Who created the COBIT framework?
Information Systems Audit and Control Association (ISACA)
Explain the COBIT framework.
Focuses on IT controls
IT general controls that electronic information is complete and accurate
Accounting and IT work together
Why do we need the COBIT framework in addition to the ERM and IC frameworks?
Because the COSO frameworks do not specifically address IT controls.
What do the COSO-IC and COSO-ERM frameworks address?
Business Process controls designed to address specific financial risks.
What is the difference between Financial and Operational IT controls?
The control actions are the same, but the involved systems are different.
Explain the difference between IT Controls and Business Process Controls.
IT Controls - intended to protect ALL cycles
BP Controls - Intended to address the risks of a specific business process cycle.
Explain the common user access structure in AIS.
Tasks - the individual functions a user can do in an AIS
Roles - a grouping of tasks to save time in granting access… assign a role to a user instead of 100s of tasks
User ID - used to grant access to tasks via its assigned roles
What are the 3 types of authentication methods?
something the user knows (passwords)
something the user has (random PIN like DUO)
something that is part of the user (biometrics)
What is multifactor authentication?
when more than one user authentication type is used.
Explain User Access Review.
Both Tasks and Roles have to be reviewed together. An appropriate person is reviewing access, and should not review their own access.
Explain Encryption.
“Keys” that are required to open digital files so that they are readable.
Explain Keys and Algorithm.
Recipient's public key is found first (by computer) and is sent with the encrypted message. Then the recipient's private key is used to match the public key and open the encrypted message.
Algorithm is the formula that converts the encryption to actual text if the private key is correct.
Why is change management considered a high risk/SOX area?
Because changes to code can affect how financial transactions are processed, and can be difficult to detect.
What were the two specific encryption types listed in the notes?
Digital Certificates and Digital signatures
Explain Digital Certificate. Give an example.
certifies the owner of the document is who they say they are. Example - the secure lock demonstrates a website certificate.
List and explain the 4 encryption regulations.
Payment Card Industry(PCI) - credit card data
Health Insurance Portability and Accountability Act (HIPAA) - Individual health record information (protected health information - PHI)
Gramm-Leach-Bliley Act (GLBA) - Customer data maintained in the financial services industry
Equal Employment Opportunity Commission (EEOC) - Personally identifiable Information (PII) of company employees
Explain Firewalls.
software and hardware that surrounds our network to keep invalid users out. Therefore, a source of a message can only come from inside the network.
Explain risks caused by Portable Devices.
Portable devices can be lost or stolen, and third party apps or service providers could have access to saved data.
Explain Cloud Computing and possible risks.
Using a network of computers to manage files or software, which allows for easier collaboration and less reliance on physical hardware. But some risks include increased transit activity, or third party host having access to saved data.
Explain Intrusion Detection Systems.
monitor network activity for “strange” access attempts.
What are the Risks associated with Change Management?
Some changes to the AIS functionality or reports may make financial data incomplete or inaccurate
What are the Controls associated with Change Management
Changes to the AIS should be tested and approved (by developer/programmer) prior to being implemented by the operations department.
Appropriate personnel should make the changes through segregation of duties, and should be logged and monitored.
What does RAID stand for?
redundant arrays of independent drives
What is the difference between RAID and real-time mirroring?
The number of computers involved.
RAID - two twin drives in one computer
RT mirroring - twins saved on two different computers
Explain the difference between Disaster Recovery Plan and Business Recovery Plan.
DRP - should be defined for data centers that house financial data; how a company will restore its IT functions when data center fails due to a disaster.
BRP - should be defined for non-IT functions; how a company’s operations are affected by disaster
List the examples given in the notes to make a building natural-disaster proof.
Flood - raise computers above ground
Fire - fire suppression foam or an oxygen vacuum
Lightning - surge protectors
Define UPS and explain its purpose along with a backup generator.
UPS stands for Uninterrupted Power Supply. It looks like a bunch of car batteries and provides immediate power if there is an outage, but it can only keep the data center running for minutes until the backup generators can turn on (they are the size of a train car).
Explain the difference between Full, Incremental and Differential backups.
Full - usually includes ALL master and transactional data history; very inefficient
Incremental - data since the last backup of ANY KIND
Differential - all data since the last FULL BACKUP
Which backup type is best if the company needs to quickly recover data or is paranoid about losing data and is fine with redundant backups?
Differential
Which backup type is best if we want backups to finish quickly, the company is concerned about high costs, or the company has a low recovery point objective?
Incremental
Explain the periodic testing of backups.
About once a year, a test should be conducted to make sure the backups can actually be used in the AIS if they are needed.
What is a Recovery Point Objective? What does it mean if it is low versus high?
RPO is how much data would potentially be lost, and what the company's goal is.
Low means that the company cannot tolerate a lot of data loss, but high means that they can.
Consider the following facts to answer the question:
1) Full backups occur monthly at 12:00 AM (midnight) on the first day of the month (e.g. May 1)
2) Incremental backups occur daily at 12:00 AM (midnight) on all days other than the first of the month, and take 15 minutes to back up
3) Full backups take 1 hour to be restored and incremental backups take 30 minutes to be restored; there is no transition time to move from restoring one to another
4) Assume a disaster occurred at 1:00 AM on May 9th.
How long will recovering the backups take?
5 hours
What is the difference between a cold, hot, and warm site?
The amount of time it would take to relocate to this data site, if needed.
Cold - Purchase rights to a secondary location that is empty and without any computers. Takes time to set up if needed
Hot - Almost duplicate of the current data center. Can switch to at any time if needed.
Warm - Somewhere in between
Why should companies have a disaster recovery plan? Select all that apply. (3)
Because without one, a company would take an extremely long amount of time to start a new data center
Because situations that may disrupt a data center's operations are more common than we'd like to think, and it's good to be prepared
Because insurance companies probably require it