65 Cards in this Set
What are 6 main risks that are heightened when using computerized accounting systems? |
1. Reliance on faulty programs
2. Unauthorized access to data
3. Unauthorized changes made to files, systems, programs
4. Failure to make necessary program changes
5. Inappropriate manual intervention
6. Loss of data |
|
Do the objectives of controls differ between manual and computerized accounting systems? |
The objectives are the same, but the control procedures differ |
|
How does the SOD control differ between manual and computerized accounting systems? |
Computerized accounting systems combine functions that would be separated in a manual environment
-internal checks |
|
How do computerized accounting systems make up for the lack of a paper audit trail? |
Audit trails are built into accounting IS; electronic audit trails are as effective as paper trails |
|
For ensuring accurate transaction processing (regarding calculation/input error), what are the differences in risks associated with manual vs. computerized accounting systems? |
For computerized, clerical errors are eliminated
For manual, "systematic" errors such as errors in programming logic are reduced |
|
Since computerized accounting IS have the ability to auto-generate transactions, what are the risks/how are the risks mitigated? |
Risks: transactions generated by a system are not subject to the same authorization; not as well documented
Mitigate by: regularly review transactions, identifying frequent/large transactions for review |
|
What are 4 characteristics of computerized data that may increase the likelihood of undetected fraud? |
1. remote access data - chance of unauthorized access
2. concentration of info - if security is breached, potential for substantial damage
3. decreased human involvement: decreased opportunity for observation
4. Erroneous design or maintenance of programs: allow for fraud or errors |
|
How do computerized accounting systems allow for management to have better control? |
-reports allow for management to perform analytical reviews
-embedded audit modules allow for continuous transaction monitoring |
|
How do you ensure appropriate SOD controls in a small business? |
involving the business owner is an important compensating control |
|
define COBIT |
widely used international standard for identifying best practices in IT security and control
-provides framework that aligns IT with organizational governance |
|
who is COBIT to be used by? |
IT managers, IT professionals, and internal/external auditors |
|
What are the 3 basic components of the COBIT framework? |
1. domains and processes
2. effective monitoring processes
3. 300 COBIT control objectives |
|
4 Domains within which basic IT processes reside... |
1. Plan and Organize: establish a strategic vision
2. Acquire and Implement: acquire, implement or develop IT solutions that address objectives (i.e. identify automated solutions)
3. Deliver and Support: how to best deliver IT services like operations, security and training (i.e. provide security and continuous service)
4. Monitoring: periodically assess IT quality and compliance (i.e. reviewing system response time logs) |
|
What are the 4 interrelated Monitoring processes for COBIT? |
M1: monitor and evaluate IT performance
M2: monitor and evaluate control (SOX)
M3: ensure regulatory compliance
M4: provide IT guidance (establish an IT governance framework) |
|
What are the 2 main components of the computerized accounting system monitoring process? |
1. information criteria: data must have certain attributes
2. IT resources: certain physical resources comprise the system |
|
What 7 Information Criteria are required for effective IT performance management monitoring? |
1. effectiveness
2. efficiency
3. confidentiality
4. integrity
5. availability
6. compliance
7. reliability |
|
What 5 IT resources are required for effective IT performance management monitoring? (physical resources that comprise IT system) |
1. people
2. applications
3. technology
4. facilities
5. data |
|
How many generic COBIT control objectives are there? |
300 |
|
How many basic IT processes are identified in COBIT? |
34 |
|
Enterprise Architecture (defined) |
efforts to understand, manage and plan for IT assets; important to be used with IT security governance plan |
|
ERP Systems (defined) |
provide transaction processing, management support and decision-making support in a single, integrated, organization-wide package
-attempt to eliminate problem of consolidating info across departments, regions or divisions |
|
What are the 4 goals of ERP systems? |
1. global visibility: data is in a single database, available to anyone with authorization
2. cost reduction
3. employee empowerment: improves lower-level communication and decision-making
4. implementation of "best practices" |
|
How are ERP systems typically purchased? |
typically purchased in modules: Sales, Logistics, Planning, Financial Reporting, etc. |
|
Are ERP systems typically chosen from one or multiple vendors, and why? |
most organizations choose ERP modules from several vendors according to what they view fits with their company
"best of breed" |
|
What are the 3 overall components of an ERP system? |
1. Online Transaction Processing System (OLTP): core business functions that provide motivation to purchase ERP (sales, purchasing, etc.)
2. Online Analytical Processing System (OLAP): incorporates data warehouse and data mining capabilities (Analytical Tool)
3. ERP system architecture: client/server network configuration -usually internet-based connections |
|
IT Sourcing Strategy (defined) |
organization's plan to insource, outsource or pursue a hybrid strategy for IT assets |
|
How does cloud-based storage work? |
a virtual data pool is created by contracting with a third-party data storage provider |
|
What are the 5 potential benefits of cloud-based storage? |
1. Universal Access
2. Cost Reductions
3. Scalability: can grow with an organization
4. Outsourcing & Economies of Scale: reduced need for IT personnel
5. Enterprise-Wide Integration |
|
What is a VPN and what is it used for? |
Virtual Private Network: used to limit access to the system and encrypt sensitive information |
|
What are the 3 types of cloud-based system applications? |
1. Infrastructure as a Service (IaaS): access virtual hardware (i.e. Amazon Web Services)
2. Platform as a Service (PaaS): creating cloud-based software
3. Software as a Service (SaaS): remote access to software |
|
What are the risks of cloud-based systems? |
1. data loss and outages if stored at one location
2. hackers
3. rely on competence of service provider |
|
What does IaaS stand for, and what does it allow? |
Infrastructure as a Service
allows access to virtual hardware |
|
What does PaaS stand for, and what does it allow? |
Platform as a Service
allows for creating cloud-based software and programs |
|
What does SaaS stand for, and what does it allow? |
Software as a Service
allows for remote access to software |
|
Differentiate between 2- and 3-tiered architectures |
2-tiered: combined database and application server; ideal for small systems
3-tiered: separates application and database functions; ideal for large or complex systems |
|
What is a risk of installing an ERP system? |
business failure due to badly managed installation |
|
6 steps in BCM process: |
1. create a BCM policy & program: define the scope, identify roles
2. understand & evaluate risks: Business Impact Analysis will identify max tolerable interruption periods
3. determine strategies: different methods
4. develop & implement response: define protocols & train incident response teams
5. exercise, maintain and review plan: test required technology and implement process
6. embed BCM into culture: educate & train |
|
Prioritization of BCP Risks by importance of organization's mission: (3 levels) |
1. Mission Critical (customer services, manufacturing, financials)
2. Business Critical (ERP systems, payroll, order entry)
3. Task Critical (print service, file service) |
|
Disaster Recovery Plan (DRP) defined |
enable continuing operations during a disaster
-identify mission-critical tasks and ensure that they can continue with virtually no interruptions at a decent cost |
|
2 Goals of DRP |
1. Recovery Point Objective (RPO): defines the acceptable amount of data lost in an incident
2. Recovery Time Objective (RTO): defines the acceptable downtime for a system or organization |
|
Cold Site |
"Empty Shell"
off-site location with all electrical connections and physical requirements, but no actual equipment or files
-often require 1-3 days to become operational -least expensive |
|
Warm Site |
off-site location that is already stocked with computer hardware but no copies of data and information |
|
Hot Site |
off-site location completely equipped to resume data processing; all equipment plus copies of essential files
-minimal disruption -more expensive |
|
Reciprocal Agreements in BCM |
shared-use facilities that house IT capabilities
-can be cold, warm or hot |
|
Mirrored Site in BCM |
redundant, fully staffed and equipped site with real-time data replication of mission-critical systems
-extra expensive |
|
3 Main Functional Areas within IT Department |
1. applications development
2. systems administration and programming
3. computer operations |
|
What is the role of the Applications Development IT functional area? |
responsible for creating new end-user computer applications and for maintaining existing applications
-development is completed in a "test" or "sandbox" environment rather than in "live" system |
|
Applications Development: 2 main positions |
Systems Analyst: analyze and design computer systems; work with end users
Application Programmer: code the programs that process data and produce reports; work under the direction of Systems Analyst |
|
What is the role of Systems Administration and Programming IT functional area? |
maintains the computer hardware and computing infrastructure; grants access to system |
|
Systems Admin & Programming: 2 main positions |
Systems Administrators: (aka database admin, network admin, web admin) responsible for management activities associated with the system they control i.e. grant access to system resources w/ user names and passwords
System Programmers: maintain the various operating systems and related hardware i.e. update system for new software releases and installing new hardware |
|
What is the role of the Computer Operations IT functional area? |
responsible for the day-to-day operations
i.e. receipt of batch input, conversion of data to electronic form, scheduling computer activities, running programs |
|
Computer Operations: 4 positions |
Data Control (quality assurance): controls flow of all documents, reconcile control totals
Data Entry Clerk (data conversion operator): keys records into electronic form
Computer Operator: loading programs and data files, running programs, producing output, etc.
File Librarian: maintains control over all files, checking them in and out as necessary |
|
Data Entry Clerk SOD limitations |
Data Entry Clerk: should not... -reconcile batch totals, -run programs, -access system output, -be involved in app development and programming |
|
Computer Operator SOD limitations |
Computer Operator: should not... -enter data into the system -reconcile control totals for data they process |
|
Data Control SOD limitations |
Data Control: should not... -access the data, equipment or programs |
|
File Librarian SOD limitations |
File Librarian: should not... -have access to any operating equipment or data unless it has been checked into the library |
|
Computer Operators and Data Entry Personnel should not... |
be allowed to act as programmers |
|
Systems Programmers SOD limitations |
System Programmer: should not... -have access to application programs |
|
Application Programmers and Systems Analysts SOD limitations |
App Programmers & Systems Analysts: should not... -control access to data, programs or computer resources |
|
Application Programmers and Systems Analyst and Data Administrator SOD limitation... |
Application Programmers & Systems Analysts & Data Admins: should not... -have access to computer operations ("live" data) |
|
Personnel Policies & Procedures: 5 main things to focus on |
1. hiring practices
2. performance evaluation
3. employee handbook
4. competence
5. firing (termination): disabling login, escorting through building after firing |
|
SOD limitations: Data Entry, Data Control, File Librarian
access to... Live System? App Programming? Systems Programming? |
NO to all 3! |
|
SOD limitations: Computer Operators
access to... Live System? App Programming? Systems Programming? |
Live System only |
|
SOD limitations:
Systems Programmers
access to... Live System? App Programming? Systems Programming? |
Live System and Systems Programming
(NOT app programming) |
|
SOD limitations: App Programmers, System Analysts, Data Admins
access to... Live System? App Programming? Systems Programming? |
App Programming only |