192 Cards in this Set

  • Front
  • Back
describes procedures to be followed in an emergency and the role of each member of the team, and assignment of responsibilities.
- Disaster Recovery Plan (Business Continuity Plan)
Protection against power problems can be provided through ________ and ____________.
- surge protectors (against voltage spikes) and an uninterruptible power supply (UPS), which supplies backup power during an outage.
a location, during an emergency, where power and space are available to install processing equipment on short notice
Cold site
a location, during an emergency, that includes a computer system configured similarly to the system used at the main data processing center.
Hot site
during an emergency, a site capable of assuming full data processing operations within seconds or minutes
Flying-start site
A Disaster Recovery Plan doesn't need to be revised periodically. T/F?
F. It must be tested periodically and thoroughly by simulating a disaster, and revised when necessary.
Involves controlling physical access to the assets of data processing center
Computer Facility Controls
Which computer facility control is employed when the following are implemented: a guarded entrance, self-locking doors, dial combination locks, and magnetic, electronic or optically coded identification badges that can be read only by special badge-reading devices?
Limit employee access
What do companies do to compensate for losses when they occur? Coverage is usually limited, restricted to the actual losses suffered by the company.
buy insurance
voice patterns, fingerprints, facial pattern and a combination of these features
biometric identifications
The objective of IT controls
1) restrict access to authorized users

2) assure accuracy and completeness of data.
IT control that ensures data or messages are routed to the correct network address by checking the header label
Routing verification procedures
prevents the loss of data on a network by checking the trailer label.
Message acknowledgment procedures
designed to prevent, detect, and correct errors and irregularities in transactions that are processed.
Application Controls
Application Controls are not embedded in business process applications. t/f?
False. Application Controls are embedded in business process applications
three major types of application controls
1) input controls

2) processing controls

3) output controls
______ attempt to ensure the validity, accuracy and completeness of the data entered into an AIS
Input controls
_________ are specific types of validity and accuracy checks performed by _________; they examine selected fields of input data and reject transactions whose data fields do not meet pre-established standards of data quality
Edit tests, input validation routines (edit programs)
data fields contain only numbers. Examples: SSN
Numeric field
data fields contain only alphabetic letters. Examples: customer name
Alphabetic field
data fields contain letters and/or numbers, but no special characters. Examples: invoice number, purchase order number
Alphanumeric field
a numerical amount has lower and upper limits. Examples: sales price, pay rate
Range (Limit)
Correct number of digits are entered. Examples: customer no., invoice no.
Length
data fields contain a range of acceptable values. Examples: 1=cash sale; 2=credit sale
Valid code
Correct logical relationship between two data items. Examples: pay rate of $25/hour is excessive for an employee with a job skill code of 216 (e.g. janitor)
Reasonableness
Data have the appropriate arithmetic sign. Examples: hours worked per week can’t be negative
Sign
All required data items have been entered. Examples: a sales transaction record must include the customer number
Completeness
Successive input data are in some prescribed order. Examples: ascending, descending, chronological or alphabetical order
Sequence
A digit computed from the other digits is appended to the original number and can be used to verify the accuracy of the data
Check digit
focus on the accurate and complete processing accounting data after they are input to the computer system.
Processing controls
Major types of processing controls
Batch total controls & File security controls
Summarizes key values for a batch of input records. Calculated and recorded when data is entered, and used later to verify that input was processed correctly.
Batch Total Controls
Three commonly used batch totals:
financial control totals, record count and hash total
sums a field that contains dollar values, such as the total dollar amount of all sales for a batch of sales transactions
financial control total
sums a non-financial numeric field, such as the total of the sales order numbers in a batch (a figure with no meaning of its own, used only for comparison)
hash total
sums the number of records in a batch
record count
to protect computer files from accidental and intentional errors, and to ensure that the correct files are used in processing.
File Security Controls
human-readable identification of a computer file's contents (e.g. a label on the tape or disk)
external file labels
Examples of internal file labels
header and trailer record
record name, date and other identifying data on the file that can be read and verified by the computer
Header record
batch totals computed during input, stored at the end of the file
Trailer record
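Batch total controls and internal file labels, worked as code. This is an added example, not code from the original card set: the record layout (account number, invoice number, amount), the HDR/DTL/TRL line format, the file name and date in the header, and the sample batch are constructed. The scenarios() function shows which of the three batch totals (record count, financial control total, hash total) and which label test notices each kind of processing error.

```python
"""Batch total controls with header and trailer records.

Added example, not from the original card set. The record layout, the
HDR/DTL/TRL line format, the file name/date in the header and the sample
batch are constructed for the example.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class SalesRecord:
    account_no: int      # non-financial numeric field used for the hash total
    invoice_no: str
    amount: Decimal      # dollar field used for the financial control total


@dataclass(frozen=True)
class BatchTotals:
    record_count: int
    financial_total: Decimal     # sum of amount
    hash_total: int              # sum of account_no (meaningless, but comparable)


def compute_totals(records: list[SalesRecord]) -> BatchTotals:
    """The three commonly used batch totals for a list of records."""
    return BatchTotals(
        record_count=len(records),
        financial_total=sum((r.amount for r in records), Decimal("0")),
        hash_total=sum(r.account_no for r in records),
    )


def write_batch(file_name: str, run_date: str, records: list[SalesRecord]) -> list[str]:
    """Serialize header record, data records and trailer record (internal labels)."""
    t = compute_totals(records)
    lines = [f"HDR|{file_name}|{run_date}"]
    lines += [f"DTL|{r.account_no}|{r.invoice_no}|{r.amount}" for r in records]
    lines.append(f"TRL|{t.record_count}|{t.financial_total}|{t.hash_total}")
    return lines


def verify_batch(lines: list[str], expected_file: str) -> list[str]:
    """Re-read a batch and report every control that disagrees with its labels."""
    problems = []
    hdr, trl = lines[0].split("|"), lines[-1].split("|")
    # Header label test: is this the file the job expects?
    if hdr[0] != "HDR" or hdr[1] != expected_file:
        problems.append(f"header: expected file {expected_file}, got {hdr[1:2]}")
    if trl[0] != "TRL":
        return problems + ["trailer record missing"]
    records = []
    for line in lines[1:-1]:
        tag, acct, inv, amt = line.split("|")
        records.append(SalesRecord(int(acct), inv, Decimal(amt)))
    # Recompute the totals and compare with those recorded at input time
    got = compute_totals(records)
    want = BatchTotals(int(trl[1]), Decimal(trl[2]), int(trl[3]))
    if got.record_count != want.record_count:
        problems.append(f"record count {got.record_count} != {want.record_count}")
    if got.financial_total != want.financial_total:
        problems.append(f"financial total {got.financial_total} != {want.financial_total}")
    if got.hash_total != want.hash_total:
        problems.append(f"hash total {got.hash_total} != {want.hash_total}")
    return problems


# Constructed sample batch: header, three data records, trailer
BATCH = write_batch("SALES_2024_06", "2024-06-30", [
    SalesRecord(10021, "INV100", Decimal("150.00")),
    SalesRecord(10458, "INV101", Decimal("89.95")),
    SalesRecord(10033, "INV102", Decimal("1200.00")),
])


def scenarios() -> dict[str, list[str]]:
    """Which control catches which processing error."""
    clean = verify_batch(BATCH, "SALES_2024_06")
    # A data record lost in transit: all three totals move
    dropped = verify_batch(BATCH[:2] + BATCH[3:], "SALES_2024_06")
    # Amount altered (89.95 -> 89.59): only the financial control total notices
    altered = verify_batch([BATCH[0], BATCH[1], "DTL|10458|INV101|89.59",
                            BATCH[3], BATCH[4]], "SALES_2024_06")
    # Posted to the wrong account (10458 -> 10548): only the hash total notices
    wrong_acct = verify_batch([BATCH[0], BATCH[1], "DTL|10548|INV101|89.95",
                               BATCH[3], BATCH[4]], "SALES_2024_06")
    # Wrong file mounted: the header label test notices
    wrong_file = verify_batch(BATCH, "SALES_2024_05")
    return {"clean": clean, "dropped": dropped, "altered": altered,
            "wrong_account": wrong_acct, "wrong_file": wrong_file}


if __name__ == "__main__":
    for name, problems in scenarios().items():
        print(f"{name}: {problems or 'OK'}")
```

The point of keeping all three totals is visible in scenarios(): a record count alone misses an altered amount or a transposed account number, a financial total misses a transposition that leaves the dollars unchanged, and only the hash total catches the record posted to the wrong account.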
prevent two applications from updating the same record or data item at the same time.
lockout procedures (concurrent control)
Validate processing results and regulate the distribution and use of printed output
Output controls
Output controls validate processing results through the use of …
source documents, transaction listings and activity listings.
involves evaluating the computer’s role in achieving audit objectives and control objectives, and ensures that controls are functioning properly
IT Auditing
IT auditing is performed by both the internal and external auditor. t/f?
true
Control objectives [4]
1) Security
2) Availability
3) Processing integrity
4) Online privacy and confidentiality
protection against unauthorized access
Security
Control Objective: the Information System is available for use
Availability
Control Objective: Processing is complete, timely, authorized and accurate
Processing integrity
Control Objective: protection of personal and all sensitive information
Online privacy and confidentiality
Internal auditing is carried out by _________ reporting to _______ and/or the ____________.
company personnel, top management, Audit Committee of the Board of Directors
is independent of the corporate department or division being audited
Internal auditing
scope of internal audit
1) Employee adherence to company policies and procedures,

2) Evaluation of internal controls

3) Evaluation of operational efficiency and effectiveness
is carried out by an independent CPA firm
external auditing
3 Scopes of external auditing
1) internal control audit
2) financial audit
3) fraud audit (forensic accounting)
gives an opinion on the effectiveness of internal control
internal control audit
gives an opinion on the accuracy and fairness of financial statements
financial audit
prevents and detects fraud
fraud audit (forensic accounting)
What step in the IT Audit process: Review general and application controls and compliance testing
Testing the control procedures (audit through the computers)
What step in the IT Audit process: To decide if computer processing is significant and complex enough to warrant an examination of the computer-based system itself
preliminary evaluation of the system
Performing substantive tests of account balances means audit with computers using _________
CAATs
Strong controls means (more / fewer?) substantive tests
Fewer
Weak controls means (more / fewer?) substantive tests
more
The 4 steps of the risk-based audit approach
1. Determining the threats
2. Systems review
3. Evaluating control procedures
4. Evaluating weaknesses
inspecting documents, records, and reports, observing system operations, checking samples of system inputs and outputs, and tracing transactions through the system
Evaluating control procedures
a Risk-based Audit Approach that involves identifying the control procedures that should be in place to minimize the threats
Systems review
identifying control deficiencies, determining compensating controls to make up for the deficiency
Evaluating weaknesses
In an automated AIS, auditing with the computer is not mandatory t/f?
False, it is virtually mandatory
CAAT stands for
computer-assisted audit techniques
3 Types of CAATs
[1] General-use software
[2] Generalized audit software (GAS)
[3] Automated workpaper software
2 Types of General-use software
[1] Spreadsheet software
[2] Database management systems
Software capable of the basic data manipulation and calculation tasks performed by spreadsheet and database software; specifically tailored to auditor tasks
Generalized audit software
Software that makes complex mathematical calculations such as interest, depreciation, and ratios
Spreadsheet software
Similar to general ledger software because it can prepare adjusting entries and adjusted trial balances. Creates common-size income statements and balance sheets and calculates financial statement ratios
Automated workpaper software
Software that retrieves and manipulates large sets of data in fairly simple ways; performs simple mathematical computations
Database management systems
to work as a team, to interact with clients and other auditors, and to interview many people constantly for evaluation
People skills
Testing computer programs, validating computer programs, review of systems software, validating users and access privileges, continuous auditing: Auditing around or through the computer?
Auditing through the computer
Examines the inputs and the outputs on a sample basis. If outputs are expected, then the processing must be accurate. It tests normal transactions but ignores the exceptions: Auditing around or through the computer?
Auditing around the computer
A more effective approach is “auditing (around or through?) the computer”, which involves direct testing of control procedures
through
______ _______ can check if program edit test controls are in place and working
Test data
A more comprehensive test technique that audits an AIS in an operational setting; is effective in evaluating integrated online systems and complex programming logic
Integrated Test Facility (ITF)
Test data can be developed using software programs called _________
test data generators
________ procedure involves developing test data that tests the range of exception situations as completely as possible, comparing the results with a predetermined set of answers, investigating further if the results do not agree.
test data procedure
The procedure of __________ involves: establishing a fictitious entity such as a department, branch, customer, or employee, entering artificial transactions for that entity, and observing how these transactions are processed.
Integrated Test Facility
Drawback of Integrated Test Facility: the effect of artificial transactions must be _______ out of the system.
Reversed
With __________ , the auditor writes and controls a program that simulates the operations of the client’s program and compares the results of the two programs to detect errors in programming logic
parallel simulation
parallel simulation saves time and costs less. t/f?
false, parallel simulation can be very time-consuming and thus cost-prohibitive
parallel simulation usually involves replicating only certain critical functions of a program. t/f?
true
With parallel simulation, the auditor needs to thoroughly understand the client system, should possess sufficient technical knowledge, and know how to predict the results. t/f?
true
is a set of control procedures developed to protect against unauthorized program changes
Program change control
guards against unauthorized program tampering by performing certain control total tests of program authenticity
program comparison
[2] components of program comparison
1) test of length
2) comparison program
comparing length of the tested program with that of a previously reviewed, valid program
test of length
comparing the code directly on a line-by-line basis
comparison program
What generates outputs that are important for monitoring a company’s computer system?
System software
record the use of computer resources; unusual occurrences such as programs run at odd times or programs run with greater frequency than usual call for further investigation
Logs
who needs to make sure that all users are valid and each has access privileges appropriate to their job
IT auditor
list events that are unusual or interrupt operations including security violations, hardware failures, and software failures
Incident reports
Who needs to verify that the parameters of access control software are set appropriately and must make sure that IT staff are using them appropriately
IT auditor
Used to continuously monitor transaction activity and collect audit evidence
Continuous Auditing
segments of code that capture data for audit purposes
Embedded audit modules (EAM)
When transactions meet a pre-specified criteria, they are written to a special log called ______; they are printed out periodically for review by the auditor
systems control audit review file (SCARF)
Done to verify programming logic and the process of handling unusual transactions
Transaction tagging
_________ are traced through the entire application
Tagged transactions
Most efficient type of control is what?
preventive control
Involves taking “pictures” of transactions and their general ledger files before and after specified processing points; provides a basis for evaluating the accuracy and completeness of the processing
Snapshot technique
The process of embedding of an audit module in a DBMS; for transactions of special audit significance, the audit module independently processes the data (similar to parallel simulation), records the results and compares them with the DBMS results; if discrepancies exist, they are written to an audit log for subsequent review. In case of serious discrepancies, the CIS may stop DBMS from executing the update process
Continuous and intermittent simulation (CIS)
_________ identifies important information technologies and specific risks related to these technologies, recommends controls to mitigate risks and suggests audit procedures to validate these controls; this report is issued by _________
Systems Auditability and Control (SAC), Institute of Internal Auditors
provides guidance in assessing business risks, controlling for business risks, and evaluating the effectiveness of controls
Control Objectives for Information and Related Technology (COBIT)
assurance about data security and privacy as well as reliable business practices
WebTrust
assurance about the reliability of information systems
SysTrust
WebTrust and SysTrust combined into one. Principles are security, availability, processing integrity, online privacy and confidentiality
Trust Services
[2] Professional certifications that are available to IT auditors include:
1) Certified Information Systems Auditor (CISA)
2) Certified Information Security Manager (CISM)
Professional IT audit certifications are issued by …
Information Systems Audit and Control Association (ISACA)
Example of preventative control is…
Firewall
Most important component of internal control is the…
control environment
Preventive controls and corrective controls are used in conjunction with each other. t/f?
False. Detective and corrective controls are used in conjunction: a detective control finds the problem and a corrective control fixes it.
Who is responsible for assignment of authority and responsibility under internal control?
Management
the method a company uses to decide which controls to implement: those whose projected benefits outweigh their costs
cost-benefit analysis
A human-readable ______ is mapped to a machine-readable IP address; it forms the host part of a Universal Resource Locator (URL). Every time you type one in, DNS translates it into the IP address.
- domain name
www.google.com is an IP address or a domain name?
- domain name (it is the host portion of a URL such as http://www.google.com/)
First (top) level of a domain name:
- .COM, .ORG, .NET, .EDU and .GOV
2nd level of a domain name:
site name
3rd level of a domain name:
specific computer (host name, e.g. www)
74.125.95.99 is an IP address or a URL?
IP address
The internet uses ____________ to transmit data. Information to be sent is divided into small blocks called __________.
- packet switching, packets
Each packet is coded with the _______ and may be sent separately via a different route over the network. Upon arrival at the destination, the packets are reassembled in the correct order.
- destination address (IP address)
_________ are rules and procedures that govern the process of data transmission over the Internet.
- Protocols
_______ protocol that specifies the procedures for dividing a file into packets and the methods for reassembling the original file at the destination
- TCP (Transmission Control Protocol)
_______ protocol that specifies the structure of those packets and routing path.
- IP (Internet Protocol)
_____ comprises information made available using similar technology as the Internet but only to authorized users.
- Intranet
Through _______ and _____ , information published on such Intranets is shielded from the general public.
- user accounts & passwords
________ allows controlled access to the corporation's Intranet by selected outside users such as suppliers and customers.
- extranet
_______ is a private network that uses a public network (such as Internet) to connect remote sites or users together.
- Virtual Private Networks (VPN)
The cost of establishing a VPN is much (more or less?) than creating a private network by leasing dedicated lines.
- less
A VPN enables secure data transmission by:
1. creating private communication channels (i.e. tunnels)
2. authenticating all users before permitting any data transmission
3. encrypting all data transmission
___________ refers to buying and selling goods/services electronically.
- Electronic Commerce (EC)
__________ is automating business processes in general over the internet.
- Electronic Business
__________ represents a business arrangement between the buyer and seller in which they agree, in advance, to the terms of their relationship.
- Electronic Data Interchange (EDI)
General categories of E-Commerce:
1. Business-to-consumer (B2C) transactions: between business and end-user consumer
2. Business-to-Business (B2B) transactions: between businesses, e.g. a vendor and its business customer
Most e-commerce is B2C or B2B?
- B2B
_______ acts as a trusted online intermediary, collecting payments from buyers and paying similar amounts to sellers.
- E-payment service
Examples of e-payment service:
- PayPal, Google Checkout
________ allows organizations to transmit standard business documents over high-speed data communications channels.
- Electronic Data Interchange (EDI)
Two ways to implement EDI applications:
1. Value-Added Networks (VANs) based EDI
2. Internet-based EDI.
What EDI application where data security can be enhanced by using encryption technology?
- Internet-based EDI.
The act of capturing data packets as they travel over computer networks and sifting the captured data for confidential information.
- Sniffing (electronic eavesdropping)
What EDI application has private, point-to-point communication channels?
- Value-Added Networks (VANs) based EDI
a coordinated attack on a computer system from a botnet (a network of hijacked computers, aka zombies) to deny legitimate users access.
- Denial of service (DoS) attack; when launched from a botnet it is a distributed denial of service (DDoS) attack
What EDI application involves leasing secure, dedicated transmission lines from long-distance carriers such as AT&T?
- Value-Added Networks (VANs) based EDI
removing software protection designed to prevent unauthorized duplication
- Cracking
Which EDI application uses well-understood Internet technology and a preexisting, costless network to transmit business data, and offers convenience?
- Internet-based EDI
accessing and using computer systems without permission, usually by means of a personal computer and a telecommunication network
- Hacking
When someone uses another person’s personal data in some way that involves fraud or deception, usually for economic gain.
- Identity theft
attacking a phone system in order to make free calls or disrupt services
- Phreaking
sending unsolicited mass emails
- Spamming
gaining access to confidential information by searching corporate or personal records.
- Scavenging
obtaining confidential information by tricking people.
- Social engineering
Social engineering examples:
Spoofing and Phishing, Vishing, Posing
emails pretending to be from a legitimate company and requesting confidential information. Example: http://pages.ebay.com/education/spooftutorial/spoof_2.html
- Spoofing and Phishing
voice phishing, emails requesting recipients to call a specified phone number
- Vishing
creating a seemingly legitimate business, collecting personal information while making a sale, and never delivering a product.
- Posing
any type of malicious software designed to disrupt or disable a computer system.
- Malware
secretly collects personal information and communicates it to others
- Spyware
displays banner ads as users surf the net and monitors users’ web-surfing and spending habits
- Adware
a set of malicious computer instructions in an innocent-looking computer program
- Trojan horse
Trojan horses that lie dormant until triggered by a specified time or circumstance.
- time bombs
back door, a way into a system that bypasses normal system controls
- trap door
a self-replicating malicious program.
- virus /worm
_______ safeguard an organization’s electronic resources and limit access to authorized users
- Security procedures
Examples of Security procedures are
1. Firewall,
2. Proxy servers,
3. Intrusion detection systems
4. Data Encryption
Firewall is only software-based. t/f?
- False. Firewall can be either hardware or software-based.
Two primary methods of firewall protection:
• Inclusion: limits access to authorized users
• Exclusion: denies access to unauthorized users
guards against unauthorized access to sensitive file information from external Internet users.
- firewall
creates logs of network traffic and analyzes those logs for signs of attempted or successful intrusions.
- Intrusion Detection Systems (IDS)
__________ examines packets of incoming messages and uses the access control list (ACL) to control the network traffic.
- firewall
compare logs to a database containing patterns of traffic associated with known attacks.
- IDS
2 Types of IDS
- passive IDS and reactive IDS
a computer and related software that can be used to control Web access.
- Proxy Server
type of IDS that creates logs of potential intrusions and alert network administrators to them
- Passive IDSs
detect potential intrusions dynamically, log off potentially malicious users, and even reprogram a firewall to block further messages from the suspected source.
- Reactive IDSs
transforms plaintext messages into unintelligible ciphertext using an encryption key.
- Data Encryption
decodes encrypted messages back into plaintext.
- Decryption
Example of a simple encryption method
- Caesar cipher (shifting each letter 3 positions to the right)
2 Types of Encryption System
- Secret key encryption and public key encryption
The same key is used both to encrypt and to decrypt, and is shared by the communicating parties. Secret key encryption or public key encryption?
- Secret key encryption
a pair of public/private encryption keys is used. Secret key encryption or public key encryption?
- Public key encryption
The sending party uses the recipient’s public key to encode the message, and the receiving party uses the corresponding private key to decode it. Secret key encryption or public key encryption?
- Public key encryption
The number of secret keys becomes difficult to manage when a large number of parties are involved. Secret key encryption or public key encryption?
- Secret key encryption
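The Caesar cipher card and the key-management card, worked as code. This is an added example, not code from the original card set; the sample message and the crib word used by the brute-force routine are constructed. The same function with the key negated performs decryption, which is the defining property of a secret-key system; the brute-force routine shows why a 25-key cipher is only a teaching example; and the two counting functions give the key-management arithmetic the last card alludes to (one shared key per pair of parties versus one key pair per party).

```python
"""Caesar cipher as a (weak) secret-key system, plus the key-management
arithmetic behind secret-key versus public-key encryption.

Added example, not from the original card set. The sample message and the
crib word used by brute_force() are constructed.
"""
import string

ALPHABET = string.ascii_uppercase


def caesar_encrypt(plaintext: str, key: int = 3) -> str:
    """Shift each letter `key` positions to the right; other characters pass through."""
    out = []
    for ch in plaintext.upper():
        out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26] if ch in ALPHABET else ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, key: int = 3) -> str:
    """Same key, opposite direction: the defining property of secret-key encryption."""
    return caesar_encrypt(ciphertext, -key)


def brute_force(ciphertext: str, crib: str) -> list[tuple[int, str]]:
    """Try all 25 non-trivial keys and keep those whose output contains the crib.

    The key space is so small that keeping the key secret buys nothing; this is
    why the cards call the Caesar cipher a 'simple' method rather than a usable one.
    """
    hits = []
    for key in range(1, 26):
        candidate = caesar_decrypt(ciphertext, key)
        if crib.upper() in candidate:
            hits.append((key, candidate))
    return hits


def secret_keys_needed(parties: int) -> int:
    """Secret-key system: one shared key per pair of parties, n(n-1)/2 in total."""
    return parties * (parties - 1) // 2


def public_key_pairs_needed(parties: int) -> int:
    """Public-key system: one key pair per party, however many others it talks to."""
    return parties


if __name__ == "__main__":
    ct = caesar_encrypt("ATTACK AT DAWN")
    print(ct, "->", caesar_decrypt(ct))
    print("brute force:", brute_force(ct, "ATTACK"))
    for n in (10, 100, 1000):
        print(f"{n} parties: {secret_keys_needed(n)} secret keys vs "
              f"{public_key_pairs_needed(n)} public/private key pairs")
```

The key counts are the management argument: adding a thousandth party to a secret-key system means generating and securely distributing 999 new shared keys, while in a public-key system it means publishing one public key.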
A spyware that records keystrokes
Key logger