Textbook Notes/Key Terms

any potential adverse occurrence or unwanted event that could injure the AIS or the organization; aka event

threat

potential dollar loss if a particular threat becomes a reality

exposure/impact

probability that a threat will come to pass

likelihood/risk

processes and procedures implemented to provide reasonable assurance that control objectives are met

internal controls

Controls that deter problems before they arise

preventative controls

Ex(s) of ___ controls: hiring qualified personnel, segregating employee duties, controlling physical access to assets and info

preventative

Controls designed to discover control problems that were not prevented

detective controls

Ex(s) of ___ controls: duplicate checking of calculations, preparing monthly bank reconciliations and trial balances, and reports

detective

Controls that identify and correct problems as well as correct and recover from the resulting errors

corrective controls

Ex(s) of ___ controls: maintaining backup copies of files, correcting data entry errors, resubmitting transactions for subsequent processing

corrective

Controls designed to make sure an organizations info system and CONTROL ENVIRONMENT is stable and well managed

general controls

Ex(s) of ___ controls: security, IT infrastructure, software acquisition/development/maintenance controls

general

Controls that prevent, detect, and correct TRANSACTION errors and fraud in application programs; concerned with accuracy, completeness, validity, and authorization of the data captured, entered into the system, processed, stored, transmitted to other systems, and reported

application controls

What are the four levels to help management reconcile the conflict between creativity and controls

belief system
boundary system
diagnostic control system
interactive control system

system that describes how a company creates value, helps employees understand management’s vision, communicates company core values

belief system

system that helps employees act ethically by setting boundaries on employee behavior; instead of telling employees exactly what to do, they are encouraged to creatively solve problems and meet customer needs while meeting minimum performance standards, shunning off limit activities, and avoiding actions that might damage their reputation

boundary system

system that measures, monitors, and compares actual company progress to budgets and performance goals; feedback is used to help management adjust and fine-tune inputs and processes so future outputs more closely match goals

diagnostic control system

system that helps managers focus subordinates attention on key strategic issues and to be more involved in their decisions; data are interpreted and discussed in face to face meetings with superiors, subordinates, and peers

interactive control system

legislation passed to prevent companies from bribing foreign officials to obtain business; also requires all publicly owned corps to maintain a system of internal accounting controls

Foreign Corrupt Practices Act of 1977 (FCPA)

legislation intended to prevent financial statement fraud, make financial reports more transparent, provide protection to investors, strengthen internal controls at public companies, and punish executives who perpetrate fraud

Sarbanes-Oxley Act of 2002 (SOX)

What are the most important aspects of SOX (5)?

PCAOB created
Audit standards raised
Audit committees required
Management must certify financial statements
Section 404- separate internal controls report from auditors

board created by SOX that regulates the auditing profession

Public Company Accounting Oversight Board (PCAOB)

What are the three frameworks used to develop internal control systems?

COBIT
COSO IC
COSO ERM

a security and control framework that allows:
(1) management to benchmark the security and control practices of IT environments,
(2) users of IT services to be assured that adequate security and control exist, and
(3) auditors to substantiate their internal control opinions and advise on IT security and control matters

Control Objectives for Information and Related Technology (COBIT)

What are the 5 key principles of IT governance and management that COBIT 2019 is based on?

Meeting stakeholder needs
Covering the enterprise end to end
Applying a single, integrated frame work
Enabling a holistic approach
Separating governance from management

a private-sector group consisting of the American Accounting Association, the AICPA, the Institute of Management Accountants, and the Financial Executives Institute

Committee of Sponsoring Organizations (COSO)

a framework that defines the internal controls and provides guidance for evaluating and enhancing internal control systems; widely accepted authority on internal controls incorporated into policies, rules, and regulations used to control business activities

COSO IC

What are the five components of the COSO IC framework?

Control environment
Risk assessment
Control activities
Information and communication
Monitoring

company culture that is the foundation for all other internal control components, as it influences how organizations establish strategies and objectives, structure to busn activities, and identify/assess/respond to risk

control environment

What does a control environment consist of? (7 factors)

Management’s philosophy, operating style, and risk appetite
Commitment to integrity, ethical values, and competence
Internal control oversight by the BOD
Organizational structure
Methods of assigning authority and responsibility
HR standards (to attract, develop, and retain competent individuals)
External influences

What is an example of an ineffective control environment that resulted in financial failure?

Enron- management engaged in risky and dubious practices which BOD never questioned

to avoid undue risk, the risk appetite must be aligned with:

company strategy

committee that is outside/independent of the BOD where members are responsible for financial reporting, regulatory compliance, internal control, and hiring/overseeing internal and external auditors

Audit committee

document that explains proper busn practices, describes needed knowledge and experience, explains document procedures, explains how to handle transactions, and lists the resources provided to carry out specific duties; includes the chart of accounts and copies of forms and documents; helpful for on the job reference for current employees and training new employees

Policy and procedures manual

susceptibility of a set of accounts or transactions to significant control problems in the absence of internal control

inherent risk

risk that remains after management implements internal controls or some other response to risk

residual risk

mathematical product of the potential dollar loss that would occur should a threat become a reality and the risk or probability that the threat will occur

expected loss

Expected loss=

impact x likelihood

policies, procedures, and rules that provide reasonable assurance that control objectives are met and risk responses are carried out

control activities

Control procedures fall into the following categories: (7)

Proper authorization of transactions and activities
Segregation of duties
Project development and acquisition controls
Change management controls
Design and use of documents and records
Safeguarding assets, records, and data
Independent checks on performance

process of restricting access of authenticated users to specific portions of the system and limiting what actions they are permitted to perform

authorization

hash encrypted with the hash creator’s private key

digital signature

special approval an employee needs in order to be allowed to handle a transaction

specific authorization

authorization given employees to handle routine transactions without special approval

general authorization

What needs to be separated for proper separation of accounting duties?

Authorization
Custody
Recording

cooperation between two or more people in an effort to thwart internal controls

collusion

implementing control procedures to clearly divide authority and responsibility within the information system function

segregation of systems duties

What are the 7 functions of information systems that need to have authority and responsibility divided amongst for proper segregation of systems duties

Authorization
Monitoring
Data Entry
Programming
Operations
Data Storage
Users

people who help users determine their info needs, study existing systems, design new ones, and prepare specifications used by computer programmers

system analysts

people who use the analysts design to create and test computer programs

computer programmers

people who operate the company’s computers; they ensure that data are input properly, processed correctly, and that needed output is produced

computer operators

people who record transactions, authorize data processing, and use system output

users

people responsible for making sure all info systems operate smoothly and efficiently

system administrators

people who ensure that devices are linked to the organizations internal and external networks and that those networks operate properly

network administrators

What are some people that management teams to manage and monitor the AIS?

systems administrators, network managers, security managers, change management, and database administrators

people who make sure that systems are secure and protected from internal and external threats

security management

people who makes sure that changes are made smoothly and efficiently and do not negatively affect systems reliability, security, confidentiality, integrity, and availability

change management

ensures that source data have been properly approved, monitors the flow of work through the computer, reconciles input and output, maintains a record or input errors to ensure their correction and resubmission, and distributes systems output

data control

responsible for coordinating, controlling, and managing the database

database administrators

examination of the relationships between different sets of data

analytical review

percentage of time a system is used

utilization

amount of work a system processes in a given period of time

throughput

Employee independent of all info system functions who monitors the system, disseminates info about improper system uses and their consequences, and reports to top management

Computer security officer (CSO)

employee responsible for all the compliance tasks associated with SOX and other laws and regulatory rulings

Chief Compliance Officer (CCO)

individuals who specialize in fraud, most of whom have specialized training with law enforcement agencies such as the FBI or IRS or have processional certifications such as Certified Fraud Examiner (CFE)

Forensic investigators

computer experts who discover, extract, safeguard, and document computer evidence such that its authenticity, accuracy, and integrity will not succumb to legal challenges

computer forensics specialist

Computer systems that imitate the brains learning process by using a network of interconnected processors that perform multiple operations simultaneously and interact dynamically

neural networks

what is an effective way to comply with the law and resolve whistle blower conflicts

fraud hotline

What is the downside of fraud hotlines?

many calls are not worth investigating

The Trust Services Framework organizes IT related controls into 5 principles that contribute to systems reliability

Security
Confidentiality
Privacy
Processing Integrity
Availability

protection of sensitive corporate data from unauthorized disclosure

confidentiality

ensures accuracy of data

processing integrity

means system and data can be accessed when needed

availability

ensures that personal info from customers, suppliers, and employees is collected, used, disclosed, and maintained in a manner that is consistent with organization policies

privacy

controls and restrict access to systems and data

security

What is the equation for the time based model of information security

P>D+R

employing multiple layers of controls to avoid a single point of failure

defense in depth

What are the types of preventative controls in the time based model of info security (7)?

Physical access controls
Authentication
Authorization
Anti malware
Network access controls (firewalls/intrusion prevention systems)
Device and software hardening
Encryption

What are the types of detective controls in the time based model of info security?

Log analysis
Intrusion detection systems
Honeypots
Continuous monitoring

What are the types of response controls in the time based model of info security

Computer incident response teams (CIRT)
Chief information security officer (CISO )

process of verifying the identity of the person or device attempting to access the system

authentification

What are the three things that can be used for authentication?

Something the person has
knows
or biometric identifier

The use of two or more types of authentication credentials in conjunction to achieve a greater level of security

Multi factor authentication

the use of multiple authentication credentials of the same type to achieve a greater level of security

multi modal authentication

table used to implement authorization controls

access control matrix

matching the user authentication credentials against the access control matrix to determine whether that employee should be allowed to access that resource and perform the requested action

compatibility test

device that connects an organizations info system to the internet

border router

special purpose hardware device or software running a general purpose computer that controls both inbound and outbound communication between the system behind this device and other networks; is behind the border router

firewall

a separate network located outside the organizations internal info system that permits controlled access from the internet

Demilitarized sone (DMZ)

special purpose devices designed to read the source and destination address fields in IP packet headers to decide where to send (route) the packet next

routers

Sets If Then rules used to determine what to do with arriving packets

access control list (ACL)

process that uses various fields in a packet’s IP and TCP headers to decide what to do with the packet

packet filtering

a process that examines the data in the body of a TCP packet to control traffic, rather than looking only at the info in the IP and TCP headers

deep packet inspection

Soft or hardware that monitors patterns in the traffic flow to identify and automatically block attacks

intrusion prevention systems

Collective term for the workstations, servers, printers, and other devices that comprise an organization’s network

endpoints

automated tools designed to identify whether a given system possesses any unused and unnecessary programs that represent potential security threats

vulnerability scanners

What are the activities involved in managing endpoint security that COBIT finds most important?

Endpoint configuration
User account management
Software design

program designed to take advantage of a known vulnerability

exploit

process of regularly applying patches and updates to software

patch management

process of modifying the default configuration of endpoints to eliminate unnecessary settings and services

hardening