any potential adverse occurrence or unwanted event that could injure the AIS or the organization; aka event
threat
potential dollar loss if a particular threat becomes a reality
exposure/impact
probability that a threat will come to pass
likelihood/risk
processes and procedures implemented to provide reasonable assurance that control objectives are met
internal controls
Controls that deter problems before they arise
preventative controls
Ex(s) of ___ controls: hiring qualified personnel, segregating employee duties, controlling physical access to assets and info
preventative
Controls designed to discover control problems that were not prevented
detective controls
Ex(s) of ___ controls: duplicate checking of calculations, preparing monthly bank reconciliations and trial balances, and reports
detective
Controls that identify and correct problems as well as correct and recover from the resulting errors
corrective controls
Ex(s) of ___ controls: maintaining backup copies of files, correcting data entry errors, resubmitting transactions for subsequent processing
corrective
Controls designed to make sure an organization's info system and CONTROL ENVIRONMENT is stable and well managed
general controls
Ex(s) of ___ controls: security, IT infrastructure, software acquisition/development/maintenance controls
general
Controls that prevent, detect, and correct TRANSACTION errors and fraud in application programs; concerned with accuracy, completeness, validity, and authorization of the data captured, entered into the system, processed, stored, transmitted to other systems, and reported
application controls
What are the four levels that help management reconcile the conflict between creativity and controls?
belief system
boundary system
diagnostic control system
interactive control system
system that describes how a company creates value, helps employees understand management’s vision, communicates company core values
belief system
system that helps employees act ethically by setting boundaries on employee behavior; instead of telling employees exactly what to do, they are encouraged to creatively solve problems and meet customer needs while meeting minimum performance standards, shunning off-limits activities, and avoiding actions that might damage their reputation
boundary system
system that measures, monitors, and compares actual company progress to budgets and performance goals; feedback is used to help management adjust and fine-tune inputs and processes so future outputs more closely match goals
diagnostic control system
system that helps managers focus subordinates' attention on key strategic issues and be more involved in their decisions; data are interpreted and discussed in face-to-face meetings with superiors, subordinates, and peers
interactive control system
legislation passed to prevent companies from bribing foreign officials to obtain business; also requires all publicly owned corporations to maintain a system of internal accounting controls
Foreign Corrupt Practices Act of 1977 (FCPA)
legislation intended to prevent financial statement fraud, make financial reports more transparent, provide protection to investors, strengthen internal controls at public companies, and punish executives who perpetrate fraud
Sarbanes-Oxley Act of 2002 (SOX)
What are the most important aspects of SOX (5)?
PCAOB created
Audit standards raised
Audit committees required
Management must certify financial statements
Section 404: separate internal controls report from auditors
board created by SOX that regulates the auditing profession
Public Company Accounting Oversight Board (PCAOB)
What are the three frameworks used to develop internal control systems?
COBIT
COSO IC
COSO ERM
a security and control framework that allows:
(1) management to benchmark the security and control practices of IT environments,
(2) users of IT services to be assured that adequate security and control exist, and
(3) auditors to substantiate their internal control opinions and advise on IT security and control matters
Control Objectives for Information and Related Technology (COBIT)
What are the 5 key principles of IT governance and management that COBIT 2019 is based on?
Meeting stakeholder needs
Covering the enterprise end to end
Applying a single, integrated framework
Enabling a holistic approach
Separating governance from management
a private-sector group consisting of the American Accounting Association, the AICPA, the Institute of Management Accountants, and the Financial Executives Institute
Committee of Sponsoring Organizations (COSO)
a framework that defines the internal controls and provides guidance for evaluating and enhancing internal control systems; widely accepted authority on internal controls incorporated into policies, rules, and regulations used to control business activities
COSO IC
What are the five components of the COSO IC framework?
Control environment
Risk assessment
Control activities
Information and communication
Monitoring
company culture that is the foundation for all other internal control components, as it influences how organizations establish strategies and objectives, structure business activities, and identify/assess/respond to risk
control environment
What does a control environment consist of? (7 factors)
Management’s philosophy, operating style, and risk appetite
Commitment to integrity, ethical values, and competence
Internal control oversight by the BOD
Organizational structure
Methods of assigning authority and responsibility
HR standards (to attract, develop, and retain competent individuals)
External influences
What is an example of an ineffective control environment that resulted in financial failure?
Enron: management engaged in risky and dubious practices which the BOD never questioned
to avoid undue risk, the risk appetite must be aligned with:
company strategy
committee that is outside/independent of the BOD where members are responsible for financial reporting, regulatory compliance, internal control, and hiring/overseeing internal and external auditors
Audit committee
document that explains proper business practices, describes needed knowledge and experience, explains document procedures, explains how to handle transactions, and lists the resources provided to carry out specific duties; includes the chart of accounts and copies of forms and documents; helpful as an on-the-job reference for current employees and for training new employees
Policy and procedures manual
susceptibility of a set of accounts or transactions to significant control problems in the absence of internal control
inherent risk
risk that remains after management implements internal controls or some other response to risk
residual risk
mathematical product of the potential dollar loss that would occur should a threat become a reality and the risk or probability that the threat will occur
expected loss
Expected loss =
impact × likelihood
policies, procedures, and rules that provide reasonable assurance that control objectives are met and risk responses are carried out
control activities
Control procedures fall into the following categories: (7)
Proper authorization of transactions and activities
Segregation of duties
Project development and acquisition controls
Change management controls
Design and use of documents and records
Safeguarding assets, records, and data
Independent checks on performance
process of restricting access of authenticated users to specific portions of the system and limiting what actions they are permitted to perform
authorization
hash encrypted with the hash creator’s private key
digital signature
special approval an employee needs in order to be allowed to handle a transaction
specific authorization
authorization given to employees to handle routine transactions without special approval
general authorization
What needs to be separated for proper separation of accounting duties?
Authorization
Custody
Recording
cooperation between two or more people in an effort to thwart internal controls
collusion
implementing control procedures to clearly divide authority and responsibility within the information system function
segregation of systems duties
What are the 7 information systems functions among which authority and responsibility must be divided for proper segregation of systems duties?
Authorization
Monitoring
Data Entry
Programming
Operations
Data Storage
Users
people who help users determine their info needs, study existing systems, design new ones, and prepare specifications used by computer programmers
system analysts
people who use the analysts' design to create and test computer programs
computer programmers
people who operate the company’s computers; they ensure that data are input properly, processed correctly, and that needed output is produced
computer operators
people who record transactions, authorize data processing, and use system output
users
people responsible for making sure all info systems operate smoothly and efficiently
system administrators
people who ensure that devices are linked to the organization's internal and external networks and that those networks operate properly
network administrators
What are some of the people management teams rely on to manage and monitor the AIS?
systems administrators, network managers, security managers, change management, and database administrators
people who make sure that systems are secure and protected from internal and external threats
security management
people who make sure that changes are made smoothly and efficiently and do not negatively affect systems reliability, security, confidentiality, integrity, and availability
change management
ensures that source data have been properly approved, monitors the flow of work through the computer, reconciles input and output, maintains a record of input errors to ensure their correction and resubmission, and distributes systems output
data control
responsible for coordinating, controlling, and managing the database
database administrators
examination of the relationships between different sets of data
analytical review
percentage of time a system is used
utilization
amount of work a system processes in a given period of time
throughput
Employee independent of all info system functions who monitors the system, disseminates info about improper system uses and their consequences, and reports to top management
Computer security officer (CSO)
employee responsible for all the compliance tasks associated with SOX and other laws and regulatory rulings
Chief Compliance Officer (CCO)
individuals who specialize in fraud, most of whom have specialized training with law enforcement agencies such as the FBI or IRS or have professional certifications such as Certified Fraud Examiner (CFE)
Forensic investigators
computer experts who discover, extract, safeguard, and document computer evidence such that its authenticity, accuracy, and integrity will not succumb to legal challenges
computer forensics specialist
Computer systems that imitate the brain's learning process by using a network of interconnected processors that perform multiple operations simultaneously and interact dynamically
neural networks
What is an effective way to comply with the law and resolve whistleblower conflicts?
fraud hotline
What is the downside of fraud hotlines?
many calls are not worth investigating
The Trust Services Framework organizes IT-related controls into 5 principles that contribute to systems reliability
Security
Confidentiality
Privacy
Processing Integrity
Availability
protection of sensitive corporate data from unauthorized disclosure
confidentiality
ensures accuracy of data
processing integrity
means system and data can be accessed when needed
availability
ensures that personal info from customers, suppliers, and employees is collected, used, disclosed, and maintained in a manner that is consistent with organization policies
privacy
controls and restricts access to systems and data
security
What is the equation for the time-based model of information security?
P > D + R
employing multiple layers of controls to avoid a single point of failure
defense in depth
What are the types of preventative controls in the time-based model of info security (7)?
Physical access controls
Authentication
Authorization
Anti-malware
Network access controls (firewalls/intrusion prevention systems)
Device and software hardening
Encryption
What are the types of detective controls in the time-based model of info security?
Log analysis
Intrusion detection systems
Honeypots
Continuous monitoring
What are the types of response controls in the time-based model of info security?
Computer incident response teams (CIRT)
Chief information security officer (CISO)
process of verifying the identity of the person or device attempting to access the system
authentication
What are the three things that can be used for authentication?
Something the person has
Something the person knows
A biometric identifier
The use of two or more types of authentication credentials in conjunction to achieve a greater level of security
Multi-factor authentication
the use of multiple authentication credentials of the same type to achieve a greater level of security
multimodal authentication
table used to implement authorization controls
access control matrix
matching the user authentication credentials against the access control matrix to determine whether that employee should be allowed to access that resource and perform the requested action
compatibility test
device that connects an organization's info system to the internet
border router
special-purpose hardware device or software running on a general-purpose computer that controls both inbound and outbound communication between the system behind this device and other networks; sits behind the border router
firewall
a separate network located outside the organization's internal info system that permits controlled access from the internet
Demilitarized zone (DMZ)
special-purpose devices designed to read the source and destination address fields in IP packet headers to decide where to send (route) the packet next
routers
Set of if-then rules used to determine what to do with arriving packets
access control list (ACL)
process that uses various fields in a packet’s IP and TCP headers to decide what to do with the packet
packet filtering
a process that examines the data in the body of a TCP packet to control traffic, rather than looking only at the info in the IP and TCP headers
deep packet inspection
Software or hardware that monitors patterns in the traffic flow to identify and automatically block attacks
intrusion prevention systems
Collective term for the workstations, servers, printers, and other devices that comprise an organization’s network
endpoints
automated tools designed to identify whether a given system possesses any unused and unnecessary programs that represent potential security threats
vulnerability scanners
What are the activities involved in managing endpoint security that COBIT finds most important?
Endpoint configuration
User account management
Software design
program designed to take advantage of a known vulnerability
exploit
process of regularly applying patches and updates to software
patch management
process of modifying the default configuration of endpoints to eliminate unnecessary settings and services
hardening