bcs

Cards (339)

  • Internal controls for IT systems
    Controls that help minimize threats and risks to IT systems
  • Computer systems are critical to ongoing operations for most organizations
  • Accounting information systems collect, process, store, and report accounting information
  • IT systems have become so critical that organizations would hardly be able to operate if their IT systems were to fail
  • General controls
    Controls that apply overall to the IT accounting system, not restricted to any particular accounting application
  • During the early 2000s, news reports named company after company in connection with fraudulent financial reporting. Among the names were Enron Corp., Global Crossing USA, Inc., Adelphia Communications Corp., WorldCom Inc., and Xerox Corporation.
  • Application controls
    Controls used specifically in accounting applications to control inputs, processing, and outputs
  • In the case of Enron alone, fraudulent financial reporting led to the loss of billions of dollars for investors, job and retirement‐fund losses for employees, the collapse of the Arthur Andersen LLP audit firm, and further depression of an already weak stock market.
  • General control categories
    • Authentication of users and limiting unauthorized access
    • Hacking and other network break-ins
    • Organizational structure
    • Physical environment and physical security of the system
    • Business continuity
  • Authentication of users
    Process or procedure in an IT system to ensure the person accessing the system is a valid and authorized user
  • The Phar‐Mor fraud scheme is an older example, but it is important to study it as a classic case of the wrong approach to concepts in this chapter and the chapters that follow.
  • Phar‐Mor had unethical leaders, shoddy ethics enforcement, poor internal controls, relaxed corporate governance, weak IT systems, and faulty audits. It represents the poster child of a poor control environment.
  • Password requirements
    • At least 8 characters, including at least one non-alphanumeric character; case-sensitive; changed every 90 days
  • Two-factor authentication
    Authentication based on something the user has (token/smart card) and something the user knows (password)
  • When management is unethical, as in the Phar‐Mor case, fraud is likely to occur.
  • In the case of Phar‐Mor, management did not act ethically and did not encourage ethical behavior. Although the company had written and adopted a code of ethics, most of the officers in the company were not aware that it existed.
  • Biometric devices
    Devices that use unique physical characteristics of the user to identify and authenticate them
  • Maintaining high ethics and following proper procedures can help prevent or detect many kinds of fraud.
  • Stewardship
    The careful and responsible oversight and use of the assets entrusted to management
  • Management has an obligation to provide accurate and complete accounting records and reports with full disclosure.
  • When a vice president at Phar‐Mor became concerned about the adequacy of the IT system and the resulting reports, he formed a committee to address the problems; however, the committee was squelched by members of senior management who were involved in the fraud.
  • Nonrepudiation
    Ensures a user cannot deny any particular action they took on the IT system
  • User profile
    Determines each user's access levels to hardware, software, and data according to their job responsibilities
  • Authority table
    Contains a list of valid, authorized users and the access level granted to each one
  • Internal control
    A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations
  • Configuration tables
    Contain the appropriate set-up and security settings for hardware, software, and application programs
  • If accounting internal controls and IT controls are operating effectively, many types of fraud can be avoided or detected.
  • Code of ethics
    A set of documented guidelines for moral and ethical behavior within the organization
  • Firewall
    Hardware, software, or combination of both that is designed to block unauthorized access to a network
  • Authorization and access controls cannot be completely effective, so additional controls are needed
  • Firewall
    Prevents the unauthorized flow of data in both directions, blocking access to data on the network server by preventing unauthorized requests to log in or read data
  • Ideally, a firewall would be like a brick wall and allow nothing to pass through it
  • Management that emphasizes and models ethical behavior is more likely to encourage ethical behavior in employees.
  • A company that maintains a good system of accounting and IT internal controls and values ethical behavior will be more likely to avoid fraud, other ethical problems, and errors in accounting records.
  • This would stop legitimate as well as illegitimate network traffic
  • Fraud
    The theft, concealment, and conversion to personal gain of another's money, physical assets, or information
  • Firewall
    Examines data flow and attempts to block only the traffic that appears to be unauthorized
  • Types of fraud
    • Misappropriation of assets
    • Misstatement of financial records
  • Fraud triangle
    The three conditions that must exist for fraud to be perpetrated: incentive to commit the fraud, opportunity to commit the fraud, and rationalization of the fraudulent action
  • Packets passing through a firewall
    Must have the proper ID, otherwise they are stopped by the firewall