Please read the attachment and answer the question.

Video Clip: Fraud, Evidence, and Computer Sabotage Planning, Part 1 Transcript Al Arens: Hi, I'm Al Arens, co-author of Auditing and Assurance Services: An Integrated Approach. I would like to briefly introduce this segment. For many years, auditors have reminded anyone who would listen that it was not their job to detect fraud - and they didn't. According to a recent survey, auditors detect only 5% of all significant business frauds. As a result, auditing standards were revised. Auditors now have a positive and affirmative duty to plan and perform their engagements to detect fraud. In recent years, with advances in technology, the auditor's role has become more difficult. On one hand, information technology can certainly enhance a company's internal controls. On the other hand, it can lead to substantial losses if warning signals are ignored. In this segment, Jason Froth, of Corrole-Lagar, Inc., a worldwide leader in risk mitigation and security, shows how to protect a company from computer crime. Host: Can you give us an example of computer crime? Can you tell us about a specific corporate incident? Jason: Yes. We had an incident where there was an employee that was increasingly dissatisfied with his work environment and the people he was working for. He decided to secure employment somewhere else, with a different company, and he did secure other employment. And after he left, he left a goingaway present or a parting gift for the First Corporation, which was essentially a logic bomb that he planted in email servers around the country ... this was a global company. He planted these logic bombs in email servers around the country all from the location that he was at, because it was all networked together. And basically, the logic bombs were set to go off at a certain time and a certain date. What happened to the corporation was that at about 5AM one morning, all of the email servers in the company that this particular individual attacked self-destructed and essentially erased all of the files on the hard disks of the computers and they could no longer function. What we did was we came in, we were not only able to show that this logic bomb existed on all of the computers, but we also found remnants of the logic bomb and previous iterations of it - in other words, he was practicing before he actually planted the logic bomb - on his personal computer at his desktop. This was very good evidence in proving that this particular person was the one that created this and created this problem. Host: So, it's important that companies be able to accumulate this type of evidence? Jason: Yes. Every corporation should realize that this is a possibility from an insider. The insiders in your corporation ... they have the best ability to attack your system and to hurt your system, and this can happen. Every corporation should realize that this is a possibility ======================================================================== == Video Clip: Fraud, Evidence, and Computer Sabotage Planning, Part 2 Transcript Host: I guess this gets at the whole issue of policies and procedures and other steps relating to what companies should have in place to help protect themselves against the situation where they don't have the proper evidence, or they don't have the right procedures. Can you talk to us about that? Jason: Absolutely, Becky. Basically, your computer security policy is the cornerstone of any case in which you have a civil or criminal case against an individual that may be in your corporation for wrongdoing or misuse of the computer system. If you don't have good policies, then later on, it's going to be very difficult to claim that this person did something wrong with the computer system and they knew that they did something wrong. Every corporation should have a well thought-out, well organized, planned policy that says important things to the corporation. Number one, that the computers are only used for business purposes, and possibly limited personal purposes. For instance, if somebody's getting email through the Internet from their family, that may not be a violation of the computer policy, but it's limited personal purposes. Also, obviously, people should not be downloading pornography from the Internet - that should be a violation of business policy. But whatever your business policies are, they should be clear-cut, they should be well-defined, they should be presented to the employee upon his employment, and they should be read by the employee and acknowledged and agreed to, and the document should be signed. Likewise, exit interviews, when people are leaving employment ... they should also be provided with a copy of the computer policy, whatever that is, and sign that they received it, they understood it, and they haven't violated the policy. They should do that before they exit employment. They may refuse to sign it when they exit employment, but that in and of itself can tell you something about what the employee has or hasn't done, and it's still a good practice to ask the employee to sign and to acknowledge it before he leaves. And lastly, the computer system itself - the first thing you should have is a log-on screen, a splash screen that comes on, where the person acknowledges every time they log on to the system that the system belongs to the corporation, that it's to be used only for business purposes and possibly limited personal purposes, which are defined in the computer use policy, and they should have to acknowledge that before they go any further. Before they're allowed to proceed into the networked computer system of the corporation, they should have to acknowledge that they understand this and accept it and agree to it. (end) Please read the paragraph below and answer the following question. Briefly discuss what you perceive to be the most significant point made by the speakers regarding the auditor's role in detecting fraud. Al Arens: Hi, I'm Al Arens, co-author of Auditing and Assurance Services: An Integrated Approach. I would like to briefly introduce this segment. For many years, auditors have reminded anyone who would listen that it was not their job to detect fraud - and they didn't. According to a recent survey, auditors detect only 5% of all significant business frauds. As a result, auditing standards were revised. Auditors now have a positive and affirmative duty to plan and perform their engagements to detect fraud. In recent years, with advances in technology, the auditor's role has become more difficult. On one hand, information technology can certainly enhance a company's internal controls. On the other hand, it can lead to substantial losses if warning signals are ignored. In this segment, Jason Froth, of Corrole-Lagar, Inc., a worldwide leader in risk mitigation and security, shows how to protect a company from computer crime. Host: Can you give us an example of computer crime? Can you tell us about a specific corporate incident? Jason: Yes. We had an incident where there was an employee that was increasingly dissatisfied with his work environment and the people he was working for. He decided to secure employment somewhere else, with a different company, and he did secure other employment. And after he left, he left a goingaway present or a parting gift for the First Corporation, which was essentially a logic bomb that he planted in email servers around the country ... this was a global company. He planted these logic bombs in email servers around the country all from the location that he was at, because it was all networked together. And basically, the logic bombs were set to go off at a certain time and a certain date. What happened to the corporation was that at about 5AM one morning, all of the email servers in the company that this particular individual attacked self-destructed and essentially erased all of the files on the hard disks of the computers and they could no longer function. What we did was we came in, we were not only able to show that this logic bomb existed on all of the computers, but we also found remnants of the logic bomb and previous iterations of it - in other words, he was practicing before he actually planted the logic bomb - on his personal computer at his desktop. This was very good evidence in proving that this particular person was the one that created this and created this problem. Host: So, it's important that companies be able to accumulate this type of evidence? Jason: Yes. Every corporation should realize that this is a possibility from an insider. The insiders in your corporation ... they have the best ability to attack your system and to hurt your system, and this can happen. Every corporation should realize that this is a possibility ======================================================================== == Video Clip: Fraud, Evidence, and Computer Sabotage Planning, Part 2 Transcript Host: I guess this gets at the whole issue of policies and procedures and other steps relating to what companies should have in place to help protect themselves against the situation where they don't have the proper evidence, or they don't have the right procedures. Can you talk to us about that? Jason: Absolutely, Becky. Basically, your computer security policy is the cornerstone of any case in which you have a civil or criminal case against an individual that may be in your corporation for wrongdoing or misuse of the computer system. If you don't have good policies, then later on, it's going to be very difficult to claim that this person did something wrong with the computer system and they knew that they did something wrong. Every corporation should have a well thought-out, well organized, planned policy that says important things to the corporation. Number one, that the computers are only used for business purposes, and possibly limited personal purposes. For instance, if somebody's getting email through the Internet from their family, that may not be a violation of the computer policy, but it's limited personal purposes. Also, obviously, people should not be downloading pornography from the Internet - that should be a violation of business policy. But whatever your business policies are, they should be clear-cut, they should be well-defined, they should be presented to the employee upon his employment, and they should be read by the employee and acknowledged and agreed to, and the document should be signed. Likewise, exit interviews, when people are leaving employment ... they should also be provided with a copy of the computer policy, whatever that is, and sign that they received it, they understood it, and they haven't violated the policy. They should do that before they exit employment. They may refuse to sign it when they exit employment, but that in and of itself can tell you something about what the employee has or hasn't done, and it's still a good practice to ask the employee to sign and to acknowledge it before he leaves. And lastly, the computer system itself - the first thing you should have is a log-on screen, a splash screen that comes on, where the person acknowledges every time they log on to the system that the system belongs to the corporation, that it's to be used only for business purposes and possibly limited personal purposes, which are defined in the computer use policy, and they should have to acknowledge that before they go any further. Before they're allowed to proceed into the networked computer system of the corporation, they should have to acknowledge that they understand this and accept it and agree to it. (end)