Systems Analysis and Design in a Changing World, Fourth Edition -Solutions 14

October 30, 2017 | Author: eword | Category: Public Key Cryptography, Key (Cryptography), Xml, Point Of Sale, Public Key Certificate

Systems Analysis and Design in a Changing World, Fourth Edition

14-1

Chapter 14 – Designing System Interfaces, Controls, and Security

Solutions to End-of-Chapter Material

Review Questions

1. What does XML stand for? Explain how XML is similar to HTML. Also, discuss the differences between XML and HTML.

XML stands for eXtensible Markup Language. Like HTML, XML uses markup codes that are identified with brackets (< >) and that are embedded in an ASCII text file. The markup codes as well as the text file are in human-readable format. Unlike HTML, the markup codes in XML are not predefined. The language is extensible because the markup codes are self-defining. An additional file, called the Document Type Definition (DTD) file, is needed to define the meaning of the markup codes.

2. Compare the strengths and weaknesses of using a DFD to define inputs with using a sequence diagram to define inputs. Which do you like the best? Why?

DFDs: The arrows on a DFD describe information flows. As such, they define logical inputs of data. The design of the inputs and outputs might be more detailed, requiring several screens.

Sequence diagrams: The messages on a sequence diagram identify interactions. The parameters define the data that is passed. If the developer does not carefully define the parameters, the message might give an incomplete design. A sequence diagram also describes the various steps that are required to complete a business transaction, which might help define the set of required screens.

Preferences will vary.

3. Explain the system boundary. Why was one used on a DFD but not used on a system sequence diagram?

The system boundary divides the automated system from the manual system. It is used on a DFD because a DFD includes both manual and automated processes. To identify which data flows cross the boundary, a boundary must be superimposed on the diagram. The flow of information from actors to objects is by definition a flow of data from external to internal.

4. What additional information does the structure chart provide that is not obtained from a DFD in the development of input forms?

A structure chart gives more detailed information about access to individual input screens or files. A structure chart provides more details about the set of individual forms that might be required to support an input data flow.

5. How are the data fields identified using the structured approach?

Data fields primarily come from the data flows that cross the system boundary. These data flows can be checked by ensuring that adequate input data is available to support the fields in the data stores.

6. How are the data fields identified using UML and the object-oriented approach?

The primary source of data fields is the class diagram. Fields are identified in the classes. Input messages must contain enough data fields to support the required modifications to data fields in the internal classes.

7. Explain four types of integrity controls for input forms. Which have you seen most frequently? Why are they important?

- Field combination controls verify that the data in one field is based on the data in another field or fields.
- Value limit controls identify when a value in a field is too large or too small.
- Completeness controls ensure that all necessary fields on an input form have been entered.
- Data validation controls validate the input data for correctness.

Answers will vary.

8. What protection does transaction logging provide? Should it be included in every system?

Transaction logging provides an audit trail to track the changes that were made, when they were made, and who made them. It also provides an effective method for backup and recovery in case the primary data file is destroyed. Transaction logging should be included in every system that contains financial information. Other types of systems that are not as critical do not require logging.

9. What are the different considerations for output screen design and output report design?

Output screens are more dynamic but have limited information available at one time. It is harder to view multiple pages at the same time with screen output. However, dynamic features, such as drill down, can be provided so that summary information does not have to stand alone. Printed output is more permanent. Consequently, it should always include identifying fields, such as date printed. Because reports are not dynamic, they must be self-contained and include all necessary information to be understandable.

10. What is meant by drill down? Give an example of how you might use it in a report design.

Drill down is a technique that links a summary field to its supporting detail and enables users to view the detail dynamically. In financial reports, totals or summary amounts can include drill-down links to supporting accumulations. Textual reports can include drill-down links to more detailed explanations of critical terms.

11. What is the danger from information overload? What solutions can you think of?

Information overload can cause users to miss important facts, such as exception conditions. Users can also become discouraged when they are unable to find the information they need within reams of unimportant data. Solutions generally include identifying the information that is important and highlighting it using color or graphics, or by visually separating it from the other data.

12. Describe the kinds of integrity controls you would recommend to place on all output reports. Why?

Date printed, processing date, page numbers, titles, form numbers, routing information, end-of-report notification, and control totals and footings. It is usually easy to understand the report and its data when the report is first printed. However, reports are often long-term, and reviewing a report that was printed a week or month ago requires this control information. Frequently, there are multiple copies of the same type of report, and this control information is necessary to distinguish one day’s report from another day’s report.

13. What are the objectives of integrity controls in information systems? Explain what each of the three objectives mean. Give an example of each.

- Ensure that only appropriate and correct business transactions occur. This objective ensures that no erroneous or fraudulent transactions are entered. Example: A control to ensure that a clerk does not request a check for a service that was never provided.
- Ensure that the transactions are recorded and processed correctly. This objective ensures that the system processes and stores the data completely. Example: a control to ensure that a double-entry bookkeeping entry always processes both entries.
- Protect and safeguard the assets (including information) of the organization. This objective ensures that information is not lost due to theft, fire, or some other mishap. Example: Storing backup data periodically offsite.

14. What are four types of input controls used to reduce input errors? Describe how each works.

- Field combination control: An integrity control that verifies that the data in one field is based on the data in another field or fields.
- Value limit control: An integrity control that identifies when a value in a field is too large or too small.
- Completeness control: An integrity control that ensures that all necessary fields on an input form have been entered.
- Data validation control: An integrity control that validates the input data for correctness and appropriateness.

15. Explain what is meant by update controls for a database management system.

Update controls prohibit multiple programs from simultaneously updating the same fields or records in the database, which can result in overwriting or destroying data. Update controls maintain database integrity by ensuring that either all or none of the updates are completed.

16. What is the basic purpose of transaction logging? Microsoft Access does not have automatic transaction logging. Is this a deficiency, or is it not really an important consideration in database integrity?

Transaction logging takes every update to the database and logs exactly how it happened (sometimes with an image of the transaction). It is extremely important for audit trails and for recovery in case something goes wrong.

Transaction logging is usually not performed in databases that are small and not important to the business. For this reason, MS Access should not be used for important or mission-critical databases.

17. On a printed output report, what is the difference between the date the report was printed and the date of the data?

Every report should have a date and time stamp, both for the time the report was printed and for the date of the underlying data. It is important to distinguish between the two dates. A report that is printed in November, for example, might contain data from August, September, or October. Therefore, if you did not know the date of the underlying data in the report, you might mistakenly assume that it was from November, the date the report was actually printed.

18. What are the two primary objectives of security controls?

- Maintain a stable, functioning operating environment for users and application systems (usually 24 hours a day, seven days a week).
- Protect information and transactions during transmission outside the organization (public carriers).

19. Explain the three categories of user access privileges. Is three the right number, or should there be more or fewer than three? Why or why not?

Unauthorized, registered, and privileged. Unauthorized users do not have any access rights to the system. Registered users have different levels of access rights to the system. Some users might have rights to update data fields while others can only see them. Managers might have access to sensitive information that is not available to clerks. Privileged users are those who can access the security system and other control systems. There are also various levels of privileged users. These three categories cover all the needs. The registered and privileged user categories can include several different levels of access privileges, making it unnecessary to create additional categories.

20. How does single-key (symmetric) encryption work? What are its strengths? What are its weaknesses?

A single key is used to encrypt and decrypt a message. Both parties must have the key. Its strength is that it is simple and fast. Its weaknesses are that it might be easy to break the encryption and that it is difficult to distribute the key in a secret fashion to all the authorized participants.

21. How does public-key (asymmetric) encryption work? What are its strengths? What are its weaknesses?

A public-key encryption has two keys, a public one that is widely distributed and a private one that is secret. To send data to the owner of the keys, someone uses the public key. The data can then only be decrypted with the private key. So, the owner is the only one who can decrypt the data. After the message is encrypted, it can only be decrypted with the private key.

22. What is a digital certificate? What role do certifying authorities play in security systems?

A digital certificate is an institution’s name and public key (plus other information such as address, Web site URL, and validity date of the certificate) that is encrypted and certified by a third party.

Certifying authorities are companies that are very well known so that everybody knows for sure what their public keys are. These certifying authorities sell digital certificates to other companies (that are not as well known) so that these companies can convince their customers that they are legitimate.

23. What is a digital signature? What does it tell a user?

A digital signature is a technique in which a document is encrypted using a private key to verify who wrote the document. If you have the public key of an entity, and that entity sends you a message with its private key, you can decode it with the public key. You know that the party is the one you want to communicate with because that entity is the only one who can encode a message with that private key.
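The two key directions from questions 21 and 23, as an added example that is not part of the original solutions: the public key encrypts and the private key decrypts, while the private key signs and the public key verifies. It uses textbook RSA without padding over a constructed key pair built from two well-known primes, so it shows the mechanism only; the function names are assumptions, and practical signatures apply the private key to a padded hash of the document with much larger keys.

```python
import hashlib

# Constructed demonstration key pair. P and Q are the Mersenne primes
# 2**61 - 1 and 2**89 - 1: public knowledge and far too small for real use.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q                              # modulus, part of both keys
E = 65537                              # public exponent (widely distributed)
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (kept secret); Python 3.8+


def digest_as_int(message: bytes) -> int:
    """Hash the message and reduce it into the range the key can handle."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def encrypt_for_owner(value: int) -> int:
    """Anyone holding the public key (E, N) can encrypt a number below N."""
    return pow(value, E, N)


def decrypt_as_owner(ciphertext: int) -> int:
    """Only the holder of the private exponent D can recover the number."""
    return pow(ciphertext, D, N)


def sign(message: bytes) -> int:
    """The owner applies the private key to the message digest."""
    return pow(digest_as_int(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Anyone applies the public key and compares against a fresh digest."""
    return pow(signature, E, N) == digest_as_int(message)


if __name__ == "__main__":
    order = b"Pay supplier S-100 the sum of 480.00"   # constructed message
    sig = sign(order)
    print("original verifies:", verify(order, sig))
    print("altered verifies: ",
          verify(b"Pay supplier S-100 the sum of 980.00", sig))
```

A change to either the message or the signature makes verification fail, which is what tells the recipient both who sent the document and that it was not altered.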

Thinking Critically

1. The chapter described various situations that emphasized the need for controls. In the first scenario presented, a furniture store sells merchandise on credit. Based on the descriptions of controls given in the chapter, identify the various controls that should be implemented in the system to ensure that corrections to customer balances are made only by someone with the correct authorization.

Answers will vary but should include at least the following:

- Transaction logging to note all changes (especially financial) made to the database. Log records should include the login ID of the person making the transaction.
- Financial transaction screens should be available (and visible) only via authorization of the correct level of registered user.
- Possibly a notification report of any changes (other than standard payments) made to correct account balances.

2. In the second scenario illustrating the need for controls, an accounts payable clerk uses the system to write checks to suppliers. Based on the information in the chapter, what kinds of controls would you implement to ensure that checks are only written to valid suppliers, that checks are written for the correct amount, and that all payouts have the required authorization? How would you design the controls if different payment amounts required different levels of authorization?

Answers will vary but should include at least the following:

Both manual and automated controls might be needed for this process. The manual control will require authorization by a supervisor on paper documents for payment. Also, a paper audit trail (numbered invoice) might be required. Payments made only to valid suppliers can be controlled by having pre-defined PayTo fields that come from a supplier file. The supplier file should be maintained by different people to ensure separation of duties. Ensuring that checks are written for the correct amount can be accomplished by making sure a payment amount corresponds with the invoice amount in the system. A supervisor can also verify payments for correct amounts and viable suppliers. This can be done either with paper documents or with electronic forms. Before a check is written, a payment transaction can be approved by an electronic signature of a different person. Output reports detailing payments should be provided and reviewed. Internal edits can be developed to note whether payments are customary and normal. Out-of-range payments can be flagged as exceptions and verified by a manager. Different levels of payments will require the same types of controls; however, they may require different electronic signatures by higher-level registered users.
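One way the automated part of these accounts payable controls could be expressed, as an added example that is not part of the original solutions. The supplier file, invoices, roles, approval limits and the customary-payment threshold are all constructed sample values, and the names are assumptions.

```python
from dataclasses import dataclass

# Constructed sample data (amounts in cents). The supplier file is assumed
# to be maintained by staff who cannot enter or approve payments.
SUPPLIER_FILE = {"S-100": "Acme Paper", "S-200": "Northside Produce"}
INVOICES = {"INV-1": ("S-100", 48_000), "INV-2": ("S-200", 1_250_000)}
USER_ROLES = {"alice": "clerk", "bob": "supervisor", "carol": "manager"}
# Highest amount each level of registered user may approve (assumed values).
APPROVAL_LIMIT = {"clerk": 0, "supervisor": 500_000, "manager": 5_000_000}
CUSTOMARY_MAX = 1_000_000   # larger payments are reported as exceptions


@dataclass
class PaymentRequest:
    invoice_id: str
    supplier_id: str
    amount: int
    requested_by: str


def review_payment(req, approver):
    """Return (approved, reasons, is_exception) for one payment request."""
    reasons = []

    # Valid supplier: the PayTo value must come from the supplier file.
    if req.supplier_id not in SUPPLIER_FILE:
        reasons.append("supplier not in supplier file")

    # Correct amount: the payment must correspond to the invoice on record.
    invoice = INVOICES.get(req.invoice_id)
    if invoice is None:
        reasons.append("unknown invoice")
    else:
        invoice_supplier, invoice_amount = invoice
        if invoice_supplier != req.supplier_id:
            reasons.append("invoice belongs to another supplier")
        if invoice_amount != req.amount:
            reasons.append("amount does not match invoice")

    # Separation of duties: approval comes from a different person.
    if approver == req.requested_by:
        reasons.append("approver must differ from requester")

    # Different payment levels need a higher-level registered user.
    role = USER_ROLES.get(approver)
    if role is None:
        reasons.append("approver is not a registered user")
    elif req.amount > APPROVAL_LIMIT[role]:
        reasons.append("amount exceeds %s approval limit" % role)

    # Out-of-range payments are flagged for the exception report even
    # when they are otherwise approved.
    is_exception = req.amount > CUSTOMARY_MAX
    return (not reasons, reasons, is_exception)


if __name__ == "__main__":
    big = PaymentRequest("INV-2", "S-200", 1_250_000, "alice")
    print(review_payment(big, "bob"))     # supervisor limit too low
    print(review_payment(big, "carol"))   # approved, flagged as exception
```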

3. The executives of a company have asked for a special decision support system report on corporate financials. They want this report to be based on actual financial data for the past several years. The report is to have several input parameters so that the executives can do “what-if” analysis of future sales based on past performance. They want the report to be viewable online as well as in printed form. What kinds of controls would you implement to ensure that (1) only authorized executives can request the report, (2) the executives understand the basis (past and projected data) for a given report, and (3) the executives are aware of the sensitive nature of the information and treat it as confidential?

Answers will vary but should include at least the following:

- Only registered users with the correct level of authority should be able to request the report.
- Printing the report might also require the user to enter his or her user ID and password to ensure that the person printing the report is the same person who had the authority to request it.
- Online screen output should blackout after a defined number of minutes of nonactivity. To reactivate the screen output, the user might need to re-enter his or her user ID and password or some other keyword.
- All data on the report should be carefully labeled. The date of report, the date and source of underlying data, and the input reporting parameters should be included in the output report.
- Special notifications can be printed as headings and footings on each page, identifying the sensitive nature of the data.
- Electronic restrictions can be placed on the report to prevent it from being e-mailed or distributed to anyone other than the expected channels (this might be difficult to implement).

4. A payroll system has a data-entry subsystem that is used to enter time card information for hourly employees. What kinds of controls would you implement to ensure that the data is correct and error-free? What other controls would you include to ensure that a data-entry clerk (who might be a friend of an employee) not inflate the hours on the time card (after it was approved by a supervisor)?

Answers will vary but should include at least the following:

- The accuracy of data can be improved by using OCR readers instead of data-entry clerks. A combination of the two can also be used.
- The system should edit input data for normal and expected values by employee.
- Data can be entered twice—keypunch and verify.
- A transaction log that identifies which employee entered which time card will discourage falsification of records.
- Time cards can be manually compared with a data-entry report.
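The four input controls from review questions 7 and 14, applied to this time card form together with the "expected values by employee" edit and the keypunch-and-verify comparison, as an added example that is not part of the original solutions. Field names, limits and the employee table are constructed assumptions.

```python
from datetime import date

# Constructed sample data: usual weekly hours per employee.
EMPLOYEES = {"E17": 40.0, "E23": 20.0}
REQUIRED_FIELDS = ("employee_id", "week_ending", "regular_hours",
                   "overtime_hours", "entered_by")
MAX_REGULAR, MAX_OVERTIME = 40.0, 30.0   # assumed value limits
UNUSUAL_FACTOR = 1.5                     # assumed tolerance over usual hours


def validate_time_card(card):
    """Return a list of control violations for one keyed time card."""
    # Completeness control: every necessary field has been entered.
    missing = [f for f in REQUIRED_FIELDS if card.get(f) in (None, "")]
    if missing:
        return ["missing field: " + f for f in missing]

    errors = []
    # Data validation control: values are correct in type and reference.
    if card["employee_id"] not in EMPLOYEES:
        errors.append("unknown employee_id")
    try:
        date.fromisoformat(card["week_ending"])
    except (TypeError, ValueError):
        errors.append("week_ending is not a valid date")
    try:
        regular = float(card["regular_hours"])
        overtime = float(card["overtime_hours"])
    except (TypeError, ValueError):
        return errors + ["hours must be numeric"]

    # Value limit control: a value is too large or too small.
    if not 0 <= regular <= MAX_REGULAR:
        errors.append("regular_hours outside 0-%g" % MAX_REGULAR)
    if not 0 <= overtime <= MAX_OVERTIME:
        errors.append("overtime_hours outside 0-%g" % MAX_OVERTIME)

    # Field combination control: overtime depends on the regular hours.
    if overtime > 0 and regular < MAX_REGULAR:
        errors.append("overtime requires %g regular hours" % MAX_REGULAR)

    # Edit for normal and expected values by employee.
    usual = EMPLOYEES.get(card["employee_id"])
    if usual is not None and regular + overtime > usual * UNUSUAL_FACTOR:
        errors.append("hours unusual for this employee")
    return errors


def key_verify(first_entry, second_entry):
    """Return the fields on which two independent keyings of a card differ."""
    fields = set(first_entry) | set(second_entry)
    return sorted(f for f in fields
                  if first_entry.get(f) != second_entry.get(f))


if __name__ == "__main__":
    card = {"employee_id": "E23", "week_ending": "2024-03-10",
            "regular_hours": "40", "overtime_hours": "0",
            "entered_by": "clerk7"}                  # constructed entry
    print(validate_time_card(card))
    print(key_verify(card, dict(card, regular_hours="20")))
```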

5. Based on the DFD (Figure 10-26) given in Chapter 10, “Thinking Critically” problem 3, Add class to schedule, and the structure chart you developed there, identify the set of input and output screens for the system. Include the data fields that will be required.

Input/Output Screen | Data Fields
Display Course Information | CourseID, Section, Name, Description, Hour, Location, Teacher
Enter Student ID Information | Student ID, Password
Enter Course Add Information | CourseID, Section
Display Error Message | Text of message
Display Student Schedule Information | Student ID, Name, CourseIDs, Sections, Names, Hours, Locations, Teachers

6. Based on the DFD (Figure 10-27) given in Chapter 10 “Thinking Critically” problem 5, Special-order purchasing, and the structure chart you developed there, identify the set of inputs and outputs required. Develop the list of data fields for each screen and report.

Screen/Report | Name | Data Fields
Screen | Enter Special Order Information | InventoryID, Quantity
Screen | Display Orders | Customer Information, Order Information, Inventory Order Information
Screen | Enter Approvals/Changes | Customer Information, Order Information, Inventory Order Information, Field for approvals
Report | Purchase Order | Supplier Information, Order Information, Inventory on Order Information

7. A university library system is depicted in Figure 14-25, with partial system sequence diagrams for two use cases, Check out a book and Return a book. Based on the figure, construct four tables showing inputs and outputs, as shown in Figures 14-10 and 14-12: (1) Inputs for the Library System, (2) Outputs for the Library System, (3) Inputs for the Student Record System, and (4) Outputs for the Student Record System.

Library System Inputs

Input Message | Data Parameters
verifyStudent | studentID
addBookToLoan | catalogNo, copyNo
returnBook | catalogNo, copyNo

Library System Outputs

Output Message | Data Parameters | Classes | Single/Group
verifyStudent | studentID | Student | Single
MsgReturn | title, author, lendingCategory | Book | Single
changeStatus | studentID, fineStatus | Student | Single

Student Record System Inputs

Input Message | Data Parameters
verifyStudent | StudentID
changeStatus | studentID, fineStatus

Student Record System Outputs

Output Message | Data Parameters | Classes | Single/Group
MsgReturn | studentID, name, status | Student | Single

8. You work for a grocery chain that always has many customers in the stores. To facilitate and speed checkout, the company wants to develop self-service checkout stands. Customers can check out their own groceries and pay by credit card or cash. How would you design the checkout register and equipment? What kinds of equipment would you use to make it easy and intuitive for the customers, make sure that prices are entered correctly, and ensure that cash or credit card payments are done correctly? In other words, what equipment would you have at the checkout station? In your solution, you can use existing state-of-the-art solutions or invent new devices.

Answers will vary but should include at least the following points:

- Current grocery store scanners are intuitive to use. However, an instruction screen can be added if desired.
- Use bar codes as much as possible. Make sure all groceries are bar coded.
- Possibly have camera surveillance at all stands. Recorded film should be synchronized with data entry.
- Current scanners and automatic weighing trays are intuitive to use. Perhaps add buttons to identify produce by name rather than by price.
- Current payment technology is adequate for cash and credit card payments. Cash machines can read and return correct change. Credit card machines can require electronic signature before returning a credit card. Payments will be correct because they are based on sale amount.

In cases where customers have questions or problems at self-service checkout stands, a single clerk can probably be made available to help customers at several stands. If a self-service checkout stand cannot read a bar code on an item, a touch screen can be provided to provide customers with options to select the right item and price it.

Experiential Exercises

1. Look on the Web for an e-commerce site (for example, Amazon.com or eBay.com). Evaluate the effectiveness of the screens. What kinds of security and controls are integrated into the system? Do you see potential problems with the integrity controls? Evaluate the design of the individual screens. How easy are they to read and use? What suggestions would make them easier to use? How effective are they in minimizing data-entry errors?

Answers will vary. The following explanation uses Amazon.com as an example.

Data Site Fairly easy to navigate. Lots of tabs. Has plenty of search capability. Can narrow focus by entering different portals. Pages Some pages seem fairly busy; however, most pages are laid out fairly well. Hotlinks appear to be easy to find. Data Entry Mostly done with clicks, which reduces data errors. Gives lots of opportunities to double check and correct choices. Implements one-click method to expedite data entry and reduce errors. Security and Controls Use user ID and password. Do not give option of system remembering password. Make user sign in to secure server. Use secure socket layer. Potential Security Problems Will let you work with standard, non-secure servers. If you forget your password, system allows you (or someone else) to set up a new one. Remembers all credit card information for various credit cards.

2. Examine the information system of a local business (fast-food restaurant, doctor’s office, video store, food store, and so forth). Evaluate the screens (and reports if possible) for ease of use and effectiveness. What kinds of integrity controls are in place? How easy are the screens to use? What kinds of improvements would you make?

Answers will vary.

3. Find and research a system that is being constructed or has recently been constructed. You might work for a company that has a development project in progress or have a friend who works for such a company. Another source of development projects is the university itself. Interview one of the developers. Ask about integrity controls, methodology for screen design, and guidelines to ensure consistency across the user interface. Ask about the number and scope of the input and output design tasks (for example, how many screens or hours required) and the method used to layout the screens and reports (such as prototyping, CASE tools, and so forth).

Answers will vary.

4. If your university uses Java, find out about the JSwing class library. Write a one-page description of the JSwing library, its purpose, and ways to use it. Your objective is to demonstrate that you understand the concept of JSwing and the way it is used to build windows and input screens in a Windows environment.

Answers will vary. JSwing is a set of classes that define basic window functionality. To write programs in a Windows environment, a developer must address all aspects of a graphical user interface, including mouse movement and activity, keyboard capture, painting and repainting windows, and all other types of graphical and event-based activities. To provide these GUI capabilities, a set of base classes has been defined with the necessary methods and events. A Windows programmer uses these base classes to create the specific classes for the application he or she is writing. Because the methods and attributes of the JSwing classes are inherited, GUI capabilities can be provided automatically without having to reinvent them for every program.

5. If your university uses Studio .NET from Microsoft, find out about the .NET class library to build user interfaces. Write a one-page description of the .NET library, its purpose, and ways to use it. Your objective is to demonstrate that you understand the concept of .NET forms design and the way it is used to build windows and input screens in a Windows environment.

Answers will vary but should be similar to the answer provided in question 4.

6. Go to the Internet and find out what you can about Pretty Good Privacy. What is it? How does it work? Research what you can about a passphrase. What does it mean? Here are two sites that you can use to start your research: http://www.pgpi.org/ and http://web.mit.eu/network/ppg.html.

Answers will vary. PGP is a program that makes your e-mail messages private. It does this by encrypting your email so that nobody but the intended person can read it. When encrypted, the message looks like a meaningless jumble of random characters. PGP has proven itself quite capable of resisting even the most sophisticated forms of analysis aimed at reading the encrypted text. PGP can also be used to apply a digital signature to a message without encrypting it. This is normally used in public postings where you don't want to hide what you are saying, but rather want to allow others to confirm that the message actually came from you. After a digital signature is created, it is impossible for anyone to modify either the message or the signature without the modification being detected by PGP. PGP uses public key encryption to encrypt and decrypt e-mail messages. A passphrase is a longer version of a password. It can be an entire phrase. It is used to generate the public key/private key combination for a PGP user.

Systems Analysis and Design in a Changing World, Fourth Edition

14-15

Case Studies Case Study: All-Shop Superstores All­Shop Superstores is a regional chain of superstores in the Boston, New York, and  Washington, D.C. corridor. These stores compete with other giants, such as Wal­Mart,  Kmart, Target, and other budget retailers. The stores contain large grocery stores as well  as domestics, clothing, automobile, and home improvement products. Overall, the margins  in this portion of the retail industry are very small. Grocery profits have always been small, in the range of 5 to 10 percent. The margin for domestics, clothing, and other goods is a  little higher, but to compete with Wal­Mart, all margins must be kept low. To reduce operating costs as much as possible, All­Shop has decided to move very heavily  into electronic data interchange (EDI) with its suppliers. All­Shop is aware that several of  its more advanced competitors allow their suppliers to manage inventory levels in the  stores themselves. For example, paper hygiene products such as disposable diapers and  toilet paper are high­volume products that require very close monitoring of inventory  levels. All­Shop has already installed sophisticated sales and inventory systems that track  activity of each individual item (tracked by UPC code) daily. These systems not only  capture daily activity but also maintain histories in a data warehouse to support online  data analysis. The first step for All­Shop was to enable its major suppliers to have access to its daily sales  and inventory database. That way, the suppliers could monitor sales activities and check  inventory to ensure that deliveries are made on time to maintain inventory levels at an  optimal level. The system should also permit each supplier to access and check the status of its individual accounts and a history of past payment activity. Obviously, all of this  information must be controlled by All­Shop so that suppliers cannot observe each other’s  information. 1. 

Based on what you have learned in this and previous chapters, develop a use case  diagram identifying the use cases that apply to the supplier as an actor. Even though this is really a system­to­system interface, the supplier system can be considered an  actor. Identify two lists of controls that you consider necessary for this interface. In  the first list, identify overall controls for the entire EDI interface. Then, for the  second list, for each identified use case, develop a specific set of controls that will be  necessary. Base your analysis on the types of controls discussed in the chapter as  well as the three primary objectives of integrity controls. In other words, your  assignment is to develop a statement of required controls that can be used by the  system developers to ensure that the system adequately protects the assets and  information of All­Shop. Use cases that should be identified in the use case diagram include the following:

Systems Analysis and Design in a Changing World, Fourth Edition

    

14-16

Check daily sales of item Check inventory level of item Check last delivery information for item Check history of payments sent (from All-shop to supplier) Modify reorder point of inventory item

Other activities, such as generating an order and shipping items, would be done within the supplier system.

Read sales data

Read inventory data

Supplier Read payment data

Lists of controls will vary. Some important points include the following:     

Controls should limit access to valid registered users. Making a system available to outside users introduces the risk of unauthorized people accessing the system. Very stringent user ID and password controls need to be implemented. Additional security measures can include recognition by requesting the computer name (source of external messages must come from a known computer) and the time of day (access available only during certain, pre-defined working hours). Each record should contain accessibility codes that allow only a particular supplier or a specified group of users to view the record. A transaction log is also mandatory.

For each use case, the following should apply:

- For those use cases that are read-only, access should be limited to reading the data.
- The update transaction must have very tight controls to make sure the right supplier has access to it. Valid range checks should also be implemented.
- Data must be carefully examined to define which data is accessible to which users.
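The two lists of controls above, expressed as one request handler. This is an added example, not part of the original solutions; the supplier names, host name, access hours, reorder-point range and function names are all constructed for illustration, and the caller is assumed to have already passed user ID and password authentication.

```python
from datetime import datetime, time

# Constructed sample data: registered suppliers, their known source computer,
# permitted access hours, and records tagged with accessibility codes.
SUPPLIERS = {"acme": {"host": "edi.acme.example", "hours": (time(8), time(18))}}
INVENTORY = {
    "item-1": {"access": {"acme"}, "reorder_point": 40},
    "item-2": {"access": {"globex"}, "reorder_point": 10},
}
READ_ONLY = {"check_daily_sales", "check_inventory_level",
             "check_last_delivery", "check_payment_history"}
REORDER_RANGE = (0, 500)  # assumed valid range for a reorder point
TRANSACTION_LOG = []      # every request is logged, allowed or denied


def decide(supplier, host, when, use_case, item, new_value=None):
    """Overall interface controls first, then the per-use-case controls."""
    reg = SUPPLIERS.get(supplier)
    if reg is None:
        return "deny: unregistered supplier"
    if host != reg["host"]:
        return "deny: unknown source computer"
    start, end = reg["hours"]
    if not start <= when.time() < end:
        return "deny: outside access hours"
    record = INVENTORY.get(item)
    if record is None or supplier not in record["access"]:
        return "deny: record not accessible to this supplier"
    if use_case in READ_ONLY:
        # Read-only use cases may never carry a value to write.
        return "allow: read" if new_value is None else "deny: read-only use case"
    if use_case == "modify_reorder_point":
        low, high = REORDER_RANGE
        if type(new_value) is not int or not low <= new_value <= high:
            return "deny: value out of range"
        record["reorder_point"] = new_value
        return "allow: updated"
    return "deny: unknown use case"


def handle(supplier, host, when, use_case, item, new_value=None):
    """Entry point: decide, then append the outcome to the transaction log."""
    outcome = decide(supplier, host, when, use_case, item, new_value)
    TRANSACTION_LOG.append(
        (when.isoformat(), supplier, host, use_case, item, new_value, outcome))
    return outcome


if __name__ == "__main__":
    noon = datetime(2024, 3, 4, 12, 0)
    print(handle("acme", "edi.acme.example", noon, "check_inventory_level", "item-1"))
    print(handle("acme", "edi.acme.example", noon, "modify_reorder_point", "item-1", 9999))
    print(handle("acme", "edi.acme.example", noon, "check_daily_sales", "item-2"))
```

Denied requests are logged alongside allowed ones, so the transaction log also records requests that were not appropriate for a particular supplier.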

2. All-Shop is considering a plan to provide supplier access to its data warehouse to permit executives to analyze past trends and help design promotions to increase overall sales and those of individual products. In other words, All-Shop is building partnerships with its suppliers to maximize its presence in the retail marketplace. One major concern of All-Shop executives is how to ensure that the suppliers treat this information with maximum security and not damage All-Shop. How can they ensure that this information is not used to benefit its competitors inadvertently, as suppliers also work with All-Shop competitors?

Answers will vary. Some ideas might include the following:

- Signing contracts and letters of confidentiality
- All-Shop might perform the programming and data analysis and provide suppliers with summary results only.
- All-Shop should keep a log of what information is accessed by which supplier and identify any requests for information that are not appropriate for a particular supplier.

3. Do you think this second step is a wise move for All-Shop? If not, why? If so, what kinds of controls and contractual arrangements should be made to protect All-Shop? You can see how a narrow focus on integrity controls might be inadequate to protect proprietary information. A broader view and understanding of controls and their objectives is required in this instance.

Answers will vary. Students should support their answers.


Case Study: Real Estate Multiple Listing Service System (Structured)

Based on the DFD fragments you developed in Chapter 6 and the structure charts from Chapter 10, develop a table of inputs along with the associated data couples and data fields for each input. Also, develop a table of outputs with the required data fields.

| Input | Data Fields |
|---|---|
| New Listing | Listing Number, Address, Year Built, Square Feet, Number Bedrooms, Number Baths, Owner Name, Owner Phone, Asking Price, Date Listed, Date Last Updated, Status Code, OfficeID, AgentID |
| Listing Changes | Listing Number, fields to be changed |
| New Agent | Agent Number, Name, Office Phone, Home Phone, E-mail Address, Cell Phone, OfficeID |
| Agent Changes | Agent Number, fields to be changed |
| New Office | Office Number, Name, Office Manager Name, Address, Phone, FAX |
| Office Changes | Office Number, fields to be changed |
| Request for Listing Information | Listing Number |
| Request for Listing Book | |

| Output | Data Fields |
|---|---|
| Listing Inquiry | Listing Number, Address, Year Built, Square Feet, Number Bedrooms, Number Baths, Owner Name, Owner Phone, Asking Price, Date Listed, Date Last Updated, Status Code, OfficeID, AgentID |
| Listing Book | Listing Number, Address, Year Built, Square Feet, Number Bedrooms, Number Baths, Owner Name, Owner Phone, Asking Price, Date Listed, Date Last Updated, Status Code, OfficeID, AgentID |


Case Study: TheEyesHaveIt.com Book Exchange System

Based on the system sequence diagrams you developed in Chapter 7, develop a list of inputs and outputs required for this system. Also, identify any specific controls that might be necessary to ensure that information is entered accurately.

| Input | Data Fields | Controls |
|---|---|---|
| New Seller Information | Name, address, telephone, emailAddress | All fields completed |
| Book Inquiry | bookTitle or bookauthor or isbn or bookCategory | No special controls |
| Book Purchase Request | isbn or bookTitle | Validate against database |
| Buyer Information | Name, address, telephone, emailAddress, creditCardInfo | All fields must be filled in; Credit card field validated; Credit check completed; Secure transmission and socket for credit card information |

| Output | Data Fields | Controls |
|---|---|---|
| Order Information | Order ID, data, sellerName, BookTitles, bookAuthors, bookPrices, Total. BuyerName, creditCardInfo. | Secure socket and transmission |


Case Study: DownTown Video Rental System

Using the system sequence diagrams you developed in Chapter 7, develop a list of inputs and outputs, along with the necessary data fields, for the system.

| Input | Data Fields |
|---|---|
| New Customer | CustomerID, Family Name, Address, Telephone, *{FamilyMemberName, Age, Limitations} |
| Update to Customer | CustomerID, as appropriate |
| New Conceptual Movie | Title, Producer, Release Date, Copy Cost, Rental Price, Movie Category, Rental Type, Rating |
| Update Conceptual Movie | Title, as appropriate |
| New Movie Copy | Title, Copy Number, Date Purchased, Rental Status, Condition |
| Update Movie Copy | Title, Copy Number, as appropriate |
| New Rental | CustomerID, Rental Date/Time, Total Amount |
| Rental Line Item | Movie/GameID, Copy Number, Rental Price, Due Date |
| Finalize Rental | PaymentType, Payment Amount |
| Return Movie | Title, CopyNumber |
| Request Movie Report | Date |
| Request Overdue Rental Report | Date |

| Output | Data Fields |
|---|---|
| Receipt | CustomerID, RentalID, Title, Price, Type, Copy Number, Due Date |
| Movie Inventory Report | Title, Producer, Release Date, Copy Cost, Rental Price, Movie Category, Rental Type, Rating, Copy Number, Date Purchased, Rental Status, Condition |
| Overdue Rental Report | CustomerID, Family Name, Address, Telephone, Movie/GameID, Copy Number, Rental Price, Due Date |


Case Study: Rethinking Rocky Mountain Outfitters

The RMO event table lists six system reports that are part of the new system:

- Order summary
- Transaction summary
- Fulfillment summary
- Prospective customer activity
- Customer adjustments
- Catalog activity

For each of these six reports, answer the following questions:

1. Identify the data fields that each report should include.
2. What questions will users want each report to answer?
3. What type of report is it: detailed, summary, exception?
4. How might graphics be used? What about drill-down capabilities?
5. How would you prepare a mock-up of each report, assuming a printed output and also an online output?
6. What output controls should be associated with each report?

Answers will vary, but should include the following information:

Order Summary Report

This is a summary report of orders over a period of time.

1. Period covered by the data, total orders by category (Web, telephone, mail), total dollar sales for each category. This report could also be sorted by other categories, such as region, order type, date, product line, and so on.
2. As a summary report, the users are primarily executives who are watching sales figures and trends. They will be answering the following types of questions: What products and product lines are selling well? What products are done? How do the areas of the business (telephone, mail, Web) compare? What are the trends? How does this year compare to previous years and periods?
3. Summary report
4. The information in summary reports is often best presented with graphics. Bar charts or line graphs can show trends and comparisons with previous periods. Pie charts can illustrate percentage splits. Drill-down links might also be helpful in an online version of the report. The system could allow users to drill down by each category in the report.
5. An effective way to build a mock-up for the report is to build a simple database with tables and sample data. Developers could use MS Access or an Integrated Development Environment (IDE) tool, such as Borland’s JBuilder (for Java shops) or PowerBuilder. Many of these IDE tools also have their own database engines. MS Access can be used to create printed reports. Drill-down prototypes or mock-ups might require other tools provided by IDEs.
6. This report contains sensitive financial data on RMO. Only authenticated users should have access to the online versions of the report. Printed versions should have distribution controls. Data controls should have cross-footings to make sure all the numbers are correct and correlated. The dates and periods of the underlying data should be carefully indicated to avoid mistakes and wrong assumptions.

Transaction Summary Report

This report shows counts of activity for all types of activities.

1. Counts of activities for different kinds of activities such as orders (by category), returns, payments, corrections, and so on.
2. The report can be used to show trends in activity. Comparing the data in this report with the data in an order summary report can show trends in average dollar size of orders by various categories. Trends in returns or corrections can also be noted in these transaction volumes.
3. Summary report
4. See order summary report.
5. See order summary report.
6. See order summary report.

Fulfillment Summary Report

This is a summary report of the orders that have been shipped (fulfilled).

1. Volume of orders shipped, dollar value of orders, average time to ship, average number of items out of stock or on backorder.
2. The report is used to track the performance of the company, as well as the performance of each department, in the area of order fulfillment. Middle management uses the report more frequently than senior executives do.
3. Summary report
4. This report should include drill-down capability to specific details. Drill-down links and graphics would make the report very user friendly. For example, a summary figure, such as the total number of backorders, could be expanded to show products by backorder status and then by manufacturer. A pie chart could also illustrate the percentage split of the various components that make up the combined number.
5. See order summary report.
6. This report might not require quite as many access controls as the previous reports. Because it contains corporate totals, this report should be carefully protected to ensure that its information is not exposed to competitors. This report should contain internal footings and controls that are as stringent as the ones contained in the order summary report.

Prospective Customer Activity Report

This report shows activity for people who request catalogues and other sales activity prior to purchasing.

1. The data in the report will vary somewhat depending on the type of information requested. Web site traffic, including hits, stickiness of pages, time per page, and hits on the various pages, will be recorded. Telephone requests for catalogues and information will be recorded. Other summary data, including statistics on catalogues and promotions with response rates, is important to track the effectiveness of marketing materials and programs.
2. This report is primarily used by the marketing and sales staff to track the effectiveness of marketing activities. Using the report, staff members could perform a demographic analysis to determine which types of sales and marketing techniques are most effective for different categories of customers. They could also perform a comparative analysis of the existing customer base versus potential customers.
3. Summary report
4. Bar charts might be an effective technique to show different types of activities; however, much of the data might need to be analyzed directly from the numbers.
5. Sample mock-ups could be developed using drawing or word-processing tools.
6. Although controls are important, they are not as critical in this report as they are in the other reports because this report can be accessed by a broader audience. However, as always, the time period of the data should be carefully identified.

Customer Adjustments Report

This report shows adjustments to customer accounts.

1. A simple version of this report could show only financial adjustments for customer accounts. Data could include dollar adjustment, customer balance before and after, name of the person making the adjustment, and reason for the adjustment. An expanded version of the report could also contain return of merchandise (and the corresponding adjustment).
2. The report is used to track error rates in billing and payment processing.
3. Exception report. Although adjustments need to be made, it is important that adjustment rates do not get too high. High adjustment rates can indicate other problems in the company, such as poor merchandise quality or poor delivery performance.
4. Graphs that compare previous periods with last year’s periods are useful to highlight potential problems.
5. Sample mock-ups could be developed using a test database.
6. No particular controls are required for this report; however, the time period of the data should be carefully noted.

Catalog Activity Report

This report shows data about the utility of the RMO catalogs.

1. Number of catalogs sent, number of people making purchases from the catalog, and number of catalogs not being used. This report is generated for the various promotions and different types of catalogs.
2. The report will help to track catalog expenses and purchases from the catalogs.
3. Summary report. However, the totals are provided by many different details.
4. Because the report contains many different categories and details, drill-down links would allow users to access specific information. Graphics could be used to perform a comparative analysis between time periods or types of promotions.
5. Sample mock-ups could be created using drawing or word-processing tools.
6. No particular controls are required for this report.

Case Study: Focusing on Reliable Pharmaceutical Service

One of the challenges of a pharmaceutical company is keeping current with new drugs and changes to existing drugs. New drugs are continually being developed and approved. In addition, generic drugs are often available to compete with brand-name drugs. One of the services that Reliable provides is to try to find the least expensive alternative to fulfill a prescription. This cost-saving service is one of the marketing advantages that the nursing homes can use to promote their services. Obviously, this service builds tremendous loyalty between Reliable and its customers. To keep current with these changes, Reliable subscribes to an online drug-update service. The service provides updates in several formats, one of which is an XML file.

1. Based on the content of your design class diagrams that you developed in Chapter 11, illustrate a sample XML input file that could be used to update drug information in the Reliable database.

Answers will vary.

2. In earlier chapters, the case description indicated that a case manifest was produced for each patient whenever prescriptions needed to be filled and delivered. Based on the data found in your class diagrams, design a case manifest. Consider that a patient might have multiple prescriptions that are being filled on the same delivery.

Answers will vary.

3. Each month, Reliable produces a statement for each nursing home. The statement lists each patient who received prescriptions during the month. All the filled prescriptions are listed. For each prescription, the following information is listed: the price, the amount billed to the patient’s insurance provider, the amount paid by the insurance provider, and the co-pay amounts due from the patients. Design this monthly statement. Also, identify and highlight output controls that you believe are appropriate for this type of report.

Answers will vary. Output controls should address the need to control document handling and distribution for patient privacy. The output integrity controls on destination, completeness, accuracy, and correctness should be included.

4. In the preceding chapter, you defined an input form to be used to collect orders from the nursing homes. Go back and analyze that input form, and identify all of the input controls that you think are necessary to ensure that the prescriptions are correct. What other procedures or controls would you recommend to make sure that there are no mistakes on the prescriptions?

Answers will vary. Some important points to address include the following:

- Procedures include comparing existing prescriptions and checking the dosageSize and the dosageFrequency against the DrugItem.
- Very stringent user ID and password controls need to be implemented.
- The input integrity controls and database integrity controls on pages 601-603 should be included.
- A transaction log is also mandatory.
