Topics covered in this section include information systems, data governance, technology-enabled finance transformation, data analytics, business intelligence, data mining, analytical tools, and visualization.
Primary role of AIS in the value chain
To provide reliable and timely information to decision makers both inside and outside of the organization—in the form of official financial statements or as performance reports for internal users. AIS could connect an organization with the value chains of its customers, suppliers, and distributors.
Ownership status and reverse tracking
Supply chain applications are generally considered a good fit for blockchain technology due to:
Focused IT costs
Main advantage of an ERP (Enterprise Resource Planning) system. With a single source of accurate contextual information, an ERP system reduces administrative and operational costs. Instead of spending resources on multiple systems that each require dedicated staff, you can focus the cost on just one ERP system.
Internal Use Only
Most appropriate Data Classification tag to apply to a document that contains nonpublic information but is not considered sensitive, a trade secret, or personally identifiable information.
Preventive and Deterrent control
Fences and locks are both a _______. They deter and prevent unwanted activity as well as access to unauthorized areas.
Correlation
A term frequently used in conjunction with regression analysis, and is measured by the value of the coefficient of correlation, r. The best explanation of the value r is that it is a measure of the relative relationship between 2 variables.
transactional ; management
ERP systems focus on automating _______ processes, while EPM systems focus on automating _______ processes.
Ability to examine the contents of a packet
The characteristic that makes a firewall "advanced"
Permission
One single characteristic that separates a pen test from a real cyber attack. Attacks and pen tests should look the same. The only difference is that pen tests should be formally permitted by the target's owner.
Outliers
Histograms can help detect _____ in a data set. They show the number of observations in ranges of the variable. If relatively few observations are at either the upper or lower range, this could indicate the presence of this.
Dynamic cloud computing provisioning
Allows organizations to pay only for the IT capacity they need at a particular point in time.
Distributed denial-of-service (DDoS)
Occurs when multiple machines or a botnet—a group of internet-connected devices—send an attack to the target. Unfortunately, Internet of Things devices often do not have robust security features, so hackers can access them without owners noticing. It also increases the difficulty of attribution, as the real source of the attack is harder to identify.
Smurf attack
Occurs when the attacker sends Internet Control Message Protocol broadcast packets to several hosts with a spoofed source Internet Protocol (IP) address that belongs to the target machine.
SYN flood
Occurs when an attacker keeps sending requests but maliciously leaves a connected port open by failing to complete a three-way handshake in a Transmission Control Protocol (TCP)/IP network. This makes the port unavailable for further requests so that legitimate users cannot connect.
Virtualization
Rapid advances in what technology made cloud computing an affordable reality for nearly all organizations.
Rapid answers to ad hoc questions based on queries using basic keywords
What database query tools such as Structured Query Language can provide but generic reports from a database cannot.
Reversed ; re-entered
Blockchains cannot be changed, but transactions on them can be _____ and ______.
Unreadable
To address concerns about privacy of its data being transmitted over the internet, a company may implement data encryption because transforming plain text into ciphertext makes data ______ to unauthorized users.
Secure gateways
Another term for firewalls.
Pen test
A collection of activities in which security professionals carry out attacks against information systems to simulate attackers' actions.
Ex. Healthy Life, Inc. (HLI), is a health services company that specializes in managing health services scheduling. To ensure HIPAA compliance, HLI has engaged White Hat Security Group (WHSG) to evaluate the strength of its security controls. HLI wants WHSG to attempt to "break in" to its information systems to see how resilient they are to attacks.
Prescriptive vs. Diagnostic Analytics
Prescriptive analytics focuses on what should happen.
Examples include optimization and simulation models.
Diagnostic analytics focuses on why things happen.
Examples include correlation analysis and the size and strength of statistical relationships.
Descriptive vs. Predictive Analytics
Descriptive analytics focuses on what has already taken place.
Examples include statistical figures such as mean, median, and standard deviation.
Predictive analytics focuses on what will happen in the future.
Examples include what-if analysis and expected values.
Critical analysis and pattern recognition
AI works best with functions requiring ________, not with routine activities.
Dependent data mart
Created using a subset of data from an existing data warehouse. It is constructed using a top-down approach wherein all data is stored in one single central location. A defined part of the data is drawn out when needed for analysis.
Defining business objectives
The most important step when developing a predictive analytics model to ensure that the model provides actionable results.
Difference between on-premises and SaaS applications
SaaS applications are web-based applications delivered over the Internet and on-premises applications require access to an enterprise network.
Detect-and-respond
Regarding cyberattacks, this is a fundamental tenet of the defense-in-depth strategy.
Independent data mart
Constructed using a bottom-up approach. It is a stand-alone system and data is drawn from internal/external sources, instead of a data warehouse.
Binary
Logistic regression is used to predict this type of dependent variable, which can take two possible values (e.g. 0 or 1, True or False, Yes or No). It estimates the probability that a given input point belongs to a certain class.
Logistic regression
A statistical method used for predicting one of two outcomes for an event. Can help show the relationship between categorical and quantitative input/output.
Ex.
Predicting whether a customer will renew their subscription.
Classifying prospective customers as likely to respond favorably or unfavorably to a promotional campaign based on their demographic info.
Challenge to leverage insight from Big Data
To determine the veracity of a set of high-volume, high-variety data.
Benefits of cloud computing
Generally less expensive and provides greater agility. Allows multiple employees to use a browser to remotely access and use application software.
Large and structured
The systems development life cycle approach is best suited for projects that are:
Access log
The most effective technique for monitoring the security of access in an order-entry system. Helps identify unsuccessful access attempts.
Data management vs. Data governance
Data management handles technical aspects, whereas data governance sets policies.
Oversight of data from creation to disposal
The primary objective of data management within an organization.
Multiple module software package
Best describes an ERP system, as it is designed to manage all aspects of an enterprise.
Financing cycle
Encompasses all transactions involving the investment of capital, borrowing money, payment of interest, and loan repayments.
Advanced firewall
Also known as a next-generation firewall (NGFW); it can do far more than stateful inspection, including determining what kind of application is accessing the firewall (application filtering) and, based on certain rules, allowing or denying the access.
Smart contract
A computer code used to automate the issuance of virtual tokens or virtual coins.
“Break-the-glass procedure” scenario within the SDLC
A developer needs access to the production environment to fix a query that is causing performance issues; all his or her changes are approved subsequent to resolving the problem.
Decision tree
Visually depicts what steps are taken within the process flow of elements that would be automated by instructions or by bots.
Activity logging
A control under defenses against cyberattacks that, when implemented, would best assist in meeting the control objective that a system have the capability to hold users accountable for functions performed.
Compensating control
It is deployed to augment or enhance existing controls.
Ex. Adding encryption of data in transit (i.e., HTTPS) for data that was previously encrypted at rest.
5 Key Principles of ISACA's COBIT
Meeting Stakeholder Needs
Covering the Enterprise End-to-End
Applying a Single Integrated Framework
Enabling a Holistic Approach
Separating Governance from Management
Functions of a database management system (DBMS)
Backup and recovery
Encryption
Data integrity
Information technology (IT) governance
Consists of the leadership, organizational structures, and processes that ensure that the enterprise's IT supports the organization's strategies and objectives.
Information security governance
Can be defined as the process of establishing and maintaining a framework and supporting management structure and processes to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk.
Corporate governance
Represents the highest level of governance in terms of oversight function; controls all the other governance sub-functions such as data governance, information security governance, and information technology governance. Refers to the combination of processes and structures implemented by the board of directors to inform, direct, manage, and monitor the activities of an organization toward the achievement of its objectives.
Performance
An organization's ability to attain its goals by using resources in an efficient and effective manner.
Effectiveness
It is the degree to which an organization achieves a stated goal or objective.
Efficiency
It is the use of minimal resources—raw materials, money, and people—to provide a desired volume of output.
Performance measures of corporate performance management (CPM)
Productivity, effectiveness, efficiency, cycle times, and business velocities.
Productivity
A major common element between a corporate performance management (CPM) program and a country's gross domestic product (GDP) is best reflected in:
PDCA Process
When implementing strategy, most companies use this:
Plan: Management designs or revises business strategies.
Do: The company implements these strategies.
Check: The company assesses and reports performance.
Act: Determine how strategies can be changed or maintained in the future.
Foresight
Means being future-focused, encompassing compliance awareness, strategic planning, and operations planning. This is the ultimate goal of EPM.
Reduced human intervention
The major benefit of implementing corporate performance management (CPM) software.
3 Key sub-processes of EPM
Planning, Budgeting, and Forecasting
Performance Reporting
Profitability and Cost Analysis
Strategic implementation
EPM facilitates what?
Characteristics of an Enterprise Resource Planning (ERP)
Modular
A common or central database to support the entire system
Integrated and a consistent look and feel
Accounting Information System (AIS)
Adds value by providing necessary information that is used for analysis, evaluation, regulation, and strategic decision making.
Rapid elasticity
A key characteristic of cloud computing as systems can be configured to automatically increase their resources such as storage, RAM, or CPU based on the current utilization of the system.
On-demand self-service
A key characteristic of cloud computing as organizations can deploy new systems without direct interaction with the cloud service provider.
Resource pooling
A key characteristic of cloud computing as resources such as CPU cycles or RAM can be utilized based on the system needs.
Key characteristics of cloud computing
Rapid elasticity
On-demand self-service
Resource pooling
Intrusive scanning
Refers to automated testing that may cause target service disruptions or even service or device crashes.
Security audit
Evaluates whether controls exist that enforce compliance with security policy.
Vulnerability vs. Penetration assessment
A vulnerability assessment just identifies vulnerabilities that exist in assessed environments, but doesn't attempt to carry out any exploits against identified vulnerabilities.
A penetration test attempts to identify vulnerabilities and then carry out exploits against vulnerabilities to attempt to compromise a computing system.
Cyclical analysis
A type of time series analysis that exists when data exhibits rises and falls that are not of fixed period. The duration of these fluctuations is usually at least 2 years. Think of business cycles which usually last several years, but where the length of the current cycle is unknown beforehand.
Trend analysis
A type of time series analysis that provides quantified patterns in plotted data points over time. Often refers to techniques for extracting an underlying pattern of behavior in a time series which would otherwise be partly or nearly completely hidden by noise.
Seasonal analysis
A type of time series analysis that exists when a series is influenced by seasonal factors (e.g., the quarter of the year, the month, or day of the week). Seasonality is always of a fixed and known period. Hence, it is sometimes called periodic time series.
Irregular patterns
A type of time series analysis that results from short-term fluctuations in a series which are not systematic and, in some instances, not predictable (e.g., uncharacteristic weather patterns). Some irregular effects can, however, be expected in advance.
Steps needed when a data analyst is applying data mining tools and methods
Raw data → Normalized data → Data extraction → Data insights
Before data mining software tools are applied, the target raw datasets must be cleaned and normalized to remove missing, erroneous, or inappropriate data. Then, the normalized data is extracted or analyzed using several methods such as data analytics, statistical analysis, data mining methods, simulation technique, or forecasting methods to yield new insights.
Data Hierarchy
Data → Information → Knowledge → Insights → Results
Shows the progression of data from its origination to destination (i.e., data evolution). Raw data is edited and processed to give knowledge-embedded information that is subjected to analysis to yield actionable insights that lead to making decisions to produce expected results.
Ideal candidate (process) for the utilization of blockchain
A process to automatically create a record of who has accessed information or records.
Systems design
Divided into conceptual design (logical design) and physical design.
Logical design: defining data elements, database structures, and data dictionaries; mapping computer screen flows; defining computer program flows with interfaces to other programs; and defining input, processing, and output requirements.
Physical design: developing computer program specifications; developing data file layout specifications; defining computer job flows; and defining computer hardware, software, and mobile devices needed to operate and use the new system.
Advantages of DBMS
Data security
Robust data integrity capabilities
Logging and auditing of activity
Non-normalized
A characteristic of a data warehouse. Quite often, the data contained in a data warehouse is redundant.
Component in both COSO + ERM
Control activities exist in both of COSO's Internal Control and Enterprise Risk Management frameworks.
Major challenges in maintaining separate financial systems and nonfinancial systems
I. Two sets of books
II. Unsynchronized data
III. Inconsistent results
IV. Conflicting decisions
Closest to zero
To identify the weakest correlation, we need to determine the coefficient of correlation that is:
Revenue to Cash Cycle
Refers to the process of taking orders, shipping products or delivering services, billing customers, and collecting cash from sales.
Relevant records—Revenue to Cash Cycle
Customer purchase orders, sales orders, picking tickets, shipping documents, invoices, and cash receipts.
Expenditure Cycle
The process of placing orders, receiving shipment of products or delivery of services, approving invoices, and making cash payments.
Relevant records—Expenditure Cycle
Purchase requisitions, purchase orders, receiving reports, and invoices.
Production Cycle
The process by which materials are converted into finished goods.
Relevant records—Production Cycle
Cost accounting reports, bills of materials, customer orders, production schedules, production orders, material requisitions, move tickets, operations reports, job-time tickets, and cost of goods manufactured reports.
Human Resources and Payroll Cycle
The process of recruiting, interviewing, and hiring personnel, paying employees for their work, promoting employees, and finalizing employees’ status from retirements, firings, or voluntary terminations.
Relevant records—Human Resources and Payroll Cycle
Master payroll files, time reports, hiring, promotion, transfer, and firing records, tax and insurance rate records, and individual employment records with data such as withholdings and deductions.
Financing Cycle
The process of obtaining funding, through debt or equity, to run an organization's activities and to purchase PPE, servicing the financing, and ultimately repaying financial obligations.
Relevant records—Financing Cycle
Cash budgets, debt instrument records, equity holding records, and repayment schedules.
Property, Plant, and Equipment Cycle
The process of acquiring resources (e.g., land, buildings, and machinery) needed to enable an organization's business activities.
Relevant records—Property, Plant, and Equipment Cycle
Acquisition records, depreciation schedules, and disposal reports.
General Ledger and Reporting System
The process of recording, classifying, and categorizing an organization's economic transactions and producing summary financial reports.
Relevant records—General Ledger and Reporting System
General and subsidiary ledgers, financial statements, and managerial reports.
Challenges of having separate financial and nonfinancial systems
Primary challenge: data maintenance—that is, making sure the data is accurately linked in both systems.
When the two systems are separate, the data must be reconciled to make sure they are measuring the same thing.
If the data the systems draw upon is not located in the same place or database, extensive controls must be created and maintained in order to avoid costly errors and inconsistencies.
Enterprise Resource Planning (ERP)
The integrated management of core business processes. Brings together business functions such as inventory management, operations, accounting, finance, human resources, and supply chain management.
Advantages of ERP
Include the availability of real-time data, wide distribution of information, single system learning, and lower operational costs.
Data security
Customization
Transparency
Centralization of data
Disadvantages of ERP
Include high initial monetary, implementation, and training costs.
How ERP helps overcome the challenges of separate financial & nonfinancial systems
ERP enables a single information system to provide both financial and nonfinancial information to users. This reduces the errors that can arise when different systems draw on different information sources.
Ex. An ERP can link the CRM system to AIS to reduce errors and increase information usefulness.