Textbook Notes/Key Terms

187 Terms

1
any potential adverse occurrence or unwanted event that could injure the AIS or the organization; aka event

threat

2
potential dollar loss if a particular threat becomes a reality

exposure/impact

3
probability that a threat will come to pass

likelihood/risk

4
processes and procedures implemented to provide reasonable assurance that control objectives are met

internal controls

5
Controls that deter problems before they arise

preventative controls

6
Ex(s) of ___ controls: hiring qualified personnel, segregating employee duties, controlling physical access to assets and info

preventative

7
Controls designed to discover control problems that were not prevented

detective controls

8
Ex(s) of ___ controls: duplicate checking of calculations, preparing monthly bank reconciliations and trial balances, and reports

detective

9
Controls that identify and correct problems as well as correct and recover from the resulting errors

corrective controls

10
Ex(s) of ___ controls: maintaining backup copies of files, correcting data entry errors, resubmitting transactions for subsequent processing

corrective

11
Controls designed to make sure an organization's information system and CONTROL ENVIRONMENT are stable and well managed

general controls

12
Ex(s) of ___ controls: security, IT infrastructure, software acquisition/development/maintenance controls

general

13
Controls that prevent, detect, and correct TRANSACTION errors and fraud in application programs; concerned with accuracy, completeness, validity, and authorization of the data captured, entered into the system, processed, stored, transmitted to other systems, and reported

application controls

14
What are the four levels that help management reconcile the conflict between creativity and controls?

belief system
boundary system
diagnostic control system
interactive control system

15
system that describes how a company creates value, helps employees understand management’s vision, communicates company core values

belief system

16
system that helps employees act ethically by setting boundaries on employee behavior; instead of telling employees exactly what to do, they are encouraged to creatively solve problems and meet customer needs while meeting minimum performance standards, shunning off-limits activities, and avoiding actions that might damage their reputation

boundary system

17
system that measures, monitors, and compares actual company progress to budgets and performance goals; feedback is used to help management adjust and fine-tune inputs and processes so future outputs more closely match goals

diagnostic control system

18
system that helps managers focus subordinates' attention on key strategic issues and be more involved in their decisions; data are interpreted and discussed in face-to-face meetings with superiors, subordinates, and peers

interactive control system

19
legislation passed to prevent companies from bribing foreign officials to obtain business; also requires all publicly owned corporations to maintain a system of internal accounting controls

Foreign Corrupt Practices Act of 1977 (FCPA)

20
legislation intended to prevent financial statement fraud, make financial reports more transparent, provide protection to investors, strengthen internal controls at public companies, and punish executives who perpetrate fraud

Sarbanes-Oxley Act of 2002 (SOX)

21
What are the most important aspects of SOX (5)?

PCAOB created
Audit standards raised
Audit committees required
Management must certify financial statements
Section 404: separate internal controls report from auditors

22
board created by SOX that regulates the auditing profession

Public Company Accounting Oversight Board (PCAOB)

23
What are the three frameworks used to develop internal control systems?

COBIT
COSO IC
COSO ERM

24
a security and control framework that allows:
(1) management to benchmark the security and control practices of IT environments,
(2) users of IT services to be assured that adequate security and control exist, and
(3) auditors to substantiate their internal control opinions and advise on IT security and control matters

Control Objectives for Information and Related Technology (COBIT)

25
What are the 5 key principles of IT governance and management that COBIT 2019 is based on?

Meeting stakeholder needs
Covering the enterprise end to end
Applying a single, integrated framework
Enabling a holistic approach
Separating governance from management

26
a private-sector group consisting of the American Accounting Association, the AICPA, the Institute of Management Accountants, and the Financial Executives Institute

Committee of Sponsoring Organizations (COSO)

27
a framework that defines the internal controls and provides guidance for evaluating and enhancing internal control systems; widely accepted authority on internal controls incorporated into policies, rules, and regulations used to control business activities

COSO IC

28
What are the five components of the COSO IC framework?

Control environment
Risk assessment
Control activities
Information and communication
Monitoring

29
company culture that is the foundation for all other internal control components, as it influences how organizations establish strategies and objectives, structure business activities, and identify, assess, and respond to risk

control environment

30
What does a control environment consist of? (7 factors)

Management’s philosophy, operating style, and risk appetite
Commitment to integrity, ethical values, and competence
Internal control oversight by the BOD
Organizational structure
Methods of assigning authority and responsibility
HR standards (to attract, develop, and retain competent individuals)
External influences

31
What is an example of an ineffective control environment that resulted in financial failure?

Enron: management engaged in risky and dubious practices which the BOD never questioned

32
to avoid undue risk, the risk appetite must be aligned with:

company strategy

33
committee that is outside/independent of the BOD where members are responsible for financial reporting, regulatory compliance, internal control, and hiring/overseeing internal and external auditors

Audit committee

34
document that explains proper business practices, describes needed knowledge and experience, explains documentation procedures, explains how to handle transactions, and lists the resources provided to carry out specific duties; includes the chart of accounts and copies of forms and documents; helpful as an on-the-job reference for current employees and for training new employees

Policy and procedures manual

35
susceptibility of a set of accounts or transactions to significant control problems in the absence of internal control

inherent risk

36
risk that remains after management implements internal controls or some other response to risk

residual risk

37
mathematical product of the potential dollar loss that would occur should a threat become a reality and the risk or probability that the threat will occur

expected loss

38
Expected loss =

impact × likelihood

39
policies, procedures, and rules that provide reasonable assurance that control objectives are met and risk responses are carried out

control activities

40
Control procedures fall into the following categories: (7)

Proper authorization of transactions and activities
Segregation of duties
Project development and acquisition controls
Change management controls
Design and use of documents and records
Safeguarding assets, records, and data
Independent checks on performance

41
process of restricting access of authenticated users to specific portions of the system and limiting what actions they are permitted to perform

authorization

42
hash encrypted with the hash creator’s private key

digital signature

43
special approval an employee needs in order to be allowed to handle a transaction

specific authorization

44
authorization given to employees to handle routine transactions without special approval

general authorization

45
What needs to be separated for proper separation of accounting duties?

Authorization
Custody
Recording

46
cooperation between two or more people in an effort to thwart internal controls

collusion

47
implementing control procedures to clearly divide authority and responsibility within the information system function

segregation of systems duties

48
What are the 7 information systems functions among which authority and responsibility need to be divided for proper segregation of systems duties?

Authorization
Monitoring
Data Entry
Programming
Operations
Data Storage
Users

49
people who help users determine their info needs, study existing systems, design new ones, and prepare specifications used by computer programmers

system analysts

50
people who use the analysts' design to create and test computer programs

computer programmers

51
people who operate the company’s computers; they ensure that data are input properly, processed correctly, and that needed output is produced

computer operators

52
people who record transactions, authorize data processing, and use system output

users

53
people responsible for making sure all info systems operate smoothly and efficiently

system administrators

54
people who ensure that devices are linked to the organization's internal and external networks and that those networks operate properly

network administrators

55
What are some of the people management relies on to manage and monitor the AIS?

systems administrators, network managers, security managers, change management, and database administrators

56
people who make sure that systems are secure and protected from internal and external threats

security management

57
people who make sure that changes are made smoothly and efficiently and do not negatively affect system reliability, security, confidentiality, integrity, and availability

change management

58
ensures that source data have been properly approved, monitors the flow of work through the computer, reconciles input and output, maintains a record of input errors to ensure their correction and resubmission, and distributes system output

data control

59
responsible for coordinating, controlling, and managing the database

database administrators

60
examination of the relationships between different sets of data

analytical review

61
percentage of time a system is used

utilization

62
amount of work a system processes in a given period of time

throughput

63
Employee independent of all info system functions who monitors the system, disseminates info about improper system uses and their consequences, and reports to top management

Computer security officer (CSO)

64
employee responsible for all the compliance tasks associated with SOX and other laws and regulatory rulings

Chief Compliance Officer (CCO)

65
individuals who specialize in fraud, most of whom have specialized training with law enforcement agencies such as the FBI or IRS or have professional certifications such as Certified Fraud Examiner (CFE)

Forensic investigators

66
computer experts who discover, extract, safeguard, and document computer evidence such that its authenticity, accuracy, and integrity will not succumb to legal challenges

computer forensics specialist

67
Computer systems that imitate the brain's learning process by using a network of interconnected processors that perform multiple operations simultaneously and interact dynamically

neural networks

68
What is an effective way to comply with the law and resolve whistleblower conflicts?

fraud hotline

69
What is the downside of fraud hotlines?

many calls are not worth investigating

70
The Trust Services Framework organizes IT-related controls into 5 principles that contribute to systems reliability. What are they?

Security
Confidentiality
Privacy
Processing Integrity
Availability

71
protection of sensitive corporate data from unauthorized disclosure

confidentiality

72
ensures accuracy of data

processing integrity

73
means system and data can be accessed when needed

availability

74
ensures that personal info from customers, suppliers, and employees is collected, used, disclosed, and maintained in a manner that is consistent with organization policies

privacy

75
controls and restricts access to systems and data

security

76
What is the equation for the time-based model of information security?

P > D + R

77
employing multiple layers of controls to avoid a single point of failure

defense in depth

78
What are the types of preventative controls in the time-based model of information security (7)?

Physical access controls
Authentication
Authorization
Anti-malware
Network access controls (firewalls/intrusion prevention systems)
Device and software hardening
Encryption

79
What are the types of detective controls in the time-based model of information security?

Log analysis
Intrusion detection systems
Honeypots
Continuous monitoring

80
What are the types of response controls in the time-based model of information security?

Computer incident response teams (CIRT)
Chief information security officer (CISO)

81
process of verifying the identity of the person or device attempting to access the system

authentication

82
What are the three things that can be used for authentication?

Something the person has
Something the person knows
A biometric identifier

83
The use of two or more types of authentication credentials in conjunction to achieve a greater level of security

Multi-factor authentication

84
the use of multiple authentication credentials of the same type to achieve a greater level of security

multimodal authentication

85
table used to implement authorization controls

access control matrix

86
matching the user authentication credentials against the access control matrix to determine whether that employee should be allowed to access that resource and perform the requested action

compatibility test

87
device that connects an organization's information system to the internet

border router

88
special-purpose hardware device, or software running on a general-purpose computer, that controls both inbound and outbound communication between the system behind the device and other networks; sits behind the border router

firewall

89
a separate network located outside the organization's internal information system that permits controlled access from the internet

Demilitarized zone (DMZ)

90
special-purpose devices designed to read the source and destination address fields in IP packet headers to decide where to send (route) the packet next

routers

91
Set of if-then rules used to determine what to do with arriving packets

access control list (ACL)

92
process that uses various fields in a packet’s IP and TCP headers to decide what to do with the packet

packet filtering

93
a process that examines the data in the body of a TCP packet to control traffic, rather than looking only at the information in the IP and TCP headers

deep packet inspection

94
Software or hardware that monitors patterns in the traffic flow to identify and automatically block attacks

intrusion prevention systems

95
Collective term for the workstations, servers, printers, and other devices that comprise an organization’s network

endpoints

96
automated tools designed to identify whether a given system possesses any unused and unnecessary programs that represent potential security threats

vulnerability scanners

97
What are the activities involved in managing endpoint security that COBIT finds most important?

Endpoint configuration
User account management
Software design

98
program designed to take advantage of a known vulnerability

exploit

99
process of regularly applying patches and updates to software

patch management

100
process of modifying the default configuration of endpoints to eliminate unnecessary settings and services

hardening