Week 3 - ACCO 350

Information Systems
Security & Controls
ACCO 350 - Class 3
Professor Anila Kosta
Department of Accountancy
Today's plan:
• Practice MCQ based on last week's class on fraud
• Explain control concepts and computer controls
• Kildar and Finsana examples of internal controls
• COSO-ERM and Levers of Control (LOC) frameworks
• QuickBooks overview
• Group project: create the teams for the group project
Next week's topic:
• Class 4: Confidentiality, Privacy, Processing Integrity & Availability of Information Systems
• Finalize teams for the group project
Practice Multiple Choice Questions
Topics from Class 2
Fraud
Question 1
Which of the following statements is false?
A. The psychological profiles of white-collar criminals differ
from those of violent criminals
B. The psychological profiles of white-collar criminals are
significantly different from those of the general public
C. There is little difference between computer fraud
perpetrators and other types of white-collar criminals
D. Some computer fraud perpetrators do not view themselves
as criminals
Question 2
Which of the following conditions is/are usually necessary for a fraud to occur? Select all correct answers.
A. Pressure
B. Opportunity
C. Explanation
D. Rationalization
Question 3
Which of the following is not an example of computer fraud?
A. Theft of money by altering computer records
B. Obtaining information illegally using a computer
C. Failure to perform preventative maintenance on a computer
D. Unauthorized modification of a software program
Question 4
Which of the following causes the majority of security problems?
A. Human errors
B. Software errors
C. Natural disasters
D. Power outages
E. Computer fraud
Question 5
Which of the following is not one of the responsibilities of auditors in detecting fraud?
A. Evaluate the results of audit tests
B. Incorporating a technological focus
C. Discuss the risk of material fraudulent misstatements
D. Catching the perpetrators of fraud
Question 6
Which of the following is the most important, basic, & effective control to deter fraud?
A. Enforce vacations
B. Logical access control
C. Segregation of duties
D. Virus protection controls
Question 7
Once fraud has occurred, which of the following will reduce fraud losses? Select all correct answers.
A. Insurance
B. Regular backup of data & programs
C. Contingency plan
D. Segregation of duties
Question 8
Which of the following is not an effective fraud control?
A. A whistleblower hotline
B. Background check
C. Code of Ethics & Conduct
D. Business insurance
Personality Test
Test yourself:
• Machiavellian? (manipulative attitude)
• Narcissism? (excessive self-love)
• Psychopathy? (lack of empathy)
https://openpsychometrics.org/tests/SD3/
Class 3
AIS Control & Security
Internal Controls
Internal controls are procedures and processes put into place by a
company to prevent fraud, promote accountability and ensure the
integrity of financial data.
Internal controls are unique to every company and designed according
to the company's size and structure.
Effective and efficient internal controls aim to meet company objectives and protect the company's interests. Internal controls not only address risks to the company but also reduce the incurrence of unnecessary cost or effort.
Internal Controls
Processes implemented to provide reasonable assurance that the following objectives are achieved:
• Safeguard assets
• Maintain appropriate records
• Provide accurate and reliable information
• Prepare managerial reports
• Promote and improve operational efficiency
• Encourage adherence to policies
• Comply with laws and regulations
The purpose of a strong internal control system is to reassure users
of the reliability of the information in an organization.
A strong control system strengthens governance, allows
management objectives to be achieved, and mitigates the risk of
fraud by increasing employee perception of detection.
Internal Auditing
• Analyze business processes, procedures, and activities with the goal of highlighting problems and recommending solutions; internal auditors advise management on operations
• Look at the efficiency of activities, the reliability of information, fraud prevention, the safeguarding of assets, risk management, and IT controls
Example of Results from an Internal Audit
• The purchasing system is poorly documented
• Some transactions have not been processed
• Purchase requisitions are missing
• Some vendor invoices have been paid without supporting documents, such as the PO and receiving reports
• Management authority is held by the company president and his two sons
• Several relatives and friends are on the payroll
• Lines of authority and responsibility are loosely defined
• Management may have engaged in creative accounting to make the firm look like a better performer
External Auditing
• Performs an audit on the financial statements (F/S)
• Issues an opinion on whether the F/S are free of material misstatements and errors
• F/S users rely on the external auditor to present an unbiased and independent evaluation
• Checks compliance with laws and regulations
Control & Security
• As an accountant, you must understand how to protect the AIS from threats
• You must also have a good understanding of IT and its risks
• Management expects accountants to:
1. Take a proactive approach to eliminating threats to the AIS (prevention), and
2. Detect, correct, and recover from threats when they happen
The Control Concept
• Internal control is a process that provides reasonable assurance that the control objectives are achieved
• Internal control provides reasonable, rather than absolute, assurance, because complete assurance would be difficult to achieve and far too expensive
Cost-Benefit of Controls
• No internal control system can provide foolproof protection against all events
• Too many controls would slow operations and affect efficiency
• Therefore, the objective in designing an internal control system is to provide, at an affordable cost, reasonable assurance that problems do not take place
• The benefits of an internal control procedure must exceed its costs
Accounting Frauds in the Early 2000s
• Enron, WorldCom, Parmalat, Tyco, Adelphia
• Arthur Andersen, one of the Big 5 CPA firms, collapsed
• In response to these frauds, the US Congress passed the Sarbanes-Oxley Act (SOX)
• Canada and other countries implemented similar SOX-type rules
SOX Act
• The intent of SOX is to:
  • Prevent financial statement fraud
  • Make financial reports more transparent
  • Protect investors
  • Punish executives who perpetrate fraud
  • Strengthen internal controls
• SOX has had a material impact on the way boards of directors, management, and CPAs now operate
Impact of SOX on CPAs
• Public Company Accounting Oversight Board (PCAOB): oversees the auditing profession
• New rules for auditors: e.g. audit partners must rotate; auditors are prohibited from performing most non-audit services for their audit clients
• Audit committee: part of the board of directors, independent, includes a financial expert, oversees the external auditors
• CEO and CFO can be prosecuted and fined
• Management is responsible for establishing and maintaining an adequate internal control system
Control Frameworks
A number of frameworks exist to help companies develop sound internal control systems:
• COSO-ERM (Committee of Sponsoring Organizations - Enterprise Risk Management)
• LOC (Levers of Control)
COSO and ERM
COSO (Internal Control–Integrated Framework) components:
• Control environment
• Control activities
• Risk assessment
• Information and communication
• Monitoring
(+) ERM adds:
• Setting objectives
• Event identification
• Risk response
= COSO-ERM
COSO Evolution
Why update what works? The Framework has become the most widely adopted control framework worldwide.
• 1992: Original Framework, COSO's Internal Control–Integrated Framework (1992 Edition)
• 2006 and 2009: refresh objectives, enhancements
• May 2013: Updated Framework, COSO's Internal Control–Integrated Framework (2013 Edition)
The 2013 update:
• Reflects changes in business and operating environments (updates the context)
• Expands operations and reporting objectives (broadens application)
• Articulates principles to facilitate effective internal control (clarifies requirements)
Environment changes that have driven the Framework updates:
• Expectations for governance oversight
• Globalization of markets and operations
• Changes and greater complexity in business
• Demands and complexities in laws, rules, regulations, and standards
• Expectations for competencies and accountabilities
• Use of, and reliance on, evolving information technologies
• Expectations relating to preventing and detecting fraud
COSO Cube
The update articulates 17 principles of effective internal control, grouped by component:
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
Example: controls embedded in other components may affect a principle
Component: Control Environment
Principle 1: Demonstrates a commitment to integrity and ethical values
Controls embedded in other components that support this principle:
• HR reviews employees' confirmations to assess whether standards of conduct are understood and adhered to by staff across the entity (Control Environment)
• Reviews information underlying potential deviations captured in the whistleblower hotline to assess the quality of the information (Information & Communication)
• Internal Audit separately evaluates the Control Environment, considering employee behaviours and whistleblower hotline results, and reports thereon (Monitoring Activities)
COSO – To Remember
• The Framework does not prescribe the controls to be selected, developed, and deployed for effective internal control
• An organization's selection of controls is a function of management judgment based on factors unique to the entity
• A major deficiency in a component or principle cannot be mitigated to an acceptable level by the presence and functioning of other components and principles
Enterprise Risk Management (ERM) Framework: Integration with Strategy & Performance
Builds links to internal control:
• The document does not replace the Internal Control–Integrated Framework
• The two frameworks are distinct and complementary
• Aspects of internal control common to ERM are not repeated
Link to Strategy
Explores strategy from three different perspectives:
• Strategy and objectives to be aligned with mission, vision and values
• Implications of the strategy chosen
• Risk in executing the strategy
Internal Controls: the Internal Environment
• The internal environment consists of:
  • Management's philosophy, operating style, and risk appetite
  • The board of directors (audit committee)
  • Commitment to integrity, ethical values, and competence
  • Organizational structure
  • Methods of assigning authority and responsibility
  • Human resource standards
  • External influences (ex. regulator, PCAOB)
Risk Assessment & Response
1. Identify the events/threats that confront the organization
2. Estimate the probability of each threat occurring
3. Estimate the impact of the potential loss from each threat
4. Identify the set of controls to guard against the threat
5. Estimate the costs and benefits of instituting the controls
6. Determine whether the controls are cost-beneficial:
   • Yes: reduce the risk by implementing the set of controls to guard against the threat
   • No: avoid, share, or accept the risk
Event Identification
Identifying incidents that could affect the achievement of the organization's objectives
Key management questions:
• What could go wrong?
• How can it go wrong?
• What is the potential harm?
• What can be done about it?
Risk Assessment
Probability that the event will occur, and impact, e.g. the estimated loss if the event occurs
Risk responses:
• Reduce: implement internal controls
• Accept: do nothing, accept the impact
• Share: buy insurance, outsource
• Avoid: do not engage in the activity; ex. sell a division, exit a product line
Simons' Levers of Control
An important management control framework
Four levers of control:
• Diagnostic Control Systems
• Belief Systems
• Boundary Systems
• Interactive Control Systems
Managers have to balance initiative and innovation against control: the Yin and the Yang
Diagnostic Control Systems
• Evaluate whether a firm is performing to expectations
• Achievement of pre-established goals
• Provide direction, by correcting deviations from pre-set targets, to monitor the strategy (the firm's precise intentions and plans); often performed through a budgeting approach
Belief Systems
• Articulate and communicate the mission and the firm's core values, inspiring participants to commit to objectives
• Describe the accepted norms and patterns of expected behaviour
• Broad enough to appeal to different groups
• Managers must integrate the statements into their own behaviour to make the belief system a powerful lever of control
Belief Systems
Intrinsic motivation:
• The desire to achieve self-satisfaction from good performance, regardless of external rewards ($, bonus)
• Ex.: greater responsibility; doing interesting and creative work; taking pride in one's work; organizational commitment; a sense of achievement; job satisfaction; personal growth; recognition
• Goal: to inspire employees and develop commitment toward the firm they work for
Boundary Systems
• Boundary systems describe the standards of behaviour and codes of conduct expected of all employees (what is appropriate and what is not)
• Highlight actions that are "off-limits"
• Rules, interdictions
• What not to do
Here we refer to expected behaviour and the code of conduct/ethics
Interactive Control Systems
• Opportunity to learn throughout and beyond the organization, to focus attention, and to initiate a dialogue
• Stimulate the development of new ideas and initiatives by focusing on strategic uncertainties (emerging threats and opportunities that could invalidate the assumptions on which the current business strategy rests)
Interactive Control Systems
• External factors: ex. new technology, demographics, competition, regulation, stakeholders' pressures
• Mission statements, budgets, and action plans are discussed, debated, challenged, and revised among managers
• New strategic initiatives may emerge
Interactive Control Systems
[Figure: how new strategic initiatives may emerge]
Simons' Levers of Control
• An excessive focus on diagnostic control can cause a firm to ignore strategic uncertainties
• Diagnostic control must be counterbalanced
• Implementing the four levers of control can assist a firm to achieve performance, engage in ethical behaviour, and inspire employees
Information System Security
• One basic function of an AIS is to provide pertinent information for decision making
• In order to be pertinent, the information must be reliable, which means:
  • It provides an accurate and complete picture of the firm's activities
  • The AIS that produces it is protected
Five Trust Services Principles for System Reliability
[Figure: Security, Availability, Processing Integrity, Privacy and Confidentiality as the pillars supporting Systems Reliability]
The Trust Services Framework developed by the AICPA and the CICA (now CPA Canada) identified five basic principles that contribute to systems reliability:
1. Security
2. Confidentiality
3. Privacy
4. Processing integrity
5. Availability
Trust Services Framework
• Security: access to the AIS and its data is controlled and restricted to legitimate users
• Confidentiality: sensitive organizational information (plans, trade secrets) is protected
• Privacy: personal information about customers is protected from unauthorized disclosure
• Processing Integrity: data are processed accurately and with proper authorization
• Availability: the AIS is available to meet operational obligations
Information Security Controls
• Preventive: training; user access controls; physical access controls; network access controls (firewalls, intrusion prevention systems)
• Detective: log analysis; intrusion detection systems; security testing; managerial reports
• Corrective: Computer Incident Response Team (CIRT); Chief Information Security Officer; patch management
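Log analysis is listed above as a detective control. What that looks like in practice is shown by the following added example, which is not code from the course or its textbook: it parses a constructed authentication log (the one-line-per-login format is an assumption) and flags password-guessing bursts against an account, noting whether the burst ended in a successful login, plus successful logins outside business hours for the managerial report.

```python
# Detective control: log analysis over authentication events.
# Added example, not from the course slides. The log line format is an
# assumption (one syslog-style line per login attempt) and the sample
# lines below are constructed for illustration.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"login (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: a burst of failures against NOP that ends in a
# success, two isolated failures for DEF, a garbage line, and a
# late-night login by XYZ.
SAMPLE_LOG = """\
2024-03-04T09:00:01 login ok user=ABC src=10.1.1.5
2024-03-04T09:00:05 login fail user=NOP src=198.51.100.7
2024-03-04T09:00:09 login fail user=NOP src=198.51.100.7
2024-03-04T09:00:14 login fail user=NOP src=198.51.100.7
2024-03-04T09:00:20 login fail user=NOP src=198.51.100.7
2024-03-04T09:00:26 login fail user=NOP src=198.51.100.7
2024-03-04T09:00:31 login ok user=NOP src=198.51.100.7
2024-03-04T09:15:00 login fail user=DEF src=10.1.1.8
2024-03-04T11:30:00 login fail user=DEF src=10.1.1.8
this line is garbage and must not crash the parser
2024-03-04T23:45:00 login ok user=XYZ src=10.1.1.9
"""

def parse(log_text):
    """Parse log lines into dicts; malformed lines are skipped but counted,
    because a sudden rise in unparseable lines is itself worth a look."""
    events, malformed = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            malformed += 1
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
            "result": m["result"], "user": m["user"], "src": m["src"],
        })
    return events, malformed

def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Flag (user, source) pairs with at least `threshold` failed logins
    inside `window`, noting whether a success followed the burst."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["user"], e["src"])].append(e)
    findings = []
    for (user, src), evs in by_key.items():
        fails = sorted(e["ts"] for e in evs if e["result"] == "fail")
        for i in range(len(fails)):
            # grow the window from failure i while the next failure still fits in it
            j = i
            while j + 1 < len(fails) and fails[j + 1] - fails[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                succeeded = any(e["result"] == "ok" and e["ts"] > fails[j] for e in evs)
                findings.append({"user": user, "src": src, "failures": j - i + 1,
                                 "followed_by_success": succeeded})
                break  # one finding per pair is enough for the report
    return findings

def detect_off_hours_logins(events, start_hour=7, end_hour=19):
    """Successful logins outside business hours: a managerial-report item
    rather than an alert on its own."""
    return [e for e in events
            if e["result"] == "ok" and not start_hour <= e["ts"].hour < end_hour]

if __name__ == "__main__":
    events, bad = parse(SAMPLE_LOG)
    for f in detect_brute_force(events):
        print("brute force:", f)
    for e in detect_off_hours_logins(events):
        print("off-hours login:", e["user"], e["ts"])
    print("malformed lines:", bad)
```

A burst that ends in a success is the case to escalate first: the password was probably guessed and the account should be locked and its owner contacted, which is where the detective control hands over to the corrective ones (the incident response team) listed above.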
Preventative Control
Authentication
• Users can be authenticated by verifying:
  • Something they know, such as passwords or PINs
  • Something they have, such as smart cards or ID badges
  • Some physical characteristic (biometric identifier), such as fingerprints or voice recognition
• And better, a combination of the above (multi-factor authentication)!
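The "combination of the above" is what a login check with two factors looks like in code. The following is an added example, not code from the course or its textbook: the password (something you know) is verified against a salted, slow hash, and a time-based one-time code (something you have, from an authenticator app) is verified per RFC 6238. The user record, its salt and password are constructed for illustration, and the TOTP secret is the RFC 6238 test key so the generated codes can be checked against the RFC's table.

```python
# Multi-factor authentication: something you know (a password, stored
# only as a salted PBKDF2 hash) plus something you have (a time-based
# one-time code from an authenticator app, RFC 6238). Added example,
# not from the course slides; the user record, salt, password and TOTP
# secret are constructed for illustration (the secret is the RFC 6238
# test key, so the expected codes can be checked against the RFC).
import hashlib
import hmac
import struct

PBKDF2_ITERATIONS = 200_000
TOTP_STEP = 30

def hash_password(password, salt):
    """Slow, salted hash: a stolen hash cannot be reversed or guessed cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, unix_time, step=TOTP_STEP, digits=6):
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(secret, int(unix_time) // step, digits)

# Constructed user store: the password itself is never stored.
_DEMO_SALT = b"\x01" * 16
_DEMO_TOTP_SECRET = b"12345678901234567890"  # RFC 6238 test key, illustration only
USERS = {
    "ABC": {
        "salt": _DEMO_SALT,
        "pw_hash": hash_password("correct horse battery staple", _DEMO_SALT),
        "totp_secret": _DEMO_TOTP_SECRET,
    },
}
# Hashed and compared for unknown users too, so the response time does
# not reveal whether an account exists.
_DUMMY_HASH = hash_password("not-a-real-password", _DEMO_SALT)

def verify_password(user, password):
    rec = USERS.get(user)
    salt = rec["salt"] if rec else _DEMO_SALT
    expected = rec["pw_hash"] if rec else _DUMMY_HASH
    ok = hmac.compare_digest(hash_password(password, salt), expected)
    return ok and rec is not None

def verify_totp(user, code, now, skew_steps=1):
    """Accept the current step and `skew_steps` either side for clock drift."""
    rec = USERS.get(user)
    if rec is None or not (isinstance(code, str) and code.isdigit()):
        return False
    for delta in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(totp(rec["totp_secret"], now + delta * TOTP_STEP), code):
            return True
    return False

def authenticate(user, password, code, now):
    """Both factors are always evaluated; stopping at the first failure
    would tell an attacker which factor was wrong."""
    pw_ok = verify_password(user, password)
    otp_ok = verify_totp(user, code, now)
    return pw_ok and otp_ok

if __name__ == "__main__":
    print("TOTP at t=59:", totp(_DEMO_TOTP_SECRET, 59))  # 287082 per RFC 6238
    print(authenticate("ABC", "correct horse battery staple",
                       totp(_DEMO_TOTP_SECRET, 59), 59))
```

Two details matter more than the arithmetic: comparisons use `hmac.compare_digest` so that a wrong guess cannot be distinguished from a right one by timing, and the drift window is deliberately small, since every extra step accepted multiplies the attacker's chance of guessing a six-digit code.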
Preventative Control
Access Control Matrix
User identification code | Password | Program A | Program B | Program C | File 1 | File 2 | File 3 | File 4
ABC | 12345 | 0 | 0 | 1 | 0 | 0 | 0 | 0
DEF | 12346 | 0 | 2 | 0 | 0 | 0 | 0 | 0
KLM | 12354 | 1 | 1 | 1 | 0 | 0 | 0 | 0
NOP | 12359 | 3 | 0 | 0 | 0 | 0 | 0 | 0
RST | 12389 | 0 | 1 | 0 | 0 | 3 | 0 | 0
XYZ | 12567 | 1 | 1 | 1 | 1 | 1 | 1 | 1
Codes for type of access:
0 = No access permitted
1 = Read and display only
2 = Read, display, and update
3 = Read, display, update, create, and delete
Note that the textbook illustration lists each user's password in the same table as their access rights. A real system never stores the password in clear: only a salted hash is kept, separately from the authorization matrix, and the matrix is consulted after the user has been authenticated.
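The matrix above is the data; the control is the check an AIS makes against it before a user is allowed to touch a program or file. The following added example, not code from the course or its textbook, encodes the slide's matrix and performs that check, denying by default for unknown users, unknown resources and unknown operations. The resource names, the mapping from operations to access codes, and the access-review policy at the end are assumptions made for the example; authentication is assumed to have happened already.

```python
# Access control matrix from the slide, encoded as data, with the
# authorization check an AIS runs before letting a user touch a program
# or file. Added example, not from the slides; the resource names, the
# operation-to-code mapping and the review policy are assumptions.
ACCESS_CODES = {0: "no access", 1: "read/display", 2: "read/display/update",
                3: "read/display/update/create/delete"}
# Operation -> minimum access code required (the slide's codes are cumulative).
REQUIRED_LEVEL = {"read": 1, "display": 1, "update": 2, "create": 3, "delete": 3}

RESOURCES = ["prog_A", "prog_B", "prog_C", "file_1", "file_2", "file_3", "file_4"]
MATRIX = {  # user code -> access code per resource, as read off the slide
    "ABC": [0, 0, 1, 0, 0, 0, 0],
    "DEF": [0, 2, 0, 0, 0, 0, 0],
    "KLM": [1, 1, 1, 0, 0, 0, 0],
    "NOP": [3, 0, 0, 0, 0, 0, 0],
    "RST": [0, 1, 0, 0, 3, 0, 0],
    "XYZ": [1, 1, 1, 1, 1, 1, 1],
}

def access_level(user, resource):
    """Access code for (user, resource); unknown user or resource means 0 (fail closed)."""
    if user not in MATRIX or resource not in RESOURCES:
        return 0
    return MATRIX[user][RESOURCES.index(resource)]

def is_authorized(user, operation, resource):
    """The check itself: an unknown operation is denied, not treated as harmless."""
    needed = REQUIRED_LEVEL.get(operation)
    if needed is None:
        return False
    return access_level(user, resource) >= needed

def users_with_access(resource, operation="read"):
    """Who can perform `operation` on `resource`; the question an auditor asks."""
    return sorted(u for u in MATRIX if is_authorized(u, operation, resource))

def review_privileges():
    """Periodic access review under a hypothetical policy for this example:
    list who holds full access (code 3) on which resources, and resources
    nobody can update, which may point to an orphaned or unused asset."""
    full_access = {}
    for user, row in MATRIX.items():
        held = [r for r, code in zip(RESOURCES, row) if code == 3]
        if held:
            full_access[user] = held
    no_writer = [r for r in RESOURCES if not users_with_access(r, "update")]
    return {"full_access": full_access, "no_writer": no_writer}

if __name__ == "__main__":
    print("NOP may delete in prog_A:", is_authorized("NOP", "delete", "prog_A"))
    print("XYZ may update file_4:", is_authorized("XYZ", "update", "file_4"))
    print("Updaters of prog_B:", users_with_access("prog_B", "update"))
    print("Review:", review_privileges())
```

Read the matrix row by row to see least privilege at work: most users have a single non-zero entry, XYZ (read everything, change nothing) is the shape of an auditor's or reviewer's account, and the two full-access grants are the ones a review should revisit, since each is a place where one person could both create and delete records unobserved.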
Preventative Control
Encryption
[Diagram: Plaintext ("The project to merge ...") + Key -> Encryption algorithm -> Ciphertext ("Xb&j &m 2 ep0%fg ..."); Ciphertext + Key -> Decryption algorithm -> Plaintext ("The project to merge ...")]
• Encryption is the process of transforming normal text, called plaintext, into an unreadable form, called ciphertext.
• Decryption reverses this process.
• To encrypt or decrypt, both a key and an algorithm are needed.
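The diagram's three ingredients, plaintext, key and algorithm, can be seen working in the following added example, which is not code from the course or its textbook. To stay on the Python standard library, the algorithm is a stream cipher built from HMAC-SHA256 as a pseudorandom function in counter mode, with an HMAC tag over the ciphertext so that a wrong key or a modified ciphertext is rejected rather than decrypted into garbage; the key, nonce and message are constructed for the example. It illustrates the concept; a production system uses a vetted authenticated cipher such as AES-GCM.

```python
# Encryption = plaintext + key + algorithm -> ciphertext; decryption
# reverses it with the same key. Added example, not from the slides.
# Algorithm: stream cipher from HMAC-SHA256 used as a PRF in counter
# mode, plus an HMAC tag over nonce||ciphertext (encrypt-then-MAC).
# Illustrative only; use a vetted AEAD such as AES-GCM in practice.
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32  # SHA-256 output

def _subkeys(key):
    """Separate confidentiality and integrity keys derived from one master key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac

def _keystream(enc_key, nonce, length):
    """PRF(nonce || counter) blocks, concatenated and cut to `length` bytes."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key, plaintext, nonce=None):
    """Return nonce || ciphertext || tag. A fresh random nonce per message is
    essential: reusing one under the same key leaks the XOR of two plaintexts."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key, blob):
    """Verify the tag first, then undo the XOR with the same keystream."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated message")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    # A wrong key or a modified ciphertext fails here, before any plaintext is produced.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

if __name__ == "__main__":
    key = os.urandom(32)  # the key is the secret; the algorithm is public
    blob = encrypt(key, b"The project to merge ...")
    print("ciphertext:", blob[NONCE_LEN:-TAG_LEN].hex())
    print("decrypted: ", decrypt(key, blob))
    try:
        decrypt(os.urandom(32), blob)
    except ValueError as e:
        print("wrong key:", e)
```

The point the slide makes, that the same key and algorithm are needed on both sides, shows up as the `_subkeys` derivation being run identically in `encrypt` and `decrypt`; the point it does not make, but a practitioner needs, is that the ciphertext also has to be authenticated, otherwise an attacker who cannot read the message can still flip bits in it.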
By increasing
internal controls &
security, fraud risk
decreases
Fraud Triangle
The Wolf of Wall Street
Jordan Belfort (Leonardo DiCaprio) and his
associates engage in unethical financial
practices, such as inflating stock prices,
that harm other people to satisfy their own
desires for money, power, and status.
Belfort makes a huge fortune by defrauding
wealthy investors out of millions. The SEC
and the FBI close in on his illegal
behaviour.
In the movie, many turned a blind eye to
his transgressions due to the profits
involved.
Would the situation be different
if there was a stronger internal
control environment & an
emphasis placed on ethics?
The Big Short
The Big Short chronicles the years leading up to the 2008 global economic crisis, focusing on several financial professionals who predicted the collapse.
Wall Street greed was largely to blame for the collapse, as credit rating agencies conspired to conceal high-risk loans by giving them AAA ratings. The ratings given implied a degree of safety for the loans far greater than they deserved. This allowed financial institutions to falsely prop up the prices of the investments related to the loans and gain immense profits. Eventually, the stock market crashed because too many people had taken on loans they couldn't afford (loan default).
Again, many turned a blind eye to the unethical loan ratings due to the profits involved.
How could the financial crisis of 2008 have been avoided?
Next week:
• IS Confidentiality, Privacy, Processing Integrity and Availability
• Consult materials posted on Moodle
• Quiz 1 online