Deck 10: Data Analytics in Accounting: Tools and Practice
1
What is hashing? Does it serve the same purpose as encryption? Why?
Hashing
It refers to the transformation of a large string of characters into a value of small length, or a key, that represents the original string. It indexes the items in the database and also retrieves them. Hash keys make it easy to find an item in the database.
Encryption
It is the protection of digital data that is kept on computers or that is transferred from one device to another over the Internet or another computer network. Nowadays encryption plays a vital role in the security of information technology systems and communication, as it provides confidentiality.
Hashing and encryption are both used for confidentiality of the information shared. Both functions encrypt the information so that other users do not get access to it.
Still, the two functions do not serve each other's purpose. The situations in which hashing is preferred differ from those in which encryption is used.
Hashing and encryption are two current security tools, but they work separately from each other. Hashing is one-way, which means that once the data to be shared has been converted into encrypted, non-readable data, it cannot be converted back to the raw data.
Encryption, by contrast, is two-way, which means that the data can be restored to the original values with the help of the key, the private key, which is given to the receiver to decrypt the encrypted data. It serves the purpose of easy transmission of information.
Encryption generally transforms the data into cipher text using the key; a hash key, on the other hand, just converts larger words into small-length words, and the function is used in the process of generating a message digest. Hence, it can be said that encryption and hashing do not serve the same function.
2
Phishing is a type of social engineering. Give two examples of phishing.
Phishing: It is a cyber fraud in which an intruder uses duplicate websites to obtain sensitive and private information from the user that can be used for identity theft. In phishing, users are sent misleading emails so that private information such as credit card details, passwords, bank account or social security numbers can be taken from them.
Social engineering is a technique used by hackers that depends largely on individual interaction. In this technique, people are tricked with the aim of breaking their normal security system. Phishing is a type of social engineering because it also relies on a confidence trick: the attacker pretends to be a trustworthy organization and sends mail or creates a fake website with the aim of gathering sensitive and personal information or accessing a system.
Most phishing frauds are done by making a duplicate site for a bank, so that the intruder gets the account number and PIN of an innocent bank customer. Some examples of phishing: an intruder can create a duplicate web page of a bank's site to get the account holder's PIN and account number; an attacker can use a duplicate link for a social website to get personal information of the user.
Another form of phishing comes from services, sites and companies with which the person does not have any account, asking for personal information.
3
Motive to commit fraud usually will include all of the following, except:
A) Inadequate segregation of duties
B) Financial pressure
C) Personal habits and lifestyle
D) Feelings of resentment
E) Alcohol, drug, or gambling addiction
Corporate Fraud:
A fraud is an intentional deception for securing an unfair or unlawful gain. It is a civil wrong. Corporate fraud refers to fraud that is done by the corporates and executives of the company. These frauds are undertaken by the employees or the companies in a dishonest and illegal manner.
Consideration of all the options to find the one that is not a motive for committing fraud:
b.
Financial pressure refers to the pressure faced by an individual, generally an employee, when he is in financial distress. Whenever a person is in a situation of financial distress, he finds himself crushed under the financial pressure.
Thus, option b is incorrect, as financial pressure can be a motive for committing fraud.
c.
Personal habits and lifestyle refers to the way a person lives his day-to-day life. A person's perception of things shows his lifestyle, and the way a person does things comes under his habits. When a person is not able to afford his habits and lifestyle, he becomes a part of a fraud.
Thus, option c is incorrect, as personal habits can be a motive for fraud.
d.
Feeling of resentment refers to a feeling in which a person has emotions of anger, sadness and disappointment. It is a foundation of hatred. This feeling many times becomes a motive for committing a wrongful act like fraud.
Thus, option d is incorrect, as a feeling of resentment is a motive for committing fraud.
e.
Alcohol, drug or gambling addiction also sometimes becomes a reason for getting involved in financial frauds. When a person is not able to fund his addiction from his basic revenue sources, he starts getting involved in frauds.
Thus, option e is incorrect, as this addiction is a motive for committing fraud.
a.
Inadequate segregation of duties means that the duties have not been distributed correctly. When duties are segregated, each person gets his respective duty to complete his part of the task.
Thus, option a is correct, as this cannot be considered a motive to commit a fraud.
4
(CISA exam, adapted) Authentication is the process by which the
A) System verifies that the user is entitled to enter the transaction requested
B) System verifies the identity of the user
C) User identifies him- or herself to the system
D) User indicates to the system that the transaction was processed correctly
5
How can data integrity be ensured when conducting e-business? Why is it critical to e-business?
6
Compare and contrast symmetric-key and asymmetric-key encryption methods in conducting e-business. Why do companies prefer one method over the other? If a company chooses to use both methods, what might be the reasons? How can the company truly use both methods for e-business?
7
(CPA exam, adapted) An information technology director collected the names and locations of key vendors, current hardware configuration, names of team members, and an alternative processing location. What is the director most likely preparing?
A) Internal control policy
B) System hardware policy
C) System security policy
D) Disaster recovery plan
E) Supply chain management policy
8
If social engineering is a common reason that confidential information was revealed, what needs to be done to prevent this from occurring?
9
Both COBIT and ISO 27000 series are security frameworks. Are there significant differences between the two frameworks?
10
(CMA exam, adapted) Data processing activities may be classified in terms of three stages or processes: input, processing, and output. An activity that is not normally associated with the input stage is
A) Batching
B) Recording
C) Verifying
D) Reporting
11
A message digest is the result of hashing. Which of the following statements about the hashing process is true?
A) It is reversible.
B) Comparing the hashing results can ensure confidentiality.
C) Hashing is the best approach to make sure that two files are identical.
D) None of the above is true.
12
Many internal auditors and IT professionals believe wireless networks and mobile devices pose high risks in a firm's network system. Collect information to examine whether this concern is valid. If so, identify the risks and the general controls to help reduce these risks.
13
Compare disaster recovery planning (DRP) and business continuity management (BCM).
14
Payment Card Industry Data Security Standards (PCI-DSS) and the Health Insurance Portability and Accountability Act (HIPAA) are examples of the laws related to information security. Discuss the major requirements of these legislations.
15
Which one of the following vulnerabilities would create the most serious risk to a firm?
A) Using open source software (downloaded for free) on the firm's network
B) Employees recording passwords in Excel files
C) Employees writing instant messages with friends during office hours
D) Unauthorized access to the firm's network
16
(CISA exam, adapted) To ensure confidentiality in an asymmetric-key encryption system, knowledge of which of the following keys is required to decrypt the received message?
I) Private
II) Public
A) I
B) II
C) Both I and II
D) Neither I nor II
17
Under PKI, Certification Authority (CA) plays a critical role in the success of maintaining information security. Search over the Internet to find a few public firms who are CAs. Compare these firms, and provide suggestions on how to choose a CA as part of information security management.
18
Give an example of employee fraud, and identify reasons it may occur.
19
To authenticate the message sender in an asymmetric-key encryption system, which of the following keys is required to decrypt the received message?
A) Sender's private key
B) Sender's public key
C) Receiver's private key
D) Receiver's public key
20
What are the differences between authentication and authorization?
21
To ensure the data sent over the Internet are protected, which of the following keys is required to encrypt the data (before transmission) using an asymmetric-key encryption method?
A) Sender's private key
B) Sender's public key
C) Receiver's private key
D) Receiver's public key
22
Explain how to use the asymmetric-key encryption method to maintain confidentiality in transmitting a business document electronically.
23
Which of the following groups/laws was the earliest to encourage auditors to incorporate fraud examination into audit programs?
A) COSO
B) COBIT
C) PCAOB
D) SAS No. 99
E) Sarbanes-Oxley Act