Term
Threat |
|
Definition
any potential adverse occurrence (or unwanted event)...
that could harm the AIS or the org. |
|
|
Term
Exposure (Impact) |
|
Definition
$$$ lost if a threat becomes a reality |
|
|
Term
Likelihood |
|
Definition
probability a threat will turn to reality |
|
|
Term
Internal Control |
|
Definition
process implemented w/in the company...
to provide reasonable assurance...
the 7 control objectives are achieved |
|
|
Term
Internal Control Objectives (x7) |
|
Definition
- Safeguard assets
- Maintain detailed records
- Accurate & reliable info
- GAAP accordance
- ↑ operational efficiency
- ↑ adherence to mgmt policies
- comply w/ laws
|
|
|
Term
Internal Controls
Preventative Controls |
|
Definition
deter problems before they arise
- ex. -
hire qualified ppl
segregation of duties
physical security |
|
|
Term
Internal Controls
Detective Controls |
|
Definition
discover problems ASAP
- ex. -
2x check work
reconciliations
trial balances |
|
|
Term
Internal Controls
Corrective Controls |
|
Definition
remedy control problems that have been discovered
...essentially detective controls + fixes
- ex. -
backup copies of master files
data correction procedures
resubmission of corrected transactions |
|
|
Term
Internal Controls
General Controls |
|
Definition
make sure an org.'s controls are stable & well-managed
- ex. -
security mgmt
IT infrastructure controls
software controls |
|
|
Term
Internal Controls
Application Controls |
|
Definition
prevent, detect, & correct transaction errors & fraud
...accuracy, completeness, validity, authorization, etc. |
|
|
Term
Foreign Corrupt Practices Act |
|
Definition
prevent bribery of foreign officials in order to obtain business
...effectively forced orgs. to ↑ internal controls |
|
|
Term
Sarbanes-Oxley Act (SOX)
Purpose |
|
Definition
prevent financial statement fraud
↑ transparency
investor protection
↑ internal controls
punish fraud |
|
|
Term
Sarbanes-Oxley Act
Key Aspects (x5) |
|
Definition
- Public Company Acctg. Oversight Board
- New Auditor Rules
- New Role for the Audit Committee
- New Rules for Mgmt
- New Internal Control Requirements
|
|
|
Term
Sarbanes-Oxley Act
Public Company Accounting Oversight Board (PCAOB) |
|
Definition
controls auditing profession
SEC appoints & oversees
Enforces quality control, ethics, & independence |
|
|
Term
Sarbanes-Oxley Act
New Auditing Rules |
|
Definition
Rotation rules
report to the audit committee
prohibits certain non-auditing roles |
|
|
Term
Sarbanes-Oxley Act
Audit Committee Role |
|
Definition
on Board of Directors, but also "Independent" from mgmt.
1 must be a "financial expert"
oversees external auditors |
|
|
Term
Sarbanes-Oxley Act
Rules for Management |
|
Definition
CEO/CFO certify results
Mgmt responsible for internal controls
Report concerns w/ auditors |
|
|
Term
Sarbanes-Oxley Act
Internal Control Requirements |
|
Definition
Report stating mgmt's responsibility for internal controls
Adequacy of internal control structure |
|
|
Term
Belief System |
|
Definition
Communicates core values
inspires employees to live values |
|
|
Term
Boundary System |
|
Definition
↑ ethics
sets boundaries for actions |
|
|
Term
Diagnostic Control System |
|
Definition
Measures company progress
compares actual vs. planned performance |
|
|
Term
Interactive Control System |
|
Definition
helps top-level managers w/ high-level activities...
that require frequent & regular attention
...develops proactive tools |
|
|
Term
Control Objectives for Information & related Technology
(COBIT) |
|
Definition
generally applicable IS security & control practices
- mgmt. benchmarks for controls
- assures users that adequate controls exist
- basis for auditor opinions & advice
|
|
|
Term
Committee of Sponsoring Organizations
(COSO) |
|
Definition
issued the "Internal Control - Integrated Framework"
...generally accepted standard
- defines internal controls
- guidance for evaluation & enhancement
|
|
|
Term
COSO - ERM Cube
Top (x4) - Objectives to achieve org. goals |
|
Definition
Strategic - ↑-level goals, aligned w/ mission
Operations - efficiency of operations
Reporting - accuracy, completeness, reliability of internal/external reports
Compliance - compliance w/ applicable laws, etc. |
|
|
Term
COSO - ERM Cube
8 interrelated risk & control components
(horizontal rows) |
|
Definition
Internal Environment - company culture, risk appetite, etc.
Objective Setting - process to set up strategic, operational, etc. objectives
Event Identification - determine events that could affect objectives
Risk Assessment - how to manage them? how will they affect objectives?
Risk Response - align identified risks w/ company's risk appetite...take action
Control Activities - implemented to enable mgmt's risk response
Info & Communication - provide org & ERM info to employees
Monitoring - ongoing basis...changed if necessary |
|
|
Term
ERM
Internal Environment Components (x7) |
|
Definition
- Mgmt's philosophy, style, risk appetite
- Board of Directors
- Commitment to integrity, ethics, etc.
- Org. Structure
- Assignment of authority & responsibility
- HR Standards
- External Influences
|
|
|
Term
Risk Appetite |
|
Definition
Amount of risk an org. is willing to take on to achieve goals
Must align w/ org. strategy |
|
|
Term
SOX
Audit Committee Responsibilities |
|
Definition
oversee org. internal controls
works w/ external & internal auditors
independent review of mgmt. |
|
|
Term
Internal Environment
HR Standards |
|
Definition
Hire the Right People...need to be qualified
Fair & Aligned Compensation
Training - ethics, strategy, responsibilities, etc. |
|
|
Term
ERM - Event Identification
External & Internal Factors |
|
Definition
External
- Economic
- Natural Environment
- Political
- Social
- Technology
Internal
- Infrastructure
- Personnel
- Process
- Technology |
|
|
Term
Inherent Risk |
|
Definition
risk existing before mgmt takes any steps to control risk |
|
|
Term
Residual Risk |
|
Definition
risk that remains after mgmt implements internal controls, etc. |
|
|
Term
Risk Responses (x4) |
|
Definition
Reduce
implement effective controls to ↓ risk
...most effective
Accept
Take no action...accept likelihood & impact
Share
Transfer some risk
...buy insurance, hedging,etc.
Avoid
avoid risky activities
...sell a bad division, avoid new products, etc. |
|
|
Term
Risk Assessment & Response
(Steps...x5) |
|
Definition
Estimate likelihood & impact of risk
↓
Identify Controls
↓
Estimate Costs & Benefits
↓
Determine Cost/Benefit Feasibility
↓
Implement Control...or Avoid, Share, Accept risk |
|
|
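The five steps above, worked through as an added example (not part of the original cards): expected loss is exposure ($ impact) times likelihood, a control's benefit is the reduction in expected loss it buys, and a control is cost-feasible when that benefit exceeds its cost; if nothing pays for itself, the remaining responses are accept, share, or avoid. The threat, dollar figures and control names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """A candidate control and the residual risk it leaves behind (hypothetical figures)."""
    name: str
    annual_cost: float        # cost to implement and operate, per year
    likelihood_after: float   # probability of the threat if the control is in place
    impact_after: float       # $ loss if the threat still materializes


def expected_loss(impact, likelihood):
    """Step 1: expected annual loss = exposure ($ impact) x likelihood (probability)."""
    return impact * likelihood


def net_benefit(impact, likelihood, control):
    """Steps 2-3: benefit of a control is the reduction in expected loss; net = benefit - cost."""
    before = expected_loss(impact, likelihood)
    after = expected_loss(control.impact_after, control.likelihood_after)
    return (before - after) - control.annual_cost


def evaluate(impact, likelihood, controls):
    """Steps 4-5: keep controls whose net benefit is positive and recommend the best one;
    if none pays for itself, the remaining responses are accept, share, or avoid."""
    scores = {c.name: round(net_benefit(impact, likelihood, c), 2) for c in controls}
    feasible = {name: nb for name, nb in scores.items() if nb > 0}
    if not feasible:
        return {"scores": scores, "recommend": "no cost-feasible control: accept, share, or avoid"}
    return {"scores": scores, "recommend": max(feasible, key=feasible.get)}


# Constructed scenario: payroll fraud, $200,000 impact, 10% chance per year
THREAT_IMPACT = 200_000.0
THREAT_LIKELIHOOD = 0.10
CANDIDATES = [
    Control("segregate payroll duties", annual_cost=12_000, likelihood_after=0.02, impact_after=200_000),
    Control("quarterly payroll audit", annual_cost=25_000, likelihood_after=0.05, impact_after=100_000),
    Control("real-time fraud analytics", annual_cost=40_000, likelihood_after=0.01, impact_after=50_000),
]

if __name__ == "__main__":
    print("expected loss before controls:", expected_loss(THREAT_IMPACT, THREAT_LIKELIHOOD))
    print(evaluate(THREAT_IMPACT, THREAT_LIKELIHOOD, CANDIDATES))
```

Note that the control with the lowest residual risk (the analytics tool) is rejected: it cuts expected loss by $19,500 but costs $40,000 a year, so "most risk reduction" and "cost-feasible" are different questions.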
Term
ERM - Control Activities |
|
Definition
policies, procedures, & rules...
that provide reasonable assurance...
that mgmt's control objectives are met...
& risk response occurs |
|
|
Term
Authorization |
|
Definition
empowerment mgmt gives employees to perform activities & make decisions |
|
|
Term
Authorization
Digital Signature |
|
Definition
signing a doc. w/ some data that can't be forged |
|
|
Term
Authorization
Specific Authorization |
|
Definition
Major activities/transactions that are...
important, big, unique enough
...to warrant singular attention |
|
|
Term
Authorization
General Authorization |
|
Definition
authorize employees to handle...
routine transactions...
w/o special approval |
|
|
Term
Segregation of Acctg. Duties
...what activities need to be separated |
|
Definition
- Authorization - approving transactions
- Recording - source docs, journals, etc.
- Custody - handling cash, writing checks, inv.
|
|
|
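An added example (not from the cards) of the check an access review would run over the three duty classes above: each entitlement is mapped to a business process and a duty class, and any user holding two or more of authorization, recording and custody within the same process is reported as a segregation-of-duties conflict. The entitlement catalog and the user listing are constructed.

```python
from collections import defaultdict
from itertools import combinations

# Constructed catalog: entitlement -> (business process, duty class)
ENTITLEMENTS = {
    "approve_purchase_order": ("purchasing", "authorization"),
    "post_ap_invoice":        ("purchasing", "recording"),
    "release_vendor_payment": ("purchasing", "custody"),
    "approve_timesheet":      ("payroll", "authorization"),
    "run_payroll_register":   ("payroll", "recording"),
    "sign_payroll_checks":    ("payroll", "custody"),
}


def duties_by_process(entitlements):
    """Group one user's entitlements into {process: {duty: [entitlement, ...]}}."""
    grouped = defaultdict(lambda: defaultdict(list))
    for ent in entitlements:
        if ent not in ENTITLEMENTS:
            raise KeyError(f"unknown entitlement {ent!r}")
        process, duty = ENTITLEMENTS[ent]
        grouped[process][duty].append(ent)
    return grouped


def find_conflicts(assignments):
    """Return {user: [(process, duty_a, duty_b, [entitlements causing it]), ...]} for every
    user who holds two or more of authorization/recording/custody in the same process."""
    conflicts = {}
    for user, ents in assignments.items():
        found = []
        for process, by_duty in duties_by_process(ents).items():
            for a, b in combinations(sorted(by_duty), 2):
                found.append((process, a, b, sorted(by_duty[a] + by_duty[b])))
        if found:
            conflicts[user] = found
    return conflicts


# Constructed access listing, as an identity review would export it
ASSIGNMENTS = {
    "alice": ["approve_purchase_order", "post_ap_invoice"],              # authorizes & records purchases
    "bob":   ["release_vendor_payment", "approve_timesheet"],             # custody & authorization, but different processes
    "carol": ["approve_timesheet", "run_payroll_register", "sign_payroll_checks"],  # all three in payroll
}

if __name__ == "__main__":
    for user, issues in find_conflicts(ASSIGNMENTS).items():
        for process, a, b, ents in issues:
            print(f"{user}: {a} + {b} in {process} via {ents}")
```

Bob is not flagged: holding custody in purchasing and authorization in payroll does not let one person both approve and pay out the same transaction, which is the combination the control is meant to prevent.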
Term
Segregation of Duties
System Duties |
|
Definition
Systems Admin - ensure systems run smoothly & efficiently
Ntwk Mgmt - ensure devices are linked & the ntwk functions properly
Security Mgmt - secure the ntwk & systems
Change Mgmt - smooth, error-free changes to systems & ntwk
Users - record transactions, authorize processing, use outputs
Systems Analysis - determine needs & design the system
Programming - write programs based on ↑ specs
Comp. Operations - run software on comps.
IS Library - custody of databases, files, & programs
Data Control - monitor data flows, ensure authorizations, etc. |
|
|
Term
Safeguarding info & physical assets
Methods |
|
Definition
Create & Enforce appropriate policies & procedures
Maintain accurate asset records
Restrict access to assets
Protect records & docs. - offsite backups, etc. |
|
|
Term
Independent Checks on Performance |
|
Definition
- Top-level reviews
- Analytical reviews
- Reconcile 2+ independent records
- Actual Quantities vs. Recorded amounts
- Double-entry Acctg.
- Independent review
|
|
|
Term
ERM - #7. Info & Communication
Audit Trail |
|
Definition
trace individual transactions through system from
...start → finish
Must Understand How:
- transactions are initiated
- source docs → machine-readable form
- files are updated & accessed
- data processed
- info is reported to in/external users
|
|
|
Term
Systems Development
Reasons to change the system (x8) |
|
Definition
- Need changes - user, biz, etc.
- Technology change
- Improved biz process
- Competitive Advantage
- ↑ Productivity
- Growth
- ↓ Costs
- System Integration & Age
|
|
|
Term
Systems Development Life Cycle (SDLC)
Definition |
|
Definition
5-step process used to roll out new systems
- Systems Analysis
- Conceptual Design
- Physical Design
- Implementation & Conversion
- Operations & Maintenance
|
|
|
Term
Systems Development Life Cycle (SDLC)
1 - Systems Analysis |
|
Definition
Gather info needed to develop new system
Initial Investigation - is the current system OK? Improvement needed?
Systems Survey - Identify info needs
Feasibility Study
Determine & Deliver system requirements |
|
|
Term
Systems Development Life Cycle (SDLC)
2 - Conceptual Design |
|
Definition
How to meet user needs?
Identify & Evaluate Design Alternatives - Boxed? Modified? Custom? (Buy, Develop, Outsource?)
Develop & Design Specifications - what should the system accomplish
Deliver Conceptual Design Requirements
→ steering committee |
|
|
Term
Systems Development Life Cycle (SDLC)
3 - Physical Design |
|
Definition
Conceptual Design → detailed specs → code/test programs
Design outputs, databases, inputs, controls
Develop programs & procedures
Deliver developed systems |
|
|
Term
Systems Development Life Cycle (SDLC)
4 - Implementation & Conversion |
|
Definition
bring system together...(capstone)
- Develop implementation & conversion plan
- Install hard/software
- Test system
- Train users
- Documentation
- Deliver operational system
|
|
|
Term
Systems Development Life Cycle (SDLC)
5 - Operation & Maintenance |
|
Definition
use system & modify as needed
- post-implementation review
- Operate system
- Modify system
- Ongoing maintenance
|
|
|
Term
Systems Development Life Cycle (SDLC)
User Roles |
|
Definition
Management
Support, $$$, staff, big-picture decisions
Accountants
specify needs
development or steering committee members
design controls & monitor
IS Steering Committee - high-level employees
plan & oversee project
↑ goal congruence
Project Development Team -full-time on project
Design, test, review, & sell/deliver system
System Analysts & Programmers
Analysts - study, design, & prepare new systems
Programmers - code based on ↑ specs
|
|
|
Term
Systems Development Life Cycle (SDLC)
Project Development Plan
Master Plan |
|
Definition
Project Development Plan
cost/benefit
requirements/needs
schedule of activities
Master Plan
long-range of where AIS is headed
system components, development, players, resources
|
|
|
Term
Program Evaluation & Review Technique (PERT) |
|
Definition
identifies all activities & their relationships
diagram w/ arrows, nodes, & completion-time estimates
more detailed than a Gantt Chart
Critical Path
longest path through the network...activities w/ zero slack
if any activity on it is delayed...the whole project is delayed |
|
|
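The critical-path computation behind the card above, as an added example (not part of the original cards): a forward pass gives each activity its earliest start/finish, a backward pass its latest start/finish, and the activities with zero slack form the critical path. The activity network (names, durations, predecessors) is constructed.

```python
from collections import deque

# Constructed activity network: name -> (duration in days, predecessors)
ACTIVITIES = {
    "A_requirements": (5, []),
    "B_design":       (8, ["A_requirements"]),
    "C_procure_hw":   (10, ["A_requirements"]),
    "D_code":         (12, ["B_design"]),
    "E_install_hw":   (3, ["C_procure_hw"]),
    "F_test":         (6, ["D_code", "E_install_hw"]),
    "G_train":        (4, ["B_design"]),
    "H_cutover":      (2, ["F_test", "G_train"]),
}


def schedule(activities):
    """Forward pass (earliest start/finish) and backward pass (latest start/finish).
    Returns ({name: {es, ef, ls, lf, slack}}, project duration)."""
    # Kahn topological order so every activity is processed after its predecessors
    indeg = {n: len(preds) for n, (_, preds) in activities.items()}
    succ = {n: [] for n in activities}
    for n, (_, preds) in activities.items():
        for p in preds:
            succ[p].append(n)
    order = []
    queue = deque(n for n, d in indeg.items() if d == 0)
    while queue:
        n = queue.popleft()
        order.append(n)
        for s in succ[n]:
            indeg[s] -= 1
            if indeg[s] == 0:
                queue.append(s)
    if len(order) != len(activities):
        raise ValueError("cycle in activity network")
    es, ef = {}, {}
    for n in order:
        duration, preds = activities[n]
        es[n] = max((ef[p] for p in preds), default=0)
        ef[n] = es[n] + duration
    total = max(ef.values())
    ls, lf = {}, {}
    for n in reversed(order):
        duration = activities[n][0]
        lf[n] = min((ls[s] for s in succ[n]), default=total)
        ls[n] = lf[n] - duration
    table = {n: {"es": es[n], "ef": ef[n], "ls": ls[n], "lf": lf[n], "slack": ls[n] - es[n]}
             for n in activities}
    return table, total


def critical_path(activities):
    """Zero-slack activities in schedule order: delaying any of them delays the project."""
    table, total = schedule(activities)
    path = [n for n in sorted(table, key=lambda n: table[n]["es"]) if table[n]["slack"] == 0]
    return path, total


if __name__ == "__main__":
    table, total = schedule(ACTIVITIES)
    for name, row in table.items():
        print(f"{name:15} es={row['es']:2} ef={row['ef']:2} ls={row['ls']:2} lf={row['lf']:2} slack={row['slack']}")
    print("critical path:", " -> ".join(critical_path(ACTIVITIES)[0]), f"({total} days)")
```

Here hardware procurement (C, E) has 7 days of slack and training (G) has 14, so a week's slip there is invisible to the end date; a one-day slip in design, coding or testing moves cutover by one day.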
Term
SDLC - Systems Analysis
Feasibility Study (x5) |
|
Definition
is the project feasible?...should we continue?, etc.
- Economic - cost/benefit
- Technical - can existing tech build system?
- Legal
- Scheduling - timely? on schedule?
- Operational - are the right ppl building/using system?
|
|
|
Term
Capital Budgeting |
|
Definition
basic framework for feasibility studies
cost savings, other benefits, initial investments...
translated → $$$ estimates
- ex. -
Payback period
NPV, IRR |
|
|
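The three capital-budgeting measures named above, implemented as an added example (not part of the original cards): NPV discounts each year's cash flow, payback counts the years until the investment is recovered, and IRR is the discount rate at which NPV is zero (found here by bisection). The project cash flows and the 10% hurdle rate are constructed.

```python
def npv(rate, cash_flows):
    """Net present value: cash_flows[0] is the initial investment at t=0 (negative),
    later entries are the annual net savings/benefits."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows))


def payback_period(cash_flows):
    """Years until cumulative cash flow turns non-negative, interpolated within the year.
    Returns None if the investment never pays back."""
    cumulative = cash_flows[0]
    for t in range(1, len(cash_flows)):
        previous = cumulative
        cumulative += cash_flows[t]
        if cumulative >= 0:
            return (t - 1) + (-previous / cash_flows[t])
    return None


def irr(cash_flows, lo=-0.99, hi=10.0, tol=1e-9):
    """Internal rate of return: the rate at which NPV = 0, found by bisection."""
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        raise ValueError("NPV does not change sign on the search bracket")
    for _ in range(200):
        mid = (lo + hi) / 2
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol:
            return mid
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2


# Constructed project: $100,000 up front, $30,000 per year in savings for 5 years
PROJECT = [-100_000.0, 30_000.0, 30_000.0, 30_000.0, 30_000.0, 30_000.0]
HURDLE_RATE = 0.10   # assumed cost of capital


def feasibility(cash_flows, hurdle_rate):
    """Economic feasibility summary: accept if NPV > 0 (equivalently IRR > hurdle rate)."""
    value = npv(hurdle_rate, cash_flows)
    return {"npv": round(value, 2), "irr": round(irr(cash_flows), 4),
            "payback_years": round(payback_period(cash_flows), 2), "accept": value > 0}


if __name__ == "__main__":
    print(feasibility(PROJECT, HURDLE_RATE))
```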
Term
SDLC - Systems Analysis
Systems Survey |
|
Definition
study the present AIS
- understand operations, policies, strengths, weaknesses, available tech, etc.
- assess current & future needs
- relationships w/ users... ↑ support
- identify user needs (interviews, questionnaires, documents, etc.)
|
|
|
Term
Physical vs. Logical Model |
|
Definition
Physical Model
how a system functions
describes doc. flow, comp. processes, users, etc.
Logical Model
what is being done
essential activities
information flow |
|
|
Term
|
Definition
describes how the AIS is intended to work |
|
|
Term
Purchasing Software (x3) |
|
Definition
Canned Software
sold to users w/ similar requirements
Turnkey Systems
vendor installation of entire system
sold as a package
Application Service Provider (ASP)
web-based software
"rent" the software |
|
|
Term
Request for Proposal (RFP) |
|
Definition
invitation to propose a system
Large companies → vendors |
|
|
Term
Evaluating Vendor Proposals (x3) |
|
Definition
Benchmark Problem
Measure times for RFP solutions to complete tasks
Point Scoring
weight categories
give pts. to vendor solutions
Requirements Costing
estimate cost of buying components separately
total...provides a basis of comparison to RFP
|
|
|
Term
End-User Computing & Development |
|
Definition
hands-on development, use, & control...
of comp.-based IS by users
Development
users develop their own applications
best for simple projects |
|
|
Term
Benefits & Risks of End-User Computing |
|
Definition
Benefits
user interaction
meets user needs
timely
versatile
uses fewer resources
Risks
development errors
↓ testing
inefficient
poor documentation
system incompatibility |
|
|
Term
Business Process Reengineering (BPR) |
|
Definition
analysis & redesign of biz processes & IS...
to achieve significant performance improvements
assisted by BPM - Biz Process Mgmt |
|
|
Term
Prototyping |
|
Definition
approach to system design...
a simplified working model of a system is developed
Used when:
- users don't fully know needs
- requirements are hard to define
- unknown in/outputs
- un/semi-structured tasks
- uncertain technology to use
- system is needed ASAP
|
|
|
Term
Prototyping
Advantages & Disadvantages |
|
Definition
Advantages
clarify user needs
↑ user involvement
timely
↓ cost to implement change
Disadvantages
takes up a lot of users' time
↓ efficient use of resources
incomplete system development
possible poor behavioral reactions if abandoned
constant development |
|
|
Term
Prototyping
Operational vs. Non-operational |
|
Definition
Operational
Prototype placed into full-use
Controls, efficiency, backup/recovery, etc. added
Non-operational (throwaway)
used to identify needs for 2nd-gen system
used as a model |
|
|
Term
Computer Aided Software Engineering (CASE) |
|
Definition
integrated package of comp-based tools...
automate important aspects of the software development process
Used to plan, analyze, design, program, & maintain an IS |
|
|
Term
SDLC - Conceptual Design
Conceptual Design Specifications |
|
Definition
Output - what's necessary? how often? online?
Data Storage - what's needed to produce reports? How should if be stored?
Input - how?...based on the output
Processing Procedures & Operations - how is info processed? frequency? |
|
|
Term
Conceptual Systems Design Report |
|
Definition
@ end of conceptual design phase
- guide physical design
- communicate how needs will be met
- help steering committee assess feasibility
|
|
|
Term
Categories of Outputs (x4) |
|
Definition
Scheduled Reports
prespecified content & format...regularly prepared
Special-Purpose Analysis Reports
opposite of scheduled reports
no prescribed content, format, or schedule
Triggered Exception Reports
like schedule reports, but only prepared in response to abnormal conditions
Demand Reports
like scheduled reports, but only prepared when requested |
|
|
Term
Structured Programming |
|
Definition
small, well-defined modules
↓ complexity, ↑ reliability & modifiability |
|
|
Term
Hierarchical Program Design |
|
Definition
designing a program...
from the top-down (less → more detailed) |
|
|
Term
Physical Systems Design Report |
|
Definition
summarizes what was accomplished
serves as the basis for mgmt's decision...
to proceed to implementation phase |
|
|
Term
SDLC - Implementation
Testing the System |
|
Definition
Walk-throughs
step-by-step reviews of procedures or program logic
Processing Test Transactions
determines if a program operates as designed
checks transactions to see if they're handled right
Acceptance Tests
users test w/ copies of real transactions & files rather than hypothetical ones |
|
|
Term
Systems Conversion
Conversion Approaches (x4) |
|
Definition
Direct Conversion
immediately terminates the old AIS when the new one becomes operational
Parallel Conversion
operate the old & new AIS simultaneously for a time
ex. - process sales w/ both, compare outputs, & correct problems w/ new AIS
Phase-In Conversion
elements of old AIS are gradually replaced by new AIS
ex. - inv. system → disbursements → collections
Pilot Conversion
implement new AIS in just one part of the org.
ex. - 1 branch location vs. all |
|
|
Term
Systems Conversion
Data Conversion |
|
Definition
necessary to transition between systems
mgmt. needs info from old & new AIS
what data should be transferred? presentation? etc. |
|
|
Term
SDLC - Operation & Maintenance
Post-Implementation Review |
|
Definition
performed on new AIS to ensure it meets its planned objectives
results placed in post-implementation review report
- objectives met?
- users satisfied?
- actual costs?
- reliable, accurate, timely?
|
|
|
Term
Systems Reliability
5 Principles |
|
Definition
- Security
- Confidentiality
- Privacy
- Processing Integrity
- Availability
|
|
|
Term
Systems Reliability
#1 - Security |
|
Definition
controlled access to the system & its data |
|
|
Term
Systems Reliability
#2 - Confidentiality |
|
Definition
protect sensitive info from unauthorized disclosure |
|
|
Term
Systems Reliability
#3 - Privacy |
|
Definition
Appropriately...
collect, use, disclose, & maintain...
customer's personal info |
|
|
Term
Systems Reliability
#4 - Processing Integrity |
|
Definition
data processed accurately, completely, & timely
w/ proper authorization |
|
|
Term
Systems Reliability
#5 - Availability |
|
Definition
system is available to meet operational & contractual obligations |
|
|
Term
3 Fundamental Info Security Concepts |
|
Definition
1) Security is Mgmt's Issue...not a technical one
SOX requirements
mgmt governing policies
2) Time Based Model of Security
preventive controls only need to hold long enough to detect & respond: P > D + C
P = time preventive controls delay an attacker
D = time to detect the attack in progress
C = time to correct/respond
3) Defense in Depth
Multiple control layers to prevent "single-point" failure
↑ redundancy = ↑ effectiveness |
|
|
Term
Preventative Controls
Authentication |
|
Definition
focuses on verifying the identity of the person or device attempting to access the system |
|
|
Term
Preventative Controls
Multifactor Authentication |
|
Definition
requiring 2+ basic authentication controls from different categories
- something you know: passwords, PINs, etc.
- something you have: ID cards, tokens, etc.
- something you are: biometric identifiers (fingerprints, etc.)
|
|
|
Term
Preventative Controls
Authorization |
|
Definition
restricts access of authenticated users to specific portions of the system
specifies what actions they can perform |
|
|
Term
Preventative Controls
Access Control Matrix |
|
Definition
implements authorization controls
table specifying which portions of the system users can access & what they can then do
uses compatibility tests to match user credentials vs. matrix to allow access |
|
|
Term
Preventative Controls
Border Router & Firewall |
|
Definition
Border Router - connects org IS to internet
Firewall - sits behind the border router...protects access to info |
|
|
Term
Intrusion Prevention Systems (IPS) |
|
Definition
filters designed to identify & drop packets that are part of an attack
uses deep packet inspection - examines the data (payload) w/in an IP packet, not just the headers |
|
|
Term
Detective Controls
Log Analysis |
|
Definition
examining logs to monitor security
- ex. -
How many times have ppl tried & failed to access system?
How frequently are attacks? |
|
|
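The access control matrix, its compatibility test, and the log analysis card above, tied together as one added example (not part of the original cards): every request from an authenticated user is checked against the matrix with default deny, each decision is written to an audit log, and the log is then analyzed for repeated failures per user. The users, resources and the log line format are constructed.

```python
from collections import Counter

# Constructed access control matrix (hypothetical users and resources):
# user -> resource -> set of permitted actions. Anything not listed is denied.
ACCESS_MATRIX = {
    "alice": {"payroll_master": {"read"}, "gl_journal": {"read", "write"}},
    "bob":   {"payroll_master": {"read", "write"}},
    "carol": {},   # authenticated, but no entitlements yet
}


def compatibility_test(user, resource, action):
    """Match the authenticated user's request against the matrix (default deny)."""
    return action in ACCESS_MATRIX.get(user, {}).get(resource, set())


class Monitor:
    """Mediates every request and writes one audit line per decision."""

    def __init__(self):
        self.log = []   # lines of the form "<user> <resource> <action> ALLOW|DENY"

    def request(self, user, resource, action):
        decision = "ALLOW" if compatibility_test(user, resource, action) else "DENY"
        self.log.append(f"{user} {resource} {action} {decision}")
        return decision == "ALLOW"


def failed_attempts(log_lines):
    """Log analysis: how many times has each user tried and failed?"""
    return Counter(line.split()[0] for line in log_lines if line.endswith(" DENY"))


def flag_suspicious(log_lines, threshold=3):
    """Users at or above the denial threshold, worth a closer look."""
    return sorted(user for user, n in failed_attempts(log_lines).items() if n >= threshold)


if __name__ == "__main__":
    m = Monitor()
    m.request("alice", "gl_journal", "write")        # allowed
    m.request("alice", "payroll_master", "write")    # denied: read-only on payroll
    m.request("mallory", "payroll_master", "read")   # denied: not in the matrix at all
    for action in ("read", "write", "delete"):
        m.request("carol", "payroll_master", action) # denied three times
    print("\n".join(m.log))
    print("failed attempts:", dict(failed_attempts(m.log)))
    print("flagged:", flag_suspicious(m.log))
```

A user missing from the matrix (mallory) and a user present with an empty row (carol) are both denied; the distinction matters for the log review, since the second pattern is what a newly provisioned or recently demoted account probing for access looks like.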
Term
Detective Controls
Intrusion Detection Systems (IDS) |
|
Definition
logs ntwk traffic that was allowed past the firewall
...analyzes it for attempted & successful intrusions |
|
|
Term
Encryption |
|
Definition
turns plaintext → ciphertext
ciphertext → plaintext = decryption |
|
|
Term
Computer Emergency Response Team (CERT)
&
Steps in incident response (x4) |
|
Definition
response team that deals w/ major incidents
- Recognize that a problem exists
- Contain the problem
- Recovery
- Follow-up...minimize likelihood of similar incidents
|
|
|
Term
Encryption
Symmetric vs. Asymmetric |
|
Definition
Symmetric Encryption Systems
same key encrypts & decrypts...key must be shared secretly
Asymmetric Encryption Systems
2 mathematically related keys: public & private
what the public key encrypts, only the private key can decrypt |
|
|
Term
Digital Certificate |
|
Definition
e-document...
created & digitally signed by a 3rd party...
verifies the identity of the owner of a public key |
|
|
Term
Digital Signature |
|
Definition
hash of the doc. encrypted w/ the creator's private key
...anyone w/ the public key can verify it
created by hashing + asymmetric encryption |
|
|
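The four cards above (encryption, symmetric vs. asymmetric keys, digital certificates, digital signatures) as one added example that is not part of the original cards: a textbook RSA key pair, public-key encryption of a session key that only the private key can recover, a signature made by hashing a document and applying the private key, and a certificate in which a CA signs a (subject, public key) pair with its own private key. The primes are small Mersenne primes chosen so the arithmetic is easy to check; the key sizes, the missing padding and the hash-reduced-mod-n step make this a toy, not something to deploy. Key owners and the invoice text are constructed.

```python
import hashlib
from math import gcd


def make_keypair(p, q, e=65537):
    """Textbook RSA: n = p*q, public key (e, n), private key (d, n) with d = e^-1 mod phi(n).
    Constructed toy: the Mersenne primes below give ~92- and ~196-bit moduli, far too small
    for real use, and there is no OAEP/PSS padding; real systems use >= 2048-bit keys."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (e, n), (pow(e, -1, phi), n)


def encrypt(data, public_key):
    """Anyone with the public key can encrypt; only the private key holder can read it."""
    e, n = public_key
    m = int.from_bytes(data, "big")
    if m >= n:
        raise ValueError("too large for the modulus: encrypt a session key, not bulk data")
    return pow(m, e, n)


def decrypt(ciphertext, private_key, length):
    d, n = private_key
    return pow(ciphertext, d, n).to_bytes(length, "big")


def _digest_mod_n(message, n):
    """Hash first (SHA-256), then reduce so the value fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private_key):
    """Digital signature: the document's hash 'encrypted' with the signer's private key."""
    d, n = private_key
    return pow(_digest_mod_n(message, n), d, n)


def verify(message, signature, public_key):
    """Recover the hash with the public key and compare with a fresh hash of the message."""
    e, n = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


def _cert_body(subject, public_key):
    e, n = public_key
    return f"{subject}|{e}|{n}".encode()


def issue_certificate(ca_private_key, subject, subject_public_key):
    """Digital certificate: (subject, public key) signed by a trusted third party (the CA)."""
    return {"subject": subject, "public_key": subject_public_key,
            "signature": sign(_cert_body(subject, subject_public_key), ca_private_key)}


def verify_certificate(cert, ca_public_key):
    """Relying party checks the CA's signature before trusting the public key inside."""
    return verify(_cert_body(cert["subject"], cert["public_key"]), cert["signature"], ca_public_key)


# Constructed keys (hypothetical owners). Each key pair uses its own primes: two keys
# sharing a prime could be factored with a single GCD.
SERVER_PUBLIC, SERVER_PRIVATE = make_keypair(2**31 - 1, 2**61 - 1)
CA_PUBLIC, CA_PRIVATE = make_keypair(2**89 - 1, 2**107 - 1)

if __name__ == "__main__":
    session_key = bytes(range(8))
    print("round trip:", decrypt(encrypt(session_key, SERVER_PUBLIC), SERVER_PRIVATE, 8) == session_key)
    invoice = b"pay vendor 4711 $10,000"
    sig = sign(invoice, SERVER_PRIVATE)
    print("genuine:", verify(invoice, sig, SERVER_PUBLIC))
    print("altered:", verify(b"pay vendor 4711 $100,000", sig, SERVER_PUBLIC))
    cert = issue_certificate(CA_PRIVATE, "ap.example.test", SERVER_PUBLIC)
    print("certificate valid:", verify_certificate(cert, CA_PUBLIC))
```

The asymmetric cipher is only used on an 8-byte session key; bulk data would be encrypted symmetrically under that key, which is the usual hybrid arrangement and the reason the size check in encrypt() is a feature rather than a limitation.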
Term
Detective Controls
Managerial Reports |
|
Definition
COBIT mgmt guidelines - performance indicators:
- downtime caused by security incidents
- # of systems w/ IDS installed
- time to react
|
|
|
Term
Detective Controls
Security Testing |
|
Definition
test the effectiveness of existing security procedures:
Vulnerability Scans
automated tools identify whether well-known vulnerabilities exist
Penetration Test
authorized attempt to break into an AIS |
|
|
Term
5 Principles of System Reliability
4 Criteria for Successful Implementation |
|
Definition
- Develop & Document...policies
- Communicate #1 to users
- Use controls to implement policies
- Monitor system & correct as needed
|
|
|
Term
Virtual Private Network (VPN) |
|
Definition
encrypting info before sending it over the internet
...provides the functionality of a private network |
|
|
Term
AICPA/CICA - 10 Best Practices
...for protecting privacy of customer info |
|
Definition
- Management - set policies
- Notice - privacy policies → customers @ collection
- Choice/Consent - opt-out vs. opt-in
- Collection - only necessary info
- Use & Retention - retain only as long as needed
- Access - customers can review & correct their info
- 3rd Party Disclosure - only as described in the notice & w/ equal protection
- Security - protect from loss or unauthorized disclosure
- Quality - maintain info integrity
- Monitoring & Enforcement - verifies compliance w/ privacy policy
|
|
|
Term
Examples of Data Entry Controls
...Checks |
|
Definition
Field Check
are characters right? ###s vs. letters
Sign Check
+ vs. -
Limit Check
# value vs. a predetermined limit (max or min)
Range Check
# value w/in a range
Size Check
input data will fit into field
Completeness Check
have all required fields been filled?
Validity Check
compares ID/code entered against master file records
Reasonableness Test
Logical relationship...does the entry make sense? |
|
|
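The eight checks above applied to one sales order line, as an added example that is not part of the original cards. Each check reports under the field it applies to, the numeric checks only run on values that already passed the field check, and the reasonableness test compares order value against the customer's credit limit from the master file. The master file, field widths, limits and sample records are constructed.

```python
import re

# Constructed customer master file (target of the validity check) and field rules.
CUSTOMER_MASTER = {"C1001": {"credit_limit": 5000.00}, "C1002": {"credit_limit": 20000.00}}
MAX_QUANTITY = 1000                  # limit check
DISCOUNT_RANGE = (0.0, 0.25)         # range check
FIELD_SIZES = {"customer_id": 5, "quantity": 4, "unit_price": 10, "discount": 4, "ship_to": 60}
REQUIRED = ("customer_id", "quantity", "unit_price", "ship_to")


def validate_order_line(rec):
    """Run the data-entry checks on one sales order line.
    Returns {field: [messages]}; an empty dict means the record passes."""
    errors = {}

    def err(field, msg):
        errors.setdefault(field, []).append(msg)

    # Completeness check: every required field present and non-blank
    for f in REQUIRED:
        if not str(rec.get(f, "")).strip():
            err(f, "completeness: required field missing")
    # Size check: the value fits in its field
    for f, width in FIELD_SIZES.items():
        if f in rec and len(str(rec[f])) > width:
            err(f, f"size: longer than {width} chars")
    # Field checks: right kind of characters
    if "quantity" in rec and not re.fullmatch(r"-?\d+", str(rec["quantity"])):
        err("quantity", "field: must be an integer")
    if "unit_price" in rec and not re.fullmatch(r"-?\d+(\.\d{1,2})?", str(rec["unit_price"])):
        err("unit_price", "field: must be a price with at most 2 decimals")
    if "customer_id" in rec and not re.fullmatch(r"C\d{4}", str(rec["customer_id"])):
        err("customer_id", "field: expected 'C' followed by 4 digits")
    # The numeric checks below only run on values that passed the checks so far
    qty = int(rec["quantity"]) if "quantity" in rec and "quantity" not in errors else None
    price = float(rec["unit_price"]) if "unit_price" in rec and "unit_price" not in errors else None
    # Sign check
    if qty is not None and qty <= 0:
        err("quantity", "sign: must be positive")
    if price is not None and price < 0:
        err("unit_price", "sign: must not be negative")
    # Limit check
    if qty is not None and qty > MAX_QUANTITY:
        err("quantity", f"limit: exceeds {MAX_QUANTITY}")
    # Range check
    if "discount" in rec:
        try:
            disc = float(rec["discount"])
            if not DISCOUNT_RANGE[0] <= disc <= DISCOUNT_RANGE[1]:
                err("discount", f"range: outside {DISCOUNT_RANGE}")
        except ValueError:
            err("discount", "field: must be numeric")
    # Validity check: customer must exist in the master file
    customer = CUSTOMER_MASTER.get(str(rec.get("customer_id")))
    if "customer_id" not in errors and customer is None:
        err("customer_id", "validity: no such customer in master file")
    # Reasonableness test: order value vs. the customer's credit limit
    if customer and qty and price is not None and qty * price > customer["credit_limit"]:
        err("quantity", "reasonableness: order value exceeds customer credit limit")
    return errors


# Constructed sample records
SAMPLE_GOOD = {"customer_id": "C1001", "quantity": "10", "unit_price": "19.99",
               "discount": "0.10", "ship_to": "1 Main St"}
SAMPLE_BAD = {"customer_id": "C9999", "quantity": "-5", "unit_price": "12.5",
              "discount": "0.40", "ship_to": ""}
SAMPLE_OVER_LIMIT = {"customer_id": "C1001", "quantity": "400", "unit_price": "25.00",
                     "ship_to": "2 Side St"}

if __name__ == "__main__":
    for name, rec in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD), ("over limit", SAMPLE_OVER_LIMIT)):
        print(name, validate_order_line(rec) or "passes")
```

The over-limit record is well-formed by every syntactic test and is only caught by the reasonableness test, which is why that check needs the master file and not just the record itself.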
Term
Processing Integrity
Source Data Controls |
|
Definition
Form Design
designed to minimize mistakes
Pre-Numbered
ensure all docs are included
Turnaround Docs
company output sent to outsiders & returned as input...machine-readable form
Cancellation & Storage
deface doc (void, paid, etc.)
stored securely
Authorization & Duty Segregation
only the right ppl have access
no one person has too much access
Visual Scanning
"eye check"...docs should make sense
|
|
|
Term
Backups
Incremental vs. Differential |
|
Definition
Incremental Backup
copies only data changed since the last backup (full or incremental)
...typically one day's changes; restore = full + every incremental since
Differential Backup
copies all changes since the last full backup
...restore = full + latest differential only |
|
|
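The two backup schemes above simulated over one week, as an added example that is not part of the original cards: both start from the same full backup, the incremental plan stores each day's delta against the previous day while the differential plan stores each day's delta against the full backup, and restore() shows the consequence, a chain replay versus full-plus-latest. The file names, versions and deletions are constructed.

```python
# Constructed week of file states (hypothetical names); day 0 is the Sunday full backup.
DAYS = [
    {"ledger.db": "v1", "payroll.csv": "v1", "notes.txt": "v1"},   # Sun: full backup
    {"ledger.db": "v2", "payroll.csv": "v1", "notes.txt": "v1"},   # Mon: ledger changed
    {"ledger.db": "v2", "payroll.csv": "v2", "notes.txt": "v1"},   # Tue: payroll changed
    {"ledger.db": "v3", "payroll.csv": "v2"},                      # Wed: ledger changed, notes deleted
    {"ledger.db": "v3", "payroll.csv": "v2", "q1.xlsx": "v1"},     # Thu: new file
]


def diff(old, new):
    """Changes that turn old into new: {name: content}, with None marking a deletion."""
    changes = {name: content for name, content in new.items() if old.get(name) != content}
    changes.update({name: None for name in old if name not in new})
    return changes


def incremental_plan(days):
    """Full on day 0; each later day stores only what changed since the previous day's backup."""
    return [("full", dict(days[0]))] + [
        ("incremental", diff(days[i - 1], days[i])) for i in range(1, len(days))]


def differential_plan(days):
    """Full on day 0; each later day stores everything changed since that full backup."""
    return [("full", dict(days[0]))] + [
        ("differential", diff(days[0], days[i])) for i in range(1, len(days))]


def apply_changes(state, changes):
    state = dict(state)
    for name, content in changes.items():
        if content is None:
            state.pop(name, None)
        else:
            state[name] = content
    return state


def restore(plan, through_day):
    """Rebuild the file set as of through_day.
    Incremental chain: replay every backup in order (one missing piece breaks the restore).
    Differential: the full backup plus only the latest differential."""
    _, full = plan[0]
    state = dict(full)
    if through_day == 0:
        return state
    kind, changes = plan[through_day]
    if kind == "incremental":
        for _, step in plan[1:through_day + 1]:
            state = apply_changes(state, step)
        return state
    return apply_changes(state, changes)


def backup_sizes(plan):
    """File entries stored by each backup: the storage cost the two schemes trade off."""
    return [len(changes) for _, changes in plan]


if __name__ == "__main__":
    inc, dif = incremental_plan(DAYS), differential_plan(DAYS)
    print("incremental sizes:", backup_sizes(inc))
    print("differential sizes:", backup_sizes(dif))
    print("Thursday restore matches:", restore(inc, 4) == restore(dif, 4) == DAYS[4])
```

The sizes show the trade-off the cards describe: incremental backups stay small (1 to 2 entries a day here) but a Thursday restore needs all four of them intact, while each differential grows through the week (up to 4 entries) and a restore needs only the latest one.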