AIS exam 2 (chapters 5-7, and 11)


Auditors' responsibilities to detect fraud under SAS #99

-SAS is a Statement on Auditing Standards; SAS No. 99 became effective in December 2002.
-requires auditors to:
1) understand fraud (know how and why it is committed)
2) discuss the risks of material fraudulent misstatements (while planning the audit, team members discuss how and where the company's financial statements are susceptible to fraud)
3) obtain information (look for fraud risk factors, test company records, and ask management and others whether they know of current or past fraud)
4) identify, assess, and respond to risks
5) evaluate the results of their audit tests (determine the impact of fraud on the financial statements)
6) document and communicate findings (to management and the audit committee)
7) incorporate a technology focus

MAC address

-a Media Access Control address is a hardware address that uniquely identifies each node on a network.

patch

-code released by software developers that fixes a particular software vulnerability.

denial-of-service (DoS) attack

-a computer attack in which the attacker sends so many email bombs or web page requests, often from randomly generated false addresses, that the internet service provider's email server or the web server is overloaded and shuts down.
-botnets are used to perform this attack, which is designed to make a resource unavailable to its users.
-in an email DoS attack, so many emails (thousands per second) are received, often from randomly generated false addresses, that the internet service provider's email server is overloaded and shut down.
-another attack involves sending so many web page requests that the web server crashes.
-Ex: a DoS attack shut down 3000 websites for 40 hours on one of the busiest shopping weekends of the year.

man-in-the-middle (MITM) attack

-a hacker placing himself between a client and a host to intercept communications between them.
-often called a session hijacking attack.
-they're used to attack public-key encryption systems where sensitive and valuable info is passed back and forth.
-once a MITM presence is established, the hacker can read and modify client messages, mislead the two parties, manipulate transactions, and steal confidential data.
-to prevent MITM attacks, most cryptographic protocols authenticate each communication endpoint.

zombie

-a hijacked computer, typically part of a botnet, that is used to launch a variety of internet attacks.

pressure (part of the fraud triangle)

-a person's incentive or motivation for committing fraud. (WHY do they commit fraud?)
-types: employee pressure and financial statement pressure.
-employee pressure:
1) financial: living beyond one's means; heavy financial losses; "inadequate" salary; high personal debt/expenses
2) emotional: excessive greed, ego, pride, ambition; performance not recognized; job dissatisfaction; fear of losing job; need for power or control; challenge of beating the system
3) lifestyle: gambling habit, drug/alcohol addiction, sexual relationships, family/peer pressure
-financial statement pressure:
1) management characteristics: questionable management ethics, management style, and track record
2) industry conditions: industry or technology changes leading to declining demand; new regulatory requirements that impair financial stability or profitability
3) financial: intense pressure to meet or exceed earnings expectations, significant cash flow problems

cookie

-a text file created by a Web site and stored on a visitor's hard drive. Cookies store information about who the user is and what the user has done on the site.
-data a website stores on your computer to identify you to the site so you do not have to log on each time you visit the site.

cross-site scripting (XSS)

-a vulnerability in dynamic web pages that allows an attacker to bypass a browser's security mechanisms and instruct the victim's browser to execute code, thinking it came from the desired website.
-most attacks use executable JavaScript, although HTML, Flash, or other code the browser can execute are also used.
-XSS flaws are the most prevalent flaws in web applications today and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.

zero-day attack

-also called a zero-hour attack; an attack between the time a new software vulnerability is discovered and "released into the wild" and the time the software developer releases a patch to fix the problem.

spoofing

-altering some part of an electronic communication to make it look as if someone else sent the communication in order to gain the trust of the recipient.

fraud

-any and all means a person uses to gain an unfair advantage over another person.
-legally, for an act to be fraudulent there must be:
1) a false statement, representation, or disclosure
2) a material fact, which is something that induces a person to act
3) an intent to deceive
4) a justifiable reliance; that is, the person relies on the misrepresentation to take an action
5) an injury or loss suffered by the victim

computer fraud

-any fraud that requires computer technology to perpetrate it.
-any illegal act in which knowledge of computer technology is necessary for its perpetration, investigation, and prosecution.
-Examples:
1) unauthorized theft, use, access, modification, copying, or destruction of software, hardware, or data
2) theft of assets covered up by altering computer records
3) obtaining info or tangible property illegally using computers

phreaking

-attacking phone systems to obtain free phone line access, use phone lines to transmit malware, and to access, steal, and destroy data.

check kiting

-creating cash using the lag between the time a check is deposited and the time it clears the bank.
-suppose an individual or a company opens accounts in banks A, B, and C. The perpetrator "creates" cash by depositing a $1000 check from bank B in bank C and withdrawing the funds. If it takes 2 days for the check to clear bank B, he has created $1000 for 2 days. After 2 days, the perpetrator deposits a $1000 check from bank A in bank B to cover the created $1000 for 2 more days. At the appropriate time, $1000 is deposited from bank C in bank A.
-the scheme continues (writing checks and making deposits as needed to keep the checks from bouncing) until the perpetrator is caught or he deposits money to cover the created and stolen cash.
-electronic banking systems make kiting harder because the time between a fraudster depositing the check in one bank and the check being presented to the other bank for payment is shortened.

IP address spoofing

-creating Internet Protocol packets with a forged IP address to hide the sender's identity or to impersonate another computer system.
-IP spoofing is most frequently used in DoS attacks.

sabotage

-deliberate destruction of or harm to a system.
-an intentional act where the intent is to destroy a system or some of its components.

caller ID spoofing

-displaying an incorrect number on the recipient's caller ID display to hide the caller's identity.
-the spoofers trick cellphone users into divulging account info by sending an automated call or text message that appears to come from their bank. Using the obtained info, the fraudsters call the bank, spoofing the victim's phone number, and answer the security questions. They then instruct the bank to transfer cash and/or issue credit cards to addresses the fraudster controls.

war driving

-driving around looking for unprotected home or corporate wireless networks.

misappropriation of assets (pg 133)

-first category of fraud
-often called employee fraud
-theft of company assets by employees, including physical assets (cash, inventory) and digital assets (intellectual property such as protected trade secrets, customer data)
-largest factors contributing to theft of assets:
1) absence of an internal control system
2) failure to enforce the internal control system

white-collar criminals

-fraud perpetrators are often referred to as this.
-typically, businesspeople who commit fraud. They usually resort to trickery or cunning, and their crimes usually involve a violation of trust or confidence.

masquerading/impersonation

-gaining access to a system by pretending to be an authorized user. This requires that the perpetrator know the legitimate user's ID and password.
-or using someone's computer after they have logged in (while the user is in a meeting or at lunch, etc.)

hijacking

-gaining control of someone else's computer to carry out illicit activities, such as sending spam without the computer user's knowledge.

buffer overflow attack

-happens when the amount of data entered into a program is greater than the amount of memory (the input buffer) set aside to receive it.
-the input overflow overwrites the next computer instruction, causing the system to crash.
-hackers exploit this buffer overflow by crafting the input so that the overflow contains code that tells the computer what to do next. This code could open a back door into the system, provide the attacker with full control of the system, access confidential data, destroy or harm system components, slow system operations, and carry out any number of other inappropriate acts.

computer fraud classification (data fraud)

-illegally using, copying, browsing, searching, or harming company data.
-the biggest cause of data breaches is employee negligence.
-Ex: in the absence of controls, it is not hard for an employee to steal data. An employee using a small flash drive can steal large amounts of data and remove it without being detected.

SQL injection (insertion) attack

-in this attack, malicious code in the form of an SQL query is inserted into input so it can be passed to and executed by an application program.
-the idea is to convince the application to run SQL code that it was not intended to execute by exploiting a database vulnerability.
-a successful SQL injection can read sensitive data from the database; modify, disclose, destroy, or limit the availability of the data; allow the attacker to become a database administrator; spoof identity; and issue operating system commands.

computer fraud classification (computer instructions fraud)

-includes tampering with company software, copying software illegally, using software in an unauthorized manner, and developing software to carry out an unauthorized activity.

computer fraud classification (processor fraud)

-includes unauthorized system use, including the theft of computer time and services

round-down fraud

-instructing the computer to round down all interest calculations to two decimal places. The fraction of a cent rounded down on each calculation is put into the programmer's account.

email spoofing

-making a sender address and other parts of an email header appear as though the email originated from a different source.
-many spam and phishing attacks use special software to create random sender addresses.

click fraud

-manipulating the number of times an ad is clicked on to inflate advertising bills.

opportunity (part of fraud triangle)

-many opportunities are the result of a deficient system of internal controls, such as deficiencies in proper segregation of duties, authorization procedures, clear lines of authority, proper supervision, adequate documents and records, safeguarding of assets, or independent checks on performance.
-the condition or situation that allows a person or organization to commit and conceal a dishonest act and convert it to personal gain:
1) commit the fraud (theft of assets is most common)
2) conceal the fraud (lapping, kiting)
3) convert the theft or misrepresentation to personal gain

minimize the threat of social engineering:

-never let people follow you into restricted areas
-never log in for someone else on a computer
-never give sensitive info over the phone or email
-never share passwords or user IDs
-be cautious of someone you don't know who is trying to gain access through you

web cramming

-offering a free website for a month, developing a worthless website, and charging the phone bill of the people who accept the offer for months, whether they want to continue using the website or not.

war dialing

-programming a computer to dial thousands of phone lines searching for dial-up modem lines. Hackers hack into the PC attached to the modem and access the network to which it is connected.

fraudulent financial reporting

-second category of fraud
-intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements (the Treadway Commission)
-management falsifies financial statements to deceive investors and creditors, increase a company's stock price, meet cash flow needs, or hide company losses and problems (financial statement pressure)
-a.k.a. "cooking the books" (booking fictitious revenue, overstating assets, etc.)

Address Resolution Protocol (ARP) spoofing

-sending fake ARP messages to an Ethernet LAN. ARP is a computer networking protocol for determining a network host's hardware address when only its IP or network address is known.
-ARP is critical for local area networking as well as for routing Internet traffic across gateways (routers).
-ARP spoofing allows an attacker to associate his MAC address with the IP address of another node. Any traffic meant for the intended IP address is mistakenly sent to the attacker instead. The attacker can sniff the traffic and forward it to its intended target, modify the data before forwarding it (a MITM attack), or launch a DoS attack.

botnet

-short for robot network
-a network of powerful and dangerous hijacked computers that are used to attack systems or spread malware.

spamming

-simultaneously sending the same unsolicited message to many people, often in an attempt to sell them something.

DNS spoofing

-sniffing the ID of a Domain Name System (DNS, the "phone book" of the internet that converts a domain, or website name, to an IP address) request and replying before the real DNS server can.

splog

-spam blogs created to increase a website's Google PageRank, which is based on how often a web page is referenced by other web pages.
-hackers create these with links to websites they own to increase their Google PageRank.
-they're created to artificially inflate paid-ad impressions from visitors, to sell links, or to get new sites indexed.
-they're annoying, waste valuable disk space and bandwidth, and pollute search engine results.

salami technique

-stealing tiny slices of money from many different accounts.

computer fraud classification (output fraud)

-stealing, copying, or misusing computer printouts or displayed information.

rationalization (part of fraud triangle)

-the excuse that fraud perpetrators use to justify their illegal behavior:
1) justification ("I am not being dishonest")
2) attitude ("I don't need to be honest")
3) lack of personal integrity (theft is valued higher than honesty or integrity)
-Ex: "I am only 'borrowing' it, and I will repay my 'loan'"; "you would understand if you knew how badly I needed it"; "what I did was not that serious"; "it was for a good cause"; "the company owes me; I am only taking what is rightfully mine."

bot herder

-the person who creates a botnet by installing software on PCs that responds to the bot herder's electronic instructions.
-they install software that responds to the hacker's electronic instructions on unwitting PCs. Bot software is delivered in a variety of ways, including trojans, emails, instant messages, tweets, or an infected website.
-bot herders use the combined power of the hijacked computers to mount a variety of internet attacks.

computer fraud classification (input fraud)

-the simplest and most common way to commit a computer fraud is to alter or falsify computer input. It requires little skill.

social engineering

-the techniques or psychological tricks used to get people to comply with the perpetrator's wishes in order to gain physical or logical access to a building, computer, server, or network.
-it is usually used to get the info needed to obtain confidential data.

data leakage

-the unauthorized copying of company data, often without leaving any indication that it was copied.

software piracy

-the unauthorized copying or distribution of copyrighted software.
1) selling a computer with preloaded illegal software
2) installing a single-license copy on multiple machines
3) loading software on a network server and allowing unrestricted access to it in violation of the software license agreement

economic espionage

-theft of information, trade secrets, and intellectual property.

corruption

-this is dishonest conduct by those in power and it often involves actions that are illegitimate, immoral, or incompatible with ethical standards. -Examples: bribery and bid rigging.

investment fraud

-this is misrepresenting or leaving out facts in order to promote an investment that promises fantastic profits with little or no risk.
-Examples: Ponzi schemes and securities fraud

cyber-extortion

-threatening to harm a company or person if a specified amount of money is not paid.

email threats

-threats sent to victims by email. -the threats usually require some follow-up action, often at great expense to the victim.

hacking

-unauthorized access, modification, or use of an electronic device or some element of a computer system. -most hackers break into systems using known flaws in operating systems or application programs, or as a result of poor access controls.

podslurping

-using a small device with storage capacity (iPod, flash drive) to download unauthorized data from a computer.

internet auction fraud

-using an internet auction site to defraud another person.

war rocketing

-using rockets to let loose wireless access points attached to parachutes that detect unsecured wireless networks.

SMS spoofing

-using short message service (SMS) to change the name or number a text message appears to come from.

dictionary attack

-using special software to guess company email addresses and send them blank email messages. Unreturned messages are usually valid email addresses that can be added to spammer email lists.

internet terrorism

-using the internet to disrupt electronic commerce and harm computers and communications.

internet pump-and-dump fraud

-using the internet to pump up the price of a stock and then sell it.

internet misinformation

-using the internet to spread false or misleading information

vishing

-voice phishing -it is like phishing except that the victim enters confidential data by phone.

social engineering techniques and why people fall victim to them:

1) compassion: desire to help others
2) greed: want a good deal or something for free
3) sex appeal: more cooperation with those that are flirtatious or good looking
4) sloth: lazy habits
5) trust: will cooperate if trust is gained
6) urgency: cooperation occurs when there is a sense of immediate need
7) vanity: more cooperation when appealing to vanity

piggybacking (has several meanings)

1) the clandestine use of a neighbor's WiFi network
2) tapping into a communications line and electronically latching onto a legitimate user before the user enters a secure system; the legitimate user unknowingly carries the perpetrator into the system
3) an unauthorized person following an authorized person through a secure door, bypassing physical security controls such as keypads, ID cards, or biometric identification scanners

Treadway Commission Actions to Reduce fraud

1) establish an organizational environment that contributes to the integrity of the financial reporting process
2) identify and understand the factors that lead to fraudulent financial reporting
3) assess the risk of fraudulent financial reporting within the company
4) design and implement internal controls to provide reasonable assurance of preventing fraudulent financial reporting

reasons for rise in computer fraud

1) not everyone agrees on what constitutes computer fraud
2) many instances of computer fraud go undetected
3) a high percentage of frauds is not reported (some companies believe the publicity would result in copycat fraud and a loss of customer confidence, which could cost more than the fraud itself)
4) many networks are not secure
5) internet sites offer step-by-step instructions on how to perpetrate computer fraud and abuse
6) law enforcement cannot keep up with the growth of computer fraud (the FBI investigates only 1 in 15 computer crimes because of a lack of funds and skills)
7) calculating losses is difficult

Which of the following pressures are classified as Management Characteristics that can lead to financial statement fraud?
a. High management and/or employee turnover
b. Declining industry
c. New regulatory requirements that impair financial stability or profitability
d. Intense pressure to meet or exceed earnings expectations

a. High management and/or employee turnover

which of the following causes the majority of computer security problems?
a. human errors
b. software errors
c. natural disasters
d. power outages

a. human errors (the Computer Technology Industry Association estimates that human errors cause 80% of security problems.)

Kiting is a scheme in which:
a. insufficient funds are covered up by deposits made at one bank by checks drawn at another bank.
b. a computer system is infiltrated under false pretenses.
c. an external user impersonates an internal user.
d. None of the above

a. insufficient funds are covered up by deposits made at one bank by checks drawn at another bank.

once fraud has occurred, which of the following will reduce fraud losses? (select all correct answers)
a. insurance
b. regular backup of data and programs
c. contingency plan
d. segregation of duties

a. insurance (the right insurance will pay for all or a portion of fraud losses)
b. regular backup of data and programs (regular backup helps the injured party recover lost or damaged data and programs)
c. contingency plan (a contingency plan helps the injured party restart operations on a timely basis)

which of the following is a fraud in which later payments on account are used to pay off earlier payments that were stolen?
a. lapping
b. kiting
c. ponzi scheme (meaning money from new investors is used to pay off earlier investors)
d. salami technique

a. lapping

identity theft

assuming someone else's identity

All of the following are classifications of computer fraud except:
a. Input fraud.
b. Reconciliation fraud.
c. Computer instructions fraud.
d. Processor fraud.
e. Output fraud.

b. Reconciliation fraud.

According to the opportunity part of the fraud triangle, a person may do all of the following acts except:
a. Convert the theft or misrepresentation for personal gain.
b. Control the fraud.
c. Commit the fraud.
d. Conceal the fraud.

b. control the fraud

which type of fraud is associated with 50% of all auditor lawsuits?
a. kiting
b. fraudulent financial reporting
c. ponzi schemes
d. lapping

b. fraudulent financial reporting

which of the following statements is false?
a. the psychological profiles of white-collar criminals differ from those of violent criminals
b. the psychological profiles of white-collar criminals are significantly different from those of the general public
c. there is little difference between computer fraud perpetrators and other types of white-collar criminals
d. some computer fraud perpetrators do not view themselves as criminals

b. the psychological profiles of white-collar criminals are significantly different from those of the general public. (correct. this is false; the psychological profile of white-collar criminals is similar to that of the general public.)

Statement on Auditing Standards No. 99 (SAS 99) requires an auditor to do all of the following during an audit except:
a. Incorporate a technology focus.
b. Identify, assess, and respond to risks.
c. Acquire malpractice insurance in case the auditor does not detect an actual fraud during the audit.
d. Document and communicate findings.

c. Acquire malpractice insurance in case the auditor does not detect an actual fraud during the audit.

Which of the following creates an environment where computer fraud is less likely to occur?
a. Hire employees without adequate security and criminal checks.
b. Assume that corporate security policies are understood by all employees.
c. Increase the penalties for committing fraud.
d. None of the above.

c. Increase the penalties for committing fraud.

Which of the following actions are used to reduce fraud losses?
a. Implement a fraud hotline.
b. Conduct periodic external and internal audits.
c. Maintain adequate insurance.
d. Develop a strong system of internal controls.

c. Maintain adequate insurance

There are many threats to accounting information systems. Which of the following is an example of an intentional act?
a. War and attack by terrorists
b. Hardware or software failure
c. Computer fraud
d. Logic errors

c. computer fraud

which of the following is not an example of computer fraud?
a. theft of money by altering computer records
b. obtaining information illegally using a computer
c. failure to perform preventive maintenance on a computer
d. unauthorized modification of a software program

c. failure to perform preventive maintenance on a computer (correct. this is poor management of computer resources, but it is not computer fraud)

Which of the following is considered a financial pressure that can lead to employee fraud?
a. Gambling habit.
b. Greed.
c. Poor credit ratings.
d. Job dissatisfaction.

c. poor credit ratings

which of the following is the most important, basic, and effective control to deter fraud?
a. enforced vacations
b. logical access control
c. segregation of duties
d. virus protection controls

c. segregation of duties (segregating duties among different employees is the most effective control for the largest number of fraud schemes, because it makes it difficult for any single employee to both commit and conceal a fraud)

data diddling

changing data before or during entry into a computer system in order to delete, alter, add, or incorrectly update key system data.
Ex: forging or changing documents used for data entry and replacing files containing input data with modified files.

posing

creating a fake business to get sensitive info

Which of the following is not part of the fraud triangle?
a. Pressure
b. Opportunity
c. Rationalization
d. All are part of the fraud triangle.

d. all are parts of the fraud triangle

which of the following is not one of the responsibilities of auditors in detecting fraud according to SAS No. 99?
a. evaluating the results of their audit tests
b. incorporating a technology focus
c. discussing the risks of material fraudulent misstatements
d. catching the perpetrators in the act of committing the fraud

d. catching the perpetrators in the act of committing the fraud (correct. SAS #99 does not require auditors to witness the perpetrators committing fraud)

A scheme where the perpetrator steals the cash or check that customer A mails in to pay its accounts receivable, then the perpetrator takes the funds from customer B to later cover that account, and so on with customer C.
a. Computer fraud
b. Employee fraud
c. Kiting
d. Lapping

d. lapping

In order for an act to be legally considered fraud it must be all of the following except:
a. A material fact.
b. Justifiable reliance.
c. A false statement.
d. No intent to deceive.
e. An injury or loss suffered by the victim.

d. no intent to deceive

which of the following control procedures is most likely to deter lapping?
a. encryption
b. continual update of the access control matrix
c. background check on employees
d. periodic rotation of duties

d. periodic rotation of duties. (lapping requires a constant and ongoing cover-up to hide the stolen funds. Rotating duties such that the perpetrator does not have access to the necessary accounting records will most likely result in the fraud's discovery)

sexting

exchanging sexually explicit text messages and revealing pictures with other people, usually by means of a phone.

lapping

in this type of scheme, an employee of company Z steals the cash or checks customer A mails in to pay the money it owes to company Z. Later, the employee uses funds from customer B to pay off customer A's balance. Funds from customer C are used to pay off customer B's balance, and so forth. Because the theft involves two asset accounts (cash and A/R), the cover-up must continue indefinitely unless the money is replaced or the debt is written off the books.
-it's another way to hide a theft of company assets.
-concealing the theft of cash by means of a series of delays in posting collections to accounts receivable.

which of the following conditions is/are usually necessary for a fraud to occur? (select all correct answers)
a. pressure
b. opportunity
c. explanation
d. rationalization

pressure, opportunity, rationalization

phishing

sending an email that asks the victim to follow a link to a site that appears legitimate and requests sensitive data

web-page spoofing

this is also known as phishing.

pretexting

using a scenario (the pretext) to trick victims into divulging info or to gain access

cyber-bullying

using computer technology to support deliberate, repeated, and hostile behavior that torments, threatens, harasses, humiliates, embarrasses, or otherwise harms another person.

password cracking

when an intruder penetrates a system's defenses, steals the file containing valid passwords, decrypts them, and uses them to gain access to programs, files, and data.
