by: Arturo Hilll IV


This 34 page Class Notes was uploaded by Arturo Hilll IV on Tuesday October 13, 2015. The Class Notes belongs to ACCT 3122 at Louisiana State University taught by J. Soileau in Fall. Since its upload, it has received 40 views. For similar materials see /class/223045/acct-3122-louisiana-state-university in Accounting at Louisiana State University.




Date Created: 10/13/15

AIS Threats (Chapter 5)
- Natural and Political Disasters
  - Ex: fire or excessive heat, floods, earthquakes, high winds, war, and attack by terrorists
- Software errors and Equipment malfunctions
  - Ex: hardware or software failures, software errors or bugs, operating system crashes, power outages and fluctuations, and undetected data transmission errors
- Unintentional Acts
  - Ex: accidents caused by human carelessness, failure to follow established procedures, and poorly trained or supervised personnel; innocent errors or omissions; lost, destroyed, or misplaced data; logic errors; systems that do not meet company needs or are incapable of handling their intended tasks
- Intentional Acts
  - Ex: sabotage, corruption, misrepresentation, false use or unauthorized disclosure of data, misappropriation of assets, and financial statement fraud

What is fraud?
- Definition: any and all means a person uses to gain an unfair advantage over another person
- Must involve:
  - A false statement, representation, or disclosure
  - A material fact
  - Intent to deceive, or knowledge that the statement was false when it was uttered
  - Justifiable reliance, meaning the victim relies on this statement
  - An injury or loss suffered by the victim as a result
- Types of occupational fraud
  - Misappropriation of Assets: the theft of assets; committed by a person or group of people for personal financial gain (aka employee fraud)
  - Corruption: wrongful use of a position to procure a benefit
  - Fraudulent Financial Reporting: intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements
- Fraud Triangle (figure): Pressure, Opportunity, Rationalization (attitude)

Computer Fraud Classification
- Input Fraud: altering computer input; requires little computer skill and is the simplest, most common way; the perpetrator only needs to understand how the system operates
- Processor Fraud: unauthorized system use, including theft of computer time and services
- Instructions Fraud: making illegal copies or changing the code; involves tampering with any of the software or data
- Data Fraud: changing data, or copying it and redistributing it; disgruntled employees have scrambled, altered, or destroyed data files; theft of data often occurs so that perpetrators can sell the data
- Output Fraud: involves stealing or misusing system output; anything using counterfeit

Computer Fraud and Abuse Techniques
- Data diddling: changing data before, during, or after it is entered into the system
- Data leakage: copying company data, such as computer files, without permission
- Denial of service attack: sending email bombs (hundreds of messages per second) from randomly generated false addresses; the internet service provider's email server is overloaded and shuts down
- Email forgery/spoofing: sending an email message that looks as if it were sent by someone else
- Email threats: sending a threatening message to try and get the recipient to do something that would make it possible to defraud them
- Hijacking: gaining control of someone else's computer to carry out illicit activities, such as sending spam, without the computer user's knowledge
- Hacking: accessing and using computer systems without permission, usually by means of a personal computer and a telecommunications network
- Identity theft: assuming someone else's identity, usually for economic gain, by illegally obtaining confidential information such as a SSN
- Key logger: using spyware to record a user's keystrokes, emails sent and received, and chat session participation
- Packet sniffing: using a computer to find user names and passwords as they travel through the internet and other networks
- Phishing: sending emails claiming to be legitimate companies, primarily financial institutions
- Social engineering: tricking an employee into providing the information needed to get into a system
- Software piracy: copying computer software without the publisher's permission
- Spamming: emailing the same unsolicited message to many people at the same time, often in an attempt to sell them some product
- Spyware: using software to monitor computer habits and sending that data to someone else, often without the computer user's permission
- Trap door: entering the system using a back door that bypasses normal system controls and perpetuates fraud
- Trojan horse: placing unauthorized computer instructions in an authorized and properly functioning program

Methods used to commit computer fraud
- Internet misinformation – urban legend, slander
- Internet terrorism – viruses and worms disrupt commerce
- Logic/time bombs – program that is dormant until a condition occurs
- Masquerading or impersonation – use of another's ID & password
- Packet sniffers – program that captures data traversing the Internet
- Password cracking – requires decrypting a system's password file
- Phishing – spoof email requesting login or credential update
- Piggybacking – following a legitimate user in without their knowledge
- Round-down technique – (Office Space)
- Salami technique – small thefts that add up
- Social engineering – tricking a person into providing needed information (e.g., system admin)
- Software piracy – copying software without the publisher's permission
- Spamming – emailing an unsolicited message to multitudes of people
- Spyware – software that gathers information on Internet sites viewed
- Keystroke loggers – records keystrokes of a user and reports them
- Superzapping – use of special system programs to bypass regular system controls & perform illegal acts
- Trap doors – back door into a system to bypass normal controls
- Trojan horse – unauthorized computer code included in a properly functioning program that allows control of the computer
- War dialing – search for idle modems via attempting 1000s of phone lines
- War driving – driving around looking for unprotected wireless networks

Virus vs Worm
- A virus is a segment of executable code that attaches itself to software
  - In the first phase, the virus replicates itself and spreads to other systems or files when some predefined event occurs
  - In the attack phase, triggered by a specified event, the virus carries out its mission
  - Part of another program
- A worm is similar to a virus, except for:
  - It is a standalone program
  - It [illegible]
- Protection against:
  - Have the latest patches to protect your computer
  - Install reliable virus software that scans for, identifies, and destroys viruses
  - Keep the antivirus program up to date

Identity Theft
- Thieves usually steal corporate or individual identity by:
  - Shoulder surfing: watching or listening to people provide phone/credit card numbers to sales clerks or others
  - Scavenging or dumpster diving: searching garbage cans, communal trash bins, and city dumps for documents with confidential company information (e.g., bank/credit card statements)
  - Redirecting mail: intercepting mail & having it delivered to a location for others to access
  - Using the Internet, email, and other technology in spoofing, phishing, eavesdropping, impersonating, social engineering, and data leakage schemes
- DO suggests 4 ways to minimize risk:
  - Only provide personal information for good reasons to people you trust
  - Check financial information regularly
  - Periodically review credit report
  - Maintain careful accounting records

Decrease the likelihood of Fraud by:
- Identify events that lead to increased fraud risk and identify controls to prevent, avoid, share, or accept risk
- Develop and communicate security policies to guide the design and implementation of specific control procedures
- Implement HR policies for hiring, compensating, evaluating, counseling, promoting, and discharging employees that set standards for integrity and ethical behavior
- Effectively supervise employees
- Train employees in security and fraud prevention measures
- Require periodic rotation of duties of key employees and signed confidentiality agreements
- Implement formal & rigorous project development and change management controls
- Increase the penalty by prosecuting fraud perpetrators more vigorously

Increase the difficulty of committing Fraud by:
- Developing a strong system of internal controls
- Segregating the accounting and system functions: Authorization, Recording, and Custody
- Restricting physical and logical access to system resources to authorized personnel
- Using properly designed documents and records to capture and process transactions
- Safeguarding all assets, records, and data
- Requiring independent checks on performance (e.g., reconciliation)
- Encrypting stored and transmitted data and programs
- Fixing known software vulnerabilities

Improve Detection Methods
- Implement a fraud hotline
- Create an IT Security Function
  - Employ a computer security officer
  - Monitor system activities, including computer and network security efforts, usage and error logs, and all malicious actions
  - Use intrusion detection systems to help automate the monitoring process
- Create an audit trail to trace/vouch transactions through the system
- Conduct periodic external and internal audits, including network security
- Install fraud detection software

Control and the AIS (Chapter 6)
Chapter vocabulary terms
- Threat: any potential adverse occurrence or unwanted event that could harm the AIS or the organization
- Exposure or impact: potential dollar loss that would occur if a threat becomes a reality
- Likelihood: the probability that the threat will occur
- Risk appetite: the amount of risk a company is willing to accept to achieve its goals and objectives
- Inherent risk: risk existing before management takes any steps to control the likelihood or impact
- Residual risk: risk remaining after management implements controls or other forms of response to risk
- Digital signature: means of signing a document with a piece of data that cannot be forged
- Important functions of controls
  - Preventive: deter problems before they arise
  - Detective: discover problems as soon as they arise
  - Corrective: remedy control problems that have been discovered
- Categories of controls
  - General: designed to make sure an organization's control environment is stable and well managed
  - Application: prevent, detect, and correct transaction errors and fraud

Foreign Corrupt Practices Act (1977)
- Primary purpose was to prevent bribery of foreign officials to obtain business
- Significant effect was the requirement for corporations to maintain adequate systems of internal accounting control
  - Created management interest in designing & evaluating internal controls

SOX (Sarbanes-Oxley Act of 2002)
- Created a five-member Public Company Accounting Oversight Board (PCAOB) to control the auditing profession
- The SEC appoints PCAOB members and oversees their activities
- The PCAOB sets and enforces auditing, quality control, ethics, independence, and other standards relating to audit reports
- Auditors must report specific information to the company's audit committee, such as critical accounting policies and practices, alternative GAAP treatments, and auditor-management disagreements
- Audit partners must be rotated periodically
- SOX prohibits auditors from performing certain non-audit services
- Audit committee members must be on the company's board of directors and be independent of the company
- One member of the committee must be a financial expert
- The audit committee hires, compensates, and oversees the auditors, who report directly to them
- The CEO and CFO are required to certify that financial statements and disclosures are fairly presented, were reviewed by management, and are not misleading
- Publicly held companies are required to issue a report accompanying the financial statements that states management is responsible for establishing and maintaining an adequate internal control structure and appropriate control procedures
- After the act was passed, the SEC mandated that management must:
  - Base its evaluation on a recognized control framework (ex: COSO)
  - Disclose any and all material internal control weaknesses
  - Conclude that a company does not have effective internal controls over financial reporting if there are any material weaknesses

COBIT (Control Objectives for Information and related Technology)
- A framework of generally applicable information systems security and control practices for IT control
- The framework allows management to benchmark the security and control practices of IT environments, users of IT services to be assured that adequate security and control exists, and auditors to substantiate their opinions on internal control and to advise on IT security and control matters
- Addresses the issue of control from three vantage points:
  - Business objectives: info must conform to the business requirements of information, such as effectiveness, efficiency, confidentiality, integrity, availability, compliance with legal requirements, and reliability
  - IT resources: this includes people, application systems, technology, facilities, and data
  - IT processes: broken into four domains, including planning and organization, acquisition and implementation, delivery and support, and monitoring

COSO ERM model
- COSO is a private-sector group consisting of the American Accounting Association, the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives Institute
- Has five crucial components:
  - Control environment
  - Control activities
  - Risk assessment
  - Information and communication
  - Monitoring
- Widely accepted as the authority on internal controls and incorporated into the policies & procedures used to control business

COSO – Enterprise Risk Management (ERM)
- Enhances the COSO Control Framework
- Incorporates, rather than replaces, COSO's internal control framework and contains 3 additional elements:
  - Setting objectives
  - Identifying positive and negative events that may affect the company's ability to implement strategy and achieve objectives
    - Risk – possibility something will happen to adversely affect the ability to create value or erode existing value
    - Opportunity – possibility something will happen to positively affect the ability to create or preserve value
  - Developing a response to assessed risk
- Four types of Objectives (top of the cube)
  - Strategic: high-level goals that are aligned with and support the company's mission
  - Operations: deal with the effectiveness and efficiency of company operations, such as performance and profitability goals, and safeguarding assets
  - Reporting: help ensure the accuracy, completeness, and reliability of internal and external company reports, of both a financial and nonfinancial nature
  - Compliance: help the company comply with all applicable laws and regulations
- Four units are displayed on the model (side of the cube)
  - Entity-level (entire company)
  - Division
  - Business unit
  - Subsidiary
- Eight interrelated risk and control components (front of the cube)
  - Internal Environment: the tone or culture of a company
    - Management philosophy, operating style, and risk appetite
    - The Board of Directors
    - Commitment to integrity, ethical values, and competence
    - Organizational structure
    - Methods of assigning authority and responsibility
    - Human resource standards
    - External influences
  - Objective setting: ensures a process is in place to set objectives consistent with the company's risk tolerance
  - Event identification: requires management to identify events that may affect the company's ability to implement its strategy and achieve its objectives
  - Risk Assessment: determine how to manage the identified risks and how they affect the company's ability to achieve its objectives
  - Risk Response: align identified risks with the company's tolerance for risk; management can choose to avoid, reduce, share, or accept the risks
  - Control Activities: to implement management's risk responses, control policies and procedures are established and implemented throughout the various levels and functions in the organization
    - Proper authorization
    - Segregation of duties
      - Effective segregation of accounting duties is achieved when the following functions are separated:
        - Authorization: approving transactions and decisions
        - Recording: preparing source documents; maintaining journals, ledgers, or other files; preparing reconciliations; and preparing performance reports
        - Custody: handling cash, maintaining an inventory storeroom, receiving incoming customer checks, writing checks on the organization's bank account
    - Project development and acquisition controls
    - Change management controls
    - Design and use of documents and records
    - Safeguard assets, records, and data
    - Independent checks on performance
  - Information and Communication: identify, capture, and communicate information about ERM's components so employees can fulfill their responsibilities
  - Monitoring: involves reporting and acting on deficiencies
- Periodic audits may be performed by External or Internal Audit and Information Security
  - The internal audit function should be organizationally independent
  - The CAE should report to the audit committee
  - Internal audits can detect events including:
    - Excess overtime
    - Underused assets
    - Obsolete inventory
    - Padded expense reimbursements
    - Excessively loose budgets and quotas
    - Poorly justified capital expenditures
    - Production bottlenecks

Three Fundamental Security Concepts (Chapter 7)
- Systems reliability is composed of:
  - Confidentiality: sensitive information is protected from unauthorized disclosure
  - Privacy: personal information collected is used in an appropriate manner
  - Processing Integrity: processed data is accurate, complete, timely, and authorized
  - Availability: the system is operational to meet information needs & obligations
  - Security – access to the system and data is limited to those with a business need
- Control Objectives for Information and related Technology (COBIT)
  - 7 Information Criteria to achieve business and governance objectives:
    - Effectiveness – relevant and timely
    - Efficiency – produced in a cost-effective manner
    - Confidentiality – protected from unauthorized disclosure
    - Integrity – accurate, complete, and valid
    - Availability – available when needed
    - Compliance – collected and stored in compliance with internal and external requirements and regulations
    - Reliability – access to appropriate information to make decisions
  - 4 basic activities of IT management, organized into 4 domains:
    - Plan & Organize (PO) – 10 processes to manage IS
    - Acquire & Implement (AI) – 7 processes related to acquisition and implementation of technology solutions
    - Deliver & Support (DS) – 13 processes related to the information needs of the organization
    - Monitor & Evaluate (ME) – 4 processes to monitor & evaluate the IS function
  - Used to organize 34 generic IT controls
  - Specifies 210 detailed control objectives for effectively managing information resources
- Security is a management issue, not a technology issue
  - Policy development & documentation
  - Effectively communicate policies
  - Design & employ appropriate control policies
  - Monitor the system and take corrective actions
- The time-based model of security
  - Evaluates the effectiveness of an organization's security by measuring and comparing the relationship between preventive, detective, and corrective controls
    - P = the time it takes an attacker to break through the organization's preventive controls
    - D = the time it takes to detect that an attack is in progress
    - C = the time it takes to respond to the attack
    - If P > D + C, then the organization's security procedures are effective
  - Helps identify cost-effective approaches to improving security via control investment
- Defense-in-Depth
  - The idea is to employ multiple layers of controls in order to avoid having a single point of failure
  - Includes preventive, detective, and corrective controls
- How attacks are conducted
  - Reconnaissance – collect data to identify vulnerabilities
  - Social Engineering – trick users into allowing system access
  - Scan and Map – detailed scan of the system to identify potential remote entry points
  - Research – identify vulnerabilities of software identified by the scan
  - Attack Execution – unauthorized access to the system
  - Cover Tracks – remove evidence of the attack (logs)
- Preventive Controls
  - Authentication: focuses on verifying the identity of the person or device attempting to access the system. Can be done by verifying something they know (passwords or PINs), something they have (smart cards or ID badges), or some physical characteristic (a biometric identifier such as fingerprints or voice)
  - Authorization: restricts access of authenticated users to specific portions of the system and specifies what actions they are permitted to perform
    - Access control matrix: a table specifying which portions of the system users are permitted to access and what actions they can perform
  - Training: employees must understand and follow the organization's security policies
  - Physical Access: protect entry points to the building, to rooms housing computer equipment, to wiring, and to devices such as laptops, cell phones, and PDAs
  - Remote Access
    - Border router: connects an organization's information system to the Internet
    - Firewall: a special-purpose hardware device or software running on a general-purpose computer
    - Demilitarized zone (DMZ): a separate network that contains the organization's web servers and email servers; sits outside the corporate network yet is accessible from the internet
    - Transmission Control Protocol (TCP): specifies the procedures for dividing files and documents into packets to be sent over the internet and the methods for reassembly of the original document or file at the destination
    - Internet Protocol (IP): specifies the structure of those packets and how to route them to the proper destination
    - Routers: special-purpose devices designed to read the destination address fields in IP packet headers to decide where to send the packet next
    - Access control list (ACL): set of rules that determine which packets are allowed in and which are dropped
    - Deep packet inspection: process of examining the data in the body of an IP packet
    - Intrusion prevention systems: designed to identify and drop packets that are part of an attack; the major benefit is that it not only blocks known attacks but also blocks new attacks
  - Host and Application Hardening
    - Information security is enhanced by supplementing preventive controls on the network perimeter with additional preventive controls on the workstations, servers, printers, and other devices
    - Hardening: the process of turning off unnecessary features (configuration)
  - Encryption
    - The process of transforming normal text, called plaintext, into unreadable gibberish, called ciphertext. Decryption reverses this process.
    - Factors that determine the strength of any encryption system are key length, key management policies, and the nature of the encryption algorithm
    - Types of encryption systems
      - Symmetric: uses the same key to encrypt and decrypt
      - Asymmetric: uses two keys; the public key is widely distributed and available to everyone, the private key is kept secret and known only to the owner of the pair of keys. Either key can be used to encrypt, but only the other key can decrypt the ciphertext
      - Hashing: the process that takes plaintext of any length and transforms it into a short code called a hash that cannot be transformed back to plaintext
    - Digital signature: a hashed document that has been encrypted with the sender's private key
    - E-signature: a cursive imprint of a person's name applied to an electronic document
    - Digital certificate: certifies the owner of a particular public key
    - Public key infrastructure (PKI): refers to the system and process used to issue and manage asymmetric keys and digital certificates
- Detective Controls
  - Log Analysis: process of examining logs to monitor security
  - Intrusion Detection Systems: create a log of network traffic that was permitted to pass the firewall and then analyze those logs for signs of attempted or successful intrusion
  - Security Testing
    - Vulnerability scans: use automated tools designed to identify whether a given system possesses any well-known vulnerabilities
    - Penetration tests: an authorized attempt by either an internal audit team or an external security consulting firm to break into the organization's system
- Corrective Controls
  - Computer Emergency Response Team (CERT): enables an organization to respond to security incidents promptly and effectively by being responsible for dealing with major incidents; includes technical specialists and senior operations management
  - The incident response process goes through 4 steps:
    - Recognition of a problem
    - Containment of the problem
    - Recovery
    - Follow-up
  - Chief Security Officer
    - Must understand the company's technological environment and work with the CIO to design, implement, and promote sound security policies and procedures
    - Disseminates info about fraud, errors, security breaches, and other improper system uses and their consequences
    - An impartial assessor and evaluator of the IT environment
  - Hackers usually publish hacking instructions for vulnerabilities (exploits) on the Internet
    - It takes skill to discover exploits; however, published exploits can be executed by nearly anyone
    - Script kiddies execute these programmed exploits
  - A patch is code released by software developers to fix discovered vulnerabilities
  - Patch Management
    - Process for regularly applying patches and updates to all software used by an organization
    - Challenging because patches can have unanticipated side effects that cause problems, and many patches are created each year for each software program

Controls for systems reliability (Chapter 8)
- The 5 principles are security, confidentiality, privacy, processing integrity, and availability
- Confidentiality – sensitive information is protected from unauthorized disclosure (focuses on organizational data)
  - Encryption is a fundamental control procedure for protecting the confidentiality of information
  - The Internet provides inexpensive transmission, but data is easily intercepted
    - A Virtual Private Network (VPN) is created by encrypting data before transmitting. It provides the functionality of a private network; using the Internet reduces cost. VPN software creates private communication channels, often referred to as tunnels
    - It is critical to encrypt any sensitive information stored on devices that are easily lost or stolen
  - VOIP – sensitive communications should be encrypted
  - Cell phones present risk
  - Email & IM are 2 of the greatest risks to confidentiality
- Privacy – personal information about customers is collected, used, disclosed, and maintained in an appropriate manner (focuses on personal information)
  - 10 best practices
    - Management – set of policies & procedures to protect privacy
    - Notice – disclosure policies related to collection of information
    - Choice & consent – opt-in & opt-out options for personal info
    - Collection – limited to information stated in the privacy policy
    - Use & retention – specification of use and period available
    - Access – user has the ability to access, update, & delete stored info
    - Disclosure to 3rd parties – limited to terms & limitations of the 3rd party
    - Security – reasonable steps to protect information
    - Quality – integrity of information
    - Monitoring & enforcement – assignment of compliance verification and response
- Processing Integrity
  - A reliable system produces information that is accurate and timely, reflects the results of only authorized transactions, and includes the outcomes of all activities engaged in by the organization during a given period of time
  - Source data controls ensure all documents are authorized, accurate, complete, properly accounted for, and entered into the system or sent to their intended destination in a timely manner. The following are source data controls:
    - Forms design
    - Prenumbered forms (sequence test: verify nothing is missing)
    - Turnaround documents: a record of company data sent to an external party and then returned to the system as input
    - Cancellation and storage of documents: documents should be canceled so they cannot be inadvertently or fraudulently re-entered into the system
    - Authorization and segregation of duties
    - Visual scanning for reasonableness and propriety before entering
    - Check digit verification: use the first nine digits to calculate the tenth digit each time an ID number is entered
    - RFID security (radio frequency identification)
  - Data entry controls ensure that data is entered correctly
    - Field check: determines if the characters in a field are of the proper type
    - Sign check: determines if the data in the field have the appropriate arithmetic sign
    - Limit check: tests a numerical amount to ensure that it does not exceed a predetermined value
    - Range check: similar to a limit check except that it has both upper and lower limits
    - Size check: ensures that the input data will fit into the assigned field
    - Completeness check: determines if all required data items have been entered on each input record
    - Validity check: compares the ID code or account number in transaction data with similar data in the master file to verify that the account exists
    - Reasonableness test: determines the correctness of the logical relationship between two data items
- Availability
  - Reliable systems are available for use whenever needed
  - Threats to availability include hardware or software failures, natural and man-made disasters, human error, worms and viruses, and denial-of-service attacks and other acts of sabotage
  - System downtime – minimize the risk by:
    - Fault tolerance: enabling a system to continue functioning in the event that a particular component fails
    - Uninterruptible power supply (UPS): provides protection in the event of a prolonged power outage, using battery power to enable the system to operate long enough to back up critical data and safely shut down
    - Preventive maintenance
      - Cleaning disk drives
      - Proper storage of magnetic and optical media
    - Redundant components provide fault tolerance to enable the system to function despite component failure
      - Dual processors
      - Arrays of multiple hard drives
      - Surge protection devices
    - Training is especially important
      - Well-trained operators: fewer mistakes and quicker recovery
      - Security awareness training: reduces the risk of viruses & worms
    - Antivirus software should be installed, current, & run
      - Email should be scanned for viruses (server & desktop levels)
      - Newly acquired software & disks should be scanned and tested
  - Disaster Recovery and Business Continuity Planning
    - Objectives are to (1) minimize the extent of the disruption, damage, and loss; (2) temporarily establish an alternative means of processing information; (3) resume normal operations as soon as possible; and (4) train and familiarize personnel with emergency operations
    - Backup Procedures
      - Regular, frequent backups of databases; fixed retention period
      - Full backup – exact copy of the entire set of data
      - Partial backup – copy of changes made (1 onsite, 1 offsite)
        - Incremental partial backup – copy of changes since the last backup
        - Differential backup – copy of all changes since the last full backup
      - Mirroring – exact copies of databases at 2 separate data centers
      - An archive is a copy of a database, master file, or software retained indefinitely as a historical record to satisfy legal and regulatory requirements
      - Tape or disk? Usually both – disk first, then copy to tape
        - Disk backup is faster and disks are less easily lost
        - Tape is cheaper, easier to transport, and durable
    - Infrastructure replacement: provisions for replacing computers, network equipment and access, telephone lines, other office equipment, and supplies. The following are three options:
      - Create a reciprocal agreement with another organization that uses similar equipment to have temporary access to and use of their information system resources (least expensive)
      - Purchase or lease a cold site, which is an empty building that is prewired for necessary telephone and internet access
      - Create a hot site, which is a facility that is not only prewired for telephone and internet access but also contains all the computing and office equipment the organization needs to perform its essential business activities (most expensive)
    - Documentation: includes instructions for notifying appropriate staff and the steps to take to resume operations
    - Testing: plans need to be tested on at least an annual basis to ensure that they accurately reflect recent changes in equipment and procedures
- Change Management Controls
  - Organizations constantly modify information systems to reflect new business practices and to take advantage of advances in information technology. Controls ensure changes don't negatively impact reliability.
  - Existing controls related to security, confidentiality, privacy, processing integrity, and availability should be modified to maintain their effectiveness after the change
  - Important change management controls include:
    - All change requests should be documented and follow a standardized format that clearly identifies the nature of the change, the reason for the request, the date of the request, and so on
    - All changes should be approved by the appropriate levels of management
      - Approvals should be clearly documented to provide an audit trail
    - Changes should be thoroughly tested prior to implementation
    - All documentation should be updated to reflect authorized changes to the system
    - Emergency changes or deviations from standard operating policies must be documented and subjected to a formal review and approval process as soon after implementation as practicable
    - Develop backout plans for reverting to previous configurations in case approved changes need to be interrupted or abandoned
    - User rights and privileges need to be carefully monitored during the change process to ensure the proper segregation of duties is maintained
    - The most important change management control is adequate monitoring and review by top management to ensure that proposed and implemented changes are consistent with the organization's multi-year strategic plan

Accounting Information Systems: An Overview (Chapter 1)
- What is an accounting information system (AIS)?
- Why is the AIS an important topic to study?
- What is the role of the AIS in the value chain?
- How does the AIS provide information for decision making?
- What are the basic strategies and strategic positions an organization can pursue?
- What is the meaning of system, data, and information?

SYSTEMS, DATA, AND INFORMATION
- A system is a set of interrelated components that interact to achieve a
goal Most systems are composed of smaller subsystems Data are facts regarding events that occur that are collected recorded stored and processed by an information system Information is data that have been organized and processed to provide meaning to a user mama LnuIsIAuA sun uulvsnsnv SYSTEM SESATA AN D l l N F O R M AT O N Benefits of information may include Reduction ofuncertainty lmpro ed decisions Improved ability to plan and schedule activities Costs may include time and resources spent Collecting data Processing data Storing data Distributing information to users Value of Information difficult to quantify mama LnuIsIAMA sun uulvsnsnv L5LI SYSTEMS DATA AND INFORMATION Characteristics that make information useful Relevance Reliability free from error or bias Completeness includes all information Timeliness Understandability comprehend and use Verifiability different people same result Accessibility lmmm LnuIsIAMA sun uulvsnsnv L5LI SYSTEMS DATA AND Information is provided to both External users Mandatory Information eg 10k 10q 8k etc Required to conduct business PO Invoices etc Focus on minimization of cost and compliance with regulation Internal users Discretionary information used to manage business Focus on producing positive value information costbene t mama LnuIsIAuA sun uulvsnsnv L5LI WHAT IS AN AIS An AIS is a system that collects records stores and processes data to produce information for decision makers Use advanced technology r Be a simple paperandpencil system or Be something in between Technology is simply a tool to create maintain or improve a system and usefulness of information mama LnuIsIAMA sun uulvsnsnv u L5LI WHAT IS AN AIS AIS functions Collect and store data about events resources and agents Process data into information used to make decisions about events allocate resources and agents Provide controls to ensure the entity s resources including data are Available when needed Accurate and reliable mama LnuIsIAMA sun uulvsnsnv L5LI WHY 
STUDY ACCOUNTING INFORMATION SYSTEMS Accounting is an infon39nationproviding activity so accountants need to understand How the system that provides information is designed implemented and used How nancial information is reported How information is used to make decisions Skills are critical to careersuccess Auditors accuracy and reliabilit Tax Accountants completeness and accuracy elerlinn 39 39 Tested on CPA Exam 25 Business Environmental Concepts Impact Corporate Strategy and Culture mama LnuIsIAuA sun muman u L5LI AIS IN THE VALUE CHAIN The objective of most organizations is to return value to shareholders by providing value to customers Value is provided by performing a series of activities referred to as the value chain Primary activities inbound logistics operations outbound logistics marketing amp sales service Support activities rm infrastructure HR technology purchasing mama LnuIsIAMA sun uulvsnsnv in L5LI AIS IN THE VALUE CHAIN Examples Good AIS value chain UPS spends over1 billion a yearon information systems resulting in greater customer control over delivery higher driver productivity and lower costs Bad AIS value chain Limited Brands tangled integration of over 60 incompatible information systems resulted in 400 trailers trying to jam into a 150 trailer lot lmmm LnuIsIAMA sun uulvsnsnv M L5H AIS IN THE VALUE CHAIN The linking of multiple value chains creates a supply chain Information technology can facilitate synergistic linkages that improve the performance of each company39s value chain mama LnuIsIAMA sun umvEnsnv L5LI AIS IN THE VALUE CHAIN Decision Structure Structured Decisions Repetitive and routine Can be delegated to lowerlevel employees Semistructured Decisions Incomplete rules Require subjective assessments Unstructured Decisions Nonrecurring and nonroutine Require a great deal of subjective assessment mama LnuIsIAMA sun uulvsnsnv L5LI AIS IN THE VALUE CHAIN Decision Scope Operational control decisions Relate to performance of speci c tasks 
Olten ofa daytoday nature Management control decisions Relate to utilizing resources to accomplish organizational objectives eg budgeting Strategic planning decisions Driving the direction ofthe organization Organizational objectives amp policies to achieve objectives mama LnuIsIAMA sun uulvsnsnv 4 L5LI AIS AND CORPORATE STRATEGY Corporations have Unlimited opportunities to invest in technology Limited resources to invest in technology Requires identification of projects with highest return and linkage to business strategy Business Strategy Productdifferentiation strategy Lowcost strategy mama LnuIsIAMA sun uulvsnsnv u L5LI AIS AND CORPORATE STRATEGY Business Strategy Productdifferentiation strategy Lowcost strategy Strategic Positions Varietybased position focus on specific services and do them well eg Jiffy Lube Needsbased position focus on specific groups of customerstarget market eg AARP Accessbased position focus on specific customers based on geography or size eg Edward Jones mama LnuIsIAuA sun uulvsnsnv L5LI AIS AND CORPORATE STRATEGY The Internet has affected value chain activities Inbound and outbound logistics can be streamlined Allows companies to cut costs which impacts strategy and strategic position The Internet may impede accessbased strategic positions Available to everyone intense price competition can result The outcome may be that many companies shift from lowcost to productdifferentiation strategies mama LnuIsIAMA sun uulvsnsnv L5LI AIS AND CORPORATE STRATEGY The AIS should help a company adopt and maintain its strategic position Requires that data be collected about each activity Requires the collection and integration of both financial and nonfinancial data lmmm LnuIsIAMA sun uulvsnsnv 1 LSU SUM MARY What we ve learned so far The meaning of system data and information What an AIS is Why its an important topic to study What its role is in the value chain How it provides information for decision making What are the basic strategies and strategic 
positions an organization can pursue How these interact with the AIS mama LnuIsIAuA sun uulvsnsnv Companies face 4 types of threats to their AIS Natural and political disasters Software errors and equipment malfunction Unintentional acts ntentional acts computer crime Fraud is any and all means a person uses to gain an unfair advantage over another person Definition differs in criminal reasonable doubt and civil preponderance of evidence Three types of occupational fraud Fraudulent statements misstating the financial condition of an entity by intentionally misstating amounts or disclosures to deceive users Misappropriation of assets theft embezzlement or misuse of company assets for personal gain Corruption the wrongful use of a position contrary to the responsibilities of that position to procurea benefit kickbacks amp conflict of interests Most significant contributing factor in most employee frauds is the absence of internal controls andor the failure to enforce existing controls The National Commission on Fraudulent Financial Reporting aka Treadway Commission defined fraudulent financial reporting as intentional or reckless conduct whether by act or omission that results in materially misleading financial statements Financial statements can be falsified to Deceive investors and creditors Cause a company s stock price to rise Meet cash flow needs Hide company losses and problems Treadway Commissions 4 recommended actions Tone at the Topquot Environment contributes to the integrity of the financial reporting process dentify and understand factors that lead to fraudulent financial reporting Risk assessment of fraudulent financial reporting Design and implement internal controls to provide reasonable assurance that fraudulent financial reporting is prevented Opportunity is the opening or gateway that allows an individual to Commit the fraud asset misappropriation issuance of deceptive financial statementsaccepting bribes Conceal the fraud Charging a stolen asset to 
an account being written off Ghost employees Lapping and Kiting Convert the proceeds CashChecks vs NonCash assets Cressy s Fraud Triangle Pressure opportunity rationalization Aililucle Commit Opponunily oquot Triangle 9 fraud 0 P Tnnngle Pressure 1 I z Financial A Financial 7 a 39 39 6 a Financial 395quot Employee 0 a 6 Pressure 3 6 Triangle 1 quotP 1 o s a 06 Pressures leadingto employee fraud iFinances iEmotions revenge ability to walk away physical Living beyond means isolation High personal debtexpenses Greed quotnadeduate salaryincome Unrecognized performance Poor credit ratings Job dissatisfaction Heavy financial losses Fear of losingjob Bad investments Power or control Tagtlt avoidance Pride or ambition Meet unreasonable duotasgoals Beating the system iLifestyle The quotJones squot loss of status Frustration Support gambling habit Nonrconformity Drugoralcoholaddiction Envy resentment Support sexual relationships Arrogance dominance Familypeer pressure Nonrrules oriented 7Combination Fraud occurs when iPeople have perceived nonrshareable pressures iThe opportunity gateway is left ope iThey are able to rationalize their actions to reduce the moral impact in their minds ie they have low integrity Fraud is much less likely to occur when iThere is low pressure low opportunity and high integrity Computer Fraud Classi cation Input Fraud Alter computer input simplest amp most common IRequires little computer skills IPerpetrator only needs to understand how the system operates Can take a number of forms including IDisbursement frauds overpay or pay for goods not received Ilnventory frauds scrapping of stolen inventory IPayroll frauds increase salary hours ghostterminated employee ICash receipt frauds modify amount receivedlapping IFictitious refund fraud process undeserved refund
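The seven data entry controls listed at the start of these notes (sign, limit, range, size, completeness, validity and reasonableness), applied to a constructed batch of sales-order lines. This is an added example written for these notes, not code from the course or its textbook; the field names, the limit and range values, the five-character account width and the customer master file are assumptions. Each record is screened by every check that applies and the batch report names the failed checks, which is the information an error log for a rejected input batch needs to carry:

```python
"""Data entry controls applied to a constructed batch of sales-order lines.

Added example (not part of the class notes). Each function implements one of
the checks listed in the notes; field names, limits, field widths and the
customer master file are assumptions made for this demonstration.
"""

# Constructed customer master file (assumption): account number -> customer name.
CUSTOMER_MASTER = {"C1001": "Acme Supply", "C1002": "Bayou Parts", "C1003": "Delta Tools"}

# Constructed control parameters (assumptions).
MAX_QUANTITY = 500                  # limit check: predetermined upper value only
UNIT_PRICE_RANGE = (0.01, 2500.00)  # range check: both a lower and an upper limit
ACCOUNT_WIDTH = 5                   # size check: width of the account number field
REQUIRED_FIELDS = ("account", "quantity", "unit_price", "line_total")


def sign_check(value):
    """Quantities on a sale must not be negative."""
    return value >= 0

def limit_check(value, maximum):
    """A numerical amount must not exceed a predetermined value."""
    return value <= maximum

def range_check(value, lower, upper):
    """Like a limit check, but with both a lower and an upper bound."""
    return lower <= value <= upper

def size_check(text, width):
    """The input must fit into the assigned field."""
    return len(text) <= width

def completeness_check(record, required):
    """Return the names of required fields that are missing or blank."""
    return [f for f in required if f not in record or record[f] in (None, "")]

def validity_check(account, master):
    """The account number must exist in the master file."""
    return account in master

def reasonableness_test(quantity, unit_price, line_total):
    """quantity * unit_price must agree with the entered line total, to the cent."""
    return round(quantity * unit_price, 2) == round(line_total, 2)


def validate_record(record):
    """Return the failed checks for one record ([] if it is clean).

    Completeness runs first, because the remaining checks need the fields present.
    """
    missing = completeness_check(record, REQUIRED_FIELDS)
    if missing:
        return ["completeness:" + ",".join(missing)]
    failures = []
    if not sign_check(record["quantity"]):
        failures.append("sign:quantity")
    if not limit_check(record["quantity"], MAX_QUANTITY):
        failures.append("limit:quantity")
    if not range_check(record["unit_price"], *UNIT_PRICE_RANGE):
        failures.append("range:unit_price")
    if not size_check(record["account"], ACCOUNT_WIDTH):
        failures.append("size:account")
    if not validity_check(record["account"], CUSTOMER_MASTER):
        failures.append("validity:account")
    if not reasonableness_test(record["quantity"], record["unit_price"], record["line_total"]):
        failures.append("reasonableness:line_total")
    return failures


def screen_batch(records):
    """Map record index -> failures for every record that fails at least one check."""
    rejected = {}
    for i, record in enumerate(records):
        failures = validate_record(record)
        if failures:
            rejected[i] = failures
    return rejected


# Constructed input batch (assumption): one clean line, then one line per control.
TRANSACTIONS = [
    {"account": "C1001", "quantity": 10, "unit_price": 25.00, "line_total": 250.00},
    {"account": "C1002", "quantity": -3, "unit_price": 25.00, "line_total": -75.00},
    {"account": "C1003", "quantity": 600, "unit_price": 25.00, "line_total": 15000.00},
    {"account": "C1001", "quantity": 1, "unit_price": 9999.00, "line_total": 9999.00},
    {"account": "C10010", "quantity": 1, "unit_price": 5.00, "line_total": 5.00},
    {"account": "C9999", "quantity": 1, "unit_price": 5.00, "line_total": 5.00},
    {"account": "C1002", "quantity": 4, "unit_price": 10.00, "line_total": 400.00},
    {"account": "C1001", "quantity": 2, "unit_price": 10.00},
]

if __name__ == "__main__":
    for index, failures in screen_batch(TRANSACTIONS).items():
        print(f"record {index}: {failures}")
```

Note that a limit check alone would accept the negative quantity on the second line (-3 is below 500), which is why the sign check exists as a separate control, and that the oversized account number fails both the size check and the validity check: the checks are complementary, not redundant.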
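The full, incremental and differential backup procedures from the Availability section, as an added example that is not part of the notes: an in-memory "database" of file versions with a constructed four-day change history is backed up both ways and then restored. What the list of definitions does not show is the trade-off a recovery plan has to weigh: incremental sets are small, but a restore must replay the whole chain since the last full backup (and a single lost set breaks it), while differential sets grow each day but a restore needs only the full backup plus the latest differential. The file names and the daily change sets are assumptions.

```python
"""Full, incremental and differential backups over a constructed change history.

Added example (not part of the class notes). The "database" is an in-memory
dict of file name -> version string; the daily change sets are assumptions
constructed so that the two partial-backup strategies differ visibly.
"""

# Constructed history (assumption): the state captured by the day-0 full backup,
# followed by the files that changed on each later day.
DAY0_STATE = {"gl.dat": "v1", "ar.dat": "v1", "ap.dat": "v1", "payroll.dat": "v1"}
DAILY_CHANGES = [
    {"ar.dat": "v2"},                   # day 1
    {"ap.dat": "v2", "gl.dat": "v2"},   # day 2
    {"ar.dat": "v3"},                   # day 3
]


def live_states():
    """Return the true state of the data at the end of each day (day 0 first)."""
    states = [dict(DAY0_STATE)]
    for changes in DAILY_CHANGES:
        state = dict(states[-1])
        state.update(changes)
        states.append(state)
    return states


def changed_since(current, baseline):
    """Files whose content differs between a baseline state and the current state."""
    return {name: ver for name, ver in current.items() if baseline.get(name) != ver}


def incremental_backup_sets(states):
    """Day 0: full copy. Each later day: only what changed since the previous backup."""
    sets = [("full", dict(states[0]))]
    for day in range(1, len(states)):
        sets.append(("incremental", changed_since(states[day], states[day - 1])))
    return sets


def differential_backup_sets(states):
    """Day 0: full copy. Each later day: everything changed since the last full backup."""
    sets = [("full", dict(states[0]))]
    for day in range(1, len(states)):
        sets.append(("differential", changed_since(states[day], states[0])))
    return sets


def restore(backup_sets, day):
    """Rebuild the data as of `day`; return (state, number of backup sets read)."""
    state = dict(backup_sets[0][1])          # every restore starts from the full backup
    if day == 0:
        return state, 1
    kind, payload = backup_sets[day]
    if kind == "differential":
        state.update(payload)                # full + the latest differential is enough
        return state, 2
    for d in range(1, day + 1):              # incremental: replay the whole chain, in order
        state.update(backup_sets[d][1])
    return state, day + 1


def items_copied(backup_sets):
    """Total file copies written across all backup runs (the storage and media cost)."""
    return sum(len(payload) for _, payload in backup_sets)


if __name__ == "__main__":
    states = live_states()
    for label, sets in (("incremental", incremental_backup_sets(states)),
                        ("differential", differential_backup_sets(states))):
        restored, reads = restore(sets, 3)
        print(f"{label}: copied {items_copied(sets)} items in total; "
              f"day-3 restore read {reads} sets; correct={restored == states[3]}")
```

With this history the incremental strategy writes 8 file copies and needs 4 sets to restore day 3, the differential strategy writes 11 copies and needs 2. The restore chain is also why the notes say to keep one partial copy on site and one off site: with incrementals, any missing set since the last full backup leaves the data unrecoverable past that point.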
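A detective control for the payroll input frauds named in the last list above (inflated hours, a raised pay rate, ghost and terminated employees), as an added example that is not part of the notes: the payroll register that was keyed in is reconciled against the HR master file, which the person entering payroll should not be able to change (segregation of duties). The HR master, the register, the 100-hour threshold and the period-end date are constructed assumptions.

```python
"""Screening a constructed payroll register for the input-fraud patterns in the notes.

Added example (not part of the class notes). The HR master file, the payroll
register, the hours threshold and the period-end date are assumptions made for
this demonstration. The checks compare what was keyed into payroll against HR
data that the payroll clerk cannot edit.
"""
from collections import defaultdict
from datetime import date

MAX_HOURS_PER_PERIOD = 100      # assumption: biweekly period; more than this is implausible
PERIOD_END = date(2015, 10, 15)  # assumption: pay period covered by the register below

# Constructed HR master file (assumption): termination date, approved hourly rate, bank account.
HR_MASTER = {
    "E100": {"terminated": None,              "rate": 20.00, "bank": "ACCT-111"},
    "E101": {"terminated": date(2015, 9, 30), "rate": 22.00, "bank": "ACCT-222"},
    "E102": {"terminated": None,              "rate": 18.50, "bank": "ACCT-333"},
    "E103": {"terminated": None,              "rate": 18.50, "bank": "ACCT-111"},
}

# Constructed payroll register as keyed in for the period (assumption).
PAYROLL_REGISTER = [
    {"emp": "E100", "hours": 80,  "rate": 20.00, "bank": "ACCT-111"},
    {"emp": "E101", "hours": 80,  "rate": 22.00, "bank": "ACCT-222"},  # paid after termination
    {"emp": "E102", "hours": 130, "rate": 18.50, "bank": "ACCT-333"},  # inflated hours
    {"emp": "E103", "hours": 80,  "rate": 25.00, "bank": "ACCT-111"},  # rate raised; pays into E100's account
]


def screen_payroll(register, master, period_end, max_hours=MAX_HOURS_PER_PERIOD):
    """Return {employee: [flags]} for every register line that shows a fraud indicator."""
    flags = defaultdict(list)
    employees_by_bank = defaultdict(set)
    for line in register:
        emp = line["emp"]
        hr = master[emp]
        # A terminated employee still on the register is the classic "ghost" variant.
        if hr["terminated"] is not None and hr["terminated"] < period_end:
            flags[emp].append("terminated employee still paid")
        # Hours beyond what one person could work in the period.
        if line["hours"] > max_hours:
            flags[emp].append(f"hours {line['hours']} exceed limit {max_hours}")
        # The rate keyed into payroll differs from the approved rate held by HR.
        if abs(line["rate"] - hr["rate"]) > 0.005:
            flags[emp].append(f"rate {line['rate']:.2f} differs from approved {hr['rate']:.2f}")
        employees_by_bank[line["bank"]].add(emp)
    # Two "employees" paid into one bank account is the usual trace a ghost leaves.
    for bank, emps in employees_by_bank.items():
        if len(emps) > 1:
            for emp in sorted(emps):
                others = ", ".join(sorted(emps - {emp}))
                flags[emp].append(f"bank account {bank} shared with {others}")
    return dict(flags)


if __name__ == "__main__":
    for emp, reasons in screen_payroll(PAYROLL_REGISTER, HR_MASTER, PERIOD_END).items():
        print(emp, "->", "; ".join(reasons))
```

The shared-bank-account check is only as good as the HR master it reads: if the same person who keys payroll can also add or edit HR records, they can give the ghost its own account and the comparison has nothing independent to reconcile against, which is the segregation-of-duties point made under change management above.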

