Summaries & Keywords based on the 14th edition of the Accounting Information Systems book, by Marshall B. Romney & Paul John Steinbart.
Initially meant for the Auditing and Process Management (2) class & exam of Saxion Enschede 2017 – 2018
Exercises available on: wps.pearsoned.com/bp_romney_ais_13/
Auditing & Process Management 2
Summaries of chapters (1, 2, 3), 5, 6, 7, 8, 9, 10, 11
Kathleen Gaillot
Table of Contents
Week 0: Previous Period Reviews ............................................................................................................................. 1
Chapter 1: Accounting Information System: An Overview .................................................................................. 1
Chapter 2: Overview of Transaction Processing and Enterprise Resource Planning systems ............................... 2
Enterprise Resource Planning (ERP) System ...................................................................................................... 2
Chapter 3: Systems Documentation Techniques................................................................................................... 2
Week 1: FRAUD - Chapter 5 & 6 ................................................................................................................................ 3
Chapter 5: Fraud .................................................................................................................................................... 3
Computer Fraud................................................................................................................................................. 5
Preventing and Detecting Fraud and Abuse ...................................................................................................... 5
Chapter 6: Computer fraud and abuse technique (MC) ........................................................................................ 6
Hacking .............................................................................................................................................................. 6
Social Engineering Techniques: ......................................................................................................................... 6
Types of Malware .............................................................................................................................................. 7
Week 2 & 3: COSO CUBE WHOLE & INTERNAL ENVIRONMENT- Chapter 7 .............................................................. 8
Control Concepts ............................................................................................................................................... 8
Control Framework .......................................................................................................................................... 10
The Internal Environment ................................................................................................................................ 12
COSO ERM Model (Enterprise Risk Management) .......................................................................................... 14
Chapter 8: Control and Audit of Accounting Information Systems ..................................................................... 17
Understanding Targeted Attacks ..................................................................................................................... 18
Protecting Information Resources ................................................................................................................... 18
Security implications of virtualization, cloud computing, and the internet of things ..................................... 20
Week 4: RELIABILITY - CONFIDENTIALITY AND PRIVACY – Chapters 9 & 10 ........................................................... 21
Chapter 9: Confidentiality and Privacy Controls.................................................................................................. 21
Privacy.............................................................................................................................................................. 21
Privacy Principles ............................................................................................................................................. 21
Encryption ........................................................................................................................................................ 22
Digital Certificates and Public Key Infrastructure ............................................................................................ 23
Chapter 10: Processing Integrity and Availability Controls ................................................................................. 23
Processing Integrity ......................................................................................................................................... 23
Availability ....................................................................................................................................................... 25
Week 5: AUDIT WITH AND AUDIT FROM IS – Chapter 11 ....................................................................................... 26
The Nature of Auditing: The Four Steps .......................................................................................................... 26
Risk-Based Audit Approach.............................................................................................................................. 27
Information System Audits .............................................................................................................................. 27
Week 6: IT IMPLEMENTATION – Chapter x ............................................................................................................. 33
Week 7: Exam/Case Notes....................................................................................................................................... 34
Week 0: Previous Period Reviews
Chapter 1: Accounting Information System: An Overview
Characteristics of useful information:
- Relevant: reduces uncertainty, improves decision making, or confirms or corrects prior expectations
- Reliable: free from error or bias, accurately represents organization events or activities
- Complete: does not omit important aspects of the events or activities it measures
- Timely: provided in time for decision makers to make decisions
- Understandable: presented in a useful and intelligible format
- Verifiable: two independent, knowledgeable people produce the same information
- Accessible: available to users when they need it and in a format they can use
The AIS and its subsystems:
- Financial cycle: give cash, get cash
- Human resource/payroll cycle: give cash, get labor
- Expenditure cycle: give cash, get goods/raw materials
- Production cycle: give labor/raw materials, get finished products
- Revenue cycle: give goods, get cash
- General ledger & reporting system: info for both internal and external user
The six components of an AIS:
1. The people who use the system
2. The procedures and instructions used to collect, process, and store data
3. The data about the organization and its business activities
4. The software used to process the data
5. The information technology infrastructure, including the computers, peripheral devices, and network
communications devices used in the AIS
6. The internal controls and security measures that safeguard AIS data
AIS adds value through:
- Improving the quality and reducing the costs of products or services
- Improving efficiency
- Sharing knowledge
- Improving the efficiency and effectiveness of its supply chain
- Improving the internal control structure
- Improving decision making
Value chain: linking together of all the primary and support activities in a business. Value is added as a product passes
through the chain.
Primary activities: value chain activities that produce, market, and deliver products and services to customers and
provide post-delivery service and support
- Inbound logistics
- Operations
- Outbound logistics
- Marketing and sales
- Service
Support activities: allow the five primary activities to be performed efficiently & effectively.
- Firm infrastructure
- Human resource
- Technology
- Purchasing
Chapter 2: Overview of Transaction Processing and Enterprise Resource Planning systems
The data processing cycle: the four operations (data input, data storage, data processing and data output),
performed on data to generate meaningful and relevant information
1. Data input
2. Data storage
o Coding techniques
o Chart of accounts
o Journals
o Audit trail
o Computer-based storage concepts
3. Data processing: CRUD
o Creating
o Reading
o Updating
o Deleting
4. Data Output (such as report)
Enterprise Resource Planning (ERP) System
ERP is a system that integrates all aspects of an organization’s activities – such as accounting, finance, marketing,
human resources, manufacturing, and inventory management – into one system. An ERP system is modularized;
companies can purchase the individual modules that meet their specific needs. An ERP system facilitates information
flow among the company’s various business functions and manages communications with outside stakeholders.
Chapter 3: Systems Documentation Techniques
Documentation: narratives, flowcharts, diagrams, and other written materials that explain how a system works
Documentation tools are important on the following levels:
- At a minimum, you must be able to read documentation to determine how a system works
- You may need to evaluate documentation to identify internal control strengths and weaknesses and
recommend improvements as well as to determine if a proposed system meets the company’s needs
- More skill is needed to prepare documentation that shows how an existing or proposed system operates
1. Data Flow Diagram (DFD): a graphical description of data sources, data flows, transformation processes, data
storage, and data destinations. It contains:
a. Data sources and destinations
b. Data flows
c. Transformation processes
d. Data storage
e. Internal control
2. Flowchart: which is a graphical description of a system. There are several types of flowcharts, including:
a. Document flowchart: shows flow of documents and information between departments
b. System flowchart: which shows the relationship among the input/processing/output of an AIS
c. Program flowchart: shows the sequence of logical operations a CPU performs as it executes a program
3. Business process diagrams: which are graphical descriptions of the business processes used by a company
Week 1: FRAUD - Chapter 5 & 6
Chapter 5: Fraud
The 4 types of AIS threats (with examples)
Natural and political disasters:
- Fire or excessive heat
- Floods, earthquakes, landslides, hurricanes, tornadoes, blizzards, snowstorms, and freezing rain
- War and attacks by terrorists
Software errors and equipment malfunctions:
- Hardware or software failure
- Software errors or bugs
- Operating system crashes
- Power outages and fluctuations
- Undetected data transmission errors
Unintentional acts:
- Accidents caused by human carelessness, failure to follow established procedures, and poorly trained or
supervised personnel
- Innocent errors or omissions
- Lost, erroneous, destroyed or misplaced data
- Logic errors
- Systems that do not meet company needs or cannot handle intended tasks
Intentional acts (computer crimes):
- Sabotage
- Misrepresentation, false use, or unauthorized disclosure of data
- Misappropriation of assets
- Financial statement fraud
- Corruption
- Computer fraud (attacks, social engineering, malware, etc.)
Sabotage: an intentional act where the intent is to destroy a system or some of its components.
Cookie: a text file created by a website and stored on a visitor’s hard drive. Cookies store information about
who the user is and what the user has done on the site.
Fraud: any and all means a person uses to gain an unfair advantage over another person.
For an act to be fraudulent, there must be:
1. A false statement, representation, or disclosure
2. A material fact, which is something that induces a person to act
3. An intent to deceive
4. A justifiable reliance; that is, the person relies on the misrepresentation to take an action
5. An injury or loss suffered by the victim
ACFE – Association of Certified Fraud Examiners: conducts comprehensive fraud studies and releases its findings in a
Report to the Nation on Occupational Fraud and Abuse.
White-collar criminals: typically, businesspeople who commit fraud. White-collar criminals usually resort to
trickery or cunning, and their crimes usually involve a violation of trust or confidence.
Corruption: dishonest conduct by those in power which often involves actions that are illegitimate, immoral,
or incompatible with ethical standards. Examples include bribery and bid rigging.
Investment fraud: misrepresenting or leaving out facts in order to promote an investment that promises
fantastic profits with little or no risk. Examples include Ponzi schemes and securities fraud.
Misappropriation of assets: theft of company assets by employees.
Examples: embezzlement, someone being fired yet still having access to his company account
The most significant contributing factor in most misappropriations is the absence of internal controls and/or the
failure to enforce existing internal controls.
Fraudulent Financial Reporting: intentional or reckless conduct, whether by act or omission, that results in
materially misleading financial statements.
This might be used to deceive investors, increase the company’s stock price, meet cash flow needs or hide
company losses or problems: “cooking the books” (e.g., booking fictitious revenue, overstating assets, etc.).
The Treadway Commission recommends four actions to reduce fraudulent financial reporting:
1. Establish an organisational environment that contributes to the integrity of the financial reporting process.
2. Identify and understand the factors that lead to fraudulent financial reporting.
3. Assess the risk of fraudulent financial reporting within the company.
4. Design and implement internal controls to provide reasonable assurance of preventing fraudulent financial
reporting.
Auditors are required to:
- Understand fraud
- Discuss the risks of material fraudulent misstatements
- Obtain information
- Identify, assess, and respond to risks
- Evaluate the results of their audit tests
- Document and communicate findings
- Incorporate a technology focus
These three conditions must be present for fraud to occur (the FRAUD TRIANGLE):
(1) Pressure: a person’s incentive or motivation for committing fraud.
(2) Opportunity: the condition or situation that allows a person or organisation to commit and conceal a dishonest
act and convert it to personal gain.
Lapping: concealing the theft of cash by means of a series of delays in posting collections to accounts receivable.
Check kiting: creating cash using the lag between the time a check is deposited and the time it clears the bank.
(3) Rationalization: the excuse that fraud perpetrators use to justify their illegal behaviour.

[Figure: The Fraud Triangle (Pressure, Opportunity, Rationalization)]
• Pressure
▫ Employee: financial, lifestyle, emotional
▫ Financial statement: financial, management, industry conditions
• Opportunity to:
▫ Commit
▫ Conceal
▫ Convert to personal gain
• Rationalize
▫ Justify behavior
▫ Attitude that rules don’t apply
▫ Lack personal integrity

Pressure
- Leading to employee fraud: Financial (unreasonable quotas, tax avoidance, living beyond one’s means); Emotional
(greed, ego); Lifestyle (gambling, drugs)
- Leading to financial statement fraud: Management characteristics; Industry conditions; Financial
Opportunity
- Internal control factors (not monitoring internal controls, management not involved, too much trust…)
- Other factors (incompetent personnel, no code of conduct, low morale…)
- Opportunity to: (1) commit fraud, (2) conceal the fraud, (3) convert the theft/misrepresentation to personal gain
Rationalization
- Justification (“I took what they owed me”)
- Attitude (“The rules don’t apply to me”)
- Lack of personal integrity (“Getting what I want is more important than being honest”)
Computer Fraud
- Unauthorized theft, use, access, modification, copying, or destruction of software, hardware, or data
- Theft of asset covered up by altering computer records
- Obtaining information or tangible property illegally using computers
Computer Fraud: any type of fraud that requires computer technology to perpetrate. It is classified by the stage of
the data processing cycle it targets:
▫ Input: altering or falsifying computer input. It requires little skill: perpetrators need only understand how the
system operates so they can cover their tracks.
▫ Processor: unauthorized system use, including the theft of computer time and services.
▫ Computer instructions: tampering with company software, copying software illegally, using software in an
unauthorized manner, and developing software to carry out an unauthorized activity. Common online.
▫ Data: illegally using, copying, browsing, searching, or harming company data constitutes data fraud. The biggest
cause of data breaches is employee negligence.
▫ Output: unless properly safeguarded, displayed or printed output can be stolen, copied or misused, such as
scanning a company check, modifying it on a computer and printing it again.
Preventing and Detecting Fraud and Abuse
Ways to make fraud less likely to occur
Organizational:
• Create a culture of integrity
• Adopt a structure that minimizes fraud; create governance (e.g., Board of Directors)
• Assign authority for business objectives and hold them accountable
• Communicate policies
Systems:
• Develop security policies to guide and design specific control procedures
• Implement change management controls and project development acquisition controls

Make it difficult to commit
Organizational:
• Develop strong internal controls
• Segregate accounting functions
• Use properly designed forms
• Require independent checks and reconciliations of data
Systems:
• Restrict access
• System authentication
• Implement computer controls over input, processing, storage and output of data
• Use encryption
• Fix software bugs and update systems regularly
• Destroy hard drives when disposing of computers

Improve Detection
Organizational:
• Assess fraud risk
• External and internal audits
• Fraud hotline
Systems:
• Audit trail of transactions through the system
• Install fraud detection software
• Monitor system activities

Reduce Fraud Losses
Organizational:
• Insurance
• Business continuity and disaster recovery plan
Systems:
• Store backup copies of program and data files in a secure, off-site location
• Monitor system activity

Chapter 6: Computer fraud and abuse technique (MC)
Types of attacks
• Hacking: Unauthorized access, modification, or use of an electronic device or some element of a computer system
• Social Engineering: Techniques or tricks used on people to gain physical or logical access to confidential information
• Malware: Software used to do harm
Hacking
▫ Hijacking: gaining control of a computer to carry out illicit activities
▫ Botnet (robot network): a network of hijacked computers (zombies: a zombie is a hijacked computer). Related
terms: zombies, bot herders, denial-of-service (DoS) attack, spamming, spoofing (makes the communication look
as if someone else sent it so as to gain confidential information).
▫ Denial-of-service (DoS) attack: a computer attack in which the attacker sends so many e-mail bombs/web page
requests, often from randomly generated false addresses, that the internet service provider’s e-mail server or
the web server is overloaded and shuts down.
▫ Dictionary attack: using special software to guess company e-mail addresses and send them blank e-mail
messages. Unreturned messages are usually valid e-mail addresses that can be added to spammer e-mail lists.
▫ Zero-day attack: an attack between the time a new software vulnerability is discovered and ‘released into the
wild’ and the time a software developer releases a patch to fix the problem.

Forms of spoofing:
• E-mail spoofing
• Caller ID spoofing
• IP address spoofing
• Address Resolution Protocol (ARP) spoofing
• SMS spoofing
• Web-page spoofing (phishing)
• DNS spoofing

Other types of hacking:
• Man in the middle (MITM): the hacker is placed in between a client (user) and a host (server) to read, modify,
or steal data.
• Masquerading: gaining access to a system by pretending to be an authorized user (must know a legitimate ID)
• Piggybacking: tapping into a communication line and latching onto a legitimate user who unknowingly carries
the perpetrator into the system / using a neighbor’s wi-fi / physically following an authorized user into a building
• Password cracking: stealing files to gain access to restricted data
• War dialing and driving
• Phreaking: attacking phone systems to obtain free phone lines to transmit malware
• Data diddling
• Data leakage: unauthorized copying of data
• Podslurping: using a USB device to steal data

Hacking with computer code
• Cross-site scripting (XSS): uses a vulnerability of a Web application that allows the Web site to get injected
with malicious code. When a user visits the Web site, that malicious code is able to collect data from the user.
• Buffer overflow attack: a large amount of data is sent to overflow the input memory (buffer) of a program,
causing it to crash and be replaced with the attacker’s program instructions.
• SQL injection (insertion) attack: malicious code inserted in place of a query to get to the database information

Hacking used for embezzlement:
• Salami technique: taking small amounts at a time, e.g. round-down fraud (interest calculations)
• Economic espionage: theft of information, intellectual property and trade secrets
• Cyber-extortion: threats to a person or business online through e-mail or text messages unless money is paid

Hacking used for fraud:
• Internet misinformation
• E-mail threats
• Internet auction (defrauding..)
• Internet pump and dump (stock$)
• Click fraud
• Web cramming
• Software piracy
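The round-down variant of the salami technique, as an added example that is not part of the original notes: constructed interest postings in which fractions of a cent truncated from several accounts are credited to one collector account (A-0042, a made-up identifier). It shows why a batch-total control passes while record-level recomputation under the documented rounding policy flags the collector.

```python
"""Round-down (salami) fraud: batch totals miss it, record-level recomputation does not.

Constructed scenario: a monthly interest run on savings accounts. The documented policy
is to round each account's interest half-up to the cent. A manipulated program instead
truncates each account's interest and credits the shaved fractions to one collector
account (A-0042). All account numbers, balances and amounts below are made up.
"""
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")
MONTHLY_RATE = Decimal("0.002")  # constructed: 2.4% APR / 12

# (account, balance, interest actually posted by the manipulated run) -- constructed sample
POSTINGS = [
    ("A-0001", Decimal("1234.56"), Decimal("2.46")),   # exact 2.46912, truncated (policy: 2.47)
    ("A-0002", Decimal("9876.54"), Decimal("19.75")),  # exact 19.75308, truncation changes nothing
    ("A-0003", Decimal("555.55"),  Decimal("1.11")),   # exact 1.11110, truncation changes nothing
    ("A-0004", Decimal("2499.99"), Decimal("4.99")),   # exact 4.99998, truncated (policy: 5.00)
    ("A-0005", Decimal("7777.77"), Decimal("15.55")),  # exact 15.55554, truncated (policy: 15.56)
    ("A-0042", Decimal("100.00"),  Decimal("0.22")),   # exact 0.20000 plus 0.02 of shaved fractions
]


def expected_interest(balance, monthly_rate=MONTHLY_RATE):
    """Independent recomputation of one account's interest under the documented policy."""
    return (balance * monthly_rate).quantize(CENT, rounding=ROUND_HALF_UP)


def batch_total_check(postings, tolerance=CENT):
    """Batch-total control: compare the run's total with an independently computed total.

    Returns (passed, total_posted, total_expected). The shaved fractions stay inside the
    batch, so the totals differ only by rounding noise and the control passes.
    """
    total_posted = sum((posted for _, _, posted in postings), Decimal("0"))
    total_expected = sum((expected_interest(bal) for _, bal, _ in postings), Decimal("0"))
    return abs(total_posted - total_expected) <= tolerance, total_posted, total_expected


def per_account_check(postings):
    """Record-level control: every account whose posted interest differs from the recomputed value.

    Returns a list of (account, expected, posted, variance).
    """
    exceptions = []
    for acct, bal, posted in postings:
        exp = expected_interest(bal)
        if posted != exp:
            exceptions.append((acct, exp, posted, posted - exp))
    return exceptions


def likely_collectors(exceptions):
    """Salami signature: many accounts a fraction short, one account consistently over."""
    return [acct for acct, _, _, variance in exceptions if variance > 0]


if __name__ == "__main__":
    passed, posted, expected = batch_total_check(POSTINGS)
    print(f"batch total: posted {posted} vs expected {expected} -> {'PASS' if passed else 'FAIL'}")
    exceptions = per_account_check(POSTINGS)
    for acct, exp, got, var in exceptions:
        print(f"  {acct}: expected {exp}, posted {got}, variance {var:+}")
    print("suspected collector account(s):", likely_collectors(exceptions))
```

The control lesson is that an audit trail plus an independent recomputation of every record, not just a reconciliation of totals, is what exposes this kind of scheme.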
Social Engineering Techniques:
• Identity theft: assuming someone else’s identity
• Pretexting: using a scenario to trick victims into divulging information or to gain access
• Posing: creating a fake business to get sensitive information