Accounting Information Systems 2nd Edition Richardson Solutions Manual 1
1. b
2. d
3. a
4. b
5. d
6. d
7. a
8. d
9. c
10. d
11. c
12. d
13. c
14. d
15. d
Discussion Questions
An email that requests the victim to log into a website that looks legitimate but is actually
controlled by the attacker. An attacker clones a legitimate website and distributes a broken link
to victims in an attempt to convince them to enter sensitive information.
Copyright © 2018 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill
Education.
1
Richardson, Chang, Smith – Accounting Information Systems, 2nd Edition – Chapter 12
2. If social engineering is a common reason that confidential information is revealed, what needs
to be done to prevent this from occurring?
User training is often employed to counter social engineering attacks. Teaching users the
dangers of social engineering and establishing a policy governing the dissemination of any
information such as login data leaves users far better prepared to recognize a social engineering
attempt when one is made.
3. The Payment Card Industry Data Security Standard (PCI-DSS) and the Health Insurance Portability and
Accountability Act (HIPAA) are examples of laws and standards related to information security. Discuss the
major requirements of this legislation.
PCI-DSS and HIPAA both establish standards for protecting and disseminating personally
identifiable information (PII). They establish frameworks for data security management that
must be complied with in order to either participate in electronic card transactions or store electronic
patient records. The standards cover topics such as establishing a secure infrastructure, monitoring
network and security information, and ensuring that access controls are established.
4. Give an example of employee fraud and identify reasons why it may occur.
An employee facing the threat of layoff plants a logic bomb in the system that will require the
company to rehire the employee as a consultant to remediate the problem. The fraud triangle
was developed to explain and predict fraudulent behavior. It states that three conditions
must exist for fraud to occur: incentive, opportunity, and the ability to rationalize the fraud the
person intends to commit.
Authentication ensures that users are who they claim to be. Authorization is the level of
permission to interact with system resources granted to each individual.
1) The sender encrypts a challenge message with the receiver's public key.
2) The receiver decrypts it with his own private key, answers the message, and sends the response
encrypted with his own private key.
3) The sender decrypts the response with the receiver's public key and validates the challenge
message.
4) The process is reversed to authenticate the sender.
5) Either the sender (or the receiver) generates a symmetric key (called a session key because it
is valid for a certain timeframe only) to be used by both parties.
6) The asymmetric-key encryption method is used to distribute the session key.
7) After both parties have the session key, it is used to transmit confidential
data/information, because symmetric-key encryption is faster for data
transmission.
Hashing is a one-way process that turns a document of any length into a fixed-length value. The
process cannot be reversed and is used as part of validating data integrity or to generate a
message digest to encrypt as part of the digital signature process.
Data integrity can be ensured by comparing the message digest created by the sender with one
generated from the document that was received. If the two hashes match, then the message has not
been altered.
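The challenge-response authentication in steps 1 through 7 above and the digest comparison for integrity, as an added Python example that is not part of the solutions manual. The RSA primes, exponent, challenge value and hash-derived stream cipher are toy constructions chosen so the whole exchange fits in one script; a real system would use a vetted cryptographic library.

```python
import hashlib
import secrets

# Toy RSA key pair over two small, fixed primes (constructed for illustration; real systems use vetted libraries and 2048-bit or larger moduli).
def make_keypair(p, q, e=17):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))    # private exponent
    return (e, n), (d, n)                # (public key, private key)

def rsa_public(key, m):
    """Raise to the public exponent: encrypt to a key, or check a signature."""
    exp, n = key
    return pow(m, exp, n)

def rsa_private(key, c):
    """Raise to the private exponent: decrypt, or sign with one's own key."""
    exp, n = key
    return pow(c, exp, n)

def challenge_response(receiver_pub, receiver_priv, challenge):
    """Steps 1-3: the sender proves the receiver holds the matching private key."""
    c = rsa_public(receiver_pub, challenge)           # 1. challenge encrypted to receiver
    plain = rsa_private(receiver_priv, c)             # 2. receiver decrypts the challenge
    response = rsa_private(receiver_priv, plain)      #    and returns it under his own private key
    return rsa_public(receiver_pub, response) == challenge   # 3. sender validates

def keystream(session_key, length):
    """Toy stream cipher: SHA-256 over (key, counter) stretched to `length` bytes."""
    blocks = []
    for counter in range(length // 32 + 1):
        seed = session_key.to_bytes(8, "big") + counter.to_bytes(4, "big")
        blocks.append(hashlib.sha256(seed).digest())
    return b"".join(blocks)[:length]

def sym_crypt(session_key, data):
    """Step 7: XOR with the keystream; one call both encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(session_key, len(data))))

def message_digest(document):
    """One-way hash: a document of any length to a fixed-length digest."""
    return hashlib.sha256(document).hexdigest()

def run_protocol(document, tampered=False):
    """Authenticate, agree a session key, send the document, verify integrity."""
    receiver_pub, receiver_priv = make_keypair(61, 53)          # constructed toy keys
    authenticated = challenge_response(receiver_pub, receiver_priv, challenge=1234)
    session_key = secrets.randbelow(receiver_pub[1] - 2) + 2    # step 5: sender picks the key
    receiver_key = rsa_private(receiver_priv, rsa_public(receiver_pub, session_key))  # step 6
    ciphertext = sym_crypt(session_key, document)
    digest = message_digest(document)                            # sent alongside for the integrity check
    if tampered:                                                 # simulate one flipped bit in transit
        ciphertext = bytes([ciphertext[0] ^ 0x01]) + ciphertext[1:]
    received = sym_crypt(receiver_key, ciphertext)
    return {"authenticated": authenticated, "key_agreed": receiver_key == session_key,
            "integrity_ok": message_digest(received) == digest, "plaintext": received}
```

A digest sent in the clear only detects accidental corruption; against an active attacker the digest itself must be signed, which is the digital signature step the answer mentions.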
9. Both COBIT and the ISO 27000 series are security frameworks. Are there significant differences
between the two frameworks?
The main objective of the ISO 27000 series is to provide a model for establishing, implementing,
operating, monitoring, maintaining, and improving an Information Security Management System
(ISMS). COBIT is a more general IT governance framework that considers the governance of a
firm’s entire IT infrastructure. COBIT does not go into as much detail on security issues as ISO
27000; however, the two standards may be implemented together to improve corporate IT
governance.
10. Compare disaster recovery plan (DRP) and business continuity management (BCM).
A disaster recovery plan seeks to allow the business to quickly recover from a catastrophic
event, while a business continuity plan is related to ensuring that the business can continue
activities during conditions that would otherwise cause a service outage.
Problems
(Note – Problems with “Connect” in parentheses below are available for assignment within
Connect.)
Answer:
Asymmetric key encryption is very slow but requires only two keys per user.
Additionally, asymmetric key encryption can be used to authenticate users. Symmetric key
encryption is much faster, but requires a separate key for every pair of users. In addition, these keys
must be physically distributed to users, however widely dispersed they are. This is not an effective
practice for an e-commerce company. Most companies will utilize both of these methods. The
company will establish a connection to its users utilizing asymmetric key encryption and generate a
symmetric session key to conduct all further business.
2. Many internal auditors and IT professionals consider that wireless networks and mobile devices pose
high risks in a firm’s network system. Collect information to examine whether this concern is valid. If
so, identify the risks and the general controls to help reduce these risks.
Answer:
A company should require all of its mobile devices to use VPNs into the company’s network if it
allows them to connect at all. This allows a mobile device to connect safely through an untrusted
wireless network. The company should also keep any of its own wireless networks physically
separated from the more secure wired networks on which business is conducted.
3. Under PKI, the Certification Authority (CA) plays a critical role in the success of maintaining information
security. Search the Internet to find a few public firms that are CAs. Compare these firms and
provide suggestions on how to choose a CA as part of information security management.
Answer:
VeriSign: Part of Symantec; a large public security firm that is trusted in the security industry.
When selecting a PKI CA provider, it is important to focus on trustworthiness and a proven history of
security and confidentiality. In addition, the provider must possess sufficient resources to meet your
needs. As always, third-party service providers should have reports available to their customers providing
third-party assurance over the security of their systems.
Answer:
a. i
b. ii
c. ii
d. ii
e. ii
5. (Connect) Match correct statement(s) with each term regarding system availability.
Statements:
b. A process that identifies significant events that may threaten a firm’s operations and outlines the procedures to ensure that the firm will resume operations if such events occur
d. A clearly defined and documented plan that covers key personnel, resources including IT infrastructure and applications, and actions required to be carried out in order to continue or resume the systems for critical business functions
e. Using redundant units to provide a system with the ability to continue functioning when part of the system fails
Terms:
ii. Fault tolerance
iv. Disaster recovery planning
v. Business continuity management
Answer:
a. v
b. iv
c. iii
d. iv
e. ii
f. i
Component:
a. Prioritize vulnerabilities
c. Monitor vulnerabilities
e. Identify vulnerabilities
Category:
i. Vulnerability management
Answer:
a. ii
b. i
c. i
d. i
e. ii
7. Computer fraud schemes can arise in the systems development life cycle (refer to Figure 12.1). Identify
an example in each phase of the systems development life cycle.
Answer:
a. Lack of authentication and/or role based access control
b. Lack of consideration for security vulnerabilities
c. Lack of code reviews
d. Lack of enforcement of documentation and back-up procedures
8. Internal auditors are often tasked with testing vulnerabilities. How would you suggest testing for
system intrusion, logical access control, natural disasters, and intentional destruction of
information?
Answer:
System intrusion:
• Broad detection range: Internal auditors should measure the ability of the system to detect
different types of intrusions.
o Work with a third-party IT team to try to hack the system.
• Economy in resource usage: Internal auditors should also measure the consumption of
computer resources by the intrusion detection system.
• Resilience to stress: Auditors should look at operational impairment during periods of
high computing activity.
Natural disasters:
• The company should develop an IT disaster recovery plan. It begins by compiling an
inventory of hardware (e.g. servers, desktops, laptops and wireless devices), software
applications and data. The plan should include a strategy to ensure that all critical
information is backed up.
• Vendors should be able to provide “hot sites” for IT disaster recovery. These sites are fully
configured data centers with commonly used hardware and software products. Subscribers
may provide unique equipment or software either at the time of disaster or store it at the
hot site ready for use.
• It’s better for the company to have access to more than one facility. Hardware at an
alternate facility can be configured to run similar hardware and software applications when
needed. Assuming data is backed up off-site or data is mirrored between the two sites, data
can be restored at the alternate site and processing can continue.
• An agreement with another company of similar size in a different location to utilize its
system as a database backup. The agreement could include doing the same for the “sister”
company.
9. Browse the Internet to identify some recent cases related to system availability. What are the risks
and issues in system availability of these cases? Indicate possible controls to mitigate the risks.
Answer:
Students’ answers may vary.
http://blogs.wsj.com/cio/2016/06/16/fbi-says-corporate-email-impersonation-scams-growing/
http://www.wsj.com/articles/cisco-proposes-plan-to-monitor-data-centers-1466019703
• The more complicated the system, the longer it takes to restart it. Hence, outages that
require system shutdown and restart can dramatically affect your ability to meet a
challenging availability target.
• A support person who is called in after hours could easily take an hour or two simply to
arrive and diagnose the problem.
• Unsuspecting users opening e-mails that appear genuine and virus-free.
• From the Cisco article: “Analysts add that most of existing tools track individual pieces of
hardware, or take samples of information flows rather than tracking every packet of data.
Because of Cisco’s central position in hardware plumbing, the information they have “gives
you granularity that no one has ever had before,” said Zeus Kerravala, an analyst at ZK
Research.”
10. Consider each of the following fraud cases. Identify the incentive, opportunity, and rationalization
present in each case.
a. An employee of a telecommunications firm’s payroll department moved to a new position
within the department in which she no longer has privileged access to payroll accounts.
However, when changing positions, her access rights to the payroll accounts were left
unchanged. An associate told her that he was starting a financial service business and
needed some contact information. Using the privileged access rights that she had retained,
the employee provided her associate with confidential information of many employees,
including 401k account numbers, credit card account numbers, and social security numbers,
which he then used to commit more than 100 cases of identity theft. The insider’s actions
caused more than $1 million worth of damages to the firm and its employees.
b. A database analyst of a major check authorization and credit card processing company went
beyond his authorized computer access rights. The employee obtained his firm’s consumer
information of 8.4 million individuals. The stolen information included names and addresses,
bank account information, and credit and debit card information. He sold the data to
telemarketers over a five-year period.
c. An IT consultant working under contract for an offshore oil platform company was denied
an offer for a permanent job with the same company. He then accessed the firm’s computer
systems without approval and caused damage by impairing the integrity and availability of
data.
d. A manager responsible for payment authorization hired an offshore programmer to insert a
couple of independent contractors to the vendor table of his company’s database. He then
authorized payments to the independent contractors on fictitious services for personal gain.
He spent the stolen money on luxury items and extravagant purchases for himself, his
family, and friends.
Answers:
a.
Incentive: The insider’s actions caused more than $1 million worth of damage to the firm and its
employees. The employee may have been jaded that her new position no longer had privileged access to
payroll accounts. This may have felt like a demotion.
Opportunity: When she changed positions, her access rights to the payroll accounts were left
unchanged. She realized her access rights had not been changed. She may not have received training
that indicated this would be unacceptable behavior.
Rationalization: She was an employee of the payroll department and hence might have felt it was not
wrong to access those payroll accounts. She may have felt she HAD to give this information to
the associate if he was in a higher position of responsibility.
b.
Incentive: He could sell 8.4 million consumers’ information to telemarketers over a five-year
period.
Opportunity: The database analyst held computer access rights to his firm’s systems. He was not
authorized to reach the information of 8.4 million consumers, but apparently had the capability to
extend his computer access rights.
Rationalization: Being a database analyst, he might have felt it acceptable and justifiable to sell
that information to external parties. He probably rationalized that, if the system was not secure enough to
keep him out, it would not matter if he sold the information.
c.
Incentive: He was able to access the firm’s computer systems without approval and thus could
take revenge on the company for not offering him a permanent job. He had been denied an offer of
permanent employment after working as a consultant.
Opportunity: He was able to access the firm’s computer systems without approval and cause
damage even as a contractor. Since he was an IT contractor, he already knew the company’s
systems well and had the capability to access the data.
Rationalization: As an IT consultant, he might have felt it was easy for him to conceal his actions and
cause damage without being noticed. He may have felt that the company deserved these
actions since it did not value him.
d.
Incentive: He could authorize payments for fictitious services for personal gain and spend the money
on himself, his family and his friends. The incentive is the luxury items and extravagant
purchases for himself, family, and friends.
Opportunity: He had the authority to authorize payments to the independent contractors for
fictitious services. The opportunity arose from having access to an offshore programmer who
could insert vendors into the system in a way that was not traceable to him.
Rationalization: He might have felt that, as the manager, he would not be caught for fraudulent
payment authorization. As a manager he may have felt that he was authorized to use the funds
however he saw fit as long as it appeared they were being used for business purposes. Or maybe
he felt he deserved a better lifestyle and was underpaid.