9. SECURITY AND CONROL ASSESSMENT
The potential risks in BBC new computer-based information system are as
follows:
Security
Chapter 1 Page 2
Systems Development
Program Changes
1. NETWORK ACCESS CONTROL
Chapter 1 Page 3
11. INTERNAL CONTROL AND FRAUD
Weakness: Lack of Background Check.
Control: An appropriate level background check should be performed on
all new employees. In the case of John, it would have revealed any
Chapter 1 Page 4
Weakness: Security over Confidential Material.
John learned key operational features, controls, and financial trigger
points by browsing information located in employee offices.
Weakness: Lack of Adequate Password Control.
Kent manufacturing uses a reusable password system. Once John
obtained the necessary passwords he was able to access the system and
play many roles to perpetrate his frauds.
Weakness: Lack of Adequate Application Control.
By keeping transactions under the trigger threshold John was able to
perpetrate $100, 000 in frauds each month that went undetected for 1½
years.
Weakness: Lack of Security Software.
John was able to successfully install a Trojan Horse that went
undetected.
Chapter 1 Page 5
12. DATABASE AUTHORIZATION TABLE
A) The table below illustrates the appropriate access privileges for the AP clerk whose job is
to review the supplier’s invoice and set up a liability, which will later be paid.
Database Table Purchase Order Receiving Report Vendor Invoice
Authority
Level
Read Y Y Y
Insert N N Y
Modify
Delete
N
N
N
N
N
N
B) The process involves performing a three-way-match of the PO, receiving report,
and the Vendor Invoice. Before setting up an account payable the clerk will verify
the items invoiced were ordered (PO), received in good condition (receiving report),
The AP clerk normally would not have “modify” or “delete” access to the Vendor
Also, the clerk should not have insert, modify, or delete access to the PO and
receiving report tables. Such access would allow the AP clerk to enter fraudulent PO
Chapter 1 Page 6
13. DATABASE AUTHORIZATION TABLE
The table below illustrates the appropriate access privileges for the sales clerk
Database Table Customer Table Inventory Table Sales Invoice
Authority
Level
Read Y Y Y
Insert N N Y
Modify
Delete
N
N
N
N
N
N
B) The clerk needs “Read” access to the Customer Table attributes (including
“available credit”) and to the “Quantity on Hand” and “Sales Price” attributes in the
The Sales clerk normally would not have “modify” or “delete” access to the Sales
Chapter 1 Page 7
Also, the clerk should not have “insert”, “modify”, or “delete” access to the Customer
Table or the Inventory Table. Such access would allow the sales clerk to alter a