Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
105 Cards in this Set
- Front
- Back
|
T/F: Data in a master file will normally be changed daily.
|
False
|
|
|
Which of the following best describes the purpose of a firewall?
A. Analyze network traffic entering the organization. B. Screen traffic entering the organization. C. Quarantine malware detected in email attachments. D. Ensure network traffic is scrambled. |
B. Screen traffic entering the organization.
|
|
|
During the year-end financial statement audit, the auditor found that the input entry controls over the sales module in the information system were operating effectively. Which of the following conclusion can the auditor make?
A. The auditor can conclude the sales data is complete and accurate. B. The auditor can conclude the sales data is complete, accurate, and valid. C. The auditor can make an indirect conclusion about the sales data. D. The auditor can make indirect conclusion about the controls over the system. |
C. The auditor can make an indirect conclusion about the sales data.
|
|
|
XYZ Company is considering using a cloud vendor to provide PaaS. The use of a cloud vendor for PaaS implies
A. XYZ wants the cloud vendor to store their (XYZ's) data. B. XYZ wants to use the cloud vendor's software applications. C. XYZ has developed their own software application. D. XYZ is very concerned with scalability issues. |
C. XYZ has developed their own software application.
|
|
|
Non-Repudiation is related to which aspect of information integrity?
|
Validity
|
|
|
T/F: Social media data represents an ongoing challenge for organiizatons interested in using business intelligence and analytics ("Big Data")
|
True
|
|
|
The Trust Services defintion of a system contains 5 key components. List the 5 key components.
|
Infrastructure, Software, Procedures, Data, People
|
|
|
T/F: The business strategy should be aligned to the IT strategy.
|
IT strategy should support business strategy
|
|
|
Joe has gambling debts and has been passed over for promotion several times. What would be the best option if Joe's employeer wants to impair Joe's ability to steal money from petty cash?
1. The employeer should terminate Joe. 2. The employerr should send Joe to counseling. 3. The employeer should segregate Joe's duties so that he does not have custodial, authorization, and record keeping reponsibilities over petty cash. 4. The employeer shoud segregate Joe's duties so that he does not have authorization, recording keeping, and reconciliation responsibilities over petty cash. |
3. The employeer should segregate Joe's duties so that he does not have custodial, authorization, and record keeping reponsibilities over petty cash.
|
|
|
According to Trust Services criteria which of the following is correct?
1. Passwords should be used to limit physical access to information contained in the information system. 2. Processing integrity is necessary for information integrity. 3.The collection and use of confidential information should be disclosed in accordance with GAPP issued by the AICPA and the CICA. 4. The IS should be availabe at all times. |
2. Processing integrity is necessary for information integrity.
|
|
|
If an employee is using a "rogue cloud", the employee is engaged in which of the following?
1. Using an unapproved cloud vendor to store company data or information. 2. Accessing inapropriate websites using a company computer. 3. Fraud. 4. Sharing trade secrets with competitors. |
1. Using an unapproved cloud vendor to store company data or information.
|
|
|
Using a highly automated computer based accounting information system will do which of the following?
1. Decrease the risk of systematic errors. 2. Have no effect on systematic errors. 3. Increase the risk of systematic errors. |
3. Increase the risk of systematic errors.
|
|
|
T/F: A database uses a flat file format.
|
False
|
|
|
According to the TAM, which of the below are determinants of actual IS use? (select all that apply)
1. Perceive user acceptance 2. Perceived ease of use 3. Perceived user contribution 4. Perceived usefulness 5. None of the above |
2. Perceived ease of use
4. Perceived usefulness |
|
|
T/F: One purpose of the post-implementation review is to identify areas where the SDLC could be improved.
|
True
|
|
|
Which of the following SDLC model approaches would an end-user be most likely to adopt?
Waterfall, Iterative, Agile, Big Bang, or None of the above |
Big Bang
|
|
|
During the acquisition and development phase, which individual is responsible for determining implementation scheduling?
|
Implementation roadmap is determined at the implementation phase
|
|
|
When performing program maintenance, users should have read, write, and execute privileges in which of the following environments?
|
Development and Production
|
|
|
On an e-commerce website, explicit constent should require the use of an opt-out button or check box.
|
Opt-in is required
|
|
|
Company ABC uses a framed website that contains a link to its competitor XYZ. When a consumer clicks the hyperlink to XYZ, information about XYZ is displayed such that it is surrounded by information about company ABC. This paractice is called?
|
Passing Off
|
|
|
T/F: To avoid cybersquatting, a domain name must be registered with ICANN.
|
True
|
|
|
T/F: According to a 2012 Kaplan survey, approximately 25% of college admission counselors indicated they checked applicants' social networking sites.
|
True
|
|
|
Digital signatures depend on which of the following technologies?
|
Encryption
|
|
|
Company XYZ has an online website that provides information to potential customers. XYZ's website provides no other capabilities. XYZ's IT department monitors the website for unusal activity. XYZ's internal auditor mentions that many organizatons purchase insurance for their websites in case the website is hacked and sensitive customer information is stolen. XYZ's management should do which of the following?
|
Make no changes.
|
|
|
An input control is which type of control?
|
Preventative
|
|
|
T/F: General controls are the reponsibility of the application owner.
|
False
|
|
|
A payroll system contains a control to checks that new employees' pay rates are between $15.00 and $25.00 per hour. This is an example of which type of control?
|
Range check
|
|
|
ABC company is a cloud-based ERP provider. ABC company should consider getting which type of report?
|
SOC 3 Type 2
|
|
|
What is a control?
|
A process designed and affected by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of the entity’s objectives with regard to operations, reporting, and compliance with laws/regulations
|
|
|
What are the different types of controls?
|
Cybernetic and socio-cultural
|
|
|
What is a cybernetic control?
|
Self-monitoring system with goal-setting, performance monitoring and measurement
|
|
|
What is a socio-cultural control?
|
People centric approach to minimize variations between the goals and the observed behaviours and/or by a careful process of hiring, training a socialization
|
|
|
How do you determine what type of controls [cybernetic/sociocultural] to implement?
|
The specification and readiness for observation of processes/outcomes
|
|
|
What is strategic planning?
|
The process of deciding on goals and selecting strategies for attaining those goals
|
|
|
What is a managerial control?
|
Process of ensuring that departmental plans and programs designed to fulfill the strategic planning are carried out in the organization
|
|
|
What is an operational control?
|
Process of ensuring that specific tasks are carried out
|
|
|
What are control systems?
|
An organized way of applying preventative, detective, and corrective controls to help an entity achieve its objectives
|
|
|
What constitutes as a personnel failure?
|
1. Motivate officers and employees to take positive constructive action
2. Deter organization employees from engaging in counter productive activities 3. Detect errors and irregularities on a timely basis |
|
|
What is the most important factor to consider in addressing control issues?
|
Detect errors and irregularities on a timely basis
|
|
|
What is the most important factor to consider in addressing control issues?
|
Focus on people: facilitate positive activities and discourage negative ones by focusing on people
|
|
|
What are the COSO components of internal control?
|
Control environment, risk assessment, control activities, information and communication, and monitoring activities
|
|
|
How can we establish a strong control environment?
|
Enforce strong tone from the top of integrity and ethics
|
|
|
How can we enforce strong tone from the top?
|
0. Commitment to competence
1. Participation by BOD/Management, maintain independence 2. Monitor business risks and communicate philosophy/operating style 3. Reporting hierarchy in organizational structure 4. Assignment of authority and responsibility 5. Background and qualification checks for HR policies and practices |
|
|
What is the entity’s risk assessment process?
|
Identify, evaluate, and respond to business/financial reporting risks based on their significance, likelihood of occurrence and management
|
|
|
What are steps in identifying and managing risk?
|
Risk categories, consequences, weighted exposure
|
|
|
What are some common risk categories?
|
Destruction of IS, availability of IS, manipulation, privacy,
|
|
|
What is the difference between error and fraud?
|
Continuity risk, fraud indicative of widespread control deficiencies [collusion, override], errors may be unpredictable and difficult to confine
|
|
|
How do errors relate to the strength of controls?
|
Errors may reflect pervasive weaknesses in controls, implying the presence of many more undiscovered errors in the system
|
|
|
How do we calculate a risk rating?
|
Likelihood x impact
|
|
|
How do we determine the likelihood of a risk?
|
Based on internal experience and industry
|
|
|
How do we estimate the impact of a risk?
|
Financially, customer based, goodwill impairment, regulatory scrutiny, lawsuits
|
|
|
What are risk factors for online security?
|
Online involvement
Openness Amount of private/sensitive information Customer/supplier integration Public presence Reputation |
|
|
What are some strategies dealing with risk exposure?
|
Accept, prevent, share, avoid
|
|
|
What are some sources of risk exposure?
|
Regulatory/operating environment
New business models Products or activities Corporate restructurings Expanded foreign operations, rapid growth New personnel, accounting pronouncements, and technology Significant/rapid changes in IT |
|
|
What are some warning signs of control failure in IS?
|
Recurring computer system outages
Rapid and continued growth of IS budget Continued dissatisfaction of LOB leaders Large backlog of system development and system modification requests |
|
|
What is the difference between root causes and symptoms
|
Misalignment of IT strategy and business strategies
Absence of policies/ inadequate communication of existing policies Failure to define responsibilities of various groups involved in IS Adequate provision for the assimilation of the information function |
|
|
What are the different categories of controls?
|
Directive, preventative, detective, corrective
|
|
|
What are general controls?
|
Extend across multiple environments, e.g. network access security login (data center, network operations, system software acquisition, change/maintenance, access security, SDLC, applies to mainframe/end-user environments
|
|
|
What are application controls?
|
Operate at the business process level to ensure the integrity of records in procedures to initiate, record, process and report transactions
|
|
|
What is an information system comprised of?
|
Infrastructure, software, people, procedures and data
|
|
|
What are some general control procedures / activities
|
Manuals and procedure policies (documentation)
Authorization: Logical access control (e.g., RBAC) Performance reviews, Physical controls, Help desk or information centre Standard setting, Hardware/software acquisition, Personnel review Segregation of duties |
|
|
In the segregation of duties, what duties should be kept separate?
|
Initiation, Authorization
Custody of Assets, Record Keeping and Reconciliation |
|
|
What most often circumvents the segregation of duties?
|
Collusion
|
|
|
What are role based access controls?
|
Access and authorization based on position
|
|
|
What are drop-down or look-up menus?
|
General controls to restrict entry
|
|
|
Why do we perform record-checking of data entered
|
Input control to preserve referential integrity
|
|
|
What are drop-down or look-up menus?
|
General controls to restrict entry
|
|
|
Why do we perform record-checking of data entered?
|
Input control to preserve referential integrity
|
|
|
Example of confirmation of data entered
|
Pop-up box confirmation
|
|
|
What are referential integrity controls
|
Cannot process a transaction in transaction table unless it relates to an actual customer # in the master table
|
|
|
Format checks to limit data
|
Postal code space or not?
|
|
|
Validation rules to limit the data
|
Postal code L#L #L#, no $%^@
|
|
|
Defaults from data entered in prior sessions
|
Limits potential human error; restriction against leaving a field blank
|
|
|
Logic checks
|
Can’t enter date that payment received before sold
|
|
|
Reasonableness checks
|
Often with confirmation check
|
|
|
Range check
|
New employees: pay should be between range or ask to verify
|
|
|
Sign check
|
Entering negative sign
|
|
|
Field established as a primary key
|
cust # in master file, trans # in trans table
must be unique, only occur once as primary key |
|
|
Computer-generated values entered in records (auto-fill)
|
uses referential integrity and other things
|
|
|
What does effective communication require?
|
Right information to right person at right time through
|
|
|
What is monitoring in the COSO framework?
|
Considering whether controls are operating as intended and ensuring thatn they are modified as appropriate for changes in conditions
|
|
|
How do organizations monitor?
|
Dashboards of key metrics; customer activity (Green Grass)
Periodically audit/review design and operation of controls : must be done on a timely basis Benchmarking: assess the quality of internal control performance over time |
|
|
What is continuous monitoring
|
Have program go into system and look for where there is weird or odd transactions, then tell it what they want to identify as weird and the red flags will pop up when those types of transactions happen. This is a promising field and will take over some of our responsibilities of auditors. However currently slow down system and aren’t that functional yet.
|
|
|
What is the purpose of monitoring?
|
To take corrective action
|
|
|
What are some limitations of internal controls?
|
Circumvention: collusion or management override
Trade-off operating efficiencies and complex control procedures [encryption] Cost benefit analysis: reliability of data vs cost of implementing controls Changing conditions within entities Reliance on human judgement in the design, implementation, and monitoring of controls Practical materiality limits: Salami technique, pass multiple checks threshold, circumvention |
|
|
Why do auditors test controls?
|
SOX compliance, support traditional FS assertions
|
|
|
How do auditors determine whether a control should be in scope?
|
Materiality, entity size, nature of business, diversity/complexity of operations, legal and regulatory requirements
Nature/complexity of systems – including use of service organizations |
|
|
What controls may an auditor choose to test?
|
Non-financial data using analytical procedures [complaints on privacy]
Physical controls |
|
|
How do auditors test non-financial data using analytical procedures?
|
Quantity complaints about something, can be an indication control is not working effectively or missing
|
|
|
What are the trust services principals?
|
Security, availability, process integrity, confidentiality and privacy of information?
|
|
|
What does SOC1 cover?
|
Financial reporting controls
|
|
|
What does SOC3 cover?
|
Controls using TrustServices criteria, includes criteria and procedures (tests and results) – limited distribution
|
|
|
What does SOC2 cover?
|
SOC 3 but is a general use report that doesn’t detail procedures performed.
Can display SysTrust seal |
|
|
What is CoCo?
|
designing, assessing, and reporting on the control system of an organization
|
|
|
What does CoCo define control objectives as?
|
Effective and efficiency of operation
Reliability of internal and external reporting |
|
|
What are the components of the Coco framework?
|
Purpose, commitment, capability, monitoring and learnings
|
|
|
What are the easiest types of controls to implement?
|
Preventative: prevent an error from entering into a master file – preventing it from becoming a systematic error
|
|
|
o Spyware. Malware
|
collects sensitive information – to harvest information, usually comes on a valid application
|
|
|
Anti-viruses
|
need updates because it requires a set of patterns
|
|
|
Zero day threat
|
until a threat has been identified, no protection
|
|
|
viruses
|
[proliferate throughout the system]
|
|
|
When should systems scans for viruses occur?
|
During non peak hours
|
|
|
What should be scan during a network scan
|
Scan the network: access points, routers
|
|
|
RTO
|
Recovery time objective
|
|
|
RPO
|
Recovery point objective – how much information are you willing to lose?
|
