-
Companies face four threats to their information systems:
- Natural and political disasters
- Software errors and equipment malfunction
- Unintentional acts
- Intentional acts (computer crime)
-
Three types of occupational fraud:
- Misappropriation of assets
- Corruption
- Fraudulent statements
-
Misappropriation of assets
Involves theft, embezzlement, or misuse of company assets for personal gain
Examples: billing schemes, check tampering, skimming, theft of inventory
-
Corruption
Involves the wrongful use of a position, contrary to the responsibilities of that position, to procure a benefit.
Examples: kickback schemes, conflict of interest schemes
-
Fraudulent statements
Involves misstating the financial condition of an entity by intentionally misstating amounts or disclosures in order to deceive users.
-
Lapping
Stealing cash or a check that customer A mails in to pay its accounts receivable; funds received at a later date from customer B are then used to pay off customer A's balance. Funds from customer C are used to pay off customer B, and so forth.
-
Kiting
Creating cash by taking advantage of the timing lag between depositing a check and the check clearing the bank.
-
Data diddling
Changing data before, during, or after it is entered into the system.
-
Hijacking
Gaining control of someone else's computer to carry out illicit activities, such as sending spam without the computer user's knowledge
-
Logic time bomb
A program that lies idle until some specified circumstance or a particular time triggers it. Once triggered, the program sabotages the system by destroying programs or data.
-
Round-down technique
The programmer instructs the computer to round down all interest rates to two decimal places. The fraction of a cent rounded down on each calculation is put into the programmer's own account.
(think Office Space)
-
Salami technique
A fraud technique in which tiny slices of money are stolen from many different accounts.
-
Superzapping
The unauthorized use of a special system program to bypass regular system controls and perform illegal acts.
-
COSO's internal control model has five crucial components:
- Control environment
- Control activities
- Risk assessment
- Information and communication
- Monitoring
-
Expected loss equation:
- Expected loss = impact x likelihood
- (EL = I x L)
-
SOX Sections 302 & 906
Requires that the CEO and CFO certify the accuracy of the financial statements.
-
SOX Section 404
Requires that the annual report include a report on the company's internal controls
-
Time-based model's three variables (P, D, C)
- P = Time it takes an attacker to break through the organization's preventative controls
- D = Time it takes to detect that an attack is in progress
- C = Time to respond to the attack
-
Security procedures are effective when: (equation)
P > (D + C)
-
Border router
Connects an organization's information system to the Internet
-
Demilitarized zone (DMZ)
Web and email servers that sit outside the corporate private network but are still accessible from the Internet.
-
Two basic mechanisms for protecting consumers' personal information:
- Encryption
- Access controls
-
2 basic types of data transmission controls
- Parity checking
- Message acknowledgement
-
Output controls include:
- User review of output
- Reconciliation procedures
- External data reconciliation
-
The auditor's role in systems development should be:
- Limited to an independent review of system development activities
- Not involved in system development
- Should review policies, procedures, standards, and documentation for systems and programs
-
Inadequate development controls can be compensated by implementing:
Strong processing controls
-
Two techniques to detect unauthorized program changes:
- Reprocessing
- Parallel simulation
-
Auditors commonly use five concurrent audit techniques:
- Integrated test facility (ITF) technique
- Snapshot technique
- System control audit review file (SCARF)
- Audit hooks
- Continuous and intermittent simulation (CIS)
-
ITF technique
Places a small set of fictitious records in the master files
-
Snapshot technique
Examines the way transactions are processed. Audit modules in the program record these transactions and their master file records before and after processing.
-
System control audit review file (SCARF)
Uses embedded audit modules to continuously monitor transaction activity and collect data.
- Records transactions that:
- Exceed a specified dollar limit
- Involve inactive accounts
-
Audit hooks
Flag suspicious transactions
-
Continuous and intermittent simulation (CIS)
- Similar to SCARF
- Processes the data independently
- Records the results
- Compares results with those obtained by the DBMS
-
Four basic business activities performed in the revenue cycle:
- Sales order entry
- Shipping
- Billing
- Cash collection
-
Steps in the sales order entry process:
- Take the customer's order
- Check the customer's credit
- Check inventory availability
- Respond to customer inquiries
-
Four threats in the sales order entry process:
- Incomplete or inaccurate customer orders
- Sales to customers with poor credit
- Orders that are not legitimate
- Stockouts, carrying costs, markdowns
-
Bill of lading and what it identifies:
Legal contract that defines responsibility for goods in transit
- It identifies:
- - Carrier
- - Source
- - Destination
- - Special shipping instructions
- - Who pays for shipping
-
Two basic ways to maintain accounts receivable:
- Open-invoice method
- Balance forward method
-
Open-invoice method
Customers pay according to each invoice
-
Balance forward method
Customers pay according to amount on their monthly statement, rather than by invoice
-
Three basic activities performed in the expenditure cycle:
- Ordering goods, supplies, and services
- Receiving and storing these items
- Paying for these items
-
3 alternate approaches to inventory control:
- Economic order quantity (EOQ)
- Materials requirements planning (MRP)
- Just in time inventory (JIT)
-
EOQ goal
Maintain enough stock so that production doesn't get interrupted
-
MRP goal:
Reduce inventory levels by carefully scheduling production and purchasing around sales forecasts.
-
JIT goal
Minimize or eliminate inventory by purchasing or producing only in response to actual sales (rather than forecasted)
-
Order processing typically begins with a:
Purchase request, followed by the generation of a purchase order
-
Purchase order
Document or electronic form that formally requests a supplier to sell and deliver specified products at specified prices. It is both a contract and a promise to pay.
-
Threats in the process of ordering goods include:
- Stockouts/Excess inventory
- Ordering unnecessary items
- Purchasing goods at inflated prices
- Purchasing goods at inferior quality
- Purchasing from unauthorized suppliers
- Kickbacks
-
Receiving report
Primary document used to decide whether there is a valid purchase order.
-
When goods arrive, a receiving clerk compares:
The PO number on the packing slip with the open PO file to verify the goods were ordered.
-
Voucher package consists of:
Vendor invoice and supporting documentation
-
Pay rate information is obtained from the:
Payroll master file.
-
2 types of payroll deductions:
- Payroll tax withholdings
- Voluntary deductions
-
Threats in the employment practices area are:
- Hiring unqualified or larcenous employees
- Violation of employment law
-
Proper segregation of duties in payroll:
- Only HRM department should be able to update payroll master file
- HRM employees should not directly participate in payroll processing or distribution
-
Basic activities in the GLARS are:
- Update the general ledger
- Post financial statements
- Prepare financial statements
- Produce managerial reports
-
Updating the general ledger consists of posting journal entries from 2 sources:
- Summary journal entries (routine transactions)
- Individual journal entries (non-routine transactions)
-
Accruals
Involves an event that has occurred for which the related cash flow has not yet taken place
-
Deferrals
Involves a situation where the cash flow takes place before the related revenue is earned or the expense is incurred
-
Estimates
Used to recognize expenses that cannot be directly attributed to a related revenue (e.g. depreciation expense or bad debt expense)
-
Re-evaluations
Reconciling actual and recorded values of assets
-
Income statements are prepared using:
balances in the revenue, expense, gain, and loss accounts listed on the adjusted trial balance.
-
Closing entries
After preparation of the income statement, all related accounts are closed and balances are transferred to retained earnings
-
Statement of stockholders' equity
Reconciles the changes in the stockholders' equity accounts
-
Balance sheet
- Presents balances in the permanent accounts:
- - Assets
- - Liabilities
- - Owners' equity
-
Statement of cash flows
- Presents changes in cash for the period categorized by:
- - Operating activities
- - Investing activities
- - Financing activities
-
XBRL
Extensible Business Reporting Language
Variant of XML designed to specifically communicate the contents of financial data.
-
SOX section 404
Management must report on their internal controls over financial reporting in their annual report
-
SOX section 301
Audit committee responsible for appointing, compensating, and overseeing work of external auditors.
-
SOX section 303
Unlawful for any officer or director of a public company to make financial statements materially misleading.