ADELAIDE · S1 2026 · FACULTY OF BUSINESS & ECONOMICS

ACCTING2503 · Accounting Systems And Analytics

50% final exam · hurdle · 14 chapters · 9-page Bible
Chapter 3 of 11 · ACCTING 2503

Fraud & AIS Controls for Information Security

This is the defensive core of ACCTING 2503: who attacks an accounting information system, why they succeed, and the controls that stop them. You learn to classify a threat, apply the fraud triangle (pressure, opportunity, rationalisation), tell social engineering from malware from technical attacks, and structure controls with COSO and the time-based model P > D + C. It is almost pure concept-and-classify: marks come from naming the exact term and mapping a scenario's facts to it. This material is prime Test 1 content and reappears in the final exam's case questions.

In this chapter

What this chapter covers

  • 1. Threats to an AIS — natural disasters, software/hardware failure, unintentional acts (carelessness) and intentional acts (fraud, sabotage)
  • 2. What fraud is — a false statement about a material fact, intent to deceive, justifiable reliance and resulting loss; the two forms are misappropriation of assets and fraudulent financial reporting
  • 3. The fraud triangle — pressure (motive), opportunity (weak controls), rationalisation (excuse); only opportunity is created by the system, so controls target it
  • 4. Computer fraud by data-cycle point — input, processor, computer-instructions, data and output fraud
  • 5. Attacks vs social engineering vs malware — a human tricked vs software that harms vs a machine/network exploited; virus (host + human) vs worm (self-propagating)
  • 6. Internal control — reasonable (not absolute) assurance; functions (preventive/detective/corrective) and categories (general/application)
  • 7. Frameworks — SOX section 404, COSO Internal Control (5 components) vs COSO-ERM (8 components), inherent vs residual risk, the four risk responses
  • 8. Defence-in-depth and the time-based model — layered redundant controls; a system is secure when P > D + C (break-in time exceeds detect + respond time)

Worked example · free

Apply the fraud triangle: the fake-supplier scheme at Torrens Manufacturing

Q [9 marks]. At Torrens Manufacturing, purchasing officer Marco set up a fictitious supplier and paid it $2,600 per week for about five months before an audit exposed it. Investigators found: Marco was under heavy financial pressure after a failed property investment; he could both add new suppliers to the master file and approve invoices for payment; and he told a colleague 'the company owes me for years of unpaid overtime anyway.' (a) Map each fact to a leg of the fraud triangle. (b) Estimate the loss. (c) Recommend the single most effective control and state which leg it attacks.
  • (+2) Pressure: the failed property investment and resulting financial strain are the pressure (motive/incentive) leg — the pressure that starts the fraud.
  • (+2) Opportunity: being able to add suppliers to the master file AND approve invoices is no segregation of duties, giving him the opportunity to both commit (create the fake supplier) and conceal (approve its invoices) the fraud.
  • (+2) Rationalisation: 'the company owes me for unpaid overtime' is the rationalisation — the excuse that lets an otherwise honest person justify the theft.
  • (+1) Loss estimate: about five months is roughly 22 weeks, so 22 x $2,600 = about $57,200 misappropriated — a misappropriation-of-assets fraud caused by weak control.
  • (+2) Best control: segregate duties over the supplier master file and payment approval — the person who adds or edits suppliers must not approve payments — supported by independent review of new suppliers and matching invoices to purchase orders and receiving reports. This attacks the opportunity leg.
Failed investment = pressure; add-supplier and approve-payment = opportunity; 'they owe me' = rationalisation; loss is about $57,200. The actionable fix is segregation of duties over the supplier master and payment approval, because opportunity is the only leg internal control can remove.
Sia tip — Examiners plant all three legs in one vignette and then ask what would have prevented it — always steer the fix at opportunity (segregation of duties, authorisation, independent reconciliation), because management cannot remove an employee's private pressure or change their attitude.
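Added illustration, not part of the original guide: the opportunity leg from the Torrens example expressed as two controls over a constructed accounts-payable audit trail. A preventive check blocks an approver who also created the supplier, and a detective scan finds past self-approvals and totals the exposure. The log layout, user names and supplier ids are assumptions.

```python
"""Segregation-of-duties checks over an AP audit trail (added example)."""

# Constructed sample audit-trail rows, not from the page or any real system.
SUPPLIER_MASTER_LOG = [
    {"supplier": "S-1041", "action": "add", "user": "marco", "date": "2026-01-06"},
    {"supplier": "S-1042", "action": "add", "user": "priya", "date": "2026-01-09"},
]
PAYMENT_APPROVAL_LOG = [
    {"supplier": "S-1041", "amount": 2600.0, "approver": "marco", "date": "2026-01-13"},
    {"supplier": "S-1041", "amount": 2600.0, "approver": "marco", "date": "2026-01-20"},
    {"supplier": "S-1042", "amount": 1800.0, "approver": "marco", "date": "2026-01-21"},
]


def supplier_creators(master_log):
    """Map each supplier id to the user who added it to the master file."""
    return {r["supplier"]: r["user"] for r in master_log if r["action"] == "add"}


def can_approve(user, supplier, master_log):
    """Preventive control: refuse approval when the approver also created
    the supplier, so one person cannot both commit and conceal."""
    return supplier_creators(master_log).get(supplier) != user


def sod_violations(master_log, approval_log):
    """Detective control: scan past approvals and return
    {supplier: (user, total_paid, payment_count)} for every supplier whose
    creator approved its own payments."""
    creators = supplier_creators(master_log)
    flagged = {}
    for p in approval_log:
        creator = creators.get(p["supplier"])
        if creator is None or creator != p["approver"]:
            continue  # different people added and approved: duties are segregated
        _, total, n = flagged.get(p["supplier"], (creator, 0.0, 0))
        flagged[p["supplier"]] = (creator, total + p["amount"], n + 1)
    return flagged


if __name__ == "__main__":
    hits = sod_violations(SUPPLIER_MASTER_LOG, PAYMENT_APPROVAL_LOG)
    for supplier, (user, total, n) in hits.items():
        print(f"{supplier}: {user} added the supplier and approved "
              f"{n} payments totalling ${total:,.2f}")
```

The detective scan is the independent review the worked answer recommends; the preventive check is what the payment system itself should enforce so the review finds nothing.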
Glossary

Key terms

Fraud
Gaining an unfair advantage by a false statement about a material fact, made with intent to deceive, on which the victim justifiably relies and thereby suffers a loss. All four elements must be present.
Fraud triangle
The three conditions usually present in a fraud: pressure (the motive), opportunity (weak controls that let it be committed and concealed) and rationalisation (self-justification). Only opportunity is created by the system.
Social engineering
Attacks that manipulate a person rather than exploit software — phishing, pretexting, pharming, tailgating, shoulder surfing. The giveaway is that a human is tricked.
Virus vs worm
A virus attaches to a host file and needs a human action to trigger and spread; a worm is stand-alone and self-propagates across networks with no human help.
Preventive / detective / corrective controls
Controls classified by function: deter before it happens, discover after it happens, and fix/recover. A separate axis classifies controls by scope as general (whole-system) or application (transaction-level).
COSO vs COSO-ERM
Internal-control frameworks: COSO has 5 components (control environment, risk assessment, control activities, information & communication, monitoring); COSO-ERM extends it to 8, adding objective setting, event identification and risk response.
Inherent vs residual risk
Inherent risk is the risk before any controls; residual risk is what remains after controls are applied. Controls shrink inherent down toward the residual level the board will accept.
Time-based model (P > D + C)
A security system is effective when the time for an attacker to break preventive controls (P) exceeds the time to detect (D) plus the time to correct/respond (C).
FAQ

Fraud & AIS Controls for Information Security FAQ

What is the single most important idea in this chapter?

The fraud triangle. A fraud needs pressure, opportunity and rationalisation together, but internal control can only remove opportunity — so almost every case answer should name all three legs, map the scenario's facts to them, and recommend a control (usually segregation of duties) that attacks opportunity.

How is a virus different from a worm?

A virus attaches to a host file and needs a human to open or run it before it spreads; a worm is a stand-alone program that self-propagates across a network with no human action, consuming bandwidth. Exam scenarios test this exact distinction, so read for whether a human trigger is needed.

What is the difference between COSO and COSO-ERM?

COSO Internal Control has 5 components (control environment, risk assessment, control activities, information & communication, monitoring). COSO-ERM extends this to 8 by adding objective setting, event identification and risk response. Memorise both lists and note the three ERM additions.

How do I use the P > D + C rule?

It says a system is secure when the time to break through preventive controls (P) is greater than the time to detect an attack (D) plus the time to correct or respond (C). Do not reverse it — if detection and response are slower than the break-in, the attacker is in and out before you react. Improving detection speed (shrinking D) is often the cheapest fix.

Is this topic on the tests or the final exam?

Both. Fraud and internal control are core Test 1 material (case-based, 50 questions), and the same ideas appear in the final exam's open-ended case questions where a vignette hides a control weakness. Power BI is not examinable in the final, but this control material is. Check your course outline for current weightings.

What is the most common mistake students make here?

Naming only two legs of the fraud triangle, reversing virus and worm, confusing COSO (5) with COSO-ERM (8), swapping inherent and residual risk, or merging the two control splits (function versus scope). Each is an easy mark lost to imprecision.

Study strategy

Exam move

Treat this chapter as a set of clean classifications you can apply, not a list to memorise. For each concept keep a one-line definition, the distinction the examiner loves, and a single business example: the three fraud-triangle legs (and that only opportunity is controllable), the two forms of fraud, the attack families (human tricked = social engineering, software = malware, machine = technical attack), virus versus worm, the function-versus-scope split of controls, COSO's 5 versus COSO-ERM's 8, inherent versus residual risk, and the P > D + C inequality. Drill by taking short vignettes and forcing yourself to name the exact term and the matching control before reading on. In the STUVAC/revision week before the end-of-semester exam period, rehearse the answer shape the case questions reward — state the concept, apply it to the facts, evaluate the specific weakness, then conclude with a concrete control aimed at opportunity — so structure and mark-allocation become automatic under time pressure.

ACCTING2503 · Accounting Systems And Analytics - independent study guide on the AskSia Library.