Document Flowchart and Systems
25 Questions

Questions and Answers

A level 1 flowchart shows all major activity steps of a system.

False

Fraudulent financial statements are typically prepared to reduce a company's stock price.

False

The presence of strong internal controls guarantees that fraud will not occur.

False

Reconciliation checks on data are not a method of fraud detection.

False

Financial pressure is a key factor in fraudulent financial statements, but it is not a pressure that can influence fraudulent acts.

False

Social engineering involves using software to harm a computer system or electronic device.

False

The COSO-ERM framework is more focused on internal controls than the COSO framework.

False

A firewall is a type of intrusion detection system that monitors network traffic for suspect activity.

False

According to the Time-Based Model, if P is greater than D plus C, the system is likely to be vulnerable to attacks.

False

Authentication determines if a user has access to certain parts of a system.

False

Hashing is a reversible process that protects the confidentiality and privacy of information.

False

A Range check is used to verify that the input data is within a certain length or format.

False

In the Revenue Cycle, RFID is used in the Cash Collection Process to prevent theft of cash.

False

A Differential Backup is a type of backup that copies all data from the last full backup.

False

The Operational feasibility of a new system is concerned with whether the system can be developed and implemented using existing technology.

False

What is the primary purpose of hashing in information systems?

To ensure the delivered file is identical to the original and to verify the integrity of the data.

What is the main difference between encryption and hashing?

Encryption is reversible, whereas hashing is not reversible.

What is the purpose of a Range check in data entry controls?

To ensure that input data is within a certain guideline or limit.

What is the primary purpose of a Disaster Recovery Plan (DRP)?

To restore the system in the event that the data center is destroyed.

What is the main objective of the Revenue Cycle process?

To ensure accurate and efficient processing of sales, shipment, billing, and cash collection.

What is the primary purpose of the Expenditure Cycle process?

To manage the procurement of goods and services, ensuring accurate and efficient processing of orders, receipts, and payments.

What are the main obstacles to updating systems, and how can they be addressed?

Fear, lack of top management support, lack of communication, biases/emotions, and personal characteristics or backgrounds. These can be addressed through effective communication, training, and change management strategies.

What are the three feasibility factors to consider when implementing a new system?

Operational, Technical, and Economic feasibility.

What is the main purpose of incremental and differential backups?

To ensure data integrity and reduce data loss in the event of a disaster.

What is the main benefit of using RFID technology in the Revenue Cycle?

To improve accuracy and efficiency in shipment and inventory management.

Study Notes

Documentation of Flowchart

  • A set of documents and models that includes narratives, data flow, models, and flowcharts.
  • Consists of inputs, processes, storage, output, and controls.
  • Allows auditors to monitor business operations and information.

Types of Systems

  • Document: Illustrates the flow of documents through an organization.
  • Program: Logical representation of system inputs, processes, and outputs.
  • System: The actual steps of the activity, detailed to represent the logical sequence.
  • Context: Highest level (most general) showing inputs and outputs into the system.
  • Level 0: Shows all major activity steps of a system.
  • Level 1: Shows one major activity divided into sub-activities.

Fraud

  • Gaining an unfair advantage over another person.
  • Includes false statements, representations, or disclosures, and material facts that induce a person to act.
  • Requires an intent to deceive.
  • Auditors need to understand fraud risks, evidence, and how to respond to fraud.
  • Obtain information, understand fraud, and evaluate results of audit tests.

Forms of Fraud

  • Theft of company assets.
  • Financial reports are falsified.

Key Factors for Theft of Assets

  • Absence of strong internal controls.
  • Failure to enforce internal control systems.

Fraudulent Financial Statements

  • Meet cash flow needs.
  • Cover up losses.
  • Increase a company's stock price.
  • Heavy competition.
  • Intense pressure to meet earnings expectations.

Pressure to Influence Fraudulent Acts

  • Employee: Financial, emotional, or lifestyle pressures.
  • Financial reporting: Industry conditions, management characteristics, financial pressure.

Fraud Detection Controls

  • Segregation of duties.
  • Insurance.
  • Strong internal controls.
  • Reconciliation checks on data.
  • External and internal audits.
  • Monitoring system activity.
  • Use encryption.
  • System authentication.
  • Restrict access (authorization).

Computer Fraud and Abuse Techniques

  • Hacking: Unauthorized access, modification, or use of a computer system or electronic device.
  • Social engineering: Techniques used to trick or manipulate an individual to gain access to sensitive data or information.
  • Malware: Any software used to harm.

Social Engineering Techniques

  • Phishing: Emails designed to trick individuals into providing sensitive information.
  • Shoulder surfing: Observing individuals entering sensitive information.
  • Spoofing: Creating fake emails, websites, or caller IDs to trick individuals.

Hacking and Embezzlement

  • Stealing small amounts of money from multiple individuals.
  • Can grow over time.

Identity Theft

  • Assuming someone else's identity.

Ransomware

  • Locks users out of programs and data using encryption.

Minimizing Social Engineering Threats

  • Never let individuals follow you into restricted areas.
  • Never log in for someone else on a computer.
  • Never give sensitive information over the phone or email.
  • Never share passwords or user IDs.

Control and Accounting Information Systems

  • Functions of AIS:
    • Protect internal control data.
    • Identify problems.
    • Fix data, restore/backup data.

Sarbanes-Oxley

  • New roles for audit committees:
    • One member must be a financial expert.
    • Oversees external auditors.
  • New rules for management:
    • Financial statements and disclosures are fairly presented and reviewed.
    • Auditors are informed about material internal control weaknesses and fraud.
  • New internal control requirements:
    • Management is responsible for establishing and maintaining internal controls.
    • Fraud must be disclosed if management knows it exists.

Control Frameworks

  • COBIT:
    • Meeting stakeholder needs.
    • Covering the enterprise end-to-end.
    • Applying a single, integrated framework.
    • Enabling a holistic approach.
    • Separating governance from management.
  • COSO:
    • Control (internal) environment.
    • Risk assessment.
    • Control activities.
    • Information and communication.
    • Monitoring.
  • COSO-ERM:
    • Internal environment.
    • Objective setting.
    • Event identification.
    • Risk assessment.
    • Risk response.
    • Control activities.
    • Information and communication.
    • Monitoring.

Time-Based Model

  • If P > D + C, the system is likely to be safe.
  • P = time it takes an attacker to break through preventive controls.
  • D = time it takes to detect the attack.
  • C = time it takes to respond to the attack.

Firewalls and Intrusion Systems

  • Firewalls: Block unauthorized access.
  • Intrusion prevention systems: Monitor and prevent suspect activity.
  • Intrusion detection systems: Detect and alert administration to potential security breaches.

Authentication and Authorization

  • Authentication: Verifies the person using passwords, PINs, ID cards, or biometric characteristics.
  • Authorization: Determines access to specific parts of a system.

Hash and Encryption

  • Hash: Converts text to a unique code, ensuring data integrity.
  • Encryption: Converts text to unreadable text, protecting confidentiality.

Data Entry Controls

  • Completeness: Ensuring all data is entered.
  • Reasonable: Logical comparisons.
  • Validity: Input compared with master data.
  • Size check: Input length is correct.
  • Range check: Input is within a certain range.
  • Incremental backup: Copies only changed data.
  • Differential backup: Copies only changed data from the last full backup.

Disaster Recovery Plan

  • Procedures to restore the system in the event of a disaster.

Revenue Cycle

  • Sales order entry: Ensuring no invalid or incomplete orders.
  • Shipment: Ensuring correct items and quantities are shipped.
  • Billing: Ensuring correct billing.
  • Cash collection: Ensuring no theft or cash flow problems.

Expenditure Cycle

  • Order materials: Ensuring no poor quality or excess inventory.
  • Receive materials: Verifying correct goods and quantities.
  • Approve supplier: Verifying invoices and purchase orders.
  • Cash disbursement: Ensuring no duplicate payments or theft.

Updating Systems

  • Improving efficiency and business procedures.
  • Technology changes.
  • Developing quality, error-free software.
  • Increasing productivity gains.
  • Creating competitive advantage.

Behavioral Problems in Updating Systems

  • Fear.
  • Lack of top management support.
  • Lack of communication.
  • Biases and emotions.
  • Personal characteristics or backgrounds.

Resistance to Change

  • Individuals may blame new systems for errors.
  • Human error is often the underlying issue.

Feasibility

  • Operational: Does the company have access to people to design, implement, and operate the new system?
  • Technical: Can the system be developed and implemented using existing technology?
  • Economic: Will the system justify the time, money, and resources required to implement?

Quiz Team

Description

This quiz covers the concept of documentation in business operations, including the flow of documents, programs, and systems. It also explores the importance of documentation for auditing and monitoring purposes.
