Test 2 Flashcards
What are some threats to AIS?
Natural and Political Disasters
Software errors and equipment malfunctions
Unintentional acts - human errors and omissions
Intentional acts - computer crimes/sabotage
What is the greatest risk to information systems and causes the greatest cumulative dollar losses?
Unintentional acts - human errors and omissions
What is Fraud?
Any and all means a person uses to gain an unfair advantage over another person
What are the two most common types of fraud?
Misappropriation of assets (e.g. theft of company assets by employees)
Fraudulent financial reporting (e.g. intentional or reckless conduct)
What are the Three Key parts of the Fraud Triangle?
Pressure: person’s incentive or motivation for committing fraud
Rationalization: excuse that person uses to justify their illegal behavior
Opportunity: condition or situation that allows a person or organization to commit and conceal fraud
Why is a high percentage of fraud not recorded?
Companies don’t want the adverse publicity and the copycat fraud that can follow from reporting it
What is the simplest and most common way to commit computer fraud?
Input
E.g. alter source documents
What is unauthorized system use?
Processor
What is tampering with computer software, copying software illegally, using software in an unauthorized manner, and developing software to carry out an unauthorized activity?
Computer instructions
What is illegally using, copying, browsing, searching, or harming company data (“data breach”)?
Data
What is displayed or printed output that can be stolen, copied, or misused unless properly safeguarded?
Output
Why is control needed?
Threat/event - potential adverse occurrence
Exposure/impact - potential dollar loss
Likelihood/risk - probability
What are Internal Controls?
Ongoing processes/procedures implemented to provide reasonable assurance that control objectives are met
What are some of the control objectives?
Safeguard assets
Maintain records
Provide accurate and reliable information
Prepare financial reports in accordance with established criteria
Promote and improve operational efficiency
Encourage adherence to prescribed managerial policies
Comply with applicable laws and regulations
What are the 2 categories of Internal Controls?
General - make sure control environment is stable and well managed
Application - preventive, detective, and corrective controls for dealing with problems
What did the Foreign Corrupt Practices Act (1977) do?
Prevent companies from bribing foreign officials to obtain business
Requires all public companies to maintain a system of internal accounting controls
What did SOX (2002) do?
Created Public Company Accounting Oversight Board (PCAOB)
New rules for auditors (cannot perform certain non-audit services for clients, e.g. audit and consulting)
CEO and CFO have to sign off that financial statements and footnotes are fairly presented
Members of audit committees must also be members of the Co’s Board of Directors
What does “CRIME” stand for?
Control Activities
Risk Assessment
Information and Communication
Monitoring
Control/Internal Environment
What is the difference in approach from COSO-IC and COSO-ERM?
COSO-IC = “control based”
COSO-ERM = “risk based” (CRIME + objective setting, event identification, and risk response)
What are Control Activities?
Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out
What is Risk Assessment?
Includes an assessment of all threats (natural & political, software error/equipment failures, unintentional acts, intentional acts)
What is Information and Communication?
Relevant information is identified, captured, and communicated in a form and time frame that enable people to carry out their responsibilities
What is Monitoring?
The entirety of enterprise risk management is monitored and modifications made as necessary
What is Control/Internal Environment?
“Tone at the Top;” control consciousness; encompasses the tone of an organization and sets the basis for how risk is viewed and addressed by an entity’s people