4.

Internal Control and Fraud

Required: a. What weaknesses in the organizations control structure must have existed
to permit this type of embezzlement?
Response: The control over output documents (i.e. the MRP, inventory ordering system,
billing, sales order, accounts payable, and the operating manuals) was very weak. These
documents should not be discarded in a manner in which they can be retrieved and read by
anyone. Inadequate operating system controls were in place that allowed a Trojan horse program
to retrieve user IDs and passwords. Management reports reflecting new vendors, new suppliers,
and new systems personnel IDs were either not being prepared or not being carefully reviewed.
Inadequate reports reflecting changes to the transaction log were being kept or the changes in
them would have been noticed.
Required: b. What specific control techniques and procedures could have helped
prevent or detect this fraud?
Response: All documentation manuals should be shredded or placed into an incinerator.
An operating system should have controls to protect it against breaches such as the Trojan horse
programming technique. Reports reflecting any additions to vendors or suppliers should be
carefully reviewed by management for accuracy. A periodic list of all systems personnel and
their passwords should be printed and reviewed. A sign-off procedure for verification of these
reports would send a strong message to the managers that these reports should be carefully
reviewed. The numbering of transactions on the transaction log, such as sales orders and
purchase orders should be implemented so that transactions cannot be deleted without the
occurrence of a gap in the sequence.
5. Input Controls and Networking
Required:
a. Identify and explain the data security and integrity problems that can occur.
b. For each problem identified, describe a control procedure that could be employed to
minimize or eliminate the problem.

Problem Identification and Explanation

Control Procedure and Explanation

Establish access privileges based on need

Unauthorized access to the reporting system

Implement Passwords and password

management procedures
Encrypt password file
Establish system audit trail
Employ antiviral software

Unauthorized access to report database

Establish database authority table based on

need
Assign user views based on need
Establish user-defined procedures
Encrypt financial data in the database

Unauthorized intrusion to system and data

from the internet, including denial of service
attack

Implement an application-level firewall

Encrypt financial data in the database
Use digital signatures
Implement security software to identify open
connections that indicate a SYN flood
Use message sequence numbering
Use security techniques such as requestresponse and call-back

Transmitted data received at corporate

headquarters from the reporting units may be
corrupted by line errors or other hardware
failure.

They system should have built-in controls

including echo check and parity check to
correct line errors.

9. Security and Control Assessment

Required: Based on BBCs plans for the implementation of a new computer system,
describe the potential risks and needed controls. Classify these according to the relevant areas of
the COSO framework.
Response: The potential risks in BBC new computer-based information system are as follows:
Security
BBC should hold a training seminar since most employees will be using the computer system.
The purpose of the seminar is to educate users on the policies and procedures of the system and
to inform them about viruses and measures they can take to prevent infection.
Virus updates should be performed on a daily basis by the systems administrator rather than on a
weekly basis.
If a password is entered incorrectly three times, the system should automatically reject any
further entries, this is a security measure that prevents someone from attempting to gain
unauthorized access to another users account. If this situation arises, the system should make
note of the date and time in case this information is ever needed in an investigation.
Passwords should be changed at least twice a year. The more often passwords are changed the
more secure the system will be. Furthermore, software should be installed that rejects weak
passwords.
Event monitoring should be used for purposes of a systems audit trail. The system will record the
user name and then all information regarding the tasks performed during the period that they are
logged on.
An upper level manger should also have access to the transaction log. This will prevent the
systems administrator from potentially trying to hide his own fraudulent actions involving the
computer system.
To prevent against physical damage in the case of fire, a water sprinkler system is not appropriate
due to the damage it can cause to a computer. The automatic fire extinguishing systems should
dispense an appropriate type of suppressant, such as carbon dioxide.
Systems Development
Employees should not be allowed to purchase and install software on company computers even if
it is for work related reasons. All software should be purchased from single company to ensure
reliability and compatibility.
Program Changes
The newly hired systems administrator should not be involved in the initial computer
programming since they will be updating the system when needed. This person would have the
knowledge of how to hide illegal changes.

All systems changes should be carefully documented and filed. This serves as a control and can
help somebody see exactly what was done if a problem with the change occurs.