Term
Fraud (def + 5 elements)
Definition
any means used by 1 person to gain an unfair advantage over another person
1. There has to be a false statement
2. Must be about a material fact
3. The person making the false statement knew the statement was false (intent to deceive)
4. A victim relies on the false statement
5. As a result of that reliance, the victim suffers a loss or injury

Term
2 Types of Fraud (+ defs)
Definition
Misappropriation of assets - theft or unauthorized use of company assets (also called employee fraud; caused by a lack of controls or by not following them)
Fraudulent Financial Reporting - misstating the financial health of a company by intentionally misstating or omitting amounts and disclosures in the financial statements (overstating revenues = most common, understating liabilities = 2nd)

Term
National Commission of Fraudulent Reporting (Treadway Commission) - 4 things to minimize fraudulent reporting
Definition
1. Create an organizational environment that contributes to the integrity of the financial reporting process
2. Understand the factors that lead to fraudulent statements
3. Assess the risk that cooking the books occurs at your company
4. Implement a set of internal controls to provide reasonable assurance that cooking the books will not occur

Term

Definition
Consideration of Fraud in a Financial Statement Audit:
requires auditors at all phases of an audit to consider + test for fraud

Term
3 conditions for fraud to occur
Definition
1. Pressure - motivation or incentive to commit fraud
2. Opportunity - an opening that allows someone to commit the fraud, conceal it, and convert the proceeds
3. Rationalization - reasons used by the fraudster to justify the crime

Term
Concealing the fraud (2 ways)
Definition
Lapping - steal customer A's payment, cover it with customer B's payment, cover B's with C's, etc.
Kiting - creating cash by floating checks between 3 accounts

Term
Computer Fraud (def + 5 types + defs)
Definition
any illegal act where knowledge of computers is essential in committing, investigating and/or prosecuting the crime
1. Input Fraud - alter the input before entering it
2. Processing Fraud - committed with unauthorized use of the system
3. Computer Instructions Fraud - altering the software that processes the data (viruses)
4. Stored Data Fraud - altering or destroying company data, or copying + searching company data without permission
5. Output Fraud - altering or stealing system output (check counterfeiting)

Term

Definition
1. Cash Receipts Fraud - alter the input to steal cash
2. Cash Disbursement Fraud - attempt to get the company to overpay for ordered goods, or to pay for goods not ordered at all
3. Inventory Fraud - enter into the system that stolen inventory was scrapped
4. Payroll Fraud - create a phantom employee or adjust pay rates

Term
Specific Techniques of computer fraud (in book p 160-161)
Definition

Term
Internal Controls (def + 6 objectives)
Definition
Policies + procedures established by the company to provide reasonable assurance that the objectives are met
1. Assets, including data, are safeguarded
2. Accurate, reliable information is provided to the decision makers
3. Financial statements are prepared according to GAAP
4. The company operates efficiently
5. Policies established by management are being followed
6. The company is following all applicable laws and regulations

Term
3 Important functions of Internal Controls (+ defs)
Definition
1. Preventive Controls - deter problems from occurring
2. Detective Controls - identify problems quickly when they arise
3. Corrective Controls - fix the problem by
   a - identifying the cause
   b - fixing the problem
   c - modifying the system to stop repeats

Term
2 Main Categories of Internal Controls
Definition
1. General Controls - designed to make sure the control environment of the company is stable and functioning properly (segregation of duties)
2. Application Controls - designed to prevent, detect, and correct transaction errors + fraud (preparation of a monthly bank reconciliation)

Term
Foreign Corrupt Practices Act
Definition
intended to stop companies from bribing foreign officials for business
ended up requiring companies to implement a set of good internal controls

Term

Definition
To prevent financial statement fraud + make companies more transparent
requires companies to implement and continually test internal controls

Term
3 Important Control Frameworks (+ short defs)
Definition
1. COBIT - framework for IT and system security controls
2. COSO - published Internal Control – Integrated Framework, which:
   A: defines what controls are
   B: provides guidance to companies in establishing, testing, and enhancing their internal controls
   C: is regarded as the #1 source of info on internal controls
3. ERM - an improvement on the risk section of COSO

Term
5 Components of COSO (+ brief defs)
Definition
1. Control Environment – people who work for the company and the environment in which they operate
2. Control Activities – procedures implemented to see that the organization's objectives are met
3. Risk Assessment – identify risks that exist
4. Information and Communication – systems that provide information to enable business activities to occur
5. Monitoring – the internal control system should be constantly monitored and modified

Term
8 Components of ERM (+ brief defs)
Definition
1. Internal Environment - the environment in which employees operate
2. Objective Setting - objectives the company wants to achieve (the reason the company exists - mission statement)
3. Event Identification - identifying the events that impact achieving the objectives
4. Risk Assessment – inherent/residual risk
5. Risk Response – reduce, avoid, ignore, share
6. Control Activities - segregation of duties
7. Information and Communication - systems that provide info to enable business activities to occur
8. Monitoring - the internal control system should be constantly monitored + modified as necessary

Term
ERM - Internal Environment (3 things)
Definition
the environment in which employees operate (the most important component). Consists of:
1. Management style + philosophy
2. Board of Directors + Audit Committee
3. HR standards

Term
ERM - Risk Assessment (types + procedure)
Definition
Inherent risk - natural risk that exists before controls are put in place
Residual risk - the risk that exists after controls are put in place
procedure: assess inherent (natural) risk, put in controls, assess residual risk

Term
ERM - Risk Response (4)
Definition
1. Reduce the Risk - implement an internal control
2. Avoid the Risk - don't engage in the activity
3. Ignore the Risk - do nothing
4. Share the Risk - transfer some of the risk to others (insurance)

Term
Steps to Risk Assessment and Response (5)
Definition
1. Identify the events that lead to the risk in achieving your objectives
2. Estimate the likelihood + impact of the event occurring
3. Consider controls to reduce the risk
4. Estimate the costs + benefits associated with the controls
5. Decide on a risk response

Term
ERM - Control Activities (3 to separate)
Definition
Segregation of duties (to stop collusion), 3 to separate:
1. Authorization - ability to approve transactions + decisions
2. Recording - maintaining journals + ledgers
3. Custody - physical 'ownership' of company assets

Term
Trust Services Framework (5 principles of reliability + defs)
Definition
1. Security - the system + its data are protected
2. Confidentiality - sensitive company data is protected from unauthorized disclosure
3. Privacy - personal data about customers is gathered, stored, and used in an appropriate manner
4. Processing Integrity - data is processed accurately, timely, completely, and with proper authorization
5. Availability - when needed, the system can be accessed

Term
Time Based Model of Security (letters, defs, formula)
Definition
P = time it takes an attacker to break through the preventive controls
D = time it takes a company to realize an attack is underway
C = time it takes to respond to the attack
If P > D + C, the security procedures are effective

Term
Major Problems with the Time Based Model of Security (2)
Definition
1. It's virtually impossible to accurately estimate P, D, and C
2. Even if they are estimated, the estimates are valid for only a very short period of time
(so use Defense in Depth for day-to-day security)

Term
Defense in Depth
Definition
employing multiple layers of controls to avoid a single point of failure

Term
Preventive Security Controls (def + 2 main functions)
Definition
intent is to deter security issues from occurring
2 main functions:
1. Authentication - the process of verifying the identity of the person or device attempting to access the system
2. Authorization - the process of restricting where authenticated users can go in the system and what actions they can perform

Term
Authentication Controls (3 types + problems)
Definition
1. Passwords - difficult to remember, so people choose easy ones
2. Smart cards + ID badges - can be stolen
3. Biometric identifiers - expensive

Term
Authentication Controls: Passwords (5 reqs)
Definition
1. Combination of upper- and lowercase letters, numbers, + symbols
2. Random
3. Changed frequently (90 days is standard)
4. Kept secret
5. At least 8 characters long

Term
Authentication Controls: Biometrics (2 pros / 3 cons)
Definition
pros:
1. Make it easier to identify specific people
2. Can't be lost
cons:
1. Very costly
2. Not flexible enough to account for slight changes (colds)
3. Very high security required to store the templates with recognition data

Term
Multi-factor authentication
Definition
use multiple authentication techniques to minimize the disadvantages of each

Term
Access Control Matrix (2-3 things)
Definition
An implementation of authorization controls that lists, for each user (password, etc.), where in the system they can go + what actions they can perform
con: has to be continually updated

Term
Other Preventive Controls (3 + rules)
Definition
1. Training - train employees to never open unsolicited email or allow others into restricted areas
2. Physical Access Controls -
   a - have only 1 unlocked entry door
   b - have security log in visitors + escort them around
   c - mantraps (double doors; the door behind closes before the next one opens)
3. Encryption - convert the data into an unusable form for anyone without the key

Term
Detective Controls (def + example)
Definition
main function is to identify security problems that occur (ex: log analysis - a listing of everything that occurred + was attempted within the system; multiple bad logins = bad sign)

Term
Corrective Controls (def + 2)
Definition
respond to + fix problems
CERTs - Computer Emergency Response Teams
Patch management systems

Term
Confidentiality (3 times + fixes)
Definition
protecting sensitive company data from unauthorized disclosure
necessary when...:
1. data is stored
2. data is transferred (use an encrypted VPN)
3. data is disposed of (shred it)

Term
Threats to Confidentiality (2 main)
Definition
1. Email + IM - employees should be trained on what is appropriate for email + IM
2. Cell phones (cameras, etc.)

Term
Privacy (def + 10 Best Practices)
Definition
protecting sensitive customer information
1. Management - the organization should establish policies + procedures to protect client data
2. Notice - tell customers about the privacy policies when you collect data
3. Choice + Consent - inform customers of their choices + get their consent (opt in/out)
4. Collection - collect personal data only for the purposes described in the privacy policies
5. Use + Retention - use data only as described in the privacy policy + keep it only as long as necessary
6. Access - customers should have access to their personal data for review, change + deletion
7. Disclosure to 3rd Parties - only share the data according to the privacy policies + with companies with similar standards
8. Security - reasonable protections should be in place to keep personal data secure
9. Quality - the organization maintains the integrity of the data
10. Monitoring + Enforcement - assign responsibility + accountability to an individual/group to ensure the policies are followed. Also provide a means of taking customer complaints

Term
Processing Integrity (def + 5 cats)
Definition
relates to the ability of the system to provide accurate + timely information based only on authorized transactions
1. Source Document Controls - how data is initially recorded (POs + invoices)
2. Data Entry Controls - entering data from source docs into the system
3. Data Processing Controls - processing of data
4. Data Transmission Controls - encryption
5. Output Controls - output...

Term
Processing Integrity - Source Document Controls (4)
Definition
1. Design of forms (easy to use)
2. Turnaround docs (bills)
3. Prenumbered sequence (checks)
4. Segregation of duties

Term
Processing Integrity - Data Entry Controls (8)
Definition
1. Field Check - proper type of data
2. Sign Check - check +/-
3. Limit Check - make sure the value is less than a predetermined amount
4. Range Check - make sure the value is in a certain range (1-10)
5. Size Check - check that the field has enough capacity
6. Completeness Check - check to see that all data is filled in
7. Validity Check - check data against acceptable values
8. Reasonableness Check - compares the relationship between 2 data items

Term
Processing Integrity - Data Processing Controls (2)
Definition
1. Data Matching Test - match sources to invoices before paying
2. Cross Footing (add rows) and Footing (add columns) and check sums

Term
Processing Integrity - Output Controls (2)
Definition
1. User Reviews - review the output (check the printout)
2. Reconciliation Procedures - reconcile system data with data that is independent (external) of the system

Term
Availability (def, 4 threats + control)
Definition
when needed, the system can be accessed
threats:
1. Hardware problems
2. Random acts (power outages)
3. User/human error
4. Viruses/worms/system attacks
control: backups