September 19, 2022 8:10 AM: New Section 1 Page 1
What is Documentation
• Set of documents and models
- Narrative, data flow models, flowcharts
• Describe who, what, why, when and where of systems
- Input, process, storage, output, and controls
Entity
- Represents a source of data or input into the system or
- Represents a destination of data or output from the system
Data Flows
- Movement of data among:
- Entities (sources or destinations)
- Processes
- Data stores
- Label should describe the information moving
Flow Charts
Types of Flowcharts
• Document
- Illustrates the flow of documents through an organization
- Useful for analyzing internal control procedures
• System
- Logical representation of system inputs, processes, and outputs
- Useful in systems analysis and design
• Program
- Represent the logical sequence of program logic
Data Hierarchy
• Field - Attributes about an entity
• Record - Related group of fields
• File - Related group of records
• Database - Related group of files
Database Terminology
• Database Management System (DBMS)
- Interface between software applications and the data in files.
• Database Administrator (DBA)
- Person responsible for maintaining the database
• Data Dictionary
- Information about the structure of the database: field names, descriptions, uses
Relational Database
- Relational data model represents the conceptual and external level schemas as if data are stored in tables.
- Table
- Each row, a tuple, contains data about one instance of an entity. This is equivalent to a record
- Each column contains data about one attribute of an entity. This is equivalent to a field
Attributes
Primary Key
- An attribute or combination of attributes that can be used to uniquely identify a specific row (record) in a table.
Foreign Key
- An attribute in one table that is a primary key in another table. Used to link the two tables
Chapter 5
Common Threats to AIS
- Natural Disasters and Terrorist Threats
- Software Errors and/or Equipment Malfunction
- Unintentional Acts (Human Error)
- Intentional Acts (Computer Crimes)
What Is Fraud?
Gaining an unfair advantage over another person
- A false statement, representation, or disclosure
- A material fact that induces a person to act
- An intent to deceive
- A justifiable reliance on the fraudulent fact in which a person takes action
- An injury or loss suffered by the victim
- Individuals who commit fraud are referred to as white-collar criminals.
Forms of Fraud
Misappropriation of assets
- Theft of a company's assets.
- Largest factors for theft of assets: Absence of internal control system; Failure to enforce internal control system
Fraudulent financial reporting
- “…intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements”
(The Treadway Commission).
SAS #99
Auditors responsibility to detect fraud
Understand fraud - Discuss risks of material fraudulent statements among members of the audit team
Obtain information - Look for fraud risk factors
Identify, assess, and respond to risk
Evaluate the results of audit tests - Determine impact of fraud on financial statements
Document and communicate findings
Incorporate a technological focus
Computer Fraud
Any illegal act in which knowledge of computer technology is necessary for: Perpetration; Investigation; Prosecution
Chapter 6
Computer Attacks and Abuse
Hacking - Unauthorized access, modification, or use of a computer system or other electronic device
Social Engineering
- Techniques, usually psychological tricks, to gain access to sensitive data or information
- Used to gain access to secure systems or locations
Malware - Any software which can be used to do harm
Types of Spoofing
E-mail - E-mail sender appears as if it comes from a different source
Caller-ID - Incorrect number is displayed
IP address - Forged IP address to conceal identity of sender of data over the Internet or to impersonate another computer system
Address Resolution Protocol (ARP) - Allows a computer on a LAN to intercept traffic meant for any other computer on the LAN
SMS - Incorrect number or name appears, similar to caller-ID but for text messaging
Web page - Phishing (see below)
DNS - Intercepting a request for a Web service and sending the request to a false service
Hacking Attacks
Cross-Site Scripting (XSS) - Unwanted code is sent via dynamic Web pages disguised as user input.
Buffer Overflow - Data is sent that exceeds computer capacity causing program instructions to be lost and replaced with attacker instructions.
SQL Injection (Insertion) - Malicious code is inserted in the place of query to a database system.
Man-in-the-Middle - Hacker places themselves between client and host.
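The SQL injection entry above is the one item in this list that a short demonstration makes concrete. The following is an added example, not from the course notes: it builds a constructed in-memory SQLite table and compares a login query that concatenates user input into the SQL text with the parameterized form that binds the input as data.

```python
import sqlite3

def build_db():
    # Constructed in-memory table (not from the notes) so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 'correct-horse')")
    return conn

def login_vulnerable(conn, name, pw):
    # Input is concatenated into the query text, so a quote character in the
    # input can change the statement's logic: this is the insertion point the
    # notes describe.
    sql = f"SELECT id FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return conn.execute(sql).fetchone() is not None

def login_safe(conn, name, pw):
    # Parameter binding sends the input as data; the driver never parses it as SQL.
    sql = "SELECT id FROM users WHERE name = ? AND pw = ?"
    return conn.execute(sql, (name, pw)).fetchone() is not None

def compare(name, pw):
    """Return (vulnerable_result, safe_result) for the same credentials."""
    conn = build_db()
    try:
        return login_vulnerable(conn, name, pw), login_safe(conn, name, pw)
    finally:
        conn.close()
```

With the correct password both functions return True; with the classic tautology `' OR '1'='1` as the password only the concatenated version does, which is the control failure to look for in code review.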
Type of Malware
Spyware
- Secretly monitors and collects personal information about users and sends it to someone else
- Adware - Pops banner ads on a monitor, collects information about the user’s Web-surfing and spending habits, and forwards it to the adware creator
Key logging - Records computer activity, such as a user’s keystrokes, e-mails sent and received, Web sites visited, and chat session participation
Trojan Horse
- Malicious computer instructions in an authorized and otherwise properly functioning program
- Time bombs/logic bombs - Idle until triggered by a specified date or time, by a change in the system, by a message sent to the system, or by an event that does not occur
Trap Door/Back Door - A way into a system that bypasses normal authorization and authentication controls
Packet Sniffers
- Capture data from information packets as they travel over networks
- Rootkit - Used to hide the presence of trap doors, sniffers, and key loggers; conceal software that originates a denial-of-service or an e-mail spam attack; and access user names and log-in information
Superzapping - Unauthorized use of special system programs to bypass regular system controls and perform illegal acts, all without leaving an audit trail
Chapter 7
Internal Control
System to provide reasonable assurance that objectives are met such as:
- Safeguard assets.
- Maintain records in sufficient detail to report company assets accurately and fairly.
- Provide accurate and reliable information.
- Prepare financial reports in accordance with established criteria.
- Promote and improve operational efficiency.
- Encourage adherence to prescribed managerial policies.
- Comply with applicable laws and regulations.
Functions
- Preventive - Deter problems
- Detective - Discover problems
- Corrective - Correct problems
Categories
- General - Overall IC system and processes
- Application - Transactions are processed correctly
Internal Control
Enterprise Risk Management Model
Risk-based vs. control-based
- COSO elements +
- Setting objectives
- Event identification
- Risk assessment
- Can be controlled but also: Accepted; Diversified; Shared; Transferred
Control Environment
- Management’s philosophy, operating style, and risk appetite
- The board of directors
- Commitment to integrity, ethical values, and competence
- Organizational structure
- Methods of assigning authority and responsibility
- Human resource standards
- External influences
ERM—Objective Setting
Strategic - High-level goals aligned with corporate mission
Operational - Effectiveness and efficiency of operations
Reporting - Complete and reliable and Improve decision making
Compliance - Laws and regulations are followed
ERM—Event Identification - “…an incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of objectives.”
- Positive or negative impacts (or both)
- Events may trigger other events
- All events should be anticipated
Risk Assessment
ERM—Risk Response
Reduce - Implement effective internal control
Accept - Do nothing, accept likelihood of risk
Share - Buy insurance, outsource, hedge
Avoid - Do not engage in activity that produces risk
Control Activities - Policies and procedures to provide reasonable assurance that control objectives are met:
- Proper authorization of transactions and activities - Signature or code on document to signal authority over a process
- Segregation of duties
- Project development and acquisition controls
- Change management controls
- Design and use of documents and records
- Safeguarding assets, records, and data
- Independent checks on performance
Segregation of Accounting Duties - No one employee should be given too much responsibility
Separate:
- Authorization - Approving transactions and decisions
- Recording - Preparing source documents; Entering data into an AIS; Maintaining accounting records
- Custody - Handling cash, inventory, fixed assets; Receiving incoming checks; Writing checks
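The three duty classes listed above (authorization, recording, custody) can be checked mechanically against a role assignment list. The following is an added example, not from the course notes: it takes constructed (employee, duty, process) assignments and reports every employee who holds two or more of the incompatible duties within the same process.

```python
from collections import defaultdict

# The three duty classes the notes say must be kept in separate hands.
DUTIES = {"authorization", "recording", "custody"}

def segregation_violations(assignments):
    """assignments: iterable of (employee, duty, process) tuples.
    Returns {(employee, process): sorted duties} for every employee holding
    more than one duty class in the same process; empty dict means no conflict."""
    held = defaultdict(set)
    for employee, duty, process in assignments:
        if duty not in DUTIES:
            raise ValueError(f"unknown duty class: {duty}")
        held[(employee, process)].add(duty)
    return {key: sorted(d) for key, d in held.items() if len(d) > 1}

# Constructed sample role assignments (hypothetical names, not from the notes).
SAMPLE = [
    ("dana", "authorization", "cash disbursements"),  # approves payments
    ("dana", "custody", "cash disbursements"),        # also writes checks: conflict
    ("lee", "recording", "cash disbursements"),       # posts to the ledger
    ("lee", "recording", "payroll"),
    ("sam", "custody", "payroll"),
]
```

Running `segregation_violations(SAMPLE)` flags only dana, who both authorizes and has custody in cash disbursements; lee recording in two different processes is not a conflict under these rules.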
Monitoring
- Evaluate internal control framework.
- Effective supervision.
- Responsibility accounting system.
- Monitor system activities.
- Track purchased software and mobile devices.
- Conduct periodic audits.
- Employ a security officer and compliance officer.
- Engage forensic specialists.
- Install fraud detection software.
- Implement a fraud hotline.
Segregation of System Duties - Like accounting duties, system duties should also be separated.
These duties include:
- System administration
- Network management
- Security management
- Change management
- Users
- Systems analysts
- Programmers
- Computer operators
- Information system librarian
- Data control