ASAP M Tute08 Answers Guide


University of Adelaide Adelaide Business School

ACCOUNTING SYSTEMS and PROCESSES (M)


TUTORIAL 8 – Answers Guide

BEFORE TUTORIAL 8

1 Read the material indicated below and attempt answers to the questions that
follow.

Material to read:
MyUni > Data Analytics – Microsoft Power BI Material > Topic 7 – From dimensional model to stunning report in Power BI Desktop.pdf

Key aims of Topic 7 are to strengthen understanding of importing data from multiple MS Excel sheets; table relationships; data preparation including creating field hierarchies, hiding columns, renaming of tables; creating calculated measures using DAX; and creating advanced interactive reports using conditional formatting and slicers.

Students are expected to learn basic hands-on skills to carry out these tasks.

Students are expected to attempt tasks in this document before the tute and raise
questions about issues encountered during the tute.

2 Prepare the answers to the following questions from Control and Accounting Information Systems and Controls for Information Security (Romney & Steinbart, Chapters 10 and 11).

Question 1
One function of the AIS is to provide adequate controls to ensure the safety of
organizational assets, including data. However, many people view control procedures
as “red tape.” They also believe that, instead of producing tangible benefits, business
controls create resentment and loss of company morale. Discuss this position.

Well-designed controls should not be viewed as “red tape” because they can
actually improve both efficiency and effectiveness. The benefits of business
controls are evident if one considers the losses that frequently occur due to the
absence of controls.

Consider a control procedure mandating weekly backup of critical files. Regular performance of this control prevents the need to spend a huge amount of time and money recreating files that are lost when the system crashes, if it is even possible to recreate the files at all. Similarly, control procedures that require workers to design structured spreadsheets can help ensure that the spreadsheet decision aids are auditable and that they are documented well enough so that other workers can use them.

It is probably impossible to eliminate resentment or loss of morale among all employees, but these factors may be minimized if controls are administered fairly and courteously.

Of course, there is a cost-benefit tradeoff in implementing internal controls. If an organization has too many controls, this may justifiably generate resentment and loss of morale among employees. Controls having only marginal economic benefit may be rejected for this reason.

Another factor is the obtrusiveness of the controls. When the user sees no clear
need or purpose to a control it can appear to be there only to control them and
little more than that. When the user does not understand their purpose, controls
can often provoke resentment.

Question 2
Explain how the principle of separation of duties is violated in each of the following
situations. Also, suggest one or more procedures to reduce the risk and exposure
highlighted in each example.

i. A payroll clerk recorded a 40-hour workweek for an employee who had quit the previous week. He then prepared a paycheck for this employee, forged her signature, and cashed the check.

PROBLEM: Segregation of duties is violated here because the payroll clerk had the ability to record time worked and to prepare the payroll check (custody). This allowed the payroll clerk to both commit and conceal the fraud. The payroll clerk ignored the authorization process or had the authority to authorize the payment.

SOLUTION: These three functions should be segregated. One person should authorize payments, another should record the payments, a third should prepare the check, and a fourth should sign it.

ii. A cashier prepared a fictitious invoice from a company using his brother-in-law’s name. He wrote a check in payment of the invoice, which the brother-in-law later cashed.

PROBLEM: Segregation of duties is violated here because the cashier had the ability to both write the check (custody) and approve the invoice for payment (authorization).

SOLUTION: The functions of authorizing invoices for payment and preparing checks for signature should be organizationally independent.

iii. An employee of the finishing department walked off with several parts
from the storeroom and recorded the items in the inventory ledger as
having been issued to the assembly department.

PROBLEM: Employees can commit and conceal fraud when they have
access to physical inventory (custody) and to inventory records
(recording).

SOLUTION: This can be prevented by restricting storeroom access to authorized employees only. Likewise, access to inventory records should be limited to authorized employees. Where possible, no storeroom employee should have access to both the physical inventory and the inventory records.

iv. Several customers returned clothing purchases. Instead of putting the clothes into a return bin to be put back on the rack, a clerk put the clothing in a separate bin under some cleaning rags. After her shift, she transferred the clothes to a gym bag and took them home.

PROBLEM: The clerk was authorized to accept the return, grant credit, and had custody of the inventory. It is also possible that the clerk may have had responsibility to record the returns, but did not do so to cover the theft.

Accounting Systems and Processes (M) Tutorial 8 Page 2

SOLUTION: All purchase returns should be documented by preparing a customer receipt and recording the return in a purchase returns journal. No cash or credit can be given without the return being authorized by a supervisor and recorded in the cash register's data files.

The purchase returns area should be kept clean and orderly so that returns cannot be hidden among excess returns. Employees should not be allowed to have gym bags or other personal items that could conceal stolen items in work areas.

v. An insurance claims adjuster had check signing authority of up to $6,000. The adjuster created three businesses that billed the insurance company for work not performed on valid claims. The adjuster wrote and signed checks to pay for the invoices, none of which exceeded $6,000.

PROBLEM: The adjuster had authorization to add vendors to the vendor master file, authorization to write checks up to $6,000, and custody of the signed checks. Apparently, the adjuster also had some recording duties (maintaining the vendor master file).

SOLUTION: The functions of signing checks for invoices, approving vendors, and maintaining the vendor master file should be organizationally independent. Payments should not be made to anyone who is not on the approved vendor list. Controls should be put into place to ensure that employees cannot add an unauthorized or unapproved vendor to the vendor master file.
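One way a payments system can enforce the four-way split the answer guide prescribes (authorize, record, prepare, sign) together with the approved-vendor rule from item v, as an added Python example that is not part of the tutorial materials; the workflow model, step names, users and vendors are constructed for illustration:

```python
# Added example (constructed, not from the answer guide): segregation-of-duties checks for a payment workflow.
from dataclasses import dataclass, field

# The four functions the Q2(i) solution assigns to four different people, in order.
STEPS = ("authorize", "record", "prepare_check", "sign_check")

class SoDViolation(Exception):
    """Raised when one person would hold incompatible duties on a payment."""

@dataclass
class Payment:
    payee: str
    amount: float
    performed_by: dict = field(default_factory=dict)  # step -> user who did it

class PaymentWorkflow:
    def __init__(self, approved_vendors, vendor_added_by):
        self.approved_vendors = set(approved_vendors)
        # vendor -> user who added it to the vendor master file (the Q2(v) recording duty)
        self.vendor_added_by = dict(vendor_added_by)

    def perform(self, payment, step, user):
        # Q2(v): pay only approved vendors, and whoever maintains the master
        # file must not also be the one paying a vendor they added.
        if payment.payee not in self.approved_vendors:
            raise SoDViolation(f"{payment.payee!r} is not an approved vendor")
        if self.vendor_added_by.get(payment.payee) == user:
            raise SoDViolation(f"{user} added {payment.payee!r} and cannot pay it")
        # Steps run in order, so authorization always precedes custody of the check.
        remaining = STEPS[len(payment.performed_by):]
        if not remaining or step != remaining[0]:
            raise SoDViolation(f"step {step!r} is not next for this payment")
        # Q2(i)-(ii): the same person never performs two functions on one payment.
        if user in payment.performed_by.values():
            raise SoDViolation(f"{user} already performed a step on this payment")
        payment.performed_by[step] = user
        return payment

def is_complete(payment):
    """True once all four segregated functions have been performed."""
    return len(payment.performed_by) == len(STEPS)

def attempt(workflow, payment, step, user):
    """Return None on success, otherwise the violation message (for the audit log)."""
    try:
        workflow.perform(payment, step, user)
        return None
    except SoDViolation as exc:
        return str(exc)
```

A real system would persist `performed_by` and the alert messages, so the recorded chain of users becomes the audit trail that makes concealment visible.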

Question 3
What are the advantages and disadvantages of the three types of authentication
credentials (something you know, something you have, and something you are)?

Type of Credential: Something you know
Advantages:
+ Easy to use
+ Universal – no special hardware required
+ Revocable – can cancel and create new credential if compromised
Disadvantages:
- Easy to forget or guess
- Hard to verify who is presenting the credential
- May not notice compromise immediately

Type of Credential: Something you have
Advantages:
+ Easy to use
+ Revocable – can cancel and reissue new credential if compromised
+ Quickly notice if lost or stolen
Disadvantages:
- May require special hardware if not a USB token (i.e., if a smart card, need a card reader)
- Hard to verify who is presenting the credential

Type of Credential: Something you are (biometric)
Advantages:
+ Strong proof who is presenting the credential
+ Hard to copy/mimic
+ Cannot be lost, forgotten, or stolen
Disadvantages:
- Cost
- Requires special hardware, so not universally applicable
- User resistance. Some people may object to use of fingerprints; some culture groups may refuse face recognition, etc.
- May create threat to privacy. For example, retina scans may reveal health conditions.
- False rejection due to change in biometric characteristic (e.g., voice recognition may fail if have a cold).
- Not revocable. If the biometric template is compromised, it cannot be re-issued (e.g., you cannot assign someone a new fingerprint).

Question 4
Which preventive, detective, and/or corrective controls would best mitigate the
following threats?

a. An employee’s laptop was stolen at the airport. The laptop contained personally identifying information about the company’s customers that could potentially be used to commit identity theft.

Preventive: Policies against storing sensitive information on laptops, and requiring that any such information that must exist on the laptop be encrypted.

Training on how to protect laptops while traveling to minimize the risk of theft.

Corrective: Installation of “phone home” software might help the organization either recover the laptop or remotely erase the information it contains.

b. A salesperson successfully logged into the payroll system by guessing the payroll supervisor’s password.

Preventive: Strong password requirements such as at least an 8-character length, use of multiple character types, random characters, and requiring that passwords be changed frequently.

Detective: Locking out accounts after 3-5 unsuccessful login attempts; since this was a “guessing” attack, it may have taken more than a few attempts to log in.

c. A criminal remotely accessed a sensitive database using the authentication credentials (user ID and strong password) of an IT manager. At the time the attack occurred, the IT manager was logged into the system at his workstation at company headquarters.

Preventive: Integrate physical and logical security. In this case, the system should reject any attempt by a user to log into the system remotely if that same user is already logged in from a physical workstation.

Detective: Having the system notify appropriate security staff about such an
incident.
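The lockout control from item b and the physical/logical integration control from item c, implemented together in one login monitor as an added Python example that is not part of the tutorial materials; the threshold, origin labels, session model and alert messages are constructed for illustration:

```python
# Added example (constructed, not from the answer guide): login monitor for the
# Q4(b) lockout control and the Q4(c) physical/logical integration control.
from collections import defaultdict

MAX_FAILURES = 5               # within the 3-5 attempts the answer guide suggests
ORIGINS = ("local", "remote")  # local = physical workstation at headquarters

class AuthMonitor:
    def __init__(self, max_failures=MAX_FAILURES):
        self.max_failures = max_failures
        self.failures = defaultdict(int)   # user -> consecutive failed attempts
        self.locked = set()                # users currently locked out
        self.sessions = defaultdict(set)   # user -> origins with an active session
        self.alerts = []                   # messages for security staff (detective)

    def login(self, user, credential_ok, origin):
        """Return (accepted, reason) for one login attempt."""
        if origin not in ORIGINS:
            raise ValueError(f"unknown origin {origin!r}")
        if user in self.locked:
            return False, "account locked"
        if not credential_ok:
            # Q4(b): count failures and lock the account once the threshold is hit,
            # so a guessing attack cannot run unbounded.
            self.failures[user] += 1
            if self.failures[user] >= self.max_failures:
                self.locked.add(user)
                self.alerts.append(f"{user}: locked after {self.failures[user]} failures")
                return False, "account locked"
            return False, f"bad credential ({self.failures[user]}/{self.max_failures})"
        # Q4(c): a valid credential is still rejected for a remote login when the
        # same user is already logged in at a physical workstation, and staff are told.
        if origin == "remote" and "local" in self.sessions[user]:
            self.alerts.append(f"{user}: remote login attempted while logged in locally")
            return False, "already logged in at a local workstation"
        self.failures[user] = 0
        self.sessions[user].add(origin)
        return True, "ok"

    def logout(self, user, origin):
        self.sessions[user].discard(origin)

    def unlock(self, user):
        """Corrective step taken by an administrator after verifying the user."""
        self.locked.discard(user)
        self.failures[user] = 0
```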

d. An employee received an email purporting to be from her boss informing her of an important new attendance policy. When she clicked on a link embedded in the email to view the new policy, she infected her laptop with a keystroke logger.

Preventive: Security awareness training is the best way to prevent such problems. Employees should be taught that this is a common example of a sophisticated phishing scam.

Detective and corrective: Anti-spyware software that automatically checks for and cleans all detected spyware on an employee's computer as part of the logon process for accessing a company's information system.

DURING TUTORIAL 8
• Contribute to the class discussion of the above questions.
Please remember that you’ll enhance your learning by ACTIVELY
PARTICIPATING in the discussions.
