Contents
Slide 1 - Accounting Information Systems and the Accountant - Chapter 1
Slide 2 - Information Technology and Accounting Information Systems - Chapter 2
Slide 3 - Data Modelling - Chapter 3
Slide 4 - Database Organizing, Manipulating and Forms and Reports - Chapter 4-5
Slide 5 - Documenting Accounting Information Systems - Chapter 6
Slide 6 - Accounting Information Systems and Business Processes - Chapter 7
Slide 9 - Introduction to Internal Control Systems - Chapter 9
Slide 10 - Computer Controls for Organizations and AISs - Chapter 10 Page 311
Slide 11 - Computer Crime, Fraud, Ethics and Privacy - Chapter 11A
Slide 11 - Computer Crime, Fraud, Ethics and Privacy - Chapter 11B
Slide 11 - Information Technology Auditing - Chapter 12
Slide 11 - Developing and Implementing Effective AISs - Chapter 13
Learning Objectives
Supports the use of business intelligence (e.g. dashboards and scorecards); and
Be familiar with
What is a System?
Consists of
Can be:
Manual
Decision-making
Collect and store data about organizational activities, resources and personnel
Transform data into information so management can plan, execute, control and evaluate
activities, resources and personnel
AIS Interactions
Information
*Information Systems
These processes are a set of structured activities that are performed by people, machines, or
both to achieve a specific goal.
Knowledge workers
Trends in IT
Information sources, systems and applications for all business systems accessible by
all business functions
Cloud Computing
Data storage
Application
Cost Accounting
Measure and Control Costs
Activity-based costing
Activity-Based Costing
Assigning of Overhead
AIS Enable
Customer knowledge
Risk Assessment
Electronic Commerce
Webtrust Services
Auditing
Traditional role
Present role
Management consulting
Traditional Accounting
Systems Consulting
Disaster Recovery
Key Terms
Audit trail
Balanced scorecard
Cloud computing
Cost accounting
Dashboards
Data
e-business
e-commerce
Forensic accounting
Information overload
IT Auditors
Interactive data
Knowledge workers
Penetration testing
Ponzi scheme
Predictive analytics
REA accounting
Sustainability reporting
System consultants
Value-added resellers
Operations / Production
Shipping / Receiving
HR
Be able to describe why IT is important to AIS and why accountants should know about this
technology
Understand why computer processor speeds are not particularly important to AIS
Be familiar with source documents and why they are important to AIS
Describe some common AIS uses for point-of-sale input, magnetic ink and optical character
recognition
Importance of IT to Accountants
*Input Devices
Source documents and data transcription
Human readable
*Input Devices
Optical Character Recognition (OCR)
Input Devices
To verify legitimate access to a system:
*Record Layout
Fields have a name and starting position along with format (if date fields)
-
In types too
A collection of fields is a record and collection of record is a file
Fields have a starting position and a length. There's also a certain type, such as logical.
Different lengths of records, different types of file lengths, multiple files.
Importance of Secondary Storage Devices
Primary memory (RAM) used in processing is volatile, contents lost if electrical power is lost
Secondary storage uses permanent media to maintain data accuracy and integrity but
allow rapid access and modification
CD-ROM
DVDs
Blu-Ray Disc
Flash Memory
Consists of microcomputers, printers, terminals and similar devices that are connected for
communications purposes.
Advantages:
Gather financial data from remote sites and distribute accounting information to and
from headquarters
Bank ATMs connected to WANs for the purpose of centralized account information
Advantages of this
-
Having file servers spread you have advantage of faster service (regional servers)
Cuts down on telecommunication costs as you're not constantly accessing the main system, and it
gets updated
You have a more powerful terminal than a mainframe computer in each region
Disadvantages
Passive - no power source, but can answer inquiries from energized sources
Active chips with antennas, own power source, broadcast range of 100 m or
more
Range of about 20 cm
Antivirus software
*Application Software
Key Terms
Antivirus software
Application software
Biometric scanner
Client/Server computing
Compiler
Computer record
Data transmission
Peripheral equipment
Primary memory
Secondary storage
Source document
Turnaround document
Utility programs
Virtual storage
Wireless communications
Customer
OCTranspo
Recommendations
Homework Assignment
pp. 70-71
Learning Objectives
After reading this chapter you will:
Be able to describe the concepts of data hierarchy, record structures, and keys
Be able to explain why design concerns such as processing accuracy, concurrency, and security
are important to multi-user databases
Be able to explain the difference between structured and unstructured data and give examples
of each.
Structured data (15% of information) standard formats e.g. relational databases with rows
and columns
*Big Data
Big Data is characterized by:
Volume
Variety
Velocity
Veracity
5 exabytes of data would contain all of the words ever spoken by human beings on earth
By 2020, 1.7MB of new information will be created for each and every human being on the
planet every second of every day.
Data transformation
Analysts / visualization
Unstructured Data
*Unstructured Data
Heterogeneous
Text
Document
Images
Video
Sensors / RFID
Mobile communications
Structured Data
Structured data
Data paths
Access to data
What is data?
Unicode
Name,Address,Phone#
Jones, June,876 Baseline Ave,555-1032
Smith, Ray,1281 Grey Street,555-8748
Stevens, Dave,103 North Street,555-8984
Martin, Jean,1241 10th Street W,555-0155
Phuong, Chu,3346 Fieldcrest Street,555-7778
Key points:
The fields don't take up the same amount of space on each record, and blank/empty fields are
marked by delimiters, e.g. ,,
The end of each record has an end-of-record marker (CRLF)
Common types of delimited files:
Some customers have had more purchase transactions than others, so their records are longer.
Multiple Record Type
Record 1: Customer No, Name
Record 2: Date, Amount, Date, Amount, Date, Amount
The first line of each pair of records contains the Customer Number and Name.
The second line contains their last three purchases (Date and Amount). Multiple record type files can
have hundreds of types of records.
Example pair from the figure:
127721 CAATS Limited
2013/09/01 $4,200.24 2013/04/12 $17.21 2013/11/14 $4,432.35
The other customers shown in the figure are 129078 and 128123 (University of Ottawa); their
dates (2013/01/21, 2013/04/12, 2013/08/29) and amounts ($1,100.23, $99.45, $4,432.35) were
extracted out of order and cannot be matched back to a customer.
Multiple Record type files
With many types of records, the first field is usually the record type. For example:
1 127721 CAATS Limited
2 1233 Grey Mountain Cres.
3 $10,000
4 2013/09/01 $4,200.24
4 2013/04/12 $17.21
4 2013/11/14 $4,432.35
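As an added example (not part of these course notes), the Python below parses the two file layouts described above: the comma-delimited customer file with CRLF record markers and empty fields, and the multiple-record-type file whose first field identifies the record type. The sample data is constructed from the values in the notes; treating record type 3 as a credit limit is an assumption, and the parser rejects unknown record types or detail records that arrive before a customer header, the kind of structural edit check an AIS would apply before loading the file.

```python
import csv
import io
from datetime import datetime
from decimal import Decimal

# Constructed sample: comma-delimited customer file with CRLF record markers.
# A name containing a comma is quoted, and the second record has an empty
# address field, marked by adjacent delimiters (",,").
DELIMITED_SAMPLE = (
    "Name,Address,Phone#\r\n"
    '"Jones, June",876 Baseline Ave,555-1032\r\n'
    '"Smith, Ray",,555-8748\r\n'
    '"Stevens, Dave",103 North Street,555-8984\r\n'
)

# Constructed sample of a multiple-record-type file: the first field is the
# record type (1 = customer header, 2 = address, 3 = credit limit [assumed],
# 4 = purchase detail), so records of different layouts share one file.
RECORD_TYPE_SAMPLE = (
    "1 127721 CAATS Limited\r\n"
    "2 1233 Grey Mountain Cres.\r\n"
    "3 $10,000\r\n"
    "4 2013/09/01 $4,200.24\r\n"
    "4 2013/04/12 $17.21\r\n"
    "4 2013/11/14 $4,432.35\r\n"
)


def parse_delimited(text):
    """Return one dict per record, keyed by the header row.

    Fields are variable length, so records differ in byte length; an empty
    field comes back as '' rather than shifting the later fields left."""
    reader = csv.DictReader(io.StringIO(text, newline=""))
    return [dict(row) for row in reader]


def parse_money(token):
    """'$4,200.24' -> Decimal('4200.24'); Decimal avoids float rounding."""
    return Decimal(token.replace("$", "").replace(",", ""))


def parse_record_types(text):
    """Group a multiple-record-type file into customers with their purchases.

    Raises ValueError on an unknown type, or on a detail record (2/3/4) that
    arrives before any type-1 header, so a corrupt or truncated file is
    rejected instead of being silently mis-attributed to a customer."""
    customers = []
    current = None
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        rtype, _, rest = line.partition(" ")
        if rtype == "1":
            number, _, name = rest.partition(" ")
            current = {"customer_no": number, "name": name, "address": None,
                       "credit_limit": None, "purchases": []}
            customers.append(current)
            continue
        if current is None:
            raise ValueError(f"line {lineno}: type {rtype} before any customer header")
        if rtype == "2":
            current["address"] = rest
        elif rtype == "3":
            current["credit_limit"] = parse_money(rest)
        elif rtype == "4":
            date_text, _, amount_text = rest.partition(" ")
            purchase_date = datetime.strptime(date_text, "%Y/%m/%d").date()
            current["purchases"].append((purchase_date, parse_money(amount_text)))
        else:
            raise ValueError(f"line {lineno}: unknown record type {rtype!r}")
    return customers


def total_purchases(customer):
    """Sum of purchase amounts: a control total that can be tied to the ledger."""
    return sum((amount for _, amount in customer["purchases"]), Decimal("0"))


if __name__ == "__main__":
    for row in parse_delimited(DELIMITED_SAMPLE):
        print(row)
    for cust in parse_record_types(RECORD_TYPE_SAMPLE):
        print(cust["customer_no"], cust["name"], total_purchases(cust))
```

The csv module is used for the delimited layout so that a comma inside a quoted name is not mistaken for a field delimiter; the record-type layout has no such standard library, so the parser enforces the header-before-detail ordering itself.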
Can be accessed by multiple users and used by many different computer applications
*Database Keys
Primary Key
Foreign Keys
Volume: YouTube visitors watch more than 100 million video clips each day
Additional concerns:
Discussion
Technology Inc. (TI) is a custom manufacturer of computer parts, staffed by ten full-time employees
and five part-time employees. On the advice of the bookkeeper, TI purchased an accounting package.
The package contains general ledger, payroll, sales and accounts receivable, and accounts payable
modules.
1. What data files should be created to meet management requirement of:
2. Identify primary and foreign keys and describe general content for each table.
Key Terms
Access control
Big data
Business event
Data dictionary
Data field
Data hierarchy
Data integrity
Database administrator
Foreign key
Master file
Record
Record structure
Relational database
Relationship table
Structured data
Transaction control
Transaction file
Unstructured data
Slide 4 - Database Organizing, Manipulating and Forms and Reports - Chapter 4-5 Page
Learning Objectives
After reading this chapter you will:
Databases
Relationships
Queries
Reports
Field name
Use mnemonics; not excessively long (e.g. SIN vs Social Insurance Number)
Description (optional)
Database Design
To design a database, you need to have a conceptual view of the entire database. The
conceptual view illustrates the different files and relationships between the files.
The data dictionary is a blueprint of the structure of the database and includes data
elements, field types, programs that use the data element, outputs, and so on.
e.g. a credit card number being encrypted but required because it was a foreign key
Change content in the database (e.g. create, update, insert and delete records)
Enable users to retrieve, sort, and display specific data from the database
Data types assigned for fields, Access will reject data not of that type (e.g., 1-9 not a-z)
Input masks limit data to specific formats (e.g., 13/06/2015; or (123) 456-7890)
Default values with pre-entered data fields of new records (e.g., 40 hours = standard time)
Validation rules set a range of values that may be entered (e.g., Year must be between 1972
and 2015)
*Relationships
Identify tables
Link tables
*Relational files
Tables can be related through Direct (Parent Child) relationships or Indirect (e.g. Parent (Child)
Grandchild) relationships.
Designing Queries
1. Correct spelling and capitalization (e.g. AB not Alb or Ab)
2. AND / OR logic
3. Join tables properly
4. Name queries systematically (not Qry1, Qry2)
5. Selective data fields meet your requirements
Creating the Query
Query Answer
Designing Reports
1. Select underlying tables (data sources) and fields
2. Indicate grouping levels if required (e.g. by province)
3. Indicate sort fields (e.g. by customer name)
4. Name and save report
5. Modify report as desired (e.g. add graphics, colour)
Discussion
1. Identify the data files and relations that would be required to verify that all Vendor Invoice (A/P)
amounts agree with receipted amounts (i.e. unit cost in A/P equals unit price in the inventory
file).
Final output should include the following fields: vendor number, name and address;
product number, product description, product class, class description and unit price.
2. Draw the relationship diagram showing the data files and the foreign keys.
3. Identify the controls that should be in place to ensure amounts are equal.
Record Layouts for Tables
ACL Demo
Demo of ACL
Relate command
Filter
Key Terms
Data type
Field properties
Input masks
Query
Referential integrity
Schema
Validation rule
Exercise 5-1
Quantity Received > Quantity Ordered
You have determined that there is no control to ensure that the quantity received is what was
ordered. As a result, the Quantity Received can be more than the Quantity Ordered
Identify three people who could take advantage of this control weakness and how they
could do so.
Homework Assignment
Groups
Exercise 5-1:
Understand why documenting an AIS is important to the organization and its auditors
Be able to create simple data flow diagrams and document flowcharts and explain how they
describe the flow of data in AISs
Be able to create simple system flow diagrams and process maps and interpret these diagrams
Describe how program flowcharts and decision tables help document AISs
*Documentation
Documentation includes flowcharts, narratives, etc. that describe the inputs, processing and outputs
of the AIS. Documentation is important for:
1. Depicts how a system works
2. Training users
3. Designing new systems
4. Controlling system development and maintenance costs
5. Standardizing communication with others
6. Auditing AISs
7. Documenting business processes
8. Complying with regulation such as C-SOX
9. Establishing accountability
Document flowcharts
System flowcharts
Process maps
Uses
Types
Context
Physical
Logical
Types of DFDs
Context Diagrams
Focus on physical entities, tangible documents, and reports flowing through the system
You have more information and things are broken down (logical flow of information)
Circles, instead of showing employees and their job titles, show the jobs that are being
performed
Decomposition
Types of Flowcharts
Document: shows the flow of documents and data for a process, useful in evaluating internal controls
Systems: depicts the data processing cycle for a process
Program: illustrates the sequences of logic in the system process
*Creating Data Flow Diagrams
Example Lemonade stand
Steps:
1. Create a list of business transactions
2. Construct Context Level DFD
(identifies system and entities)
Customer Order
Serve Product
Collect Payment
Produce Product
Store Product
Order Raw Materials
Pay for Raw Materials
Pay for Labor
Process Decomposition
Document flow basic symbols - do not need to know for midterm exam
Identify areas of responsibility for each person involved in process list across top or
side of page
Sequence of events (in order from top to bottom and left to right)
Draw documents
Exercise 6-1
In groups of 3-4 - develop a process map for one of the following:
Rental of an apartment
Identify:
Purchase of House
Flowchart Tools
Microsoft
Visio
PowerPoint
Word
CASE tools
Variety of other software online, free
Key Terms
Context diagram
Decision table
Decomposition
Document flowchart
End-user computing
Graphical documentation
Job stream
Process maps
Program flowcharts
Sandwich rule
Scope
Signed checklist
Structure programming
System flowcharts
Homework Assignment
Be able to describe the steps in the financial accounting process and the role of AIS in each
step
Be able to demonstrate the use of Journals and ledgers to assist in processing accounting
transactions
Understand why planning an AIS starts with the design of the outputs in order to meet the
users information needs
Recognize the objectives and map the inputs and outputs of the sales and purchasing process
Journals
Ledgers
Trial Balance
Financial Statement
*Coding Systems
Code Types:
Block: sequential codes with blocks of numbers reserved for specific purposes
Group: the lead portion of a sequential code carries meaning (e.g. the first 2 digits of a product code are the product type)
Identify all the current assets with a 1 and all investments by looking for 12.
Financial Accounting Cycle
Sales Process
Objectives
Inputs
Sales Order
Sales Invoices
Remittance Advice
Shipping Notice
Debit/Credit Memo
Outputs
Aging Report
Customer Listing
Purchase Process
Objectives
Inputs
Purchase Invoice
Purchase requisition
Purchase order
Vendor listing
Receiving report
Debit/credit memo
Outputs
Vendor cheques
Cheque Register
Discrepancy reports
Wireless capabilities allow mobility and real time data entry in the field
RFID Tags
Key Terms
Alphanumeric code
Block code
Discrepancy reports
Exception report
Group code
Mnemonic code
Numeric code
Purchasing process
RFID tags
Sales process
Sequence code
Supply chain
Homework Assignment
Topic
Understand the importance of enterprise-risk assessment and its impact on internal controls
Be able to identify the differences between preventive, detective and corrective controls
Controls
Controls in a computer information system reflect the policies, procedures, practices and
organizational structures designed to provide reasonable assurance that objectives will be
achieved.
The controls in a computer system ensure effectiveness and efficiency of operations, reliability
of financial reporting and compliance with the rules and regulations
Internal Controls
Internal control describes the policies, plans and procedures implemented by management to:
Protect assets
Safeguard assets
*SAS #94
Auditors must determine how the firm uses IT systems to initiate, record, process and report
transactions
This understanding is necessary to plan the audit and to determine the nature, timing and
extent of tests to be performed to gain a sufficient understanding of internal controls.
The more your system relies on IT, as you move away from paper to electronic, the less you can take a
sample and verify things; you can't rely on that. You need to actually test the IT controls.
Then there are a number of risks involved.
Which IT Risks Need to be Considered?
AU 319.19
AU 319.20
Security of the entire database might be compromised by a lack of control at a single user
entry point resulting in:
Improper changes
Destruction of data
Breakdown in segregation of duties can occur when IT personnel and users are given, or can
gain access privileges beyond necessary to perform their assigned duties
AU 319.21
IT personnel may not completely understand the IT system and how it processes
transactions
AU 319.22
Edit routines in programs designed to identify and report transactions that exceed certain
limits may be disabled or overwritten
AU 319.31
Do you have the necessary skills on the audit team; or do you need an IT Audit specialist?
*Control Frameworks
COSO
COSO-ERM
COBIT
Pull up a set of controls above to test a system. Helps you determine what you need to look at.
*Components of COSO Frameworks (not asked how many components and principles but will for
below) *(CeRaCaIcM)
Control environment
Risk assessment
Control activities
Monitoring
The control environment: the standards, processes and structures that provide the framework; it
includes the organizational structure, the ethical values of the company and expectations of
rigour in performance measures.
Risk assessment: identifying and assessing risks that could impact the achievement of
objectives.
Control activities: actions to ensure that management's efforts to mitigate risk are carried out.
This includes authorizations, verifications and business performance reviews.
Information and communication: the generation of information and its dissemination both
within and outside of the company.
COSO-ERM expands some areas of COSO (in red). For example, cocoa beans for flavouring
chocolate: due to internal strife, competition for beans, weather, etc., how likely is it that our supply
would be limited? If the likelihood is really high, maybe don't offer that chocolate and expand into
other areas, or buy insurance or hedge it.
Internal Environment
Organizing structure
identifying threat,
Risk Assessment
Risk is assessed from two perspectives:
Likelihood
Impact
Accept
Share
Avoid
Audit Trail
Tone-at-the-top
Prioritize risks
Follow-up if needed
Residual risk
Is the risk that remains after management implements internal controls or some other
type of risk response
Control risk
is the risk that an error that could occur in an account balance or class of transactions, and
could be material, will not be prevented or detected on a timely basis by the
system of internal accounting controls.
Detection risk
is the risk that an auditor's procedures will lead them to conclude that an error in
an account balance or class of transactions that could be material does not exist
when in fact such an error does exist
Preventive controls
Detective controls
Deter problems from occurring (e.g. firewall to prevent unauthorized access to network)
Corrective controls
Procedures used to solve, correct or recover from a problem (e.g. backup copies of
critical data)
If someone gets through firewall you need detective controls to tell you. You then need to fix it with
corrective control.
Examples of Control Activities
Common control activities include:
Separation of duties
*Controls - examples
Preventive
Physical safeguard and access restriction controls (human, financial, physical and
information assets)
Segregation of duties
Business systems integrity and continuity controls (e.g. system development process,
change controls, security controls, systems backup and recovery)
Encryption / Decryption
Anti-virus software
Separation of Duties
Purpose
Structure of work assignments so one employee's work checks the work of another
Custody of assets
Authorizing transactions
Recording transactions
Inventory controls
Document controls
Corporate charter, major contracts, blank cheques, and TSE registration statements
Controls - examples
For each topic below identify preventive, detective and corrective controls:
Independent assessment
Cost-Benefit Analysis
Only controls whose benefits are expected to be greater than or at least equal to their costs
are implemented.
The matrix can identify unnecessary controls or risks that are not being mitigated.
Exercise 9-2
For the following flow diagram
Process Controls
Controls
Limitations of controls:
Judgement
Breakdowns
Management override
Collusion
Operational expediency
Discussion
Identify mitigation strategies or controls for each of the control limitations:
Judgement
Breakdowns
Management override
Collusion
Operational expediency
Key Terms
Control environment
Corporate governance
Corrective controls
Detective controls
Expected loss
Ideal control
Internal control
Operational audits
Risk assessment
SAS #94
Separation of duties
Homework Assignment
Case Analysis:
Case 9-19
p. 309; and
Case 9-20
Be able to describe control objectives related to IT and understand how these objectives are
achieved.
Be able to identify enterprise-level controls and understand why they are essential for
corporate governance.
Discuss the importance of general controls for IT and why these should be considered when
designing and implementing AISs.
Be able to identify IT general security and controls issues for wireless technology, networked
computers, and personal computers.
Know what input, processing and output controls are and be familiar with specific examples of
control procedures in each of these categories.
*Computer Controls
Three broad categories:
Application controls are to prevent, detect, and correct errors in processing transactions
Enterprise-Level Controls
Enterprise controls are those that affect the entire organization and influence the effectiveness of
other controls.
Controls to monitor other controls, including activities of the internal audit function,
the audit committee, and self-assessment programs.
Physical measures protect firms facilities, resources, and data stored on physical media
Access controls to facilities, data centres, computers (e.g. biometrics, access cards)
Proper storage and disposal of hard drive and electronic storage media
Secure storage of backup copies of data and master copies of critical software
Logical Security
System authentication
Biometrics
Smart cards
IT is trying to find the right mix of the above. Are the changes we make required, authorized and tested?
The person who approves that can't be the one implementing. How do we handle incidents? For example,
in the audit of the CRA, the group responsible for knowing about people wrongly accessing the database
weren't even told. End-user computing is end users writing their own programs; some places say no.
Strong passwords
Biometric identification
Security
Wireless
Data encryption
Networks
Trailer label and transaction segments to verify entire message was received
Sender and receiver have the appropriate encryption and decryption keys.
Security
Safeguards for PCs, laptops and tablets
Anti-virus software
Separation of Duties
Control problems
Electronic eavesdropping
Control procedures
Checkpoint
Routing verification
Message acknowledgement
Personnel Policies
Separation of duties
Safeguard files from intentional and unintentional errors. (69% of database breaches
were because of internal culprits)
Disaster Recovery
Back up and disaster recovery sites (hot, flying-start, and cold site alternatives)
Fault tolerance
Preventive maintenance
Fire suppression
Surge protection
Backup procedures
Incremental backup
Copies only items that have changed since last partial backup
Differential backup
Backup sites
Fault-tolerant systems
Hot / cold
Backup
UPS
Hot backup: you swap it in and it's ready; cold: you have to turn everything off to do it
Application Controls
Field check
Sign check
Compares data from transaction file to that of master file to verify existence
Reasonableness test
Validity check
Completeness check
Size check
Range check
Limit check
Recalculating check digit to verify data entry error has not been made
Batch processing
Sequence check
Batch totals
Financial total
Hash total
Record count
Prompting
Closed-loop verification
Checks accuracy of input data by using it to retrieve and display other related
information (e.g., customer account # retrieves the customer name)
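The input controls listed above (field, sign, size, range, limit and completeness checks, check-digit recalculation, batch totals) and the Access validation rules described earlier are easiest to understand as code. The following Python is an added example, not part of these notes: it runs edit tests over a constructed batch of keyed sales transactions and then reconciles the batch's record count, financial total and hash total against a control slip prepared from the source documents. The mod-10 (Luhn) check digit, the 11-digit account format, the quantity range 1-100 and the $10,000 limit are assumptions chosen for the example.

```python
from decimal import Decimal, InvalidOperation

# Constructed batch of keyed sales transactions. Record 3 was mis-keyed:
# wrong check digit in the account number, quantity out of range, and a
# negative amount.
SAMPLE_BATCH = [
    {"seq": 1, "account": "79927398713", "qty": "5",   "amount": "120.00"},
    {"seq": 2, "account": "79927398713", "qty": "2",   "amount": "45.50"},
    {"seq": 3, "account": "79927398710", "qty": "999", "amount": "-10.00"},
]

# Constructed control slip prepared from the source documents before keying:
# 3 records, $175.50 in total, and the hash total of the three correct accounts.
CONTROL_SLIP = {
    "record_count": 3,
    "financial_total": Decimal("175.50"),
    "hash_total": 79927398713 * 3,
}

REQUIRED_FIELDS = ("seq", "account", "qty", "amount")
ACCOUNT_LENGTH = 11               # size check (assumed account number format)
QTY_RANGE = (1, 100)              # range check (assumed business rule)
AMOUNT_LIMIT = Decimal("10000")   # limit check (assumed business rule)


def check_digit_ok(number):
    """Mod-10 (Luhn) check digit, assumed here as the check-digit scheme."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate_record(rec):
    """Input edit tests on one record; returns the list of failed checks."""
    errors = []
    missing = [f for f in REQUIRED_FIELDS if not str(rec.get(f, "")).strip()]
    if missing:  # completeness check: stop early, the other tests need all fields
        return [f"completeness check: missing {', '.join(missing)}"]
    acct = rec["account"]
    if not acct.isdigit():
        errors.append("field check: account must be numeric")
    elif len(acct) != ACCOUNT_LENGTH:
        errors.append(f"size check: account must be {ACCOUNT_LENGTH} digits")
    elif not check_digit_ok(acct):
        errors.append("check digit: account number mis-keyed")
    try:
        qty = int(rec["qty"])
        if not QTY_RANGE[0] <= qty <= QTY_RANGE[1]:
            errors.append(f"range check: qty {qty} outside {QTY_RANGE}")
    except ValueError:
        errors.append("field check: qty must be an integer")
    try:
        amount = Decimal(rec["amount"])
        if amount < 0:
            errors.append("sign check: amount must not be negative")
        elif amount > AMOUNT_LIMIT:
            errors.append(f"limit check: amount exceeds {AMOUNT_LIMIT}")
    except InvalidOperation:
        errors.append("field check: amount must be a number")
    return errors


def batch_controls(records):
    """Record count, financial total, hash total and sequence check for a batch.

    Assumes every record has already passed validate_record's field checks."""
    seqs = [r["seq"] for r in records]
    return {
        "record_count": len(records),
        "financial_total": sum((Decimal(r["amount"]) for r in records), Decimal("0")),
        "hash_total": sum(int(r["account"]) for r in records),   # non-financial field
        "sequence_ok": seqs == list(range(1, len(records) + 1)),
    }


def reconcile(records, slip):
    """Names of the batch totals that disagree with the control slip."""
    totals = batch_controls(records)
    return [k for k in ("record_count", "financial_total", "hash_total")
            if totals[k] != slip[k]]


if __name__ == "__main__":
    for rec in SAMPLE_BATCH:
        print(rec["seq"], validate_record(rec) or "ok")
    print(batch_controls(SAMPLE_BATCH))
    print("mismatched totals:", reconcile(SAMPLE_BATCH, CONTROL_SLIP))
```

Note that the record count matches the slip even though record 3 is wrong: a count alone cannot detect a mis-keyed field, which is why the financial total and the hash total over a non-financial field are kept alongside it.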
Processing Controls
Data matching
File labels
Cross-footing
Zero-balance tests
Write-protection mechanisms
Verifies accuracy by comparing two alternative ways of calculating the same total
Prevent error of two or more users updating the same record at the same time
Output Controls
Reconciliation
Procedures to reconcile to control reports (e.g. general ledger A/R account reconciled to
A/R subsidiary ledger)
Exercise 10-1
Accounts Payable duplicates
An audit found $1M in duplicates because of weaknesses in the controls over duplicates
For each criteria identify a possible control weakness which would allow duplicates to
happen and recommend a control improvement.
Vendor name in master file: if there's poor control over the master file you have vendors with multiple
names, and suddenly you've broken the test for duplicates. The control is to restrict access.
Key Terms
Application controls
Data encryption
Disaster recovery
Edit tests
Input controls
Integrated security
IT general control
Output controls
Physical security
processing controls
Security policies
Validity test
Homework Assignment
1. Identify and briefly explain the problems The Big Corporation could experience with
respect to the confidentiality of information and records in the new system.
There doesn't seem to be any confidentiality, as not only stores and warehouses can access the
information system but also laptops and handhelds. While for the former there may be
restrictions for some personnel, it's not the case for all of them. This means if they ever lose
access to their devices or someone else was to use them, they could access confidential
information. Furthermore, remote terminals could allow access to confidential data by
unauthorized personnel. The restrictions themselves are upon certain reports, which means of
everything listed, such as company records, personnel information, etc., there could be a lot of
sensitive information available to anyone who can access the system.
2. Recommend measures The Big Corporation could incorporate into the new system that
would ensure the confidentiality of information and records in this new system.
There needs to be a mix of physical and logical security within the new system to ensure
confidentiality of information and records. Physical security such as facility monitoring (such as
surveillance and guards) and access controls such as access cards would make the remote
terminals a lot more secure. Likewise, logical security such as e-IDs and passwords along with
system authentication could make accessing the system with laptops and handhelds much more
secure. Additionally, a log of who's accessing the confidential information is important as it can
hold people accountable in case of a breach of security. It could also indicate there were
attempts to access confidential information if there were too many log-on attempts. There also
need to be policies in place such as time restrictions on access to the system so that in the
event someone does sneak onto the system they don't have a lot of time to go through the
confidential information.
3. What safeguards can The Big Corporation develop to provide physical security for its (a)
computer equipment, (b) data, and (c) data processing centre facilities?
For computer equipment, surveillance, cameras, guards, biometrics, access cards, etc. would be
enough. For the data itself, e-IDs and passwords along with system authentication, firewalls, antivirus
and encryption could protect the data well enough. For the data processing centre facilities
there should be backups in case the data is altered, corrupted or damaged. The system and
facility itself need to be insured and have backups in different locations to provide redundancy.
There needs to be a team to oversee potential issues and constantly update the security as well
to ensure safeguards are up to date and running effectively.
Slide 11 - Computer Crime, Fraud, Ethics and Privacy Chapter 11A Page
Learning Objectives
After reading this chapter you will:
Be familiar with several computer crime cases and the proper controls for preventing them
Understand the importance of ethical behaviour within the environment of computerized AISs
Section 342
Unauthorized use of computers and networks including hacking and theft of passwords
Section 184
Defines identity theft, including impersonating any person, living or dead, with intent
to gain advantage, steal property or avoid arrest
Computer Crime
Computer crime: a criminal offence involving the computer as the object of the crime, or the
tool used to commit a material component of the crime
Pure computer crimes: the computer is the primary object of the crime. Examples: hacking,
denial of service, spreading of computer viruses.
Computer-supported crimes: the computer is the instrument used in committing the
crime. This can include harassment, fraud, and support of other criminal activities.
Intent to illegally obtain information or tangible property through the use of computers
Protection of data
Encryption
Ethical hackers
Intrusion testing
User education
Denial of service
Firewalls
Anti-virus software
Canadian Examples
CRA
Calgary Police
RCMP
Personal use
CRA Audit
Audit of Privacy and Security policies and procedures
Lack of automated tools to flag inappropriate access and gaps in audit trail
Access to Information and Privacy Directorate is not regularly informed about privacy
breaches
Security Approaches
Multiple layers of control (preventive and detective) to avoid a single point of failure
where
Security just wants you to take long enough that the police get to you.
Layering of Controls
Steps to an Attack
Do I have to access building, how do I get in, what is allowed in and out
Implement controls
Fraud - A Definition
In general fraud consists of:
What is fraud?
65% Male
42% had 1-5 years on the job (only 6% had less than 1 year on the job)
Pressure
Opportunity
Rationalization
10-80-10 rule
The removal of pressure sometimes isn't enough, but the first act of fraud is harder to do than the
rest of them. Afterwards the risk rises along with the dollar values.
Behavioural Red Flags
Financial difficulties
Divorce/family problems
Wheeler-dealer attitude
Addiction problems
Discussion 11-1
HP fraud at Department of National Defence - $146M over 10 years.
Based on the statements below, what are the possible behavioural red flags for each:
Bulk purchase paid more but justified it; email from boss had same content;
Match employee/vendor not employee but a contractor who had signing authority
He had saved the department hundreds of millions of dollars and had received superior
performance appraisals but should be paid more
Audit found a computer mouse that cost $650 dollars and IT maintenance contracts
with labour/no parts and parts/no labour
Wheeler-dealer
Defensiveness
Given much more authority than he should have had
unwillingness to share duties
Wasnt paid enough for what he was doing as far as he was concerned
Phone Scam
Forensic analysis
Physical surveillance
e.g. staked out for filling a car at a dollar fifty a litre when it's really a dollar a litre, and
they'd split the cash
Electronic surveillance
Undercover operations
Combination of above
Digital Evidence
Data, by its very nature, is fragile and can be altered, damaged or destroyed through changes in:
Network Connections
Avoiding Mistakes
Basic Rules:
Slide 11 - Computer Crime, Fraud, Ethics and Privacy Chapter 11B Page
Occurrence of Fraud
Perceived root causes of observed misconduct:
Belief they will be rewarded by results, not the means they use to achieve them
Belief that the code of conduct is not taken seriously by senior management
A survey of people who observed misconduct thought the root causes were:
Belief they will be rewarded by results, not the means used to achieve them
Belief that the code of conduct is not taken seriously by senior management
Occurrence of Misconduct/Fraud
Integrity survey results:
56% feel the misconduct could cause a serious loss of public trust
Serious misconduct in: healthcare, banking and finance, aerospace and defence, government
and technology
Globally, 70% of companies suffered from at least one type of fraud last year
How bad is it?
The KPMG 2013 Integrity survey found that 73% of respondent employees have witnessed
misconduct during the last 12 months.
A majority (56 percent) of respondents thought that the misconduct they witnessed was so serious
that it could cause a significant loss of public trust if discovered.
The industries with above average rates of respondent-observed serious misconduct this
year are healthcare (57 percent), banking and finance (57 percent), aerospace and defence
(59 percent), government (62 percent), and technology (63 percent).
The Kroll 2013-14 Global Fraud Report states that "the incidence of fraud has increased this
year. Overall, 70% of companies reported suffering from at least one type of fraud in the last
year."
Every kind of fraud covered in the survey saw an increase in incidence, with vendor, supplier or
procurement fraud and management
Median Losses due to Fraud (chart, median loss by scheme type): Billing $100K; Cheque Tampering $120K; Non-Cash Misappropriation $95K; Skimming $40K; Payroll and Expense Reimbursements $50K and $30K (one each).
ACFE 2014 Report to the Nations on Occupational Fraud and Abuse reported a median loss of
$145,000 and 22% of the cases had a loss of at least $1M.
Survey estimated that an organization loses 5% of revenue. Projected worldwide, this is $3.7
trillion dollars per year.
As you can see - the median losses are significant for different types of fraud. In the US the median
loss was $100K and in Canada it was $250K (up from $78K in 2012).
I should mention that the victim in 10% of the cases was government; and the median loss was
$100K.
Yet many federal government departments think that they do not have fraud. Why?
Median Duration of Fraud Scheme
An overwhelming 93 percent of frauds were committed in multiple transactions. For 42% of those
frauds, the average value per transaction was between US $1K-50K.
The question that arises is "Why are the median losses so high?" Part of the answer is that it
takes a long time to detect fraud, as can be seen from the median lengths (in months) that it took to
detect different types of fraud. The ACFE 2014 study found a median of 18 months before detection.
However, when controls were in place the duration of the fraud dropped by 50%.
Why would payroll take longer to detect?
- hidden among many employees;
- requires HR and pay info;
- fully automated process once you have fixed your pay no one knows.
Median Duration (chart: median months to detection by fraud type, 2014 vs 2012; values shown range from 1 to 43 months)
Code of Conduct
Anti-Fraud Policy
Rotation/Mandatory Vacation*
Hotline**
Management Review**
Surprise Audits*
Fraud Detection
Fraud hotline
Process controls
Reconciliations
Independent review
audits
Data analysis
Anomalies
Trends
The use of a whistleblower hotline - this is one of the more effective measures organizations
can implement as part of their fraud risk assessment program
Process controls specifically designed to detect fraudulent activity, as well as errors, include
reconciliations, independent reviews, physical inspections/counts, analyses, and audits.
Data analysis, continuous auditing techniques, and other technology tools can be used effectively to detect
fraudulent activity. Data analysis uses technology to identify anomalies, trends, and risk
indicators within large populations of transactions.
Types of Fraud
Asset misappropriation
Corruption
Asset misappropriations - accounted for more than 85% of cases, yet these schemes also had
the lowest median loss at $130,000.
Financial statement fraud was involved in less than 9% of the cases studied, but caused the
greatest median loss at $1 million.
Corruption schemes fell in the middle in terms of both frequency (approximately 37% of the
cases reported) and median loss ($200,000).
30% of the cases included two or more of the primary types of fraud.
Why do you think the losses for asset misappropriation were lower than for other types of
fraud? Possible reasons: often small-dollar inflated invoices; bid rigging (small variance in price); shorter time frame before being caught. Others?
What are some other (non-financial) types of losses ?
loss of goodwill;
employee morale;
Also, most studies only consider the cost of known frauds. What about the costs of undetected
frauds?
Type of fraud               Median loss ($K)   Percent of cases
Asset misappropriation      130                85
Corruption                  200                37
Financial statement fraud   1000               under 9
Asset Misappropriation
Employees
An organization's assets, both tangible (e.g., cash or inventory) and intangible (e.g., proprietary or
confidential product or customer information), can be misappropriated by employees, customers, or
vendors.
The main method of prevention is to ensure that controls are in place to protect such assets. To do
this you need to develop an understanding of what assets are subject to misappropriation, the
locations where the assets are maintained, and which personnel have control over or access to
tangible or intangible assets.
Common schemes include misappropriation by employees such as:
Theft of assets
Theft of corporate information (e.g., a salesperson takes the customer list when she leaves)
Customers
But not all frauds are committed by employees. Vendors and customers can be the perpetrators of
fraud without any involvement of employees:
fictitious invoices
inferior goods
Corruption
Bribery of
Companies
Private individuals
Public officials
Corruption includes:
Misstated Revenue
Masked disclosures
Concealment of acquisitions
Executives cook the books, as they say, by fictitiously inflating revenues, recognizing revenues before
they are earned, closing the books early (delaying current period expenses to a later period),
overstating inventories or fixed assets, and concealing losses and liabilities.
The Treadway Commission recommended four actions to reduce the possibility of fraudulent
financial reporting:
Identify and understand the factors that lead to fraudulent financial reporting.
Design and implement internal controls to provide reasonable assurance that fraudulent
financial reporting is prevented.
Understand Fraud
Obtain information
But SAS 99 also requires audits to incorporate a technology focus: auditors have to use technology
to define fraud-auditing and IT auditing procedures.
This is expanded in SAS 94 which we will cover in chapter 9.
Risk Examples
SAS 99 defines various risk factors that can be used when assessing the risk of fraudulent financial
reporting and other fraudulent acts. In particular, it outlines risk factors including:
Management Environment
Are financial targets too ambitious and the consequences of failure high?
(Enron)
Are performance measures unrealistic e.g. increase market share by 10% every
quarter or increase shareholder value by 20% every year.
These types of pressures can increase the risk that an employee will overstate performance to
achieve targets.
Types of analysis suggested include: reviewing production figures for accuracy; reviewing the next period
after bonuses have been awarded and looking for returns. Others?
A competitive industry with rapidly changing technology (Nortel, BB) can lead to inventory
becoming obsolete and, if it is not re-evaluated, to overstatement on the financial report. Check
the data and impact of the last inventory evaluation. Look at inventory turnover. Others?
Employee relationships: hiring of family members or giving contracts to relatives. One test is to
match employee and vendor addresses (problems with this approach? How could you improve
it?). You can also compare trends across years (totals by contracting officer and vendor) and look for
sudden increases or decreases. Others?
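As an added example (not from the course notes or any named system), here is the employee/vendor address match described above, written in Python over constructed master data. A raw string comparison misses the match when the two systems store the same address differently; normalizing case, punctuation and abbreviations finds it, and comparing a second field (bank account number) is one way to improve the test. The field names and the sample records are assumptions.

```python
import re

# Constructed sample master data (not from the course material): two employees and
# three vendors; one vendor shares an address and bank account with an employee.
EMPLOYEES = [
    {"id": "E100", "name": "J. Smith", "address": "12 King St. W, Suite 4, Ottawa ON", "bank": "0021-445"},
    {"id": "E101", "name": "A. Tremblay", "address": "77 Rideau Street, Ottawa, ON", "bank": "0033-901"},
]
VENDORS = [
    {"id": "V5001", "name": "Maple Consulting", "address": "12 KING STREET WEST UNIT 4 OTTAWA ON", "bank": "0021-445"},
    {"id": "V5002", "name": "Northern Office Supply", "address": "900 Bank St, Ottawa ON", "bank": "0099-123"},
    {"id": "V5003", "name": "Tremblay & Co", "address": "77 rideau st ottawa on", "bank": "0033-902"},
]

# Token-level abbreviations so that "Street", "St." and "st" compare equal.
ABBREV = {
    "street": "st", "avenue": "ave", "road": "rd", "boulevard": "blvd",
    "west": "w", "east": "e", "north": "n", "south": "s",
    "suite": "unit", "ste": "unit", "apt": "unit", "apartment": "unit",
}


def normalize_address(address):
    """Lower-case, drop punctuation and map common abbreviations to one form."""
    tokens = re.sub(r"[^\w\s]", " ", address.lower()).split()
    return " ".join(ABBREV.get(t, t) for t in tokens)


def match_employees_to_vendors(employees, vendors, normalize=True):
    """Return {(employee_id, vendor_id): set_of_reasons} for each pair that shares an
    address (compared raw or normalized) or a bank account number."""
    key = normalize_address if normalize else (lambda a: a)
    hits = {}
    for emp in employees:
        for ven in vendors:
            reasons = set()
            if key(emp["address"]) == key(ven["address"]):
                reasons.add("address")
            if emp["bank"] == ven["bank"]:
                reasons.add("bank_account")
            if reasons:
                hits[(emp["id"], ven["id"])] = reasons
    return hits


if __name__ == "__main__":
    print("raw address compare:", match_employees_to_vendors(EMPLOYEES, VENDORS, normalize=False))
    print("normalized compare: ", match_employees_to_vendors(EMPLOYEES, VENDORS))
```

With the raw comparison only the shared bank account is found; after normalization both address matches appear, including the contractor-style vendor at the employee's own address. Matching on more than one field (address, bank account, phone) reduces the false negatives of a single exact-match test.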
Attractive assets: if your company has attractive, easily transportable items (hi-tech) then you
are at risk. Test inventory controls and look at trends in reorder quantity. Others?
Internal Controls
New organization structures and systems: the previous manual system may have had
mitigating controls; it is often assumed that a new computer system will contain all the
necessary controls, but sometimes these aren't even turned on. Therefore, you should test
key controls. Others?
Business Re-engineering
Re-organization, particularly downsizing, can lead to issues around separation of duties.
Others?
Insufficient monitoring and few audits, particularly in purchasing. Even companies that have
ERP systems often don't initiate three-way matching. Others?
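Three-way matching, as an added Python example that is not part of the course material or of any ERP product: each vendor invoice is compared against its purchase order and the goods-receipt records, and any discrepancy puts the invoice on hold for review instead of letting it flow to payment. The record layouts, the 2% price tolerance and the exception wording are assumptions; the purchasing records are constructed.

```python
from collections import defaultdict

# Constructed purchasing data (not from the course material).
PURCHASE_ORDERS = {
    "PO-1": {"vendor": "V5002", "item": "toner", "qty": 10, "unit_price": 80.00},
    "PO-2": {"vendor": "V5002", "item": "paper", "qty": 50, "unit_price": 6.00},
    "PO-3": {"vendor": "V5001", "item": "consulting-day", "qty": 10, "unit_price": 900.00},
}
RECEIPTS = [  # goods/services actually received, as recorded by receiving
    {"po": "PO-1", "qty": 10},
    {"po": "PO-2", "qty": 50},
    {"po": "PO-3", "qty": 6},
]
INVOICES = [  # vendor invoices presented for payment, in the order received
    {"inv": "INV-9",  "po": "PO-1", "vendor": "V5002", "qty": 10, "unit_price": 80.00},
    {"inv": "INV-10", "po": "PO-2", "vendor": "V5002", "qty": 50, "unit_price": 6.60},
    {"inv": "INV-11", "po": "PO-3", "vendor": "V5001", "qty": 10, "unit_price": 900.00},
    {"inv": "INV-12", "po": "PO-7", "vendor": "V5009", "qty": 1,  "unit_price": 650.00},
    {"inv": "INV-13", "po": "PO-1", "vendor": "V5002", "qty": 10, "unit_price": 80.00},
]


def three_way_match(pos, receipts, invoices, price_tolerance=0.02):
    """Compare every invoice with its PO and the receipts; return one result per invoice."""
    received = defaultdict(int)
    for r in receipts:
        received[r["po"]] += r["qty"]
    invoiced_so_far = defaultdict(int)  # catches a second invoice against the same PO
    results = []
    for inv in invoices:
        exceptions = []
        po = pos.get(inv["po"])
        if po is None:
            exceptions.append("no purchase order on file")
        else:
            invoiced_so_far[inv["po"]] += inv["qty"]
            if inv["vendor"] != po["vendor"]:
                exceptions.append("vendor differs from PO")
            if inv["qty"] > received[inv["po"]]:
                exceptions.append("invoiced qty exceeds received qty")
            if invoiced_so_far[inv["po"]] > po["qty"]:
                exceptions.append("cumulative invoiced qty exceeds PO qty (possible duplicate billing)")
            if abs(inv["unit_price"] - po["unit_price"]) > price_tolerance * po["unit_price"]:
                exceptions.append("unit price outside tolerance")
        results.append({"invoice": inv["inv"],
                        "status": "HOLD" if exceptions else "APPROVE",
                        "exceptions": exceptions})
    return results


if __name__ == "__main__":
    for r in three_way_match(PURCHASE_ORDERS, RECEIPTS, INVOICES):
        print(r["invoice"], r["status"], "; ".join(r["exceptions"]))
```

Only INV-9 passes. The other four illustrate the schemes discussed above: an inflated unit price, services billed but not received, an invoice with no purchase order behind it, and a duplicate invoice against an already fully billed order.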
Examining these risk factors can help you complete a Fraud Risk Assessment of different areas of the
company.
Developing a Fraud Investigation Plan
All the time with fraud:
Perform analysis
When fraud is suspected you need to enhance the fraud monitoring plan and develop a more detailed
fraud investigation plan
states why you are performing the analysis and what you are looking for, including the
possible symptoms of the fraud;
specifies the required data (a single year or several; one business unit or more) and describes
the expected results;
determines the data source and which fields are required, the data owners and programmers,
the best methods for obtaining the data, file formats, transfer mechanisms, and
how you will safeguard the data.
When performing the analysis, it is important to drill down into the data challenging the
assumptions and results. In cases of suspected fraud, the auditor must verify to source or compare
with other sources.
The Fraud Plan is a living document - does not constrain your analyses, but provides a structure and
a purpose.
It is important to get sign-off; you may want to confer with the corporate lawyer.
Discussion 11-2
You have been informed that someone in A/R has changed the system parameters so customers can
have an outstanding balance that is more than their credit limit.
Develop a fraud detection plan to determine if this is happening. Answer the following:
If the controls are not working what additional analysis should be performed and
why?
It could also be someone in receiving raising the customer's limit. The customer pays back, but
the person steals $200 out of the $1000.
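One way to turn Discussion 11-2 into a concrete detection plan, as an added Python example (not the course's answer key). It runs three checks over constructed A/R data: customers whose balance exceeds their credit limit (is the control working at all?), changes to credit limits or to the limit-enforcement parameter made by unauthorized users or without approval (who changed the parameters?), and limits that were raised and then quietly restored by the same user, which is the pattern in the receiving scenario. Field names, user roles and the 30-day window are assumptions.

```python
from datetime import date

# Constructed A/R master data (not from the course material).
CUSTOMERS = [
    {"id": "C1", "credit_limit": 5000.0, "balance": 4200.0},
    {"id": "C2", "credit_limit": 1000.0, "balance": 2600.0},
    {"id": "C3", "credit_limit": 20000.0, "balance": 20000.0},
]
# Constructed change log for customer credit limits and the A/R system parameter.
CHANGE_LOG = [
    {"ts": "2024-02-01", "user": "ar_mgr", "target": "C1", "field": "credit_limit",
     "old": 4000.0, "new": 5000.0, "approved_by": "controller"},
    {"ts": "2024-02-09", "user": "recv_clerk", "target": "C2", "field": "credit_limit",
     "old": 1000.0, "new": 3000.0, "approved_by": None},
    {"ts": "2024-02-10", "user": "recv_clerk", "target": "C2", "field": "credit_limit",
     "old": 3000.0, "new": 1000.0, "approved_by": None},
    {"ts": "2024-02-12", "user": "ar_clerk", "target": "SYSTEM", "field": "enforce_credit_limit",
     "old": True, "new": False, "approved_by": None},
]
AUTHORIZED_TO_CHANGE_LIMITS = {"ar_mgr", "controller"}  # assumed role assignment


def over_limit_customers(customers):
    """Control test: customers carrying a balance above their credit limit."""
    return [c["id"] for c in customers if c["balance"] > c["credit_limit"]]


def suspicious_changes(change_log, authorized):
    """Who changed limits or switched the check off, and was it approved?"""
    findings = []
    for e in change_log:
        reasons = []
        if e["field"] == "enforce_credit_limit" and e["new"] is False:
            reasons.append("credit-limit check switched off")
        if e["field"] == "credit_limit":
            if e["user"] not in authorized:
                reasons.append("changed by unauthorized user")
            if e["approved_by"] is None:
                reasons.append("no documented approval")
        if reasons:
            findings.append({"ts": e["ts"], "user": e["user"], "target": e["target"], "reasons": reasons})
    return findings


def temporary_limit_increases(change_log, max_days=30):
    """A limit raised and then restored to its old value by the same user within
    max_days: the pattern behind the receiving scenario in the discussion."""
    open_raises = {}  # target -> (user, date raised, limit before the raise)
    found = []
    for e in sorted(change_log, key=lambda entry: entry["ts"]):
        if e["field"] != "credit_limit":
            continue
        when = date.fromisoformat(e["ts"])
        if e["new"] > e["old"]:
            open_raises[e["target"]] = (e["user"], when, e["old"])
        elif e["target"] in open_raises:
            user, raised_on, before = open_raises.pop(e["target"])
            days = (when - raised_on).days
            if e["user"] == user and e["new"] == before and days <= max_days:
                found.append({"target": e["target"], "user": user, "days": days})
    return found


def run_detection_plan():
    """The three tests of the plan, run against the constructed data."""
    return {
        "over_limit": over_limit_customers(CUSTOMERS),
        "suspicious_changes": suspicious_changes(CHANGE_LOG, AUTHORIZED_TO_CHANGE_LIMITS),
        "temporary_increases": temporary_limit_increases(CHANGE_LOG),
    }


if __name__ == "__main__":
    for name, result in run_detection_plan().items():
        print(name, result)
```

If the first test returns nothing, the control may still have been bypassed for a period: the second and third tests look at the change log rather than the current state, which is why the plan needs the parameter-change history as a data source and not only the customer master file.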
Identity Theft
The minimum information required to impersonate someone is simply their name, but access to the
following can cause real damage:
Full name
Date of birth
Full address
Your identity can be stolen simply by someone using your name (for example, at a party
someone gives the person they have been talking to, and don't want to see again, your
name and number).
However, if the fraudster has access to any of the following: full name, date of birth, social
insurance number, mother's maiden name, user names and passwords to websites, real
damage can ensue.
Cell phones
Airline tickets
Medical services
Passport
Use the identity to get a driver's license, and then use the credit card, bank account and photo ID to obtain:
Cell phone
Airline tickets
Dumpster diving: bank / credit card statements, phone / water / hydro bills
Internet
Hacking -
Vishing: using VoIP to ask the user to call and provide account verification info
ATM
Shoulder surfing
Hidden camera
A fraud case in Ontario used a fake driver's license and rental info to get a bank account and credit
card, which were then used to get a passport and to lease expensive automobiles. The fraudsters defaulted on
the payments and the cars were shipped overseas.
Key Terms
Antivirus software
Computer crime
Computer virus
Computer worms
cookie
Firewalls
Identity theft
Intrusion testing
Privacy policy
Social engineering
Learning Objectives
After reading this chapter you will:
Know how to determine the effectiveness of internal controls over specific information systems
Be able to detail how auditors can use IT to prevent and detect fraud
Know how SOX and CICA rules influence the role of IT auditors
IT Audit Process
IT audit function encompasses:
People
Procedures
Data communications
Databases
External auditors examine the AIS primarily to evaluate how the organization's control procedures
over computer processing affect the financial statements (attest objectives).
If controls are weak or nonexistent, auditors will need to perform substantive testing (specific tests
of transactions and account balances, e.g. confirmation of accounts receivable with customers) rather
than an evaluation of controls and processes.
IT Auditor Toolkit
Automated workpapers
Perform consolidations
Specialized packages
SQL
Parallel simulation
Program comparison
Exception reporting
Transaction tagging
Snapshot technique
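Parallel simulation and exception reporting from the toolkit above, as an added Python example rather than the output of any audit package: the auditor independently re-implements the invoice pricing rule (discount, then sales tax, rounded to the cent) from the source fields and compares the result with the total the client's system recorded; every difference beyond a tolerance goes on the exception report. The pricing rule, the invoice records and the one-cent tolerance are assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed sales invoices (not from the course material). "system_total" is the amount
# the client's billing system recorded; the other fields are the source data it used.
INVOICES = [
    {"id": "INV-1", "qty": 10, "unit_price": "25.00", "discount_pct": "0", "tax_rate": "0.13", "system_total": "282.50"},
    {"id": "INV-2", "qty": 4, "unit_price": "99.99", "discount_pct": "10", "tax_rate": "0.13", "system_total": "406.76"},
    {"id": "INV-3", "qty": 3, "unit_price": "1200.00", "discount_pct": "15", "tax_rate": "0.13", "system_total": "3406.80"},
    {"id": "INV-4", "qty": 1, "unit_price": "500.00", "discount_pct": "0", "tax_rate": "0", "system_total": "565.00"},
]
CENT = Decimal("0.01")


def recompute_total(inv):
    """Auditor's independent implementation of the assumed pricing rule:
    gross amount, less discount, plus tax, rounded half-up to the cent."""
    gross = Decimal(inv["qty"]) * Decimal(inv["unit_price"])
    net = gross * (Decimal(1) - Decimal(inv["discount_pct"]) / Decimal(100))
    total = net * (Decimal(1) + Decimal(inv["tax_rate"]))
    return total.quantize(CENT, rounding=ROUND_HALF_UP)


def parallel_simulation(invoices, tolerance=Decimal("0.01")):
    """Exception report: invoices whose recorded total differs from the auditor's recomputation."""
    exceptions = []
    for inv in invoices:
        expected = recompute_total(inv)
        recorded = Decimal(inv["system_total"])
        if abs(recorded - expected) > tolerance:
            exceptions.append({"id": inv["id"], "expected": expected,
                               "recorded": recorded, "difference": recorded - expected})
    return exceptions


if __name__ == "__main__":
    for e in parallel_simulation(INVOICES):
        print(f'{e["id"]}: expected {e["expected"]}, recorded {e["recorded"]}, diff {e["difference"]}')
```

Decimal arithmetic is used so that the auditor's figure is exact to the cent; a float recomputation would itself generate spurious exceptions. INV-3 (an undocumented extra discount) and INV-4 (tax charged on a tax-exempt sale) are the two exceptions the report should list.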
Risk-Based Framework
Steps to determine where and what to audit:
Identify fraud and errors (threats) that can occur that affect each objective; and assess
the probability and impact of the risk occurring
Determine effect of control weaknesses and identify and recommend control procedures
that should be in place
Project Initiation
Project assignment
Project announcement
Opening meetings
Risk Assessment
Scope answers the question what will be audited. It delineates the boundaries of the
audit.
Audit Program
Includes:
Pilot Sites
Entry Meetings
Gather Evidence
Standards of Evidence
Types of Evidence
No surprises approach
Findings
Condition: what is
Effect: so what
Supervisory Review
Validation of evidence
Closing Conferences
No surprises approach
Buy-in
Drafting Reports
Validate facts
Management Response
Final Reports
Publish Reports
Transparency
Follow-up - Activities
Audit Consistency
Fault tolerant design; file backup and recovery; and disaster recovery
Preventive maintenance
Control Tests
Review information security and disaster recovery plans and results of tests
Computer Processing
Control Procedures
Supervision
Control Tests
Source Data
Control Procedures
Control Tests
Data Files
Control Procedures
Off-site backup
Control Tests
Control Procedures
System documentation
Control Tests
Verify license agreements and test for management authorization for program
development and acquisition
The critical network devices such as routers, switches and modems protected from physical
damage; and configuration and inventories maintained;
The network operation monitored for any security irregularity and formal procedures in place
for identifying and resolving security problems.
Physical access to communications and network sites controlled and restricted; and
communication and network systems controlled and restricted to authorized individuals.
Network diagnostic tools (e.g., spectrum analyzer, protocol analyzer) used on a need basis.
Firewalls to isolate an organisation's data network from any external network and to limit
network connectivity from unauthorised use.
All firewalls subjected to thorough vulnerability testing prior to being put to use and
regularly thereafter.
The internal network of the organization physically and logically isolated from the Internet and
any other external connection.
All web servers for access by Internet users isolated from other data and host servers and
procedures established for allowing connectivity of the computer network or computer system
to any outside system or network
Networks that operate at varying security levels isolated from each other
The suitability of new hardware/software assessed before connecting the same to the
organization's network.
The network should be monitored, and any unusual activity or pattern of access should be
followed up and investigated promptly.
The system must include a mechanism (e.g., intrusion detection system) for alerting the
Network Administrator of possible breaches in security, e.g., unauthorised access, virus
infection and hacking.
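A minimal version of the alerting mechanism described in the last control test, as an added Python example (not an actual intrusion detection product): it parses constructed sshd-style log lines, raises an alert when one source address produces five failed logins inside a minute, and raises a second, higher-priority alert if a login from that source then succeeds within ten minutes of the burst. The log format, the thresholds and the addresses (documentation ranges) are all constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log excerpt (not real traffic); addresses are from documentation ranges.
LOG = """\
2024-03-01T08:00:01 host sshd[410]: Failed password for invalid user admin from 203.0.113.5 port 50011 ssh2
2024-03-01T08:00:03 host sshd[410]: Failed password for invalid user admin from 203.0.113.5 port 50012 ssh2
2024-03-01T08:00:05 host sshd[410]: Failed password for root from 203.0.113.5 port 50013 ssh2
2024-03-01T08:00:07 host sshd[410]: Failed password for root from 203.0.113.5 port 50014 ssh2
2024-03-01T08:00:09 host sshd[410]: Failed password for jsmith from 203.0.113.5 port 50015 ssh2
2024-03-01T08:00:30 host sshd[412]: Accepted password for jsmith from 203.0.113.5 port 50016 ssh2
2024-03-01T08:05:00 host sshd[420]: Failed password for jsmith from 198.51.100.7 port 40001 ssh2
2024-03-01T08:20:00 host sshd[425]: Accepted password for jsmith from 198.51.100.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(\S+) \S+ sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port"
)


def parse(log_text):
    """Return (timestamp, outcome, user, source) tuples for lines that match the format."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, outcome, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), outcome, user, src))
    return events


def detect(events, threshold=5, window=timedelta(seconds=60), follow=timedelta(minutes=10)):
    """Sliding-window count of failures per source; flag bursts and a success right after one."""
    recent_failures = defaultdict(deque)  # source -> timestamps inside the window
    burst_at = {}                          # source -> time the burst alert fired
    alerts = []
    for ts, outcome, user, src in sorted(events):
        if outcome == "Failed":
            q = recent_failures[src]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and src not in burst_at:  # one alert per burst
                burst_at[src] = ts
                alerts.append({"type": "failed_login_burst", "source": src,
                               "count": len(q), "at": ts.isoformat()})
        elif src in burst_at and ts - burst_at[src] <= follow:
            alerts.append({"type": "success_after_burst", "source": src,
                           "user": user, "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for a in detect(parse(LOG)):
        print(a)
```

The single failure from the second address does not cross the threshold, so only the first address produces alerts; the "success after burst" case is the one to route to the network administrator first, since it suggests the guessing worked.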
Audit program
Whether services of other auditors and experts were used and their contributions
Management response
Audit documentation with document identification and dates (your cross-reference of
evidence to audit step)
IT Audit
Risks
Objective
Scope
Audit program
What
How
SysTrust
The SysTrust review encompasses a combination of the following principles:
Security: The system is protected against unauthorized access (both physical and logical).
Availability: The system is available for operation and use as committed or agreed.
WebTrust
The WebTrust certification can fall into the following four categories:
WebTrust. The scope of the engagement includes any combination of the trust principles and
criteria.
WebTrust Online Privacy. The scope of the engagement is based upon the online privacy
principle and criteria.
WebTrust Consumer Protection. The scope of the engagement is based upon the
processing integrity and relevant online privacy principles and criteria.
WebTrust for Certification Authorities. The scope of the engagement is based upon
specific principles and related criteria unique to certification authorities.
Trust Services
Trust Services are defined as:
A set of professional assurance and advisory services based on a common framework (i.e., a
core set of principles and criteria) to address the risks and opportunities of IT.
In the development of Trust Services the objective was to establish a core set of principles and
related criteria for key areas related to IT, e-commerce, e-business, and systems. These form
the measurement basis for the delivery of the related service(s).
Policies
Communications
Procedures
The entity has defined and documented its policies relevant to the particular principle.
The entity uses procedures to achieve its objectives in accordance with its defined
policies.
Monitoring
The entity monitors the system and takes action to maintain compliance with its defined
policies
Exercise 12-1
Key Terms
CA WebTrust
Fraud triangle
IT auditing
Parallel simulation
Risk-based audit
Test data
Trust services
Learning Objectives
After reading this chapter you will:
Describe the roles of accountants, analysis teams, and steering committees in systems studies
Discuss why systems analysts must understand the strategic goals and operations of a
company
Be familiar with the deliverables in systems analysis work, especially systems analysis report
Create a plan to complete the analysis and design phases of a systems study
Describe the costs, benefits, tools, and techniques associated with systems design work
Be familiar with the activities required to implement and maintain a large information system
Systems study team performs preliminary investigation of existing system and develops
strategic plans for the remainder of the study
Design changes that eliminate (or minimize) current systems weak points while
preserving its strengths
Analysis
Design
Acquire resources for new system; train new or existing employees; conduct follow-up
studies to identify problems; and maintain the system correct minor flaws and update
system as required
Systems that do not meet users' needs cause frustration, resistance and even sabotage
Systems that are not flexible enough to meet business requirements are ultimately scrapped
Cost overruns
System Analysis
Examine system in depth
Data gathering
Data structure: how data elements will be organized into logical records
Constraints description
Controls to reduce risk of errors and irregularities in the input, processing and output stages
Make-or-Buy
RFP Evaluation consider each of the proposed systems:
Performance capability
Cost / Benefit
Maintainability
Vendor support
Maintenance
Backup systems
System Implementation
Physical site
Functional changes
Train personnel
User satisfaction
Key Terms
Change management
Critical path
Make-or-buy decisions
RFP evaluation
Scope creep
Structured design
System maintenance
Systems analysis
Systems implementation
Turnkey system
What-if analysis
Know why XBRL is important to financial reporting and EDI is important to AISs
Understand some examples of cloud computing and the difference between business-to-consumer and B2B e-commerce
Know why businesses use firewalls, proxy servers and encryption; and understand digital
signatures and time-stamping techniques
Understand the differences among various types of accounting and enterprise software
Be able to explain how the various functions work in ERPs; and understand the architecture
and use of a centralized database in ERPs
Be able to describe the relationship between business process re-engineering and ERP
implementation
Recognize when an organization needs a new AIS and the process to select an ERP
Supports general financial reporting and the exchange of financial information between
trading partners
XML tags actually describe the data rather than simply indicate how to display it.
HTML: <b>$1,000,000</b> displays as a bold $1,000,000
XML: <SalesRevenue>$1,000,000</SalesRevenue> names the data item itself
XBRL
Advantages
Uniquely defines the data: even if it is reported in several places it always has the same tags
Disadvantages
Goes beyond e-commerce and deep into the processes and cultures of an
enterprise. Includes: email, soliciting vendor bids, e-payments, electronic
exchange of data, and a host of cloud-computing services
E-commerce
Buying and selling of goods and services electronically between businesses, business
and government, business and customer
Electronic Business
Electronic Data Interchange (EDI)
E-Payment
Software application (customer or vendor side) to store consumers' info (e.g. credit card
numbers)
E-Wallets
E-Commerce
Definition:
A type of business model, or segment of a larger business model, that enables a firm or
individual to conduct business over an electronic network, typically the internet.
Attributes:
Allows customers to create own order forms, shipping labels, and payment documents
Discussion
E-commerce creates opportunities and risks.
Business-to-Business (B2B)
Business buying and selling goods and services to each other over the Internet
Real-time data
Cloud Computing
Purchase of computing services over the Internet
Processing services
Backup services
Educational service
Payroll services
Advantages
Speed
Pay as you go
Reactive: able to detect potential intrusions dynamically, log off potentially
malicious users, and even reprogram the firewall to block further messages from the suspected
source
Each user is assigned a unique account code that identifies the external entity and
authenticates subsequent transactions
Create a VAN
From scratch
Proxy servers
A network server and software that creates a transparent gateway to and from the
Internet and controls Web access
Data Encryption
Public key encryption requires each party to use a pair of public/private encryption
keys
Digital Time-Stamping
Specialized AISs
Accounting
Finance
Supply chain
Strategic planning
Customer relationship
Human resources
SAP Modules
Improved flow of information: stored in a centralized database and accessible by
all areas of the organization (i.e., Sales enters data about a customer and the info is
automatically available to Accounting for invoicing)
Data conversion
Key Terms
B2B e-commerce
BI tools
Domain address
Encryption key
Enterprise software
Proxy server
TCP/IP, URL