-
stewardship
the careful and responsible oversight and use of the assets entrusted to management.
-
code of ethics
a standard of employee conduct paired with internal controls to prevent and detect fraud.
-
fraud
the theft, concealment, and conversion to personal gain of another's money, physical assets, or information.
-
misappropriation of assets
also referred to as defalcation or internal theft; theft of any item of value, most commonly dealing with cash or property.
-
fraud triangle
the three conditions that enable fraud to be perpetrated, consisting of incentive to commit fraud; opportunity to commit fraud; and the rationalization of fraudulent action.
-
employee fraud
fraud conducted by non-management employees; usually involves the theft of cash or assets for personal gain.
-
kickback
cash payment that the vendor gives the employee in exchange for a sale; often thought of as a business bribe.
-
skimming
occurs when an organization's cash is stolen before it is entered into the accounting records.
-
larceny
the theft of cash after it has been recorded in accounting records.
-
collusion
occurs when two or more people work together to commit a fraud.
-
customer fraud
occurs when a customer improperly obtains cash or property from a company, or avoids a liability through deception.
-
credit card fraud & check fraud
involve the customer's use of stolen or fraudulent credit cards and checks.
-
refund fraud
occurs when a customer tries to return stolen goods to collect a cash refund.
-
vendor fraud
occurs when vendors obtain payments to which they are not entitled.
-
vendor audits
the examination of vendor records in support of amounts charged to the company.
-
industrial espionage
the theft of proprietary company information, by digging through the trash of the intended target company.
-
software piracy
the unlawful copying of software programs.
-
salami technique
altering a program to slice a small amount from several accounts and then crediting those small amounts to the perpetrator's benefit.
-
trojan horse program
a small, unauthorized program within a larger, legitimate program, used to manipulate the computer system to conduct a fraud.
-
trap door alteration
a valid programming tool that is misused to commit fraud.
-
hacking
the term commonly used for computer network break-ins.
-
denial of service attack
intended to overwhelm an intended target computer system with so much bogus network traffic that the system is unable to respond to valid network traffic.
-
spoofing
occurs when a person, through a computer system, pretends to be someone else.
-
Sarbanes-Oxley Act of 2002
intended to reform the accounting, financial reporting, and auditing functions of companies that are publicly traded on stock exchanges.
-
preventative controls
designed to avoid errors, fraud, or events not authorized by management.
-
detective controls
controls that help employees uncover or discover errors, fraud, or unauthorized events.
-
corrective controls
those steps undertaken to correct an error or problem uncovered via detective controls.
-
Committee of Sponsoring Organizations (COSO)
committee formed in 2002 to study internal controls for fraud detection and correction in response to ongoing problems with fraudulent financial reporting.
-
COSO report
identified five interrelated components of internal control: the control environment; risk assessment; control activities; information and communication; and monitoring.
-
control environment
sets the tone of an organization and influences the control consciousness of its employees.
-
control activities
the policies and procedures that help ensure that management directives are carried out and that management objectives are achieved.
-
authorization
an approval or endorsement from a responsible person or department in the organization that has been sanctioned by top management.
-
general authorization
a set of guidelines that allows transactions to be completed as long as they fall within established parameters.
-
specific authorization
requires explicit authorization in order for a single transaction to be completed.
-
segregation of duties
the separation of related duties.
-
compensating control
a type of control that lessens the risk of negative effects when other controls are lacking.
-
audit trail
verifiable information about the accuracy of accounting records.
-
cost-benefit/reasonable assurance
controls achieve a sensible balance of reducing risk when compared with the cost of the control.
-
independent checks
a method to confirm the accuracy and completeness of data in the accounting system.
-
reconciliation
a procedure that compares records from different sources.
-
batch total
a summation of key terms in a batch.
-
Control Objectives for Information Technology (COBIT)
extremely important guidance for those who design or audit IT systems.
-
Trust Services Principles
designed to be the written guidance for CPAs who provide assurance services for organizations.
-
Foreign Corrupt Practices Act (FCPA) of 1977
intended to prevent US corporations from bribing foreign officials while soliciting business.
-
information criteria
effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability.
-
IT resources
applications, information, infrastructure and people.
-
application controls
used in accounting applications to control inputs, processing, and outputs. Intended to ensure that inputs and processing are accurate and complete and that outputs are properly distributed, controlled, and disposed of.
-
validity check
a programmed input check that can examine data in a given database and alert the user to an invalid entry.
-
authentication of users
a process or procedure in an IT system to ensure that the person accessing the IT system is a valid and authorized user.
-
security token
authentication technology that plugs into a USB port, thereby eliminating the need for a card reader.
-
two-factor authentication
authentication based on two factors - something the user has and something the user knows (i.e., password and security token).
-
computer log
a complete record of all dates, times, and uses for each user account.
-
nonrepudiation
a user cannot deny any particular act that he or she did on the IT system; achieved through authentication of users.
-
authority table
a list of valid, authorized users and the access level granted to each one.
-
configuration tables
tables that contain the appropriate set-up and security settings for hardware, software, and application programs.
-
firewall
hardware, software, or a combination of both that is designed to block unauthorized access on an IT network.
-
symmetric encryption
uses a single encryption key that must be used to encrypt data and also decode it.
-
public key encryption
uses both a public key and a private key. The public key is used to encrypt the data; the private key is used to decode the encrypted data.
-
wired equivalent privacy (WEP)
depending on the equipment used, enables 64, 128 or 256 bit symmetric encryption.
-
wireless protected access (WPA)
uses improved encryption and user authentication.
-
service set identifier (SSID)
used in wireless networks; a password that is passed between the sending and receiving nodes of a wireless network.
-
virtual private network (VPN)
normally used for traveling; utilizes tunnels, authentication, and encryption over the internet to isolate communications so that unauthorized users cannot access or use certain data.
-
secure sockets layer (SSL)
a communication protocol built into web server and browser software that encrypts data transferred on that website.
-
virus
a self-replicating piece of program code that can attach itself to other programs and data and perform malicious actions such as deleting files or shutting down the computer.
-
antivirus software
continually scans a system for viruses and worms and either deletes or quarantines them.
-
worm
a small piece of program code that attaches to the computer's unused memory space and replicates itself until the system becomes overloaded and shuts down.
-
penetration testing
the process of legitimately attempting to hack into an IT system to find whether weaknesses can be exploited by unauthorized hackers.
-
IT governance committee
usually made up of top executives; charged with governing the overall development and operation of IT systems.
-
systems development life cycle (SDLC)
the systematic steps undertaken to plan, prioritize, authorize, oversee, test and implement large-scale changes to the IT system.
-
business continuity planning (BCP)
a proactive program for considering risks to the continuation of business and developing plans and procedures to reduce those risks.
-
redundant arrays of independent disks (RAIDs)
a form of redundant storage in which two or more disks are exact mirror images.
-
AICPA Trust Service Principles
security; availability; processing integrity; online privacy; and confidentiality.
-
database management system (DBMS)
a software system that manages the interface between many users and the database.
-
Local Area Network (LAN)
a computer network covering a small geographic area.
-
Wide Area Network (WAN)
a group of LANs connected to each other to cover a wider geographic area.
-
electronic data interchange (EDI)
the company-to-company transfer of standard business documents in electronic form.
-
application controls
internal controls over the input, processing, and output of accounting applications.
-
input controls
intended to ensure the accuracy and completeness of data input procedures and the resulting data.
-
processing controls
ensure the accuracy and completeness of processing in accounting applications.
-
output controls
ensure the accuracy, completeness and security of outputs that result from application processing.
-
control totals
subtotals of selected fields for an entire batch of transactions.
-
record counts
a simple count of the number of records processed.
-
batch totals
totals of financial data, such as total gross pay or total federal tax deducted.
-
hash totals
totals of fields that have no apparent logical reason to be added.
-
run-to-run control totals
the reconciliation of control totals at various stages of processing.