ACC 3303 exam 2

Description: chapters 8, 10, 11, 12, 13

Last updated 1:28 PM on 5/12/26

144 Terms

1
common threats to AIS

  1. natural disasters and terrorist threats

  2. software errors/ equipment malfunction

  3. unintentional acts

  4. intentional acts

2
fraud

  • gaining an unfair advantage over another person; legally, all of the following must be present:

    • a false statement, representation, or disclosure

    • a material fact that induces a person to act

    • an intent to deceive

    • a justifiable reliance on the fraudulent fact, on which the victim takes action

    • an injury or loss suffered by the victim

  • individuals who commit fraud are referred to as white-collar criminals

3
corruption

  • dishonest conduct by those in power; involves immoral or unethical actions

4
sabotage

  • an intentional act meant to destroy a system or its components

5
cookie

  • text file created by a website and stored on a visitor’s computer that tells who the user is and what they have done

6
investment fraud

  • misrepresenting or omitting facts to promote an investment that promises fantastic profits with little or no risk

7
computer fraud

  • any type of fraud that requires computer technology to perpetrate

8
white-collar criminals

  • business people who commit fraud by resorting to trickery; their crimes usually involve a violation of trust or confidence

9
fraudulent financial reporting

  • intentional or reckless conduct that results in materially misleading financial statements

    • deceive investors or creditors

    • increase a company’s stock price

    • meet cash flow needs

    • hide company losses or other problems

10
misappropriation of assets

  • theft of a company’s assets

  • personal gains and/or damage the company

  • perpetrators: gain trust/confidence; the scheme is self-perpetuating; they grow careless over time

  • most significant contributing factor is a lack of internal controls and/or failure to enforce them

11
treadway commission actions to reduce fraud

  • establish environment which supports the integrity of the financial reporting process

  • identification of factors that lead to fraud

  • assess the risk of fraud within the company

  • design and implement internal controls to provide assurance that fraud is being prevented

12
misappropriation of assets vs fraudulent financial reporting

  • misappropriations occur more frequently, but fraudulent financial reporting has a much larger financial impact

13
SAS No. 99 - standards expected of the auditor

  • understand fraud

  • discuss the risks of material fraudulent misstatements

  • obtain information

  • identify, assess and respond to risks

  • evaluate the results of audit tests

  • document and communicate findings

  • incorporate a technology focus

14
fraud triangle

  • pressure

  • opportunity

  • rationalization

15
fraud triangle: pressure

  • motivation or incentive to commit fraud

  • employee pressures

    • financial

    • emotional

    • lifestyle

  • financial statement fraud pressures

    • industry conditions

    • management characteristics

16
fraud triangle: opportunity

  • condition or situation that allows a person or organization to:

    • commit the fraud

    • conceal the fraud

    • convert the theft or misrepresentation to personal gain

17
lapping

  • concealing theft of cash by delaying the posting of A/R collections

  • within the company

18
check kiting

  • creating cash using the lag between the time a check is deposited and the time it clears the bank

  • with a bank

19
fraud triangle: rationalization

  • justification of illegal behavior

  • justification

    • “I am not being dishonest”

  • attitude

    • “I don’t need to be honest”

  • lack of personal integrity

    • theft is valued higher than honesty or integrity

20
types of computer fraud: input fraud

  • alter or falsify input

21
types of computer fraud: processor fraud

  • unauthorized system use

22
types of computer fraud: computer instructions fraud

  • tampering with software

23
types of computer fraud: data fraud

  • illegally using, copying or harming company data

24
types of computer fraud: output fraud

  • theft of printed or displayed output

25
_____ can be used to help prevent and detect fraud

  • data analytics

26
primary objective of AIS

  • control the organization so the organization can achieve its objectives

    • provide a framework for how information/data flows within a company and related parties

  • management expects accountants

    • take a proactive approach to eliminating system threats

    • detect, correct, and recover from threats when they occur

27
threat

  • any potential adverse occurrence

28
exposure/impact

  • potential dollar loss if that threat occurs

29
risk/likelihood

  • probability that the threat will happen

30
internal controls

  • processes implemented to provide reasonable assurance that objectives are achieved

31
internal control: operational

  • safeguard assets

  • maintain sufficient records

  • provide accurate and reliable information

32
internal control: reporting

  • promote and improve operational efficiency

  • prepare financial reports according to established criteria

33
internal controls: compliance

  • encourage adherence with management policies

  • comply with laws and regulations

34
general controls

  • ensure the organization’s control environment is stable and well managed (IT infrastructure, software acquisition, development, and maintenance)

35
application controls

  • prevent, detect & correct transaction errors and fraud

  • concerned with the accuracy, completeness, validity, and authorization of the data captured, entered, processed, stored, transmitted, and reported

36
preventive controls

  • deter problems from occurring

  • password security, segregation of duties, endorse checks immediately

  • P > D + C (time-based model of security: preventive controls must hold an attacker longer than the time needed to detect and correct the intrusion)

37
detective controls

  • discover problems that are not prevented

  • checking calculations, bank reconciliations, three-way match

38
corrective controls

  • identify and correct problems that were not prevented, then recover from them

  • file backups, correcting data entry errors, quality control teams, thermostats, insurance

39
foreign corrupt practices vs SOX

  • FCPA - 1977

    • prevents companies from bribing foreign officials to obtain business

    • uses AICPA language, with a focus on maintaining a good system of internal controls

  • SOX - 2002

    • most significant accounting-based legislation in recent history

    • aimed at financial statement fraud

    • strengthens internal controls

    • punishment for fraudulent actions

40
public company accounting oversight board

  • controls the auditing profession

  • sets and enforces auditing, quality control, ethics, independence, and other auditing standards

41
SOX: auditors

  • must report specific information to the company’s audit committee

42
SOX: audit committees

  • must be on the company’s board of directors and be independent of the company

  • hires, compensates, and oversees the auditors, who report directly to them

43
SOX: management

  • certifies that the financial statements and disclosures are fairly presented, have been reviewed, and are not misleading

  • auditors were informed of all material internal control weaknesses and fraud

44
SOX: control requirements

  • companies issue a report stating that management is responsible for establishing and maintaining an adequate system of internal control

45
COBIT

  • framework for IT control

46
COSO

  • framework for enterprise internal controls

  • widely accepted

  • provide guidance for evaluation of controls

  • financial statements representations related to IC

47
COSO: control environment (most important)

  • management’s philosophy, operating style and risk appetite

    • tone is set at the top

  • commitment to integrity, ethical values, and competence

  • internal control oversight by board of directors

  • organizational structure

  • methods of assigning authority and responsibility

  • HR standards

48
COSO: risk assessment

  • must identify, analyze, and manage its risks

  • risk is assessed from two perspectives

    • likelihood: probability that the event will occur

    • impact: estimate potential loss if event occurs

  • types of risk

    • inherent: risk that exists before plans are made to control it (earthquakes, theft, accidents)

    • residual: risk that is left over after you implement internal controls (cost-benefit analysis)

49
risk response

  • reduce: implement effective internal controls

  • accept: do nothing, accept likelihood and impact of risk

  • share: buy insurance, outsource/sub-contract, or hedge

  • avoid: do not engage in risky activity

50
COSO: control activities

  • policies and procedures that help ensure that management’s directives to mitigate risk are carried out

  • built into each transaction process cycle

  • manual or automated

    • reconcile bank account

    • approve customer credit

    • separate cash receipts from posting to accounts

51
control activities: high level internal controls (SCALP)

  • segregation of duties

  • compare documents

  • adequate records

  • limited access

  • proper approvals

52
SCALP: segregation of duties

  • one employee should not be able to commit and conceal fraud or make undetected errors

  • collusion between two or more people circumvents good controls

53
SCALP: comparison

  • documents from appropriate sources

  • controls: mistakes, customer satisfaction, limits improper behavior

54
SCALP: adequate records

  • garbage in…garbage out

  • encourage data entry controls

  • avoid incomplete orders

55
SCALP: limited access

  • we should safeguard

    • cash

    • inventory

    • supplies

    • records

56
SCALP: proper approvals

  • specific part of SoD

  • set materiality levels

    • balancing risks vs empowerment

    • cannot approve all transactions

57
COSO: information and communication

  • capture and exchange the information needed to conduct, manage, and control the organization’s operations

  • obtain or generate relevant, high quality information to support internal controls

  • internally communicate information

  • communicate relevant internal control matters to external parties (auditors)

58
COSO: monitoring

  • evaluate internal controls periodically

  • supervision

    • training employees

    • oversight of employees

    • feedback

  • risk analysis and management software packages

    • transaction log and review

  • mobile devices

    • who has them, what are they used for, are they secure

  • periodic audits

59
evaluate internal controls

  • critical thinking → essential

  • think like a criminal

    • how can you steal cash or assets and not be caught

    • how can you post fraudulent accounting entries without being caught

  • think like an auditor

    • how is a mistake or error detected

    • professional skepticism

60
trust service framework

  • security: access to the system and data is controlled and restricted to legitimate users

  • confidentiality: sensitive organizational data is protected

  • privacy: personal information about trading partners, investors, and employees is protected

  • processing integrity: data are processed accurately, completely, in a timely manner, and only with proper authorization

  • availability: system and information are available

61
security life cycle

  • assess threats & select risk response

  • develop and communicate policy

  • acquire & implement solutions

  • monitor performance

62
people

  • people are the critical factor

  • can be your “weakest link” or an important asset

63
preventive process: physical security

  • physical security access controls

  • limit entry to building

  • restrict access to network and data

64
preventive process: user access controls

  • authentication: verifies who the person is, using one or more of:

    • something the person knows (password, PIN)

    • something the person has (token, phone)

    • some biometric characteristic (fingerprint, face)

  • multifactor: two or more different types in combination (think Duo: password plus phone)

  • multimodal: two or more credentials of the same type (facial recognition with fingerprint)

  • authorization: determines what an authenticated person can access

65
preventive process: IT solutions

  • antimalware controls

  • network access controls

  • device and software hardening controls

  • encryption

66
detective: log analysis

  • examining logs to identify evidence of possible attacks
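Log analysis in practice means parsing the records and looking for patterns that single entries do not reveal. The following Python is an added example (not from the flashcards or any textbook); it runs a brute-force-login detector over constructed, sshd-style log lines. The log lines, IP addresses, usernames, and the threshold of four failures within five minutes are all made up for illustration.

```python
"""Log analysis: flag brute-force login attempts in constructed auth-log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (sshd-style format, made-up hosts and users).
# 203.0.113.7 fails five times in a few seconds and then succeeds as jsmith;
# 198.51.100.20 fails twice, two hours apart (normal user error).
SAMPLE_LOG = """\
2026-05-01T09:00:01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51022
2026-05-01T09:00:03 sshd[1201]: Failed password for admin from 203.0.113.7 port 51023
2026-05-01T09:00:04 sshd[1201]: Failed password for root from 203.0.113.7 port 51024
2026-05-01T09:00:06 sshd[1201]: Failed password for admin from 203.0.113.7 port 51025
2026-05-01T09:00:08 sshd[1201]: Failed password for jsmith from 203.0.113.7 port 51026
2026-05-01T09:00:09 sshd[1201]: Accepted password for jsmith from 203.0.113.7 port 51027
2026-05-01T09:15:00 sshd[1340]: Failed password for jsmith from 198.51.100.20 port 40001
2026-05-01T11:15:00 sshd[1390]: Failed password for jsmith from 198.51.100.20 port 40002
2026-05-01T09:20:00 sshd[1355]: Accepted password for mlee from 192.0.2.44 port 60010
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+$"
)


def parse(log_text):
    """Turn raw lines into structured events; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_bruteforce(events, threshold=4, window=timedelta(minutes=5)):
    """Return {ip: details} for every source IP with >= threshold failed logins
    inside a sliding time window. Also records whether the same IP later
    logged in successfully, which turns a noisy alert into a likely compromise."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_ip[ev["ip"]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["result"] == "Failed"]
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until it fits within `window`.
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                first_fail = failures[start]["ts"]
                alerts[ip] = {
                    "failures": len(failures),
                    "users": sorted({e["user"] for e in failures}),
                    "success_after": any(
                        e["result"] == "Accepted" and e["ts"] >= first_fail for e in evs
                    ),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse(SAMPLE_LOG)).items():
        print(ip, info)
```

Only the burst from 203.0.113.7 is flagged; the two spaced-out failures from 198.51.100.20 fall outside the window and stay quiet. The `success_after` flag is the part worth acting on, since a success right after a burst of failures is the signature of a guessed password.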

67
detective: intrusion detection system (IDS)

  • system that creates logs of network traffic that was permitted to pass the firewall and then analyzes those logs for signs of attempted or successful intrusions

68
detective: honeypots

  • a decoy system used to provide early warning that an insider or outsider is attempting to search for confidential information

69
detective: continuous monitoring

  • ongoing checks of employee compliance with the organization’s information security policies and of the overall performance of business processes

70
respond/correct

  • computer incident response team (CIRT)

  • chief information security officer (CISO)

71
correct: penetration test

  • an authorized attempt to break into the organization’s information system

72
correct: change control and change management

  • the formal process used to ensure that modifications to hardware, software, or processes do not reduce systems reliability

73
P > D + C

  • time-based model of security: the time preventive controls hold an attacker (P) must exceed the time to detect (D) plus the time to correct (C)

  • preventive: physical security, process controls, IT solutions

  • detective: log analysis, intrusion detection, honeypots, continuous monitoring

  • corrective: computer incident response team (CIRT), chief information security officer (CISO)

74
demilitarized zone

  • subnetwork accessible from the internet but separate from the organization’s internal network

75
deep packet inspection

  • firewall technique that filters traffic by examining not just packet header information but also the contents of a packet

76
router

  • device that uses the Internet Protocol (IP) to forward packets between networks

77
firewall

  • device that provides perimeter security by filtering packets

78
hardening

  • improving security by removing or disabling unnecessary programs and features

79
border router

  • device that connects the organization to the internet

80
patch management

  • process of applying code supplied by a vendor to fix a problem in that vendor’s software

81
confidentiality vs privacy

  • confidentiality: company/organization proprietary information

    • customer lists, business plans, engineering drawings, financial data, stock price sensitive info

    • internal policy and protection

  • privacy: customer and third-party sensitive data/information

    • name & address, social security, account number, medical records and history, legal matters

    • legal requirements to protect; law

82
protecting confidentiality and privacy

  • identify and classify information (company starts here)

    • owner of that info manages it

  • encryption

  • access control

  • training

83
protecting information

  • policies and procedures: where is data stored; training

  • authentication and authorization: who can access company data; where can they move within the system

  • encrypt stored and transmitted data: limitations include authentication strength

  • output/printed information: remove or disguise private data; mark information as confidential/restricted use

84
information rights management software

  • who has access to specific files/documents

  • what type of access (read only, download, etc)

85
data masking/tokenization

  • replaces real data with fake values (masking is one-way; tokenization keeps a separate, protected mapping back to the real value)

  • used so system/software testing can run on realistic-looking data without exposing the real data
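The difference between masking and tokenization is easiest to see in code. This Python is an added example, not part of the flashcards or any textbook: the customer record, field names, and formats are constructed. Masking the SSN is irreversible; the account number is tokenized through a vault that keeps the only mapping back to the real value, and the token preserves length and character class so format validation in the software under test still passes.

```python
"""Data masking vs tokenization of a customer record for a test environment."""
import re
import secrets
import string

# Constructed sample record; every value is made up.
SAMPLE_RECORD = {
    "customer_id": 1042,
    "name": "Jane Q. Public",
    "ssn": "123-45-6789",
    "account_number": "4000123456789010",
    "balance": 2519.40,
}


def mask_ssn(ssn: str) -> str:
    """Irreversible masking: keep the format and the last four digits only."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("expected a 9-digit SSN")
    return f"***-**-{digits[-4:]}"


class TokenVault:
    """Reversible tokenization. The vault holds the only mapping back to real
    values and stays in production; the test copy only ever sees tokens."""

    def __init__(self):
        self._token_for = {}
        self._value_for = {}

    def tokenize(self, value: str) -> str:
        # The same real value always maps to the same token, so joins between
        # tables and duplicate checks in the test system still behave realistically.
        if value in self._token_for:
            return self._token_for[value]
        while True:
            # Format-preserving: digits stay digits, letters keep their case,
            # punctuation and spacing are untouched, length is unchanged.
            token = "".join(
                secrets.choice(string.digits) if ch.isdigit()
                else secrets.choice(string.ascii_uppercase) if ch.isupper()
                else secrets.choice(string.ascii_lowercase) if ch.isalpha()
                else ch
                for ch in value
            )
            if token != value and token not in self._value_for:
                break
        self._token_for[value] = token
        self._value_for[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._value_for[token]


def make_test_copy(record: dict, vault: TokenVault) -> dict:
    """Return a copy safe for testing: identifiers tokenized, SSN masked,
    non-sensitive fields kept so business logic can still be exercised."""
    return {
        "customer_id": record["customer_id"],
        "name": vault.tokenize(record["name"]),
        "ssn": mask_ssn(record["ssn"]),
        "account_number": vault.tokenize(record["account_number"]),
        "balance": record["balance"],
    }


if __name__ == "__main__":
    vault = TokenVault()
    print(make_test_copy(SAMPLE_RECORD, vault))
```

Tokens come from `secrets`, so a token reveals nothing about the real value; the weak point is the vault itself, which is why it must never be copied into the test environment along with the data.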

86
digital watermark

  • allows companies to determine if confidential information has been disclosed outside the company guidelines

87
data loss prevention software

  • controls and monitors downloads of data and outbound transmissions

  • assume employee/third party is inside the company firewall

  • looks for abnormal behavior through monitoring all the data movement within the network

  • blocks outgoing messages containing intellectual property

88
proper disposal

  • shred/burn documents

  • destroy data

  • include backups and copies

89
GDPR

  • European Union’s General Data Protection Regulation

  • affects any organization that collects and stores EU residents’ information

  • regulates how EU residents’ information can be stored, accessed, and used

90
FERPA

  • Family Educational Rights and Privacy Act

  • protects privacy of student education records

91
generally accepted privacy principles (GAPP)

  • set of policies and procedures need to be established at the company level

  • customers should be notified of company privacy policies

  • choices of collection and use of customer information should be made available to customers (opt-in vs opt-out)

  • only collect information necessary; cookies store info about user and what they’ve done on the site

  • use, retention and disposal of customer information should follow company privacy policies

  • access for customers to their own information

  • disclosure to 3rd parties

  • security

  • quality of customer information

  • monitoring and enforcement - are employees following privacy policies

92
encryption

  • process of transforming normal text, plaintext or cleartext, into unreadable gibberish, called ciphertext

  • preventive control

  • decryption reverses this process

  • to encrypt and decrypt, both need a key and an algorithm

93
symmetric encryption

  • use the same key to encrypt and decrypt

  • pro

    • much faster than asymmetric encryption

  • con

    • both parties need to know the secret key (how do you share)

    • unique keys for each partner set: 1000 customers = 1000 keys

    • either party can change the text: can’t assign responsibility

94
asymmetric encryption

  • uses two keys

    • public: publicly available

    • private: kept secret and known only to the owner of that pair of keys

  • either key can be used to encrypt

  • the other key must be used to decrypt

  • pro

    • solves problem of communicating symmetric key

    • public key can be shared openly: email or web

    • private key creates digital signatures

  • con

    • much slower than symmetric

95
virtual private network

  • create encrypted tunnel between devices

96
hashing

  • takes plaintext of any length and transforms it into a short, fixed-length code called a hash (message digest)

  • not encryption: it is one-way and cannot be reversed to recover the plaintext

  • the hash is a fingerprint of the document; signing that hash with the sender’s private key produces a digital signature

  • allows the recipient to test the integrity of a document being sent/received

  • if any part of the document changes, the hash changes completely, so tampering is very noticeable

97
digital signatures require

  • asymmetric encryption and hashing

98
digital certificates

  • electronic document, created and digitally signed by a trusted third party

  • certifies the identity of the owner of a particular public key

  • contains the party’s public key

  • issued by certificate authorities

99
blockchain

  • distributed ledger of hashed records, with copies stored on multiple computers

  • can’t be altered by any one entity

  • nonce: random number used in the mining process to validate a new block in a blockchain

100
nonrepudiation

  • inability to unilaterally deny having created a document or file or having agreed to perform a transaction