ACC 492 - HOMEWORK
Amanda Grieco J00687082

CHAPTER ONE: Accounting Information Systems and the Accountant

DISCUSSION QUESTIONS:

3. Advances in IT are likely to have a continuing impact on financial accounting. What are some changes you think will occur in the way financial information is gathered, processed, and communicated as a result of increasingly sophisticated IT?
With advances in IT that allow transactions to be captured immediately, accountants and even the AIS itself can produce financial statements almost in real time. Interactive data allows information to be reused and carried seamlessly among a variety of applications or reports.

4. XBRL is emerging as the language that will be used to create interactive data that financial managers can use in communication. How do you think the use of interactive data might enhance the value of a company’s financial statements?
It will allow the data to be used between programs, allowing for faster access and calculations, meaning that the company can quickly prepare financial statements at any time.

5. Discuss suspicious activity reporting. For example, do you think that such reporting should be a legal requirement, or should it be just an ethical matter? Do you think that the majority of SAR activity is illegal, or are these mostly false alarms?
SAR laws now require accountants to report questionable financial transactions to the U.S. Department of Treasury. It should be a legal requirement because of the ease of committing fraud through an AIS and the fact that it can be used as a deterrent. Most of the activity is probably false alarms, but it is better to be safe than sorry.

6. Managerial accounting is impacted by IT in many ways, including enhancing CPM. How do you think a university might be able to use a scorecard or dashboard approach to operate more effectively?
The scorecard and dashboard approach allows a university to track and assess the functionality of its activities and match it against its strategic values. It can trace unfavorable performance in order to correct it. This ensures the university has successful internal controls as well. The dashboard makes this easier to understand, given that there are many elements/departments within a university.

7. Look again at the list of assurance services shown in Figure 1-9. Can you think of other assurance services that CPAs could offer which would take advantage of their AIS experience?
They could offer assurance/IT help for individuals and their AISs and computer systems. They could vouch for compliance with organizations or other companies that might come in contact with them, as in to recommend them. They could offer a “seal of approval.”

10. This chapter stressed the importance of IT for understanding how AISs operate. But is this the only skill valued by employers? How important do you think analytical thinking skills or writing skills are? Discuss.
No. Because AISs are complex, analytical skills are necessary to make decisions and figure out whatever is needed. Writing skills are important to communication and also to programming AISs. Both of these skills are highly valued by employers. A well-rounded mix would make an ideal candidate in accounting/IT fields.

PROBLEMS

11.
a. AAA – American Accounting Association
b. ABC – Activity Based Costing
c. AICPA – American Institute of Certified Public Accountants
d. AIS – Accounting Information Systems
e. CFO – Certified Financial Officer
f. CISA – Certified Information Systems Auditor
g. CITP – Certified Information Technology Professional
h. CPA – Certified Public Accountant
i. CPM – Corporate Performance Measurement
j. ERP – Enterprise Resource Planning
k. FASB – Financial Accounting Standards Board
l. HIPAA – Health Insurance Portability and Accountability Act
m. ISACA – Information Systems Audit and Control Association
n. IT – Information Technology
o. KPI – Key Performance Indicators
p. OSC
q. PATRIOT Act – Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism
r. REA – resources, events, and agents
s. SAR – Suspicious Activity Reporting
t. SEC – Securities Exchange Commission
u. SOX – Sarbanes-Oxley Act
v. VARs – Value-Added Resellers
w. XBRL – Extensible Business Reporting Language

16.
a. Dues paid, expenses, donations, operating costs, and capital investments and costs.
b. Yes, because AISs do not have to be computerized.
c. No, fraud tends to occur when there isn’t a separation of duties.
d. Benefits would include ease of information collected/entered, real-time reporting, ease of access to information, and e-commerce style record keeping. It would only be cost effective if the system is easy to use/user-friendly.

CHAPTER TWO: Information Technology and AISs

DISCUSSION QUESTIONS

1. Why is it important to view an AIS as a combination of hardware, software, data, people, and procedure?
It takes ALL components to work successfully.

2. Why is information technology important to accountants?
1. On CPA exam
2. Used a lot, therefore need to understand it
3. To be able to audit systems
4. Task identification
5. Help clients make hardware and software purchases
6. To evaluate efficiency and effectiveness
7. IT profoundly affects work today and in the future

3. Why do most AISs try to avoid data transcription?
To avoid errors. Data transcription is time-consuming, costly, inefficient, and nonproductive; it can bottleneck data at the transcription site, embeds errors, and provides opportunities for fraud, embezzlement, or sabotage.

11. What are local area networks? What advantages do LANs offer accounting applications?
LANs consist of microcomputers, printers, terminals, and similar devices that are connected together for communications purposes.
Most use file servers to store centralized software and data files and also to coordinate data transmissions between devices. Most LANs occupy a single building and are wireless. Advantages include:
1. Facilitating communications
2. Sharing computer equipment
3. Sharing computer files
4. Saving software costs
5. Enabling unlike computer equipment to communicate with one another

12. What is client/server computing? How does it differ from host/mainframe computing? What are some advantages and disadvantages of client/server systems?
It is an alternative technology to mainframe and/or hierarchical networks; typically a microcomputer. Mainframe systems normally centralize everything, whereas client/server applications distribute data and software among the server and client computers of the system.
Advantages: flexibility of distributing capabilities, reduced telecommunications costs, and ability to install thin-client systems.
Disadvantages: must maintain multiple copies of the same databases, making backup and recovery difficult; difficult data synchronization; system consistency makes it difficult to change versions of a program; and user training is greater.

PROBLEMS:

17.
a. ALU – CPU component
b. CD-ROM – secondary storage
c. keyboard – input equipment
d. Modem – data communications
e. dot-matrix printer – output equipment
f. POS device – input equipment
g. MICR reader – input equipment
h. laser printer – output equipment
i. flash memory – secondary storage
j. OCR reader – input equipment
k. magnetic (hard) disk – secondary storage
l. ATM – data communications
m. Primary memory – CPU component

18.
a. POS – Point of sale devices, gather and record electronic data
b. CPU – Central processing unit, processes tasks within a computer
c. OCR – Optical character recognition, optical readers to interpret data
d. MICR – Magnetic ink character recognition, magnetically-encoded paper coding
e. ATM – Automated teller machine, to communicate to banking customers
f. RAM – Random access memory, primary memory, operating instructions
g. ALU – Arithmetic-logic unit, performs arithmetic and logic tasks
h. MIPS – Millions of instructions per second, computer processing speeds
i. OS – Operating system, helps computer run itself and programs within
j. MHz – Megahertz, computer processing speeds
k. pixel – Picture elements, dots of color in video output
l. CD-ROM – Compact disk-read only memory, secondary storage
m. worm – Write-once, read-many, type of CD-ROM
n. modem – modulator-demodulator, transmission over phone lines
o. LAN – Local area network, small area connected devices
p. WAN – Wide area network, large area connected devices
q. RFID – Radio frequency identification, enables identification using radio waves
r. WAP – Wireless application protocol, set of communication standards and language
s. Wi-Fi – Wireless fidelity, transmitting over wireless channels
t. ppm – Pages per minute, printing speeds
u. dpi – Dots per inch, resolution of ink-jet printers
v. NFC – Near-field communication, enables communication with other NFC devices

CHAPTER SIX: Documenting Accounting Information Systems

DISCUSSION QUESTIONS

1. Why is documentation important to AISs? Why should accountants be interested in AIS documentation?
Documentation explains how AISs operate: it describes the tasks for recording data, the procedures that users must perform, the processing steps that AISs follow, and the logical and physical flows of accounting data through systems.
1. Depicting how the system works
2. Training users
3. Designing new systems
4. Controlling system development and maintenance
5. Standardizing communications with others
6. Auditing AISs
7. Documenting business processes
8. Complying with the SOX Act
9. Establishing accountability
It is important for accountants to understand the documentation that describes how processing takes place.

2. Distinguish between documentation flowcharts, system flowcharts, data flow diagrams, and program flowcharts.
How are they similar and different?
Document Flowchart – traces the physical flow of documents through an organization from who first created them to their final destination.
System Flowchart – concentrates on the computerized data flow of AISs.
Data Flow Diagrams (DFDs) – used in the development process, as a tool for analyzing an existing system or as a planning aid for creating a new system; describe the sources of data stored in a database and the ultimate destinations of these data.
Program Flowchart – outlines the processing logic of computer programs as well as the order in which processing takes place.
All four use symbols and linkage to describe the flow/activity. Data flow diagrams describe the source and flow of data in a database. Document flowcharts trace the flow of documents. System flowcharts are created when there is computerized/electronic data and processing. Program flowcharts outline computer programs and how they determine each process. System flowcharts, data flow diagrams, and program flowcharts can be designed at different levels/hierarchical process maps of detail.

5. What are the four symbols in a data flow diagram? What does each mean?
External Entity (data source or destination)
Data Flow
Internal Entity (physical DFDs) or Transformational Process (logical DFDs)
Data Store (file)

8. What is the purpose of a decision table? How might they be useful to accountants?
The purpose of a decision table is to indicate what action to take for each possibility of conditions and processing tasks, and to serve as an alternative to program flowcharts. They will be useful to accountants because they provide a large number of conditions in a compact, easily understood format. This ensures accuracy, completeness, and fewer omissions of important processing possibilities.

CHAPTER SEVEN: AISs and Business Processes: Part 1

DISCUSSION QUESTIONS

1. As you might imagine, the chart of accounts for a manufacturing firm would be different from that of a service firm.
Not surprisingly, service firms differ so much that software now exists for almost any type of firm that you could name. Think of yourself as an entrepreneur who is going to start up your own business. Now, go online to find at least two different software packages that you might use for the type of firm you are going to start up. What does the chart of accounts include? Are both software packages the same? What are the differences between the packages?
1. Intuit® QuickBooks® Premier Retail Edition 2014. Difference from QuickBooks Pro:
Organize your business finances all in one place and save time on everyday tasks
Accounting tools for retailers
Save time managing retail activities, tracking sales results and profitability
Organize your customer information on one screen – see who’s paid and who owes you
Gain greater insight with retail specific reports to help manage your business better
Use tools to create and track service work orders
Get reliable records for tax time
2. QuickBooks Pro 2014 – cheaper than Retail Edition.
For both versions, when you start up the program it will ask you questions in order to tailor a chart of accounts for what is needed. The retail version is tailored to retailers to provide insight beyond financial aspects.

3. What are some typical outputs of an AIS? Why do system analysts concentrate on managerial reports when they start to design an effective AIS? Why not start with the inputs to the system instead?
Outputs include: reports to management, reports to investors and creditors, files that retain transaction data, and files that retain current data about accounts, i.e. customer billing statements, aging report, bad debt report, cash receipts forecast, approved customer listing, sales analysis reports, check register, discrepancy reports, and cash requirements forecast.
Most of the accounting data collected by an organization ultimately appears on some type of internal/external report; therefore the design of an effective AIS usually begins with the outputs (reports) that users will expect from the system.

PROBLEMS

14. Recommend a type of coding:
a. Employee id number on a computer file – Sequence, simple identification
b. Product number for a sales catalog – Group
c. Inventory number for the products of a wholesale drug company – Block
d. Inventory part number for a bicycle mfg company – Block
e. ID numbers on the forms waiters use to take orders – Sequence, simple identification
f. ID numbers on airline ticket stubs – Sequence, simple identification
g. Auto registration numbers – Sequence, simple identification
h. Auto engine block numbers – Sequence, simple identification
i. Shirt sizes for men’s shirts – Mnemonic, lettering used to identify sizing
j. Color codes for house paint – Mnemonic, lettering used to identify color combinations
k. ID numbers on payroll check forms – Sequence, simple identification
l. Listener ID for a radio station – Block, numbering based on region
m. Numbers on lottery tickets – Sequence, simple identification
n. ID numbers on a credit card – Block, first numbers indicate type of card
o. ID numbers on dollar bills – Block, lettering first then numbers
p. Passwords used to gain access to a computer – Mnemonic, lettering used to create pw
q. Zip codes – Block, based on regional areas
r. A chart of accounts for a department store – Block, categorized by type
s. A chart of accounts for a flooring contractor – Block, categorized by type
t. Shoe sizes – Sequence, simple identification by size
u. ID number on a student exam – Sequence, simple identification
v. ID number on an insurance policy – Block, identifiers on region/policy type/etc.

CHAPTER EIGHT: AISs and Business Processes: Part 2

DISCUSSION QUESTIONS

2. Why are accounting transactions associated with payroll processing so repetitive in nature?
Why do some companies choose to have payroll processed by external service companies rather than do it themselves?
There are government-mandated standards for payroll, including very strict control procedures, and because the transactions occur very frequently, payroll processing is repetitive. Many companies find it cost-effective to outsource the process for payroll reports and paychecks.

5. What are the basic concepts of lean manufacturing? What concepts are the root of lean production and lean manufacturing?
Lean manufacturing involves making the commitment to eliminate waste throughout the organization (not just production). It focuses on the elimination or reduction of non-value-added waste to improve overall customer value and to increase the profitability of the products or services that the organization offers. It was developed through the concepts of just-in-time and Total Quality Management.

PROBLEMS

14. How could an automated time and billing system help your firm? What is the name of the software package and what are the primary features of this BPM software?
Automated time and billing systems could be more cost-effective, as well as help with tedious transactions and reporting, aid in detecting and reducing errors, and help with keeping up with delinquent accounts. Tabs3 Billing will keep track of time easily, bill exactly the way you want to, get bills out faster, create useful reports to stay on top of the business of law, secure your information, has advanced compensation formulas to compute with, and has free practice management included.

CHAPTER NINE: Introduction to Internal Control Systems

DISCUSSION QUESTIONS

1. What are the primary provisions of the 1992 COSO Report? The 2004 COSO Report?
1992 – Internal Control-Integrated Framework: defines internal control and describes its components, presents criteria to evaluate internal control systems, provides guidance for public reporting on internal controls, and offers materials to evaluate an internal control system.
2004 – Focuses on enterprise risk management, includes the 5 components of the 1992 Report, and adds three components: objective setting, event identification, and risk response.

2. What are the primary provisions of COBIT?
Control Objectives for Business and IT; a framework for IT management; provides managers, auditors, and IT users a set of generally accepted measures, indicators, processes, and best practices to maximize the benefits of IT and develop appropriate IT governance and control.

5. Why are accountants so concerned about their organization having an efficient and effective internal control system?
Accountants rely on an internal control system to safeguard assets, check the accuracy and reliability of accounting data, promote operational efficiency, and enforce prescribed managerial policies. If it is not efficient and effective, the accountants will suffer.

6. Discuss what you consider to be the major differences between preventative, detective, and corrective control procedures. Give two examples of each type of control.
Preventative controls are put in place to prevent problems, such as scenario planning and firewalls. Detective controls alert managers when preventative controls fail, such as motion detection and log monitoring and review. Corrective controls are what a company uses to solve or correct a problem, such as changing backup procedures and camera systems.

7. Why are competent employees important to an organization’s internal control system?
Competent and honest employees are more likely to create value for an organization and lead to efficient use of the company’s assets.

8. How can separation of duties reduce the risk of undetected errors and irregularities?
The purpose of separation of duties is to structure work assignments so that one employee’s work serves as a check on another employee(s).

9. Discuss some of the advantages to an organization from using a voucher system and prenumbered checks for its cash disbursement transaction.
A voucher system reduces the number of cash disbursement checks that are written, since several invoices to the same vendor can be included on one disbursement voucher. The disbursement voucher is an internally generated document and can be prenumbered to simplify the tracking of all payables, thereby contributing to an effective audit trail over cash disbursements.

10. What role does cost-benefit analysis play in an organization’s internal control system?
Companies develop their own optimal internal control package by applying the cost-benefit concept: only those controls whose benefits are expected to be greater than, or at least equal to, the expected costs are implemented.

11. Why is it important for managers to evaluate internal controls?
SOX compliance: managers must acknowledge their responsibility for establishing and maintaining an adequate internal control structure and procedures.

12. Why did COSO think it was so important to issue the 2009 Report on monitoring?
COSO observed that many organizations did not fully understand the benefits and potential of effective monitoring and were not effectively using their monitoring results to support assessments of their internal control systems.

PROBLEMS

13. Internal control weaknesses:
* Oral authorization to remove items from storeroom: should be documented, not oral.
* Physical inventory count by storeroom clerks: should be management if documentation of inventory is not going to occur; regardless of supervision.
* Reordering when below reorder level: should not order until at reorder level; excess of inventory will allow for possible theft.
* Number of items ordered available to storeroom clerks: should be a separate receiving person, separation of duties.

CHAPTER TEN: Computer Controls for Organizations and AISs

DISCUSSION QUESTIONS

1. What is a security policy? What do we mean when we say organizations should have an integrated security policy?
A security policy is an integrated plan that helps protect an enterprise from both internal and external threats. An integrated security policy combines logical and physical security technologies.

2. What do we mean when we talk about convergence of physical and logical security? Why might this be important to an organization?
Combining technologies of physical and logical security, supported by a comprehensive security policy, can significantly reduce the risk of attack because it increases the costs and resources needed by the intruder.

4. What controls must be used to protect data that is transmitted across wireless networks?
A virtual private network for remote access to the entity’s resources, and data encryption to avoid electronic eavesdropping.

5. Why is business continuity planning so important? Identify several reasons why testing the plan is a good idea.
They use BCP to be reasonably certain that they will be able to operate in spite of any interruptions, such as power failures, IT system crashes, natural disasters, supply chain problems, and others.

6. What is backup and why is it important when operating an accounting system?
Backup is similar to the redundancy concept in fault-tolerant systems. It is important when operating an accounting system because you could lose all of your work and client information.

7. Discuss some of the unique control risks associated with the use of PCs and laptop computers compared to using mainframes.
PCs are relatively inexpensive, therefore it is not cost-effective for a company to go to elaborate lengths to protect them.
Important safeguards are: (1) back up important laptop data often, (2) password protect them, and (3) encrypt sensitive files. Antitheft systems can help avoid theft. Control procedures include: identify your laptop and keep the information in a safe place, use non-breakable cables to attach laptops to stationary furniture to avoid theft, load antivirus software onto the hard disk to avoid theft of data, and back up laptop information to ensure data integrity.

9. Explain how each of the following can be used to control the input, processing, and output of accounting data:
a. EDIT TESTS – examine selected fields of input data and reject those transactions whose data fields do not meet the pre-established standards of data quality. INPUT CONTROL
b. CHECK DIGITS – computed as a mathematical function of the other digits in a numeric field; its sole purpose is to test the validity of the associated data. INPUT CONTROL
c. PASSWORDS – INPUT CONTROL, to ensure validity
d. ACTIVITY LISTINGS – OUTPUT CONTROL, documents processing activities
e. CONTROL TOTALS – PROCESSING CONTROL, to control large amounts of data processing

10. What is the difference between logical and physical access to the computer? Why is the security of both important?
Logical access refers to access to the technology on a computer, while physical access refers to access to the actual computer equipment. Both are important because they are both assets of the company, and an integrated security system that includes both logical and physical security can significantly reduce the risk of theft and attack.

11. Discuss the following statement: “The separation of duties control is very difficult in computerized accounting information systems because computers often integrate functions when performing data processing tasks. Therefore, such a control is not advisable for those organizations using computers to perform their accounting functions.”
This is incorrect.
Because functions are integrated, extra measures need to be taken to separate functions of authority and responsibility between accounting and IT subsystems or departments.

PROBLEMS

13. I think both types of controls, personnel and edit tests, are set forth to eliminate potential errors and frauds of both intentional and accidental natures, not specifically for one type or the other.

15. Separation of duties, to stop him from setting up companies, ordering, payments, etc. to these fictitious companies. Also, input controls, such as edit and validity tests, to disallow the creation of new vendors.

16.
a. Input controls, such as edit and validity tests.
b. Output controls to notify aged accounts, and input controls to disallow the ability to sell to the company.
c. Separation of duties, to eliminate potential of fraud.
d. Input controls to disallow the creation of new master files for wrong codes entered.
e. Separation of duties, to keep him from being able to pay vendors and write off inventory at the same time.

17.
a. Input to disallow incorrect deposit code
b. Input/check digits
c. Input/edit tests
d. Input/edit tests
e. Input/check digits
f. Input/edit tests or check digits
g. General to disallow access without proper identification
h. Processing/batch control total

CHAPTER ELEVEN: Computer Crime, Fraud, Ethics, & Privacy

DISCUSSION QUESTIONS

1. The cases of computer crime that we know about have been described as just “the tip of the iceberg.” Do you consider this description accurate?
Since most computer crimes are caught through luck, chance, or accident, generally only an estimated 1% of computer crime is detected. This description is correct due to exponential growth in the use of computer resources, continuing lax security, and availability of information on how to commit computer crime.

2. Most computer crimes are not reported. Give as many reasons as you can why much of this crime is purposely downplayed. Do you consider these reasons valid?
From a business’ perspective, reasons could include costs to prosecute, wanting to avoid the media, reputation issues, it being easier to just fire people rather than prosecute, the company not wanting consumers/customers knowing about lack of controls, and possible auditing issues. None of these reasons are technically valid because crime cannot be controlled without reporting.

5. What enabled employees at TRW to get away with their crime? What controls might have prevented the crime from occurring?
What enabled the employees was the fact that they were able to enter false information into the computer procedures. Controls that could have prevented the crime are authorization and validation of credit changes and separation of duties.

11. The fact that Mr. Allen has never taken a vacation is a key red flag that he may have been manipulating the account data. Making him Employee-of-the-Year should not be a consideration until he/his department has been audited for the potential fraud. Giving him such a title would entice him to continue committing frauds.

PROBLEMS

12.
a. The university had too strict a policy about releasing passwords. There should have been additional controls that allowed someone who had lost a password to obtain it, i.e. personal data question, etc. This would have allowed for assurance that the student was who she said she was while also avoiding complaints of that nature.
b. The company should have adopted a policy against personal use of company computers regardless of whether it is on company time or not, and given the fact that the computers are owned by the company, it shouldn’t be an issue of privacy.
c. The company should require a certain level of password and adopt a policy that if any passwords are found there will be consequences. Otherwise they need to use a biometric way of logging in to systems.
d. The company should have a policy against personal use of company computers and also on the fact that he is holding and attending to a second job instead of at the hospital.
e. This is an indication of a possible fraud, and the company needs to investigate the 20 employees and the departments associated with inputting of the data.
f. Ebay needs to clearly state this in their seller’s policies, and also create a control that disallows someone to bid on their own items for sale. This also needs to extend to users with similar addresses, phone number, email address, etc.
g. The Web company should have a control restricting its employees from visiting certain sites it does business with.

15.
a. A policy that only allows certain employees access to mail, or a separate mailing address that is accessible only by certain people.
b. The checks should only be drawn on one account, and the bookkeeper shouldn’t be allowed to assign paychecks.
c. Separation of duties, the HR personnel should not have access to paychecks.
d. Separation of duties and access to certain authorizations.
e. Separation of duties, the purchasing agent should not be accounts payable.
f. The company should have strict password requirements that are more difficult to hack.
g. The clerk should have been taking vacations or time off during the three years.
h. The company should have a system that disallows the loading of unapproved programs.
i. The company should use serial numbers for patients and also have a strict privacy policy.

CHAPTER TWELVE: Information Technology Auditing

DISCUSSION QUESTIONS

1. Distinguish between the roles of an internal and an external auditor. Cite at least two examples of auditing procedures that might reasonably be expected of an internal auditor but not an external. Which type of auditor would you rather be? Why?
Internal auditors work for their own company while external auditors work for an independent CPA firm.
The difference is in purpose: staff positions that report to top management, an audit committee or board of directors, and also involve evaluation of the company to provide assurance about the efficiency and effectiveness of almost any aspect of its organization. I would rather be an internal auditor. The duties are broader and there is less risk of being sued in the end.

4. IT auditors need people skills as well as technical skills. One such skill is the ability to interview effectively. Discuss some techniques or tools that might help an interviewer get the best information from an interviewee, including sensitive material.
Being more personable and able to build trust quickly will get people to open up to you and deliver information they may not have otherwise. Learning skills on how to interrogate would help in reading body language and signs hidden between the lines of lies. Learning the aspects of the position the person works in will help the interviewer ask better questions and deliver what-ifs.

5. Describe how an auditor might use through-the-computer techniques such as test data, an integrated test facility, parallel simulation, or validation of computer programs to accomplish audit objectives relative to accounts payable.
Test data will allow an auditor to check the range of exception situations and compare the results with a predetermined set of answers on an audit worksheet, such as invalid dates and use of alphabetic data in numeric codes. An integrated test facility will allow an audit in an operational setting by using artificial transactions and companies, such as payments to vendors and shipments/orders from vendors. Parallel simulation allows the auditor to run live data instead of test data in a second system that duplicates the client system to look for differences, such as a payments-to-vendors-only system and not the entire accounts payable program.
Validation allows an auditor to guard against program tampering with program change controls, program comparison, reviews of the system software, validating users and access privileges, and continuous auditing for real-time assurance.

6. A company always wants to be safe, but when costs are an issue, priority guidance is a must. The auditor and the company should invest in computerized auditing software to help audit. The controls, even though all beneficial, should still be portrayed in a hierarchy to show which ones are technically worth more (risk assessment). The auditor should evaluate those control procedures (systems review) and then evaluate the weaknesses. Control weaknesses in one area of an AIS may be acceptable if control strengths in other areas of the AIS compensate for them.

PROBLEMS

8. a & b. According to the risk analysis, the high probability of occurrence is VANDALISM, medium probability is BROWNOUT and POWER SURGE, and low probability is EQUIPMENT FAILURE, SOFTWARE FAILURE, EMBEZZLEMENT, FLOOD, and FIRE. When using a cost-basis analysis, the figures would indicate that the only two that wouldn’t be affordable to enlist controls for are EMBEZZLEMENT and SOFTWARE FAILURE. Considering the low cost compared to the losses and the fact that they could stop a business from continuing, FLOOD and FIRE must have physical general controls in place. EQUIPMENT FAILURE would also need similar controls because of the low cost compared to the high loss estimates. Due to the medium probability of occurrence and low cost to control, BROWNOUT and POWER SURGE would need physical general controls in place.
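
The edit tests, check digits and control totals described in Chapter Ten, question 9, applied to a batch of accounts payable records; this is an added example and not part of the original homework. The field names, the Luhn check-digit scheme, the amount limit and the sample records are assumptions constructed for illustration.

```python
from datetime import date
from decimal import Decimal, InvalidOperation


def luhn_check_digit(payload):
    """Check digit for a string of digits (Luhn scheme, assumed for this example)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # every second digit, starting next to the check digit
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10


def has_valid_check_digit(number):
    """The last digit must equal the check digit computed from the others."""
    return (number.isascii() and number.isdigit() and len(number) > 1
            and luhn_check_digit(number[:-1]) == int(number[-1]))


def edit_test(rec, batch_date, amount_limit=Decimal("50000")):
    """Input control: return the list of field errors for one record."""
    errors = []
    if not has_valid_check_digit(rec["vendor_no"]):
        errors.append("vendor_no: failed check digit")
    try:
        if date.fromisoformat(rec["invoice_date"]) > batch_date:
            errors.append("invoice_date: later than batch date")
    except ValueError:
        errors.append("invoice_date: not a valid date")
    try:
        amount = Decimal(rec["amount"])
        if not Decimal("0") < amount <= amount_limit:
            errors.append("amount: outside reasonable range")
    except InvalidOperation:
        errors.append("amount: not numeric")
    return errors


def run_edit(records, batch_date):
    """Split a batch into accepted records and (record, errors) rejects."""
    accepted, rejected = [], []
    for rec in records:
        errors = edit_test(rec, batch_date)
        if errors:
            rejected.append((rec, errors))
        else:
            accepted.append(rec)
    return accepted, rejected


def control_totals(records):
    """Processing control: record count, financial total and hash total."""
    return {
        "record_count": len(records),
        "amount_total": sum((Decimal(r["amount"]) for r in records), Decimal("0")),
        # A hash total has no business meaning; it only detects lost or altered records.
        "hash_total": sum(int(r["vendor_no"]) for r in records),
    }


def out_of_balance(before, after):
    """Names of the control totals that differ between two processing steps."""
    return [name for name in before if before[name] != after[name]]


# Constructed sample batch (not real data).
BATCH_DATE = date(2014, 3, 10)
SAMPLE_BATCH = [
    {"invoice_no": "INV-001", "vendor_no": "100420", "invoice_date": "2014-03-03", "amount": "1250.00"},
    {"invoice_no": "INV-002", "vendor_no": "203714", "invoice_date": "2014-03-04", "amount": "310.40"},   # transposed digits
    {"invoice_no": "INV-003", "vendor_no": "305987", "invoice_date": "2014-02-30", "amount": "89.99"},    # impossible date
    {"invoice_no": "INV-004", "vendor_no": "203174", "invoice_date": "2014-03-05", "amount": "12A.50"},   # letter in numeric field
    {"invoice_no": "INV-005", "vendor_no": "305987", "invoice_date": "2014-03-06", "amount": "475.25"},
    {"invoice_no": "INV-006", "vendor_no": "203174", "invoice_date": "2014-03-07", "amount": "980000.00"},  # over limit
]

if __name__ == "__main__":
    accepted, rejected = run_edit(SAMPLE_BATCH, BATCH_DATE)
    for rec, errors in rejected:
        print(rec["invoice_no"], "rejected:", "; ".join(errors))
    before = control_totals(accepted)
    after = control_totals(accepted[:1])  # simulate a record lost during posting
    print("totals after edit run:", before)
    print("out of balance after posting:", out_of_balance(before, after))
```
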