Stewardship - the careful and responsible oversight and
use of the assets entrusted to management.
-maintain systems which allow it to demonstrate that it
has appropriately used these funds and assets.
COSO report defines internal control:
a process, effected by an entity’s board of directors,
management, and other personnel, designed to provide
reasonable assurance regarding the achievement of
objectives
Fraud can be defined as the theft, concealment, and
conversion to personal gain of another money, physical
assets, or information.
Misappropriation of assets
- involves theft of any item of value.
- defalcation, or internal theft,
- most common examples are theft of cash or inventory.
Misstatement of financial records
- involves the falsification of accounting reports. -
earnings management, or fraudulent financial reporting.
Fraud triangle
 Incentive to commit the fraud. - pressure
 Opportunity to commit the fraud.
 Rationalization of the fraudulent action. moral
-plan, do, justify
Management fraud
- conducted by one or more top-level managers within
the company
-usually in the form of fraudulent financial reporting.
management override
- Involves top management’s circumvention of the
systems or internal controls that are in place
Employee fraud
- conducted by non-management employees.
Examples: Inventory & cash receipts theft, acct. Payable
fraud, payroll fraud, expense fraud
kickback - cash payment that the vendor gives the
employee in exchange for the sale; it is like a business
bribe.
Skimming - cash is stolen before it is entered into the
accounting
- most difficult to discover kasi no record
Larceny -steal the company’s cash after it has been
recorded in the accounting records.
Collusion - occurs when two or more people work
together to commit a fraud.
Customer fraud - customer improperly obtains cash or
property from a company, or avoids a liability through
deception.
Ex: credit card fraud, check fraud, refund fraud
Vendor fraud - vendors obtain payments to which they
are not entitled.
- intentionally submit duplicate or incorrect invoices,
send shipments in which the quantities are short
Vendor audits - involve the examination of vendor
records in support of amounts charged to the company.
industrial espionage - the theft of proprietary company
information, by digging through the trash of the
intended target company.
software piracy - the unlawful copying of software
programs.
internal computer fraud - When an employee of an
organization attempts to conduct fraud through the
misuse of a computer-based System
- Input manipulation,Program manipulation, Output
manipulation
salami technique -alter a program to slice a small
amount from several accounts and then credit those
small amounts to the perpetrator’s benefit.
Trojan horse program - small, unauthorized program
within a larger, legitimate program trap door alteration
is a valid programming tool that is misused to commit
fraud.
Hacking is the term commonly used for computer
network break-ins.
A denial of service attack (DOS Attack) -intended to
overwhelm an intended target computer system with
so much bogus network traffic that the system is
unable to respond to valid network traffic
Spoofing occurs when a person, through a computer
system, pretends to be someone else.
1. Preventive controls
2. Detective controls
3. Corrective controls
According to COSO report, there are five interrelated
components of internal control:
 the control environment - sets the tone of an
organization and influences the control
consciousness of its employees.
 risk assessment - considers existing threats and
the potential for additional risks
 Control activities - the policies and procedures
that help ensure that management directives are
carried out and that management objectives are
achieved.
 information and communication -
 monitoring. - involves the ongoing review and
evaluation of the system.
General authorization is a set of guidelines that allows
transactions to be completed as long as they fall within
established parameters. authorization.
Specific authorization means that explicit
approval is needed for a transaction to be completed.
Segregation of duties
Supervision - compensating control
Reasonable assurance means that the controls achieve
a sensible balance of reducing risk when compared with
the cost of the control.
General controls apply overall to the IT accounting
system; they are not restricted to any particular
accounting application.
Application controls
- used specifically in accounting applications to control
inputs, processing, and outputs
- intended to ensure that inputs and processing
are accurate and complete and that outputs are
properly distributed, controlled, and disposed.
Ex: validity check
General Controls
1. Authentication of Users and Limiting Unauthorized
Users
- ensure that the person accessing the IT system is a
valid and authorized user.
Log in means to make the computer recognize you in
order to create a connection at the beginning of a
computer session.
password is a secret set of characters that identifies the
user as the authentic owner of that associated user ID.
smart card - plugged into the computer’s card reader
and helps authenticate that the user is valid.
security token - plugs into the USB port and thereby
eliminates the need for a card reader.
two-factor authentication - Like smart cards or tokens ,
since the person who logs in must physically possess
and use the smart card or token.
Biometric devices use some unique physical
characteristic of the user to identify the user and allow
the appropriate level of access to that user.
The computer log is a complete record of all dates,
times, and uses for each user.
Nonrepudiation means that a user cannot deny any
particular act that he or she did on the IT system.
authority table contains a list of valid, authorized users
and the access level granted to each one.
configuration tables for hardware, software, and
application programs that contain the appropriate
set-up and security settings.
A firewall is hardware, software, or a combination of
both that is designed to block unauthorized access.
Encryption is the process of converting data into secret
codes referred to as cipher text.
Symmetric encryption uses a single encryption key that
must be used to encrypt data and also
to decode the encrypted data.
Public key encryption uses both a public key and a
private key. The public key, which can be known by
everyone, is used to encrypt the data, and a private key
is used to decode the encrypted data.
Wireless network equipment, such as access points and
wireless network cards, uses an encryption method
called wireless protected access, or WPA,
-WPA can check to see whether encryption keys have
been tampered with.
service set identifier, or SSID - password that is passed
between the sending and receiving nodes of a wireless
network.
A virtual private network utilizes tunnels,
authentication, and encryption within the Internet
network to isolate Internet communications so that
unauthorized users cannot access or use certain data.
secure sockets layer, or SSL.- communication protocol
built into Web server and browser software that
encrypts data transferred on that website.
virus is a self- replicating piece of program code that
can attach itself to other programs and data and
perform malicious actions such as deleting files or
shutting down the computer.
Vulnerability assessment is the process of proactively
examining the IT system for weaknesses that can be
exploited by hackers, viruses, or malicious employees.
Intrusion detection systems are specific software tools
that monitor data flow within a network and alert the IT
staff to hacking attempts or other unauthorized access
attempts.
Penetration testing is the process of legitimately
attempting to hack into an IT system to find whether
weaknesses can be exploited by unauthorized hackers.
IT governance committee - function is to govern the
overall development and operation of IT systems.
Operations personnel are employees who are
responsible for processing operating data.
database administrator develops and maintains the
database and ensures adequate controls over data
within the database.
system development life cycle can be generally
described as the systematic steps undertaken to plan,
oversee , implement large-scale changes to the IT
system.
uninterruptible power supply includes a battery to
maintain power in the event of a power outage
emergency power supply is an alternative power supply
that provides electrical power in the event that a main
source is lost.
redundant servers—two or more computer network or
data servers that can run identical processes or
maintain the same data.
off-site backup, an additional copy of the backup files
stored in an off-site location.
disaster recovery plan (DRP) - plan for the continuance
of IT systems after a disaster
operating system is the software that controls the basic
input and output activities of the computer.
database management system (DBMS) is a software
system that manages the interface between many users
and the database.
A limit check has only an upper limit; for example,
hours worked cannot exceed a value of 70 hours per
week.
A range check has both an upper and a lower limit.
reasonableness check compares the value in a field with
those fields to which it is related to determine whether
the value is reasonable.
completeness check assesses the critical fields
in an input screen to make sure that a value is in those
fields.
sign check examines a field to determine that it has the
appropriate sign, positive or negative.
sequence check ensures that the batch of transactions
is sorted in order, but does not help find missing
transactions because it checks only sequence, not
completeness.
self-checking digit is an extra digit added to a coded
identification number, determined by a mathematical
algorithm.
Control totals are subtotals of selected fields for an
entire batch of transactions.
Record counts are a simple count of the number of
records processed.
Batch totals are totals of financial data, such as total
gross pay or total federal tax deducted.
Hash totals are totals of fields that have no apparent
logical reason to be added.
run-to-run control totals. - reconciliation of
controlntotals at various stages of the process