71 Cards in this Set
Threat
|
A potential adverse occurrence or unwanted event that could injure an organization's AIS
|
|
Exposure/Impact
|
Potential dollar loss if a threat becomes a reality
|
|
Likelihood
|
Probability that the threat will happen
|
|
Preventive controls
|
Controls that detect problems before they arise
|
|
Detective controls
|
Controls that discover problems as soon as they arise
|
|
Corrective controls
|
Controls that remedy problems that have been discovered
|
|
General controls
|
Controls designed to make sure an organization's control environment is stable and well managed
|
|
Application controls
|
Prevent, detect and correct transaction errors and fraud. They are concerned with accuracy, completeness, validity, and authorization of the data captured...
|
|
Sarbanes-Oxley Act (SOX)
|
Applies to publicly held companies and their auditors. Intended to prevent financial statement fraud, make financial reports more transparent, provide protection to investors, strengthen the internal controls at public companies, and punish executives who perpetrate fraud
|
|
Belief system
|
Communicates core values to employees and inspires them to live by them
|
|
Boundary system
|
Helps employees act ethically by setting limits beyond which an employee must not pass
|
|
Diagnostic control system
|
Measures company progress by comparing actual performance to planned performance. It provides feedback to make adjustments so future outputs will more closely match goals
|
|
Interactive control system
|
Helps top-level management with high-level activities that demand frequent and regular attention such as developing company strategy, setting company objectives...
|
|
Control Objectives for Information and related Technology (COBIT)
|
Framework of generally applicable information systems security and control practices for IT Control
|
|
Committee of Sponsoring Organizations (COSO)
|
Private-sector group consisting of the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives Institute. They created the Internal Control-Integrated Framework, and later the Enterprise Risk Management-Integrated Framework (ERM)
|
|
Enterprise Risk Management-Integrated Framework (ERM)
|
Framework that expands on the internal control integrated framework. It focuses on the subject of enterprise risk management.
|
|
Strategic Objective
|
High-level goals that are aligned with and support the company's mission
|
|
Operations Objective
|
Deal with the effectiveness and efficiency of company operations, such as performance and profitability goals and safeguarding assets.
|
|
Reporting Objective
|
Help ensure the accuracy, completeness and reliability of internal and external company reports, of both a financial and non-financial nature.
|
|
Compliance Objective
|
Help the company comply with all applicable laws and regulations
|
|
Internal environment
|
Tone/culture of company that helps determine how risk conscious employees are. (Same as control environment in the internal control integrated framework)
|
|
Risk appetite
|
Amount of risk a company is willing to accept in order to achieve its goals and objectives
|
|
Audit committee
|
Composed entirely of outside, independent directors. Responsible for overseeing the corporation's internal control structure, its financial reporting process, and its compliance with related laws, regulations and standards
|
|
Policy and procedures manual
|
Explains proper business practices, describes the knowledge and experience needed by key personnel, spells out management policy for handling specific transactions, and documents the systems and procedures employed to process those transactions. It includes the chart of accounts and sample copies of forms and documents.
|
|
Background check
|
Includes verifying educational and work experience, talking to references, checking for a criminal record and checking credit records.
|
|
Event
|
An incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of objectives. Events may have positive or negative impacts or both. Represents uncertainty. May occur.
|
|
Foreign Corrupt Act
|
Act whose primary purpose is to prevent the bribery of foreign officials in order to obtain business, and to require corporations to maintain good systems of internal accounting control
|
|
Public Company Accounting Oversight Board (PCAOB)
|
A five-member board created by the SOX to control the auditing profession. They are overseen by the SEC. PCAOB members can't be CPAs
|
|
Inherent Risk
|
Risk that exists before management takes any steps to control the likelihood or impact of a risk
|
|
Residual Risk
|
The risk that remains after management implements internal controls, or some other response to risk
|
|
Expected Loss
|
= impact x likelihood
|
|
Control Activities
|
Policies, procedures, and rules that provide reasonable assurance that management's control objectives are met and the risk responses are carried out.
|
|
Authorization
|
Empowerment from management
|
|
Digital Signature
|
Signing a document digitally; unforgeable
|
|
Specific Authorization
|
Transactions of specific consequence
|
|
General Authorization
|
No need for special authorization
|
|
Segregation of Accounting Duties
|
Separation in authorization, recording and custody
|
|
Collusion
|
Fraud by 2+ people
|
|
Segregation of Systems Duties
|
1 Systems administration, 2 Network management, 3 Security management, 4 Change management, 5 Users, 6 Systems analysis, 7 Programming, 8 Computer operations, 9 Information system library, 10 Data control
|
|
Systems administrator
|
Responsible for ensuring that different parts of an information system operate smoothly and efficiently
|
|
Network manager
|
Ensure that all applicable devices are linked to the organization's internal and external networks and that the networks operate continuously and properly
|
|
Security manager
|
Ensure that all aspects of the system are secure and protected from all internal and external threats
|
|
Systems analyst
|
Helps users determine their information needs and then design an information system to meet those needs
|
|
Programmer
|
Take design provided by systems analysts and create an information system to meet those needs
|
|
Computer operator
|
Run the software on the company's computer. Ensure that data are input properly and correctly processed and needed output is produced
|
|
Information system librarian
|
Maintain custody of corporate databases, files, and programs in a separate storage area called the INFORMATION SYSTEM LIBRARY
|
|
Data control group
|
Ensures that source data have been properly approved, monitors the flow of work through the computer, reconciles input and output, maintains a record of input errors to ensure their correction and resubmission, and redistributes systems output
|
|
Strategic master plan
|
Shows the projects that must be completed to achieve long-range company goals and addresses the company's hardware, software, personnel, and infrastructure requirements
|
|
Project development plan
|
Shows how a project will be completed
|
|
Project milestone
|
Significant points when progress is reviewed and actual and estimated completion times are compared
|
|
Performance evaluation
|
Made of team members after each project
|
|
Data processing schedule
|
Schedules use of data processing tasks to effectively use computer resources
|
|
Steering committee
|
Guides and oversees projects
|
|
System performance measurements
|
Check throughput, utilization, response time
|
|
Throughput
|
Number of transactions per unit of time
|
|
Utilization
|
Percentage of useful time
|
|
Response time
|
How long the system takes to respond
|
|
Post-implementation review
|
Were the expected benefits achieved?
|
|
Systems integrator
|
A vendor who uses common standards and manages a cooperative systems development effort involving its own development personnel and those of the client and other vendors
|
|
Analytical review
|
Relationships between different data
|
|
Audit trail
|
When individual company transactions can be traced through the system from where they originate to where they end up on the financial statements
|
|
Computer security officer
|
In charge of AIS security
|
|
Chief compliance officer
|
Manages all compliance issues
|
|
Forensic accountants
|
Specialize in fraud detection and investigation
|
|
Computer forensics specialist
|
Specialists in discovering, extracting, safeguarding, and documenting computer evidence such that its authenticity, accuracy and integrity will not succumb to legal challenges
|
|
Neural networks
|
Programs that mimic the brain and have learning capabilities. They are accurate in identifying suspected fraud
|
|
Fraud hot line
|
Anonymous fraud reporting
|
|
Change manager
|
Manage all changes to an organization's information system to ensure they are made smoothly and efficiently and to prevent errors and fraud
|
|
User
|
Records transactions, authorizes data to be processed, and uses system output
|
|
Internal Control-Integrated Framework
|
Framework issued by the COSO which defines internal controls and provides guidance for evaluating and enhancing internal control systems
|
|
Internal control
|
Process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that control objectives are achieved, e.g. assets are safe, information is accurate and reliable, financial statements are in accordance with GAAP, promote and improve operational efficiency, encourage adherence to management policies, comply with applicable laws and regulations
|