Threats to AIS

Title Threats to AIS
Author Kathryn Wrightsman
Course Introduction to Accounting Information Systems
Institution Ohio State University
Pages 9


11/01/2016 

Threats to AIS  Natural and political disasters  Software errors and equipment malfunctions  Unintentional acts o Greatest risk 

 

Intentional acts (computer crimes)

Sabotage- intentional act where the intent is to destroy a system or

some of its components  Cyber thieves have stolen more than1 trillion worth of intellectual property worldwide  greatest transfer of wealth in history   Fraud- gaining an unfair advantage over another person  

1) a false statement, representation or disclosure 2) A material fact, which induces a person to act

  

3) 4) 5)  

 

A intent to deceive A justifiable reliance A injury or loss suffered by the victim 5% annual revenue loss to fraud, over 2.9 trillion yearly global 85% of perpetrators have never been charged/convicted

- White-collar criminals- business people who commit fraud
  - resort to trickery or cunning
  - involve a violation of trust or confidence
- Corruption- dishonest conduct by those in power that involves actions that are illegitimate, immoral or incompatible with ethical standards
  - bribery, bid rigging
- Investment fraud- misrepresenting or leaving out facts in order to promote an investment that promises fantastic profits with little or no risk
  - Ponzi scheme and securities fraud

- Misappropriation of assets- theft of company assets by employees
  - Absence of internal controls or failure to enforce them
- Fraudulent financial reporting- intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements
- SAS 99- The Auditor's Responsibility to Detect Fraud
  - Understand fraud
  - Discuss the risks of material fraudulent misstatements
  - Obtain information
  - Identify, assess, and respond to risks
  - Evaluate the results of their audit tests
  - Document and communicate findings
  - Incorporate a technology focus

The fraud triangle- pressure, an opportunity, and rationalization
- Pressure- a person's incentive or motive for committing fraud
  - Employee fraud
    - Financial
    - Emotional
    - Lifestyle
  - Financial statement fraud
    - Management characteristics
    - Industry conditions
    - Financial
- Opportunity- a condition or situation that allows a person or organization to commit and conceal a dishonest act and convert it to personal gain. Allows the perpetrator to
  - Commit the fraud
  - Conceal the fraud (keeping the accounting equation in balance, etc.)
    - Lapping- stealing customer payments and covering the theft with later payments from other customers
    - Check kiting- creating cash using the lag between the time a check is deposited and the time it clears the bank
  - Convert the theft or misrepresentation to personal gain
- Rationalization- the excuse that fraud perpetrators use to justify their illegal behavior
  - Justification
  - Attitude
  - Lack of personal integrity
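The concealment step above is what a detective control has to see through. Lapping only works while the postings stay ahead of the customers who notice, so two signals fall out of it: a receivable posting credited to a customer other than the one who actually remitted the money, and a remittance that sits unposted longer than normal. The following Python check, which is an added example and not part of these notes, compares an independent record of what was received (a mailroom or lockbox log) against what the receivables clerk posted; the customer ids, clerk ids, dates and the three-day posting-lag threshold are all constructed for the illustration.

```python
"""Detective control for lapping: reconcile receipts logged independently of the
AR clerk against the postings the clerk made. All data is constructed."""
from __future__ import annotations
from datetime import date, timedelta

MAX_POSTING_LAG = timedelta(days=3)  # assumed normal posting turnaround

# Constructed: what the mailroom/lockbox logged as received, keyed by remittance id.
RECEIPTS = {
    "R1": {"customer": "C100", "amount": 500.00, "received": date(2016, 10, 3)},
    "R2": {"customer": "C200", "amount": 500.00, "received": date(2016, 10, 10)},
    "R3": {"customer": "C300", "amount": 500.00, "received": date(2016, 10, 17)},
    "R4": {"customer": "C400", "amount": 250.00, "received": date(2016, 10, 18)},
}

# Constructed: what the AR clerk posted. R1 was never posted; R2's money was credited
# to C100 to cover it and R3's to C200, the classic lapping chain. R4 is clean.
POSTINGS = [
    {"remittance": "R2", "credited": "C100", "amount": 500.00, "posted": date(2016, 10, 10), "by": "CLK7"},
    {"remittance": "R3", "credited": "C200", "amount": 500.00, "posted": date(2016, 10, 17), "by": "CLK7"},
    {"remittance": "R4", "credited": "C400", "amount": 250.00, "posted": date(2016, 10, 19), "by": "CLK2"},
]


def find_lapping_indicators(receipts: dict, postings: list[dict], as_of: date) -> list[dict]:
    """Return one finding per anomaly: misapplied postings, amount mismatches,
    postings with no matching receipt, and receipts left unposted too long."""
    findings = []
    posted_ids = set()
    for p in postings:
        posted_ids.add(p["remittance"])
        rcpt = receipts.get(p["remittance"])
        if rcpt is None:
            findings.append({"type": "posting_without_receipt", "remittance": p["remittance"], "by": p["by"]})
            continue
        # The core lapping signal: money from one customer credited to another's account.
        if p["credited"] != rcpt["customer"]:
            findings.append({"type": "misapplied", "remittance": p["remittance"],
                             "remitter": rcpt["customer"], "credited": p["credited"], "by": p["by"]})
        if p["amount"] != rcpt["amount"]:
            findings.append({"type": "amount_mismatch", "remittance": p["remittance"], "by": p["by"]})
    # The second signal: a logged receipt that has not been posted within the normal lag.
    for rid, rcpt in receipts.items():
        if rid not in posted_ids and as_of - rcpt["received"] > MAX_POSTING_LAG:
            findings.append({"type": "unposted", "remittance": rid, "customer": rcpt["customer"],
                             "days_open": (as_of - rcpt["received"]).days})
    return findings


def misapplied_by_clerk(findings: list[dict]) -> dict[str, int]:
    """Count misapplied postings per clerk; a pattern concentrated on one person is the follow-up lead."""
    counts: dict[str, int] = {}
    for f in findings:
        if f["type"] == "misapplied":
            counts[f["by"]] = counts.get(f["by"], 0) + 1
    return counts


def demo_findings() -> list[dict]:
    """Run the reconciliation over the constructed data as of 1 Nov 2016."""
    return find_lapping_indicators(RECEIPTS, POSTINGS, date(2016, 11, 1))


if __name__ == "__main__":
    for finding in demo_findings():
        print(finding)
    print(misapplied_by_clerk(demo_findings()))
```

The check only works because the receipt log is produced by someone other than the person posting to the ledger; if the clerk also controls the log, both sides of the comparison can be altered together, which is the segregation-of-duties point the notes make later.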


Why threats to AIS are increasing
- Information is available to an unprecedented number of workers
- Information on distributed networks is hard to control
- Customers and suppliers have access to each other's systems and data
- Companies view loss of data as a distant threat
- Productivity and cost pressures take precedence

Threat- any potential adverse occurrence or unwanted event that could injure the AIS or the organization
Exposure/impact- the potential dollar loss should a particular threat become a reality
Likelihood- the probability that a threat will come to pass
Internal controls- the processes and procedures implemented to provide reasonable assurance that control objectives are met
- Permeate operating activities and are an integral part of management activities
- Perform 3 functions
  - Preventive controls- controls that deter problems before they arise
  - Detective controls- controls designed to discover control problems that were not prevented
  - Corrective controls- controls that identify and correct problems as well as correct and recover from the resulting errors
- 2 categories
  - General controls- make sure an organization's control environment is stable and well managed
    - security, IT infrastructure, and software acquisition, development and maintenance controls
  - Application controls- prevent, detect, and correct transaction errors and fraud in application programs
    - concerned with accuracy, completeness, validity, and authorization of the data captured/entered/processed/stored/transmitted
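To make the application-control categories concrete, here is an added Python example (not from the notes) that runs a batch of sales transactions through preventive edit checks for each of the four data properties just listed, then applies a detective batch-total control over whatever was posted. The customer master file, the approval limit, the approver ids and the sample batch are all constructed for the illustration.

```python
"""Application controls over a batch of transactions: preventive edits for
accuracy, completeness, validity and authorization, followed by a detective
batch-total reconciliation. All names, limits and sample data are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed master data: the customers the system knows about (validity check).
VALID_CUSTOMERS = {"C100", "C200", "C300"}
# Constructed authorization rule: amounts above this need a supervisor approval code.
APPROVAL_LIMIT = 5000.00
APPROVERS = {"SUP01", "SUP02"}
REQUIRED_FIELDS = ("txn_id", "customer", "amount", "entered_by")


@dataclass
class EditResult:
    posted: list = field(default_factory=list)
    rejected: dict = field(default_factory=dict)  # txn_id -> reason


def preventive_edit(txn: dict) -> str | None:
    """Return None if the record passes every edit check, else the failure reason."""
    # Completeness: every required field present and non-empty.
    missing = [f for f in REQUIRED_FIELDS if not txn.get(f)]
    if missing:
        return f"incomplete: missing {','.join(missing)}"
    # Accuracy: amount must be a well-formed positive number with at most two decimals.
    try:
        amount = float(txn["amount"])
    except (TypeError, ValueError):
        return "inaccurate: amount not numeric"
    if amount <= 0 or round(amount, 2) != amount:
        return "inaccurate: amount must be positive with two decimals"
    # Validity: the customer must exist in the master file.
    if txn["customer"] not in VALID_CUSTOMERS:
        return f"invalid: unknown customer {txn['customer']}"
    # Authorization: large amounts need approval by someone other than the person entering them.
    if amount > APPROVAL_LIMIT:
        approver = txn.get("approved_by")
        if approver not in APPROVERS:
            return "unauthorized: approval required above limit"
        if approver == txn["entered_by"]:
            return "unauthorized: enterer cannot approve own transaction"
    return None


def process_batch(batch: list[dict]) -> EditResult:
    """Run the preventive edits over a batch, separating posted from rejected records."""
    result = EditResult()
    for txn in batch:
        reason = preventive_edit(txn)
        if reason is None:
            result.posted.append(txn)
        else:
            result.rejected[txn.get("txn_id", "?")] = reason
    return result


def batch_totals_match(posted: list[dict], declared_count: int, declared_total: float) -> bool:
    """Detective control: compare the posted record count and amount total with the
    control totals declared for the batch. A mismatch means records were lost,
    duplicated, altered or rejected and need follow-up."""
    actual_total = round(sum(float(t["amount"]) for t in posted), 2)
    return len(posted) == declared_count and actual_total == round(declared_total, 2)


# Constructed sample batch: one clean record, one missing field, one unknown customer,
# one large amount self-approved, one large amount properly approved.
SAMPLE_BATCH = [
    {"txn_id": "T1", "customer": "C100", "amount": "120.50", "entered_by": "CLK1"},
    {"txn_id": "T2", "customer": "C200", "amount": "", "entered_by": "CLK1"},
    {"txn_id": "T3", "customer": "C999", "amount": "75.00", "entered_by": "CLK2"},
    {"txn_id": "T4", "customer": "C300", "amount": "9000.00", "entered_by": "SUP01", "approved_by": "SUP01"},
    {"txn_id": "T5", "customer": "C300", "amount": "7500.00", "entered_by": "CLK2", "approved_by": "SUP02"},
]

if __name__ == "__main__":
    res = process_batch(SAMPLE_BATCH)
    for tid, why in res.rejected.items():
        print(f"rejected {tid}: {why}")
    # The submitter declared 5 records totalling 16695.50; only T1 and T5 posted,
    # so the detective control flags the batch rather than letting it close silently.
    print("batch totals agree:", batch_totals_match(res.posted, 5, 16695.50))
```

The preventive edits stop bad records at entry; the batch-total check exists because edits can be bypassed or mis-specified, and it is the comparison against a figure computed independently of the posting process that gives the detective control its value.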

4 levers of control
1) Belief system- helps employees understand the mission
2) Boundary system- helps employees act ethically
3) Diagnostic control system- measures, monitors, and compares actual company progress to budgets and performance goals
4) Interactive control system- helps managers focus subordinates' attention on key strategic issues and be more involved in their decisions

Foreign Corrupt Practices Act 1977- passed to prevent companies from bribing foreign officials to obtain business. Also required all publicly owned corporations to maintain a system of internal accounting controls

Sarbanes-Oxley Act 2002- prevent financial statement fraud, make financial reports more transparent, provide protection to investors, strengthen internal controls at public companies, and punish executives who commit fraud
- Applies to public companies and their auditors
- PCAOB to control the auditing profession; sets and controls auditing, quality control, ethics, independence, and other auditing standards
- New rules for auditors
- Section 404- internal controls

Control Objectives for Information and Related Technology- COBIT
- Allows management to benchmark the security and control practices of IT environments
- Allows users of IT services to be assured that adequate security and control exist
- Allows auditors to substantiate their internal control opinions and advise on IT security and control matters

COBIT 5 framework describes best practices for the effective governance and management of IT
1) Meeting stakeholder needs- customize business processes and procedures to create value
2) Cover the enterprise end to end
3) Apply a single, integrated framework
4) Enable a holistic approach- effective governance and management of all IT functions in the company
5) Separating governance from management
   - Governance- create value by optimizing the use of organizational resources to produce benefits in a manner that effectively addresses risk
     - evaluate stakeholder needs to identify objectives
     - provide management with direction by prioritizing
     - monitor management's performance
   - Management- planning, building, running, and monitoring the activities and processes used to pursue the objectives established by the board of directors
     - Plan- align, plan, organize
     - Build- build, acquire, implement
     - Run- deliver, service, support
     - Monitor- monitor, evaluate, and assess

 

COSO's Internal Control framework- accepted as the authority on internal controls and incorporated into the policies, rules, and regulations used to control business activities
- Defines internal controls and provides guidance for evaluating and enhancing internal control systems
- 5 components
  - control environment
  - risk assessment
  - control activities
  - information and communication
  - monitoring

COSO's Enterprise Risk Management framework- improves the risk management process by expanding COSO's Internal Control framework
- Each of the 8 risk and control elements applies to each of the four objectives
- Objectives = strategic, operations, reporting, compliance
- Risk and control elements = objective setting, event identification, risk assessment, risk response, control activities, information and communication, monitoring

 

Segregation of duties- no single employee should be given too much responsibility over business transactions or processes
- Segregation of accounting duties- separating the accounting functions of authorization, custody, and recording to minimize an employee's ability to commit fraud
  - Authorization- approving transactions/decisions
  - Recording- preparing source documents, entering data into computer systems, maintaining ledgers
  - Custody- handling cash, tools, inventory
- Segregation of systems duties
  - System administration
  - Network management
  - Security management
  - Change management
  - Users
  - Systems analysis
  - Programming
  - Computer operations
  - Information system library
  - Data control
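Segregation of duties is usually enforced through role assignments, and the violations tend to arrive through role accumulation rather than a single bad grant. The Python check below is an added example, not from the notes: it resolves each user's roles to the duties they confer and reports every pair of duties that the policy says must be separated. The rule that no one holds two of authorization, recording and custody follows the notes; the systems-duty conflict pairs, the role catalogue and the user assignments are assumed for the illustration.

```python
"""Segregation-of-duties check over role assignments. The accounting rule
follows the notes; the systems conflict pairs, roles and users are constructed."""
from __future__ import annotations
from itertools import combinations

ACCOUNTING_DUTIES = {"authorization", "recording", "custody"}

# Assumed incompatible systems-duty pairs; frozensets so the order of the pair is irrelevant.
SYSTEMS_CONFLICTS = {
    frozenset({"programming", "computer operations"}),
    frozenset({"systems analysis", "programming"}),
    frozenset({"programming", "information system library"}),
    frozenset({"users", "programming"}),
    frozenset({"security management", "system administration"}),
}

# Constructed role catalogue: each role grants a set of duties from the notes' lists.
ROLES = {
    "ar_clerk": {"recording"},
    "cashier": {"custody"},
    "credit_manager": {"authorization"},
    "developer": {"programming"},
    "operator": {"computer operations"},
    "analyst": {"systems analysis"},
    "sysadmin": {"system administration"},
    "secadmin": {"security management"},
}

# Constructed user-to-role assignments, three of which violate the policy.
ASSIGNMENTS = {
    "alice": {"ar_clerk"},
    "bob": {"cashier", "ar_clerk"},      # custody + recording: can take cash and alter the record
    "carol": {"credit_manager"},
    "dave": {"developer", "operator"},   # can change programs and run them in production
    "erin": {"sysadmin"},
    "frank": {"analyst", "developer"},   # specifies and writes the same system
}


def effective_duties(roles: set[str], catalogue: dict[str, set[str]]) -> set[str]:
    """Union of the duties granted by every role the user holds."""
    duties: set[str] = set()
    for role in roles:
        duties |= catalogue.get(role, set())
    return duties


def conflicting_pairs(duties: set[str]) -> list[tuple[str, str]]:
    """All pairs of duties held together that the policy requires to be separated."""
    hits = []
    for a, b in combinations(sorted(duties), 2):
        pair = frozenset({a, b})
        # Any two of the three accounting functions conflict; systems pairs come from the policy table.
        if pair <= ACCOUNTING_DUTIES or pair in SYSTEMS_CONFLICTS:
            hits.append((a, b))
    return hits


def sod_violations(assignments: dict[str, set[str]],
                   catalogue: dict[str, set[str]]) -> dict[str, list[tuple[str, str]]]:
    """Map each user with at least one conflict to the conflicting duty pairs they hold."""
    violations = {}
    for user, roles in assignments.items():
        pairs = conflicting_pairs(effective_duties(roles, catalogue))
        if pairs:
            violations[user] = pairs
    return violations


if __name__ == "__main__":
    for user, pairs in sod_violations(ASSIGNMENTS, ROLES).items():
        print(f"{user}: {pairs}")
```

Running the check as part of every role change (a preventive use) and periodically over the full user base (a detective use) covers both the grant that was wrong at the time and the combination that only became a conflict after a later grant.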

11/01/2016 ...


Similar Free PDFs