ACCTING2503 · Accounting Systems And Analytics
Fraud & AIS Controls for Information Security
This is the defensive core of ACCTING 2503: who attacks an accounting information system, why they succeed, and the controls that stop them. You learn to classify a threat, apply the fraud triangle (pressure, opportunity, rationalisation), tell social engineering from malware from technical attacks, and structure controls with COSO and the time-based model P > D + C. It is almost pure concept-and-classify: marks come from naming the exact term and mapping a scenario's facts to it. This material is prime Test 1 content and reappears in the final exam's case questions.
What this chapter covers
1. Threats to an AIS — natural disasters, software/hardware failure, unintentional acts (carelessness) and intentional acts (fraud, sabotage)
2. What fraud is — a false statement about a material fact, intent to deceive, justifiable reliance and resulting loss; the two forms are misappropriation of assets and fraudulent financial reporting
3. The fraud triangle — pressure (motive), opportunity (weak controls), rationalisation (excuse); only opportunity is created by the system, so controls target it
4. Computer fraud by data-cycle point — input, processor, computer-instructions, data and output fraud
5. Attacks vs social engineering vs malware — a human tricked vs software that harms vs a machine/network exploited; virus (host + human) vs worm (self-propagating)
6. Internal control — reasonable (not absolute) assurance; functions (preventive/detective/corrective) and categories (general/application)
7. Frameworks — SOX section 404, COSO Internal Control (5 components) vs COSO-ERM (8 components), inherent vs residual risk, the four risk responses
8. Defence-in-depth and the time-based model — layered redundant controls; a system is secure when P > D + C (break-in time exceeds detect + respond time)
Apply the fraud triangle: the fake-supplier scheme at Torrens Manufacturing
- (+2) Pressure: the failed property investment and resulting financial strain are the pressure (motive/incentive) leg — the pressure that starts the fraud.
- (+2) Opportunity: being able to add suppliers to the master file AND approve invoices is no segregation of duties, giving him the opportunity to both commit (create the fake supplier) and conceal (approve its invoices) the fraud.
- (+2) Rationalisation: 'the company owes me for unpaid overtime' is the rationalisation — the excuse that lets an otherwise honest person justify the theft.
- (+1) Loss estimate: about five months is roughly 22 weeks, so 22 x $2,600 = about $57,200 misappropriated — a misappropriation-of-assets fraud caused by weak control.
- (+2) Best control: segregate duties over the supplier master file and payment approval — the person who adds or edits suppliers must not approve payments — supported by independent review of new suppliers and matching invoices to purchase orders and receiving reports. This attacks the opportunity leg.
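As an added example that is not part of the course notes, the detective control behind the Torrens answer: scan the supplier master-file change log and the invoice approval log and flag every approval where the approver also created or edited that supplier. The log records and user names are constructed for the example.

```python
"""Segregation-of-duties check for the fake-supplier scheme (added example).
Flags invoices approved by the same user who maintains the supplier record."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed supplier master-file change log: (supplier_id, user, action)
MASTER_FILE_LOG = [
    ("S-100", "alice", "create"),
    ("S-101", "bob", "create"),              # bob also approves S-101 below
    ("S-102", "carol", "create"),
    ("S-101", "bob", "edit_bank_details"),
]

# Constructed invoice approval log: (invoice_id, supplier_id, approver, amount)
APPROVAL_LOG = [
    ("INV-1", "S-100", "bob", 1200.00),      # bob did not touch S-100: fine
    ("INV-2", "S-101", "bob", 2600.00),      # conflict: commit + conceal
    ("INV-3", "S-101", "bob", 2600.00),      # conflict
    ("INV-4", "S-102", "alice", 480.00),     # alice did not touch S-102: fine
]


def master_file_editors(log) -> Dict[str, Set[str]]:
    """Map each supplier to every user who created or edited its record."""
    editors: Dict[str, Set[str]] = defaultdict(set)
    for supplier_id, user, _action in log:
        editors[supplier_id].add(user)
    return editors


def sod_violations(master_log, approval_log) -> List[Tuple[str, str, str, float]]:
    """Approvals where the approver also maintains the supplier's master record."""
    editors = master_file_editors(master_log)
    return [(inv, sup, approver, amt)
            for inv, sup, approver, amt in approval_log
            if approver in editors.get(sup, set())]


def exposure(violations) -> float:
    """Amount paid under conflicting duties: the sum a review must re-verify."""
    return round(sum(v[3] for v in violations), 2)


def estimated_loss(weekly_amount: float, weeks: int) -> float:
    """Case loss estimate: one fake invoice per week times weeks the scheme ran."""
    return weekly_amount * weeks


if __name__ == "__main__":
    hits = sod_violations(MASTER_FILE_LOG, APPROVAL_LOG)
    for inv, sup, who, amt in hits:
        print(f"{inv}: {who} approved ${amt:,.2f} to {sup}, which {who} maintains")
    print("exposure under conflicting duties:", exposure(hits))
    print("Torrens estimate (22 weeks x $2,600):", estimated_loss(2600, 22))
```

The same check is the independent-review step in the answer: every flagged invoice should then be matched to a purchase order and receiving report by someone other than the approver.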
Key terms
- Fraud: gaining an unfair advantage by a false statement about a material fact, made with intent to deceive, on which the victim justifiably relies and thereby suffers a loss. All four elements must be present.
- Fraud triangle: the three conditions usually present in a fraud: pressure (the motive), opportunity (weak controls that let it be committed and concealed) and rationalisation (self-justification). Only opportunity is created by the system.
- Social engineering: attacks that manipulate a person rather than exploit software — phishing, pretexting, pharming, tailgating, shoulder surfing. The giveaway is that a human is tricked.
- Virus vs worm: a virus attaches to a host file and needs a human action to trigger and spread; a worm is stand-alone and self-propagates across networks with no human help.
- Preventive / detective / corrective controls: controls classified by function: deter before it happens, discover after it happens, and fix/recover. A separate axis classifies controls by scope as general (whole-system) or application (transaction-level).
- COSO vs COSO-ERM: internal-control frameworks: COSO has 5 components (control environment, risk assessment, control activities, information & communication, monitoring); COSO-ERM extends it to 8, adding objective setting, event identification and risk response.
- Inherent vs residual risk: inherent risk is the risk before any controls; residual risk is what remains after controls are applied. Controls shrink inherent risk down toward the residual level the board will accept.
- Time-based model (P > D + C): a security system is effective when the time for an attacker to break preventive controls (P) exceeds the time to detect (D) plus the time to correct/respond (C).
Fraud & AIS Controls for Information Security FAQ
What is the single most important idea in this chapter?
The fraud triangle. A fraud needs pressure, opportunity and rationalisation together, but internal control can only remove opportunity — so almost every case answer should name all three legs, map the scenario's facts to them, and recommend a control (usually segregation of duties) that attacks opportunity.
How is a virus different from a worm?
A virus attaches to a host file and needs a human to open or run it before it spreads; a worm is a stand-alone program that self-propagates across a network with no human action, consuming bandwidth. Exam scenarios test this exact distinction, so read for whether a human trigger is needed.
What is the difference between COSO and COSO-ERM?
COSO Internal Control has 5 components (control environment, risk assessment, control activities, information & communication, monitoring). COSO-ERM extends this to 8 by adding objective setting, event identification and risk response. Memorise both lists and note the three ERM additions.
How do I use the P > D + C rule?
It says a system is secure when the time to break through preventive controls (P) is greater than the time to detect an attack (D) plus the time to correct or respond (C). Do not reverse it — if detection and response are slower than the break-in, the attacker is in and out before you react. Improving detection speed (shrinking D) is often the cheapest fix.
Is this topic on the tests or the final exam?
Both. Fraud and internal control are core Test 1 material (case-based, 50 questions), and the same ideas appear in the final exam's open-ended case questions where a vignette hides a control weakness. Power BI is not examinable in the final, but this control material is. Check your course outline for current weightings.
What is the most common mistake students make here?
Naming only two legs of the fraud triangle, reversing virus and worm, confusing COSO (5) with COSO-ERM (8), swapping inherent and residual risk, or merging the two control splits (function versus scope). Each is an easy mark lost to imprecision.
Exam move
Treat this chapter as a set of clean classifications you can apply, not a list to memorise. For each concept keep a one-line definition, the distinction the examiner loves, and a single business example: the three fraud-triangle legs (and that only opportunity is controllable), the two forms of fraud, the attack families (human tricked = social engineering, software = malware, machine = technical attack), virus versus worm, the function-versus-scope split of controls, COSO's 5 versus COSO-ERM's 8, inherent versus residual risk, and the P > D + C inequality. Drill by taking short vignettes and forcing yourself to name the exact term and the matching control before reading on. In the STUVAC/revision week before the end-of-semester exam period, rehearse the answer shape the case questions reward — state the concept, apply it to the facts, evaluate the specific weakness, then conclude with a concrete control aimed at opportunity — so structure and mark-allocation become automatic under time pressure.