Upgrade to remove ads
Only $2.99/month

ACC 413 Chapter 7

Terms in this set (65)

Bring Your Own Device (BYOD)
A policy whereby organizations allow associates to access business email, calendars, and other data on their personal laptops, smartphones, tablets, or other devices
Information Systems Auditor
An auditor who works extensively in the area of computerized information systems and has deep IT risk, control, and audit expertise
Networks
A computer network links two or more computers or devices so they can share information and/or workloads.
Types of networks
1. A client-server network connects one or more client computers with a server and data processing is shared between the client ann the server in a manner that optimizes processing efficiency

2. A local area network (LAN) spans a relatively small area such as a building or group of adjacent buildings

3. A wide area network (WAN) comprises a system of LANs connected together to span a regional, national, or global area

4. An Intranet isn't organization's private network accessible only to that organization's personnel

5. An extranet is accessible to selected third parties such as authorized suppliers and/or customers

6. A value added network (VAN) is a third party network that connects an organization with its trading partners

7. The Internet (interconnected networks) is the very large and complex public system of computer networks that enables users to communicate globally

8. Two devices can share information just between themselves without being attached to other networks
Big data
A term used to refer to the large amount of constantly streaming digital information, massive increase in the capacity to store large amounts of data, and the amount of data processing power required to manage, interpret, and analyze the large volumes of digital information
People
Specific information system roles very significantly from one organization to another. Typically, these roles include those of the chief information officer, a database administrator, systems developers, data processing personnel, and end-users.
CIO
responsible for the day-to-day oversight and direction of IT in for ensuring the IT objectives and strategies are aligned with the organizations business objectives and strategies
Database administrator
Responsible for supervising the design, development, implementation, and maintenance of the database, controlling access to the database, monitoring database performance, and upgrading the database in response to changes in users needs.
Systems developers
Include analysts and programmers

Analysts survey users' IT needs, perform "what is" versus "what should be" analysis of IT systems, and design new IT systems.

Programmers construct and test the software used to execute data processing tasks.
Data processing personnel
Manage centralized IT resources and perform centralized day today input, processing, and output activities
End users
The managers and employees for whom the information system was built. They use the information produced by the system to carry out their day-to-day roles and responsibilities
ERP system
A modular software system that enables an organization to integrate its business processes using a single operating database
EDI
The computer to computer exchange of business documents in electronic form between an organization and its trading partners
Selection risk
Selection of an IT solution that is misaligned with a strategic objective may preclude the execution of the IT dependent strategy.

Selection of an IT solution that is insufficiently flexible and/or scalable may result in incompatibilities between the IT solution and the organization's existing systems and/or hinder future organizational changes and growth
Development/accusation and deployment risk
Problems and countered as the IT solution is being developed/acquired and deployed may cause unforeseen delays, cost overturns, or even abandonment of the project
Availability risk
Unavailability of the system when needed may cause delays in decision-making, business interruptions, lost revenue, and customer dissatisfaction
Hardware/software risk
Failure of hardware/software to perform properly may cause business interruptions, temporary or permanent damage to or destruction of data, and hardware/software repair or replacement costs
Access risk
Unauthorized physical or logical access to the system may result in theft or misuse of hardware, malicious software modifications, and theft, misuse, or destruction of data
System reliability and information integrity risk
Systematic errors or inconsistencies in processing may produce irrelevant, incomplete, inaccurate, and/or untimely information.

In turn, the bad information produced by the system may adversely affect the decisions that are based on the information
Confidentiality and privacy risk
Unauthorized disclosure of business partners' proprietary information or individuals' personal information may result in a loss of business, lawsuits, negative press, and reputation impairment.
Fraud and malicious acts risk
Theft of IT resources, intentional misuse of IT resources, or intentional distortion or destruction of information may result in financial losses and/or misstated information that decision makers rely upon
Information and communication
The purpose of an organization's information system is to identify, capture, and communicate high-quality information to decision-makers on a timely basis.
Internal environment
And organizations internal environment includes the tone at the top of the organization
Objective setting
The IT governance process begins with the definition of IT objectives, which establish the direction of IT activities
Event identification
Potential events arising inside or outside the organization that could affect the execution of the organization strategies and each evening of its objectives must be identified
Risk assessment
Identified IT risk events must be assessed in terms of their inherent impact and likelihood
Risk response
Appropriate risk responses must be formulated for identified IT risk events
Control activities
Appropriate risk response policies must be defined and procedures (actions taken to apply the policies) must be designed adequately and operates actively to provide assurance that residual IT risk levels are within managements risk tolerance
Monitoring
Management is responsible for monitoring the IT risk management process, including the IT control process, over time to ensure that the process continues to operate effectively and efficiently as internal and External environmental factors affecting the organization change
General controls
Apply to all systems components, processes, in data forgiven organization or systems environment
Application controls
Pertain to the scope of individual business processes or application systems and include controls within an application around input, processing, and output
Segregation of duties
An organization's structure should not allow responsibility for all aspects of processing data to rest with one individual
Change management processes
Ensure that changes to the IT environment, systems software, application systems, and data are applied in a manner that enforces appropriate segregation of duties; ensures that changes work and are implemented as required; and prevents changes from being exploited for fraudulent purposes
Systems software controls
1. Access rights allocated in control according to the organization's stated policy

2. Division of duties enforced through systems software and other configuration controls

3. Intrusion in vulnerability assessment, prevention, and detection in place in continuously monitored

4. Intrusion testing performed on a regular basis

5. Encryption services applied where confidentiality is a stated requirement

6. Change management processes-including patch management-in place to ensure a tightly controlled process for applying all changes and patches the software, systems, network components, and data
Systems development and accusation controls
1. User requirements should be documented, and there achievement should be measured

2. Systems design should follow a formal process to ensure that user requirements and controls are designed into the system

3. Systems development should be conducted in a structured manner to ensure that requirements and approved design features are incorporated into the finished product

4. Testing should ensure that individual system elements work as required, system interfaces operate as expected, and that the system owner has confirmed that the intended functionality has been provided

5. Application maintenance processes should ensure that changes in application systems follow a consistent pattern of control. Change management should be subject to structured assurance validation processes
Application based controls are implemented to ensure that
1. All input data is accurate, complete, authorized, and correct

2. All data is processed as intended

3. All data stored is accurate and complete

4. All output is accurate and complete

5. A record is maintained to track the process of data from input to storage and to the eventual output
Application based controls
1. Input controls
2. Processing controls
3. Output controls
4. Integrity controls
5. Management trail
Input controls
These controls are used mainly to check the integrity of data entered into a business application, whether the source is input directly by staff, remotely by a business partner, or through a web enabled application
Processing controls
These controls provide automated means to ensure processing is complete, accurate, and authorized
Output controls
These controls address what is done with the data. They should compare results with the intended result and check them against the input
Integrity controls
These controls can monitor data in the process and/or storage to ensure that data remains consistent and correct
Management trail
Processing history controls, often referred to as an audit trail, enable management to track transactions from the source to the ultimate result into trace backward from results to identify the transactions and events they record
Physical access control
Provide security over tangible IT resources
Logical access controls
Provide security over software and information imbedded in the system
IT proficiency and due professional care
Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor who's primary responsibility is information technology auditing

In exercising due professional care, internal auditors must consider the use of technology based audit and other data analysis techniques
Technology based audit techniques
Also referred to as computer assisted audit techniques (CAAT).

CAATs include generalized audit software (GAS) such as ACL and IDEA.

GAS is an example of an IT audit tool that internal audit functions are increasingly expecting all staff members to understand and apply effectively.
IT control related certifications
CISA: Certified Information System Auditor

CISSP: Certified Information Systems Security Professional
CAE is responsible for...
Ensuring that the internal audit function has the IT proficiency needed to fulfill its assurance engagement responsibilities
3 Performance Implementation Standards
1. The internal audit activity must asses whether the information technology governance of the organization supports the organization's strategies and objectives

2. The internal audit activity must evaluate risk exposures relating to the organization's information systems

3. The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization's information systems
IT Outsourcing
Transferring IT functions to an outside provider to achieve cost reductions while improving service quality and efficiency
Integrated Auditing
IT risks and control assessments are assimilated into assurance engagements conducted to assess process-level reporting, operations and/or compliance risks and controls
IT Outsourcing Board and Management
IT outsourcing brings with it risks that an organization's board and management must understand and manage.

The board and management also retain responsibility for the controls over the outsources IT functions and will call upon the CAE to provide them with assurance regarding the design adequacy and operating effectiveness of these controls
Integrated Continuous Auditing
Audit around the computer: looks at input and output and does not seek to understand what processes happen inside the computer.

Audit through the computer: means that, for example, by the use of test data you seek to understand the computerised procedures
Integrating IT auditing into assurance engagements
Instead of conducting separate assurance engagements focused strictly on process-level IT risks and controls, these internal audit functions assimilate IT risk and control assessments into assurance engagements conducted to assess process-level financial reporting, operations, and/or compliance risks and controls

Improves effectiveness and efficiency of their internal audit assurance services
Continuous Auditing
Any method used by internal auditors to perform audit-related activities in a more continuous or continual basis.

Comprised of 2 main activities:

1. Continuous controls assessment: the purpose of which is "to focus audit attention on control deficiencies as early as possible

2. Continuous risk assessment: The purpose of which is "to highlight processes or systems that are experiencing higher than expected levels of risk"
GTAG
Provide internal auditors with guidance that will help them better understand the governance risk and control issues surrounding it
GAIT
Describes the relationships among financial reporting risks, key process controls, automated controls and other critical IT functionality and key IT general controls
The software that manages the interconnectivity of the system hardware devices is the
Operating system software
An Internet firewall is designed to provide protection against
Unauthorized access from outsiders
Which of the following best illustrates the use of EDI
Computerized placement of a purchase order from a customer to its supplier
The possibility of someone maliciously shutting down in information system is most directly in element of
Availability risk
An organization's IT governance committee has several important responsibilities. Which of the following is not normally such a responsibility?
Designing IT application based controls
If a sales transaction record was rejected during input because the customer account number entered was not listed in the customer master file, the error was most likely detected by a
Validity check
The purpose of logical security controls is to
Restrict access to data
Which of the following statements regarding an internal audit function is continuous auditing responsibilities is/are true?
The intern audit function is responsible for assessing the effectiveness of managements continuous monitoring activities

AND

In areas of the organization in which management has implemented effect of monitoring activities, the internal audit function can conduct less stringent continuous assessment of risks and controls
THIS SET IS OFTEN IN FOLDERS WITH...