Upgrade to remove ads
Only $35.99/year

AIS Ch 13-15 Terms

Terms in this set (160)

Code of Ethics
A formal expectation on what is considered to be ethical within an organization to promote ethical behavior
Sarbanes-Oxley Act of 2002 (SOX)
A response to business scandals such as Enron, WorldCom, and Tyco International; requires public companies registered with the SEC and their auditors to annually assess and report on the design and effectiveness of internal control over financial reporting
Public Company Accounting Oversight Board (PCAOB)
Established by SOX to provide independent oversight of public accounting firms.
Corporate Governance
A set of processes and policies in managing an organization with sound ethics to safeguard the interests of its stakeholders. Promotes accountability, fairness, and transparency in the organization's relationship with stakeholders.
Internal Control
Involves the processes that an organization implements to safeguard assets, provide accurate and reliable information, promote operational efficiency, enforce prescribed managerial policies, and comply with applicable laws and regulations.
Preventive Controls
Deter problems before they arise. Require compliance with preferred procedures and thus stop undesirable events from happening. (Ex - transaction authorized to ensure validity; signed source document required before recording)
Detective Controls
Find problems when they arise. Procedures and techniques designed to identify undesirable events after they have already occurred. (Ex - bank reconciliation and monthly trial balance)
Corrective Controls
Fix problems that have been identified (Ex - using backup files to recover corrupted data)
General Controls
Pertain to enterprisewide issues such as controls over accessing the network, developing and maintaining applications, and documenting changes of programs.
Application Controls
Specific to a subsystem or an application to ensure the validity, completeness, and accuracy of the transaction. (Ex - input control when entering a sales transaction to ensure customer account number is entered correctly)
Committee of Sponsoring Organizations (COSO)
Composed of several organizations (AAA, AICPA, FEI, IIA, and IMA); studies the causal factors that lead to fraudulent financial reporting and develops recommendations for public companies, independent auditors, the SEC and other regulators, and educational institutions to improve the quality of financial reporting through internal controls and corporate governance.
American Accounting Association
AAA
American Institute of Certified Public Accountants
AICPA
Financial Executives International
FEI
Institute of Internal Auditors
IIA
Institute of Management Accountants
IMA
Internal Control - Integrated Framework
A COSO framework that defines internal controls and provides guidance for evaluating and enhancing internal control systems; 1992 and 2013
Enterprise Risk Management - Integrated Framework
a COSO framework that improves the risk management process by expanding COSO's Internal Control-Integrated Framework to provide guidance in defining, assessing, managing, and transferring risk in order to maximize firm value; 2017
COBIT
An internationally accepted set of best IT security and control practices for IT management released by the IT Governance Institute (ITGI).
Information Technology Infrastructure Library (ITIL)
A set of concepts and practices for IT service management.
International Organization for Standardization (ISO) 27000 series
This series contains a range of individual standards and documents specifically reserved by ISO for information security.
Internal Control (COSO)
Process - affected by an entity's board of directors, management, and other personnel - designed to provide reasonable assurance regarding the achievement of objectives in effectiveness and efficiency of operations, reliability of reporting, and compliance with applicable laws and regulations.
- Ongoing tasks and activities.
- Affected by people
- Reasonable (not absolute) assurance
- Geared toward the achievement of objectives
- Adaptable
Operations Objectives
Effectiveness and efficiency of a firm's operations on financial performance goals and safeguarding assets
Reporting Objectives
reliability of reporting, including internal and external financial and non-financial reporting
Compliance Objectives
adherence to applicable laws and regulations
Control Environment
sets the tone of an organization, influencing the control consciousness of its people, and establishes the foundation for the internal control system
- management philosophy and operating style
- integrity and ethical values of employees
- organizational structure
- role of audit committee
- proper board oversight for the development and performance of internal control
- personnel policies and practices
Risk assessment
involves a dynamic process for identifying and analyzing a firm's risks from external and internal environments. Allows a firm to understand the extent to which potential events might affect corporate objectives. Consider likelihood and potential loss.
Control Activities
All levels, all functions. Establish policies, procedures, and practices.
Information and Communication
supports all other control components by communicating effectively to ensure information flows down, across, and up the firm, as well as interacting with external parties such as customers, suppliers, regulators, and shareholders and informing them about related policy positions.
Monitoring Activities
the design and effectiveness of internal controls should be monitored by management and other parties outside the process on a continuous basis. findings should be evaluated, and deficiencies must be communicated in a timely manner. Necessary modifications should be made to improve the business process and internal control system.
Control Environment
Commitment to integrity and ethical values
Exercises oversight responsibility
Establishes structure, authority, and responsibility
Demonstrates commitment to competence
Enforces accountability
Risk assessment
Specifies suitable objectives
Identifies and analyzes risk
Assesses fraud risk
Identifies and analyzes significant change
Control Activities
Selects and develops control activities
Selects and develops general controls over technology
Deploys thorough policies and procedures
Information and Communication
Uses relevant information
Communicates internally
Communicates externally
Monitoring Activities
Conducts ongoing and/or separate evaluations
Evaluates and communicates deficiencies
enterprise risk management (ERM)
A process, affected by the entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of objectives.
Strategic (ERM)
High-level goals, aligned with and supporting the firm's mission and vision
Operations (ERM)
Effectiveness and efficiency of operations
Reporting (ERM)
reliability of internal and external reporting
Compliance (ERM)
compliance with applicable laws and regulations
Internal Environment (ERM)
Discipline and structure for all other components of ERM
Objective Setting (ERM)
Mission and Vision; set objectives first, then identify potential events affecting achievement. Have a process in place to set SORC objectives.
Event Identification (ERM)
Internal and external events.
Risk Assessment (ERM)
Same as COSO integrated framework.
Risk Response (ERM)
Select risk responses and develop a set of actions to align risks with risk tolerances and risk appetite. Reduce, share, avoid, accept
Control Activities (ERM)
Same as COSO integrated framework.
Information and Communication (ERM)
Same as COSO integrated framework.
Monitoring (ERM)
Process of evaluating the quality of internal control design and operation and effectiveness of ERM model. Monitor components and internal control process and modify as necessary.
Risk assessment
The process of identifying and analyzing risks systematically to determine the firm's risk response and control activities.
Inherent Risk
The risk related to the nature of the business activity itself.
Control Risk
The threat that errors or irregularities in the underlying transactions will not be prevented, detected, and corrected by the internal control system.
Residual Risk
The product of inherent risk and control risk (i.e., = Inherent risk × Control risk).
Cost-Benefit Analysis
Important in determining whether to implement an internal control.
Expected benefit of an internal control
impact x decreased likelihood
Physical Controls
Mainly manual but could involve the physical use of computing technology.
- authorization to ensure transactions are valid
- segregation of duties to prevent fraud and mistakes
- supervision to compensate imperfect segregation of duties
- accounting documents and records to maintain audit trails
- access control to ensure only authorized personnel have access to physical assets and infromation
- independent verification to double-check for errorsand misrepresentations
IT Controls
Involve processes that provide assurance for information and help to mitigate risks associated with the use of technology.
IT general controls (ITGC)
Enterprise-level controls over IT.
- IT Control environment
- Access Controls
- Change management controls
- Project development and acquisition controls
- Computer operations controls
IT application controls
Activities specific to a subsystem's or an application's input, processing, and output.
Input controls
Ensure the authorization, entry, and verification of data entering the system.
- field checks (proper type)
- size checks (fit)
- range checks (within range)
- validity checks (existing data)
- completeness (all required data)
- reasonableness (logical relationship correct)
- check digit verification (prevent transpositions)
- closed-loop verification (retrieve and display related information to ensure accurate data entry)
Processing Controls
Ensure that data and transactions are processed accurately.
- prenumbered documents
- sequence checks
- batch totals (record count, control total, hash total)
- cross-footing
- concurrent update controls
Output controls
Provide output to authorized people and ensure the output is used properly.
Governance & Culture (ERM)
Exercise board risk oversight
Establish operating structures
Define desired culture
Demonstrate commitment to core values
Attract, develop, and retain capable individuals
Strategy & Objective Setting (ERM)
Analyze business context
Define risk appetite
Evaluate alternative strategies
Formulate business objectives
Performance (ERM)
Identify risks
Assess severity of risks
Prioritize risks
Implement risk responses
Develop portfolio view
Review and Revision (ERM)
Assess substantial change
Review risk and performance
Pursue improvement in ERM
Information Communication & Reporting (ERM)
leverage information and technology
communicate risk information
report on risk, culture, and performance
COBIT framework
align business and IT objectives
defines scope and ownership of IT process and control
consistent with good practices and standards
common language
regulatory requirements
COBIT control objectives
effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability
ITIL 5 Categories
Service Strategy
Service Design
Service Transition
Service Operation
Continual service improvement
ISO 27000 Series
Provide a model for establishing, implementing, operating, monitoring, maintaining, and improving an information security management system
Confidentiality, Integrity, Availability
CIA of Information
Virus
a self-replicating program that runs and spreads by modifying other programs or files
Worm
A self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself.
Trojan Horse
a non-self-replicating program that seems to have a useful purpose in appearance, but in reality has a different, malicious purpose
Spam
sending unsolicited bulk information
Botnet (bot)
a collection of software robots that overruns computers to act automatically in response to the bot-herder's control inputs through the internet
Denial of Service (DoS)
The prevention of authorized access to resources (such as servers) or the delaying of time-critical operations.
Spyware
software that is secretly installed into an information system to gather information on individuals or organizations without their knowledge; a type of malicious code
Spoofing
sending a network packet that appears to come from a source other than its actual source
Social Engineering
manipulating someone to take certain action that may not be in that person's best interest, such as revealing confidential information or granting access to physical assets, networks, or information
Encryption
Using algorithmic schemes to encode plaintext into nonreadable form. Preventive control providing confidentiality and privacy for data transmission and storage
Main factors of encryption
key length, encryption algorithm, key management
symmetric-key encryption
Both the sender and the receiver use the same key to encrypt and decrypt messages. Fast and suitable for encrypting large data sets or messages. Key distribution and key management are problematic because both the sender and the receiver use the same key to encrypt and decrypt messages.
asymmetric-key encryption
To transmit confidential information, the sender uses the receiver's public key to encrypt the message; the receiver uses his or her own private key for decryption upon receiving the message. Also known as public-key encryption or two-key encryption. Slow and not appropriate for encrypting large data sets. The sender uses the receiver's public key to encrypt the message; the receiver uses his or her own private key for decryption upon receiving the message
Public Key
A string of bits created with the private key and widely distributed and available to other users.
Private key
A string of bits kept secret and known only to the owner of the key.
authentication
A process that establishes the origin of information or determines the identity of a user, process, or device.
Session key
A symmetric key that is valid for a certain timeframe only.
Digital signature
A message digest of a document (or data file) that is encrypted using the document creator's private key.
Message digest (MD)
A short code, such as one 256 bits long, resulting from hashing a plaintext message using an algorithm.
Hashing
A process to run an original document or data through an algorithm to generate a message digest.
Data integrity
Maintaining and assuring the accuracy and consistency of data during transmission and at storage.
Certificate Authority (CA)
A trusted entity that issues and revokes digital certificates.
Digital certificate
A digital document issued and digitally signed by the private key of a Certificate Authority that binds the name of a subscriber to a public key.
Public-key infrastructure
A set of policies, processes, server platforms, software, and workstations used for the purpose of administering certificates and public-/private-key pairs, including the ability to issue, maintain, and revoke public-key certificates.
Fraud Triangle
Three conditions exist for a fraud to be perpetrated: incentive, opportunity, and rationalization.
Incentive (Pressure)
Provides a reason to commit fraud
Opportunity
Absence of controls, ineffective controls, or the ability of management to override controls
Rationalization
Attitude of fraudster
AUP
Acceptable use policy
Examples of Vulnerabilities within a Physical IT Environment
Physical intrusion
Natural disasters
Excessive heat or humidity
Examples of Vulnerabilities within an Information System
system intrusion
logical access control failure
interruption of a system
Examples of Vulnerabilities within the Processes of IT operations
social engineering
unintentional disclosure of sensitive information by employee
intentional destruction of information
inappropriate end-user computing
Main components of vulnerability management and assessment
maintenance
identification
remediation
assessment
uninterruptible power supply
A device using battery power to enable a system to operate long enough to back up critical data and shut down properly during the loss of power.
fault tolerance
Redundant units providing a system with the ability to continue functioning when part of the system fails.
virtualization
Using various techniques and methods to create a virtual (rather than actual) version of a hardware platform, storage device, or network resources.
cloud computing
Using redundant servers in multiple locations to host virtual machines.
SOC 1
Focuses on the impact of the cloud provider's controls on the user company's financial statements
SOC 1, SOC 2
provide evaluations on a broader set of controls relevant to the security, availability, processing integrity, confidentiality, or privacy implemented by the service provider
disaster recovery planning (DRP)
A process that identifies significant events that may threaten a firm's operations and outlines the procedures to ensure that the firm will resume operations when the events occur.
business continuity management (BCM)
The activities required to keep a firm running during a period of displacement or interruption of normal operations.
DRP, BCM
Both are important to firms because they are about whether the firms can continue their business or not
operating system (OS)
Performs the tasks that enable a computer to operate; comprised of system utilities and programs.
operating system functions
ensure integrity of the system
control the flow of multiprogramming and tasks of scheduling in the computer
allocate computer resources to users and applications
manage the interfaces with the computer
operating system control objectives
protect itself from users
protect users from each other
protect users from themselves
protected from itself
protected from its environment
database
A shared collection of logically related data for various uses.
database system
A term typically used to encapsulate the constructs of a data model, database management system (DBMS), and database.
data warehouse
A collection of information gathered from an assortment of external and operational (i.e, internal) databases to facilitate reporting for decision making and business analysis.
operational database
Often includes data for the current fiscal year only.
data mining
A process of using sophisticated statistical techniques to extract and analyze data from large databases to discern patterns and trends that were not previously known.
drill-down, consolidation, time-series analysis, exception reports, what-if simulations
data governance
The convergence of data quality, data management, data policies, business process management, and risk management surrounding the handling of data in a firm.
local area network (LAN)
A group of computers, printers, and other devices connected to the same network that covers a limited geographic range such as a home, small office, or a campus building.
local area network (LAN)
hubs and switches; packets
hub
Contains multiple ports.
switches
An intelligent device that provides a path for each pair of connections on the switch by storing address information in its switching tables.
MAC (media access control) address
A designated address that is connected to each device via the network and only sees traffic. Related to switches. Each device cannot eavesdrop on network traffic intended for other recipients.
wide area network (WAN)
Links different sites together; transmits information across geographically dispersed LANs; and covers a broad geographic area such as a city, region, nation, or an international link.
wide area network (WAN) 3 main purposes
provide remote access to employees or customers
link two or more sites within the firm
provide corporate access to the internet
wide area network (WAN)
firewalls and routers
router
Software-based intelligent device that chooses the most efficient communication path through a network to the required destination.
firewall
A security system comprised of hardware and software that is built using routers, servers, and a variety of software.
virtual private network (VPN)
Securely connects a firm's WANs by sending/receiving encrypted packets via virtual connections over the public Internet to distant offices, salespeople, and business partners.
remote access
Connection to a data-processing system from a remote location—for example, through a virtual private network.
wireless network
Comprised of two fundamental architectural components: access points and stations.
access point
Logically connects stations to a firm's network.
station
A wireless endpoint device equipped with a wireless network interface card.
benefits of wireless technology
mobility, rapid deployment, flexibility/scalability
general security objectives for both wired and wireless LANs
confidentiality, integrity, availability, access control
eavesdropping
the attacker passively monitors wireless networks for data, including authentication credentials
man-in-the-middle
The attacker actively intercepts communications between wireless clients and access points to obtain authentication credentials and data.
masquerading
The attacker impersonates an authorized user and gains certain unauthorized privileges to the wireless network
message modification
The attacker alters a legitimate message sent via wireless networks by deleting, adding to, changing, or reordering it
message replay
the attacker passively monitors transmissions via wireless networks and retransmits messages, acting as if the attacker was a legitimate user
misappropriation
the attacker steals or makes unauthorized use of a service
traffic analysis
the attacker passively monitors transmissions via wireless networks to identify communication patterns and participants
rogue access points
the attacker sets up an unsecured wireless network near the enterprise with an identical name and intercepts any messages sent by unsuspecting users who log onto it
management, operational, technical
security controls for wireless networks - 3 groups
management controls
assigning roles and responsibilities, creating policies and procedures, conducting risk assessment on a regular basis
Ex - determining which parties are authorized and responsible for installing and configuring access points and other wireless network equipment; types of information that may or may not be sent over wireless networks; and how transmission over wireless networks should be protected, including requirements for the use of encryption and for cryptographic key management
operational controls
protecting a firm's premise and facilities, preventing and detecting physical security breaches, and providing security training to employees, contractors, or third party users
Ex - define and document security roles and responsibilities; terms and conditions of employment; awareness training and updates
technical controls
security controls that are primarily implemented and executed through mechanisms contained in computing-related equipment, including access point management and encryption setup. change default configuration of all access points (SSID, admin credentials, radio signal strength, remote web-based configuration, internet protocol)
computer-assisted audit techniques (CAATs)
Essential tools for auditors to conduct an audit in accordance with heightened auditing standards.
audit around the computer (or black-box approach)
Auditors test the reliability of computer-generated information by first calculating expected results from the transactions entered into the system. Then, the auditors compare these calculations to the processing or output results.
audit through the computer (or white-box approach)
Requires auditors to understand the internal logic of the system/application being tested.
test data technique
Uses a set of input data to validate system integrity.
parallel simulation
Attempts to simulate the firm's key features or processes.
integrated test facility (ITF)
An automated technique that enables test data to be continually evaluated during the normal operation of a system.
embedded audit module (EAM)
A programmed audit module that is added to the system under review.
generalized audit software (GAS)
Frequently used to perform substantive tests and used for testing of controls through transactional data analysis.
mathematical computations, stratification, statistical analysis, sequence checking, duplicate checking, recomputation
continuous audit
Performing audit-related activities on a continuous basis.
Other sets by this creator