
Richardson, Chang, Smith – Accounting Information Systems, 2nd Edition – Chapter 12

Accounting Information Systems, 2nd Edition
Richardson


Chapter 12 – Information Security and Computer Fraud


Multiple Choice Questions

1. b
2. d
3. a
4. b
5. d
6. d
7. a
8. d
9. c
10. d
11. c
12. d
13. c
14. d
15. d

Discussion Questions

1. Phishing is a type of social engineering. Give two examples of phishing.

An email that requests the victim to log into a website that looks legitimate but is actually
controlled by the attacker. An attacker clones a legitimate website and distributes a broken link
to victims in an attempt to convince them to enter sensitive information.

Copyright © 2018 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill
Education.

2. If social engineering is a common reason that confidential information is revealed, what needs
to be done to prevent this from occurring?

User training is often employed to counter social engineering attacks. By teaching users the
dangers of social engineering and establishing a policy governing the dissemination of any
information like login data, the users will be much more knowledgeable if a social engineering
attempt is made.

3. The Payment Card Industry Data Security Standard (PCI-DSS) and the Health Insurance Portability and
Accountability Act (HIPAA) are examples of laws related to information security. Discuss the
major requirements of this legislation.

PCI-DSS and HIPAA both establish standards for protecting and disseminating personally
identifiable information (PII). They establish frameworks for data security management that
must be complied with in order to participate in electronic card transactions or to store electronic
patient records. Standards cover topics such as establishing a secure infrastructure, monitoring
network and security information, and guaranteeing that access controls are established.

4. Give an example of employee fraud and identify reasons why it may occur.

An employee facing the threat of layoff plants a logic bomb in the system that will require the
company to rehire the employee as a consultant to remediate the problem. The fraud triangle
has been developed to explain and predict fraudulent behavior. It states that three conditions
must exist for fraud to occur: incentive, opportunity, and the ability to rationalize the fraud they
intend to commit.

5. What are the differences between authentication and authorization?

Authentication ensures that users are who they claim to be. Authorization is the level of
permission to interact with system resources granted to each individual.

6. Explain how to use the asymmetric-key encryption method to maintain confidentiality in
transmitting a business document electronically.

1) The sender encrypts a challenge message with the receiver's public key.
2) The receiver decrypts it with his own private key, answers the message, and sends the response
encrypted with his own private key.
3) The sender decrypts the response with the receiver's public key and validates the challenge
message.
4) The process is reversed to authenticate the sender.
5) Either the sender (or the receiver) generates a symmetric key (called a session key because it
is valid for a certain timeframe only) to be used by both parties.
6) Use the asymmetric-key encryption method to distribute the session key.
7) After both parties have the session key, use the session key to transmit confidential
data/information. This is because symmetric-key encryption is faster in data
transmission.

7. What is hashing? Does it serve the same purpose as encryption? Why?

Hashing is a one-way process that turns a document of any length into a fixed-length digest. The
process cannot be reversed and is used as part of validating data integrity or to generate a
message digest that is encrypted as part of the digital signature process.

8. How can data integrity be ensured in conducting E-business? Why is it critical to E-business?

Data integrity can be ensured by comparing the message digest created by the sender with one
generated from the document as received. If the two hashes match, then the message has not
been altered.
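As an added example, not from the textbook or its solution manual, the Go program below carries out the exchange described in questions 6 through 8 using only the standard library: a fresh session key is distributed under the receiver's public key, the business document is encrypted under that session key, and the sender signs the SHA-256 digest so the receiver can verify both integrity and origin. The 2048-bit RSA key size, the choice of RSA-OAEP, RSA-PSS and AES-256-GCM, and the function names are assumptions made for this example.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is what travels over the wire: the session key wrapped under the
// receiver's public key, the AES-GCM nonce and ciphertext, and the sender's
// signature over the SHA-256 digest of the plaintext document.
type Envelope struct {
	WrappedKey, Nonce, Ciphertext, Signature []byte
}

// NewKey generates one party's 2048-bit RSA key pair (demo helper, not CA-certified).
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// gcmFor builds AES-256-GCM from a 32-byte session key; only a wrong key
// length, which this code controls, could make it fail.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// Seal is the sender side: wrap a fresh session key under the receiver's public key
// (asymmetric), encrypt the document under that key (symmetric), and sign its digest.
func Seal(doc []byte, senderPriv *rsa.PrivateKey, receiverPub *rsa.PublicKey) (*Envelope, error) {
	buf := make([]byte, 32+12) // 32-byte AES-256 key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, key, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(doc)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, nonce, gcmFor(key).Seal(nil, nonce, doc, nil), sig}, nil
}

// Open is the receiver side: unwrap the session key, decrypt, recompute the
// digest and verify the signature. Altered data or a forged origin returns an error.
func Open(env *Envelope, receiverPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	doc, err := gcmFor(key).Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, err // GCM authentication tag did not match: data was altered
	}
	digest := sha256.Sum256(doc)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, err // digest differs from the signed one, or wrong signer
	}
	return doc, nil
}
```

Seal and Open are the two halves of the exchange; a caller generates one key pair per party with NewKey and passes the other party's public half.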

9. Both COBIT and ISO 27000 series are security frameworks. Are there significant differences
between the two frameworks?

The main objective of the ISO 27000 series is to provide a model for establishing, implementing,
operating, monitoring, maintaining, and improving an Information Security Management System
(ISMS). COBIT is a more general IT governance framework that considers the governance of a
firm's entire IT infrastructure. COBIT does not go into as much detail on security issues as ISO
27000; however, the two standards may be implemented together to improve corporate IT
governance.

10. Compare disaster recovery plan (DRP) and business continuity management (BCM).

A disaster recovery plan seeks to allow the business to quickly recover from a catastrophic
event, while a business continuity plan is related to ensuring that the business can continue
activities during conditions that would otherwise cause a service outage.


Problems
(Note – Problems with “Connect” in parentheses below are available for assignment within
Connect.)

1. Compare and contrast symmetric-key and asymmetric-key encryption methods in conducting E-business.
Why may companies prefer one method over the other? If a company chooses to use both
methods, what are the reasons, and how does the company use both methods for E-business?

Answer:

Asymmetric-key encryption is very slow but requires only two keys per user.
Additionally, asymmetric-key encryption can be used to authenticate users. Symmetric-key
encryption is much faster, but requires a separate key for every pair of users. In addition, these keys
must be physically distributed to users no matter how widely dispersed they are. This is not an effective
practice for an e-commerce company. Most companies will utilize both of these methods: the
company establishes a connection to its users using asymmetric-key encryption and generates a
symmetric session key to conduct all further business.

2. Many internal auditors and IT professionals consider that wireless networks and mobile devices pose
high risks to a firm's network. Collect information to examine whether this concern is valid. If
so, identify the risks and the general controls that help reduce them.

Answer:

A company should require all of its mobile devices to use a VPN into the company's network, if it
allows them to connect at all. This allows a mobile device to connect through an untrusted
wireless network. The company should also keep any of its own wireless networks physically
separated from the more secure wired networks through which business is conducted.

3. Under PKI, a Certification Authority (CA) plays a critical role in maintaining information
security. Search the Internet to find a few public firms that are CAs. Compare these firms and
provide suggestions on how to choose a CA as part of information security management.

Answer:

DigiCert: A large organization approved by several government organizations.

VeriSign: Part of Symantec; a large public security firm that is trusted in the security industry.

When selecting a PKI CA provider, it is important to focus on trustworthiness and a proven history of
security and confidentiality. In addition, the provider must possess sufficient resources to meet your
needs. As always, third-party service providers should make reports available to their customers that provide
third-party assurance over the security of their systems.

4. (Connect) Match the descriptions with each encryption method.

Descriptions:
a. Good for large data sets
b. Slow in processing
c. Convenient for key distribution & key management
d. Each user has a public key and a private key
e. Good for authentication

Encryption Methods:
i. Symmetric-key encryption
ii. Asymmetric-key encryption

Answer:
a. i
b. ii
c. ii
d. ii
e. ii

5. (Connect) Match the correct statement(s) with each term regarding system availability.

Internal Controls:
a. Activities required to keep a firm running during a period of displacement or interruption of
normal operations
b. A process that identifies significant events that may threaten a firm's operations and outlines
the procedures to ensure that the firm will resume operations if such events occur
c. A service model in which a third-party service provider offers computing resources, including
hardware and software applications, to cloud users over the Internet, and the service provider
charges on a per-user basis
d. A clearly defined and documented plan that covers key personnel, resources including IT
infrastructure and applications, and actions required to be carried out in order to continue or
resume the systems for critical business functions
e. Using redundant units to provide a system with the ability to continue functioning when part
of the system fails
f. A device using battery power to enable a system to operate long enough to back up critical
data and shut down properly during the loss of power

System Availability Terms:
i. Uninterruptible power supply
ii. Fault tolerance
iii. Cloud computing
iv. Disaster recovery planning
v. Business continuity management

Answer:
a. v
b. iv
c. iii
d. iv
e. ii
f. i

6. (Connect) Identify the main components of vulnerability management and assessment.

Components:
a. Prioritize vulnerabilities
b. Design a risk response plan
c. Monitor vulnerabilities
d. Establish policy and requirements
e. Identify vulnerabilities

Categories:
i. Vulnerability management
ii. Vulnerability assessment

Answer:

Please refer to Figure 12.10 in the textbook.

a. ii
b. i
c. i
d. i
e. ii

7. There are computer fraud schemes in systems development life cycles (refer to Figure 12.1). Identify
an example in each phase of systems development life cycles.

Answer:
a. Lack of authentication and/or role based access control
b. Lack of consideration for security vulnerabilities
c. Lack of code reviews
d. Lack of enforcement of documentation and back-up procedures
e. End-user access to source code

8. Internal auditors are often tasked with testing vulnerabilities. How would you suggest testing for
system intrusion, logical access control, natural disasters, and intentional destruction of
information?

Answer:
System intrusion:
• Broad detection range: Internal auditors should measure the ability of the system to detect
different types of intrusions.
o Work with a third-party IT team to try to hack the system.
• Economy in resource usage: Internal auditors should also measure the consumption of
computer resources by the intrusion detection system.
• Resilience to stress: Auditors are supposed to look at operational impairment in the case of
high computing activity.

Logical access control:


• The company has formal policies and procedures for logical access, physical access and IT
security.
• New or Revised Access Request Forms are approved by the Department Manager.
• Administrator access to Active Directory, applications and databases is limited to authorized
personnel.
• The Department Manager performs access reviews for applications and the Active Directory
domain.
• Event logging is activated and configured per policy.
• All employees are required to have three things to access the system: something they have,
something they know and something they are. Testing is done to see if the system can be
accessed without one of these three items.
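The access review in the list above is something an internal auditor can script rather than check by eye. The Go program below is an added example, not part of the textbook or its solutions: it compares a constructed directory export against an assumed role entitlement matrix and reports every right the user's current role does not justify, separating leftovers from a job transfer (the pattern in fraud case 10a later in this chapter) from unexplained grants. All role names, rights and user accounts are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// RolePolicy is the approved entitlement matrix (constructed for this
// example): the rights each job role may hold.
var RolePolicy = map[string]map[string]bool{
	"payroll-clerk":   {"payroll:read": true, "payroll:write": true},
	"payroll-support": {"helpdesk:tickets": true},
	"domain-admin":    {"ad:admin": true, "db:admin": true},
}

// Account joins one directory-export row with the HR roster: the user's
// current role, the role held before the last transfer ("" if none) and the
// rights actually provisioned.
type Account struct {
	User, Role, PreviousRole string
	Rights                   []string
}

// Finding is one exception for the Department Manager to act on.
type Finding struct {
	User, Right, Reason string
}

// ReviewAccess flags every provisioned right the current role does not
// justify. A right the previous role did justify is reported as a transfer
// leftover (the pattern in fraud case 10a); anything else is unexplained and
// needs an approved access request to stay.
func ReviewAccess(accounts []Account) []Finding {
	var out []Finding
	for _, a := range accounts {
		for _, r := range a.Rights {
			if RolePolicy[a.Role][r] {
				continue // justified by the current role
			}
			reason := "not justified by role " + a.Role
			if RolePolicy[a.PreviousRole][r] {
				reason = "left over from previous role " + a.PreviousRole
			}
			out = append(out, Finding{a.User, r, reason})
		}
	}
	// Deterministic order so the report can be diffed between review cycles.
	sort.Slice(out, func(i, j int) bool {
		return out[i].User+"/"+out[i].Right < out[j].User+"/"+out[j].Right
	})
	return out
}

// SampleAccounts is a constructed directory export: jdoe moved from payroll
// clerk to support but kept payroll rights; rlee holds an admin right no role
// of hers allows; asmith is clean.
var SampleAccounts = []Account{
	{"jdoe", "payroll-support", "payroll-clerk", []string{"helpdesk:tickets", "payroll:read", "payroll:write"}},
	{"asmith", "payroll-clerk", "", []string{"payroll:read", "payroll:write"}},
	{"rlee", "payroll-support", "", []string{"helpdesk:tickets", "db:admin"}},
}

func main() {
	for _, f := range ReviewAccess(SampleAccounts) {
		fmt.Printf("%-7s %-16s %s\n", f.User, f.Right, f.Reason)
	}
}
```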

Natural disasters:
• The company should develop an IT disaster recovery plan. It begins by compiling an
inventory of hardware (e.g. servers, desktops, laptops and wireless devices), software
applications and data. The plan should include a strategy to ensure that all critical
information is backed up.
• Vendors should be able to provide “hot sites” for IT disaster recovery. These sites are fully
configured data centers with commonly used hardware and software products. Subscribers
may provide unique equipment or software either at the time of disaster or store it at the
hot site ready for use.
• It’s better for the company to have access to more than one facility. Hardware at an
alternate facility can be configured to run similar hardware and software applications when
needed. Assuming data is backed up off-site or data is mirrored between the two sites, data
can be restored at the alternate site and processing can continue.

• Agreement with another company of similar size in a different location to utilize their
system as a database backup. Agreement could include doing the same for the “sister”
company.

Intentional destruction of information:


• Periodic testing and evaluation of the effectiveness of information security policies,
procedures, practices, and security controls to be performed with a frequency depending on
risk, but no less than annually.
• A process for planning, implementing, evaluating, and documenting remedial actions to
address any deficiencies in the information security policies, procedures, and practices of
the organization.
• Procedures for detecting, reporting, and responding to security incidents.
• Plans and procedures to ensure continuity of operations for information systems that
support the operations and assets of the organization.
• Frequent and regular tests to ensure information is present. Knowledge of this process
could deter destruction of information.
• Keeping important information under limited access, or requiring that two people be
present to access it.
• System Configuration Review: Internal auditors should conduct a review of how the system
is configured. (GTAG, Auditing Application Controls, IIA)
o “Review the three-way match system parameters”
o “Query the underlying programming code of the application report generation
process for appropriate logic”
o “Rerun the query to compare the report to the one management generated”

9. Browse the Internet to identify some recent cases related to system availability. What are the risks
and issues in system availability of these cases? Indicate possible controls to mitigate the risks.

Answer:
Students’ answers may vary.
http://blogs.wsj.com/cio/2016/06/16/fbi-says-corporate-email-impersonation-scams-growing/
http://www.wsj.com/articles/cisco-proposes-plan-to-monitor-data-centers-1466019703

Typical risks are:
• Unauthorized access to the system leads to system intrusion and data corruption.
• The more complicated the system, the longer it takes to restart it. Hence, outages that
require system shutdown and restart can dramatically affect your ability to meet a
challenging availability target.
• A support person who is called in after hours could easily take an hour or two simply to
arrive and diagnose the problem.
• Unsuspecting users opening e-mails that appear genuine and virus-free.


• From the Cisco article: “Analysts add that most of existing tools track individual pieces of
hardware, or take samples of information flows rather than tracking every packet of data.
Because of Cisco’s central position in hardware plumbing, the information they have “gives
you granularity that no one has ever had before,” said Zeus Kerravala, an analyst at ZK
Research.”

Possible controls to mitigate risks:

Test the Change Control Process

Applications are always evolving to fit new business requirements and improve behavior. Even
mission-critical applications change over time. Because the change control process is a large
source of downtime-causing errors, a business- or mission-critical application must not go into
production until its change control process has been shown to run repeatedly without error.

Test Catastrophic Failure

Before deploying a new application, companies should make sure that the catastrophic recovery
procedures have been created and work as expected. Is the recovery team ready? It must be trained,
equipped, and well rehearsed. A recovery plan is of no use if it turns out not to be effective.

Test for Resource Conflicts

• Availability engineering requires in-depth consideration of an application's interactions with
other system processes. Auditors must look at how a particular service is provided, evaluate
all the ways some other application might interfere with the intended service, test for
conflicts, and possibly consider design alternatives.
• Keep systems behind the Secure E-mail Gateway (SEG) up to date and educate employees through
training to identify scams. Be clear about communicating how information will be requested
and be consistent in following your own policies.
• From Cisco article above: “Security is a key focus. One reason companies struggle in
stopping network attacks is the constant changes in where they originate, which make it
hard to keep a list of suspicious machines or internet addresses to block.
• Cisco said its new technology makes it easier, instead, to enforce a “white list” of authorized
systems, so that servers can only accept connections from approved devices and no others.”

10. Consider each of the following fraud cases. Identify the incentive, opportunity, and rationalization
present in each case.
a. An employee of a telecommunications firm’s payroll department moved to a new position
within the department in which she no longer has privileged access to payroll accounts.
However, when changing positions, her access rights to the payroll accounts were left
unchanged. An associate told her that he was starting a financial service business and
needed some contact information. Using the privileged access rights that she had retained,
the employee provided her associate with confidential information of many employees,
including 401k account numbers, credit card account numbers, and social security numbers,
which he then used to commit more than 100 cases of identity theft. The insider's actions
caused more than $1 million worth of damages to the firm and its employees.
b. A database analyst of a major check authorization and credit card processing company went
beyond his authorized computer access rights. The employee obtained his firm’s consumer
information of 8.4 million individuals. The stolen information included names and addresses,
bank account information, and credit and debit card information. He sold the data to
telemarketers over a five-year period.
c. An IT consultant working under contract for an offshore oil platform company was denied
an offer for a permanent job with the same company. He then accessed the firm’s computer
systems without approval and caused damage by impairing the integrity and availability of
data.
d. A manager responsible for payment authorization hired an offshore programmer to insert a
couple of independent contractors into the vendor table of his company's database. He then
authorized payments to the independent contractors for fictitious services for personal gain.
He spent the stolen money on luxury items and extravagant purchases for himself, his
family, and friends.

Answers:
a.
Incentive: The insider's action involved more than $1 million worth of value belonging to the firm and its
employees. The employee may have been jaded that her new position no longer had privileged access to
payroll accounts; this may have been felt as a demotion.
Opportunity: When she changed positions, her access rights to the payroll accounts were left
unchanged, and she realized this. She may not have received training
that indicated this would be unacceptable behavior.
Rationalization: She was an employee of the payroll department and hence might feel it was not
wrong to access those payroll accounts. She may have felt she had to give this information to
the associate if he was in a higher position of responsibility.

b.
Incentive: He could sell 8.4 million consumers’ information to telemarketers over a five-year
period.
Opportunity: The data analyst has been authorized with computer access rights to 8.4 million
consumers’ information. The analyst was not authorized, but apparently had the capability to
extend his computer access rights.
Rationalization: Being a database analyst, he might feel it is acceptable and justifiable to sell
that information to external parties. He probably rationalized that if it was not secure enough to
keep him out why would it matter if he sold the information.

c.
Incentive: He was able to access the firm's computer systems without approval and thus was
able to take revenge on the company for not offering him a permanent job. He had been denied an offer of
permanent employment after working as a consultant.
Opportunity: He was able to access the firm's computer systems without approval and cause
damage even as a contractor. Since he was an IT contractor, he already knew the company's
systems well and had the capability to access the data.
Rationalization: As an IT consultant, he might feel it was easy for him to conceal his actions and
cause damage without being noticed. He may have felt that the company deserved these
actions since they did not value him.

d.
Incentive: He could authorize payments for fictitious services for personal gain and spend the money
on himself, his family and his friends. The incentive is the luxury items and extravagant
purchases for himself, family, and friends.
Opportunity: He had the authority to authorize payments to the independent contractors for
fictitious services. The opportunity arises from having access to an offshore programmer who
could hack the system to input vendors in a way unrelated to him.
Rationalization: He might feel that, as the manager, he would not be caught for fraudulent
payment authorization. As a manager he may feel that he is authorized to use the funds
however he sees fit as long as it appears that they are being used for business purposes. Or maybe
he feels he deserves a better lifestyle and is currently underpaid.
