
Chapter 3

September 19, 2022 8:10 AM

What is Documentation
• Set of documents and models
- Narrative, data flow models, flowcharts
• Describe who, what, why, when and where of systems
- Input, process, storage, output, and controls

Why Should You Learn Documentation?
• You need to be able to read documentation in all of its forms: narratives, diagrams, models
• You need to be able to evaluate the quality of systems, such as internal control, based in part on documentation
• SAS 94 requires independent auditors to understand all internal control procedures
• Sarbanes-Oxley states that management:
- Is responsible for the internal control system
- Is responsible for assessing the effectiveness of the IC system
- Both management and external auditors need to document and test the IC system
Data Flow Diagram
• Graphically describes
• Four basic elements

Entity
- Represents a source of data or input into the system or
- Represents a destination of data or output from the system

Data Flows
- Movement of data among:
- Entities (sources or destinations)
- Processes
- Data stores
- Label should describe the information moving

Process - Represents the transformation of data


Data Store - Represents data at rest

Data Flow Diagram Levels


• Context
- Highest level (most general)
- Purpose: inputs and outputs
• Level-0

Data Flow Diagram Guidelines
• Understand the system
• Identify transformational processes
• Ignore certain aspects of the system
• Group transformational
• Determine system boundaries
• Identify all data stores
• Develop a context DFD
• Identify all sources and destinations
• Identify data flows
• Label all DFD elements
• Group data flows
• Subdivide

New Section 1 Page 1


Flow Charts
• Use symbols to logically depict transaction processing and the flow of data through a system
• A pictorial representation is easier to understand and explain than a detailed narrative

Flowchart Symbol Categories


• Input/Output
• Processing
• Storage
• Miscellaneous

Types of Flowcharts
• Document
- Illustrates the flow of documents through an organization
- Useful for analyzing internal control procedures
• System
- Logical representation of system inputs, processes, and outputs
- Useful in systems analysis and design
• Program
- Represent the logical sequence of program logic

Data Hierarchy
• Field - Attributes about an entity
• Record - Related group of fields
• File - Related group of records
• Database - Related group of files

Advantages of Database Systems


• Data Integration
- Files are logically combined and made accessible to various systems.
• Data Sharing
- With data in one place it is more easily accessed by authorized users.
• Minimizing Data Redundancy and Data Inconsistency
- Eliminates the same data being stored in multiple files, thus reducing inconsistency between multiple versions of the same data.
• Data Independence
- Data is separate from the programs that access it. Changes can be made to the data without necessitating a change in the programs, and vice versa.
• Cross-Functional Analysis
- Relationships between data from various

Database Terminology
• Database Management System (DBMS)
- Interface between software applications and the data in files.
• Database Administrator (DBA)
- Person responsible for maintaining the database
• Data Dictionary
- Information about the structure of the database: field names, descriptions, uses

Logical vs. Physical


• Physical View
- Depends on explicitly knowing: 1) how the data is actually arranged in a file; 2) where the data is stored on the computer
• Logical View
- A schema separates storage of data from use of the data
- Unnecessary to explicitly know how and where data is stored.

Schemas - Describe the logical structure of a database


• Conceptual Level - Organization wide view of the data
• External Level
- Individual user's view of the data; each view is a subschema
• Internal Level
- Describes how data are stored and accessed; description of records, definitions, addresses, and indexes

Relational Database
- The relational data model represents the conceptual and external level schemas as if data are stored in tables.
- Table
- Each row, a tuple, contains data about one instance of an entity. This is equivalent to a record.
- Each column contains data about one attribute of an entity. This is equivalent to a field.

Attributes
Primary Key
- An attribute or combination of attributes that can be used to uniquely identify a specific row (record) in a table.
Foreign Key
- An attribute in one table that is a primary key in another table. Used to link the two tables

Database Design Errors


If a database is not designed properly, data errors can occur.
- Update Anomaly - Changes to existing data are not correctly recorded, due to multiple records holding the same data attributes.
- Insert Anomaly - Unable to add a record to the database.
- Delete Anomaly - Removing a record also removes unintended data from the database.

Design Requirements for Relational Database
1. Every column must be single valued.
2. Primary keys must contain data (not null).
3. Foreign keys must contain the same data as the primary key in another table.
4. All other attributes must identify a characteristic of the table identified by the primary key.

Normalizing Relational Databases


- Initially, one table is used for all the data in a database.
- Following rules, the table is decomposed into multiple tables related by: Primary key–foreign key integration
- Decomposed set of tables are in third normal form (3NF).
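As an added illustration (not from the notes), the three anomalies and the normalized fix can be watched directly in SQLite: the single-table design is run through an update, an insert and a delete, then the same data is decomposed into customer and invoice tables linked by a primary key / foreign key pair and the operations are repeated. The table and column names and the sample rows are constructed for the example.

```python
import sqlite3

# Constructed sample data (not from the notes): three invoices for two customers.
FLAT_ROWS = [
    ("INV-101", "C1", "Acme Ltd", "W-10", 5),
    ("INV-102", "C1", "Acme Ltd", "W-11", 2),
    ("INV-103", "C2", "Birch Co", "W-10", 1),
]

def flat_design_anomalies() -> dict:
    """One table holds invoice and customer data together; returns which anomalies occur."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE sales (invoice_no TEXT NOT NULL PRIMARY KEY,
        customer_id TEXT NOT NULL, customer_name TEXT NOT NULL,
        item_code TEXT NOT NULL, qty INTEGER NOT NULL)""")
    db.executemany("INSERT INTO sales VALUES (?,?,?,?,?)", FLAT_ROWS)
    out = {}
    # Update anomaly: renaming the customer on one invoice leaves the other row stale.
    db.execute("UPDATE sales SET customer_name = 'Acme plc' WHERE invoice_no = 'INV-101'")
    names = {r[0] for r in db.execute("SELECT customer_name FROM sales WHERE customer_id = 'C1'")}
    out["update_inconsistent"] = len(names) > 1
    # Insert anomaly: a customer with no invoice yet cannot be stored (the key must be non-null).
    try:
        db.execute("INSERT INTO sales (customer_id, customer_name) VALUES ('C3', 'Cedar Inc')")
        out["insert_blocked"] = False
    except sqlite3.IntegrityError:
        out["insert_blocked"] = True
    # Delete anomaly: removing C2's only invoice removes the customer as well.
    db.execute("DELETE FROM sales WHERE invoice_no = 'INV-103'")
    out["delete_lost_customer"] = db.execute(
        "SELECT COUNT(*) FROM sales WHERE customer_id = 'C2'").fetchone()[0] == 0
    return out

def normalized_design() -> dict:
    """Same data split into customer and invoice tables linked by primary key / foreign key."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite enforces foreign keys only when asked
    db.executescript("""CREATE TABLE customer (customer_id TEXT NOT NULL PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE invoice (invoice_no TEXT NOT NULL PRIMARY KEY,
            customer_id TEXT NOT NULL REFERENCES customer(customer_id),
            item_code TEXT NOT NULL, qty INTEGER NOT NULL);""")
    db.executemany("INSERT OR IGNORE INTO customer VALUES (?,?)", [(r[1], r[2]) for r in FLAT_ROWS])
    db.executemany("INSERT INTO invoice VALUES (?,?,?,?)", [(r[0], r[1], r[3], r[4]) for r in FLAT_ROWS])
    out = {}
    db.execute("UPDATE customer SET name = 'Acme plc' WHERE customer_id = 'C1'")  # one row, no stale copy
    names = {r[0] for r in db.execute("SELECT c.name FROM invoice i JOIN customer c USING (customer_id) "
                                      "WHERE i.customer_id = 'C1'")}
    out["update_inconsistent"] = len(names) > 1
    db.execute("INSERT INTO customer VALUES ('C3', 'Cedar Inc')")  # no invoice required
    out["insert_blocked"] = False
    db.execute("DELETE FROM invoice WHERE invoice_no = 'INV-103'")  # customer C2 survives
    out["delete_lost_customer"] = db.execute(
        "SELECT COUNT(*) FROM customer WHERE customer_id = 'C2'").fetchone()[0] == 0
    try:  # requirement 3: a foreign key must match an existing primary key
        db.execute("INSERT INTO invoice VALUES ('INV-999', 'C9', 'W-10', 1)")
        out["fk_enforced"] = False
    except sqlite3.IntegrityError:
        out["fk_enforced"] = True
    return out
```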

Chapter 5
Common Threats to AIS
- Natural Disasters and Terrorist Threats
- Software Errors and/or Equipment Malfunction
- Unintentional Acts (Human Error)
- Intentional Acts (Computer Crimes)


What Is Fraud?
Gaining an unfair advantage over another person
- A false statement, representation, or disclosure
- A material fact that induces a person to act
- An intent to deceive
- A justifiable reliance on the fraudulent fact in which a person takes action
- An injury or loss suffered by the victim
- Individuals who commit fraud are referred to as white-collar criminals.

Forms of Fraud
Misappropriation of assets
- Theft of a company's assets.
- Largest factors for theft of assets: Absence of internal control system; Failure to enforce internal control system
Fraudulent financial reporting
- “…intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements”
(The Treadway Commission).

Reasons for Fraudulent Financial Statements
1. Deceive investors or creditors
2. Increase a company’s stock price
3. Meet cash flow needs
4. Hide company losses or other problems

Treadway Commission Actions to Reduce Fraud


1. Establish environment which supports the integrity of the financial reporting process.
2. Identification of factors that lead to fraud.
3. Assess the risk of fraud within the company.
4. Design and implement internal controls to provide assurance that fraud is being prevented.

SAS #99
Auditor's responsibility to detect fraud:
Understand fraud - Discuss risks of material fraudulent statements among members of the audit team
Obtain information - Look for fraud risk factors
Identify, assess, and respond to risk
Evaluate the results of audit tests - Determine the impact of fraud on financial statements
Document and communicate findings
Incorporate a technological focus

Opportunity - Condition or situation that allows a person or organization to:


1. Commit the fraud
2. Conceal the fraud
- Examples: lapping, kiting
3. Convert the theft or misrepresentation to personal gain

Rationalizations - Justification of illegal behavior


1. Justification - I am not being dishonest.
2. Attitude - I don’t need to be honest.
3. Lack of personal integrity - Theft is valued higher than honesty or integrity.

Computer Fraud
Any illegal act in which knowledge of computer technology is necessary for: Perpetration; Investigation; Prosecution

Rise of Computer Fraud


1. Definition is not agreed on
2. Many go undetected
3. High percentage is not reported
4. Lack of network security
5. Step-by-step guides are easily available
6. Law enforcement is overburdened
7. Difficulty calculating loss

Computer Fraud Classifications
Input Fraud - Alteration or falsifying input
Processor Fraud - Unauthorized system use
Computer Instructions Fraud - Modifying software, illegally copying software, using software in an unauthorized manner, or creating software to carry out unauthorized activities
Data Fraud - Illegally using, copying, browsing, searching, or harming company data
Output Fraud - Stealing, copying, or misusing computer printouts or displayed information

Chapter 6
Computer Attacks and Abuse
Hacking - Unauthorized access, modification, or use of a computer system or other electronic device
Social Engineering
- Techniques, usually psychological tricks, to gain access to sensitive data or information
- Used to gain access to secure systems or locations
Malware - Any software which can be used to do harm

Types of Computer Attacks


1. Botnet (Robot Network)
- Network of hijacked computers
- Hijacked computers carry out processes without the user's knowledge
- Zombie: a hijacked computer
2. Denial-of-Service (DoS) Attack
- Constant stream of requests made to a Web server (usually via a botnet) that overwhelms and shuts down the service
3. Spoofing
- Making an electronic communication look as if it comes from a trusted official source to lure the recipient into providing information

Types of Spoofing
E-mail - E-mail sender appears as if it comes from a different source
Caller-ID - Incorrect number is displayed
IP address - Forged IP address to conceal the identity of the sender of data over the Internet or to impersonate another computer system
Address Resolution Protocol (ARP) - Allows a computer on a LAN to intercept traffic meant for any other computer on the LAN
SMS - Incorrect number or name appears, similar to caller-ID but for text messaging
Web page - Phishing (see below)
DNS - Intercepting a request for a Web service and sending the request to a false service

Hacking Attacks
Cross-Site Scripting (XSS) - Unwanted code is sent via dynamic Web pages disguised as user input.
Buffer Overflow - Data is sent that exceeds the capacity of the receiving buffer, causing program instructions to be lost and replaced with attacker instructions.
SQL Injection (Insertion) - Malicious code is inserted in place of a query to a database system.
Man-in-the-Middle - Hacker places themselves between client and host.
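An added example (not part of the notes) of the SQL injection item above, in Python with SQLite: the first lookup splices user input into the query text and so lets the input change the query's structure, which is the defect auditors should look for; the second passes the input as a bound parameter so the database treats it strictly as a value. Table, column and user names are constructed for the example.

```python
import sqlite3

# Constructed sample table (not from the notes): employee records behind a
# "look up my record" screen in an AIS.
EMPLOYEES = [("E1", "alice", 52000), ("E2", "bob", 61000), ("E3", "carol", 58000)]

def _db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employee (emp_id TEXT PRIMARY KEY, username TEXT, salary INTEGER)")
    db.executemany("INSERT INTO employee VALUES (?,?,?)", EMPLOYEES)
    return db

def lookup_vulnerable(username: str) -> list:
    """Defective form: the input becomes part of the SQL text, so quote characters
    in it can rewrite the WHERE clause and return rows the caller is not entitled to."""
    db = _db()
    sql = "SELECT emp_id, salary FROM employee WHERE username = '" + username + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(username: str) -> list:
    """Corrected form: the query structure is fixed; the driver binds the input as a
    value, so whatever it contains is compared literally against the username column."""
    db = _db()
    sql = "SELECT emp_id, salary FROM employee WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()
```

The same tautology string that pulls every row out of the vulnerable lookup matches nothing in the parameterized one.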

Additional Hacking Attacks


Password Cracking - Penetrating system security to steal passwords
War Dialing - Computer automatically dials phone numbers looking for modems.
Phreaking - Attacks on phone systems to obtain free phone service.
Data Diddling - Making changes to data before, during, or after it is entered into a system.
Data Leakage - Unauthorized copying of company data.

Hacking Embezzlement Schemes
Salami Technique - Taking small amounts from many different accounts.
Economic Espionage - Theft of information, trade secrets, and intellectual property.
Cyber-Bullying - Using the Internet, cell phones, or other communication technologies to support deliberate, repeated, and hostile behavior that torments, threatens, harasses, humiliates, embarrasses, or otherwise harms another person.
Internet Terrorism - Act of disrupting electronic commerce and harming computers and communications.

Hacking for Fraud


Internet Misinformation - Using the Internet to spread false or misleading information
Internet Auction
- Using an Internet auction site to defraud another person
- Unfairly drive up bidding
- Seller delivers inferior merchandise or fails to deliver at all
- Buyer fails to make payment
Internet Pump-and-Dump - Using the Internet to pump up the price of a stock and then selling it

Social Engineering Techniques


Identity Theft - Assuming someone else's identity
Pretexting - Inventing a scenario that will lull someone into divulging sensitive information
Posing - Using a fake business to acquire sensitive information
Phishing - Posing as a legitimate company asking for verification-type information: passwords, accounts, usernames
Pharming - Redirecting Web site traffic to a spoofed Web site.
Lebanese Looping - Capturing ATM PIN and card numbers
Skimming - Double-swiping a credit card
Chipping - Planting a device to read credit card information in a credit card reader
Eavesdropping - Listening to private communications

Types of Malware
Spyware
- Secretly monitors and collects personal information about users and sends it to someone else
- Adware - Pops up banner ads on a monitor, collects information about the user's Web-surfing and spending habits, and forwards it to the adware creator
Key logging - Records computer activity, such as a user's keystrokes, e-mails sent and received, Web sites visited, and chat session participation
Trojan Horse
- Malicious computer instructions in an authorized and otherwise properly functioning program
- Time bombs/logic bombs - Idle until triggered by a specified date or time, by a change in the system, by a message sent to the system, or by an event that does not occur
Trap Door/Back Door - A way into a system that bypasses normal authorization and authentication controls
Packet Sniffers
- Capture data from information packets as they travel over networks
- Rootkit - Used to hide the presence of trap doors, sniffers, and key loggers; conceal software that originates a denial-of-service or an e-mail spam attack; and access user names and log-in information
Superzapping - Unauthorized use of special system programs to bypass regular system controls and perform illegal acts, all without leaving an audit trail

Chapter 7
Internal Control
System to provide reasonable assurance that objectives are met such as:
- Safeguard assets.
- Maintain records in sufficient detail to report company assets accurately and fairly.
- Provide accurate and reliable information.
- Prepare financial reports in accordance with established criteria.
- Promote and improve operational efficiency.
- Encourage adherence to prescribed managerial policies.
- Comply with applicable laws and regulations.

Functions
- Preventive - Deter problems
- Detective - Discover problems
- Corrective - Correct problems
Categories
- General - Overall IC system and processes
- Application - Transactions are processed correctly

Sarbanes-Oxley (2002)
- Designed to prevent financial statement fraud, make financial reports more transparent, protect investors, strengthen internal controls, and punish executives who perpetrate fraud
- Public Company Accounting Oversight Board (PCAOB) - Oversight of the auditing profession
- New Auditing Rules - Partners must rotate periodically and are prohibited from performing certain non-audit services
- New Roles for Audit Committee
- Be part of the board of directors and be independent
- One member must be a financial expert
- Oversees external auditors
- New Rules for Management
- Financial statements and disclosures are fairly presented, were reviewed by management, and are not misleading.
- The auditors were told about all material internal control weaknesses and fraud.
- New Internal Control Requirements - Management is responsible for establishing and maintaining an adequate internal control system.

SOX Management Rules
- Base the evaluation of internal control on a recognized framework.
- Disclose all material internal control weaknesses.
- Conclude that a company does not have effective financial reporting internal controls if there are material weaknesses.

Internal Control Frameworks


Control Objectives for Information and Related Technology (COBIT)
- Business objectives
- IT resources
- IT processes
Committee of Sponsoring Organizations (COSO)
- Internal control—integrated framework
- Control environment
- Control activities
- Risk assessment
- Information and communication
- Monitoring

Internal Control
Enterprise Risk Management Model
Risk-based vs. control-based
- COSO elements +
- Setting objectives
- Event identification
- Risk assessment
- Can be controlled but also: Accepted; Diversified; Shared; Transferred

Control Environment
- Management’s philosophy, operating style, and risk appetite
- The board of directors
- Commitment to integrity, ethical values, and competence
- Organizational structure
- Methods of assigning authority and responsibility
- Human resource standards
- External influences

ERM—Objective Setting
Strategic - High-level goals aligned with corporate mission
Operational - Effectiveness and efficiency of operations
Reporting - Complete and reliable; improves decision making
Compliance - Laws and regulations are followed

ERM—Event Identification - “…an incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of objectives.”
- Positive or negative impacts (or both)
- Events may trigger other events
- All events should be anticipated

Risk Assessment

Identify Risk
- Identify likelihood of risk
- Identify positive or negative impact
Types of Risk
- Inherent - Risk that exists before any plans are made to control it
- Residual - Remaining risk after controls are in place to reduce it

ERM—Risk Response
Reduce - Implement effective internal control
Accept - Do nothing, accept likelihood of risk
Share - Buy insurance, outsource, hedge
Avoid - Do not engage in activity that produces risk

Control Activities - Policies and procedures to provide reasonable assurance that control objectives are met:
- Proper authorization of transactions and activities - Signature or code on document to signal authority over a process
- Segregation of duties
- Project development and acquisition controls
- Change management controls
- Design and use of documents and records
- Safeguarding assets, records, and data
- Independent checks on performance

Segregation of Accounting Duties - No one employee should be given too much responsibility
Separate:
- Authorization - Approving transactions and decisions
- Recording - Preparing source documents; Entering data into an AIS; Maintaining accounting records
- Custody - Handling cash, inventory, fixed assets; Receiving incoming checks; Writing checks
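An added example (not from the notes) of checking the three-way separation above against a set of role assignments: the duty categories are the three listed in the notes, while the permission names, users and assignments are constructed for the example. It also reports permissions that fall outside the control matrix, since the check is blind to those.

```python
# Duty categories from the notes; the permission names under each are constructed
# for this example and would come from the AIS's role definitions in practice.
DUTY_CATEGORIES = {
    "authorization": {"approve_transaction", "approve_journal_entry"},
    "recording": {"prepare_source_document", "enter_data", "maintain_ledger"},
    "custody": {"handle_cash", "manage_inventory", "receive_checks", "write_checks"},
}

# Constructed user-to-permission assignments (not from the notes).
ASSIGNMENTS = {
    "alice": {"approve_transaction", "maintain_ledger"},               # authorization + recording
    "bob": {"enter_data", "prepare_source_document", "view_reports"},  # recording only
    "carol": {"handle_cash", "write_checks"},                          # custody only
    "dave": {"approve_journal_entry", "handle_cash", "enter_data"},    # all three
}

def sod_conflicts(assignments: dict) -> dict:
    """Return, for each user holding duties in two or more categories, the
    categories held and the permissions that put them there."""
    conflicts = {}
    for user, perms in assignments.items():
        held = {cat: sorted(perms & duty_perms)
                for cat, duty_perms in DUTY_CATEGORIES.items() if perms & duty_perms}
        if len(held) > 1:
            conflicts[user] = held
    return conflicts

def unclassified_permissions(assignments: dict) -> set:
    """Permissions assigned to someone but mapped to no duty category: the check
    cannot see them, so the control matrix needs updating before relying on it."""
    known = set().union(*DUTY_CATEGORIES.values())
    return set().union(*assignments.values()) - known
```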

Information and Communication


Primary purpose of an AIS: 1) Gather, 2) Record, 3) Process, 4) Summarize, 5) Communicate

Monitoring
- Evaluate internal control framework.
- Effective supervision.
- Responsibility accounting system.
- Monitor system activities.
- Track purchased software and mobile devices.
- Conduct periodic audits.
- Employ a security officer and compliance officer.
- Engage forensic specialists.
- Install fraud detection software.
- Implement a fraud hotline.

Segregation of System Duties - Like accounting duties, system duties should also be separated.
These duties include:
- System administration
- Network management
- Security management
- Change management
- Users
- Systems analysts
- Programmers
- Computer operators
- Information system librarian
- Data control
