A20 ROMNEY COMPILED
Uploaded by Lorraine


ACCOUNTING 20
ROMNEY (CH. 1-7)

CHAPTER 1: ACCOUNTING INFORMATION SYSTEMS: AN OVERVIEW

A system is a set of two or more interrelated components that interact to achieve a goal.

Goal conflict occurs when a subsystem’s goals are inconsistent with the goals of another subsystem or with the system as a whole.

Goal congruence occurs when a subsystem achieves its goals while contributing to the organization’s overall goal.

Data are facts that are collected, recorded, stored, and processed by an information system.

Information is data that have been organized and processed to provide meaning and improve the decision-making process.

CHARACTERISTICS OF USEFUL INFORMATION:
1. Relevant - reduces uncertainty, improves decision making, or confirms or corrects prior expectations.
2. Reliable - free from error or bias; accurately represents organization events or activities.
3. Complete - does not omit important aspects of the events or activities it measures.
4. Timely - provided in time for decision makers to make decisions.
5. Understandable - presented in a useful and intelligible format.
6. Verifiable - two independent, knowledgeable people produce the same information.
7. Accessible - available to users when they need it and in a format they can use.

Information overload occurs when those limits are passed, resulting in a decline in decision-making quality and an increase in the cost of providing that information.

Information technology (IT) - the computers and other electronic devices used to store, retrieve, transmit, and manipulate data.

Value of information = benefit produced by the information – the cost of producing it.

Benefits of information include reduced uncertainty, improved decisions, and improved ability to plan and schedule activities.

Costs include the time and resources spent to produce and distribute the information.

A business process is a set of related, coordinated, and structured activities and tasks that are performed by a person, a computer, or a machine, and that help accomplish a specific organizational goal.

A transaction is an agreement between two entities to exchange goods or services or any other event that can be measured in economic terms by an organization.

Transaction Processing - process of capturing transaction data, processing it, storing it for later use, and producing information output, such as a managerial report or a financial statement.

Give-get Exchange - transactions that happen a great many times, such as giving up cash to get inventory from a supplier and giving employees a paycheck in exchange for their labor.

FIVE MAJOR BUSINESS PROCESSES OR TRANSACTION CYCLES:
1. Revenue Cycle - goods and services are sold for cash or a future promise to receive cash.
2. Expenditure Cycle - companies purchase inventory for resale or raw materials to use in producing products in exchange for cash or a future promise to pay cash.
3. Production or Conversion Cycle - raw materials are transformed into finished goods.
4. Human Resource/Payroll Cycle - employees are hired, trained, compensated, evaluated, promoted, and terminated.
5. Financing Cycle - companies sell shares in the company to investors and borrow money, and where investors are paid dividends and interest is paid on loans.

Note: To make effective decisions, organizations must decide what decisions they need to make, what info they need to make the decisions, and how to gather and process the data needed.

General Ledger and Reporting System - information-processing operations involved in updating the general ledger and preparing reports for both management and external parties.

Accounting Information System (AIS) - a system that collects, records, stores, and processes data to produce information for decision makers.

SIX COMPONENTS OF AIS:
1. People
2. Procedures and Instructions
3. Data
4. Software
5. Information Technology Infrastructure
6. Internal Controls and Security Measures

SIX COMPONENTS ENABLE AIS TO FULFILL THREE IMPORTANT BUSINESS FUNCTIONS:
1. collect and store data about organizational activities, resources, and personnel
2. transform data into information so management can plan, execute, control, and evaluate activities, resources, and personnel
3. provide adequate controls to safeguard the organization’s assets and data

HOW AN AIS CAN ADD VALUE TO AN ORGANIZATION:
1. Improving the quality and reducing the costs of products or services.
2. Improving efficiency.
3. Sharing knowledge.
4. Improving the efficiency and effectiveness of its supply chain.
5. Improving the internal control structure.
6. Improving decision making.
● Identify situations needing management action.
● Reduce uncertainty.
● Store information about previous decisions.
● Provide accurate information in a timely manner.
● Analyze sales data to discover items purchased together etc.

Predictive Analysis - the use of data warehouses and complex algorithms to forecast future events, based on historical trends and calculated probabilities.

Value Chain - linking together of all the primary and support activities in a business.

PRIMARY ACTIVITIES IN THE VALUE CHAIN:
1. Inbound Logistics - receiving, storing, and distributing the materials an organization uses to create the services and products it sells. (receiving and storing)
2. Operations - transform inputs into final products or services. (manufacturing and packaging)
3. Outbound Logistics - distribute finished products or services to customers. (distribution and shipping)
4. Marketing and Sales - help customers buy the organization’s products or services. (advertising and selling)
5. Service - provide post-sale support to customers. (repair and maintenance)

Support activities allow the five primary activities to be performed efficiently and effectively.

FOUR CATEGORIES OF SUPPORT ACTIVITIES:
1. Firm Infrastructure - accounting, finance, legal, and general administration activities.
Note: The AIS is part of the firm infrastructure.
2. Human Resources - recruiting, hiring, training, and compensating employees.
3. Technology - improve a product or service.
4. Purchasing - procure raw materials, supplies, machinery, and the buildings used to carry out the primary activities.

Supply Chain - an extended system that includes an organization’s value chain as well as its suppliers, distributors, and customers.

CHAPTER 2: OVERVIEW OF TRANSACTION PROCESSING AND ENTERPRISE RESOURCE PLANNING SYSTEMS

Data Processing Cycle - the operations performed on data to generate meaningful and relevant information.

FOUR STEPS IN DATA PROCESSING CYCLE:

1.) Data Input
● The first step in processing input is to capture transaction data and enter them into the system.
● The second step in processing input is to make sure captured data are accurate and complete.
● The third step in processing input is to make sure company policies are followed, such as approving or verifying a transaction.
● Usually triggered by business activity.
● Data must be collected about three facets of each business activity.
○ a. Each activity of interest.
○ b. The resource(s) affected by each activity.
○ c. The people who participate in each activity.

Note: The most frequent revenue cycle transaction is a sale, either for cash or credit.

Note: Historically, most businesses use source documents to collect data about business activities.

Source documents - used to capture transaction data at its source when the transaction takes place.

Turnaround documents - records of company data sent to an external party and then returned to the system as input. Turnaround documents are in machine-readable form to facilitate their subsequent processing as input records.

Source data automation - the collection of transaction data in machine-readable form at the time and place of origin.

2.) Data Storage
● A company’s data are one of its most important resources.
● To function properly, an organization must have ready and easy access to its data.

LEDGERS:

General ledger - contains summary-level data for every asset, liability, equity, revenue, and expense account.

Subsidiary ledger - used to record detailed data for a general ledger account with many individual subaccounts, such as accounts receivable, inventory and accounts payable.

Control account - a general ledger account that summarizes the total amounts recorded in a subsidiary ledger.

Note: Cumulative accounting information is stored in general and subsidiary ledgers.

CODING TECHNIQUES:

Coding is the systematic assignment of numbers or letters to items to classify and organize them.

Sequence codes - items are numbered consecutively so that gaps in the sequence code indicate missing items that should be investigated.

Block code - blocks of numbers are reserved for specific categories of data.

Group codes - two or more subgroups of digits used to code items, are often used in conjunction with block codes.

Mnemonic codes - letters and numbers are interspersed to identify an item.

CHART OF ACCOUNTS:

Chart of accounts is a listing of all the numbers assigned to balance sheet and income statement accounts. The account numbers allow transaction data to be coded, classified, and entered into proper accounts. They also facilitate financial statements and report preparation.

Note: A chart of accounts is tailored to the nature and purpose of an organization.

JOURNALS:

General journal - used to record infrequent or nonroutine transactions, such as loan payments and end-of-period adjusting and closing entries.

Specialized journal - records large numbers of repetitive transactions such as sales, cash receipts, and cash disbursements.

AUDIT TRAIL

Audit trail - a traceable path of a transaction through a data processing system from point of origin to final output, or backward from final output to point of origin. It is used to check the accuracy and validity of ledger postings.

COMPUTER-BASED STORAGE CONCEPTS:

Entity - the item about which information is stored in a record.

Attributes - the properties, identifying numbers, and characteristics of interest of an entity that is stored in a database.

Field - the portion of a data record where the data value for a particular attribute is stored.

Record - a set of fields whose data values describe specific attributes of an entity, such as all payroll data relating to a single employee.

Data value - the actual value stored in a field and it describes specific attributes of an entity.

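The sequence-code control described under CODING TECHNIQUES above (gaps in a consecutive numbering indicate missing items to investigate) is easy to turn into a routine check. The following is an added example, not part of the Romney notes: it takes the document numbers actually posted (a constructed list of cheque numbers) and the range the cheque book covered, and reports missing numbers, duplicates and out-of-range numbers, each of which an auditor would follow through the audit trail.

```python
"""Sequence-code gap check, an added example (not from the Romney notes).

Sequence codes number items consecutively so that a gap in the sequence points
to a missing item that should be investigated. This check compares the
document numbers actually recorded against the range that was issued.
"""
from typing import Dict, Iterable, List


def check_sequence(numbers: Iterable[int], first: int, last: int) -> Dict[str, List[int]]:
    """Compare recorded sequence numbers against the expected range first..last.

    Returns three lists:
      "missing"    - numbers in the range never recorded (lost, destroyed or
                     unrecorded documents)
      "duplicates" - numbers recorded more than once (reuse or double posting)
      "unexpected" - numbers outside the range (not issued from this book, or
                     a numbering error)
    """
    seen: Dict[int, int] = {}
    for n in numbers:
        seen[n] = seen.get(n, 0) + 1
    missing = [n for n in range(first, last + 1) if n not in seen]
    duplicates = sorted(n for n, count in seen.items() if count > 1)
    unexpected = sorted(n for n in seen if n < first or n > last)
    return {"missing": missing, "duplicates": duplicates, "unexpected": unexpected}


def report(numbers: Iterable[int], first: int, last: int) -> List[str]:
    """One exception line per finding, suitable for an audit work paper."""
    result = check_sequence(numbers, first, last)
    lines: List[str] = []
    for n in result["missing"]:
        lines.append(f"MISSING      {n}: no document posted; locate it or confirm it was voided")
    for n in result["duplicates"]:
        lines.append(f"DUPLICATE    {n}: posted more than once; check for a double payment")
    for n in result["unexpected"]:
        lines.append(f"OUT OF RANGE {n}: not issued from this cheque book; verify its source")
    return lines


# Constructed sample: cheque numbers posted to the cash disbursements journal
# for a cheque book that ran from 1001 to 1010.
SAMPLE_CHEQUES = [1001, 1002, 1003, 1005, 1006, 1006, 1008, 1009, 1010, 1042]

if __name__ == "__main__":
    for line in report(SAMPLE_CHEQUES, 1001, 1010):
        print(line)
```

The same check applies to any sequence-coded document (sales invoices, receiving reports, purchase orders); only the expected range changes.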
File - a set of logically related records, such as the payroll records of all employees.

Master file - a permanent file of records that stores cumulative data about an organization. As transactions take place, individual records within a master file are updated to keep them current.

Transaction file - a file that contains the individual business transactions that occur during a specific fiscal period.

Database - a set of interrelated centrally controlled data files that are stored with as little data redundancy as possible. A database consolidates records previously stored in separate files into a common pool and serves a variety of users and data processing applications.

3.) Data Processing

FOUR TYPES (CRUD):
1. Creating new data records, such as adding a newly hired employee to the payroll database.
2. Reading, retrieving, or viewing existing data.
3. Updating previously stored data.
4. Deleting data, such as purging the vendor master file of all vendors the company no longer does business with.

Batch Processing - accumulating transaction records into groups or batches for processing at a regular interval such as daily or weekly; batches are usually sorted into some sequence before processing.

Note: Although batch processing is cheaper and more efficient, the data are current and accurate only immediately after processing. For that reason, batch processing is used only for applications such as payroll.

Online, real-time processing - the computer system processes data immediately after capture and provides updated information to users on a timely basis.

Note: Online, real-time processing ensures that stored information is always current, thereby increasing its decision-making usefulness.

Online batch processing - transaction data are entered and edited as they occur and stored for later processing.

4.) Information Output
● The final step in the data processing cycle.

THREE FORMS OF INFORMATION:
1. Documents - records of transaction or other company data. Some, such as checks and invoices, are transmitted to external parties.
2. Reports - system output, organized in a meaningful fashion, that is used by employees to control operational activities, by managers to make decisions and design strategies, and by investors and creditors to understand a company's business activities.
3. Query - a request for the database to provide the information needed to deal with a problem or answer a question.

ENTERPRISE RESOURCE PLANNING (ERP) SYSTEMS
● A system that integrates all aspects of an organization’s activities—such as accounting, finance, marketing, human resources, manufacturing, inventory management—into one system.
● An ERP system is modularized; companies can purchase the individual modules that meet their specific needs.
● An ERP facilitates information flow among the company’s various business functions and manages communications with outside stakeholders.
● The ERP system collects, processes, and stores data and provides the information managers and external parties need to assess the company.
● ERP systems use a centralized database to share information across business processes and coordinate activities.

Note: The AIS has been referred to as a transaction processing system because its only concern was financial data and accounting transactions.

DISADVANTAGES OF ERP:
● Cost.
● Amount of time required.
● Changes to business processes.
● Complexity.
● Resistance.

Note: Because it is too difficult for most companies to implement ERP software by themselves, they often hire an ERP vendor or a consulting company to do it for them. These firms usually provide three types of services: consulting, customization, and support.

CHAPTER 3: SYSTEMS DOCUMENTATION TECHNIQUES

Documentation - narratives, flowcharts, diagrams, and other written materials that explain how a system works.

Narrative description - written, step-by-step explanation of system components and how they interact.

SYSTEM DOCUMENTATION TOOLS:

1.) Data flow diagram (DFD) - a graphical description of data sources, data flows, transformation processes, data storage, and data destinations.

Data source - the entity that produces or sends the data that is entered into a system.

Data destination - the entity that receives data produced by a system.

Data flow - the movement of data among processes, stores, sources, and destinations.

Process - the action that transforms data into other data or information.

Data store - the place or medium where system data is stored.

Context diagram - highest-level DFD; a summary-level view of a system, showing the data processing system, its input(s) and output(s), and their sources and destinations.

GUIDELINES FOR DRAWING A DFD:
1. Understand the system
2. Ignore certain aspects of the system
3. Determine system boundaries
4. Develop a context diagram
5. Identify data flows
6. Group data flows
7. Identify transformation process
8. Group transformation process
9. Identify all files or data sources
10. Identify all data sources and destinations
11. Name all DFD elements
12. Subdivide the DFD
13. Give each process a sequential number
14. Refine the DFD
15. Prepare a final copy.

2.) Flowchart - a graphical description of a system.

Internal control flowchart - used to describe, analyze, and evaluate internal controls, including identifying system strengths, weaknesses, and inefficiencies.

CATEGORIES OF FLOWCHART SYMBOLS:
1. Input/output symbols - show input to or output from a system.
2. Processing symbols - show data processing, either electronically or by hand.
3. Storage symbols - show where data is stored.
4. Flow and miscellaneous symbols - indicate the flow of data, where flowcharts begin or end, where decisions are made, and how to add explanatory notes.

TYPES OF FLOWCHARTS:
a. Document flowchart - shows the flow of documents and information between departments or areas of responsibility.
b. System flowchart - shows the relationship among the input, processing, and output in an information system.
c. Program flowchart - shows the sequence of logical operations a computer performs as it executes a program.

3.) Business Process diagrams - graphical descriptions of the business processes used by a company.

CHAPTER 4: RELATIONAL DATABASES

Database - a set of interrelated, centrally coordinated data files that are stored with as little data redundancy as possible. A database consolidates records previously stored in separate files into a common pool and serves a variety of users and data processing applications.

Database Management System (DBMS) - the program that manages and controls the data and the interfaces between the data and the application programs that use the data stored in the database.

Database system - the database, the DBMS, and the application programs that access the database through the DBMS.

Database Administrator (DBA) - the person responsible for coordinating, controlling, and managing the database.

Data warehouse - very large databases containing detailed and summarized data for a number of years that are used for analysis rather than transaction processing.

Business intelligence - analyzing large amounts of data for strategic decision making.

Online Analytical Processing (OLAP) - using queries to investigate hypothesized relationships among data.

Data mining - using sophisticated statistical analysis to “discover” unhypothesized relationships in the data.

Scrubbing the data - verifying the accuracy of the data; this is often one of the most time-consuming and expensive steps in creating a data warehouse.

ADVANTAGES OF DATABASE SYSTEMS:
1. Data integration
2. Data sharing
3. Minimal data redundancy and data inconsistencies
4. Data independence
5. Cross-functional analysis

LOGICAL AND PHYSICAL VIEWS OF DATA:

Record layout - document that shows the items stored in a file, including the order and length of the data fields and the type of data stored.

Logical view - how people conceptually organize and understand the relationships among data items.

Physical view - the way data are physically arranged and stored in the computer system.

Schema - a description of the data elements in a database, the relationships among them, and the logical model used to organize and describe the data.

THREE LEVELS OF SCHEMAS:
1. Conceptual-level schema - the organization-wide view of the entire database that lists all data elements and the relationships between them.
2. External-level schema - an individual user’s view of portions of a database; also called a subschema.
Subschema - a subset of the schema; the way the user defines the data and the data relationships.
3. Internal-level schema - a low-level view of the entire database describing how the data are actually stored and accessed.

Data dictionary - contains information about the structure of the database, including a description of each data element.

DBMS LANGUAGES:

Data Definition Language (DDL) - builds the data dictionary, creates the database, describes logical views for each user, and specifies record or field security constraints.

Data Manipulation Language (DML) - changes database content, including data element creations, updates, insertions, and deletions.

Data Query Language (DQL) - a high-level, English-like language that contains powerful, easy-to-use commands that enable users to retrieve, sort, order, and display data.

Report Writer - simplifies report creation.

RELATIONAL DATABASES:

Relational Database
● capable of integrating financial and operational data.
● have the potential to increase the use and value of accounting information.
● can accommodate multiple views of the same underlying phenomenon.

Data model - an abstract representation of database contents.

Relational data model - a two-dimensional table representation of data; each row represents a unique entity (record) and each column is a field where record attributes are stored.

Tuple - a row in a table that contains data about a specific item in a database table.

TYPES OF ATTRIBUTES:
1. Primary key - the database attribute, or combination of attributes, that uniquely identifies a specific row in a table.
2. Foreign key - an attribute in a table that is also a primary key in another table and is used to link the two tables.

DESIGNING A RELATIONAL DATABASE:

1.) Store all data in one uniform table

TYPES OF ANOMALIES:
1. Update anomaly - a non-primary key item is stored multiple times; updating the item in one location and not the others causes data inconsistencies.
2. Insert anomaly - results in the inability to add records to a database.
3. Delete anomaly - loss of all information about an entity when a row is deleted.

2.) Vary the number of columns.

3.) The solution: A set of tables.

BASIC REQUIREMENTS OF A RELATIONAL DATABASE:
1. Every column in a row must be single valued.
2. Primary keys cannot be null.
3. Foreign keys, if not null, must have values that correspond to the value of a primary key in another table.
4. All nonkey attributes in a table must describe a characteristic of the object identified by the primary key.
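Requirements 2 and 3 above are exactly the constraints a DBMS can be asked to enforce on every insert, so that integrity does not depend on each application program checking. The following is an added example, not part of the Romney notes, using Python's built-in sqlite3 with constructed customer and sale tables (names and rows invented for the illustration): it declares the primary-key and foreign-key rules and shows the DBMS accepting the two rows that satisfy them and rejecting the two that do not.

```python
"""Enforcing the basic requirements of a relational database, an added example
(not from the Romney notes) using Python's built-in sqlite3.

Requirement 2 (primary keys cannot be null) and requirement 3 (a non-null
foreign key must match a primary key in another table) are declared as table
constraints, so the DBMS itself rejects a bad row. Table names, columns and
sample rows are constructed for this example.
"""
import sqlite3

# SQLite lets a non-INTEGER PRIMARY KEY column hold NULL unless NOT NULL is
# also declared, so requirement 2 has to be written out explicitly.
SCHEMA = """
CREATE TABLE customer (
    customer_code TEXT PRIMARY KEY NOT NULL,   -- requirement 2: PK never null
    name          TEXT NOT NULL
);
CREATE TABLE sale (
    sale_no       TEXT PRIMARY KEY NOT NULL,
    customer_code TEXT,                        -- NULL allowed: a cash sale
    amount        REAL NOT NULL,
    FOREIGN KEY (customer_code) REFERENCES customer(customer_code)  -- requirement 3
);
"""


def open_db() -> sqlite3.Connection:
    """In-memory database with foreign-key checking switched on.

    sqlite3 ignores FOREIGN KEY clauses unless this pragma is set on the
    connection, a silent failure worth remembering.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO customer VALUES ('C001', 'Alpha Ltd')")
    conn.commit()
    return conn


def try_insert(conn: sqlite3.Connection, sql: str, params: tuple) -> str:
    """Run one INSERT and report whether the DBMS accepted or rejected it."""
    try:
        conn.execute(sql, params)
        conn.commit()
        return "accepted"
    except sqlite3.IntegrityError as exc:
        conn.rollback()
        return f"rejected: {exc}"


def demo() -> dict:
    """Four inserts: two satisfy the requirements, two break them."""
    conn = open_db()
    sale = "INSERT INTO sale VALUES (?, ?, ?)"
    results = {
        # credit sale to an existing customer: FK matches a PK
        "valid_fk": try_insert(conn, sale, ("S10", "C001", 250.0)),
        # cash sale with no customer: requirement 3 applies only to non-null FKs
        "null_fk": try_insert(conn, sale, ("S11", None, 40.0)),
        # customer C999 does not exist: orphan FK is rejected
        "orphan_fk": try_insert(conn, sale, ("S12", "C999", 99.0)),
        # primary key NULL: rejected under requirement 2
        "null_pk": try_insert(conn, "INSERT INTO customer VALUES (?, ?)", (None, "Beta Inc")),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:10s} {outcome}")
```

Requirement 1 (single-valued columns) and requirement 4 (nonkey attributes describe the key's object) are design decisions the DBMS cannot check for you; they come from normalization or semantic data modeling of the tables before they are created.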

TWO APPROACHES TO DATABASE DESIGN:
1. Normalization - following relational database creation rules to design a relational database that is free from delete, insert, and update anomalies.
2. Semantic data modeling - using knowledge of business processes and information needs to create a diagram that shows what to include in a fully normalized database.

Note: A significant advantage of database systems is the ability to create ad hoc queries to provide the information needed for decision making.

CHAPTER 5: FRAUD

THREATS TO ACCOUNTING INFORMATION SYSTEMS:
1. Natural and Political Disasters - such as fires, floods, earthquakes, hurricanes, tornadoes, blizzards, wars, and attacks by terrorists.
2. Software Errors - software errors, operating system crashes, hardware failures, power outages and fluctuations, and undetected data transmission errors constitute a second type of threat.
3. Unintentional Acts - accidents or innocent errors and omissions; this is the greatest risk to information systems and causes the greatest dollar losses. Caused by human carelessness, failure to follow established procedures, and poorly trained or supervised personnel.
4. Intentional Act - such as a computer crime, a fraud, or sabotage, which is deliberate destruction or harm to a system.

Sabotage - an intentional act where the intent is to destroy a system or some of its components.

Cookie - a text file created by a website and stored on a visitor’s hard drive; cookies store information about who the user is and what the user has done on the site.

INTRODUCTION TO FRAUD:

Fraud - gaining an unfair advantage over another person.

LEGALLY, FOR AN ACT TO BE FRAUDULENT THERE MUST BE:
1. A false statement, representation, or disclosure.
2. A material fact, which is something that induces a person to act.
3. An intent to deceive.
4. A justifiable reliance; that is, the person relies on the misrepresentation to take an action.
5. An injury or loss suffered by the victim.

Note: Fraud perpetrators are often referred to as white-collar criminals.

White-collar criminals - typically, businesspeople who commit fraud; they usually resort to trickery or cunning, and their crimes usually involve a violation of trust or confidence.

Corruption - dishonest conduct by those in power; it often involves actions that are illegitimate, immoral, or incompatible with ethical standards.

Investment fraud - misrepresenting or leaving out facts in order to promote an investment that promises fantastic profits with little or no risk.

TWO TYPES OF FRAUD:
1. Misappropriation of Assets - theft of company assets by employees.
2. Fraudulent Financial Reporting - intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements.

Cook the books - most frequent schemes that involve fictitiously inflating revenues, holding books open, closing the books early, overstating inventories or fixed assets, and concealing losses and liabilities.

FOUR ACTIONS RECOMMENDED TO REDUCE FRAUDULENT FINANCIAL REPORTING:
1. Establish an organizational environment that contributes to the integrity of the financial reporting process.
2. Identify and understand the factors that lead to fraudulent financial reporting.
3. Assess the risk of fraudulent financial reporting within the company.
4. Design and implement internal controls to provide reasonable assurance of preventing fraudulent financial reporting.

Note: Asset misappropriation is more likely than fraudulent financial reporting but the amounts involved are much smaller.

Statement on Auditing Standard (SAS) No. 99, Consideration of Fraud in Financial Statement Audit, became effective in December 2002. It required the auditor to:
a) Understand fraud.
b) Discuss the risks of material fraudulent misstatements.
c) Obtain information.
d) Identify, assess, and respond to risk.
e) Evaluate the results of their audit tests.
f) Document and communicate findings.
g) Incorporate a technology focus.

Computer fraud perpetrators - typically younger and possess more computer experience and skills.

Blue-collar criminals - look to prey on others by robbing them.

THE FRAUD TRIANGLE:

A.) Pressure - a person’s incentive or motivation for committing fraud.
● Financial pressures - often motivate misappropriation frauds by employees.
● Emotional - many employee frauds are motivated by greed; some employees turn to fraud because they have strong feelings of resentment or believe they have been treated unfairly.
● Lifestyle - the person may need funds to support a gambling habit or support a drug or alcohol addiction.

B.) Opportunity - condition or situation that allows a person or organization to commit and conceal a dishonest act and convert it to personal gain.
● Commit
● Conceal
● Convert

Lapping - concealing the theft of cash by means of a series of delays in posting collections to accounts receivable.

Check kiting - creating cash using the lag between the time a check is deposited and the time it clears the bank.

C.) Rationalization - allows perpetrators to justify their illegal behavior.

Computer fraud - any fraud that requires computer technology to perpetrate it.

COMPUTER FRAUD CLASSIFICATIONS:

A.) Input fraud - the simplest and most common way to commit computer fraud is to alter or falsify computer input and it requires little skill; perpetrators need only understand how the system operates so they can cover their tracks.

B.) Processor fraud - includes unauthorized system use, including the theft of computer time and services.

C.) Computer instructions fraud - includes tampering with company software, copying software illegally, using software in an unauthorized manner, and developing software to carry out an unauthorized activity.

D.) Data fraud - illegally using, copying, browsing, searching, or harming company data.

E.) Output fraud - unless properly safeguarded, displayed or printed output can be stolen, copied or misused.

Note: The biggest cause of data breaches is employee negligence.

CHAPTER 6: COMPUTER FRAUD AND ABUSE TECHNIQUES

COMPUTER ATTACKS AND ABUSE:

Hacking - the unauthorized access, modification, or use of an electronic device or some element of a computer system.

Hijacking - gaining control of someone else’s computer to carry out illicit activities, such as sending spam without the computer user’s knowledge.

Botnet - short for robot network, is a powerful network of hijacked computers.

Zombie - a hijacked computer, typically part of a botnet, that is used to launch a variety of Internet attacks.

Bot herder - the person who creates a botnet by installing software on PCs that responds to the bot herder’s electronic instructions.

Denial-of-Service (DoS) attack - a computer attack in which the attacker sends so many e-mail bombs or web page requests, often from randomly generated false addresses, that the Internet service provider’s e-mail server or the web server is overloaded and shuts down.

Spamming - simultaneously sending the same unsolicited message to many people, often in an attempt to sell them something.

Dictionary attacks (also called direct harvesting attacks) - spammers use special software to guess e-mail addresses at a company and send blank e-mail messages.

Splog - spam blogs created to increase a website’s Google PageRank, which is how often a web page is referenced by other web pages.

Spoofing - making an electronic communication look as if someone else sent it to gain the trust of the recipient.

FORMS OF SPOOFING:

A.) E-mail spoofing - making an e-mail appear as though it originated from a different source.

B.) Caller ID spoofing - displaying an incorrect number (any number the attacker chooses) on a caller ID display to hide the caller’s identity.

C.) IP address spoofing - creating Internet Protocol (IP) packets with a forged source IP address to conceal the identity of the sender or to impersonate another computer system.

D.) Address Resolution Protocol (ARP) spoofing - sending fake ARP messages to an Ethernet LAN.
● ARP - a networking protocol for determining a network host’s hardware address when only its IP or network address is known.

E.) SMS spoofing - using the short message service (SMS) to change the name or number a text message appears to come from.

F.) Web-page spoofing - also called phishing.

G.) DNS spoofing - sniffing the ID of a Domain Name System (DNS, the “phone book” of the Internet that converts a domain, or website name, to an IP address) request and replying before the real DNS server can.

Zero-day attack (or zero-hour attack) - an attack between the time a new software vulnerability is discovered and the time a software developer releases a patch that fixes the problem.

Patch - code released by software developers that fixes a particular software vulnerability.

Cross-site scripting (XSS) - a vulnerability in dynamic web pages that allows an attacker to bypass a browser’s security mechanisms and instruct the victim’s browser to execute code, thinking it came from the desired website.

Buffer overflow attack - happens when the amount of data entered into a program is greater than the amount of the memory (the input buffer) set aside to receive it.

SQL injection (insertion) attack - inserting a malicious SQL query in input such that it is passed to and executed by an application program.

Man-in-the-middle (MITM) attack - a hacker placing himself between a client and a host to intercept communications between them.

Masquerading/impersonation - gaining access to a system by pretending to be an authorized user. This requires that the perpetrator know the legitimate user’s ID and passwords.

Piggybacking:

(1) Tapping into a communications line and electronically latching onto a legitimate user who unknowingly carries the perpetrator into the system.

(2) The clandestine use of a neighbor’s Wi-Fi network.

(3) An unauthorized person following an authorized person through a secure door, bypassing physical security controls.

Password cracking - penetrating a system’s defenses, stealing the file containing valid passwords, decrypting them, and using them to gain access to programs, files, and data.

War dialing - programming a computer to dial thousands of phone lines searching for dial-up modem lines.

War driving - driving around looking for unprotected wireless networks.

War rocketing - using rockets to let loose wireless access points attached to parachutes that detect unsecured wireless networks.

Phreaking - attacking phone systems to obtain free phone line access; use phone lines to transmit malware; and to access, steal, and destroy data.

Data diddling - changing data before or during entry into a computer system in
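The SQL injection attack defined above, shown as an added example that is not part of these notes: a lookup that pastes input into the query text beside its parameterized fix, using Python's sqlite3 with a constructed in-memory table and constructed inputs.

```python
"""
Added example (not from the Romney notes): the SQL injection attack defined
above, shown as a vulnerable lookup beside its parameterized fix.
Everything here is constructed: the in-memory table, the rows and the inputs.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: an in-memory customer table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # The defect the definition describes: user input is pasted into the query
    # text, so the database cannot tell data from SQL and executes whatever
    # the input contains.
    sql = "SELECT id, name FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameterized query: the driver sends the input as a bound value, so
    # whatever it contains is compared as a literal string, never executed.
    sql = "SELECT id, name FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo() -> dict:
    conn = make_db()
    honest = "alice"
    # Constructed input that contains SQL syntax rather than a name.
    crafted = "x' OR '1'='1"
    return {
        "honest_vulnerable": lookup_vulnerable(conn, honest),
        "honest_safe": lookup_safe(conn, honest),
        # the concatenated query now matches every row in the table
        "crafted_vulnerable": lookup_vulnerable(conn, crafted),
        # the bound parameter matches no row, because no customer has that name
        "crafted_safe": lookup_safe(conn, crafted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```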
order to delete, alter, add, or incorrectly update key system data.

Data leakage - the unauthorized copying of company data, often without leaving any indication that it was copied.

Podslurping - using a small device with storage capacity, such as an iPod or Flash drive, to download unauthorized data.

Salami technique - stealing tiny slices of money from many different accounts.

Round-down fraud - instructing the computer to round down all interest calculations to two decimal places. The fraction of a cent rounded down on each calculation is put into the programmer’s account.

Economic espionage - the theft of information, trade secrets, and intellectual property.

Cyber-extortion - threatening to harm a company or a person if a specified amount of money is not paid.

Cyber-bullying - using the Internet, cell phones, or other communication technologies to support deliberate, repeated, and hostile behavior that torments, threatens, harasses, humiliates, embarrasses, or otherwise harms another person.

Sexting - exchanging sexually explicit text messages and revealing pictures, usually by means of a phone.

Internet terrorism - using the Internet to disrupt electronic commerce and communications and to harm computers.

Internet misinformation - using the Internet to spread false or misleading information.

E-mail threats - threats sent to victims by e-mail; the threats usually require some follow-up action, often at great expense to the victim.

Internet auction fraud - using an Internet auction site to defraud another person.

Internet pump-and-dump fraud - using the Internet to pump up the price of a stock and then selling it.

Click fraud - manipulating click numbers to inflate advertising bills.

Web cramming - offering a free website for a month, developing a worthless website, and charging the phone bill of the people who accept the offer for months, whether they want to continue using the website or not.

Software piracy - the unauthorized copying or distribution of copyrighted software.

SOCIAL ENGINEERING:

Social engineering - techniques or psychological tricks used to get people to comply with the perpetrator’s wishes in order to gain physical or logical access to a building, computer, server, or network—usually to get the information needed to access a system and obtain confidential data.
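An independent check for the round-down fraud defined above, as an added example that is not part of these notes: a constructed interest run is posted once correctly and once by a "diddled" routine that truncates each amount and credits the shaved fractions to a constructed account "P-999"; recomputing each account then flags what a batch control total cannot.

```python
"""
Added example (not from the Romney notes): detecting round-down fraud.
The balances, monthly rate and the skim account "P-999" are all constructed.
"""
from decimal import Decimal, ROUND_HALF_UP, ROUND_DOWN

CENT = Decimal("0.01")
MONTHLY_RATE = Decimal("0.0025")  # constructed: 0.25% per month

# Constructed sample balances keyed by account number.
BALANCES = {
    "A-1": Decimal("1000.00"),
    "A-2": Decimal("1234.56"),
    "A-3": Decimal("987.65"),
    "A-4": Decimal("555.55"),
}


def exact_interest(balance: Decimal) -> Decimal:
    """Interest before any rounding, kept at full precision."""
    return balance * MONTHLY_RATE


def post_correctly(balances: dict) -> dict:
    """The intended program: round each account half-up to the cent."""
    return {acct: exact_interest(b).quantize(CENT, rounding=ROUND_HALF_UP)
            for acct, b in balances.items()}


def post_diddled(balances: dict, skim_account: str) -> dict:
    """The fraud the definition describes: truncate every account to the cent
    and move the accumulated fractions into the perpetrator's account."""
    postings = {}
    residue = Decimal("0")
    for acct, b in balances.items():
        exact = exact_interest(b)
        truncated = exact.quantize(CENT, rounding=ROUND_DOWN)
        postings[acct] = truncated
        residue += exact - truncated
    postings[skim_account] = residue
    return postings


def batch_total_ok(postings: dict, balances: dict) -> bool:
    """Control-total check with the usual rounding tolerance of one cent per
    account. Both the honest run and the diddled run pass it, because the
    skim account absorbs exactly the fractions taken from the others."""
    expected = sum(exact_interest(b) for b in balances.values())
    drift = abs(sum(postings.values()) - expected)
    return drift <= CENT * len(balances)


def reconcile(postings: dict, balances: dict) -> list:
    """Independent check: recompute each account and list every variance,
    including credits to accounts that hold no interest-bearing balance."""
    expected = post_correctly(balances)
    findings = []
    for acct, amount in postings.items():
        if acct not in expected:
            findings.append((acct, "credit with no interest-bearing balance", amount))
        elif amount != expected[acct]:
            findings.append((acct, "variance from recomputed interest",
                             amount - expected[acct]))
    return findings


if __name__ == "__main__":
    diddled = post_diddled(BALANCES, "P-999")
    print("batch total passes:", batch_total_ok(diddled, BALANCES))
    for finding in reconcile(diddled, BALANCES):
        print(finding)
```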
SEVEN HUMAN TRAITS:

1. Compassion - the desire to help others who present themselves as really needing your help.

2. Greed - people are more likely to cooperate if they get something free or think they are getting a once-in-a-lifetime deal.

3. Sex Appeal - people are more likely to cooperate with someone who is flirtatious or viewed as “hot.”

4. Sloth - few people want to do things the hard way, waste time, or do something unpleasant; fraudsters take advantage of our lazy habits and tendencies.

5. Trust - people are more likely to cooperate with people who gain their trust.

6. Urgency - a sense of urgency or immediate need that must be met leads people to be more cooperative and accommodating.

7. Vanity - people are more likely to cooperate if you appeal to their vanity by telling them they are going to be more popular or successful.

Identity theft - assuming someone’s identity, usually for economic gain, by illegally obtaining and using confidential information, such as a Social Security number or a bank account or credit card number.

Pretexting - using an invented scenario (the pretext) to increase the likelihood that a victim will divulge information or do something.

Posing - creating a seemingly legitimate business collecting personal information while making a sale, and never delivering the product.

Phishing - sending an electronic message pretending to be a legitimate company, usually a financial institution, and requesting information or verification of information and often warning of some negative consequence if it is not provided.

Voice phishing (vishing) - like phishing except that the victim enters confidential data by phone.

Carding - performed on stolen credit cards, including making a small online purchase to determine whether the card is still valid and buying and selling stolen credit card numbers.

Pharming - redirecting website traffic to a spoofed website.

Evil twin - a wireless network with the same name (called Service Set Identifier, or SSID) as a legitimate wireless access point.

Typosquatting (URL hijacking) - setting up similarly named websites so that users making typographical errors when entering a website name are sent to an invalid site.

QR barcode replacements - fraudsters cover valid Quick Response codes with stickers containing a replacement QR code to fool people into going to an unintended site that infects their phones with malware.
Tabnapping - secretly changing an already open browser tab in order to capture user IDs and passwords when the victim logs back into the site.

Scavenging (Dumpster diving) - searching documents and records to gain access to confidential information.

Shoulder surfing - perpetrators look over a person’s shoulders in a public place to get information such as ATM PIN numbers or user IDs and passwords.

Lebanese looping - the perpetrator inserts a sleeve into an ATM that prevents the ATM from ejecting the card.

Skimming - double-swiping a credit card in a legitimate terminal or covertly swiping a credit card in a small, hidden, handheld card reader that records credit card data for later use.

Chipping - planting a small chip that records transaction data in a legitimate credit card reader.

Eavesdropping - listening to private communications or tapping into data transmissions.

MALWARE:

Malware - any software that is used to do harm.

THE ONLINE UNDERGROUND FRAUD COMMUNITY:

Malware writers - create new viruses, spyware, and Trojan horses that are used to infect computers.

Malware owners - buy the malware (often custom written).

Botnet owners - control an army of malware-infected zombie computers.

Identity fraudsters - buy the malware-captured information and identities.

Identity intermediaries - buy stolen credit card identities, buy goods online, and have the goods sent to a drop service.

Drop services - employ drops (criminal fences or unsuspecting individuals) to sell the goods online or to people or stores looking for cheap goods.

Guarantors - guarantee that the various people who deal with each other make the agreed-upon exchanges.

Antivirus software vendors - produce software that combats malware.

Note: Antivirus software is reactive; it does not detect a new signature until a virus is “in the wild” and attacking systems.

Spyware - secretly monitors and collects personal information about users and sends it to someone else.

Adware - spyware that can pop banner ads on a monitor, collect information about the user’s web-surfing and spending habits, and forward it to the adware creator.
Torpedo software - destroys competing malware, resulting in “malware warfare” between competing developers.

Scareware - software that is often malicious, is of little or no benefit, and is sold using scare tactics.

Ransomware - encrypts programs and data until a ransom is paid to remove it.

Keylogger - records computer activity, such as a user’s keystrokes, e-mails sent and received, websites visited, and chat session participation.

Trojan horse - a set of malicious computer instructions in an authorized and otherwise properly functioning program.

Time bombs and logic bombs - Trojan horses that lie idle until triggered by a specified date or time, by a change in the system, by a message sent to the system, or by an event that does not occur.

Trap door or back door - a set of computer instructions that allows a user to bypass the system’s normal controls.

Packet sniffers - capture data from information packets as they travel over networks.

Steganography program - a program that can merge confidential information with a seemingly harmless file, password protect the file, and send it anywhere in the world, where the file is unlocked and the confidential information is reassembled.

Rootkit - conceals processes, files, network connections, memory addresses, system utility programs, and system data from the operating system and other programs.

Superzapping - the unauthorized use of special system programs to bypass regular system controls and perform illegal acts, all without leaving an audit trail.

Virus - a segment of self-replicating, executable code that attaches itself to a file or program.

Worm - a program rather than a code segment hidden in a host program; a worm also copies itself automatically and actively transmits itself directly to other systems.

Bluesnarfing - stealing (snarfing) contact lists, images, and other data using Bluetooth.

Bluebugging - taking control of someone else’s phone to make or listen to calls, send or read text messages, connect to the Internet, forward the victim’s calls, and call numbers that charge fees.

CHAPTER 7: CONTROL AND ACCOUNTING INFORMATION SYSTEMS
Threat/Event - any potential adverse occurrence or unwanted event that could injure the AIS or the organization.

Exposure/Impact - the potential dollar loss should a particular threat become a reality.

Likelihood/Risk - the probability that a threat will come to pass.

Internal controls - the processes and procedures implemented to provide reasonable assurance that control objectives are met.

Note: Internal control systems have inherent limitations, such as susceptibility to simple errors and mistakes, faulty judgments and decision making, management overrides, and collusion.

THREE FUNCTIONS OF INTERNAL CONTROL:

1. Preventive controls deter problems before they arise.

2. Detective controls discover problems that are not prevented.

3. Corrective controls identify and correct problems as well as correct and recover from the resulting errors.

TWO CATEGORIES OF INTERNAL CONTROL:

1. General controls make sure an organization’s control environment is stable and well managed. Examples include security; IT infrastructure; and software acquisition, development, and maintenance controls.

2. Application controls prevent, detect, and correct transaction errors and fraud in application programs. They are concerned with the accuracy, completeness, validity, and authorization of the data captured, entered, processed, stored, transmitted to other systems, and reported.

FOUR LEVERS OF CONTROL:

1. Belief system describes how a company creates value, helps employees understand management’s vision, communicates company core values, and inspires employees to live by those values.

2. Boundary system helps employees act ethically by setting boundaries on employee behavior.

3. Diagnostic control system measures, monitors, and compares actual company progress to budgets and performance goals.

4. Interactive control system helps managers to focus subordinates’ attention on key strategic issues and to be more involved in their decisions.

Foreign Corrupt Practices Act (FCPA) - legislation passed to prevent companies from bribing foreign officials to obtain business; it also requires that all publicly owned corporations maintain a system of internal accounting controls.

Sarbanes–Oxley Act (SOX) - legislation intended to prevent financial statement fraud, make financial reports more transparent, provide protection to investors, strengthen internal controls at public
companies, and punish executives who perpetrate fraud.

Public Company Accounting Oversight Board (PCAOB) - created to control the auditing profession. The PCAOB sets and enforces auditing, quality control, ethics, independence, and other auditing standards. It consists of five people who are appointed by the Securities and Exchange Commission (SEC).

Section 404 requires companies to issue a report accompanying the financial statements stating that management is responsible for establishing and maintaining an adequate internal control system.

Control Objectives for Information and Related Technology (COBIT) - a security and control framework that allows:

(1) management to benchmark the security and control practices of IT environments.

(2) users of IT services to be assured that adequate security and control exist.

(3) auditors to substantiate their internal control opinions and advise on IT security and control matters.

COBIT 5 - a comprehensive framework that helps enterprises achieve their IT governance and management objectives.

COBIT 5 PRINCIPLES:

1. Meeting stakeholder needs.
2. Covering the enterprise end-to-end.
3. Applying a single, integrated framework.
4. Enabling a holistic approach.
5. Separating governance from management.

Governance is the responsibility of the board of directors who:

(1) evaluate stakeholder needs to identify objectives.

(2) provide management with direction by prioritizing objectives.

(3) monitor management’s performance.

Process reference model - the model identifies the five governance processes (referred to as evaluate, direct and monitor—or EDM).

THE 32 MANAGEMENT PROCESSES ARE BROKEN DOWN INTO THE FOLLOWING FOUR DOMAINS:

1. Align, plan, and organize (APO)
2. Build, acquire, and implement (BAI)
3. Deliver, service, and support (DSS)
4. Monitor, evaluate, and assess (MEA)

Committee of Sponsoring Organizations (COSO) - a private sector group consisting of the American Accounting Association, the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives Institute.

Internal Control—Integrated Framework (IC) - a COSO framework that defines internal controls and provides guidance for evaluating and enhancing internal control systems.

Note: IC is widely accepted as the authority on internal controls and is incorporated into
policies, rules, and regulations used to control business activities.

Enterprise Risk Management—Integrated Framework (ERM) - a COSO framework; the process the board of directors and management use to set strategy, identify events that may affect the entity, assess and manage risk, and provide reasonable assurance that the company achieves its objectives and goals.

ERM ADDS THREE ADDITIONAL ELEMENTS TO COSO’S IC FRAMEWORK:

1. setting objectives
2. identifying events that may affect the company
3. developing a response to assessed risk.

FIVE COMPONENTS OF COSO’S INTERNAL CONTROL MODEL:

1. Control environment

● This is the foundation for all other components of internal control.
● The core of any business is its people—their individual attributes, including integrity, discipline, ethical values, and competence—and the environment in which they operate.

2. Risk assessment

● The organization must identify, analyze, and manage its risks.
● Managing risk is a dynamic process.
● Management must consider changes in the external environment and within the business that may be obstacles to its objectives.

3. Control activities

● Control policies and procedures help ensure that the actions identified by management to address risks and achieve the organization’s objectives are effectively carried out.
● Control activities are performed at all levels and at various stages within the business process and over technology.

4. Information and communication

● Capture and exchange the information needed to conduct, manage, and control the organization’s operations.

5. Monitoring

● The entire process must be monitored, and modifications made as necessary so the system can change as conditions warrant.

Internal Environment

● First ERM component.
● The company culture that is the foundation for all other ERM components, as it influences how organizations establish strategies and objectives; structure business activities; and identify, assess, and respond to risk.

AN INTERNAL ENVIRONMENT CONSISTS OF THE FOLLOWING:

1.) Management’s philosophy, operating style, and risk appetite
● Risk appetite - the amount of risk a company is willing to accept to achieve its goals and objectives.

2.) Commitment to integrity, ethical values, and competence

● Organizations need a culture that stresses integrity and commitment to ethical values and competence.

3.) Internal control oversight by the board of directors

● Audit committee - the outside, independent board of director members responsible for financial reporting, regulatory compliance, internal control, and hiring and overseeing internal and external auditors (required by SOX).

4.) Organizational structure

● Organizational structure provides a framework for planning, executing, controlling, and monitoring operations.

5.) Methods of assigning authority and responsibility

● Policy and procedures manual explains proper business practices, describes needed knowledge and experience, explains document procedures, explains how to handle transactions, and lists the resources provided to carry out specific duties.

6.) Human resource standards that attract, develop, and retain competent individuals

HR POLICIES AND PROCEDURES:

1. Hiring - employees should be hired based on educational background, experience, achievements, honesty and integrity, and meeting written job requirements.

Background check - an investigation of a prospective or current employee that involves verifying their educational and work experience, talking to references, checking for a criminal record or credit problems, and examining other publicly available information.

2. Compensating, Evaluating, and Promoting - poorly compensated employees are more likely to feel resentment and financial pressures that can motivate fraud.

3. Training - training programs should teach new employees their responsibilities; expected levels of performance and behavior; and the company’s policies and procedures, culture, and operating style.

4. Managing Disgruntled Employees - companies need procedures to identify disgruntled employees and either help them resolve their feelings or remove them from sensitive jobs.

5. Discharging - dismissed employees should be removed from sensitive jobs immediately and denied access to the information system.

6. Vacations and Rotation of Duties - fraud schemes that require ongoing perpetrator
attention are uncovered when the perpetrator takes time off.

7. Confidentiality Agreements and Fidelity Bond Insurance - all employees, suppliers, and contractors should sign and abide by a confidentiality agreement.

Fidelity bond insurance coverage of key employees protects companies against losses arising from deliberate acts of fraud.

8. Prosecute and Incarcerate Perpetrators

7.) External influences

Note: One of the greatest control strengths is the honesty of employees; one of the greatest control weaknesses is the dishonesty of employees.

Objective Setting

● Second ERM component.
● Management determines what the company hopes to achieve, often referred to as the corporate vision or mission.
● Management sets objectives at the corporate level and then subdivides them into more specific objectives for company subunits.

Strategic objectives - high-level goals that are aligned with and support the company’s mission and create shareholder value.

Operations objectives - deal with the effectiveness and efficiency of company operations and determine how to allocate resources.

Reporting objectives - help ensure the accuracy, completeness, and reliability of company reports; improve decision making; and monitor company activities and performance.

Compliance objectives - help the company comply with all applicable laws and regulations.

COSO defines an event as “an incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of objectives. Events may have positive (opportunity) or negative (risk) impacts or both.”

Note: An event represents uncertainty; it may or may not occur. Events may occur individually or concurrently.

Inherent risk - the susceptibility of a set of accounts or transactions to significant control problems in the absence of internal control.

Residual risk - the risk that remains after management implements internal controls or some other response to risk.

FOUR RESPONSES TO RISK:

● Reduce. Reduce the likelihood and impact of risk by implementing an effective system of internal controls.
● Accept. Accept the likelihood and impact of the risk.
● Share. Share risk or transfer it to someone else by buying insurance, outsourcing an activity, or entering into hedging transactions.
● Avoid. Avoid risk by not engaging in the activity that produces the risk. This may require the company to sell a division, exit a product line, or not expand as anticipated.

Expected loss - the mathematical product of the potential dollar loss that would occur should a threat become a reality and the risk or probability that the threat will occur.

Expected loss = Impact x Likelihood

Note: Costs are usually easier to measure than benefits.

Control activities are policies, procedures, and rules that provide reasonable assurance that control objectives are met and risk responses are carried out.

Note: It is management’s responsibility to develop a secure and adequately controlled system.

CONTROL PROCEDURES CATEGORIES:

1.) Proper authorization of transactions and activities

Authorization - establishing policies for employees to follow and then empowering them to perform certain organizational functions.

Digital signature - a means of electronically signing a document with data that cannot be forged.

Specific authorization - special approval an employee needs in order to be allowed to handle a transaction.

General authorization - the authorization given to employees to handle routine transactions without special approval.

2.) Segregation of duties

ACHIEVED WHEN THE FOLLOWING FUNCTIONS ARE SEPARATED:

● Authorization - approving transactions and decisions.
● Recording - preparing source documents; entering data into computer systems; and maintaining journals, ledgers, files, or databases.
● Custody - handling cash, tools, inventory, or fixed assets; receiving incoming customer checks; writing checks.

Collusion - cooperation between two or more people in an effort to thwart internal controls.

Segregation of systems duties - implementing control procedures to clearly divide authority and responsibility within the information system function.

AUTHORITY AND RESPONSIBILITY SHOULD BE DIVIDED CLEARLY AMONG THE FOLLOWING FUNCTIONS:

1. Systems administration. Systems administrators make sure all information system components operate smoothly and efficiently.
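A detective check for the segregation of duties described above, as an added example that is not part of these notes: it reads a constructed audit-trail extract (the term is defined later in these notes) and reports every transaction on which one user combined two of the three functions (authorization, recording, custody). The users, transaction ids and event details are all constructed.

```python
"""
Added example (not from the Romney notes): testing segregation of duties
against an audit trail. Everything in AUDIT_TRAIL is constructed.
"""
import csv
import io
from collections import defaultdict

# Constructed audit-trail extract: who performed which function on which
# transaction, in the order the events were logged.
AUDIT_TRAIL = """\
txn,user,function,detail
T-1001,maria,authorization,approved purchase order
T-1001,omar,recording,entered invoice in AP ledger
T-1001,li,custody,printed and signed check
T-1002,omar,authorization,approved purchase order
T-1002,omar,recording,entered invoice in AP ledger
T-1002,li,custody,printed and signed check
T-1003,maria,authorization,approved vendor
T-1003,dana,recording,entered invoice in AP ledger
T-1003,dana,custody,printed and signed check
"""

# The three functions the notes say must be held by different people.
INCOMPATIBLE = {"authorization", "recording", "custody"}


def parse_trail(text: str) -> list:
    """Parse the CSV extract into a list of event dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def functions_by_user(events: list) -> dict:
    """Map (txn, user) to the set of control functions that user performed
    on that transaction."""
    seen = defaultdict(set)
    for e in events:
        seen[(e["txn"], e["user"])].add(e["function"])
    return seen


def find_sod_violations(events: list) -> list:
    """One finding per (txn, user) that combined two or more incompatible
    functions: the condition that lets one person both commit and conceal
    an error or fraud without needing collusion. Collusion between two
    users is outside what this check can see."""
    findings = []
    for (txn, user), funcs in functions_by_user(events).items():
        combined = funcs & INCOMPATIBLE
        if len(combined) > 1:
            findings.append((txn, user, tuple(sorted(combined))))
    return findings


def trace(events: list, txn: str) -> list:
    """Audit trail use: follow one transaction from origin to output."""
    return [(e["user"], e["function"], e["detail"])
            for e in events if e["txn"] == txn]


if __name__ == "__main__":
    events = parse_trail(AUDIT_TRAIL)
    for finding in find_sod_violations(events):
        print("SoD violation:", finding)
    for step in trace(events, "T-1002"):
        print("  ", step)
```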
2. Network management. Network managers ensure that devices are linked to the organization’s internal and external networks and that those networks operate properly.

3. Security management. Security management makes sure that systems are secure and protected from internal and external threats.

4. Change management. Change management is the process of making sure changes are made smoothly and efficiently and do not negatively affect systems reliability, security, confidentiality, integrity, and availability.

5. Users. Users record transactions, authorize data to be processed, and use system output.

6. Systems analysis. Systems analysts help users determine their information needs and design systems to meet those needs.

7. Programming. Programmers take the analysts’ design and develop, code, and test computer programs.

8. Computer operations. Computer operators run the software on the company’s computers. They ensure that data are input properly, processed correctly, and that needed output is produced.

9. Information system library. The information system librarian maintains custody of corporate databases, files, and programs in a separate storage area called the information system library.

10. Data control. The data control group ensures that source data have been properly approved, monitors the flow of work through the computer, reconciles input and output, maintains a record of input errors to ensure their correction and resubmission, and distributes systems output.

3.) Project development and acquisition controls

IMPORTANT SYSTEMS DEVELOPMENT CONTROLS:

1. Steering committee guides and oversees systems development and acquisition.

2. Strategic master plan is a multiple-year plan of the projects the company must complete to achieve its long-range goals.

3. Project development plan shows how a project will be completed.

Project milestones - points where progress is reviewed and actual and estimated completion times are compared.

4. Data processing schedule shows when each task should be performed.

5. System performance measurements are established to evaluate the system.

Throughput - the amount of work performed by a system during a given period of time.

Utilization - the percentage of time a system is used.
Response time - how long it takes for a system to respond.

6. Post-implementation review is performed after a development project is completed to determine whether the anticipated benefits were achieved.

Systems integrator - an outside party hired to manage a company’s systems development effort.

4.) Change management controls

5.) Design and use of documents and records

6.) Safeguarding assets, records, and data

IT IS IMPORTANT TO:

i. Create and enforce appropriate policies and procedures.
ii. Maintain accurate records of all assets.
iii. Restrict access to assets.
iv. Protect records and documents.

7.) Independent checks on performance

INDEPENDENT CHECKS:

1. Top-level reviews.
2. Analytical reviews.
3. Reconciliation of independently maintained records.
4. Comparison of actual quantities with recorded amounts.
5. Double-entry accounting.
6. Independent review.

Information and communication systems - should capture and exchange the information needed to conduct, manage, and control the organization’s operations.

Audit trail - a path that allows a transaction to be traced through a data processing system from point of origin to output or backward from output to point of origin.

KEY METHODS OF MONITORING:

i. Perform internal control evaluations.
ii. Implement effective supervision.
iii. Use responsibility accounting systems.
iv. Monitor system activities.
v. Track purchased software and mobile devices.
vi. Conduct periodic audits.
vii. Employ a computer security officer and a chief compliance officer.
viii. Engage forensic specialists.
ix. Install fraud detection software.
x. Implement a fraud hotline.

Internal audits - assess the reliability and integrity of financial and operating information, evaluate internal control effectiveness, and assess employee compliance with management policies and procedures as well as applicable laws and regulations.

Note: Internal audit should report to the audit committee, not the controller or chief financial officer.

Computer Security Officer (CSO) - an employee independent of the information system function who monitors the system, disseminates information about improper system uses and their consequences, and reports to top management.
Chief Compliance Officer (CCO) - an employee responsible for all the compliance tasks associated with SOX and other laws and regulatory rulings.

Forensic investigators - individuals who specialize in fraud, most of whom have specialized training with law enforcement agencies such as the FBI or IRS or have professional certifications such as Certified Fraud Examiner (CFE).

Computer forensics specialists - computer experts who discover, extract, safeguard, and document computer evidence such that its authenticity, accuracy, and integrity will not succumb to legal challenges.

Neural networks - computing systems that imitate the brain’s learning process by using a network of interconnected processors that perform multiple operations simultaneously and interact dynamically.

Fraud hotline - a phone number employees can call to anonymously report fraud and abuse.