The Association of Digital Forensics, Security and Law (ADFSL)
Recent regulations in the United States (U.S.) such as the Sarbanes-Oxley Act of 2002 require top management of a public firm to provide reasonable assurance that they institute internal controls that minimize risks over the firm’s operations and financial reporting. External auditors are required to attest to management’s assertions about the effectiveness of those internal controls. As firms rely more on information technology (IT) in conducting business, they also become more vulnerable to IT-related risks. IT is critical for initiating, recording, processing, summarizing and reporting accurate financial and non-financial data. Thus, understanding IT-related risks and instituting internal control mechanisms that minimize them have become important and have created an urgent need for professionals equipped with IT audit and security skills and knowledge. However, there is a severe shortage of teaching cases that can be used in courses aimed at training such professionals. This teaching case begins to address this gap by fostering classroom discussions around IT audit and security issues. It revolves around a hacking incident that compromised the online order processing systems of AlphaCo and led to some fraudulent activity. The hacking incident raises a series of questions about IT security vulnerabilities, internal control deficiencies, the integrity of financial statements, and independent auditors’ assessment of fraud in the context of the Sarbanes-Oxley Act.
The case places students in the roles of executives, IT managers, and auditors and encourages them to discuss several important questions: how and why did the hacking incident happen; what harm did it cause to the firm; how can the firm prevent such hacking incidents in the future; if they do happen, how can the firm detect hacking incidents and fraud sooner; how do auditors assess the impact of such incidents in the context of a financial statement audit; and do management and auditors have a responsibility to detect and publicly report fraud? The case also facilitates the teaching of relevant conceptual frameworks such as COSO (Committee of Sponsoring Organizations of the Treadway Commission) and COBIT (Control Objectives for Information and related Technology).
Tanriverdi, Hüseyin; Bertsch, Joshua; Harrison, Jonathan; Hsiao, Po-Ling; Mesuria, Ketan S.; and Hendrawirawan, David. "AlphaCo: A Teaching Case on Information Technology Audit and Security," Journal of Digital Forensics, Security and Law: Vol. 1, Article 2.
Available at: http://commons.erau.edu/jdfsl/vol1/iss1/2