Test 2

Question 1

What are some threats to AIS?

Answer 1

Natural and Political Disasters
Software errors and equipment malfunctions
Unintentional acts - human errors and omissions
Intentional acts - computer crimes/sabotage

Question 2

What is the greatest risk to information systems and causes the greatest cumulative dollar losses?

Answer 2

Unintentional acts - human errors and omissions

Question 3

What is Fraud?

Answer 3

Any and all means a person uses to gain an unfair advantage over another person

Question 4

What are the two most common types of fraud?

Answer 4

Misappropriation of assets (e.g. theft of company assets by employees)

Fraudulent financial reporting (e.g. intentional or reckless conduct)

Question 5

What are the Three Keys parts of the Fraud Triangle?

Answer 5

Pressure: person’s incentive or motivation for committing fraud
Rationalization: excuse that person uses to justify their illegal behavior
Opportunity: condition or situation that allows a person or organization to commit and conceal fraud

Question 6

Why is a high percentage of fraud not recorded?

Answer 6

Don’t want adverse publicity resulting from copycat fraud

Question 7

What is the simplest and most common way to commit computer fraud?

Answer 7

Input

E.g. alter source documents

Question 8

What is unauthorized system use?

Answer 8

Processor

Question 9

What is tampering with computer software, copying software illegally, using software in an unauthorized manner, and developing software to carry out an unauthorized activity?

Answer 9

Computer instructions

Question 10

What is illegally using, copying, browsing, searching, or harming company data (“data breach”)?

Answer 10

Data

Question 11

What is displayed or printed output that can be stolen, copied, or misused unless properly safeguarded?

Answer 11

Output

Question 12

Why is control needed?

Answer 12

Threat/event - potential adverse occurrence
Exposure/impact - potential dollar loss
Likelihood/risk - probability

Question 13

What are Internal Controls?

Answer 13

Ongoing processes/procedures implemented to provide reasonable assurance that control objectives are met

Question 14

What are some of the control objectives?

Answer 14

Safeguard assets
Maintain records
Provide accurate and reliable information
Prepare financial reports in accordance with established criteria
Promote and improve operational efficiency
Encourage adherence to prescribed managerial policies
Comply with applicable laws and regulations

Question 15

What are the 2 categories of Internal Controls?

Answer 15

General - make sure control environment is stable and well managed

Application - preventative, detective, and corrective with problems

Question 16

What did the Foreign Corrupt Practices Act (1977) do?

Answer 16

Prevent companies from bribing foreign officials to obtain business

Requires all public companies to maintain a system of internal accounting controls

Question 17

What did SOX (2002) do?

Answer 17

Created Public Company Accounting Oversight Board (PCAOB)
New rules for auditors (cannot perform certain non-audit services for clients, e.g. audit and consulting)
CEO and CFO have to sign off on financial statements and footnotes are fairly presented
Members of audit committees must also be members of the Co’s Board of Directors

Question 18

What does “CRIME” stand for?

Answer 18

Control Activities
Risk Assessment
Information and Communcation
Monitoring
Control/Internal Environment

Question 19

What is the difference in approach from COSO-IC and COSO-ERM?

Answer 19

COSO-IC = “control based”

COSO-ERM = “risk based” (CRIME + objective setting, event identification, and risk response)

Question 20

What are Control Activities?

Answer 20

Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out

Question 21

What is Risk Assessment?

Answer 21

Includes an assessment of all threats (natural & political, software error/equipment failures, unintentional acts, intentional acts)

Question 22

What is Information and Communication?

Answer 22

Relevant information is identified, captured, and communicated in a form and time frame that enable people to carry out their responsibilities

Question 23

What is Monitoring?

Answer 23

The entirety of enterprise risk management is monitored and modifications made as necessary

Question 24

What is Control/Internal Environment?

Answer 24

“Tone at the Top;” control consciousness; encompassses the tone of an organization and sets the basis for how risk is viewed and addressed by an entity’s people