192 Cards in this Set
- Front
- Back
describes procedures to be followed in an emergency and the role of each member of the team, and assignment of responsibilities.
|
- Disaster Recovery Plan (Business Continuity Plan)
|
|
Power backup can be provided through ________ and ____________.
|
- surge protectors, uninterruptible power system (UPS).
|
|
a location, during an emergency, where power and space are available to install processing equipment on short notice
|
Cold site
|
|
a location, during an emergency, that includes a computer system configured similarly to the system used at the main data processing center.
|
Hot site
|
|
during an emergency, a site capable of assuming full data processing operations within seconds or minutes
|
Flying-start site
|
|
Data Recovery Plan doesn’t need to be revised periodically. T/F?
|
F. It must be tested periodically and thoroughly by simulating a disaster, and revised when necessary.
|
|
Involves controlling physical access to the assets of the data processing center
|
Computer Facility Controls
|
|
What computer facility control is employed when the following are implemented: guarded entrance, self-locking door, dial lock combinations, and magnetic, electronic, or optical coded identification badges that can only be read by special badge-reading devices?
|
Limit employee access
|
|
What do companies do to compensate for losses when they occur? It is usually limited in coverage, restricted to actual losses suffered by a company.
|
buy insurance
|
|
voice patterns, fingerprints, facial pattern and a combination of these features
|
biometric identifications
|
|
The objective of IT controls
|
1) restrict access to authorized users
2) assure accuracy and completeness of data.
|
|
IT control that ensures that data or messages are routed to the correct network address by looking up the header label
|
Routing verification procedures
|
|
prevent the loss of data on a network system by looking up the trailer label.
|
Message acknowledge procedures
|
|
designed to prevent, detect, and correct errors and irregularities in transactions that are processed.
|
Application Controls
|
|
Application Controls are not embedded in business process applications. t/f?
|
False. Application Controls are embedded in business process applications
|
|
three major types of application controls
|
1) input controls
2) processing controls
3) output controls
|
|
______ attempt to ensure the validity, accuracy and completeness of the data entered into an AIS
|
Input controls
|
|
_________ are specific types of validity and accuracy checks using _________; they examine selected fields of input data and reject those transactions whose data fields do not meet the pre-established standards of data quality
|
Edit tests, input validation routines (edit programs)
|
|
data fields contain only numbers. Examples: SSN
|
Numeric field
|
|
data fields contain only alphabetic letters. Examples: customer name
|
Alphabetic field
|
|
data fields contain letters and/or numbers, but no special characters. Examples: invoice number, purchase order number
|
Alphanumeric field
|
|
a numerical amount has lower and upper limits. Examples: sales price, pay rate
|
Range (Limit)
|
|
Correct number of digits are entered. Examples: customer no., invoice no.
|
Length
|
|
data fields contain a range of acceptable values. Examples: 1=cash sale; 2=credit sale
|
Valid code
|
|
Correct logical relationship between two data items. Examples: pay rate of $25/hour is excessive for an employee with a job skill code of 216 (e.g. janitor)
|
Reasonableness
|
|
Data have the appropriate arithmetic sign. Examples: hours worked per week can’t be negative
|
Sign
|
|
All required data items have been entered. Examples: a sales transaction record must include the customer number
|
Completeness
|
|
Successive input data are in some prescribed order. Examples: ascending, descending, chronological or alphabetical order
|
Sequence
|
|
A digit computed from the other digits is appended to the original number and can be used to verify the accuracy of the data
|
Check digit
|
|
focus on the accurate and complete processing of accounting data after they are input to the computer system.
|
Processing controls
|
|
Major types of processing controls
|
Batch total controls & File security controls
|
|
Summarizes key values for a batch of input records. Calculated and recorded when data is entered, and used later to verify that input was processed correctly.
|
Batch Total Controls
|
|
Three commonly used batch totals:
|
financial control totals, record count and hash total
|
|
sums a field that contains dollar values, such as the total dollar amount of all sales for a batch of sales transactions
|
financial control total
|
|
sums a non-financial numeric field, such as the total of sales order numbers
|
hash total
|
|
sums the number of records in a batch
|
record count
|
|
to protect computer files from accidental and intentional errors, and to ensure that the correct files are used in processing.
|
File Security Controls
|
|
human-readable labels identifying the contents of a computer file
|
external file labels
|
|
Examples of internal file labels
|
header and trailer record
|
|
record name, date and other identifying data on the file that can be read and verified by the computer
|
Header record
|
|
batch totals during input
|
Trailer record
|
|
prevent two applications from updating the same record or data item at the same time.
|
lockout procedures (concurrent control)
|
|
Validate processing results and regulate the distribution and use of printed output
|
Output controls
|
|
Output controls validate processing results through the use of …
|
source documents, transaction listings and activity listings.
|
|
involves evaluating the computer’s role in achieving audit objectives and control objectives, and ensures that controls are functioning properly
|
IT Auditing
|
|
IT auditing is performed by both the internal and external auditor. t/f?
|
true
|
|
Control objectives [4]
|
1) Security
2) Availability
3) Processing integrity
4) Online privacy and confidentiality
|
|
protection against unauthorized access
|
Security
|
|
Control Objective: the Information System is available for use
|
Availability
|
|
Control Objective: Processing is complete, timely, authorized and accurate
|
Processing integrity
|
|
Control Objective: protection of personal and all sensitive information
|
Online privacy and confidentiality
|
|
Internal auditing is carried out by _________ reporting to _______ and/or the ____________.
|
company personnel, top management, Audit Committee of the Board of Directors
|
|
is external to the corporate department or division being audited
|
Internal auditing
|
|
scope of internal audit
|
1) Employee adherence to company policies and procedures
2) Evaluation of internal controls
3) Evaluation of operational efficiency and effectiveness
|
|
is carried out by an independent CPA firm
|
external auditing
|
|
3 Scopes of external auditing
|
1) internal control audit
2) financial audit
3) fraud audit (forensic accounting)
|
|
gives an opinion on the effectiveness of internal control
|
internal control audit
|
|
gives an opinion on the accuracy and fairness of financial statements
|
financial audit
|
|
prevents and detects fraud
|
fraud audit (forensic accounting)
|
|
What step in the IT Audit process: Review general and application controls and compliance testing
|
Testing the control procedures (audit through the computers)
|
|
What step in the IT Audit process: To decide if computer processing is significant and complex enough to warrant an examination of the computer-based system itself
|
preliminary evaluation of the system
|
|
Performing substantive tests of account balances means audit with computers using _________
|
CAATs
|
|
Strong controls means (more / fewer?) substantive tests
|
Fewer
|
|
Weak controls means (more / fewer?) substantive tests
|
more
|
|
The 4 steps of the Risk-based Audit Approach
|
1. Determining the threats
2. Systems review
3. Evaluating control procedures
4. Evaluating weaknesses
|
|
inspecting documents, records, and reports, observing system operations, checking samples of system inputs and outputs, and tracing transactions through the system
|
Evaluating control procedures
|
|
a Risk-based Audit Approach that involves identifying the control procedures that should be in place to minimize the threats
|
Systems review
|
|
identifying control deficiencies, determining compensating controls to make up for the deficiency
|
Evaluating weaknesses
|
|
In an automated AIS, auditing with the computer is not mandatory t/f?
|
False, it is virtually mandatory
|
|
CAAT stands for
|
computer-assisted audit techniques
|
|
3 Types of CAATs
|
[1] General-use software
[2] Generalized audit software (GAS)
[3] Automated workpaper software
|
|
2 Types of General-use software
|
[1] Spreadsheet software
[2] Database management systems
|
|
Software capable of the basic data manipulation and calculation tasks performed by spreadsheet and database software; specifically tailored to auditor tasks
|
Generalized audit software
|
|
Software that makes complex mathematical calculations such as interest, depreciation, and ratios
|
Spreadsheet software
|
|
Similar to general ledgers software because it can prepare adjusting entries and adjusted trial balances. Creates common size income statements and balance sheets and calculates financial statement ratios
|
Automated workpaper software
|
|
Software that retrieves and manipulates large sets of data in fairly simple ways; performs simple mathematical computations
|
Database management systems
|
|
to work as a team, to interact with clients and other auditors, and to interview many people constantly for evaluation
|
People skills
|
|
Testing computer programs, validating computer programs, review of systems software, validating users and access privileges, continuous auditing: Auditing around or through the computer?
|
Auditing through the computer
|
|
Examines the inputs and the outputs on a sample basis. If the outputs are as expected, then the processing must be accurate. It tests normal transactions but ignores the exceptions: Auditing around or through the computer?
|
Auditing around the computer
|
|
A more effective approach is “auditing (around or through?) the computer”, which involves direct testing of control procedures
|
through
|
|
______ _______ can check if program edit test controls are in place and working
|
Test data
|
|
A more comprehensive test technique that audits an AIS in an operational setting; is effective in evaluating integrated online systems and complex programming logic
|
Integrated Test Facility (ITF)
|
|
Test data can be developed using software programs called _________
|
test data generators
|
|
________ procedure involves developing test data that tests the range of exception situations as completely as possible, comparing the results with a predetermined set of answers, investigating further if the results do not agree.
|
test data procedure
|
|
The procedure of __________ involves: establishing a fictitious entity such as a department, branch, customer, or employee, entering artificial transactions for that entity, and observing how these transactions are processed.
|
Integrated Test Facility
|
|
Drawback of Integrated Test Facility: the effect of artificial transactions must be _______ out of the system.
|
Reversed
|
|
With __________ , the auditor writes and controls a program that simulates the operations of the client’s program and compares the results of the two programs to detect errors in programming logic
|
parallel simulation
|
|
parallel simulation saves time and costs less. t/f?
|
false, parallel simulation can be very time-consuming and thus cost-prohibitive
|
|
parallel simulation usually involves replicating only certain critical functions of a program. t/f?
|
true
|
|
With parallel simulation, the auditor needs to thoroughly understand the client system, should possess sufficient technical knowledge, and know how to predict the results. t/f?
|
true
|
|
is a set of control procedures developed to protect against unauthorized program changes
|
Program change control
|
|
guards against unauthorized program tampering by performing certain control total tests of program authenticity
|
program comparison
|
|
[2] components of program comparison
|
1) test of length
2) comparison program
|
|
comparing length of the tested program with that of a previously reviewed, valid program
|
test of length
|
|
comparing the code directly on a line-by-line basis
|
comparison program
|
|
What generates outputs that are important for monitoring a company’s computer system?
|
System software
|
|
record the use of computer resources; unusual occurrences such as programs run at odd times or programs run with greater frequency than usual call for further investigation
|
Logs
|
|
who needs to make sure that all users are valid and each has access privileges appropriate to their job
|
IT auditor
|
|
list events that are unusual or interrupt operations including security violations, hardware failures, and software failures
|
Incident reports
|
|
Who needs to verify that the parameters of access control software are set appropriately and must make sure that IT staff are using them appropriately
|
IT auditor
|
|
Used to continuously monitor transaction activity and collect audit evidence
|
Continuous Auditing
|
|
segments of code that capture data for audit purposes
|
Embedded audit modules (EAM)
|
|
When transactions meet pre-specified criteria, they are written to a special log called ______; they are printed out periodically for review by the auditor
|
systems control audit review file (SCARF)
|
|
Done to verify programming logic and the process of handling unusual transactions
|
Transaction tagging
|
|
_________ are traced through the entire application
|
Tagged transactions
|
|
Most efficient type of control is what?
|
preventive control
|
|
Involves taking “pictures” of transactions and their general ledger files before and after specified processing points; provides a basis for evaluating the accuracy and completeness of the processing
|
Snapshot technique
|
|
The process of embedding of an audit module in a DBMS; for transactions of special audit significance, the audit module independently processes the data (similar to parallel simulation), records the results and compares them with the DBMS results; if discrepancies exist, they are written to an audit log for subsequent review. In case of serious discrepancies, the CIS may stop DBMS from executing the update process
|
Continuous and intermittent simulation (CIS)
|
|
_________ identifies important information technologies and specific risks related to these technologies, recommends controls to mitigate risks and suggests audit procedures to validate these controls; this report is issued by _________
|
Systems Auditability and Control (SAC), Institute of Internal Auditors
|
|
provides guidance in assessing business risks, controlling for business risks, and evaluating the effectiveness of controls
|
Control Objectives for Information and Related Technology (COBIT)
|
|
assurance about data security and privacy as well as reliable business practices
|
WebTrust
|
|
assurance about the reliability of information systems
|
SysTrust
|
|
WebTrust and SysTrust combined into one. Principles are security, availability, processing integrity, online privacy and confidentiality
|
Trust Services
|
|
[2] Professional certifications that are available to IT auditors include:
|
1) Certified Information Systems Auditor (CISA)
2) Certified Information Security Manager (CISM)
|
|
Professional IT audit certifications are issued by …
|
Information Systems Audit and Control Association (ISACA)
|
|
Example of preventative control is…
|
Firewall
|
|
Most important component of internal control is the…
|
control environment
|
|
Preventive control and corrective control are used in conjunction with each other. t/f?
|
False. It’s detective control, not preventive
|
|
Who is responsible for assignment of authority and responsibility under internal control?
|
Management
|
|
a company method of implementing controls whose projected benefits outweigh their costs
|
cost-benefit analysis
|
|
Each IP address is mapped to a human-readable domain name, which is also called a ______. Every time you type in a domain address it is translated into the machine-readable IP address.
|
- Universal resource locator (URL).
|
|
www.google.com is an IP address or a URL?
|
- URL
|
|
First level of a domain name:
|
- .COM, .ORG, .NET, .EDU, and .GOV
|
|
2nd level of a domain name:
|
site name
|
|
3rd level of a domain name:
|
specific computer
|
|
74.125.95.99 is an IP address or a URL?
|
IP address
|
|
The internet uses ____________ to transmit data. Information to be sent is divided into small blocks called __________.
|
- packet switching, packets
|
|
Each packet is coded with the _______ and is sent separately via different routes over the network. Upon arrival at the destination, the packets are assembled together in the correct order.
|
- destination address (IP address)
|
|
_________ are rules and procedures that govern the process of data transmission over the Internet.
|
- Protocols
|
|
_______ protocol that specifies the procedures for dividing a file into packets and the methods for reassembling the original file at the destination
|
- TCP (Transmission Control Protocol)
|
|
_______ protocol that specifies the structure of those packets and routing path.
|
- IP (Internet Protocol)
|
|
_____ comprises information made available using similar technology as the Internet but only to authorized users.
|
- Intranet
|
|
Through _______ and _____ , information published on such Intranets is shielded from the general public.
|
- user accounts & passwords
|
|
________ allows controlled access to the corporation's Intranet by selected outside users such as suppliers and customers.
|
- extranet
|
|
_______ is a private network that uses a public network (such as Internet) to connect remote sites or users together.
|
- Virtual Private Networks (VPN)
|
|
The cost of establishing a VPN is much (more or less?) than creating a private network by leasing dedicated lines.
|
- less
|
|
A VPN enables secure data transmission by:
|
1. creating private communication channels (i.e. tunnels)
2. authenticating all users before permitting any data transmission
3. encrypting all data transmission
|
|
___________ refers to buying and selling goods/services electronically.
|
- Electronic Commerce (EC)
|
|
__________ is automating business processes in general over the internet.
|
- Electronic Business
|
|
__________ represents a business arrangement between the buyer and seller in which they agree, in advance, to the terms of their relationship.
|
- Electronic Data Interchange (EDI)
|
|
General categories of E-Commerce:
|
1. Business-to-consumer (B2C) transactions: between business and end-user consumer
2. Business-to-Business (B2B) transactions: between vendor and business
|
|
Most e-commerce is B2C or B2B?
|
- B2B
|
|
_______ acts as a trusted online intermediary, collecting payments from buyers and paying similar amounts to sellers.
|
- E-payment service
|
|
Examples of e-payment service:
|
- PayPal, Google Checkout
|
|
________ allows organizations to transmit standard business documents over high-speed data communications channels.
|
- Electronic Data Interchange (EDI)
|
|
Two ways to implement EDI applications:
|
1. Value-Added Networks (VANs) based EDI
2. Internet-based EDI
|
|
In which EDI application can data security be enhanced by using encryption technology?
|
- Internet-based EDI.
|
|
The act of capturing data packets as they travel over computer networks and sifting the captured data for confidential information.
|
- Sniffing (electronic eavesdropping)
|
|
What EDI application has private, point-to-point communication channels?
|
- Value-Added Networks (VANs) based EDI
|
|
a coordinated attack on a computer system from a botnet (a network of hijacked computers, aka zombies) to deny legitimate users access.
|
- Denial of service (DoS) attack
|
|
What EDI application involves leasing secure, dedicated transmission lines from long-distance carriers such as AT&T?
|
- Value-Added Networks (VANs) based EDI
|
|
removing software protection designed to prevent unauthorized duplication
|
- Cracking
|
|
Which EDI application uses well-understood Internet technology and a preexisting, costless network to transmit business data, and offers convenience?
|
- Internet-based EDI
|
|
accessing and using computer systems without permission, usually by means of a personal computer and a telecommunication network
|
- Hacking
|
|
When someone uses another person’s personal data in some way that involves fraud or deception, usually for economic gain.
|
- Identity theft
|
|
attacking a phone system in order to make free calls or disrupt services
|
- Phreaking
|
|
sending unsolicited mass emails
|
- Spamming
|
|
gaining access to confidential information by searching corporate or personal records.
|
- Scavenging
|
|
obtain confidential information by tricking people.
|
- Social engineering
|
|
Social engineering examples:
|
Spoofing and Phishing, Vishing, Posing
|
|
emails pretending to be from a legitimate company and requesting confidential information. Example: http://pages.ebay.com/education/spooftutorial/spoof_2.html
|
- Spoofing and Phishing
|
|
voice phishing, emails requesting recipients to call a specified phone number
|
- Vishing
|
|
creating a seemingly legitimate business, collecting personal information while making a sale, and never delivering a product.
|
- Posing
|
|
any type of malicious software designed to disrupt or disable a computer system.
|
- Malware
|
|
secretly collects personal information and communicates it to others
|
- Spyware
|
|
displays banner ads as users surf the net and monitors users’ web-surfing and spending habits
|
- Adware
|
|
a set of malicious computer instructions in an innocent-looking computer program
|
- Trojan horse
|
|
Trojan horses that lie dormant until triggered by a specified time or circumstance.
|
- time bombs
|
|
back door, a way into a system that bypasses normal system controls
|
- trap door
|
|
a self-replicating malicious program.
|
- virus / worm
|
|
_______ safeguard an organization’s electronic resources and limit access to authorized users
|
- Security procedures
|
|
Examples of Security procedures are
|
1. Firewall
2. Proxy servers
3. Intrusion detection systems
4. Data Encryption
|
|
Firewall is only software-based. t/f?
|
- False. Firewall can be either hardware or software-based.
|
|
Two primary methods of firewall protection:
|
- Inclusion: limits access to authorized users
- Exclusion: denies access to unauthorized users
|
|
guards against unauthorized access to sensitive file information from external Internet users.
|
- firewall
|
|
creates logs of network traffic and analyzes those logs for signs of attempted or successful intrusions.
|
- Intrusion Detection Systems (IDS)
|
|
__________ examines packets of incoming messages and uses the access control list (ACL) to control the network traffic.
|
- firewall
|
|
compares logs to a database containing patterns of traffic associated with known attacks.
|
- IDS
|
|
2 Types of IDS
|
- passive IDS and reactive IDS
|
|
a computer and related software that can be used to control Web access.
|
- Proxy Server
|
|
type of IDS that creates logs of potential intrusions and alerts network administrators to them
|
- Passive IDSs
|
|
detect potential intrusions dynamically, log off potentially malicious users, and even reprogram a firewall to block further messages from the suspected source.
|
- Reactive IDSs
|
|
transforms plaintext messages into unintelligible ciphertext ones using an encryption key.
|
- Data Encryption
|
|
decodes the encrypted messages back into plaintext.
|
- Decryption
|
|
Example of a simple encryption method
|
- Caesar cipher (shifting each letter by 3 positions to the right)
|
|
2 Types of Encryption System
|
- Secret key encryption and public key encryption
|
|
The same key is used both to encrypt and to decrypt, and is shared by the communicating parties. Secret key encryption or public key encryption?
|
- Secret key encryption
|
|
a pair of public/private encryption keys is used. Secret key encryption or public key encryption?
|
- Public key encryption
|
|
The sending party uses the recipient’s public key to encode the message, and the receiving party uses the corresponding private key to decode it. Secret key encryption or public key encryption?
|
- Public key encryption
|
|
The number of secret keys becomes difficult to manage when a large number of parties are involved. Secret key encryption or public key encryption?
|
- Secret key encryption
|
|
Spyware that records keystrokes
|
Key logger
|