the careful and responsible oversight and use of the assets entrusted to management.
code of ethics
a standard of employee conduct paired with internal controls to prevent and detect fraud.
the theft, concealment, and conversion to personal gain of another's money, physical assets, or information.
misappropriation of assets
also referred to as defalcation or internal theft; theft of any item of value, most commonly dealing with cash or property.
the three conditions that enable fraud to be perpetrated, consisting of incentive to commit fraud; opportunity to commit fraud; and the rationalization of fraudulent action.
fraud conducted by non-management employees; usually involves the theft of cash or assets for personal gain.
cash payment that the vendor gives the employee in exchange for a sale; often thought of as a business bribe.
occurs when an organization's cash is stolen before it is entered into the accounting records.
the theft of cash after it has been recorded in accounting records.
occurs when two or more people work together to commit a fraud.
occurs when a customer improperly obtains cash or property from a company, or avoids a liability through deception.
credit card fraud & check fraud
involve the customer's use of stolen or fraudulent credit cards and checks.
occurs when a customer tries to return stolen goods to collect a cash refund.
occurs when vendors obtain payments to which they are not entitled.
the examination of vendor records in support of amounts charged to the company.
the theft of proprietary company information by digging through the trash of the intended target company.
the unlawful copying of software programs.
altering a program to slice a small amount from several accounts and then crediting those small amounts to the perpetrator's benefit.
trojan horse program
a small, unauthorized program within a larger, legitimate program, used to manipulate the computer system to conduct a fraud.
trap door alteration
a valid programming tool that is misused to commit fraud.
the term commonly used for computer network break-ins.
denial of service attack
intended to overwhelm an intended target computer system with so much bogus network traffic that the system is unable to respond to valid network traffic.
occurs when a person, through a computer system, pretends to be someone else.
Sarbanes-Oxley Act of 2002
intended to reform accounting, financial reporting and auditing functions of companies that are publicly traded in stock exchanges.
designed to avoid errors, fraud, or events not authorized by management.
controls that help employees uncover or discover errors, fraud, or unauthorized events.
those steps undertaken to correct an error or problem uncovered via detective controls.
Committee of Sponsoring Organizations (COSO)
committee formed in 2002 to study internal controls of fraud detection and correction in response to ongoing problems with fraudulent financial reporting.
identified five interrelated components of internal control: the control environment; risk assessment; control activities; information and communication; and monitoring.
sets the tone of an organization and influences the control consciousness of its employees.
the policies and procedures that help ensure that management directives are carried out and that management objectives are achieved.
an approval, or endorsement from a responsible person or department in the organization that has been sanctioned by top management.
a set of guidelines that allows transactions to be completed as long as they fall within established parameters.
requires explicit authorization in order for a single transaction to be completed.
segregation of duties
the separation of related duties.
a type of control that lessens the risk of negative effects when other controls are lacking.
verifiable information about the accuracy of accounting records.
controls achieve a sensible balance of reducing risk when compared with the cost of the control.
a method to confirm the accuracy and completeness of data in the accounting system.
a procedure that compares records from different sources.
a summation of key terms in a batch.
Control Objectives for Information Technology (COBIT)
extremely important guidance for those who design or audit IT systems.
Trust Services Principles
designed to be the written guidance for CPAs who provide assurance services for organizations.
Foreign Corrupt Practices Act (FCPA) of 1977
intended to prevent US corporations from bribing foreign officials while soliciting business.
effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability.
applications, information, infrastructure and people.
used in accounting applications to control inputs, processing, and outputs. Intended to ensure that inputs and processing are accurate and complete and that outputs are properly distributed, controlled, and disposed of.
a programmed input check that can examine data in a given database and alert the user to an invalid entry.
authentication of users
a process or procedure in an IT system to ensure that the person accessing the IT system is a valid and authorized user.
authentication technology that plugs into a USB port, thereby eliminating the need for a card reader.
two-factor authentication
authentication based on two factors - something the user has and something the user knows (i.e., a password and a security token).
a complete record of all dates, times, and uses for each user account.
a user cannot deny any particular act that he or she did on the IT system; achieved through authentication of users.
a list of valid, authorized users and the access level granted to each one.
tables that contain the appropriate set-up and security settings for hardware, software, and application programs.
hardware, software, or a combination of both that is designed to block unauthorized access on an IT network.
uses a single encryption key that must be used to encrypt data and also decode it.
public key encryption
uses both a public key and a private key. The public key is used to encrypt the data; the private key is used to decode the encrypted data.
wired equivalency privacy (WEP)
depending on the equipment used, enables 64, 128 or 256 bit symmetric encryption.
wireless protected access (WPA)
uses improved encryption and user authentication.
service set identifier (SSID)
used in wireless networks; a password that is passed between the sending and receiving nodes of a wireless network.
virtual private network (VPN)
normally used for traveling; utilizes tunnels, authentication, and encryption within the internet network to isolate internet communications so that unauthorized users cannot access or use certain data.
secure sockets layer (SSL)
a communication protocol built into web server and browser software that encrypts data transferred on that website.
a self-replicating piece of program code that can attach itself to other programs and data and perform malicious actions such as deleting files or shutting down the computer.
continually scans a system for viruses and worms and either deletes or quarantines them.
a small piece of program code that attaches to the computer's unused memory space and replicates itself until the system becomes overloaded and shuts down.
process of legitimately attempting to hack into an IT system to find whether weaknesses can be exploited by unauthorized hackers.
IT governance committee
usually made up of top executives; charged with governing the overall development and operation of IT systems.
systems development life cycle (SDLC)
the systematic steps undertaken to plan, prioritize, authorize, oversee, test and implement large-scale changes to the IT system.
business continuity planning (BCP)
a proactive program for considering risks to the continuation of business and developing plans and procedures to reduce those risks.
redundant arrays of independent disks (RAIDs)
a form of redundant storage in which two or more disks are exact mirror images.
AICPA Trust Service Principles
security; availability; processing integrity; online privacy; and confidentiality.
database management system (DBMS)
a software system that manages the interface between many users and the database.
Local Area Network (LAN)
a computer network covering a small geographic area.
Wide Area Network (WAN)
a group of LANs connected to each other to cover a wider geographic area.
electronic data interchange (EDI)
the company-to-company transfer of standard business documents in electronic form.
internal controls over the input, processing, and output of accounting applications.
intended to ensure the accuracy and completeness of data input procedures and the resulting data.
ensure the accuracy and completeness of processing in accounting applications.
ensure the accuracy, completeness and security of outputs that result from application processing.
subtotals of selected fields for an entire batch of transactions.
a simple count of the number of records processed.
totals of financial data, such as total gross pay or total federal tax deducted.
totals of fields that have no apparent logical reason to be added.
run-to-run control totals
the reconciliation of control totals at various stages of processing.