ACIS 3504 Exam 2 Study Guide
Fraudulent Financial Reporting
"cooking the books" (booking fictitious revenue, overstating assets, etc.)
Vulnerabilities of computer systems
- Company databases can be huge and access privileges can be difficult to create and enforce. Consequently, individuals can steal, destroy, or alter massive amounts of data in very little time - Organizations often want employees, customers, suppliers, and others to have access to their system from inside the organization and without. This access also creates vulnerability - Computer programs only need to be altered once, and they will operate that way until the system is no longer in use or someone notices - Modern systems are accessed by PCs, which are inherently more vulnerable to security risks and difficult to control (it is hard to control physical access to each PC; PCs are portable, and if they are stolen, the data and access capabilities go with them; PCs tend to be located in user departments, where one person may perform multiple functions that should be segregated; PC users tend to be more oblivious to security concerns)
Flowcharts vs. DFDs
- DFDs place a heavy emphasis on the logical aspects of a system - Flowcharts place more emphasis on the physical characteristics of the system - Changes in the physical characteristics of the process do affect the flowchart but have little or no impact on the DFD - When deciding which tool to employ, consider the information needs of those who will view it
Commit (opportunity)
- Lack of internal controls - Failure to enforce controls (the most prevalent reason) - Excessive trust in key employees - Incompetent supervisory personnel - Inattention to details - Inadequate staff - Management may allow fraud by: Not getting involved in the design or enforcement of internal controls, inattention or carelessness, overriding controls, using their power to compel subordinates to carry out the fraud
Business Process Diagrams Symbols
- Small Circle = start/begin - Small Bolded Circle = end - Rounded Edge Rectangle = activity in process - Diamond = decision - Arrow = flow - Bolded Dash Arrow = annotated information
System Flowcharts Organization/Rules
- The system flowchart begins by identifying the inputs to the system - Each input is followed by a process, i.e., the steps performed on the data - The process is followed by outputs (the resulting new information)
Guidelines for drawing flowcharts
- Understand the system you are trying to represent - Identify business processes, documents, data flows, and data processing procedures - Organize the flowchart so that it reads from top to bottom and left to right - Clearly label all symbols - Use page connectors (if it cannot fit on a single page) - Edit/review/refine to make it easy to read and understand
Benefits of visualizing data
- Visualized data is processed faster than written or tabular information - Visualizations are easier to use. Users need less guidance to find information with visualized data - Visualization supports the dominant learning style of the population because most learners are visual learners
Outlier
a data point, or a few data points, that lie an abnormal distance from other values in the data - Can be performed on qualitative data by first transforming the qualitative data into numbers
Level 0 diagram
a projection of the process on the Context diagram. It is like opening up that process and looking inside to see how it works (to show the internal sub-processes) - you repeat the external entities but you also expand the main process into its subprocesses (Also data stores will appear at this level)
Null hypothesis
a proposed explanation worded as a statement of equality
DFD Symbols
add picture
Completeness
does not omit aspects of events or activities, and of enough breadth and depth (Violation - an annual evaluation of vendor performance only contains 7 months of data)
Pressure
either employee pressure or financial statement pressure
Data Contradiction Errors
errors that exist when the same entity is described in two conflicting ways - Contradiction errors need to be investigated and resolved appropriately
Violated Attribute Dependencies
errors that occur when a secondary attribute in a row of data does not match the primary attribute
Type 2 Error
failure to reject a false null hypothesis
Employee fraud pressure
financial, emotional, or lifestyle pressure
Static graphics
graphics that stay the same and don't change (most prevalent type of visualization in business and the only ones that can be used in print)
Data Fraud
illegally using, copying, browsing, searching, or harming company data
Program Flowcharts Purpose
illustrates the sequence of logical operations performed in a computer in executing a program (also follow input - process - output) related to systems
Type 1 Error
incorrect rejection of a true null hypothesis
Orientation
information should be presented and able to be read in a horizontal fashion
Weighting
make colors darker, greater contrast, size, and density
Data Structuring
the process of changing the organization and relationships among data fields to prepare the data for analysis (includes aggregate data, data joining, and data pivoting)
Quantity
(Goldilocks principle) axis increments, information in labeling of axis, improper use of too many colors, number of data points
Failing to consider the variation
(the spread of the data about a prediction) inherent in a model
Document flowcharts Organization/Rules
- All departments using the system (the parties who "do" things in the story/each department gets its own column) - All documents or information flows (must show where each document originates and its final disposition) - All processes performed on the documents
How do accountants use documentation?
- At a minimum, they have to read documentation to understand how a system works (auditors need to assess risk) - They may need to evaluate the strengths and weaknesses of an entity's internal controls (Requires heavy reliance on documentation) - They may prepare documentation to: Demonstrate how a proposed system would work or Demonstrate their understanding of a system of internal controls
Guidelines for creating a DFD
- Understand the system that you are trying to represent - A DFD is a simple representation meaning that you need to consider what is relevant and what needs to be included - Start with a high level (context diagram) to show how data flows between outside entities and inside the system. Use additional DFDs at the detailed level to show how data flows within the system - Identify and group all the basic elements of the DFD - Name data elements with descriptive names, use action verbs for processes (e.g., update, edit, prepare, validate, etc.) - Give each process a sequential number to help the reader navigate from the abstract to the detailed levels - Edit/Review/Refine your DFD to make it easy to read and understand
Preventing and Detecting fraud
1. Make fraud less likely to occur 2. Make it difficult to commit 3. Improve detection 4. Reduce fraud losses
Four threats to AIS
1. Natural and political disasters 2. Software errors and equipment malfunctions 3. Unintentional acts 4. Intentional acts
Three steps to creating a predictive analytical model
1. Select the target outcome 2. Find and prepare the appropriate data 3. Create and validate a model
Miracles, black holes
?
Program Relationship to System flowcharts
A diagram is drawn for every process (rectangle) on a system flowchart
Business Process Diagrams Purpose
A visual way to represent the activities in a business process and the intent is that all business users can easily understand the process from a standard notation (BPMN: business process modeling notation)
Types of visualization for Comparison
Bar chart or bullet chart
Business Process Diagrams Structure
Can show the organizational unit performing the activity
Purposes of the visualization
Comparison, correlation, distribution, trend evaluation, part-to-whole
Conceal (opportunity)
Concealing the fraud often takes more time and effort and leaves more evidence than the actual theft or misrepresentation and may include: - Charge a stolen asset to an expense account or to an account receivable that is about to be written off - Create a ghost employee who receives an extra paycheck - Lapping (A/R) or kiting (banks)
Problems with data analytics
Data overfitting, extrapolation beyond the range of data, and failing to consider the variation
Computer fraud
Exists if a computer is used to commit fraud. In using a computer, fraud perpetrators can steal: More of something, in less time, with less effort - They may also leave very little evidence, which can make these crimes more difficult to detect
Financial statement fraud pressure
Financial statement fraud is distinct from other types of fraud in that the individuals who commit the fraud are not the direct beneficiaries (The company is the direct beneficiary and the perpetrators are typically indirect beneficiaries) - Reasons: deceive investors/creditors, increase a company's stock price, meet cash flow needs, hide company losses or other problems
Knowledgeable insiders
Former and current employees who are much more likely than non-employees to perpetrate frauds (and big ones) against companies. - Largely owing to their understanding of the company's systems and its weaknesses, which enables them to commit the fraud and cover their tracks
How data analytics can be used to prevent and detect fraud
Fraud detection is much more effective when data analytics software tools are used to examine an entire data population - Using data analytics software, every transaction or item in the data can be compared against selected criteria and any items identified as anomalies, unusual, or unexpected could be tagged for human examination - Data analytics don't directly detect fraud (Experienced humans are needed to examine and understand any suspicious activities identified and to determine if fraud is involved) - There are benefits as well as challenges when using data analytics to prevent and detect fraud
Rationalization
Fraudsters do not regard themselves as unprincipled; they regard themselves as highly principled individuals. The only way they can commit their frauds and maintain their self-image as principled individuals is to create rationalizations that recast their actions as "morally acceptable" behaviors. These rationalizations may include: - I was just borrowing the money - It wasn't really hurting anyone (corporations are often seen as non-persons, therefore crimes against them are not "hurting" anyone) - Everybody does it - I've worked for them for 35 years and been underpaid all that time. I wasn't stealing; I was only taking what was owed to me - I didn't take it for myself. I needed it to pay my child's medical bills
Types of visualization for Distribution
Histogram or box-plot
Classifications of Computer Fraud
Input fraud, processor fraud, computer instructions fraud, data fraud, and output fraud
Types of visualization for Trend Evaluation
Line chart or area chart
Two Categories of Fraud
Misappropriation of assets and fraudulent financial reporting
Types of visualization for Part-to-Whole
Pie chart or tree map
Fraud Triangle/Conditions for Fraud
Pressure, opportunity, and rationalization
Types of visualization for Correlation
Scatterplot or heatmap
Forms of visualizations
Static graphics, tables, videos, static models, dynamic models, etc.
Balancing
The level 0 diagram must "balance" with the Context diagram. This means they should both have the same external entities with the same flows to and from those entities
Comparison of 3 people groups
They found significant differences between violent and white-collar criminals and few differences between white-collar criminals and the general public
Dummy variables
a field containing only two different responses - typically 0 or 1 and may also be called a dichotomous variable
Data deception
a graphical depiction of information, designed with or without an intent to deceive, that may create a belief about the message and/or its components, which varies from the actual message. Prevent by: 1. Showing representations of numbers proportional to the reported number by starting at 0 on the y-axis 2. In vizs designed to depict trends, show time progressing from left to right on the x-axis 3. Present complete data given the context
Data Flow Diagram (DFD)
a process model that focuses on data flows, processes, sources and destinations of the data, and data stores (DFDs are visually simple and can be used to represent the same process at a high abstract (summary) or detailed level)
Extrapolation beyond the range of data
a process of estimating a value that is beyond the data used to create the model
Alternative Hypothesis
a proposed explanation worded as a statement of inequality
Attributes of High-Quality Data
accuracy, completeness, consistency, timely, validity
Document flowcharts Symbols
add picture
Flowchart symbols
add picture
System Flowcharts Symbols
add picture
Data Entry Errors
all types of errors that come from inputting data incorrectly - They often occur in human data entry and can also be introduced by the computer system - They may be indistinguishable from data formatting and data consistency errors in an output data file
Ordering
alphabetically, ascending, descending, etc.
Input Fraud
alteration or falsifying input
Flowcharts
an analytical technique that describes some aspect of an information system in a clear, concise, and logical manner (use a set of standard symbols to depict processing procedures and the flow of data)
Exploratory data analysis
an approach that explores data without testing formal models or hypotheses
Fraud definition
any means a person uses to gain an unfair advantage over another person; includes: - A false statement, representation, or disclosure - A material fact, which induces a victim to act - An intent to deceive - Victim relied on the misrepresentation - Injury or loss was suffered by the victim - Fraud is a white-collar crime
Visualization
any visual representation of data, such as a graph, diagram, or animation; called a viz for short
Emphasis
assuring the most important message is easily identifiable (highlighting, weighting, ordering)
Basic Statistical Tests
can be performed to validate the data
Accuracy
correct, free of error, and accurately represents events and activities (Violation - a sale occurred on Dec 27 but is recorded as occurring the following year on Jan 4)
Data Threshold Violations
data errors that occur when a data value falls outside an allowable level
Cryptic data values
data items that have no meaning without understanding a coding scheme
Validity
data measures what it is intended to measure, and conforms to syntax rules and requirements (Violation - there are only 7 unique job positions at a company but 9 different positions are attributed to employees... 2 answers are not valid)
Misfielded data values
data values that are correctly formatted but not listed in the correct field
System Flowcharts Purpose
depicts the data processing cycle for a process; describes the relationship between inputs, processing, and outputs of an AIS (They are a pictorial representation of automated processes and files)
Four categories of data analytics
descriptive, diagnostic, predictive, prescriptive
Diagnostic Analytics
informal and formal analyses can be conducted; informal diagnostic analysis builds on descriptive analytics - Diagnostic analytics can also be much more formal and employ confirmatory data analysis techniques
Data parsing
involves separating data from a single field into multiple fields - It is often an iterative process that relies heavily on pattern recognition
Prescriptive Analytics
it can be either recommendations to take or programmed actions a system can take based on predictive analytics results - It uses techniques such as artificial intelligence, machine learning, and other statistics to generate predictions - The key to being successful is the development of initial predictive models and then applying appropriate learning algorithms so those models continue to improve their recommendations over time
Distance
labeling sections with subheadings instead of a key, adding a numerical label for a data value, or creating close distance between relevant comparison groups
Non-proportional display of data
making the bar width smaller (inappropriate visual weights) or failing to label the y-axis to scale
Computer Instructions Fraud
modifying software, illegal copying of software, using software in an unauthorized manner, creating software to carry out unauthorized activities
Data Overfitting
occurs when a model is designed to fit training data very well but does not predict well when applied to other datasets
Audit a Sample
one of the best techniques for assuring data quality
Advanced Testing Techniques
possible with a deeper understanding of the content of data
Consistency
presented in same format over time (Violation - a company switches the denomination of amounts (thousands, millions, etc.) irregularly)
Timely
provided in time for decision makers to make decisions (Violation - customer purchasing metrics are 2 years old)
Ethical presentation
refers to avoiding the intentional or unintentional use of deceptive practices that can alter the user's understanding of the data being presented
Simplification
refers to making a visualization easy to interpret and understand (quantity, distance, orientation)
Auditor's Responsibility (via SAS No. 99)
requires auditors to: - Understand fraud - Discuss the risks of material fraudulent misstatements - Obtain information - Identify, assess, and respond to risks - Evaluate the results of their audit tests - Document and communicate findings - Incorporate a technology focus
Sarbanes-Oxley Act (SOX)
requires management to assess internal controls and auditors to evaluate the assessment
SAS-94
requires that auditors understand the automated and manual procedures an entity uses - This understanding can be gleaned through documenting the internal control system, a process that effectively exposes strengths and weaknesses of the system
Data pivoting
rotating data from rows to columns
Document flowcharts Purpose
shows the flow of documents and data between departments or units, useful in evaluating internal controls
Three types of design principles
simplification, emphasis, and ethical presentation
Output Fraud
stealing, copying, or misusing computer printouts or displayed information
Confirmatory data analysis
tests a hypothesis and provides statistical measures of the likelihood that the evidence (data) refutes or supports a hypothesis
Data concatenation
the combining of data from two or more fields into a single field - It is often used to create a unique identifier for a row
Context diagram
the highest level of DFD - Provides a summary-level view of the system - Depicts a data processing system and the external entities that are: sources of its input and destinations of its output - The process symbol is numbered with a "0"
Opportunity
the opening or gateway that allows an individual to commit the fraud, conceal the fraud, and convert the proceeds
Aggregate data
the presentation of data in a summarized form
Data consistency
the principle that every value in a field should be stored in the same way
Data De-Duplication
the process of analyzing data and removing two or more records that contain identical information
Data validation
the process of analyzing data to make certain the data has the properties of high-quality data - It is both a formal and informal process - It is an important precursor to data cleaning - The techniques used to validate data can be thought of as a continuum from simple to complex
Data joining
the process of combining different data sources
Visual Inspection
the process of examining data using human vision to see if there are problems
Data Filtering
the process of removing records or fields of information from a data source
Data Imputation
the process of replacing a null or missing value with a substituted value - It only works with numeric data
Data Standardization
the process of standardizing the structure and meaning of each data element so it can be analyzed and used in decision making - It is particularly important when merging data from several sources - It may involve changing data to a common format, data type, or coding scheme - It encompasses ensuring the information is contained in the correct field and the fields are organized in a useful manner
Data cleaning
the process of updating data to be consistent, accurate, and complete - Dirty data is data that is inconsistent, inaccurate, or incomplete - To be useful, dirty data must be cleaned
Choosing the right visualization
the right type of visualization strengthens the ability of the viz to communicate effectively
Misappropriation of Assets
theft of company assets which can include physical assets (cash, inventory, etc.) and digital assets (intellectual property such as protected trade secrets, customer data)
Training and test datasets
this is important in creating and validating a model
White-collar criminals
those who commit fraud
Processor Fraud
unauthorized system use
Convert (opportunity)
unless the target of the theft is cash, then the stolen goods must be converted to cash or some form that is beneficial to the perpetrator - Checks can be converted through alterations, forged endorsements, check washing, etc. - Non-cash assets can be sold (online auctions are a favorite form) or returned to the company for cash
Descriptive Analytics
uses exploratory data analysis techniques
Predictive Analytics
uses historical data to find patterns likely to manifest themselves in the future - The more data, the better chance of finding patterns
Highlighting
using color only in specific places