Common Fraud and Levels of Assurance

Please comment on the text below and answer the question beneath it.


One of the most common fraud schemes used for information assets is employees gaining access to customer data, including social security numbers and checking account numbers, and then using the information to commit various types of fraud. H&R Block had a huge problem with this for a few years. Employees would steal customer data through a back door in the software program that would lock customer information after the employees had entered it into the computer, and the employees then used the information to shop online from the victim's bank account, and a variety of other frauds. It was all over the news for a while. Management can do a few things to mitigate risk from this type of fraud. So many companies assume that their employees will never try to access data that they shouldn't, so their firewalls and general IT security lack strength. There needs to be a secure IT environment with firewalls, and sensitive information should be restricted from anyone who doesn't "have" to have it. In addition, the IT system should be designed so that old customer data doesn't sit on a server when it isn't needed any longer. It should be moved to microfilm and removed from the server.

Process-related risks are usually system-related changes. These include unauthorized changes to programs or computer systems to alter the processing of information and the output. For example, a programmer working for a financial institution could deduct .10 from customers' interest payments and draw off the funds into his own account.

A key control is testing a system after changes to ensure the functionality of the system has not changed and changes are fully authorized. Test data must think through many presentations of what is possible. In addition, procedures should be in place to detect security violations by recording certain events as they occur.


Please provide an example of an attestation engagement, and explain the levels of assurance that should be given in attestation engagement reports.

This is also the main reason why companies go through the expense of setting up an internal auditing department. The internal auditing department periodically checks transactions and adheres to a certain structure, like running data mining techniques to determine if specific patterns are present (like $1 missing from every 10th transaction). There are so many actions that can be detected by an internal audit department, particularly when the company is a large company dealing with either a lot of customers, a lot of cash from either cash sales or incoming from A/R, or both. Internal auditing really mitigates the process-related risks because there is a team, even if it is only two or three internal auditors, continually monitoring internal control conditions and testing for changes, deviations, and other actions that are outside of the standard range.
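The two patterns described above (a programmer shaving .10 off every interest payment, and $1 missing from every 10th transaction) are both instances of the same audit check: a fixed shortfall recurring at a fixed interval. The following is an added example, not code from the original post; the ledger format and all amounts are constructed for illustration.

```python
# Added example, not from the original post: a small check for the "salami"
# pattern described above, where a tampered program shaves a fixed amount off
# customer interest payments, or removes a fixed sum from every Nth transaction.
# All ledger data here is constructed; an auditor would load it from the system.
from collections import Counter
from decimal import Decimal

def build_ledger(n, expected, shave, every):
    """Constructed test data: n payments of `expected`, short by `shave` on
    every `every`-th transaction id (every=1 means every payment)."""
    return [(i, expected, expected - (shave if i % every == 0 else Decimal("0")))
            for i in range(1, n + 1)]

# Ledger A: $1 missing from every 10th transaction (the internal-audit example).
LEDGER_A = build_ledger(40, Decimal("25.00"), Decimal("1.00"), 10)
# Ledger B: .10 shaved from every interest payment (the programmer example).
LEDGER_B = build_ledger(40, Decimal("25.00"), Decimal("0.10"), 1)

def shortfalls(ledger):
    """(transaction id, expected - posted) for every short-paid entry."""
    return [(tid, exp - posted) for tid, exp, posted in ledger if posted < exp]

def periodic_pattern(ledger):
    """Flag a fixed shortfall recurring at a fixed interval of transaction ids.
    Returns (interval, amount, count), or None if no repeating pattern is found."""
    short = shortfalls(ledger)
    if len(short) < 3:          # too few hits to call it a pattern
        return None
    ids = [tid for tid, _ in short]
    gaps = Counter(b - a for a, b in zip(ids, ids[1:]))
    amounts = Counter(amt for _, amt in short)
    gap, gap_count = gaps.most_common(1)[0]
    amount, amount_count = amounts.most_common(1)[0]
    # Same interval between nearly all hits, and the same amount on nearly all hits.
    if gap_count >= len(ids) - 2 and amount_count >= len(ids) - 1:
        return gap, amount, len(short)
    return None

def diverted_total(ledger):
    """Total shortfall across the ledger: the figure to reconcile against the
    account the funds were routed to."""
    return sum((exp - posted for _, exp, posted in ledger), Decimal("0"))

if __name__ == "__main__":
    print(periodic_pattern(LEDGER_A), diverted_total(LEDGER_A))  # (10, Decimal('1.00'), 4) 4.00
    print(periodic_pattern(LEDGER_B), diverted_total(LEDGER_B))  # (1, Decimal('0.10'), 40) 4.00
```

A clean ledger (no short-paid entries) returns None from periodic_pattern, which is the expected result of the control when no tampering has occurred.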

