Question

• You have been hired by the CFO of Strayer University to develop a plan to protect its accounting and financial systems at a reasonable cost. Suggest a high-level plan for the CFO. Provide support for your suggestion.
• Based on your security plan recommendation, determine the system aspect that is most likely to be violated.

Answer 1

igh Level Plan will be:

1. Preventive Controls: Designed to prevent the occurrence of errors and misappropriation of resources. For example – security checks, access control, reference check for new employees, credit check for potential clients etc. Such controls include control on transactions, people and functions through:
   1. Separation of responsibilities for different functions of an activity. Authorization, Recording, Access to asset and Reconciliation for a transaction should be handled by 4 employees.
   2. Twofold controls for key functions or transactions above certain amount
   3. Cross-checking at every step (for example – reconciliations between sales ledger and debtors)
   4. Reasonableness checks (for example – amount of insurance premium should be reasonable with respect to the sum insured and / or cost of asset insured)
   5. Completeness checks (say for example – forms cannot be processed until all mandatory details are filled in)
2. Detective Controls: Preventive controls are complemented by detective controls that are designed to detect the errors which preventive controls fail to prevent. For example:
   1. Physical inventory check,
   2. Reconciliation of Bank statement, petty cash accounts etc.
   3. Such controls rely on sample checking and are often combined with preventive controls to provide extra layer of protection against potential risks. They are usually lesser expensive in comparison to preventive controls.
3. Corrective Controls: Such controls aim to rectify the issues highlighted by detective controls. For example: In case a discrepancy has been noted in the list of inventory booked in the inventory register and that physically checked, a corrective control will look into the issues of difference and rectify the register.

Support for my suggestion:

My suggestions primarily aim to design controls that:

• Should have adequate checks to ensure financial, accounting and operational information generated by the system is accurate and reliable
• Should generally complement each other towards safeguarding of assets, compliance with law, reliable financials, efficient operations and achieving firm’s objectives.

So my design controls are such that they

1. First attempt to prevent threat from occurring in the first place
2. Put in place adequate controls to detect the threat once it has occured and then
3. Attempt to reduce the possible losses

System aspect that will be most likely violated:

1. Effective internal control can prevent human errors (unintentional, due to carelessness or ignorance) but may not be efficient to prevent fraud.
2. Thus internal controls can give reasonable but not 100% assurance about prevention of errors and frauds.
3. Stealing of the data by authorized personnel
4. Passing on the stolen data to unauthorized personnel
5. Obsolescence in system technology
6. Hacks