AIS Test 2
OSU Acct + MIS 631 Smith; Accounting Information Systems 10/11 edition
Undergraduate 4




Fraud (def + 5 points)

any means used by 1 person to gain an unfair advantage over another person

1.  There has to be a false statement

2.  It must be about a material fact

3.  The person making the false statement knew the statement was false (intent to deceive)

4.  A victim relies on the false statement

5.  As a result of that reliance, the victim suffers a loss or injury

2 Types of fraud (+defs)

Misappropriation of assets - theft or unauthorized use of company assets (called employee fraud; caused by a lack of controls or by failure to follow them)

Fraudulent Financial Reporting - misstating the financial health of a company by intentionally misstating or omitting amounts and disclosures in the financial statements (overstating revenues is most common, understating liabilities is 2nd)

National Commission on Fraudulent Financial Reporting (Treadway Commission) - 4 things to minimize fraudulent reporting

1.  Create an organizational environment that contributes to the integrity of the financial reporting process

2.  Understand the factors that lead to fraudulent statements

3.  Assess the risk that cooking the books occurs at your company

4.  Implement a set of internal controls to provide reasonable assurance that cooking the books will not occur

SAS 99

Consideration of Fraud in a Financial Statement Audit:

requires auditors at all phases of an audit to consider and test for fraud

3 conditions for fraud to occur

1.  Pressure - motivation or incentive to commit fraud

2.  Opportunity - an opening that allows someone to commit, conceal, and convert the payments

3.  Rationalization - reasons used by the fraudster to justify the crime

Concealing the fraud (2 ways)

Lapping - steal customer A's payment, cover it with customer B's payment, cover B with C's payment, etc.

Kiting - creating "cash" by floating checks between 3 accounts

Computer Fraud (def + 5 types + defs)

any illegal act where knowledge of computers is essential in committing, investigating and/or prosecuting the crime

1.  Input Fraud - alter the input before it is entered

2.  Processing Fraud - committed through unauthorized use of the system

3.  Computer Instructions Fraud - altering the software that processes the data (viruses)

4.  Stored Data Fraud - altering or destroying company data, or copying and searching company data without permission

5.  Output Fraud - altering or stealing system output (check counterfeiting)

Types of Input Fraud (4)

1.  Cash Receipts Fraud - alter the input to steal cash

2.  Cash Disbursement Fraud - attempt to get the company to overpay for ordered goods, or to pay for goods not ordered at all

3.  Inventory Fraud - enter into the system that stolen inventory was scrapped

4.  Payroll Fraud - create a phantom employee or adjust pay rates

Specific Techniques of computer fraud (in book p 160-161)
Internal Controls (def + 6 objectives)

Policies and procedures established by the company to provide reasonable assurance that the objectives are met

1.  Assets, including data, are safeguarded

2.  Accurate, reliable information is provided to the decision makers

3.  Financial statements are prepared according to GAAP

4.  The company operates efficiently

5.  Policies established by management are being followed

6.  The company is following all applicable laws and regulations


3 Important functions of Internal Controls (+defs)

1.  Preventive Controls - deter problems from occurring

2.  Detective Controls - identify problems quickly when they arise

3.  Corrective Controls - fix the problem by:

a - identifying the cause

b - fixing the problem

c - modifying the system to stop repeats

2 Main Categories of Internal Controls

1.  General Controls - designed to make sure the control environment of the company is stable and functioning properly (segregation of duties)


2.  Application Controls - designed to prevent, detect, and correct transaction errors + fraud (prep of a monthly bank reconciliation)

Foreign Corrupt Practices Act

intended to stop companies from bribing foreign officials for business

ended up requiring companies to implement a set of good internal controls

Sarbanes Oxley Act

To prevent financial statement fraud and make companies more transparent

requires companies to implement and continually test internal controls

3 Important Control Frameworks (+short defs)

1.  COBIT - framework for IT and system security controls

2.  COSO - published Internal Control: Integrated Framework -

A: defines what controls are

B: provides guidance to companies in establishing, testing, and enhancing their internal controls

C: regarded as the #1 source of info on internal controls

3.  ERM - an improvement on the risk section of COSO

COSO (5 components)

1.  Control Environment – people who work for the company and the environment in which they operate

2.  Control Activities – procedures implemented to see that the organization's objectives are met

3.  Risk Assessment – identify risks that exist

4.  Information and Communication – systems that provide information to enable business activities to occur

5.  Monitoring – the internal control system should be constantly monitored and modified

8 Components of ERM (+brief defs)

1.  Internal Environment - the environment in which employees operate

2.  Objective Setting - objectives the company wants to achieve (reason the company exists - mission statement)

3.  Event Identification - identifying the events that impact achieving objectives

4.  Risk Assessment – inherent/residual risk

5.  Risk Response – reduce, avoid, ignore, share

6.  Control Activities - segregation of duties

7.  Information and Communication - systems that provide info that enables business activities to occur

8.  Monitoring - the internal control system should be constantly monitored and modified as necessary

ERM - Internal Environment (3 things)

the environment in which employees operate (most important component). Consists of:


1.  Management style + philosophy


2.  Board of Directors + Audit Committee


3.  HR standards

ERM - Risk Assessment (types + procedure)

Inherent risk - natural risk that exists before controls are put in place

Residual risk - the risk that exists after controls are put in place

procedure: assess inherent (natural) risk, put in controls, assess residual risk

ERM - Risk Responses (4)

1.  Reduce the Risk - implement an internal control


2.  Avoid the risk - don't engage in the activity


3.  Ignore the Risk - do nothing


4.  Share the Risk - transfer some of the risk to others (insurance)

Steps to Risk Assessment and Response (5)

1.  Identify the events that lead to the risk in achieving your objectives


2.  Estimate the likelihood + impact of the event occurring


3.  Consider controls to reduce the risk


4.  Estimate the costs + benefits associated with the controls


5.  Decide on a risk response

ERM - Control Activities (3 to separate)

Segregation of duties (to stop collusion), 3 to separate:

1.  Authorization - ability to approve transactions and decisions

2.  Recording - maintaining journals and ledgers

3.  Custody - physical 'ownership' of company assets

Trust Services Framework ( 5 principles of reliability  + defs)

1.  Security - the system + its data are protected


2.  Confidentiality - sensitive company data is protected from unauthorized disclosure


3.  Privacy - personal data about customers is gathered, stored, and used in an appropriate manner


4.  Processing Integrity - Data is processed accurately, timely, completely, and with proper authorization


5.  Availability - when needed, the system can be accessed

Time Based Model of Security (letters, defs, formula)

P = time it takes an attacker to break through the preventive controls

D = time it takes a company to realize an attack is underway

C = time it takes to respond to the attack

If P > D + C, the security procedures are effective

Major Problems with the Time Based Model of Security (2)

1.  It's virtually impossible to accurately estimate P, D, and C

2.  Even if they are estimated, the estimates are valid for only a very short period of time

(so use Defense in Depth for day to day)

Defense in Depth

employing multiple layers of controls to avoid a single point of failure

Preventive Security Controls (def + 2 main funcs)

intent is to deter security issues from occurring

2 main funcs:

1.  Authentication - the process of verifying the identity of the person or device attempting to access the system

2.  Authorization - the process of restricting where authenticated users can go in the system and what actions they can perform

Authentication Controls (3 types + probs)

1.  Passwords - difficult to remember, so people choose easy ones

2.  Smart cards + ID badges - can be stolen

3.  Biometric identifiers - expensive

Authentication Controls: Passwords (5 reqs)

1.  Combination of uppercase, lowercase, numeric, and symbol characters

2.  Random

3.  Changed frequently (90 days is standard)

4.  Kept secret

5.  At least 8 characters long

Authentication Controls: Biometrics (2 pros / 3 cons)

Pros:

1.  makes it easier to identify specific people

2.  can't be lost

Cons:

1.  very costly

2.  not flexible enough to account for slight changes (colds)

3.  very high security required to store templates with recognition data

Multi-factor authentication

use multiple authentication techniques to minimize the disadvantages of each

Access Control Matrix (2-3 things)

An implementation of authorization controls that shows, for each user (password, etc.), where in the system they can go and what actions they can perform

cons: has to be continually updated

Other Preventive Controls (3 + rules)

1.  Training - train employees to never open unsolicited email or allow others into restricted areas

2.  Physical Access Controls -

a - have only 1 unlocked entry door

b - have security log in visitors and escort them around

c - mantraps (double doors; the first door closes behind the visitor before the second opens)

3.  Encryption - convert the data into an unusable form

Detective Controls

main func is to identify security problems that occur (ex: log analysis - a listing of everything that occurred and was attempted within the system; multiple bad logins = bad sign)

Corrective Controls (def + 2)

respond to and fix problems

CERTs - Computer Emergency Response Teams

Patch management systems

Confidentiality (3 times + fix)

protecting sensitive company data from unauthorized disclosure

necessary when:

1.  data is stored

2.  data is transferred (use an encrypted VPN)

3.  data is disposed of (shred it)

Threats to Confidentiality (2 main)

1.  email + IM - employees should be trained in what is appropriate for email and IM

2.  cell phones (cameras, etc.)

Privacy (def + 10 Best Practices)

protecting sensitive customer information

1.  Management - the organization should establish policies and procedures to protect client data

2.  Notice - tell customers about privacy policies when you collect data

3.  Choice + Consent - inform customers of their choices and get their consent (opt in/out)

4.  Collection - collect personal data only for purposes described in the privacy policies

5.  Use + Retention - use data only as described in the privacy policy and keep it only as long as necessary

6.  Access - customers should have access to their personal data for review, change, and deletion

7.  Disclosure to 3rd Parties - only share the data according to the privacy policies and with companies that have similar standards

8.  Security - reasonable protections should be in place to keep personal data secure

9.  Quality - the organization maintains the integrity of the data

10.  Monitoring + Enforcement - assign responsibility and accountability to an individual/group to ensure compliance; also provide a means of taking customer complaints

Processing Integrity (def + 5 cats)

relates to the ability of the system to provide accurate and timely information based only on authorized transactions

1.  Source Document Controls - how data is initially recorded (POs + invoices)

2.  Data Entry Controls - entering data from source docs into the system

3.  Data Processing Controls - processing of data

4.  Data Transmission Controls - encryption

5.  Output Controls - output...

Processing Integrity - Source Document Controls (4)

1.  design of forms (easy to use)

2.  turnaround docs (bills)

3.  prenumbered sequence (checks)

4.  segregation of duties

Processing Integrity - Data Entry Controls (8)

1.  Field Check - proper type of data

2.  Sign Check - check the sign (+/-)

3.  Limit Check - make sure the value is less than a predetermined amount

4.  Range Check - make sure the value is in a certain range (1-10)

5.  Size Check - check that the field has enough capacity

6.  Completeness Check - check that all data is filled in

7.  Validity Check - check data against acceptable values

8.  Reasonableness Check - compares the relationship between 2 data items

Processing Integrity - Data Processing Controls (2)

1.  Data Matching Test - match source documents to invoices before paying

2.  Cross Footing (add rows) and Footing (add columns), then check that the sums agree

Processing Integrity - Output Controls (2)

1.  User Reviews - review the output (check the printout)

2.  Reconciliation Procedures - reconcile system data with data that is independent (external) of the system

Availability (def, 4 threats + control)

when needed, the system can be accessed

threats:

1.  Hardware problems

2.  Random acts (power outages)

3.  User/human error

4.  Viruses/worms/system attacks

control: backups
