Chapter 4 Flashcards

1
Q

apply overall to
the IT accounting system; they are not restricted to any particular accounting
application. An example of a general control is the use of passwords to allow
only authorized users to log in to an IT based accounting system. Without
regard to processing data in any specific application, passwords should be
employed in the IT system.

A

General controls

2
Q

are used specifically in accounting applications to control
inputs, processing, and outputs. Application controls are intended to ensure that
inputs and processing are accurate and complete and that outputs are properly
distributed, controlled, and disposed.

An example of an input application control is a validity check.

A

Application controls

3
Q

GENERAL CONTROLS FOR IT SYSTEMS divided into five broad categories:

A
  1. Authentication of users and limiting unauthorized access
  2. Hacking and other network break-ins
  3. Organizational structure
  4. Physical environment and physical security of the system
  5. Business continuity
4
Q

is a process or procedure in an IT system to ensure that
the person accessing the IT system is a valid and authorized user. Unauthorized users trying to access IT systems is a prevalent, difficult, and ongoing problem
that organizations must try to control. Unauthorized users may be hackers or
people outside the organization, or users within the company trying to gain
access to data they are not entitled to. In order to limit unauthorized access,
there are many general controls that should be in place.

A

Authentication of users

5
Q

means to make the computer recognize you in order
to create a connection at the beginning of a computer session. To increase the
effectiveness of log-in restriction, user IDs must be unique for each user.

A

Log in

6
Q

is a secret set of characters that identifies the user as the authentic owner
of that associated user ID. It should be at least eight characters in
length and contain at least one nonalphanumeric character. Such passwords
would be difficult to guess.

A

password

7
Q

To increase the
effectiveness of log-in restriction, ___________ must be unique for each user

A

user IDs

8
Q

The use of passwords can be strengthened by the use of a _______ that the user carries. The _______ is plugged into the computer’s card reader
and helps authenticate that the user is valid. It is a credit
card–sized device with an integrated circuit that displays a constantly changing
ID code. The user enters her password, and then the smart card displays
an ID that she uses to log in. The smart card typically changes the user ID
every 5 minutes or so.

A

smart card

9
Q

A newer technology to authenticate users is a __________, which plugs
into the USB port and thereby eliminates the need for a card reader. Otherwise,
the purpose and use of the security token are the same as those of a smart
card.

A

security token

10
Q

The use of smart cards or tokens can reduce unauthorized access, since the
person who logs in must physically possess and use the smart card or token.
The authentication of the user is called ____________ because it is
based on something the user has, the token, and something the user knows, the
password. A hacker located several hundred miles away from the organization
would not have access to the smart card or token.

A

two-factor authentication

11
Q

can also be used to authenticate users and limit unauthorized
access. It uses some unique physical characteristic of the
user to identify the user and allow the appropriate level of access to that user.

A

Biometric devices

12
Q

is a complete record of all dates, times, and uses for
each user. Any abnormalities in log-in or use can be examined in more detail
to determine any weaknesses in log-in procedures. Also, the log-in procedures
and logs establish nonrepudiation of users.

A

computer log

13
Q

means that a user
cannot deny any particular act that he or she did on the IT system. That is, if a
user logged in and changed data fraudulently, the log-in procedures and logs
help establish undeniably which user took the action. Nonrepudiation is
extremely important in verifying sales to customers.

A

Nonrepudiation

14
Q

The_________ , which should
be established for every authorized user, determines each user’s access levels
to hardware, software, and data according to the individual’s job responsibilities.

A

user profile

15
Q

contains a list of valid, authorized users and the access level
granted to each one. For instance, one user within the payroll area may need
to both read and write data, while another may need only read access. These
user profiles may be defined in authority tables. Authority tables are an integral
part of the computer system, and when a user logs in, the system looks
up the nature and type of access to which that user is entitled.

A

authority table

16
Q

The IT system also has________ for hardware, software, and application
programs that contain the appropriate set-up and security settings. It is
important to limit user access to these configuration tables so that security
settings are not changed by unauthorized users. The hardware and operating
system configuration table contains security and operating settings for hardware
and the operating system. The application software configuration table contains
security and operating settings for the application software.

A

configuration tables

17
Q

is hardware,
software, or a combination of both that is designed to block unauthorized access.
All data traveling between the internal network and the Internet should pass
through the firewall first. The firewall examines all data passing through it, and
if the firewall detects unauthorized attempts to pass data, it prevents the flow
of such data. The firewall can prevent the unauthorized flow of data in both
directions, blocking access to data on the network server by preventing
unauthorized requests to log in or read data.

A

firewall

18
Q

is the process of converting data into secret codes referred to as
cipher text. Encrypted data can only be decoded by those who possess the
encryption key or password. It renders the data useless to those who
do not possess the correct encryption key.

A

Encryption

19
Q

There are two types of encryption: symmetric encryption and public key
encryption.

A
20
Q

uses a single encryption key that must be used
to encrypt data and also to decode the encrypted data. The sender of the data
and the receiver must have the same encryption key. However, it is difficult for
the sender to communicate the encryption key to the receiver without
compromising the key.

A

Symmetric encryption

21
Q

uses both a public key and a private key.
The public key, which can be known by everyone, is used to encrypt the data, and
a private key is used to decode the encrypted data. Knowing which public
encryption method a receiver uses enables the sender to use that public key to encrypt
the data, and the receiver will use her private key to decode the data.

A

Public key encryption

22
Q

A wireless network must have an access point, or a transmitter, that sends the
network signals. The computer connected to the wireless network must have a
wireless network card to receive the signals. Wireless network equipment, such
as access points and wireless network cards, uses an encryption method called

A

wired equivalency privacy, or WEP.

23
Q

Because WEP has proven to be susceptible to hacking, the industry
has developed a new wireless network security system called ____________ which has improved encryption and user authentication. With
the improved encryption method, WPA can check to see whether encryption
keys have been tampered with. WEP is based on a computer-specific address,
which is easy for hackers to determine and misuse. A wireless network that uses
WPA, on the other hand, requests connection to the network via an access point.
The access point then requests the user identity and transmits that identity to

A

wireless protected
access, or WPA,

24
Q

is a password that is passed between the sending and receiving nodes of a wireless network. Most wireless
network equipment sets a default SSID of “any” so that any wireless equipment
can connect to it.

A

service set identifier, or SSID.

25
Q

utilizes tunnels, authentication, and encryption within the Internet network to isolate Internet communications so that unauthorized users cannot access or use certain data. A VPN is employed when the employee connects to the IT system through a public network such as the Internet. A VPN uses the Internet—it is therefore not truly private, but virtually private. The network traffic can be made to be virtually private by technology.

A

virtual private network

26
Q

is a communication protocol built into Web server and browser software that encrypts data transferred on that website. If you have ever ordered products on a website, you were probably using SSL technology to encrypt personal data such as your credit card number. You can determine whether such sites use SSL technology by examining the URL address. Most website addresses begin with http:// preceding the URL, but SSL addresses begin with https:// preceding the URL.

A

secure sockets layer, or SSL

27
Q

is a self-replicating piece of program code that can attach itself to other programs and data and perform malicious actions such as deleting files or shutting down the computer.

A

virus

28
29
Q

is a small piece of program code that attaches to the computer’s unused memory space and replicates itself until the system becomes overloaded and shuts down.

A

worm

30
Q

To avoid destruction of data programs and to maintain operation of the IT system, an organization must employ ________ which continually scans the system for viruses and worms and either deletes or quarantines them. It renders virus and worm program code harmless.

A

antivirus software

31
Q

is the process of proactively examining the IT system for weaknesses that can be exploited by hackers, viruses, or malicious employees. When an organization engages in vulnerability assessment by using manual testing or automated software tools, it can identify weaknesses before they become network break-ins and attempt to fix these weaknesses before they are exploited.

A

Vulnerability assessment

32
Q

are specific software tools that monitor data flow within a network and alert the IT staff to hacking attempts or other unauthorized access attempts. An intrusion detection system can be thought of as the burglar alarm for the IT system in that it alerts the appropriate users of break-ins.

A

Intrusion detection systems

33
Q

is the process of legitimately attempting to hack into an IT system to find whether weaknesses can be exploited by unauthorized hackers. Penetration testing is sometimes done by the IT staff within an organization, but more often an outside consultant with experience in penetration testing is hired to complete the tests.

A

Penetration testing

34
35
Q

is the careful and responsible oversight and use of the assets entrusted to management. This requires that management maintain systems which allow it to demonstrate that it has appropriately used these funds and assets.

A

Stewardship

36
Q

The management obligations of stewardship and reporting point to the need to maintain accurate and complete accounting systems and to protect assets. To fulfill these obligations, management must maintain internal controls and enforce a

A

code of ethics

37
Q

a process, affected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
  1. effectiveness and efficiency of operations
  2. reliability of financial reporting
  3. compliance with applicable laws and regulations.

A

Committee of Sponsoring Organizations’ (COSO’s) report on internal control. The COSO report defines internal control as follows:

38
Q

can be defined as the theft, concealment, and conversion to personal gain of another’s money, physical assets, or information. Notice that this definition includes theft and concealment.

A

Fraud

39
Q

involves theft of any item of value. It is sometimes referred to as a defalcation, or internal theft, and the most common examples are theft of cash or inventory. Restaurants and retail stores are especially susceptible to misappropriation of assets because their assets are readily accessible by employees.

A

Misappropriation of assets

40
Q

involves the falsification of accounting reports. This is often referred to as earnings management, or fraudulent financial reporting.

A

Misstatement of financial records

41
Q

fraud triangle

A
  1. Incentive
  2. Opportunity
  3. Rationalization

42
Q

Some kind of incentive or pressure typically leads fraudsters to their deceptive acts. Financial pressures, market pressures, job-related failures, or addictive behaviors may create the incentive to commit fraud.

A

Incentive to commit the fraud

43
Q

Circumstances may provide access to the assets or records that are the objects of fraudulent activity. Only those persons having access can pull off the fraud. Ineffective oversight is often a contributing factor.

A

Opportunity to commit the fraud

44
Q

Fraudsters typically justify their actions because of their lack of moral character. They may intend to repay or make up for their dishonest actions in the future, or they may believe that the company owes them as a result of unfair expectations or an inadequate pay raise.

A

Rationalization of the fraudulent action.

45
Q

conducted by one or more top-level managers within the company, is usually in the form of fraudulent financial reporting.

A

Management fraud

46
Q

Managers misstate financial statements in order to receive such indirect benefits as the following:

A
  1. Increased stock price. Management usually owns stock in the company, and it benefits from increased stock price.
  2. Improved financial statements, which enhance the potential for a merger or initial public offering (IPO), or prevent negative consequences due to noncompliance with debt covenants or decreased bond ratings.
  3. Enhanced chances of promotion, or avoidance of firing or demotion.
  4. Increased incentive-based compensation such as salary, bonus, or stock options.
  5. Delayed cash flow problems or bankruptcy.

47
Q

may involve overstating revenues and assets, understating expenses and liabilities, misapplying accounting principles, or any combination of these.

A

Management fraud

48
Q

These two examples illustrate that management fraud typically

A
  1. Is intended to enhance financial statements
  2. Is conducted or encouraged by the top managers
  3. Involves complex transactions, manipulations, or business structures
  4. Involves top management’s circumvention of the systems or internal controls that are in place—known as management override

49
Q

Involves top management’s circumvention of the systems or internal controls that are in place—known as

A

management override

50
Q

is conducted by nonmanagement employees. This usually means that an employee steals cash or assets for personal gain.

A

Employee fraud

51
Q

Kinds of employee fraud

A
  1. Inventory theft
  2. Cash receipt theft
  3. Accounts payable fraud
  4. Payroll fraud
  5. Expense account fraud

52
Q

Inventory can be stolen or misdirected. This could be merchandise, raw materials, supplies, or finished goods inventory.

A

Inventory theft

53
Q

This occurs when an employee steals cash from the company. An example would be the theft of checks collected from customers.

A

Cash receipt theft

54
Q

Here, the employee may submit a false invoice, create a fictitious vendor, or collect kickbacks from a vendor. A kickback is a cash payment that the vendor gives the employee in exchange for the sale; it is like a business bribe.

A

Accounts payable fraud

55
Q

is a cash payment that the vendor gives the employee in exchange for the sale

A

Kickback

56
Q

This occurs when an employee submits a false or inflated time card.

A

Payroll fraud

57
Q

This occurs when an employee submits false travel or entertainment expenses, or charges an expense ledger account to cover the theft of cash.

A

Expense account fraud

58