99 Cards in this Set
Organizational Governance
a process by which organizations select objectives, establish processes to achieve those objectives, and monitor performance.
*Determine Objectives: Mission, Vision, Purpose, Strategy
Enterprise Risk Management (ERM):
a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and to manage risk so that it stays within the risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
*You can’t mitigate a plan if you don’t know the risk.
**Underlying Principles: Every entity exists to create value & Value is directly correlated with management decisions
***Enables MGT to: Deal effectively with uncertainty (risk) & Reduce risk while increasing opportunity.
Internal Environment
tone at the top, philosophy of risk management, the entity’s risk culture; considers how decisions affect risk
Objective Setting:
form management’s risk appetite for the entity, also helps us weigh risk TOLERANCE and align us with risk appetite
Event Identification
differentiates risks from opportunities; the idea is to determine where significant risk and opportunity are present in the org.
Risk Assessment
appetite for risk, capacity of risk, how to identify risk
Risk Response
avoiding, accepting, reducing, or sharing risk
Control Activities
procedures to control above actions
Monitoring
ensuring the process is being implemented correctly
Components of Enterprise Risk Management
Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Monitoring
risk
the possibility that an event or action will cause an organization to fail to meet its objectives.
process
a series of actions or operations leading to a particular and usually desirable result
Internal Control
a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in effectiveness and efficiency of operations, reliability of reporting, and compliance with applicable laws and regulations.
fraud
a deliberate act or untruth intended to obtain unfair or unlawful gain.
Under the law, four things must be present for an act to be classified as fraud:
(1) Material false statement
(2) Knowledge that statement was false
(3) Reliance on the statement by the victim
(4) Damages (loss) resulting from (3)
**Civil: preponderance of evidence
**Criminal: 100% conviction
Abuse: a deceitful act / a corrupt practice or custom

Types of abuse?
-“Taking sick days when not sick”
-Surfing the web at work
-Borrowing company equipment
Classic “Red Flags”…
(1) Unduly aggressive earnings targets
(2) Mgt compensation based on (1)
(3) Financial Statements require significant estimates
(4) Related party transactions
The Fraud Process
(1) Theft --> (2) Conversion to Cash --> (3) Concealment
The Fraud Triangle
Opportunity
Pressure
Rationalization
Computer Crime
crime in which the computer is the target of the crime or the means used to commit the crime
Computer Fraud Classifications
Data, Input, Process, Output, Computer Instruction (Fraud)
*Computer Fraud and Abuse Techniques
Social Engineering, Phishing, Dumpster Diving
Computer Virus
program code that can attach itself to other programs (including macros within word processing documents), thereby “infecting” those programs and macros.
Control Matrix
a tool designed to assist in evaluating the potential effectiveness of controls in a business process by matching control goals with relevant control plans.
Control Environment:
a state of control consciousness that reflects the organization’s (primarily the board of directors’ and management’s) general awareness of, and communication of, the importance of control throughout the organization. (Overall policies and procedures that demonstrate an organization’s commitment to the importance of control.)
-Ethics & Control
-COSO Report stresses ethics as a part of control environment (tone at top)
-AICPA has built ethics issues into CPA exam
-The Institute of Management Accountants has a code of ethics, which is also tested on the CMA and CFM exams.
-Internal auditing has ethics
Framework for Ethical Decision Making
Ethics is NOT…
•Feelings, religion, following law, culturally accepted norms, science
Ethical Steps (approaches):
-Recognize the ethical issue
-Get the facts
-Evaluate alternative actions from various perspectives
-Ask which option will produce the most good & least harm
Ethical Approaches
Utilitarian: produces most good & does least amount of harm
-Rights: humans have rights and the freedom to choose as they please; consider whether the action impairs the rights or choices of people.
-Fairness or Justice approach: treat people equally, or proportionally if that is better.
-Common Good approach: best for most (welfare for everyone)
-Virtue approach: action consistent with being one’s best
**Make a decision and test it, act, then reflect on the decision later
Educating Employees
Texas Instruments established a Quick Test for educating employees about what is right or wrong:
Is this action legal?
Does it comply with our values?
If you do it, will you feel bad?
How would it look in the newspaper?
Control Goals
business process objectives that an internal control system is designed to achieve
Effectiveness
a measure of success in meeting one or more goals for the operations process.
Efficiency
a measure of the productivity of the resources applied to achieve a set of goals.
Security of Resources
protecting an organization’s resources from loss, destruction, copying, sale, or other misuse.
Input Validity
input data are appropriately approved and represent actual economic events
Input Completeness
all valid events or objects are captured and entered into a system
Input Accuracy
all valid events must be correctly captured and entered into a system.
Update Completeness
all events entered into a system must be reflected in the respective master data
Update Accuracy
data entered into a system must be reflected correctly in the respective master data.
Control Plans
information-processing policies and procedures that assist in accomplishing goals
Pervasive Control Plans
control plans that relate to a multitude of goals and processes. Like the control environment, they provide a climate or set of surrounding conditions in which the various business processes operate. They are broad in scope and apply equally to all business processes; hence, they pervade all systems. (Address multiple goals and apply to many processes.)
General Controls or IT General Controls
are applied to all IT activities. For example, preventing unauthorized access to a computer system would protect all the specific business processes that run on the computer (such as order entry/sales, billing/accounts receivable/cash receipts, inventory, payroll, and so on).
Business Process Control Plans
plans that relate those particular controls specific to a business process, such as billing or cash receipts. (Relate to specific AIS process or to the technology used to implement the process).
Application Controls
automated business process controls contained within IT application systems (i.e., computer programs).
Preventive Control Plans
a control plan that is designed to stop problems from occurring.
Detective Control Plans
discover that problems have occurred
Corrective Control Plans
rectify problems that have occurred
Which control plan is best?
preventative, but unrealistic so we would want a combination of the preventive, detective, and corrective
IT Governance
the responsibility of executives and board of directors, and consists of the leadership, and organizational structures, and processes that ensure the enterprise’s IT sustains and extends the organization’s strategies and objectives.
*Businesses with superior IT governance practices generated 20% greater profits on average
IT Resources
Applications, Information, Infrastructure, People (people are the weakest link)
CIS, “Thin”: 1960-1980: no data and no processing on the client
PC, “Thick”: 1981-1995: data & processing take place on the client (“Distributed Processing”, a lot more control)
1996-Present: Thin again. Why & how? Control & broadband Internet
IT Control Domains and Processes
*Planning and Operations
*Acquisition and Implementation
*Delivery and Support
*Monitoring
Segregation of Duties
separating the four basic functions of event processing
4 functions of SOD
Function 1: Authorizing Events (Segregation): approve phases of event processing
Function 2: Executing Events: physically move resources, complete source documents
Function 3: Recording Events: record entries in books of original entry, post event summaries to the general ledger
Function 4: Safeguarding resources resulting from consummating events (custody): physically protect resources, maintain accountability of physical evidence.
**Through the design of an appropriate organizational structure, no single employee should be in a position both to perpetrate and conceal frauds, errors, or other kinds of system failures
Security Officer
performs a multitude of control-related activities such as monitoring employees’ network access, granting security clearance for sensitive projects, and working with human resources to ensure that interview practices, such as background checks, are conducted during the hiring process.
IT Steering Committee
coordinates the organizational and IT strategic planning processes and reviews and approves strategic IT plan. Provides significant help to the org. in establishing and meeting user information requirements and in ensuring the effective and efficient use of the org.’s IT resources. Consists of 7 execs from major functional areas of the org
PERSONNEL CONTROL PLANS
Selection and Hiring: candidates should be carefully screened, selected and hired. Qualified, technically competent, HONEST & TRUSTWORTHY
-Retention Control Plans: provide opportunity for advancement and challenges & offer open channels to management.
-Personnel Development: training must be permanent, regular, & not haphazard.
-Personnel Management Control Plans: project future managerial and technical skills of the staff, anticipate turnover and develop a strategy for filling necessary positions.
Rotation of Duties
a policy that requires an employee to alternate jobs periodically
Forced Vacations
policy that requires an employee to take leave from the job, with another employee substituting in the position.
*So that if an employee is doing something irregular, the irregularity will be detected
Fidelity Bonds
indemnifies a company in case it suffers losses from defalcations committed by its employees. Employees who have access to cash and other negotiable assets are usually bonded. (Banking)
Termination Control Plans
define a set of procedures a company follows when an employee voluntarily or involuntarily leaves an organization.
Systems Development Life Cycle (SDLC):
the progression of information systems through the systems development process, from birth, through implementation, to ongoing use.
Program Change Controls
provide assurance that all modifications to programs are authorized and that the changes are completed, tested, and properly implemented.
*DevelopmentTesting (Quality Assurance)StagingProduction
Business Continuity Planning-(aka: Disaster Recovery Planning, Contingency Planning, Business Interruption Planning)
Process that identifies events that may threaten an organization and provides a framework to ensure that the org. will continue to operate when the threatened event occurs, or will resume operations with a minimum operation
Backup
we periodically make a copy of stored data and documentation. The copies are typically stored in a secure location not located near the primary facility
Recovery
process whereby we restore the lost data and resume operations. Need not be at an alternative site
Continuous Data Protection (CDP)
data must be replicated in real time on primary and secondary systems. This is a strategy whereby all data changes are date stamped and saved to the secondary system as the changes are happening on the primary.
*Is a process for continuous and immediate replication of any data changes
Mirror Site
site that maintains copies of the primary site’s programs and data
Electronic Vaulting
a service whereby data changes are automatically transmitted over the Internet on a continuous basis to an off-site server maintained by the third party.
Hot Site
fully equipped data center, often housed in bunker-like facilities, that can accommodate many businesses and that is made available to client companies for monthly subscriber fees.
Cold Site
less costly, less responsive site. A facility usually comprised of air-conditioned space with a raised floor, telephone connections, and computer ports into which a subscriber can move equipment.
Denial-of-Service Attack
a web site is overwhelmed by an intentional onslaught of thousands of simultaneous messages, making it impossible for the attacked site to engage in its normal activities.
Distributed Denial-of-Service Attack
uses many computers that unwillingly cooperate in a denial-of-service attack by sending messages to the target web sites.
Biometric Identification Systems
identify authorized personnel through some unique physical trait such as fingers, hands, voice, eyes, face, writing dynamics, and the like. The most common read fingerprints.
Security Module
access control software that (1) ensures that only authorized users gain access to a system through a process of identification (e.g., a unique number given to each user) and authentication (e.g., a password to verify that the user is who they say they are), (2) associates with authorized users the computing resources they are permitted to access and the privileges (e.g., read, copy, write data) they have with respect to those resources (access rights), and (3) reports violation attempts.
Firewall
technique to protect one network from another “untrusted” network, may be used to protect the system from the Internet by blocking certain kinds of traffic from flowing into or out of the organization.
Intrusion Detection Systems (IDS)
used to monitor a system and network resources and activities and “learn” how users typically behave on the system. The typical behavior is accumulated in user profiles.
*IDS’s can be used to detect attacks from outside the org. such as denial-of-service attacks, or from inside the org., when authorized users attempt to undertake unauthorized actions
*Organizations not wanting to wait until an unauthorized activity has occurred might employ an Intrusion-Prevention System (IPS) to actively block unauthorized traffic using rules specified by the organization.
Library Controls:
restrict access to data, programs, and documentation. They are provided by a librarian function, a combination of people, procedures, and computer software that serves two major purposes:
*First, library controls limit the use of stored data, programs, and documentation to authenticated users with authorized requests
*Second, they maintain storage media
Computer Hacking and Cracking
reflects the intentional, unauthorized access to an org’s computer system, accomplished by bypassing the system’s access security controls.
Preventive Maintenance
periodic cleaning, testing, and adjusting of computer equipment to ensure its continued efficient and correct operation.
Document Design
a control plan in which a source document is designed to make it easier to prepare the document initially and later input data from the document.
*We tend to fill in a well-designed document completely and legibly. If a document is legible, data entry errors will occur less frequently.
Written Approvals
a signature or initials on a document to indicate that an event has been authorized. Ensures that the data input arises from a valid business event and that appropriate authorizations have been obtained
Electronic Approvals
using a computer system’s workflow facility to route business events to persons authorized to approve the event online.
Preformatted Screens
a computer screen designed to control the entry of data by defining the acceptable format of each data field, automatically moving to the next field, requiring that certain fields are completed, and/or automatically populating fields.
Simplifying data input
Online Prompting
a control plan that requests user input or asks questions that the user must answer.
Populate Input Screens with Master Data
a control plan that operates when a clerk enters the identification code for an entity, such as a customer, and the system retrieves data about that entity from the master data, eliminating the need to re-enter those data.
Compare Input Data with Master Data
a process to determine the accuracy and validity of the input data. Such comparisons may be done manually or by the computer.
Procedures for Rejected Inputs
a control plan designed to ensure that erroneous data (i.e., data not accepted for processing) are corrected and resubmitted for processing
Programmed Edit Checks
an edit that is automatically performed by data entry programs upon entry of the input data
*The edits identify erroneous or suspect data and reduce input errors.
Document/Record Hash Totals
reflect a summarization of any numeric data field within the input document or record, such as item numbers or quantities on a customer order. The totaling of these numbers typically serves no purpose other than as a control. Calculated before and then again after entry of the document or record, this total can be used to determine that the applicable fields were entered accurately and completely.
Mathematical Accuracy Checks
compare calculations performed manually to those performed by the computer to determine whether a document has been entered correctly. For this check, the user might enter the individual items (e.g., quantity purchased, unit cost, tax, shipping cost) on a document, such as an invoice, and the total for that document. The computer then adds the individual items and compares that total to the one input by the user.
Check Digit Verification
involves the inclusion of an extra digit—a check digit—in the identification number of entities such as customers and vendors. More than likely, you have a check digit as part of the ID on your ATM card.
*The digit 6 might be appended to the customer code 123 so the entire ID becomes 1236
Confirm Input Acceptance
this control causes the data entry program to inform the user that the input has been accepted for processing. The program may flash a message on the screen telling a user that the input has been accepted, or it might display a number assigned to the event.

*After input of a customer number, the computer might display the internal sales order number that will be used to track the sale.
Automated Data Entry
a strategy for the capture and entry of event-related data using technology such as OCR, bar codes, RFID, and EDI. These methods use fewer human resources and capture more data in a period of time than is possible with manual entry. Improves accuracy of entered data & can validate authenticity of the entered data.
*By eliminating manual keying and using scanning and other technology, the input accuracy is improved
Enter Data Close to the Originating Source
a strategy for the capture and entry of event-related data close to the place where an event occurs. Online transaction entry (OLTE) and online real-time processing (OLRT) are examples of this strategy. Databases are more current, and subsequent events can occur in a timelier manner.
*B/C operations personnel or business partners are familiar with the event being entered, they are less likely to make input errors and can more readily correct these errors if they occur.
Digital Signature
this technology validates the identity of the sender of an electronic message to reduce the risk that a communication was sent by an unauthorized system or user or was intercepted/modified in transit.
*Detects messages that have been altered in transit, thus preventing input of inaccurate data.