
PLAGIARISM DECLARATION FORM (T-DF)

Instructions
Please complete and attach this Plagiarism Declaration Form to each Assignment that you
submit into the Online Assignment Submission (OAS) system for marking.

I declare that the attached work is entirely my own (or when submitted to meet the requirements
of an approved group assignment is the work of the group), except where materials cited, quoted
or paraphrased are acknowledged in the text. I also declare that this work / assignment has not
been submitted for assessment in any other course or university without due acknowledgement.
I understand that plagiarism, collusion, and copying are grave and serious offences.
I understand that disciplinary action (which may include deduction of marks in the Assignment) will be
taken against me if I am found to be an offender of Assignment plagiarism.
Full name and IC No: NUR HIDAYAH BT MOHD ABU BAKAR
Date: 6/12/2020

Assignment (Asgmt) Declaration Form

Semester/Year: JULY 2020
Student's Name: NUR HIDAYAH BT MOHD ABU BAKAR
Student's ID No: 041170619
Course Code: BAC303/03
Course Title: ACCOUNTING INFORMATION SYSTEMS
Class Code: 4-AIS2
Assignment No: 3
No. of pages of this Assignment (including this page): 10
Tutor: SHAILENDRA SINGH A/L NARANJAN SINGH
Course Coordinator: CHOW LAK KEONG


QUESTION 1

Financial systems are the hub of any establishment, and with the pandemic crisis still ongoing, most companies are facing multiple likelihood of threats that could adversely impact them. Identify and explain TEN (10) controls that can be adopted to counter these negative impacts. (50 marks)

1. Preventive controls proactively attempt to stop undesirable events from happening. They are often expensive and sometimes disruptive to normal business operations. Examples are segregation of duties, authentication and authorisation procedures, and controls over physical and remote assets.

I. Authentication and authorisation, including end-user training so that staff appreciate the philosophy of access control.

II. Physical and remote access control, focusing on remote (Internet, dial-up and wireless) access and on hardening of the systems that accept it.

III. Encryption, including digital signatures and their applications in e-commerce.
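
The preventive controls above (segregation of duties together with authentication and authorisation) are only effective if the application actually enforces them at each step of a transaction. The following is an added example, not code from the assignment or from the WOU course material: a purchase-payment workflow in which a user's role decides which step they may perform, the person who raised a payment can never approve or release it, and payments at or above a threshold need two distinct approvers. The users, roles, permissions and the 10,000 threshold are constructed assumptions.

```python
"""Added example (not from the assignment or the WOU course material): an
authorisation check for a purchase-payment workflow that enforces segregation
of duties. Users, roles, permissions and the dual-approval threshold are
constructed assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Optional


class Action(Enum):
    CREATE = "create"
    APPROVE = "approve"
    PAY = "pay"


# Authorisation: which role may perform which step (assumed role design).
ROLE_PERMISSIONS = {
    "clerk": {Action.CREATE},
    "manager": {Action.CREATE, Action.APPROVE},
    "treasurer": {Action.PAY},
}

# Authentication is assumed to have already happened; this is the identity
# directory the checks consult (constructed sample users).
USERS = {"alice": "clerk", "bob": "manager", "dave": "manager",
         "erin": "manager", "carol": "treasurer"}

# Payments at or above this amount need two distinct approvers (assumption).
DUAL_APPROVAL_THRESHOLD = 10_000


class AuthorisationError(Exception):
    """Raised when a step would violate a permission or segregation-of-duties rule."""


@dataclass
class Payment:
    amount: float
    created_by: str
    approved_by: List[str] = field(default_factory=list)
    paid_by: Optional[str] = None


def authorise(user: str, action: Action, payment: Optional[Payment] = None) -> None:
    """Raise AuthorisationError unless `user` may perform `action` on `payment`.

    Checks, in order: the user is known and their role permits the action;
    nobody approves or pays a payment they created; nobody approves twice;
    large payments carry two approvals before they are paid; and an approver
    never also releases the funds.
    """
    role = USERS.get(user)
    if role is None or action not in ROLE_PERMISSIONS[role]:
        raise AuthorisationError(f"{user} (role {role}) may not {action.value}")
    if payment is None:
        return
    if action in (Action.APPROVE, Action.PAY) and user == payment.created_by:
        raise AuthorisationError(f"{user} created this payment and may not {action.value} it")
    if action is Action.APPROVE and user in payment.approved_by:
        raise AuthorisationError(f"{user} has already approved this payment")
    if action is Action.PAY:
        needed = 2 if payment.amount >= DUAL_APPROVAL_THRESHOLD else 1
        if len(payment.approved_by) < needed:
            raise AuthorisationError(
                f"payment needs {needed} approval(s) but has {len(payment.approved_by)}")
        if user in payment.approved_by:
            raise AuthorisationError(f"{user} approved this payment and may not also pay it")


def create_payment(user: str, amount: float) -> Payment:
    authorise(user, Action.CREATE)
    return Payment(amount=amount, created_by=user)


def approve_payment(user: str, payment: Payment) -> Payment:
    authorise(user, Action.APPROVE, payment)
    payment.approved_by.append(user)
    return payment


def pay_payment(user: str, payment: Payment) -> Payment:
    authorise(user, Action.PAY, payment)
    payment.paid_by = user
    return payment


def attempt(step: Callable, *args) -> str:
    """Run one workflow step; return 'ok' or the reason it was refused."""
    try:
        step(*args)
        return "ok"
    except AuthorisationError as exc:
        return f"refused: {exc}"


if __name__ == "__main__":
    p = create_payment("bob", 25_000)                # a manager raises a large payment
    print(attempt(approve_payment, "bob", p))        # refused: creator may not approve
    print(attempt(approve_payment, "alice", p))      # refused: clerks cannot approve
    print(attempt(approve_payment, "dave", p))       # ok
    print(attempt(pay_payment, "carol", p))          # refused: needs 2 approvals
    print(attempt(approve_payment, "dave", p))       # refused: already approved
    print(attempt(approve_payment, "erin", p))       # ok
    print(attempt(pay_payment, "carol", p))          # ok
```

The point of the example is that the role table alone is not segregation of duties: bob holds the approve permission, yet the rule "nobody approves what they created" is what stops him approving his own payment. In a real AIS the same checks would sit in the server-side transaction logic, and every refusal would be written to the audit log so that the detective controls described next can see repeated attempts.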

2. Detective controls reactively identify improper activities. Examples are monitoring (by log analysis and intrusion detection systems), reconciliation, audit, and inventory stock counts. Detective controls describe any security measure or solution that is implemented to detect and alert on unwanted or unauthorised activity, either while it is in progress or after it has occurred. Physical examples include alarms or notifications from physical sensors (door alarms, fire alarms) that alert guards, police, or system administrators. Honeypots and IDSs are examples of technical detective controls.

I. Log analysis: access and activity log data are gathered and analysed regularly (at least daily). These analyses may reveal attempts to access applications and data files. Some log management applications provide rule-based mechanisms that alert security officers or auditors to suspicious activity, and text-based mechanisms that alert on the presence of particular text strings in the log.

II. Intrusion detection systems (IDS): most IDSs follow one of two basic approaches: (a) signature-based; and (b) anomaly-based. In the former case, the system holds a set of specific attack patterns (attack signatures) and compares them with the traffic or activities recorded in log files. Anomaly-based systems try to identify unusual or abnormal behaviour, usually by statistical methods; they can flag activity for which no signature exists yet, at the cost of more false positives.

III. Managerial reports: for IT-related processes, Romney and Steinbart recommend applying the 34 control objectives designed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) to managerial reports.
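
The two detective mechanisms under I and II can be shown working on actual log lines. The following is an added example, not code from the assignment or its sources: it parses a constructed set of key=value access-log lines from a hypothetical AIS, applies signature-based rules (text-string matches plus a failed-login burst rule) and anomaly-based checks (a leave-one-out z-score on each user's query volumes, and logins from a source address the user has never used before). The log format, the rule set and the thresholds are assumptions.

```python
"""Added example (not from the assignment or its sources): a small log analyser
that applies signature-based and anomaly-based detection to constructed
key=value access-log lines from a hypothetical AIS. Log format, rule set and
thresholds are assumptions."""
import re
import statistics
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data). Timestamps are ISO 8601.
SAMPLE_LOGS = """\
2020-12-06T08:01:10 user=alice src=10.0.0.5 action=login result=success
2020-12-06T08:02:30 user=alice src=10.0.0.5 action=query table=invoices rows=120
2020-12-06T08:45:00 user=alice src=10.0.0.5 action=query table=invoices rows=95
2020-12-06T09:10:00 user=alice src=10.0.0.5 action=query table=invoices rows=110
2020-12-06T10:00:01 user=bob src=198.51.100.7 action=login result=failure
2020-12-06T10:00:08 user=bob src=198.51.100.7 action=login result=failure
2020-12-06T10:00:15 user=bob src=198.51.100.7 action=login result=failure
2020-12-06T10:00:22 user=bob src=198.51.100.7 action=login result=failure
2020-12-06T10:00:29 user=bob src=198.51.100.7 action=login result=failure
2020-12-06T10:00:50 user=bob src=198.51.100.7 action=login result=success
2020-12-06T10:05:00 user=bob src=198.51.100.7 action=query table=vendor_bank_accounts rows=3
2020-12-06T23:30:00 user=alice src=203.0.113.9 action=login result=success
2020-12-06T23:31:00 user=alice src=203.0.113.9 action=query table=invoices rows=9000
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line: str) -> dict:
    """Turn 'timestamp key=value ...' into a dict; keeps the raw line for text matching."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    event = dict(kv.split("=", 1) for kv in m.group("kv").split())
    event["ts"] = datetime.fromisoformat(m.group("ts"))
    event["raw"] = line.strip()
    return event


# --- Signature-based: known-bad patterns as text-string matches on the raw line.
SIGNATURES = [
    ("sensitive_table_access", re.compile(r"\btable=vendor_bank_accounts\b")),
    ("privilege_change", re.compile(r"\baction=grant_role\b")),
]
FAILURE_BURST = 5                        # this many failed logins ...
FAILURE_WINDOW = timedelta(seconds=60)   # ... from one source within this window


def signature_alerts(events: list) -> list:
    """Return (rule, time, subject) tuples for every signature or burst-rule hit."""
    alerts = []
    recent_failures = defaultdict(deque)   # src address -> timestamps of recent failures
    for ev in events:
        for name, pattern in SIGNATURES:
            if pattern.search(ev["raw"]):
                alerts.append((name, ev["ts"], ev["user"]))
        if ev.get("action") == "login" and ev.get("result") == "failure":
            window = recent_failures[ev["src"]]
            window.append(ev["ts"])
            while ev["ts"] - window[0] > FAILURE_WINDOW:   # drop failures outside the window
                window.popleft()
            if len(window) == FAILURE_BURST:   # fire once, when the threshold is first reached
                alerts.append(("failed_login_burst", ev["ts"], ev["src"]))
    return alerts


# --- Anomaly-based: no fixed pattern; flag departures from each user's own history.
Z_THRESHOLD = 3.0   # standard deviations above the user's other query volumes
MIN_HISTORY = 3     # need at least this many other samples before judging one


def anomaly_alerts(events: list) -> list:
    alerts = []
    rows_by_user = defaultdict(list)
    for ev in events:
        if ev.get("action") == "query":
            rows_by_user[ev["user"]].append((ev["ts"], int(ev["rows"])))
    # (a) Query volume far above the rest of that user's queries (leave-one-out
    #     z-score, so one huge export does not inflate its own baseline).
    for user, samples in rows_by_user.items():
        for i, (ts, rows) in enumerate(samples):
            others = [r for j, (_, r) in enumerate(samples) if j != i]
            if len(others) < MIN_HISTORY:
                continue
            mean, sd = statistics.mean(others), statistics.pstdev(others)
            if sd > 0 and (rows - mean) / sd > Z_THRESHOLD:
                alerts.append(("unusual_query_volume", ts, user))
    # (b) Successful login from a source address the user has never used before.
    seen_src = defaultdict(set)
    for ev in events:
        if ev.get("action") == "login" and ev.get("result") == "success":
            if seen_src[ev["user"]] and ev["src"] not in seen_src[ev["user"]]:
                alerts.append(("new_source_address", ev["ts"], ev["user"]))
            seen_src[ev["user"]].add(ev["src"])
    return alerts


def analyse(log_text: str) -> list:
    """Parse the log, sort by time, and return alerts from both approaches in time order."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    return sorted(signature_alerts(events) + anomaly_alerts(events), key=lambda a: a[1])


if __name__ == "__main__":
    for name, ts, subject in analyse(SAMPLE_LOGS):
        print(f"{ts.isoformat()}  {name:24s}  {subject}")
```

On the sample the signature rules catch the password-guessing burst against bob and the read of the vendor bank-account table, both of which a rule writer anticipated; the anomaly checks catch alice's late-night login from a new address and the 9,000-row export, for which no signature existed. Run daily over the previous day's log, as the text recommends, the leave-one-out baseline should be replaced by a longer history per user, otherwise a few large legitimate month-end queries will raise the threshold and mask an export of the same size.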

3. Directive controls foster proper behaviour that supports the firm's strategic risk objectives. Directive controls are actions taken to cause or encourage a desirable event to occur. They are broad in nature and apply to all situations. Examples are organisation structure, policies, procedures, management directives, guidance statements, and the determination of access rights.

4. Corrective controls ensure improper actions are corrected. Examples are computer emergency response teams and patch management. Corrective controls include any measures taken to repair damage or restore resources and capabilities to their prior state following an unauthorised or unwanted activity. Examples of technical corrective controls include patching a system, quarantining a virus, terminating a process, or rebooting a system. Putting an incident response plan into action is an example of an administrative corrective control.

5. Information processing controls are involved in the development, maintenance and access of software systems, as well as in controlling the processing of individual applications to help ensure that all transactions are valid, properly authorised, and accurately processed. Firewalls and virus detection tools, user authentication and intrusion detection belong in this category.

6. Physical controls restrict physical access to, and use of, PCs, workstations and other assets. Common controls include door locks and security guards. Physical controls describe anything tangible that is used to prevent or detect unauthorised access to physical areas, systems, or assets. This includes fences, gates, guards, security badges and access cards, biometric access controls, security lighting, CCTV and surveillance cameras, motion sensors, fire suppression, as well as environmental controls such as HVAC and humidity controls.


7. Management controls typically follow the principle of segregation of duties: no single person should be able to initiate, authorise, record and reconcile the same transaction, so that committing a fraud or concealing an error requires collusion.

8. Technical controls (also known as logical controls) include hardware or software mechanisms used to protect assets. Some common examples are authentication solutions, firewalls, antivirus software, intrusion detection systems (IDSs), intrusion prevention systems (IPSs), constrained interfaces, access control lists (ACLs) and encryption measures.

9. Administrative controls refer to policies, procedures, or guidelines that define personnel or business practices in accordance with the organisation's security goals. These can apply to employee hiring and termination, equipment and Internet usage, physical access to facilities, separation of duties, data classification, and auditing. Security awareness training for employees also falls under the umbrella of administrative controls.

QUESTION 2

Explain FIVE (5) course of actions to mitigate risks in the financial sector during this crisis. (30 marks)

The first of five courses of action to mitigate risks in the financial sector during this pandemic crisis is a readiness assessment. A readiness assessment is a good place to start when organisations do not know what their business continuity programme should comprise. Industry and role readiness templates, as well as pandemic-specific templates, allow an organisation to evaluate its business continuity programme against a best-practice standard and identify where gaps may exist. These readiness libraries break standards and best practices down into actionable pieces so that organisations can track progress and adherence. As an example, a company can select just 10 to 25 questions from these standards and push them out to all managers enterprise-wide, or to a subset of front-line managers in sales, marketing, service, finance, HR and other functions, to learn their state of preparedness on any risk management topic.

The second action is a risk management plan. All organisations should complete a risk assessment of their core business processes to identify and prioritise any new risks, or gaps in their existing controls, for new scenarios such as a pandemic, a recession, or geopolitical risks. First-level managers on the front line, when prompted with these risks, are in the best position to assess how the scenarios will affect their areas of responsibility. As an example, a number of risk events could trigger the need to work off-site during a pandemic. These external risk factors should be assessed and prioritised. Ask participants to list what could go wrong and what needs to happen. The idea of risk management planning is that one readiness assessment can serve many different kinds of scenario, so that the organisation will always be ready regardless of which scenario comes to pass.

The third action is a business impact analysis. Not all risks within an organisation's processes or functions should be treated the same way. A business impact analysis allows the organisation to identify which parts of the business are most critical to its operations. The results are used to decide which parts of the organisation to prioritise during a business continuity event in order to maintain operations. As an example, transitioning physical events and customer meetings into digital equivalents can achieve social distancing while still sustaining revenue generation.

The fourth action is policy management. As the pandemic evolves and new information arises, policies will need to be revisited, updated and communicated. For example, reviewing and revising a work-from-home policy will be effective only if the revised policy is disseminated with governance tracking of its adoption across the organisation. As an example, a review of the activities that lead to sales will show whether any sales representatives are struggling under the new arrangements. The resulting policy changes then need to be escalated to the right committee in the organisation, pushed back out to all employees, and re-acknowledged by them for people-operations compliance. Recording the context of how the requirement surfaced and when the policy was changed, together with evidence of acknowledgement by employees, will protect the organisation from unintended compliance liabilities.


The fifth action is incident management. Incident management is typically a highly siloed activity embedded within a single process. In times of change management, a unified enterprise-wide mechanism is needed, both as an input for evaluating the effectiveness of mitigation and policy activities and for managing the exceptions, which typically make up 20% of all activities. As an example, this includes requests such as needing equipment (a monitor, keyboard or headset) to work effectively from home, obtaining manager approval, and finding a way to make the equipment available. It is critical that these incident management issues can be routed through a workflow from the individual who reports them to the chain of people who need to take action, and that this tracking and follow-up is recorded and reported. These incident escalations cannot be siloed within one department's system; they need an enterprise-wide resource and response management platform that ties back to each of the other four actions.

QUESTION 3

Illustrate the process work flows in an accounts receivable section of the Accounting Department via a simple process flow diagram. It is compulsory to include all necessary pertinent processes, process flows and corresponding labels in your diagram. (20 marks)

REFERENCES

I. https://conserve.com.au/risk-control-measures-in-workplace/
II. https://www.ashconversions.com/services/accounts-receivable-workflow-automation/
III. https://www.ukessays.com/essays/business/risks-and-threats-of-accounting-information-system.php
IV. Wawasan Open University course material for Accounting Information Systems (BAC303/03)
