Topic 5: Ethics, Fraud and Security in AIS
TRANSCRIPT
Ethics, Fraud Control and Security in Accounting Information Systems
Chapter 5
Learning Objectives
The Information System Environment: Definition of AIS; AIS Framework
Transaction Processing System: Overview of TPS; Components of TPS
Organisational Structure and Accounting Function: Accounting Information and Decision Making; Accountants’ Roles in AIS
5.1 Computer Ethics
5.2 Computer Fraud
5.2.1 Definition of Computer Fraud
5.2.2 Components of Computer Fraud
5.2.3 Types of Computer Fraud
5.2.4 Fraud Detection
5.3 Risk, Exposure and Threats in AIS
5.4 The Internal Control Structure
5.4.1 Definition of Internal Control
5.4.2 Internal Control Model
5.5 Computer Based Information System (CBIS)
5.5.1 Effect of CBIS on Traditional Control Activities
5.5.2 General Controls
5.5.3 Application Controls
Learning Objective 5.1
Computer Ethics
Ethics
Pertains to the principles of conduct that individuals use in making choices and guiding their behavior in situations that involve the concepts of right and wrong.
Business ethics
Business ethics involves finding answers to two questions:
• How do managers decide what is right in conducting their business?
• Once they recognize what is right, how do they achieve it?
In business, conflicts may arise between:
• employees
• management
• stakeholders
Four Main Areas of Business Ethics
Computer Ethics
The analysis of the nature and social impact of computer technology and the corresponding formulation and justification of policies for the ethical use of such technology…
Includes concerns about software as well as hardware, networks connecting computers and computers themselves (Moor,1985).
Levels of Computer Ethics
POP: exposure to stories and reports found in the popular media regarding the good or bad ramifications of computer technology.
PARA: taking a real interest in computer ethics cases and acquiring some level of skill and knowledge in the field.
THEORETICAL: of interest to multidisciplinary researchers who apply theories to computer science with the goal of bringing some new understanding to the field.
Computer Ethics Issues
(a) Privacy
(b) Security
(c) Intellectual Property
(d) Equity in access
(e) Misuse of Computer
(f) Artificial intelligence
(g) Unemployment and displacement
(h) Environmental issues
(i) Internal control responsibility
Computer Ethics Issues (Cont…)
Privacy
People desire to be in full control of what and how much information about themselves is available to others, and to whom it is available. It raises the issue of ownership.
Security
An attempt to avoid such undesirable events as a loss of confidentiality or data integrity, and to protect and further the legitimate interests of the system’s constituencies. Security can be used to protect systems and personal information, but it can also restrict legitimate access.
Computer Ethics Issues (Cont…)
Intellectual Property
The group of legal rights to things people create or invent. Intellectual property rights typically include patent, copyright, trademark and trade secret rights, and are protected by laws of the kind designed to preserve real property rights. Copyright laws have been invoked in an attempt to protect those who develop software from having it copied.
Equity in access
Several factors can limit access to computing technology, e.g. financial cost, cultural barriers and physical limitations. Some barriers to access (security systems) are intrinsic to the technology of information systems, but some are avoidable through careful system design.
Computer Ethics Issues (Cont…)
Misuse of Computer
Illegal copying of software, e.g. copying proprietary software: although clearly illegal, it is commonly done.
Artificial Intelligence
A branch of computer science that studies how to endow computers with capabilities of human intelligence. Both knowledge engineers (those who write the programs) and domain experts (those who provide the knowledge) must be concerned about their responsibility for faulty decisions, incomplete or inaccurate knowledge bases, and the role given to computers in the decision-making process.
Computer Ethics Issues (Cont…)
Unemployment and Displacement
Many jobs have been and are being changed as a result of the availability of computer technology. People unable or unprepared to change are displaced.
Environmental Issues
It is probably easier just to print a document than to consider whether it should be printed and how many copies really need to be made. It may be more efficient or comforting to have a hard copy in addition to the electronic version. However, paper comes from trees, and ends up in landfills if not properly recycled.
Computer Ethics Issues (Cont…)
Internal Control Responsibility
A business cannot meet its financial obligations or achieve its objectives if its information is unreliable. Thus, managers must establish and maintain a system of appropriate internal controls to ensure the integrity and reliability of their data.
Learning Objective 5.2
Fraud
Definition of Fraud
Fraud: a deliberate act or untruth intended to obtain unfair or unlawful gain.
A false representation made by one party to another with the intent to deceive, inducing the other party to justifiably rely on the stated fact to his or her detriment.
“A fundamental aspect of management’s stewardship responsibility is to provide shareholders with reasonable assurance that the business is adequately controlled.”
Also known as ‘white-collar crime’, ‘defalcation’, ‘embezzlement’ and ‘irregularities’.
Components of Fraud
False representation - false statement or nondisclosure
Material fact - a fact must be substantial in inducing someone to act
Intent – there must be the intent to deceive or the knowledge that one’s statement is false.
Justifiable reliance - the misrepresentation must have been a substantial factor on which the injured party relied.
Injury or loss – the deception must have caused injury or loss to the victim of the fraud.
Motivating Factors
(1) Opportunities
• The condition or situation that allows a person to commit and conceal a dishonest act.
• Often stem from a lack of internal controls.
(2) Pressures
• A person’s motivation for committing a fraud, e.g. an employee experiencing financial difficulties.
(3) Personal Characteristics (Integrity)
• The personal morals of individual employees.
• Rationalization.
Escalation and Frequency
FBI Computer Crimes Division Reports:
• 15 security breaches every day
• 75% annual increase in recent years
Reported errors, frauds, and security lapses involving computer-based information systems:
A customer received a bill of $1 million instead of $100, because of an error in the invoicing program.
A supervisor added fictitious employees to the payroll, so that the payroll program would cause their paychecks to be sent to a friend’s address.
A programmer who was employed by a bank changed an interest calculation program to have it credit the fractional cents to his account.
A purchasing agent entered unauthorized purchase transactions via a terminal and had the merchandise delivered to his home.
A salesperson carried away in her briefcase a magnetic tape containing a publishing firm’s list of customers.
A fire in a firm’s tape library destroyed thousands of reels of magnetic tape.
A failure in an essential component of a computer caused the system to break down and the data to be lost.
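Two of the cases above (the fictitious payroll employees and the interest program that credited fractional cents to the programmer's account) leave traces that an auditor can search for by computer. As an added example, not part of the lecture, the Python below runs two detective checks over constructed sample data: a payroll master in which fictitious employees share an address and bank account with a real one, and an interest run in which an altered program truncates each posting and credits the dropped fractions of a cent to one account (the "salami" technique). All names, account numbers, balances and the interest rate are invented for the example.

```python
"""Detective checks for two of the cases listed above, run over constructed
sample data (not real records): ghost employees on a payroll and fractional-
cent skimming (the 'salami' technique) in an interest run."""
from collections import defaultdict
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed payroll master. Two fictitious employees share a mailing address
# (and one shares a bank account) with a real employee: the residue a
# "paychecks sent to a friend's address" scheme leaves in the master file.
PAYROLL = [
    {"emp_id": "E100", "name": "A. Lee",   "address": "12 Elm St",  "account": "ACC-001"},
    {"emp_id": "E101", "name": "B. Ortiz", "address": "7 Oak Ave",  "account": "ACC-002"},
    {"emp_id": "E102", "name": "C. Nair",  "address": "99 Pine Rd", "account": "ACC-003"},
    {"emp_id": "E777", "name": "J. Smith", "address": "7 Oak Ave ", "account": "ACC-002"},  # ghost
    {"emp_id": "E778", "name": "K. Jones", "address": "7 oak ave",  "account": "ACC-009"},  # ghost
]

def shared_payee_details(records, fields=("address", "account")):
    """Map field -> {normalised value: [emp_ids]} for values used by more than
    one employee. A shared pay destination is an audit exception, not proof."""
    index = {f: defaultdict(list) for f in fields}
    for rec in records:
        for f in fields:
            index[f][" ".join(rec[f].lower().split())].append(rec["emp_id"])
    return {f: {v: ids for v, ids in idx.items() if len(ids) > 1} for f, idx in index.items()}

# Constructed interest run: 200 deposit balances plus the perpetrator's own
# account, which has no balance and should therefore earn nothing.
RATE = Decimal("0.0137")
BALANCES = {f"A{i:03d}": Decimal(1000 + (i * 7919) % 90000) / 100 for i in range(1, 201)}
BALANCES["SKIM"] = Decimal("0.00")

def honest_interest(balances, rate):
    """What the unaltered program does: round each posting to the nearest cent."""
    return {a: (b * rate).quantize(CENT, rounding=ROUND_HALF_UP) for a, b in balances.items()}

def salami_interest(balances, rate, skim_account):
    """What the altered program does: truncate every posting and credit the
    dropped fractions of a cent to skim_account."""
    posted, shaved = {}, Decimal("0")
    for a, b in balances.items():
        exact = b * rate
        cents = exact.quantize(CENT, rounding=ROUND_DOWN)
        shaved += exact - cents
        posted[a] = cents
    posted[skim_account] += shaved.quantize(CENT, rounding=ROUND_DOWN)
    return posted

def rounding_exceptions(balances, rate, posted, tolerance=Decimal("0.005")):
    """Independent recomputation control: recompute interest from the balance
    file and flag any account whose posting is off by more than half a cent.
    The skim account stands out because it earns money on a zero balance."""
    return sorted(a for a, amt in posted.items()
                  if abs(amt - balances.get(a, Decimal("0")) * rate) > tolerance)
```

A hit from either check is an exception to investigate, not proof of fraud: two employees can legitimately share an address. The recomputation check works because the reviewer recomputes interest from the balance file independently of the program that posted it, so an altered program cannot conceal its own output.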
Levels of Fraud
(1) Employee fraud
(2) Management fraud
(1) Employee Fraud
Committed by?
non-management employees
Usually consists of:
an employee taking cash or other assets for personal benefit by circumventing a company’s system of internal controls
Involves 3 steps:
a) Stealing something of value (an asset)
b) Converting the asset to a usable form (cash), and
c) Concealing the crime to avoid detection
(2) Management Fraud
More insidious than employee fraud because it often escapes detection until irreparable damage or loss has been suffered by the organization.
Typically has 3 special characteristics:
a) It is perpetrated at levels of management above the one to which the internal control structure relates.
b) It frequently involves using the financial statements to create an illusion that an entity is healthier and more prosperous than it actually is.
c) If it involves misappropriation of assets, it is frequently shrouded in a maze of complex business transactions.
Fraud Schemes
Three categories of fraud schemes according to the Association of Certified Fraud Examiners:
(a) Fraudulent statements
(b) Corruption
(c) Asset misappropriation
(a) Fraudulent Statements
Misstating the financial statements to make the company appear better than it is.
Usually occurs as management fraud.
May be tied to a focus on short-term financial measures of success.
May also be related to management bonus packages being tied to financial statements.
(b) Corruption
Examples:
• Bribery: giving, offering, soliciting, or receiving things of value to influence an official in the performance of his or her lawful duties.
• Illegal gratuities: giving, receiving, offering, or soliciting something of value because of an official act that has already been taken.
• Conflicts of interest: the person has a self-interest in the activity being performed.
• Economic extortion: the use (or threat) of force, including economic sanctions, by an individual or organization to obtain something of value.
(c) Asset Misappropriation
Most common type of fraud and often occurs as employee fraud. Examples:
• Making charges to expense accounts to cover theft of an asset (especially cash)
• Lapping: using a customer’s check from one account to cover theft from a different account
• Transaction fraud: deleting, altering, or adding false transactions to steal assets
• Computer fraud schemes, at each stage of the system:
  • Data collection (Input)
  • Data processing (Process)
  • Database management (storage, retrieval, and deletion)
  • Information generation (Output)
Learning Objective 5.2
Computer Fraud
Definition of Computer Fraud
“Any illegal act for which knowledge of computer technology is essential for its perpetration, investigation, or prosecution.”
Includes:
• Unauthorized theft, use, access, copying, and destruction of software or data.
• Theft of money by altering computer records, or the theft of computer time.
• Theft or destruction of computer hardware.
• Use of, or conspiracy to use, computer resources to commit a felony.
• Intent to illegally obtain information or tangible property through the use of computers.
What is Computer Abuse?
There are many definitions of Computer Abuse and it is often confused with Computer Fraud but put quite simply it is:
"The unauthorized use of, or access to, a computer for purposes contrary to the wishes of the owner of the computer or the data held thereon."
Computer Abuse (Cont…)
The Australian Computer Abuse Research Bureau (ACARB) defines it as “theft, fraud, embezzlement or damage related to computers”, including:
• Unauthorized manipulation of computer input and/or output
• Unauthorized access to the system through terminals or personal computers
• Unauthorized modification or use of application programs, operating systems or computing equipment
• Trespass on a data processing installation; theft of equipment, files or output
• Sabotage of computer installation equipment, files, or output
• Unauthorized data interception
Computer Fraud Classifications
(a) Input
(b) Processor
(c) Computer instructions
(d) Data
(e) Output
(a) Input
The simplest and most common. This phase of the system is the most vulnerable because it is very easy to change data as it is being entered into the system.
To alter computer input, perpetrators need only understand how the system operates.
GIGO (Garbage In, Garbage Out): if the input data is inaccurate, processing will result in inaccurate output.
(b) Processor
Computer fraud can be committed through unauthorized system use, including the theft of computer time and services.
Ex: using company computers to keep personal or outside-business records.
(b) Processor (Cont…)
Program frauds: creating illegal programs that can access data files to alter, delete, or insert values into accounting records; destroying programs using a virus; altering a program to cause the application to process data incorrectly.
Operations frauds: misuse or theft of company computer resources, such as using the computer for personal business.
(c) Computer Instructions
Tampering with the software that processes company data.
Include modifying the software, making illegal software copies, using software in an unauthorized manner, developing a software program or module to carry out an unauthorized activity.
Least common – requires specialized knowledge.
(d) Data
Altering or damaging a company’s data files or by copying, using, or searching them without authorization.
Ex: employee removed the external labels from hundreds of tape files.
(e) Output
Stealing or misusing system output. System output is usually displayed on monitors or printed on paper. Monitor and printer output is subject to prying eyes and unauthorized copying.
Increase in computer fraud. Why?
• Not everyone agrees on what constitutes computer fraud.
• Many go undetected.
• A high percentage of uncovered fraud is not reported.
• Many networks have a low level of security.
• Information on how to commit fraud is available on the Internet.
• Law enforcement cannot keep up with computer fraud.
• The total dollar value of losses is difficult to calculate.
Computer Fraud Techniques
What are some of the more common techniques used to commit computer fraud and abuse?
• Data diddling
• Data leakage
• Denial of service attack
• Eavesdropping
• E-mail forgery and threats
• Hacking
• Internet misinformation
• Internet terrorism
• Logic time bomb
• Masquerading or impersonation
• Password cracking
• Piggybacking
• Software piracy
• Scavenging / dumpster diving
• Social engineering
• Superzapping
• Trap door / back door
• Trojan horse
• Virus
• Worm
Data Diddling
The act of intentionally entering false information into a system or modifying existing data.
Changing data before, during, or after it is entered into the system.
The change can be made to delete, alter, or add key system data.
Example: a perpetrator modifies certain programs so that they send information (e.g. passwords) and user names back to him when other people use those programs.
Data Diddling (Cont…)
Example: Employees are able to falsify time cards before the data contained on the cards is entered into the computer for payroll computation.
Data Leakage
Unauthorized copying of company data, often without leaving any indication that it was copied.
Copying company data, ex; computer files, without permission.
Example: an employee made copies of the company’s customer list and sold them to other companies.
Denial of Service Attack (DoS)
An attack that bombards the receiving server with so much traffic that it shuts down or can no longer serve legitimate users.
Example: sending e-mail bombs (thousands per second) from randomly generated false addresses, so that the ISP’s e-mail server is overloaded and shuts down.
A denial-of-service attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Examples include:
• attempts to “flood” a network, thereby preventing legitimate network traffic
• attempts to disrupt connections between two machines, thereby preventing access to a service
• attempts to prevent a particular individual from accessing a service
• attempts to disrupt service to a specific system or person
Eavesdropping
The intercepting and reading of messages and conversations by unintended recipients; listening to private voice or data transmissions.
One who participates in eavesdropping, i.e. someone who secretly listens in on the conversations of others, is called an eavesdropper. The origin of the term is literal: from people who would hide under the eaves of houses to listen in on other people’s private conversations.
E-mail Forgery / Spoofing
Sending an e-mail message that looks as if it were sent by someone else.
Forging an e-mail header to make it appear as if it came from somewhere or someone other than the actual source.
Examples:
• e-mail claiming to be from a system administrator requesting users to change their passwords to a specified string and threatening to suspend their account if they do not do this
• e-mail claiming to be from a person in authority requesting users to send them a copy of a password file or other sensitive information
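The two spoofing examples above share a mechanical tell: the address shown in the From: header is not the address the mail was actually sent from. As an added example, not part of the lecture, the Python below parses two constructed messages, one genuine and one forged "change your password" mail, and flags a From: domain that differs from the envelope sender recorded in Return-Path, together with the absence of a passing SPF or DKIM result. It assumes the receiving mail server writes an Authentication-Results header, as most mail gateways do; the addresses, domains and message texts are constructed.

```python
"""Header-consistency check for forged e-mail, run over two constructed
messages (not real mail). Assumption: the receiving MTA adds an
Authentication-Results header with its SPF/DKIM verdicts."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed genuine notice: envelope sender, From: and SPF/DKIM all agree.
LEGIT = b"""\
Return-Path: <it-helpdesk@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: IT Helpdesk <it-helpdesk@example.com>
To: staff@example.com
Subject: Scheduled maintenance

Mail will be unavailable Saturday 02:00-04:00.
"""

# Constructed forgery of the 'administrator demands a password change' kind:
# From: claims example.com but the mail was injected from another domain.
SPOOFED = b"""\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: System Administrator <admin@example.com>
To: staff@example.com
Subject: URGENT: password reset required

Change your password to Welcome123 today or your account will be suspended.
"""

def sender_domain(header_value):
    """Domain part of the first address in a header, lower-cased."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()

def auth_results(msg):
    """Parse 'authserv; spf=pass ...; dkim=none ...' into {'spf': 'pass', 'dkim': 'none'}."""
    results = {}
    for clause in str(msg.get("Authentication-Results", "")).split(";")[1:]:
        method, _, rest = clause.strip().partition("=")
        results[method] = rest.split()[0] if rest else ""
    return results

def spoof_indicators(raw_message):
    """Return a list of reasons to treat the message as forged (empty if none)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    header_from = sender_domain(msg["From"])
    envelope_from = sender_domain(msg.get("Return-Path", ""))
    auth = auth_results(msg)
    findings = []
    if envelope_from and header_from != envelope_from:
        findings.append(f"From domain {header_from} differs from Return-Path domain {envelope_from}")
    if auth.get("spf") != "pass" and auth.get("dkim") != "pass":
        findings.append("no passing SPF or DKIM result")
    return findings
```

A From/Return-Path mismatch is an indicator, not a verdict: mailing lists and forwarding services produce it legitimately, which is why a filter should score these findings rather than block on the first one.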
Hacking
Accessing and using computer systems without permission, usually by means of a personal computer and a telecommunication network.
Internet Misinformation
Using the internet to spread false or misleading information about people or companies.
Can be done in many ways, e.g. messages in online chats, setting up websites.
Example: posting messages to Internet newsgroups or online bulletin boards with the intent to harm a person’s or company’s reputation.
Internet Terrorism
Hackers using the internet to disrupt electronic commerce and to destroy company and individual communications.
Logic Time Bomb
A piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met.
Sabotaging a system using a program that lies idle until some specified circumstance or a particular time triggers it. Once triggered, the bomb destroys programs, data, or both.
Example: a programmer may hide a piece of code that starts deleting files should he ever leave the company, e.g. triggered when his name disappears from the salary database.
Software that is inherently malicious, such as viruses and worms, often contains logic bombs that execute a certain payload at a pre-defined time or when some other condition is met. This technique lets a virus or worm gain momentum and spread before being noticed. Many viruses attack their host systems on specific dates, such as Friday the 13th or April Fool’s Day.
Masquerading / Impersonation
Accessing a system by pretending to be an authorized user. Occurs when one person uses the identity of another to gain access to a computer. This may be done in person or remotely. The impersonator enjoys the same privileges as the legitimate user. It requires that the perpetrator know the legitimate user’s identification numbers or passwords.
Password Cracking
Password cracking is the process of recovering secret passwords stored in a computer system.
Using illicit means to steal a file containing passwords.
Penetration of a network, system, or resource with or without the use of tools to unlock a resource that has been secured with a password.
Doesn't always involve sophisticated tools. It can be as simple as finding a sticky note with the password written on it stuck right to the monitor or hidden under a keyboard.
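The definition above says passwords are "recovered" from the system, and what makes that possible is how they are stored. As an added example, not part of the lecture, the Python below builds a constructed stolen password file of unsalted SHA-1 digests and cracks it with a six-word dictionary in a single pass; it then stores the same passwords with a per-user salt and PBKDF2 and shows that the same dictionary now costs one deliberately slow computation per user per guess. User names, passwords and the word list are invented.

```python
"""Offline password cracking against a stolen password file, and the storage
control that defeats it. All users, passwords and the word list are constructed."""
import hashlib
import hmac
import os

WORDLIST = ["123456", "password", "letmein", "Welcome1", "qwerty", "summer2024"]

# Constructed "stolen" file in the legacy form: unsalted SHA-1 of the password.
USERS_UNSALTED = {
    "alice": hashlib.sha1(b"Welcome1").hexdigest(),
    "bob":   hashlib.sha1(b"letmein").hexdigest(),
    "carol": hashlib.sha1(b"c0rrecth0rse-battery").hexdigest(),
}

def crack_unsalted(stolen, wordlist):
    """One digest per candidate word serves every user at once: that is what
    makes unsalted hashes cheap to crack and precomputed tables possible."""
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in stolen.items() if h in table}

# Slow, salted storage. Kept low so the example runs quickly; production
# should use the current OWASP figure (hundreds of thousands of iterations).
ITERATIONS = 100_000

def store_password(password, salt=None):
    """Return 'salt$digest' using PBKDF2-HMAC-SHA256 with a random 16-byte salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()

def verify_password(password, stored):
    """Recompute with the stored salt; compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)

def crack_salted(stolen, wordlist):
    """With a per-user salt no table can be shared: every (user, word) pair
    costs a full PBKDF2 run, so the attacker's work grows with users x words."""
    return {user: w for user, s in stolen.items() for w in wordlist if verify_password(w, s)}
```

The salted store still gives up "Welcome1" to a six-word dictionary: salting and stretching raise the cost per guess, they do not rescue a password that is in the attacker's list. That is why the control is paired with password policy and, where possible, a second factor.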
Piggybacking
A method of gaining unauthorized access to computer facilities by following an authorized employee through a controlled door or into a restricted area such as a building or a computer room.
Tapping into a telecommunications line and latching on to a legitimate user before he/she logs into the system; legitimate user unknowingly carried perpetrator into the system.
Gaining access to a restricted communications channel by using the session another user already established. Piggybacking can be defeated by logging off before leaving a workstation or terminal or by initiating a protected mode, such as via a screensaver, that requires re-authentication before access can be resumed.
Software Piracy
Copying of computer software without the publisher’s permission.
Software piracy is illegal. Each pirated piece of software takes away from company profits, reducing funds for further software development initiatives.
Scavenging / Dumpster Diving
Searching through object residue (file storage space) to acquire unauthorized data.
Searching through the trashcans at the computer center for discarded output (the output should be shredded, but frequently is not).
Social Engineering
Fraudulently gaining information to access a system by fooling an employee.
Tricking an employee into providing the information needed to get into a system.
An attack based on deceiving users or administrators at the target site. Social engineering attacks are typically carried out by telephoning users or operators and pretending to be an authorized user, to attempt to gain illicit access to systems.
Example: A man posing as a magazine writer was able to get valuable information over the telephone from the telephone company simply by asking for it--supposedly for his story. He then used that information to steal more than a million dollars in telephone company equipment.
Superzapping
Using special system programs to bypass regular system controls and perform illegal acts.
Superzap lets system administrators or other highly trusted individuals override system security to quickly repair or regenerate the system, especially in an emergency.
Example: the manager of computer operations in a bank was told by his boss to correct a problem affecting account balances. The problem was originally caused by unanticipated problems in the changeover of the bank's computer system. While working on the project, the manager found that he could use the Superzap program to make other account changes as well, without having to deal with the usual controls, audits, or documentation. He moved funds from various accounts into the accounts of several friends, netting about $128,000 in all. He was detected only when a customer complained about a shortage in his account. Because the Superzap program left no evidence of data file changes, the fraud was highly unlikely to be discovered by any other means.
Trap Door / Back Door
Entering the system using a back door that bypasses normal system controls and perpetrates fraud.
A trap door is a quick way into a program; it allows program developers to bypass all of the security built into the program now or in the future.
To a programmer, trap doors make sense. If a programmer needs to modify the program sometime in the future, he can use the trap door instead of having to go through all of the normal, customer-directed protocols just to make the change.
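Superzapping and trap doors defeat controls the same way: they write to the data outside the application, so the application's own journal shows nothing, which is why the bank case above was found only through a customer complaint. As an added example, not part of the lecture, the Python below shows a detective control that survives this: the application tags every record with an HMAC under a key the operations staff do not hold, and a periodic scan recomputes the tags and reconciles the file total to the general-ledger control account. A transfer through the controlled path passes the scan; a direct balance edit fails it. Account numbers, balances and the key are constructed.

```python
"""Detecting data-file changes made outside the application (superzap utility,
trap door). Constructed accounts and key; in practice the key is held in a
KMS/HSM reachable by the application, not on the operator's host."""
import hashlib
import hmac
from decimal import Decimal

INTEGRITY_KEY = b"constructed-demo-key"  # constructed for the example

def tag(account, balance):
    """HMAC over the fields a utility might alter."""
    return hmac.new(INTEGRITY_KEY, f"{account}|{balance}".encode(), hashlib.sha256).hexdigest()

def make_record(account, balance):
    bal = Decimal(balance)
    return {"account": account, "balance": bal, "tag": tag(account, bal)}

def build_master():
    """Constructed account master file."""
    return [make_record("1001", "2500.00"), make_record("1002", "120.50"), make_record("1003", "64000.00")]

# The general-ledger control account carries the same total, kept independently.
GL_CONTROL_TOTAL = sum(r["balance"] for r in build_master())

def post_transfer(master, src, dst, amount, journal):
    """The controlled path: moves value, re-tags both records, journals the entry."""
    amount = Decimal(amount)
    recs = {r["account"]: r for r in master}
    recs[src]["balance"] -= amount
    recs[dst]["balance"] += amount
    for acct in (src, dst):
        recs[acct]["tag"] = tag(acct, recs[acct]["balance"])
    journal.append((src, dst, amount))

def superzap(master, account, new_balance):
    """Direct edit of the data file with no journal entry: what a superzap
    utility or trap door allows. The stored tag is left as it was."""
    for r in master:
        if r["account"] == account:
            r["balance"] = Decimal(new_balance)

def integrity_scan(master, gl_control_total):
    """Periodic detective control run by the key holder: recompute every tag
    and reconcile the file total to the GL control account."""
    findings = [f"account {r['account']}: balance changed outside the application"
                for r in master
                if not hmac.compare_digest(r["tag"], tag(r["account"], r["balance"]))]
    total = sum(r["balance"] for r in master)
    if total != gl_control_total:
        findings.append(f"file total {total} differs from GL control total {gl_control_total}")
    return findings
```

The control only holds if the utility's user cannot also reach the key; if the same administrator can run the superzap program and read the key, he can re-tag what he changed, and the scan degrades to the reconciliation check alone.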
Trojan Horse
Placing unauthorized computer instructions in an authorized and properly functioning program.
Hidden instructions embedded in software or e-mail that, once opened, may modify, damage, or send out important data.
Unlike viruses and worms, the code does not replicate itself.
Virus
A destructive program that has the ability to reproduce itself and infect other programs or disks.
Typically a virus will not show itself immediately, but will add itself to programs and disks to spread itself widely on many computers before it is triggered into its destructive phase.
Requires a human to do something (run a program, open a file, etc) to replicate itself.
Worm
A self-replicating program that reproduces itself over a network.
Similar to a virus, except that:
(i) rather than a code segment hidden in a host program or executable file, a worm is a stand-alone program;
(ii) a virus requires a human to do something (run a program, open a file, etc.) to replicate itself, whereas a worm replicates itself automatically.
Also copies and actively transmits itself directly to other systems.
Often resides in e-mail attachments, which, when opened or activated, can damage user’s system.
Ways to Prevent and Detect Computer Fraud
• Make fraud less likely to occur
• Increase the difficulty of committing fraud
• Improve detection methods
• Reduce fraud losses
Preventative Measures
Education and Training: a logical first step
10 Suggestions from Ernst & Young:
(1) Confidentiality statements
(2) Regular back-ups
(3) Policies and procedures
(4) Control intranet access
(5) Boot-level passwords
(6) Control Internet access
(7) Restrict use of the Internet
(8) Classify data
(9) Secure all computers
(10) Require file-level passwords
Software: a variety to choose from
Legal Ramifications: better prepared law enforcement; new laws with harsher penalties
Learning Objective 5.3
Risk, Exposure and Threats in AIS
Introduction
Reliance on information and rapidly changing technology has forced organizations to implement comprehensive information security programs and procedures to protect their information assets.
Risk
Business firms face risks that reduce the chances of achieving their control objectives.
Risk: the likelihood that a threat or hazard will actually come to pass.
Risk exposures: the threats to a firm’s assets and information quality due to lapses or inadequacies in controls.
Risk assessment consists of identifying relevant risks, analyzing the extent of exposure to those risks, and managing risks by proposing effective control procedures.
Risks arise or change from:
changes in the operating environment that impose new or changed competitive pressures on the firm
new personnel that hold a different or inadequate understanding of internal control
new or reengineered information systems that affect transaction processing
significant and rapid growth that strains existing internal controls
the implementation of new technology into the production process or information system that impacts transaction processing
the introduction of new product lines or activities with which the organization has little experience
organizational restructuring resulting in the reduction and/or reallocation of personnel such that business operations and transaction processing are affected
entering into foreign markets that may impact operations (i.e. the risks associated with foreign currency transactions)
adoption of a new accounting principle that impacts the preparation of financial statements.
Types of Risks
• Unintentional errors
• Deliberate errors (fraud)
• Unintentional losses of assets
• Thefts of assets
• Breaches of security
• Acts of violence and natural disasters
Some Typical Sources of Risk
Clerical and operational employees, who process transactional data and have access to assets
Computer programmers, who have knowledge relating to the instructions by which transactions are processed
Managers and accountants, who have access to records and financial reports and often have authority to approve transactions
Former employees, who may still understand the control structure and may harbor grudges against the firm
Customers and suppliers, who generate many of the transactions processed by the firm
Competitors, who may desire to acquire confidential information of the firm
Outside persons, such as computer hackers and criminals, who have various reasons to access the firm’s data or its assets or to commit destructive acts
Acts of nature or accidents, such as floods, fires, and equipment breakdowns, high winds, war, earthquakes
Degrees of Risk Exposure
Frequency - the more frequent an occurrence of a transaction, the greater the exposure to risk
Vulnerability - liquid and/or portable assets contribute to risk exposure
Size of the potential loss - the higher the monetary value of a loss, the greater the risk exposure
Problem Conditions Affecting Risk Exposures
Collusion (both internal and external): the cooperation of two or more people for a fraudulent purpose is difficult to counteract even with sound control procedures.
Lack of enforcement: management may not prosecute wrongdoers because of the potential embarrassment.
Computer crime: poses very high degrees of risk, and fraudulent activities are difficult to detect.
Learning Objective 5.4
The Internal Control Structure
The Internal Controls Shield
The Internal Control Structure
Internal Control is a state that management strives to achieve to provide reasonable assurance that the firm’s objectives will be achieved
These controls encompass all the measures and practices that are used to counteract exposures to risks
The control framework is called the Internal Control Structure
Definition of Internal Control
The Committee of Sponsoring Organisations (COSO) definition of internal control:
“a process – effected by an entity’s board of directors, management, and other personnel – designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
a) effectiveness and efficiency of operations
b) reliability of financial reporting
c) compliance with applicable laws and regulations.”
Objectives of the Internal Control Structure
• Promoting effectiveness and efficiency of operations
• Reliability of financial reporting
• Safeguarding assets
• Checking the accuracy and reliability of accounting data
• Compliance with applicable laws and regulations
• Encouraging adherence to prescribed managerial policies
Modifying Assumptions to the Internal Control Objectives
Management Responsibility: the establishment and maintenance of a system of internal control is the responsibility of management.
Reasonable Assurance: the cost of achieving the objectives of internal control should not outweigh its benefits.
Methods of Data Processing: the techniques for achieving the objectives will vary with different types of technology.
Limitations: limits on the effectiveness of internal control include error, circumvention, management override and changing conditions.
Preventive, Detective, and Corrective Controls
(1) Preventive Controls
A control system that places restrictions on and requires documentation of employee activities so as to reduce the occurrence of errors and deviations.
Passive techniques designed to reduce the frequency of occurrence of undesirable events.
Ex: password and data-entry controls, well-designed source documents
(2) Detective Controls
• Controls designed to discover control problems soon after they arise.
• Discover the occurrence of adverse events such as operational inefficiency
• Reveal specific types of errors by comparing actual occurrences to pre-established standards.
• Ex: department’s review of long distance telephone charges
(3) Corrective Controls(3) Corrective Controls
Procedures established to remedy problems that are discovered through detective controls.
Fix the problem. Ex: manual procedures to correct a batch that is not accepted.
Auditing Standards
Auditors are guided by GAAS (Generally Accepted Auditing Standards)
3 classes of standards
• general qualification standards
• field work standards
• reporting standards
For specific guidance, auditors use the AICPA’s SASs (Statements on Auditing Standards).
SAS No. 78
Describes the relationship between the firm’s…
• internal control structure,
• auditor’s assessment of risk, and
• the planning of audit procedures
How do these three interrelate?
The weaker the internal control structure, the higher the assessed level of risk; the higher the risk, the more auditor procedures applied in the audit. AIS is particularly concerned with the internal control structure.
Five Internal Control Components: SAS No. 78 / COSO
1. Control environment
2. Risk assessment
3. Information and communication
4. Monitoring
5. Control activities
Components and Major Considerations of the IC Structure
Internal Control Structure:
• Control Environment
• Risk Assessment
• Control Activities
• Information & Communication
• Monitoring
Control Activities are divided into activities related to Financial Reporting and activities related to Information Processing; the latter comprise General Controls and Application Controls.
(1) The Control Environment
The organization’s environment with respect to controls.
Sets the tone of an organization, influencing the control consciousness of its people.
It is the foundation for all other components of its IC, providing discipline and structure.
Leaders of each department, area or activity establish a local control environment.
The Control Environment (Cont…)
Elements of the Control Environment:
• The organization structure.
• The participation of the organization’s board of directors and the audit committee, if one exists.
• Management’s philosophy and operating style.
• The procedures for delegating responsibility and authority.
• The organization’s policies and practices for managing its human resources.
• The integrity and ethical values of management.
• Management’s methods for assessing performance.
• External influences, e.g. examinations by regulatory agencies.
• The commitment to competence.
Organization Structure
The structure of an organisation is ‘the sum total of the ways in which it divides its labour into distinct tasks and then achieves co-ordination among them’ (Mintzberg, 1989).
• Is an up-to-date organization chart prepared, showing the names of key personnel?
• Is the information systems function separated from incompatible functions?
• How is the accounting department organized?
• Is the internal audit function separate and distinct from accounting?
• Do subordinate managers report to more than one supervisor?
Audit Committees
The committee responsible for overseeing a corporation’s internal control structure, financial reporting process, and compliance with related laws and regulations.
Comprised of outside members of the BOD, responsible for dealing with the external and internal auditors.
Audit Committees (Cont…)
Key functions performed by audit committees:
• Establish an Internal Audit Department
• Review the scope and status of audits
• Review audit findings with the Board and ensure that Management has taken the proper action recommended in the Audit Report and Letter of Reportable Conditions
• Maintain a direct line of communication among the Board, Management, external and internal auditors, and periodically arrange meetings among the parties
• Review the Audited Financial Statements with the internal auditors and the Board of Directors
• Require periodic Quality Reviews of the operations of the Internal Audit Departments to identify areas needing improvement
• Supervise special investigations, such as fraud investigations
• Assess the performance of Financial Management
• Require the review of compliance with Laws and Regulations and with Corporate Codes of Conduct
Management Philosophy and Operating Style
• Does management emphasize short-term profits and operating goals over long-term goals?
• Is management dominated by one or a few individuals?
• What type of business risks does management take and how are these risks managed?
• Is management conservative or aggressive toward selecting from available alternative accounting principles?
Assignment of Authority and Responsibility
• Does the company prepare written employee job descriptions defining specific duties and reporting relationships?
• Is written approval required for changes made to information systems?
• Does the company clearly delineate to employees and managers the boundaries of authority-responsibility relationships?
• Does the company properly delegate authority to employees and departments?
Human Resource Policies and Practices
• Are new personnel indoctrinated with respect to Internal Controls, Ethics Policies, and the Corporate Code of Conduct?
• Are Grievance Procedures to manage conflict in force?
• Does the company maintain a sound Employee Relations program?
• Do employees work in a safe, healthy environment?
• Are counseling programs available to employees?
• Are proper separation programs in force for employees who leave the firm?
• Are critical employees bonded?
(2) Risk Assessment
The entity’s identification and analysis of the risks relevant to the achievement of its objectives, forming a basis for determining how the risks should be managed.
Top management must be directly involved in Business Risk Assessment.
Risk Assessment (Cont…)
Identify, analyze, and manage risks relevant to financial reporting.
Ex:
• changes in external environment
• risky foreign markets
• significant and rapid growth that strains internal controls
• new product lines
• restructuring, downsizing
• changes in accounting policies
(3) Information and Communication
The identification, capture, and exchange of information in a form and time frame that enables people to carry out their responsibilities.
The AIS should produce high quality information which:
• identifies and records all valid transactions
• provides timely information in appropriate detail to permit proper classification and financial reporting
• accurately measures the financial value of transactions, and
• accurately records transactions in the time period in which they occurred
Information and Communication (Cont…)
Auditors must obtain sufficient knowledge of the IS to understand (the bracketed tags show the relationship to the AIS model):
• the classes of transactions that are material
• how these transactions are initiated [Input]
• the associated accounting records and accounts used in processing [Input]
• the transaction processing steps involved from the initiation of a transaction to its inclusion in the financial statements [Process]
• the financial reporting process used to compile financial statements, disclosures, and estimates [Output]
Information & Communication (Cont…)
All transactions entered for processing are valid and authorized
All valid transactions are captured and entered for processing on a timely basis and in sufficient detail to permit the proper classification of transactions
The input data of all entered transactions are accurate and complete, with the transactions being expressed in proper monetary terms
All entered transactions are processed properly to update all affected records of master files and/or Other Types of Data sets
All required outputs are prepared according to appropriate rules to provide accurate and reliable information
All transactions are recorded in the proper accounting period
(4) Monitoring
A process that assesses the quality of internal control performance over time.
Separate procedures: tests of controls by internal auditors.
Ongoing monitoring:
• computer modules integrated into routine operations
• management reports which highlight trends and exceptions from normal performance
(5) Control Activities
Policies and procedures that help ensure that the appropriate actions are taken in response to identified risks.
Control activities as related to Financial Reporting may be classified according to their intended uses in a system:
• Preventive Controls block adverse events, such as errors or losses, from occurring
• Detective Controls discover the occurrence of adverse events such as operational inefficiency
• Corrective Controls are designed to remedy problems discovered through detective controls
• Security Measures are intended to provide adequate safeguards over access to and use of assets and data records
Categories of Control Activities
1) Computer Controls
(a) General Controls
(b) Application Controls
2) Physical Controls
(a) Transaction Authorization
(b) Segregation of Duties
(c) Supervision
(d) Accounting Records
(e) Access Controls
(f) Independent Verification
(2) Physical Controls
Relate primarily to the human activities employed in accounting systems (manual or computer-based), e.g. physical custody of assets.
Do not relate to the computer logic that actually performs these accounting tasks.
Six categories:
(a) Transaction Authorization
(b) Segregation of Duties
(c) Supervision
(d) Accounting Records
(e) Access Controls
(f) Independent Verification
(a) Transaction Authorization
Procedure to ensure that employees process only valid transactions within the scope of their authority
The empowerment of an employee to perform certain functions within an organization. Ex: to purchase or sell on behalf of the company.
Purpose: to ensure that all material transactions processed by the information system are valid and in accordance with management’s objectives.
Needs to include a thorough review of supporting information to verify the processing and validity of the transaction.
Transaction Authorization (Cont…)
May be general or specific.
General authority:
• Granted to operations personnel to perform day-to-day operations without specific approval.
• Ex. authorize the purchase of inventory from a designated vendor only when inventory levels fall to their predetermined reorder points.
Specific authority:
• Deals with case-by-case decisions associated with nonroutine transactions.
• Requires an employee to get special approval before handling a transaction.
• Ex. the decision to extend a particular customer’s credit limit beyond the normal amount.
• Usually a management responsibility.
(b) Segregation of Duties
The separation of assigned duties and responsibilities so that no single employee can both perpetrate and conceal errors or irregularities.
Authorization for a transaction is separate from the processing of the transaction.
Responsibility for the custody of assets should be separate from the recordkeeping responsibility.
The organization should be structured so that a successful fraud requires collusion between two or more individuals with incompatible responsibilities.
(b) Segregation of Duties (Cont…)
3 separate functions:
(a) Authorization – approving transactions and decisions
(b) Recording – preparing source documents; entering data into online systems; maintaining journals, ledgers, files or databases; preparing reconciliations; and preparing performance reports.
(c) Custody – handling cash, tools, inventory, or fixed assets; receiving incoming customer checks; writing checks on the organization’s bank account.
(c) Supervision
A control activity involving the critical oversight of employees.
Often called a compensating control. In small organizations or in functional areas that lack sufficient personnel, management must compensate for the absence of segregation controls with close supervision.
(d) Accounting Records
A document, journal, or ledger used in transaction cycles.
These records capture the economic essence of transactions and provide an audit trail of economic events.
Audit trail enables the auditor to trace any transaction through all phases of its processing from the initiation of the event to the financial statements.
(e) Access Controls
Controls that ensure that only authorized personnel have access to the firm’s assets.
Can be direct or indirect.
• Direct: physical security devices, e.g. locks, safes, fences, electronic and infrared alarm systems.
• Indirect: access to the records and documents that control the use, ownership, & disposition of the asset.
• E.g. an individual with access to all the relevant accounting records can destroy the audit trail that describes a particular sales transaction.
(f) Independent Verification (I.V)
Verification procedure: independent checks of the accounting system to identify errors and misrepresentations.
Ex: reconcile batch totals at points during transaction processing, compare physical assets with accounting records.
Differs from supervision because it takes place after the fact, by an individual who is not directly involved with the transaction or task being verified.
Through I.V procedures, management can assess:
a) the performance of individuals
b) the integrity of the transaction processing system
c) the correctness of data contained in accounting records.
(1) Computer Controls
Relate specifically to the IT environment and IT auditing. Two categories:
(a) General controls
(b) Application controls
A. General Controls
Pertain to all activities involving a firm’s AIS and resources (assets).
Pertain to entity-wide concerns such as controls over the data center, organization databases, systems development, & program maintenance.
Their purpose is to ensure that the firm’s overall computer system is stable and well managed.
Categories:
(a) Segregation of duties within the systems function
(b) Physical access controls
(c) Logical access controls
(d) Data storage controls
(e) Data transmission controls
(f) Internet and e-Commerce controls
(i) Segregation of Duties Within the Systems Function
Implementing control procedures to clearly divide authority and responsibility duties within the information system function to prevent employees from perpetrating and concealing fraud.
In a highly integrated AIS, procedures that used to be performed by separate individuals are combined.
Any person who has unrestricted access to the computer, its programs, and live data could have the opportunity to both perpetrate and conceal fraud.
(i) Segregation of Duties Within the Systems Function (Cont…)
Authority and responsibility must be clearly divided among the following functions:
1. Systems administration
2. Network management
3. Security management
4. Change management
5. Users
6. Systems analysis
7. Programming
8. Computer operations
9. Information system library
10. Data control
(ii) Physical Access Controls
The ability to physically use computer equipment. How can physical access security be achieved?
– Place computer equipment in locked rooms and restrict access to authorized personnel
– Have only one or two entrances to the computer room
– Require proper employee ID
– Require that visitors sign a log
– Use a security alarm system
– Restrict access to private secured telephone lines and terminals or PCs
– Install locks on PCs
– Restrict access to off-line programs, data and equipment
– Locate hardware and other critical system components away from hazardous materials
– Install fire and smoke detectors and fire extinguishers that do not damage computer equipment
(iii) Logical Access Controls
The ability to use computer equipment to access company data.
Users should be allowed access only to the data they are authorized to use and then only to perform specific authorized functions.
What are some logical access controls?
– passwords
– physical possession identification
– biometric identification
– compatibility tests
Protection of PCs and Client/Server Networks
Many of the policies and procedures for mainframe control are applicable to PCs and networks.
The following controls are also important:
• Train users in PC-related control concepts.
• Restrict access by using locks and keys on PCs.
• Establish policies and procedures.
Protection of PCs and Client/Server Networks (Cont…)
• Portable PCs should not be stored in cars.
• Keep sensitive data in the most secure environment possible.
• Install software that automatically shuts down a terminal after it has been idle for a certain amount of time.
• Back up hard disks regularly.
• Encrypt or password protect files.
• Build protective walls around operating systems.
• Ensure that PCs are booted up within a secure system.
• Use multilevel password controls to limit employee access to incompatible data.
• Use specialists to detect holes in the network.
(iv) Data Storage Controls
Computer storage is the holding of data in an electromagnetic form for access by a computer processor.
Primary storage is data in random access memory (RAM) and other "built-in" devices.
Secondary storage is data on hard disk, tapes, and other external devices.
***Random Access Memory***
The place in a computer where the operating system, application programs, and data in current use are kept so that they can be quickly reached by the computer’s processor.
The memory in a computer that can be overwritten with new information repeatedly. It is erased when the computer is turned off.
(v) Data Transmission Controls
Methods of monitoring the network to detect weak points, maintain backup documents, and ensure that the system can still communicate if one of the communications paths should fail.
Designed to minimize the risk of data transmission errors.
To reduce the risk of data transmission failures, companies should monitor the network.
Data Transmission Controls (Cont…)
Data Transmission Controls take on added importance in organizations that utilize electronic data interchange (EDI) or electronic funds transfer (EFT).
How can data transmission errors be minimized?
– data encryption (cryptography)
– routing verification procedures
– adding parity
– message acknowledgment techniques
(vi) Internet and e-Commerce Controls
E-Commerce: the electronic execution of business transactions such as buying and selling.
Why caution should be exercised when conducting business on the Internet:
– the large and global base of people that depend on the Internet
– the variability in quality, compatibility, completeness, and stability of network products and services
– access of messages by others
– security flaws in Web sites
– attraction of hackers to the Internet
What controls can be used to secure Internet activity?
– passwords
– encryption technology
– routing verification procedures
Internet and e-Commerce Controls (Cont…)
Another control is installing a firewall, hardware and software that control communications between a company’s internal network (trusted network) and an external network.
• The firewall is a barrier between the networks that allows only authorized information to flow into and out of the trusted network.
Electronic envelopes can protect e-mail messages
B. Application Controls
Pertain directly to the transaction processing systems. Ensure the integrity of specific systems (ex: sales order processing, accounts payable, & payroll applications).
Objective: to ensure that all transactions are legitimately authorized and accurately recorded, classified, processed, and reported.
Application controls are subdivided into:
1) input,
2) processing, and
3) output controls.
(i) Input Controls
Controls that ensure only accurate, valid, and authorized data are entered into the system.
Input controls may be subdivided into:
(a) Data observation and recording
(b) Data transcription (batching and converting)
(c) Edit tests of transaction data
(d) Transmission of transaction data
(a) Controls for Data Observation and Recording
• The use of pre-numbered documents
• Keeping blank forms under lock and key
Online computer systems offer the following features:
• Menu screens
• Preformatted screens
• Using scanners that read bar codes or other preprinted documents to reduce input errors
• Using feedback mechanisms such as a confirmation slip to approve a transaction
• Using echo routines
(b) Data Transcription
Refers to the preparation of data for computerized processing and includes:
• Carefully structured source documents and input screens
• Batch control totals that help prevent the loss of transactions and the erroneous posting of transaction data
• The use of batch control logs in the batch control section
• Amount control total: totals the values in an amount or quantity field
• Hash total: totals the values in an identification field
• Record count: totals the number of source documents (transactions) in a batch
Data Transcription (Cont…) (Conversion of Transaction Data)
• Key Verification, which consists of re-keying data and comparing the results of the two keying operations
• Visual Verification, which consists of comparing data from original source documents against converted data.
Examples of Batch Control Totals
• Financial control total - totals up dollar amounts (e.g., total of sales invoices)
• Non-financial control total - computes non-dollar sums (e.g., number of hours worked by employees)
• Record count - totals the number of source documents once when batching transactions and then again when performing the data processing
• Hash total - a sum that is meaningless except for internal control purposes (e.g., sum of customer account numbers)
(c) Edit Tests of Transaction Data
Definition and Purpose of Edit Tests
Edit tests (programmed checks) are most often validation routines built into application software.
The purpose of edit tests is to examine selected fields of input data and to reject those transactions whose data fields do not meet the pre-established standards of data quality.
Examples of Edit Tests (Programmed Checks)
• Validity Check (e.g., M = male, F = female)
• Limit Check (e.g., hours worked do not exceed 40 hours)
• Reasonableness Check (e.g., increase in salary is reasonable compared to base salary)
• Field Check (e.g., numbers do not appear in fields reserved for words)
• Sequence Check (e.g., successive input data are in some prescribed order)
• Range Check (e.g., particular fields fall within specified ranges - pay rates for hourly employees in a firm should fall between $8 and $20)
• Relationship Check (logically related data elements are compatible - employee rated as “hourly” gets paid at a rate within the range of $8 and $20)
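The edit tests above written out as one validation routine over a constructed payroll batch (an added example, not code from the slides). The $8 to $20 rate range and the 40-hour limit come from the slide; the record layout, the 20% raise threshold for the reasonableness check and the hourly/salaried rule behind the relationship check are assumptions.

```python
"""Edit tests (programmed checks) applied to a payroll input batch.
Each check corresponds to one check listed on the slide; a transaction that
fails any check is rejected together with the names of the failed checks.
Constructed example, not code from the original slides."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HOURLY_RATE_MIN, HOURLY_RATE_MAX = 8.0, 20.0  # range check limits given on the slide
MAX_HOURS = 40                                 # limit check value given on the slide
MAX_RAISE_FRACTION = 0.20                      # assumed reasonableness threshold


@dataclass(frozen=True)
class PayrollRecord:
    seq: int             # input sequence number
    emp_name: str        # field reserved for words
    gender: str          # coded field: "M" or "F"
    pay_type: str        # "hourly" or "salaried" (assumed layout)
    hours: float         # hours worked this period (hourly staff only)
    rate: float          # hourly pay rate (hourly staff only)
    base_salary: float   # previous salary (salaried staff only, 0 otherwise)
    new_salary: float    # proposed salary (salaried staff only, 0 otherwise)


def edit_tests(rec: PayrollRecord, prev_seq: Optional[int]) -> List[str]:
    """Return the names of every check the record fails; an empty list means accept."""
    failed: List[str] = []
    # Validity check: a coded field must hold one of the permitted codes.
    if rec.gender not in ("M", "F"):
        failed.append("validity")
    # Limit check: hours worked must not exceed the fixed limit.
    if rec.hours > MAX_HOURS:
        failed.append("limit")
    # Reasonableness check: a salary increase is judged against the base salary.
    if rec.base_salary > 0 and (rec.new_salary - rec.base_salary) / rec.base_salary > MAX_RAISE_FRACTION:
        failed.append("reasonableness")
    # Field check: no digits in a field reserved for words.
    if any(ch.isdigit() for ch in rec.emp_name):
        failed.append("field")
    # Sequence check: input records must arrive in ascending sequence order.
    if prev_seq is not None and rec.seq <= prev_seq:
        failed.append("sequence")
    # Range check: an hourly pay rate must fall within the specified range.
    if rec.pay_type == "hourly" and not (HOURLY_RATE_MIN <= rec.rate <= HOURLY_RATE_MAX):
        failed.append("range")
    # Relationship check (assumed rule): hourly staff carry hours and a rate,
    # salaried staff carry neither.
    if rec.pay_type == "hourly":
        compatible = rec.hours > 0 and rec.rate > 0
    else:
        compatible = rec.hours == 0 and rec.rate == 0
    if not compatible:
        failed.append("relationship")
    return failed


def run_edit_tests(batch: List[PayrollRecord]) -> Dict[str, list]:
    """Screen a whole batch: accepted records go on to processing, the rest are logged for correction."""
    accepted: List[int] = []
    rejected: List[Tuple[int, List[str]]] = []
    prev_seq: Optional[int] = None
    for rec in batch:
        failed = edit_tests(rec, prev_seq)
        if failed:
            rejected.append((rec.seq, failed))
        else:
            accepted.append(rec.seq)
        prev_seq = rec.seq  # the sequence window advances either way, so a repeated number is caught
    return {"accepted": accepted, "rejected": rejected}


# Constructed input batch: two clean records followed by two with keying errors.
SAMPLE_BATCH = [
    PayrollRecord(1, "Ann Lee", "F", "hourly", 38, 12.5, 0, 0),
    PayrollRecord(2, "Bob Ray", "M", "salaried", 0, 0, 50000, 52000),
    PayrollRecord(3, "C3PO", "X", "hourly", 45, 25.0, 0, 0),            # bad code, too many hours, digit in name, rate out of range
    PayrollRecord(3, "Dee Kim", "F", "salaried", 10, 0, 40000, 60000),  # repeated seq, 50% raise, hours on a salaried record
]

if __name__ == "__main__":
    print(run_edit_tests(SAMPLE_BATCH))
```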
(d) Transmission of Transaction Data
When data must be transmitted from the point of origin to the processing center and data communications facilities are used, the following checks should also be considered:
• Echo Check - transmitting data back to the originating terminal for comparison with the transmitted data
• Redundancy Data Check - transmitting additional data to aid in the verification process
• Completeness Check - verifying that all required data have been entered and transmitted.
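The three transmission checks as a small sender/receiver simulation (an added example, not code from the slides): a parity bit is the redundant data added to each byte, the originating terminal compares the echoed frame with what it sent, and the decoded record is checked for required fields. The key=value record layout and its required field names are assumptions; the block also shows the caveat that one parity bit cannot detect two flipped bits in the same byte, which is what the echo check is for.

```python
"""Data transmission checks for transaction records sent from a remote terminal:
a parity bit as redundant data on every byte, an echo check at the originating
terminal, and a completeness check on the decoded record.
Constructed example, not code from the original slides."""
from typing import Any, Dict, List

# Assumed record layout: "key=value;key=value" with these mandatory fields.
REQUIRED_FIELDS = ("doc_no", "customer_acct", "amount")


def even_parity_frame(payload: bytes) -> bytes:
    """Sender side: set bit 7 of each 7-bit ASCII byte so every byte has an even number of 1 bits."""
    framed = bytearray()
    for b in payload:
        if b > 0x7F:
            raise ValueError("parity framing needs 7-bit data")
        framed.append(b | 0x80 if bin(b).count("1") % 2 else b)
    return bytes(framed)


def parity_errors(frame: bytes) -> List[int]:
    """Receiver side: indexes of bytes whose 1-bit count is odd, i.e. corrupted in transit."""
    return [i for i, b in enumerate(frame) if bin(b).count("1") % 2]


def strip_parity(frame: bytes) -> bytes:
    """Drop the parity bit to recover the original 7-bit payload."""
    return bytes(b & 0x7F for b in frame)


def flip_bit(frame: bytes, byte_index: int, bit: int) -> bytes:
    """Simulate a line error by inverting one bit of one byte."""
    damaged = bytearray(frame)
    damaged[byte_index] ^= 1 << bit
    return bytes(damaged)


def echo_check(sent: bytes, echoed: bytes) -> bool:
    """Originating terminal compares the frame echoed back by the receiver with what it sent."""
    return sent == echoed


def completeness_check(record: str) -> List[str]:
    """Names of required fields that are absent or empty in the decoded record."""
    fields: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return [name for name in REQUIRED_FIELDS if not fields.get(name)]


def receive(frame: bytes) -> Dict[str, Any]:
    """Receiver pipeline: reject on a parity error first, then on an incomplete record."""
    bad = parity_errors(frame)
    if bad:
        return {"accepted": False, "reason": "parity", "bad_bytes": bad}
    record = strip_parity(frame).decode("ascii")
    missing = completeness_check(record)
    if missing:
        return {"accepted": False, "reason": "incomplete", "missing": missing}
    return {"accepted": True, "record": record}


if __name__ == "__main__":
    sent = even_parity_frame(b"doc_no=1001;customer_acct=10234;amount=150.00")
    print(receive(sent))
    print(receive(flip_bit(sent, 3, 0)))              # one flipped bit: caught by parity
    two = flip_bit(flip_bit(sent, 3, 0), 3, 1)         # two flips in one byte: parity is silent
    print(parity_errors(two), echo_check(sent, two))   # only the echo check sees it
```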
(ii) Processing Controls
Controls that ensure that all transactions are processed accurately and completely and that all files and records are properly updated.
Processing Controls (Cont…)
Categories of processing controls include:
(a) Manual Cross-Checks - include checking the work of another employee, reconciliations and acknowledgments
(b) Processing Logic Checks - many of the programmed edit checks, such as sequence checks and reasonableness checks (e.g., payroll records) used in the input stage, may also be employed during processing
(c) Run-to-Run Totals - batched data should be controlled during processing runs so that no records are omitted or incorrectly inserted into a transaction file
(d) File and Program Changes - to ensure that transactions are posted to the proper account, master files should be checked for correctness, and programs should be validated
(e) Audit Trail Linkages - a clear audit trail is needed to enable individual transactions to be traced, to provide support in general ledger balances, to prepare financial reports and to correct transaction errors or lost data
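The batch control totals defined under Data Transcription and the run-to-run comparison from (c) above, carried through a constructed batch of sales invoices (an added example, not code from the slides). The invoice fields and the simulated processing-run failures are assumptions; what it shows is that a hash total over customer account numbers catches a mis-keyed account that the record count and financial total cannot.

```python
"""Batch control totals (record count, financial, non-financial and hash totals)
and the run-to-run comparison that carries them through processing.
Constructed example with made-up invoice data, not code from the original slides."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Invoice:
    doc_no: int            # pre-numbered source document
    customer_acct: int     # identification field summed for the hash total
    quantity: int          # non-financial field
    amount: Decimal        # financial field


@dataclass(frozen=True)
class BatchTotals:
    record_count: int
    financial_total: Decimal
    nonfinancial_total: int
    hash_total: int


TOTAL_NAMES = ("record_count", "financial_total", "nonfinancial_total", "hash_total")


def compute_totals(batch: List[Invoice]) -> BatchTotals:
    """The totals written to the batch control log when the batch is keyed."""
    return BatchTotals(
        record_count=len(batch),
        financial_total=sum((inv.amount for inv in batch), Decimal("0")),
        nonfinancial_total=sum(inv.quantity for inv in batch),
        hash_total=sum(inv.customer_acct for inv in batch),
    )


def compare_totals(control: BatchTotals, observed: BatchTotals) -> List[str]:
    """Names of the control totals that no longer agree; an empty list means the batch is intact."""
    return [name for name in TOTAL_NAMES if getattr(control, name) != getattr(observed, name)]


def run_to_run(control: BatchTotals, runs: List[Tuple[str, List[Invoice]]]) -> Dict[str, List[str]]:
    """Recompute the totals after each processing run and report which run broke which total."""
    return {name: compare_totals(control, compute_totals(output)) for name, output in runs}


# Constructed batch of three sales invoices, as keyed from the source documents.
KEYED_BATCH = [
    Invoice(1001, 10234, 3, Decimal("150.00")),
    Invoice(1002, 20571, 1, Decimal("89.50")),
    Invoice(1003, 10234, 2, Decimal("40.25")),
]
CONTROL_LOG = compute_totals(KEYED_BATCH)

# Simulated outputs of successive runs (constructed failures):
#  - edit run: every record passes through unchanged
#  - update run: one record is dropped
#  - re-keyed run: two digits of one customer account number are transposed;
#    only the hash total can see this, count and amounts are unchanged
PROCESSING_RUNS = [
    ("edit_run", KEYED_BATCH),
    ("update_run", KEYED_BATCH[:2]),
    ("rekeyed_run", [KEYED_BATCH[0], Invoice(1002, 20751, 1, Decimal("89.50")), KEYED_BATCH[2]]),
]


def demo() -> Dict[str, List[str]]:
    return run_to_run(CONTROL_LOG, PROCESSING_RUNS)


if __name__ == "__main__":
    for run, broken in demo().items():
        print(run, "OK" if not broken else "mismatch in " + ", ".join(broken))
```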
(iii) Output Controls
Controls that regulate system output. Outputs should be complete and reliable and should be distributed to the proper recipients.
Two major types of output controls are:
(a) validating processing results
• Activity (or proof account) listings document processing activity and reflect changes made to master files
• Because of the high volume of transactions, large companies may elect to review exception reports that highlight material changes in master files
(iii) Output Controls (Cont…)
(b) regulating the distribution and use of printed output
• Reports should only be distributed to appropriate users by reference to an authorized distribution list
• Sensitive reports should be shredded after use instead of being discarded
Learning Objective 5.5
Computer Based Information System (CBIS)
Effects of CBIS on Traditional Control Activities
The purpose of this section is to reconcile traditional control concerns with the CBIS environment.
SAS 78 control activities:
(1) transaction authorization
(2) segregation of duties
(3) supervision
(4) access control
(5) accounting records
(6) independent verification
(1) Transaction Authorization
Ensure that an organization’s employees process only valid transactions within the scope of prescribed authority.
In a CBIS, transactions are often authorized by rules embedded within computer programs.
(2) Segregation of Duties
Duties that must be separated in a manual system may be combined in a computerized setting.
The computer-based functions of programming, processing, and maintenance must be separated.
A computer program may perform many tasks that are deemed incompatible.
In a computerized system, segregation should exist between:
• Program coding/programming
• Program processing
• Program maintenance
(3) Supervision
More supervision is typically necessary in a CBIS because:
• highly skilled employees generally have a higher turnover rate
• highly skilled employees are often in positions of authority
• physical observation of employees working with the system is often difficult or impractical
(4) Access Controls
Tight control is necessary over access to programs and files.
Fraud is easier to commit since records are located in one data repository.
Data consolidation exposes the organization to computer fraud and excessive losses from disaster.
(5) Accounting Records
Source documents and ledgers may be stored magnetically with no “paper trail.”
Expertise is required to understand the links. Ledger accounts and sometimes source documents are kept magnetically.
• No audit trail is readily apparent.
(6) Independent Verification
Need to review the internal logic of programs and to compare accounting records with physical assets.
Management must assess:
• the performance of individuals
• the integrity of the transaction processing system
• the correctness of data contained in accounting records
When tasks are performed by the computer rather than manually, an independent check of each task is not necessary.
However, the programs themselves are checked.
Independent Verification (Cont…)
Examples:
1) Reconciliation of batch totals at periodic points during transaction processing
2) Comparison of physical assets with accounting records
3) Reconciliation of subsidiary accounts with control accounts
4) Reviews by management of reports that summarize business activity
5) Periodic audits by independent internal and external auditors
Internal Control Limitations
• Staff size
• Human error, misunderstandings, fatigue, stress
• No out-of-pocket costs
• Designing and establishing effective internal control is not always a simple task and cannot always be accomplished through a short set of quick fixes.
*** there is no such thing as a perfect control system ***
End of Chapter 5