ACC 321 Exam 2 Flashcards
Creating cash using the lag between the time a check is deposited and the time it clears the bank.
Check kiting
Concealing the theft of cash by means of a series of delays in posting collections to accounts receivable.
Lapping
A text file created by a website and stored on a visitor’s hard drive.
- store information about who the user is and what the user has done on the site.
Cookie
Dishonest conduct by those in power which often involves actions that are illegitimate, immoral, or incompatible with ethical standards. Examples include bribery and bid rigging.
Corruption
Misrepresenting or leaving out facts in order to promote an investment that promises fantastic profits with little or no risk. Examples include Ponzi schemes and securities fraud.
Investment fraud
Any type of fraud that requires computer technology to perpetrate.
Computer fraud or cybercrime
Any and all means a person uses to gain an unfair advantage over another person.
Fraud
Intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements.
Fraudulent financial reporting
Theft of company assets by employees.
Misappropriation of assets
The condition or situation that allows a person or organization to commit and conceal a dishonest act and convert it to personal gain.
Opportunity
A person’s incentive or motivation for committing fraud.
Pressure
The excuse that fraud perpetrators use to justify their illegal behavior.
Rationalization
An intentional act where the intent is to destroy a system or some of its components.
Sabotage
Typically, businesspeople who commit fraud.
- usually resort to trickery or cunning, and their crimes usually involve a violation of trust or confidence.
White-collar criminals
Spyware that causes banner ads to pop up on a monitor, collects information about the user’s web-surfing and spending habits, and forwards it to the adware creator, often an advertising or media organization.
- usually comes bundled with freeware and shareware downloaded from the Internet.
Adware
Gaining control of someone else’s computer to carry out illicit activities, such as sending spam without the computer user’s knowledge.
Hijacking
A network of powerful and dangerous hijacked computers that are used to attack systems or spread malware.
Botnet
Hijacked computers, typically part of a botnet, that are used to launch a variety of Internet attacks.
Zombies
The person who creates a botnet by installing software on PCs that responds to the bot herder’s electronic instructions. This control over the PCs allows the ______ to mount a variety of Internet attacks.
bot herder
Trial-and-error method that uses software to guess information, such as the user ID and the password, needed to gain access to a system.
Brute force attack
Recovering passwords by trying every possible combination of upper- and lower-case letters, numbers, and special characters and comparing them to a cryptographic hash of the password.
Password cracking
When the amount of data entered into a program is greater than the amount of the input buffer. The input overflow overwrites the next computer instruction, causing the system to crash. Hackers exploit this by crafting the input so that the overflow contains code that tells the computer what to do next. This code could open a back door into the system.
Buffer overflow attack
(insertion) Inserting a malicious SQL query in input such that it is passed to and executed by an application program. This allows a hacker to convince the application to run SQL code that it was not intended to execute.
SQL injection attack
Taking control of someone else’s phone to make or listen to calls, send or read text messages, connect to the Internet, forward the victim’s calls, and call numbers that charge fees.
Bluebugging
Making a sender address and other parts of an e-mail header appear as though the e-mail originated from a different source.
E-mail spoofing
Displaying an incorrect number on the recipient’s caller ID display to hide the caller’s identity.
Caller ID spoofing
Activities performed on stolen credit cards, including making a small online purchase to determine whether the card is still valid and buying and selling stolen credit card numbers.
Carding
Planting a small chip that records transaction data in a legitimate credit card reader. The chip is later removed or electronically accessed to retrieve the data recorded on it.
Chipping
A fake EMV chip is inserted in a stolen card. When a purchase is declined, the perpetrator persuades the clerk to let the card be swiped, thereby bypassing the EMV verification.
EMV chip bypass
(XSS) A vulnerability in dynamic web pages that allows an attacker to bypass a browser’s security mechanisms and instruct the victim’s browser to execute code, thinking it came from the desired website.
Cross-site scripting
Hacking into and hijacking computing resources to mine cryptocurrency, thereby avoiding costs that can outweigh the value of the crypto mined.
Crypto jacking
Hacking into a wallet or using social engineering tactics to trick a person into revealing the digital keys needed to access their blockchain account.
Crypto wallet attacks
Manipulating the number of times an ad is clicked on to inflate advertising bills. Companies advertising online pay from a few cents to over $10 for each click on their ads.
Click fraud
The unauthorized copying or distribution of copyrighted software.
Software piracy
Threatening to harm a company or a person if a specified amount of money is not paid.
Cyberextortion
Software that encrypts programs and data until a ransom is paid to remove it.
Ransomware
Using computer technology to support deliberate, repeated, and hostile behavior that torments, threatens, harasses, humiliates, embarrasses, or otherwise harms another person.
Cyberbullying
A computer attack in which the attacker sends so many e-mail bombs or web page requests, often from randomly generated false addresses, that the Internet service provider’s e-mail server or the web server is overloaded and shuts down.
Denial-of-service attack (DoS)
Software that generates user ID and password guesses using information about the targeted company and a dictionary of possible user IDs and passwords to reduce the number of guesses required.
Dictionary attack
Listening to private communications or tapping into data transmissions intended for someone else. One way to intercept signals is by setting up a wiretap.
Eavesdropping
Double-swiping a credit card in a legitimate terminal or covertly swiping a credit card in a small, hidden, handheld card reader that records credit card data for later use.
Skimming
Theft of information, trade secrets, and intellectual property.
Economic espionage
Threats sent to victims by e-mail. The threats usually require some follow-up action, often at great expense to the victim.
E-mail threats
Using an Internet auction site to defraud another person.
Internet auction fraud
Techniques which use malware to infect online checkout pages and steal a customer’s personal and payment information.
E-skimming
A wireless network with the same name (Service Set Identifier) as a legitimate wireless access point.
Evil twin
Setting up similarly named websites so that users making typographical errors when entering a website name are sent to an invalid site.
Typosquatting/URL hijacking
Unauthorized access, modification, or use of an electronic device or some element of a computer system.
Hacking
Assuming someone’s identity, usually for economic gain, by illegally obtaining confidential information such as a Social Security number or a bank account or credit card number.
Identity Theft
Using the Internet to spread false or misleading information.
Internet misinformation
Using the Internet to pump up the price of a stock and then sell it.
Internet pump-and-dump fraud
Software that records computer activity, such as a user’s keystrokes, e-mails sent and received, websites visited, and chat session participation.
Keylogger
Inserting a sleeve into an ATM that prevents it from ejecting the card. The perpetrator pretends to help the victim, tricking the person into entering the PIN again. Once the victim gives up, the thief removes the card and uses it and the PIN to withdraw money.
Lebanese looping
Any software that is used to do harm.
Malware
A hacker placing himself between a client and a host to intercept communications between them; also called session hijacking.
Man-in-the-middle attack (MITM)
Gaining access to a system by pretending to be an authorized user. This requires that the perpetrator know the legitimate user’s ID and passwords.
Masquerading/impersonation
(1) Tapping into a communications line and electronically latching onto a legitimate user who unknowingly carries the perpetrator into the system.
(2) The clandestine use of a neighbor’s Wi-Fi network.
(3) An unauthorized person following an authorized person through a secure door, bypassing physical security controls.
Piggybacking
Programs that capture data from information packets as they travel over the Internet or company networks. Captured data is sifted to find confidential or proprietary information.
Packet sniffers
A program that can merge confidential information with a seemingly harmless file, password protect the file, and send it anywhere in the world, where the file is unlocked and the confidential information is reassembled.
The host file can still be heard or viewed because humans are not sensitive enough to pick up the slight decrease in image or sound quality.
Steganography program
Software program flaws that a hacker can exploit to either crash a system or take control of it.
Vulnerabilities
An attack between the time a new software vulnerability is discovered and “released into the wild” and the time a software developer releases a patch to fix the problem.
Zero-day attack
Code released by software developers that fixes a particular vulnerability.
Patch
Attacking phone systems to obtain free phone line access; to use phone lines to transmit malware; and to access, steal, and destroy data.
Phreaking
Sending an electronic message pretending to be a legitimate company, usually a financial institution, and requesting information or verification of information and often warning of a consequence if it is not provided. The request is bogus, and the information gathered is used to commit identity theft or to steal funds from the victim’s account.
Phishing
Redirecting website traffic to a spoofed website.
Pharming
Using an invented scenario (the pretext) that creates legitimacy in the target’s mind in order to increase the likelihood that a victim will divulge information or do something.
Pretexting
Creating a seemingly legitimate business, collecting personal information while making a sale, and never delivering the product.
Posing
Using a small device with storage capacity (iPod, flash drive) to download unauthorized data from a computer.
Podslurping
Stealing tiny slices of money from many different accounts.
Salami technique
Instructing the computer to round down all interest calculations to two decimal places. The fraction of a cent rounded down on each calculation is put into the programmer’s account. Most frequently found in financial institutions that pay interest.
Round-down fraud
Exchanging sexually explicit text messages and revealing pictures with other people, usually by means of a phone.
Sexting
A means of concealing system components and malware from the operating system and other programs; can also modify the operating system.
Rootkit
A segment of executable code that attaches itself to a file, program, or some other executable system component. When the hidden program is triggered, it makes unauthorized alterations to the way a system operates.
Virus
Malicious software of no benefit that is sold using scare tactics.
Scareware
Searching documents and records to gain access to confidential information.
- methods include searching garbage cans, communal trash bins, and city dumps.
Scavenging/dumpster diving
When perpetrators look over a person’s shoulders in a public place to get information such as ATM PIN numbers or user IDs and passwords.
Shoulder surfing
The techniques or psychological tricks used to get people to comply with the perpetrator’s wishes in order to gain physical or logical access to a building, computer, server, or network. It is usually to get the information needed to obtain confidential data.
Social engineering
Phishing except that texts are used to induce unsuspecting recipients to disclose personal information.
Smishing
Software that secretly monitors computer usage, collects personal information about users, and sends it to someone else, often without the computer user’s permission.
Spyware
Altering some part of an electronic communication to make it look as if someone else sent the communication in order to gain the trust of the recipient.
Spoofing
Using short message service (SMS) to change the name or number a text message appears to come from.
SMS spoofing
Sending an electronic message pretending to be a legitimate company, usually a financial institution, and requesting information or verification of information and often warning of a consequence if it is not provided. The request is bogus, and the information gathered is used to commit identity theft or to steal funds from the victim’s account.
Web-page spoofing
Simultaneously sending the same unsolicited message to many people, often in an attempt to sell them something.
Spamming
A program that lies idle until some specified circumstance or a particular time triggers it. Once triggered, the program sabotages the system by destroying programs or data.
Time bomb/logic bomb
A set of computer instructions that allows a user to bypass the system’s normal controls.
Trap door/back door
A set of unauthorized computer instructions in an authorized and otherwise properly functioning program.
Trojan horse
Software that destroys competing malware. This sometimes results in “malware warfare” between competing malware developers.
Torpedo software
Voice phishing; it is like phishing except the victim enters confidential data by phone.
Vishing
Programming a computer to dial thousands of phone lines searching for dialup modem lines. Hackers hack into the PC attached to the modem and access the network to which it is connected.
War dialing
Driving around looking for unprotected home or corporate wireless networks.
War driving
Similar to a virus, except that it is a program rather than a code segment hidden in a host program.
- also copies itself automatically and actively transmits itself directly to other systems.
Worm
The examination of the relationships between different sets of data; abnormal or unusual relationships and trends should be further investigated.
Analytical review
- Controls that prevent, detect, and correct transaction errors and fraud in application programs.
- They are concerned with the accuracy, completeness, validity, and authorization of the data captured, entered into the system, processed, stored, transmitted to other systems, and reported.
Application controls
The outside, independent board of director members responsible for financial reporting, regulatory compliance, internal control, and hiring and overseeing internal and external auditors.
Audit committee
- A path that allows a transaction to be traced through a data processing system from point of origin to output or backwards from output to point of origin.
- It is used to check the accuracy and validity of ledger postings and to trace changes in general ledger accounts from their beginning balance to their ending balance.
Audit trail
The process of restricting access of authenticated users to specific portions of the system and limiting what actions they are permitted to perform.
Authorization
An investigation of a prospective or current employee that involves verifying their educational and work experience, talking to references, checking for a criminal record or credit problems, and examining other publicly available information.
Background checks
System that describes how a company creates value, helps employees understand management’s vision, communicates company core values, and inspires employees to live by those values.
Belief system
System that helps employees act ethically by setting boundaries on employee behavior. Instead of telling employees exactly what to do, they are encouraged to creatively solve problems and meet customer needs while meeting minimum performance standards, shunning off-limit activities, and avoiding actions that might damage their reputation.
Boundary system
Process of making sure changes are made smoothly and efficiently and do not negatively affect the system.
Change management
(CCO) An employee responsible for all the compliance tasks associated with SOX and other laws and regulatory rulings.
Chief compliance officer
Cooperation between two or more people in an effort to thwart internal controls.
Collusion
(COSO) A private-sector group consisting of the American Accounting Association, the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives Institute.
Committee of Sponsoring Organizations
Computer experts who discover, extract, safeguard, and document computer evidence such that its authenticity, accuracy, and integrity will not succumb to legal challenges.
Computer forensics specialists
People who operate the company’s computers. They ensure that data are input properly, processed correctly, and that needed output is produced.
Computer operators
(CSO) An employee independent of the information system function who monitors the system, disseminates information about improper system uses and their consequences, and reports to top management.
Computer security officer
Policies, procedures, and rules that provide reasonable assurance that control objectives are met and risk responses are carried out.
Control activities
The company culture that is the foundation for all other internal control components, as it influences how organizations establish strategies and objectives; structure business activities; and identify, assess, and respond to risk.
Control environment
(COBIT) A security and control framework that allows
(1) management to benchmark the security and control practices of IT environments,
(2) users of IT services to be assured that adequate security and control exist, and
(3) auditors to substantiate their internal control opinions and advise on IT security and control matters.
Control Objectives for Information and Related Technology
Controls that identify and correct problems as well as correct and recover from the resulting errors, such as maintaining backup copies of files, correcting data entry errors, and resubmitting transactions for subsequent processing.
Corrective controls
Controls designed to discover control problems that were not prevented, such as duplicate checking of calculations and preparing bank reconciliations and monthly trial balances.
Detective controls
Controls that deter problems before they arise, such as hiring qualified accounting personnel; appropriately segregating employee duties; and effectively controlling physical access to assets, facilities, and information.
Preventive controls
People who ensure that source data is approved, monitor the flow of work, reconcile input and output, handle input errors, and distribute systems output.
Data control
People responsible for making sure a system operates smoothly and efficiently.
Systems administrators
People who ensure that the organization’s networks operate properly.
Network Managers
People who make sure systems are secure and protected from internal and external threats.
Security Management
An executive-level committee to plan and oversee the information systems function; it typically consists of management from systems and other areas affected by the information systems function.
Steering committee
A multiple-year plan of the projects the company must complete to achieve its long-range goals.
Strategic master plan
Document showing project requirements (people, hardware, software, and financial), a cost–benefit analysis, and how a project will be completed (modules or tasks to be performed, who will perform them, and completion dates).
Project development plan
Points where progress is reviewed and actual and estimated completion times are compared.
Project milestones
A schedule that shows when each data processing task should be performed.
Data processing schedule
Ways to evaluate and assess a system. Common measurements include throughput (output per unit of time), utilization (percentage of time the system is being productively used), and response time (how long it takes the system to respond).
System performance measurements
(1) The total amount of useful work performed by a computer system during a given period of time.
(2) The number of “good” units produced in a given period of time.
Throughput
The percentage of time a system is used.
Utilization
How long it takes for a system to respond, such as the amount of time that elapses between making a query and receiving a response.
Response time
An outside party hired to manage a company’s systems development effort.
Systems integrator
System that measures, monitors, and compares actual company progress to budgets and performance goals; feedback helps management adjust and fine-tune inputs and processes so future outputs more closely match goals.
Diagnostic control system
A hash encrypted with the hash creator’s private key.
Digital signature
The mathematical product of the potential dollar loss that would occur should a threat become a reality (called impact or exposure) and the risk or probability that the threat will occur (called likelihood).
Expected loss
Any potential adverse occurrence or unwanted event that could injure the AIS or the organization. Also referred to as an event.
Threat
The potential dollar loss if a particular threat becomes a reality.
Exposure/impact
The probability that a threat will come to pass.
Likelihood/risk
(FCPA) Legislation passed to prevent companies from bribing foreign officials to obtain business; it also requires that all publicly owned corporations maintain a system of internal accounting controls.
Foreign Corrupt Practices Act
Individuals who specialize in fraud, most of whom have specialized training with law enforcement agencies such as the FBI or IRS or have professional certifications such as Certified Fraud Examiner (CFE).
Forensic investigators
A phone number employees can call to anonymously report fraud and abuse.
Fraud hotline
The authorization given employees to handle routine transactions without special approval.
General authorization
Controls designed to make sure an organization’s information system and control environment is stable and well managed, such as security; IT infrastructure; and software acquisition, development, and maintenance controls.
General controls
The susceptibility of a set of accounts or transactions to significant control problems in the absence of internal control.
Inherent risk
The risk that remains after management implements internal controls or some other response to risk.
Residual risk
System that helps managers to focus subordinates’ attention on key strategic issues and to be more involved in their decisions; system data are interpreted and discussed in face-to-face meetings of superiors, subordinates, and peers.
Interactive control system
The processes and procedures implemented to provide reasonable assurance that control objectives are met.
Internal controls
(IC) A COSO framework that defines internal controls and provides guidance for evaluating and enhancing internal control systems; widely accepted authority on internal controls incorporated into policies, rules, and regulations used to control business activities.
Internal Control—Integrated Framework
Computing systems that imitate the brain’s learning process by using a network of interconnected processors that perform multiple operations simultaneously and interact dynamically.
Neural networks
A document that explains proper business practices, describes needed knowledge and experience, explains document procedures, explains how to handle transactions, and lists the resources provided to carry out specific duties; it includes the chart of accounts, copies of forms and documents, and is a helpful on-the-job reference and training tool.
Policy and procedures manual
Review made after a new system has been operating for a brief period to ensure that the new system is meeting its planned objectives, identify the adequacy of system standards, and review system controls.
Postimplementation review
People who use the analysts’ design to create and test computer programs.
Programmers
(PCAOB) A board created as part of SOX that regulates the auditing profession.
Public Company Accounting Oversight Board
The amount of risk a company is willing to accept to achieve its goals and objectives. To avoid undue risk, risk appetite must be in alignment with company strategy.
Risk appetite
(SOX) Legislation intended to prevent financial statement fraud, make financial reports more transparent, provide protection to investors, strengthen internal controls at public companies, and punish executives who perpetrate fraud.
Sarbanes–Oxley Act
Separating the accounting functions of authorization, custody, and recording to minimize an employee’s ability to commit fraud.
Segregation of accounting duties
Implementing control procedures to clearly divide authority and responsibility within the information system function.
Segregation of systems duties
Special approval an employee needs in order to be allowed to handle a transaction.
Specific authorization
People who help users determine their information needs, study existing systems and design new ones, and prepare specifications used by computer programmers.
Systems analysts
People who record transactions, authorize data processing, and use system output.
Users