
Assignment Acc2543 - Group2 - Dia4a - S222

This document contains an assignment on accounting information systems for a diploma in accounting program. It includes 5 tasks related to internal controls and mitigating fraud risks. Task 1 requires identifying actions to protect information security. Task 2 provides 4 cases and requires identifying the type of control. Task 3 asks for advice to strengthen internal controls for companies to reduce fraud. The document outlines the assignment details such as duration, instruction, and grading. It also includes a table of contents and the group members' details.

Uploaded by

Adham Zulkifli

KOLEJ PROFESIONAL MARA

DIPLOMA IN ACCOUNTING

COURSE NAME : ACCOUNTING INFORMATION SYSTEM


COURSE CODE : ACC 2543
ACADEMIC SESSION : 2 2022/2023
TYPE OF ASSESSMENT : ASSIGNMENT
DURATION : 3 WEEKS (4th - 21st October 2022)

CLO2 : Prepare business cycles flowcharts showing internal control activities to
mitigate the risk of fraud (C3, PLO2)

INSTRUCTION TO CANDIDATES:
• This is a group assignment which consists of 3-4 students per group.
• Carefully check the submission date and the instructions given with the
assignment/project. Late submission will not be accepted.
• Ensure that you give yourself enough time to complete the assignment by the due date.
• Total mark for this assignment is 20 %.
• NOTE: If you are caught cheating or plagiarizing, you will be referred to the Disciplinary Board
and may be granted a failing “F” grade for the course work or for the unit undertaken.

Personal Details

Group Members' Names:
1) MUHAMMAD ADHAM WAFIQ BINTI ZULKIFLI
2) ZULFADHLI BIN ZUBAIDI
3) NUR FATIHAH BINTI BORHAN
4) NURUL SYAZWANI BINTI MD. MUNAWAR
5) NUR SAFIRA ALEYA BINTI AB RAHMAD

I/D Number:
1) PDA-2107-126
2) PDA-2107-001
3) PDA-2107-131
4) PDA-2107-062
5) PDA-2107-112

Class: DIA 4A
Lecturer: NOR SAFUAN BIN MOHD JAAFAR

Section / Question No. and Marks: Total / 40

TABLE OF CONTENTS

NO. PARTICULARS

1. TASK 1
2. TASK 2
   - CASE 1
   - CASE 2
   - CASE 3
   - CASE 4
3. TASK 3
4. REFERENCES

TASK 1

Although many information security threats, such as viruses, worms, natural
disasters, hardware failures, and human errors, are often random events, organizations are
also frequently the target of deliberate attacks. There are a few actions that can be taken
to protect security.
Firstly, set different access levels according to position. Managers and
employees are given different levels of access to corporate data depending on their
experience and role in the company. This can limit access to the company's system and
prevent the company's data from being spread easily.
Next, scan and map the target. If an attacker cannot successfully penetrate the
target system via social engineering, the next step is to conduct more detailed
reconnaissance to identify potential points of remote entry. The attacker uses a variety of
automated tools to identify computers that can be remotely accessed and the types of
software they are running.
Then, use secure system design. This can reduce exposure to hackers and
thieves by limiting access to technology infrastructure. Additionally, minimize points of
failure by eliminating unnecessary access to hardware and software, and by limiting individual
user and system privileges to only the necessary equipment and programs. The next step is to
reduce the scope of potential damage to the network by using a unique set of email addresses,
logins, servers, and domain names for each user.
Install antivirus software and keep all software up to date. A program called
an antivirus is designed to identify and remove viruses and other harmful software
from computers or laptops. It can prevent information loss caused by a virus.
Examples of antivirus products are McAfee, Total AV, Norton, and many more. It is important
to keep all software updated, including security updates, which help safeguard against new
viruses and variants of established threats.
Providing basic training is also important to protect security. Human error or
carelessness is the cause of numerous security lapses. Through training programs that warn
of the risks of careless password practices and careless use of networks, programs, and
devices, this fundamental training can aid in the development of a corporate culture that
emphasizes computer security. Members of the organization must be accustomed to all
security measures, from fundamental document disposal procedures to protocols for
handling lost passwords.

TASK 2

CASE 1

First, obtain variance management reports. Multiple management reports can
prevent employees from covering up their behavior. Every action will be explicitly reported
and required to be real. Second, specific authorization. It determines what activities
authorized users are allowed to take while restricting their access to certain system areas.
Finally, training and procedures should be updated. To avoid future mistakes and
abnormalities, the human resources department must update the company's personnel
training programs and operating procedures. The controls identified above fall under
preventive controls.

CASE 2

Firstly, internal audit staff review. Employees involved in personal financial
dilemmas will create fake transactions that charge small fees by paying important figures
multiple times. You should review the trail of authorizations for all wire transfers. Second,
journal entry and general ledger reviews. Fraudsters are wily, agile people. A review of
the journal and general ledger can detect some of their schemes, like a controller cutting
herself a check but reclassifying it to another account. Third, daily bank reconciliation.
Train multiple people in your finance department to perform this important task and relate
disparate data sets to each other, identify and investigate discrepancies, and take corrective
action when necessary. Fourth, monthly performance check. Management compares
information about current performance to budgets, forecasts, prior periods, or other
benchmarks to measure the extent to which goals and objectives are being achieved and to
identify unexpected results or unusual conditions that require follow-up. Lastly, security of
assets. Restrict access to equipment, inventory, cash and other assets. Assets are counted
periodically and compared with the amount shown on the control records. The controls
identified above fall under detective controls.

CASE 3

The first thing I would suggest is utilizing email security tools and procedures.
Email security is improved by email security protocols and technologies, and efficient spam
filters shield users from harmful communications. Use two-factor authentication after
that. Even if a hacker is successful in guessing your password, they will be stopped by
two-factor authentication since there is still a code they must enter before they can view
your emails. Next, keep an eye out for fraudulent emails. One of the several ways
hackers might acquire your account information is through phishing emails. Business email
security will inevitably be compromised if you don't pay attention to the email address,
tone, and even the grammar of the email. Last but not least, avoid utilizing public Wi-Fi,
since a malicious actor can monitor and obtain private information sent via email by using
free, open-source packet sniffers like Wireshark.

CASE 4

Weaknesses:
Jonathan, as purchasing manager for the Majestic Bookstore, has too much
responsibility, with no separation of duties.

How to overcome:
Majestic Bookstore needs to hire other employees for each task to avoid any
fraudulent activity. Authorization or approval of related transactions affecting those assets

TASK 3

Based on the scenarios presented, as a consultant, I would advise each of the above
companies to strengthen internal controls, which would help reduce the possibility of
fraud and embezzlement occurring within the organization. Given that Enron was able to
conceal billions of dollars in debt through poor accounting techniques, I would advise the
corporation to implement effective document control. Documentation of firm rules and
procedures is vital since modifications are unavoidable. Written documentation can provide
staff with guidance on what to do in the event of an unexpected turnover. It will also make
employees more aware of their unique responsibilities in accordance with the stated internal
control and provide the organization with an opportunity.
Every company can apply control activities to make sure fraud or
embezzlement is avoided or kept under control; these are rules that provide reasonable
assurance that management's control objectives are achieved. A company can apply proper
authorization, whether general or specific. This can be linked with the
WorldCom accounting scandal, where the underreporting of line costs and inflation of revenue
caused the company's bankruptcy. General authorization lets employees handle routine
transactions without explicit approval from management.
Following that, the firm should have segregation of tasks to avoid fraud and
embezzlement. The same individual should not be in charge of having possession of the
assets, maintaining records, and authorizing transactions. Basically, if a person is allowed to
do so, he will be able to easily commit embezzlement because he is in charge of all the tasks.
When various people are in charge of different tasks, fraud is less likely to occur since it
requires the collaboration of more than one person. This is shown in the Enron collapse, where
Jeffrey Skilling, who served as president, COO and CEO, had access to almost all of the
company's transactions, so separation of duties is needed for a healthy business.
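An added example, not part of the original assignment: a small audit check for the segregation rule above, flagging anyone who combines authorization, record keeping and custody. The field names, user names and log rows are constructed for illustration.

```python
from collections import defaultdict

# Hypothetical field names for the three duties named in the paragraph.
DUTIES = ("authorized_by", "recorded_by", "custody_by")

# Constructed sample log (not real data): one row per transaction.
SAMPLE_LOG = [
    {"txn": "T-001", "authorized_by": "aminah", "recorded_by": "bakar", "custody_by": "chong"},
    {"txn": "T-002", "authorized_by": "jonathan", "recorded_by": "jonathan", "custody_by": "chong"},
    {"txn": "T-003", "authorized_by": "jonathan", "recorded_by": "bakar", "custody_by": "jonathan"},
    {"txn": "T-004", "authorized_by": "aminah", "recorded_by": "bakar", "custody_by": "bakar"},
    {"txn": "T-005", "authorized_by": "bakar", "recorded_by": "devi", "custody_by": "chong"},
]

def same_txn_conflicts(log):
    """Return {txn: {user: [duties]}} where one user held 2+ duties on one transaction."""
    findings = {}
    for row in log:
        held = defaultdict(list)
        for duty in DUTIES:
            held[row[duty]].append(duty)
        overlap = {user: duties for user, duties in held.items() if len(duties) > 1}
        if overlap:
            findings[row["txn"]] = overlap
    return findings

def users_holding_all_duties(log):
    """Return sorted users who performed every duty at least once across the whole log."""
    seen = defaultdict(set)
    for row in log:
        for duty in DUTIES:
            seen[row[duty]].add(duty)
    return sorted(user for user, duties in seen.items() if duties == set(DUTIES))

if __name__ == "__main__":
    for txn, overlap in same_txn_conflicts(SAMPLE_LOG).items():
        for user, duties in overlap.items():
            print(f"{txn}: {user} held {', '.join(duties)}")
    print("all three duties across the log:", users_holding_all_duties(SAMPLE_LOG))
```

The second check matters because a user can stay within the rule on every single transaction and still accumulate all three duties over time, as "bakar" does in the sample rows.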
Next, the company should have a strict policy about the documents and records of every
transaction that happens in the course of business. This control will help to ensure
accurate and complete recording of all relevant data about transactions and events, and it
will help the company to be more secure and trusted. Lastly, independent checks can be
done as a control. The company can reconcile two independent sets of records or
compare actual quantities to recorded amounts. Independent checks on performance,
which are carried out by employees who did not do the work being checked, help ensure the
reliability of accounting information and the efficiency of operations.
For example, a supervisor verifies the accuracy of a retail clerk's cash drawer at the end of
the day.
There are many corrective controls that the company can apply to any fraud or
error; many, however, rely on human judgment. Consequently, their effectiveness depends to
a great extent on proper planning and preparation. Therefore, the efforts implemented are
emphasized. The first corrective control that can be applied is a Computer Incident Response
Team (CIRT). A key component of being able to respond to
security incidents promptly and effectively is the establishment of a CIRT. The CIRT should
include not only technical specialists but also senior operations management, because some
potential responses to security incidents have significant economic consequences. For
example, as mentioned for the WorldCom accounting scandal, the CEO
faced action for conspiracy, securities fraud, and filing false statements with
securities regulators.
Organizational structure is identified as a critical enabler to achieve effective control
and security. It is especially important that the organization assign responsibility for
information security to someone at an appropriate senior level of management. One way to
satisfy this objective is to create the position of CISO, who should be independent of other
information system functions and should report to either the chief operating officer or the
chief executive officer. The CISO is responsible for developing, implementing, and promoting
effective security policies and procedures. Furthermore, the CISO should act as an unbiased
auditor and examiner of the IT ecosystem. A CISO should be in charge of ensuring that
vulnerability and risk assessments are completed on a regular basis, as well as security
audits. Furthermore, CISOs must collaborate closely with the person in charge of physical
security since unauthorized access is a risk.
The last thing that the company can do to avoid any of the cases that have been
mentioned above is patch management. Patch management is the process of distributing
and applying updates to software. These patches are often necessary to correct errors (also
referred to as “vulnerabilities” or “bugs”) in the software. When a vulnerability is found after
the release of a piece of software, a patch can be used to fix it. Doing so helps ensure that
assets in your environment are not susceptible to exploitation. This type of control can
create a more secure environment: when you regularly patch vulnerabilities, you are
helping to manage and reduce the risk that exists in your environment. This helps protect
your organization from potential security breaches.
