Accounting Question

I have an accounting question and need support to help me learn.

Assignment Question(s): (Marks 15)

Question 1: (04 Marks)
Explain how an Accounting Information System (AIS) adds value to the organization, using examples of Saudi companies.
Answer:

Question 2: (03 Marks)
Give examples of Saudi companies that are using ERP, and what are the advantages of implementing the ERP?
Answer:

Question 3: (04 Marks)
What motives do people have for hacking? Why has hacking become so popular in recent years? Do you regard it as a crime? Explain your position.
Answer:

Question 4: (02 Marks)
Identify the corporate opportunities that make fraud easier to commit and detection less likely.
Answer:

Question 5: (02 Marks)
Personal information about customers is collected, used, disclosed, and maintained only in compliance with internal policies and external regulatory requirements and is protected from unauthorized disclosure. With reference to privacy concerns, how would you deal with the spam and identity theft problems of your business organization?
Answer:

Requirements: 3500-4500 | .doc file
Chapter 1: Accounting Information Systems: An Overview
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall

Learning Objectives
- Distinguish between data and information.
- Discuss the characteristics of useful information.
- Explain how to determine the value of information.
- Explain the decisions an organization makes and the information needed to make them.
- Identify the information that passes between internal and external parties and an AIS.
- Describe the major business processes present in most companies.
- Explain what an accounting information system (AIS) is and describe its basic functions.
- Discuss how an AIS can add value to an organization.
- Explain how an AIS and corporate strategy affect each other.
- Explain the role an AIS plays in a company's value chain.

What Is a System?
- System: a set of two or more interrelated components interacting to achieve a goal.
- Goal conflict: occurs when components act in their own interest without regard for the overall goal.
- Goal congruence: occurs when components acting in their own interest contribute toward the overall goal.

Data vs. Information
- Data are facts that are recorded and stored; on their own they are insufficient for decision making.
- Information is processed data used in decision making.
- Too much information, however, makes decisions harder, not easier. This is known as information overload.

Value of Information
- Benefits: reduce uncertainty, improve decisions, improve planning, improve scheduling.
- Costs: the time and resources spent producing and distributing the information.
- Information is worth producing when the benefit ($) exceeds the cost ($).

What Makes Information Useful?
Necessary characteristics:
- Relevant: "The capacity of information to make a difference in a decision by helping users to form predictions about the outcomes of past, present, and future events or to confirm or correct prior expectations."
- Reliable: "The quality of information that assures that information is reasonably free from error and bias and faithfully represents what it purports to represent."
- Complete: "The inclusion in reported information of everything material that is necessary for faithful representation of the relevant phenomena."
- Timely: "Having information available to a decision maker before it loses its capacity to influence decisions."
- Understandable: "The quality of information that enables users to perceive its significance."
- Verifiable: "The ability through consensus among measurers to ensure that information represents what it purports to represent or that the chosen method of measurement has been used without error or bias."
- Accessible: available when needed (see Timely) and in a useful format (see Understandable).

Business Processes
- Systems working toward organizational goals.
- Business process cycles: revenue, expenditure, production, human resources, financing.

Business Transactions
- Give-get exchanges between two entities, measured in economic terms.
- (Slide: business cycle give-get diagram; image not included.)

Accounting Information Systems
- Collect, process, store, and report data and information.
- If accounting is the language of business, the AIS is the vehicle that provides the information; accounting is itself an information system (Accounting = AIS).

Components of an AIS
- People using the system
- Procedures and instructions for collecting, processing, and storing data
- Data
- Software
- Information technology (IT) infrastructure: computers, peripherals, networks, and so on
- Internal control and security measures that safeguard the system and its data

AIS and Business Functions
- Collect and store data about organizational activities, resources, and personnel.
- Transform data into information that enables management to plan, execute, control, and evaluate activities, resources, and personnel.
- Provide adequate controls to safeguard assets and data.

AIS Value Add
- Improve quality and reduce costs
- Improve efficiency
- Improve sharing of knowledge
- Improve the supply chain
- Improve internal control
- Improve decision making

Improve Decision Making
- Identify situations that require action.
- Provide alternative choices.
- Reduce uncertainty.
- Provide feedback on previous decisions.
- Provide accurate and timely information.

Value Chain
- The set of activities a product or service moves along before it is sold to a customer as output.
- At each activity the product or service gains value.
- Primary activities (slide: diagram; image not included).
- Support activities: firm infrastructure, human resources, technology, purchasing.

AIS and Corporate Strategy
- Organizations have limited resources, so investments in the AIS should go where they have the greatest impact on ROI.
- Organizations need to understand IT developments, business strategy, and organizational culture.
- Each of these will affect, and be affected by, a new AIS.
Chapter 2: Overview of Transaction Processing and ERP Systems

Learning Objectives
- Describe the four major steps in the data processing cycle.
- Describe the major activities in each cycle.
- Describe the documents and procedures used to collect and process data.
- Describe the ways information is stored in computer-based information systems.
- Discuss the types of information that an AIS can provide.
- Discuss how organizations use ERP systems to process transactions and provide information.

Data Processing Cycle
(Slide: data processing cycle diagram; image not included.)
The data processing cycle determines:
- What data is stored?
- Who has access to the data?
- How is the data organized?
- How can unanticipated information needs be met?

Data Input: Capture
As a business activity occurs, data is collected about:
1. Each activity of interest
2. The resources affected
3. The people who are participating

Paper-Based Source Documents
- Data are collected on source documents, e.g., a sales-order form.
- Data from paper-based documents will eventually need to be transferred to the AIS.
- Turnaround documents: usually paper-based; sent from the organization to the customer, and the same document is returned by the customer to the organization.

Source Data Automation
- Source data is captured in machine-readable form at the time of the business activity.
- E.g., ATMs; point-of-sale (POS) terminals.

Data Input: Accuracy and Control
Well-designed source documents help ensure that the data captured is:
- Accurate: provide instructions and prompts, check boxes, drop-down boxes.
- Complete.
- Supported by internal control: prenumbered documents (a gap or a duplicate in the number sequence reveals a missing or double-processed document).

Data Storage
Types of AIS storage:
- Paper-based: ledgers, journals
- Computer-based

Ledgers
- General ledger: summary-level data for each asset, liability, equity, revenue, and expense account.
- Subsidiary ledger: detailed data for a general ledger (control) account that has individual sub-accounts.
  - Accounts receivable, e.g., Joe Smith $250; Patti Jones $750
  - Accounts payable, e.g., ACME Inc. $150; Jones, Inc. $350

Journals
- General journal: infrequent or specialized transactions.
- Specialized journals: repetitive transactions, e.g., sales transactions.

Coding Techniques
- Sequence: items numbered consecutively.
- Block: a specific range of numbers is associated with a category, e.g., 10000-199999 = Electric Range.
- Group: the position of each digit in the code provides meaning.
- Mnemonic: letters and numbers that are easy to memorize; the code is derived from the description of the item.
- The chart of accounts is a type of block coding.

Group code example (product code 1241000):
Digit position | Meaning
1-2            | Product line, size, and so on
3              | Color
4-5            | Year of manufacture
6-7            | Optional features

12 = Dishwasher; 4 = White; 10 = 2010; 00 = No Options
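As an added example (not part of the slides), here are two small controls in Python built on the coding ideas above: a completeness check over prenumbered document numbers, which is the control the Data Input: Accuracy and Control slide refers to, and a decoder for the 7-digit group code. The lookup tables for product line, color and options are assumptions; the slide only decodes 12 = Dishwasher, 4 = White, 10 = 2010 and 00 = No Options, and the two-digit year is assumed to be 2000-based. The invoice numbers in the usage section are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed lookup tables for the group code (the slide decodes only one code).
PRODUCT_LINES = {"12": "Dishwasher", "13": "Electric Range"}
COLORS = {"1": "Black", "4": "White"}
OPTIONS = {"00": "No Options", "01": "Stainless Door"}


def check_sequence(numbers, first=None, last=None):
    """Completeness test over prenumbered documents.

    Returns (missing, duplicates): every number in first..last that never
    appears (a document lost or never recorded) and every number that
    appears more than once (a document processed twice). first/last default
    to the lowest and highest number seen, so a batch that does not start at
    document 1 can still be checked.
    """
    counts = Counter(numbers)
    if not counts:
        return [], []
    lo = min(counts) if first is None else first
    hi = max(counts) if last is None else last
    missing = [n for n in range(lo, hi + 1) if n not in counts]
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    return missing, duplicates


@dataclass(frozen=True)
class ProductCode:
    product_line: str
    color: str
    year: int
    options: str


def decode_group_code(code: str) -> ProductCode:
    """Split a 7-digit group code by position: 1-2 product line, 3 color,
    4-5 year of manufacture (two digits, assumed 2000-based), 6-7 options.

    Codes of the wrong shape or with values outside the tables are rejected,
    so a mistyped code is caught at entry instead of being stored.
    """
    if len(code) != 7 or not code.isdigit():
        raise ValueError(f"group code must be exactly 7 digits: {code!r}")
    line, color, yy, opts = code[0:2], code[2], code[3:5], code[5:7]
    for value, table, field in ((line, PRODUCT_LINES, "product line"),
                                (color, COLORS, "color"),
                                (opts, OPTIONS, "options")):
        if value not in table:
            raise ValueError(f"unknown {field} {value!r} in code {code!r}")
    return ProductCode(PRODUCT_LINES[line], COLORS[color],
                       2000 + int(yy), OPTIONS[opts])


if __name__ == "__main__":
    # Constructed sample: an invoice batch with two gaps and one duplicate.
    print(check_sequence([1001, 1002, 1004, 1004, 1006]))  # ([1003, 1005], [1004])
    print(decode_group_code("1241000"))
```

Run against a day's invoice numbers, `check_sequence` is the test an auditor applies to prenumbered documents; the decoder's validation step is what makes a group code useful as an input control rather than only as a label.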
Computer-Based Storage
- Entity: a person, place, or thing (a noun); something an organization wishes to store data about.
- Attributes: facts about the entity.
- Fields: where attributes are stored.
- Records: a group of related attributes about an entity.
- File: a group of related records.

File Types
- Transaction file: contains records of business transactions from a specific period of time.
- Master file: permanent records, updated with the transactions in the transaction file.
- Database: a set of interrelated files.

Data Processing
Four main activities:
1. Create new records
2. Read existing records
3. Update existing records
4. Delete records or data from records

Data Output Types
- Soft copy: displayed on a screen.
- Hard copy: printed on paper.

ERP Systems

Enterprise Resource Planning (ERP)
Integrates an organization's information into one overall AIS. ERP modules:
- Financial
- Human resources and payroll
- Order to cash
- Purchase to pay
- Manufacturing
- Project management
- Customer relationship management
- System tools

ERP Advantages
- Integration of an organization's data and financial information
- Data is captured once
- Greater management visibility, increased monitoring
- Better access controls
- Standardizes business operating procedures
- Improved customer service
- More efficient manufacturing

ERP Disadvantages
- Cost
- Time-consuming to implement
- Changes to an organization's existing business processes can be disruptive
- Complex
- Resistance to change
Chapter 3: Systems Documentation Techniques

Learning Objectives
- Prepare and use data flow diagrams to understand, evaluate, and document information systems.
- Prepare and use flowcharts to understand, evaluate, and document information systems.

What Is Documentation?
- A set of documents and models: narratives, data flow models, flowcharts.
- They describe the who, what, why, when, and where of systems: input, process, storage, output, and controls.

Why Should You Learn Documentation?
- You need to be able to read documentation in all its forms: narratives, diagrams, models.
- You need to be able to evaluate the quality of systems, such as internal control, based in part on documentation.
- SAS 94 requires independent auditors to understand all internal control procedures; documentation assists auditors in gaining, and in recording, that understanding.
- Sarbanes-Oxley states that management is responsible for the internal control system and for assessing its effectiveness; both management and the external auditors need to document and test the internal control system.

Data Flow Diagrams
- Graphically describe the flow of data within a system.
- Four basic elements: entity, process, data flow, data store.
  - Entity: a source of data (input into the system) or a destination of data (output from the system).
  - Data flow: movement of data among entities (sources or destinations), processes, and data stores; the label should describe the information moving.
  - Process: the transformation of data.
  - Data store: data at rest.

Data Flow Diagram Levels
- Context diagram: the highest (most general) level. Purpose: show inputs to and outputs from the system. Characteristics: one process symbol only, no data stores.
- Level-0 diagram. Purpose: show all major activity steps of the system. Characteristics: processes are labeled 1.0, 2.0, and so on.

DFD Creation Guidelines
- Understand the system.
- Ignore certain aspects of the system.
- Determine system boundaries.
- Develop a context DFD.
- Identify data flows.
- Group data flows.
- Number each process.
- Identify transformational processes.
- Group transformational processes.
- Identify all data stores.
- Identify all sources and destinations.
- Label all DFD elements.
- Subdivide the DFD.

Flowcharts
- Use symbols to logically depict transaction processing and the flow of data through a system.
- A pictorial representation is easier to understand and explain than a detailed narrative.
- Symbol categories: input/output, processing, storage, miscellaneous. (Slides: symbol tables; images not included.)

Types of Flowcharts
- Document flowchart: illustrates the flow of documents through an organization; useful for analyzing internal control procedures.
- System flowchart: a logical representation of system inputs, processes, and outputs; useful in systems analysis and design.
- Program flowchart: represents the logical sequence of program logic.
(Slides: example document, system, and program flowcharts; images not included.)
Chapter 4: Relational Databases

Learning Objectives
- Explain the importance and advantages of databases.
- Describe the difference between database systems and file-based legacy systems.
- Explain the difference between logical and physical views of a database.
- Explain fundamental concepts of database systems such as DBMS, schemas, the data dictionary, and DBMS languages.
- Describe what a relational database is and how it organizes data.
- Create a set of well-structured tables to store data in a relational database.
- Perform simple queries using the Microsoft Access database.

Data Hierarchy
- Field: an attribute about an entity
- Record: a related group of fields
- File: a related group of records
- Database: a related group of files

Advantages of Database Systems
- Data integration: files are logically combined and made accessible to various systems.
- Data sharing: with data in one place it is more easily accessed by authorized users.
- Minimizing data redundancy and data inconsistency: eliminates the same data being stored in multiple files, thus reducing inconsistency between multiple versions of the same data.
- Data independence: data is separate from the programs that access it. Changes can be made to the data without necessitating a change in the programs, and vice versa.
- Cross-functional analysis: relationships between data from various organizational departments can be more easily combined.

Database Terminology
- Database management system (DBMS): the interface between software applications and the data in files.
- Database administrator (DBA): the person responsible for maintaining the database.
- Data dictionary: information about the structure of the database (field names, descriptions, uses).

Logical vs. Physical
- Physical view: depends on explicitly knowing how the data is actually arranged in a file and where the data is stored on the computer.
- Logical view: a schema separates storage of the data from use of the data, so it is unnecessary to explicitly know how and where data is stored.

Schemas
Describe the logical structure of a database.
- Conceptual level: organization-wide view of the data.
- External level: an individual user's view of the data; each view is a subschema.
- Internal level: describes how data are stored and accessed; a description of records, definitions, addresses, and indexes.

DBMS Languages
- Data definition language (DDL): builds the data dictionary, creates the database, describes the subschemas, and specifies record or field security constraints.
- Data manipulation language (DML): changes the content of the database (updates, insertions, and deletions).
- Data query language (DQL): enables the retrieval, sorting, and display of data from the database.

Relational Database
- The relational data model represents the conceptual and external level schemas as if data are stored in tables.
- Table: each row (a tuple) contains data about one instance of an entity; this is equivalent to a record. Each column contains data about one attribute of an entity; this is equivalent to a field.
- (Slide: a relational table. Each row contains multiple attributes describing an instance of the entity, in this case inventory; each column holds the same type of data.)

Attributes
- Primary key: an attribute or combination of attributes that can be used to uniquely identify a specific row (record) in a table.
- Foreign key: an attribute in one table that is a primary key in another table; used to link the two tables.

Database Design Errors
If a database is not designed properly, data errors can occur.
- Update anomaly: changes to existing data are not correctly recorded, because multiple records carry the same data attributes and not all of them get changed.
- Insert anomaly: unable to add a record to the database.
- Delete anomaly: removing a record also removes unintended data from the database.

Design Requirements for a Relational Database
1. Every column must be single valued.
2. Primary keys must contain data (not null).
3. Foreign keys must contain the same data as the primary key in another table.
4. All other attributes must identify a characteristic of the table identified by the primary key.

Normalizing Relational Databases
- Initially, one table is used for all the data in a database.
- Following rules, the table is decomposed into multiple tables related by primary key-foreign key integration.
- The decomposed set of tables is in third normal form (3NF).
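As an added example (not from the slides), the following Python program uses SQLite to store the same sales data two ways: in one wide table, which exhibits the update anomaly described above, and in a customer table plus a sale table linked by a primary key-foreign key pair with referential integrity enforced, which is what design requirement 3 and the delete-anomaly rule buy you. Table and column names, and the two customers and three sales, are constructed for the example.

```python
import sqlite3

# Constructed sample data: (id, name, city) and (invoice, cust_id, amount).
CUSTOMERS = [(1, "ACME Inc.", "Riyadh"), (2, "Jones, Inc.", "Jeddah")]
SALES = [(101, 1, 150.0), (102, 1, 200.0), (103, 2, 350.0)]


def flat_design():
    """One table that repeats the customer's name and city on every sale."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE sales_flat (invoice INTEGER PRIMARY KEY, "
                "cust_id INTEGER, cust_name TEXT, city TEXT, amount REAL)")
    by_id = {c[0]: c for c in CUSTOMERS}
    con.executemany(
        "INSERT INTO sales_flat VALUES (?,?,?,?,?)",
        [(inv, cid, by_id[cid][1], by_id[cid][2], amt) for inv, cid, amt in SALES])
    return con


def update_anomaly(con):
    """Rename customer 1 on a single row, as a careless update would.
    The same customer now has two different names in the database."""
    con.execute("UPDATE sales_flat SET cust_name='ACME Ltd.' WHERE invoice=101")
    rows = con.execute(
        "SELECT DISTINCT cust_name FROM sales_flat WHERE cust_id=1").fetchall()
    return sorted(r[0] for r in rows)


def normalized_design():
    """Customer data stored once; sale.cust_id is a foreign key to customer.id."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FKs unless enabled
    con.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, "
                "name TEXT NOT NULL, city TEXT)")
    con.execute("CREATE TABLE sale (invoice INTEGER PRIMARY KEY, "
                "cust_id INTEGER NOT NULL REFERENCES customer(id), "
                "amount REAL NOT NULL)")
    con.executemany("INSERT INTO customer VALUES (?,?,?)", CUSTOMERS)
    con.executemany("INSERT INTO sale VALUES (?,?,?)", SALES)
    return con


def rename_customer(con, cust_id, new_name):
    """One update fixes every sale, because the name is stored once."""
    con.execute("UPDATE customer SET name=? WHERE id=?", (new_name, cust_id))
    rows = con.execute(
        "SELECT DISTINCT c.name FROM sale s JOIN customer c ON c.id = s.cust_id "
        "WHERE s.cust_id=?", (cust_id,)).fetchall()
    return [r[0] for r in rows]


def insert_orphan_sale(con):
    """Design requirement 3: a foreign key must match an existing primary key.
    Returns True if the DBMS rejected a sale for a customer that does not exist."""
    try:
        con.execute("INSERT INTO sale VALUES (104, 99, 10.0)")
        return False
    except sqlite3.IntegrityError:
        return True


def delete_customer_with_sales(con):
    """Guard against the delete anomaly: removing a customer who still has
    sales is refused, so no sale row is left pointing at nothing."""
    try:
        con.execute("DELETE FROM customer WHERE id=1")
        return False
    except sqlite3.IntegrityError:
        return True


if __name__ == "__main__":
    print("flat design after one-row rename:", update_anomaly(flat_design()))
    db = normalized_design()
    print("normalized rename:", rename_customer(db, 1, "ACME Ltd."))
    print("orphan sale rejected:", insert_orphan_sale(db))
    print("delete of referenced customer rejected:", delete_customer_with_sales(db))
```

Note the `PRAGMA foreign_keys = ON`: SQLite accepts `REFERENCES` clauses in the DDL but does not enforce them until that pragma is set on the connection, so a normalized schema alone is not the control; the enforcement setting is.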
Microsoft Access Queries #1 to #5
(Slides: screenshots of five example queries built in Microsoft Access; images not included.)
Chapter 5: Computer Fraud

Learning Objectives
- Explain the threats faced by modern information systems.
- Define fraud and describe the process one follows to perpetrate a fraud.
- Discuss who perpetrates fraud and why it occurs, including the pressures, opportunities, and rationalizations that are present in most frauds.
- Define computer fraud and discuss the different computer fraud classifications.
- Explain how to prevent and detect computer fraud and abuse.

Common Threats to AIS
- Natural disasters and terrorist threats
- Software errors and/or equipment malfunction
- Unintentional acts (human error)
- Intentional acts (computer crimes)

What Is Fraud?
Gaining an unfair advantage over another person. The elements of fraud:
- A false statement, representation, or disclosure
- A material fact that induces a person to act
- An intent to deceive
- A justifiable reliance on the fraudulent fact, on which a person takes action
- An injury or loss suffered by the victim
Individuals who commit fraud are referred to as white-collar criminals.

Forms of Fraud
- Misappropriation of assets: theft of a company's assets. The largest factors in theft of assets are the absence of an internal control system and failure to enforce the internal control system.
- Fraudulent financial reporting: "...intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements" (the Treadway Commission).

Reasons for Fraudulent Financial Statements
1. Deceive investors or creditors
2. Increase a company's stock price
3. Meet cash flow needs
4. Hide company losses or other problems

Treadway Commission Actions to Reduce Fraud
1. Establish an environment which supports the integrity of the financial reporting process.
2. Identify the factors that lead to fraud.
3. Assess the risk of fraud within the company.
4. Design and implement internal controls to provide assurance that fraud is being prevented.

SAS #99: the auditor's responsibility to detect fraud
- Understand fraud.
- Discuss the risks of materially fraudulent statements among members of the audit team.
- Obtain information; look for fraud risk factors.
- Identify, assess, and respond to risk.
- Evaluate the results of audit tests; determine the impact of fraud on the financial statements.
- Document and communicate findings (see Chapter 3).
- Incorporate a technological focus.

The Fraud Triangle
Pressure, opportunity, rationalization. (Slide: triangle diagram; image not included.)

Pressure
Motivation or incentive to commit fraud. Types:
1. Employee pressures: financial, emotional, lifestyle.
2. Financial statement pressures: industry conditions, management characteristics.

Opportunity
The condition or situation that allows a person or organization to:
1. Commit the fraud
2. Conceal the fraud, e.g., lapping (covering the theft of one customer's payment with a later customer's payment) and kiting (drawing on the float between bank accounts by writing cheques against funds that have not cleared)
3. Convert the theft or misrepresentation to personal gain

Rationalizations
Justification of illegal behavior:
1. Justification: "I am not being dishonest."
2. Attitude: "I don't need to be honest."
3. Lack of personal integrity: theft is valued higher than honesty or integrity.

Computer Fraud
Any illegal act in which knowledge of computer technology is necessary for its perpetration, investigation, or prosecution.

Rise of Computer Fraud
1. The definition is not agreed on
2. Many go undetected
3. A high percentage are not reported
4. Lack of network security
5. Step-by-step guides are easily available
6. Law enforcement is overburdened
7. Difficulty calculating loss

Computer Fraud Classifications
- Input fraud: altering or falsifying input.
- Processor fraud: unauthorized system use.
- Computer instructions fraud: modifying software, illegally copying software, using software in an unauthorized manner, or creating software to carry out unauthorized activities.
- Data fraud: illegally using, copying, browsing, searching, or harming company data.
- Output fraud: stealing, copying, or misusing computer printouts or displayed information.
Chapter 6: Computer Fraud and Abuse Techniques

Learning Objectives
- Compare and contrast computer attack and abuse tactics.
- Explain how social engineering techniques are used to gain physical or logical access to computer resources.
- Describe the different types of malware used to harm computers.

Computer Attacks and Abuse
- Hacking: unauthorized access, modification, or use of a computer system or other electronic device.
- Social engineering: techniques, usually psychological tricks, used to gain access to sensitive data or information, or to secure systems or locations.
- Malware: any software which can be used to do harm.

Types of Computer Attacks
- Botnet (robot network): a network of hijacked computers that carry out processes without their users' knowledge; each hijacked computer is a zombie.
- Denial-of-service (DoS) attack: a constant stream of requests made to a web server (usually via a botnet) that overwhelms it and shuts down service.
- Spoofing: making an electronic communication look as if it comes from a trusted official source to lure the recipient into providing information.

Types of Spoofing
- E-mail: the sender appears to be a different source from the real one.
- Caller-ID: an incorrect number is displayed.
- IP address: a forged source IP address, used to conceal the identity of the sender of data over the Internet or to impersonate another computer system.
- Address Resolution Protocol (ARP): allows a computer on a LAN to intercept traffic meant for any other computer on the LAN.
- SMS: an incorrect number or name appears; similar to caller-ID spoofing but for text messaging.
- Web page: phishing (see Social Engineering Techniques below).
- DNS: intercepting a request for a web service and sending the request to a false service.

Hacking Attacks
- Cross-site scripting (XSS): unwanted script is delivered through a dynamic web page, disguised as user input, and executes in other users' browsers.
- Buffer overflow: more data is sent than the receiving buffer can hold, so the excess overwrites adjacent memory; the program's instructions or return address are lost and can be replaced with the attacker's instructions.
- SQL injection (insertion): malicious input is inserted into the text of a query sent to a database system, changing what the query does.
- Man-in-the-middle: the hacker places themselves between client and host and reads or alters the traffic passing between them.
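As an added example (not from the slides), the Python program below shows the SQL injection and XSS entries above in working code: a login check written the vulnerable way (query text built by string formatting) next to the hardened form (a parameterized query), and a page fragment written with raw interpolation next to one that HTML-escapes user input. The users table, the single account and the attack strings are constructed for the example; SQLite is used so it runs offline.

```python
import html
import sqlite3


def make_db():
    """Constructed users table with one account (plaintext password only so the
    injection is visible; a real system stores a salted hash)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return con


def login_vulnerable(con, username, password):
    """User input is pasted into the SQL text, so the input can rewrite the
    query. With username \"alice' --\" the password clause is commented out."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(con, username, password):
    """Placeholders keep the query structure fixed; the input is only ever
    compared as data, so the same attack string matches no row."""
    row = con.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Constructed XSS payload: a script tag submitted as a user's display name.
XSS_PAYLOAD = "<script>alert(1)</script>"


def greet_vulnerable(name):
    """The name lands in the page as markup, so the browser runs the script."""
    return f"<p>Hello, {name}</p>"


def greet_escaped(name):
    """html.escape turns <, >, &, quotes into entities: shown as text, not run."""
    return f"<p>Hello, {html.escape(name)}</p>"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected:", login_vulnerable(db, "alice' --", "wrong"))
    print("parameterized, injected:", login_parameterized(db, "alice' --", "wrong"))
    print(greet_vulnerable(XSS_PAYLOAD))
    print(greet_escaped(XSS_PAYLOAD))
```

The fix in both cases is the same idea: keep the boundary between code and data explicit, by letting the database driver or the HTML encoder handle the quoting rather than assembling the text yourself.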
Additional Hacking Attacks
- Password cracking: penetrating system security to steal passwords.
- War dialing: a computer automatically dials phone numbers looking for modems.
- Phreaking: attacks on phone systems to obtain free phone service.
- Data diddling: making changes to data before, during, or after it is entered into a system.
- Data leakage: unauthorized copying of company data.

Hacking Embezzlement Schemes
- Salami technique: taking small amounts from many different accounts.
- Economic espionage: theft of information, trade secrets, and intellectual property.
- Cyber-bullying: using the Internet, cell phones, or other communication technologies to support deliberate, repeated, and hostile behavior that torments, threatens, harasses, humiliates, embarrasses, or otherwise harms another person.
- Internet terrorism: the act of disrupting electronic commerce and harming computers and communications.

Hacking for Fraud
- Internet misinformation: using the Internet to spread false or misleading information.
- Internet auction fraud: using an Internet auction site to defraud another person: unfairly driving up the bidding; the seller delivers inferior merchandise or fails to deliver at all; the buyer fails to make payment.
- Internet pump-and-dump: using the Internet to pump up the price of a stock and then selling it.

Social Engineering Techniques
- Identity theft: assuming someone else's identity.
- Pretexting: inventing a scenario that will lull someone into divulging sensitive information.
- Posing: using a fake business to acquire sensitive information.
- Phishing: posing as a legitimate company and asking for verification-type information: passwords, accounts, usernames.
- Pharming: redirecting website traffic to a spoofed website.
- Typosquatting: typographical errors when entering a website name cause a look-alike site to be accessed instead.
- Tabnabbing: changing an already open browser tab.
- Scavenging: looking for sensitive information in items thrown away.
- Shoulder surfing: snooping over someone's shoulder for sensitive information.

More Social Engineering
- Lebanese loop: capturing ATM cards and PINs.
- Skimming: double-swiping a credit card, so the second swipe copies the card data.
- Chipping: planting a device in a credit card reader to read credit card information.
- Eavesdropping: listening to private communications.

Types of Malware
- Spyware: secretly monitors and collects personal information about users and sends it to someone else.
- Adware: pops banner ads on a monitor, collects information about the user's web-surfing and spending habits, and forwards it to the adware creator.
- Key logging: records computer activity, such as a user's keystrokes, e-mails sent and received, websites visited, and chat session participation.
- Trojan horse: malicious computer instructions in an authorized and otherwise properly functioning program.
- Time bombs/logic bombs: idle until triggered by a specified date or time, by a change in the system, by a message sent to the system, or by an event that does not occur.
- Trap door/back door: a way into a system that bypasses normal authorization and authentication controls.
- Packet sniffers: capture data from packets as they travel over networks.
- Rootkit: used to hide the presence of trap doors, sniffers, and key loggers; to conceal software that originates a denial-of-service or e-mail spam attack; and to access user names and log-in information.
- Superzapping: unauthorized use of special system programs to bypass regular system controls and perform illegal acts, all without leaving an audit trail.
Chapter 7: Control and AIS

Learning Objectives
- Explain basic control concepts and explain why computer control and security are important.
- Compare and contrast the COBIT, COSO, and ERM control frameworks.
- Describe the major elements in the internal environment of a company.
- Describe the four types of control objectives that companies need to set.
- Describe the events that affect uncertainty and the techniques used to identify them.
- Explain how to assess and respond to risk using the Enterprise Risk Management (ERM) model.
- Describe control activities commonly used in companies.
- Describe how to communicate information and monitor control processes in organizations.

Internal Control
- System to provide reasonable assurance that objectives are met, such as:
  - Safeguard assets.
  - Maintain records in sufficient detail to report company assets accurately and fairly.
  - Provide accurate and reliable information.
  - Prepare financial reports in accordance with established criteria.
  - Promote and improve operational efficiency.
  - Encourage adherence to prescribed managerial policies.
  - Comply with applicable laws and regulations.

Internal Control
- Functions
  - Preventive: deter problems
  - Detective: discover problems
  - Corrective: correct problems
- Categories
  - General: overall IC system and processes
  - Application: transactions are processed correctly

Sarbanes-Oxley (2002)
- Designed to prevent financial statement fraud, make financial reports more transparent, protect investors, strengthen internal controls, and punish executives who perpetrate fraud
- Public Company Accounting Oversight Board (PCAOB)
  - Oversight of the auditing profession
- New Auditing Rules
  - Partners must rotate periodically
  - Prohibited from performing certain non-audit services

Sarbanes-Oxley (2002)
- New Roles for Audit Committee
  - Be part of the board of directors and be independent
  - One member must be a financial expert
  - Oversees external auditors
- New Rules for Management
  - Financial statements and disclosures are fairly presented, were reviewed by management, and are not misleading.
  - The auditors were told about all material internal control weaknesses and fraud.
- New Internal Control Requirements
  - Management is responsible for establishing and maintaining an adequate internal control system.

SOX Management Rules
- Base evaluation of internal control on a recognized framework.
- Disclose all material internal control weaknesses.
- Conclude that a company does not have effective financial reporting internal controls if material weaknesses exist.

Internal Control Frameworks
- Control Objectives for Information and Related Technology (COBIT)
  - Business objectives
  - IT resources
  - IT processes
- Committee of Sponsoring Organizations (COSO)
  - Internal Control: Integrated Framework
    - Control environment
    - Control activities
    - Risk assessment
    - Information and communication
    - Monitoring

Internal Control
- Enterprise Risk Management Model
  - Risk-based vs. control-based
  - COSO elements plus:
    - Setting objectives
    - Event identification
  - Risk assessment
    - Risk can be controlled, but also:
      - Accepted
      - Diversified
      - Shared
      - Transferred

Control Environment
- Management's philosophy, operating style, and risk appetite
- The board of directors
- Commitment to integrity, ethical values, and competence
- Organizational structure
- Methods of assigning authority and responsibility
- Human resource standards
- External influences

ERM: Objective Setting
- Strategic
  - High-level goals aligned with corporate mission
- Operational
  - Effectiveness and efficiency of operations
- Reporting
  - Complete and reliable
  - Improve decision making
- Compliance
  - Laws and regulations are followed

ERM: Event Identification
- "...an incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of objectives."
- Positive or negative impacts (or both)
- Events may trigger other events
- All events should be anticipated

Risk Assessment
- Identify risk
  - Identify likelihood of risk
  - Identify positive or negative impact
- Types of risk
  - Inherent: risk that exists before any plans are made to control it
  - Residual: remaining risk after controls are in place to reduce it

ERM: Risk Response
- Reduce
  - Implement effective internal control
- Accept
  - Do nothing; accept the likelihood of the risk
- Share
  - Buy insurance, outsource, hedge
- Avoid
  - Do not engage in the activity that produces the risk

Event/Risk/Response Model (figure only)

Control Activities
- Policies and procedures to provide reasonable assurance that control objectives are met:
  - Proper authorization of transactions and activities
    - Signature or code on a document to signal authority over a process
  - Segregation of duties
  - Project development and acquisition controls
  - Change management controls
  - Design and use of documents and records
  - Safeguarding assets, records, and data
  - Independent checks on performance

Segregation of Accounting Duties
- No one employee should be given too much responsibility
- Separate:
  - Authorization
    - Approving transactions and decisions
  - Recording
    - Preparing source documents
    - Entering data into an AIS
    - Maintaining accounting records
  - Custody
    - Handling cash, inventory, fixed assets
    - Receiving incoming checks
    - Writing checks

Information and Communication
- Primary purpose of an AIS:
  - Gather
  - Record
  - Process
  - Summarize
  - Communicate

Monitoring
- Evaluate the internal control framework.
- Effective supervision.
- Responsibility accounting system.
- Monitor system activities.
- Track purchased software and mobile devices.
- Conduct periodic audits.
- Employ a security officer and a compliance officer.
- Engage forensic specialists.
- Install fraud detection software.
- Implement a fraud hotline.

Segregation of System Duties
- Like accounting duties, system duties should also be separated
- These duties include:
  - System administration
  - Network management
  - Security management
  - Change management
  - Users
  - Systems analysts
  - Programmers
  - Computer operators
  - Information system librarian
  - Data control
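The two segregation-of-duties slides (accounting duties and system duties) can be turned into an automated conflict check over role assignments. This is an added example, not textbook code; the duty names, the system-duty incompatibility pairs and the sample assignments are constructed assumptions.

```python
"""Segregation-of-duties (SoD) conflict check over a constructed role assignment.

Added example (not from the textbook slides). The accounting categories follow
the slides (authorization / recording / custody); the system-duty pairs treated
as incompatible are an assumed policy built from the slide's list of duties.
"""
from collections import defaultdict
from itertools import combinations

# Accounting duties from the slides, mapped to the category they belong to.
ACCOUNTING_DUTY_CATEGORY = {
    "approve_transactions": "authorization",
    "prepare_source_documents": "recording",
    "enter_data_into_ais": "recording",
    "maintain_accounting_records": "recording",
    "handle_cash": "custody",
    "receive_incoming_checks": "custody",
    "write_checks": "custody",
}

# Assumed policy: pairs of system duties one person must not hold together.
SYSTEM_INCOMPATIBLE_PAIRS = {
    frozenset({"programmer", "computer_operator"}),
    frozenset({"programmer", "change_management"}),
    frozenset({"security_management", "system_administration"}),
    frozenset({"user", "programmer"}),
}


def accounting_conflicts(assignments):
    """Return {employee: sorted (category_a, category_b) pairs} for employees whose
    duties span two or more of authorization, recording and custody."""
    categories = defaultdict(set)
    for employee, duties in assignments.items():
        for duty in duties:
            category = ACCOUNTING_DUTY_CATEGORY.get(duty)
            if category:
                categories[employee].add(category)
    return {
        employee: sorted(combinations(sorted(cats), 2))
        for employee, cats in categories.items()
        if len(cats) > 1
    }


def system_conflicts(assignments):
    """Return {employee: sorted incompatible system-duty pairs held together}."""
    result = {}
    for employee, duties in assignments.items():
        held = set(duties)
        pairs = sorted(tuple(sorted(p)) for p in SYSTEM_INCOMPATIBLE_PAIRS if p <= held)
        if pairs:
            result[employee] = pairs
    return result


# Constructed sample assignments (not real people or a real organization).
SAMPLE_ASSIGNMENTS = {
    "alice": ["approve_transactions", "write_checks"],              # authorization + custody
    "bob": ["enter_data_into_ais", "maintain_accounting_records"],  # recording only: fine
    "carol": ["programmer", "computer_operator"],                   # incompatible system duties
    "dave": ["system_administration", "handle_cash"],               # one category each: fine
}

if __name__ == "__main__":
    for employee, pairs in accounting_conflicts(SAMPLE_ASSIGNMENTS).items():
        print(f"accounting SoD conflict: {employee} holds {pairs}")
    for employee, pairs in system_conflicts(SAMPLE_ASSIGNMENTS).items():
        print(f"system SoD conflict: {employee} holds {pairs}")
```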
Chapter 8: Information Systems Controls for System Reliability, Part 1: Information Security

Learning Objectives
- Discuss how the COBIT framework can be used to develop sound internal control over an organization's information systems.
- Explain the factors that influence information systems reliability.
- Describe how a combination of preventive, detective, and corrective controls can be employed to provide reasonable assurance about information security.

AIS Controls
- COSO and COSO-ERM address general internal control
- COBIT addresses information technology internal control

Information for Management Should Be:
- Effectiveness
  - Information must be relevant and timely.
- Efficiency
  - Information must be produced in a cost-effective manner.
- Confidentiality
  - Sensitive information must be protected from unauthorized disclosure.
- Integrity
  - Information must be accurate, complete, and valid.
- Availability
  - Information must be available whenever needed.
- Compliance
  - Controls must ensure compliance with internal policies and with external legal and regulatory requirements.
- Reliability
  - Management must have access to appropriate information needed to conduct daily activities and to exercise its fiduciary and governance responsibilities.

COBIT Framework (figure: Information Criteria)

COBIT Cycle
- Management develops plans to organize information resources to provide the information it needs.
- Management authorizes and oversees efforts to acquire (or build internally) the desired functionality.
- Management ensures that the resulting system actually delivers the desired information.
- Management monitors and evaluates system performance against the established criteria.
- The cycle constantly repeats, as management modifies existing plans and procedures or develops new ones to respond to changes in business objectives and new developments in information technology.

COBIT Controls
- 210 controls for ensuring information integrity
- A subset is relevant for external auditors
  - IT Control Objectives for Sarbanes-Oxley, 2nd Edition
- AICPA and CICA information systems controls
  - Controls for system and financial statement reliability

Trust Services Framework
- Security
  - Access to the system and its data is controlled and restricted to legitimate users.
- Confidentiality
  - Sensitive organizational information (e.g., marketing plans, trade secrets) is protected from unauthorized disclosure.
- Privacy
  - Personal information about customers is collected, used, disclosed, and maintained only in compliance with internal policies and external regulatory requirements and is protected from unauthorized disclosure.
- Processing Integrity
  - Data are processed accurately, completely, in a timely manner, and only with proper authorization.
- Availability
  - The system and its information are available to meet operational and contractual obligations.

Trust Services Framework (figure only)

Security / Systems Reliability
- Foundation of the Trust Services Framework
- A management issue, not a technology issue
- SOX 302 states:
  - The CEO and the CFO are responsible for certifying that the financial statements fairly present the results of the company's activities.
  - The accuracy of an organization's financial statements depends upon the reliability of its information systems.
- Defense-in-depth and the time-based model of information security
  - Have multiple layers of control

Management's Role in IS Security
- Create a security-aware culture
- Inventory and value company information resources
- Assess risk, select risk response
- Develop and communicate security:
  - Plans, policies, and procedures
- Acquire and deploy IT security resources
- Monitor and evaluate effectiveness

Time-Based Model
- Combination of detective and corrective controls
- P = the time it takes an attacker to break through the organization's preventive controls
- D = the time it takes to detect that an attack is in progress
- C = the time it takes to respond to the attack
- For an effective information security system: P > D + C

Steps in an IS System Attack (figure only)

Mitigate Risk of Attack
- Preventive Control
- Detective Control
- Corrective Control

Preventive Control
- Training
- User access controls (authentication and authorization)
- Physical access controls (locks, guards, etc.)
- Network access controls (firewalls, intrusion prevention systems, etc.)
- Device and software hardening controls (configuration options)

Authentication vs. Authorization
- Authentication: verifies who a person is
  1. Something the person knows
  2. Something the person has
  3. Some biometric characteristic
  4. Combination of all three
- Authorization: determines what a person can access

Network Access Control (Perimeter Defense)
- Border router
  - Connects an organization's information system to the Internet
- Firewall
  - Software or hardware used to filter information
- Demilitarized Zone (DMZ)
  - Separate network that permits controlled access from the Internet to selected resources
- Intrusion Prevention Systems (IPS)
  - Monitor patterns in the traffic flow, rather than only inspecting individual packets, to identify and automatically block attacks

Internet Information Protocols (figure only)

Device and Software Hardening (Internal Defense)
- End-Point Configuration
  - Disable unnecessary features that may be vulnerable to attack on:
    - Servers, printers, workstations
- User Account Management
- Software Design
  - Programmers must be trained to treat all input from external users as untrustworthy and to carefully check it before performing further actions.

Detective Controls
- Log Analysis
  - Process of examining logs to identify evidence of possible attacks
- Intrusion Detection
  - Sensors and a central monitoring unit that create logs of network traffic that was permitted to pass the firewall and then analyze those logs for signs of attempted or successful intrusions
- Managerial Reports
- Security Testing

Corrective Controls
- Computer Incident Response Team
- Chief Information Security Officer (CISO)
  - Independent responsibility for information security assigned to someone at an appropriate senior level
- Patch Management
  - Fix known vulnerabilities by installing the latest updates
    - Security programs
    - Operating systems
    - Application programs

Computer Incident Response Team
- Recognize that a problem exists
- Containment of the problem
- Recovery
- Follow-up

New Considerations
- Virtualization
  - Multiple systems are run on one computer
- Cloud Computing
  - Remotely accessed resources
    - Software applications
    - Data storage
    - Hardware
- Risks
  - Increased exposure if a breach occurs
  - Reduced authentication standards
- Opportunities
  - Implementing strong access controls in the cloud or over the server that hosts a virtual network provides good security over all the systems contained therein
Chapter 9: Information Systems Controls for System Reliability, Part 2: Confidentiality and Privacy

Learning Objectives
- Identify and explain controls designed to protect the confidentiality of sensitive corporate information.
- Identify and explain controls designed to protect the privacy of customers' personal information.
- Explain how the two basic types of encryption systems work.

Trust Services Framework
- Security (Chapter 8)
  - Access to the system and its data is controlled and restricted to legitimate users.
- Confidentiality (Chapter 8)
  - Sensitive organizational information (e.g., marketing plans, trade secrets) is protected from unauthorized disclosure.
- Privacy
  - Personal information about customers is collected, used, disclosed, and maintained only in compliance with internal policies and external regulatory requirements and is protected from unauthorized disclosure.
- Processing Integrity (Chapter 10)
  - Data are processed accurately, completely, in a timely manner, and only with proper authorization.
- Availability (Chapter 10)
  - The system and its information are available to meet operational and contractual obligations.

Intellectual Property (IP)
- Strategic plans
- Trade secrets
- Cost information
- Legal documents
- Process improvements
- All need to be secured

Steps in Securing IP
- Identification and Classification
  - Where is the information, and who has access to it?
  - Classify the value of the information
- Encryption
  - The process of obscuring information to make it unreadable without special knowledge, key files, or passwords.
- Controlling Access
  - Information rights management: control who can read, write, copy, delete, or download information.
- Training
  - Most important! Employees need to know what can or can't be read, written, copied, deleted, or downloaded

Privacy
- Deals with protecting customer information vs. internal company information
- Same controls:
  - Identification and classification
  - Encryption
  - Access control
  - Training

Privacy Concerns
- SPAM
  - Unsolicited e-mail that contains either advertising or offensive content
  - CAN-SPAM (2003)
    - Criminal and civil penalties for spamming
- Identity Theft
  - The unauthorized use of someone's personal information for the perpetrator's benefit.
  - Companies have access to, and thus must control, customers' personal information.

Privacy Regulatory Acts
- Health Insurance Portability and Accountability Act (HIPAA)
- Health Information Technology for Economic and Clinical Health Act (HITECH)
- Financial Services Modernization Act

Generally Accepted Privacy Principles
1. Management
   - Procedures and policies
   - Assignment of responsibility
2. Notice
   - To customers of policies
3. Choice and Consent
   - Allow customers consent over information provided and stored
4. Collection
   - Only what is necessary and stated in policy
5. Use and Retention
   - Based on policy and only for as long as needed for the business
6. Access
   - Customers should be capable of reviewing, editing, and deleting information
7. Disclosure to 3rd Parties
   - Based on policy and only if the 3rd party has the same privacy policy standard
8. Security
   - Protection of personal information
9. Quality
   - Allow customer review
   - Information needs to be reasonably accurate
10. Monitor and Enforce
   - Ensure compliance with policy

Encryption
- Preventive control
- Process of transforming normal content, called plaintext, into unreadable gibberish
- Decryption reverses this process

Encryption Strength
- Key length
  - Number of bits (characters) used to convert text into blocks
  - 256 is common
- Algorithm
  - Manner in which key and text are combined to create scrambled text
- Policies concerning encryption keys
  - Stored securely with strong access codes

Types of Encryption
- Symmetric
  - One key used to both encrypt and decrypt
  - Pro: fast
  - Con: vulnerable
- Asymmetric
  - Different key used to encrypt than to decrypt
  - Pro: very secure
  - Con: very slow
- Hybrid Solution
  - Use symmetric encryption for encrypting the information
  - Use asymmetric encryption for encrypting the symmetric key used for decryption

Hashing
- Converts information into a "hashed" code of fixed length.
- The code cannot be converted back to the text.
- If any change is made to the information, the hash code will change, thus enabling verification of the information.

Digital Signature
- Hash of a document
- Encrypted using the document creator's key
- Provides proof:
  - That the document has not been altered
  - Of the creator of the document
Digital Certificate
- Electronic document that contains an entity's public key
- Certifies the identity of the owner of that particular public key
- Issued by a Certificate Authority

Virtual Private Network (VPN)
- Private communication channels, often referred to as tunnels, which are accessible only to those parties possessing the appropriate encryption and decryption keys.
Chapter 10: Information Systems Controls for System Reliability, Part 3: Processing Integrity and Availability

Learning Objectives
- Identify and explain controls designed to ensure processing integrity.
- Identify and explain controls designed to ensure systems availability.

Trust Services Framework
- Security (Chapter 8)
  - Access to the system and its data is controlled and restricted to legitimate users.
- Confidentiality (Chapter 8)
  - Sensitive organizational information (e.g., marketing plans, trade secrets) is protected from unauthorized disclosure.
- Privacy (Chapter 9)
  - Personal information about customers is collected, used, disclosed, and maintained only in compliance with internal policies and external regulatory requirements and is protected from unauthorized disclosure.
- Processing Integrity
  - Data are processed accurately, completely, in a timely manner, and only with proper authorization.
- Availability
  - The system and its information are available to meet operational and contractual obligations.

Controls Ensuring Processing Integrity
- Input
- Process
- Output

Input Controls
- "Garbage in, garbage out"
- Form Design
  - All forms should be sequentially numbered
  - Verify missing documents
  - Use of turnaround documents
  - Eliminate input errors

Input Controls
- Data Entry Checks
  - Field check: are the characters of the proper type (text, integer, date, and so on)?
  - Sign check: is the arithmetic sign proper?
  - Limit check: input checked against a fixed value
  - Range check: is the input within the low and high range values?
  - Size check: does the input fit within the field?
  - Completeness check: have all required data been entered?
  - Validity check: input compared with master data to confirm existence
  - Reasonableness check: logical comparisons
  - Check digit verification: computed from the input value to catch typing errors
  - Prompting: input requested by the system
  - Closed-loop verification: uses input data to retrieve and display related data
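The data entry checks above can be implemented as a validation routine that runs on every record before it is accepted. This is an added example, not textbook code; the invoice layout, the policy limits, the vendor master file and the sample records are constructed, and the Luhn mod-10 scheme is assumed as the check-digit algorithm.

```python
"""Data entry checks from the Input Controls slide applied to a constructed
invoice record. Added example (not textbook code); limits, master data and
record layout are assumptions for illustration."""
from datetime import date

# Constructed master data and policy limits.
VENDOR_MASTER = {"V1001", "V1002", "V1003"}   # validity check reference
MAX_INVOICE_AMOUNT = 50_000.00                # limit check threshold
EXPECTED_QUANTITY_RANGE = (1, 1_000)          # range check bounds
ACCOUNT_FIELD_SIZE = 12                       # size check (characters)
REQUIRED_FIELDS = ("vendor_id", "account_no", "quantity", "amount", "invoice_date")


def luhn_valid(number: str) -> bool:
    """Check digit verification: Luhn mod-10 over a digit string."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        digit = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def validate_invoice(record: dict) -> list:
    """Return the list of failed checks; an empty list means the record passes."""
    errors = []
    # Completeness check: all required fields present and non-empty.
    for field in REQUIRED_FIELDS:
        if record.get(field) in (None, ""):
            errors.append(f"completeness:{field}")
    if errors:
        return errors                     # later checks need the fields to exist
    # Field check: quantity integer, amount numeric, date a real ISO date.
    if not isinstance(record["quantity"], int):
        errors.append("field:quantity")
    if not isinstance(record["amount"], (int, float)):
        errors.append("field:amount")
    try:
        date.fromisoformat(record["invoice_date"])
    except (ValueError, TypeError):
        errors.append("field:invoice_date")
    if errors:
        return errors                     # arithmetic checks need well-typed fields
    # Sign check: invoice amounts and quantities must be positive.
    if record["amount"] <= 0 or record["quantity"] <= 0:
        errors.append("sign")
    # Limit check: no single invoice above the policy ceiling.
    if record["amount"] > MAX_INVOICE_AMOUNT:
        errors.append("limit:amount")
    # Range check: quantity inside the expected band.
    low, high = EXPECTED_QUANTITY_RANGE
    if not low <= record["quantity"] <= high:
        errors.append("range:quantity")
    # Size check: account number fits the field.
    if len(record["account_no"]) > ACCOUNT_FIELD_SIZE:
        errors.append("size:account_no")
    # Validity check: vendor must exist in the master file.
    if record["vendor_id"] not in VENDOR_MASTER:
        errors.append("validity:vendor_id")
    # Check digit verification on the account number.
    if not luhn_valid(record["account_no"]):
        errors.append("check_digit:account_no")
    # Reasonableness check: implied unit price must be plausible.
    if record["quantity"] > 0:
        unit_price = record["amount"] / record["quantity"]
        if not 0.01 <= unit_price <= 10_000:
            errors.append("reasonableness:unit_price")
    return errors


# Constructed sample records ("79927398713" is a Luhn-valid digit string).
GOOD_RECORD = {"vendor_id": "V1002", "account_no": "79927398713",
               "quantity": 10, "amount": 2500.0, "invoice_date": "2012-03-15"}
BAD_RECORD = {"vendor_id": "V9999", "account_no": "79927398710",
              "quantity": 10, "amount": 75000.0, "invoice_date": "2012-03-15"}

if __name__ == "__main__":
    print("good record:", validate_invoice(GOOD_RECORD))
    print("bad record:", validate_invoice(BAD_RECORD))
```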
Batch Input Controls
- Batch Processing
  - Input multiple source documents at once in a group
- Batch Totals
  - Compare input totals to output totals
  - Financial: sums a field that contains monetary values
  - Hash: sums a nonfinancial numeric field
  - Record count: the number of records in the batch

Processing Controls
- Data Matching
  - Multiple data values must match before processing occurs.
- File Labels
  - Ensure the correct and most current file is being updated.
- Batch Total Recalculation
  - Compare the batch totals calculated after processing to the input totals.
- Cross-Footing and Zero Balance Tests
  - Compute totals using multiple methods to ensure the same results.
- Write Protection
  - Eliminate the possibility of overwriting or erasing existing data.
- Concurrent Update
  - Locking records or fields while they are being updated so multiple users are not updating at the same time.
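Batch totals taken at input and recalculated after processing are the control the two slides above describe. The added example below (not textbook code) computes the three totals over a constructed batch and shows which processing errors each total catches, including the case none of them catches.

```python
"""Batch control totals (financial total, hash total, record count) captured at
input and recalculated after processing. Added example for the Batch Input
Controls and Processing Controls slides; the batch and the error cases are
constructed."""
from decimal import Decimal


def batch_totals(records) -> dict:
    """The three batch totals from the slides over (account_number, amount) records."""
    return {
        "record_count": len(records),
        "financial_total": sum((amount for _, amount in records), Decimal("0")),
        "hash_total": sum(int(account) for account, _ in records),  # nonfinancial field
    }


def recalculate_and_compare(input_totals: dict, processed_records) -> list:
    """Batch total recalculation: rerun the totals after processing and return the
    names of the controls that disagree with the totals captured at input time."""
    output_totals = batch_totals(processed_records)
    return sorted(name for name in input_totals if input_totals[name] != output_totals[name])


# Constructed batch of three payments: (account number, amount).
INPUT_BATCH = [
    ("1001", Decimal("250.00")),
    ("1002", Decimal("1200.50")),
    ("1003", Decimal("75.25")),
]
INPUT_TOTALS = batch_totals(INPUT_BATCH)      # captured when the batch is keyed in

# Processing outcomes to compare against the input totals.
DROPPED_RECORD = INPUT_BATCH[:2]                                                  # last record lost
ALTERED_AMOUNT = [INPUT_BATCH[0], ("1002", Decimal("1200.05")), INPUT_BATCH[2]]   # digits transposed
WRONG_ACCOUNT = [("1010", Decimal("250.00")), INPUT_BATCH[1], INPUT_BATCH[2]]     # account mis-keyed
SWAPPED_ACCOUNTS = [("1002", Decimal("250.00")), ("1001", Decimal("1200.50")), INPUT_BATCH[2]]

if __name__ == "__main__":
    cases = [("dropped record", DROPPED_RECORD), ("altered amount", ALTERED_AMOUNT),
             ("wrong account", WRONG_ACCOUNT), ("swapped accounts", SWAPPED_ACCOUNTS)]
    for name, batch in cases:
        # The swapped-accounts case returns [] : amounts posted to the wrong accounts
        # keep every total unchanged, which is why batch totals are paired with
        # data matching and independent checks rather than used alone.
        print(f"{name}: controls that disagree = {recalculate_and_compare(INPUT_TOTALS, batch)}")
```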
Output Controls
- User Review
  - Verify reasonableness and completeness, and that output is routed to the intended individual
- Reconciliation
- Data Transmission Controls
  - Checksums
    - Hash of the file transmitted; the hash is compared before and after transmission
  - Parity checking
    - A bit is added to each character transmitted so that the characters can be verified for accuracy
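The two data transmission controls on this slide, a checksum over the whole file and a parity bit per character, are shown together in the added example below (not textbook code). The message and the injected bit errors are constructed; it also shows the known limit of parity, which misses an even number of flipped bits in one character while the checksum still catches them.

```python
"""Checksum and parity checking as data transmission controls. Added example for
the Output Controls slide (not textbook code); message and bit errors are
constructed."""
import hashlib


def checksum(payload: bytes) -> str:
    """Checksum control: hash of the file, computed before sending and again on receipt."""
    return hashlib.sha256(payload).hexdigest()


def checksum_matches(sent: bytes, received: bytes) -> bool:
    return checksum(sent) == checksum(received)


def add_even_parity(char: int) -> int:
    """Frame a 7-bit character as 8 bits: 7 data bits plus one parity bit chosen so
    the total number of 1 bits is even."""
    if not 0 <= char < 128:
        raise ValueError("parity is applied to 7-bit characters")
    parity = bin(char).count("1") % 2
    return (char << 1) | parity


def parity_ok(frame: int) -> bool:
    """Receiver side: accept a frame only if its 1-bit count is still even."""
    return bin(frame).count("1") % 2 == 0


def flip_bits(frame: int, *positions: int) -> int:
    """Inject transmission errors by flipping the given bit positions (0-7)."""
    for pos in positions:
        frame ^= 1 << pos
    return frame


def transmit(message: bytes) -> list:
    return [add_even_parity(b) for b in message]


def receive(frames) -> bytes:
    """Strip parity bits and return the characters; raise on any parity failure."""
    for frame in frames:
        if not parity_ok(frame):
            raise ValueError(f"parity error in frame {frame:08b}")
    return bytes(frame >> 1 for frame in frames)


MESSAGE = b"PAY 250"   # constructed sample output record (7-bit ASCII)


def single_bit_error_detected() -> bool:
    """One flipped bit in one character: parity catches it."""
    frames = transmit(MESSAGE)
    frames[0] = flip_bits(frames[0], 3)
    try:
        receive(frames)
        return False
    except ValueError:
        return True


def double_bit_error_outcome() -> tuple:
    """Two flipped bits in one character: parity passes, so the corrupted message is
    accepted; the checksum still catches it. Returns (accepted_but_corrupted, checksum_caught)."""
    frames = transmit(MESSAGE)
    frames[0] = flip_bits(frames[0], 3, 4)
    received = receive(frames)            # no parity error is raised here
    return received != MESSAGE, not checksum_matches(MESSAGE, received)
```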
Controls Ensuring Availability
- Systems or information need to be available 24/7
- It is not possible to guarantee this, so:

Minimize Risks
- Preventive Maintenance
  - Cleaning, proper storage
- Fault Tolerance
  - Ability of a system to continue if a part fails
- Data Center Location
  - Minimize risk of natural and human-created disasters.
- Training
  - Trained users are less likely to make mistakes and will know how to recover, with minimal damage, from errors they do commit
- Patch Management
  - Install, run, and keep current antivirus and anti-spyware programs

Quick Recovery
- Back-up
  - Incremental: copy only data that changed since the last partial back-up
  - Differential: copy only data that changed since the last full back-up
- Business Continuity Plan (BCP)
  - How to resume not only IT operations, but all business processes
    - Relocating to new offices
    - Hiring temporary replacements

Change Control
- Formal process used to ensure that modifications to hardware, software, or processes do not reduce systems reliability
- Changes need to be documented.
- Changes need to be approved by the appropriate manager.
- Changes need to be tested before implementation.
- All documentation needs to be updated for changes.
- Back-out plans need to be adopted.
- User rights and privileges need to be monitored during the change.

Disaster Recovery Plan (DRP)
- Procedures to restore an organization's IT function in the event that its data center is destroyed
- Cold Site
  - An empty building that is prewired for necessary telephone and Internet access, plus a contract with one or more vendors to provide all necessary equipment within a specified period of time
- Hot Site
  - A facility that is not only prewired for telephone and Internet access but also contains all the computing and office equipment the organization needs to perform its essential business activities
- Second Data Center
  - Used for back-up and site mirroring
Chapter 11Auditing Computer-Based Information SystemsCopyright © 2012 Pearson Education, Inc. publishing as Prentice Hall11-181
Learning Objectives¤Describe the scope and objectives of audit work, and identify the major steps in the audit process.¤Identify the objectives of an information system audit, and describe the four-step approach necessary for meeting these objectives.¤Design a plan for the study and evaluation of internal control in an AIS.¤Describe computer audit software, and explain how it is used in the audit of an AIS¤Describe the nature and scope of an operational audit.Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall11-182
Auditing¤The systematic process of obtaining and evaluating evidence regarding assertions about economic actions and events in order to determine how well they correspond with established criteria¤*******Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall11-183
Types of Audits¤Financial¤Examines the reliability and integrity of:¤Financial transactions, accounting records, and financial statements.¤Information System¤Reviews the controls of an AIS to assess compliance with:¤Internal control policies and procedures and effectiveness in safeguarding assets¤Operational¤Economical and efficient use of resources and the accomplishment of established goals and objectives¤Compliance¤Determines whether entities are complying with:¤Applicable laws, regulations, policies, and procedures¤Investigative¤Incidents of possible fraud, misappropriation of assets, waste and abuse, or improper governmental activities.Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall11-184
The Audit Process¤Planning¤Collecting Evidence¤Evaluating Evidence¤Communicating Audit ResultsCopyright © 2012 Pearson Education, Inc. publishing as Prentice Hall11-185
Planning the Audit¤Why, when, how, whom¤Work targeted to area with greatest risk:¤Inherent¤Chance of risk in the absence of controls¤Control¤Risk a misstatement will not be caught by the internal control system¤Detection¤Chance a misstatement will not be caught by auditors or their proceduresCopyright © 2012 Pearson Education, Inc. publishing as Prentice Hall11-186
Collection of Audit Evidence¤Not everything can be examined so samples are collected¤Observation activates to be audited¤Review of documentation¤Gain understanding of process or control¤Discussions¤Questionnaires¤Physical examination¤Confirmations¤Testing balances with external 3rdparties¤Re-performance¤Recalculations to test values¤Vouching¤Examination of supporting documents¤Analytical review¤Examining relationships and trendsCopyright © 2012 Pearson Education, Inc. publishing as Prentice Hall11-187
Evaluation of Audit Evidence¤Does evidence support favorable or unfavorable conclusion?¤Materiality¤How significant is the impact of the evidence?¤Reasonable Assurance¤Some risk remains that the audit conclusion is incorrect.Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall11-188
Communication of Audit Conclusion¤Written report summarizing audit findings and recommendations:¤To management¤The audit committee¤The board of directors¤Other appropriate parties Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall11-189
Risk-Based Audit¤Determine the threats (fraud and errors) facing the company.¤Accidental or intentional abuse and damage to which the system is exposed¤Identify the control procedures that prevent, detect, or correct the threats.¤These are all the controls that management has put into place and that auditors should review and test, to minimize the threats¤Evaluate control procedures.¤A systems review¤Are control procedures in place¤Tests of controls¤Are existing controls working¤Evaluate control weaknesses to determine their effect on the nature, timing, or extent of auditing procedures.Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall11-190
Information Systems Audit
- Purpose: to review and evaluate the internal controls that protect the system
- Objectives:
  1. Overall information security
  2. Program development and acquisition
  3. Program modification
  4. Computer processing
  5. Source data
  6. Data files
1. Information System Threats
- Accidental or intentional damage to system assets
- Unauthorized access, disclosure, or modification of data and programs
- Theft
- Interruption of crucial business activities
2. Program Development and Acquisition
- Threats:
  - Inadvertent programming errors due to misunderstanding system specifications or careless programming
  - Unauthorized instructions deliberately inserted into the programs
- Controls:
  - Management and user authorization and approval, thorough testing, and proper documentation
3. Program Modification
- Source code comparison: compares the program currently in production against the approved (original) source code and reports any discrepancies
- Reprocessing: a verified copy of the source code is used to reprocess data, and the results are compared with the output of the production program
- Parallel simulation: an auditor-written program that performs the same processing is run on the same data, and its output is compared with the production program's output
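Added example (not from the original slides): two of the three program-modification tests above, source code comparison and parallel simulation, in Python over constructed in-memory "source files" and a constructed payroll batch. The approved baseline, the altered production files, the production stand-in function and the employee records are assumptions; in practice the manifest would be computed over the files on disk, and reprocessing (not shown) would run the verified source itself against the same data.

```python
"""Program-modification tests (added example; the source files, the
production stand-in and the payroll records are constructed assumptions):
source code comparison of production files against an approved baseline,
and parallel simulation of the production program with an auditor-written one."""
import hashlib

# Baseline captured when the program was authorized and tested (assumption).
APPROVED_SOURCES = {
    "payroll/calc.py": "def gross(hours, rate):\n    return hours * rate\n",
    "payroll/tax.py":  "def tax(gross):\n    return round(gross * 0.20, 2)\n",
}

# What is running in production now (assumption): tax.py was altered so small
# pay amounts escape withholding, and an unapproved module was added.
PRODUCTION_SOURCES = {
    "payroll/calc.py":  "def gross(hours, rate):\n    return hours * rate\n",
    "payroll/tax.py":   "def tax(gross):\n    return round(gross * 0.20, 2) if gross > 100 else 0.0\n",
    "payroll/extra.py": "def skim(amount):\n    return amount * 0.01\n",
}


def manifest(sources):
    """Map each path to the SHA-256 of its contents; the auditor keeps the
    baseline manifest, not a copy of the whole tree."""
    return {path: hashlib.sha256(text.encode()).hexdigest()
            for path, text in sources.items()}


def source_code_comparison(approved, production):
    """Report files modified, added or removed relative to the approved baseline."""
    base, prod = manifest(approved), manifest(production)
    return {
        "modified": sorted(p for p in base if p in prod and base[p] != prod[p]),
        "added":    sorted(p for p in prod if p not in base),
        "removed":  sorted(p for p in base if p not in prod),
    }


def production_net_pay(hours, rate):
    """Stand-in for the production program (assumption); it behaves like the
    altered tax.py above."""
    gross = hours * rate
    tax = round(gross * 0.20, 2) if gross > 100 else 0.0
    return round(gross - tax, 2)


def auditor_net_pay(hours, rate):
    """Auditor's own implementation of the approved specification: 20% tax on all pay."""
    gross = hours * rate
    return round(gross - round(gross * 0.20, 2), 2)


# Constructed payroll input (assumption): employee id, hours, hourly rate.
PAYROLL_INPUT = [("E01", 40, 30.0), ("E02", 2, 40.0), ("E03", 5, 15.0)]


def parallel_simulation(records, tolerance=0.005):
    """Run both programs on identical input; return (employee, production,
    simulated) for every record where the two outputs disagree."""
    exceptions = []
    for emp, hours, rate in records:
        prod, sim = production_net_pay(hours, rate), auditor_net_pay(hours, rate)
        if abs(prod - sim) > tolerance:
            exceptions.append((emp, prod, sim))
    return exceptions


if __name__ == "__main__":
    print(source_code_comparison(APPROVED_SOURCES, PRODUCTION_SOURCES))
    print(parallel_simulation(PAYROLL_INPUT))
```

The comparison reports the altered tax.py and the unapproved extra.py; parallel simulation catches the same change from the other direction, because the two low-pay employees come out differently under the auditor's program even though the high-pay record agrees. A comparison that only diffs text can be defeated by a change to the compiled or deployed artifact, so the hashes should be taken over what actually runs, not only over the source repository.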
4. Computer Processing
- Threats: the system fails to detect erroneous input, corrects input errors improperly, processes erroneous input, or distributes or discloses output improperly
- Concurrent audit techniques: continuous monitoring of the system while live data are processed during regular operating hours
- Embedded audit modules: program code segments that perform audit functions, report test results, and store the evidence collected for auditor review
Types of Concurrent Audit Techniques
- Integrated test facility (ITF): fictitious inputs (for example, a dummy customer or division) are processed alongside real transactions
- Snapshot technique: master-file records before and after the update are stored for specially marked transactions
- System control audit review file (SCARF): continuous monitoring and storing of transactions that meet pre-specified criteria
- Audit hooks: notify auditors of questionable transactions
- Continuous and intermittent simulation (CIS): similar to SCARF, for a DBMS
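Added example (not part of the original slides) covering the embedded audit module of the previous slide and four of the techniques listed here: a Python order-posting loop with an audit module called around each master-file update, which keeps a SCARF of large transactions, raises audit hooks, stores before/after snapshots for tagged transactions, and carries a fictitious ITF customer whose transactions exercise the controls but are excluded from real sales. The customers, transactions, credit limits, the SCARF amount criterion, the business-hours rule and the ITF customer name are all assumptions.

```python
"""Embedded audit module inside a constructed order-posting routine (added
example; the customers, transactions, limits, the dummy ITF customer and the
hook conditions are assumptions): SCARF capture of large transactions, audit
hooks, the snapshot technique, and an integrated test facility."""
from copy import deepcopy
from dataclasses import dataclass

ITF_CUSTOMER = "C-ITF"          # fictitious entity: exercises the controls, never real sales
SCARF_AMOUNT_LIMIT = 10_000.0    # SCARF criterion: keep every transaction at or above this amount
SNAPSHOT_TAG = "SNAP"            # transactions carrying this tag get before/after images stored
BUSINESS_HOURS = range(8, 18)    # audit hook: postings outside 08:00-17:59 are questionable


@dataclass(frozen=True)
class Txn:
    txn_id: str
    customer: str
    amount: float
    hour: int            # hour of day (0-23) at which the transaction was posted
    tags: tuple = ()


class AuditModule:
    """Code segment embedded in the application that performs audit functions
    while live data are processed and stores the evidence for the auditor."""

    def __init__(self):
        self.scarf = []       # SCARF file: transactions meeting the pre-specified criterion
        self.hooks = []       # audit-hook notifications as (txn_id, reason)
        self.snapshots = {}   # txn_id -> {"before": record, "after": record}

    def before_update(self, txn, record):
        if SNAPSHOT_TAG in txn.tags:
            self.snapshots[txn.txn_id] = {"before": dict(record)}

    def after_update(self, txn, record):
        if SNAPSHOT_TAG in txn.tags:
            self.snapshots[txn.txn_id]["after"] = dict(record)
        if txn.amount >= SCARF_AMOUNT_LIMIT:
            self.scarf.append(txn.txn_id)
        if record["balance"] > record["credit_limit"]:
            self.hooks.append((txn.txn_id, "balance exceeds credit limit"))
        if txn.hour not in BUSINESS_HOURS:
            self.hooks.append((txn.txn_id, "posted outside business hours"))


def post_transactions(txns, master, module):
    """The application's posting loop with the audit module called around
    each master-file update.  Returns total real sales, with the ITF
    customer's fictitious transactions excluded."""
    real_sales = 0.0
    for txn in txns:
        record = master[txn.customer]
        module.before_update(txn, record)
        record["balance"] += txn.amount          # the business update itself
        module.after_update(txn, record)
        if txn.customer != ITF_CUSTOMER:         # keep test data out of real figures
            real_sales += txn.amount
    return real_sales


# Constructed master file and transaction batch (assumption).
MASTER = {
    "C-100": {"balance": 2_000.0, "credit_limit": 15_000.0},
    "C-200": {"balance": 500.0, "credit_limit": 3_000.0},
    ITF_CUSTOMER: {"balance": 0.0, "credit_limit": 1_000.0},
}
TXNS = [
    Txn("T1", "C-100", 12_000.0, 10, (SNAPSHOT_TAG,)),  # large: SCARF hit, snapshot stored
    Txn("T2", "C-200", 2_800.0, 11),                     # pushes C-200 over its credit limit
    Txn("T3", "C-100", 150.0, 23),                       # posted at 23:00
    Txn("T4", ITF_CUSTOMER, 5_000.0, 12),                # ITF: should trip the credit-limit hook
]


def run_batch():
    """Post the constructed batch and return (real_sales, module, updated master)."""
    master, module = deepcopy(MASTER), AuditModule()
    real_sales = post_transactions(TXNS, master, module)
    return real_sales, module, master


if __name__ == "__main__":
    sales, module, _ = run_batch()
    print("real sales:", sales)
    print("SCARF:", module.scarf)
    print("hooks:", module.hooks)
    print("snapshots:", module.snapshots)
```

The ITF transaction T4 is posted through exactly the same code path as the real ones, so it proves the credit-limit hook fires in production, while the posting loop keeps it out of the sales total. In a real system the SCARF, hook and snapshot stores would be written to a location the application's own users cannot modify, since evidence that the audited system can alter is not evidence.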
5. Source Data and 6. Data Files
- Accuracy
- Integrity
- Security of data
Chapter 12: The Revenue Cycle: Sales to Cash Collections
Learning Objectives
- Describe the basic business activities and related information processing operations performed in the revenue cycle.
- Discuss the key decisions that need to be made in the revenue cycle, and identify the information needed to make those decisions.
- Identify major threats in the revenue cycle, and evaluate the adequacy of various control procedures for dealing with those threats.
The Revenue Cycle
Assignment (1)
Deadline: Saturday 14/01/2023 @ 23:59

Instructions – PLEASE READ THEM CAREFULLY
- The assignment must be submitted on Blackboard (WORD format only) via the allocated folder.
- Assignments submitted through email will not be accepted.
- Students are advised to make their work clear and well presented; marks may be reduced for poor presentation. This includes filling in your information on the cover page.
- Students must mention the question number clearly in their answer.
- Late submission will NOT be accepted.
- Avoid plagiarism; the work should be in your own words. Copying from students or other resources without proper referencing will result in ZERO marks. No exceptions.
- All answers must be typed in Times New Roman font (size 12, double-spaced). No pictures containing text will be accepted; they will be considered plagiarism.
- Submissions without this cover page will NOT be accepted.