Case study 2 AUD 679 PDF

Title Case study 2 AUD 679
Author Liyana Izyan
Course Internal Auditing
Institution Universiti Teknologi MARA
Pages 8
File Size 186.1 KB
File Type PDF


Description

AC220 NACAB9A

AUD 679 INTERNAL AUDITING

CASE STUDY: NATIONAL MALAYSIAN BANK

FOR: DR AIDA HAZLIN ISMAIL

GROUP MEMBERS (MATRIC NO):
CHE MASHETAH BINTI MOHAMMAD ADNAN (2017146939)
LIYANA IZYAN BINTI ZAINAL ABIDIN (2017525427)
NURHAYATI BINTI JAMALUDIN (2017960849)
ZARIFAH ZAIDAH BINTI ZAINI (2018842284)
NURFATIN SYAHIRAH BINTI ABDUL AZIZ (2019588513)

Question 1. Based on this case, identify scenarios where the unauthorised changes to the mailing address were a result of internal data breaches and external data breaches. What internal controls could have prevented these data breaches? What internal controls could have detected these data breaches?

The first question has three parts. The first part asks us to identify, based on this case, the scenarios in which the unauthorised changes to the mailing address were the result of internal and external data breaches. There are three such scenarios.

a) The first scenario is when National Malaysian Bank received an email complaint from one of its card holders, Yasmin Tan. She stated that she did not receive the hard copy of her credit card statement for February 2018. When she called the bank, she was told that the mailing address on her credit card account was different from the address where she lives, while the mailing address on her other National Malaysian Bank accounts had not been changed. This points to both an internal and an external data breach: Yasmin Tan herself found the situation suspicious, because her mailing address had been changed to an address in East Malaysia, where she has no business dealings and which she has never visited.

b) The second scenario is when the bank's information technology team produced an exception report for Adam. An exception report is a document that lists the instances in which actual performance deviated significantly from expectations, usually in a negative way. Johan, the internal audit manager, suggested that Adam, the manager of credit card services, perform a check of the credit card customer database. The result showed that there were 80 customers whose credit card account mailing address differed from the mailing address of their other bank accounts, which is the same situation faced by Yasmin Tan. One of the mailing addresses linked to these customers was the Eden Healing Spa, the address mentioned in Yasmin's email. This again points to internal and external data breaches, because none of those mailing address changes was evidenced by either a change of personal details form or a proof of identity document, which means that the policy and procedure for address change requests were not followed.

c) The last scenario is when Johan found that the Eden Healing Spa address matched the home address of a former employee. The former employee had previously spent two years in the bank's credit card services department processing credit card applications, and was a close friend of another data entry clerk who was currently responsible for keying in changes to customers' personal details. This is the result of internal and external data breaches, because the two positions they held make collusion between the former employee and the data entry clerk possible.

Moving on to the second part of this question: what internal controls could have prevented these data breaches? The two internal controls are authorisation and security of access.

a) Authorisation. Authorisation is the power granted to an employee to perform a task; for example, management authorises an employee to perform certain transactions within defined limits. In this case, before the bank changes a customer's personal details such as the mailing address, it should receive an original identity document as proof of the customer's identity, and the change of personal details form must be approved by authorised personnel. This avoids data breaches by irresponsible employees.

b) Security of access. Security of access means that access to the bank's equipment, inventories, securities, cash and data is restricted; for example, only authorised staff are given access to the bank's systems. In this case, to prevent data breaches, only certain employees should be allowed access to the bank's data and information. This is why Adam immediately assigned the data entry clerk to a less data-sensitive task for the next month, because the data entry clerk was suspected of having breached internal and external data.

Next is the third part of this question: what internal controls could have detected these data breaches? There are two points here.

a) Reconciliation. Reconciliation is where an employee relates different sets of data to one another, identifies and investigates the differences, and takes corrective action where necessary. For National Malaysian Bank, the bank performed a check of the credit card customer database and found differences in the information of 80 customers. Based on the data and information detected, the bank then took the necessary action to prevent this kind of situation from happening in the future.

b) Audits. An audit is an official inspection of an organisation's accounts, typically by an independent body. In this case, the bank can detect data breaches through internal and external audit, but mainly through internal audit: external audit is only incidentally concerned with the prevention and detection of fraud in general, and is directly concerned only when the financial statements may be materially affected, whereas internal audit is directly involved with the prevention and detection of fraud in any form or extent in any activity reviewed. By having an internal audit function, the bank will be able to detect any fraud that occurs in the bank.
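The reconciliation described under a) above, written out as an added example (not from the case study or the bank): over constructed customer records it flags credit card accounts whose mailing address differs from the customer's other accounts, marks whether the change was evidenced by a form and an identity document, and groups unevidenced exceptions by address so that a single address linked to many customers stands out. All customer ids, addresses and field names are constructed.

```python
# Added example (not from the case study): the mailing-address reconciliation
# behind the exception report, run over constructed sample records.
from collections import defaultdict
# Constructed data: mailing address is held per account, one credit card each.
ACCOUNTS = [
    {"customer": "C001", "type": "credit_card", "mailing_address": "12 Jalan Ampang, Kuala Lumpur"},
    {"customer": "C001", "type": "savings",     "mailing_address": "12 Jalan Ampang, Kuala Lumpur"},
    {"customer": "C002", "type": "credit_card", "mailing_address": "Lot 7, Jalan Spa, Kota Kinabalu"},
    {"customer": "C002", "type": "savings",     "mailing_address": "3 Persiaran Damai, Petaling Jaya"},
    {"customer": "C003", "type": "credit_card", "mailing_address": "Lot 7, Jalan Spa, Kota Kinabalu"},
    {"customer": "C003", "type": "current",     "mailing_address": "88 Jalan Tun Razak, Kuala Lumpur"},
    {"customer": "C004", "type": "credit_card", "mailing_address": "5 Jalan Bukit, Ipoh"},
    {"customer": "C004", "type": "savings",     "mailing_address": "20 Jalan Sultan, Kuala Lumpur"},
]
# Change-of-details forms: a change is evidenced only if the form was received
# and an original identity document was sighted (the procedure in the case).
CHANGE_FORMS = {"C004": {"form_received": True, "id_verified": True}}

def exception_report(accounts, change_forms):
    """Flag customers whose credit card address differs from their other accounts."""
    by_customer = defaultdict(lambda: {"credit_card": None, "other": set()})
    for acct in accounts:
        slot = by_customer[acct["customer"]]
        if acct["type"] == "credit_card":
            slot["credit_card"] = acct["mailing_address"]
        else:
            slot["other"].add(acct["mailing_address"])
    report = []
    for cust, slot in sorted(by_customer.items()):
        cc = slot["credit_card"]
        if cc is None or cc in slot["other"]:
            continue  # no credit card, or the addresses reconcile
        form = change_forms.get(cust, {})
        report.append({
            "customer": cust,
            "credit_card_address": cc,
            "other_addresses": sorted(slot["other"]),
            "evidenced": bool(form.get("form_received") and form.get("id_verified")),
        })
    return report

def shared_addresses(report, min_customers=2):
    """Group unevidenced exceptions by address so one address shared by many customers stands out."""
    groups = defaultdict(list)
    for row in report:
        if not row["evidenced"]:
            groups[row["credit_card_address"]].append(row["customer"])
    return {addr: custs for addr, custs in groups.items() if len(custs) >= min_customers}
```

The unevidenced rows are the ones an auditor would follow up; the evidenced mismatch (C004) is a legitimate change and drops out of the shared-address view.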

Question 2. What do you propose that the National Malaysian Bank should do to prevent further unauthorised changes in customers’ personal details? Who do you think is responsible for these preventive measures?

Question 3. What do you propose that Adam — with the assistance of Johan and Anna, if required — should do to determine if the credit cards that were compromised have been used for fraudulent transactions?

Fraud can occur at various levels in an organisation, so it is important to establish appropriate detective techniques. We propose that Adam use fraud detection to determine whether the compromised credit cards have been used for fraudulent transactions. Fraud detection entails activities and programmes designed to identify fraud or misconduct that is occurring or has occurred. Detective controls are designed to provide warnings or evidence that fraud is occurring or has occurred. Effective internal controls are one of the strongest deterrents to fraudulent behaviour and actions; however, although detective internal controls may provide evidence that fraud exists, they cannot prevent fraud. Fraud detection methods need to be flexible, adaptable and continuously changing to meet changes in the risk environment. While preventive measures are apparent and readily identifiable, detective controls may not be as apparent.

An effective way for an organisation to learn about existing fraud is to provide employees, suppliers and stakeholders with a variety of methods to report their concerns about illegal or unethical behaviour. Ways to collect information on fraud include code of conduct confirmation, a whistle-blower hotline, exit interviews and proactive employee surveys. Code of conduct confirmation: when employees sign an annual code of conduct outlining their responsibilities in the prevention and detection of fraud, they can be asked to report any known violations. Whistle-blower hotline: this can take the form of a telephone line or a web-based reporting system where the whistle-blower can remain anonymous. Exit interviews: conducting exit interviews with terminated employees or those who have resigned can help identify fraudulent schemes; these interviews may also reveal issues regarding management's integrity and provide information about conditions conducive to fraud. Proactive employee survey: routine employee surveys can be conducted to elicit employees' knowledge of fraud and unethical behaviour within the organisation; a proactive survey could elicit anonymous information from employees, helping the organisation catch fraud sooner than waiting for employees to report it.

Other methods of fraud detection include surprise internal or external audits in high fraud risk areas; continuous monitoring by management of critical data and related trends to identify unusual situations or variances; and routine or ad hoc matching of public or proprietary data against relevant transactions, vendor lists, employee rosters and other data. With the assistance of Johan, the internal audit manager of National Malaysian Bank, Adam can determine whether the compromised credit cards have been used for fraudulent transactions: Johan can launch an initial or full investigation of the suspected fraud, perform cause analysis and recommend control improvements, monitor the reporting or whistle-blowing hotlines, conduct proactive audits to find misrepresentations and misstatements of information using CAAT techniques and data mining, and use analytical procedures on high-risk accounts and transactions to identify potential fraud.

With the assistance of Anna, the IT security manager of National Malaysian Bank, Adam can have checks performed on the bank's information technology systems and the credit card customer database to determine whether the compromised credit cards have been used for fraudulent transactions. As an employee, Anna can also be the eyes and ears of the organisation and should be empowered to maintain a workplace of integrity; she can report any suspicion of fraud to the employee hotline, the internal audit department or a member of management. To deter and detect fraud and abuse, many experts believe that an appropriately monitored employee hotline is the single most cost-effective fraud detection and deterrence mechanism.

Question 4

Question 5...

