https://quizlet.com/ca/451994292/chapter-3-fraud-ethics-and-internal-control-flash-cards/

The careful and responsible oversight and use of the assets entrusted to management is called
A. Control environment
B. Stewardship
C. Preventive control
D. Security

B. Stewardship

Which of the following is not a condition in the fraud triangle?
A. Rationalization
B. Incentive
C. Conversion
D. Opportunity

C. Conversion

There are many possible indirect benefits to management when management fraud occurs. Which of the following is not an indirect benefit of management fraud?
A. Delayed exercise of stock options.
B. Delayed cash flow problems.
C. Enhanced promotion opportunities.
D. Increased incentive-based compensation.

A. Delayed exercise of stock options.

Which of the following is not an example of employee fraud?
A. Skimming
B. Larceny
C. Kickbacks
D. Earnings management

D. Earnings management

Which of the following is not a common form of employee fraud?
A. Inventory theft
B. Expense account fraud
C. Payroll fraud
D. Refund fraud

D. Refund fraud

Segregation of duties is a fundamental concept in an effective system of internal controls. Nevertheless, the effectiveness of this control can be compromised through which situation?
A. A lack of employee training
B. Collusion among employees
C. Irregular employee reviews
D. The absence of an internal audit function

B. Collusion among employees

The most difficult type of misstatement to discover is fraud that is concealed by:
A. Over-recording the transactions
B. Nonrecorded transactions
C. Recording the transactions in subsidiary records
D. Related parties

B. Nonrecorded transactions

The review of amounts charged to the company from a seller that it purchased from is called a:
A. Vendor audit
B. Seller review
C. Collusion
D. Customer review

A. Vendor audit

Which of the following is generally an external computer fraud, rather than an internal computer fraud?
A. Spoofing
B. Input manipulation
C. Program manipulation
D. Output manipulation

A. Spoofing

Which control activity is intended to serve as a method to confirm the accuracy or completeness of data in the accounting system?
A. Authorization
B. Segregation of duties
C. Security of assets
D. Independent checks and reconciliations

D. Independent checks and reconciliations

COSO describes five components of internal control. Which of the following terms is best described as "policies and procedures that help ensure management directives are carried out and management objectives are achieved"?
A. Risk assessment
B. Information and communication
C. Control activities
D. Control environment

C. Control activities

Proper segregation of functional responsibilities calls for separation of the functions of:
A. Authorization, execution, and payment
B. Authorization, recording, and custody
C. Custody, execution, and reporting
D. Authorization, payment, and recording

B. Authorization, recording, and custody

AICPA Trust Principles identify five categories of risks and controls. Which category is best described by the statement, "Information process could be inaccurate, incomplete, or not properly authorized"?
A. Security
B. Availability
C. Processing integrity
D. Confidentiality

C. Processing integrity

A company's cash custody function should be separated from the related cash recordkeeping function in order to:
A. Physically safeguard the cash
B. Establish accountability for the cash
C. Prevent the payment of cash disbursements from cash receipts
D. Minimize opportunities for misappropriations of cash

D. Minimize opportunities for misappropriations of cash

The chance for fraud or ethical lapses will not be reduced if management:
A. Emphasizes ethical behavior
B. Models ethical behavior
C. Hires ethical employees
D. Is unethical

D. Is unethical

The Phar-Mor fraud began when management:
A. Forgot to change the budgeted figures that had been incorrectly computed.
B. Attempted to make the actual net income match the budgeted amounts.
C. Overstated their expenses to cover amounts embezzled from the company.
D. Understated the revenue in order to reduce the tax payable to the IRS.

B. Attempted to make the actual net income match the budgeted amounts.

Each of the following companies was involved in fraudulent financial reporting during 2001 and 2002, except:
A. Adelphia Communications Corp.
B. Microsoft Corporation
C. Enron Corp.
D. Xerox Corporation

B. Microsoft Corporation

In addition to ethical practices, management has an obligation to maintain a set of processes and procedures to assure accurate financial reporting and protection of company assets. This obligation arises because:
A. Many groups have expectations of management.
B. Management has a stewardship obligation to investors.
C. Management has an obligation to provide accurate reports to non-investors.
D. All of the above are reasons for the obligation.

D

The careful and responsible oversight and use of the assets entrusted to management is referred to as:
A. Ethics
B. Internal Control
C. Stewardship
D. Confidentiality

C

A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives related to the effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations is:
A. COSO's definition of internal control
B. AICPA's definition of stewardship
C. ACFE's definition of confidentiality
D. IMA's definition of competency

A

If an organization's IT systems are not properly controlled, they may become exposed to the risks of:
A. Unauthorized access
B. Erroneous processing
C. Service interruption
D. All of the above

D

A set of documented guidelines for moral and ethical behavior within an organization is termed a(n):
A. Accounting Information System
B. Code of Ethics
C. Internal Control
D. Sarbanes-Oxley

B

Which individual or group has the responsibility to establish, enforce, and exemplify the principles of ethical conduct within an organization?
A. Board of Directors
B. Securities and Exchange Commission
C. Management
D. Audit Committee

C

The theft, concealment, and conversion to personal gain of another's money, physical assets, or information is termed:
A. Defalcation
B. Skimming
C. Larceny
D. Fraud

D

An example of concealment would include:
A. Changing the payee on a check improperly paid by the organization.
B. Selling a piece of inventory that has been stolen
C. Stealing money from an organization before the related sale and cash receipt has been recorded.
D. All of the above are examples of concealment.

A

Changing the accounting records to hide the existence of a fraud is termed:
A. Theft
B. Conversion
C. Collusion
D. Concealment

D

The definition of fraud includes the theft of:
A. Assets
B. Money
C. Information
D. All of the above

D

The theft of any item of value is referred to as:
A. Fraudulent financial reporting
B. Misappropriation of assets
C. Misstatement of financial records
D. Earnings management

B

Financial pressures, market pressures, job-related failures, and addictive behaviors are all examples of which condition of the Fraud Triangle?
A. Opportunity
B. Conversion
C. Incentive
D. Rationalization

C

Circumstances that provide access to the assets or records that are the objects of the fraudulent activity describes which condition of the Fraud Triangle?
A. Rationalization
B. Incentive
C. Concealment
D. Opportunity

D

Fraudsters typically try to justify their behavior by telling themselves that they intend to repay the amount stolen or that they believe the organization owes them the amount stolen. This justification is referred to as:
A. Opportunity
B. Rationalization
C. Incentive
D. Concealment

D

Which of the following types of fraud is the most common, according to the Association of Certified Fraud Examiners?
A. Corruption Schemes
B. Asset Misappropriation
C. Earnings Management
D. Financial Statement Misstatement

B

Which of the following is the most common method of detecting occupational fraud?
A. Financial Statement Audit
B. Management Review
C. Internal Audit
D. Tip from an employee, customer, or vendor

D

The falsification of accounting reports is referred to as:
A. Defalcation
B. Internal Theft
C. Misappropriation of Assets
D. Earnings Management

D

Management fraud may involve:
A. Overstating expenses
B. Understating assets
C. Overstating revenues
D. Overstating liabilities

C

Internal controls can be effective in preventing or detecting all of the following types of fraud except:
A. Customer Fraud
B. Management Fraud
C. Vendor Fraud
D. Employee Fraud

B

Management misstatement of financial statements often occurs in order to receive indirect benefits such as:
A. Decreased income taxes
B. Delayed cash flows
C. Increased stock prices
D. Increased dividends

C

Management circumvention of systems or internal controls that are in place is termed:
A. Management override
B. Management collusion
C. Management stewardship
D. Management manipulations

A

The theft of assets by a non-management employee is termed:
A. Inventory theft
B. Employee fraud
C. Expense account fraud
D. Skimming

B

A situation where the organization's cash is stolen before it is entered in the accounting records is termed:
A. Kickback
B. Larceny
C. Collusion
D. Skimming

D

A kickback is an example of which type of fraud?
A. Cash Receipts Fraud
B. Accounts Payable Fraud
C. Accounts Receivable Fraud
D. Expense Account Fraud

B

A situation where the organization's cash is stolen after it is entered in the accounting records is termed:
A. Kickback
B. Larceny
C. Collusion
D. Skimming

A

A cash payment made by a vendor to an organization's employee in exchange for a sale to the organization by the vendor is termed:
A. Bribery
B. Collusion
C. Kickback
D. Payment Fraud

A

When two or more people work together to commit a fraud, it is called:
A. Collusion
B. Larceny
C. Skimming
D. Override

A

An example of Cash receipts fraud would include:
A. an employee steals checks collected from customers.
B. an employee overstates hours worked on a timecard.
C. management understates accounts payable amounts.
D. an employee steals checks before being paid to vendors.

A

Jamie Stark, a sales employee, stole merchandise from her employer, and Frank Adams, the accounting clerk, covered it up by altering the inventory records. This is an example of:
A. Inventory theft
B. Financial journal fraud
C. Skimming
D. Collusion

D

The theft of proprietary company information, by digging through the trash of the intended target company is called what?
A. Information Manipulation
B. Proprietary Reconnaissance
C. Industrial Information theft
D. Industrial Espionage

D

When a customer improperly obtains cash or property from a company, or avoids liability through deception, it is termed:
A. Check fraud
B. Customer fraud
C. Credit card fraud
D. Refund fraud

B

Examples of customer fraud include all of the following except:
A. Credit Card Fraud
B. Check Fraud
C. Cash Fraud
D. Refund Fraud

C

Which of the following would be considered a vendor fraud?
A. The submission of duplicate or incorrect invoices.
B. A customer tries to return stolen goods to collect a cash refund.
C. The use of stolen or fraudulent credit cards.
D. Inflating hours worked.

A

The theft of proprietary company information is called:
A. Vendor fraud
B. Customer fraud
C. Espionage
D. Management fraud

C

Which of the following is a characteristic of computer fraud?
A. A computer is used in some cases to conduct a fraud more quickly and efficiently.
B. Computer fraud can be conducted by employees within the organization.
C. Computer fraud can be conducted by users outside an organization.
D. All of the above are characteristics

D

A fraudster uses this to alter a program to slice a small amount from several accounts, crediting those small amounts to the perpetrator's benefit.
A. Trap door alteration
B. Salami technique
C. Trojan horse program
D. Input manipulation

B

A small, unauthorized program within a larger legitimate program, used to manipulate the computer system to conduct a fraud is referred to as a(n):
A. Trap door alteration
B. Salami technique
C. Trojan horse program
D. Input manipulation

C

When a person alters a system's checks or reports to commit fraud it is referred to as:
A. Input manipulation
B. Output manipulation
C. Program manipulation
D. Collusion

B

This type of external computer fraud is intended to overwhelm an intended target computer system with so much bogus network traffic so that the system is unable to respond to valid traffic.
A. DoS Attack
B. Hacking
C. Spoofing
D. Phishing

A

When a person, using a computer system, pretends to be someone else, it is termed:
A. DoS Attack
B. Hacking
C. Spoofing
D. Phishing

C

Which of the following is NOT one of the three critical actions that a company can undertake to assist with fraud prevention and fraud detection?
A. Maintain and enforce a code of ethics.
B. Maintain an accounting information system
C. Maintain a system of accounting internal controls
D. Maintain a system of information technology controls

B

The Sarbanes-Oxley act was passed in 2002 as Congress's response to the many situations of fraudulent financial reporting discovered during 2001. The intention of the Act was:
A. Police the accounting firms responsible for auditing the corporations.
B. Punish the companies that had been involved in the cases of fraudulent financial reporting.
C. Establish accounting standards that all companies are to follow.
D. Reform accounting, financial reporting, and auditing functions of companies that are publicly traded.

D

The types of concepts commonly found in a code of ethics would not include:
A. Obeying applicable laws and regulations that govern business.
B. Avoiding all conflicts of interest.
C. Operating at a profit in all reporting periods.
D. Creating and maintaining a safe work environment.

C

The objectives of an internal control system include all of the following except:
A. Maintain ongoing education
B. Safeguard assets
C. Maintain accuracy and integrity of accounting data
D. Ensure compliance with management directives

A

The authors presented their "picture" of internal control as a series of umbrellas which represent different types of controls. Which of the following is not one of those types of controls?
A. Prevention
B. Investigation
C. Detection
D. Correction

B

This type of control is designed to avoid errors, fraud, or events not authorized by management.
A. Prevention
B. Judicial
C. Detection
D. Correction

A

This type of control is included in the internal control system because it is not always possible to prevent all frauds. They help employees to discover or uncover errors, fraud, or unauthorized events.
A. Investigation
B. Judicial
C. Detection
D. Correction

C

Establishing and maintaining a culture where ethical conduct is recognized, valued, and exemplified by all employees can be accomplished by doing all of the following except:
A. Obeying applicable laws and regulations that govern business
B. Protecting the Environment
C. Avoiding some conflicts of interest
D. Conducting business in a manner that is honest, fair and trustworthy

C

The accounting profession has accepted this report as the standard definition and description of internal control.
A. Sarbanes-Oxley Report
B. FCPA Report
C. ERI Report
D. COSO Report

D

The COSO report is also known as:
A. Fraud Triangle
B. Internal Control Integrated Framework
C. Code of Ethical Behavior
D. Report to the Nation

B

All of the following are reasons why it is not possible to eliminate all fraud risks, except
A. Human Error
B. Human Behavior
C. Opportunity
D. May not be cost effective

C

According to the COSO report, there are five different interrelated components of internal control. Which of the following is not one of those five components?
A. Code of Ethics
B. Control Environment
C. Information and Communication
D. Monitoring

A

Which of the following statements related to the COSO report is false?
A. The COSO report provided the standard definition of internal control accepted by the accounting industry.
B. The COSO report is commonly known as the Internal Control Integrated Framework.
C. The COSO report has not been updated since it was issued in 1992.
D. The COSO report was the result of a comprehensive study of internal control.

C

The component of internal control, identified in the COSO report, that sets the tone of an organization and includes the consciousness of its employees is:
A. Risk Assessment
B. Control Activities
C. Control Environment
D. Information and Communication

C

The control environment component of internal control was identified to have a number of different factors. Which of the following is NOT one of those factors?
A. Management's oversight responsibility, including its philosophy and operating style
B. The identification of sources of risk
C. The integrity and ethical values of the entity's people
D. The attention and direction provided by the board of directors

B

One of the components of internal control identified by COSO required that management must be considering threats and the potential for risks, and stand ready to respond should these events occur. This component is referred to as:
A. Control Environment
B. Control Activities
C. Risk Assessment
D. Communication

C

The process of risk assessment would include all of the following actions, except:
A. Identify sources of risk, both internal and external
B. Determine the impacts of identified risks
C. Develop and execute an action plan to reduce the impact and probability of identified risks
D. Report the risks to the audit committee

D

The COSO report identified a component of internal control as the policies and procedures that help ensure that management directives are carried out and that management directives are achieved. The component is:
A. Control activities
B. Risk assessment
C. Monitoring
D. Information and communication

A

The approval or endorsement from a responsible person or department of an organization that has been sanctioned by top management is the process of:
A. Securing assets
B. Segregating duties
C. Authorizing transactions
D. Adequate recording

B

Which of the following statements is false, related to the authorization of transactions?
A. Every transaction that occurs must be properly authorized in some manner.
B. General authorization is the set of guidelines that allows transactions to be completed as long as they fall within established parameters.
C. It is not possible, nor is it important, to try to ensure that an organization engage only in transactions that are authorized.
D. Specific authorization that explicit approval is needed for that single transaction to be completed.

C

The category of control activities referred to as segregation of duties requires that certain activities should be the responsibility of different person or department. The three duties that are to be separated are:
A. Authorizing, recording, and paying
B. Recording, custody, and disposition
C. Authorizing, paying, and custody
D. Authorizing, recording, and custody

D

If an accounting supervisor were allowed to hire employees, approve the hours worked, prepare the paychecks, and deliver the paychecks, which of the categories of control activities would be violated?
A. Adequate records
B. Segregation of duties
C. Authorization of transactions
D. Independent checks

B

A good system of internal control includes many types of documentation. Which of the following types of documentation is not part of the adequate records and documents category of internal control?
A. Schedules and analyses of financial information
B. Supporting document for all significant transactions
C. Accounting cycle reports
D. All of the following are types of documentation

D

The existence of verifiable information about the accuracy of accounting records is called a(n):
A. Audit trail
B. Internal control
C. Risk assessment
D. Supporting documentation

A

When discussing the security of assets and documents, there are many actions that can be taken. Which of the following would not be related to this category of internal control?
A. Securing the assets and records so that they are not misused or stolen.
B. Limiting access to certain assets to the extent that is practical.
C. Identifying sources of risk and estimating the possibility of that risk.
D. Enacting physical safeguards, such as security cameras, to protect some assets.

C

Independent checks on the performance of others is one of the categories of internal control. These independent checks would include all of the following, except:
A. Reviewing batch totals
B. Reconciliation
C. Comparison of physical assets with records
D. Use of appropriate ID to enter restricted areas

D

This activity serves as a method to confirm the accuracy and completeness of data in the accounting system:
A. Compensating control
B. Independent checks
C. Audit trail
D. Supporting documentation

B

Which of the following was NOT listed as a procedure to accomplish independent checks?
A. Recalculation of amounts
B. Analysis of reports
C. Review of auditing procedures
D. Reconciliation

C

Which of the following objectives were not identified as necessary to be provided by an effective accounting system?
A. Prepare the appropriate documents
B. Identify all relevant financial events
C. Capture the important data
D. Proper recording and processing of the data

...

The ongoing review and evaluation of a system of internal control is referred to as:
A. Risk assessment
B. Monitoring
C. Segregating
D. Communication

B

This level of assurance means that controls achieve a sensible balance of reducing risk when compared with the cost of the control.
A. Absolute assurance
B. Probable assurance
C. Reasonable assurance
D. Convincing assurance

C

Factors that limit the effectiveness of internal controls include all of the following except:
A. Flawed judgment applied in decision making
B. Human error
C. Controls can be circumvented or ignored
D. All of the above are factors that limit the effectiveness of internal controls

D

In order to have the segregation of duties recommended by COSO, it would be necessary for a small organization to hire two additional individuals. At this time, there is not enough work for the one office employee to stay busy. The reason for not hiring the additional people would have to do with:
A. Human error
B. Cost versus benefit
C. Collusion
D. Authorization

B

In response to the need for internal controls above and beyond what was described by COSO, the Information Systems Audit and Control Association developed an extensive framework of IT controls entitled:
A. Trust Principles
B. Control Objectives for Information Technology (COBIT)
C. Control Instrument for Certified Accountants (CICA)
D. American Internal Control Practice Association (AICPA)

B

The Trust Services Principles document divided the risks and controls in IT into five categories. Which of the following is not one of those categories?
A. Certification
B. Security
C. Processing Integrity
D. Confidentiality

A

The main risk related to this category of Trust Services Principles is unauthorized access.
A. Online privacy
B. Confidentiality
C. Processing integrity
D. Security

D

The risk related to this category of Trust Services Principles could be inaccurate, incomplete, or improperly authorized information.
A. Online privacy
B. Confidentiality
C. Processing integrity
D. Security

C

The risk related to this category of Trust Services Principles is that personal information about customers may be used inappropriately or accessed by those either inside or outside the company.
A. Confidentiality
B. Online privacy
C. Security
D. Availability

B

The risk related to this category of Trust Principles is system or subsystem failure due to hardware or software problems.
A. Availability
B. Security
C. Integrity
D. Confidentiality

A

When management does not act ethically, fraud is more likely to occur.

T

In the Phar-Mor fraud case, management did not write or adopt a code of ethics.

FALSE: Phar-Mor did write and adopt a code of ethics, but most officers of the organization were not aware that it existed.

Maintaining high ethics can help prevent fraud but will not help to detect fraud.

FALSE: Maintaining high ethics can help to detect fraud.

Due to management's responsibility to monitor operations by examining reports that summarize the results of operations, it is necessary that the system provide timely and accurate information.

T

In order to fulfill the obligations of stewardship and reporting, management has to create a code of ethics.

FALSE: Management must create AND enforce a code of ethics.

In most cases, a fraud will include altering accounting records to conceal the fact that a theft has occurred.

T

According to the 2010 Report to the Nation by the Association of Certified Fraud Examiners, the estimate of global losses due to fraud would total approximately $650 billion.

FALSE: The amount is $2.9 Trillion

The most common method for detecting occupational fraud is a tip - from an employee, a customer, vendor, or anonymous source.

T

Small businesses, those having fewer than 100 employees, are less vulnerable to fraud and abuse than are larger businesses.

FALSE: Small business is more vulnerable to fraud.

According to the ACFE 2010 Report to the Nation, fraudulent financial statements account for less than 5% of the cases, and were the least costly form of fraud.

FALSE: Fraudulent financial statements were the most costly form of fraud

Defalcation and internal theft are names that refer to the misstatement of financial records.

FALSE: They are names that refer to the misappropriation of assets.

The three conditions that make up the fraud triangle are theft, concealment, and conversion.

FALSE: The three conditions are incentive (pressure), opportunity, and rationalization.

A good set of internal controls may not be as effective in reducing the chance of management fraud as it would be in reducing the chance of fraud committed by an employee.

T

The most effective measure to prevent management fraud is to establish a professional internal audit staff that periodically checks up on management and reports directly to the audit committee of the board of directors.

T

Collusion between employees is one of the easiest frauds to detect and prevent

F - Hardest

Collusion can make it much easier to commit and conceal a fraud or theft, even when proper internal controls are in place.

T

Customer fraud is a common problem for companies that sell merchandise online.

T

Collusion can occur only when two employees who work for the same firm conspire to circumvent the internal controls to commit fraud or theft.

FALSE: Collusion can also occur when two employees who work for different firms conspire to circumvent internal controls.

A vendor audit occurs when a vendor examines the books and records of a customer.

FALSE: Vendor audits involve the examination of vendor records in support of amounts charged to the company.

Industrial espionage can occur with or without the use of a computer

T

It is necessary to use a computer to accomplish software piracy.

T

A hacker is someone who has gained unauthorized access to the computer and must be someone outside the organization.

FALSE: A hacker could be someone inside the organization.

If an organization has the policy of allowing employees to work from home via telecommunications, they could be opening themselves up to an opportunity for a hacker to break in to their network.

T

E-mail spoofing is more of an irritation to an organization than a fraud threat.

T

In order for a code of ethics to reduce opportunities for managers and employees to commit fraud, it is necessary that management emphasizes this code. Punishment related to violations of the code is not necessary.

FALSE: The punishment of violators is necessary.

It is not always possible to avoid all mistakes and frauds because there will always be human error, human nature, and it is not always cost-effective to close all the holes

T

The risk assessment is the foundation for all other components of internal control and provides the discipline and structure of all other components

FALSE: The description above applies to the control environment

Companies that reward management with incentives to achieve a growth in earnings are running the risk that management will also have more motivation and pressure to falsify the financial statements to show the higher amounts.

T

The tone at the top of the organization tends to flow through the entire organization and affects behavior at all levels.

T

A poor control environment can be overcome if the remaining components of internal control are strong.

FALSE: If the control environment is weak, it is likely to be the cause of errors and irregularities occurring in an organization, regardless of the strength of the other components.

The difference between a general authorization and a specific authorization is that with a general authorization, a transaction is allowed if it falls within specified parameters, whereas with a specific authorization, explicit authorization is needed for that single transaction to be completed.

T

When safeguarding assets, there is no trade-off between access and efficiency

FALSE: There is a trade-off. The more limited the access, the less efficient is operations

Independent checks can serve as a preventive control in that they uncover problems in the data or the processing.

FALSE: The description has to do with detective controls, not preventive.

Feedback needed by management to assess, manage, and control the efficiency and effectiveness of the operations of an organization relates to both financial and operational information.

T

A sophisticated accounting system will provide the necessary accurate and effective feedback needed by management to assess, manage and control the operations of an organization.

FALSE: Sophisticated is not the proper "adjective" - effective should be used

The risks related to computerized systems are adequately covered by the COSO internal control report.

FALSE: The extra risks require that internal controls related to the computer system go beyond those stated in COSO

The acronym COBIT stands for Control Objectives for Information Technology, an extensive framework of information technology controls developed by Information Systems Audit and Control Association.

T

The AICPA and the Canadian Institute of Chartered Accountants worked together to develop IT guidelines, commonly referred to as COBIT.

FALSE: The guidelines created were referred to as Trust Service Principles

The risk related to confidentiality category of Trust Principles is that confidential information about the company or its business partners may be subject to unauthorized access during its transmission or storage in the IT system.