Required: a. What weaknesses in the organization's control structure must have existed to permit this type of embezzlement?

Response: The control over output documents (i.e., the MRP, inventory ordering system, billing, sales order, accounts payable, and the operating manuals) was very weak. These documents should not be discarded in a manner in which they can be retrieved and read by anyone. Inadequate operating system controls were in place that allowed a Trojan horse program to retrieve user IDs and passwords. Management reports reflecting new vendors, new suppliers, and new systems personnel IDs were either not being prepared or not being carefully reviewed. Reports reflecting changes to the transaction log were inadequate; otherwise the changes would have been noticed.

Required: b. What specific control techniques and procedures could have helped prevent or detect this fraud?

Response: All documentation manuals should be shredded or placed into an incinerator. An operating system should have controls to protect it against breaches such as the Trojan horse programming technique. Reports reflecting any additions to vendors or suppliers should be carefully reviewed by management for accuracy. A periodic list of all systems personnel and their passwords should be printed and reviewed. A sign-off procedure for verification of these reports would send a strong message to the managers that these reports should be carefully reviewed. The numbering of transactions on the transaction log, such as sales orders and purchase orders, should be implemented so that transactions cannot be deleted without the occurrence of a gap in the sequence.

5. Input Controls and Networking

Required: a. Identify and explain the data security and integrity problems that can occur. b. For each problem identified, describe a control procedure that could be employed to minimize or eliminate the problem.
need Assign user views based on need; Establish user-defined procedures; Encrypt financial data in the database
Problem: Unauthorized intrusion to system and data from the internet, including denial of service attack
Control: Implement an application-level firewall; Encrypt financial data in the database; Use digital signatures; Implement security software to identify open connections that indicate a SYN flood; Use message sequence numbering; Use security techniques such as request-response and call-back

Problem: Transmitted data received at corporate headquarters from the reporting units may be corrupted by line errors or other hardware failure.
Control: The system should have built-in controls including echo check and parity check to correct line errors.
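
The fraud case above recommends numbering sales orders and purchase orders so that a deleted transaction leaves a gap in the sequence. The following is an added example, not part of the original solutions: a reviewer's check over a transaction log. The log layout, the document-type codes and the `issued` ranges (taken from a separate record of numbers handed out) are assumptions made for illustration, and the sample data is constructed.

```python
from collections import Counter, defaultdict

# Constructed sample log: (document type, sequence number, description).
SAMPLE_LOG = [
    ("SO", 1001, "sales order"),
    ("SO", 1002, "sales order"),
    ("PO", 500, "purchase order"),
    ("SO", 1004, "sales order"),     # SO 1003 has been removed
    ("PO", 501, "purchase order"),
    ("PO", 501, "purchase order"),   # same number used twice
    ("PO", 505, "purchase order"),   # PO 502-504 have been removed
    ("PO", 9001, "purchase order"),  # number that was never issued
]

# Constructed record of the first and last number issued per document type.
# Without it, a deletion at the end of the sequence (SO 1005) leaves no gap.
SAMPLE_ISSUED = {"SO": (1001, 1005), "PO": (500, 505)}


def audit_sequences(log, issued):
    """Compare logged numbers with the issued ranges, per document type."""
    counts = defaultdict(Counter)
    for doc_type, number, _description in log:
        counts[doc_type][number] += 1

    report = {}
    for doc_type in sorted(set(issued) | set(counts)):
        # A type with no issued range gets an empty range: all of it is flagged.
        first, last = issued.get(doc_type, (1, 0))
        expected = range(first, last + 1)
        logged = counts[doc_type]
        report[doc_type] = {
            "missing": [n for n in expected if n not in logged],
            "duplicates": sorted(n for n, c in logged.items() if c > 1),
            "unissued": sorted(n for n in logged if n not in expected),
        }
    return report


if __name__ == "__main__":
    for doc_type, findings in audit_sequences(SAMPLE_LOG, SAMPLE_ISSUED).items():
        print(doc_type, findings)
```

Each non-empty list is an exception for the management sign-off review that the response describes.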
9. Security and Control Assessment
Required: Based on BBC's plans for the implementation of a new computer system, describe the potential risks and needed controls. Classify these according to the relevant areas of the COSO framework.

Response: The potential risks in BBC's new computer-based information system are as follows:

Security

BBC should hold a training seminar since most employees will be using the computer system. The purpose of the seminar is to educate users on the policies and procedures of the system and to inform them about viruses and measures they can take to prevent infection. Virus updates should be performed on a daily basis by the systems administrator rather than on a weekly basis.

If a password is entered incorrectly three times, the system should automatically reject any further entries. This is a security measure that prevents someone from attempting to gain unauthorized access to another user's account. If this situation arises, the system should make note of the date and time in case this information is ever needed in an investigation. Passwords should be changed at least twice a year. The more often passwords are changed, the more secure the system will be. Furthermore, software should be installed that rejects weak passwords.

Event monitoring should be used for purposes of a systems audit trail. The system will record the user name and then all information regarding the tasks performed during the period that they are logged on. An upper-level manager should also have access to the transaction log. This will prevent the systems administrator from potentially trying to hide his own fraudulent actions involving the computer system.

To protect against physical damage in the case of fire, a water sprinkler system is not appropriate due to the damage it can cause to a computer. The automatic fire extinguishing systems should dispense an appropriate type of suppressant, such as carbon dioxide.
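
The lockout rule in the Security response (three incorrect passwords, further entries rejected, date and time noted) can be written as follows. This is an added example, not part of the original solutions; the class name, event names and in-memory storage are assumptions made for illustration, and unlocking is left to an administrative procedure that is not shown.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

MAX_FAILURES = 3  # threshold stated in the response


class LoginGuard:
    """Hypothetical login check with lockout and a timestamped event record."""

    def __init__(self):
        self.users = {}     # name -> (salt, derived key); no plaintext stored
        self.failures = {}  # name -> consecutive failed attempts
        self.locked = set()
        self.events = []    # (UTC timestamp, user, event) for investigators

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, name, password):
        salt = os.urandom(16)
        self.users[name] = (salt, self._derive(password, salt))

    def _record(self, name, event):
        stamp = datetime.now(timezone.utc).isoformat()
        self.events.append((stamp, name, event))

    def login(self, name, password):
        # Once locked, reject every entry, including the correct password.
        if name in self.locked:
            self._record(name, "rejected_locked")
            return False
        # Unknown names take the same code path as known ones.
        salt, key = self.users.get(name, (b"\0" * 16, b""))
        if hmac.compare_digest(self._derive(password, salt), key):
            self.failures[name] = 0
            self._record(name, "login_ok")
            return True
        self.failures[name] = self.failures.get(name, 0) + 1
        self._record(name, "login_failed")
        if self.failures[name] >= MAX_FAILURES:
            self.locked.add(name)
            self._record(name, "account_locked")
        return False
```

The `events` list is the part an upper-level manager would review, which is why it records rejected attempts on a locked account as well as the lockout itself.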
Systems Development

Employees should not be allowed to purchase and install software on company computers even if it is for work-related reasons. All software should be purchased from a single company to ensure reliability and compatibility.

Program Changes

The newly hired systems administrator should not be involved in the initial computer programming since they will be updating the system when needed. This person would have the knowledge of how to hide illegal changes. All systems changes should be carefully documented and filed. This serves as a control and can help somebody see exactly what was done if a problem with the change occurs.