SOAL 1

7 Karakteristika informasi yang berguna

1. Relevant Reduces uncertainty, improves decision making, or confirms or corrects prior

expectations.
2. Reliable Free from error or bias; accurately represents organization events or activities.
3. Complete Does not omit important aspects of the events or activities it measures.
4. Timely Provided in time for decision makers to make decisions.
5. Understandable Presented in a useful and intelligible format.
6. Verifiable Two independent, knowledgeable people produce the same information.
7. Accessible Available to users when they need it and in a format they can use.

Basic business processs

1. The revenue cycle, where goods and services are sold for cash or a future promise to receive
cash
2. The expenditure cycle, where companies purchase inventory for resale or raw materials to
use in producing products in exchange for cash or a future promise to pay cash. This cycle is
discussed in Chapter 13.
3. The production or conversion cycle, where raw materials are transformed into finished
goods. This cycle is discussed in Chapter 14.
4. The human resources/payroll cycle, where employees are hired, trained, compensated,
evaluated, promoted, and terminated. This cycle is discussed in Chapter 15.
5. The financing cycle, where companies sell shares in the company to investors and borrow
money, and where investors are paid dividends and interest is paid on loans.

Pengertian SIA: A system that collects, records, stores, and processes data to produce information
for decision makers. It includes people, procedures and instructions, data, software, information
technology infrastructure, and internal controls and security measures.

BAgaimana SIA menambah Value Added:

1. Improving the quality and reducing the costs of products or services

2. Improving efficiency
3. Sharing knowledge
4. Improving the efficiency and effectiveness of its supply chain
5. Improving the internal control structure
6. Improving decision making

Pengertian Data Processing System : The four operations (data input, data storage, data processing,
and information output) performed on data to generate meaningful and relevant information.

a. Input : The first step in processing input is to capture transaction data and enter them into
the system. The data capture process is usually triggered by a business activity. Data must be
collected about three facets of each business activity:
1. Each activity of interest
2. The resource(s) affected by each activity
3. The people who participate in each activity0
For example, the most frequent revenue cycle transaction is a sale, either for cash or on
credit. S&S may find it useful to collect the following data about a sales transaction:

Hanif Abdul Fattah (1606880245)

 ● Date and time the sale occurred
● Employee who made the sale and the checkout clerk who processed the sale
● Checkout register where the sale was processed
● Item(s) sold
● Quantity of each item sold
● List price and actual price of each item sold
● Total amount of the sale
● Delivery instructions
● For credit sales: customer name, customer bill-to and ship-to addresses

b. Storage
A company’s data are one of its most important resources. However, the mere existence of
relevant data does not guarantee that they are useful. To function properly, an organization
must have ready and easy access to its data. Therefore, accountants need to understand
how data are organized and stored in an AIS and how they can be accessed. In essence, they
need to know how to manage data for maximum corporate use.

c. Processing
Once business activity data have been entered into the system, they must be processed to
keep the databases current. The four different types of data processing activities, referred to
as CRUD, are as follows:
1. Creating new data records, such as adding a newly hired employee to the payroll
database.
2. Reading, retrieving, or viewing existing data.
3. Updating previously stored data. Figure 2-4 depicts the steps required to update an
accounts receivable record with a sales transaction. The two records are matched using the
account number. The sale amount ($360) is added to the account balance ($1,500) to get a
new current balance ($1,860).
4. Deleting data, such as purging the vendor master file of all vendors the company no
longer does business with.
d. The final step in the data processing cycle is information output. When displayed on a
monitor, output is referred to as “soft copy.” When printed on paper, it is referred to as
“hard copy.” Information is usually presented in one of three forms: a document, a report,
or a query response.
1. document - A record of a transaction or other company data. Examples include checks,
invoices, receiving reports, and purchase requisitions.
2. reports - System output, organized in a meaningful fashion, that is used by employees to
control operational activities, by managers to make decisions and design strategies, and
by investors and creditors to understand a company’s business activities
3. query - A request for the database to provide the information needed to deal with a
problem or answer a question. The information is retrieved, displayed or printed, and/or
analyzed as requested.

ERP :

Advantages :

Hanif Abdul Fattah (1606880245)

● An ERP provides an integrated, enterprise-wide, single view of the organization’s data and
financial situation. Storing all corporate information in a single database breaks down barriers
between departments and streamlines the flow of information.

● Data input is captured or keyed once, rather than multiple times, as it is entered into different
systems. Downloading data from one system to another is no longer needed.

● Management gains greater visibility into every area of the enterprise and greater monitoring
capabilities. Employees are more productive and efficient because they can quickly gather data from
both inside and outside their own department.

● The organization gains better access control. An ERP can consolidate multiple permissions and
security models into a single data access structure.

● Procedures and reports are standardized across business units. This standardization can be
especially valuable with mergers and acquisitions because an ERP system can replace the different
systems with a single, unified system.

● Customer service improves because employees can quickly access orders, available inventory,
shipping information, and past customer transaction details.

● Manufacturing plants receive new orders in real time, and the automation of manufacturing
processes leads to increased productivity.

Disadvantages :

● Cost. ERP hardware, software, and consulting costs range from $50 to $500 million for a Fortune
500 company and upgrades can cost $50 million to $100 million. Midsized companies spend
between $10 and $20 million.

● Amount of time required. It can take years to select and fully implement an ERP system,
depending on business size, number of modules to be implemented, degree of customization, the
scope of the change, and how well the customer takes ownership of the project. As a result, ERP
implementations have a very high risk of project failure.

● Changes to business processes. Unless a company wants to spend time and money customizing
modules, they must adapt to standardized business processes as opposed to adapting the ERP
package to existing company processes. The failure to map current business processes to existing
ERP software is a main cause of ERP project failures.

● Complexity. This comes from integrating many different business activities and systems, each
having different processes, business rules, data semantics, authorization hierarchies, and decision
centers.

● Resistance. Organizations that have multiple departments with separate resources, missions,
profit and loss, and chains of command may believe that a single system has few benefits. It also
takes considerable training and experience to use an ERP system effectively, and employee
resistance is a major reason why many ERP implementations do not succeed. It is not easy to
convince employees to change how they do their jobs, train them in new procedures, master the
new system, and persuade them to share sensitive information. Resistance, and the blurring of
company boundaries, can cause problems with employee morale, accountability, and lines of
responsibility.

Kenapa ERP Modular :

Hanif Abdul Fattah (1606880245)

ERP systems are modular, with each module using best business practices to automate a standard
business process. This modular design allows businesses to add or delete modules as needed. Typical
ERP modules include:

● Financial (general ledger and reporting system)—general ledger, accounts receivable, accounts
payable, fixed assets, budgeting, cash management, and preparation of managerial reports and
financial statements

● Human resources and payroll—human resources, payroll, employee benefits, training, time and
attendance, benefits, and government reporting

● Order to cash (revenue cycle)—sales order entry, shipping, inventory, cash receipts, commission
calculation

● Purchase to pay (disbursement cycle)—purchasing, receipt and inspection of inventory, inventory

and warehouse management, and cash disbursements

● Manufacturing (production cycle)—engineering, production scheduling, bill of materials, work-in-

process, workflow management, quality control, cost management, and manufacturing processes
and projects

● Project management—costing, billing, time and expense, performance units, activity management

● Customer relationship management—sales and marketing, commissions, service, customer

contact, and call center support

● System tools—tools for establishing master file data, specifying flow of information, access
controls, and so on

SOAL 2

Hanif Abdul Fattah (1606880245)

2 tipe dari fraud

Hanif Abdul Fattah (1606880245)

5 komputer fraud
1. INPUT FRAUD The simplest and most common way to commit a computer fraud is to alter or
falsify computer input. It requires little skill; perpetrators need only understand how the
system operates so they can cover their tracks
2. PROCESSOR FRAUD Processor fraud includes unauthorized system use, including the theft of
computer time and services.

Hanif Abdul Fattah (1606880245)

 3. COMPUTER INSTRUCTIONS FRAUD Computer instructions fraud includes tampering with
company software, copying software illegally, using software in an unauthorized manner,
and developing software to carry out an unauthorized activity. This approach used to be
uncommon because it required specialized programming knowledge. Today, it is more
frequent because of the many web pages that tell users how to create them.
4. DATA FRAUD Illegally using, copying, browsing, searching, or harming company data
constitutes data fraud. The biggest cause of data breaches is employee negligence.
5. OUTPUT FRAUD Unless properly safeguarded, displayed or printed output can be stolen,
copied, or misused.

How to prevent and detect fraud

1. MAKE FRAUD LESS LIKELY TO OCCUR

● Create an organizational culture that stresses integrity and commitment to ethical values and
competence.

● Adopt an organizational structure, management philosophy, operating style, and risk appetite
that minimizes the likelihood of fraud.

● Require oversight from an active, involved, and independent audit committee of the board of
directors.

● Assign authority and responsibility for business objectives to specific departments and
individuals, encourage them to use initiative to solve problems, and hold them accountable for
achieving those objectives.

● Identify the events that lead to increased fraud risk, and take steps to prevent, avoid, share, or
accept that risk.

2. INCREASE THE DIFFICULTY OF COMMITTING FRAUD

● Develop and implement a strong system of internal controls.

● Segregate the accounting functions of authorization, recording, and custody.

● Implement a proper segregation of duties between systems functions.

● Restrict physical and remote access to system resources to authorized personnel.

● Require transactions and activities to be authorized by appropriate supervisory personnel.

Have the system authenticate the person, and their right to perform the transaction, before
allowing the transaction to take place.

3. IMPROVE DETECTION METHODS

● Develop and implement a fraud risk assessment program that evaluates both the likelihood
and the magnitude of fraudulent activity and assesses the processes and controls that can deter
and detect the potential fraud.

● Create an audit trail so individual transactions can be traced through the system to the
financial statements and financial statement data can be traced back to individual transactions.
● Conduct periodic external and internal audits, as well as special network security audits; these
can be especially helpful if sometimes performed on a surprise basis.

Hanif Abdul Fattah (1606880245)

 ● Install fraud detection software.

● Implement a fraud hotline.

4. REDUCE FRAUD LOSSES

● Maintain adequate insurance.

● Develop comprehensive fraud contingency, disaster recovery, and business continuity plans.

● Store backup copies of program and data files in a secure off-site location.

● Use software to monitor system activity and recover from fraud.

Computer Abuse:

1. Hacking is the unauthorized access, modification, or use of an electronic device or some

element of a computer system. Most hackers break into systems using known flaws in
operating systems or application programs, or as a result of poor access controls. One
software monitoring company estimates there are over 7,000 known flaws in software
released in any given year. The following examples illustrate hacking attacks and the damage
they cause:
● Russian hackers broke into Citibank’s system and stole $10 million from customer
accounts.
● Acxiom manages customer information for credit card issuers, banks, automotive
manufacturers, and retailers. A systems administrator for a company doing business with
Acxiom exceeded his authorized access, downloaded an encrypted password file, and used a
password-cracking program to access confidential IDs. The intrusion cost Acxiom over $5.8
million.
● During the Iraq war, Dutch hackers stole confidential information, including troop
movements and weapons information at 34 military sites. Their offer to sell the information
to Iraq was declined, probably because Iraq feared it was a setup.
● A hacker penetrated a software supplier’s computer and used its “open pipe” to a bank
customer to install a powerful Trojan horse in the bank’s computer.
● In the worst security breach in gaming history, 101 million Sony PlayStation accounts were
hacked, crashing the network for over a month. More than 12 million credit card numbers,
e-mail addresses, passwords, home addresses, and other data were stolen.
● Unknown hackers penetrated Bangladesh’s central bank and entered a series of
fraudulent money transfers. Four requests totaling $81 million went through but in the fifth,
to the Shalika Foundation, the hackers misspelled foundation as “fandation.” Deutsche
2. Social Engineering
The techniques or psychological tricks used to get people to comply with the perpetrator’s
wishes in order to gain physical or logical access to a building, computer, server, or network.
It is usually to get the information needed to obtain confidential data
Cisco reported that fraudsters take advantage of the following seven human traits in order
to entice a person to reveal information or take a specific action:
1. Compassion—The desire to help others who present themselves as really needing your
help.
2. Greed—People are more likely to cooperate if they get something free or think they are
getting a once-in-a-lifetime deal.

Hanif Abdul Fattah (1606880245)

 3. Sex Appeal—People are more likely to cooperate with someone who is flirtatious or
viewed as “hot.”
4. Sloth—Few people want to do things the hard way, waste time, or do something
unpleasant; fraudsters take advantage of our lazy habits and tendencies.
5. Trust—People are more likely to cooperate with people who gain their trust.
6. Urgency—A sense of urgency or immediate need that must be met leads people to be
more cooperative and accommodating.
7. Vanity—People are more likely to cooperate if you appeal to their vanity by telling them
they are going to be more popular or successful.
Contoh :
a. Identity theft is assuming someone’s identity, usually for economic gain, by illegally
obtaining and using confidential information, such as a Social Security number or a bank
account or credit card number.
b. Posing is creating a seemingly legitimate business (often selling new and exciting
products), collecting personal information while making a sale, and never delivering the
product. Fraudsters also create Internet job listing sites to collect confidential
information.
c. Phishing is sending an electronic message pretending to be a legitimate company,
usually a financial institution, and requesting information or verification of information
and often warning of some negative consequence if it is not provided. The recipient is
asked to either respond to the bogus request or visit a web page and submit data. The
message often contains a link to a web page that appears legitimate. The web page has
company logos, familiar graphics, phone numbers, and Internet links that appear to be
those of the victimized company. It also has a form requesting everything from a home
address to an ATM card’s PIN.
3. Malware
This section describes malware, which is any software that is used to do harm. Malware is a
constant and growing concern, as well as an expensive one.
Contoh :
a. spyware - Software that secretly monitors computer usage, collects personal
information about users, and sends it to someone else, often without the computer
user’s permission
b. adware - Spyware that causes banner ads to pop up on a monitor, collects information
about the user’s web-surfing and spending habits, and forwards it to the adware creator,
often an advertising or media organization. Adware usually comes bundled with
freeware and shareware downloaded from the Internet.
c. torpedo software - Software that destroys competing malware. This sometimes results
in “malware warfare” between competing malware developers

Hanif Abdul Fattah (1606880245)

SOAL 3

Why is Security is management Issue?

Although effective information security requires the deployment of technological tools such as
firewalls, antivirus, and encryption, senior management involvement and support throughout all
phases of the security life cycle (see Figure 8-2) is absolutely essential for success.

The first step in the security life cycle is to assess the information security-related threats that the
organization faces and select an appropriate response. Information security professionals possess
the expertise to identify potential threats and to estimate their likelihood and impact. However,
senior management must choose which of the four risk responses described in Chapter 7 (reduce,
accept, share, or avoid) is appropriate to adopt so that the resources invested in information
security reflect the organization’s risk appetite.

Step 2 involves developing information security policies and communicating them to all employees.
Senior management must participate in developing policies because they must decide the sanctions
they are willing to impose for noncompliance. In addition, the active support and involvement of top
management is necessary to ensure that information security training and communication are taken
seriously. To be effective, this communication must involve more than just handing people a written
document or sending them an e-mail message and asking them to sign an acknowledgment that they
received and read the notice. Instead, employees must receive regular, periodic reminders about
security policies and training on how to comply with them.

Step 3 of the security life cycle involves the acquisition or building of specific technological tools.
Senior management must authorize investing the necessary resources to mitigate the threats
identified and achieve the desired level of security.

Finally, step 4 in the security life cycle entails regular monitoring of performance to evaluate the
effectiveness of the organization’s information security program. Advances in IT create new threats
and alter the risks associated with old threats. Therefore, management must periodically reassess

Hanif Abdul Fattah (1606880245)

the organization’s risk response and, when necessary, make changes to information security policies
and invest in new solutions to ensure that the organization’s information security efforts support its
business strategy in a manner that is consistent with management’s risk appetite.

So with that, let's look at what the 5 Trust Service Principles are and give a high level definition of
them:

Security - The system is protected against unauthorized access, both physical and logical

Availability - The system is available for operation and use as committed or agreed

Processing Integrity - System processing is complete, accurate, timely, and authorized

Confidentiality - Information designated as confidential is protected as committed or agreed

Privacy - Personal information is collected, used, retained, disclosed, and destroyed in conformity
with the commitments in the entity's privacy notice and with the criteria set forth in Generally
Accepted Privacy Principles (GAPP)

SOAL 4

Why is it Important to have Strong Internal Control?

A failure to have internal controls in place results in front-page news stories that no company wants
to be a part of. Enron, Worldcom, and Equifax are few examples of organizations that made news
headlines due to a lack of internal control. Similarly, there are dozens of cases each year of
companies who privately lose millions of dollars due to control failures, fraud, and misconduct.
Having a strong internal control environment can provide management and stakeholders reasonable
assurance that the organization is operating in accordance with company policies, industry
standards, and regulatory requirements.

Hanif Abdul Fattah (1606880245)

There are five key components of internal control that include the following:

Control Environment—is a set of standards, structures, and processes that provide the foundation
for performing internal control within the entity

Risk Assessment—is a process used to identify (on an iterative basis), assess, and manage risks to the
achievement of the entity’s objectives

Control Activities—are actions performed under the direction of management, as directed by an

entity’s policies and procedures, to mitigate the risks to the achievement of the entity’s objectives

Information and Communication—is the distribution of information needed to perform control

activities and to understand internal control responsibilities to personnel internal and external to the
entity

Monitoring Activities—are ongoing evaluations of the implementation and operation of the five (5)
components of internal audit

Hanif Abdul Fattah (1606880245)

SOAL 5

the risk types and examples include:

Hazard risk

Liability torts, Property damage, Natural catastrophe

Financial risk

Pricing risk, Asset risk, Currency risk, Liquidity risk

Operational risk

Customer satisfaction, Product failure, Integrity, Reputational risk; Internal Poaching; Knowledge
drain

Strategic risks

Competition, Social trend, Capital availability

PERAN MANAGEMENT, BOD, PEMERINTAH DAN EXTERNAL AUDITOR

Senior management and the board of directors have integral roles in the Model. Senior management
is accountable for the selection, development, and evaluation of the system of internal control with
oversight by the board of directors. Although neither senior management nor the board of directors

Hanif Abdul Fattah (1606880245)

is considered to be part of one of the three lines, these parties collectively have responsibility for
establishing an organization’s objectives, defining high-level strategies to achieve those objectives,
and establishing governance structures to best manage risk. They are also the parties best
positioned to make certain the optimal organizational structure for roles and responsibilities related
to risk and control. Senior management must fully support strong governance, risk management and
control. In addition, they have ultimate responsibility for the activities of the first and second lines of
defense. Their engagement is critical for success of the overall model.

Although external parties are not formally considered to be among an organization’s three lines of
defense, groups such as external auditors and regulators often play an important role regarding the
organization’s overall governance and control structure. Regulators establish requirements often
intended to strengthen governance and control, and they actively review and report on the
organizations they regulate. Similarly, external auditors may provide important observations and
assessments of the organization’s controls over financial reporting and related risks.

When coordinated effectively, external auditors, regulators, and other groups outside the
organization could be considered as additional lines of defense, providing important views and
observations to the organization’s stakeholders, including the board of directors and senior
management. However, the work of these groups has different and generally more focused or
narrow objectives, such that the areas addressed are less extensive than those evaluated by the
organization’s internal lines of defense. For example, specific regulatory audits may focus solely on
compliance issues, safety, or other limited-scope issues; while the three lines of defense are
intended to address the entire range of operational, reporting, and compliance risks facing an
organization. Parties such as external auditors and regulators, while they contribute valuable
information, should not be considered as substitutes for the internal lines of defense as it is an
organization’s responsibility to manage its risks, not an outside party’s responsibility.

Hanif Abdul Fattah (1606880245)

The first line of defense has primary ownership of risks and the methods used to manage those risks.
The second line provides expertise in risk, helps set implementation strategy, and assists in
implementation of policies and procedures. While these two lines have different responsibilities for
risk and control, it is essential they work together using the same terminology, understand each
other’s assessment of the organization’s risks, and leverage a common set of tools and processes
where possible.

Hanif Abdul Fattah (1606880245)