Accounting Information System (AIS)
(AcFn 201)
Chapter Four
Fraud, Control and AIS
Content:
- Fraud
- Overview of Control Concepts
- IS Security: Basic Concepts
What is Fraud?
• Fraud means different things to different people
under different circumstances.
• Fraud can be perceived as deception.
One might say that fraud in the form of intentional
deception (including lying and cheating) is the opposite of
truth, justice, fairness, and equity
• Fraud can also be associated with injury.
One person can injure another either by force or through
fraud
What is Fraud? Five Conditions of Fraud
• False representation - false statement or
disclosure
• Material fact - a fact must be substantial in
inducing someone to act
• Intent to deceive must exist
• The misrepresentation must have resulted in
justifiable reliance upon information, which
caused someone to act
• The misrepresentation must have caused injury or
loss
Why Fraud Occurs
Fire needs oxygen, fuel and a spark.
Employee Fraud
• Committed by non-management personnel
• Usually consists of: an employee taking cash or
other assets for personal gain by circumventing
a company’s system of internal controls
Management Fraud
• It is perpetrated at levels of management above
the one to which internal control structure relates.
• It frequently involves using the financial statements
to create an illusion that an entity is more healthy
and prosperous than it actually is.
• If it involves misappropriation of assets, it
frequently is shrouded in a maze of complex
business transactions.
Fraud Schemes
• There are three categories of fraud schemes
according to the Association of Certified
Fraud Examiners:
A. fraudulent statements
B. corruption
C. asset misappropriation
A. Fraudulent Statements
• Misstating the financial statements to make the
copy appear better than it is
• Usually occurs as management fraud
• May be tied to focus on short-term financial
measures for success
• May also be related to management
bonus packages being tied to financial statements
B. Corruption
• Examples:
bribery
illegal gratuities
conflicts of interest
economic extortion
C. Asset Misappropriation
• Most common type of fraud and often occurs as
employee fraud.
• Examples:
making charges to expense accounts to cover theft of
asset (especially cash)
lapping: using customer’s check from one account to
cover theft from a different account
transaction fraud: deleting, altering, or adding false
transactions to steal assets
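Lapping, as defined above, leaves a recognizable trail in the cash receipts journal: the remitting customer differs from the account credited, postings are delayed while the clerk waits for the next payment, and the misapplications chain from one customer to the next. The following is an added detective-control example, not from the chapter; the receipt records are constructed and the five-day posting lag threshold is an assumed policy value.

```python
from datetime import date

# Constructed sample cash receipts (not from the chapter): who remitted the
# payment, which customer account was credited, the amount, the date the
# payment arrived and the date the clerk posted it.
RECEIPTS = [
    {"id": 1, "payer": "Alpha Ltd", "credited": "Alpha Ltd", "amount": 1200,
     "received": date(2024, 3, 1), "posted": date(2024, 3, 1)},
    {"id": 2, "payer": "Beta Co", "credited": "Alpha Ltd", "amount": 900,
     "received": date(2024, 3, 4), "posted": date(2024, 3, 12)},
    {"id": 3, "payer": "Gamma Inc", "credited": "Beta Co", "amount": 900,
     "received": date(2024, 3, 15), "posted": date(2024, 3, 24)},
    {"id": 4, "payer": "Delta plc", "credited": "Delta plc", "amount": 450,
     "received": date(2024, 3, 16), "posted": date(2024, 3, 17)},
]

def find_lapping_indicators(receipts, max_posting_lag_days=5):
    """Return (receipt id, reasons) for receipts showing the two classic
    lapping symptoms: the remitter differs from the account credited, and
    the receipt was posted well after it was received (the clerk is waiting
    for the next payment to cover the one already taken).
    max_posting_lag_days is an assumed policy threshold."""
    flagged = []
    for r in receipts:
        reasons = []
        if r["payer"] != r["credited"]:
            reasons.append("payer/credited mismatch")
        lag = (r["posted"] - r["received"]).days
        if lag > max_posting_lag_days:
            reasons.append(f"posting lag {lag} days")
        if reasons:
            flagged.append((r["id"], reasons))
    return flagged

def chained_misapplications(receipts):
    """Follow the chain of misapplied receipts: a payment from B credited
    to A, then one from C credited to B, and so on. Lapping produces exactly
    this chain because each new payment covers the account from which the
    previous payment was diverted. Returns chains of three or more accounts."""
    credited_by_payer = {r["payer"]: r["credited"] for r in receipts
                         if r["payer"] != r["credited"]}
    chains = []
    for start, nxt in credited_by_payer.items():
        chain = [start, nxt]
        while nxt in credited_by_payer and credited_by_payer[nxt] not in chain:
            nxt = credited_by_payer[nxt]
            chain.append(nxt)
        if len(chain) > 2:
            chains.append(chain)
    return chains
```

Run against the sample, receipts 2 and 3 are flagged on both symptoms and the chain Gamma Inc -> Beta Co -> Alpha Ltd shows which account the original theft was taken from.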
Computer Fraud
• Theft, misuse, or misappropriation of assets by
altering computer data
• Theft, misuse, or misappropriation of assets by
altering software programming
• Theft or illegal use of computer
data/information
• Theft, corruption, illegal copying or destruction
of software or hardware
• Theft, misuse, or misappropriation of computer
hardware
Using the general IS model, explain how fraud can occur
at the different stages of information processing.
Data Collection Fraud
• This phase of the system is most vulnerable
because it is very easy to change data as it is
being entered into the system.
• Also, GIGO (garbage in, garbage out) reminds
us that if the input data is inaccurate,
processing will result in inaccurate output.
Data Processing Fraud
Program Frauds
• altering programs to allow illegal access to and/or
manipulation of data files
• destroying programs with a virus
Operations Frauds
• misuse of company computer resources, such
as using the computer for personal business
Database Management Fraud
Altering, deleting, corrupting, destroying, or stealing
an organization’s data
• Oftentimes conducted by a disgruntled employee or
ex-employee
Information Generation Fraud
Stealing, misdirecting, or misusing computer output
Scavenging
• searching through the trash cans at the computer
center for discarded output (the output should be
shredded, but frequently is not)
From Research Outcomes
• Findings by COSO, (from 1987-1997, 200
randomly selected cases)
Most fraud among public companies is committed:
by small firms
BoD were dominated by insiders and inexperienced people,
Executive officers were identified as associated with financial
statement fraud in 83% of the cases
COSO identified the inability and unwillingness to
implement effective IC is the cause
From Research Outcomes
• Findings by KPMG, (in 2009 after interviewing
204 executives)
32% reported that at least one of the three categories (C,
SM, & FSF) was going to increase in the next 12
months in their organizations
74% of employees reported they had personally
observed wrongdoing in their organization in the prior
12 months
65% of the executives reported that fraud and
misconduct is a significant risk for their industry
71% of the executives cited potential loss of public
trust as their concern
Overview of Control Concepts
• Internal Controls are processes implemented to
provide reasonable assurance.
• Internal control has the following objectives.
• Safeguard assets of the firm
• Ensure accuracy and reliability of accounting
records and information
• Promote efficiency of the firm’s operations
• Measure compliance with management’s
prescribed policies and procedures
Modifying Assumptions to the Internal Control Objectives
• Management Responsibility
The establishment and maintenance of a system of internal control
is the responsibility of management.
• Reasonable Assurance
The cost of achieving the objectives of internal control should not
outweigh its benefits.
• Methods of Data Processing
The techniques of achieving the objectives will vary with different
types of technology.
Limitations of Internal Controls
• Possibility of honest errors
• Circumvention via collusion
• Management override
• Changing conditions--especially in companies with
high growth
Exposures of Weak Internal Controls (Risk)
• Destruction of an asset
• Theft of an asset
• Corruption of information
• Disruption of the information system
The Internal Controls Shield
Overview of Control Concepts
• Developing an internal control system requires a thorough
understanding of IT capabilities as well as using IT to achieve
an organization’s control objectives.
• IT capabilities:
refer to an organization's ability to identify IT meeting business
needs, to deploy IT to improve business process in a cost-
effective manner, and to provide long-term maintenance and
support for IT-based systems.
Has the following components:
IT infrastructure
IT strategy/business experience
IT relationship resources
IT human resource
IT Capabilities
• IT infrastructure: includes communication technologies
for firms to share information across varying functions, and
react to changes in the market.
• IT business experience: is a competence to integrate IT
strategy and business strategy.
• IT relationship resources: are abilities to associate IT
functions into business units and IT resources.
• IT human resources represent an organizational
resource and capability
Primary objective of AIS
• The primary objective of AIS is to control the
organization so the organization can achieve its
objectives.
• Management expects accountants to:
Take a proactive approach to eliminating system threats
Detect, correct, and recover from threats when they occur
• Threats
Functions of Internal Control
• There are two categories of control: general and application
• The general controls ensure that organization's control
environment is stable and well managed.
E.g. security; IT infrastructure; software acquisition,
systems development, and maintenance controls
• The application controls are concerned with the accuracy,
completeness, validity, and authorization of the data
captured, entered, processed, stored, transmitted to other
systems, and reported
• The application controls prevent, detect, and correct
transaction errors and fraud in application programs
Functions of Internal Control
• The application controls prevent, detect, and correct transaction errors
and fraud in application programs.
• Preventive controls
Deter problems from occurring.
E.g. hiring qualified personnel, segregating employee duties, chart
of accounts, controlling physical access to assets and information,
and employee training
• Detective Controls
Discover problems that are not prevented
E.g. duplicate checking of calculations and preparing bank
reconciliations and monthly trial balances
• Corrective controls
Identify and correct problems; correct and recover from the problems
E.g. maintaining backup copies of files, correcting data entry
errors, and resubmitting transactions for subsequent processing
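Application controls over data capture (accuracy, completeness, validity and authorization, above) and the preventive controls listed here, such as segregation of duties, are usually enforced as checks on each entry before it is posted. The following is an added example, not from the chapter: a screening routine for payment entries against constructed master data (chart of accounts, approved vendor list and approval limits are all assumed values).

```python
from dataclasses import dataclass

# Constructed master data (assumed, not from the chapter).
CHART_OF_ACCOUNTS = {"1000": "Cash", "2000": "Accounts payable", "6100": "Office expense"}
APPROVED_VENDORS = {"V-001", "V-002"}
# Roles permitted to approve a payment and the ceiling each may approve.
APPROVAL_LIMITS = {"clerk": 0, "supervisor": 5_000, "controller": 50_000}

@dataclass
class Payment:
    ref: str
    vendor: str
    account: str
    amount: float
    prepared_by: str
    approved_by: str
    approver_role: str

def apply_input_controls(p: Payment) -> list:
    """Application controls over one payment entry. Each check is a
    preventive control: an entry with findings should be rejected before
    posting. Returns an empty list when the entry passes."""
    findings = []
    # Completeness: every required field is present.
    for name in ("ref", "vendor", "account", "prepared_by", "approved_by"):
        if not getattr(p, name):
            findings.append(f"completeness: {name} missing")
    # Validity: account exists in the chart of accounts, vendor is approved.
    if p.account not in CHART_OF_ACCOUNTS:
        findings.append(f"validity: unknown account {p.account}")
    if p.vendor not in APPROVED_VENDORS:
        findings.append(f"validity: vendor {p.vendor} not on approved list")
    # Accuracy: amount is positive. Authorization: within the approver's limit.
    if p.amount <= 0:
        findings.append("accuracy: amount must be positive")
    elif p.amount > APPROVAL_LIMITS.get(p.approver_role, 0):
        findings.append(f"authorization: {p.approver_role} may not approve {p.amount:.2f}")
    # Segregation of duties: the preparer may not approve their own entry.
    if p.prepared_by and p.prepared_by == p.approved_by:
        findings.append("authorization: preparer and approver are the same user")
    return findings

def screen_batch(payments) -> dict:
    """Detective control over a batch: maps the reference of every entry
    that fails at least one check to its list of findings."""
    return {p.ref: f for p in payments if (f := apply_input_controls(p))}

# Constructed sample batch: one clean entry and three defective ones.
SAMPLE_BATCH = [
    Payment("P-1", "V-001", "6100", 1200.0, "alice", "bob", "supervisor"),
    Payment("P-2", "V-009", "6100", 300.0, "alice", "bob", "supervisor"),
    Payment("P-3", "V-002", "6100", 12000.0, "carol", "carol", "supervisor"),
    Payment("P-4", "V-002", "9999", -50.0, "", "dan", "controller"),
]
```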
Preventive, Detective, and Corrective Controls
Control Frameworks
• To develop internal control system, there are three possible
control frameworks.
• These include:
COBIT framework
COSO framework
COSO-ERM framework
Control Frameworks
• The COBIT framework
COBIT (Control Objectives for Information and Related
Technology) was developed by ISACA (the Information Systems
Audit and Control Association)
Is a framework for IT Control
It consolidates control standards from different sources into a
single framework that allows:
Management to benchmark security and control practices of IT
environments,
Users to be assured that adequate IT security and controls exist, and
Auditors to substantiate their internal control opinions and to advise
on IT security and control matters
The COBIT 2019 framework describes best practices for
effective governance and management of IT.
The current COBIT version is the COBIT 5 framework, based on the
following principles:
COBIT 5
Framework
COBIT5 Separates Governance from Management
Control Frameworks
• The COSO’s Internal Control Framework
COSO refers to the Committee of Sponsoring
Organizations
In 1992 COSO issued Internal Control – Integrated
Framework (IC), which is widely accepted as the authority
on internal controls and is incorporated into policies, rules,
and regulations used to control business activities
It is a framework for enterprise internal controls (control
based approach)
Components of COSO Frameworks
COSO Internal Control Framework
Control Frameworks
• The COSO – ERM framework
• COSO-ERM
Expands the COSO framework by taking a risk-based approach
• The COSO ERM framework is one of the widely
accepted risk management standards
organizations use to help manage risks in an
increasingly turbulent, unpredictable business landscape.
• The initial mission of COSO was to study financial
reporting and develop recommendations to prevent
fraud.
IS Security: Basic Concepts
• What is Security?
“The quality or state of being secure - to be free
from danger”, or
To be protected from adversaries - from those
who would do harm, intentionally or otherwise.
A successful organization should have multiple
layers of security in place: Physical security,
Personal security, Operations security,
Communications security, Network security,
and Information security
IS Security: Basic Concepts
• What is Security?
Physical security:
To protect the physical items, objects, or areas of an organization from
unauthorized access and misuse.
Personal security:
To protect the individual or group of individuals who are authorized to
access the organization and its operations.
Operations security:
To protect the details of a particular operation or series of activities.
Communications security:
To protect an organization’s communication media, technology, and
content
Network security:
To protect networking components, connection, and contents
IS Security: Basic Concepts
• What is Security?
In essence, all security is about the protection of
assets through security controls from the various
threats posed by certain inherent
vulnerabilities.
Security processes usually deal with the selection
and implementation of security controls (also
called counter measures) which help to reduce
the risk posed by these vulnerabilities
IS Security: Basic Concepts
• What is Information Systems (IS) Security?
It is the process of protecting information and information
systems from unauthorized access, use, disclosure,
disruption, modification, or destruction.
Information security’s primary mission is to ensure that
systems and their contents remain the same!
In terms of ICT-based systems, the information alone
cannot be deemed to be secure unless all resources and
processes dealing with that information are secure as well.
ICT is the infrastructure that processes, stores and
communicates information. In this case it is the information that is
deemed to be the asset that requires protection
IS Security: Basic Concepts
• What is Information Systems (IS) Security?
As a process, it can be said to be about examining and
answering three fundamental questions to ensure that
critical assets are sufficiently protected in a cost-effective
manner:
What assets do we need to protect?
How are those assets threatened?
What can we do to counter those threats?
It can also be seen as a process composed of plan-do-check-act
IS Security: Basic Concepts
• What is Information Systems (IS) Security?
It can also be seen as a process composed of plan-do-check-act
Plan: establish security policy, objectives, process and
procedures, perform risk assessment, develop risk
treatment plan with appropriate selection of controls or
acceptance.
Do: implement the risk treatment plan
Check: Monitor and maintain the risk treatment plan
Act: maintain and improve the information security risk
management process in response to incidents, review or
identified changes
IS Security: Basic Concepts
• The three fundamental IS concepts
• Security is a management issue, not just a technology issue
• People: the critical factor
• The time-based model of information security
It is:
P > D + R, where
P = the time it takes an attacker to break through the
various controls that protect the organization’s
information assets
D = the time it takes for the organization to detect that
an attack is in progress
R = the time it takes to respond to and stop the attack
Security Life Cycle
IS Security: Basic Concepts
• Primary focuses of IS Security
• These include:
Confidentiality,
Integrity and
Availability
IS Security: Basic Concepts
• Primary focuses of IS Security
• Confidentiality
• The quality or state of preventing disclosure or exposure to
unauthorized individuals or systems.
Data confidentiality: Assures that confidential information is not
disclosed to unauthorized individuals
Of personal data and information
Credit card account numbers and bank account number
Of intellectual property of businesses
Copyrights, patents, and secret formulas
Of national security
Military intelligence
Homeland security and government-related information
IS Security: Basic Concepts
• Primary focuses of IS Security
• Integrity
• The quality or state of being whole, complete, and uncorrupted.
Data integrity: assures that information and programs are changed only in a
specified and authorized manner
System integrity: Assures that a system performs its operations in unimpaired
manner
• The integrity of information is threatened when the information is exposed
to corruption, damage, destruction, or other disruption of its authentic
state.
• Data has integrity if the data is not altered, is valid, and is accurate
• Of user names and passwords; patents and copyrights, source code;
diplomatic information, financial data
IS Security: Basic Concepts
• Primary focuses of IS Security
• Availability
• Enables users who need to access information to do so without interference or
obstruction and in the required format.
• Assures that systems work promptly and service is not denied to authorized users
• The information is said to be available to an authorized user when and where
needed and in the correct format.
• In the context of information security, availability is generally
expressed as the amount of time users can use a system, application,
and data.
▪ Uptime: The total amount of time that a system, application, and data
are accessible.
▪ Downtime: The total amount of time that a system, application, and
data are not accessible.
▪ Availability = (Total Uptime) / (Total Uptime + Total Downtime)
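To put the availability formula into practice, here is an added example, not from the chapter, that computes a month's availability from a constructed outage log. It merges overlapping incident tickets so the same downtime window is not counted twice; the log format and the incidents in it are assumptions.

```python
from datetime import datetime, timedelta

# Constructed outage log (not from the chapter): one record per line giving
# the start and end of each interval during which the system was not accessible.
OUTAGE_LOG = """\
2024-03-02T01:10:00 2024-03-02T02:40:00 database failover
2024-03-10T09:00:00 2024-03-10T09:45:00 patching
2024-03-10T09:30:00 2024-03-10T10:15:00 patching overran, second ticket
2024-03-25T14:00:00 2024-03-25T14:20:00 network outage
"""

def parse_outages(log_text):
    """Parse 'start end description' lines into (start, end) datetime pairs."""
    outages = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        start_s, end_s, _desc = line.split(" ", 2)
        start, end = datetime.fromisoformat(start_s), datetime.fromisoformat(end_s)
        if end < start:
            raise ValueError(f"outage ends before it starts: {line}")
        outages.append((start, end))
    return outages

def total_downtime(outages, period_start, period_end):
    """Sum downtime inside the reporting period, clipping incidents to the
    period and merging overlapping ones (two tickets for one window count once)."""
    clipped = []
    for s, e in outages:
        s, e = max(s, period_start), min(e, period_end)
        if s < e:
            clipped.append((s, e))
    clipped.sort()
    down = timedelta()
    cur_s = cur_e = None
    for s, e in clipped:
        if cur_e is not None and s <= cur_e:
            cur_e = max(cur_e, e)  # overlaps the current window: extend it
        else:
            if cur_e is not None:
                down += cur_e - cur_s
            cur_s, cur_e = s, e
    if cur_e is not None:
        down += cur_e - cur_s
    return down

def availability(log_text, period_start, period_end):
    """Availability = Total Uptime / (Total Uptime + Total Downtime), where
    uptime is the period length minus the merged downtime."""
    total = period_end - period_start
    down = total_downtime(parse_outages(log_text), period_start, period_end)
    up = total - down
    return up / (up + down)

MARCH_START, MARCH_END = datetime(2024, 3, 1), datetime(2024, 4, 1)
```

For the sample log the merged downtime in March is 185 minutes out of 44,640, giving an availability of about 99.59%.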
IS Security Threats
• There are various definitions of IS security threats:
It is a malicious event or action targeted at interrupting the
integrity of corporate or personal computer systems.
The motivation is to compromise data for the purposes of exploitation.
anything that has the potential to cause serious harm to an
IS/computer system.
A possible danger that might exploit a vulnerability to breach
security to cause possible harm
Can lead to attacks on computer systems, networks and more.
• IS security threats can be categorized as follows:
IS Security Threats: classifications
• Deliberate Software Attacks
- Occurs when an individual or group designs and develops
software to attack a system
- Designed to damage, destroy, or deny service to the target
systems
- Include: viruses, worms, other malware
• Espionage or Trespass
- Occurs when an unauthorized individual gains access to the
information an organization is trying to protect
- Intelligence gathering: legal (competitive intelligence) or
illegal (industrial espionage); there is a thin line between them
- One technique: shoulder surfing
- The classic perpetrator of espionage or trespass is the
hacker
- Hackers are “people who use and create computer
software [to] gain access to information illegally”
• Forces of Nature
- Pose some of the most dangerous threats
- Unexpected and occur with little or no warning
- Fire, tornado, tsunami, flood, earthquake, landslide, etc.
Compiled by Habtamu B. Abera (PhD) AcFn 612-AAU 1–54
Classification
IS Security Threats: classifications
• Act of Human Error
- Acts performed without intent or malicious purpose by an
authorized user
- Greatest threat to organizations’ IS security: the
organization’s own employees, who are closest to the data
- Mistakes: revelation of classified data, entry of erroneous
data, accidental deletion or modification of data
• Information Extortion
- Typically involves: an attacker or insider steals information,
demands compensation and agrees not to disclose the information.
• Sabotage or Vandalism
- Deliberate sabotage of a computer system or business, or acts
to destroy an asset or damage the image of an organization
• Technology Obsolescence
- Outdated infrastructure (HW and SW) can lead to unreliable
and untrustworthy systems.
- Management must recognize that when technology becomes
IS Security Attacks
An attack is an act that takes advantage of a vulnerability to
compromise a controlled system.
A vulnerability is an identified weakness in a controlled system,
where controls are not present or are no longer effective.
Unlike threats, which are always present, attacks only exist
when a specific act may cause a loss.
IS Security Controls
• There are two categories of controls:
Technical control
Management Control:
Include:
– Policies, standards, practices and guidelines
– Education, training, and awareness programs targeting internal
users and external associates
– Contingency planning
Potential Topic for Individual Assignment
- Use of Accounting Information System
(AIS) in public sector
- AIS and Artificial Intelligence
- How AIS is relevant for Auditing?
- Effects of digital transformation on AIS
- Issues in IS security control
- Digital currency and AIS
• Etc.
End of Chapter Four