Threat
any potential adverse occurrence or unwanted event that could be injurious to either the AIS or the organization
Exposure/Impact
potential dollar loss should a particular threat become reality
Likelihood
the probability that the threat will happen
Internal control
the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that certain control objectives are followed
Preventive control
deter problems before they arise
Detective control
discover problems as soon as they arise
Corrective control
remedy control problems that have been discovered
General control
designed to make sure an organization's control environment is stable and well managed
Application control
prevent, detect, and correct transaction errors and fraud
Foreign Corrupt Practices Act
meant to prevent the bribery of foreign officials in order to obtain business. Required corporations to maintain good systems of internal accounting control. Not sufficient on its own.
Sarbanes-Oxley Act (SOX)
applies to publicly held companies and their auditors and is intended to prevent financial statement fraud, make financial reports more transparent, provide protection to investors, strengthen the internal controls at public companies, and
Public Company Accounting Oversight Board (PCAOB)
five-member board that controls the auditing profession. Appointed and overseen by the SEC.
Belief system
communicates company core values to employees and inspires them to live by them. Should draw attention to how the organization creates value and help employees understand the direction management wants the company to take.
Boundary system
helps employees act ethically by setting limits beyond which they must not pass. Often results in lower creativity and initiative.
Diagnostic control system
measures company progress by comparing actual performance to planned performance. Planned performance takes the form of budgets or performance goals like sales, profitability, or revenue per employee.
Interactive control system
helps top-level managers with high-level activities that demand frequent and regular attention, like developing company strategy, setting company objectives, understanding and assessing threats and risks, monitoring changes in competitive conditions and e
Control Objectives for Information and Related Technology (COBIT)
framework of generally applicable information systems security and control practices for IT control. The framework allows management to benchmark the security and control practices of IT environments, users of IT services to be assured that adequate secur
Committee of Sponsoring Organizations (COSO)
a framework developed by COSO to define internal controls as well as to provide guidance for evaluating and enhancing internal control systems. It is widely accepted as the authority on internal controls.
Internal Control-Integrated Framework
defines internal controls and provides guidance for evaluating and enhancing internal control systems.
Enterprise Risk Management-Integrated Framework (ERM)
a COSO-developed framework that expands on the elements of COSO's Internal Control-Integrated Framework and provides an all-encompassing focus on the broader subject of enterprise risk management.
Analytical review
The examination of relationships between different sets of data
Audit committee
The committee responsible for overseeing a corporation's internal control structure, financial reporting process, and compliance with related laws and regulations. It is usually composed of outside members of the board of directors.
Audit trail
A traceable path of a transaction through a data processing system from point of origin (whether paper or electronic) to final output or backwards from final output to point of origin. An audit trail provides a means to check the accuracy and validity of
Authorization
The empowerment of an employee to perform certain functions within an organization, such as to purchase or sell on behalf of the company. Authorization can either be general or specific. General authorization is when regular employees are authorized to ha
Background check
When an employer verifies a potential or current employee's educational and work experience data on their resume, talks to references, checks to see if the person has a criminal record, checks credit records, and checks other publicly available data about the individual
Change management
The process of making sure that changes to the system do not negatively affect system reliability, security, confidentiality, integrity, and availability
Collusion
cooperation between two or more people in an effort to thwart internal controls
Compliance objective
objectives to help the company comply with all applicable laws and regulations
Computer forensic specialist
computer experts whose job entails discovering, extracting, safeguarding, and documenting computer evidence so that its authenticity, accuracy, and integrity will not succumb to legal challenges
Computer operator
people who run software on the company's computers. They ensure that data are properly input to the computer, processed correctly, and that the needed output is produced
Computer security officer (CSO)
an employee independent of the information system function who monitors the system and disseminates information about improper system uses and their consequences
Control activities
policies, procedures, and rules that provide reasonable assurance that management's control objectives are met and their risk responses are carried out
Data control group
the group charged with ensuring that source data have been properly approved, monitoring the flow of work through the computer, reconciling input and output, maintaining a record of input errors to ensure their correction and resubmission, and distributin
Data processing schedule
a schedule of data processing tasks designed to maximize the use of scarce computer resources
Digital signature
a piece of data signed on a document by a computer. A digital signature cannot be forged and is useful in tracing authorization. Can also be information encrypted with the creator's private key.
Event
An incident or occurrence emanating from internal or external sources that affects the implementation of strategy or the achievement of objectives
Expected loss
The mathematical product of the potential dollar loss that would occur should a threat become a reality (called exposure) and the risk or probability that the threat will occur (called likelihood)
Forensic accountant
accountants who specialize in fraud auditing and investigation. Upon qualification, forensic accountants may receive a Certified Fraud Examiner certificate
Fraud hotline
a phone number employees can call to anonymously report abuses such as fraud
General authorization
when regular employees are authorized to handle routine transactions without special approval
Information system library
a collection of corporate databases, files, and programs in a separate storage area
Inherent risk
the susceptibility of a set of accounts or transactions to significant control problems in the absence of internal control
Internal environment
the tone or culture of a company that helps determine the risk consciousness of employees; it is the foundation for all other ERM components, providing discipline and structure. It is essentially the same thing as the control environment in the internal c
Network manager
responsible for ensuring that applicable devices are linked to the organization's internal and external networks and that the networks operate continuously and properly
Neural network
computing systems that imitate the brain's learning process by using a network of interconnected processors that perform multiple operations simultaneously and interact dynamically. Neural networks recognize and understand voice, face, and word patterns m
Operations objective
objectives that deal with the effectiveness and efficiency of company operations, such as performance and profitability goals and safeguarding assets
Performance evaluation
a project development control that requires evaluating each module or task as it is completed
Policy and procedures manual
a management tool for assigning authority and responsibility. It explains proper business practices, describes the knowledge and experience needed by key personnel, spells out management policy for handling specific transactions, and documents the systems
Post-implementation review
review made after a new system has been operating for a brief period. The purpose is to ensure that the new system is meeting its planned objectives, to identify the adequacy of system standards, and to review system controls.
Programmer
the person who takes the design provided by systems analysts and creates an information system by writing the computer programs
Project development plan
a document that shows how a project will be completed, including the modules or tasks to be performed and who will perform them, the dates they should be completed, and project costs
Project milestone
significant points in a development effort where a formal review of progress is made
Reporting objective
objectives to help ensure the accuracy, completeness, and reliability of internal and external company reports, of both a financial and non-financial nature. They also improve decision-making and monitor company activities and performance more efficiently
Residual risk
the risk that remains after management implements internal controls or some other form of response to risk
Response time
the amount of time that elapses between making a query and receiving a response
Risk appetite
the amount of risk a company is willing to accept to achieve its goals and objectives
Security management
ensures that all aspects of the system are secure and protected from all internal and external threats
Segregation of accounting duties
separating the accounting functions of authorization, custody, and recording so as to minimize an employee's ability to commit fraud
Segregation of systems duties
implementing control procedures to clearly divide authority and responsibility within the information system function to prevent employees from perpetrating and concealing fraud
Specific authorization
when an employee must get special approval before handling a transaction
Steering committee
an executive-level committee to plan and oversee the information systems function. The committee typically consists of management from the systems department, the controller, and other management affected by the information systems function
Strategic master plan
an organization's multiple-year plan that serves as a technological road map and lays out the projects the company must complete to achieve its long-range goals
Strategic objective
high-level goals that are aligned with and support the company's mission
System performance measurements
measurements used to evaluate and assess a system. Common measurements include throughput (output per unit of time), utilization (% of time the system is being productively used), and response time (how long it takes the system to respond)
Systems administrator
ensures that an information system operates smoothly and efficiently
Systems analyst
a rigorous and systematic approach to decision making, characterized by a comprehensive definition of available alternatives and an exhaustive analysis of the merits of each alternative as a basis for choosing the best alternative. Also is an examination of
Systems integrator
a vendor who uses common standards and manages a cooperative systems development effort involving its own development personnel and those of the client and other vendors
Throughput
the total amount of useful work performed by a computer system during a given period of time. Also a measure of production efficiency representing the number of "good" units produced in a given period of time
Utilization
the percentage of time a system is being productively used