28 Cards in this Set
Front | Back
Threat | Any potential adverse occurrence.
Exposure or Impact | The potential dollar loss from a threat.
Likelihood | Probability that a threat will happen.
Internal Control | Process implemented to provide reasonable assurance that the following control objectives are achieved: safeguard assets; maintain accurate records; provide reliable information; improve operational efficiency; encourage adherence to policies.
Preventive Controls | Deter problems before they arise. Ex: segregation of duties, controlling physical access to assets.
Detective Controls | Discover problems that are not prevented. Ex: duplicate checking and preparing bank reconciliations.
Corrective Controls | Identify and correct problems as well as correct and recover from the resulting errors. Ex: maintaining backup copies of files, correcting data entry errors.
Categories of Internal Controls | General Controls (organization's control environment) and Application Controls (correct processing of transactions).
Foreign Corrupt Practices Act (FCPA) | Prevents companies from bribing foreign officials to obtain business.
Sarbanes-Oxley Act (SOX) of 2002 | Designed to prevent financial statement fraud, make financial reports more transparent, protect investors, strengthen internal controls and punish executives who perpetrate fraud.
Control Objectives for Information and Related Technology (COBIT) framework | Consolidates control standards into a single framework that allows: (1) management to benchmark security and control practices; (2) users to be assured that adequate IT security and controls exist; (3) auditors to substantiate their internal control opinions.
COBIT Vantage Points | (1) Business objectives (seven categories of criteria that map to objectives); (2) IT resources (people, application systems, technology, etc.); (3) IT processes (planning and organization, acquisition and implementation, delivery and support, monitor and evaluate).
Committee of Sponsoring Organizations (COSO) | Internal Control-Integrated Framework: control environment, control activities, risk assessment, information and communication, monitoring.
Enterprise Risk Management-Integrated Framework (ERM) | Used to set strategy, identify events that may affect the entity, assess and manage risk, and provide reasonable assurance that the company achieves its objectives and goals.
Internal Environment | Company culture; it influences how organizations establish strategies and objectives and how they structure business activities.
Inherent Risk | Exists before management takes any steps to control the likelihood or impact of an event.
Residual Risk | The remaining risk after management implements internal controls or some other response to risk.
Reduce | Reduce the likelihood and impact of risk by implementing an effective system of internal control.
Accept | Accept the likelihood and impact of risk.
Share | Share risk or transfer it to someone else by buying insurance, outsourcing an activity or entering into a hedging transaction.
Avoid | Avoid risk by not engaging in the activity that produces the risk.
Expected Loss | Expected loss = impact x likelihood.
Control Activities | Policies and procedures that provide reasonable assurance that control objectives are met and risk responses are carried out.
Segregation of duties | Authorization (approving decisions); Recording (preparing source documents and maintaining ledgers, files or databases); Custody (handling cash, tools, inventory, etc.).
Collusion | Detecting fraud where two or more people try to commit and conceal the fraud.
Computer security officer (CSO) | In charge of system security; independent of the information system function and reports to the COO or CEO.
Chief Compliance Officer (CCO) | In charge of compliance issues within the company.
Neural Networks | Programs with learning capabilities that can be used to accurately identify fraud.