
AC2104 Seminar Group 1

Seminar 11
Presentation 8
Chia Wei Ying, Ho Chan Keen, Ng Wei Nicodemus, Toh Xin Lin
Part A
(a) Are there IT-related issues that could facilitate
the fraud?
(b) What audit tests may be performed on the
processes and IT systems to detect the fraud?
(c) In light of your findings, what
recommendations might you suggest to
improve both manual and IT systems internal
controls?

The Fraud

Control of the new payroll software is turned over to Payroll -> first payroll run on the new system -> IT manager increases his own annual pay by $5,000
(a) Are there IT-related issues that could facilitate the fraud?

1. The IT manager had global access to all aspects of the payroll software, including
employee additions, pay rate changes and employee benefits changes.
Consequences
• No segregation of duties: the IT manager could authorise, execute and record payroll
changes on his own, which is what made the fraud possible.
• His supervisory access let him enter the system and edit his own annual pay without
being detected.

2. There was no detailed reconciliation between the output of the old system and the
output of the new system to confirm that both systems produce identical results.

Consequences
• This provided the opportunity for the IT manager to use his
supervisory access to increase his annual pay by $5,000 without
detection.

3. The payroll department did not perform a detailed test comparing the payroll data in
the new system with the records it holds, such as employment contracts.
o The payroll supervisor assumed employees would report discrepancies in their rate of
pay or deductions, but an employee whose pay is overstated is unlikely to report it.

Consequences
• This gave the IT manager the opportunity to commit the fraud by
overstating his own pay without detection.

(b) What audit tests may be performed on the processes and IT systems to detect the fraud?

Type of audit test: Test of controls over data
● Test whether the IT system allows only authorised personnel (the payroll supervisor) to
edit pay rates, and not unauthorised personnel such as the IT manager.
● Inspect the list of authorised users to confirm it contains only personnel who should
have access.
● Key in the access codes of unauthorised personnel and confirm that the system rejects
them.

Type of audit test: Inspection of output data
● The auditor obtains the old system's output from the payroll department and compares
it with the new system's output to confirm that both sets of data are identical.
Type of audit test: Enquiry
● Enquire whether the payroll supervisor tested the payroll data in the IT system before
the first payroll run to confirm that it matched the records held by the payroll
department.

Type of audit test: Inspection of employees' salary information
● Inspect annual performance review documents and employment contracts / letters of
promotion or salary increase for evidence of pay rate changes, and compare them with the
data in the IT system.
● Perform substantive analytical procedures comparing periodic payrolls (fortnightly or
yearly) and obtaining explanations for fluctuations. Before this, the auditor should
establish an appropriate base payroll (data from the old system) to which the other
payrolls are compared, by undertaking tests of controls.
Type of audit test: Inspection of exception report
● The auditor inspects the exception report listing all changes to payroll data and checks
that every salary change was approved by the payroll department, evidenced by signature
or initials. This assumes the IT system can generate an exception report.
● Exception reports can also be matched to employment contracts / annual performance
review documents to verify changes in salaries.

Type of audit test: Controlled processing (output)
● The auditor establishes control over the client's input (the payroll department's
records of input data) and independently calculates key processing results (e.g. total
payroll). The auditor keeps control over the computer processing and output, and compares
the computer output with the independently calculated results.
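The "inspection of output data" and "controlled processing" tests above, and the financial-totals reconciliation recommended in part (c), can be scripted. The following is an added example and is not part of the seminar slides: the two payroll registers are constructed, and the field names (employee_id, annual_pay) are assumptions. It compares control totals first and then reconciles line by line, and includes a third constructed register showing why totals alone are not enough.

```python
"""Reconcile the old payroll system's final output with the new system's first run.

Added example; it is not part of the seminar slides. The payroll registers
below are constructed, and the field names (employee_id, annual_pay) are
assumptions. In practice the auditor loads the last register produced by the
old system and the first produced by the new one, e.g. from CSV exports.
"""
from decimal import Decimal

# Constructed: final register from the old system.
OLD_SYSTEM = [
    {"employee_id": "E001", "annual_pay": Decimal("48000.00")},
    {"employee_id": "E002", "annual_pay": Decimal("52000.00")},
    {"employee_id": "E003", "annual_pay": Decimal("95000.00")},  # the IT manager
    {"employee_id": "E004", "annual_pay": Decimal("61000.00")},
]

# Constructed: first register from the new system, with E003 raised by $5,000.
NEW_SYSTEM = [
    {"employee_id": "E001", "annual_pay": Decimal("48000.00")},
    {"employee_id": "E002", "annual_pay": Decimal("52000.00")},
    {"employee_id": "E003", "annual_pay": Decimal("100000.00")},
    {"employee_id": "E004", "annual_pay": Decimal("61000.00")},
]

# Constructed: the same $5,000 increase hidden behind an offsetting cut to E004,
# so that the financial total still agrees with the old system.
NEW_SYSTEM_OFFSET = [
    {"employee_id": "E001", "annual_pay": Decimal("48000.00")},
    {"employee_id": "E002", "annual_pay": Decimal("52000.00")},
    {"employee_id": "E003", "annual_pay": Decimal("100000.00")},
    {"employee_id": "E004", "annual_pay": Decimal("56000.00")},
]


def control_totals(rows):
    """Record count, financial total and a hash total over employee numbers."""
    return {
        "record_count": len(rows),
        "total_annual_pay": sum((r["annual_pay"] for r in rows), Decimal("0")),
        "hash_total_ids": sum(int(r["employee_id"].lstrip("E")) for r in rows),
    }


def totals_agree(old_rows, new_rows):
    """The application-level check: do the two systems' control totals match?"""
    return control_totals(old_rows) == control_totals(new_rows)


def reconcile(old_rows, new_rows):
    """Line-by-line comparison keyed on employee_id.

    Returns (kind, employee_id, old_pay, new_pay) tuples for every employee whose
    pay differs or who appears on only one side. Every tuple must be traced to an
    approved change document before the first live run is accepted.
    """
    old = {r["employee_id"]: r["annual_pay"] for r in old_rows}
    new = {r["employee_id"]: r["annual_pay"] for r in new_rows}
    exceptions = []
    for eid in sorted(set(old) | set(new)):
        if eid not in old:
            exceptions.append(("added_in_new", eid, None, new[eid]))
        elif eid not in new:
            exceptions.append(("missing_in_new", eid, old[eid], None))
        elif old[eid] != new[eid]:
            exceptions.append(("pay_changed", eid, old[eid], new[eid]))
    return exceptions


if __name__ == "__main__":
    for label, new_rows in (("new system", NEW_SYSTEM), ("offsetting edit", NEW_SYSTEM_OFFSET)):
        print(f"{label}: totals agree = {totals_agree(OLD_SYSTEM, new_rows)}")
        for exc in reconcile(OLD_SYSTEM, new_rows):
            print("  ", exc)
```

The financial total catches the plain $5,000 increase, but the offsetting register passes the totals check and is only caught by the line-by-line reconciliation; both checks are therefore needed before the first live run.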
(c) In light of your findings, what recommendations might you suggest to improve both manual and IT systems internal controls?

Type of control: General controls - Segregation of duties
● Operations and system development functions within the IT department are incompatible
and should be kept separate.
● The IT manager, who knows how the accounting systems and applications operate and how
programs are modified, should not be permitted to access data files such as the payroll.
● The IT manager should be responsible only for supervising data-processing staff.
● Similarly, those with access to the payroll data files and payroll system, such as the
payroll supervisor, should not have knowledge of operating the accounting system and
applications or of modifying programs.
Type of control: General controls - Controls over data
● Restrict access to data files so that only authorised personnel can reach them. Once
control is turned over to the Payroll Department, the IT manager's authorisation to access
data files in the software should be removed automatically. User IDs and passwords should
be set up to restrict access to authorised operations personnel such as the payroll
supervisor.
● Use of system software by system programmers should be monitored to prevent bypass of
automated access controls. Systems security software can be implemented to monitor access
to data files and prevent unauthorised access, and to generate management reports of
unauthorised access attempts for follow-up and investigation.
● The files the IT manager uses when testing programs should be copies of the original
files, never live data files.
Type of control: General controls - Controls over data
● Any change to master files should be documented in an exception report and require
approval, so that every change made is authorised and signed for.

Type of control: Application control
● Reconcile financial totals of the payroll data from the old and new systems before
running the first payroll in the new system.

Type of control: Manual control
● The payroll department should conduct a detailed test comparing the payroll data in the
new payroll system with the records it holds, such as employment contracts.
Part B
(a) Are there IT-related issues that could facilitate
the fraud?
(b) What audit tests may be performed on the
processes and IT systems to detect the fraud?
(c) In light of your findings, what
recommendations might you suggest to
improve both manual and IT systems internal
controls?

The Fraud

Credit manager overrides the company policy of a credit limit of 10% (of salary) so as to buy an engagement ring -> avoids instructing the AR clerk to follow up on his account for months -> writes off his remaining account balance using the IT system
(a) Are there IT-related issues that could facilitate the fraud?

1. There is no system access control over employee transaction data, and the credit
manager is given the access and the responsibility to approve his own increased credit
limit.

Consequences
• This allowed the credit manager to override company policy and obtain a credit limit
exceeding 10% of his current salary for his own credit card.
2. There is no automated procedure in the IT system that gives the AR clerk the AR
past-due report to perform follow-up procedures.
o The credit manager is responsible for reviewing the AR past-due report and instructing
the AR clerk which customer accounts to follow up.

Consequences
• The credit manager could withhold his own account from the AR clerk and avoid any
follow-up on it, so the overdue balance went undetected for several months.
3. There is no system access control over employee transaction data, and the credit
manager is given the access and the responsibility to write off the remaining balance on
his own account. There is also no rule in the IT system to determine whether an account
balance is eligible for write-off.
o The credit manager determines which accounts should be written off and processes the
necessary adjustments through the IT system.

Consequences
• This allowed the credit manager to write off his own account balance in the IT system
and make the adjustments needed to prevent the fraud being detected.
(b) What audit tests may be performed on the processes and IT systems to detect the fraud?

Type of audit test: Inspection of documents (credit limit)
● Sample employee transactions (sales invoices) and match them to the sales journal,
credit limit documents and approvals of accounts receivable written off, to detect whether
the personnel recording and authorising the transactions are the same person or related.
● Use data analytics to match all employee transactions to documents and identify
correlated fields such as employee numbers. This also lets the auditor test the full
population of employee transactions.
Type of audit test: Test of controls over data
● Test the access control that stops employees from reaching their own transactions: key
in employees' access codes against their own transactions and confirm the system rejects
them.
● Test whether the IT system allows only authorised personnel (the AR clerk) to record in
the system, and not unauthorised personnel such as the credit manager.
● Inspect the list of authorised users to confirm it contains only personnel who should
have access. Key in the access codes of unauthorised personnel and confirm the system
rejects them.
Type of audit test: Enquiry on credit-limit increase policy
● Enquire about the policies on increases in credit limits, which may specify the method
the entity uses to assess a customer's creditworthiness.
● Select a sample of accounts with higher credit limits approved by the credit manager and
check whether he changed the limits in line with established policy, by reperformance or
by inspecting the documented rationale.
Type of audit test: Inspection of documents (AR documents)
● Inspect the AR past-due report generated by the system and compare it with the list or
correspondence in which the credit manager instructs the AR clerk which accounts to follow
up. The auditor investigates AR balances that are due for payment but have not been
followed up.

Type of audit test: Test data
● Submit simulated transactions with credit limits above 10% (of salary) to determine
whether the IT system has sufficient controls to flag them and report them on the
exception report. Accounts on the exception report are then investigated further. Such a
control also deters overriding of the policy.
Type of audit test: Enquiry on write-off policy
● Enquire about the bad-debt write-off policy, which may specify how the entity writes off
customers' accounts receivable based on days overdue and the balance amount.
● Select a sample of accounts written off by the credit manager and check whether the
write-offs follow established policy, by reperformance or by inspecting the documented
rationale.
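The full-population data analytics, limit test and past-due comparison described in the tests above, which also form the limit-test exception report recommended in part (c), can be run as one script. The following is an added example and is not part of the seminar slides: every record is constructed, the field names are assumptions, and the policy ceiling of 10% of monthly salary is taken from the case.

```python
"""Data-analytics tests over the full population of employee credit-account data.

Added example; it is not part of the seminar slides. Every record below is
constructed and the field names are assumptions. On a real engagement the
inputs would be exports of the credit-limit file, the AR past-due report, the
credit manager's follow-up instructions and the write-off journal. The policy
ceiling follows the case: a limit may not exceed 10% of monthly salary.
"""
from decimal import Decimal

POLICY_LIMIT_RATIO = Decimal("0.10")

# Constructed master data: employee number -> monthly salary. E300 is the credit manager.
EMPLOYEES = {"E100": Decimal("4000"), "E200": Decimal("5500"), "E300": Decimal("6000")}

# Constructed credit-limit records: account owner and approver are both employee numbers.
CREDIT_LIMITS = [
    {"account": "A1", "owner": "E100", "approved_by": "E300", "limit": Decimal("400")},
    {"account": "A2", "owner": "E200", "approved_by": "E300", "limit": Decimal("500")},
    {"account": "A3", "owner": "E300", "approved_by": "E300", "limit": Decimal("3000")},
]

# Constructed system-generated past-due report, and the accounts the credit
# manager actually told the AR clerk to chase.
PAST_DUE = [
    {"account": "A2", "balance": Decimal("120"), "days_overdue": 45},
    {"account": "A3", "balance": Decimal("2950"), "days_overdue": 120},
]
FOLLOW_UP_INSTRUCTED = {"A2"}

# Constructed write-off journal: who authorised, who keyed the adjustment.
WRITE_OFFS = [
    {"account": "A3", "owner": "E300", "authorised_by": "E300",
     "recorded_by": "E300", "amount": Decimal("2950")},
]


def self_approved_limits(limits):
    """Limits where the approver is the account owner (authorising own transaction)."""
    return [r["account"] for r in limits if r["approved_by"] == r["owner"]]


def limit_exceptions(limits, employees):
    """Limit test: accounts whose credit limit exceeds 10% of the owner's monthly salary."""
    findings = []
    for r in limits:
        ceiling = employees[r["owner"]] * POLICY_LIMIT_RATIO
        if r["limit"] > ceiling:
            findings.append({"account": r["account"], "limit": r["limit"], "ceiling": ceiling})
    return findings


def past_due_not_followed_up(past_due, instructed):
    """Past-due accounts that never reached the AR clerk's follow-up list."""
    return [r["account"] for r in past_due if r["account"] not in instructed]


def write_off_sod_violations(write_offs):
    """Write-offs where authorising, recording and account ownership are not separated."""
    findings = []
    for w in write_offs:
        reasons = []
        if w["authorised_by"] == w["recorded_by"]:
            reasons.append("same person authorised and recorded")
        if w["owner"] in (w["authorised_by"], w["recorded_by"]):
            reasons.append("account owner handled own write-off")
        if reasons:
            findings.append({"account": w["account"], "reasons": reasons})
    return findings


def exception_report():
    """Run every test over the whole population; each non-empty list is a finding."""
    return {
        "self_approved_limits": self_approved_limits(CREDIT_LIMITS),
        "limit_exceptions": limit_exceptions(CREDIT_LIMITS, EMPLOYEES),
        "past_due_not_followed_up": past_due_not_followed_up(PAST_DUE, FOLLOW_UP_INSTRUCTED),
        "write_off_sod_violations": write_off_sod_violations(WRITE_OFFS),
    }


if __name__ == "__main__":
    for test, findings in exception_report().items():
        print(f"{test}: {findings}")
```

Each test flags account A3 for a different reason, which is the point of running them together: a self-approved limit, a limit over policy, an overdue balance kept off the follow-up list and a write-off authorised, recorded and owned by the same person are four independent signals of the same fraud. Limits exactly at the ceiling are deliberately not flagged, since the policy is stated as a maximum.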
(c) In light of your findings, what recommendations might you suggest to improve both manual and IT systems internal controls?

Type of control: IT controls - General controls - segregation of duties, controls over data
● Access to accounting records in the IT system should be restricted, and the recording
and authorising functions segregated. Only the authorised personnel in charge of recording
should have access to the data and be able to make the necessary adjustments; this
includes the AR clerk but not the credit manager, who is in charge of authorisation.
● The credit manager should not be able to make adjustments in the IT system and should
only be able to authorise write-offs of accounts. He then cannot both authorise and
record a write-off on his own.
Type of control: IT controls
● The system should automatically prompt the AR clerk to follow up accounts on the AR
past-due report, instead of relying on instructions from the credit manager.
● This prevents the credit manager from withholding information from the AR clerk to
conceal fraud.
Type of control: Application control
● Implement a limit test in the IT system that identifies any credit limit exceeding 10%
of the customer's monthly salary and produces an exception report for investigation.
● Any limit granted above 10% of monthly salary is referred to the CFO for investigation.
● The credit manager should also record his rationale for approving higher credit limits
with reference to the company's established policy, so that the CFO can review the
exception report and investigate unusual limits.
Type of control: Controls over data
● Employee transactions should be clearly distinguished from other transactions.
● Employee transactions should be processed and approved separately by an independent
employee or higher authority, e.g. the CFO. Access controls should stop employees from
accessing their own transaction records, such as credit limit documents, the sales journal
and approvals of AR write-offs.
● Systems security software can be implemented to monitor access to data files and
prevent unauthorised access, producing management reports of unauthorised access attempts
for follow-up and further investigation.
Type of control: IT controls
● There should be an established company policy on the amounts that may be written off.
From the AR past-due report, the system could then calculate the amount eligible for
write-off against the criteria in that policy.
● The credit manager should also record his rationale for approving write-offs with
reference to the company's established policy, so that the CFO can review and investigate
unusual write-offs.
Part C
Based on one or more media articles, briefly
discuss a real-life case (within the past three
years) in which a company experienced a
breach of cyber security. Identify the cause(s)
and impacts of the breach, where possible.
Include relevant references at the end of your
presentation slides.

Tesco Bank Cyber Security Breach

Summary of article

● Attackers used an algorithm that generated valid debit card numbers and used them to
make unauthorised card transactions.
● The attack did not involve loss or theft of personal data, but the attackers amassed
£2.26m.
● Tesco Bank found out about the attack after 21 hours, once its systems started asking
customers to call about the suspicious activity.
● Its fraud strategy team identified the primary channel and source of the attack and put
a rule in place to block the transactions.
  ○ However, Tesco Bank failed to monitor the rule.
  ○ The rule contained errors and was rendered ineffective.
Causes of Breach

Cause: Weak controls
● Tesco debit cards were poorly designed and controlled. The bank never intended the cards
to be used for contactless MSD (magnetic-stripe-data) transactions, yet allowed that use.
● The debit cards were issued with sequential PANs (primary account numbers), which let the
attackers predict valid card numbers easily.
● Tesco's IT systems did not check the exact card expiry date, allowing the fraud to go
undetected. The fraud analysis management system was also configured at account level
rather than card level.
● Transactions on previously replaced debit cards were not programmed into the fraud
analysis system.
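Why sequential PANs are a weak control can be shown with a few lines of code. The following is an added example and is not taken from the articles the slides cite: the last digit of a PAN is a Luhn check digit (ISO/IEC 7812) that anyone can compute, so once an attacker holds one valid card number from a sequentially issued range, every neighbouring number is a well-formed card. The starting PAN is constructed from a test prefix and is not a real card, and the 9-digit account field is an assumption about the issuer's numbering.

```python
"""Why sequentially issued PANs are guessable.

Added example; it is not from the articles the slides cite. The last digit of
a PAN is a Luhn check digit (ISO/IEC 7812), which anyone can compute, so an
issuer that assigns account numbers in sequence hands an attacker every valid
neighbour of any one card. The starting PAN below is constructed from a test
prefix and is not a real card; the 9-digit account field is an assumption.
"""


def luhn_check_digit(partial):
    """Luhn check digit for a PAN given all digits except the last."""
    total = 0
    # Walk from the right; the digit adjacent to the check digit is doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(pan):
    """True if the PAN's last digit is its correct Luhn check digit."""
    return pan.isdigit() and luhn_check_digit(pan[:-1]) == int(pan[-1])


def sequential_neighbours(pan, count):
    """The next `count` PANs an issuer assigning account numbers in sequence would produce.

    Assumes the last 9 digits before the check digit are the account field.
    """
    body = pan[:-1]
    prefix, account = body[:-9], int(body[-9:])
    neighbours = []
    for n in range(1, count + 1):
        candidate = f"{prefix}{account + n:09d}"
        neighbours.append(candidate + str(luhn_check_digit(candidate)))
    return neighbours


def valid_fraction(pans):
    """Share of a candidate list that passes the check-digit test."""
    return sum(luhn_valid(p) for p in pans) / len(pans)


if __name__ == "__main__":
    start = "4000000000000002"  # constructed test-range PAN, not a real card
    # Sequential issuance: every predicted neighbour is a well-formed card number.
    print(valid_fraction(sequential_neighbours(start, 1000)))
    # Blind guessing of the last 10 digits: only one candidate in ten is well-formed.
    print(valid_fraction([start[:6] + f"{k:010d}" for k in range(1000)]))
```

The check digit protects against typing errors, not against guessing; what makes a card number hard to predict is an unpredictable account field, and what stops a predicted number being used is a card-level check of the expiry date (and CVV) at authorisation, which is exactly the control the slides note was missing.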
Cause: Poor risk management
● The bank did not take sufficient account of financial crime risks in designing its debit
cards. Visa and MasterCard had warned members about this particular risk, but the bank
acted only to block the transactions on its credit cards, not its debit cards.

Cause: Slow response time
● The financial crime operations team did not contact the fraud strategy team for 21
hours, during which nothing was done to stop the attack, which continued. This
exacerbated the scale of the attack.

Cause: Poor and inadequate response
● The fraud strategy team eventually identified the primary channel and source of the
attack and put a rule in place to block the transactions, but failed to monitor it; in
fact the rule was ineffective because of a mistake in it. This also prolonged the attack.
Impacts of Breach

1. Affected party: Tesco Bank
• Attackers managed to steal £2.26m from various bank accounts.
• The FCA found that, although the bank's controls stopped around 80% of the unauthorised
transactions, the attack affected over 9,000 accounts.
• The charges and interest the bank applied led to many unpaid direct debits.
• The fine would have been over £33 million, but was reduced by 30% for mitigation credit
and a further 30% discount for early settlement. The FCA fined Tesco Personal Finance plc
£16,400,000.
• Tesco Bank refunded each customer account in full, and no customer data was lost or
stolen.

2. Affected party: Tesco Bank customers
• Bank transactions were disrupted for 48 hours.
• Affected customers received texts in the middle of the night, faced embarrassment when
unable to use their cards, and long queues when calling the bank for help.
References

Tesco Bank's Cyber Attack: A Series of Unfortunate Events?
https://www.lexology.com/library/detail.aspx?g=18490a29-c9bf-461d-906d-c890c5c9f348

Tesco Bank cyber attack involved guesswork, study claims:
https://www.theguardian.com/technology/2016/dec/02/tesco-bank-cyber-attack-involved-simply-guessing-details-study-claims

Tesco Bank cyber-thieves stole £2.5m from 9,000 people:
https://www.theguardian.com/business/2016/nov/08/tesco-bank-cyber-thieves-25m