Chapter 1
Accounting Information Systems: An Overview
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
What Is a System?
- System
- A set of two or more interrelated components interacting to achieve a goal
- Goal Conflict
- Occurs when components act in their own interest without regard for overall goal
- Goal Congruence
- Occurs when components acting in their own interest contribute toward overall goal
Data vs. Information
- Data are facts that are recorded and stored.
- Insufficient for decision making.
- Information is processed data used in decision making.
- Too much information, however, will make it more, not less, difficult to make decisions. This is known as information overload.
Value of Information
Benefits
- Reduce Uncertainty
- Improve Decisions
- Improve Planning
- Improve Scheduling
Costs
- Time & Resources
- Produce Information
- Distribute Information
Information is worth producing when Benefit $’s > Cost $’s
What Makes Information Useful?
- Necessary characteristics:
- Relevant
- “The capacity of information to make a difference in a decision by helping users to form predictions about the outcomes of past, present, and future events or to confirm or correct prior expectations.”
- Reliable
- “The quality of information that assures that information is reasonably free from error and bias and faithfully represents what it purports to represent.”
- Complete
- “The inclusion in reported information of everything material that is necessary for faithful representation of the relevant phenomena.”
Point out to students that these characteristics are from the SFAC #2 Quality of Accounting Information (maybe have them read it). http://www.fasb.org/pdf/aop_CON2.pdf
What Makes Information Useful?
- Timely
- “Having information available to a decision maker before it loses its capacity to influence decisions.”
- Understandable
- “The quality of information that enables users to perceive its significance.”
- Verifiable
- “The ability through consensus among measurers to ensure that information represents what it purports to represent or that the chosen method of measurement has been used without error or bias.”
- Accessible
- Available when needed (see Timely) and in a useful format (see Understandable).
Business Process
- Systems working toward organizational goals
Business Process Cycles
- Revenue
- Expenditure
- Production
- Human Resources
- Financing
Business Transactions
- Give–Get exchanges
- Between two entities
- Measured in economic terms
Business Cycle Give–Get
Accounting Information Systems
- Collect, process, store, and report data and information
- If Accounting = language of business
- AIS = information providing vehicle
- Accounting = AIS
Components of an AIS
- People using the system
- Procedures and Instructions
- For collecting, processing, and storing data
- Data
- Software
- Information Technology (IT) Infrastructure
- Computers, peripherals, networks, and so on
- Internal Control and Security
- Safeguard the system and its data
AIS and Business Functions
- Collect and store data about organizational:
- Activities, resources, and personnel
- Transform data into information enabling
- Management to:
- Plan, execute, control, and evaluate
- Activities, resources, and personnel
- Provide adequate control to safeguard
- Assets and data
AIS Value Add
- Improve Quality and Reduce Costs
- Improve Efficiency
- Improve Sharing Knowledge
- Improve Supply Chain
- Improve Internal Control
- Improve Decision Making
Improve Decision Making
- Identify situations that require action.
- Provide alternative choices.
- Reduce uncertainty.
- Provide feedback on previous decisions.
- Provide accurate and timely information.
Value Chain
- The set of activities a product or service moves through before, as output, it is sold to a customer
- At each activity the product or service gains value
Value Chain—Primary Activities
AIS and Corporate Strategy
Organizations have limited resources, so investments in AIS should have the greatest impact on ROI.
Organizations need to understand:
IT developments
Business strategy
Organizational culture
These will affect, and be affected by, a new AIS
Chapter 3
Systems Documentation Techniques
What Is Documentation?
Set of documents and models
Narratives, data flow models, flowcharts
Describe who, what, why, when, and where of systems:
Input, process, storage, output, and controls
Why Should You Learn Documentation?
You need to be able to read documentation in all its forms: narratives, diagrams, models.
You need to be able to evaluate the quality of systems, such as internal control, based in part on documentation.
SAS 94 requires independent auditors to understand all internal control procedures.
Documentation assists auditors in understanding the system and in documenting that understanding.
Sarbanes-Oxley states that management:
Is responsible for internal control system
Is responsible for assessing the effectiveness of the IC System
Both management and external auditors need to document and test IC System
Data Flow Diagrams
Graphically describes the flow of data within a system
Four basic elements
Entity
Process
Data Flow
Data Store
Entity
Represents a source of data or input into the system
or
Represents a destination of data or output from the system
Data Flows
Movement of data among:
Entities (sources or destinations)
Processes
Data stores
Label should describe the information moving
Process
Represents the transformation of data
Data Store
Represents data at rest
Data Flow Diagram Levels
Context
Highest level (most general)
Purpose: show inputs and outputs into system
Characteristics: one process symbol only, no data stores
Level-0
Purpose: show all major activity steps of a system
Characteristics: processes are labeled 1.0, 2.0, and so on
Flowcharts
Use symbols to logically depict transaction processing and the flow of data through a system.
A pictorial representation is easier to understand and explain than a detailed narrative.
Types of Flowcharts
Document
Illustrates the flow of documents through an organization
Useful for analyzing internal control procedures
System
Logical representation of system inputs, processes, and outputs
Useful in systems analysis and design
Program
Represents the logical sequence of program logic
Chapter 5
Computer Fraud
Common Threats to AIS
Natural Disasters and Terrorist Threats
Software Errors and/or Equipment Malfunction
Unintentional Acts (Human Error)
Intentional Acts (Computer Crimes)
What Is Fraud?
Gaining an unfair advantage over another person
A false statement, representation, or disclosure
A material fact that induces a person to act
An intent to deceive
A justifiable reliance on the fraudulent fact in which a person takes action
An injury or loss suffered by the victim
Individuals who commit fraud are referred to as white-collar criminals.
Forms of Fraud
Misappropriation of assets
Theft of a company’s assets.
Largest factors for theft of assets:
Absence of internal control system
Failure to enforce internal control system
Fraudulent financial reporting
“…intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements” (The Treadway Commission).
Reasons for Fraudulent Financial Statements
Deceive investors or creditors
Increase a company’s stock price
Meet cash flow needs
Hide company losses or other problems
SAS #99
Auditors’ responsibility to detect fraud
Understand fraud
Discuss risks of material fraudulent statements
Among members of audit team
Obtain information
Look for fraud risk factors
Identify, assess, and respond to risk
Evaluate the results of audit tests
Determine impact of fraud on financial statements
Document and communicate findings
See Chapter 3
Incorporate a technological focus
The Fraud Triangle
Three conditions that are present when fraud occurs:
Pressure
Opportunity
Rationalization
Pressure
Motivation or incentive to commit fraud
Types:
Employee
Financial
Emotional
Lifestyle
Financial
Industry conditions
Management characteristics
Opportunity
Condition or situation that allows a person or organization to:
Commit the fraud
Conceal the fraud
Lapping
Kiting
Convert the theft or misrepresentation to personal gain
Rationalizations
Justification of illegal behavior
Justification
I am not being dishonest.
Attitude
I don’t need to be honest.
Lack of personal integrity
Theft is valued higher than honesty or integrity.
Computer Fraud
Any illegal act in which knowledge of computer technology is necessary for:
Perpetration
Investigation
Prosecution
Rise of Computer Fraud
Definition is not agreed on
Many go undetected
High percentage is not reported
Lack of network security
Step-by-step guides are easily available
Law enforcement is overburdened
Difficulty calculating loss
Chapter 7
Control and AIS
Internal Control
System to provide reasonable assurance that objectives are met such as:
Safeguard assets.
Maintain records in sufficient detail to report company assets accurately and fairly.
Provide accurate and reliable information.
Prepare financial reports in accordance with established criteria.
Promote and improve operational efficiency.
Encourage adherence to prescribed managerial policies.
Comply with applicable laws and regulations.
Internal Control
Functions
Preventive
Deter problems
Detective
Discover problems
Corrective
Correct problems
Categories
General
Overall IC system and processes
Application
Transactions are processed correctly
Sarbanes Oxley (2002)
Designed to prevent financial statement fraud, make financial reports more transparent, protect investors, strengthen internal controls, and punish executives who perpetrate fraud
Public Company Accounting Oversight Board (PCAOB)
Oversight of auditing profession
New Auditing Rules
Partners must rotate periodically
Prohibited from performing certain non-audit services
Sarbanes Oxley (2002)
New Roles for Audit Committee
Be part of board of directors and be independent
One member must be a financial expert
Oversees external auditors
New Rules for Management
Financial statements and disclosures are fairly presented, were reviewed by management, and are not misleading.
The auditors were told about all material internal control weaknesses and fraud.
New Internal Control Requirements
Management is responsible for establishing and maintaining an adequate internal control system.
SOX Management Rules
Base evaluation of internal control on a recognized framework.
Disclose all material internal control weaknesses.
Conclude that a company does not have effective internal controls over financial reporting if material weaknesses exist.
Internal Control Frameworks
Committee of Sponsoring Organizations (COSO)
Internal control—integrated framework
Control environment
Control activities
Risk assessment
Information and communication
Monitoring
Internal Control
Enterprise Risk Management Model
Risk-based vs. control-based
COSO elements +
Setting objectives
Event identification
Risk assessment
Can be controlled but also
Accepted
Diversified
Shared
Transferred
Control Environment
Management’s philosophy, operating style, and risk appetite
The board of directors
Commitment to integrity, ethical values, and competence
Organizational structure
Methods of assigning authority and responsibility
Human resource standards
External influences
ERM—Objective Setting
Strategic
High-level goals aligned with corporate mission
Operational
Effectiveness and efficiency of operations
Reporting
Complete and reliable
Improve decision making
Compliance
Laws and regulations are followed
ERM—Event Identification
“…an incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of objectives.”
Positive or negative impacts (or both)
Events may trigger other events
All events should be anticipated
Risk Assessment
Identify Risk
Identify likelihood of risk
Identify impact
Types of Risk
Inherent
Risk that exists before any plans are made to control it
Residual
Remaining risk after controls are in place to reduce it
ERM—Risk Response
Reduce
Implement effective internal control
Accept
Do nothing, accept likelihood of risk
Share
Buy insurance, outsource, hedge
Avoid
Do not engage in activity that produces risk
Control Activities
Policies and procedures to provide reasonable assurance that control objectives are met:
Proper authorization of transactions and activities
Signature or code on document to signal authority over a process
Segregation of duties
Project development and acquisition controls
Change management controls
Design and use of documents and records
Safeguarding assets, records, and data
Independent checks on performance
Segregation of Accounting Duties
No one employee should be given too much responsibility
Separate:
Authorization
Approving transactions and decisions
Recording
Preparing source documents
Entering data into an AIS
Maintaining accounting records
Custody
Handling cash, inventory, fixed assets
Receiving incoming checks
Writing checks
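An added example (not from the textbook or its slides) that applies this slide's three functions to a roster of task assignments: it maps each task to authorization, recording or custody using the slide's own examples and flags any employee holding tasks from two of the three. The roster, the task names and the `would_conflict` pre-check are constructed for illustration.

```python
"""Segregation-of-duties check over employee task assignments."""

# The three accounting functions the slide says must be kept separate.
AUTHORIZATION, RECORDING, CUSTODY = "authorization", "recording", "custody"

# Task-to-function mapping built from the slide's own examples.
TASK_FUNCTION = {
    "approve transactions": AUTHORIZATION,
    "prepare source documents": RECORDING,
    "enter data into AIS": RECORDING,
    "maintain accounting records": RECORDING,
    "handle cash": CUSTODY,
    "receive incoming checks": CUSTODY,
    "write checks": CUSTODY,
}


def functions_held(tasks):
    """Set of accounting functions covered by a list of tasks.

    An unknown task raises KeyError on purpose: a task that is not
    classified must not silently pass the check.
    """
    return {TASK_FUNCTION[task] for task in tasks}


def sod_conflicts(assignments):
    """Detective control: return {employee: sorted functions} for every
    employee whose tasks span two or more of authorization, recording
    and custody.  assignments is {employee: [task, ...]}."""
    conflicts = {}
    for employee, tasks in assignments.items():
        held = functions_held(tasks)
        if len(held) >= 2:
            conflicts[employee] = sorted(held)
    return conflicts


def would_conflict(assignments, employee, new_task):
    """Preventive control: True if giving new_task to the employee would
    combine two incompatible functions (an employee not yet on the
    roster is treated as holding nothing)."""
    held = functions_held(assignments.get(employee, []))
    return len(held | {TASK_FUNCTION[new_task]}) >= 2


# Constructed sample roster, not from any real organization.
SAMPLE_ASSIGNMENTS = {
    "alice": ["approve transactions"],
    # custody of receipts plus recording: the combination that makes
    # lapping (Chapter 5) possible
    "bob": ["receive incoming checks", "enter data into AIS"],
    "carol": ["prepare source documents", "maintain accounting records"],
    # custody plus authorization
    "dave": ["write checks", "approve transactions"],
}

if __name__ == "__main__":
    for who, funcs in sod_conflicts(SAMPLE_ASSIGNMENTS).items():
        print(f"{who}: holds {', '.join(funcs)}")
    print("carol + handle cash:",
          would_conflict(SAMPLE_ASSIGNMENTS, "carol", "handle cash"))
```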
Information and Communication
Primary purpose of an AIS
Gather
Record
Process
Summarize
Communicate
Monitoring
Evaluate internal control framework.
Effective supervision.
Responsibility accounting system.
Monitor system activities.
Track purchased software and mobile devices.
Conduct periodic audits.
Employ a security officer and compliance officer.
Engage forensic specialists.
Install fraud detection software.
Implement a fraud hotline.
Controls for Information Security
Chapter 8
Copyright © 2015 Pearson Education, Inc.
Trust Services Framework
Security
Access to the system and data is controlled and restricted to legitimate users.
Confidentiality
Sensitive organizational data is protected.
Privacy
Personal information about trading partners, investors, and employees is protected.
Processing integrity
Data are processed accurately, completely, in a timely manner, and only with proper authorization.
Availability
System and information are available.
The trust services framework is a means to organize IT controls to help ensure systems reliability. At the foundation of this framework is security which is absolutely necessary for success and for achieving the other four principles.
Security procedures restrict access to authorized users only, which protects the confidentiality of sensitive organizational data and the privacy of personal data collected from customers, suppliers, employees, and so on.
Security protects the processing integrity by preventing submission of unauthorized transactions or unauthorized changes to the data.
Security provides protection from unwanted attacks that could bring down the system and make it unavailable.
This is a good visual of the Trust Services Framework
Using an analogy of building a house, you need a good foundation; otherwise the house will fall apart. Then, to keep the roof over your head, you need well-constructed walls.
Similarly, for good systems reliability you need a good foundation of Security. The walls are the four pillars focused on maintaining good systems reliability.
Security Life Cycle
Security is a management issue
Although technology tools are used for security and the security expertise sits within an IT department, effective security must have the support of senior management, who need to understand the potential threats to an organization’s information systems that would impede the organization from achieving its goals.
As previously discussed regarding threats to an AIS, the first step is for management to assess the threat to an AIS and determine how to respond (reduce, accept, share, avoid). The second step is to develop security policies (e.g., employees should not click on any links embedded in e-mails) and make sure that those policies are communicated (the best way is through training).
The third step is to invest in the necessary resources (human and technology) to reduce the security threats. Finally, active monitoring to evaluate the security effectiveness provides a feedback loop as management may need to make updates based upon new threats or techniques that affect security.
Overall, management is responsible for maintaining a “culture of security”. The fourth step requires monitoring of performance because if you do not monitor how well you are doing with your objectives, how do you know if it is achieved?
Security Approaches
Defense-in-depth
Multiple layers of control (preventive and detective) to avoid a single point of failure
Time-based model, security is effective if:
P > D + C where
P is time it takes an attacker to break through preventive controls
D is time it takes to detect an attack is in progress
C is time it takes to respond to the attack and take corrective action
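An added example, not from the textbook, that evaluates the time-based model for a defense-in-depth configuration and reports which layers are single points of failure. It assumes that the delays contributed by independent preventive layers add up to P; the layer names and hour figures are constructed.

```python
"""Time-based model of security: controls are effective when P > D + C."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Layer:
    """A preventive control and the estimated time (hours) it delays an attacker."""
    name: str
    delay_hours: float


def preventive_time(layers):
    """P: assumed to be the sum of the delays of independent layers."""
    return sum(layer.delay_hours for layer in layers)


def assess(layers, detect_hours, correct_hours):
    """Evaluate P > D + C.

    Returns P, D, C, the margin P - (D + C) in hours, and whether the
    configuration is effective under the time-based model.
    """
    p = preventive_time(layers)
    margin = p - (detect_hours + correct_hours)
    return {"P": p, "D": detect_hours, "C": correct_hours,
            "margin": margin, "effective": margin > 0}


def single_points_of_failure(layers, detect_hours, correct_hours):
    """Names of layers whose loss alone would make P <= D + C.

    A configuration that depends on one layer this way has exactly the
    single point of failure that defense-in-depth is meant to avoid.
    """
    spof = []
    for layer in layers:
        remaining = [other for other in layers if other is not layer]
        if not assess(remaining, detect_hours, correct_hours)["effective"]:
            spof.append(layer.name)
    return spof


# Constructed sample figures (hours), not measurements of any real system.
SAMPLE_LAYERS = [
    Layer("perimeter firewall", 8.0),
    Layer("host hardening", 4.0),
    Layer("multi-factor authentication", 12.0),
]
SAMPLE_DETECT = 6.0    # D: time until monitoring notices the intrusion
SAMPLE_CORRECT = 10.0  # C: time to contain and remediate

if __name__ == "__main__":
    print(assess(SAMPLE_LAYERS, SAMPLE_DETECT, SAMPLE_CORRECT))
    print("single points of failure:",
          single_points_of_failure(SAMPLE_LAYERS, SAMPLE_DETECT, SAMPLE_CORRECT))
```

With the sample figures P is 24 hours against D + C of 16, yet losing either the firewall or MFA alone would erase the margin; the detective and corrective side (shrinking D or C) is the other lever the model exposes.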
How to Mitigate Risk of Attack
Preventive Controls
People
Process
IT Solutions
Physical security
Change controls and change management
Detective Controls
Log analysis
Intrusion detection systems
Penetration testing
Continuous monitoring
Preventive: People
Culture of security
Tone set at the top with management
Training
Follow safe computing practices
Never open unsolicited e-mail attachments
Use only approved software
Do not share passwords
Physically protect laptops/cellphones
Protect against social engineering
Preventive: Process
Authentication—verifies the person
Something person knows
Something person has
Some biometric characteristic
Combination of all three
Authorization—determines what a person can access
These two concepts are related: to get into a system you need to be authenticated; authorization then determines where you are allowed to go once you are in the system.
Preventive: IT Solutions
Antimalware controls
Network access controls
Device and software hardening controls
Encryption
Preventive: Other
Physical security access controls
Limit entry to building
Restrict access to network and data
Change controls and change management
Formal processes in place regarding changes made to hardware, software, or processes
Corrective
Computer Incident Response Team (CIRT)
Chief Information Security Officer (CISO)
Patch management
Confidentiality and Privacy Controls
Chapter 9
Protecting Confidentiality and Privacy of Sensitive Information
Identify and classify information to protect
Where is it located and who has access?
Classify value of information to organization
Encryption
Protect information in transit and in storage
Access controls
Controlling outgoing information (confidentiality)
Digital watermarks (confidentiality)
Data masking (privacy)
Training
Recall that in Chapter 7 the trust services framework was introduced, and confidentiality versus privacy was first distinguished there. This chapter focuses on controls related specifically to preserving confidentiality and privacy.
Confidentiality relates to organizational intellectual property which includes strategic plans, trade secrets, cost information, legal documents, and so on.
Privacy focuses on protecting personal information on customers, vendors, employees, and business partners (it does not apply to organizational data, that is confidentiality).
Generally Accepted Privacy Principles
Management
Procedures and policies with assigned responsibility and accountability
Notice
Provide notice of privacy policies and practices prior to collecting data
Choice and consent
Opt-in versus opt-out approaches
Collection
Only collect needed information
Use and retention
Use information only for stated business purpose
Access
Customer should be able to review, correct, or delete information collected on them
Disclosure to third parties
Security
Protect from loss or unauthorized access
Quality
Monitoring and enforcement
Procedures in responding to complaints
Compliance
Generally Accepted Privacy Principles (GAPP) are 10 best practices recommended for protecting privacy of customer’s personal information.
Encryption
Preventative control
Factors that influence encryption strength:
Key length (longer = stronger)
Algorithm
Management policies
Stored securely
Encryption Steps
Takes plaintext and, with an encryption key and algorithm, converts it to unreadable ciphertext (sender of message)
To read the ciphertext, the key reverses the process to make the information readable (receiver of message)
Types of Encryption
Symmetric
Uses one key to encrypt and decrypt
Both parties need to know the key
Need to securely communicate the shared key
Cannot share key with multiple parties; each gets their own (different) key from the organization
Asymmetric
Uses two keys
Public—everyone has access
Private—used to decrypt (only known by you)
Public key can be used by all your trading partners
Can create digital signatures
The text refers to examples of symmetric and asymmetric encryption algorithms:
Examples of symmetric encryption are DES (data encryption standard) which was superseded by AES (advanced encryption standard).
Examples of asymmetric encryption are RSA (Rivest-Shamir-Adleman) and PGP (Pretty Good Privacy).
A good example for understanding asymmetric encryption is this:
I want to buy a book online; this purchase information, with my credit card, is encrypted using the online bookstore’s public key. Only the online bookstore can decrypt this information, using their private key, which is known only to them. That way, I can feel safe when purchasing online with the bookstore.
Now that we understand encryption better and that information is encrypted in transit, why is it that hackers can get credit card data?
It’s usually due to the fact that the private encryption key is stolen because it is not secured properly. Many times the private key is stored on the same server as the data itself, so when hackers gain access to the server, they are able to decrypt the data!
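An added example, not from the textbook, that plays out the bookstore scenario with textbook RSA: the customer encrypts with the bookstore's public key and only the matching private key recovers the order. The primes (61, 53 and 47, 59), the `make_keypair`/`encrypt`/`decrypt` helpers and the sample order line are constructed toy values, and only the Python standard library is used.

```python
"""Textbook RSA with toy parameters to show public-key encryption."""
from math import gcd


def make_keypair(p, q, e=17):
    """Build (public, private) keys from two primes.  Toy sizes only:
    real RSA moduli are thousands of bits, not four digits."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)   # private exponent, e*d = 1 mod phi (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, message):
    """Encrypt each byte with the PUBLIC key; anyone holding it can do this."""
    n, e = public_key
    if n <= 255:
        raise ValueError("modulus too small to carry a byte")
    return [pow(b, e, n) for b in message]


def decrypt(private_key, ciphertext):
    """Recover the bytes with the PRIVATE key; only its holder can.

    Decrypting with the wrong key yields values that usually fall
    outside the byte range, which is reported instead of hidden.
    """
    n, d = private_key
    values = [pow(c, d, n) for c in ciphertext]
    if any(v > 255 for v in values):
        raise ValueError("decryption produced non-byte values: wrong key?")
    return bytes(values)


# Constructed toy primes and a constructed order line (not a real card).
BOOKSTORE_PUBLIC, BOOKSTORE_PRIVATE = make_keypair(61, 53)
ORDER = b"card=4111111111111111;amt=29.95"


def bookstore_roundtrip(order=ORDER):
    """Customer encrypts with the bookstore's public key; the bookstore
    decrypts with its private key and gets the order back."""
    ciphertext = encrypt(BOOKSTORE_PUBLIC, order)
    return decrypt(BOOKSTORE_PRIVATE, ciphertext)


def wrong_key_fails(order=ORDER):
    """Another party's private key does not recover the order."""
    _other_public, other_private = make_keypair(47, 59)
    ciphertext = encrypt(BOOKSTORE_PUBLIC, order)
    try:
        return decrypt(other_private, ciphertext) != order
    except ValueError:
        return True


if __name__ == "__main__":
    print("ciphertext:", encrypt(BOOKSTORE_PUBLIC, ORDER)[:6], "...")
    print("bookstore reads:", bookstore_roundtrip())
    print("other key fails:", wrong_key_fails())
```

Because each byte is encrypted separately with no padding, equal bytes give equal ciphertext values, which is one reason real systems pad and use RSA only to wrap a symmetric session key. Whoever holds BOOKSTORE_PRIVATE reads every order, which is the note's point about where the private key is stored.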
Virtual Private Network
Securely transmits encrypted data between sender and receiver
Sender and receiver have the appropriate encryption and decryption keys.
Chapter 13
The Expenditure Cycle: Purchasing to Cash Disbursements
The Expenditure Cycle
Activities and information processing related to:
Purchasing and payment of
Goods and services
Primary objective:
Minimize the total cost of acquiring and maintaining inventories, supplies, and the various services the organization needs to function
Expenditure Cycle Activities
Ordering materials, supplies, and services
Receiving materials, supplies, and services
Approving supplier invoices
Cash disbursements
Expenditure Cycle General Threats
Inaccurate or invalid master data
Unauthorized disclosure of sensitive information
Loss or destruction of data
Poor performance
Expenditure Cycle General Controls
Data processing integrity controls
Restriction of access to master data
Review of all changes to master data
Ordering Threats
Inaccurate inventory records
Purchasing items not needed
Purchasing at inflated prices
Purchasing goods of inferior quality
Unreliable suppliers
Purchasing from unauthorized suppliers
Kickbacks
Ordering Controls
Perpetual inventory system
Bar coding or RFID tags
Periodic physical counts of inventory
Perpetual inventory system
Review and approval of purchase requisitions
Centralized purchasing function
Price lists
Competitive bidding
Review of purchase orders
Budgets
Purchasing only from approved suppliers
Receiving Threats
Accepting unordered items
Mistakes in counting
Verifying receipt of services
Theft of inventory
Receiving Controls
Requiring existence of approved purchase order prior to accepting any delivery
Do not inform receiving employees about quantity ordered
Require receiving employees to sign receiving report
Incentives
Document transfer of goods to inventory
Use of bar-codes and RFID tags
Configuration of the ERP system to flag discrepancies between received and ordered quantities that exceed tolerance threshold for investigation
Segregation of duties: custody of inventory versus receiving
Budgetary controls
Audits
Restriction of physical access to inventory
Documentation of all transfers of inventory between receiving and inventory employees
Periodic physical counts of inventory and reconciliation to recorded quantities
Approving Invoices Threats
Errors in supplier invoices
Mistakes in posting to accounts payable
Cash Disbursement Threats
Failure to take advantage of discounts for prompt payment
Paying for items not received
Duplicate payments
Theft of cash
Check alteration
Cash flow problems
Cash Disbursement Controls
Filing of invoices by due date for discounts
Cash flow budgets
Requiring that all supplier invoices be matched to supporting documents that are acknowledged by both receiving and inventory control
Budgets (for services)
Requiring receipts for travel expenses
Use of corporate credit cards for travel expenses
Requiring a complete voucher package for all payments
Policy to pay only from original copies of supplier invoices
Cancelling all supporting documents when payment is made
13-13
Cash Disbursement Controls
Restriction of access to supplier master file
Limiting the number of employees with ability to create one-time suppliers and to process invoices from one-time suppliers
Running petty cash as an imprest fund
Surprise audits of petty cash fund
Check protection machines
Use of special inks and papers
“Positive pay” arrangements with banks
Cash flow budget
13-14
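The receiving control that flags received-versus-ordered discrepancies beyond a tolerance (slide 13-9) and the cash disbursement controls that match every invoice to its supporting documents and guard against duplicate payments (slides 13-12 and 13-13) are both mechanical checks that an ERP or audit script can run. The following is an added example and is not code from the textbook or from any ERP product; every record, name and the 2% tolerance are constructed for illustration.

```python
"""Added example, not from the textbook slides: a three-way match of
purchase order, receiving report and supplier invoice. It implements the
ERP tolerance flag from the receiving controls and the voucher-package and
duplicate-payment checks from the cash disbursement controls. All records,
names and thresholds below are constructed for illustration."""
from dataclasses import dataclass

@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    supplier: str
    quantity: int
    unit_price: float

@dataclass(frozen=True)
class ReceivingReport:
    po_number: str
    quantity_received: int
    signed_by: str  # receiving employee who signed the report ("" if unsigned)

@dataclass(frozen=True)
class Invoice:
    invoice_number: str
    po_number: str
    supplier: str
    quantity: int
    unit_price: float

# Constructed tolerance: a received quantity that differs from the ordered
# quantity by more than 2% is flagged for investigation.
QUANTITY_TOLERANCE = 0.02

def check_receipt(po, report, tolerance=QUANTITY_TOLERANCE):
    """Receiving control: compare received with ordered quantity.
    Returns a list of exception strings; empty means the receipt is clean."""
    exceptions = []
    if not report.signed_by:
        exceptions.append("receiving report not signed")
    diff = report.quantity_received - po.quantity
    if abs(diff) > po.quantity * tolerance:
        exceptions.append(f"quantity discrepancy {diff:+d} exceeds tolerance")
    return exceptions

def three_way_match(invoice, orders, reports):
    """Voucher-package control: an invoice is released for payment only when
    it agrees with an approved PO and a receiving report."""
    po = orders.get(invoice.po_number)
    if po is None:
        return ["no approved purchase order"]
    report = reports.get(invoice.po_number)
    if report is None:
        return ["no receiving report: goods not received"]
    exceptions = []
    if invoice.supplier != po.supplier:
        exceptions.append("supplier differs from purchase order")
    if invoice.unit_price > po.unit_price:
        exceptions.append("invoice price above PO price")
    if invoice.quantity > report.quantity_received:
        exceptions.append("billed quantity exceeds quantity received")
    return exceptions

def find_duplicate_payments(payments):
    """Duplicate-payment control: a second payment against the same supplier
    invoice number is a candidate duplicate. Returns the repeated keys."""
    seen, duplicates = set(), []
    for supplier, invoice_number, _amount in payments:
        key = (supplier, invoice_number)
        if key in seen:
            duplicates.append(key)
        seen.add(key)
    return duplicates

# Constructed sample data.
ORDERS = {"PO-1001": PurchaseOrder("PO-1001", "Acme Supply", 100, 5.00)}
REPORTS = {"PO-1001": ReceivingReport("PO-1001", 104, "R. Lee")}
INVOICES = [
    Invoice("INV-77", "PO-1001", "Acme Supply", 104, 5.00),  # clean
    Invoice("INV-78", "PO-1001", "Acme Supply", 110, 5.50),  # over-billed
    Invoice("INV-79", "PO-9999", "Acme Supply", 1, 5.00),    # no PO on file
]
PAYMENTS = [
    ("Acme Supply", "INV-77", 520.00),
    ("Acme Supply", "INV-77", 520.00),  # same invoice paid twice
    ("Beta Parts", "INV-5", 10.00),
]

def run_demo():
    """Run every control over the sample data; returns a dict of results."""
    return {
        "receipt": check_receipt(ORDERS["PO-1001"], REPORTS["PO-1001"]),
        "invoices": {inv.invoice_number: three_way_match(inv, ORDERS, REPORTS)
                     for inv in INVOICES},
        "duplicates": find_duplicate_payments(PAYMENTS),
    }

if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The receipt of 104 against an order of 100 is flagged because it exceeds the 2% tolerance, INV-78 fails on both price and quantity, INV-79 has no purchase order, and the repeated INV-77 payment surfaces as a duplicate; the same functions run unchanged over a larger invoice register.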
Chapter 13
The Expenditure Cycle: Purchasing to Cash Disbursements
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
13-1
New folder/Chapter2_updatedslides1.ppt
Chapter 2
Overview of Transaction Processing and ERP Systems
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall
Data Processing Cycle
The Data Processing Cycle Determines
- What data is stored?
- Who has access to the data?
- How is the data organized?
- How can unanticipated information needs be met?
Data Input—Capture
- As a business activity occurs data is collected about:
Each activity of interest
The resources affected
The people who are participating
Paper-Based Source Documents
- Data are collected on source documents
- E.g., a sales-order form
- The data from paper-based documents will eventually need to be transferred to the AIS
- Turnaround documents
- Usually paper-based
- Are sent from organization to customer
- Same document is returned by customer to organization
Turnaround Document
Source Data Automation
- Source data is captured
- In machine-readable form
- At the time of the business activity
- E.g., ATM’s; POS
Data Input—Accuracy and Control
- Well-designed source documents can ensure that data captured is
- Accurate
- Provide instructions and prompts
- Check boxes
- Drop-down boxes
- Complete
- Internal control support
- Prenumbered documents
Data Storage
- Types of AIS storage:
- Paper-based
- Ledgers
- Journals
- Computer-based
Ledgers
- General
- Summary level data for each:
- Asset, liability, equity, revenue, and expense
- Subsidiary
- Detailed data for a General Ledger (Control) Account that has individual sub-accounts
- Accounts Receivable
- Accounts Payable
Journals
- General
- Infrequent or specialized transactions
- Specialized
- Repetitive transactions
- E.g., sales transactions
Computer Based Storage
- Entity
- Person, place, or thing (Noun)
- Something an organization wishes to store data about
- Attributes
- Facts about the entity
- Fields
- Where attributes are stored
- Records
- Group of related attributes about an entity
- File
- Group of related Records
File Types
- Transaction
- Contains records of business transactions from a specific period of time
- Master
- Permanent records
- Updated by the transactions in the transaction file
- Database
- Set of interrelated files
2-14
Data Processing
- Four Main Activities
Create new records
Read existing records
Update existing records
Delete records or data from records
Data Output Types
- Soft copy
- Displayed on a screen
- Hard copy
- Printed on paper
ERP Systems
ERP Advantages
- Integration of an organization’s data and financial information
- Data is captured once
- Greater management visibility, increased monitoring
- Better access controls
- Standardizes business operating procedures
- Improved customer service
- More efficient manufacturing
ERP Disadvantages
- Cost
- Time-consuming to implement
- Changes to an organization’s existing business processes can be disruptive
- Complex
- Resistance to change
New folder/romney_ais13_ppt_061.pptx
Computer Fraud and Abuse Techniques
Chapter 6
6-1
Copyright © 2015 Pearson Education, Inc.
Types of Attacks
Hacking
Unauthorized access, modification, or use of an electronic device or some element of a computer system
Social Engineering
Techniques or tricks on people to gain physical or logical access to confidential information
Malware
Software used to do harm
6-2
Hacking
Hijacking
Gaining control of a computer to carry out illicit activities
Botnet (robot network)
Zombies
Bot herders
Denial of Service (DoS) Attack
Spamming
Spoofing
Makes the communication look as if someone else sent it so as to gain confidential information.
6-3
Forms of Spoofing
E-mail spoofing
Caller ID spoofing
IP address spoofing
Address Resolution (ARP) spoofing
SMS spoofing
Web-page spoofing (phishing)
DNS spoofing
6-4
Why is there spoofing? Well, it's because the perpetrator of the fraud wants you to think that they are someone else whom you'd trust. For example:
E-mail spoofing lets you think that the e-mail you received is from someone you know. This type of attack is often combined with a social engineering technique called phishing. For example, perpetrators will send an e-mail spoofing the sender's address so that it appears to come from your bank. Inside the e-mail they embed a link which they hope you will click on and then enter your login and password, basically giving them access to your bank account.
Caller ID spoofing displays the wrong number on your phone, hoping that you think the call is from a trusted source (e.g., your bank).
IP address spoofing is used to conceal the identity of a sender of DoS attacks.
ARP spoofing allows for man-in-the-middle as well as DoS attacks. ARP spoofing can allow the perpetrator to "sniff" the data that is coming over the Internet. Sniffing means that the perpetrator can see the data as it passes from the source to the intended destination over the Internet.
SMS spoofing is falsifying the sender of a text message (it can also be used in phishing scams).
Hacking with Computer Code
Cross-site scripting (XSS)
Uses a vulnerability in a Web application that allows malicious code to be injected into the Web site. When a user visits the Web site, that malicious code is able to collect data from the user.
Buffer overflow attack
A large amount of data is sent to overflow the input memory (buffer) of a program, causing it to crash, and the overflowed memory is replaced with the attacker's program instructions.
SQL injection (insertion) attack
Malicious code is inserted in place of a query to get at the database information
6-5
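The SQL injection entry above says only that malicious code is "inserted in place of a query". What that looks like in application code, and the control that removes the weakness, is shown in this added example; it is not code from the textbook. The customer table, its rows, and the in-memory SQLite database that stands in for the AIS are all constructed.

```python
"""Added example, not from the slides: the SQL injection threat from the
'Hacking with Computer Code' slide, shown as a vulnerable customer lookup
beside the parameterized version that closes the hole. The table and rows
are constructed; an in-memory SQLite database stands in for the AIS."""
import sqlite3

def make_db():
    """Constructed sample customer master table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, credit_limit REAL)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "Alpha Ltd", 5000.0), (2, "Beta Inc", 12000.0), (3, "Gamma Co", 800.0)],
    )
    return conn

def lookup_vulnerable(conn, name):
    """Vulnerable form: the user-supplied name is pasted into the SQL text,
    so input containing quotes and SQL keywords changes what the query does."""
    sql = f"SELECT id, name FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, name):
    """Hardened form: the name is bound as a parameter. The database only
    ever compares it as a value; it is never parsed as part of the query."""
    sql = "SELECT id, name FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def compare(name):
    """Run both lookups on the same input and return (vulnerable rows,
    parameterized rows) so the difference in behaviour is visible."""
    conn = make_db()
    try:
        return len(lookup_vulnerable(conn, name)), len(lookup_parameterized(conn, name))
    finally:
        conn.close()

if __name__ == "__main__":
    print("legitimate input:", compare("Beta Inc"))
    # Textbook tautology input: in the vulnerable query the WHERE clause
    # becomes always true and every customer row is returned.
    print("injected input:  ", compare("x' OR '1'='1"))
```

For a legitimate name both lookups return the one matching row. For input that contains SQL syntax, the concatenated query returns the entire table while the parameterized query returns nothing, which is exactly the control an AIS developer or auditor should look for in application code that builds queries from user input.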
Other Types of Hacking
Man in the middle (MITM)
Hacker is placed in between a client (user) and a host (server) to read, modify, or steal data.
Piggybacking
Password cracking
War dialing and driving
Phreaking
Data diddling
Data leakage
Podslurping
6-6
These types of hacking are used to gain unauthorized access into a computer system or confidential data.
Piggybacking can be using a neighbor's unsecured Wi-Fi, an unauthorized person following an authorized person through a door (bypassing the screening or security code needed to gain access into a secure area), or tapping into a communications line and electronically latching onto an authorized user as they enter the system.
Password cracking is penetrating the system to steal passwords.
War dialing is using a program to dial phone lines looking for an unsecured dial-up modem line.
War driving is driving around looking for an unsecured wireless network; an unsecured network invites unauthorized access.
Phreaking is attacking the phone system to get free service.
Data diddling is falsifying data entry (e.g., timecards for payroll).
Data leakage is unauthorized copying of data.
Podslurping is using a flash drive to download data without authorization.
Hacking Used for Embezzlement
Salami technique:
Taking small amounts at a time
Round-down fraud
Economic espionage
Theft of information, intellectual property and trade secrets
Cyber-extortion
Threats to a person or business online through e-mail or text messages unless money is paid
6-7
Hacking Used for Fraud
Internet misinformation
E-mail threats
Internet auction
Internet pump and dump
Click fraud
Web cramming
Software piracy
6-8
Internet misinformation is used to spread false or misleading information.
E-mail threats demand an action by the victim that causes them great expense.
Internet auction fraud can unfairly bid up the price, deliver inferior products, or deliver nothing at all; alternatively, the buyer fails to make a payment.
Internet pump and dump uses the Internet to inflate the price of a stock and then sell it. It usually occurs with penny stocks: the perpetrator buys large volumes of the stock, posts false information to drive up the price, and sells the shares to pocket the profit before the price falls back down.
Click fraud uses botnets to click on ads to get Web click-through commissions.
Web cramming is a scam that offers a free Web site and then continues to charge the person for months after they no longer want or use the Web site.
Software piracy is unauthorized copying or distribution of copyrighted software. This can occur by:
Selling a computer preloaded with unauthorized software,
installing single license software on more than one computer, and
loading software on a server allowing unrestricted access.
Social Engineering Techniques
Identity theft
Assuming someone else’s identity
Pretexting
Using a scenario to trick victims to divulge information or to gain access
Posing
Creating a fake business to get sensitive information
Phishing
Sending an e-mail asking the victim to respond to a link that appears legitimate that requests sensitive data
Pharming
Redirects Web site to a spoofed Web site
URL hijacking
Takes advantage of typographical errors entered in for Web sites and user gets invalid or wrong Web site
Scavenging
Searching trash for confidential information
Shoulder surfing
Snooping (either from close behind the person or by using technology) to get confidential information
Skimming
Double swiping credit card
Eavesdropping
6-9
Why People Fall Victim
Compassion
Desire to help others
Greed
Want a good deal or something for free
Sex appeal
More cooperative with those that are flirtatious or good looking
Sloth
Lazy habits
Trust
Will cooperate if trust is gained
Urgency
Cooperation occurs when there is a sense of immediate need
Vanity
More cooperation when appeal to vanity
6-10
Minimize the Threat of Social Engineering
Never let people follow you into restricted areas
Never log in for someone else on a computer
Never give sensitive information over the phone or through e-mail
Never share passwords or user IDs
Be cautious of someone you don’t know who is trying to gain access through you
6-11
Types of Malware
Spyware
Secretly monitors and collects information
Can hijack browser, search requests
Adware
Keylogger
Software that records user keystrokes
Trojan Horse
Malicious computer instructions in an authorized and properly functioning program
Trap door
Set of instructions that allow the user to bypass normal system controls
Packet sniffer
Captures data as it travels over the Internet
Virus
A section of self-replicating code that attaches to a program or file requiring a human to do something so it can replicate itself
Worm
Stand-alone self-replicating program
6-12
Cellphone Bluetooth Vulnerabilities
Bluesnarfing
Stealing contact lists, data, and pictures on Bluetooth-compatible smartphones
Bluebugging
Taking control of a phone to make or listen to calls, send or read text messages
6-13
Bluesnarfing and bluebugging may take advantage of Bluetooth technology on smartphones.
New folder/romney_ais13_ppt_11.pptx
Auditing Computer-Based Information Systems
Chapter 11
11-1
Copyright © 2015 Pearson Education, Inc.
Auditing
The process of obtaining and evaluating evidence regarding assertions about economic actions and events in order to determine how well they correspond with established criteria
11-3
Let’s break down the definition of auditing to see what this really means:
1. an economic event or action has occurred (e.g., financial transaction)
2. what established criteria exists for this event? (is it government compliance or regulation? e.g., Generally Accepted Accounting Principles)
3. how well does this evidence fit with the criteria? (e.g., if it’s a sales event, does the evidence (sales contract) show that the sale was recorded according to GAAP?)
This chapter focuses on the role of the internal auditor. An internal auditor is someone who works for the organization but is expected to be independent and objective in their evaluation of the organization. Internal auditors are able to add value to their organization in helping to achieve the goals of the organization by conducting different internal audits:
Financial—examines the reliability and integrity of financial transactions, accounting records, and financial statements
Information systems, or internal control—reviews control policies and procedures of an AIS (input, processing, output, storage)
Operational—focuses on efficient use of resources and the accomplishment of established organizational goals and objectives
Compliance—determines if organization is complying with applicable laws, regulations, policies, and procedures
Investigative—examines possible incidents of fraud, misappropriation, waste and abuse, or improper government activities
The other type of auditor is an external auditor. The external auditor is not an employee of the organization. However, external auditors may be hired by an organization to audit the financial statements. This is required for companies that are publicly held. In addition, if a company has a bank loan, the bank may require that the company hire external auditors to do a financial audit.
Major Steps in the Auditing Process
Audit planning
Why, how, when, and who
Establish scope and objectives of the audit; identify risk
Collection of audit evidence
Evaluation of evidence
Communication of results
11-4
There are four major steps in the auditing process:
1. Audit planning organizes what you need to do, how you are going to do the audit, and who will be doing the audit. This is done by first identifying the risks; then you can adequately understand the scope and objectives of the audit and what will be required to perform it. The majority of the audit work will focus on the areas with the highest amount of risk.
There are three types of audit risk:
Inherent risk: risk of control problems in absence of internal controls
Control risk: risk of material misstatement that will get through the internal control structure
Detection risk: risk that auditors and procedures will not detect material misstatement or error
2. Collection of evidence can be conducted in a variety of ways:
Observation
Reviewing documentation
Interviews, discussions, and questionnaires
Physical examination (e.g., inventory counts)
Confirmation with third parties
Reperforming calculations (e.g., estimates such as depreciation or bad debt expense calculations)
Vouching supporting documents (e.g., customer sales order, shipping documents, sales invoice, customer payment)
Analytical review (examining trends and patterns both within organization and their industry)
3. Evaluation of evidence involves the auditors' conclusion that the evidence supports or does not support the assertion.
4. Communication of results is in the form of a written report and often includes recommendations to management.
Risk-Based Framework
Identify fraud and errors (threats) that can occur that threaten each objective
Identify control procedures (prevent, detect, correct the threats)
Evaluate control procedures
Review to see if control exists and is in place
Test controls to see if they work as intended
Determine effect of control weaknesses
Compensating controls
11-5
These four basic areas of the risk-based framework can be applied to each information system audit objective.
Audit Techniques Used to Test Programs
Integrated Test Facility
Uses fictitious inputs
Snapshot Technique
Master files before and after update are stored for specially marked transactions
System Control Audit Review File (SCARF)
Continuous monitoring and storing of transactions that meet pre-specifications
Audit Hooks
Notify auditors of questionable transactions
11-13
These are audit techniques used for objectives two and three.
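The four techniques on this slide are easiest to understand when they sit inside the application they audit. The block below is an added example, not code from the textbook or from any audit package: a toy payroll master-file update with an embedded audit module that keeps an Integrated Test Facility employee, copies transactions meeting SCARF criteria to a SCARF file, raises an audit hook when a pay change crosses a threshold, and stores before/after snapshots for marked transactions. The employees, transactions, criteria and the 10,000 threshold are all constructed.

```python
"""Added example, not from the slides: a toy embedded audit module inside a
payroll master-file update that implements the four techniques listed above.
An Integrated Test Facility record, SCARF criteria, an audit-hook threshold,
and all employee and transaction data are constructed for illustration."""
from copy import deepcopy

AUDIT_HOOK_THRESHOLD = 10_000.0  # constructed: pay changes above this alert the auditor

# SCARF criteria: a transaction meeting any of these is copied to the SCARF file.
SCARF_RULES = [
    ("weekend_posting", lambda t: t["weekday"] >= 5),   # 0 = Monday, 5 = Saturday
    ("large_change", lambda t: abs(t["delta"]) > 2_000.0),
]

# Constructed payroll master file. ITF-1 is the Integrated Test Facility's
# fictitious employee: processed like a real one, excluded from real reports.
MASTER = {
    "E100": {"name": "A. Rivera", "salary": 52_000.0, "itf": False},
    "E200": {"name": "B. Chen", "salary": 61_000.0, "itf": False},
    "ITF-1": {"name": "Test employee (fictitious)", "salary": 40_000.0, "itf": True},
}

# Constructed transaction file of salary adjustments.
TRANSACTIONS = [
    {"id": "T1", "employee_id": "E100", "delta": 1_500.0, "weekday": 1, "audit_mark": False},
    {"id": "T2", "employee_id": "E200", "delta": 12_000.0, "weekday": 6, "audit_mark": True},
    {"id": "T3", "employee_id": "ITF-1", "delta": 500.0, "weekday": 2, "audit_mark": False},
]

class EmbeddedAuditModule:
    """Collects audit evidence while the application processes transactions."""

    def __init__(self):
        self.scarf = []          # SCARF: transactions meeting pre-specified criteria
        self.snapshots = []      # Snapshot: master record before/after marked txns
        self.notifications = []  # Audit hooks: messages raised for the auditor

    def process(self, master, txn):
        record = master[txn["employee_id"]]
        before = deepcopy(record)
        # SCARF: continuous monitoring against the pre-specified criteria
        hits = [name for name, rule in SCARF_RULES if rule(txn)]
        if hits:
            self.scarf.append({"txn_id": txn["id"], "criteria": hits})
        # Audit hook: notify the auditor of a questionable transaction
        if abs(txn["delta"]) > AUDIT_HOOK_THRESHOLD:
            self.notifications.append(
                f"txn {txn['id']}: pay change {txn['delta']:+.2f} for "
                f"{record['name']} exceeds audit-hook threshold")
        record["salary"] += txn["delta"]  # the real master-file update
        # Snapshot: keep before and after images for specially marked txns
        if txn["audit_mark"]:
            self.snapshots.append(
                {"txn_id": txn["id"], "before": before, "after": deepcopy(record)})

def payroll_total(master):
    """Production report: ITF records are removed so the fictitious
    employee never reaches the real payroll figures."""
    return sum(r["salary"] for r in master.values() if not r["itf"])

def run_audit():
    """Process the transaction file against a copy of the master file and
    return the audit module together with the updated master."""
    master = deepcopy(MASTER)
    module = EmbeddedAuditModule()
    for txn in TRANSACTIONS:
        module.process(master, txn)
    return module, master

if __name__ == "__main__":
    module, master = run_audit()
    print("SCARF file:", module.scarf)
    print("audit hook notifications:", module.notifications)
    print("snapshots:", module.snapshots)
    print("payroll total (ITF excluded):", payroll_total(master))
```

Only T2 meets the SCARF criteria and trips the audit hook, and only T2 is snapshotted because it carries the audit mark; the ITF transaction T3 updates the fictitious employee but is left out of the payroll total, which is the point of keeping a test entity inside production processing.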
Computer Audit Software
Computer assisted audit software that can perform audit tasks on a copy of a company’s data. Can be used to:
Query data files and retrieve records based upon specified criteria
Create, update, compare, download, and merge files
Summarize, sort, and filter data
Access data in different formats and convert to common format
Select records using statistical sampling techniques
Perform analytical tests
Perform calculations and statistical tests
11-15
Two popularly used computer audit software packages are:
Audit control language (ACL) www.acl.com
Interactive Data Extraction and Analysis (IDEA)
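The tasks on the Computer Audit Software slide are generic data operations, so they can be shown without ACL or IDEA. This added example, which is not code from the textbook or from either product, runs them in plain Python over a constructed copy of an accounts payable invoice register: querying, summarizing, sorting, a reproducible statistical sample, an analytical test for unapproved invoices sitting just under an approval threshold, and a sequence-gap test, which is also why the Chapter 2 slides call for prenumbered source documents. The invoices, names and the 10,000 threshold are constructed.

```python
"""Added example, not from the slides and not ACL or IDEA code: the kinds of
tasks the slide lists, run in plain Python over a copy of a constructed
accounts payable invoice file. The gap check also illustrates why the
Chapter 2 slides call for prenumbered source documents."""
import random
from collections import defaultdict

# Constructed copy of an invoice register; invoice numbers are prenumbered.
INVOICES = [
    {"number": 1001, "supplier": "Acme Supply", "amount": 4800.00, "approved_by": "J. Kim"},
    {"number": 1002, "supplier": "Beta Parts", "amount": 250.00, "approved_by": "J. Kim"},
    {"number": 1003, "supplier": "Acme Supply", "amount": 9950.00, "approved_by": ""},
    {"number": 1005, "supplier": "Gamma Co", "amount": 12000.00, "approved_by": "M. Ortiz"},
    {"number": 1006, "supplier": "Beta Parts", "amount": 310.00, "approved_by": "J. Kim"},
    {"number": 1007, "supplier": "Acme Supply", "amount": 9990.00, "approved_by": ""},
]

def query(records, predicate):
    """Retrieve records meeting specified criteria."""
    return [r for r in records if predicate(r)]

def summarize_by(records, key):
    """Summarize amounts by a grouping field (e.g. supplier)."""
    totals = defaultdict(float)
    for r in records:
        totals[r[key]] += r["amount"]
    return dict(totals)

def sort_by(records, key, descending=True):
    """Sort records on a field, largest first by default."""
    return sorted(records, key=lambda r: r[key], reverse=descending)

def missing_numbers(records):
    """Gap test on prenumbered documents: every number between the lowest
    and highest should be present; a gap may be a lost or suppressed document."""
    present = {r["number"] for r in records}
    return [n for n in range(min(present), max(present) + 1) if n not in present]

def statistical_sample(records, size, seed):
    """Simple random sample; a fixed seed makes the selection reproducible
    for the audit workpapers."""
    return random.Random(seed).sample(records, size)

def just_under_threshold(records, threshold, band=0.05):
    """Analytical test: unapproved invoices falling within `band` below an
    approval threshold, a pattern that merits follow-up with the approver."""
    low = threshold * (1 - band)
    return [r for r in records
            if low <= r["amount"] < threshold and not r["approved_by"]]

if __name__ == "__main__":
    print("over 5,000:", [r["number"] for r in query(INVOICES, lambda r: r["amount"] > 5000)])
    print("by supplier:", summarize_by(INVOICES, "supplier"))
    print("largest first:", [r["number"] for r in sort_by(INVOICES, "amount")])
    print("gaps in sequence:", missing_numbers(INVOICES))
    print("sample:", [r["number"] for r in statistical_sample(INVOICES, 2, seed=7)])
    print("just under 10,000 and unapproved:",
          [r["number"] for r in just_under_threshold(INVOICES, 10_000)])
```

On the constructed register the gap test reports 1004 as missing, and the analytical test picks out 1003 and 1007, two unapproved Acme Supply invoices that stop just short of the 10,000 approval threshold; both are the sort of result an auditor would carry into the evidence-collection steps described earlier in the chapter.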
Operational Audits
Purpose is to evaluate effectiveness, efficiency, and goal achievement. Although the basic audit steps are the same, the specific activities of evidence collection are focused toward operations such as:
Review operating policies and documentation
Confirm procedures with management and operating personnel
Observe operating functions and activities
Examine financial and operating plans and reports
Test accuracy of operating information
Test operational controls
11-16