Please comment on the text below and answer the question beneath it.
---
One of the most common fraud schemes used for information assets is employees gaining access to customer data, including social security numbers and checking account numbers, and then using the info. to commit various types of fraud. H&R Block had a huge problem with this for a few years. Employees would steal customer data through a back door in the software program that would lock customer information after the employees had entered it into the computer, and the employees then used the information to shop online from the victim's bank account, and a variety of other frauds. It was all over the news for a while. Management can do a few things to mitigate risk from this type of fraud. So many companies assume that their employees will never try and access data that they shouldn't, so their firewalls and general IT security lacks in strength. There needs to be a secure IT environment with firewalls and sensitive information should be restricted from anyone accessing it that doesn't "have" to have it. In addition, the IT system should be designed as to where the old customer data doesn't sit on a server that isn't needed any longer. It should be moved to microfilm and removed from the server.
Process related risks are usually system related changes. These include unauthorized changes to programs or computer systems to alter the processing of information and the output. For example, a programmer working for a financial institution could deduct .10 from customer's interest payments and draw off the funds into his own account.
A key control is testing a system after changes to ensure the functionality of the system has not changed and changes are fully authorized. Test data must think through many presentations of what is possible. In addition, procedures should be in place to detect security violations by recording certain events as they occur.
----
Please provide an example of an attestation engagement, and explain the levels of assurance that should be given in attestation engagement reports.