AIS Final Exam
steps risk response
(1) Reduce risks: implement effective internal control (2) Share risks: buy insurance, outsource, or hedge (3) Avoid risks: do not engage in the activity (4) Accept risks: Do nothing, accept likelihood and impact of risk
Organization Capital
- investment in creating a unique corporate identity and culture -Ensuring that employees know and are aligned with the organization's strategic objectives
Human Capital
- investment in people -Ensuring the right people with the right skills are available
Proof of stake (how blockchain works)
-A set of validators who propose the next block lock up an amount of their cryptocurrency as a deposit (stake) to ensure honest behavior; a validator caught misbehaving forfeits the deposit. -It reduces computing costs and centralization risks compared with proof of work.
Database Systems
-Accountants increasingly participate in designing internal control systems and improving business and IT processes in a database environment -shared collection of logically related data which meets the information needs of a firm -the core asset of many companies
Proof of work (how blockchain works)
-All miners compete to create the next block to be committed to the blockchain by solving a computationally expensive puzzle (finding a nonce for which the block's hash meets a target). -Because every block costs real computing power, an attacker who wants to rewrite history must redo that work for the altered block and for every block after it, which takes more computing power than the rest of the network combined.
Descriptive Analysis
-Analysis performed that characterizes, summarizes and organizes past performance. -Ex: Did we make a profit last year? How much did we pay in federal taxes last year? How long have the existing accounts receivable been past due?
Prescriptive Analytics
-Analysis performed which identifies the best possible options given constraints or changing conditions. -Ex: What level of sales is needed to break even? How can revenues be maximized if there is a trade war with China? Should the company lease or buy its headquarters office? Should the company make its own products or outsource production to another company?
Physical Intrusion (threat physical IT environment)
-External parties entering facilities without permission and/or providing access information -Unauthorized hardware changes (vulnerability)
excessive heat or humidity (threat physical IT environment)
-Humidity alarm not in place -Outdated devices not providing information on temperature and humidity levels (vulnerability)
Interruption of a system (threat IT system)
-Improper system configuration and customization -Poor service level agreements (SLAs) monitoring on service providers (vulnerability)
Unintentional disclosure of sensitive information by employee (threat Processes of IT Operations)
-Inappropriate data classification rule -Poor user access management allows some users to retrieve sensitive information not pertaining to their roles and responsibilities
Inappropriate end-user computing (threat Processes of IT Operations)
-Ineffective training as to the proper use of computer -End-user computing policy has not been reviewed -Poor firewall rules allowing users to access illegitimate websites
disruption/blackout (threat physical IT environment)
-Insufficient backup power supply -No voltage stabilizer (vulnerability)
4 perspectives of the Balanced Scorecard (BS)
-Learning & Growth Perspective (Improve process) -Business Process Perspective (lower costs; enhance customer value) -Customer perspective (grow revenue) -Financial perspective
3 concepts traditional transactions (blockchain)
-Middleman -Delay -Service fee
Natural disasters (threat physical IT environment)
-No regular review of a policy that identifies how IT equipment is protected against environmental threats -Inadequate or outdated measures for environmental threats (vulnerability)
Intentional destruction of information (threat Processes of IT Operations)
-Not requiring approval prior to deleting sensitive data -Poor employee morale -Writable disk drive containing data which shall not be deleted such as transaction logs
Audit Data Standards Benefits
-Reduces the time and effort involved in accessing data by -Works well with standard audit and risk analytic tests often run against datasets in specific accounts or groups of accounts (such as inventory or accounts receivable or sales revenue transactions). -Allows software vendors (such as ACL Inc.) to produce data extraction programs for given enterprise systems to help facilitate fraud detection and prevention and risk management. -Facilitates testing of the full population of transactions, rather than just a small sample. -Connects/interacts well with XBRL GL Standards (to be introduced in Chapter 10).
water in data center (threat physical IT environment)
-Server room located in the basement -Clogged water drain (vulnerability)
system intrusion (threat IT system)
-Software not patched immediately -Open ports on a main server without router access -Outdated intrusion detection/prevention system (vulnerability)
Proof of authority (how blockchain works)
-The identities of the administrators who create blocks are known and reputable. -The rest of the network can vote to remove an administrator if malicious behavior is found in the network.
blockchain system - differences
-The transactions are done without any middleman involved. -Much faster transaction time (minutes vs days). -Lower service fee.
Logical access control failure (threat IT system)
-Work performed not aligned with business requirements -Poor choice of password -Failure to terminate unused accounts in a timely manner (vulnerability)
Computer Fraud Risk Assessment
-a systematic process that assists management and internal auditors in discovering where and how fraud may occur and who may commit the specific fraud. -a component of a firm's enterprise risk management (ERM) program. -focuses on fraud schemes and scenarios to determine whether the controls exist and how the controls might be circumvented.
Data analytics
-defined as the science of examining raw data, removing excess noise and organizing the data with the purpose of drawing conclusions for decision making. -often involves the technologies, systems, practices, methodologies, databases, and applications used to analyze diverse business data to help organizations make sound and timely business decisions.
Local Networks
-group of computers, printers, and other devices connected to the same network that covers a limited geographic range. -Includes hubs and switches
Information Capital
-investment in information -Ensuring required access to information and the ability to communicate
Criteria 1 ( Cybersecurity Risk Management)
-nature of business and operations, -nature of information at risk, -cybersecurity objectives, -factors significantly affecting inherent cybersecurity risks, -cybersecurity risk governance structure, -cybersecurity risk assessment process, -cybersecurity communications and quality of cybersecurity information, -monitoring of the cybersecurity risk management program, and -cybersecurity control processes.
3 objective internal control (COSO 2013)
-operations: effectiveness and efficiency of a firm's operations -reliability: reliability of reporting -compliance: adherence to applicable laws and regulations
switches
-provide a dedicated path for each pair of communicating devices -a significant improvement over hubs: each device connected via the switch only sees traffic addressed to its own MAC (Media Access Control) address and cannot casually eavesdrop on network traffic intended for other recipients. Caveat: a switch still floods a frame to all ports when it does not yet know the destination MAC address, and its address table can be overflowed (MAC flooding) to force that behavior, so switching reduces but does not eliminate the sniffing risk.
Vulnerability
-the characteristics of IT resources that can be exploited by a threat to cause harm. -as weaknesses or exposures in IT assets or processes that may lead to a business risk, compliance risk, or security risk.
Operating System
-the most important system software - Ensure the integrity of the system. -Control the flow of multiprogramming and tasks of scheduling in the computer. -Allocate computer resources to users and applications. -Manage the interfaces with the computer. -Part of IT governance
A - AMPS
1. Ask the Question •"Your Data Won't Speak Unless You Ask It the Right Questions." •The AMPS model starts with asking questions that can be addressed with data and that lead to better decision making.
5 components COSO 2013
1. Control environment 2. risk assessment 3. control activities 4. Information and communication 5. Monitoring activities
Steps in preparing data
1. Get data 2. Set relationships among tables 3. Select attributes for the visualization 4. Select and modify the visualization
Steps to establish ISMS (ISO 27000)
1. Scope 2. Security Policy 3. Risk Assessment 4. Connotes 5. Risk Treatment; Statement of Applicability 6. ISMS 7. Internal Audits, Monitoring Reviews, Surveillance Audits
Cybersecurity Risk Management Criteria (by AICPA)
1. description of the company's cybersecurity risk management system. 2. an evaluation of the company's cybersecurity controls
AMPS Model
1. Ask the Question 2. Master the data 3. Perform the analysis 4. Share the story
Vulnerability management prerequisites (2)
1.Determine the main objectives of its vulnerability management, as the firm's resource for managing vulnerabilities is limited (in some cases, it could be to comply with applicable laws, regulations, and standards) 2.Assign roles and responsibility for vulnerability management.
steps computer fraud (risk assessment)
1.Identifying relevant IT fraud risk factors. 2.Identifying potential IT fraud schemes and prioritizing them based on likelihood and impact. 3.Mapping existing controls to potential fraud schemes and identifying gaps. 4.Testing operating effectiveness of fraud prevention and detection controls. 5.Assessing the likelihood and business impact of a control failure and/or a fraud incident
OS control objectives
1.Protect itself from users 2.Protect users from each other 3.Protect users from themselves 4.Be protected from itself 5.Be protected from its environment
Data Visualization Process
1. Understand the data 2. Select the data visualization tool (Excel, Tableau, Power BI, others) 3. Develop and present the visualization (create or reinforce knowledge; choose the right chart)
AMPS Model: Perform the Analysis
1.What Happened? - Descriptive Analysis 2.Why Did it Happen? - Diagnostic Analysis 3.Will it Happen in the Future? - Predictive Analysis 4.What Should We Do, Based on What We Expect Will Happen? - Prescriptive Analysis
Key length
Key lengths of 128 bits and longer are considered sufficient to secure data with symmetric-key algorithms such as AES. The figure does not carry over to asymmetric-key algorithms: an RSA key must be much longer (2048 bits or more) to give comparable security, because its strength rests on the difficulty of factoring rather than on brute-forcing the key.
M - AMPS
2. Master the data
P - AMPS
3. Perform the analysis
S - AMPS
4. Share the story
botnet (bot)
A collection of compromised computers ("bots") running software that makes them act automatically on commands from the bot-herder sent over the Internet.
Digital certificate (asymm key factor)
A digital document issued and digitally signed by the private key of a Certificate Authority that binds the name of a subscriber to a public key.
System Availability
A key component of IT service delivery and support is making sure the data is available at all times or, at a minimum, at the moment it is needed.
trojan horse
A non-self-replicating program that has a useful purpose in appearance, but in fact has a different, malicious purpose.
Virus
A self-replicating program that runs and spreads by modifying other programs/files
Worm
A self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself.
Public Key Infrastructure (asymm key factor)
A set of policies, processes, server platforms, software and workstations used for the purpose of administering certificates and public-private key pairs to issue, maintain, and revoke public key certificates.
Certificate Authority (asymm key factor)
A trusted entity that issues and revokes digital certificates.
WLANs (wireless LANs) 2 components
Access point, station
Consensus (how blockchain works)
All parties will be aware of transactions that take place on the network and agree to the transactions being written to the blockchain.
Predictive Analytics
Analysis performed to provide foresight by identifying patterns in historical data. -Ex: What is the chance the company will go bankrupt? What are our expected sales and income next year? Can we predict if the financial statements will be misstated? Will the borrower pay us back the loan we've granted her?
Fraud
Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force.
Asymmetric-key Encryption Key Factors
Certificate Authority (CA), Digital Certificate, Public Key Infrastructure (PKI)
SAS (Statement of Auditing Standards) fraud
Consideration of Fraud in a Financial Statement Audit states that an entity's management has primary responsibility for establishing and monitoring all aspects of the entity's fraud risk-assessment and prevention activities, and has both the responsibility and the means to implement measures to reduce the incidence of fraud.
Learning & Growth Perspective (BS)
Describes the firm's objectives for improvements in tangible and intangible infrastructure
Social engineering (threat Processes of IT Operations)
Employee training not providing information about social engineering attempts
COSO ERM Framework
Expands COSO framework taking a risk-based approach •Internal environment •Objective setting •Event identification •Risk assessment •Risk response •Control activities •Information and communication •Monitoring
COSO Internal Control Framework
For evaluating, reporting, and improving internal control, widely accepted. 1.Internal control is a process consisting of ongoing tasks and activities. It is a means to an end, not an end in itself. 2.Internal control is affected by people. It is not merely about policy manuals, systems and forms. Rather, it is about people at every level of a firm that impact internal control. 3.Internal control can provide reasonable assurance, not absolute assurance, to an entity's management and board. 4.Internal control is geared toward the achievement of objectives in one or more separate but overlapping categories. 5.Internal control is adaptable to the entity structure.
Univariate Data
Histograms show the distribution of a single variable across a range of values, grouped into bins that show the frequency or percentage of values in that bin.
systems integrity
Exists when users can perform the intended functions of a system without being degraded or impaired by unauthorized manipulation.
Top tech issues CPAs
Information security management issue
Main factors of encryption
Key length, key management, encryption algorithm
Time Trends
Line charts are used to show values over time for one or more categories.
Framework Vulnerability Assessment and management
Maintenance, Identification, Assessment, Remediation
Risk Response
Management selects risk responses and develops a set of actions to align risks with the entity's risk tolerances, its risk appetite and cost versus benefit of potential risk responses
social engineering
Manipulating someone to take certain action that may not be in that person's best interest such as revealing confidential information or granting access to physical assets, networks, or information.
storage
Many companies choose to use a cloud platform to lower the cost of data storage.
Benefits WLANs
Mobility, Rapid deployment, flexibility and scalability
2009 - History of block chain
Nakamoto used a distributed ledger system through resource intensive mining to eliminate the need for intermediaries in trustless, online, peer-to-peer digital currency transactions.
COSO Enterprise Risk Management—Integrated Framework
Objectives: -Strategic—high-level goals, aligned with and supporting the firm's mission and vision -Operations—effectiveness and efficiency of operations -Reporting—reliability of internal and external reporting -Compliance—compliance with applicable laws and regulations
Immutability (how blockchain works)
Once transactions are confirmed on the blockchain, they are tamperproof and cannot be altered.
3 main functions internal controls
Preventive controls, Detective controls, Corrective controls
Proportional
Proportion charts, such as pie or doughnut charts, show shares of a total at a single point in time. These charts should be limited to a few slices with clear differences in size.
scatter plot
Scatter plots show correlations between two continuous variables, such as height and weight, or GPA and SAT scores. Scatter plots present detailed data for the two variables; each dot represents a single data point.
Spoofing
Sending a network packet that appears to come from a source other than its actual source.
Spam
Sending unsolicited bulk information
Spyware
Software secretly installed into an information system to gather information on individuals or organizations without their knowledge; a type of malicious code.
key management
Strong policies on key management (how keys are generated, distributed, stored, rotated and revoked) are essential for information security; a strong algorithm with a poorly protected key provides no protection.
Encryption algorithm
Symmetric-key encryption methods;Asymmetric-key encryption methods
Distributed and decentralized (how blockchain works)
The data are distributed and synchronized among all the participants in the network.
Popularization - History of Blockchain
The internal data structure of transactions in the system is packaged in blocks and chained together, thus, this technology eventually became blockchain.
Denial-of-Service (DoS)
The prevention of authorized access to resources (such as servers) or the delaying of time-critical operations.
Virtual Private Networks
VPNs
Categorical Charts
Vertical or horizontal bar charts present categorical information.
Info Security risks and attacks
Virus, worm, trojan horse, spam, botnet (bot), denial-of-service (DoS), Spyware, spoofing, social engineering
opportunity
Opportunity for fraud to be perpetrated.
Uninterruptible power supply
a device using battery power to enable a system to operate long enough to back up critical data and shut down properly during the loss of power.
Encryption
a preventive control providing confidentiality and privacy for data transmission and storage. Main factors of encryption are key length, key management, and encryption algorithm.
Embedded audit module (white-box approach)
a programmed audit module that is added to the system under review.
Station
a wireless endpoint device equipped with a wireless Network Interface Card (NIC)
rationalization
an attitude that enables the individuals committing the fraud to justify their actions to themselves.
Criteria 2 ( Cybersecurity Risk Management)
an evaluation of the company's cybersecurity controls. It provides the trust services criteria and principles for security, availability, processing integrity, confidentiality, and privacy.
information security management
an integrated, systematic approach that coordinates people, policies, standards, processes, and controls used to safeguard critical systems and information from internal and external security threats.
Types of Learning
Machine learning applications are designed to perform either: -Classification -Regression
integrated test facility (white-box approach)
approach is an automated technique that enables test data to be continually evaluated during the normal operation of a system.
Application controls (Computerized environment)
are specific to a subsystem or an application to ensure the validity, completeness and accuracy of the transactions.
Parallel simulation (white-box approach)
attempts to simulate the firm's key features or processes.
Blockchain 2.0 (Ethereum) - History of block chain
blockchain 2.0 emerged as a more robust and sophisticated technology to pull together logic and business rules into contracts represented in code called "smart contracts" through Ethereum.
Generally Accepted Auditing Standards (GAAS; CAATs)
broad guidelines regarding an auditor's professional responsibilities
Hubs
broadcast every received packet out of all ports, so every device connected to the hub sees all of the traffic.
M - Data Accessibility
can we get the needed data to answer the question posed?
Security WLANs and LANs
confidentiality, integrity, availability, access control
Corrective controls
correct and recover from the problems that have been identified (Backup files to recover corrupted data)
Big Data
datasets that are too large and complex for businesses' existing systems to handle using their traditional capabilities to capture, store, manage and analyze these data sets.
preventive controls
deter problems from occurring (Authorization)
hashing process
different from encryption. Hashing is one-way: the digest cannot be reversed to recover the original input, and the same input always produces the same digest. Encrypted messages can be decrypted with the key and become readable again.
detective controls
discover problems that are not prevented (Bank reconciliations and monthly trial balances)
IT general controls (ITGC)
enterprise-level controls over IT + IT control environment + Access controls + Change management controls + Project development and acquisition controls + Computer operations controls
Inherent risk
exists already before plans are made to address it
Input controls:
field checks, size checks, range checks, validity checks, completeness checks, reasonableness checks, check digit verifications, closed-loop verifications
Virtualization (Cloud computing)
Virtualization and cloud computing are good alternatives for backing up data and applications.
Disaster recovery planning (DRP)
identifies significant events that may threaten a firm's operations and outlines the procedures that ensure a smooth resumption of operations if such an event occurs. -most critical corrective controls
Computer-assisted Audit Techniques (CAATs)
imperative tools for auditors to conduct an audit in accordance with heightened auditing standards.
3 conditions for fraud
incentive, opportunity, rationalization
Feed-forward neural networks
information moves in one direction.
IIA standard section (1220.A2)
internal auditors must consider the use of computer-assisted, technology-based audit tools and other data analysis techniques when conducting internal audits.
Message Digest (MD)
is a short, fixed-length code generated through a process called hashing, where the original document passes through an algorithm such as SHA-256 (256-bit digest, i.e. 32 bytes, usually written as 64 hexadecimal characters) or MD5 (128-bit digest, 32 hexadecimal characters). MD5 is obsolete for security purposes because collisions (two different inputs with the same digest) can be produced at will; SHA-256 is the current choice.
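Added example, not code from the original study notes: a toy proof-of-work chain in Go that ties together the message digest entry above and the proof of work, immutability and "packaged in blocks and chained together" entries earlier on the page. It uses SHA-256 from the Go standard library; the block layout, the leading-hex-zero difficulty rule and the sample transactions are constructed for this example and are far simpler than Bitcoin's real format.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Block is a minimal block: a payload, the digest of the previous block and
// the nonce found by proof of work. This layout is an assumption of the
// example, not any real blockchain's block format.
type Block struct {
	Index    int
	Data     string
	PrevHash string
	Nonce    int
	Hash     string
}

// Digest returns the SHA-256 message digest of the block header as 64 hex
// characters (256 bits = 32 bytes). A one-bit change anywhere in the input
// yields an unrelated digest, and the digest cannot be reversed to the input.
func Digest(b Block) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%d|%s|%s|%d", b.Index, b.Data, b.PrevHash, b.Nonce)))
	return hex.EncodeToString(sum[:])
}

// Mine performs proof of work: it tries nonces until the digest starts with
// `difficulty` hex zeros. The expected work grows 16x for every extra zero.
func Mine(b Block, difficulty int) Block {
	target := strings.Repeat("0", difficulty)
	for b.Nonce = 0; ; b.Nonce++ {
		b.Hash = Digest(b)
		if strings.HasPrefix(b.Hash, target) {
			return b
		}
	}
}

// NewChain mines a genesis block and then one block per transaction, each
// linked to its predecessor through PrevHash.
func NewChain(txs []string, difficulty int) []Block {
	genesis := Block{Index: 0, Data: "genesis", PrevHash: strings.Repeat("0", 64)}
	chain := []Block{Mine(genesis, difficulty)}
	for i, tx := range txs {
		prev := chain[len(chain)-1]
		chain = append(chain, Mine(Block{Index: i + 1, Data: tx, PrevHash: prev.Hash}, difficulty))
	}
	return chain
}

// Verify recomputes every digest and checks the proof of work and the link to
// the previous block. It returns the index of the first invalid block, or -1.
func Verify(chain []Block, difficulty int) int {
	target := strings.Repeat("0", difficulty)
	for i, b := range chain {
		if Digest(b) != b.Hash || !strings.HasPrefix(b.Hash, target) {
			return i
		}
		if i > 0 && b.PrevHash != chain[i-1].Hash {
			return i
		}
	}
	return -1
}

// Tamper rewrites the payload of block idx and re-mines that block only, as an
// attacker with limited hashing power would. The next block still carries the
// old digest in PrevHash, so the chain breaks at idx+1: the attacker would have
// to redo the proof of work for every later block as well.
func Tamper(chain []Block, idx int, newData string, difficulty int) []Block {
	forged := make([]Block, len(chain))
	copy(forged, chain)
	b := forged[idx]
	b.Data = newData
	forged[idx] = Mine(b, difficulty)
	return forged
}

func main() {
	const difficulty = 4
	chain := NewChain([]string{"A pays B 10", "B pays C 4", "C pays A 1"}, difficulty)
	for _, b := range chain {
		fmt.Printf("block %d nonce=%-6d hash=%s\n", b.Index, b.Nonce, b.Hash)
	}
	fmt.Println("valid chain, first bad block:", Verify(chain, difficulty))
	forged := Tamper(chain, 1, "A pays B 1000", difficulty)
	fmt.Println("after tampering with block 1, first bad block:", Verify(forged, difficulty))
}
```

Run it and the freshly mined chain reports -1 (no bad block) while the tampered chain fails at block 2, because re-mining block 1 changes its digest but block 2 still references the old one. The code also makes the limit of "tamperproof" visible: re-mining the last block succeeds, since nothing yet references its digest. That is why a transaction is only treated as final after several further blocks (confirmations) have been mined on top of it, and why rewriting history needs more hashing power than the rest of the network.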
M - Data Integrity
is the data accurate, valid and consistent over time?
M - Data Reliability
is the data clean?
M - Data Type
is the data structured? is the data internal? are there privacy concerns with the data?
access point
logically connects stations to a firm's network.
physical controls (control activities)
mainly manual but could involve the physical use of computing technology. + proper authorization of transactions and activities + segregation of duties + project development and acquisition controls + change management controls + design and use of documents and records + safeguarding assets, records, and data + independent checks on performance
risk management
more complex and strategic process, mostly conducted using a top-down, risk-based approach
Continual Service Improvement (ITIL 5 categories)
ongoing improvement of the service and the measurement of process performance required for the service.
General controls (Computerized environment)
pertain to enterprise-wide issues (controls over accessing the network, developing and maintaining applications, etc.)
Processing controls
pre-numbered documents, sequence checks, batch totals, cross-footing balance tests, concurrent update controls
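Added example (not from the original notes): the input controls and processing controls listed in the two entries above, implemented in Go over a constructed batch of sales transactions. The 5-digit customer ID with a Luhn (mod-10) check digit, the credit limits, the 50,000.00 amount ceiling and the sample documents are assumptions made for this example.

```go
package main

import "strconv"

// Txn is one sales transaction as keyed in by a clerk. The field set, the
// limits and the 5-digit customer ID format are assumptions of this example.
type Txn struct {
	DocNo      int    // pre-numbered source document
	CustomerID string // 5 digits, the last one a mod-10 check digit
	Amount     int64  // cents
}

// creditLimit stands in for the customer master file (constructed sample data).
var creditLimit = map[string]int64{"10017": 500000, "10025": 2000000, "10033": 100000}

// luhnOK is the check digit verification (Luhn / mod-10): the last digit is a
// function of the others, so a mistyped or transposed digit fails the check.
func luhnOK(id string) bool {
	sum, double := 0, false
	for i := len(id) - 1; i >= 0; i-- {
		d := int(id[i]) - '0'
		if d < 0 || d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(id) > 1 && sum%10 == 0
}

// InputChecks applies the input controls to one record and returns the
// exceptions found; an empty result means the record may be processed.
func InputChecks(t Txn) []string {
	var ex []string
	if t.DocNo == 0 || t.CustomerID == "" { // completeness check
		return append(ex, "completeness: document number or customer ID missing")
	}
	if _, err := strconv.Atoi(t.CustomerID); err != nil { // field check
		ex = append(ex, "field: customer ID must be numeric")
	}
	if len(t.CustomerID) != 5 { // size check
		ex = append(ex, "size: customer ID must be 5 digits")
	}
	if !luhnOK(t.CustomerID) { // check digit verification
		ex = append(ex, "check digit: customer ID fails mod-10")
	}
	limit, known := creditLimit[t.CustomerID] // validity check: master file lookup
	if !known {
		ex = append(ex, "validity: customer not in master file")
	}
	if t.Amount <= 0 || t.Amount > 5000000 { // range check
		ex = append(ex, "range: amount outside 0.01-50000.00")
	} else if known && t.Amount > limit { // reasonableness check
		ex = append(ex, "reasonableness: amount exceeds customer credit limit")
	}
	return ex
}

// SequenceCheck is a processing control over pre-numbered documents: within
// the batch's range every number must occur exactly once (gaps = lost or
// suppressed documents, duplicates = double processing).
func SequenceCheck(batch []Txn) (missing, duplicate []int) {
	seen := map[int]int{}
	lo, hi := batch[0].DocNo, batch[0].DocNo
	for _, t := range batch {
		seen[t.DocNo]++
		if t.DocNo < lo {
			lo = t.DocNo
		}
		if t.DocNo > hi {
			hi = t.DocNo
		}
	}
	for n := lo; n <= hi; n++ {
		if seen[n] == 0 {
			missing = append(missing, n)
		} else if seen[n] > 1 {
			duplicate = append(duplicate, n)
		}
	}
	return
}

// BatchTotals recomputes the record count, the financial total and a hash
// total (sum of document numbers: meaningless as a figure, but it changes when
// a record is dropped or swapped) for comparison with the control totals
// written down when the batch was keyed in.
func BatchTotals(batch []Txn) (count int, amount int64, hashTotal int) {
	for _, t := range batch {
		amount += t.Amount
		hashTotal += t.DocNo
	}
	return len(batch), amount, hashTotal
}
```

InputChecks runs per record and collects every failed control instead of stopping at the first, so the exception report shows everything wrong with a line. The processing controls work on the whole batch: SequenceCheck flags gaps and duplicates in the pre-numbered documents, and the figures from BatchTotals are compared with the control totals recorded at data entry; a mismatch in the hash total catches a swapped or dropped document even when the record count and the financial total still agree.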
Smart contracts - History of block chain
programmable in Ethereum. This flexibility drew the attention of corporations and government agencies.
Main objective ISO (27000)
provide a model for establishing, implementing, operating, monitoring, maintaining, and improving an Information Security Management System (ISMS) using a "process approach"
IT controls (control activities)
provide assurance for information and help to mitigate risks associated with the use of technology.
incentive
provides a reason to commit fraud
Information Systems Auditing Standards (ISASs)
provides guidelines for conducting an IS/IT audit (issued by ISACA)
Service Transition (ITIL 5 categories)
realizing the requirements of strategy and design, and maintaining capabilities for the ongoing delivery of a service
Business continuity management (BCM)
refers to the activities required to keep a firm running during a period of interruption of normal operations. **DRP is a component of BCM -most critical corrective controls
Velocity
refers to the fact that the data comes in at quick speeds or in real time, such as streaming videos and news feeds.
Volume
refers to the massive amount of data involved.
Veracity
refers to the quality of the data, including its cleanliness (no errors or data integrity issues), reliability and representational faithfulness.
Variety
refers to unstructured and unprocessed data, such as comments in social media, emails, global positioning system (GPS) measurements, etc.
Output controls
required number of copies printed
Classification
seeks to assign labels, dividing the input into output groups, such as: -Yes or No -Spam or Not Spam
Regression
seeks to predict real numbers, such as: -The price of a house -The revenue in next quarter
limiting factors Big Data
storage and processing
Regulatory and social processes (process perspective)
such as financial reporting, accounting, and those that manage environmental, safety and health, employment, and community issues.
Innovation processes (process perspective)
such as identifying opportunities, research and development, product design and development, and product launch.
Operations management processes (process perspective)
such as supply, production, distribution, and risk management.
customer management processes (process perspective)
such as those involved with the selection, acquisition, and retention of customers, and growth of the firm's market.
Vulnerability Management
tactical and short-term effort, frequently conducted using an IT asset-based approach.
processing power
The processing power required to obtain information valuable to the company could be enormous or even impossible to provide.
Recurrent neural networks
the connections between neurons include loops.
Service Design (ITIL 5 categories)
the design and development of IT services and service management processes
Service Operation (ITIL 5 categories)
the effective and efficient delivery and support of services, with a benchmarked approach for event, incident, request fulfillment, problem, and access management.
Bitcoin
the first cryptocurrency
residual risk
the risk that remains after controls have been applied; expressed as the product of inherent risk and control risk.
Service Strategy (ITIL 5 categories)
the strategic planning of IT service management capabilities and the alignment of IT service and business strategies
control risk
the threat that errors or irregularities in the underlying transactions will not be prevented, detected and corrected by the internal control system.
test data technique (white-box approach)
uses a set of input data to validate system integrity.
fault tolerance
using redundant units to provide a system the ability to continue functioning when part of the system fails.
the four Vs
volume, velocity, veracity and variety—are often used to represent the defining features of Big Data.
TechnicalChallenges (Continuous Auditing)
• Access to all relevant data in a timely manner • Accumulating and quantifying the risks and the exposures that have been identified • Defining the appropriate analytic that will effectively identify exceptions to controls • Developing a suitable scoring/weighting mechanism to prioritize exceptions • Balancing the costs and efforts of reviewing large volumes of exceptions against the exposures of the exceptions themselves
Non-technicalBarriers (Continuous Auditing)
• Perceived negative impact of continuous auditing on the firm. • Priority of implementation in determined key areas. • Readiness of the internal audit group to develop and adopt continuous auditing • Unrealistic expectations of the benefits of continuous auditing
Continuous Audit Benefits (most firms)
• can reduce errors and frauds • increase operational effectiveness • better comply with laws and regulations • increase management confidence in control effectiveness and financial information
Wide Area Networks
• link different sites together, transmit information across geographic distances and cover a broad geographic area. Used: -to provide remote access to employees or customers -to link two or more sites within the firm -to provide corporate access to the Internet. Components: routers and firewalls
Continuous Audit Benefits (Allows internal and external auditors)
• monitor transaction data in a timely manner • better understand critical control points, rules, and exceptions • perform control and risk assessments in real time or near real time • notify management of control deficiencies in a timely manner • reduce efforts on routine testing while focus on more valuable investigation activities
Balanced Scorecard Problem
•40% of financial executives say their company's IT investments are proving little or no ROI •A formal, structured approach that links IT investments to business performance can avoid problems •The balanced scorecard is a widely-used tool that can help companies link their IT investments to strategic performance
Continuous Audit
•A continuous audit is performing audit-related activities on a continuous basis. •Testing in continuous audits often consists of continuous controls monitoring and continuous data assurance. •Technology plays a key role in analyzing trends and patterns of transactions, identifying exceptions and anomalies, and testing controls.
Cryptocurrency Applications
•A cryptocurrency that eliminates the ability to double spend. •Anonymous peer-to-peer transactions, no middleman involved. •Public blockchain -anyone can join or leave at any time. •Validation through proof of work and rewards as an economic incentive via a resource intensive computation called mining. •Immutable history of transactions. •Distributed ledger. •One block is added to the blockchain approximately every 10 minutes. •The First-Mover - the first blockchain application in production.
ITIL (control framework)
•A de facto standard in Europe for the best practices in IT infrastructure management and service delivery. •value proposition centers on providing IT service with an understanding of the business objectives and priorities, and the role that IT services have in achieving the objectives. •adopts a lifecycle approach to IT services, and organizes IT service management into five high-level categories. •Information Technology Infrastructure Library
(3) Control Activities
•A firm must establish control policies, procedures, and practices that ensure the firm's objectives are achieved and risk mitigation strategies are carried out. •Occur throughout a firm at all levels and in all functions.
Strategy Maps
•A one-page representation of the firm's strategic priorities •Shows the cause-and-effect linkages among strategic priorities •Allows organizations to assess and prioritize gaps between current and desired performance levels
Corporate governance
•A set of processes and policies in managing an organization with sound ethics, internal and external control mechanisms to safeguard the interests of its stakeholders. •Promotes accountability, fairness, and transparency in the organization's relationship with its stakeholders.
Balanced Scorecard
•A strategic planning and management system •Used extensively in business and industry, government, and nonprofit organizations worldwide •Aligns business activities to the vision and strategy of the organization •Improves internal and external communications •Monitors organization performance against strategic goals
Impact of Data Analytics -Business
•A study from McKinsey Global Institute estimates that Big Data could generate up to $3 trillion in value per year in just a subset of industries impacted. •In addition to producing more value externally, studies show that data analytics affects internal processes, improving productivity, utilization, and growth.
Management responsibility
•According to SOX, the establishment and maintenance of internal controls is management's responsibility.
black-box approach
•Auditing around the computer •First calculating expected results from the transactions entered into the system •Then comparing these calculations to the processing or output results •The advantage of this approach is that the systems will not be interrupted for auditing purposes. It could be adequate when automated systems applications are relatively simple.
white-box approach
•Auditing through the Computer •The white-box approach requires auditors to understand the internal logic of the system/application being tested. •The auditing through the computer approach embraces a variety of techniques: test data technique, parallel simulation, integrated test facility (ITF), and embedded audit module.
Extract, Transform, and Load
•Before data can be analyzed and be useful, it must be scrubbed of extraneous data and noise. •Reformatting, cleansing, and consolidating large volumes of data from multiple sources and platforms can be especially time consuming. Data analytics professionals estimate that they spend between 50 percent and 90 percent of their time cleaning data for analysis. •The cost to scrub the data includes the salaries of the data analytics scientists and the cost of the technology to prepare and analyze the data. As with other information, there is a cost to produce these data.
Encryption and Authentication
•Both the sender and receiver use an asymmetric-key encryption method to authenticate each other. •Either the sender (or the receiver) generates a symmetric key (called a session key because it is valid for a certain timeframe only) to be used by both parties. •Use the asymmetric-key encryption method to distribute the session key. (For example, the sender uses the receiver's public key to encrypt the session key and sends it to the receiver. The receiver uses his/her own private key to decrypt it to get the session key.) •After both parties have the session key, use the session key to transmit confidential data/information. This is because using a symmetric key for encryption is faster in data transmission.
Cognitive Technologies
•Cognitive technologies employ self-learning algorithms that allow computers to examine connections and notice patterns without human intervention •Examples: -Machine learning -Neural networks -Robotic process automation (RPA) -Bots -Natural language processing
Financial Perspective
•Confirms the success of the firm's investments and its ability to deliver value to customers •Overall objective is shareholder value (for-profit companies) •Other objectives usually related to: -Long-term growth -Productivity
Using TABLEAU for data analysis
•Connect to the data •Review the data and join the tables •Prepare visualizations in worksheets •Use Show Me to find appropriate options •Use tools to modify the visualization •Combine multiple visualizations in a Dashboard
COBIT (control framework)
•Control Objectives for Information & related Technology •For the governance and management of enterprise IT •generally accepted framework for IT governance and management •Defines the scope and ownership of IT process and control •Is consistent with accepted IT good practices and standards •Provides a common language with a set of terms and definitions that are generally understandable by all stakeholders •Meets regulatory requirements by being consistent with generally accepted corporate governance standards (e.g., COSO) and IT controls expected by regulators and auditors.
key criteria business requirements for info
•Effectiveness -relevant and timely •Efficiency -produced economically •Confidentiality -protection of sensitive information •Integrity -valid, accurate and complete •Availability -available when needed •Compliance -complying with the laws and regulations •Reliability -reliable for daily decision making
Usefulness Blockchain
•Enable multiple parties that do not fully trust each other to collaborate with a shared source of truth. •Accelerate transaction settlement and verification by eliminating intermediaries. •Help cut costs and resources that would be spent on manual verification (help auditors collecting and evaluating evidence to support transactions).
Public Company Accounting Oversight Board (PCAOB)
•Established under SOX to provide independent oversight of public accounting firms. •PCAOB Auditing Standard No. 5 (AS 5) encourages auditors to use a risk-based, top-down approach to identify the key controls •analyzing control at financial statement level and focus on entity-level control
Why code of Ethics?
•Ethical behavior prompted by a code of ethics can be considered a form of INTERNAL CONTROL. •Employees with different cultural backgrounds are likely to have different values → a code of ethics promotes ethical behavior within a group -Ex: AICPA, ISACA, IIA, IMA
Using excel for data analysis
•Examine the data and determine how the tables connect •Insert tables for data in each worksheet -Rename the tables -Adjust the format as desired •Set the relationships between tables -Data > Relationships -Link the table with the foreign key to the table with the primary key •Summarize with a PivotTable -Format fields appropriately -Change names where desired -Add slicers as filters -Chart the results in a PivotChart
Implementation of Continuous Auditing
•Extensible Markup Language (XML) •Extensible Business Reporting Language (XBRL) •Database management systems •Transaction logging and query tools •Data warehouses •Data mining or computer-assisted audit techniques (CAATs)
Symmetric-key encryption
•Fast •Suitable for large data sets •Key distribution and key management are problematic +Difficult to distribute the key in a secure way +Managing one key per pair of parties is not cost effective
Generalized Audit Software (GAS)
•Frequently used to perform substantive tests and is used for testing of controls through transactional-data analysis. •Directly read and access data from various database platforms •Provides auditors an independent means to gain access to data for analysis and the ability to use high-level, problem-solving software to invoke functions to be performed on data files. -Audit Control Language (ACL) -Interactive Data Extraction and Analysis (IDEA)
Risk Assessment
•Given AS 5, is also a first step in developing an audit plan to meet the mandate of SOX Section 404. •Types of risk: Inherent risk, control risk, residual risk
exposures
•Given an identified possible fraud, management's estimates of the potential loss from the fraud
(2) Risk Assessment
•Identifying and analyzing a firm's risks from external and internal environments. •Allows a firm to understand the extent to which potential events might affect corporate objectives. •Risk is assessed from two perspectives: -Likelihood: probability that the event will occur -Impact: estimate of the potential loss if the event occurs
Event Identification
•Identifying incidents both external and internal to the organization that could affect the achievement of the organization's objectives •Must distinguish between risks and opportunities •Opportunities are channeled back to strategy or objective-setting processes, and identified risks should be forwarded to the next stage
Impact of Data Analytics -Accounting
•In financial accounting, data analytics may be used to scan the environment—that is, by scanning social media to identify potential risks and opportunities to the firm. •Data analytics plays a very critical role in the future of audit. •Data analytics also expands auditors' capabilities in services such as testing for fraudulent transactions and automating compliance-monitoring activities (e.g., filing financial reports with the SEC or IRS).
IT application controls (control activities)
•Input controls: field checks, size checks, range checks, validity checks, completeness checks, reasonableness checks, check digit verifications, closed-loop verifications •Processing controls: pre-numbered documents, sequence checks, batch totals, cross-footing balance tests, concurrent update controls •Output controls: required number of copies printed
Artificial Intelligence
•Intelligence exhibited by machines rather than humans. •The ability of computers to perform tasks associated with human intelligence, such as: -thinking logically, acting rationally, visual perception, speech recognition, language translation •Also called cognitive technologies. •AI can create up to $5.8 trillion in annual value across all business sectors.
(1) Control Environment
•Management's philosophy and operating style •Commitment to integrity, ethical values, and competence •Internal control oversight by the Board of Directors •Organizational structure •Methods of assigning authority and responsibility •Human resource standards
Control Concepts
•Processes implemented to provide assurance that the following objectives are achieved: -Safeguard assets -Maintain sufficient records -Provide accurate and reliable information -Prepare financial reports according to established criteria -Promote and improve operational efficiency -Encourage adherence with management policies -Comply with laws and regulations
Asymmetric-key Encryption
•Slow •Not suitable for large data sets •Key distribution and key management problems are solved +The public key is widely distributed while the private key is kept secret +Used to transmit confidential information (e.g., a session key)
(4) Information and Communication
•Supports all other control components by communicating effectively -To ensure information flows within the firm: •Down •Across •Up -To interact with external parties and inform them about related policy positions: •customers •suppliers •regulators •shareholders
Traditional system (vs. blockchain)
•System is centralized. •Requires a middleman to approve and record transactions. •Only one copy of the ledger
Blockchain system
•System is decentralized, distributed ledger •No middleman needed, multiple copies •When a new transaction occurs, all nodes are in sync. •Information cannot be added or deleted without the knowledge of the entire network. •A write-once, read-many system.
Using CAATs
•Test of details of transactions and balances •Analytical review procedures •Compliance tests of IT general and application controls •Operating system and network vulnerability assessments •Application security testing and source code security scans •Penetration testing
(5) Monitoring Activities
•The design and effectiveness of internal controls should be monitored by management on an ongoing basis. •Findings should be evaluated and deficiencies must be communicated in a timely manner. •Necessary modifications should be made to improve the business process and the internal control system.
Data Visualization
•The process of presenting information graphically •One way of sharing the story and turning data into information •Presenting relevant information to decision makers
common computer fraud (GTAG)
•The theft, misuse, or misappropriation of assets by altering computer-readable records and files. •The theft, misuse, or misappropriation of assets by altering the logic of computer software. •The theft or illegal use of computer-readable information. •The theft, corruption, illegal copying, or intentional destruction of computer software. •The theft, misuse, or misappropriation of computer hardware.
Customer Perspective
•The value proposition differentiates from the competition -Product attributes -Service attributes -Brand image •Creates customer satisfaction, retention, and new customer acquisition
creating digital signature
•To create it, the document creator must use his/her own private key to encrypt the MD, so it also authenticates the document creator.
digital signature
•A message digest (MD) of a document (or data file) that is encrypted using the document creator's private key. •To create it we need to use both a hashing and an encryption process. •Can ensure data integrity and prevent repudiation of transactions •To create it, the document creator must use his/her own private key to encrypt the MD, so it also authenticates the document creator.
Audit Data Standards (ADS)
•A set of standards for data files and fields typically needed to support an external audit in a given financial business process area. •If both the provider and the user (e.g., a company and its external auditor) of the data followed the same standards, the cost of cleaning and formatting the data could be alleviated
ISO (control framework)
•Designed to address information security issues. •In particular, ISO 27001 and ISO 27002 have become the most recognized and generally accepted sets of information security frameworks and guidelines.
2 types of encryption schemes
•Encode plain text into a non-readable form, or ciphertext 1. Symmetric-key encryption methods 2. Asymmetric-key encryption methods
Cost and benefit analysis (risk assessment)
•Important in determining whether to implement an internal control. -Internal control benefits > costs: IMPLEMENT
Authentication
•Process that establishes the origin of information or determines the identity of a user, process, or device. •It is critical in e-business because it can prevent repudiation while conducting transactions online.
fraud detection
•Program should include an evaluation by internal auditors on the effectiveness of business processes, along with an analysis of transaction-level data to obtain evidence on the effectiveness of internal controls and to identify indicators of fraud risk or actual fraudulent activities. •An effective approach is to have a continuous monitoring system with embedded modules to create detailed logs for transaction-level testing.
fraud prevention
•Program starts with a fraud risk assessment across the entire firm, performed by management, taking into consideration the firm's critical business divisions, processes, and accounts. •The audit committee typically has an oversight role in this process, often working with the internal audit group and external auditors. •Making employees aware of their obligations concerning fraud and misconduct begins with practical communication and training.
Sarbanes Oxley Act of 2002
•Requires public companies registered with the SEC and their auditors to annually assess and report on the design and effectiveness of internal control over financial reporting.
Objective Setting
•Set at the strategic level, establishing a basis for operations, reporting and compliance -Objectives support and align with the firm's mission and are consistent with its risk appetite.
IT governance
•Subset of corporate governance that includes issues regarding IT management and security. •Responsibility of management, to ensure that the firm's IT sustains and extends its business objectives •COBIT supports IT governance and management by providing a framework to ensure that IT is aligned with the business, IT enables the business and maximizes firm value, IT resources are used responsibly, and IT risks are managed appropriately.
Artificial neural networks
•The engines of machine learning. -Mathematical models that convert inputs to outputs/predictions; they can be nested together -A cleaned and well-defined training data set is used to optimize predictions. -The trained model is then applied to test data or real-world data.
focus of information security (AICPA)
•The primary focus is the balanced protection of the confidentiality, integrity, and availability of data while maintaining efficient policy implementation and without disrupting organizational productivity. -confidentiality -integrity -availability
Machine Learning
•A type of AI; Deep Learning is a type of Machine Learning. •Involves the computer's ability to learn from experience rather than from specific instructions. AI --> ML --> deep learning