering risks may include incomplete sales transaction data, invalid input of
purchase transaction data
- IT infrastructure risks may include a data breach, corrupted data warehouse, a
store’s website becoming unavailable
Control layer:
- Internal control→ it is designed to provide reasonable assurance regarding the
achievement of objectives relating to operations, reporting and compliance
- Information control→ internal control aimed at information provision
- Data control→ internal control aimed at the data engineering of an organization
- IT control→ internal control aimed at the IT infrastructure of an organization
1
,Information system: an organized collection of software and hardware (IT domain) for
inputting, processing and storing data (data domain) and providing information (information
and communication domain) aimed at the attainment of organizational goals
Lecture 2. Internal control and accounting information systems
Fraud cases because of weak internal control.
Management has a direct interest in securing the quality of its operations.
Auditor has interest in securing the reliability of information.
COSO Internal Control Framework
- Committee Of Sponsoring Organizations of the Treadway Commission→ the
treadway commission was tasked with finding explanation for high profile fraud
cases.
- COSO→ “Internal control is a process, effected by an entity’s board of directors,
management and other personnel, designed to provide reasonable assurance
regarding the achievement of objectives relating to operations, reporting and
compliance.
- Internal control objectives:
o Effectiveness and efficiency of operations
o Reliability of (internal and external) reporting
o Compliance with applicable laws and regulations
The five components of internal control are:
- Monitoring
- Information & communication
- Risk assessment
- Control activities
- Control environment
Five principles that apply to the control environment (= the
organization’s culture with respect to the importance of internal control):
- The organization is committed to integrity and ethical values
- The supervisory board or non-executive directors in the board of directors are
independent of management in exercising oversight on internal controls
- Management, with board oversight, puts in place structures, reporting lines,
authorities and responsibilities
2
, - The organization demonstrates a commitment to attract, develop, and retain
competent personnel in alignment with its objectives
- The organization holds individuals accountable for their internal control
responsibilities in the pursuit of objectives
A good control environment is one where people in the organization are aware of the
importance of internal control and behave accordingly
Risk: an uncertain future event that, if it becomes reality, will have negative consequences
for the realization of the organization’s goals
- Don’t mix up risk with cause and consequence. For example, a risk is not that there is
unsatisfactory pairing of duties (potential cause), neither is foregone revenues a risk
(consequence)
- If you know the cause(s) of a risk, then you know the direction of your control
solution
Risk assessment: the identification, analysis and evaluation of relevant risks to the
achievement of objectives. Objectives fall withing three broad internal control categories:
- Operations objectives
- Reporting objectives
- Compliance objectives
Use some model for risk assessment to avoid overlooking certain risks. It also helps you to
work systematically and simplify the often too complex control environment.
Risks:
- Business risks → future uncertain event that if becoming a reality will lead to
organizational underperformance
- Information risks → future uncertain event that if becoming a reality will lead to
poor information quality
- Data risks → future uncertain event that if becoming a reality will lead to poor data
quality
- IT risks→ future uncertain event that if becoming a reality will lead to poor IT
deployment (inzet)
Stages in risk assessment
1. Risk identification, which is identifying the future uncertain events that may have
negative consequences
2. Risk analysis, which is assessing the likelihood and impact of each risk
3. Risk evaluation, which is categorizing each risk so that an appropriate risk response
can be given with respect to that risk
→ risk management = risk assessment + risk response
Four principles that apply to risk assessment
- The organization specifies objectives with sufficient clarity to enable the
identification and assessment of risks relating to objectives
- The organization identifies risks to the achievement of its objectives across the entity
and analyses risks as a basis for determining how the risks should be managed
3
, - The organization considers the potential for fraud in assessing risks to the
achievement of objectives
- The organization identifies as assesses changes that could significantly impact the
system of internal control
Control activities→ distinction between preventive (aim to prevent risks of becoming
reality) and detective (detect and correct deviations that results from certain risk haven
become reality) controls
Examples of preventive internal controls include: segregation of duties, physical protection
of assets and setting procedures for executing certain activities.
Examples of detective controls include tests of relationships, analytical review, stocktaking,
variance analysis and reperformance of certain calculations.
Three principles that apply to control activities
- The organization selects and develops control activities that contribute to the
mitigation of risks to the achievement of objectives to acceptable levels
- The organization selects and develops general control activities over technology to
support the achievement of objectives
- The organization deploys control activities through policies that establish what is
expected and procedures that put policies into action
Managers should always think of the level
of residual risk that they are willing to
accept. This is their risk appetite.
4
The benefits of buying summaries with Stuvia:
Guaranteed quality through customer reviews
Stuvia customers have reviewed more than 700,000 summaries. This how you know that you are buying the best documents.
Quick and easy check-out
You can quickly pay through credit card or Stuvia-credit for the summaries. There is no membership needed.
Focus on what matters
Your fellow students write the study notes themselves, which is why the documents are always reliable and up-to-date. This ensures you quickly get to the core!
Frequently asked questions
What do I get when I buy this document?
You get a PDF, available immediately after your purchase. The purchased document is accessible anytime, anywhere and indefinitely through your profile.
Satisfaction guarantee: how does it work?
Our satisfaction guarantee ensures that you always find a study document that suits you well. You fill out a form, and our customer service team takes care of the rest.
Who am I buying these notes from?
Stuvia is a marketplace, so you are not buying this document from us, but from seller YKN. Stuvia facilitates payment to the seller.
Will I be stuck with a subscription?
No, you only buy these notes for $6.11. You're not tied to anything after your purchase.
Can Stuvia be trusted?
4.6 stars on Google & Trustpilot (+1000 reviews)
67474 documents were sold in the last 30 days
Founded in 2010, the go-to place to buy study notes for 14 years now