All 22 chapters' end-of-chapter questions solved.
All solutions are in .doc format. Instant download.
To order, contact us at Whisperhills@Gmail.com
CHAPTER 1
Accounting Information Systems: An Overview
1.1 The value of information is the
difference between the benefits realized from using that information and the
costs of producing it. Would you, or any organization, ever produce
information if its expected costs exceeded its benefits? If so, provide
some examples. If not, why not?
1.2 Can the characteristics of
useful information listed in Table 1-1 be met simultaneously? Or does
achieving one mean sacrificing another?
1.3 You and a few of your classmates
decided to become entrepreneurs. You came up with a great idea for a new
mobile phone application that you think will make lots of money. Your
business plan won second place in a local competition, and you are using the
$10,000 prize to support yourselves as you start your company.
a. Identify the key decisions you need to make to be successful entrepreneurs, the information you need to make them, and the business processes you will need to engage in.
b. Your company will need to exchange information with various external parties. Identify the external parties, and specify the information received from and sent to each of them.
1.4 How do an organization’s business processes and lines of business
affect the design of its AIS? Give several examples of how differences
among organizations are reflected in their AIS.
1.5 Figure 1-4 shows that organizational culture and the design of an
AIS influence one another. What does this imply about the degree to which
an innovative system developed by one company can be transferred to another
company?
1.6 Figure 1-4 shows that developments in IT affect both an
organization’s strategy and the design of its AIS. How can a company
determine whether it is spending too much, too little, or just enough on IT?
1.7 Apply the value chain concept to
S&S. Explain how it would perform the various primary and support
activities.
1.8 Information
technology enables organizations to easily collect large amounts of information
about employees. Discuss the following issues:
a. To what extent should management monitor employees’ e-mail?
b. To what extent should management monitor which Web sites employees visit?
c. To what extent should management monitor employee performance by, for example, using software to track keystrokes per hour or some other unit of time? If such information is collected, how should it be used?
d. Should companies use software to electronically “shred” all traces of e-mail?
e. Under what circumstances and to whom is it appropriate for a company to distribute information it collects about the people who visit its Web site?
Problems
1.1 Information technology is
continually changing the nature of accounting and the role of accountants.
Write a two-page report describing what you think the nature of the accounting
function and the accounting information system in a large company will be like
in the year 2020.
1.2 Adapted from the CMA Examination
a. Identify and discuss the basic factors of communication that must be considered in the presentation of the annual report.
b. Discuss the communication problems a corporation faces in preparing the annual report that result from the diversity of the users being addressed.
c. Select two types of information found in an annual report, other than the financial statements and accompanying footnotes, and describe how they are helpful to the users of annual reports.
d. Discuss at least two advantages and two disadvantages of stating well-defined corporate strategies in the annual report.
e. Evaluate the effectiveness of annual reports in fulfilling the information needs of the following current and potential users: shareholders, creditors, employees, customers, and financial analysts.
f. Annual reports are public and
accessible to anyone, including competitors. Discuss how this affects
decisions about what information should be provided in annual reports.
1.3 The use of IT at USAA
a. Why should USAA collect data on which auto parts are fixed most frequently? What could it do with this data?
b. Even though USAA offered to waive the deductible, the repair shops still managed to convince 95% of the owners to replace rather than repair their damaged windshields. How could USAA use its AIS to persuade more shop owners to repair rather than replace their windows?
a. How does the image-processing system at USAA add value to the organization?
b. How do the remote deposit capture and mobile banking system at USAA add value to the organization?
c. Do an Internet search and find out what other advancements USAA has introduced. Write a brief paragraph on each new application or other newsworthy item you find (maximum limit of three applications or items).
1.4 Match the description in the right column with the information characteristic in the left column.

| Information characteristic | Description |
|---|---|
| 1. Relevant | a. The report was carefully designed so that the data contained on the report became information to the reader |
| 2. Reliable | b. The manager was working one weekend and needed to find some information about production requests for a certain customer. He was able to find the report on the company’s network. |
| 3. Complete | c. The data on a report was checked by two clerks working independently |
| 4. Timely | d. An accounts receivable aging report that included all customer accounts |
| 5. Understandable | e. A report checked by 3 different people for accuracy |
| 6. Verifiable | f. An accounts receivable aging report used in credit granting decisions |
| 7. Accessible | g. An accounts receivable aging report was received before the credit manager had to make a decision whether to extend customer credit |
1.5 The Howard Leasing Company
a. What is an accounts receivable aging report?
b. Why is an accounts receivable aging report needed for an audit?
c. What is an accounts receivable aging report used for in normal company operations?
d. What data will you need to prepare the report?
e. Where will you collect the data you need to prepare the report?
f. How will you collect the necessary data for the report?
g. What will the report look like (i.e., how will you organize the data collected to create the information your supervisor needs for the audit)? Prepare an accounts receivable aging report in Excel or another spreadsheet package.
h. How will you distribute the report? How many copies will you make? Who should receive the copies? What security features will you implement?
1.6 The use of IT at Tesco
a. What kind of information do you think Tesco gathers?
a. How do you think Tesco has motivated over 12 million customers to sign up for its Clubcard program?
b. What can Tesco accomplish with the Clubcard data it collects? Think in terms of strategy and competitive advantage.
c. What are some of the disadvantages to the Clubcard program?
d. Do an Internet search to find out how Tesco is doing in comparison to Wal-Mart and other grocers and retailers. Write a few paragraphs explaining your findings.
1.7 Have you
ever imagined having one electronic device that does everything you would ever
need? Mobile phone makers in Japan have gone beyond the imagining
phase. Cell phones in Japan are becoming more versatile than ever. Newer
models of cell phones contain a myriad of applications and can do many of the
things that a personal computer (PC) can do. PCs are also able to
function as phones. A small but growing number of professionals are
trading in their laptops for handheld computers. Cell phone manufacturers
in the United States and elsewhere are quickly catching up to their Japanese
counterparts.
a. What commercial activities can be done with a cell phone? With a cell phone/PC combination device? What do you do when you’re on your cell phone? What do you expect to be doing in five years?
b. How can
businesses utilize this technology to attract more customers, sell more
products, advertise their products, facilitate the sale of products, and
conduct and manage their businesses more efficiently and effectively?
c. What are some problems or drawbacks you can see with using these
devices in business?
1.8 Classify each of the following items as belonging in the revenue,
expenditure, human resources/payroll, production, or financing cycle.
1. Purchase raw materials
2. Pay off mortgage on factory
3. Hire a new assistant controller
4. Establish a $10,000 credit limit for a new customer
5. Pay for raw materials
6. Disburse payroll checks to factory workers
7. Record goods received from vendor
8. Update the allowance for uncollectible accounts
9. Decide how many units to make next month
10. Complete picking ticket for customer order
11. Record factory employee timecards
12. Sell concert tickets
13. Draw on line-of-credit
14. Send new employees to a business ethics course
15. Pay utility bills
16. Pay property taxes on office building
17. Pay federal payroll taxes
18. Sell DVD player
19. Collect payment on customer accounts
20. Obtain a bank loan
21. Pay sales commissions
22. Send an order to a vendor
23. Put purchased goods into the warehouse
Cases
1-1 The Web site for this book contains an adaptation of Russell L. Ackoff’s classic article “Management Misinformation Systems” from Management Science.
In the article, Ackoff identified five common assumptions about information
systems and then explained why he disagreed with them.
Read the five assumptions, contentions, and Ackoff’s
explanations. For each of the five assumptions, decide whether you agree
or disagree with Ackoff’s contentions. Prepare a report in which you
defend your stand and explain your defense.
CHAPTER 2
Overview of Business Processes
2.1 Table 2-1 lists some of the documents used in the
revenue, expenditure, and human resources cycle. What kinds of input or
output documents or forms would you find in the production (or conversion)
cycle?
2.2 With respect to the data processing cycle, explain the phrase
“garbage in, garbage out.” How can you prevent this from happening?
2.3 What kinds of documents are most likely to be turnaround documents? Do an internet search to find the answer and to find example turnaround documents.
2.4 The data processing cycle in Figure 2-1 is an example of a basic
process found throughout nature. Relate the basic
input/process/store/output model to the functions of the human body.
2.5 Some individuals argue that accountants should focus on producing financial statements and leave the design and production of managerial reports to information systems specialists. What are the advantages and disadvantages of following this advice? To what extent should accountants be involved in producing reports that include more than just financial measures of performance? Why?
2.1 The chart of accounts must be tailored to an organization’s specific needs. Discuss how the chart of accounts for the following organizations would differ from the one presented for S&S in Table 2-2.
2.2 Design a chart of accounts for SDC. Explain how you structured the chart of accounts to meet the company’s needs and operating characteristics. Keep total account code length to a minimum, while still satisfying all of Mace’s desires.
2.3 An audit trail enables a person to trace a source document to its ultimate effect on the financial statements or work back from amounts in the financial statements to source documents. Describe in detail the audit trail for the following:
2.4 Your nursery sells various types and sizes of trees, bedding
plants, vegetable plants, and shrubs. It also sells fertilizer and
potting soil. Design a coding scheme for your nursery.
2.5 Match the following terms with their definitions

| TERM | DEFINITION |
|---|---|
| a. data processing | 1. Contains summary-level data for every asset, liability, equity, revenue, and expense account |
| b. source documents | 2. Items are numbered consecutively to account for all items; missing items cause a gap in the numerical sequence |
| c. turnaround documents | 3. Path of a transaction through a data processing system from point of origin to final output, or backwards from final output to point of origin |
| d. source data automation | 4. List of general ledger account numbers; allows transaction data to be coded, classified, and entered into proper accounts; facilitates preparation of financial statements and reports |
| e. general ledger | 5. Contents of a specific field, such as “George” in a name field |
| f. subsidiary ledger | 6. Portion of a data record that contains the data value for a particular attribute, like a cell in a spreadsheet |
| g. control account | 7. Company data sent to an external party and then returned to the system as input |
| h. coding | 8. Used to record infrequent or non-routine transactions |
| i. sequence code | 9. Characteristics of interest that need to be stored |
| j. block code | 10. The steps a company must follow to efficiently and effectively process data about its transactions |
| k. group code | 11. Something about which information is stored |
| l. mnemonic code | 12. Stores cumulative information about an organization; like a ledger in a manual AIS. |
| m. chart of accounts | 13. Contains detailed data for any general ledger account with many individual subaccounts |
| n. general journal | 14. Contains records of individual business transactions that occur during a specific time period |
| o. specialized journal | 15. Updating each transaction as it occurs |
| p. audit trail | 16. Devices that capture transaction data in machine-readable form at the time and place of their origin |
| q. entity | 17. Used to record large numbers of repetitive transactions |
| r. attribute | 18. Set of interrelated, centrally coordinated files |
| s. field | 19. Two or more subgroups of digits are used to code items |
| t. record | 20. Updating done periodically, such as daily |
| u. data value | 21. Systematic assignment of numbers or letters to items to classify and organize them |
| v. master file | 22. Letters and numbers, derived from the item description, are interspersed to identify items; usually easy to memorize |
| w. transaction file | 23. Initial record of a transaction that takes place; usually recorded on preprinted forms or formatted screens |
| x. database | 24. Fields containing data about entity attributes; like a row in a spreadsheet |
| y. batch processing | 25. Sets of numbers are reserved for specific categories of data |
| z. online, real-time processing | 26. The general ledger account corresponding to a subsidiary ledger, where the sum of all subsidiary ledger entries should equal the amount in the general ledger account |
2.6 For each of the following scenarios identify which data processing
method (batch or online, real-time) would be the most appropriate.
2.7 After viewing the Web sites, and based on your reading of the chapter, write a 2 page paper that describes how an ERP can connect and integrate the revenue, expenditure, human resources/payroll, and financing cycles of a business.
2.8 Which
of the following actions update a master file and which would be stored
as a record in a transaction file?
1. Update customer address
change
2. Update unit pricing
information
3. Record daily sales
4. Record payroll checks
5. Change employee pay rates
6. Record production run
variances
7. Record Sales Commissions
8. Change employee office
location
9. Update accounts payable
balance
10. Change customer credit
limit
11. Change vendor payment
discount terms
12. Record purchases
2.9 You were hired to assist Ashton Fleming in designing an accounting system for S&S. Ashton has developed a list of the journals, ledgers, reports, and documents that he thinks S&S needs (see Table 2-6). He asks you to complete the following tasks:
a. Specify what data you think should be collected on each of the following four documents:
b. Design a report to manage inventory.
c. Design a report to assist in managing credit sales and cash collections.
d. Visit a local office supply store and identify what types of journals, ledgers, and blank forms for various documents (sales invoices, purchase orders, etc.) are available. Describe how easily they could be adapted to meet S&S’s needs.
2.1 Bar Harbor Blueberry Farm
Data from Case

| Date | Supplier Invoice | Supplier Name | Supplier Address | Amount |
|---|---|---|---|---|
| March 7 | AJ34 | Bud’s Soil Prep, Inc. | PO Box 34 | $2,067.85 |
| March 11 | 14568 | Osto Farmers Supply | 45 Main | $67.50 |
| March 14 | 893V | Whalers Fertilizer, Inc. | Route 34 | $5,000.00 |
| March 21 | 14699 | Osto Farmers Supply | 45 Main | $3,450.37 |
| March 21 | 10102 | IFM Package Wholesale | 587 Longview | $4,005.00 |
| March 24 | 10145 | IFM Package Wholesale | 587 Longview | $267.88 |
CHAPTER 3
SYSTEMS DEVELOPMENT AND DOCUMENTATION TECHNIQUES
3.1 Identify
the DFD elements in the following narrative: A customer purchases a few items
from a local grocery store. Jill, a salesclerk, enters the transaction in the
cash register and takes the customer’s money. At closing, Jill gives both the
cash and the register tape to her manager.
3.2 Do you agree with the following statement: “Any one of the systems
documentation procedures can be used to adequately document a given system”?
Explain.
3.3 Compare the guidelines for preparing flowcharts and DFDs. What
general design principles and limitations are common to both documentation
techniques?
3.4 Your classmate asks you to explain flowcharting conventions using real-world
examples. Draw each of the major flowchart symbols from memory, placing
them into one of four categories: input/output, processing, storage, and flow
and miscellaneous. For each symbol, suggest several uses.
3.1 Prepare flowcharting segments for each of the following
operations:
a. processing transactions stored on magnetic tape to update a master file stored on magnetic tape
b. processing transactions stored on magnetic tape to update a database stored on a magnetic disk
c. converting source documents to magnetic tape using a computer-based optical character reader (OCR)
d. processing OCR documents online to update a database on magnetic disk
e. reading data from a magnetic disk into the computer to be printed on a report
f. using a computer or terminal to key data from source documents to a file stored on a magnetic disk
g. manually sorting and filing invoices numerically
h. using a terminal to enter source document data and send it to a remote location where an online processing system records it in a database stored on magnetic disk
i. a scheduled automatic backup of an internal hard drive to an external hard drive
j. using a terminal to query customer sales data maintained on a magnetic disk
k. enter employee hours recorded on time cards in the payroll transaction file maintained on disk and update wage data maintained on the payroll master file
l. use a terminal to access a price list maintained on disk to complete a purchase order. An electronic copy of the purchase order is sent to the vendor and a backup copy is printed and filed by vendor name
m. update an airline reservation on a Web-based airline reservation system from a home computer
3.2 Happy Valley Utility Company
a. Draw a system flowchart of the billing operations, commencing with the computer preparation of the meter reading forms and ending with the mailing of customer bills.
b. Draw a system
flowchart depicting customer payments processing, starting with the mail room
operations and ending with the two printed reports.
3.3 Prepare a system flowchart of the process described.
3.4 Prepare a document flowchart to reflect how ANGIC Insurance
Company processes its casualty claims.
3.5
a. Prepare a document flowchart that indicates the interaction and use of these documents among all departments at Beccan Company’s central facility. It should provide adequate internal control over the receipt, issuance, replenishment, and payment of tires and supplies. You may assume that there is a sufficient number of document copies to ensure that the perpetual inventory system has the necessary basic internal controls.
b. Using the flowcharting conventions discussed in Focus 3.2, critique the instructor-provided CMA solution. List all the ways the CMA solution violates those flowcharting guidelines.
3.6
a. Prepare a
context diagram and level 0 DFD to document the payroll processing system at
No-Wear Products.
b. Prepare a document flowchart to document
the payroll processing system at No-Wear Products.
3.7
a. Prepare a context diagram and a level 0 DFD to document accounts payable processing at S&S.
b. Prepare a document flowchart to
document accounts payable processing at S&S.
3.8
a. Develop a
context diagram and a level 0 DFD of the acquisition/payment system at Oriental
Trading.
b. Prepare a document flowchart to
document the acquisition/payment system at Oriental Trading.
3.9
a. Develop a context diagram and a level 0 DFD for the cash receipts system at S&S.
b. Prepare a document flowchart to document the cash receipts system at S&S.
3.10 Draw a context diagram and at least two levels of DFDs for the preceding
3.11
a. Prepare a context diagram and at least two levels of DFDs for this operation.
b. Prepare a document flowchart to document this operation.
3.12 You recognize weaknesses in the existing system and believe a document flowchart would be beneficial in evaluating this client’s internal control in preparing for your examination of the financial statements.
a. Complete the flowchart given in Figure 3-12, for sales and cash receipts of Charting, Inc., by labeling the appropriate symbols and indicating information flows.
Adapted from the 1969 CPA Exam
b. Using the guidelines for preparing flowcharts in Focus 3-2 and the flowcharting symbols shown in Figure 3-8, critique the flowchart shown in Figure 3-12. List the ways the flowchart violates the guidelines or uses improper symbols.
3.13 Bottom Manufacturing Corporation
Charge Sales System
a. List the procedures or the internal documents that are labeled letters c to r in the flowchart of Bottom Manufacturing Corporation’s charge sales system. Organize your answer as follows (Note that the explanations of the letters a and b in the flowchart are entered as examples):

| Flowchart Symbol Letter | Procedures or Internal Document |
|---|---|
| a | Prepare six-part sales order. |
| b | File by order number. |

b. Using the guidelines for preparing flowcharts in Focus 3-2 and the flowcharting symbols shown in Figure 3-8, critique the flowchart shown in Figure 3-13. List the ways the flowchart violates the guidelines or uses improper symbols.
3.14
a. Prepare and file a tax return with the tax owed to the Internal Revenue Service.
b. A customer pays an invoice with a check. Accounts receivable is updated to reflect the payment. The check is recorded and deposited into the bank.
c. A customer places an online order to purchase merchandise. The order is approved, filled, and sent to the customer with an invoice.
d. An inventory request is received by the purchasing department. The purchasing
e. A vendor invoice is received, reviewed, and compared against the appropriate purchase order, then paid and filed.
f. A bill of lading for ordered inventory is received from a vendor, recorded, checked against the appropriate purchase order, and filed.
3.15 Prepare a program flowchart to help Melanie program this process.
3.16
1. Statements are prepared and sent to customers from data contained in the accounts receivable data store.
2. A customer sends a sales invoice to the accounts payable process.
3. A check is manually prepared from data on a vendor invoice.
4. The cash receipt process updates the cash receipts data store.
5. A sales invoice is manually prepared and sent to a customer.
6. A report is prepared from data stored on magnetic tape.
7. Billing data are entered online and used to update the sales order file and the customer master file.
8. Data from a cancelled invoice are used to update the cash disbursements ledger.
9. A sales order is prepared manually. Copy 1 is sent to the warehouse and copy 2 is filed.
10. An accounts receivable aging report is prepared from the accounts receivable master file and the cash receipts master file, both stored on disk.
11. An error listing and batch total are compared and filed.
3-1 You are the systems analyst for the Wee Willie Williams Widget Works (also known as Dub 5, which is a shortened version of 5 Ws). Dub 5 produces computer keyboard components. It has been producing keyboards for more than 20 years and has recently signed an exclusive 10-year contract to provide the keyboards for all Dell personal computers. As the systems analyst, you have been assigned the task of developing a level 0 DFD for Dub 5’s order processing system. You have finished gathering all the information you need to develop the first-pass DFD and now want to complete the diagram.
CHAPTER 4
RELATIONAL DATABASES
4.1 Contrast the logical and the physical view of data and discuss why separate views are necessary in database applications. Describe which perspective is most useful for each of the following employees: a programmer, a manager, and an internal auditor. How will understanding logical data structures assist you when designing and using database systems?
4.2 The relational data model represents data as being stored in
tables. Spreadsheets are another tool that accountants use to employ a
tabular representation of data. What are some similarities and
differences in the way these tools use tables? How might an accountant’s
familiarity with the tabular representation of spreadsheets facilitate or
hinder learning how to use a relational DBMS?
4.3 Some people believe database
technology may eliminate the need for double-entry accounting. This
creates three possibilities: (1) the double-entry model will be abandoned; (2)
the double-entry model will not be used directly, but an external-level schema
based on the double-entry model will be defined for accountants’ use; or (3)
the double-entry model will be retained in database systems. Which
alternative do you think is most likely to occur? Why?
4.4 Relational DBMS query languages provide easy access to information about the organization’s activities. Does this mean that online, real-time processing should be used for all transactions? Does an organization need real-time financial reports? Why or why not?
4.5 Why is it so important to have good data?
4.6 What is a data dictionary, what does it
contain, and how is it used?
4.7 Compare and contrast the file-oriented approach and the database
approach. Explain the main advantages of database systems.
4.1
a. Identify three potential users and design a subschema for
each. Justify your design by explaining why each user needs access to the
subschema data elements.
b. Use Microsoft Access or some other relational database product to
create the schema tables. Specify the primary key(s), foreign key(s), and
other data for each table. Test your model by entering sample data in
each table.
4.2 Most DBMS packages contain data definition, data manipulation, and
data query languages. For each of the following, indicate which language
would be used and why.
a. A database administrator defines the logical structure of the database.
b. The controller requests a cost accounting report containing a list
of all employees being paid for more than 10 hours overtime in a given week.
c. A programmer develops a program to update the fixed-assets records
stored in the database.
d. The human resources manager requests a report noting all employees
who are retiring within five years.
e. The inventory serial number field is extended in the inventory records
to allow for recognition of additional inventory items with serial numbers
containing more than 10 digits.
f. A user develops a program to print out all purchases made during
the past two weeks.
g. An additional field is added to the fixed-asset records to record
the estimated salvage value of each asset.
4.3 Ashton
wants to store the following data about S&S’s purchases of inventory:
a. Design a set of relational tables to store this data. Do all of the data items need to be stored in a table? If not, which ones do not need to be stored and why do they not need to be stored?
b. Identify the primary key for each table.
c. Identify the foreign keys needed in the tables to implement referential integrity.
d. Implement your tables using any relational database product to which you have access.
e. Test your specification by entering sample data in each table.
f. Create a few queries to retrieve or analyze the data you stored.
4.4 Retrieve the S&S In-Chapter Database (in Microsoft Access format) from the text’s Web site (or create the tables in Table 4-5 in a relational DBMS product). Write queries to answer the following questions. Note: For some questions, you may have to create two queries—one to calculate an invoice total and the second to answer the question asked.
a. How many different kinds of inventory items does S&S sell?
b. How many sales were made during October?
c. What were total sales in October?
d. What was the average amount of a sales transaction?
e. Which salesperson made the largest sale?
f. How many units of each product were sold?
g. Which product was sold most frequently?
4.5 Enter the tables in Table 4-15 into a relational DBMS package. Write queries to answer the following
questions. Note: For some questions, you may have to create two queries—one to calculate a total
and the second to answer the question asked.
a. Which customers (show their names) made purchases from Martinez?
b. Who has the largest credit limit?
c. How many sales were made in October?
d. What were the item numbers, price, and quantity of each item sold on invoice number 103?
e. How much did each salesperson sell?
f. How many customers live in Arizona?
g. How much credit does each customer still have available?
h. How much of each item was sold? (Include the description of each item in your answer.)
i. Which customers still have more than $1,000 in available credit?
j. For which items are there at least 100 units on hand?
4.6 The
BusyB Company wants to store data about employee skills. Each employee
may possess one or more specific skills and several employees may have the same
skill. Include the following facts in the database:
date hired
date of birth
date skill acquired
employee name
employee number
pay rate
a. Design a set of relational tables to store these data.
b. Identify the primary key for each table, and identify any needed foreign keys.
c. Implement your schema using any relational DBMS. Specify
primary and foreign keys, and enforce referential integrity. Demonstrate
the soundness of your design by entering sample data in each table.
4.7 You want to extend the schema shown in Table 4-16 to include information about customer
payments. Some customers make installment payments on each invoice.
Others write a check to pay for several different invoices.
a. Modify the set of tables in Table 4-16 to store this additional data.
b. Identify the primary key for each new table you create.
c. Implement your schema using any relational DBMS package.
Indicate which attributes are primary and foreign keys, and enter
sample data in each table you create.
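Problems 4.3 through 4.7 all turn on the same three things: choosing primary and foreign keys, having the DBMS enforce referential integrity, and answering questions that need a derived value (an invoice total) that is deliberately not stored. The following is an added example, not code from the textbook or from its Web site, that shows all three in SQLite through Python. The table and column names, and every sample row, are this example's own assumptions and are not the data in Table 4-5 or Table 4-15.

```python
"""Added example (not code from the textbook or its Web site): a small
S&S-style sales schema in SQLite that declares primary and foreign keys,
enforces referential integrity, and uses the "two queries" pattern the
problems describe (first compute each invoice's total, then answer the
question). Table and column names and all sample rows are this example's
own assumptions."""
import sqlite3

SCHEMA = """
CREATE TABLE Salesperson (
    SalespersonID INTEGER PRIMARY KEY,
    Name          TEXT NOT NULL
);
CREATE TABLE Customer (
    CustomerID  INTEGER PRIMARY KEY,
    Name        TEXT NOT NULL,
    State       TEXT NOT NULL,
    CreditLimit REAL NOT NULL CHECK (CreditLimit >= 0)
);
CREATE TABLE Inventory (
    ItemNumber  INTEGER PRIMARY KEY,
    Description TEXT NOT NULL,
    UnitPrice   REAL NOT NULL,
    QtyOnHand   INTEGER NOT NULL
);
-- No InvoiceTotal column: the total is derived from the line items, so
-- storing it would only create an update anomaly.
CREATE TABLE Invoice (
    InvoiceNumber INTEGER PRIMARY KEY,
    InvoiceDate   TEXT NOT NULL,
    CustomerID    INTEGER NOT NULL REFERENCES Customer(CustomerID),
    SalespersonID INTEGER NOT NULL REFERENCES Salesperson(SalespersonID)
);
-- Line items: a composite primary key made of two foreign keys.
CREATE TABLE InvoiceLine (
    InvoiceNumber INTEGER NOT NULL REFERENCES Invoice(InvoiceNumber),
    ItemNumber    INTEGER NOT NULL REFERENCES Inventory(ItemNumber),
    Quantity      INTEGER NOT NULL CHECK (Quantity > 0),
    PRIMARY KEY (InvoiceNumber, ItemNumber)
);
"""

# Constructed sample rows (not data from the text).
ROWS = {
    "Salesperson": [(1, "Martinez"), (2, "Chen")],
    "Customer":    [(10, "Acme Co", "AZ", 5000.0), (11, "Bolt Ltd", "CA", 2000.0)],
    "Inventory":   [(100, "Widget", 10.0, 250), (101, "Gadget", 25.0, 40)],
    "Invoice":     [(103, "2023-10-05", 10, 1), (104, "2023-10-20", 11, 2)],
    "InvoiceLine": [(103, 100, 5), (103, 101, 2), (104, 100, 30)],
}

def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")   # SQLite ignores FKs unless enabled
    con.executescript(SCHEMA)
    for table, rows in ROWS.items():
        marks = ", ".join("?" * len(rows[0]))
        con.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    con.commit()
    return con

def referential_integrity_holds(con):
    """An orphan line item and the deletion of a referenced customer must
    both be refused. Returns True only if the DBMS rejected both."""
    rejected = 0
    for stmt in ("INSERT INTO InvoiceLine VALUES (999, 100, 1)",
                 "DELETE FROM Customer WHERE CustomerID = 10"):
        try:
            con.execute(stmt)
            con.rollback()            # enforcement was off: undo the damage
        except sqlite3.IntegrityError:
            rejected += 1
    return rejected == 2

INVOICE_TOTALS = """
    SELECT i.InvoiceNumber, i.SalespersonID,
           SUM(l.Quantity * v.UnitPrice) AS Total
    FROM Invoice i
    JOIN InvoiceLine l ON l.InvoiceNumber = i.InvoiceNumber
    JOIN Inventory   v ON v.ItemNumber    = l.ItemNumber
    GROUP BY i.InvoiceNumber, i.SalespersonID
"""

def invoice_totals(con):
    """Query one: one row per invoice with its computed total."""
    return {num: total for num, _, total in con.execute(INVOICE_TOTALS)}

def largest_sale(con):
    """Query two: who made the largest single sale, built on query one as
    a subquery rather than on a stored total."""
    return con.execute(f"""
        SELECT s.Name, t.Total
        FROM ({INVOICE_TOTALS}) AS t
        JOIN Salesperson s ON s.SalespersonID = t.SalespersonID
        ORDER BY t.Total DESC
        LIMIT 1
    """).fetchone()

def units_sold_per_item(con):
    """LEFT JOIN so items that never sold still appear with 0 units."""
    return con.execute("""
        SELECT v.Description, COALESCE(SUM(l.Quantity), 0) AS Units
        FROM Inventory v
        LEFT JOIN InvoiceLine l ON l.ItemNumber = v.ItemNumber
        GROUP BY v.ItemNumber, v.Description
        ORDER BY Units DESC
    """).fetchall()

if __name__ == "__main__":
    db = build_db()
    print("referential integrity enforced:", referential_integrity_holds(db))
    print("invoice totals:", invoice_totals(db))
    print("largest sale:", largest_sale(db))
    print("units sold:", units_sold_per_item(db))
```

Two points worth noticing. The `PRAGMA foreign_keys = ON` line is not optional in SQLite: without it the schema declares foreign keys but the engine never checks them, so a design can look sound on paper and still accept orphan rows. And the "two queries" the problems mention need not be two saved queries; one can be the subquery of the other, as `largest_sale` does.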
4.8 Create relational tables that solve the update, insert, and delete anomalies in Table 4-17.
4.9 Create relational tables that solve the update, insert, and delete anomalies in Table 4-18.
4.10 From the database created in the comprehensive problem, perform queries based on the tables and query grid shown in Table 4-19.
a. Which borrowers use Advent Appraisers?
b. What is the average amount borrowed from National Mortgage?
c. List all of the property appraisers.
d. List all of the lenders.
e. List the lenders that lent more than $100,000.
f. Which borrower requested the largest mortgage?
g. Which borrower requested the smallest mortgage?
4.1 As in all areas of information technology, DBMSs are constantly
changing and improving. Research how businesses are using DBMSs, and
write a report of your findings. Address the following issues:
1. Which popular DBMS products are based on the relational data model?
2. Which DBMS products are based on a logical model other than the relational data model?
3. What are the relative strengths and weaknesses of the different types (relational versus other logical models) of DBMSs?
CHAPTER 5
COMPUTER FRAUD
5.1 Do you agree that the most effective way to obtain adequate system
security is to rely on the integrity of company employees? Why or why not? Does
this seem ironic? What should a company do to ensure the integrity of its
employees?
5.2 You are the president of a multinational company where an
executive confessed to kiting $100,000. What is kiting and what can your
company do to prevent it? How would you respond to the confession? What
issues must you consider before pressing charges?
5.3 Discuss the following statement by Roswell Steffen, a convicted
embezzler: “For every foolproof system, there is a method for beating
it.” Do you believe a completely secure computer system is
possible? Explain. If internal controls are less than 100%
effective, why should they be employed at all?
5.4 Revlon hired Logisticon to install a real-time invoice and
inventory processing system. Seven months later, when the system crashed,
Revlon blamed the Logisticon programming bugs they discovered and withheld
payment on the contract. Logisticon contended that the software was fine
and that it was the hardware that was faulty. When Revlon again refused
payment, Logisticon repossessed the software using a telephone dial-in feature
to disable the software and render the system unusable. After a three-day
standoff, Logisticon reactivated the system. Revlon sued Logisticon,
charging them with trespassing, breach of contract, and misappropriation of
trade secrets (Revlon passwords). Logisticon countersued for breach of
contract. The companies settled out of court.
Would
Logisticon’s actions be classified as sabotage or repossession? Why?
Would you find the company guilty of committing a computer crime? Be
prepared to defend your position to the class.
5.5 Because improved computer security
measures sometimes create a new set of problems—user antagonism, sluggish
response time, and hampered performance—some people believe the most effective
computer security is educating users about good moral conduct. Richard
Stallman, a computer activist, believes software licensing is antisocial
because it prohibits the growth of technology by keeping information away from
the neighbors. He believes high school and college students should have
unlimited access to computers without security measures so that they can learn
constructive and civilized behavior. He states that a protected system is
a puzzle and, because it is human nature to solve puzzles, eliminating computer
security so that there is no temptation to break in would reduce hacking.
Do
you agree that software licensing is antisocial? Is ethical teaching the
solution to computer security problems? Would the removal of computer
security measures reduce the incidence of computer fraud? Why or why not?
5.1 You were asked to investigate extremely high, unexplained
merchandise shortages at a department store chain. Classify each of the
five situations as a fraudulent act, an indicator of fraud, or an event
unrelated to the investigation. Justify your answers.
a. The receiving department supervisor owns and operates a boutique
carrying many of the same labels as the chain store. The general manager is
unaware of the ownership interest.
b. The receiving supervisor signs receiving reports showing that the
total quantity shipped by a supplier was
received and then diverts 5% to 10% of each shipment to the boutique.
c. The store is unaware of the short shipments because the receiving
report accompanying the merchandise to the sales areas shows that everything
was received.
d. Accounts Payable paid vendors for the total quantity shown on the
receiving report.
e. Based on the receiving department supervisor’s instructions,
quantities on the receiving reports were not counted by sales personnel.
5.2 A client heard through its hot
line that John, the purchases journal clerk, periodically enters fictitious
acquisitions. After John creates a fictitious purchase, he notifies
Alice, the accounts payable ledger clerk, so she can enter them in her ledger.
When the payables are processed, the payment is mailed to the nonexistent
supplier’s address, a post office box rented by John. John deposits the
check in an account he opened in the nonexistent supplier’s name.
a. Define fraud, fraud deterrence, fraud detection, and fraud investigation.
b. List four personal (as opposed to organizational) fraud symptoms, or red flags, that
indicate the possibility of fraud. Do not confine your answer to this example.
c. List two procedures you could follow to uncover John’s fraudulent behavior.
5.3 The computer frauds that are publicly revealed represent only the
tip of the iceberg. Although many people perceive that the major threat
to computer security is external, the more dangerous threats come from
insiders. Management must recognize these problems and develop and enforce
security programs to deal with the many types of computer fraud.
Explain how each of the following six types of fraud is committed.
Using the format provided, also identify a different method of protection for
each and describe how it works.
5.4 Environmental, institutional, or
individual pressures and opportune situations, which are present to some degree
in all companies, motivate individuals and companies to engage in fraudulent
financial reporting. Fraud prevention and detection require that pressures and
opportunities be identified and evaluated in terms of the risks they pose to a
company.
Adapted from the CMA Examination.
a. Identify two company pressures that would increase the likelihood of fraudulent financial reporting.
b. Identify three corporate opportunities that make fraud easier to commit and detection less likely.
c. For each of the following, identify the external environmental factors that should
be considered in assessing the risk of fraudulent financial reporting:
• The company’s industry
• The company’s business environment
• The company’s legal and regulatory environment
d. What can top management do to reduce the possibility of fraudulent financial reporting?
5.5 For each of the following independent cases of employee fraud,
recommend how to prevent similar problems in the future.
a. Due to abnormal inventory shrinkage in the audiovisual department at a retail chain
store, internal auditors conducted an in-depth audit of the department.
They learned that a customer frequently bought large numbers of small
electronic components from a certain cashier. The auditors discovered that they
had colluded to steal electronic components by not recording the sale of items
the customer took from the store.
b. During an
unannounced audit, auditors discovered a payroll fraud when they distributed
paychecks instead of department supervisors. When the auditors
investigated an unclaimed paycheck, they discovered that the employee quit four
months previously after arguing with the supervisor. The supervisor continued
to turn in a time card for the employee and pocketed his check.
c. Auditors discovered an accounts payable clerk who made copies of supporting documents
and used them to support duplicate supplier payments. The clerk deposited the
duplicate checks in a bank account she had opened using a name similar to the
supplier’s.
5.6 An auditor found that Rent-A-Wreck management does not always
comply with its stated policy that sealed bids be used to sell obsolete cars.
Records indicated that several vehicles with recent major repairs were sold at
negotiated prices. Management vigorously assured the auditor that performing
limited repairs and negotiating with knowledgeable buyers resulted in better
sales prices than the sealed-bid procedures. Further investigation revealed
that the vehicles were sold to employees at prices well below market value.
Three managers and five other employees pleaded guilty to criminal charges and
made restitution.
a. List the fraud symptoms that should have aroused the auditor’s
suspicion.
b. What audit procedures would show that fraud had in fact occurred?
5.7 A bank auditor met with the senior operations manager to discuss a
customer’s complaint that an auto loan payment was not credited on time.
The customer said the payment was made on May 5, its due date, at a teller’s
window using a check drawn on an account in the bank. On May 10, when the
customer called for a loan pay-off balance so he could sell the car, he learned
that the payment had not been credited to the loan. On May 12, the
customer went to the bank to inquire about the payment and meet with the
manager. The manager said the payment had been made on May 11. The
customer was satisfied because no late charge would have been assessed until
May 15. The manager asked whether the auditor was comfortable with this
situation.
The auditor located the customer’s paid check and found that it
had cleared on May 5. The auditor traced the item back through the
computer records and found that the teller had processed the check as being
cashed. The auditor traced the payment through the entry records of May
11 and found that the payment had been made with cash instead of a check.
What type of
embezzlement scheme does this appear to be, and how does that scheme
operate?
5.8
AICPA adapted
a. Prepare a schedule showing how much the cashier embezzled.
b. Describe how the cashier attempted to hide the theft.
5.9 An accountant with the Atlanta
Olympic Games was charged with embezzling over $60,000 to purchase a
Mercedes-Benz and to invest in a certificate of deposit. Police alleged that he
created fictitious invoices from two companies that had contracts with the
Olympic Committee: International Protection Consulting and Languages Services.
He then wrote checks to pay the fictitious invoices and deposited them into a
bank account he had opened under the name of one of the companies. When he was apprehended,
he cooperated with police to the extent of telling them of the bogus bank
account and the purchase of the Mercedes-Benz and the CD. The accountant was a
recent honors graduate from a respected university who, supervisors stated, was
a very trusted and loyal employee.
a. How does the accountant fit the profile of a fraudster? How does he not fit the profile?
b. What fraud scheme did he use to perpetrate his fraud?
c. What controls could have prevented his fraud?
d. What controls could have detected his fraud?
5.10 Lexsteel, a manufacturer of steel furniture, has facilities
throughout the United States. Problems with the accounts payable system
have prompted Lexsteel’s external auditor to recommend a detailed study to determine
the company’s exposure to fraud and to identify ways to improve internal
control. Lexsteel’s controller assigned the study to Dolores Smith. She
interviewed Accounts Payable employees and created the flowchart of the current
system shown in Figure 5-3.
Lexsteel’s purchasing, production control, accounts payable, and
cash disbursements functions are centralized at corporate headquarters. The
company mainframe at corporate headquarters is linked to the computers at each
branch location by leased telephone lines.
The mainframe generates production orders and the bills of
material needed for the production runs. From the bills of material, purchase
orders for raw materials are generated and e-mailed to vendors. Each purchase
order tells the vendor which manufacturing plant to ship the materials to. When
the raw materials arrive, the manufacturing plants produce the items on the
production orders received from corporate headquarters.
The manufacturing plant checks the goods received for quality, counts
them, reconciles the count to the packing slip, and e-mails the receiving data
to Accounts Payable. If raw material deliveries fall behind production, each
branch manager can send emergency purchase orders directly to vendors.
Emergency order data and verification of materials received are e-mailed to
Accounts Payable. Since the company employs a computerized perpetual inventory
system, periodic physical counts of raw materials are not performed.
Vendor invoices are e-mailed to headquarters and entered by
Accounts Payable when received. This often occurs before the branch offices
transmit the receiving data. Payments are due 10 days after the company
receives the invoices. Using information on the invoice, Data Entry calculates
the final day the invoice can be paid, and it is entered as the payment due
date.
Once a week, invoices due the following week are printed in
chronological entry order on a payment listing, and the corresponding checks
are drawn. The checks and payment listing are sent to the treasurer’s office
for signature and mailing to the payee. The check number is printed by the
computer, displayed on the check and the payment listing, and validated as the
checks are signed. After the checks are mailed, the payment listing is returned
to Accounts Payable for filing. When there is insufficient cash to pay all the
invoices, the treasurer retains certain checks and the payment listing until
all checks can be paid. When the remaining checks are mailed, the listing is
then returned to Accounts Payable. Often, weekly check mailings include a few
checks from the previous week, but rarely are there more than two weekly
listings involved.
When Accounts Payable receives the payment listing from the
treasurer’s office, the expenses are distributed, coded, and posted to the
appropriate cost center accounts. Accounts Payable processes weekly
summary performance reports for each cost center and branch location.
Adapted from the CMA Examination
1. Discuss three ways Lexsteel is exposed to fraud and recommend improvements to correct these weaknesses.
2. Describe three ways management information could be distorted and recommend improvements to correct these weaknesses.
3. Identify and explain three strengths in Lexsteel’s procedures.
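The Lexsteel case and problem 5.2 describe two accounts-payable exposures that the same kind of control catches: invoices entered and paid before the plant has transmitted its receiving data, and a clerk routing payments to a vendor that exists only on paper. The following is an added example, not code from the textbook or from either case, that implements a three-way match (purchase order, receiving report, invoice) and a fictitious-vendor screen over constructed sample records. All record layouts, identifiers and rows are this example's own assumptions.

```python
"""Added example (not part of the Lexsteel case or of problem 5.2): two
detective controls an AP function can run before checks are drawn.
  1. Three-way match: schedule an invoice for payment only when a purchase
     order for the same vendor exists and receiving reports for that PO
     cover the quantity billed; a re-presented invoice is held as a duplicate.
  2. Fictitious-vendor screen: flag vendors whose remit-to address is a
     post office box or matches an employee's home address.
All record layouts, identifiers and rows below are this example's assumptions."""
from dataclasses import dataclass
import re

@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    vendor_id: str
    qty_ordered: int

@dataclass(frozen=True)
class ReceivingReport:
    po_number: str
    qty_received: int

@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    vendor_id: str
    po_number: str
    qty_billed: int

@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    name: str
    address: str

@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    address: str

def three_way_match(invoices, purchase_orders, receipts, seen):
    """Return (approved_invoice_ids, exceptions). `seen` is the set of
    (vendor, invoice id) pairs already approved; it is updated in place so
    a second presentation of the same invoice is caught."""
    po_by_number = {po.po_number: po for po in purchase_orders}
    received = {}
    for r in receipts:                       # several reports may cover one PO
        received[r.po_number] = received.get(r.po_number, 0) + r.qty_received
    approved, exceptions = [], []
    for inv in invoices:
        key = (inv.vendor_id, inv.invoice_id)
        po = po_by_number.get(inv.po_number)
        if key in seen:
            exceptions.append((inv.invoice_id, "duplicate invoice"))
        elif po is None or po.vendor_id != inv.vendor_id:
            exceptions.append((inv.invoice_id, "no matching purchase order"))
        elif received.get(inv.po_number, 0) < inv.qty_billed:
            exceptions.append((inv.invoice_id, "billed quantity exceeds quantity received"))
        else:
            seen.add(key)
            approved.append(inv.invoice_id)
    return approved, exceptions

PO_BOX = re.compile(r"\b(p\.?\s*o\.?\s*box|post office box)\b", re.IGNORECASE)

def normalize(address):
    """Crude canonical form so '88 Oak St.' and '88 oak st' compare equal."""
    return " ".join(address.lower().replace(".", "").replace(",", "").split())

def screen_vendors(vendors, employees):
    employee_by_address = {normalize(e.address): e.emp_id for e in employees}
    flags = []
    for v in vendors:
        if PO_BOX.search(v.address):
            flags.append((v.vendor_id, "PO box remit-to address"))
        emp = employee_by_address.get(normalize(v.address))
        if emp is not None:
            flags.append((v.vendor_id, f"address matches employee {emp}"))
    return flags

# Constructed sample data. PO-2 has been billed but the plant has not yet
# transmitted its receiving data, the timing problem the case describes.
PURCHASE_ORDERS = [PurchaseOrder("PO-1", "V1", 100), PurchaseOrder("PO-2", "V2", 50)]
RECEIPTS = [ReceivingReport("PO-1", 60), ReceivingReport("PO-1", 40)]
INVOICES = [
    Invoice("INV-A", "V1", "PO-1", 100),
    Invoice("INV-B", "V2", "PO-2", 50),
    Invoice("INV-C", "V3", "PO-9", 10),     # no PO-9 was ever issued
    Invoice("INV-A", "V1", "PO-1", 100),    # same invoice presented twice
]
VENDORS = [
    Vendor("V1", "Steel Supply Co", "12 Mill Rd, Gary, IN"),
    Vendor("V3", "Quality Parts", "P.O. Box 4410, Phoenix, AZ"),
    Vendor("V4", "JL Services", "88 Oak St., Tempe, AZ"),
]
EMPLOYEES = [Employee("E7", "John", "88 Oak St, Tempe, AZ")]

if __name__ == "__main__":
    paid = set()
    print(three_way_match(INVOICES, PURCHASE_ORDERS, RECEIPTS, paid))
    print(screen_vendors(VENDORS, EMPLOYEES))
```

The match holds INV-B rather than rejecting it: once the plant's receiving report for PO-2 arrives, the same invoice passes on the next run, which is the behaviour an AP clerk needs. The vendor screen is only a first pass; a PO box address or an address shared with an employee is a red flag to investigate, not proof of fraud, and the decisive control in problem 5.2 is that the person who enters purchases cannot also create vendors.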
5.11 The Association of Certified Fraud Examiners periodically prepares
an article called “What Is Your Fraud IQ?” It consists of 10 or more
multiple choice questions dealing with various aspects of fraud. The answers,
as well as an explanation of each answer, are provided at the end of the
article. Visit the Journal of Accountancy site
(http://www.journalofaccountancy.com) and search for the articles. Read
and answer the questions in three of these articles, and then check your
answers.
5.12 Explore the Anti-Fraud and Forensic
Accounting portion of the AICPA Web site
(http://www.aicpa.org/INTERESTAREAS/FORENSICANDVALUATION/RESOURCES/Pages/default.aspx),
and write a two-page report on the three most interesting things you found on
the site.
5.1
1. How does Miller fit the profile of the average fraud perpetrator?
2. Explain the three elements of the opportunity triangle (commit, conceal, convert) and
discuss how Miller accomplished each when embezzling funds from Associated
Communications. What specific concealment techniques did Miller use?
3. What pressures motivated Miller to embezzle? How did Miller rationalize his actions?
4. Miller had a framed T-shirt in his office that said, “He who dies with the most toys
wins.” What does this tell you about Miller? What lifestyle red
flags could have tipped off the company to the possibility of fraud?
5. Why do companies hesitate to prosecute white-collar criminals?
6. What could the victimized companies have done to prevent Miller’s embezzlement?
5.2
1. Figure 5-4 shows the employees and external parties that deal with Heirloom.
Explain how Heirloom could defraud the bank and how each internal and external
party except the bank could defraud Heirloom.
2. What risk factor, unusual item, or abnormality would alert you to each fraud?
3. What control weaknesses make each fraud possible?
4. Recommend one or more controls to prevent or detect each means of committing fraud.
CHAPTER 6
COMPUTER FRAUD AND ABUSE TECHNIQUES
6.1 When U.S. Leasing (USL) computers
began acting sluggishly, computer operators were relieved when a software
troubleshooter from IBM called. When he offered to correct the problem
they were having, he was given a log-on ID and password. The next
morning, the computers were worse. A call to IBM confirmed USL’s
suspicion: Someone had impersonated an IBM repairman to gain unauthorized
access to the system and destroy the database. USL was also concerned
that the intruder had devised a program that would let him get back into the
system even after all the passwords were changed.
What techniques might the impostor have employed to breach USL’s internal
security?
What could USL do to avoid these types of incidents in the future?
6.2 What motives do people have for hacking? Why has hacking
become so popular in recent years? Do you regard it as a crime?
Explain your position.
6.3 The UCLA computer lab was filled to capacity when the system
slowed and crashed, disrupting the lives of students who could no longer log
into the system or access data to prepare for finals. IT initially
suspected a cable break or an operating system failure, but diagnostics revealed
nothing. After several frustrating hours, a staff member ran a virus
detection program and uncovered a virus on the lab’s main server. The
virus was eventually traced to the computers of unsuspecting UCLA
students. Later that evening, the system was brought back online after
infected files were replaced with backup copies.
What
conditions made the UCLA system a potential breeding ground for the virus?
What symptoms indicated that a virus was present?
6.1 A few years ago, news began
circulating about a computer virus named Michelangelo that was set to “ignite” on
March 6, the birthday of the famous Italian artist. The virus attached itself to the computer’s
operating system boot sector. On the magical date, the virus would release
itself, destroying all of the computer’s data. When March 6 arrived, the virus
did minimal damage. Preventive techniques limited the damage to isolated
personal and business computers. Though the excitement surrounding the virus
was largely illusory, Michelangelo helped the computer-using public realize its
systems’ vulnerability to outside attack.
a. What is a computer
virus? Cite at least three reasons why no system is completely safe from
a computer virus.
b. Why do viruses represent
a serious threat to information systems? What damage can a virus do to a
computer system?
c. How does a
virus resemble a Trojan horse?
d. What steps can be taken to prevent the spread
of a computer virus?
6.2 The controller of a small
business received the following e-mail with an authentic-looking e-mail address
and logo:
From: Big Bank [antifraud@bigbank.com]
To: Justin Lewis, Controller, Small Business USA
Subject: Official Notice for all users of Big Bank!
Due to the increased incidence of fraud and identity theft, we are
asking all bank customers to verify their account information on the following
Web page: www.antifraudbigbank.com
Please confirm your account information as soon as possible.
Failure to confirm your account information will require us to suspend your
account until confirmation is made.
A week later, the following e-mail was delivered to the
controller:
From: Big Bank [antifraud@bigbank.com]
To: Justin Lewis, Controller, Small Business USA
Subject: Official Notice for all users of Big Bank!
Dear Client of Big Bank,
Technical services at Big Bank is currently updating our software.
Therefore, we kindly ask that you access the website shown below to confirm
your data. Otherwise, your access to the system may be blocked.
web.da-us.bigbank.com/signin/scripts/login2/user_setup.jsp
We are grateful for your cooperation.
a. What should Justin do about these
e-mails?
b. What should Big Bank
do about these e-mails?
c. Identify the
computer fraud and abuse technique illustrated.
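The two e-mails differ in one telling detail: the first sends Justin to www.antifraudbigbank.com, a domain that merely contains the bank's name, while the second shows an address that really is under bigbank.com. The following is an added example, not part of the textbook problem, that parses each link the way a browser would and tests whether its host belongs to the bank's registered domain. The genuine domain (bigbank.com) is assumed from the sender address shown in the problem; the last two URLs are constructed look-alikes added for illustration.

```python
"""Added example (not part of the textbook problem): does a link in the
Big Bank e-mails really point into the bank's own domain? bigbank.com is
assumed to be the bank's genuine registered domain; the two look-alike
URLs at the end are constructed for illustration."""
from urllib.parse import urlsplit

BANK_DOMAIN = "bigbank.com"   # assumed genuine domain

def host_of(url):
    """Hostname as a browser would resolve it. A missing scheme (as in the
    e-mails) is treated as http://; anything before '@' is userinfo, not
    the host, so 'bigbank.com@evil.example' resolves to evil.example."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def belongs_to(host, domain):
    """True only for the domain itself or a real subdomain of it. A
    substring test ('bigbank.com' in host) would also accept
    antifraudbigbank.com and bigbank.com.evil.example; a suffix test
    that includes the leading dot does not."""
    return host == domain or host.endswith("." + domain)

def classify(url):
    return "bank domain" if belongs_to(host_of(url), BANK_DOMAIN) else "NOT bank domain"

LINKS_IN_EMAILS = [
    "www.antifraudbigbank.com",
    "web.da-us.bigbank.com/signin/scripts/login2/user_setup.jsp",
]
CONSTRUCTED_LOOKALIKES = [
    "http://bigbank.com@evil.example/login",   # userinfo trick
    "http://bigbank.com.evil.example/",        # bank name as a prefix
]

if __name__ == "__main__":
    for url in LINKS_IN_EMAILS + CONSTRUCTED_LOOKALIKES:
        print(f"{classify(url):16} {url}")
```

The second e-mail's address passes this test, which is exactly why the test is necessary but not sufficient. The text shown in a message is not the link target (an HTML mail can display one address and link to another), a host under the right domain can still be a compromised or hijacked one, and no genuine bank asks customers to "confirm" credentials by following an e-mailed link. The correct response for Justin is to ignore both links and contact Big Bank through a number or bookmark he already has.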
6.3 A purchasing department received the following e-mail.
Dear Accounts Payable Clerk,
You can purchase everything you need online—including peace of
mind—when you shop using Random Account Numbers (RAN). RAN is a free
service for Big Credit Card customers that substitutes a random credit card
number in place of your normal credit card number when you make online
purchases and payments. This random number provides you with additional
security. Before every online purchase, simply get a new number from RAN
to use at each new vendor. Sign up for an account at www.bigcreditcard.com.
Also, take advantage of the following features:
• Automatic Form automatically completes a vendor’s order form with the RAN, its expiration date, and your
shipping and billing addresses.
• Set the spending limit and expiration date for each new RAN.
• Use RAN once or use it for recurring payments for up to one year.
Explain which computer fraud and abuse techniques
could be prevented using a random account number that links to your corporate
credit card.
6.4 Match the Internet-related computer fraud and abuse technique in
the left column with the scenario in the right column. Terms may be used once,
more than once, or not at all.
6.5 Match the data communications-related computer fraud and abuse
technique in the left column with the scenario in the right column. Terms may
be used once, more than once, or not at all.
6.6 Match the data-related computer fraud and abuse technique in the
left column with the scenario in the right column. Terms may be used once, more
than once, or not at all.
6.7 Match the data security computer fraud and abuse technique in the
left column with the scenario in the right column. Terms may be used once, more
than once, or not at all.
6.8 Match the data security computer fraud and abuse technique in the left column with the
scenario in the right column. Terms may be used once, more than once, or not at
all.
6.9 Identify the computer fraud and abuse technique used in each of the following actual
examples of computer wrongdoing.
a. A teenage gang known as the “414s” broke into the Los Alamos
National Laboratory, Sloan-Kettering Cancer Center, and Security Pacific
Bank. One gang member appeared in Newsweek with
the caption “Beware: Hackers at play.”
b. Daniel Baas was the systems administrator for a company that
did business with Acxiom, who manages customer information for companies.
Baas exceeded his authorized access and downloaded a file with 300 encrypted
passwords, decrypted the password file, and downloaded Acxiom customer files
containing personal information. The intrusion cost Acxiom over $5.8 million.
c. Cyber-attacks left high-profile sites such as Amazon.com,
eBay, Buy.com, and CNN Interactive staggering under the weight of tens of
thousands of bogus messages that tied up the retail sites’ computers and
slowed the news site’s operations for hours.
d. Susan Gilmour-Latham got a call asking why she was sending
the caller multiple adult text messages per day. Her account records proved
the calls were not coming from her phone. Neither she nor her mobile company
could explain how the messages were sent. After finding no way to block the
unsavory messages, she changed her mobile number to avoid further
embarrassment by association.
e. A federal grand jury in Fort Lauderdale claimed that four
executives of a rental-car franchise modified a computer-billing program to
add five gallons to the actual gas tank capacity of their vehicles. Over
three years, 47,000 customers who returned a car without topping it off ended
up paying an extra $2 to $15 for gasoline.
f. A mail-order company programmer truncated odd cents in
sales-commission accounts and placed them in the last record in the
commission file. Accounts were processed alphabetically, and he created a
dummy sales-commission account using the name of Zwana. Three years later,
the holders of the first and last sales-commission accounts were honored.
Zwana was unmasked and his creator fired.
g. MicroPatent, an intellectual property firm, was notified that
their proprietary information would be broadcast on the Internet if they did
not pay a $17 million fee. The hacker was caught by the FBI before any damage
was done.
h. When Estonia removed a Russian World War II war memorial,
Estonian government and bank networks were knocked offline in a distributed
DoS attack by Russian hackers. A counterfeit letter of apology for
removing the memorial statue was placed on the Web site of Estonia’s prime
minister.
i. eBay customers were notified by e-mail that their accounts
had been compromised and were being restricted unless they re-registered
using an accompanying hyperlink to a Web page that had eBay’s logo, home page
design, and internal links. The form had a place for them to enter their
credit card data, ATM PINs, Social Security number, date of birth, and their
mother’s maiden name. Unfortunately, eBay hadn’t sent the e-mail.
j. A teenager hijacked the eBay.de domain name and several
months later the domain name for a large New York ISP. Both hijacked Web
sites pointed to a site in Australia.
k. Travelers who logged into the Alpharetta, Georgia, airport’s
Internet service had personal information stolen and picked up as many as 45
viruses. A hacker had set up a rogue wireless network with the same name as
the airport’s wireless access network.
l. Criminals in Russia used a vulnerability in Microsoft’s
server software to add a few lines of Java code to users’ copies of Internet
Explorer. The code recorded the users’ keyboard activities, giving the
criminals access to usernames and passwords at many banking Web sites. The
attacks caused $420 million in damage.
m. America Online subscribers received a message offering free
software. Users who opened the attachments unknowingly unleashed a program
hidden inside another program that secretly copied the subscriber’s account
name and password and forwarded them to the sender.
n. Rajendrasinh Makwana, an Indian citizen and IT contractor who
worked at Fannie Mae’s Maryland facility, was terminated at 1:00 P.M. on
October 24. Before his network access was revoked, he created a program to
wipe out all 4,000 of Fannie Mae’s servers on the following January 31.
o. A man accessed millions of ChoicePoint files by claiming in
writing and on the phone to be someone he was not.
p. A 31-year-old programmer unleashed a Visual Basic program by
deliberately posting an infected document to an alt.sex Usenet newsgroup
using a stolen AOL account. The program evaded security software and infected
computers using the Windows operating system and Microsoft Word. On March 26,
the Melissa program appeared on thousands of e-mail systems disguised as an
important message from a colleague or friend. The program sent an
infected e-mail to the first 50 e-mail addresses on the users’ Outlook
address book. Each infected computer would infect 50 additional computers,
which in turn would infect another 50 computers. The program spread rapidly
and exponentially, causing considerable damage. Many companies had to
disconnect from the Internet or shut down their e-mail gateways because of
the vast amount of e-mail the program was generating. The program caused more
than $400 million in damages.
q. Microsoft filed a lawsuit against two Texas firms that
produced software that sent incessant pop-ups resembling system warnings. The
messages stated “CRITICAL ERROR MESSAGE! REGISTRY DAMAGED AND CORRUPTED” and
instructed users to visit a Web site to download Registry Cleaner XP at a
cost of $39.95.
r. As many as 114,000 Web sites were tricked into running
database commands that installed malicious HTML code redirecting victims to a
malicious Web server that tried to install software to remotely control the
Web visitors’ computers.
s. Zeus records log-in information when the user of the infected
computer logs into a list of target Web sites, mostly banks and other
financial institutions. The user’s data is sent to a remote server where it
is used and sold by cyber-criminals. The new version of Zeus will
significantly increase fraud losses, given that 30% of Internet users bank
online.
t. It took Facebook 15 hours to kill a Facebook application that
infected millions of PCs with software that displays a constant stream of
pop-up ads. The program posted a “Sexiest Video Ever” message on Facebook
walls that looked like it came from a friend. Clicking the link led to a
Facebook installation screen, where users allowed the software to access
their profiles and walls. Once approved, the application told users to
download an updated, free version of a popular Windows video player. Instead,
it inserted a program that displayed pop-up ads and links. A week later a “Distracting
Beach Babes” message did the same thing.
u. Robert Thousand, Jr. discovered he lost $400,000 from his
Ameritrade retirement account shortly after he began receiving a flood of
phone calls with a 30-second recording for a sex hotline. An FBI investigation
revealed that the perpetrator obtained his Ameritrade account information,
called Ameritrade to change his phone number, created several VoIP accounts,
and used automated dialing tools to flood the dentist’s phones in case
Ameritrade called his real number. The perpetrator requested multiple
monetary transfers, but Ameritrade would not process them until they reached
Thousand to verify them. When the transfers did not go through, the attacker
called Ameritrade, gave information to verify that he was Thousand, claimed
he had been having phone troubles, and told Ameritrade he was not happy that
the transfers had not gone through. Ameritrade processed the transfers, and
Thousand lost $400,000.
v. The Internet Crime Complaint Center reports a “hit man” scam.
The scammer claims that he has been ordered to assassinate the victim and an
associate has been ordered to kill a family member. The only way to prevent
the killings is to send $800 so an Islamic expatriate can leave the United
States.
w. In an economic stimulus scam, individuals receive a phone
call from President Obama telling them to go to a Web site to apply for the
funds. To receive the stimulus money, victims have to enter personal
identification information, complete an online application, and pay a $28
fee.
6.10 On a Sunday afternoon at a hospital in the Pacific Northwest, computers became sluggish, and documents would not print. Monday morning, the situation became worse when employees logged on to their computers. Even stranger things happened—operating room doors would not open, pagers would not work, and computers in the intensive care unit shut down. By 10:00 A.M., all 50 IT employees were summoned. They discovered that the hospital was under attack by a botnet that exploited a Microsoft operating system flaw and installed pop-up ads on hospital computers. They got access to the first computer on Sunday and used the hospital’s network to spread the infection to other computers. Each infected computer became a zombie that scanned the network looking for new victims. With the network clogged with zombie traffic, hospital communications began to break down. The IT staff tried to halt the attack by shutting off the hospital’s Internet connection, but it was too late. The bots were inside the hospital’s computer system and infecting other computers faster than they could be cleaned. Monday afternoon IT figured out which malware the bots were installing and wrote a script, which was pushed out hourly, directing computers to remove the bad code. The script helped to slow the bots down a bit.
a. What could the hospital do to stop the attack and contain the damage?
b. Which computer fraud and abuse technique did the hackers use in their attack on the hospital?
c. What steps should the hospital have taken to prevent the damage caused by the attack?
Aftermath:
6.1
1. How did Shadowcrew members conceal their identities?
2. How has the Internet made detecting and identifying identity fraudsters difficult?
3. What are some of the most common electronic means of stealing personal
4. What is the most common way that fraudsters use personal data?
5. What measures can consumers take to protect against the online brokering of their personal data?
6. What are the most effective means of detecting identity theft?
7. What pieces of personal information are most valuable to identity fraudsters?
The rest of the story:
CHAPTER 7 CONTROL AND ACCOUNTING INFORMATION SYSTEMS
7.1 Answer the following questions about the audit of Springer’s Lumber & Supply:
a. What deficiencies existed in the internal environment at Springer’s?
b. Do you agree with the decision to settle with the Springers rather than to prosecute them for fraud and embezzlement? Why or why not?
c. Should the company have told Jason and Maria the results of the high-level audit? Why or why not?
7.2
Effective segregation of duties is sometimes not economically feasible in a
small business. What internal control elements do you think can help compensate
for this threat?
7.3 One function of the AIS is to provide adequate controls to
ensure the safety of organizational assets, including data. However, many
people view control procedures as “red tape.” They also believe that,
instead of producing tangible benefits, business controls create resentment and
loss of company morale. Discuss this position.
7.4
In recent years, Supersmurf’s external auditors have given clean opinions on
its financial statements and favorable evaluations of its internal control
systems. Discuss whether it is necessary for this corporation to take any
further action to comply with the Sarbanes–Oxley Act.
7.5 When you go to a movie theater, you buy a prenumbered ticket
from the cashier. This ticket is handed to another person at the entrance
to the movie. What kinds of irregularities is the theater trying to
prevent? What controls is it using to prevent these irregularities?
What remaining risks or exposures can you identify?
7.6
Some restaurants use customer checks with prenumbered sequence
codes. Each food server uses these checks to write up customer
orders. Food servers are told not to destroy any customer checks; if a
mistake is made, they are to void that check and write a new one. All
voided checks are to be turned in to the manager daily. How does this
policy help the restaurant control cash receipts?
7.7 Compare and contrast the following three frameworks: COBIT, COSO
Integrated Control, and ERM.
7.8 Explain
what an event is. Using the Internet as a resource, create a list of some
of the many internal and external factors that COSO indicated could influence
events and affect a company’s ability to implement its strategy and achieve its
objectives.
7.9 Explain what is meant by objective setting and describe the four
types of objectives used in ERM.
7.10 Discuss several
ways that ERM processes can be continuously monitored and modified so that
deficiencies are reported to management.
7.1 You
are an audit supervisor assigned to a new client, Go-Go Corporation, which is
listed on the New York Stock Exchange. You visited Go-Go’s corporate
headquarters to become acquainted with key personnel and to conduct a
preliminary review of the company’s accounting policies, controls, and
systems. During this visit, the following events occurred:
a. You met with Go-Go’s audit committee, which consists of the corporate controller, treasurer, financial vice president, and budget director.
b. You recognized the treasurer as a former aide to Ernie Eggers, who was convicted of fraud several years ago.
c. Management explained its plans to change accounting methods for depreciation from the accelerated to the straight-line method. Management implied that if your firm does not concur with this change, Go-Go will employ other auditors.
d. You learned that the financial vice president manages a staff of five internal auditors.
e. You noted that all management authority seems to reside with three brothers, who serve as chief executive officer, president, and financial vice president.
f. You were told that the performance of division and department managers is evaluated on a subjective basis, because Go-Go’s management believes that formal performance evaluation procedures are counterproductive.
g. You learned that the company has reported increases in earnings per share for each of the past 25 quarters; however, earnings during the current quarter have leveled off and may decline.
h. You reviewed the company’s policy and procedures manual, which listed policies for dealing with customers, vendors, and employees.
i. Your preliminary assessment is that the accounting systems are well designed and that they employ effective internal control procedures.
j. Some employees complained that some managers occasionally contradict the instructions of other managers regarding proper data security procedures.
k. After a careful review of the budget for data security enhancement projects, you feel the budget appears to be adequate.
l. The enhanced network firewall project appeared to be on a very aggressive implementation schedule. The IT manager mentioned that even if he put all of his personnel on the project for the next five weeks, he still would not complete the project in time. The manager has mentioned this to company management, which seems unwilling to modify the schedule.
m. Several new employees have had trouble completing some of their duties, and they do not appear to know who to ask for help.
n. Go-Go’s strategy is to achieve consistent growth for its shareholders. However, its policy is not to invest in any project unless its payback period is no more than 48 months and yields an internal rate of return that exceeds its cost of capital by 3%.
o. You observe that company purchasing agents wear clothing and exhibit other paraphernalia from major vendors. The purchasing department manager proudly displays a picture of himself holding a big fish on the deck of a luxury fishing boat that has the logo of a major Go-Go vendor painted on its wheelhouse.
7.2
Explain how the principle of separation of duties is violated in each of the
following situations. Also, suggest one or more procedures to reduce the risk
and exposure highlighted in each example.
a. A payroll clerk recorded a
40-hour workweek for an employee who had quit the previous week. He then
prepared a paycheck for this employee, forged her signature, and cashed the
check.
b. While opening the mail, a
cashier set aside, and subsequently cashed, two checks payable to the company
on account.
c. A cashier prepared a fictitious
invoice from a company using his brother-in-law’s name. He wrote a check
in payment of the invoice, which the brother-in-law later cashed.
d. An employee of the
finishing department walked off with several parts from the storeroom and
recorded the items in the inventory ledger as having been issued to the
assembly department.
e. A cashier cashed a check from a customer in payment of an account receivable, pocketed the cash, and concealed the theft by properly posting the receipt to the customer’s account in the accounts receivable ledger.
f. Several
customers returned clothing purchases. Instead of putting the clothes
into a return bin to be put back on the rack, a clerk put the clothing in a
separate bin under some cleaning rags. After her shift, she transferred
the clothes to a gym bag and took them home.
g.
A receiving clerk noticed that four cases of MP3 players were included in a
shipment when only three were ordered. The clerk put the extra case aside
and took it home after his shift ended.
h.
An insurance claims adjuster had check signing authority of up to $6,000.
The adjuster created three businesses that billed the insurance company for
work not performed on valid claims. The adjuster wrote and signed checks
to pay for the invoices, none of which exceeded $6,000.
i. An accounts payable clerk
recorded invoices received from a company that he and his wife owned and
authorized their payment.
j. A cashier created false
purchase return vouchers to hide his theft of several thousand dollars from his
cash register.
k. A purchasing agent received a
10% kickback of the invoice amount for all purchases made from a specific
vendor.
7.3 The
following description represents the policies and procedures for agent expense
reimbursements at Excel Insurance Company.
Agents submit a completed expense reimbursement form to their branch manager at the end of each week. The branch manager reviews the expense report to determine whether the claimed expenses are reimbursable based on the company’s expense reimbursement policy and reasonableness of amount. The company’s policy manual states that agents are to document any questionable expense item and that the branch manager must approve in advance expenditures exceeding $500.
After the expenses are approved, the branch manager sends the expense report to the home office. There, accounting records the transaction, and cash disbursements prepares the expense reimbursement check. Cash disbursements sends the expense reimbursement checks to the branch manager, who distributes them to the agents.
To receive cash advances for anticipated expenses, agents must complete a Cash Advance Approval form. The branch manager reviews and approves the Cash Advance Approval form and sends a copy to accounting and another to the agent. The agent submits the copy of the Cash Advance Approval form to the branch office cashier to obtain the cash advance.
At the end of each month, internal audit at the home office reconciles the expense reimbursements. It adds the total dollar amounts on the expense reports from each branch, subtracts the sum of the dollar totals on each branch’s Cash Advance Approval form, and compares the net amount to the sum of the expense reimbursement checks issued to agents. Internal audit investigates any differences.
Identify the internal control strengths and weaknesses in Excel’s expense reimbursement process. Look for authorization, recording, safeguarding, and reconciliation strengths and weaknesses.
7.3 The Gardner Company, a client of your firm, has come to you with
the following problem. It has three clerical employees who must perform
the following functions:
a. Maintain the general ledger
b. Maintain the accounts payable ledger
c. Maintain the accounts receivable ledger
d. Prepare checks for signature
e. Maintain the cash disbursements journal
f. Issue credits on returns and allowances
g. Reconcile the bank account
h. Handle and deposit cash receipts
Assuming equal abilities among the three employees, the company asks you to assign the eight functions to them to maximize internal control. Assume that these employees will perform no accounting functions other than the ones listed.
a. List four possible unsatisfactory pairings of the functions.
b. State how you would distribute the functions
among the three employees. Assume that with the exception of the nominal
jobs of the bank reconciliation and the issuance of credits on returns and
allowances, all functions require an equal amount of time.
7.5 During a recent review, ABC Corporation discovered that it has a
serious internal control problem. It is estimated that the impact associated
with this problem is $1 million and that the likelihood is currently 5%. Two
internal control procedures have been proposed to deal with this problem.
Procedure A would cost $25,000 and reduce likelihood to 2%; procedure B would
cost $30,000 and reduce likelihood to 1%. If both procedures were implemented,
likelihood would be reduced to 0.1%.
7.6 The
management at Covington, Inc., recognizes that a well-designed internal control
system provides many benefits. Among the benefits are reliable financial
records that facilitate decision making and a greater probability of preventing
or detecting errors and fraud. Covington’s internal auditing department
periodically reviews the company’s accounting records to determine the
effectiveness of internal controls. In its latest review, the internal audit
staff found the following eight conditions:
1. Daily bank deposits do not always correspond with cash receipts.
2. Bad debt write-offs are prepared and approved by the same employee.
3. There are occasional discrepancies between physical inventory counts and perpetual inventory records.
4. Alterations have been made to physical inventory counts and to perpetual inventory records.
5. There are many customer refunds and credits.
6. Many original documents are missing or lost. However, there are substitute copies of all missing originals.
7. An unexplained decrease in the gross profit percentage has occurred.
8. Many documents are not approved.
For each of the eight conditions detected by the Covington internal audit staff:
a. Describe a possible cause of the condition.
b. Recommend actions to be taken and/or controls to be implemented that would correct the condition.
7.7 Consider the following two situations:
For the situations presented, describe the recommendations the internal auditors should make to prevent the following problems.
Situation 1: Many employees of a firm that manufactures small
tools pocket some of the tools for their personal use. Since the quantities
taken by any one employee are immaterial, the individual employees do not
consider the act as fraudulent or detrimental to the company. The company
is now large enough to hire an internal auditor. One of the first things
she did was to compare the gross profit rates for industrial tools to the gross
profit for personal tools. Noting a significant difference, she
investigated and uncovered the employee theft.
Situation 2: A manufacturing firm’s controller created a
fake subsidiary. He then ordered goods from the firm’s suppliers, told them to
ship the goods to a warehouse he rented, and approved the vendor invoices for
payment when they arrived. The controller later sold the diverted
inventory items, and the proceeds were deposited to the controller’s personal
bank account. Auditors suspected something was wrong when they could not find any entries regarding this fake subsidiary office in the property, plant, and equipment ledgers or a title or lease for the office in the real-estate records of the firm.
7.8 Tralor Corporation
manufactures and sells several different lines of small electric components.
Its internal audit department completed an audit of its expenditure processes.
Part of the audit involved a review of the internal accounting controls for
payables, including the controls over the authorization of transactions,
accounting for transactions, and the protection of assets. The auditors noted
the following items:
1. Routine purchases are initiated by inventory control notifying the purchasing department of the need to buy goods. The purchasing department fills out a prenumbered purchase order and gets it approved by the purchasing manager. The original of the five-part purchase order goes to the vendor. The other four copies are for purchasing, the user department, receiving for use as a receiving report, and accounts payable.
2. For efficiency and effectiveness, purchases of specialized goods and services are negotiated directly between the user department and the vendor. Company procedures require that the user department and the purchasing department approve invoices for any specialized goods and services before making payment.
3. Accounts payable maintains a list of employees who have purchase order approval authority. The list was updated two years ago and is seldom used by accounts payable clerks.
4. Prenumbered vendor invoices are recorded in an invoice register that indicates the receipt date, whether it is a special order, when a special order is sent to the requesting department for approval, and when it is returned. A review of the register indicated that there were seven open invoices for special purchases, which had been forwarded to operating departments for approval over 30 days previously and had not yet been returned.
5. Prior to making entries in accounting records, the accounts payable clerk checks the mathematical accuracy of the transaction, makes sure that all transactions are properly documented (the purchase order matches the signed receiving report and the vendor’s invoice), and obtains departmental approval for special purchase invoices.
6. All approved invoices are filed alphabetically. Invoices are paid on the 5th and 20th of each month, and all cash discounts are taken regardless of the terms.
7. The treasurer signs the checks and cancels the supporting documents. An original document is required for a payment to be processed.
8. Prenumbered blank checks are kept in a locked safe accessible only to the cash disbursements department. Other documents and records maintained by the accounts payable section are readily accessible to all persons assigned to the section and to others in the accounting function.
Review the eight items listed and decide whether they represent an internal control strength or weakness.
a. For each internal control strength you identified, explain how the procedure helps achieve good authorization, accounting, or asset protection control.
For each internal control weakness you identified, explain why it is a weakness and recommend a way to correct the weakness.
7.7 Lancaster Company makes electrical parts for contractors and
home improvement retail stores. After their annual audit, Lancaster’s auditors
commented on the following items regarding internal controls over equipment:
1. The operations department that needs the equipment normally initiates a purchase requisition for equipment. The operations department supervisor discusses the proposed purchase with the plant manager. If there are sufficient funds in the requesting department’s equipment budget, a purchase requisition is submitted to the purchasing department once the plant manager is satisfied that the request is reasonable.
2. When the purchasing department receives either an inventory or an equipment purchase requisition, the purchasing agent selects an appropriate supplier and sends them a purchase order.
3. When equipment arrives, the user department installs it. The property, plant, and equipment control accounts are supported by schedules organized by year of acquisition. The schedules are used to record depreciation using standard rates, depreciation methods, and salvage values for each type of fixed asset. These rates, methods, and salvage values were set 10 years ago during the company’s initial year of operation.
4. When equipment is retired, the plant manager notifies the accounting department so the appropriate accounting entries can be made.
5. There has been no reconciliation since the company began operations between the accounting records and the equipment on hand.
Identify the internal control weaknesses in Lancaster’s system,
and recommend ways to correct them.
7.10
The Langston Recreational Company (LRC) manufactures
ice skates for racing, figure skating, and hockey. The company is located in
Kearns, Utah, so it can be close to the Olympic Ice Shield, where many Olympic
speed skaters train.
Given the precision required to make skates, tracking
manufacturing costs is very important to management so it can price the skates
appropriately. To capture and collect manufacturing costs, the company acquired
an automated cost accounting system from a national vendor. The vendor provides
support, maintenance, and data and program backup service for LRC’s system.
LRC operates one shift, five days a week. All manufacturing data
are collected and recorded by Saturday evening so that the prior week’s
production data can be processed. One of management’s primary concerns is how
the actual manufacturing process costs compare with planned or standard
manufacturing process costs. As a result, the cost accounting system produces a
report that compares actual costs with standard costs and provides the
difference, or variance. Management focuses on significant variances as one
means of controlling the manufacturing processes and calculating bonuses.
Occasionally, errors occur in processing a week’s production
cost data, which requires the entire week’s cost data to be reprocessed at a
cost of $34,500. The current risk of error without any control procedures is
8%. LRC’s management is currently considering a set of cost accounting control
procedures that is estimated to reduce the risk of the data errors from 8% to
3%. This data validation control procedure is projected to cost $1,000 per
week.
7.11 Spring Water Spa
Company is a 15-store chain in the Midwest that sells hot tubs, supplies, and
accessories. Each store has a full-time, salaried manager and an assistant
manager. The sales personnel are paid an hourly wage and a commission based on
sales volume.
The company uses electronic cash registers to record each
transaction. The salesperson enters his or her employee number at the beginning
of his/her shift. For each sale, the salesperson rings up the order by scanning
the item’s bar code, which then displays the item’s description, unit price,
and quantity (each item must be scanned). The cash register automatically
assigns a consecutive number to each transaction. The cash register prints a
sales receipt that shows the total, any discounts, the sales tax, and the grand
total.
The salesperson collects payment from the customer, gives the
receipt to the customer, and either directs the customer to the warehouse to
obtain the items purchased or makes arrangements with the shipping department
for delivery. The salesperson is responsible for using the system to determine
whether credit card sales are approved and for approving both credit sales and
sales paid by check. Sales returns are handled in exactly the reverse manner,
with the salesperson issuing a return slip when necessary.
At the end of each day, the cash registers print a sequentially ordered
list of sales receipts and provide totals for cash, credit card, and check
sales, as well as cash and credit card returns. The assistant manager
reconciles these totals to the cash register tapes, cash in the cash register,
the total of the consecutively numbered sales invoices, and the return slips.
The assistant manager prepares a daily
Cash sales, check sales, and credit card sales are reviewed by
the manager, who prepares the daily bank deposit. The manager physically makes
the deposit at the bank and files the validated deposit slip. At the end of the
month, the manager performs the bank reconciliation. The cash register tapes,
sales invoices, return slips, and reconciled report are mailed daily to
corporate headquarters to be processed with files from all the other stores.
Corporate headquarters returns a weekly Sales and Commission Activity Report to
each store manager for review.
Please respond to the following questions about Spring Water Spa
Company’s operations:
7.12 PriceRight Electronics (PEI) is a small wholesale discount
supplier of electronic instruments and parts. PEI’s competitive advantage is
its deep-discount, three-day delivery guarantee, which allows retailers to
order materials often to minimize in-store inventories. PEI processes its
records with stand-alone, incompatible computer systems except for integrated
enterprise resource planning (ERP) inventory and accounts receivable modules.
PEI decided to finish integrating its operations with more ERP modules, but
because of cash flow considerations, this needs to be accomplished on a
step-by-step basis.
It was decided that the next function to be integrated should be
sales order processing to enhance quick response to customer needs. PEI
implemented and modified a commercially available software package to meet
PEI’s operations. In an effort to reduce the number of slow-paying or
delinquent customers, PEI installed Web-based software that links to the Web
site of a commercial credit rating agency to check customer credit at the time
of purchase. The following are the new sales order processing system modules:
• Sales. Sales orders are
received by telephone, fax, e-mail, Web site entry, or standard mail. They are
entered into the sales order system by the Sales department. If the order does
not cause a customer to exceed his credit limit, the system generates multiple
copies of the sales order.
• Credit. When orders are
received from new customers, the system automatically accesses the credit
rating Web site and suggests an initial credit limit. On a daily basis, the
credit manager reviews new customer applications for creditworthiness, reviews
the suggested credit limits, and accepts or changes the credit limits in the
customer database. On a monthly basis, the credit manager reviews the accounts
receivable aging report to identify slow-paying or delinquent accounts for
potential revisions to or discontinuance of credit. As needed, the credit
manager issues credit memos for merchandise returns based on requests from
customers and forwards copies of the credit memos to Accounting for appropriate
account receivable handling.
• Warehousing. Warehouse personnel
update the inventory master file for inventory purchases and sales, confirm
availability of materials to fill sales orders, and establish back orders for
sales orders that cannot be completed from stock on hand. Warehouse personnel
gather and forward inventory to Shipping and Receiving along with the
corresponding sales orders. They also update the inventory master file for
merchandise returned to Receiving.
• Shipping and receiving. Shipping and Receiving
accepts inventory and sales orders from Warehousing, packs and ships the orders
with a copy of the sales order as a packing slip, and forwards a copy of the
sales order to Billing. Customer inventory returns are unpacked, sorted,
inspected, and sent to Warehousing.
• Accounting. Billing prices all
sales orders received, which is done approximately 5 days after the order
ships. To spread the work effort throughout the month, customers are placed in
one of six 30-day billing cycles. Monthly statements, prepared by Billing, are
sent to customers during the cycle billing period. Outstanding carry forward
balances reported by Accounts Receivable and credit memos prepared by the
credit manager are included on the monthly statement. Billing also prepares
electronic sales and credit memos for each cycle. Electronic copies of invoices
and credit memos are forwarded to Accounts Receivable for entry into the
accounts receivable master file by customer account. An aging report is
prepared at the end of each month and forwarded to the credit manager. The
general accounting office staff access the accounts receivable master file that
reflects total charges and credits processed through the accounts receivable
system for each cycle. General accounting runs a query to compare this
information to the electronic sales and credit memo and posts the changes to
the general ledger master file.
7.1 Nino
Moscardi, president of Greater Providence Deposit & Trust (GPD&T),
received an anonymous note in his mail stating that a bank employee was making
bogus loans. Moscardi asked the bank’s internal auditors to investigate the
transactions detailed in the note. The investigation led to James Guisti,
manager of a North Providence branch office and a trusted 14-year employee who
had once worked as one of the bank’s internal auditors. Guisti was charged with
embezzling $1.83 million from the bank using 67 phony loans taken out over a
three-year period.
Court documents revealed that the bogus loans were 90-day notes
requiring no collateral and ranging in amount from $10,000 to $63,500. Guisti
originated the loans; when each one matured, he would take out a new loan, or
rewrite the old one, to pay the principal and interest due. Some loans had been
rewritten five or six times.
The 67 loans were taken out by Guisti in five names, including
his wife’s maiden name, his father’s name, and the names of two friends. These
people denied receiving stolen funds or knowing anything about the
embezzlement. The fifth name was James Vanesse, who police said did not exist.
The Social Security number on Vanesse’s loan application was issued to a
female, and the phone number belonged to a North Providence auto dealer.
Lucy Fraioli, a customer service representative who cosigned the
checks, said Guisti was her supervisor and she thought nothing was wrong with
the checks, though she did not know any of the people. Marcia Perfetto, head
teller, told police she cashed checks for Guisti made out to four of the five
persons. Asked whether she gave the money to Guisti when he gave her checks to
cash, she answered, “Not all of the time,” though she could not recall ever
having given the money directly to any of the four, whom she did not know.
Guisti was authorized to make consumer loans up to a certain
dollar limit without loan committee approvals, which is a standard industry
practice. Guisti’s original lending limit was $10,000, the amount of his first
fraudulent loan. The dollar limit was later increased to $15,000 and then
increased again to $25,000. Some of the loans, including the one for $63,500,
far exceeded his lending limit. In addition, all loan applications should have
been accompanied by the applicant’s credit history report, purchased from an
independent credit rating firm. The loan taken out in the fictitious name would
not have had a credit report and should have been flagged by a loan review
clerk at the bank’s headquarters.
News reports raised questions about why the fraud was not
detected earlier. State regulators and the bank’s internal auditors failed to
detect the fraud. Several reasons were given for the failure to find the fraud
earlier. First, in checking for bad loans, bank auditors do not examine all
loans and generally focus on loans much larger than the ones in question.
Second, Greater Providence had recently dropped its computer services
arrangement with a local bank in favor of an out-of-state bank. This changeover
may have reduced the effectiveness of the bank’s control procedures. Third, the
bank’s loan review clerks were rotated frequently, making follow-up on
questionable loans more difficult.
Guisti was a frequent gambler and used the embezzled money to
pay gambling debts. The bank’s losses totaled $624,000, which was less than the
$1.83 million in bogus loans, because Guisti used a portion of the borrowed
money to repay loans as they came due. The bank’s bonding company covered the
loss.
The bank experienced other adverse publicity prior to the
fraud’s discovery. First, the bank was fined $50,000 after pleading guilty to
failure to report cash transactions exceeding $10,000, which is a felony.
Second, bank owners took the bank private after a lengthy public battle with
the State Attorney General, who alleged that the bank inflated its assets and
overestimated its capital surplus to make its balance sheet look stronger. The
bank denied this charge.
CHAPTER 8
INFORMATION SYSTEMS CONTROLS FOR SYSTEMS RELIABILITY – Part 1: Information Security
8.1
Explain why an organization would want to use all of the following information
security controls: firewalls, intrusion prevention systems, intrusion detection
systems, and a CIRT.
8.2 What are the
advantages and disadvantages of having the person responsible for information
security report directly to the chief information officer (CIO), who has
overall responsibility for all aspects of the organization’s information
systems?
8.3
Reliability is often included in service level agreements (SLAs)
when outsourcing. The toughest thing is to decide how much reliability is
enough. Consider an application like e-mail. If an organization outsources its
e-mail to a cloud provider, what is the difference between 95%, 99%, 99.99%,
and 99.9999% reliability?
8.4 What is the
difference between authentication and authorization?
8.5 What are the limitations, if any, of relying on the results of
penetration tests to assess the overall level of security?
8.6 Security awareness training is necessary to teach employees “safe
computing” practices. The key to effectiveness, however, is that it changes
employee behavior. How can organizations maximize the effectiveness of their
security awareness training programs?
8.7 What is the
relationship between COSO, COBIT, and the AICPA’s Trust Services frameworks?
8.1 Match the following terms with their definitions:
Term | Definition
1. Vulnerability | a. Code that corrects a flaw in a program.
2. Exploit | b. Verification of claimed identity.
3. Authentication | c. The firewall technique that filters traffic by comparing the information in packet headers to a table of established connections.
4. Authorization | d. A flaw or weakness in a program.
5. Demilitarized zone (DMZ) | e. A test to determine the time it takes to compromise a system.
6. Deep packet inspection | f. A subnetwork that is accessible from the Internet but separate from the organization’s internal network.
7. Router | g. The device that connects the organization to the Internet.
8. Social engineering | h. The rules (protocol) that govern routing of packets across networks.
9. Firewall | i. The rules (protocol) that govern the division of a large file into packets and subsequent reassembly of the file from those packets.
10. Hardening | j. An attack that involves deception to obtain access.
11. CIRT | k. A device that provides perimeter security by filtering packets.
12. Patch | l. The set of employees assigned responsibility for resolving problems and incidents.
13. Virtualization | m. Restricting the actions that a user is permitted to perform.
14. Transmission Control Protocol (TCP) | n. Improving security by removal or disabling of unnecessary programs and features.
15. Static packet filtering | o. A device that uses the Internet Protocol (IP) to send packets across networks.
16. Border router | p. A detective control that identifies weaknesses in devices or software.
17. Vulnerability scan | q. A firewall technique that filters traffic by examining the packet header of a single packet in isolation.
18. Penetration test | r. The process of applying code supplied by a vendor to fix a problem in that vendor’s software.
19. Patch management | s. Software code that can be used to take advantage of a flaw and compromise a system.
20. Cloud computing | t. A firewall technique that filters traffic by examining not just packet header information but also the contents of a packet.
 | u. The process of running multiple machines on one physical server.
 | v. An arrangement whereby a user remotely accesses software, hardware, or other resources via a browser.
8.2 Install and run the latest version of the Microsoft Baseline
Security Analyzer on your home computer or laptop. Write a report explaining
the weaknesses identified by the tool and how to best correct them. Attach a
copy of the MBSA output to your report.
8.3 The following table
lists the actions that various employees are permitted to perform:
8.4 Which preventive,
detective, and/or corrective controls would best mitigate the following
threats?
1. An employee’s laptop was
stolen at the airport. The laptop contained personally identifying information
about the company’s customers that could potentially be used to commit identity
theft.
2. A salesperson successfully
logged into the payroll system by guessing the payroll supervisor’s password.
3. A criminal remotely
accessed a sensitive database using the authentication credentials (user ID and
strong password) of an IT manager. At the time the attack occurred, the IT
manager was logged into the system at his workstation at company headquarters.
4. An employee received an
email purporting to be from her boss informing her of an important new attendance
policy. When she clicked on a link embedded in the email to view the new
policy, she infected her laptop with a keystroke logger.
5. A company’s programming
staff wrote custom code for the shopping cart feature on its web site. The code
contained a buffer overflow vulnerability that could be exploited when the
customer typed in the ship-to address.
6. A company purchased the
leading “off-the-shelf” e-commerce software for linking its electronic
storefront to its inventory database. A customer discovered a way to directly
access the back-end database by entering appropriate SQL code.
7. Attackers broke into the
company’s information system through a wireless access point located in one of
its retail stores. The wireless access point had been purchased and installed
by the store manager without informing central IT or security.
8. An employee picked up a USB
drive in the parking lot and plugged it into their laptop to “see what was on
it,” which resulted in a keystroke logger being installed on that laptop.
9. Once an attack on the
company’s website was discovered, it took more than 30 minutes to determine who
to contact to initiate response actions.
10. To facilitate working from
home, an employee installed a modem on his office workstation. An attacker
successfully penetrated the company’s system by dialing into that modem.
11. An attacker gained access
to the company’s internal network by installing a wireless access point in a
wiring closet located next to the elevators on the fourth floor of a high-rise
office building that the company shared with seven other companies.
8.5 What are
the advantages and disadvantages of the three types of authentication
credentials (something you know, something you have, and something you are)?
8.6 a. Apply the following data to evaluate the time-based
model of security for the XYZ Company. Does the XYZ Company satisfy the
requirements of the time-based model of security? Why?
§ Estimated time for attacker
to successfully penetrate system = 25 minutes
§ Estimated time to detect an
attack in progress and notify appropriate information security staff = 5
minutes (best case) to 10 minutes (worst case)
§ Estimated time to implement
corrective actions = 6 minutes (best case) to 20 minutes (worst case)
b. Which of the following security investments do you recommend? Why?
1. Invest $50,000 to increase the estimated time to penetrate the system by 4 minutes.
2. Invest $50,000 to reduce the time to detect an attack to between 2 minutes (best case) and 6 minutes (worst case).
3. Invest $50,000 to reduce the time required to implement corrective actions to between 4 minutes (best case) and 14 minutes (worst case).
8.7 Explain how the following items individually and collectively
affect the overall level of security provided by using a password as an
authentication credential.
a. Length
b. Complexity
requirements (which types of characters are required to be used: numbers,
alphabetic, case-sensitivity of alphabetic, special symbols like $ or !)
c. Maximum
password age (how often password must be changed)
d. Minimum
password age (how long a password must be used before it can be changed)
e. Maintenance
of password history (how many prior passwords does system remember to prevent
reselection of the same password when required to change passwords)
f. Account
lockout threshold (how many failed login attempts before the account is locked)
g. Time
frame during which account lockout threshold is applied (i.e., if lockout
threshold is five failed login attempts, time frame is whether those 5 failures
must occur within 15 minutes, 1 hour, 1 day, etc.).
h. Account
lockout duration (how long the account remains locked after exceeding the
maximum allowable number of failed login attempts)
8.8 The chapter briefly discussed the following three common attacks
against applications
a. Buffer overflows
b. SQL injection
c. Cross-site scripting
Required
Research each of these three attacks and write a report that
explains in detail how each attack actually works and that describes suggested
controls for reducing the risks that these attacks will be successful.
8.9 Physical security is
extremely important. Read the article “19 Ways to Build Physical Security into
a Data Center,” which appeared in the CSO Magazine November 2005. (You can find
the article at
www.csoonline.com/read/110105/datacenter.html).
Which methods would you expect to find used by almost any major
corporation?
Which might likely only be justified at a financial institution?
Case 8.1 Costs of
Preventive Security
Firewalls are one of the most fundamental and important security
tools. You are likely familiar with the software-based host firewall that you
use on your laptop or desktop. Such firewalls should also be installed on every
computer in an organization. However, organizations also need corporate-grade
firewalls, which are usually, but not always, dedicated special-purpose
hardware devices. Conduct some research to identify three different brands of
such corporate-grade firewalls and write a report that addresses the following
points:
§ Cost
§ Technique (deep packet
inspection, static packet filtering, or stateful packet filtering)
§ Ease of configuration and
use
Case 8.2 Developing an
Information Security Checklist
Design a checklist for assessing each of the 11 detailed
information security control objectives. The checklist should contain questions
to which a Yes response represents a control strength, a No response represents
a control weakness, plus a possible N/A response.
Provide a brief reason for asking each question. Organize your
checklist as follows:
Question | Yes | No | N/A | Reason for asking
1. Is there regular security awareness training? | | | | Training is one of the most important preventive controls because many security incidents happen due to either human error or social engineering.
CHAPTER 9
INFORMATION SYSTEMS CONTROLS FOR SYSTEMS RELIABILITY – Part 2: Confidentiality and Privacy
9.1 From the viewpoint of the customer, what are the advantages and
disadvantages to the opt-in versus the opt-out approaches to collecting
personal information? From the viewpoint of the organization desiring to
collect such information?
9.2 What risks, if any, does offshore outsourcing of various
information systems functions pose to satisfying the principles of
confidentiality and privacy?
9.3 Should
organizations permit personal use of e-mail systems by employees during working
hours?
9.4 What
privacy concerns might arise from the use of biometric authentication
techniques? What about the embedding of RFID tags in products such as clothing?
What other technologies might create privacy concerns?
9.5 What do you
think an organization’s duty or responsibility should be to protect the privacy
of its customers’ personal information? Why?
9.6 Assume you
have interviewed for a job online and now receive an offer of employment. The
job requires you to move across the country. The company sends you a digital
signature along with the contract. How does this provide you with enough
assurance to trust the offer so that you are willing to make the move?
9.1 Match the terms with
their definitions:
Virtual Private Network (VPN) | a. A hash encrypted with the creator’s private key.
Data Loss Prevention (DLP) | b. A company that issues pairs of public and private keys and verifies the identity of the owner of those keys.
Digital signature | c. A secret mark used to identify proprietary information.
Digital certificate | d. An encrypted tunnel used to transmit information securely across the Internet.
Data masking | e. Replacing real data with fake data.
Symmetric encryption | f. Unauthorized use of facts about another person to commit fraud or other crimes.
Spam | g. The process of turning ciphertext into plaintext.
Plaintext | h. Unwanted e-mail.
Hashing | i. A document or file that can be read by anyone who accesses it.
Ciphertext | j. Used to store an entity’s public key, often found on web sites.
Information rights management (IRM) | k. A procedure to filter outgoing traffic to prevent confidential information from leaving.
Certificate authority | l. A process that transforms a document or file into a fixed length string of data.
Non-repudiation | m. A document or file that must be decrypted to be read.
Digital watermark | n. A copy of an encryption key stored securely to enable decryption if the original encryption key becomes unavailable.
Asymmetric encryption | o. An encryption process that uses a pair of matched keys, one public and the other private. Either key can encrypt something, but only the other key in that pair can decrypt it.
Key escrow | p. An encryption process that uses the same key to both encrypt and decrypt.
 | q. The inability to unilaterally deny having created a document or file or having agreed to perform a transaction.
 | r. Software that limits what actions (read, copy, print, etc.) that users granted access to a file or document can perform.
9.2 Cost-effective
controls to provide confidentiality require valuing the information that is to
be protected. This involves classifying information into discrete categories.
Propose a minimal classification scheme that could be used by any business, and
provide examples of the type of information that would fall into each of those
categories.
9.3 Download a hash calculator that can create hashes for both files
and text input. Use it to create SHA-256 (or any other hash algorithm your
instructor assigns) hashes for the following:
a. A document that contains this text: “Congratulations! You
earned an A+”
b. A document that contains this text: “Congratulations! You
earned an A-”
c. A document that contains this text: “Congratulations! You
earned an a-”
d. A document that contains this text: “Congratulations! You
earned an A+” (this message contains two spaces between the exclamation point
and the capital letter Y).
e. Make a copy of the document used in step a, and calculate its
hash value.
f. Hash any multiple-page text file on your computer.
9.4 Accountants often need to print financial statements with the
words “CONFIDENTIAL” or “DRAFT” appearing in light type in the background.
a. Create a watermark with the word “CONFIDENTIAL” in a Word
document. Print out a document that displays that watermark.
b. Create the same watermark in Excel and print out a spreadsheet
page that displays that watermark.
c. Can you make your
watermark “invisible” so that it can be used to detect whether a document
containing sensitive information has been copied to an unauthorized location?
How? How could you use that “invisible” watermark to detect violation of
copying policy?
9.5 Create a spreadsheet to compare current monthly mortgage payments
versus the new monthly payments if the loan were refinanced, as shown (you will
need to enter formulas into the two cells with solid borders like a box: D9 and
D14)
a. Restrict access to the spreadsheet by encrypting it.
b. Further protect the spreadsheet by limiting users to only being able to select and enter data in the six cells without borders.
9.6 Research the information rights
management software that may be available for your computer. What are its
capabilities for limiting access rights? Write a report of your findings.
Optional: If you can download and install IRM software, use it to
prevent anyone from being able to copy or print your report.
9.7 The principle of
confidentiality focuses on protecting an organization’s intellectual property.
The flip side of the issue is ensuring that employees respect the intellectual
property of other organizations. Research the topic of software piracy and
write a report that explains:
a. What software piracy is.
b. How organizations attempt to prevent their employees from
engaging in software piracy.
c. How software piracy violations are discovered.
d. The consequences to both individual employees and to
organizations who commit software piracy.
9.8 Practice encryption.
Required:
a. Use your computer operating system’s built-in encryption capability to encrypt a file.
In Windows, if you are working with an open document, you can
encrypt it by choosing that option under the “Prepare” menu:
b. TrueCrypt is one of several free software programs
that can be used to encrypt files stored on a USB drive. Download and install a
copy of TrueCrypt (or another program recommended by your professor). Use it to
encrypt some files on a USB drive. Compare its functionality to that of the
built-in encryption functionality provided by your computer’s operating system.
9.9 Research the problem of
identity theft and write a report that explains:
a. Whether the problem of identity theft is increasing or
decreasing
b. What kind of identity theft protection services or
insurance products are available. Compare and contrast at least two products.
9.10 Certificate authorities are an important
part of a public key infrastructure (PKI). Research at least two certificate
authorities and write a report that explains the different types of digital
certificates that they offer.
9.11 Obtain a copy of COBIT (available at www.isaca.org) and read the control objectives that relate to encryption (DS5.8
and DS5.11). What are the essential control procedures that organizations
should implement when using encryption?
SUGGESTED SOLUTIONS TO THE CASES
Case 9-1 Protecting Privacy of Tax Returns
The department of taxation in your state is developing a new
computer system for processing individual and corporate income-tax returns. The
new system features direct data input and inquiry capabilities. Identification
of taxpayers is provided by using the Social Security number for individuals
and federal tax identification number for corporations. The new system should
be fully implemented in time for the next tax season.
The new system will serve three primary purposes:
1 Data will either be automatically input
directly into the system if the taxpayer files electronically or by a clerk at
central headquarters scanning a paper return received in the mail.
2 The returns will be processed using the main
computer facilities at central headquarters. Processing will include four
steps:
a. Verifying mathematical accuracy
b. Auditing the reasonableness of deductions, tax due,
and so on, through the use of edit routines, which also include a comparison of
current and prior years’ data.
c. Identifying returns that should be considered for
audit by department revenue agents
d. Issuing refund checks to taxpayers
3 Inquiry services. A taxpayer will be allowed
to determine the status of his or her return or get information from the last
three years’ returns by calling or visiting one of the department’s regional
offices, or by accessing the department’s web site and entering their social
security number.
The state commissioner of taxation and the state attorney general
are concerned about protecting the privacy of personal information submitted by
taxpayers. They want to have potential problems identified before the system is fully developed and
implemented so that the proper controls can be incorporated into the new
system.
Required
Describe the potential privacy problems that could arise in each
of the following three areas of processing, and recommend the corrective
action(s) to solve each problem identified:
a. Data input
b. Processing of returns
c. Data inquiry
Case 9-2 Generally Accepted Privacy Principles
Obtain the practitioner’s version of Generally Accepted Privacy
Principles from the AICPA’s web site (www.aicpa.org). You will find it
located under professional resources and then information technology. Use it to
answer the following questions:
1. What is the difference between confidentiality and privacy?
2. How many categories of personal information exist? Why?
3. In terms of the principle of choice and consent, what does GAPP recommend concerning opt-in versus opt-out?
4. Can organizations outsource their responsibility for privacy?
5. What does principle 1 state concerning top management’s and the Board of Directors’ responsibility for privacy?
6. What does principle 1 state concerning the use of customers’ personal information when testing new applications?
7. Obtain a copy of your university’s privacy policy statement. Does it satisfy GAPP criterion 2.2.3? Why?
8. What does GAPP principle 3 say about the use of cookies?
9. What are some examples of practices that violate management criterion 4.2.2?
10. What does management criterion 5.2.2 state concerning retention of customers’ personal information? How can organizations satisfy this criterion?
11. What does management criterion 5.2.3 state concerning the disposal of personal information? How can organizations satisfy this criterion?
12. What does management criterion 6.2.2 state concerning access? What controls should organizations use to achieve this objective?
13. According to GAPP principle 7, what should organizations do if they wish to share personal information they collect with a third party?
14. What does GAPP principle 8 state concerning the use of encryption?
15. What is the relationship between GAPP principles 9 and 10?
CHAPTER 10
INFORMATION SYSTEMS CONTROLS FOR SYSTEMS RELIABILITY – PART 3: PROCESSING INTEGRITY AND AVAILABILITY
10.1 Two ways to create processing integrity controls in Excel
spreadsheets are to use the built-in Data Validation tool or to write custom
code with IF statements. What are the relative advantages and disadvantages of
these two approaches?
10.2 What is the difference between using check digit verification and
a validity check to test the accuracy of an account number entered on a
transaction record?
10.3 For each of the three basic options for replacing IT
infrastructure (cold sites, hot sites, and real-time mirroring) give an example
of an organization that could use that approach as part of its DRP.
Be prepared to defend your answer.
10.4 Use the numbers
10–19 to show why transposition errors are always divisible by 9.
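A worked derivation, added here and not part of the textbook's question, of why swapping two adjacent digits always changes a number by a multiple of 9; it covers the numbers 10 through 19 asked for and then the general case:

Let a two-digit number have tens digit $a$ and units digit $b$, so its value is $10a + b$. Transposing the digits gives $10b + a$, and the resulting error is
$$
(10a + b) - (10b + a) = 9a - 9b = 9(a - b).
$$
For $10$ through $19$, $a = 1$, so the error is $9(1 - b)$: $12 \to 21$ gives $|12 - 21| = 9$, $19 \to 91$ gives $|19 - 91| = 72 = 9 \cdot 8$, and $11 \to 11$ gives $0$, which is also divisible by 9. In general, swapping the digits $a$ and $b$ at positions $k+1$ and $k$ of any number changes its value by
$$
\left(10^{k+1} a + 10^{k} b\right) - \left(10^{k+1} b + 10^{k} a\right) = 9 \cdot 10^{k} (a - b),
$$
which is why a batch total discrepancy that is evenly divisible by 9 points to a transposition error.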
10.5 What are some business processes for which an organization might
use batch processing?
10.6 Why do you
think that surveys continue to find that a sizable percentage of organizations
either do not have formal disaster recovery and business continuity plans or
have not tested and revised those plans for more than a year?
10.1 Match the following terms with their
definitions:
1. Business continuity plan (BCP) | a. A file used to store information for long periods of time.
2. Completeness check | b. A plan that describes how to resume IT functionality after a disaster.
3. Hash total | c. An application control that verifies that the quantity ordered is greater than 0.
4. Incremental daily backup | d. A control that verifies that all data was transmitted correctly by counting the number of odd or even bits.
5. Archive | e. An application control that tests whether a customer is 18 or older.
6. Field check | f. A daily backup plan that copies all changes since the last full backup.
7. Sign check | g. A disaster recovery plan that contracts for use of an alternate site that has all necessary computing and network equipment, plus Internet connectivity.
8. Change control | h. A disaster recovery plan that contracts for use of another company’s information system.
9. Cold site | i. A disaster recovery plan that contracts for use of an alternate site that is pre-wired for Internet connectivity but has no computing or network equipment.
10. Limit check | j. An application control that ensures that a customer’s ship-to address is entered in a sales order.
11. Zero-balance test | k. An application control that makes sure an account does not have a balance after processing.
12. Recovery point objective (RPO) | l. An application control that compares the sum of a set of columns to the sum of a set of rows.
13. Recovery time objective (RTO) | m. A measure of the length of time that an organization is willing to function without its information system.
14. Record count | n. The amount of data an organization is willing to re-enter or possibly lose in the event of a disaster.
15. Validity check | o. A batch total that does not have any intrinsic meaning.
16. Check digit verification | p. A batch total that represents the number of transactions processed.
17. Closed-loop verification | q. An application control that validates the correctness of one data item in a transaction record by comparing it to the value of another data item in that transaction record.
18. Parity checking | r. An application control that verifies that an account number entered in a transaction record matches an account number in the related master file.
19. Reasonableness test | s. A plan that describes how to resume business operations after a major calamity, like Hurricane Katrina, that destroys not only an organization’s data center but also its headquarters.
20. Financial total | t. A data-entry application control that verifies the accuracy of an account number by recalculating the last number as a function of the preceding numbers.
21. Turnaround document | u. A daily backup procedure that copies only the activity that occurred on that particular day.
 | v. A data-entry application control that could be used to verify that only numeric data is entered into a field.
 | w. A plan to ensure that modifications to an information system do not reduce its security.
 | x. A data-entry application control that displays the value of a data item and asks the user to verify that the system has accessed the correct record.
 | y. A batch total that represents the total dollar value of a set of transactions.
 | z. A document sent to an external party and subsequently returned so that preprinted data can be scanned rather than manually reentered.
10.2 Excel Problem
Enter the following data into a spreadsheet and then perform the
following tasks:
Employee Number | Pay rate | Hours worked | Gross Pay | Deductions | Net pay
12355 | 10.55 | 38 | 400.90 | 125.00 | 275.90
2178g | 11.00 | 40 | 440.00 | 395.00 | 45.00
24456 | 95.00 | 90 | 8550.00 | 145.00 | 8405.00
34567 | 10.00 | 40 | 400.00 | 105.00 | 505.00
a. Calculate examples of these batch totals:
§ A hash total
§ A financial total
§ A record count
b. Assume the following rules govern normal data:
§ Employee numbers are five digits in length and range from 10000 through 99999.
§ Maximum pay rate is $25, and minimum is $9.
§ Hours worked should never exceed 40.
§ Deductions should never exceed 40% of gross pay.
Give a specific example of an error or probable error in the data set that each of the following controls would detect:
§ Field check
§ Limit check
§ Reasonableness test
§ Cross-footing balance test
c. Create a control procedure that would prevent, or at least detect, each of the errors in the data set.
§ Employee number not numeric
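As an added example that is not part of the textbook or this problem set, the three batch totals from part a and the four edit controls from part b, implemented in Python over the four payroll records in the table above. It assumes that a non-numeric employee number is left out of the hash total and reported by the field check instead.

```python
from decimal import Decimal

# The four payroll records from problem 10.2, in the column order of the table.
# Values stay as strings because "2178g" is not a valid number and the edit
# checks must report that rather than crash on it.
PAYROLL_BATCH = [
    # (employee number, pay rate, hours worked, gross pay, deductions, net pay)
    ("12355", "10.55", "38", "400.90", "125.00", "275.90"),
    ("2178g", "11.00", "40", "440.00", "395.00", "45.00"),
    ("24456", "95.00", "90", "8550.00", "145.00", "8405.00"),
    ("34567", "10.00", "40", "400.00", "105.00", "505.00"),
]

# Rules for normal data stated in part b of the problem.
MIN_EMPLOYEE, MAX_EMPLOYEE = 10000, 99999
MIN_RATE, MAX_RATE = Decimal("9"), Decimal("25")
MAX_HOURS = Decimal("40")
MAX_DEDUCTION_SHARE = Decimal("0.40")


def batch_totals(batch):
    """Part a: (record count, financial total of net pay, hash total of employee numbers).

    Assumption made here: a non-numeric employee number cannot be summed into
    the hash total, so it is skipped; edit_checks() reports it as a field-check
    failure so the omission is never silent.
    """
    record_count = len(batch)
    financial_total = sum(Decimal(r[5]) for r in batch)
    hash_total = sum(int(r[0]) for r in batch if r[0].isdigit())
    return record_count, financial_total, hash_total


def edit_checks(record):
    """Part b: input edit controls applied to one record.

    Returns a list of (control name, message) findings; an empty list means the
    record passed every check.
    """
    emp, rate, hours, gross, ded, net = record
    findings = []

    # Field check: the employee number must consist of digits only.
    if not emp.isdigit():
        findings.append(("field check", f"employee number {emp!r} is not numeric"))
    # Limit check on the numeric employee number range (only meaningful if numeric).
    elif not MIN_EMPLOYEE <= int(emp) <= MAX_EMPLOYEE:
        findings.append(("limit check", f"employee number {emp} outside 10000-99999"))

    rate_d, hours_d = Decimal(rate), Decimal(hours)
    gross_d, ded_d, net_d = Decimal(gross), Decimal(ded), Decimal(net)

    # Limit checks: pay rate within $9-$25, hours worked never above 40.
    if not MIN_RATE <= rate_d <= MAX_RATE:
        findings.append(("limit check", f"pay rate {rate} outside $9-$25"))
    if hours_d > MAX_HOURS:
        findings.append(("limit check", f"hours worked {hours} exceed 40"))

    # Reasonableness test: deductions should never exceed 40% of gross pay.
    if ded_d > gross_d * MAX_DEDUCTION_SHARE:
        findings.append(("reasonableness test", f"deductions {ded} exceed 40% of gross {gross}"))

    # Row foot: gross pay minus deductions must equal the net pay that was entered.
    if gross_d - ded_d != net_d:
        findings.append(("cross-footing test", f"gross {gross} minus deductions {ded} is not net {net}"))

    return findings


def cross_footing_difference(batch):
    """Cross-footing balance test over the whole batch: the net pay column total
    must equal the gross pay column total minus the deductions column total.
    Returns the discrepancy; 0 means the batch foots."""
    gross_total = sum(Decimal(r[3]) for r in batch)
    ded_total = sum(Decimal(r[4]) for r in batch)
    net_total = sum(Decimal(r[5]) for r in batch)
    return net_total - (gross_total - ded_total)


def review_batch(batch):
    """Run every edit check; returns {employee number: findings} for failing records only."""
    failures = {}
    for record in batch:
        findings = edit_checks(record)
        if findings:
            failures[record[0]] = findings
    return failures


if __name__ == "__main__":
    count, financial, hashed = batch_totals(PAYROLL_BATCH)
    print(f"record count={count} financial total={financial} hash total={hashed}")
    print(f"cross-footing discrepancy={cross_footing_difference(PAYROLL_BATCH)}")
    for emp, findings in review_batch(PAYROLL_BATCH).items():
        for control, message in findings:
            print(f"{emp}: {control}: {message}")
```

The batch fails to cross-foot by exactly 210.00, which is the 505.00 net pay entered for employee 34567 against the 295.00 that its own row computes.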
10.3 Excel Problem
The Moose Wings Cooperative Flight Club owns a number of airplanes and gliders. It serves fewer than 2,000 members, who are numbered sequentially from the founder, Tom Eagle (0001), to the newest member, Jacques Noveau (1368). Members rent the flying machines by the hour, and all must be returned on the same day. The following six records were among those entered for the flights taken on September 1, 2010:
Member # | Flight Date MM/DD/YY | Plane Used | Takeoff time | Landing time
1234 | 09/10/10 | G | 6:25 | 8:46
4111 | 09/01/10 | C | 8:49 | 10:23
1210 | 09/01/10 | P | 3:42 | 5:42
0023 | 09/01/10 | X | 1:59 | 12:43
012A | 09/01/10 | P | 12:29 | 15:32
0999 | 09/01/10 | L | 15:31 | 13:45
Valid plane codes (Plane Used column): C = Cessna, G = glider, L = Lear Jet, P = Piper Cub
a. Identify and describe any errors in the data.
b. For each of the five data fields, suggest one or more input edit controls that could be used to detect input errors.
c. Enter the data in a spreadsheet and create appropriate controls to prevent or at least detect the input errors.
d. Suggest other controls to minimize the risk of input errors.
10.4 The first column in Table 10-3
lists transaction amounts that have been summed to obtain a batch total.
Assume that all data in the first column are correct. Cases a through d each
contain an input error in one record, along with a batch total computed from
that set of records.
For each case (a-d), compute the difference between the correct
and erroneous batch totals and explain how this difference could help identify
the cause of the error.
10.5 Excel Problem
Create a spreadsheet with the following columns:
§ Plaintext character
§ ASCII code (7-bit binary number)
§ First bit
§ Second bit
§ Third bit
§ Fourth bit
§ Fifth bit
§ Sixth bit
§ Seventh bit
§ Number of bits with value = 1
§ Parity bit for odd parity coding
§ Parity bit for even parity coding
a. Enter the 26 letters a-z (lowercase) and the ten digits (0-9) in the plaintext column.
b. The ASCII column should convert the plaintext character to the binary code used by your computer.
c. The next seven columns should each display one bit of the ASCII code, beginning with the leftmost digit. (Hint: Excel provides text functions that can select individual characters from a string.)
d. The tenth column should sum the number of bits that have the value ‘1’. (Hint: the text functions used to populate columns 3-9 return a text string that you will need to convert to a numeric value.)
e. The eleventh column should have a 1 if the number in the tenth column is odd and 0 if the number in the tenth column is even.
f. The twelfth column should have a 1 if the number in the tenth column is even and a 0 if the number in the tenth column is odd.
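The twelve columns of problem 10.5 built in Python, as an added worked example that is not part of the textbook exercise. It also shows what the parity bit buys a receiver: a single flipped bit is detected, two flipped bits are not, which is why parity is a transmission-error control and not an integrity control against deliberate tampering. The parity bits here follow the conventional definition (assumed: the bit is chosen so that the total number of 1s, parity bit included, is odd for odd parity and even for even parity); parts e and f above define the column directly from the count, so check which convention your instructor expects.

```python
import string

# Constructed plaintext set from the exercise: lowercase a-z and digits 0-9
PLAINTEXT = string.ascii_lowercase + string.digits


def ascii7(ch):
    """Seven-bit ASCII code of one character as a '0'/'1' string, leftmost bit first."""
    code = ord(ch)
    if not 0 <= code < 128:
        raise ValueError(f"{ch!r} is not a 7-bit ASCII character")
    return format(code, "07b")


def parity_bits(bits):
    """Return (count_of_ones, odd_parity_bit, even_parity_bit) for a bit string.

    Conventional definition (assumed here): the parity bit makes the total
    number of 1 bits, parity bit included, odd (odd parity) or even (even parity).
    """
    ones = bits.count("1")
    even_bit = ones % 2        # 1 when the data already holds an odd number of ones
    odd_bit = 1 - even_bit
    return ones, odd_bit, even_bit


def parity_row(ch):
    """One spreadsheet row: character, code, the seven bits, the count, and both parity bits."""
    bits = ascii7(ch)
    ones, odd_bit, even_bit = parity_bits(bits)
    return {
        "char": ch,                        # column 1
        "ascii": bits,                     # column 2
        "bits": [int(b) for b in bits],    # columns 3-9
        "ones": ones,                      # column 10
        "odd_parity": odd_bit,             # column 11
        "even_parity": even_bit,           # column 12
    }


def parity_table():
    return [parity_row(ch) for ch in PLAINTEXT]


def encode_even(ch):
    """Data bits followed by an even-parity bit, as the byte would travel on the wire."""
    bits = ascii7(ch)
    return bits + str(parity_bits(bits)[2])


def even_parity_ok(word):
    """Receiver-side check: a word sent with even parity must contain an even number of 1s."""
    return word.count("1") % 2 == 0


def flip(word, *positions):
    """Simulate transmission errors by inverting the bits at the given positions."""
    chars = list(word)
    for p in positions:
        chars[p] = "1" if chars[p] == "0" else "0"
    return "".join(chars)


if __name__ == "__main__":
    for row in parity_table():
        print(row["char"], row["ascii"], row["ones"], row["odd_parity"], row["even_parity"])
    word = encode_even("a")
    print(word, even_parity_ok(word), even_parity_ok(flip(word, 0)), even_parity_ok(flip(word, 0, 1)))
```

For the letter a (ASCII 1100001, three 1 bits) the even-parity bit is 1 and the odd-parity bit is 0; flipping one bit of the transmitted word 11000011 fails the receiver's check, flipping two bits passes it.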
10.6 The ABC Company is considering the following options for its backup plan:
1. Daily full backups:
§ Time to perform backup = 60 minutes
§ Size of backup = 50 GB
§ Time to restore from backup = 30 minutes
2. Weekly full backups plus daily incremental backup:
§ Same time, storage, and restoration as above to do a weekly backup on Friday, plus
§ Time to perform daily backup = 10 minutes
§ Size of daily backup = 10 GB
§ Time to restore each daily backup file = 5 minutes
3. Weekly full backups plus daily differential backup:
§ Same time, storage, and restoration as above to do a weekly backup on Friday, plus
§ Time to perform daily backup = 10 minutes first day, growing by 5 minutes each day thereafter
§ Size of daily backup = 10 GB first day, growing by 10 GB each day
§ Time to restore differential backup file = 5 minutes first day, increasing by 2 minutes each subsequent day
Which approach would you recommend? Why?
10.7 Which control(s) would best mitigate the following threats?
a. The hours worked field in a payroll transaction record contained the value 400 instead of 40. As a result, the employee received a paycheck for $6,257.24 instead of $654.32.
b. The accounts receivable file was destroyed because it was accidentally used to update accounts payable.
c. During processing of customer payments, the digit 0 in a payment of $204 was mistakenly typed as the letter “O.” As a result, the transaction was not processed correctly and the customer erroneously received a letter that the account was delinquent.
d. A salesperson mistakenly entered an online order for 50 laser printers instead of 50 laser printer toner cartridges.
e. A 20-minute power brownout caused a mission-critical database server to crash, shutting down operations temporarily.
f. A fire destroyed the data center, including all backup copies of the accounts receivable files.
g. After processing sales transactions, the inventory report showed a negative quantity on hand for several items.
h. A customer order for an important part did not include the customer’s address. Consequently, the order was not shipped on time and the customer called to complain.
i. When entering a large credit sale, the clerk typed in the customer’s account number as 45982 instead of 45892. That account number did not exist. The mistake was not caught until later in the week when the weekly billing process was run. Consequently, the customer was not billed for another week, delaying receipt of payment.
i. A visitor to the company’s Web site entered 400 characters into the five-digit Zip code field, causing the server to crash.
j. Two traveling sales representatives accessed the parts database at the same time. Salesperson A noted that there were still 55 units of part 723 available and entered an order for 45 of them. While salesperson A was keying in the order, salesperson B, in another state, also noted the availability of 55 units for part 723 and entered an order for 33 of them. Both sales reps promised their customer next-day delivery. Salesperson A’s customer, however, learned the next day that the part would have to be back-ordered. The customer canceled the sale and vowed to never again do business with the company.
k. The warranty department manager was upset because special discount coupons were mailed to every customer who had purchased the product within the past 3 years, instead of to only those customers who had purchased the product within the past 3 months.
The clerk entering details about a large credit sale mistakenly typed in a nonexistent account number. Consequently, the company never received payment for the items.
l. A customer filled in the wrong account number on the portion of the invoice being returned with payment. Consequently, the payment was credited to another customer’s account.
m. A batch of 73 time sheets was sent to the payroll department for weekly processing. Somehow, one of the time sheets did not get processed. The mistake was not caught until payday, when one employee complained about not receiving a paycheck.
q. Sunspot activity resulted in the loss of some data being sent to the regional office. The problem was not discovered until several days later when managers attempted to query the database for that information.
10.8 MonsterMed Inc. (MMI) is an online
pharmaceutical firm. MMI has a small systems staff that designs and writes
MMI’s customized software. The data center is installed in the basement of its
two-story headquarters building. The data center is equipped with halon-gas
fire suppression equipment and an uninterruptible power supply system.
The computer operations staff works a two-shift schedule, five
days per week. MMI’s programming staff, located in the same building, has access
to the data center and can test new programs and program changes when the
operations staff is not available. Programmers make changes in response to oral
requests by employees using the system. Since the programming staff is small
and the work demands have increased, systems and programming documentation is
developed only when time is available. Backups are made whenever time permits.
The backup files are stored in a locked cabinet in the data center.
Unfortunately, due to several days of heavy rains, MMI’s building recently
experienced serious flooding that destroyed not only the computer hardware but
also all the data and program files that were on-site.
a. Identify at least five weaknesses in MonsterMed Inc.’s backup
and DRP procedures.
b. Evaluate change controls at MonsterMed Inc.
10.9 Excel Problem
Create data validation rules in a spreadsheet to perform each of the following controls:
a. Limit check – that values in the cell are < 70
b. Range check – that values in the cell are between 15 and 65
c. Sign check – that values in the cell are positive
d. Field check – that values in a cell are only numeric
e. Size check – that cell accepts no more than 40 characters of text
f. Reasonableness check – that cell’s value is less than 75% of cell to its left
g. Validity check – that a value exists in a list of allowable values
10.10 Excel Problem
Creating and testing check digits.
a. Create a spreadsheet that will take as input a five-digit account number and calculate a check digit using this formula: (5 x left-most digit + 4 x next digit + 3 x third digit + 2 x fourth digit + fifth digit) modulus division by 7. (Modulus division returns the remainder – for example: 11 modulus division by 3 = 2.) The check digit then becomes the 6th (right-most) digit in the account number. Your spreadsheet should look like this:
b. Add another panel to the spreadsheet that takes as input a six-digit account number and uses the check digit formula in part a to test whether or not the account number is valid. Your solution should look like this:
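Both panels of problem 10.10 in Python, as an added worked example that is not part of the textbook exercise: the weighted-sum-mod-7 check digit from part a, the validation from part b, and a small search that shows which single-digit substitutions this particular scheme cannot catch (a change of 7 in a digit whose weight times 7 is a multiple of the modulus leaves the remainder unchanged). The account numbers used are constructed.

```python
WEIGHTS = (5, 4, 3, 2, 1)   # applied left to right to the five account digits
MODULUS = 7


def check_digit(account5):
    """Check digit for a five-digit account number, using the exercise's formula."""
    if len(account5) != 5 or not account5.isdigit():
        raise ValueError("account number must be exactly five digits")
    weighted = sum(w * int(d) for w, d in zip(WEIGHTS, account5))
    return weighted % MODULUS      # always 0-6, so it fits in one digit


def with_check_digit(account5):
    """Part a: append the check digit as the sixth, right-most digit."""
    return account5 + str(check_digit(account5))


def is_valid(account6):
    """Part b: recompute the check digit from the first five digits and compare with the sixth."""
    if len(account6) != 6 or not account6.isdigit():
        return False
    return check_digit(account6[:5]) == int(account6[5])


def single_digit_errors_missed(account5):
    """List the six-digit numbers that differ from the valid one in exactly one of the
    first five digits and still pass validation. A change of delta in the digit at
    weight w moves the weighted sum by w*delta; when that is a multiple of 7 the
    check digit does not change, so the error goes undetected."""
    missed = []
    good = with_check_digit(account5)
    for pos in range(5):
        for d in "0123456789":
            if d == account5[pos]:
                continue
            candidate = account5[:pos] + d + account5[pos + 1:] + good[5]
            if is_valid(candidate):
                missed.append(candidate)
    return missed


if __name__ == "__main__":
    print(with_check_digit("12345"))                      # constructed input
    print(is_valid("123450"), is_valid("123460"), is_valid("213450"))
    print(single_digit_errors_missed("12345"))
```

For the constructed input 12345 the weighted sum is 35, the check digit is 0 and the stored number is 123450; a mistyped fifth digit (123460) and a transposition of the first two digits (213450) are both rejected, but 823450 and 193450 are accepted, because 1→8 at weight 5 and 2→9 at weight 4 each shift the sum by a multiple of 7. A modulus of 10 or 11 with the same weights would shrink that blind spot, which is the trade-off a designer of this control weighs.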
10.11 For each of the following scenarios, determine whether the company’s current backup procedures enable it to meet its recovery objectives and explain why:
a. Scenario 1:
§ Recovery point objective = 24 hours
§ Daily backups at 3:00 am, process takes 2 hours
§ Copy of backup tapes picked up daily at 8:00 am for storage off-site
b. Scenario 2: Company makes daily incremental backups Monday-Saturday at 7:00 pm each night. Company makes full backup weekly, on Sunday at 1:00 pm.
§ Recovery time objective = 2 hours
§ Time to do full backup = 3 hours
§ Time to restore from full backup = 1 hour
§ Time to make incremental daily backup = 1 hour
§ Time to restore each incremental daily backup = 30 minutes
c. Scenario 3: Company makes daily differential backups Monday-Friday at 8:00 pm each night. Company makes full backup weekly, on Saturdays, at 8:00 am.
§ Recovery time objective = 6 hours
§ Time to do full backup = 4 hours
§ Time to restore from full backup = 3 hours
§ Time to do differential daily backups = 1 hour on Monday, increasing by 30 minutes each successive day
§ Time to restore differential daily backup = 30 minutes for Monday, increasing by 15 minutes each successive day
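The arithmetic behind problems 10.6 and 10.11, as one added worked example in Python that is not part of the textbook exercises. It reduces each backup plan to three figures a practitioner actually compares (minutes spent backing up per cycle, media written per cycle, and the worst-case restore time, which is what an RTO constrains) and then applies the same restore-chain logic to the 10.11 scenarios. Assumptions made here: for 10.6, six daily backups between the Friday fulls; for 10.11 scenario 2, the worst case is a failure on Sunday before the 1:00 pm full, with all six incrementals to replay; for scenario 3, a failure after Friday’s differential; for scenario 1, the worst case is a disaster that destroys the site, and the tape still on it, just before the 8:00 am pickup.

```python
def arithmetic_series(first, step, n):
    """Daily figures that start at `first` and grow by `step` each day (n days)."""
    return [first + step * i for i in range(n)]


def cycle_total(kind, full_amount, first, step, n_dailies):
    """Sum of a per-backup quantity (minutes or GB) over one cycle: one full backup
    plus n daily backups. With daily fulls every day is a full backup."""
    if kind == "full":
        return full_amount * (n_dailies + 1)
    return full_amount + sum(arithmetic_series(first, step, n_dailies))


def worst_case_restore(kind, full_restore, first, step, n_dailies):
    """Restore time when the failure happens just before the next full backup."""
    if kind == "full" or n_dailies == 0:
        return full_restore
    dailies = arithmetic_series(first, step, n_dailies)
    if kind == "incremental":
        return full_restore + sum(dailies)   # every daily file since the full must be replayed, in order
    if kind == "differential":
        return full_restore + dailies[-1]    # only the most recent differential is needed
    raise ValueError(f"unknown backup kind {kind!r}")


DAILIES_PER_WEEK = 6   # assumption for 10.6: six daily backups between Friday fulls


def compare_10_6():
    """(backup minutes, GB written, worst-case restore minutes) for the three ABC options."""
    return {
        "daily full": (
            cycle_total("full", 60, 0, 0, DAILIES_PER_WEEK),
            cycle_total("full", 50, 0, 0, DAILIES_PER_WEEK),
            worst_case_restore("full", 30, 0, 0, DAILIES_PER_WEEK)),
        "weekly full + incremental": (
            cycle_total("incremental", 60, 10, 0, DAILIES_PER_WEEK),
            cycle_total("incremental", 50, 10, 0, DAILIES_PER_WEEK),
            worst_case_restore("incremental", 30, 5, 0, DAILIES_PER_WEEK)),
        "weekly full + differential": (
            cycle_total("differential", 60, 10, 5, DAILIES_PER_WEEK),
            cycle_total("differential", 50, 10, 10, DAILIES_PER_WEEK),
            worst_case_restore("differential", 30, 5, 2, DAILIES_PER_WEEK)),
    }


def meets_rto(kind, full_restore, first, step, n_dailies, rto_minutes):
    """True when even the longest restore chain finishes inside the recovery time objective."""
    return worst_case_restore(kind, full_restore, first, step, n_dailies) <= rto_minutes


def worst_case_data_loss_hours(backup_interval_hours, offsite_delay_hours):
    """Scenario 1 of 10.11: if the site (and the tape still on it) is lost just before
    the courier pickup, the newest surviving copy is the previous day's, so the loss is
    one full interval plus the hours the tape waited on-site."""
    return backup_interval_hours + offsite_delay_hours


if __name__ == "__main__":
    for name, (mins, gb, restore) in compare_10_6().items():
        print(f"{name:28s} backup {mins:4d} min, {gb:4d} GB written, worst restore {restore:3d} min")
    # 10.11 scenario 2: full restore 1 h, six 30-minute incrementals, RTO 2 h
    print("scenario 2 meets RTO:", meets_rto("incremental", 60, 30, 0, 6, 120))
    # 10.11 scenario 3: full restore 3 h, Friday differential 30 + 4*15 min, RTO 6 h
    print("scenario 3 meets RTO:", meets_rto("differential", 180, 30, 15, 5, 360))
    # 10.11 scenario 1: backups every 24 h, tapes leave the building 5 h later, RPO 24 h
    print("scenario 1 worst-case loss (h):", worst_case_data_loss_hours(24, 5))
```

Under these assumptions the 10.6 options come out at 420 min/350 GB/30 min (daily full), 120 min/110 GB/60 min (incremental) and 195 min/260 GB/45 min (differential), which is the time-versus-storage-versus-restore trade-off the question asks about; the incremental chain also has the extra fragility that any one missing daily file breaks every restore after it. For 10.11, scenario 2 needs up to 240 minutes against a 120-minute RTO, scenario 3 needs up to 270 minutes against 360, and scenario 1 can lose up to 29 hours of data against a 24-hour RPO whenever the on-site tape is destroyed before the courier arrives.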
Case 10-1 Ensuring Systems Availability
The Journal of Accountancy (available at www.aicpa.org) has published a series of articles that address different aspects of disaster recovery and business continuity planning:
1. Gerber, J. A., and Feldman, E. R. 2002. “Is Your Business Prepared for the Worst?” Journal of Accountancy (April): 61-64.
2. McCarthy, E. 2004. “The Best-Laid Plans,” Journal of Accountancy (May): 46-54.
3. Myers, R. 2006. “Katrina’s Harsh Lessons,” Journal of Accountancy (June): 54-63.
4. Phelan, S., and Hayes, M. 2003. “Before the Deluge – and After,” Journal of Accountancy (April): 57-66.
Read one or more of the articles listed above that your professor assigns plus section DS4 of COBIT version 4.1 (available at www.isaca.org) to answer the following questions:
1. What does COBIT suggest as possible metrics for evaluating how well an organization is achieving the objective of DS4? Why do you think that metric is useful?
2. For each article assigned by your professor, complete the following table, summarizing what each article said about a specific COBIT control objective (an article may not address all 10 control objectives in DS4):
Case 10-2 Change Controls
Read section AI6 in version 4.1 of COBIT (available at www.isaca.org) and answer the following questions:
1. What is the purpose of each detailed control objective – why is it important?
AI6.1 Change Standards and Procedures
AI6.3 Emergency Changes
AI6.4 Change Status Tracking and Reporting
AI6.5 Change Closure and Documentation
2. How is each of the suggested metrics useful?
CHAPTER 11
AUDITING COMPUTER-BASED
INFORMATION SYSTEMS
11.1 Auditing an AIS
effectively requires that an auditor have some knowledge of computers and their
accounting applications. However, it may not be feasible for every
auditor to be a computer expert. Discuss the extent to which auditors
should possess computer expertise to be effective auditors.
11.2 Should internal auditors be members of systems development teams
that design and implement an AIS? Why or why not?
11.3 At present, no Berwick employees have auditing experience. To staff its new internal audit function, Berwick could (a) train some of its computer specialists in auditing, (b) hire experienced auditors and train them to understand Berwick’s information system, (c) use a combination of the first two approaches, or (d) try a different approach. Which approach would you support, and why?
11.4 The assistant finance director for the city of Tustin, California,
was fired after city officials discovered that she had used her access to city
computers to cancel her daughter’s $300 water bill. An investigation
revealed that she had embezzled a large sum of money from Tustin in this manner
over a long period. She was able to conceal the embezzlement for so long
because the amount embezzled always fell within a 2% error factor used by the
city’s internal auditors. What weaknesses existed in the audit
approach? How could the audit plan be improved? What internal
control weaknesses were present in the system? Should Tustin’s internal
auditors have discovered this fraud earlier?
11.5 Lou Goble, an internal auditor for a large manufacturing
enterprise, received an anonymous note from an assembly-line operator who has
worked at the company’s West Coast factory for the past 15 years. The
note indicated that there are some fictitious employees on the payroll as well
as some employees who have left the company. He offers no proof or
names. What computer-assisted audit technique could Lou use to help him
substantiate or refute the employee’s claim?
11.6 Explain the four steps of the risk-based audit approach, and discuss how they apply to the overall security of a company.
11.7 Compare and contrast the frameworks for auditing program development/acquisition and for auditing program modification.
11.1 You are the director of internal auditing at a university.
Recently, you met with Issa Arnita, the manager of administrative data processing,
and expressed the desire to establish a more effective interface between the
two departments. Issa wants your help with a new computerized accounts payable
system currently in development. He recommends that your department assume line
responsibility for auditing suppliers’ invoices prior to payment. He also wants
internal auditing to make suggestions during system development, assist in its
installation, and approve the completed system after making a final review.
Would you accept or reject each of the following? Why?
a. The recommendation that your department be responsible for the pre-audit of supplier’s invoices.
b. The request that you make suggestions during system development.
c. The request that you assist in the installation of the system and approve the system after making a final review.
11.2 As an internal auditor for the Quick
Manufacturing Company, you are participating in the audit of the company’s AIS.
You have been reviewing the internal controls of the computer system that
processes most of its accounting applications. You have studied the company’s
extensive systems documentation. You have interviewed the information system
manager, operations supervisor, and other employees to complete your
standardized computer internal control questionnaire. You report to your
supervisor that the company has designed a successful set of comprehensive
internal controls into its computer systems. He thanks you for your efforts and
asks for a summary report of your findings for inclusion in a final overall
report on accounting internal controls.
Have you forgotten an important audit step? Explain. List five examples of specific audit procedures that you might recommend before reaching a conclusion.
11.3 As an internal auditor, you have been assigned to
evaluate the controls and operation of a computer payroll system. To test the
computer systems and programs, you submit independently created test transactions
with regular data in a normal production run.
a. List four advantages and two disadvantages of this technique.
11.4 You are involved in the audit of accounts receivable, which
represent a significant portion of the assets of a large retail corporation.
Your audit plan requires the use of the computer, but you encounter the
following reactions:
For each situation, state how the auditor should proceed with the accounts receivable audit.
a. The computer operations manager says the company’s computer is running at full capacity for the foreseeable future and the auditor will not be able to use the system for audit tests.
b. The computer scheduling manager suggests that your computer program be stored in the computer program library so that it can be run when computer time becomes available.
c. You are refused admission to the computer room.
d. The systems manager tells you that it will take too much time to adapt the auditor’s computer audit program to the computer’s operating system and that company programmers will write the programs needed for the audit.
11.5 You are a manager for the CPA firm of Dewey, Cheatem, and Howe
(DC&H). While reviewing your staff’s audit work papers for the state
welfare agency, you find that the test data approach was used to test the agency’s
accounting software. A duplicate program copy, the welfare accounting data file
obtained from the computer operations manager, and the test transaction data
file that the welfare agency’s programmers used when the program was written
were processed on DC&H’s home office computer. The edit summary report
listing no errors was included in the working papers, with a notation by the
senior auditor that the test indicates good application controls. You note that
the quality of the audit conclusions obtained from this test is flawed in
several respects, and you decide to ask your subordinates to repeat the
test.
Identify three existing or potential problems with the way this
test was performed. For each problem, suggest one or more procedures that
might be performed during the revised test to avoid flaws in the audit
conclusions.
11.6 You are performing an information system audit to evaluate internal controls in Aardvark Wholesalers’ (AW) computer system. From an AW manual, you have obtained the following job descriptions for key personnel:
Director of information systems: Responsible for defining the mission of the information systems
division and for planning, staffing, and managing the IS department.
Manager of systems development and programming: Reports to director of information systems.
Responsible for managing the systems analysts and programmers who design, program, test, implement, and
maintain the data processing systems. Also
responsible for establishing and monitoring documentation standards.
Manager of operations: Reports to director of information systems. Responsible for
management of computer center operations, enforcement of processing standards,
and systems programming, including implementation of operating system upgrades.
Data entry supervisor: Reports to manager of operations. Responsible for supervision of data entry operations and monitoring data
preparation standards.
Operations supervisor: Reports to manager of operations. Responsible for supervision of computer operations staff and monitoring
processing standards.
Data control clerk: Reports
to manager of operations. Responsible for logging and distributing computer
input and output, monitoring source data control procedures, and custody of
programs and data files.
b. Name two positive and two negative aspects (from an internal control standpoint) of this organizational structure.
c. What additional information would you require before making a final judgment on the adequacy of AW’s separation of functions in the information systems division?
11.7 Robinson’s Plastic Pipe Corporation uses a
data processing system for inventory. The input to this system is shown in
Table 11-7. You are using an input controls matrix to help audit the source data
controls.
Prepare an input controls matrix using the format and input controls shown in Figure 11-3; however, replace the field names shown in Figure 11-3 with those shown in Table 11-7. Place checks in the matrix cells that represent input controls you might expect to find for each field.
11.8 As an internal auditor for the state auditor’s office, you are
assigned to review the implementation of a new computer system in the state
welfare agency. The agency is installing an online computer system to maintain
the state’s database of welfare recipients. Under the old system, applicants
for welfare assistance completed a form giving their name, address, and other
personal data, plus details about their income, assets, dependents, and other
data needed to establish eligibility. The data are checked by welfare examiners
to verify their authenticity, certify the applicant’s eligibility for
assistance, and determine the form and amount of aid.
Under the new system, welfare applicants enter data on the agency’s Web site or
give their data to clerks, who enter it using online terminals. Each applicant
record has a “pending” status until a welfare examiner can verify the
authenticity of the data used to determine eligibility. When the verification
is completed, the examiner changes the status code to “approved,” and the
system calculates the aid amount.
Periodically, recipient circumstances (income, assets, dependents, etc.)
change, and the database is updated. Examiners enter these changes as soon as
their accuracy is verified, and the system recalculates the recipient’s new
welfare benefit. At the end of each month, payments are electronically
deposited in the recipient’s bank accounts.
Welfare assistance amounts to several hundred million dollars annually. You are
concerned about the possibilities of fraud and abuse.
a. Describe how to employ concurrent audit techniques to reduce the risks of fraud and abuse.
b. Describe how to use computer audit software to review the work welfare examiners do to verify applicant eligibility data. Assume that the state auditor’s office has access to other state and local government agency databases.
11.9 Melinda Robinson, the director of internal
auditing at Sachem Manufacturing Company, believes the company should purchase
software to assist in the financial and procedural audits her department
conducts. Robinson is considering the following software packages:
§ A generalized audit
software package to assist in basic audit work, such as the retrieval of live
data from large computer files. The department would review this information
using conventional audit investigation techniques. The department could perform
criteria selection, sampling, basic computations for quantitative analysis,
record handling, graphical analysis, and print output (i.e., confirmations).
§ An ITF package that uses,
monitors, and controls dummy test data processed by existing programs. It also
checks the existence and adequacy of data entry and processing controls.
§ A flowcharting package that
graphically presents the flow of information through a system and pinpoints
control strengths and weaknesses.
§ A parallel simulation and modeling
package that uses actual data to conduct the same tests using a logic program
developed by the auditor. The package can also be used to seek answers to
difficult audit problems (involving many comparisons) within statistically
acceptable confidence limits.
a. Without regard to any specific computer audit software, identify the general advantages of using computer audit software to assist with audits.
b. Describe the audit purpose facilitated and the procedural steps to be followed by the internal auditor in using the following:
§ Generalized audit software package
§ Flowcharting package
§ Parallel simulation and modeling package
11.10 The fixed-asset master file at Thermo-Bond includes the following data items:
§ Asset number
§ Date of retirement (99/99/2099 for assets still in service)
§ Description
§ Depreciation method code
§ Type code
§ Depreciation rate
§ Location code
§ Useful life (years)
§ Date of acquisition
§ Accumulated depreciation at beginning of year
§ Original cost
§ Year-to-date depreciation
Explain several ways auditors can use computer audit software in performing a financial audit of Thermo-Bond’s fixed assets.
11.11 You are auditing the financial statements of a cosmetics
distributor that sells thousands of individual items. The distributor keeps its
inventory in its distribution center and in two public warehouses. At the end
of each business day, it updates its inventory file, whose records contain the
following data:
§ Item number
§ Cost per item
§ Item description
§ Date of last purchase
§ Quantity-on-hand
§ Date of last sale
§ Item location
§ Quantity sold during year
You will use audit software to examine inventory data as of the
date of the distributor’s physical inventory count. You will perform the
following audit procedures:
1. Observe the distributor’s physical inventory count at year-end and test a sample for accuracy.
2. Compare the auditor’s test counts with the inventory records.
3. Compare the company’s physical count data with the inventory records.
4. Test the mathematical accuracy of the distributor’s final inventory valuation.
5. Test inventory pricing by obtaining item costs from buyers, vendors, or other sources.
6. Examine inventory purchase and sale transactions on or near the year-end date to verify that all transactions were recorded in the proper accounting period.
7. Ascertain the propriety of inventory items located in public warehouses.
8. Analyze inventory for evidence of possible obsolescence.
9. Analyze inventory for evidence of possible overstocking or slow-moving items.
10. Test the accuracy of individual data items listed in the distributor’s inventory master file.
Describe how the use of the audit software package and a copy of the inventory file data might be helpful to the auditor in performing each of these auditing procedures.
11.12 Which of the following should have the primary responsibility to detect and correct data processing errors? Explain why that function should have primary responsibility and why the others should not.
1. The data processing manager
2. The computer operator
3. The corporate controller
4. The independent public accountant
11.1 You are performing a financial audit of the general ledger
accounts of Preston Manufacturing. As transactions are processed, summary
journal entries are added to the general ledger file at the end of the day. At
the end of each day, the general journal file is processed against the general
ledger control file to compute a new current balance for each account and to
print a trial balance.
The following resources are available as you complete the audit:
§ Your firm’s generalized computer audit software
§ A copy of the general journal file for the entire year
§ A copy of the general ledger file as of fiscal year-end (current balance = year-end balance)
§ A printout of Preston’s year-end trial balance listing the account number, account name, and balance of each account on the general ledger control file
Create an audit program for Preston Manufacturing. For each audit step, list
the audit objectives and the procedures you would use to accomplish the audit
program step.
CHAPTER 12
THE REVENUE CYCLE: SALES
AND CASH COLLECTIONS
12.1 Customer relationship management systems hold great promise, but
their usefulness is determined by the amount of personal data customers are
willing to divulge. To what extent do you think concerns about privacy-related
issues affect the use of CRM systems?
12.2 Some products, like music and software, can be digitized. How does
this affect each of the four main activities in the revenue cycle?
12.3 Many companies use accounts receivable aging schedules to project
future cash inflows and bad-debt expense. Review the information typically
presented in such a report (see Figure 12-8). Which specific metrics can be
calculated from those data that might be especially useful in providing early
warning about looming cash flow or bad-debt problems?
12.4 Table 12-1 suggests that restricting physical access to inventory
is one way to reduce the threat of theft. How can information technology help
accomplish that objective?
12.5 Invoiceless pricing has been adopted by some large businesses for
B2B transactions. What are the barriers, if any, to its use in B2C commerce?
12.6 The use of some form of electronic “cash” that would provide the
same kind of anonymity for e-commerce that cash provides for traditional
physical business transactions has been discussed for a long time. What are the
advantages and disadvantages of electronic cash to customers? To businesses?
What are some of the accounting implications of using electronic cash?
SUGGESTED ANSWERS TO THE
PROBLEMS
12.1 Match the term in the left column with its definition in the right column.
Terms:
1. CRM system
2. Open-invoice method
3. Credit memo
4. Credit limit
5. Cycle billing
6. FEDI
7. Remittance advice
8. Lockbox
9. Back order
10. Picking ticket
11. Bill of lading
Definitions:
a. Document used to authorize reducing the balance in a customer account
b. Process of dividing customer account master file into subsets and preparing invoices for one subset at a time
c. System that integrates EFT and EDI information
d. System that contains customer-related data organized in a manner to facilitate customer service, sales, and retention
e. Electronic transfer of funds
f. Method of maintaining accounts receivable that generates one payment for all sales made the previous month
g. Method of maintaining customer accounts that generates payments for each individual sales transaction
h. Maximum possible account balance for a customer
i. Electronic invoicing
j. Post office box to which customers send payments
k. Document used to indicate stock outs exist
l. Document used to establish responsibility for shipping goods via a third party
m. Document that authorizes removal of merchandise from inventory
n. Turnaround document returned by customers with payments
12.2 What internal control procedure(s) would provide protection
against the following threats?
a. Theft of goods by the shipping dock workers, who claim that the inventory shortages reflect
errors in the inventory records.
b. Posting the sales amount to the wrong customer account because a
customer account number was incorrectly keyed into the system.
c. Making a credit sale to a customer
who is already four months behind in making payments on his account.
d. Authorizing a credit memo for a sales
return when the goods were never actually returned.
e. Writing off a customer’s accounts
receivable balance as uncollectible to conceal the theft of subsequent cash
payments from that customer.
f. Billing customers for the quantity
ordered when the quantity shipped was actually less due to back ordering of
some items.
g. Theft of checks by the mailroom clerk,
who then endorsed the checks for deposit into the clerk’s personal bank
account.
h. Theft of funds by the cashier, who
cashed several checks from customers.
i. Theft of cash by
a waiter who destroyed the customer sales ticket for customers who paid cash.
j. Shipping goods
to a customer but then failing to bill that customer.
k. Lost
sales because of stockouts of several products for which the computer records
indicated there was adequate quantity on hand.
l. Unauthorized
disclosure of buying habits of several well-known customers.
m. Loss of all information about amounts
owed by customers in New York City because the master database for that office
was destroyed in a fire.
n. The company’s Web site was
unavailable for seven hours because of a power outage.
o. Interception and theft of
customers’ credit card numbers while being sent to the company’s Web site.
p. A sales clerk sold a $7,000
wide-screen TV to a friend and altered the price to $700.
q. A shipping clerk who was
quitting to start a competing business copied the names of the company’s 500
largest customers and offered them lower prices and better terms if they
purchased the same product from the clerk’s new company.
r. A fire in the
office next door damaged the company’s servers and all optical and magnetic
media in the server room. The company immediately implemented its disaster
recovery procedures and shifted to a backup center several miles away. The
company had made full daily backups of all files and stored a copy at the
backup center. However, none of the backup copies were readable.
12.3 For good internal control, which of
the following duties can be performed by the same individual?
1. Approve changes to customer credit limits
2. Sales order entry
3. Shipping merchandise
4. Billing customers
5. Depositing customer payments
6. Maintaining accounts receivable
7. Issuing credit memos
8. Reconciling the organization’s bank accounts
9. Checking inventory availability
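One way to make a segregation-of-duties question like 12.3 mechanical is to tag each duty with the control function it serves (authorize, record, custody, independent check) and then flag any one person who holds two functions that should stay apart. The block below is an added example, not the textbook's answer key; the function assigned to each of the nine duties and the set of incompatible function pairs are this example's own assumptions, following the usual authorize/record/custody split, so a reviewer still has to judge pairs inside the same function (two recording duties, for instance) on their own merits.

```python
from itertools import combinations

# Duty number -> (description from problem 12.3, control function it serves).
# The function labels are this example's assumption, not the textbook's answer.
DUTIES = {
    1: ("Approve changes to customer credit limits", "authorization"),
    2: ("Sales order entry", "recording"),
    3: ("Shipping merchandise", "custody"),
    4: ("Billing customers", "recording"),
    5: ("Depositing customer payments", "custody"),
    6: ("Maintaining accounts receivable", "recording"),
    7: ("Issuing credit memos", "authorization"),
    8: ("Reconciling the organization's bank accounts", "independent_check"),
    9: ("Checking inventory availability", "recording"),
}

# Pairs of control functions one person should not hold in the same cycle
# (assumed rule set: keep authorization, recording and custody apart, and keep
# the independent check away from whoever records or handles the asset).
INCOMPATIBLE = {
    frozenset({"authorization", "recording"}),
    frozenset({"authorization", "custody"}),
    frozenset({"recording", "custody"}),
    frozenset({"custody", "independent_check"}),
    frozenset({"recording", "independent_check"}),
}


def compatible(duty_a: int, duty_b: int) -> bool:
    """True when the two duties may be performed by the same individual."""
    func_a, func_b = DUTIES[duty_a][1], DUTIES[duty_b][1]
    return frozenset({func_a, func_b}) not in INCOMPATIBLE


def compatible_pairs() -> list[tuple[int, int]]:
    """All duty pairs that pass the rule; each still deserves a human look."""
    return [(a, b) for a, b in combinations(sorted(DUTIES), 2) if compatible(a, b)]


def conflicts(assignment: dict[str, list[int]]) -> list[tuple[str, int, int]]:
    """Given person -> duties held, list every (person, duty, duty) violation."""
    found = []
    for person, duties in assignment.items():
        for a, b in combinations(sorted(duties), 2):
            if not compatible(a, b):
                found.append((person, a, b))
    return found


if __name__ == "__main__":
    # Constructed staffing plan to run the check against.
    plan = {"credit manager": [1, 7], "cashier": [5, 8], "order desk": [2, 9]}
    for person, a, b in conflicts(plan):
        print(f"{person}: '{DUTIES[a][0]}' conflicts with '{DUTIES[b][0]}'")
```

Run it against a real staffing roster instead of the constructed one and the output is a list of people who need a duty reassigned; an empty list means only that the rule set found nothing, not that the assignment is safe.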
12.4 Excel Project. (Hint: For help on steps b and c, see the article
“Dial a Forecast,” by James A. Weisel, in the December 2006 issue of the Journal of Accountancy. The Journal of Accountancy is available in print or
online at the AICPA’s Web site: www.aicpa.org.)
Required:
a. Create a 12-month cash flow budget in Excel using
the following assumptions:
· Initial sales of $5,000,000 with
forecasted monthly growth of 1%
· 40% of each month’s sales for cash; 30%
collected the following month; 20% collected 2 months later; 8% collected 3
months later; and 2% never collected
· Initial cash balance of $350,000
b. Add a “spinner” to your spreadsheet that will
enable you to easily change forecasted monthly sales growth to range from 0.5%
to 1.5% in increments of 0.1%.
d. Design appropriate data entry and processing controls to ensure spreadsheet
accuracy.
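The budget in step a, the spinner range in step b, and the controls asked for in step d can all be worked through in code; the block below is an added example, not part of the page or of the Journal of Accountancy article. It assumes the budget tracks cash inflows only, because the problem lists no disbursements, and all function and constant names are its own. The data entry controls are sign, range and increment checks on the inputs plus a completeness check that the collection percentages total 100%; the processing control is a cross-footing test that every dollar of budgeted sales is either collected, still outstanding at month 12, or provided for as bad debt.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
from typing import Sequence

CENT = Decimal("0.01")

# Collection pattern from the problem: share of a month's sales collected in
# the month of sale, then 1, 2 and 3 months later; the remaining 2% is never collected.
COLLECTION_PATTERN = (Decimal("0.40"), Decimal("0.30"), Decimal("0.20"), Decimal("0.08"))
BAD_DEBT_RATE = Decimal("0.02")

# Spinner bounds from step b: monthly growth from 0.5% to 1.5% in 0.1% steps.
GROWTH_MIN = Decimal("0.005")
GROWTH_MAX = Decimal("0.015")
GROWTH_STEP = Decimal("0.001")


@dataclass(frozen=True)
class MonthRow:
    month: int
    sales: Decimal
    collections: Decimal
    ending_cash: Decimal


def spinner_values() -> list[Decimal]:
    """Every growth rate the spinner may select (0.5%, 0.6%, ..., 1.5%)."""
    values, g = [], GROWTH_MIN
    while g <= GROWTH_MAX:
        values.append(g)
        g += GROWTH_STEP
    return values


def validate_inputs(initial_sales: Decimal, growth: Decimal, initial_cash: Decimal,
                    pattern: Sequence[Decimal] = COLLECTION_PATTERN,
                    bad_debt: Decimal = BAD_DEBT_RATE) -> None:
    """Data entry controls (step d). Raises ValueError on any bad input."""
    if initial_sales <= 0:
        raise ValueError("initial sales must be positive")
    if initial_cash < 0:
        raise ValueError("initial cash balance cannot be negative")
    if not GROWTH_MIN <= growth <= GROWTH_MAX:
        raise ValueError(f"growth {growth} is outside the spinner range")
    if (growth - GROWTH_MIN) % GROWTH_STEP != 0:
        raise ValueError(f"growth {growth} is not a 0.1% increment")
    if sum(pattern) + bad_debt != 1:
        raise ValueError("collection percentages plus bad debt must total 100%")


def build_budget(initial_sales: Decimal, growth: Decimal, initial_cash: Decimal,
                 months: int = 12,
                 pattern: Sequence[Decimal] = COLLECTION_PATTERN) -> list[MonthRow]:
    """12-month schedule of sales, collections and ending cash (step a)."""
    validate_inputs(initial_sales, growth, initial_cash, pattern)
    sales: list[Decimal] = []
    rows: list[MonthRow] = []
    cash = initial_cash
    for m in range(months):
        # Sales compound by the spinner rate; round to cents like a spreadsheet cell.
        sales.append((initial_sales * (1 + growth) ** m).quantize(CENT, rounding=ROUND_HALF_UP))
        # Collections this month: each earlier month's sales times the rate for its lag.
        collected = sum((sales[m - lag] * rate
                         for lag, rate in enumerate(pattern) if m - lag >= 0), Decimal(0))
        cash += collected  # assumption: inflows only, no disbursements given
        rows.append(MonthRow(m + 1, sales[m], collected, cash))
    return rows


def reconcile(rows: Sequence[MonthRow], pattern: Sequence[Decimal] = COLLECTION_PATTERN,
              bad_debt: Decimal = BAD_DEBT_RATE) -> bool:
    """Processing control (step d): cross-foot the schedule. Total sales must
    equal collections within the horizon + receivables still outstanding at
    the end + the bad-debt provision. Exact in Decimal, so no tolerance needed."""
    n = len(rows)
    total_sales = sum(r.sales for r in rows)
    total_collected = sum(r.collections for r in rows)
    outstanding = sum((rows[m].sales * rate for m in range(n)
                       for lag, rate in enumerate(pattern) if m + lag >= n), Decimal(0))
    provision = total_sales * bad_debt
    return total_sales == total_collected + outstanding + provision


if __name__ == "__main__":
    budget = build_budget(Decimal("5000000"), Decimal("0.01"), Decimal("350000"))
    for r in budget:
        print(f"month {r.month:2d}  sales {r.sales:>13,.2f}  collected {r.collections:>13,.2f}"
              f"  cash {r.ending_cash:>14,.2f}")
    print("cross-foot ok:", reconcile(budget))
```

Changing the growth argument to any value from `spinner_values()` reproduces what the spreadsheet spinner does; passing a value outside the range, or a collection pattern that does not sum to 100%, is rejected before a single cell is computed, which is the point of putting the controls ahead of the calculation rather than beside it.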
12.5 For each of the following activities identify the data that must
be entered by the employee performing that activity and list the appropriate
data entry controls:
a. Sales order entry clerk
taking a customer order
b. Shipping
clerk completing a bill of lading for shipment of an order to a customer
12.6 Create a questionnaire checklist that can be used to evaluate
controls for each of the four basic activities in the revenue cycle (sales
order entry, shipping, billing, and cash collections).
a. For each control issue, write a Yes/No question
such that a “No” answer represents a control weakness. For example, one
question might be “Are customer credit limits set and modified by a credit
manager with no sales responsibility?”
b. For each Yes/No question, write a brief
explanation of why a “No” answer represents a control weakness.
12.7 O’Brien Corporation is a midsize, privately owned, industrial
instrument manufacturer supplying precision equipment to manufacturers in the
Midwest. The corporation is 10 years old and uses an integrated ERP system. The
administrative offices are located in a downtown building and the production,
shipping, and receiving departments are housed in a renovated warehouse a few
blocks away.
Customers place orders on the company’s website, by fax, or by
telephone. All sales are on credit, FOB destination. During the past year sales
have increased dramatically, but 15% of credit sales have had to be written off as
uncollectible, including several large online orders to first-time customers
who denied ordering or receiving the merchandise.
Customer orders are picked and sent to the warehouse, where they
are placed near the loading dock in alphabetical sequence by customer name. The
loading dock is used both for outgoing shipments to customers and to receive
incoming deliveries. There are ten to twenty incoming deliveries every day, from
a variety of sources.
The increased volume of sales has resulted in a number of errors
in which customers were sent the wrong items. There have also been some delays
in shipping because items that supposedly were in stock could not be found in
the warehouse. Although a perpetual inventory is maintained, there has not been
a physical count of inventory for two years. When an item is missing, the
warehouse staff writes the information down in a log book. Once a week, the
warehouse staff uses the log book to update the inventory records.
The system is configured to prepare the sales invoice only after
shipping employees enter the actual quantities sent to a customer, thereby
ensuring that customers are billed only for items actually sent and not for
anything on back order.