
An Assignment

on
Accounting Information System
Course Code – 6403

Submitted To
Dr A.N.M Asaduzzaman Fakir
Associate Professor
Department of Accounting & Information Systems
Jagannath University

Submitted By-
Group-02
Section – A
Batch- 2nd
Name ID
Tahmina Yesmin Tamanna M22020201515
Md. Sakil Ahmed M22020201517
Imdadul Haque Abir M22020201521
Joya Abedin Rupa M22020201522
Sagar Krishna Sikder M22020201523

Date of Submission- 15 March, 2024

1
Question 01- Along with natural and political threats, business also faces AIS threats,
do you agree? Describe the threats to AIS and discuss why threats are growing?
Yes, I agree with the statement. Society relies increasingly on accounting information systems, and those systems have grown more complex to meet the growing need for information. As system complexity and dependence on the system increase, companies face a higher risk of the system being compromised. Almost every year, more than 60% of companies experience a major failure in controlling the security and integrity of their computer information systems. The causes are as follows: information is available to a very large number of employees, and information distributed across a network is difficult to monitor. Client/server systems distribute data to many users, so they are harder to control than a centralized mainframe system, and information reaches employees who should not have it. An accounting information system is an open system and cannot be guaranteed free from errors or fraud. Good internal control is the way a system protects itself from harmful actions. Control therefore occupies a strategic position, because threats to the accounting information system are increasing both in type and in intensity. Any potential unexpected event or activity that could endanger the accounting information system or the organization is referred to as a threat. The discussion below draws on a review of several papers on how much attention developers give to the security threats facing accounting information systems. Typical threats are:
1) Creating illegal programs
2) Accessing or deleting files
3) Destroying or corrupting a program's logic through viruses
4) Unauthorized access that allows
- altering
- deleting
- corrupting
- destroying or stealing data

The failure to maintain backup files or other recovery techniques represents a potentially devastating loss of data. Threats to the information generation and reporting phase must also be considered. For example, the theft, misdirection or misuse of computer output could damage the competitiveness or reputation of the company.
Advances in information technology require accountants, auditors and professors to become more knowledgeable and conversant in the design, operation and control of accounting information systems.

Information system security is any mechanism applied to a system to protect it from threats that endanger the security of its data and of the people who operate it. Threats include various kinds of employee behaviour, such as ignorance, carelessness, taking other employees' passwords and giving one's own password to other employees. Threats to information processing activities can also come from nature: water and ground hazards, and natural events such as forest fires, lightning, tornadoes and hurricanes.

Threat 1 to accounting information systems: destruction due to natural disasters and politics
One of the threats companies face is natural and political disasters, such as fires, excessive heat, floods, earthquakes, wind storms and war. Disasters that cannot be predicted can completely destroy the information system and bring down a company. When a disaster occurs, many companies are affected at the same time.
Threat 2 to accounting information systems: software errors and equipment malfunction
The second threat to the company is software errors and equipment malfunctions, such as hardware failures, software errors or malfunctions, operating system failures, electrical interference and power fluctuations, and undetected data transmission errors.

Threat 3 to the accounting information system: accidental actions
A third threat to companies is unintentional actions, such as errors or deletions due to ignorance or accident. These usually result from human error, failure to follow established procedures, and personnel who are not properly supervised or trained. Users often lose or misplace data, and accidentally delete or change files, data and programs. Computer operators and users can enter incorrect or unreliable input, use the wrong version of a program, use the wrong data file, or put a file in the wrong place. Analysts and system programmers make mistakes in the logic of the system, develop systems that do not meet the needs of the company, or develop systems that are unable to handle the tasks assigned to them.

Threat 4 to accounting information systems: intentional actions (computer crime)
The fourth threat facing the company is intentional action, usually referred to as computer crime. It may take the form of sabotage, whose purpose is to destroy the system or some of its components. Computer fraud is another type of computer crime, aimed at stealing something of value such as money, data, or computer time and services. This fraud can also involve misappropriation, that is, the theft or improper use of assets by employees, accompanied by falsification of records to hide the theft.

Why threats are growing:

Based on the reviews of various papers, the threat that occurs most often comes from hackers. The threat from hackers becomes very real when there are no physical boundaries and controls are centralized. Threats to the security of accounting information systems can take the form of user negligence, employee ignorance, employee carelessness, viruses planted by hackers, spyware attacks, server power failures, malicious code, data theft, espionage, social engineering, workstation power failures, copying without permission, information warfare, drops in electrical voltage, pollution, chemical effects, leaks and theft, and natural threats such as water and ground hazards, fires and lightning. A computer virus is the work of a programmer with malicious intent, or one simply satisfying the urge to program, who succeeds in infiltrating the virus into someone else's computer system. Viruses enter the computer system through various methods, including:
1. File exchange, for example copying files from another computer that is already infected.
2. E-mail: opening e-mail from unknown sources risks infection, because the virus is attached to an e-mail file.
3. Chat channels, which can be used as a way for viruses to enter the computer.

Considering the aspects that pose a threat to the security of the accounting information system presented in the reviewed papers, several things need to be considered by the information system manager:
1. Conduct a security risk analysis to protect information assets.

2. Carry out safeguards regarding policies, procedures, processes and activities to protect
information from various types of threats.
3. Provide adequate protection for the confidentiality, integrity and availability of information.

Question 02- What is Computer Fraud? Classify the Computer Fraud with illustration.
Do you think Computer Fraud is rising? Why? Explain the ways of preventing and
detecting fraud and abuse.

Computer Fraud
Computer Fraud is a term that may refer to a wide range of malicious activities that involve the
use of computers. It is a type of fraud that involves the use of computers to obtain personal or
financial information from unsuspecting victims in order to gain access to funds or assets.

• The U.S. Department of Justice defines computer fraud as any illegal act for which knowledge of computer technology is essential for its perpetration, investigation, or prosecution.
• In using a computer, fraud perpetrators can steal more of something in less time and
with less effort. They may also leave very little evidence, which can make these crimes
more difficult to detect.
• Computer systems are particularly vulnerable to computer crimes for several reasons:
– Individuals can steal, destroy, or alter massive amounts of data in very little
time.
– Access provided to customers and vendors creates added vulnerability.
– Computer programs only need to be altered once, and they will operate that way
until the system is no longer in use or someone notices.
– Modern systems are accessed by PCs, which are inherently more vulnerable to
security risks and difficult to control.
– Computer systems face a number of unique challenges.
• Computer frauds cost billions of dollars each year, and their frequency is increasing
because:
– Not everyone agrees on what constitutes computer fraud.
– Many computer frauds go undetected.
– Many that are detected are not reported.

– There are a growing number of competent computer users aided by easier
access.
– Some folks believe “it can’t happen to us.”
– Many networks have a low level of security.
– Instructions on how to perpetrate computer crimes and abuses are readily
available on the Internet.
– Law enforcement is unable to keep up.

Computer Fraud Classification:

Frauds can be categorized according to the data processing model: input frauds; processor
frauds; computer instruction frauds; stored data frauds; and output frauds.

Input fraud is the simplest and most common way to commit fraud. Altering computer input requires little computer skill. It can take a number of forms, including disbursement frauds, inventory frauds, payroll frauds, cash receipt frauds, and fictitious refund frauds.

Processor fraud involves computer fraud committed through unauthorized system use. It
includes theft of computer time and services. Incidents could involve employees surfing
the Internet; using the company computer to conduct personal business; or using the
company computer to conduct a competing business.

Computer instruction fraud involves tampering with the software that processes company
data. It may include modifying the software, making illegal copies, using it in an
unauthorized manner, or developing a software program or module to carry out an
unauthorized activity. Computer instruction fraud used to be one of the least common types
of frauds because it required specialized knowledge. Today these frauds are more frequent.

Data fraud involves altering or damaging a company’s data files; or copying, using, or
searching the data files without authorization. In many cases, disgruntled employees have
scrambled, altered, or destroyed data files. Theft of data often occurs so that perpetrators
can sell the data.

Output fraud involves stealing or misusing system output. Output is usually displayed on
a screen or printed on paper. Unless properly safeguarded, screen output can easily be read
from a remote location using inexpensive electronic gear. This output is also subject to
prying eyes and unauthorized copying. Fraud perpetrators can use computers and
peripheral devices to create counterfeit outputs, such as checks.

Why computer fraud is rising:

• Researchers have found significant differences between violent and white-collar criminals but few differences between white-collar criminals and the general public. White-collar criminals tend to mirror the general public in education, age, religion, marriage, length of employment, and psychological makeup.
• Perpetrators of computer fraud tend to be younger and possess more computer
knowledge, experience, and skills. Hackers and computer fraud perpetrators tend to be
more motivated by curiosity, a quest for knowledge, the desire to learn how things
work, and the challenge of beating the system. They may view their actions as a game
rather than dishonest behavior.
• Another motivation may be to gain stature in the hacking community. Some see
themselves as revolutionaries spreading a message of anarchy and freedom. But a
growing number want to profit financially. To do so, they may sell data to spammers,
organized crime, other hackers, and the intelligence community.
• Some fraud perpetrators are disgruntled and unhappy with their jobs and are seeking
revenge against their employers. Others are regarded as ideal, hard-working employees
in positions of trust. Most have no prior criminal record.
• Criminologist Donald Cressey interviewed 200+ convicted white-collar criminals in an attempt to determine the common threads in their crimes. As a result of his research, he determined that three factors were present in the commission of each crime. These three factors have come to be known as the fraud triangle.
– Pressure
– Opportunity
– Rationalization
• The most common pressures were: not being able to pay one's debts, nor admit it to one's employer, family, or friends; fear of loss of status because of a personal failure; business reversals; physical isolation; status gaining; and difficulties in employer-employee relations.
• Opportunity is the opening or gateway that allows an individual to commit the fraud,
conceal the fraud, and convert the proceeds. There are many opportunities that enable
fraud. Some of the most common are:
– Lack of internal controls
– Failure to enforce controls (the most prevalent reason)
– Excessive trust in key employees
– Incompetent supervisory personnel
– Inattention to details
– Inadequate staffing
• Internal controls that may be lacking or un-enforced include authorization procedures,
clear lines of authority, adequate supervision, adequate documents and records, a
system to safeguard assets, independent checks on performance, and separation of
duties. One control feature that many companies lack is a background check on all
potential employees.
• Rationalizations take many forms, including:
– I was just borrowing the money.
– It wasn’t really hurting anyone.
– Everybody does it.
– I was only taking what was owed to me.
– I didn’t take it for myself. I needed it to pay my child’s medical bills.
• Unfortunately, there is usually a mixture of pressure, opportunity, and rationalization
in play, and there is no reliable method to predict when an individual may commit a
fraud.

PREVENTING AND DETECTING COMPUTER FRAUD


Organizations must take every precaution to protect their information systems. Certain
measures can significantly decrease the potential for fraud and any resulting losses. These
measures include:
– Make fraud less likely to occur
– Increase the difficulty of committing fraud
– Improve detection methods
– Reduce fraud losses

Make fraud less likely to occur - By creating an ethical culture, adopting an appropriate organizational structure, requiring active oversight, assigning authority and responsibility, assessing risk, developing security policies, implementing human resource policies, supervising employees effectively, training employees, requiring vacations, implementing development and acquisition controls, and prosecuting fraud perpetrators vigorously.

Increase the difficulty of committing fraud - By designing strong internal controls, segregating duties, restricting access, requiring appropriate authorizations, utilizing documentation, safeguarding assets, requiring independent checks on performance, implementing computer-based controls, encrypting data, and fixing software vulnerabilities.

Improve detection methods - By creating an audit trail, conducting periodic audits, installing
fraud detection software, implementing a fraud hotline, employing a computer security officer,
monitoring system activities, and using intrusion detection systems.

Reduce fraud losses - By maintaining adequate insurance, developing disaster recovery plans, backing up data and programs, and using software to monitor system activity and recover from fraud.

Question 03- Define internal control. Differentiate among Preventive control, detective
control and corrective control. Discuss The Internal Control Model given by the
committee of Sponsoring Organizations (COSO).

Internal control:
Internal controls are the mechanisms, rules, and procedures implemented by a company to
ensure the integrity of financial and accounting information, promote accountability and
prevent fraud.
Differentiate among Preventive control, detective control and corrective control.
Preventive, detective, and corrective controls are three types of control techniques used in
various domains, such as information security, risk management, and quality assurance. Here's
a comparison of these control techniques with examples:

Preventive Controls:
Preventive controls aim to proactively prevent or reduce the likelihood of risks and issues from
occurring. These controls are implemented to avoid potential problems before they arise.
Examples of preventive controls include:
a. Access Control: Limiting access to sensitive information or systems by using strong
passwords, multifactor authentication, and role-based access control (RBAC).

b. Firewall Configuration: Configuring firewalls to block unauthorized network traffic and prevent potential attacks.

c. Security Awareness Training: Providing training and education to employees about security best practices to prevent social engineering attacks and other security breaches.

d. Regular Backups: Performing regular backups of critical data so that it can be recovered after hardware failure, data corruption, or a cyber attack. Strictly speaking, a backup prevents nothing: the loss event still happens, and the backup only makes it recoverable, so it is usually classified as a corrective control (with the restore as the corrective action). What is preventive is the access restriction that stops the backup itself from being deleted or encrypted together with the live data.

Detective Controls:
Detective controls focus on identifying and detecting risks, issues, or anomalies that have
already occurred. These controls are designed to detect and respond to incidents as quickly as
possible. Examples of detective controls include:

a. Intrusion Detection Systems (IDS): Monitoring network traffic and identifying suspicious
activity or potential intrusions.

b. Security Information and Event Management (SIEM) Systems: Collecting and analyzing logs and security events to detect and respond to security incidents.

c. Video Surveillance: Monitoring and recording activities in physical spaces to identify unauthorized access, theft, or other security breaches.

d. Log Monitoring: Analyzing system logs, application logs, and event logs to identify
abnormal behavior or potential security incidents.

Corrective Controls:
Corrective controls are implemented after an issue or incident has occurred to mitigate the
damage, restore normal operations, and prevent future occurrences. These controls focus on
correcting the root cause of the problem. Examples of corrective controls include:

a. Patch Management: Applying software patches and updates to fix vulnerabilities and
prevent further exploitation.

b. Incident Response: Implementing a structured process to respond to security incidents, including containment, eradication, and recovery.

c. System Restore: Restoring systems from a known good backup or configuration to eliminate
the effects of malware or system compromise.

d. Change Management: Implementing a formal process to review, approve, and document changes to systems or infrastructure to prevent unauthorized or uncontrolled changes.
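The three control types above can be shown working together on a small accounting system. The following Python is an added example written for this assignment; it is not taken from the original text or from any accounting package. The role table, user accounts, thresholds and audit-log lines are all constructed for the demonstration. authorize() is the preventive control (role-based, deny by default), detect() is the detective control (two rules run over the log lines: a burst of failed logins, and a journal approval outside business hours), and respond() is the corrective control (locking the account named in a brute-force alert, after which the preventive control refuses it).

```python
"""Preventive, detective and corrective controls over a small AIS audit log.

Added example for this assignment; roles, users, thresholds and log lines
are constructed for the demonstration and do not come from a real system.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# --- Preventive control: role-based access control, deny by default -----
ROLE_PERMISSIONS = {                       # hypothetical role table
    "clerk":   {"journal.create"},
    "manager": {"journal.create", "journal.approve"},
    "auditor": {"ledger.read"},
}
USER_ROLES = {"alice": "clerk", "bob": "manager",      # hypothetical users
              "carol": "auditor", "mallory": "clerk"}
LOCKED_USERS = set()                       # filled by the corrective control


def authorize(user, action):
    """Grant only when the user is not locked and the role lists the action."""
    if user in LOCKED_USERS:
        return False
    return action in ROLE_PERMISSIONS.get(USER_ROLES.get(user), set())


# --- Detective control: rules run over audit-log lines -------------------
# Constructed log, one event per line: "<ISO timestamp> <user> <event> <outcome>"
SAMPLE_LOG = """\
2024-03-01T09:00:12 alice journal.create success
2024-03-01T22:15:44 bob journal.approve success
2024-03-01T23:40:01 mallory login failure
2024-03-01T23:40:09 mallory login failure
2024-03-01T23:40:15 mallory login failure
2024-03-01T23:40:21 mallory login failure
2024-03-01T23:40:30 mallory login failure
2024-03-02T08:30:00 alice login success
"""

FAILED_LOGIN_THRESHOLD = 5                  # alert when this many fail ...
FAILED_LOGIN_WINDOW = timedelta(minutes=5)  # ... within this window
BUSINESS_HOURS = range(8, 18)               # approvals outside 08:00-17:59 are flagged


def parse_log(text):
    """Parse the constructed format into (timestamp, user, event, outcome) tuples."""
    records = []
    for line in text.splitlines():
        ts, user, event, outcome = line.split()
        records.append((datetime.fromisoformat(ts), user, event, outcome))
    return records


def detect(records):
    """Return alerts in log order: one per after-hours approval, and one whenever
    a user's failed logins inside the window reach exactly FAILED_LOGIN_THRESHOLD."""
    alerts = []
    failures = defaultdict(deque)           # user -> timestamps of recent failures
    for ts, user, event, outcome in records:
        if event == "login" and outcome == "failure":
            window = failures[user]
            window.append(ts)
            while ts - window[0] > FAILED_LOGIN_WINDOW:   # drop stale failures
                window.popleft()
            if len(window) == FAILED_LOGIN_THRESHOLD:
                alerts.append({"rule": "brute_force", "user": user, "at": ts})
        elif event == "journal.approve" and ts.hour not in BUSINESS_HOURS:
            alerts.append({"rule": "after_hours_approval", "user": user, "at": ts})
    return alerts


# --- Corrective control: act on the alerts -------------------------------
def respond(alerts):
    """Lock every account named in a brute-force alert and return the users locked.
    After-hours approvals are left for a human reviewer: the entry is already posted."""
    locked = {a["user"] for a in alerts if a["rule"] == "brute_force"}
    LOCKED_USERS.update(locked)
    return locked


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    for a in found:
        print(f"{a['at']:%Y-%m-%d %H:%M} {a['rule']:22} {a['user']}")
    print("locked:", respond(found))
    print("mallory may create journal entries:", authorize("mallory", "journal.create"))
```

Running the block prints two alerts (bob's 22:15 approval and mallory's fifth failed login at 23:40), locks mallory, and then shows that authorize() now refuses mallory's journal.create even though the clerk role still grants it. The window is a sliding one, so five failures spread over an hour would not trip the rule; that threshold and window are the tuning knobs a real monitoring rule exposes.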

Discuss The Internal Control Model given by the committee of Sponsoring Organizations
(COSO).
The COSO model defines internal control as "a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations."
1. Control Environment
• Exercise integrity and ethical values.
• Make a commitment to competence.
• Use the board of directors and audit committee.
• Facilitate management’s philosophy and operating style.
• Create organizational structure.
• Issue assignment of authority and responsibility.
• Utilize human resources policies and procedures.
2. Risk Assessment
• Create companywide objectives.
• Incorporate process-level objectives.
• Perform risk identification and analysis.
• Manage change.
3. Control Activities
• Follow policies and procedures.
• Improve security (application and network).
• Conduct application change management.
• Plan business continuity/backups.
• Perform outsourcing.
4. Information and Communication
• Measure quality of information.
• Measure effectiveness of communication.
5. Monitoring
• Perform ongoing monitoring.
• Conduct separate evaluations.
• Report deficiencies.

Question 04- Compare Preventive, Detective control, Corrective control techniques with
examples.

Preventive control vs. detective control vs. corrective control

Definition
• Preventive: designed to prevent misstatements from occurring, whether due to fraud or error.
• Detective: designed to discover mistakes made despite the existence of preventive controls.
• Corrective: designed to take corrective action on discovered mistakes.

Examples
• Preventive: segregation of duties, computer passwords and access control, security awareness training, employee handbook, user access reviews.
• Detective: account reconciliation, budget-to-actual review.
• Corrective: blocking a credit card when it is defrauded, disciplinary action.

What it does
• Preventive: tries to stop something bad from happening.
• Detective: tries to see whether something bad has already happened.
• Corrective: tries to fix it after something bad has happened.

Primary goal
• Preventive: prevent compliance breaches from occurring in the first place.
• Detective: identify risks and anomalies.
• Corrective: restore compliance and mitigate any negative consequences.

Question 05- Explain the interrelated components of COSO's internal control model.

COSO, which stands for the Committee of Sponsoring Organizations of the Treadway
Commission, developed a widely recognized framework for internal control known as the
COSO Internal Control Integrated Framework. This framework comprises five interrelated
components, which work together to help organizations achieve their objectives effectively and
efficiently, provide reliable financial reporting, and comply with laws and regulations. Here
are the components of the COSO internal control model:
Control Environment
The control environment sets the tone for an organization and influences the control
consciousness of its people. It encompasses factors such as integrity and ethical values, the
commitment to competence, management's philosophy and operating style, the organizational
structure, the assignment of authority and responsibility, and human resource policies and
practices. A strong control environment fosters a culture of accountability and integrity
throughout the organization.
Risk Assessment:
Risk assessment involves identifying, analyzing, and managing risks that may affect the
achievement of an organization's objectives. This process includes identifying internal and
external factors that may threaten the organization's ability to achieve its objectives, assessing
the likelihood and potential impact of these risks, and determining how to manage or mitigate
them. Effective risk assessment ensures that the organization can anticipate and respond to
risks in a timely manner.
Control Activities:
Control activities are the policies and procedures that help ensure that management directives
are carried out to mitigate risks and achieve objectives. These activities may include
segregation of duties, authorization and approval processes, physical controls, information
processing controls, and performance reviews. Control activities are designed to prevent or
detect errors, fraud, or noncompliance and are an essential part of the organization's internal
control system.
Information and Communication:
Information and communication systems enable the organization to capture and exchange
relevant, timely, and accurate information necessary for effective internal control. This
component involves the systems and processes used to identify, capture, and communicate
information about internal and external events relevant to the organization's objectives.

Monitoring Activities :
Monitoring activities involve ongoing assessments of the effectiveness of internal control
processes and procedures. This includes regular management and supervisory activities,
internal audits, and other evaluations to ensure that internal controls are operating as intended.
Monitoring activities help identify deficiencies or weaknesses in the internal control system
and enable management to take corrective action promptly.
These five components of the COSO internal control model are interrelated and collectively
contribute to the effectiveness of an organization's internal control system. By implementing
and integrating these components into their operations, organizations can better manage risks,
achieve objectives, and maintain integrity and accountability in their activities.

Question 06- Describe the information processing operations required to update the
general ledger and to produce reports for internal and external users. What are the threats
to preparing financial statements?
The information processing operations required to update the general ledger and produce
reports for internal and external users involve several steps and controls to ensure accuracy,
reliability, and timeliness of financial information. Here's an overview of the typical process:
Recording Transactions:

➢ Financial transactions are initially recorded in journals, such as sales journals, cash
receipts journals, and purchases journals. Each transaction is documented with relevant
details, including date, amount, accounts affected, and description.
➢ These transactions are then posted to the appropriate accounts in the general ledger,
where individual account balances are maintained.

Adjusting Entries:

➢ At the end of an accounting period, adjusting entries may be required to ensure that the
financial statements reflect the accrual basis of accounting and comply with accounting
principles (GAAP). Adjusting entries may include accruals, deferrals, and estimates for
items such as depreciation or bad debts.
➢ Adjusting entries are recorded in the general journal and posted to the general ledger
accounts.

Trial Balance:

➢ After all transactions and adjusting entries have been posted, a trial balance is prepared
to verify that debits equal credits and to ensure that the ledger is in balance. Any
discrepancies are investigated and corrected before proceeding.

Financial Statements:

➢ Once the trial balance is confirmed, financial statements are prepared, including the
income statement, balance sheet, statement of cash flows, and statement of retained
earnings.
➢ The income statement shows the company's revenues, expenses, and net income or loss
for the period.

➢ The balance sheet presents the company's assets, liabilities, and shareholders' equity at
a specific point in time.
➢ The statement of cash flows provides information about the company's cash inflows
and outflows from operating, investing, and financing activities.

Reporting:

➢ The prepared financial statements are distributed to internal stakeholders, such as management and the board of directors, for decision-making purposes.
➢ External users, including investors, creditors, regulators, and analysts, rely on the
financial statements for assessing the company's financial performance and position.
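The steps above (journalize, post, trial balance, statements) and the controls the answer goes on to mention (segregation of duties, authorization, reconciliation) can be walked through on a small ledger. The following Python is an added example written for this assignment, not part of the original text or of any accounting package; the chart of accounts, the users alice and bob, and the four transactions are constructed. Amounts are integer cents so that debits and credits compare exactly. record() rejects an entry whose debits and credits differ (the "errors and omissions" threat), approve() enforces that the preparer cannot approve their own entry, post() posts only approved entries, and trial_balance() confirms that the ledger still balances afterwards.

```python
"""Journal -> general ledger -> trial balance -> income figure, with two controls.

Added example for this assignment; the chart of accounts, users and
transactions are constructed and do not come from any accounting package.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical chart of accounts; the income statement accounts are listed separately.
CHART = {"Cash", "Accounts Receivable", "Inventory", "Accounts Payable",
         "Share Capital", "Sales Revenue", "Cost of Goods Sold", "Rent Expense"}
INCOME_ACCOUNTS = {"Sales Revenue", "Cost of Goods Sold", "Rent Expense"}


@dataclass
class JournalEntry:
    date: str
    description: str
    lines: list                  # (account, debit_cents, credit_cents) per line
    prepared_by: str
    approved_by: str = None      # set by Ledger.approve()
    posted: bool = False         # set by Ledger.post()

    def is_balanced(self):
        """Double-entry rule: total debits must equal total credits, and be non-zero."""
        debits = sum(d for _, d, _ in self.lines)
        credits = sum(c for _, _, c in self.lines)
        return debits > 0 and debits == credits


class Ledger:
    def __init__(self):
        self.journal = []                      # book of original entry, in order
        self.balances = defaultdict(int)       # account -> debits minus credits

    def record(self, entry):
        """Journalize: refuse unbalanced entries and unknown accounts before storing."""
        if not entry.is_balanced():
            raise ValueError(f"unbalanced entry: {entry.description}")
        unknown = {acct for acct, _, _ in entry.lines} - CHART
        if unknown:
            raise ValueError(f"unknown accounts: {sorted(unknown)}")
        self.journal.append(entry)

    def approve(self, entry, approver):
        """Authorization control with segregation of duties: preparer != approver."""
        if approver == entry.prepared_by:
            raise PermissionError("segregation of duties: preparer cannot approve")
        entry.approved_by = approver

    def post(self):
        """Post every approved, not-yet-posted entry to the ledger; return how many."""
        count = 0
        for entry in self.journal:
            if entry.approved_by is None or entry.posted:
                continue
            for account, debit, credit in entry.lines:
                self.balances[account] += debit - credit
            entry.posted = True
            count += 1
        return count

    def trial_balance(self):
        """(sum of debit balances, sum of credit balances); equal when the ledger balances."""
        debits = sum(b for b in self.balances.values() if b > 0)
        credits = sum(-b for b in self.balances.values() if b < 0)
        return debits, credits

    def net_income(self):
        """Revenues (credit balances) minus expenses (debit balances) for the period."""
        return sum(-self.balances[a] for a in INCOME_ACCOUNTS)


def build_sample_ledger():
    """Constructed transactions for one period, prepared by alice and approved by bob."""
    ledger = Ledger()
    for date, desc, lines in [
        ("2024-03-01", "Owner invests cash",
         [("Cash", 500_000, 0), ("Share Capital", 0, 500_000)]),
        ("2024-03-05", "Buy inventory on credit",
         [("Inventory", 200_000, 0), ("Accounts Payable", 0, 200_000)]),
        ("2024-03-10", "Sell goods on account",
         [("Accounts Receivable", 100_000, 0), ("Sales Revenue", 0, 100_000),
          ("Cost of Goods Sold", 60_000, 0), ("Inventory", 0, 60_000)]),
        ("2024-03-31", "Pay March rent",
         [("Rent Expense", 10_000, 0), ("Cash", 0, 10_000)]),
    ]:
        entry = JournalEntry(date, desc, lines, prepared_by="alice")
        ledger.record(entry)
        ledger.approve(entry, "bob")
    ledger.post()
    return ledger


if __name__ == "__main__":
    gl = build_sample_ledger()
    for account in sorted(gl.balances):
        print(f"{account:20} {gl.balances[account] / 100:12,.2f}")
    print("trial balance (debits, credits):", gl.trial_balance())
    print("net income:", gl.net_income() / 100)
```

With the four constructed entries the trial balance comes out at 800,000 cents on each side and net income at 30,000 cents (100,000 sales less 60,000 cost of goods sold and 10,000 rent). An entry whose amounts were transposed on one line fails is_balanced() and never reaches the journal, and an entry alice tries to approve herself stays unposted until a second person approves it, which is the control the answer later calls segregation of duties.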

Threats to preparing financial statements include:
Errors and Omissions:
Inaccurate recording or processing of transactions can lead to errors in the financial statements,
impacting decision-making and compliance.
Fraud:
Deliberate misrepresentation of financial information, such as fraudulent reporting of revenues
or assets, can mislead stakeholders and damage the organization's reputation.
Lack of Internal Controls:
Inadequate internal controls increase the risk of errors, fraud, and unauthorized access to
financial information, compromising the reliability and integrity of financial reporting.
Regulatory Compliance:
Failure to comply with applicable accounting standards, regulations, and disclosure
requirements can result in legal and financial consequences for the organization and its
stakeholders.
Technology Risks:
Dependence on information technology systems for processing financial transactions and
generating reports exposes the organization to risks such as system failures, cybersecurity
threats, and data breaches.
To mitigate these threats, organizations implement internal control measures, such as segregation of duties, authorization procedures, reconciliation processes, and regular audits, to ensure the accuracy, integrity, and reliability of financial information. Additionally, adherence to accounting standards and regulatory requirements helps maintain transparency and accountability in financial reporting.

Question 07- What are the motives for hacking? Why does hacking become so popular
in recent years? Do you consider it as a crime? Explain.

The motives behind hacking can vary widely and may include:
Financial Gain
Many hackers seek to steal sensitive financial information, such as credit card numbers or login
credentials, to commit fraud or extortion.
Espionage:
Some hackers are motivated by espionage, seeking to steal sensitive information from
governments, corporations, or individuals for political, economic, or personal gain.
Personal Challenge:
For some hackers, the primary motivation is the intellectual challenge and thrill of
circumventing security measures and gaining unauthorized access to systems or data.
Malicious Intent
Some hackers engage in destructive or disruptive activities simply for the sake of causing harm,
such as spreading malware or launching denial-of-service attacks.
Intellectual Property Theft:
Hackers may target businesses to steal valuable intellectual property, such as trade secrets,
proprietary software, or research and development data.
These motives can overlap, and individuals or groups may have multiple reasons for engaging
in hacking activities.

Hacking has become more prevalent in recent years for several reasons:
Increased Connectivity: With the widespread adoption of the internet and the proliferation of
connected devices through the Internet of Things , there are more entry points and potential
vulnerabilities for hackers to exploit.
Financial Incentives:
Many hackers are motivated by financial gain. They target individuals, businesses, and
organizations to steal sensitive information such as credit card details, personal data, or
intellectual property that can be sold on the dark web or used for identity theft.
Advancements in Technology:
As technology evolves, so do hacking techniques. Hackers are constantly developing new
methods and tools to exploit vulnerabilities in software, networks, and systems.
Low Risk:
The apparent anonymity of the internet, and tools such as virtual private networks (VPNs) that
hide a user's origin, make it easier for hackers to operate with little fear of being caught.
Additionally, the cross-border nature of cybercrime often makes it difficult for law enforcement
agencies to track down and prosecute offenders.
Availability of Resources:
There is a wealth of information and resources available online that can help aspiring hackers
learn new skills and techniques. This includes tutorials, forums, and even specialized courses
on hacking and cybersecurity.
Weak Security Practices:
Despite increased awareness of cybersecurity threats, many individuals and organizations still
have inadequate security measures in place. This creates opportunities for hackers to exploit
vulnerabilities and gain unauthorized access to systems and data.
Overall, the combination of these factors has contributed to the rise in hacking activity in recent
years. As technology continues to advance, it's likely that hacking will remain a significant
concern, highlighting the importance of robust cybersecurity measures and vigilance in
protecting sensitive information.

Hacking as a crime:
Hacking is generally considered a crime because it involves unauthorized access to computer
systems, networks, or data. Here are several reasons why hacking is viewed as a criminal
activity:

Unauthorized Access:
Hacking typically involves gaining access to computer systems, networks, or data without
permission from the owner or administrator. This unauthorized access violates the privacy and
security of individuals and organizations.
Damage and Disruption:
Hackers may cause damage to computer systems, networks, or data through various means,
such as installing malware, deleting files, or disrupting services. This can result in financial
losses, reputational damage, and operational disruptions for the affected parties.
Theft of Information:
Hacking often involves stealing sensitive information, such as personal data, financial records,
or intellectual property. This theft of information can lead to identity theft, fraud, and other
forms of cybercrime.
Violation of Laws and Regulations:
Hacking violates various laws and regulations, including the Computer Fraud and Abuse Act
(CFAA) in the United States and similar laws in other countries. These laws prohibit
unauthorized access to computer systems, as well as the theft, damage, or disruption of
computer-related assets.
As such, hacking is widely recognized as a criminal activity that can have serious consequences
for both individuals and society as a whole. The deciding element in every point above is the
absence of authorization: security testing carried out with the system owner's explicit, written
permission (for example, a contracted penetration test) is lawful for exactly that reason.
Question 08- Explain the COSO enterprise risk management framework. Compare and contrast
the frameworks: COBIT and COSO.
The COSO Enterprise Risk Management (ERM) framework, published by the Committee of Sponsoring
Organizations of the Treadway Commission as the ERM Integrated Framework (2004), is a widely
recognized and comprehensive approach for managing risk across an organization. It is built
around a set of interrelated components:
Internal Environment:
This component emphasizes the importance of establishing a strong internal environment that
promotes ethical values, integrity, and a risk-aware culture throughout the organization.
Objective Setting:
Objectives provide the foundation for the risk management process. They should be aligned
with the organization's mission and strategic goals and be specific, measurable, achievable,
relevant, and time-bound (SMART).
Event Identification:
Events or circumstances that could affect the achievement of the organization's objectives
must be identified. These events can be internal or external, positive or negative.
Risk Assessment:
Risk assessment involves evaluating both the inherent risk (the risk without considering any
controls) and the residual risk (the risk remaining after considering the effectiveness of existing
controls).
Risk Response:
Risk responses can include avoiding, mitigating (reducing), transferring (sharing), or accepting
risks, depending on their significance and the organization's risk appetite.
Control Activities:
Policies and procedures are established and carried out to ensure that the chosen risk responses
are actually executed, for example authorization procedures, segregation of duties, and
reconciliations.
Information and Communication:
Effective communication of risk-related information is essential for informed decision-making
and risk management. Information and communication processes should enable the timely and
relevant dissemination of risk-related information.
Monitoring:
Continuous monitoring of the risk management process is necessary to ensure that it remains
effective over time. Monitoring activities involve assessing the performance of the
organization's risk management activities, evaluating the effectiveness of controls, and making
adjustments.
The COSO ERM framework provides organizations with a structured approach to identifying,
assessing, responding to, and monitoring risks, helping them to achieve their objectives while
navigating uncertainties and challenges effectively.

Compare and contrast the frameworks: COBIT and COSO

COBIT (Control Objectives for Information and Related Technologies) and COSO (Committee
of Sponsoring Organizations of the Treadway Commission) are both frameworks designed to
help organizations manage risks and establish effective internal controls, but they have
different focuses and approaches. Here is a comparison and contrast of the two frameworks:

Focus
COBIT: primarily focuses on information technology (IT) governance and management.
COSO: has a broader focus on enterprise risk management (ERM) and internal control.

Scope
COBIT: covers a wide range of IT-related processes, governance, management, and operations.
COSO: extends beyond IT to encompass all aspects of enterprise risk management and internal
control.

Structure
COBIT: is structured around five key principles, such as meeting stakeholder needs and covering
the enterprise end-to-end.
COSO: the Internal Control framework consists of five interrelated components: control
environment, risk assessment, control activities, information and communication, and
monitoring activities.

Origin
COBIT: developed by the Information Systems Audit and Control Association (ISACA).
COSO: established by the Committee of Sponsoring Organizations of the Treadway Commission.

Integration
COBIT: can be integrated with other frameworks such as ITIL (Information Technology
Infrastructure Library) and ISO/IEC 27001 (Information Security Management System).
COSO: is often integrated with other risk management and internal control standards, such as
ISO 31000 (Risk Management).
Question 09- Explain with example how 2 combinations of preventive, detective and
corrective controls can be employed to provide reasonable assurance about information
security.

Preventive, detective, and corrective controls are fundamental components of information
security management. Employing a combination of these controls helps organizations establish
a robust security posture. Two combinations of these controls, each with an example:

Combination 1:
Preventive Control: Access Control Measures
Example: Implementing role-based access control (RBAC) where users are granted
permissions based on their roles and responsibilities. This prevents unauthorized users from
accessing sensitive information or performing actions beyond their authorization.

Detective Control: Intrusion Detection System (IDS)
Example: Deploying an IDS that monitors network traffic for suspicious activities or known
attack patterns. It can detect unauthorized access attempts or abnormal behavior, triggering
alerts for further investigation.

Corrective Control: Incident Response Plan
Example: Developing an incident response plan that outlines steps to be taken in case of a
security breach. This includes procedures for containing the incident, mitigating damage, and
restoring affected systems to their normal state.

Combination 2:
Preventive Control: Encryption
Example: Encrypting sensitive data both at rest and in transit using strong encryption
algorithms. This prevents unauthorized individuals from accessing or understanding the
information even if they gain unauthorized access to the system.
Detective Control: Security Information and Event Management (SIEM)
Example: Implementing a SIEM system that aggregates and analyzes logs from various
sources such as servers, firewalls, and applications. It can detect security incidents by
correlating events across the IT environment, providing real-time alerts for suspicious
activities.

Corrective Control: Remediation Driven by Security Audits
Example: Conducting periodic security audits and vulnerability assessments to identify
weaknesses in the system. The audit itself is a detective activity; the corrective control is the
remediation it triggers, such as patching software vulnerabilities, updating security
configurations, or enhancing security policies, tracked to closure so that the same finding does
not reappear in the next audit.

By combining preventive, detective, and corrective controls, organizations can create layers of
defense against potential security threats. Preventive controls help in stopping incidents before
they occur, detective controls aid in identifying security breaches or anomalies in real time,
and corrective controls enable organizations to respond effectively to incidents and minimize
their impact. No single layer is sufficient: a preventive control that fails silently is only
caught if a detective control is watching it, and a detective control that nobody acts on
changes nothing. This layered approach enhances the overall security posture and provides
reasonable (not absolute) assurance about information security.
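The two combinations above, reduced to one runnable sketch. This is an added example written for this page, not code from the assignment or from any product: the role table, the "three denials within five minutes" rule, the event format and the two user accounts are all constructed assumptions. It shows a preventive RBAC check that also enforces the segregation of duties mentioned earlier, a SIEM-style correlation rule that raises an alert when one user collects repeated denials, and the containment step of an incident response plan that disables the account, after which the preventive layer refuses that user.

```python
"""Preventive (RBAC + segregation of duties), detective (SIEM-style
correlation) and corrective (containment) controls over an invoicing
workflow. Added example; every name and threshold is an assumption."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Preventive control: hypothetical role -> permission table (an assumption,
# not any real system's configuration).
ROLE_PERMISSIONS = {
    "clerk": {"invoice:create", "invoice:read"},
    "manager": {"invoice:create", "invoice:read", "invoice:approve"},
    "auditor": {"invoice:read", "ledger:read"},
}


def authorize(account, permission, invoice=None):
    """Deny by default; return (allowed, reason). Besides the role check it
    enforces segregation of duties: whoever created an invoice may not approve it."""
    if not account["enabled"]:
        return False, "account disabled"
    if permission not in ROLE_PERMISSIONS.get(account["role"], set()):
        return False, "role lacks permission"
    if (permission == "invoice:approve" and invoice is not None
            and invoice["created_by"] == account["name"]):
        return False, "segregation of duties"
    return True, "ok"


def detect_repeated_denials(events, threshold=3, window=timedelta(minutes=5)):
    """Detective control: correlate DENY events per user inside a sliding time
    window, the way a SIEM rule would. `events` must be in time order.
    Raises at most one alert per user."""
    recent = defaultdict(deque)
    alerts, alerted = [], set()
    for ev in events:
        if ev["outcome"] != "DENY":
            continue
        q = recent[ev["user"]]
        q.append(ev["time"])
        while ev["time"] - q[0] > window:  # drop denials older than the window
            q.popleft()
        if len(q) >= threshold and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append({"user": ev["user"], "denials": len(q), "at": ev["time"]})
    return alerts


def contain(alert, accounts, incidents):
    """Corrective control: the containment step of an incident response plan.
    Disables the account and opens an incident record for follow-up."""
    accounts[alert["user"]]["enabled"] = False
    incident = {"user": alert["user"], "action": "account disabled",
                "opened": alert["at"], "status": "open"}
    incidents.append(incident)
    return incident


def run_demo():
    """Drive the three controls over constructed sample activity."""
    accounts = {  # constructed sample accounts
        "alice": {"name": "alice", "role": "clerk", "enabled": True},
        "bob": {"name": "bob", "role": "manager", "enabled": True},
    }
    invoice = {"id": "INV-1", "created_by": "bob"}  # constructed sample record
    t0 = datetime(2024, 3, 1, 9, 0)
    # (user, permission, invoice, minutes after t0): constructed access attempts
    attempts = [
        ("alice", "invoice:create", None, 0),
        ("bob", "invoice:approve", invoice, 1),   # bob created INV-1 himself
        ("alice", "invoice:approve", None, 2),
        ("alice", "invoice:approve", None, 3),
        ("alice", "ledger:read", None, 4),
    ]
    events = []  # the access log the detective control reads
    for user, perm, inv, minute in attempts:
        ok, reason = authorize(accounts[user], perm, inv)
        events.append({"time": t0 + timedelta(minutes=minute), "user": user,
                       "permission": perm, "outcome": "ALLOW" if ok else "DENY",
                       "reason": reason})
    alerts = detect_repeated_denials(events)
    incidents = []
    for alert in alerts:
        contain(alert, accounts, incidents)
    # A later attempt by a contained user is now refused by the preventive layer.
    after = authorize(accounts["alice"], "invoice:read")
    return {"events": events, "alerts": alerts, "incidents": incidents,
            "after_containment": after}


if __name__ == "__main__":
    result = run_demo()
    for ev in result["events"]:
        print(ev["time"].time(), ev["user"], ev["permission"], ev["outcome"], ev["reason"])
    print("alerts:", result["alerts"])
    print("incidents:", result["incidents"])
```

In the sample run bob's single denial (segregation of duties) produces no alert, while alice's three denials within five minutes trip the rule, her account is disabled and the incident record is what the response team works from. The threshold and window are the kind of tuning a real SIEM rule would need per environment.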
Question 10- Explain the value Chain concept to Bexi Garments Ltd. Explain how it
would perform in various Primary and Support Activities.
Value Chain:
Ans- A value chain is the set of activities that a firm operating in a specific industry performs in
order to deliver a valuable product or service for the market. The concept comes from business
management and was first described and popularized by Michael Porter in 1985.
The value chain of Bexi Garments Ltd. is shown in the figure below.

Value Chain in Bexi Garments Ltd.

Fiber -> Spinning -> Weaving/Knitting -> Bleaching, Dyeing, Printing, Finishing -> Make-Up -> Retailing

Primary Activities:
1. Inbound Logistics – Involve relationships with suppliers and include all the activities
required to receive, store, and disseminate inputs.
2. Operations – Are all the activities required to transform inputs into outputs (products and
services).
3. Outbound Logistics – Include all the activities required to collect, store, and distribute the
output.
4. Marketing and Sales – Activities inform buyers about products and services, induce buyers
to purchase them, and facilitate their purchase.
5. Service – Includes all the activities required to keep the product or service working
effectively for the buyer after it is sold and delivered.

Support Activities (Secondary):
1. Procurement – Is the acquisition of inputs, or resources, for the firm.
2. Human Resource management – Consists of all activities involved in recruiting, hiring,
training, developing, compensating and (if necessary) dismissing or laying off personnel.
3. Technological Development – Pertains to the equipment, hardware, software, procedures
and technical knowledge brought to bear in the firm's transformation of inputs into outputs.
4. Infrastructure – Serves the company’s needs and ties its various parts together, it consists
of functions or departments such as accounting, legal, finance, planning, public affairs,
government relations, quality assurance and general management.

Question 11- Can the characteristics of useful information be met simultaneously?
Explain with example.

Yes, the characteristics of useful information can be met simultaneously, although some of them
pull against each other (completeness against conciseness, timeliness against accuracy) and have
to be balanced for the decision at hand. Useful information is often described using the
acronym "ACCURATE," which stands for:

1. Accurate: Information should be free from errors or distortions, providing a true
representation of the facts.

2. Complete: Information should contain all the relevant details necessary for its purpose,
leaving no significant gaps.

3. Clear: Information should be presented in a way that is easily understandable to the intended
audience, avoiding ambiguity or confusion.

4. Concise: Information should be brief and to the point, without unnecessary details that may
distract from the main message.

5. User-friendly: Information should be presented in a format that is accessible and easy for
the intended users to comprehend.

6. Relevant: Information should be directly related to the subject or decision at hand, avoiding
irrelevant details.

7. Timely: Information should be provided in a timely manner, aligning with the needs of the
decision-making process or the context in which it is used.
Let's consider an example:
Imagine a financial analyst preparing a report on a company's quarterly performance. The
analyst gathers accurate and complete financial data, ensuring that all relevant figures are
included. The report is presented in a clear and concise format, avoiding unnecessary jargon.
The document is user-friendly, with visual aids such as charts and graphs to enhance
understanding. The information is highly relevant to the stakeholders, focusing on key financial
metrics impacting the company's performance. Lastly, the report is delivered in a timely
manner, enabling decision-makers to act promptly based on the insights provided.

In this example, the characteristics of useful information are met simultaneously, making the
financial report a valuable tool for informed decision-making.