Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
69 Cards in this Set
- Front
- Back
- 3rd side (hint)
|
Threat / Event |
Any potential adverse occurrence or unwanted event that could inujure the AIS or the organization. |
|
|
|
Exposure / Impact |
The potential dollar loss should a particular threat become a reality. |
|
|
|
Likelihood |
The probability that a threat will come to pass. |
|
|
|
Internal Controls |
The processess and procedures implemented to provide reasonable assurance that control objectives are met. |
|
|
|
Preventive Controls |
Controls that deter problems before they arise. |
|
|
|
Detective Controls |
Controls designed to discover control problems that were not prevented. |
|
|
|
Corrective Controls |
Controls that identify and correct problems as well as correct and recover from the resulting errors. |
|
|
|
General Controls |
Controls designed to make sure an organization's information system and control environment are stable and well managed. |
|
|
|
Application Controls |
Controls that prevent, detect, and correct transaction errors and fraud in application programs. |
|
|
|
Belief System |
System that describes how a company creates value, helps employees understand management's vision, communicates company core values, and inspires employees to live by those values. |
|
|
|
Boundary System |
System that helps employees act ethically by setting boundaries on employee behavior. |
|
|
|
Diagnostic Control System |
System that measures, monitors, and compares actual company progress to budgets and performance goals. |
|
|
|
Interactive Control System |
System that helps managers to focus subordinates' attention on key strategic issues and to be more involved in their decisions. |
|
|
|
Foreign Corrupt Practices Act (FCPA) |
Legislation passed to prevent companies from bribing foreign officials to obtain business; also requires all publicly owned corporations maintain a system of internal accounting controls. |
|
|
|
Sarbanes-Oxley Act (SOX) |
Legislation intended to prevent financial statement fraud, make financial reports more transparent, provide protection to investors, strengthen internal controls at public companies, and punish executives who perpetrate fraud. |
|
|
|
Public Company Accounting Oversight Board (PCAOB) |
A board created by SOX that regulates the auditing profession; created as part of SOX. |
|
|
|
Control Objectives for Information and Related Technology (COBIT) |
A security and control framework that allows 1) management to benchmark the security and control practices of IT environments, 2) users of IT services to be assured that adequate security and control exist, and 3) auditors to substantiate their internal control opinions and advise on IT security and control matters. |
|
|
|
Committee of Sponsoring Organizations (COSO) |
A private sector group consisting of the American Accounting Association, the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives Institute. |
|
|
|
Internal Control - Integrated Framework (IC) |
A COSO framework that defines internal controls and provides guidance for evaluating and enhancing internal control systems. |
|
|
|
Enterprise Risk Management Integrated Framework (ERM) |
A COSO framework that improves the risk management process by expanding (adds three additional elements) COSO's Internal Control - Integrated. |
|
|
|
Internal Environment |
The company culture that is the foundation for all other ERM components as it influences how organizations establish strategies and objectives; structure business activities; and identify, assess, and respond to risk. |
|
|
|
Risk Appetite |
The amount of risk a company is willing to accept to achieve its goals and objectives. To avoid undue risk, risk appetite must be in alignment with company strategy. |
|
|
|
Audit Committee |
The outside, independent board of director members responsible for financial reporting, regulatory compliance, internal control, and hiring and overseeing internal and external auditors. |
|
|
|
Policy and Procedures Manual |
A document that explains proper business practices, describes needed knowledge and experience, explains document procedures, explains how to handle transactions, and lists the resources provided to carry out specific duties. |
|
|
|
Background Check |
An investigation of a prospective or current employee that involves verifying their educational and work experience, talking to references, checking for a criminal record or credit problems, and examining other publicly available information. |
|
|
|
Strategic Objectives |
High-level goals that are aligned with and support the company's mission and create shareholder value. |
|
|
|
Operations Objectives |
Objectives that deal with the effectiveness and efficiency of company operations and determine how to allocate resources. |
|
|
|
Reporting Objectives |
Objectives that help ensure the accuracy, completeness, and reliability of company reports; improve decision-making; and monitor company activities and performance. |
|
|
|
Compliance objectives |
Objectives to help the company comply with all applicable laws and regulations. |
|
|
|
Event |
A positive or negative incident or occurrence from internal or external sources that affects the implementation of strategy with the achievement of objectives. |
|
|
|
Inherent risk |
The susceptibility of a set of accounts or transactions to significant control problems in the absence of internal control. |
|
|
|
Residual risk |
The risk that remains after management implements internal controls or some other response to risk. |
|
|
|
Expected Loss |
The mathematical product of the potential dollar loss that would occur should a threat become a reality (called impact or exposure) and the risk or probability that the threat will occur (called likelihood). |
Expected loss = impact X likelihood |
|
|
Control activities |
Policies, procedures, and rules that provide reasonable assurance that control objectives are met and risk responses are carried out. |
|
|
|
Authorization |
Establishing policies for employees to follow and then empowering them to perform certain organizational functions. Authorizations are often documented by signing, initializing, or entering an authorization code on a document or record. |
|
|
|
Digital signature |
A means of electronically signing a document with data that cannot be forged. |
|
|
|
Specific authorization |
Special approval an employee needs in order to be allowed to handle a transaction. |
|
|
|
General authorization |
The authorization given employees to handle routine transactions without special approval. |
|
|
|
Segregation of accounting duties |
Separating the accounting functions of authorization, custody, and recording to minimize an employee's ability to commit fraud. |
|
|
|
Collusion |
Cooperation between two or more people in an effort to thwart internal controls. |
|
|
|
Segregation of systems duties |
Implementing control procedures to clearly divide authority and responsibility within the information system function. |
|
|
|
Systems administrator |
Person responsible for making sure the system operates smoothly and efficiently. |
|
|
|
Network manager |
Person responsible for ensuring that applicable devices are linked to the organization's networks and that the networks operate properly. |
|
|
|
Security Management |
People that make sure systems are secure and protected from internal and external threats. |
|
|
|
Change management |
Process of making sure changes are made smoothly and efficiently and do not negatively affect systems reliability, security, confidentiality, integrity, and availability. |
|
|
|
Users |
People who record transactions, authorize data processing, and use system output. |
|
|
|
Systems analyst |
People who help users determine their information needs and design systems to meet those needs. |
|
|
|
Programmers |
People who take the analysts' designs and develop, code, and test computer programs. |
|
|
|
Computer operators |
People who operate the company's computers. |
|
|
|
Information system Library |
A collection of corporate data bases, files, and programs stored in a separate storage area and managed by the system librarian. |
|
|
|
Data control group |
People who ensure that source data is properly approved, monitor the flow of work, reconcile systems input and output, handle input errors to ensure their correction and resubmission, and distribute systems output. |
|
|
|
Steering committee |
An executive level committee to plan and oversee the information systems function. |
|
|
|
Strategic Master Plan |
A multiple year plan that lays out the projects the company must complete to achieve its long-range goals and the resources needed to achieve the plan. |
|
|
|
Project Development Plan |
A document that shows how a project will be completed. |
|
|
|
Data Processing Schedule |
A schedule that shows when each data processing task should be performed. |
|
|
|
System Performance Measurements |
Ways to evaluate and assess a system. |
|
|
|
Throughput |
The amount of work performed by a system during a given period of time. |
|
|
|
Utilization |
The percentage of time a system is used. |
|
|
|
Response Time |
How long it takes for a system to respond. |
|
|
|
Postimplementation Review |
Review, performed after a new system has been operating for a brief period, to ensure that it meets its planned objectives. |
|
|
|
Systems Integrator |
An outside party hired to manage a company's systems development efforts. |
|
|
|
Analytical Review |
Examination of the relationships between different sets of data. |
|
|
|
Audit Trail |
A path that allows a transaction to be traced through a data processing system from point of origin to output or backward from output to point of origin. |
|
|
|
Computer Security Officer (CSO) |
An employee independent of the information system function and monitors the system, disseminates information about improper system uses and the consequences, and reports to top management. |
|
|
|
Chief Compliance Officer (CCO) |
Employee responsible for all the compliance tasks associated with SOX and other laws and regulatory rulings. |
|
|
|
Forensic Investigators |
Individuals who specialize in fraud, most of whom have specialized training with law enforcement agencies such as the FBI or IRS or have professional certifications such as certified fraud examiner CFE. |
|
|
|
Computer Forensics Specialists |
Computer experts who discover, extract, safeguard, and document computer evidence such that its authenticity, accuracy, and integrity will not succumb to legal challenges. |
|
|
|
Neural Networks |
Computing systems that imitate the brain's learning process by using a network of interconnected processors that perform multiple operations simultaneously and interact dynamically. |
|
|
|
Fraud Hotline |
A phone number employees can call to anonymously report fraud and abuse. |
|
