Threats to AIS
- Natural Disasters
- Unintentional Acts
- Software/Hardware issue
- Intentional Acts
Fraud
Any intentional deception made for personal gain or to damage another individual.
Fraudulent acts must have:
False statement
Intent to lie
Victim lost something
Made a person act
Most common forms of fraud
Most common: Financial Reporting Fraud
2nd most common: Asset Misappropriation
Fraud Opportunity
Ability to commit the theft
Conceal the fraud
Convert the proceeds for personal benefit
Fraud Triangle
Rationalize
Pressure
Opportunity
Rationalization Triangle
Justification
Lack of morals
Attitude
Pressure for Fraud
Lifestyle
Money
Emotional state
Pressure for financial statement fraud
State of the economy
Meet Quota
Management Pressure
Computer fraud
Any illegal act that involves the use of computers to misappropriate funds or data.
Data Processing Fraud
Input fraud
Processing fraud
Data storage fraud
Output fraud
Security
Access to data and systems is controlled and restricted to legitimate users.
Confidentiality
Sensitive organizational data is protected.
Privacy
Personal information held by the company is protected.
Processing integrity
Data is processed accurately, on time, and with proper authorization.
Availability
The system and its information are available for use.
Ways to minimize risk of system downtime
Preventative Maintenance
Training
Patching software
Fault Tolerance: System ability to function when a part fails.
Data center designs
Full backup
a full copy of the database
Partial backup
a copy of the changes made daily
Incremental backup
Copies only items that have changed since the last partial backup.
Differential backup
Copies all changes made since the last full backup.
Archive backup
a full backup used for historical preservation
Recovery Point Objective (RPO)
Maximum amount of data an organization is willing to re-enter or lose.
Recovery Time Objective (RTO)
Maximum tolerable time to restore the information system.
Disaster recovery plan (DRP)
Procedures to restore IT functions.
Business continuity plan (BCP)
How to resume all business operations.
Reciprocal agreement
Agreement with another organization to use its equipment and IT system resources.
Cold site
Prewired building with telephone/internet connections and contracts with one or more vendors to provide all equipment.
Hot site
A cold site that already has all the needed equipment in place.
Real-time mirroring
Maintain two copies of the database at separate data centers.
IT security fundamental concepts
P > D + R
P = time it takes an attacker to break through the preventive controls
D = time to detect an attack
R = time to respond and correct the damage
Prevention layers
Policy → Physical Location → Network → Database → Data
Authentication
Verifies the identity of the person trying to access the system.
Authorization
Restricts authenticated users to specific parts of the system and limits the actions they may perform.
Access control matrix
Table used to implement authorization controls.
Compatibility test
Checks a user's authenticated identity against the access control matrix before allowing an action.
IT solutions to protecting data
Antimalware
Encryption
Device and software
Network security
Router
Connects the information system to the internet.
Firewall
Device or software that controls inbound and outbound communication.
DMZ
Separate network segment that limits the functions exposed to the internet.
Intrusion Prevention System
Monitors traffic flow for attacks.
Transmission Control Protocol (TCP)
Procedures for dividing files into packets to be sent over the internet and reassembled at the destination.
Internet Protocol (IP)
Specifies the structure of packets and how to route them.
Packet Filtering
Reads packet headers to allow or deny traffic based on predefined rules.
Deep Packet Filtering
Process in which a firewall examines the data (payload) inside a packet, not just its header.
Log Analysis
Examine logs to find evidence of attacks.
Intrusion Detection System
System that creates logs of network traffic permitted to pass and analyzes those logs.
Honey Pots
Decoy system used to trap and deter attackers and give early warning of an attack.
Incident Response
Recognition, Contain, Recovery, Follow-up
Computer Incident Response Team
responsible for responding to and managing computer security incidents
Penetration Test
Authorized attempt to break into the organization's information system.
Confidentiality
Protection of information that is designated as confidential
Privacy
Pertains to personal information: what is collected and how it is collected, used, stored, and destroyed.
Private Data
Information about the business (customers, business partners, etc.).
Confidential Data
Organizational data that requires proper access controls.
Data loss prevention software
control over outbound communication to prevent unauthorized data exfiltration.
Info Rights Management Software
Specifies the actions a user can perform on specific documents or data.
Digital Watermark
detective control that identifies the source of a data breach
Digital Masking
Replaces personal information with fake values.
Encryption
way to protect data during transmission
Symmetric Encryption
One key is used to both encrypt and decrypt.
Asymmetric Encryption
Public key to encrypt
Private key to decrypt
Used for digital signatures
VPN
Routes the IP address through a proxy server.
Hashing
Plaintext → short code (digest)
Purposes of Digital Signatures
Authentication
Integrity
Non-repudiation
Blockchain
distributed ledger of hashed documents with copies on multiple computers
Management
Management assigns accountability for its privacy policies and procedures.
Notice
Notify users of the policy for collecting data.
Choice and consent
opt in vs opt out
Collection
Collect the information needed for analysis and decision-making purposes.
Use, retention, and disposal
Use information only for the stated business purpose.
Access
users can review, correct, and delete their info
Disclosure to third parties
Contracts with, and protections required of, third parties.
Security
protect from data loss or unauthorized access
Quality
accuracy and completeness
Monitoring and enforcement
compliance with policies and regulations regarding accounting information systems.
General Internal Controls
Ensure an organization's environment is stable.
IT Internal Controls
Ensure the accuracy of data captured, entered, processed, etc.
FCPA
No bribery of foreign officials.
Requires all public corporations to maintain internal controls.
SOX
prevent fraud
make financial reports transparent
protect investors
internal controls
Punish those who perpetrate fraud.
COSO - Internal Control Integrated Framework
CRIME
C: Control Environment
R: Risk Assessment
I: Information and Communication
M: Monitoring Activities
E: Existing Control Activities
Inherent Risk
Risk that exists before any plans are made to control it.
Residual Risk
Risk that remains after controls have been applied.
Risk Responses
Reduce: implement controls
Accept: do nothing, accept the likelihood
Share: buy insurance, outsource
Avoid: do not engage in the activity
Control Activities
Develop controls for risk and ensure policies are followed to mitigate risks.
Information and Communication
Communication and information systems that support the risk management process.
Monitoring
Evaluate ongoing controls and ensure they are effective in managing risks.
COSO - Enterprise Risk Framework
Governance & Culture
Strategy/Objective Setting
Performance
Review/Revision
Information, Communication, and Reporting
COBIT - Framework for IT controls
Control Objectives
Enterprise Governance of IT
Business and IT Alignment
Value Creation
Service Organization Controls
Control Activities Categories
Safeguarding assets, records, and data
Independent check on performance
Segregation of Duties
Segregation of Duties
Custodial: Inventory, Cash, and Checks
Recording: Prepare source documents, maintain journals, and prep reconciliations and reports
Authorization: Approving decisions/transactions
Specific Authorization
Permission needed for non-routine actions
General Authorization
Routine activities that don't need specific approval or permission (within normal limits).
Strategic Master Plan
A long-term roadmap aligning IT projects with the organization’s goals.
Project Milestones and Evaluation
Key checkpoints to track progress and performance of a project over time.
Data Processing Schedule
A timeline that outlines when data tasks should be run to keep systems on track.
Steering Committee
A group of senior stakeholders who oversee major IT projects and make strategic decisions.
System Performance Measurements
Metrics (like uptime, speed, error rate) used to evaluate how well a system is working.
Post-Implementation Reviews
An assessment done after a project goes live to evaluate what went well and what needs improvement.