AIS Exam 2

Preventive, Detective, Corrective

Internal Controls

-Internal environment
-Objective setting
-Event identification
-Risk assessment
-Risk response
-Control activities
-Information and communication
-Monitoring

COSO-ERM

Threat or Event

Any potential adverse occurrence or unwanted event that could be injurious to either the AIS or the organization

Exposure or Impact

The potential dollar loss should a particular threat become a reality

Likelihood

The probability that the threat will happen

Preventive Controls

Deter problems from occurring
Uses segregation of duties with cash handling

Detective Controls

Discover problems that are not prevented
-Log Analysis
-Intrusion Detection Systems
-Penetration Testing
-Continuous Monitoring

Corrective Controls

-Identify and correct problems
-Recover from those problems
+Computer Incident Response Team
+Chief Information Security Officer
+Patch Management

-Data Matching
-File Labels
-Recalculation of batch totals
-Cross-footing
-Zero-balance tests
-Write-protection mechanisms
-Concurrent update controls

Processing controls for computer processing

Limit Check

Tests numerical amount against a fixed value

Forms Design

Source documents and other forms should be designed to minimize the chances for errors and omissions

Inherent Risk

Susceptibility to significant control problems in the absence of internal controls

Write-Protection Mechanisms

Protect against overwriting or erasing of data files stored on magnetic media

Compatibility Test

Test that matches the user's authentication credentials against the access control matrix to determine whether they should be allowed

Data Matching

Two or more items of data must be matched before an action can take place

Closed-Loop Verification

Input validation method that uses data entered into the system to retrieve and display other related information so that the data entry person can verify the accuracy of the input data

Objectives of a Disaster Recovery Plan

-Resume normal operations as soon as possible
-Train employees for emergency operations
-Minimize the extent of the disruption, damage, or loss

Sequence Check

Determines if a batch of input data is in the proper numerical or alphabetical order

-Field Check
-Sign Check
-Limit Check
-Range Check
-Size Check
-Completeness Check
-Validity Check
-Reasonableness Check

Source Data Entry Controls

Cancellation and storage of source document

Source documents that have been entered into the system should be canceled so they cannot be fraudulently reentered

Visual Scanning

-Checklists
-Second Reviewer

Recalculation of Batch Totals

Batch totals should be recomputed as each transaction record is processed and the total of the batch should then be compared to the values in the trailer record

File Labels

Need to be checked to ensure that the correct and most current files are being updated
-External Labels - Readable by humans
-Internal Labels - Readable by machine

Authorization

Restricts access of authenticated users to specific portions of the system and specifies what actions they are permitted to perform

Validity Check

Compares the ID code or account number in transaction data with similar data in the master file to verify that the account exists

Collusion

Cooperation between two or more people in an effort to thwart internal controls

Completeness Check

Verifies that all data required has been entered

Size Check

Test that ensures the input data will fit into the assigned field

Range Check

Test that determines if data item falls within predetermined upper and lower limits

Sign Check

Determines the appropriate arithmetic sign

Field Check

Tests whether characters in a field are the correct type

Cross-Footing

A processing control which verifies accuracy by comparing two alternative ways of calculating the same total

Zero-Balance

Verifies that the balance of a control account equals zero after all entries to it have been made

Concurrent Update Controls

Prevent the error of two or more users updating the same record at the same time

Differential Backup

A type of partial backup that involves copying all changes made since the last full backup

Incremental Backup

A type of partial backup that involves copying only the data items that have changed since the last partial backup

Full Backup

Exact copy of an entire database

Access Control Matrix

Table specifying which portions of the system users are permitted to access and what actions they can perform

Defaced

Paper document stamped "Paid"

Investigative Audit

An examination of incidents of possible fraud, misappropriation of assets, waste, and abuse

Hot Site

A disaster recovery option that relies on access to a completely operational alternative data center that is not only prewired, but also contains all the necessary hardware and software

Cold Site

A disaster recovery option that relies on access to an alternative facility that is prewired for necessary telephone and internet access, but does not contain any computing equipment

Batch Totals

The sum of numerical items for a batch of documents, calculated prior to processing the batch, when data is entered, and subsequently compared with computer-generated totals after each processing step to verify that the data is processed correctly

Compliance Audit

Examination of organizational compliance with applicable laws, regulations, policies, and procedures

Operational Audit

Examination of the economical and efficient use of resources and accomplishments of established goals and objectives

Operational Audit

Purpose is to evaluate effectiveness, efficiency, and goal achievement

Information Systems Audit

Examination of the general and application controls of information systems

Financial Audit

Examination of the reliability and integrity of financial transactions, accounting records, financial statements

-Financial Audit
-Information Systems Audit
-Operational Audit
-Compliance Audit
-Investigative Audit

Types of internal audit work

IS Audit

Purpose is to review and evaluate the internal controls that protect a system

Reasonable Assurance

Obtaining complete assurance that information is correct is prohibitively expensive, so auditors accept a reasonable degree of risk that the audit conclusion is incorrect

Analytical Review

Examination of the relationships between different sets of data; abnormal or unusual relationships and trends are investigated

Materiality

Amount of an error, fraud, or omission that would affect the decision of a prudent user of financial information

Detection Risk

Risk that auditors and their audit procedures will fail to detect a material error or misstatement

Control Risk

Risk that a material misstatement will get through the internal control structure and into the financial statements

Computer Audit Software

Computer-assisted audit software that can perform audit tasks on a copy of a company's data

Audit Planning

Determines why, when, and how the audit will be performed

Check Digit

ID numbers can contain a check digit computed from other digits

Reasonableness Test

Logical correctness of relationships among data items

Privacy

Personal information about trading partners, investors, and employees is protected

Process Integrity

Data are processed accurately, completely, in a timely manner, and with proper authorization

Phishing

Sending an email that asks the victim to follow a link which appears legitimate but requests sensitive data

Security

Access to the system and data is controlled and restricted to legitimate users

Pharming

Redirects website traffic to a spoofed website

Firewall

A combination of security algorithms and router communications protocols that prevent outsiders from tapping into corporate databases

COSO-ERM

Expands COSO framework
-Risk-based Approach

Inherent

Type of risk that exists before plans are made to control it

COSO

Framework for enterprise internal controls
-Control-based approach

Patch Management

The process of regularly applying patches and updates to software

War Dialing

Calls every telephone number assigned to the organization to identify those connected to modems, which in turn identifies rogue modems

COBIT

Framework for IT controls

Segregation of Duties

Makes sure that different people handle different duties of the same transaction

Hashing

Transforming plaintext of any length into a short code

Ciphertext

Plaintext transformed into unreadable gibberish using encryption

Symmetric

Type of encryption that uses only one key to encrypt and decrypt

Asymmetric

Type of encryption system that uses two keys

Decryption

Transforming ciphertext back to plaintext

Plaintext

Normal text that has not yet been encrypted

Encryption

Process of transforming normal text called plaintext into unreadable gibberish called ciphertext

When P > D + C

When is the time-based model of security effective?

Risk Appetite

Amount of risk a company is willing to accept to achieve its goals and objectives

-Control Environment
-Risk Assessment
-Control Activities
-Information & Communication
-Monitoring

What are COSO's 5 components to its internal control model?

Preventive Controls

People
Process
IT Solutions
Physical Security
Change Controls & Management

Authentication

Process of verifying the identity of a person

Border Router

Connects an organization's information system to the internet

-Security
-Confidentiality
-Privacy
-Process Integrity
-Availability

What does COBIT focus on?

Choice & Consent

Opt in vs opt out approaches

Foreign Corrupt Practices Act

Requires all publicly owned corporations to maintain a system of internal accounting controls

-Identify & Classify information to be protected
-Encrypt the Information
-Control access to the information
-Train employees to properly handle information

What are the 4 steps to obtain confidentiality?

Notice

Provide notice of privacy policies and practices prior to collecting data

Management

Must establish a set of procedures and policies, with assigned responsibility and accountability, before requesting information

Digital Watermark

Code embedded in documents that enables an organization to identify confidential information that has been disclosed

Residual

Type of risk that remains after controls have been applied

Data Loss Prevention

Software which works like antivirus programs in reverse, blocking outgoing messages that contain key words or phrases associated with IP or other sensitive data

-Internal Environment
-Objective Setting
-Event Identification
-Risk Assessment
-Risk Response
-Control Activities
-Information & Communication
-Monitoring

COSO-ERM internal controls model 8 things

Disclosure to Third Parties

Provide same level of privacy

Confidentiality

Sensitive organizational data is secured

Safeguard Assets

Prevent or detect the unauthorized acquisition, use, or disposition of assets

Access

Customer should be able to review, correct, or delete information on them

Information Rights Management

Software that offers the capability not only to limit access to specific files or documents but also to specify the actions

Virtual Private Network

-Extends a private network across a public network, such as the internet
-Enables users to send and receive data across shared or public networks

Monitoring & Enforcement

Procedures to respond to complaints

Internal Environment

-Management's philosophy, operating style, and risk appetite
-Commitment to integrity, ethical values
-Internal control oversight of Board of Directors
-Organizational Structure
-Methods of assigning authority & responsibility
-Human resource standards