ACC444 Final

  1. Companies face four threats to their information systems:
    • Natural and political disasters
    • Software errors and equipment malfunction
    • Unintentional acts
    • Intentional acts (computer crime)
  2. Three types of occupational fraud:
    • Misappropriation of assets
    • Corruption
    • Fraudulent statements
  3. Misappropriation of assets
    Involves theft, embezzlement, or misuse of company assets for personal gain

    Examples: billing schemes, check tampering, skimming, theft of inventory
  4. Corruption
    Involves the wrongful use of a position, contrary to the responsibilities of that position, to procure a benefit.

    Examples: kickback schemes, conflict of interest schemes
  5. Fraudulent statements
    Involves misstating the financial condition of an entity by intentionally misstating amounts or disclosures in order to deceive users.
  6. Lapping
    Stealing the cash or check that customer A mails in to pay its accounts receivable; funds received at a later date from customer B are then used to pay off customer A's balance. Funds from customer C are used to pay off customer B, and so forth.
  7. Kiting
    Creating cash by taking advantage of the timing lag between depositing a check and the check clearing the bank.
  8. Data diddling
    Changing data before, during, or after it is entered into the system.
  9. Hijacking
    Gaining control of someone else's computer to carry out illicit activities, such as sending spam without the computer user's knowledge
  10. Logic time bomb
    A program that lies idle until some specified circumstance or a particular time triggers it. Once triggered, the program sabotages the system by destroying programs or data.
  11. Round-down technique
    The programmer instructs the computer to round down all interest rates to two decimal places. The fraction of a cent rounded down on each calculation is put into the programmer's own account

    (think Office Space)
  12. Salami technique
    A fraud technique in which tiny slices of money are stolen from many different accounts.
  13. Superzapping
    The unauthorized use of a special system program to bypass regular system controls and perform illegal acts.
  14. COSO's internal control model has five crucial components:
    • Control environment
    • Control activities
    • Risk assessment
    • Information and communication
    • Monitoring
  15. Expected loss equation:
    • Expected loss = impact x likelihood
    • (EL = I x L)
  16. SOX Sections 302 & 906
    Requires that the CEO and CFO certify the accuracy of the financial statements.
  17. SOX Section 404
    Requires that the annual report include a report on the company's internal controls
  18. Time-based model's three variables (P, D, C)
    • P = Time it takes an attacker to break through the organization's preventative controls
    • D = Time it takes to detect that an attack is in progress
    • C = Time to respond to the attack
  19. Security procedures are effective when: (equation)
    P > (D + C)
  20. Border router
    Connects an organization's information system to the Internet
  21. Demilitarized zone (DMZ)
    Web and email servers that sit outside the corporate private network but are still accessible from the Internet.
  22. Two basic mechanisms for protecting consumers' personal information:
    • Encryption
    • Access controls
  23. 2 basic types of data transmission controls
    • Parity checking
    • Message acknowledgement
  24. Output controls include:
    • User review of output
    • Reconciliation procedures
    • External data reconciliation
  25. The auditor's role in systems development should be:
    • Limited to an independent review of system development activities
    • Not involved in system development
    • Reviewing policies, procedures, standards, and documentation for systems and programs
  26. Inadequate development controls can be compensated by implementing:
    Strong processing controls
  27. Two techniques to detect unauthorized program changes:
    • Reprocessing
    • Parallel simulation
  28. Auditors commonly use five concurrent audit techniques:
    • Integrated test facility (ITF) technique
    • Snapshot technique
    • System control audit review file (SCARF)
    • Audit hooks
    • Continuous and intermittent simulation (CIS)
  29. ITF technique
    Places a small set of fictitious records in the master files
  30. Snapshot technique
    Examines the way transactions are processed. Audit modules in the program record these transactions and their master file records before and after processing.
  31. System control audit review file (SCARF)
    Uses embedded audit modules to continuously monitor transaction activity and collect data.

    • Records transactions that:
    • - Exceed a specified dollar limit
    • - Involve inactive accounts
  32. Audit hooks
    Flag suspicious transactions
  33. Continuous and intermittent simulation (CIS)
    • Similar to SCARF
    • Processes the data independently
    • Records the results
    • Compares results with those obtained by the DBMS
  34. Four basic business activities performed in the revenue cycle:
    • Sales order entry
    • Shipping
    • Billing
    • Cash collection
  35. Steps in the sales order entry process:
    • Take the customer's order
    • Check the customer's credit
    • Check inventory availability
    • Respond to customer inquiries
  36. Four threats in the sales order entry process:
    • Incomplete or inaccurate customer orders
    • Sales to customers with poor credit
    • Orders that are not legitimate
    • Stockouts, carrying costs, markdowns
  37. Bill of lading and what it identifies:
    Legal contract that defines responsibility for goods in transit

    • It identifies:
    • - Carrier
    • - Source
    • - Destination
    • - Special shipping instructions
    • - Who pays for shipping
  38. Two basic ways to maintain accounts receivable:
    • Open-invoice method
    • Balance forward method
  39. Open-invoice method
    Customers pay according to each invoice
  40. Balance forward method
    Customers pay according to amount on their monthly statement, rather than by invoice
  41. Three basic activities performed in the expenditure cycle:
    • Ordering goods, supplies, and services
    • Receiving and storing these items
    • Paying for these items
  42. 3 alternate approaches to inventory control:
    • Economic order quantity (EOQ)
    • Materials requirements planning (MRP)
    • Just in time inventory (JIT)
  43. EOQ goal
    Maintain enough stock so that production doesn't get interrupted
  44. MRP goal:
    Reduce inventory levels by carefully scheduling production and purchasing around sales forecasts.
  45. JIT goal
    Minimize or eliminate inventory by purchasing or producing only in response to actual sales (rather than forecasted)
  46. Order processing typically begins with a:
    Purchase request, followed by the generation of a purchase order
  47. Purchase order
    Document or electronic form that formally requests a supplier to sell and deliver specified products at specified prices. It is both a contract and a promise to pay.
  48. Threats in the process of ordering goods include:
    • Stockouts/Excess inventory
    • Ordering unnecessary items
    • Purchasing goods at inflated prices
    • Purchasing goods at inferior quality
    • Purchasing from unauthorized suppliers
    • Kickbacks
  49. Receiving report
    Primary document used to decide whether there is a valid purchase order.
  50. When goods arrive, a receiving clerk compares:
    The PO number on the packing slip with the open PO file to verify the goods were ordered.
  51. Voucher package consists of:
    Vendor invoice and supporting documentation
  52. Pay rate information is obtained from the:
    Payroll master file.
  53. 2 types of payroll deductions:
    • Payroll tax withholdings
    • Voluntary deductions
  54. Threats in the employment practices area are:
    • Hiring unqualified or larcenous employees
    • Violation of employment law
  55. Proper segregation of duties in payroll:
    • Only the HRM department should be able to update the payroll master file
    • HRM employees should not directly participate in payroll processing or distribution
  56. Basic activities in the GLARS are:
    • Update the general ledger
    • Post financial statements
    • Prepare financial statements
    • Produce managerial reports
  57. Updating the general ledger consists of posting journal entries from 2 sources:
    • Summary journal entries (routine transactions)
    • Individual journal entries (non-routine transactions)
  58. Accruals
    Involves an event that has occurred for which the related cash flow has not yet taken place
  59. Deferrals
    Involves a situation where the cash flow takes place before the related revenue is earned or the expense is incurred
  60. Estimates
    Used to recognize expenses that cannot be directly attributed to a related revenue (e.g., depreciation expense or bad debt expense)
  61. Re-evaluations
    Reconciling actual and recorded values of assets
  62. Income statements are prepared using:
    balances in the revenue, expense, gain, and loss accounts listed on the adjusted trial balance.
  63. Closing entries
    After preparation of the income statement, all related accounts are closed and balances are transferred to retained earnings
  64. Statement of stockholders' equity
    Reconciles the changes in the stockholders' equity accounts
  65. Balance sheet
    • Presents balances in the permanent accounts:
    • - Assets
    • - Liabilities
    • - Owners' equity
  66. Statement of cash flows
    • Presents changes in cash for the period categorized by:
    • - Operating activities
    • - Investing activities
    • - Financing activities
  67. XBRL
    Extensible Business Reporting Language

    Variant of XML designed to specifically communicate the contents of financial data.
  68. SOX section 404
    Management must report on their internal controls over financial reporting in their annual report
  69. SOX section 301
    Audit committee responsible for appointing, compensating, and overseeing work of external auditors.
  70. SOX section 303
    Unlawful for any officer or director of a public company to make financial statements materially misleading.