Chapter 5 outline
5.1 Computer Ethics
5.2 Computer Fraud
5.2.1 Definition of Computer Fraud
5.2.2 Components of Computer Fraud
5.2.3 Types of Computer Fraud
5.2.4 Fraud Detection
5.3 Risk, Exposure and Threats in AIS
5.4 The Internal Control Structure
5.4.1 Definition of Internal Control
5.4.2 Internal Control Model
5.5 Computer Based Information System (CBIS)
5.5.1 Effect of CBIS on Traditional Control Activities
5.5.2 General Controls
5.5.3 Application Controls
Computer Ethics
Ethics
Pertains to the principles of conduct that individuals use in making choices and guiding their behavior in situations that involve the concepts of right and wrong.
Four Main Areas of Business Ethics
Security
Intellectual Property
Equity in access
Misuse of Computer
Artificial intelligence
Unemployment and displacement
Environmental issues
Internal control responsibility
Security
Security is an attempt to avoid undesirable events such as a loss of confidentiality or of data integrity, and to protect and further the legitimate interests of the system's constituencies. Security can be used to protect systems and personal information, but it can also restrict legitimate access.
Equity in access
Some barriers to access (security systems) are intrinsic to the technology of information systems, but others are avoidable through careful system design. Several factors can limit access to computing technology, e.g. financial cost, cultural barriers and physical limitations.
Artificial Intelligence
A branch of computer science that studies how to endow computers with the capabilities of human intelligence. Example: both knowledge engineers (those who write the programs) and domain experts (those who provide the knowledge) must be concerned about their responsibility for faulty decisions, for incomplete or inaccurate knowledge bases, and for the role given to computers in the decision-making process.
Environmental Issues
It is probably easier just to print a document than to consider whether it should be printed and how many copies really need to be made. It may be more efficient, or more comforting, to have a hard copy in addition to the electronic version. However, paper comes from trees, and it ends up in landfills if not properly recycled.
Fraud
(2) Pressures
A person's motivation for committing a fraud, e.g. an employee who is experiencing financial difficulties.
Reported errors, frauds, and security lapses involving computer-based information systems
A customer received a bill of $1 million instead of $100 because of an error in the invoicing program.
A supervisor added fictitious employees to the payroll so that the payroll program would send their paychecks to a friend's address.
A programmer employed by a bank changed an interest calculation program so that it credited the fractional cents to his own account.
A purchasing agent entered unauthorized purchase transactions via a terminal and had the merchandise delivered to his home.
A salesperson carried away in her briefcase a magnetic tape containing a publishing firm's list of customers.
A fire in a firm's tape library destroyed thousands of reels of magnetic tape.
A failure in an essential component of a computer caused the system to break down and the data to be lost.
Computer Fraud
"The unauthorized use of, or access to, a computer for purposes contrary to the wishes of the owner of the computer or the data held thereon."
Eavesdropping
The intercepting and reading of messages and conversations by unintended recipients; listening to private voice or data transmissions. One who participates in eavesdropping, i.e. someone who secretly listens in on the conversations of others, is called an eavesdropper. The origin of the term is literal: people would hide under the eaves of houses to listen in on other people's private conversations.
Hacking
Accessing and using computer systems without permission, usually by means of a personal computer and a telecommunication network.
Piggybacking
A method of gaining unauthorized access to computer facilities by following an authorized employee through a controlled door or into a restricted area (a building or a computer room).
Also: tapping into a telecommunications line and latching on to a legitimate user before he or she logs into the system, so that the legitimate user unknowingly carries the perpetrator into the system; or gaining access to a restricted communications channel by using a session another user has already established. Piggybacking can be defeated by logging off before leaving a workstation or terminal, or by initiating a protected mode, such as a screensaver, that requires re-authentication before access can be resumed.
Superzapping
Using special system programs to bypass regular system controls and perform illegal acts. Superzap lets system administrators or other highly trusted individuals override system security to quickly repair or regenerate the system, especially in an emergency. Example: the manager of computer operations in a bank was told by his boss to correct a problem affecting account balances. The problem was originally caused by unanticipated problems in the changeover of the bank's computer system. While working on the project, the manager found that he could use the Superzap program to make other account changes as well, without having to deal with the usual controls, audits, or documentation. He moved funds from various accounts into the accounts of several friends, netting about $128,000 in all. He was detected only when a customer complained about a shortage in his account. Because the Superzap program left no evidence of data file changes, the fraud was highly unlikely to be discovered by any other means.
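The two bank cases on these slides (the Superzap manager and the programmer who kept the fractional cents) were found only by a customer complaint, because the application's own audit trail had been bypassed. The compensating control is independent verification: recompute from data the fraudster did not control. The following is an added example, not code from the original slides; account names, the interest rate and all amounts are constructed. It reconciles ledger balances to the opening balance plus journaled postings (a utility that edits a balance directly writes no journal entry, so the account no longer reconciles), and recomputes interest per account with the bank's stated rounding rule (half-up to the cent), which catches diverted fractions even though the batch total still agrees.

```python
"""Independent verification of balances and interest credits.

Added example; not code from the original slides. Account names, the rate,
the journal and the credited amounts below are constructed sample data.
"""
from collections import defaultdict
from decimal import Decimal, ROUND_HALF_UP


def reconcile_balances(opening, journal, ledger):
    """Return {account: (expected, actual)} for every account whose ledger balance
    is not explained by its opening balance plus the postings in the journal.
    A balance edited by a utility outside the application has no posting, so it
    shows up here even though the data file itself carries no trace of the edit."""
    expected = defaultdict(Decimal)
    for acct, bal in opening.items():
        expected[acct] += bal
    for entry in journal:
        expected[entry["account"]] += Decimal(entry["amount"])
    diffs = {}
    for acct in sorted(set(expected) | set(ledger)):   # union: an account appearing on only one side is a finding too
        exp, act = expected[acct], ledger.get(acct, Decimal("0"))
        if exp != act:
            diffs[acct] = (exp, act)
    return diffs


def verify_interest(balances, monthly_rate, credited):
    """Recompute each account's interest with the stated rounding rule and compare it
    with what was actually credited. Totals are reported as well, to show that a
    batch total alone does not detect fractions moved from one account to another."""
    discrepancies, total_recomputed, residue = {}, Decimal("0"), Decimal("0")
    for acct, bal in balances.items():
        exact = bal * monthly_rate
        rounded = exact.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)
        total_recomputed += rounded
        residue += exact - rounded                 # what rounding legitimately leaves over; it belongs in a rounding account, not to a person
        if credited.get(acct) != rounded:          # an account missing from the credit file (None) is also flagged
            discrepancies[acct] = (rounded, credited.get(acct))
    return {
        "discrepancies": discrepancies,
        "total_recomputed": total_recomputed,
        "total_credited": sum(credited.values(), Decimal("0")),
        "rounding_residue": residue,
    }


# Constructed data for the Superzap case: 200.00 moved from A2 to F1 with no journal entry.
OPENING = {"A1": Decimal("1000.00"), "A2": Decimal("500.00"), "F1": Decimal("0.00")}
JOURNAL = [{"account": "A1", "amount": "100.00"}, {"account": "A2", "amount": "-50.00"}]
LEDGER = {"A1": Decimal("1100.00"), "A2": Decimal("250.00"), "F1": Decimal("200.00")}

# Constructed data for the fractional-cents case: each account is credited the truncated
# interest and the collected fractions go to account X, so the total still agrees.
MONTHLY_RATE = Decimal("0.004")
BALANCES = {"A1": Decimal("1234.56"), "A2": Decimal("250.75"),
            "A3": Decimal("98765.43"), "X": Decimal("100.00")}
CREDITED = {"A1": Decimal("4.93"), "A2": Decimal("1.00"),
            "A3": Decimal("395.06"), "X": Decimal("0.41")}

if __name__ == "__main__":
    for acct, (exp, act) in reconcile_balances(OPENING, JOURNAL, LEDGER).items():
        print(f"{acct}: expected {exp}, ledger shows {act}")
    report = verify_interest(BALANCES, MONTHLY_RATE, CREDITED)
    print("totals agree:", report["total_credited"] == report["total_recomputed"])
    for acct, (should, was) in report["discrepancies"].items():
        print(f"{acct}: should be {should}, credited {was}")
```

Run on the constructed data, the reconciliation flags A2 and F1 but not A1, and the interest check shows the totals equal (401.40 both ways) while A1 and X disagree per account; a control that compares only batch totals would have passed the fraud.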
Virus
A destructive program that has the ability to reproduce itself and infect other programs or disks. Typically a virus will not show itself immediately, but will add itself to programs and disks to spread itself widely across many computers before it is triggered into its destructive phase. It requires a human to do something (run a program, open a file, etc.) in order to replicate.
Worm
A self-replicating program that reproduces itself over a network. Similar to a virus, except that: (i) a worm is a stand-alone program rather than a code segment hidden in a host program or executable file; (ii) a virus requires a human to do something (run a program, open a file, etc.) to replicate, whereas a worm replicates itself automatically and actively transmits copies of itself directly to other systems. Worms often arrive as e-mail attachments which, when opened or activated, can damage the user's system.
Ways to Prevent and Detect Computer Fraud
Make fraud less likely to occur
Increase the difficulty of committing fraud
Improve detection methods
Reduce fraud losses
Software: A Variety to Choose From
Introduction
Reliance on information and rapidly changing technology has forced organizations to implement comprehensive information security programs and procedures to protect their information assets.
Risk
Business firms face risks that reduce the chances of achieving their control objectives. Risk: the likelihood that a threat or hazard will actually come to pass. Risk exposures: the threats to a firm's assets and information quality due to lapses or inadequacies in controls. Risk assessment consists of identifying relevant risks, analyzing the extent of exposure to those risks, and managing the risks by proposing effective control procedures.
Problem Conditions Affecting Risk Exposures
Collusion (both internal and external): the cooperation of two or more people for a fraudulent purpose is difficult to counteract even with sound control procedures.
Lack of enforcement: management may not prosecute wrongdoers because of the potential embarrassment.
Computer crime: poses very high degrees of risk, and fraudulent activities are difficult to detect.
Objectives of the Internal Control Structure
Promoting effectiveness and efficiency of operations
Reliability of financial reporting
Safeguarding assets
Checking the accuracy and reliability of accounting data
Compliance with applicable laws and regulations
Encouraging adherence to prescribed managerial policies
Modifying Assumptions to the Internal Control Objectives
Management responsibility: the establishment and maintenance of a system of internal control is the responsibility of management.
Reasonable assurance: the cost of achieving the objectives of internal control should not outweigh its benefits.
Methods of data processing: the techniques for achieving the objectives vary with different types of technology.
Limitations: the effectiveness of internal control is limited by error, circumvention, management override and changing conditions.
Preventive, Detective, and Corrective Controls
Five Internal Control Components (SAS No. 78 / COSO)
1. Control environment
2. Risk assessment
3. Information and communication
4. Monitoring
5. Control activities
Components and Major Considerations of the IC Structure
[Diagram: the Internal Control Structure consists of the Control Environment, Risk Assessment, Information & Communication, Monitoring and Control Activities; Control Activities are divided into General Controls and Application Controls.]
Organization Structure
The structure of an organisation is "the sum total of the ways in which it divides its labour into distinct tasks and then achieves co-ordination among them" (Mintzberg, 1989). Questions to ask:
Is an up-to-date organization chart prepared, showing the names of key personnel?
Is the information systems function separated from incompatible functions?
How is the accounting department organized?
Is the internal audit function separate and distinct from accounting?
Do subordinate managers report to more than one supervisor?
Audit Committees
The committee responsible for overseeing a corporation's internal control structure, financial reporting process, and compliance with related laws and regulations. It comprises outside members of the board of directors (B.O.D.) and is responsible for dealing with the external and internal auditors.
(4) Monitoring
A process that assesses the quality of internal control performance over time. Separate procedures: tests of controls by internal auditors. Ongoing monitoring: computer modules integrated into routine operations, and management reports which highlight trends and exceptions from normal performance.
Transaction Authorization
Segregation of Duties
Supervision
Accounting Records
Access Controls
Independent Verification
A. General Controls
Pertain to all activities involving a firm's AIS and resources (assets), i.e. entity-wide concerns such as controls over the data center, organization databases, systems development and program maintenance. Their purpose is to ensure that the overall computer system is stable and well managed. Categories:
(a) Segregation of duties within the systems function
(b) Physical access controls
(c) Logical access controls
(d) Data storage controls
(e) Data transmission controls
(f) Internet and e-Commerce controls
(i) Segregation of Duties Within the Systems Function
Implementing control procedures that clearly divide authority and responsibility within the information systems function, to prevent employees from perpetrating and concealing fraud. In a highly integrated AIS, procedures that used to be performed by separate individuals are combined: any person who has unrestricted access to the computer, its programs and live data could have the opportunity both to perpetrate and to conceal fraud.
Authority and responsibility must be clearly divided among the following functions:
1. Systems administration
2. Network management
3. Security management
4. Change management
5. Users
6. Systems analysis
7. Programming
8. Computer operations
9. Information system library
10. Data control
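In practice the division above is enforced through access rights, and checked by reviewing who effectively holds which function, including grants that arrive indirectly through group or role membership. The following is an added example, not code from the original slides: the ten function names are those listed above, but which pairs count as incompatible is an assumption made here for illustration (the organisation's own control design supplies the real matrix), and the users, roles and grants are constructed.

```python
"""Segregation-of-duties review over an access list.

Added example; it is not code from the original slides. The ten function names
are the ones the slide lists. Which pairs are treated as incompatible is an
ASSUMPTION made here for illustration (a real matrix comes from the
organisation's own control design). Users, roles and grants are constructed.
"""

FUNCTIONS = {
    "systems_administration", "network_management", "security_management",
    "change_management", "users", "systems_analysis", "programming",
    "computer_operations", "information_system_library", "data_control",
}

# ASSUMED incompatible pairs: holding both lets one person perpetrate and conceal.
INCOMPATIBLE_PAIRS = {
    frozenset({"programming", "computer_operations"}),             # write code, run it on live data
    frozenset({"programming", "information_system_library"}),      # swap the production copy
    frozenset({"programming", "change_management"}),               # approve one's own change
    frozenset({"users", "programming"}),                           # end user alters own application
    frozenset({"security_management", "systems_administration"}),  # grant oneself access
    frozenset({"data_control", "computer_operations"}),            # reconcile one's own runs
}


def effective_functions(user, user_roles, user_direct, role_functions):
    """Union of functions granted directly and through role membership.
    Unknown function names raise, so a misspelt grant cannot hide a conflict."""
    held = set(user_direct.get(user, ()))
    for role in user_roles.get(user, ()):
        held |= set(role_functions[role])
    unknown = held - FUNCTIONS
    if unknown:
        raise ValueError(f"{user}: unknown function(s) {sorted(unknown)}")
    return held


def find_sod_violations(user_roles, user_direct, role_functions):
    """Return sorted (user, (function_a, function_b)) for every incompatible pair
    a user holds, whether the grant came directly or via a role."""
    violations = []
    for user in sorted(set(user_roles) | set(user_direct)):
        held = effective_functions(user, user_roles, user_direct, role_functions)
        for pair in INCOMPATIBLE_PAIRS:
            if pair <= held:
                violations.append((user, tuple(sorted(pair))))
    return sorted(violations)


# Constructed sample access list.
ROLE_FUNCTIONS = {
    "dev": {"programming"},
    "ops": {"computer_operations"},
    "release": {"information_system_library", "change_management"},
}
USER_ROLES = {"alice": {"dev"}, "bob": {"ops"}, "carol": {"dev", "release"}}
USER_DIRECT = {
    "bob": {"data_control"},                                   # conflicts with the ops role
    "dave": {"systems_administration", "security_management"},
}

if __name__ == "__main__":
    for user, pair in find_sod_violations(USER_ROLES, USER_DIRECT, ROLE_FUNCTIONS):
        print(f"{user}: holds both {pair[0]} and {pair[1]}")
```

On the constructed list, alice is clean, bob's direct data-control grant conflicts with his operations role, carol's two roles together give her programming plus change approval and library access, and dave can both administer systems and manage security. The point of resolving roles first is that none of these conflicts is visible by looking at any single grant.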
Protection of PCs and Client/Server Networks
Many of the policies and procedures for mainframe control are applicable to PCs and networks. The following controls are also important:
Train users in PC-related control concepts.
Restrict access by using locks and keys on PCs.
Establish policies and procedures.
Portable PCs should not be stored in cars.
Keep sensitive data in the most secure environment possible.
Install software that automatically shuts down a terminal after it has been idle for a certain amount of time.
Back up hard disks regularly.
Encrypt or password-protect files.
Build protective walls around operating systems.
Ensure that PCs are booted up within a secure system.
Use multilevel password controls to limit employee access to incompatible data.
Use specialists to detect holes in the network.
(vi) Internet and e-Commerce Controls
E-Commerce: the electronic execution of business transactions such as buying and selling. Caution should be exercised when conducting business on the Internet because of:
the large and global base of people that depend on the Internet
the variability in quality, compatibility, completeness and stability of network products and services
access to messages by others
security flaws in Web sites
the attraction of hackers to the Internet
What controls can be used to secure Internet activity?
B. Application Controls
Pertain directly to the transaction processing systems and ensure the integrity of specific systems (e.g. sales order processing, accounts payable and payroll applications). Objective: to ensure that all transactions are legitimately authorized and accurately recorded, classified, processed and reported. Application controls are subdivided into 1) input, 2) processing and 3) output controls. Input controls include:
(a) Data observation and recording
(b) Data transcription (batching and converting)
(c) Edit tests of transaction data
(d) Transmission of transaction data
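The following is an added example, not code from the original slides, showing what the batching and edit-test controls above look like when applied to a batch of sales invoices. The field names, master data, limits and the sample batch are constructed for illustration. Batch totals (record count, financial total, hash total) check that what was transcribed is what the batch header promised; the edit tests (sequence, completeness, field, sign, validity, limit/reasonableness) check each transaction. The batch includes the slide's $1 million-instead-of-$100 invoice, which the limit test rejects before it reaches a customer.

```python
"""Input controls over a batch of sales invoices: batch totals and edit tests.

Added example; not code from the original slides. Master data, limits and the
sample batch are constructed for illustration.
"""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

# Constructed master data for the validity and limit checks.
CREDIT_LIMITS = {"C100": Decimal("5000.00"), "C200": Decimal("25000.00")}
VALID_TERMS = {"NET30", "NET60"}
REASONABLE_MAX = Decimal("50000.00")   # no single invoice above this without an override


@dataclass
class Invoice:
    number: int       # pre-numbered source document
    customer: str
    amount: str       # kept exactly as keyed, so the field check can catch non-numeric input
    terms: str


def edit_tests(inv, expected_number):
    """Edit tests on one transaction. Returns the exceptions found (empty list = accept)."""
    errors = []
    if inv.number != expected_number:                          # sequence check (gap or duplicate)
        errors.append(f"sequence: expected {expected_number}, got {inv.number}")
    if not inv.customer or not inv.amount or not inv.terms:    # completeness check
        errors.append("completeness: missing field")
    try:                                                        # field (numeric) check
        amount = Decimal(inv.amount)
        if not amount.is_finite():                              # 'NaN' and 'Infinity' parse but are not amounts
            raise InvalidOperation
    except InvalidOperation:
        errors.append(f"field: amount {inv.amount!r} is not numeric")
        return errors                                           # the remaining tests need a number
    if amount <= 0:                                             # sign check
        errors.append(f"sign: amount {amount} must be positive")
    if inv.customer not in CREDIT_LIMITS:                       # validity check against the master file
        errors.append(f"validity: unknown customer {inv.customer}")
    if inv.terms not in VALID_TERMS:                            # validity check against the code table
        errors.append(f"validity: unknown terms {inv.terms}")
    if amount > REASONABLE_MAX:                                 # limit / reasonableness check
        errors.append(f"limit: {amount} exceeds reasonableness limit {REASONABLE_MAX}")
    elif amount > CREDIT_LIMITS.get(inv.customer, REASONABLE_MAX):
        errors.append(f"limit: {amount} exceeds credit limit for {inv.customer}")
    return errors


def check_batch_totals(batch, header):
    """Compare the control totals prepared from the source documents with what was
    actually transcribed. The hash total (sum of document numbers) has no business
    meaning; it only proves the same documents reached the system."""
    amounts = []
    for inv in batch:
        try:
            amounts.append(Decimal(inv.amount))
        except InvalidOperation:
            pass                    # reported by the edit tests; the financial total will not agree either
    computed = {
        "record_count": len(batch),
        "financial_total": sum(amounts, Decimal("0")),
        "hash_total": sum(inv.number for inv in batch),
    }
    return [f"{name}: header {header[name]}, computed {value}"
            for name, value in computed.items() if header[name] != value]


def process_batch(batch, header):
    """Batch controls first, then the edit tests record by record."""
    result = {"batch_errors": check_batch_totals(batch, header), "accepted": [], "rejected": {}}
    expected = batch[0].number if batch else None
    for inv in batch:
        errors = edit_tests(inv, expected)
        expected = inv.number + 1        # continue the sequence from the document actually seen
        if errors:
            result["rejected"][inv.number] = errors
        else:
            result["accepted"].append(inv.number)
    return result


# Constructed batch. The header was prepared from five source documents numbered
# 1001-1005 totalling 2650.00; the keyed records below contain four transcription errors.
SAMPLE_HEADER = {"record_count": 5, "financial_total": Decimal("2650.00"), "hash_total": 5015}
SAMPLE_BATCH = [
    Invoice(1001, "C100", "250.00", "NET30"),
    Invoice(1002, "C200", "1000000.00", "NET30"),   # keyed 1000000.00 instead of 100.00
    Invoice(1003, "C300", "1200.00", "NET30"),      # customer not on the master file
    Invoice(1004, "C100", "3OO.00", "NET30"),       # letter O keyed for zero
    Invoice(1006, "C200", "800.00", "NET45"),       # document 1005 missing; terms code not valid
]

if __name__ == "__main__":
    report = process_batch(SAMPLE_BATCH, SAMPLE_HEADER)
    print("batch:", *report["batch_errors"], sep="\n  ")
    print("accepted:", report["accepted"])
    for number, errors in report["rejected"].items():
        print(f"rejected {number}:", "; ".join(errors))
```

Only invoice 1001 is accepted. The financial and hash totals both disagree with the header, so the batch as a whole is held, and each rejected record carries the specific test it failed, which is what the data control group needs to route it back for correction.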
Effects of CBIS on Traditional Control Activities
The purpose of this section is to reconcile traditional control concerns with the CBIS environment. SAS 78 control activities:
(1) transaction authorization
(2) segregation of duties
(3) supervision
(4) access control
(5) accounting records
(6) independent verification
(3) Supervision
More supervision is typically necessary in a CBIS because:
highly skilled employees generally have a higher turnover rate
highly skilled employees are often in positions of authority
physical observation of employees working with the system is often difficult or impractical
End of Chapter 5