The flashcards below were created by user on FreezingBlue Flashcards.
Companies face four threats to their information systems:
- Natural and political disasters
- Software errors and equipment malfunction
- Unintentional acts
- Intentional acts (computer crime)
Three types of occupational fraud:
- Misappropriation of assets
- Fraudulent statements
Misappropriation of assets
Involves theft, embezzlement, or misuse of company assets for personal gain
Examples: billing schemes, check tampering, skimming, theft of inventory
Involves the wrongful use of a position, contrary to the responsibilities of that position, to procure a benefit.
Examples: kickback schemes, conflict of interest schemes
Involves misstating the financial condition of an entity by intentionally misstating amounts or disclosures in order to deceive users.
Stealing cash or a check that customer A mails in to pay its accounts receivable; funds received at a later date from customer B are then used to pay off customer A's balance, funds from customer C are used to pay off customer B, and so forth.
Creating cash by taking advantage of the timing lag between depositing a check and the check clearing the bank.
Changing data before, during, or after it is entered into the system.
Gaining control of someone else's computer to carry out illicit activities, such as sending spam without the computer user's knowledge
Logic time bomb
A program that lies idle until some specified circumstance or a particular time triggers it. Once triggered, the program sabotages the system by destroying programs or data.
The programmer instructs the computer to round down all interest rates to two decimal places. The fraction of a cent rounded down on each calculation is put into the programmer's own account
(think Office Space)
A fraud technique in which tiny slices of money are stolen from many different accounts.
The unauthorized use of a special system program to bypass regular system controls and perform illegal acts.
COSO's internal control model has five crucial components:
- Control environment
- Control activities
- Risk Assessment
- Information and communication
Expected loss equation:
- Expected loss = impact x likelihood
- (EL = I x L)
SOX Sections 302 & 906
Requires that the CEO and CFO certify the accuracy of the financial statements.
SOX Section 404
Requires that the annual report include a report on the company's internal controls
Time-based model's three variables (P, D, C)
- P = Time it takes an attacker to break through the organization's preventative controls
- D = Time it takes to detect that an attack is in progress
- C = Time to respond to the attack
Security procedures are effective when: (equation)
P > (D + C)
Connects an organization's information system to the Internet
Demilitarized zone (DMZ)
Web and email servers that sit outside the corporate private network but are still accessible from the Internet.
Two basic mechanisms for protecting consumers' personal information:
- Access controls
2 basic types of data transmission controls
- Parity checking
- Message acknowledgement
Output controls include:
- User review of output
- Reconciliation procedures
- External data reconciliation
The auditor's role in systems development should be:
- Limited to an independent review of system development activities
- Not involved in system development
- Should review policies, procedures, standards, and documentation for systems and programs
Inadequate development controls can be compensated by implementing:
Strong processing controls
Two techniques to detect unauthorized program changes:
- Parallel simulation
Auditors commonly use five concurrent audit techniques:
- Integrated test facility (ITF) technique
- Snapshot technique
- System control audit review file (SCARF)
- Audit hooks
- Continuous and intermittent simulation (CIS)
Integrated test facility (ITF) technique
Places a small set of fictitious records in the master files
Snapshot technique
Examines the way transactions are processed. Audit modules in the program record these transactions and their master file records before and after processing.
System control audit review file (SCARF)
Uses embedded audit modules to continuously monitor transaction activity and collect data.
- Records transactions that:
- - Exceed a specified dollar limit
- - Involve inactive accounts
- Flags suspicious transactions
Continuous and intermittent simulation (CIS)
- Similar to SCARF
- Processes the data independently
- Records the results
- Compares results with those obtained by the DBMS
Four basic business activities performed in the revenue cycle:
- Sales order entry
- Cash collection
Steps in the sales order entry process:
- Take the customer's order
- Check the customer's credit
- Check inventory availability
- Respond to customer inquiries
Four threats in the sales order entry process:
- Incomplete or inaccurate customer orders
- Sales to customers with poor credit
- Orders that are not legitimate
- Stockouts, carrying costs, markdowns
Bill of lading and what it identifies:
Legal contract that defines responsibility for goods in transit
- It identifies:
- - Carrier
- - Source
- - Destination
- - Special shipping instructions
- - Who pays for shipping
Two basic ways to maintain accounts receivable:
- Open-invoice method
- Balance forward method
Open-invoice method
Customers pay according to each invoice
Balance forward method
Customers pay according to amount on their monthly statement, rather than by invoice
Three basic activities performed in the expenditure cycle:
- Ordering goods, supplies, and services
- Receiving and storing these items
- Paying for these items
3 alternate approaches to inventory control:
- Economic order quantity (EOQ)
- Materials requirements planning (MRP)
- Just in time inventory (JIT)
Economic order quantity (EOQ)
Maintain enough stock so that production doesn't get interrupted
Materials requirements planning (MRP)
Reduce inventory levels by carefully scheduling production and purchasing around sales forecasts.
Just in time inventory (JIT)
Minimize or eliminate inventory by purchasing or producing only in response to actual sales (rather than forecasted)
Order processing typically begins with a:
Purchase request, followed by the generation of a purchase order
Document or electronic form that formally requests a supplier to sell and deliver specified products at specified prices. It is both a contract and a promise to pay.
Threats in the process of ordering goods include:
- Stockouts/Excess inventory
- Ordering unnecessary items
- Purchasing goods at inflated prices
- Purchasing goods of inferior quality
- Purchasing from unauthorized suppliers
Primary document used to decide whether there is a valid purchase order.
When goods arrive, a receiving clerk compares:
The PO number on the packing slip with the open PO file to verify the goods were ordered.
Voucher package consists of:
Vendor invoice and supporting documentation
Pay rate information is obtained from the:
Payroll master file.
2 types of payroll deductions:
- Payroll tax withholdings
- Voluntary deductions
Threats in the employment practices area are:
- Hiring unqualified or larcenous employees
- Violation of employment law
Proper segregation of duties in payroll:
- Only HRM department should be able to update payroll master file
- HRM employees should not directly participate in payroll processing or distribution
Basic activities in the GLARS are:
- Update the general ledger
- Post financial statements
- Prepare financial statements
- Produce managerial reports
Updating the general ledger consists of posting journal entries from 2 sources:
- Summary journal entries (routine transactions)
- Individual journal entries (non-routine transactions)
Involves an event that has occurred for which the related cash flow has not yet taken place
Involves a situation where the cash flow takes place before the related revenue is earned or the expense is incurred
Used to recognize expenses that cannot be directly attributed to a related revenue (e.g., depreciation expense or bad debt expense)
Reconciling actual and recorded values of assets
Income statements are prepared using:
balances in the revenue, expense, gain, and loss accounts listed on the adjusted trial balance.
After preparation of the income statement, all related accounts are closed and balances are transferred to retained earnings
Statement of stockholders' equity
Reconciles the changes in the stockholders' equity accounts
- Presents balances in the permanent accounts:
- - Assets
- - Liabilities
- - Owners' equity
Statement of cash flows
- Presents changes in cash for the period categorized by:
- - Operating activities
- - Investing activities
- - Financing activities
Extensible Business Reporting Language
Variant of XML designed specifically to communicate the contents of financial data.
SOX section 404
Management must report on their internal controls over financial reporting in their annual report
SOX section 301
Audit committee responsible for appointing, compensating, and overseeing work of external auditors.
SOX section 303
Unlawful for any officer or director of a public company to make financial statements materially misleading.