Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
135 Cards in this Set
- Front
- Back
|
Threat
|
A threat is any potential adverse occurrence or unwanted event that could injure the AIS or the organization
|
|
|
exposure or impact
|
of the threat is the potential dollar loss that would occur if the threat becomes a reality
|
|
|
One of the primary objectives of an AIS
|
is to control a business organization
|
|
|
Management expects accountants to
|
eliminating system threats; and
Detect, correct, and recover from threats when they do occur |
|
|
Internal control
|
is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved
Assets (including data) are safeguarded Records are maintained in sufficient detail to accurately and fairly reflect company assets Accurate and reliable information is provided There is reasonable assurance that financial reports are prepared in accordance with GAAP Operational efficiency is promoted and improved Adherence to prescribed managerial policies is encouraged The organization complies with applicable laws and regulations |
|
|
Internal control provides
|
reasonable, rather than absolute, assurance
|
|
|
Internal control systems have inherent limitations, including
|
They are susceptible to errors and poor decisions
They can be overridden by management or by collusion of two or more employees |
|
|
Internal control is a process because
|
It permeates an organization’s operating activities
It is an integral part of basic management activities |
|
|
Internal controls perform three important functions
|
Preventive controls
Detective controls Corrective controls |
|
|
Internal controls are segregated into two categories
|
General controls (entity level
|
|
|
Section 404 of SOX requires
|
States management is responsible for establishing and maintaining an adequate internal control structure and procedures
Contains management’s assessment of the company’s internal controls Attests to the accuracy of the internal controls, including disclosures of significant defects or material noncompliance found during the tests |
|
|
companies develop good internal control systems. Three of the most important are
|
The COBIT framework
The COSO internal control framework COSO’s Enterprise Risk Management framework (ERM) |
|
|
COBIT
|
Control Objectives for Information and Related Technology )
|
|
|
COBIT
|
Business objectives
IT resources IT processes |
|
|
COSO
|
The Committee of Sponsoring Organizations) (COSO) is a private sector group consisting of
|
|
|
COSO
|
Defines internal controls
Provides guidance for evaluating and enhancing internal control systems Widely accepted as the authority on internal controls Incorporated into policies, rules, and regulations used to control business activities |
|
|
COSO’s internal control model has five crucial components
|
Control environment
Risk assessment Control activities Information and communication Monitoring |
|
|
ERM
|
Enterprise Risk Manage Integrated Framework
|
|
|
ERM
|
An enhanced corporate governance document
Expands on elements of preceding framework Provides a focus on the broader subject of enterprise risk management |
|
|
ERM defines risk management as
|
A process effected by an entity’s board of directors, management, and other personnel
Applied in strategy setting and across the enterprise To identify potential events that may affect the entity And manage risk to be within its risk appetite In order to provide reasonable assurance of the achievement of entity objectives |
|
|
Major ERM objectives
|
Strategic objectives, Operations objectives, Reporting objectives, Compliance objectives
|
|
|
Major ERM control components
|
Internal environment
Objective setting Event identification Risk Assessment Risk response Control activities Information and Communication Monitoring |
|
|
The ERM model is
|
three-dimensional
|
|
|
Internal environment consists of the following
|
Management’s philosophy, operating style, and risk appetite
The board of directors Audit committee Commitment to integrity, ethical values, and competence Organizational structure Methods of assigning authority and responsibility Human resource standards External influences |
|
|
why the company exists
|
corporate vision or mission
|
|
|
COSO identified many
|
many internal and external factors that could influence events and affect a company’s ability to implement strategy and achieve objectives
|
|
|
Companies should
|
Assess inherent risk / Develop a response / Then assess residual risk
|
|
|
The ERM model indicates four ways to respond to risk
|
Reduce it / Accept it / Share it / Avoid it
|
|
|
Jack Donaghy is trying to decide whether to install a motion detector system in the “TGS with Tracy Jordan” custom warehouse (located in the GE building) to reduce the probability of a catastrophic theft
A catastrophic theft could result in losses of $800,000 Local crime statistics suggest that the probability of a catastrophic theft at the GE building is 12% Companies with motion detectors only have about a 0.5% probability of catastrophic theft The present value of purchasing and installing a motion detector system and paying future security costs is estimated to be about $43,000 |
Expected loss without control procedure = $800,000 x .12 = $96,000.
Expected loss = Impact x Likelihood Expected loss with control procedure = $800,000 x .005 = $4,000. Estimated value of control procedure = $96,000 - $4,000 = $92,000. Estimated cost of control procedure = $43,000 (given). Benefits exceed costs by $92,000 - $43,000 = $49,000. |
|
|
Control activities
|
are policies, procedures, and rules that provide reasonable assurance that management’s control objectives are met and their risk responses are carried out
|
|
|
control procedures fall into one of the following categories
|
Proper authorization of transactions and activities
Segregation of duties Project development and acquisition controls Change management controls Design and use of documents and records Safeguard assets, records, and data Independent checks on performance |
|
|
levels of authorization
|
General authorization
Management authorizes employees to handle routine transactions without special approval Special authorization For activities or transactions that are of significant consequences, management review and approval is required. Might apply to sales, capital expenditures, or write-offs over a particular dollar limit |
|
|
Effective segregation of accounting duties is achieved when the following functions are separated
|
Authorization – approving transactions and decisions
Recording – preparing source documents; maintaining journals, ledgers, or other files; preparing reconciliations; and preparing performance reports Custody – handling cash, maintaining an inventory storeroom, receiving incoming customer checks, writing checks on the organization’s bank account |
|
|
collusion
|
would override segregation and renders the segregation of duties useless
|
|
|
Authority and responsibility must be divided clearly among the following functions
|
Systems administration
Network management Security management Change management Users Systems analysts Programming Computer operations Information systems library Data control |
|
|
in order to reduce the potential for cost overruns and project failure and to improve the efficiency and effectiveness of the IS
|
Strategic master plan
Project controls Data processing schedule Steering committee System performance measurements Post-implementation review |
|
|
Change management is the process of making sure that the changes do not negatively affect
|
Systems reliability
Security Confidentiality Integrity |
|
|
Form and content should be kept as simple as possible to
|
Promote efficient record keeping
Minimize recording errors Facilitate review and verification |
|
|
Maintain accurate records of all assets
|
Periodically reconcile recorded amounts to physical counts
Restrict access to assets Protect records and documents |
|
|
Segregation of duties only has value when supplemented by
|
independent checks
|
|
|
The following independent checks are typically used
|
Top-level reviews
Management at all levels should monitor company results and periodically compare actual performance Analytical reviews Examinations of relationships between different sets of data Reconciliation of independently maintained sets of records Check the accuracy and completeness of records by reconciling them with other records that should have the same balance Comparison of actual quantities with recorded amounts Periodically, count significant assets and reconcile the count to company records Double-entry accounting Ensure that debits equal credits Independent review After one person processes a transaction, another reviews their work |
|
|
According to the AICPA, an AIS has five primary objectives
|
Identify and record all valid transactions
Properly classify transactions Record transactions at their proper monetary value Record transactions in the proper accounting period Properly present transactions and related disclosures in the financial statements |
|
|
Monitoring can be
|
Perform ERM evaluation
Implement effective supervision Use responsibility accounting Monitor system activities Track purchased software Conduct periodic audits To monitor risk and detect fraud and errors, the company should have periodic External audits Internal audits Special network security audits Auditors should test system controls and browse system usage files looking for suspicious activities (discussed in Chapter 9). Employ a computer security officer, a Chief Compliance Officer, and security consultants Engage forensic specialists Install fraud detection software Implement a fraud hotline SOX mandates that companies set up mechanisms for employees to anonymously report abuses such as fraud. An effective way to comply with the law and resolve employee concerns is to provide access to an anonymous hotline. Anonymous reporting can be accomplished through Phone lines Web-based reporting Anonymous emails Snail mail |
|
|
Chapt 7
|
Chapt 7
|
|
|
The five basic principles that contribute to systems reliability
|
Security
Confidentiality Privacy Processing Integrity Availability |
|
|
COBIT information criteria
|
Effectiveness
Efficiency Confidentiality Integrity Availability Compliance Reliability |
|
|
COBIT domains
|
Plan and organize
Acquire and implement Deliver and support Monitor and evaluate |
|
|
three fundamental information security concepts
|
Security as a management issue, not a technology issue
The time-based model of security Defense in depth |
|
|
Security is a
|
top management issue
|
|
|
Security
|
is a key component of the internal control and systems reliability to which management must attest
|
|
|
in the COSO model, management’s philosophy and operating style are critical
|
to an effective control environment
|
|
|
The Trust Services framework identifies four essential criteria
|
Develop and document policies
Effectively communicate those policies to all authorized users Design and employ appropriate control procedures to implement those policies Monitor the system, and take corrective action to maintain compliance with the policies |
|
|
Developing a comprehensive set of security policies begins with taking an inventory of information systems resources, including
|
Hardware
Software Databases |
|
|
Once the organization’s information systems resources have been identified
|
they need to be valued in order to select the most cost-effective control procedures
|
|
|
COBIT stresses that the
|
CEO and CFO are accountable for ensuring that the organization has implemented a thorough risk assessment program
|
|
|
Technology advances
|
create new threats and alter the risks associated with existing threats
|
|
|
Effective control involves a continuous cycle of
|
Developing policies to address identified threats;
Communicating those policies to all employees; Implementing specific control procedures to mitigate risk; Monitoring performance; and Taking corrective action in response to problems |
|
|
The time-based model of security focuses on implementing a set of
|
preventive, detective, and corrective controls that enable an organization to recognize that an attack is occurring and take steps to thwart it before any assets have been compromised
|
|
|
The time-based model evaluates the effectiveness of an organization’s security by measuring and comparing the relationship among three variables
|
P = Time it takes an attacker to break through the organization’s preventive controls.
D = Time it takes to detect that an attack is in progress. C = Time to respond to the attack. These three variables are evaluated as follows If P > (D + C), then security procedures are effective. Otherwise, security is ineffective |
|
|
of defense-in-depth
|
employ multiple layers of controls to avoid having a single point of failure
|
|
|
Reconnaissance
|
Collecting information to identify potential vulnerabilities
|
|
|
Social Engineering
|
Tricking unsuspecting employees into allowing access to system
|
|
|
Scan and Map
|
Detailed scan of system to identify potential points of remote entry
|
|
|
Research
|
Researching vulnerabilities of software identified during scan
|
|
|
Attack Execution
|
Unauthorized access to system
|
|
|
Cover
|
Removing evidence of attack
|
|
|
Preventive
|
The objective of preventive controls is to prevent security incidents from happening
|
|
|
Detective
|
Preventive controls are never 100% effective in blocking all attacks
So organizations implement detective controls to enhance security |
|
|
Corrective
|
Detection of attempted and successful intrusions is not enough
Therefore, the AICPA Trust Services Framework specifies the need for procedures to react to incidents and to take corrective actions on a timely basis |
|
|
Authentication
|
Focuses on verifying the identity of the person or device attempting to gain access
Password |
|
|
Authorization
|
Restricts access of authenticated users to specific portions of the system and specifies what actions they are permitted to perform
|
|
|
Training (1st layer)
|
Employees should be trained to follow safe computing practices
|
|
|
Controlling Physical Access (2nd layer)
|
It is absolutely essential to achieve any degree of information security
|
|
|
Controlling Remote Access (3rd layer)
|
It is important to control which information is allowed to enter and leave the organization’s information system
|
|
|
Host and Application Hardening (4th layer)
|
Information security is enhanced by supplementing preventive controls on the network perimeter with additional preventive controls on the organization’s network
|
|
|
Encryption (5th layer)
|
Encrypting sensitive stored data provides one last barrier that must be overcome by an intruder
Encryption is the process of transforming normal text, called plaintext, into unreadable gibberish, called cipher-text Decryption reverses this process To encrypt or decrypt, both a key and an algorithm are needed |
|
|
There are two basic types of encryption systems
|
Symmetric encryption systems
Use the same key to encrypt and decrypt Asymmetric encryption systems Use two keys The public key is publicly available The private key is kept secret and known only to the owner of that pair of keys Either key can be used to encrypt Whichever key is used to encrypt, the other key must be used to decrypt |
|
|
Hashing
|
Hashing takes plaintext of any length and transforms it into a short code called a hash
Encryption always produces cipher-text similar in length to the plaintext, but hashing produces a hash of a fixed short length. Encryption is reversible, but hashing is not; you cannot transform a hash back into its original plaintext |
|
|
Digital signatures
|
Asymmetric encryption and hashing are used to create digital signatures
|
|
|
Digital certificate
|
An electronic document, created and digitally signed by a trusted third party
|
|
|
Log analysis
|
Most systems come with extensive capabilities for logging who accesses the system and what specific actions each user performed
The log may indicate unsuccessful attempts to log in to different servers |
|
|
Intrusion detection systems
|
A major weakness of log analysis is that it is labor intensive and prone to human error
Intrusion detection systems (IDS) represent an attempt to automate part of the monitoring |
|
|
Managerial reports
|
Management can use COBIT to set up a report scorecard
COBIT provides Management guidelines that identify crucial success factors associated with each objective Key performance indicators that can be used to assess their effectiveness |
|
|
Security testing
|
The effectiveness of existing security procedures should be tested periodically
|
|
|
Computer emergency response team (CERT)
|
Responsible for dealing with major incidents
Should include technical specialists and senior operations management |
|
|
A chief security officer (CSO)
|
Should impartially assess and evaluate the IT environment, conduct vulnerability and risk assessments, and audit the chief information office (CIO)’s security measures
|
|
|
Patch management
|
Fixing known vulnerabilities and installing latest updates to all of an organization’s software
|
|
|
Chapter 8
|
Chapter 8
|
|
|
Maintaining confidentiality requires that management identify which information is sensitive
|
Each organization will develop its own definitions of what information needs to be protected
Most definitions will include Business plans Pricing strategies Client and customer lists Legal documents |
|
|
Encryption is a fundamental control procedure for protecting the confidentiality of sensitive information
|
Confidential information should be encrypted
While stored and whenever transmitted If data is encrypted before sending it, a virtual private network (VPN) is created |
|
|
Primary difference is that privacy focuses on protecting personal information about customers
|
rather than organizational data
|
|
|
The Trust Services privacy framework of the AICPA and CICA lists ten internationally recognized best practices for protecting the privacy of customers’ personal information *
|
As Follows
|
|
|
* Management
|
The organization establishes a set of procedures and policies for protecting privacy of personal information it collects
|
|
|
*Notice
|
Provides notice about its policies and practices when it collects the information or as soon as practicable thereafter
|
|
|
*Choice and consent
|
Describes the choices available to individuals and obtains their consent to the collection and use of their personal information
|
|
|
*Collection
|
The organization collects only that information needed to fulfill the purposes stated in its privacy policies
|
|
|
*Use and retention
|
The organization uses its customers’ personal information only according to stated policy and retains that information only as long as needed
|
|
|
*Access
|
The organization provides individuals with the ability to access, review, correct, and delete the personal information stored about them
|
|
|
*Disclosure to Third Parties
|
The organization discloses customers’ personal information to third parties only per stated policy and only to third parties who provide equivalent protection
|
|
|
*Security
|
The organization takes reasonable steps to protect customers’ personal information from loss or unauthorized disclosure
|
|
|
Quality
|
The organization maintains the integrity of its customers’ personal information
|
|
|
Monitoring and enforcement
|
The organization assigns one or more employees to be responsible for assuring and verifying compliance with its stated policies
|
|
|
encryption and access controls are
|
the two basic mechanisms for protecting consumers’ personal
|
|
|
COBIT control objective addresses
|
the need for controls over the input, processing, and output of data
|
|
|
These six AC categories are grouped into three groups of integrity controls
|
Input controls
Processing controls Output controls |
|
|
Input controls include
|
Forms design
Pre-numbered forms sequence test Turnaround documents Cancellation and storage of documents Authorization and segregation of duties Visual scanning Check digit verification RFID security |
|
|
Once data is collected, data entry control procedures are needed to ensure that it’s entered correctly
Common tests to validate input include |
Field check
Sign check Limit check Range check Size (or capacity) check Completeness check Validity check Reasonableness test Check digit verification |
|
|
Batch processing data entry controls
|
Sequence check
Error log Batch totals |
|
|
Online data entry controls
|
Automatic entry of data
Prompting Pre-formatting Closed-loop verification Transaction logs Error messages |
|
|
Processing controls to ensure that data is processed correctly include
|
Data matching
Two or more items must match before processing can proceed Example: The quantity billed on the vendor invoice must match the quantity ordered on the purchase order and the quantity received on the receiving report File labels External labels should be checked visually to ensure the correct and most current files are being updated Recalculation of batch totals Batch totals should be recomputed as processing takes place |
|
|
Common tests to validate input
|
Field check
Sign check Limit check Range check Size (or capacity) check Completeness check Validity check Reasonableness test Check digit verification |
|
|
Batch processing data entry controls
|
Sequence check
Error log Batch totals |
|
|
Online data entry controls
|
Automatic entry of data
Prompting Pre-formatting Closed-loop verification Transaction logs Error messages |
|
|
Processing controls to ensure that data is processed correctly include
|
Data matching, File labels, Recalculation of batch totals, Cross-footing balance test, Write-protection mechanisms, and Database processing integrity procedures
|
|
|
Data matching
|
Two or more items must match before processing can proceed
Example: The quantity billed on the vendor invoice must match the quantity ordered on the purchase order and the quantity received on the receiving report |
|
|
File labels
|
External labels should be checked visually to ensure the correct and most current files are being updated
|
|
|
Recalculation of batch totals
|
Batch totals should be recomputed as processing takes place
|
|
|
Cross-footing balance test
|
Compares arithmetic results produced by two different methods to verify accuracy
Example: Compute the sum of column totals in a spreadsheet and compare it to a sum of the row totals |
|
|
Write-protection mechanisms
|
Protect against accidental writing over or erasing of data files but are not foolproof
|
|
|
Database processing integrity procedures
|
Database systems use database administrators, data dictionaries, and concurrent update controls to ensure processing integrity
Concurrent update controls protect records from being updated by two users simultaneously |
|
|
Important output controls include
|
User review of output, Reconciliation procedures
, External data reconciliation, |
|
|
User review of output
|
Users carefully examine output for reasonableness, completeness, and to assure they are the intended recipient
|
|
|
Reconciliation procedures
|
Periodically, all transactions and other system updates should be reconciled to control reports, file status/update reports, or other control mechanisms
|
|
|
External data reconciliation
|
Database totals should periodically be reconciled with data maintained outside the system
Example: Compare number of employee records in the payroll file to number in the human resources file (excess records in payroll suggests a “ghost” employee). |
|
|
There are two basic types of data transmission controls
|
Parity checking and Message acknowledgment techniques
|
|
|
Parity checking
|
Computers represent characters as a set of binary digits (bits)
For example, “5” is represented by the seven-bit pattern 0000101 When data are transmitted some bits may be lost or received incorrectly Two basic schemes to detect these events are referred to as even parity and odd parity In either case, an additional bit is added to the digit being transmitted |
|
|
Message acknowledgment techniques
|
A number of message acknowledgment techniques can be used to let the sender of an electronic message know that a message was received
Echo check Trailer record Numbered batches |
|
|
Threats to system availability originate from many sources, including
|
Hardware and software failures
Natural and man-made disasters Human error Worms and viruses Denial-of-service attacks and other sabotage |
|
|
Minimizing
Risk of significant system downtime caused by the preceding threats These availability controls include ** |
Minimizing risk of system downtime
Organizations can take a variety of steps to minimize the risk of system downtime Physical and logical access controls (Chapter 7) can reduce the risk of successful denial-of-service attacks An uninterruptible power supply (UPS) provides protection from a prolonged power outage and buys the system enough time to back up critical data and shut down safely ** |
|
|
Disaster recovery and business continuity planning
** |
Minimize the extent of the disruption, damage, and loss
Temporarily establish an alternative means of processing information Resume normal operations as soon as possible Train and familiarize personnel with emergency operations ** |
|
|
Key components of effective disaster recovery and business continuity plans include
Data backup procedures |
Data need to be backed up regularly and frequently.
|
|
|
Infrastructure Replacement
|
Reciprocal agreements – the organization enters into an agreement with another organization that uses similar equipment to have temporary access to and use of their information system resources in the event of a disaster
Cold site – an empty building is purchased or leased and pre-wired for necessary telephone and Internet access Hot site –a facility that is pre-wired for phone and Internet (like the cold site) but also contains the essential computing and office equipment |
|
|
Thorough documentation
|
The disaster recovery plan itself, including instructions for notifying appropriate staff and the steps to resume operation, needs to be well documented
|
|
|
Periodic testing
|
Plans should be tested on at least an annual basis to ensure they reflect recent changes in equipment and procedures
|
|
|
Adequate insurance
|
Organizations should acquire adequate insurance coverage to defray part or all of the expenses associated with implementing their disaster recovery and business continuity plans
|
