
Chapter 5

Ethics, Fraud Control and Security in Accounting Information Systems

Learning Objectives

5.1 Computer Ethics
5.2 Computer Fraud
    5.2.1 Definition of Computer Fraud
    5.2.2 Components of Computer Fraud
    5.2.3 Types of Computer Fraud
    5.2.4 Fraud Detection
5.3 Risk, Exposure and Threats in AIS
5.4 The Internal Control Structure
    5.4.1 Definition of Internal Control
    5.4.2 Internal Control Model
5.5 Computer Based Information System (CBIS)
    5.5.1 Effect of CBIS on Traditional Control Activities
    5.5.2 General Controls
    5.5.3 Application Controls

Learning Objective 5.1

Computer Ethics

Ethics
Pertains to the principles of conduct that individuals use in making choices and guiding their behavior in situations that involve the concepts of right and wrong.

Business ethics

Business ethics involves finding answers to two questions:
How do managers decide what is right in conducting their business? Once they recognize what is right, how do they achieve it?

In business, conflicts may arise between:
- employees
- management
- stakeholders

Four Main Areas of Business Ethics

Computer Ethics


The analysis of the nature and social impact of computer technology and the corresponding formulation and justification of policies for the ethical use of such technology. It includes concerns about software as well as hardware, the networks connecting computers, and the computers themselves (Moor, 1985).

Levels of Computer Ethics

- POP: exposure to stories and reports found in the popular media regarding the good or bad ramifications of computer technology.
- PARA: taking a real interest in computer ethics cases and acquiring some level of skill and knowledge in the field.
- THEORETICAL: of interest to multidisciplinary researchers who apply theories to computer science with the goal of bringing some new understanding to the field.

Computer Ethics Issues

(a) Privacy
(b) Security
(c) Intellectual property
(d) Equity in access
(e) Misuse of computers
(f) Artificial intelligence
(g) Unemployment and displacement
(h) Environmental issues
(i) Internal control responsibility

Computer Ethics Issues (Cont)


Privacy
People desire to be in full control of what and how much information about themselves is available to others, and to whom it is available. It raises the issue of ownership.

Security
An attempt to avoid undesirable events such as a loss of confidentiality or data integrity, and to protect and further the legitimate interests of the system's constituencies. Security can be used to protect systems and personal information, but it can also restrict legitimate access.

Computer Ethics Issues (Cont)

Intellectual Property
The group of legal rights to things people create or invent. Intellectual property rights typically include patent, copyright, trademark and trade secret rights, and are modelled on the laws designed to preserve real property rights. Copyright laws have been invoked in an attempt to protect those who develop software from having it copied.

Equity in access
Some barriers to access (such as security systems) are intrinsic to information system technology, but others are avoidable through careful system design. Several factors can limit access to computing technology, e.g. financial cost, cultural barriers and physical limitations.

Computer Ethics Issues (Cont)

Misuse of Computers
Illegal copying of software, e.g. copying proprietary software. Although clearly illegal, it is commonly done.

Artificial Intelligence
A branch of computer science that studies how to endow computers with capabilities of human intelligence. Both knowledge engineers (those who write the programs) and domain experts (those who provide the knowledge) must be concerned about their responsibility for faulty decisions, incomplete or inaccurate knowledge bases, and the role given to computers in the decision-making process.

Computer Ethics Issues (Cont)


Unemployment and Displacement
Many jobs have been and are being changed as a result of the availability of computer technology. People unable or unprepared to change are displaced.

Environmental Issues
It is probably easier just to print a document than to consider whether it should be printed and how many copies really need to be made. It may be more efficient / comforting to have a hard copy in addition to the electronic version. However, paper comes from trees, and ends up in landfills if not properly recycled.

Computer Ethics Issues (Cont)


Internal Control Responsibility
A business cannot meet its financial obligations or achieve its objectives if its information is unreliable. Thus, managers must establish and maintain a system of appropriate internal controls to ensure the integrity and reliability of their data.

Learning Objective 5.2

Fraud

Definition of Fraud

Fraud: a deliberate act or untruth intended to obtain unfair or unlawful gain, made by one party to another party with the intent to deceive and induce the other party to justifiably rely on the fact to his or her detriment. A fundamental aspect of management's stewardship responsibility is to provide shareholders with reasonable assurance that the business is adequately controlled. Fraud is also known as white-collar crime, defalcation, embezzlement and irregularities.

Components of Fraud

- False representation: a false statement or nondisclosure.
- Material fact: the fact must be substantial in inducing someone to act.
- Intent: there must be the intent to deceive, or the knowledge that one's statement is false.
- Justifiable reliance: the misrepresentation must have been a substantial factor on which the injured party relied.
- Injury or loss: the deception must have caused injury or loss to the victim of the fraud.

Motivating Factors

(1) Opportunities
The condition or situation that allows a person to commit and conceal a dishonest act. Opportunities often stem from a lack of internal controls.

(2) Pressures
A person's motivation for committing a fraud, e.g. an employee is experiencing financial difficulties.

(3) Personal Characteristics (Integrity)
- the personal morals of individual employees
- rationalization

Escalation and Frequency

FBI Computer Crimes Division reports:
- 15 security breaches every day
- 75% annual increase in recent years

Reported errors, frauds, and security lapses involving computer-based information systems:
- A customer received a bill of $1 million instead of $100 because of an error in the invoicing program.
- A supervisor added fictitious employees to the payroll so that the payroll program would cause their paychecks to be sent to a friend's address.
- A programmer employed by a bank changed an interest calculation program to credit the fractional cents to his own account.
- A purchasing agent entered unauthorized purchase transactions via a terminal and had the merchandise delivered to his home.
- A salesperson carried away in her briefcase a magnetic tape containing a publishing firm's list of customers.
- A fire in a firm's tape library destroyed thousands of reels of magnetic tape.
- A failure in an essential component of a computer caused the system to break down and the data to be lost.
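The fractional-cent case above is the classic "salami" fraud, and the reason it goes unnoticed is that the grand total of interest posted still agrees with the grand total computed. What follows is an added example, not code from these slides or from any bank's system: it simulates the honest interest run, the altered program, and the detective control that exposes it, which is to recompute every account's interest independently of the posting program and compare it with what was posted. The account numbers, balances, the 3.65% annual rate, the 30-day period and the perpetrator's account "1042" are all constructed for illustration.

```python
from decimal import Decimal, ROUND_HALF_EVEN, ROUND_DOWN

ANNUAL_RATE = Decimal("0.0365")   # assumed rate; over 30 days this is exactly 0.3% per period
DAYS = 30
CENT = Decimal("0.01")


def sample_accounts(n=200):
    """Constructed, deterministic balances (not real data): list of (account id, balance)."""
    return [(str(1000 + i),
             Decimal((i * 7919) % 90000 + 1000) + Decimal((i * 31) % 100) / 100)
            for i in range(n)]


def exact_interest(balance):
    """Interest for the period at full precision, before any rounding to cents."""
    return balance * ANNUAL_RATE * DAYS / Decimal(365)


def post_interest_honest(accounts):
    """Honest program: round each account's interest to the nearest cent (banker's rounding)."""
    return {acct: exact_interest(bal).quantize(CENT, rounding=ROUND_HALF_EVEN)
            for acct, bal in accounts}


def post_interest_salami(accounts, perpetrator):
    """The altered program from the case: truncate every account's interest downward and
    credit the accumulated fractional cents to the perpetrator's own account. The total
    interest posted still matches the total computed to within a cent, so a totals-only
    reconciliation does not notice anything."""
    postings, shaved = {}, Decimal("0")
    for acct, bal in accounts:
        exact = exact_interest(bal)
        truncated = exact.quantize(CENT, rounding=ROUND_DOWN)
        postings[acct] = truncated
        shaved += exact - truncated
    postings[perpetrator] = postings.get(perpetrator, Decimal("0")) + shaved.quantize(CENT, rounding=ROUND_DOWN)
    return postings


def audit_postings(accounts, postings):
    """Detective control: recompute each account's interest independently of the posting
    program and flag any posting that differs by more than one cent or that has no balance
    on file. Also count the direction of rounding: an honest run rounds up and down about
    equally, a truncating run rounds almost everything down."""
    balances = dict(accounts)
    flagged, rounded_down, rounded_up = [], 0, 0
    for acct, posted in postings.items():
        if acct not in balances:
            flagged.append((acct, "interest posted to an account with no balance on file"))
            continue
        exact = exact_interest(balances[acct])
        diff = posted - exact
        if diff < 0:
            rounded_down += 1
        elif diff > 0:
            rounded_up += 1
        if abs(diff) > CENT:
            flagged.append((acct, f"posted {posted} but recomputed {exact.quantize(CENT)}"))
    return flagged, rounded_down, rounded_up


if __name__ == "__main__":
    accounts = sample_accounts()
    print("honest run flagged:", audit_postings(accounts, post_interest_honest(accounts))[0])
    flagged, down, up = audit_postings(accounts, post_interest_salami(accounts, perpetrator="1042"))
    print("salami run flagged:", flagged, "| rounded down:", down, "| rounded up:", up)
```

The per-account recomputation is the control that matters: the perpetrator's account is the only one whose posting is off by more than a cent, and the lopsided rounding count is a second, cheaper signal that the rounding rule in the production program has been changed.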

Levels of Fraud

(1) Employee fraud
(2) Management fraud

(1) Employee Fraud

Committed by non-management employees. Usually consists of an employee taking cash or other assets for personal benefit by circumventing a company's system of internal controls. It involves three steps:
a) stealing something of value (an asset),
b) converting the asset to a usable form (cash), and
c) concealing the crime to avoid detection.

(2) Management Fraud

More insidious than employee fraud because it often escapes detection until irreparable damage or loss has been suffered by the organization. It typically has three special characteristics:
a) It is perpetrated at levels of management above the one to which the internal control structure relates.
b) It frequently involves using the financial statements to create an illusion that an entity is healthier and more prosperous than it actually is.
c) If it involves misappropriation of assets, it is frequently shrouded in a maze of complex business transactions.

Fraud Schemes

Three categories of fraud schemes according to the Association of Certified Fraud Examiners:
(a) Fraudulent statements
(b) Corruption
(c) Asset misappropriation

(a) Fraudulent Statements

Misstating the financial statements to make the company appear better off than it is. Usually occurs as management fraud. May be tied to a focus on short-term financial measures of success, and may also be related to management bonus packages being tied to the financial statements.

(b) Corruption

Examples:
(a) Bribery: giving, offering, soliciting, or receiving things of value to influence an official in the performance of his or her lawful duties.
(b) Illegal gratuities: giving, receiving, offering, or soliciting something of value because of an official act that has already been taken.
(c) Conflicts of interest: the person has a self-interest in the activity being performed.
(d) Economic extortion: the use or threat of force (including economic sanctions) by an individual or organization to obtain something of value.

(c) Asset Misappropriation

The most common type of fraud; it often occurs as employee fraud. Examples:
- Making charges to expense accounts to cover the theft of an asset (especially cash).
- Lapping: using a customer's check received for one account to cover a theft from a different account, so that each account is eventually credited, but always with a later customer's money.
- Transaction fraud: deleting, altering, or adding false transactions to steal assets.
- Computer fraud schemes, which can target each stage of the system: data collection (input), data processing (process), database management (storage, retrieval, and deletion), and information generation (output).
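Lapping is caught by reconciling an independent record of who actually paid (the bank's deposit detail or the cheque images) against what the cashier posted to customer accounts. The code below is an added illustration, not from the slides or from any accounting package; the customer names, dates and amounts are constructed. In the scenario, Alpha Co's payment of 3 March was pocketed and never deposited, and each later customer's cheque is applied to the previous customer's account to hide the gap, which is exactly the chain the second function reconstructs.

```python
from datetime import date

# Constructed data (not real): what the bank received, with the remitter taken from the
# cheque or remittance advice, an independent source the cashier does not control.
DEPOSITS = [
    {"date": date(2024, 3, 4),  "payer": "Beta Ltd",  "amount": 500},
    {"date": date(2024, 3, 5),  "payer": "Delta Inc", "amount": 120},
    {"date": date(2024, 3, 8),  "payer": "Gamma plc", "amount": 500},
    {"date": date(2024, 3, 12), "payer": "Epsilon",   "amount": 500},
]

# Constructed cash receipts journal: which customer account the cashier credited.
JOURNAL = [
    {"date": date(2024, 3, 4),  "account": "Alpha Co",  "amount": 500},  # Beta's money covers Alpha
    {"date": date(2024, 3, 5),  "account": "Delta Inc", "amount": 120},  # legitimate
    {"date": date(2024, 3, 8),  "account": "Beta Ltd",  "amount": 500},  # Gamma's money covers Beta
    {"date": date(2024, 3, 12), "account": "Gamma plc", "amount": 500},  # Epsilon's money covers Gamma
]


def reconcile_receipts(deposits, journal):
    """Match each deposit to a journal posting on the same date for the same amount and
    report those where the remitter is not the customer credited.
    Returns (mismatches, deposits_without_posting, postings_without_deposit)."""
    unmatched_postings = list(journal)
    mismatches, unmatched_deposits = [], []
    for dep in sorted(deposits, key=lambda d: d["date"]):
        posting = next((j for j in unmatched_postings
                        if j["date"] == dep["date"] and j["amount"] == dep["amount"]), None)
        if posting is None:
            unmatched_deposits.append(dep)
            continue
        unmatched_postings.remove(posting)
        if posting["account"] != dep["payer"]:
            mismatches.append({"date": dep["date"], "amount": dep["amount"],
                               "payer": dep["payer"], "credited": posting["account"]})
    return mismatches, unmatched_deposits, unmatched_postings


def lapping_chain(mismatches):
    """Link the mismatches: in a lapping scheme each misapplied payment is credited to the
    customer whose own payment was misapplied (or stolen) just before it. Returns the
    customers in order; the first is where the original theft occurred and the last one's
    account is still short until the next cheque arrives."""
    chain = []
    for m in sorted(mismatches, key=lambda m: m["date"]):
        if not chain:
            chain = [m["credited"], m["payer"]]
        elif chain[-1] == m["credited"]:
            chain.append(m["payer"])
    return chain


if __name__ == "__main__":
    mismatches, no_posting, no_deposit = reconcile_receipts(DEPOSITS, JOURNAL)
    for m in mismatches:
        print(f"{m['date']}: {m['amount']} from {m['payer']} was credited to {m['credited']}")
    print("lapping chain:", " -> ".join(lapping_chain(mismatches)))
```

Note that the stolen cheque itself never appears in either record; it shows up only as Alpha Co being credited with somebody else's money. That is why the control relies on an independent source for the remitter, and why segregating cash handling from accounts-receivable posting removes the opportunity in the first place.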

Learning Objective 5.2 (continued)

Computer Fraud

Definition of Computer Fraud

Any illegal act for which knowledge of computer technology is essential for its perpetration, investigation, or prosecution. It includes:
- unauthorized theft, use, access, copying, and destruction of software or data;
- theft of money by altering computer records, or theft of computer time;
- theft or destruction of computer hardware;
- use, or conspiracy to use, computer resources to commit a felony;
- intent to illegally obtain information or tangible property through the use of computers.

What is Computer Abuse?

There are many definitions of computer abuse and it is often confused with computer fraud, but put quite simply it is:

"The unauthorized use of, or access to, a computer for purposes contrary to the wishes of the owner of the computer or the data held thereon."

Computer Abuse (Cont)

The Australian Computer Abuse Research Bureau (ACARB) defines it as theft, fraud, embezzlement or damage related to computers, including:
- unauthorized manipulation of computer input and/or output
- unauthorized access to the system through terminals or personal computers
- unauthorized modification or use of application programs, operating systems or computing equipment
- trespass on a data processing installation; theft of equipment, files or output
- sabotage of computer installation equipment, files, or output
- unauthorized data interception

Computer Fraud Classifications

(a) Input
(b) Processor
(c) Computer instructions
(d) Data
(e) Output

(a) Input

The simplest and most common form. This phase of the system is the most vulnerable because it is very easy to change data as it is being entered into the system. To alter computer input, perpetrators need only understand how the system operates. GIGO (Garbage In, Garbage Out): if the input data is inaccurate, processing will produce inaccurate output.

(b) Processor

Computer fraud can be committed through unauthorized system use, including the theft of computer time and services, e.g. using company computers to keep personal or outside business records.

(b) Processor (Cont)

Program frauds: creating illegal programs that can access data files to alter, delete, or insert values into accounting records; destroying programs using a virus; altering a program to cause the application to process data incorrectly.
Operations frauds: misuse or theft of company computer resources, such as using the computer for personal business.

(c) Computer Instructions

Tampering with the software that processes company data. This includes modifying the software, making illegal software copies, using software in an unauthorized manner, and developing a program or module to carry out an unauthorized activity. It is the least common classification because it requires specialized knowledge.

(d) Data

Altering or damaging a company's data files, or copying, using, or searching them without authorization. Example: an employee removed the external labels from hundreds of tape files.

(e) Output

Stealing or misusing system output. System output is usually displayed on monitors or printed on paper. Monitor and printer output is subject to prying eyes and unauthorized copying.

Increase in computer fraud. Why?

- Not everyone agrees on what constitutes computer fraud.
- Many cases go undetected.
- A high percentage of uncovered fraud is not reported.
- Many networks have a low level of security.
- Information on how to commit fraud is available on the Internet.
- Law enforcement cannot keep up with computer fraud.
- The total dollar value of losses is difficult to calculate.

Computer Fraud Techniques

What are some of the more common techniques used to commit computer fraud and abuse?
- Data diddling
- Data leakage
- Denial of service attack
- Eavesdropping
- E-mail forgery and threats
- Hacking
- Internet misinformation
- Internet terrorism
- Logic/time bomb
- Masquerading or impersonation
- Password cracking
- Piggybacking
- Software piracy
- Scavenging / dumpster diving
- Social engineering
- Superzapping
- Trap door / back door
- Trojan horse
- Virus
- Worm

Data Diddling

The act of intentionally entering false information into a system or modifying existing data: changing data before, during, or after it is entered into the system. The change can delete, alter, or add key system data. Example (strictly a program modification, of the kind described under Trojan Horse below): an attacker modifies certain programs so that they send information (e.g. passwords) and user names back to him when other people use these programs.

Data Diddling (Cont)

Example: employees falsify time cards before the data contained on the cards is entered into the computer for payroll computation.
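Batch control totals are the standard input control against this kind of diddling, and against the input-stage fraud described under Computer Fraud Classifications: the originating department writes a record count, a financial total and a hash total on the transmittal sheet before the batch leaves its hands, and data entry rejects the batch if the recomputed totals disagree. A time card altered in transit, an employee number substituted for another, or a fictitious employee slipped into the batch (the payroll case earlier in this chapter) all surface before processing. The code below is an added example, not from the slides; the employee IDs, hours and master-file contents are constructed.

```python
# Constructed employee master file (valid employee IDs) and a payroll time-card batch.
EMPLOYEE_MASTER = {10231, 10478, 10502, 10777, 10800}

BATCH = [
    {"emp_id": 10231, "hours": 40.0},
    {"emp_id": 10478, "hours": 38.5},
    {"emp_id": 10502, "hours": 42.0},
    {"emp_id": 10777, "hours": 40.0},
]


def batch_totals(records):
    """Control totals written on the transmittal sheet by the originating department:
    record count, financial total (hours) and a hash total (the sum of employee IDs, which
    has no business meaning but changes whenever an ID is substituted, added or removed)."""
    return {
        "count": len(records),
        "hours": round(sum(float(r["hours"]) for r in records), 2),
        "hash": sum(int(r["emp_id"]) for r in records),
    }


def edit_checks(record, master, max_hours=60.0):
    """Per-record edit checks: validity (ID exists in the master file), field check (hours
    is numeric) and limit check (hours within a reasonable range)."""
    problems = []
    if record["emp_id"] not in master:
        problems.append("employee ID not in master file")
    hours = record["hours"]
    if not isinstance(hours, (int, float)) or isinstance(hours, bool):
        problems.append("hours is not numeric")
    elif not 0 <= hours <= max_hours:
        problems.append(f"hours {hours} outside 0-{max_hours}")
    return problems


def accept_batch(records, transmittal, master):
    """Accept the batch only if its recomputed control totals equal the transmittal totals
    and every record passes the edit checks. Returns the reasons for rejection; an empty
    list means the batch is accepted for processing."""
    reasons = []
    actual = batch_totals(records)
    for key in ("count", "hours", "hash"):
        if actual[key] != transmittal[key]:
            reasons.append(f"{key} total mismatch: transmittal {transmittal[key]}, batch {actual[key]}")
    for r in records:
        for p in edit_checks(r, master):
            reasons.append(f"record {r['emp_id']}: {p}")
    return reasons


def scenario_inflated_hours():
    """Data diddling: an employee raises his own hours after the transmittal was prepared."""
    tampered = [dict(r, hours=48.5) if r["emp_id"] == 10478 else dict(r) for r in BATCH]
    return accept_batch(tampered, batch_totals(BATCH), EMPLOYEE_MASTER)


def scenario_substituted_employee():
    """Same count, same hours, different employee: only the hash total notices."""
    tampered = [dict(r, emp_id=10800) if r["emp_id"] == 10478 else dict(r) for r in BATCH]
    return accept_batch(tampered, batch_totals(BATCH), EMPLOYEE_MASTER)


def scenario_fictitious_employee():
    """A supervisor adds a card for a non-existent employee to the batch."""
    tampered = BATCH + [{"emp_id": 10999, "hours": 40.0}]
    return accept_batch(tampered, batch_totals(BATCH), EMPLOYEE_MASTER)


if __name__ == "__main__":
    print("clean batch:", accept_batch(BATCH, batch_totals(BATCH), EMPLOYEE_MASTER) or "accepted")
    for scenario in (scenario_inflated_hours, scenario_substituted_employee, scenario_fictitious_employee):
        print(scenario.__name__, "->", scenario())
```

The hash total is the part people tend to leave out, and the substitution scenario shows why it is there: the record count and the hours total are unchanged, so without it the swapped employee number would sail through.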

Data Leakage

Unauthorized copying of company data (e.g. computer files) without permission, often without leaving any indication that it was copied. Example: an employee made copies of the company's customer list and sold them to other companies.

Denial of Service Attack (DoS)

An attack that bombards the receiving server with so much traffic that it shuts down, e.g. sending e-mail bombs (thousands of messages per second) from randomly generated false addresses so that the ISP's e-mail server is overloaded and shuts down. A denial-of-service attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Examples include:
- attempts to "flood" a network, thereby preventing legitimate network traffic;
- attempts to disrupt connections between two machines, thereby preventing access to a service;
- attempts to prevent a particular individual from accessing a service;
- attempts to disrupt service to a specific system or person.

Eavesdropping
The intercepting and reading of messages and conversations by unintended recipients; listening to private voice or data transmissions. One who participates in eavesdropping, i.e. someone who secretly listens in on the conversations of others, is called an eavesdropper. The origin of the term is literal, from people who would hide under the eaves of houses to listen in on other people's private conversations.

E-mail Forgery / Spoofing

Sending an e-mail message that looks as if it were sent by someone else: forging an e-mail header to make it appear as if the message came from somewhere or someone other than the actual source. Examples:
- an e-mail claiming to be from a system administrator requesting users to change their passwords to a specified string, and threatening to suspend their accounts if they do not;
- an e-mail claiming to be from a person in authority requesting users to send them a copy of a password file or other sensitive information.
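A forged From: line is easy to write, but the sender cannot easily make the rest of the header consistent with it unless he also controls the claimed domain's mail infrastructure. The following added example (not from the slides or any mail product) parses two constructed messages with Python's standard email module and reports the inconsistencies a receiving mail gateway or help desk would look at first: the envelope sender (Return-Path), the Reply-To address, and the host that handed the message to our own MX. The hostnames, addresses and IP ranges are constructed; in production this job is done by SPF, DKIM and DMARC checks, and these header heuristics are only a teaching aid and a triage tool.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed messages (not real mail). Headers are listed top-down as the receiving MX
# sees them; the topmost Received line is the one our own MX wrote, so it is the only
# Received line we trust.
SPOOFED = "\n".join([
    "Return-Path: <bounce@mail-blast.example.net>",
    "Received: from mail-blast.example.net (mail-blast.example.net [203.0.113.7])",
    "  by mx.corp.example (Postfix) with ESMTP id 4F2A1 for <jane@corp.example>;",
    "  Mon, 4 Mar 2024 09:12:03 +0000",
    "Received: from [10.0.0.5] by mail-blast.example.net with HTTP; Mon, 4 Mar 2024 09:11:58 +0000",
    "From: IT Helpdesk <sysadmin@corp.example>",
    "Reply-To: <helpdesk-reset@mail-blast.example.net>",
    "To: jane@corp.example",
    "Subject: Action required: change your password",
    "",
    "Change your password to Welcome1! today or your account will be suspended.",
])

LEGITIMATE = "\n".join([
    "Return-Path: <sysadmin@corp.example>",
    "Received: from mail.corp.example (mail.corp.example [192.0.2.10])",
    "  by mx.corp.example (Postfix) with ESMTP id 4F2A2 for <jane@corp.example>;",
    "  Mon, 4 Mar 2024 10:00:00 +0000",
    "From: IT Helpdesk <sysadmin@corp.example>",
    "To: jane@corp.example",
    "Subject: Scheduled maintenance on Saturday",
    "",
    "The file server will be offline from 08:00 to 10:00.",
])


def domain_of(header_value):
    """Domain part of the address in a From/Return-Path/Reply-To header, lower-cased."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def spoof_indicators(raw_message):
    """Return the header inconsistencies suggesting that the visible From: line is forged."""
    msg = message_from_string(raw_message)
    claimed = domain_of(msg.get("From"))
    indicators = []

    envelope = domain_of(msg.get("Return-Path"))
    if envelope and envelope != claimed:
        indicators.append(f"envelope sender domain {envelope} != From domain {claimed}")

    reply_to = domain_of(msg.get("Reply-To"))
    if reply_to and reply_to != claimed:
        indicators.append(f"Reply-To domain {reply_to} != From domain {claimed}")

    received = msg.get_all("Received") or []
    if received:
        hop = re.search(r"from\s+([\w.-]+)", received[0])   # the relay that delivered to our MX
        if hop and not in_domain(hop.group(1).lower(), claimed):
            indicators.append(f"delivered to our MX by {hop.group(1)}, not by a {claimed} host")
    return indicators


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(name + ":", spoof_indicators(raw) or "no indicators")
```

The Reply-To check is the one that matters for the password-reset lure: the forged From: makes the message look internal, but the attacker needs replies (or the "reset" form) to land at an address he controls.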

Hacking
Accessing and using computer systems without permission, usually by means of a personal computer and a telecommunications network.

Internet Misinformation

Using the Internet to spread false or misleading information about people or companies. This can be done in many ways, e.g. messages in online chats or setting up websites. Example: posting messages to Internet newsgroups or online bulletin boards with the intent to harm a person's or company's reputation.

Internet Terrorism

Hackers using the Internet to disrupt electronic commerce and to destroy company and individual communications.

Logic / Time Bomb

A piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met: sabotaging a system using a program that lies idle until some specified circumstance or a particular time triggers it. Once triggered, the bomb destroys programs, data, or both. Example: a programmer may hide a piece of code that starts deleting files should he ever leave the company (i.e. should his record disappear from the salary database). Software that is inherently malicious, such as viruses and worms, often contains logic bombs that execute a certain payload at a predefined time or when some other condition is met. This technique can be used by a virus or worm to gain momentum and spread before being noticed. Many viruses attack their host systems on specific dates, such as Friday the 13th or April Fool's Day.

Masquerading / Impersonation

Accessing a system by pretending to be an authorized user. It occurs when one person uses the identity of another to gain access to a computer; this may be done in person or remotely. The impersonator enjoys the same privileges as the legitimate user. It requires that the perpetrator knows the legitimate user's identification numbers or passwords.

Password Cracking

Password cracking is the process of recovering secret passwords stored in a computer system, whether by using illicit means to steal a file containing passwords or by penetrating a network, system, or resource, with or without tools, to unlock a resource that has been secured with a password. It doesn't always involve sophisticated tools: it can be as simple as finding a sticky note with the password written on it stuck to the monitor or hidden under a keyboard.
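Once an attacker has the stolen password file, how long cracking takes depends almost entirely on how the passwords were stored. The following added example (not from the slides; the user names, passwords and word list are constructed) runs the same small dictionary attack against two versions of the same password file: unsalted MD5, where the attacker hashes the word list once and then looks every user up in the resulting table, and salted PBKDF2-HMAC-SHA256, where nothing can be precomputed and every candidate has to be derived separately for every user at the configured work factor. Weak passwords still fall either way; the point is the cost per guess and the loss of reuse.

```python
import hashlib
import hmac
import os

# Constructed dictionary and password file (not real). The cracker only ever sees the hashes.
WORDLIST = ["password", "letmein", "qwerty", "Summer2024", "welcome1", "admin"]
PASSWORDS = {"alice": "letmein", "bob": "Summer2024", "carol": "correct horse battery staple"}

PBKDF2_ITERATIONS = 20_000   # kept small so the example runs quickly; production uses far more


def md5_hash(password):
    """Weak storage still found in legacy systems: unsalted, fast hash."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_hash(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Hardened storage: per-user random salt and a deliberately slow key-derivation function.
    The stored string carries the parameters needed to verify later."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password, stored):
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)   # constant-time comparison


def crack_unsalted(shadow, wordlist):
    """Dictionary attack on unsalted hashes: hash the word list once, then every user (and
    every other site using the same scheme) is a table lookup.
    Returns (found passwords by user, number of hash operations performed)."""
    table = {md5_hash(w): w for w in wordlist}
    return {user: table.get(h) for user, h in shadow.items()}, len(wordlist)


def crack_salted(shadow, wordlist):
    """Same attack on salted PBKDF2 hashes: no precomputation, so every candidate must be
    derived separately for every user, each derivation costing the full iteration count."""
    found, operations = {}, 0
    for user, stored in shadow.items():
        found[user] = None
        for word in wordlist:
            operations += 1
            if pbkdf2_verify(word, stored):
                found[user] = word
                break
    return found, operations


if __name__ == "__main__":
    weak = {u: md5_hash(p) for u, p in PASSWORDS.items()}
    strong = {u: pbkdf2_hash(p) for u, p in PASSWORDS.items()}
    print("unsalted md5   :", crack_unsalted(weak, WORDLIST))
    print("salted pbkdf2  :", crack_salted(strong, WORDLIST))
```

With six words and three users the salted run already costs twelve derivations instead of six hashes, and each derivation costs tens of thousands of hash computations rather than one; at real word-list sizes and production iteration counts that gap is what turns a minutes-long crack into an impractical one for everything except the weakest passwords.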

Piggybacking
A method of gaining unauthorized access to computer facilities by following an authorized employee through a controlled door or into a restricted area, such as a building or a computer room.

In its electronic form: tapping into a telecommunications line and latching on to a legitimate user before he or she logs into the system, so that the legitimate user unknowingly carries the perpetrator into the system; or gaining access to a restricted communications channel by using the session another user has already established. Piggybacking can be defeated by logging off before leaving a workstation or terminal, or by initiating a protected mode, such as a screensaver, that requires re-authentication before access can be resumed.

Software Piracy

Copying computer software without the publisher's permission. Software piracy is illegal. Each pirated piece of software takes away from company profits, reducing funds for further software development initiatives.

Scavenging / Dumpster Diving

Searching through object residue (file storage space) to acquire unauthorized data, or searching through the trash cans of the computer center for discarded output (the output should be shredded, but frequently is not).

Social Engineering

Fraudulently gaining the information needed to access a system by fooling an employee into providing it: an attack based on deceiving users or administrators at the target site. Social engineering attacks are typically carried out by telephoning users or operators and pretending to be an authorized user, in an attempt to gain illicit access to systems. Example: a man posing as a magazine writer was able to get valuable information over the telephone from the telephone company simply by asking for it, supposedly for his story. He then used that information to steal more than a million dollars in telephone company equipment.

Superzapping
Using special system programs to bypass regular system controls and perform illegal acts. A superzap utility lets system administrators or other highly trusted individuals override system security to quickly repair or regenerate the system, especially in an emergency. Example: the manager of computer operations in a bank was told by his boss to correct a problem affecting account balances. The problem was originally caused by unanticipated problems in the changeover of the bank's computer system. While working on the project, the manager found that he could use the superzap program to make other account changes as well, without having to deal with the usual controls, audits, or documentation. He moved funds from various accounts into the accounts of several friends, netting about $128,000 in all. He was detected only when a customer complained about a shortage in his account. Because the superzap program left no evidence of data file changes, the fraud was highly unlikely to be discovered by any other means.

Trap Door / Back Door

Entering the system through a back door that bypasses normal system controls, and perpetrating fraud. A trap door is a quick way into a program: it allows program developers to bypass all of the security built into the program, now or in the future. To a programmer, trap doors make sense: if the programmer needs to modify the program sometime in the future, he can use the trap door instead of having to go through all of the normal, customer-directed protocols just to make the change. The same door, left in production code, is available to anyone who discovers it.

Trojan Horse

Placing unauthorized computer instructions in an authorized and properly functioning program: hidden instructions embedded in software or e-mail that, once opened, may modify, damage, or send important data. Unlike viruses and worms, the code does not replicate itself.

Virus
A destructive program that has the ability to reproduce itself and infect other programs or disks. Typically a virus will not show itself immediately, but will add itself to programs and disks to spread itself widely on many computers before it is triggered into its destructive phase. It requires a human to do something (run a program, open a file, etc.) to replicate itself.

Worm
A self-replicating program that reproduces itself over a network. Similar to a virus, except that: (i) a worm is a stand-alone program rather than a code segment hidden in a host program or executable file; (ii) a virus requires a human to do something (run a program, open a file, etc.) to replicate, whereas a worm replicates itself automatically and actively transmits itself directly to other systems. Worms often arrive as e-mail attachments which, when opened or activated, can damage the user's system.

Ways to Prevent and Detect Computer Fraud
- Make fraud less likely to occur
- Increase the difficulty of committing fraud
- Improve detection methods
- Reduce fraud losses

Preventative Measures

Education and Training: a logical first step

Ten suggestions from Ernst & Young:
(1) Confidentiality statements
(2) Regular back-ups
(3) Policies and procedures
(4) Control intranet access
(5) Boot-level passwords
(6) Control Internet access
(7) Restrict use of the Internet
(8) Classify data
(9) Secure all computers
(10) Require file-level passwords

Software: a variety to choose from

Legal Ramifications
- Better prepared law enforcement
- New laws with harsher penalties

Learning Objective 5.3

Risk, Exposure and Threats in AIS

Introduction
Reliance on information and rapidly changing technology has forced organizations to implement comprehensive information security programs and procedures to protect their information assets.

Risk
Business firms face risks that reduce the chances of achieving their control objectives. Risk: the likelihood that a threat or hazard will actually come to pass. Risk exposures: the threats to a firm's assets and information quality due to lapses or inadequacies in controls. Risk assessment consists of identifying relevant risks, analyzing the extent of exposure to those risks, and managing risks by proposing effective control procedures.

Risks arise or change from:

- changes in the operating environment that impose new or changed competitive pressures on the firm
- new personnel who hold a different or inadequate understanding of internal control
- new or re-engineered information systems that affect transaction processing
- significant and rapid growth that strains existing internal controls
- the implementation of new technology into the production process or information system that impacts transaction processing
- the introduction of new product lines or activities with which the organization has little experience
- organizational restructuring resulting in the reduction and/or reallocation of personnel such that business operations and transaction processing are affected
- entering foreign markets that may impact operations (e.g. the risks associated with foreign currency transactions)
- adoption of a new accounting principle that impacts the preparation of financial statements

Types of Risks

- Unintentional errors
- Deliberate errors (fraud)
- Unintentional losses of assets
- Thefts of assets
- Breaches of security
- Acts of violence and natural disasters

Some Typical Sources of Risk

- Clerical and operational employees, who process transactional data and have access to assets
- Computer programmers, who have knowledge of the instructions by which transactions are processed
- Managers and accountants, who have access to records and financial reports and often have authority to approve transactions
- Former employees, who may still understand the control structure and may harbor grudges against the firm
- Customers and suppliers, who generate many of the transactions processed by the firm
- Competitors, who may desire to acquire confidential information of the firm
- Outside persons, such as computer hackers and criminals, who have various reasons to access the firm's data or its assets or to commit destructive acts
- Acts of nature or accidents, such as floods, fires, equipment breakdowns, high winds, war, and earthquakes

Degrees of Risk Exposure

- Frequency: the more frequent the occurrence of a transaction, the greater the exposure to risk
- Vulnerability: liquid and/or portable assets contribute to risk exposure
- Size of the potential loss: the higher the monetary value of a loss, the greater the risk exposure

Problem Conditions Affecting Risk Exposures
- Collusion (both internal and external): the cooperation of two or more people for a fraudulent purpose is difficult to counteract even with sound control procedures
- Lack of enforcement: management may not prosecute wrongdoers because of the potential embarrassment
- Computer crime: poses very high degrees of risk, and fraudulent activities are difficult to detect

Learning Objective 5.4

The Internal Control Structure

The Internal Controls Shield

The Internal Control Structure

Internal control is a state that management strives to achieve in order to provide reasonable assurance that the firm's objectives will be achieved. These controls encompass all the measures and practices that are used to counteract exposures to risks. The control framework is called the Internal Control Structure.

Definition of Internal Control

The Committee of Sponsoring Organisations (COSO) definition of internal control: a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
a) effectiveness and efficiency of operations
b) reliability of financial reporting
c) compliance with applicable laws and regulations.

Objectives of the Internal Control Structure
- Promoting effectiveness and efficiency of operations
- Reliability of financial reporting
- Safeguarding assets
- Checking the accuracy and reliability of accounting data
- Compliance with applicable laws and regulations
- Encouraging adherence to prescribed managerial policies

Modifying Assumptions to the Internal Control Objectives
- Management responsibility: the establishment and maintenance of a system of internal control is the responsibility of management.
- Reasonable assurance: the cost of achieving the objectives of internal control should not outweigh its benefits.
- Methods of data processing: the techniques for achieving the objectives will vary with different types of technology.
- Limitations: internal control effectiveness is limited by error, circumvention, management override and changing conditions.

Preventive, Detective, and Corrective Controls

(1) Preventive Controls

A control system that places restrictions on, and requires documentation of, employee activities so as to reduce the occurrence of errors and deviations: passive techniques designed to reduce the frequency of occurrence of undesirable events. Examples: passwords and data-entry controls, well-designed source documents.

(2) Detective Controls

Controls designed to discover control problems soon after they arise. They discover the occurrence of adverse events such as operational inefficiency, and reveal specific types of errors by comparing actual occurrences to pre-established standards. Example: a department's review of long-distance telephone charges.

(3) Corrective Controls

Procedures established to remedy problems that are discovered through detective controls; they fix the problem. Example: manual procedures to correct a batch that is not accepted.

Auditing Standards


Auditors are guided by GAAS (Generally Accepted Auditing Standards), which comprise three classes of standards: general qualification standards, field work standards and reporting standards. For specific guidance, auditors use the AICPA's SASs (Statements on Auditing Standards).

SAS No. 78


Describes the relationship between the firm's internal control structure, the auditor's assessment of risk, and the planning of audit procedures. How do these three interrelate? The weaker the internal control structure, the higher the assessed level of risk; the higher the risk, the more audit procedures are applied in the audit. AIS is particularly concerned with the internal control structure.

Five Internal Control Components: SAS No. 78 / COSO

1. Control environment
2. Risk assessment
3. Information and communication
4. Monitoring
5. Control activities

Components and Major Considerations of the IC Structure
[Figure: the internal control structure consists of five components: control environment, risk assessment, information and communication, control activities, and monitoring. Control activities are split into activities related to financial reporting and activities related to information processing; the latter are subdivided into general controls and application controls.]

(1) The Control Environment


The organization's environment with respect to controls. It sets the tone of an organization, influencing the control consciousness of its people, and is the foundation for all other components of internal control, providing discipline and structure. Leaders of each department, area or activity establish a local control environment.

The Control Environment (Cont)


Elements of the control environment: the organization structure; the participation of the organization's board of directors and the audit committee, if one exists; management's philosophy and operating style; the procedures for delegating responsibility and authority; the organization's policies and practices for managing its human resources; the integrity and ethical values of management; management's methods for assessing performance; external influences, e.g. examinations by regulatory agencies; and the commitment to competence.

Organization Structure
The structure of an organisation is "the sum total of the ways in which it divides its labour into distinct tasks and then achieves co-ordination among them" (Mintzberg, 1989). Questions to ask: Is an up-to-date organization chart prepared, showing the names of key personnel? Is the information systems function separated from incompatible functions? How is the accounting department organized? Is the internal audit function separate and distinct from accounting? Do subordinate managers report to more than one supervisor?

Audit Committees
The committee responsible for overseeing a corporation's internal control structure, financial reporting process, and compliance with related laws and regulations. It comprises outside members of the board of directors and is responsible for dealing with the external and internal auditors.

Audit Committees (Cont)


Key functions performed by audit committees:
Establish an internal audit department
Review the scope and status of audits
Review audit findings with the board and ensure that management has taken the proper action recommended in the audit report and letter of reportable conditions
Maintain a direct line of communication among the board, management, and the external and internal auditors, and periodically arrange meetings among the parties

Audit Committees (Cont)


Key functions performed by audit committees (continued):
Review the audited financial statements with the internal auditors and the board of directors
Require periodic quality reviews of the operations of the internal audit department to identify areas needing improvement
Supervise special investigations, such as fraud investigations
Assess the performance of financial management
Require the review of compliance with laws and regulations and with corporate codes of conduct

Management Philosophy and Operating Style


Does management emphasize short-term profits and operating goals over long-term goals? Is management dominated by one or a few individuals? What type of business risks does management take and how are these risks managed? Is management conservative or aggressive toward selecting from available alternative accounting principles?

Assignment of Authority and Responsibility


Does the company prepare written employee job descriptions defining specific duties and reporting relationships? Is written approval required for changes made to information systems? Does the company clearly delineate for employees and managers the boundaries of authority-responsibility relationships? Does the company properly delegate authority to employees and departments?

Human Resource Policies and Practices


Are new personnel indoctrinated with respect to Internal Controls, Ethics Policies, and Corporate Code of Conduct? Are Grievance Procedures to manage conflict in force? Does the company maintain a sound Employee Relations program? Do employees work in a safe, healthy environment? Are counseling programs available to employees? Are proper separation programs in force for employees who leave the firm? Are critical employees bonded?

(2) Risk Assessment


The entity's identification and analysis of the relevant risks to the achievement of its objectives, forming a basis for determining how the risks should be managed. Top management must be directly involved in business risk assessment.

Risk Assessment (Cont)


Identify, analyze, and manage risks relevant to financial reporting. Examples of risk sources: changes in the external environment; risky foreign markets; significant and rapid growth that strains internal controls; new product lines; restructuring and downsizing; changes in accounting policies.

(3) Information and Communication


The identification, capture, and exchange of information in a form and time frame that enables people to carry out their responsibilities. The AIS should produce high-quality information which: identifies and records all valid transactions; provides timely information in appropriate detail to permit proper classification and financial reporting; accurately measures the financial value of transactions; and accurately records transactions in the time period in which they occurred.

Information and Communication (Cont)


Auditors must obtain sufficient knowledge of the IS to understand (the bracketed tags show the relationship to the AIS model): the classes of transactions that are material; how these transactions are initiated [Input]; the associated accounting records and accounts used in processing [Input]; the transaction processing steps involved from the initiation of a transaction to its inclusion in the financial statements [Process]; and the financial reporting process used to compile financial statements, disclosures, and estimates [Output].

Information & Communication (Cont)


Control objectives for information and communication:
All transactions entered for processing are valid and authorized
All valid transactions are captured and entered for processing on a timely basis and in sufficient detail to permit the proper classification of transactions
The input data of all entered transactions are accurate and complete, with the transactions being expressed in proper monetary terms
All entered transactions are processed properly to update all affected records of master files and/or other types of data sets
All required outputs are prepared according to appropriate rules to provide accurate and reliable information
All transactions are recorded in the proper accounting period

(4) Monitoring
A process that assesses the quality of internal control performance over time. Separate procedures: tests of controls by internal auditors. Ongoing monitoring: computer modules integrated into routine operations, and management reports which highlight trends and exceptions from normal performance.

(5) Control Activities


Policies and procedures that help ensure that the appropriate actions are taken in response to identified risks. Control activities as related to financial reporting may be classified according to their intended uses in a system: preventive controls block adverse events, such as errors or losses, from occurring; detective controls discover the occurrence of adverse events such as operational inefficiency; corrective controls are designed to remedy problems discovered through detective controls; security measures are intended to provide adequate safeguards over access to and use of assets and data records.

Categories of Control Activities


1) Computer Controls
(a) General Controls
(b) Application Controls
2) Physical Controls
(a) Transaction Authorization
(b) Segregation of Duties
(c) Supervision
(d) Accounting Records
(e) Access Controls
(f) Independent Verification

(2) Physical Controls


Relate primarily to the human activities employed in accounting systems (manual or computer-based), e.g. physical custody of assets. They do not relate to the computer logic that actually performs these accounting tasks. Six categories:

(a) Transaction Authorization
(b) Segregation of Duties
(c) Supervision
(d) Accounting Records
(e) Access Controls
(f) Independent Verification

(a) Transaction Authorization


A procedure to ensure that employees process only valid transactions within the scope of their authority: the empowerment of an employee to perform certain functions within an organization, e.g. to purchase or sell on behalf of the company. Purpose: to ensure that all material transactions processed by the information system are valid and in accordance with management's objectives. Authorization needs to include a thorough review of supporting information to verify the processing and validity of the transaction.

Transaction Authorization (Cont)


Authorization may be general or specific. General authority is granted to operations personnel to perform day-to-day operations without specific approval, e.g. authorizing the purchase of inventory from a designated vendor only when inventory levels fall to their predetermined reorder points. Specific authority deals with case-by-case decisions associated with nonroutine transactions and requires an employee to get special approval before handling a transaction, e.g. the decision to extend a particular customer's credit limit beyond the normal amount; it is usually a management responsibility.

(b) Segregation of Duties


The separation of assigned duties and responsibilities so that no single employee can both perpetrate and conceal errors or irregularities. Authorization for a transaction is separate from the processing of the transaction, and responsibility for the custody of assets should be separate from the recordkeeping responsibility. The organization should be structured so that a successful fraud requires collusion between two or more individuals with incompatible responsibilities.

(b) Segregation of Duties (Cont)


Three separate functions:
(a) Authorization: approving transactions and decisions.
(b) Recording: preparing source documents; entering data into online systems; maintaining journals, ledgers, files or databases; preparing reconciliations; and preparing performance reports.
(c) Custody: handling cash, tools, inventory, or fixed assets; receiving incoming customer checks; writing checks on the organization's bank account.

(c) Supervision


A control activity involving the critical oversight of employees, often called a compensating control. In small organizations or in functional areas that lack sufficient personnel, management must compensate for the absence of segregation controls with close supervision.

(d) Accounting Records


A document, journal, or ledger used in transaction cycles. These records capture the economic essence of transactions and provide an audit trail of economic events. The audit trail enables the auditor to trace any transaction through all phases of its processing, from the initiation of the event to the financial statements.

(e) Access Controls


Controls that ensure that only authorized personnel have access to the firm's assets. Access can be direct or indirect. Direct: physical security devices, e.g. locks, safes, fences, electronic and infrared alarm systems. Indirect: access to the records and documents that control the use, ownership, and disposition of the asset; e.g. an individual with access to all the relevant accounting records can destroy the audit trail that describes a particular sales transaction.

(f) Independent Verification (I.V)


Verification procedures: independent checks of the accounting system to identify errors and misrepresentations. Examples: reconciling batch totals at points during transaction processing, comparing physical assets with accounting records. Independent verification differs from supervision because it takes place after the fact, by an individual who is not directly involved with the transaction or task being verified. Through I.V procedures, management can assess: (a) the performance of individuals, (b) the integrity of the transaction processing system, and (c) the correctness of data contained in accounting records.

(1) Computer Controls


Relate specifically to the IT environment and IT auditing. Two categories: (a) general controls and (b) application controls.

A. General Controls
Pertain to all activities involving a firm's AIS and resources (assets), and to entity-wide concerns such as controls over the data center, organization databases, systems development, and program maintenance. Their purpose is to ensure that the overall computer system is stable and well managed. Categories: (a) segregation of duties within the systems function; (b) physical access controls; (c) logical access controls; (d) data storage controls; (e) data transmission controls; (f) Internet and e-commerce controls.

(i) Segregation of Duties Within the Systems Function
Implementing control procedures to clearly divide authority and responsibility within the information system function, to prevent employees from perpetrating and concealing fraud. In a highly integrated AIS, procedures that used to be performed by separate individuals are combined, so any person who has unrestricted access to the computer, its programs, and live data could have the opportunity to both perpetrate and conceal fraud.

(i) Segregation of Duties Within the Systems Function (Cont)
Authority and responsibility must be clearly divided among the following functions:
1. Systems administration
2. Network management
3. Security management
4. Change management
5. Users
6. Systems analysis
7. Programming
8. Computer operations
9. Information system library
10. Data control

(ii) Physical Access Controls


The ability to physically use computer equipment. How can physical access security be achieved?
Place computer equipment in locked rooms and restrict access to authorized personnel
Have only one or two entrances to the computer room
Require proper employee ID
Require that visitors sign a log
Use a security alarm system
Restrict access to private secured telephone lines and terminals or PCs
Install locks on PCs
Restrict access to off-line programs, data and equipment
Locate hardware and other critical system components away from hazardous materials
Install fire and smoke detectors and fire extinguishers that do not damage computer equipment

(iii) Logical Access Controls


The ability to use computer equipment to access company data. Users should be allowed access only to the data they are authorized to use, and then only to perform specific authorized functions. What are some logical access controls? Passwords; physical possession identification; biometric identification; compatibility tests.

Protection of PCs and Client/Server Networks
Many of the policies and procedures for mainframe control are applicable to PCs and networks. The following controls are also important: train users in PC-related control concepts; restrict access by using locks and keys on PCs; establish policies and procedures.

Protection of PCs and Client/Server Networks (Cont)
Portable PCs should not be stored in cars
Keep sensitive data in the most secure environment possible
Install software that automatically shuts down a terminal after it has been idle for a certain amount of time
Back up hard disks regularly
Encrypt or password-protect files
Build protective walls around operating systems
Ensure that PCs are booted up within a secure system
Use multilevel password controls to limit employee access to incompatible data
Use specialists to detect holes in the network

(iv) Data Storage Controls


Computer storage is the holding of data in electromagnetic form for access by a computer processor. Primary storage is data in random access memory (RAM) and other "built-in" devices; secondary storage is data on hard disks, tapes, and other external devices. Random access memory: the place in a computer where the operating system, application programs, and data in current use are kept so that they can be quickly reached by the computer's processor. It is the memory that can be overwritten with new information repeatedly, and it is erased when the computer is turned off.

(v) Data Transmission Controls


Methods of monitoring the network to detect weak points, maintaining backup documents, and ensuring that the system can still communicate if one of the communications paths fails. They are designed to minimize the risk of data transmission errors; to reduce the risk of data transmission failures, companies should monitor the network.

Data Transmission Controls (Cont)


Data transmission controls take on added importance in organizations that utilize electronic data interchange (EDI) or electronic funds transfer (EFT). How can data transmission errors be minimized? Data encryption (cryptography); routing verification procedures; adding parity; message acknowledgment techniques.

(vi) Internet and e-Commerce Controls
E-commerce: the electronic execution of business transactions such as buying and selling. Why caution should be exercised when conducting business on the Internet:

The large and global base of people that depend on the Internet
The variability in quality, compatibility, completeness, and stability of network products and services
Access to messages by others
Security flaws in Web sites
The attraction of hackers to the Internet
What controls can be used to secure Internet activity?

Passwords; encryption technology; routing verification procedures.

Internet and e-Commerce Controls (Cont)


Another control is installing a firewall: hardware and software that control communications between a company's internal network (the trusted network) and an external network. The firewall is a barrier between the networks that prevents information from flowing into or out of the trusted network except as permitted by its rules. Electronic envelopes can protect e-mail messages.

B. Application Controls
Pertain directly to transaction processing systems and ensure the integrity of specific systems (e.g. sales order processing, accounts payable, and payroll applications). Objective: to ensure that all transactions are legitimately authorized and accurately recorded, classified, processed, and reported. Application controls are subdivided into (1) input, (2) processing, and (3) output controls.

(i) Input Controls


Controls that ensure only accurate, valid, and authorized data are entered into the system. Input controls may be subdivided into:

(a) Data observation and recording
(b) Data transcription (batching and converting)
(c) Edit tests of transaction data
(d) Transmission of transaction data

(a) Controls for Data Observation and Recording


The use of pre-numbered documents; keeping blank forms under lock and key. Online computer systems offer the following features: menu screens; preformatted screens; scanners that read bar codes or other preprinted documents to reduce input errors; feedback mechanisms such as a confirmation slip to approve a transaction; echo routines.

(b) Data Transcription


Data transcription refers to the preparation of data for computerized processing and includes: carefully structured source documents and input screens; batch control totals that help prevent the loss of transactions and the erroneous posting of transaction data; and the use of batch control logs in the batch control section. An amount control total totals the values in an amount or quantity field; a hash total totals the values in an identification field; a record count totals the number of source documents (transactions) in a batch.

Data Transcription (Cont): Conversion of Transaction Data


Key verification, which consists of re-keying data and comparing the results of the two keying operations. Visual verification, which consists of comparing data from the original source documents against the converted data.

Examples of Batch Control Totals


Financial control total: totals up dollar amounts (e.g., total of sales invoices)
Non-financial control total: computes non-dollar sums (e.g., number of hours worked by employees)
Record count: totals the number of source documents, once when batching transactions and then again when performing the data processing
Hash total: a sum that is meaningless except for internal control purposes (e.g., sum of customer account numbers)
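The following Python is an added example, not code from the slides, showing how the four batch control totals above are logged at batching time and reconciled after processing. The sample invoices, account numbers and amounts are constructed; the two scenarios show that a lost record disturbs every total, while a transposed account number is caught only by the hash total.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List


@dataclass(frozen=True)
class Invoice:
    """One sales invoice in a batch (constructed sample record layout)."""
    invoice_no: int        # pre-numbered source document
    customer_acct: int     # identification field: only used for the hash total
    amount: Decimal        # financial field
    quantity: int          # non-financial field


def batch_control_totals(batch: List[Invoice]) -> Dict[str, object]:
    """Compute the four control totals described in the text for one batch."""
    return {
        "record_count": len(batch),
        "financial_total": sum((inv.amount for inv in batch), Decimal("0")),
        "nonfinancial_total": sum(inv.quantity for inv in batch),
        # Hash total: arithmetically meaningless sum of an identification field.
        "hash_total": sum(inv.customer_acct for inv in batch),
    }


def reconcile_batch(control_log: Dict[str, object],
                    processed: List[Invoice]) -> List[str]:
    """Recompute the totals after processing and report every mismatch."""
    actual = batch_control_totals(processed)
    return [f"{name}: logged {control_log[name]}, recomputed {actual[name]}"
            for name in control_log if control_log[name] != actual[name]]


# Constructed sample batch, as it would be written to the batch control log.
SAMPLE_BATCH = [
    Invoice(1001, 40213, Decimal("250.00"), 5),
    Invoice(1002, 40231, Decimal("120.50"), 2),
    Invoice(1003, 40875, Decimal("980.00"), 10),
    Invoice(1004, 41002, Decimal("45.25"), 1),
]


def demo_lost_record() -> List[str]:
    """Scenario 1: the last invoice is dropped during processing."""
    log = batch_control_totals(SAMPLE_BATCH)
    return reconcile_batch(log, SAMPLE_BATCH[:-1])


def demo_transposed_account() -> List[str]:
    """Scenario 2: account 40213 is keyed as 42013; amounts and counts still agree."""
    log = batch_control_totals(SAMPLE_BATCH)
    keyed = list(SAMPLE_BATCH)
    keyed[0] = Invoice(1001, 42013, Decimal("250.00"), 5)
    return reconcile_batch(log, keyed)


if __name__ == "__main__":
    print("lost record:", demo_lost_record())
    print("transposed account:", demo_transposed_account())
```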

(c) Edit Tests of Transaction Data


Definition and purpose of edit tests: edit tests (programmed checks) are validation routines built into application software. Their purpose is to examine selected fields of input data and to reject those transactions whose data fields do not meet the pre-established standards of data quality.

Examples of Edit Tests (Programmed Checks)


Validity check (e.g., M = male, F = female)
Limit check (e.g., hours worked do not exceed 40 hours)
Reasonableness check (e.g., an increase in salary is reasonable compared to the base salary)
Field check (e.g., numbers do not appear in fields reserved for words)
Sequence check (e.g., successive input data are in some prescribed order)
Range check (e.g., particular fields fall within specified ranges; pay rates for hourly employees in a firm should fall between $8 and $20)
Relationship check (logically related data elements are compatible; e.g., an employee rated as hourly gets paid at a rate within the range of $8 to $20)
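As an added example (not from the slides), the Python below runs all seven edit tests over a constructed payroll batch and rejects each transaction with its reasons. The 40-hour limit, the M/F codes and the $8 to $20 hourly range come from the slide; the 10% maximum raise used for the reasonableness check and the record layout are assumptions.

```python
from typing import Dict, List, Tuple

Record = Dict[str, object]

MAX_HOURS = 40                       # limit check, from the slide
HOURLY_RATE_RANGE = (8.00, 20.00)    # range / relationship check, from the slide
MAX_RAISE_FRACTION = 0.10            # reasonableness threshold (assumed)


def edit_tests(rec: Record) -> List[str]:
    """Apply the per-record programmed checks; return the reasons for rejection."""
    reasons: List[str] = []
    # Validity check: the code must be one of the permitted values.
    if rec["sex"] not in ("M", "F"):
        reasons.append(f"validity: sex code {rec['sex']!r} not in (M, F)")
    # Limit check: hours worked may not exceed the weekly limit.
    if rec["hours"] > MAX_HOURS:
        reasons.append(f"limit: hours {rec['hours']} exceed {MAX_HOURS}")
    # Reasonableness check: a raise is judged against the base salary.
    base, new = rec["base_salary"], rec["new_salary"]
    if base and new > base * (1 + MAX_RAISE_FRACTION):
        reasons.append(f"reasonableness: new salary {new} vs base {base}")
    # Field check: a field reserved for words may not contain digits.
    if any(ch.isdigit() for ch in rec["name"]):
        reasons.append(f"field: name {rec['name']!r} contains digits")
    # Range check: a non-zero pay rate must fall within the permitted range.
    lo, hi = HOURLY_RATE_RANGE
    if rec["rate"] and not lo <= rec["rate"] <= hi:
        reasons.append(f"range: rate {rec['rate']} outside {lo}-{hi}")
    # Relationship check: pay type and the pay fields must be consistent.
    if rec["pay_type"] == "H" and not lo <= rec["rate"] <= hi:
        reasons.append("relationship: hourly employee without an in-range rate")
    if rec["pay_type"] == "S" and not base:
        reasons.append("relationship: salaried employee without a base salary")
    return reasons


def validate_batch(batch: List[Record]) -> Tuple[List[Record], List[Tuple[int, List[str]]]]:
    """Run the edit tests plus the batch-level sequence check; split accepted/rejected."""
    accepted: List[Record] = []
    rejected: List[Tuple[int, List[str]]] = []
    last_id = 0
    for rec in batch:
        reasons = edit_tests(rec)
        # Sequence check: records must arrive in ascending employee-number order.
        if rec["emp_id"] <= last_id:
            reasons.append(f"sequence: emp_id {rec['emp_id']} not after {last_id}")
        last_id = max(last_id, rec["emp_id"])
        if reasons:
            rejected.append((rec["emp_id"], reasons))
        else:
            accepted.append(rec)
    return accepted, rejected


# Constructed payroll transactions: one clean record and three with defects.
PAYROLL_BATCH: List[Record] = [
    {"emp_id": 101, "name": "Aisha Rahman", "sex": "F", "pay_type": "H",
     "hours": 38, "rate": 12.50, "base_salary": 0.0, "new_salary": 0.0},
    {"emp_id": 102, "name": "B3n Lee", "sex": "M", "pay_type": "H",
     "hours": 44, "rate": 25.00, "base_salary": 0.0, "new_salary": 0.0},
    {"emp_id": 105, "name": "Chen Wei", "sex": "X", "pay_type": "S",
     "hours": 40, "rate": 0.0, "base_salary": 3000.0, "new_salary": 3900.0},
    {"emp_id": 104, "name": "Dana Ortiz", "sex": "F", "pay_type": "S",
     "hours": 40, "rate": 0.0, "base_salary": 3200.0, "new_salary": 3300.0},
]


if __name__ == "__main__":
    ok, bad = validate_batch(PAYROLL_BATCH)
    print("accepted:", [r["emp_id"] for r in ok])
    for emp_id, why in bad:
        print("rejected", emp_id, "->", why)
```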

(d) Transmission of Transaction Data


When data must be transmitted from the point of origin to the processing center and data communications facilities are used, the following checks should also be considered: echo check, transmitting data back to the originating terminal for comparison with the transmitted data; redundancy data check, transmitting additional data to aid in the verification process; completeness check, verifying that all required data have been entered and transmitted.
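The Python below is an added example, not from the slides, that models the three transmission checks above together with the parity control mentioned under data transmission controls: the sender frames each character with an even parity bit and attaches a redundancy value, the receiver runs the parity, completeness and redundancy checks, and the sender compares the echoed record with what it sent. The message layout, the redundancy value (customer account plus amount in cents) and the corruption helpers are assumptions for the demonstration.

```python
import json
from decimal import Decimal
from typing import Any, Callable, Dict, List, Optional, Tuple

# Fields every transmitted transaction must carry (assumed for this example).
REQUIRED_FIELDS = ("invoice_no", "customer_acct", "amount")


def redundancy_value(rec: Dict[str, Any]) -> int:
    """Extra data sent with the record: customer account plus amount in cents."""
    return int(rec.get("customer_acct", 0)) + int(Decimal(str(rec.get("amount", "0"))) * 100)


def frame_with_parity(text: str) -> List[int]:
    """Encode 7-bit ASCII; bit 7 of each frame makes the ones-count even."""
    return [b | ((bin(b).count("1") & 1) << 7) for b in text.encode("ascii")]


def unframe(frames: List[int]) -> Tuple[str, List[str]]:
    """Drop the parity bits, reporting every frame whose ones-count is odd."""
    errors, payload = [], bytearray()
    for i, f in enumerate(frames):
        if bin(f).count("1") & 1:
            errors.append(f"parity error in frame {i}")
        payload.append(f & 0x7F)
    return payload.decode("ascii"), errors


def send(rec: Dict[str, Any]) -> List[int]:
    """Sender: attach the redundancy value and frame the message."""
    message = {"rec": rec, "check": redundancy_value(rec)}
    return frame_with_parity(json.dumps(message, sort_keys=True))


def receive(frames: List[int]) -> Tuple[Optional[Dict[str, Any]], List[str]]:
    """Receiver: parity, completeness and redundancy checks; returns the record to echo."""
    text, errors = unframe(frames)
    if errors:
        return None, errors
    message = json.loads(text)
    rec = message["rec"]
    missing = [f for f in REQUIRED_FIELDS if f not in rec]
    if missing:
        return None, [f"completeness: missing fields {missing}"]
    if redundancy_value(rec) != message["check"]:
        return None, ["redundancy: check value does not match the record"]
    return rec, []


def transmit_and_verify(rec: Dict[str, Any],
                        corrupt: Optional[Callable[[List[int]], List[int]]] = None
                        ) -> Tuple[bool, List[str]]:
    """Full exchange; `corrupt` simulates a line fault between sender and receiver."""
    frames = send(rec)
    if corrupt is not None:
        frames = corrupt(frames)
    echoed, errors = receive(frames)
    if errors:
        return False, errors
    # Echo check: the receiver returns the record and the sender compares it.
    return echoed == rec, []


def flip_one_bit(frames: List[int], index: int, bit: int) -> List[int]:
    """Single-bit line error: always caught by even parity."""
    out = list(frames)
    out[index] ^= 1 << bit
    return out


def flip_two_bits_in_amount(frames: List[int]) -> List[int]:
    """Two-bit error turning the leading '1' of the amount into '2' (0x31 -> 0x32).
    The ones-count stays odd-or-even as before, so parity passes and only the
    redundancy value exposes the change. Assumes the amount is sent as a string."""
    text, _ = unframe(frames)
    pos = text.index('"amount": "') + len('"amount": "')
    out = list(frames)
    out[pos] ^= 0x03
    return out


# Constructed sample transaction.
SAMPLE_RECORD = {"invoice_no": 1001, "customer_acct": 40213, "amount": "125.00"}

if __name__ == "__main__":
    print(transmit_and_verify(SAMPLE_RECORD))
    print(transmit_and_verify(SAMPLE_RECORD, lambda f: flip_one_bit(f, 5, 2)))
    print(transmit_and_verify(SAMPLE_RECORD, flip_two_bits_in_amount))
    print(transmit_and_verify({"invoice_no": 1002, "customer_acct": 40231}))
```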

(ii) Processing Controls


Controls that ensure that all transactions are processed accurately and completely and that all files and records are properly updated. Categories of processing controls include:
(a) Manual cross-checks: include checking the work of another employee, reconciliations and acknowledgments
(b) Processing logic checks: many of the programmed edit checks used in the input stage, such as sequence checks and reasonableness checks (e.g., on payroll records), may also be employed during processing

Processing Controls (Cont)


(c) Run-to-run totals: batched data should be controlled during processing runs so that no records are omitted or incorrectly inserted into a transaction file
(d) File and program changes: to ensure that transactions are posted to the proper account, master files should be checked for correctness, and programs should be validated
(e) Audit trail linkages: a clear audit trail is needed to enable individual transactions to be traced, to provide support for general ledger balances, to prepare financial reports and to correct transaction errors or lost data

(iii) Output Controls


Controls that regulate system output. Outputs should be complete and reliable and should be distributed to the proper recipients. Two major types of output controls are: (a) validating processing results: activity (or proof account) listings document processing activity and reflect changes made to master files; because of the high volume of transactions, large companies may elect to review exception reports that highlight material changes in master files.

(iii) Output Controls (Cont)


(b) regulating the distribution and use of printed output: reports should only be distributed to appropriate users by reference to an authorized distribution list; sensitive reports should be shredded after use instead of being discarded.

Learning Objective 5.5

Computer Based Information System (CBIS)

Effects of CBIS on Traditional Control Activities
The purpose of this section is to reconcile traditional control concerns with the CBIS environment. SAS 78 control activities:

(1) transaction authorization (2) segregation of duties (3) supervision (4) access control (5) accounting records (6) independent verification

(1) Transaction Authorization


Ensure that an organization's employees process only valid transactions within the scope of prescribed authority. In a CBIS, transactions are often authorized by rules embedded within computer programs.

(2) Segregation of Duties


Duties that must be separated in a manual system may be combined in a computerized setting: a single computer program may perform many tasks that are deemed incompatible. The computer-based functions of programming, processing, and maintenance must therefore be separated. In a computerized system, segregation should exist between program coding/programming, program processing, and program maintenance.

(3) Supervision
More supervision is typically necessary in a CBIS because: highly skilled employees generally have a higher turnover rate; highly skilled employees are often in positions of authority; physical observation of employees working with the system is often difficult or impractical.

(4) Access Controls


Tight control is necessary over access to programs and files. Fraud is easier to commit since records are located in one data repository, and data consolidation exposes the organization to computer fraud and to excessive losses from disaster.

(5) Accounting Records


Source documents and ledgers may be stored magnetically with no paper trail, and expertise is required to understand the links between them. Because ledger accounts and sometimes source documents are kept magnetically, no audit trail is readily apparent.

(6) Independent Verification


There is a need to review the internal logic of programs and to compare accounting records with physical assets. Management must assess: the performance of individuals; the integrity of the transaction processing system; the correctness of data contained in accounting records. When tasks are performed by the computer rather than manually, an independent check of each task is no longer necessary; instead, the programs themselves are checked.

Independent Verification (Cont)


Examples:
1) Reconciliation of batch totals at periodic points during transaction processing
2) Comparison of physical assets with accounting records
3) Reconciliation of subsidiary accounts with control accounts
4) Reviews by management of reports that summarize business activity
5) Periodic audits by independent internal and external auditors

Internal Control Limitations


Staff size; human error, misunderstandings, fatigue, stress; no out-of-pocket costs. Designing and establishing effective internal control is not always a simple task and cannot always be accomplished through a short set of quick fixes. There is no such thing as a perfect control system.

End of Chapter 5
