
Question 1.

Based on this case, identify scenarios where the unauthorised changes to the
mailing address were a result of internal data breaches and external data breaches. What
internal controls could have prevented these data breaches? What internal controls could
have detected these data breaches?

The first question has three parts. The first part asks us, based on this case, to identify
scenarios where the unauthorised changes to the mailing address were a result of internal
data breaches and external data breaches.

a) The first part has three scenarios. The first scenario is when the National Malaysian
Bank received an email complaint from one of its card holders. The card holder,
Yasmin Tan, stated that she did not receive the hard copy of her credit card
statement for the month of February 2018. When she called the bank, she was told that
her mailing address was different from where she lives. The address for her National
Malaysian Bank account was not changed along with her mailing address. Hence, we can
see that this is the result of internal data breaches and external data breaches,
because Yasmin Tan herself is suspicious of this situation: her mailing address was
changed to an address located in East Malaysia, where she said that she does not have
any business dealings and which she has not visited.

b) The next scenario is when the bank's information technology team produced an exception
report for Adam. What is an exception report? An exception report is a document
that states those instances in which actual performance deviated significantly from
expectations, usually in a negative way. Johan, the internal audit manager,
suggested that Adam, the manager of credit card services, perform a check of the
credit card customer database. The result showed that there were 80 different
customers whose credit card account mailing address differed from the mailing
address of their other bank accounts, which is the situation faced by Yasmin
Tan. One of the mailing addresses linked to these customers is the Eden
Healing Spa, which is the address mentioned by Yasmin in her email. Hence,
we can see that this is the result of internal data breaches and external data
breaches, because none of those mailing address changes were evidenced by
either a completed change in personal details form or a proof of identity document,
which means that the policies and procedures for change of address requests were not
followed.

c) The last scenario is when Johan found out that the Eden Healing Spa address
matches the home address of a former employee. The former employee had
previously spent two years in the bank's credit card services department, processing
credit card applications. The former employee was a close friend of another data
entry clerk who was currently responsible for keying in changes in customers'
personal details. Hence, this is the result of internal data breaches and external data
breaches, because there is the possibility of collusion between the former
employee and the data entry clerk due to the two positions they held.

Moving on to the second part of this question: what internal controls could
have prevented these data breaches? The internal controls are, first,
authorisation and, second, security of access.

a) Authorization
Authorization is the power granted to an employee to perform a task. For example,
management will authorise employees to perform certain transactions within limited
areas. In this case, for the bank to change a customer's personal details
such as the mailing address, after receiving an original identity document as proof of
her or his identity, the change of personal details form must be authorised by authorised
personnel. This is to avoid data breaches by irresponsible employees.

b) Security of access
Security of access means restricting access to the bank, equipment, inventories,
securities, cash and other assets. For example, only those authorised are given access to
the bank. In this case, in order to prevent data breaches, only certain
employees are allowed to have access to the bank's data and information. This is why
Adam immediately assigned the data entry clerk to a less data-sensitive task for the
next month, because the data entry clerk is suspected of having breached internal
data and external data.

Next is the third part of this question: what internal controls could have
detected these data breaches? There are two points here.

a) Reconciliation
Reconciliation is where an employee relates different sets of data to one
another, identifies and investigates differences, and takes corrective action when
necessary. In this case, the National Malaysian Bank carried out the
credit card customer database checking and found differences in the
information of 80 different customers. Based on the data and
information detected, the bank has taken the necessary action to avoid this kind of
situation happening in the future.

b) Audits
Audit is an official inspection of an organization's accounts, typically by an independent
body. In this case, the bank can detect data breaches through internal
audit and external audit, but more through internal audit, because external audit is
incidentally concerned with the prevention and detection of fraud in general, but is
directly concerned when financial statements may be materially affected, whereas
internal audit is directly involved with the prevention and detection of fraud in any form or
extent in any activity reviewed. By having an internal audit function in the bank, they
will be able to detect any fraud that occurs in the bank.
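
The exception report and reconciliation described in this answer, sketched as an added example (not part of the original answer or the bank's system). It compares each customer's credit card mailing address with the address on their other accounts, then flags changes with no supporting form, addresses shared by several customers, and addresses matching staff records. All customer IDs, street addresses and record layouts are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data; customer IDs and street addresses are invented.
CARD_ADDR = {   # credit card system: customer -> card mailing address
    "C001": "Eden Healing Spa, 1 Example Road, East Malaysia",
    "C002": "Eden Healing Spa,  1 example road, East Malaysia",
    "C003": "8 Sample Lane, Kuala Lumpur",
    "C004": "5 Demo Street, Penang",
}
BANK_ADDR = {   # other bank accounts: customer -> address on file
    "C001": "22 Test Avenue, Kuala Lumpur",
    "C002": "9 Mock Close, Johor Bahru",
    "C003": "3 Old Road, Ipoh",
    "C004": "5 Demo Street, Penang",
}
CHANGE_FORMS = {"C003"}   # customers with an authorised change form and ID proof on file
STAFF_ADDR = {"former-employee-1": "Eden Healing Spa, 1 Example Road, East Malaysia"}

def norm(addr):
    """Fold case, commas and spacing so formatting differences do not hide a match."""
    return " ".join(addr.lower().replace(",", " ").split())

def exception_report(card_addr, bank_addr, change_forms):
    """List customers whose card address differs from their other accounts."""
    rows = []
    for cid, addr in sorted(card_addr.items()):
        if cid in bank_addr and norm(addr) != norm(bank_addr[cid]):
            rows.append({"customer": cid, "address": norm(addr),
                         "evidenced": cid in change_forms})
    return rows

def investigate(rows, staff_addr, min_shared=2):
    """Rank exceptions: unevidenced changes, shared addresses, staff address matches."""
    by_addr = defaultdict(list)
    for r in rows:
        by_addr[r["address"]].append(r["customer"])
    staff = {norm(a): who for who, a in staff_addr.items()}
    findings = []
    for r in rows:
        reasons = []
        if not r["evidenced"]:
            reasons.append("no change form or ID proof")
        if len(by_addr[r["address"]]) >= min_shared:
            reasons.append("address shared by several customers")
        if r["address"] in staff:
            reasons.append("matches address of " + staff[r["address"]])
        if reasons:
            findings.append((r["customer"], reasons))
    return findings
```

Running the report on a schedule, rather than only after a customer complaint, is what turns this reconciliation into a detective control.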
