Week 10

Question 1

What are the two main categories of fraud?

Answer 1

Misappropriation of assets (theft) and fraudulent financial reporting (“cooking the books”).

Question 2

What three elements must exist for fraud (Fraud Triangle)?

Answer 2

Pressure (financial/emotional need), Opportunity (weak controls), Rationalization (justifying unethical behavior).

Question 3

Example of misappropriation in Malaysia?

Answer 3

MH370 case - bank officer stole RM110,643 from passengers’ accounts.

Question 4

Example of fraudulent financial reporting?

Answer 4

M K Land Holdings - overstated land disposal gains as revenue (RM80.77m tax penalty).

Question 5

Define computer fraud classification types:

Answer 5

Input fraud, Processor fraud, Computer instruction fraud, Data fraud, Output fraud.

Question 6

Most common cybercrime in Malaysia (2015)?

Answer 6

Fraud - #1 for 5 consecutive years per CyberSecurity Malaysia.

Question 7

What is a botnet?

Answer 7

46.2M Malaysian mobile records stolen (2017).

Question 8

Distinguish virus vs. worm:

Answer 8

Virus requires human action to replicate; worm self-replicates independently.

Question 9

Ransomware example in Malaysia?

Answer 9

WannaCry attack (2017) - encrypted files demanding Bitcoin ransom.

Question 10

Four social engineering techniques:

Answer 10

Phishing (fake emails), Pretexting (fabricated scenarios), Shoulder surfing, Dumpster diving.

Question 11

How to spot phishing?

Answer 11

Check sender address, urgency tactics, attachment requests (e.g., fake Citibank email).

Question 12

Three functions of internal controls:

Answer 12

Preventive (deter), Detective (identify), Corrective (recover).

Question 13

Why segregate accounting duties?

Answer 13

Prevent single-person fraud:

Custody (handle assets) ≠ Recording (bookkeeping) ≠ Authorization.

Question 14

Key components of COSO framework:

Answer 14

Control environment, Risk assessment, Control activities, Information/communication, Monitoring.

Question 15

Four risk response strategies:

Answer 15

Reduce (implement controls), Accept (tolerate risk), Share (insurance), Avoid (stop activity).

Question 16

COBIT5 vs. COSO-ERM:

Answer 16

COBIT5 focuses on IT governance; COSO-ERM expands to enterprise risk management.

Question 17

Inherent vs. Residual risk:

Answer 17

Inherent = pre-control risk; Residual = post-control risk.

Question 18

Auditor’s fraud detection duties (ISA):

Answer 18

Assess control risks, understand fraud schemes, document findings, use tech-focused approaches.

Question 19

Three ways to deter fraud:

Answer 19

Culture of integrity, strong internal controls, fraud detection software.

Question 20

How to minimize social engineering?

Answer 20

ever share passwords, verify unknown requests, restrict tailgating into secure areas

Question 21

Salami technique example:

Answer 21

Round-down fraud - stealing fractions of cents from transactions.

Question 22

ARP spoofing vs. IP spoofing:

Answer 22

ARP spoofing attacks LANs; IP spoofing hides DoS attack sources.

Question 23

Purpose of change management controls?

Answer 23

Ensure system updates don’t create vulnerabilities or disrupt operations.