CHAPTER 10

CONTROL AND ACCOUNTING INFORMATION SYSTEMS

1. Some restaurants use customer checks with prenumbered sequence codes.

Each food server uses these checks to write up customer orders. Food servers
are told not to destroy any customer checks; if a mistake is made, they are to
void that check and write a new one. All voided checks are to be turned in to the
manager daily. How does this policy help the restaurant control cash receipts?

2. Explain how independent performance evaluation procedures are either

violated or effectively applied in each of the following situations. Identify the
problem and suggest the check required (or applied) to prevent the identified
problem from occurring.

a. The manager who oversees the corporate fleet of vehicles signed off on the
purchase of 15 luxury SUVs to expand the company’s fleet of cars. As soon as
this was done, he instructed that the payment be made.

b. At a newly opened local restaurant, waiters work six-hour shifts. There are
three six-hour shifts per day, with each shift overlapping the next. The
restaurant currently has two cash registers and these can be operated by any
one of the waiters during a shift without them requiring any form of
identification. The new manager has decided that the cash in the cash register
box will be checked once every 24 hours, i.e., in the mornings before the new
shift for the day begins.

c. A company’s financial clerk does a spot check of the account books and finds
that there is a discrepancy between the balances of the checking account and
the bank statement.

d. In July of the previous year, the inventory clerk suspects that the warehouse
inventory level is not being reflected accurately. When the year-end
inventory was reviewed at the end of February of this year, his suspicions
were confirmed.

e. There was a spike in credit sales that was not picked up by the credit sales
controller. When he was confronted by his line manager about it, he blamed
 the accounts receivable department for not identifying the issue earlier. The
accounts receivable department denies that there was a spike in credit sales
as their records do not indicate

f. A new employee at a company identifies a discrepancy between the total

debits and total credits after payroll entries were finalized.

g. A client calls up a store to check the availability of a specific product at the

store. The client is informed by the sales manager that he has checked their
inventory system and the stock is available for the specific product. The
customer visits the store, only to find that the product is no longer in stock.
Upon querying the cashier, the client is again informed that the inventory
system shows a relatively large quantity of the

h. Over a period of five years, one of the managers in a company realizes that
the company does not seem to be performing as well as it forecasts and
budgets for. However, he optimistically goes on believing that things will turn
for the better.

i. In order to speed up the processing of sales transactions, one person was

made responsible both for the sales journal as well as the accounts receivable
master file.

j. The supervisor at a local hypermarket verifies the accuracy of the cash in the
cash register box assigned to a retail clerk. Every so often an internal auditor
verifies if the supervisor actually performed this check.

k. The payroll clerk realizes that the time sheets and absence records of a
specific department in the organization were not in line with company policy.
The supervisor of this specific department has been on sick leave for the last
three months.

CHAPTER 11

CONTROLS FOR INFORMATION SECURITY

3. The following table lists the tasks that an employee is required to perform:

Employee Tasks
Gerald Check network logs of employee logins to determine who logged in
 remotely over the weekend.
Malusi Maintain supplier information.
Wande Update regulatory tax changes. Add new employees.
Olwethu Check supplier payment terms.
Samjay Update reorder levels when new products are added to
the stock list.

Use the following codes to complete the access control matrix so that each employee will
have the appropriate rights and privileges to perform their tasks:

0 = 5 no access
1 = 5 read only access
2 = 5 read and modify records
3 = 5 read, modify, create, and delete records

Employee Inventory master Supplier master Payroll master file System log
file file files
Gerald
Malusi
Wande
Olwethu
Samjay

4. Which preventive, detective, and/or corrective controls would best mitigate the
following threats?

a. An employee’s laptop was stolen at the airport. The laptop contained

personally identifying information about the company’s customers that could
potentially be used to commit identity theft.

b. A salesperson successfully logged into the payroll system by guessing the

payroll supervisor’s password.

c. A criminal remotely accessed a sensitive database using the authentication

credentials (user ID and strong password) of an IT manager. At the time the
attack occurred, the IT manager was logged into the system at his
workstation at company headquarters.

d. An employee received an email purporting to be from her boss informing her

of an important new attendance policy. When she clicked on a link embedded
in the email to view the new policy, she infected her laptop with a keystroke
logger.
e. A company’s programming staff wrote custom code for the shopping cart
feature on its web site. The code contained a buffer overflow vulnerability
that could be exploited when the customer typed in the ship-to address.

f. A company purchased the leading “off-the-shelf” e-commerce software for

linking its electronic storefront to its inventory database. A customer
discovered a way to directly access the back-end database by entering
appropriate SQL code.

g. Attackers broke into the company’s information system through a wireless

access point located in one of its retail stores. The wireless access point had
been purchased and installed by the store manager without informing central
IT or security.

h. An employee picked up a USB drive in the parking lot and plugged it into
their laptop to “see what was on it,” which resulted in a keystroke logger
being installed on that laptop.

i. Once an attack on the company’s website was discovered, it took more than
30 minutes to determine who to contact to initiate response actions.

j. To facilitate working from home, an employee installed a modem on his office

workstation. An attacker successfully penetrated the company’s system by
dialing into that modem.

k. An attacker gained access to the company’s internal network by installing a

wireless access point in a wiring closet located next to the elevators on the
fourth floor of a high-rise office building that the company shared with seven
other companies.