2. Internal Controls
Types of Controls
-Access controls
-Application controls
-Electronic access controls
-General controls
-Input controls
-Physical access controls
-Processing controls
Types of Risks
-Financial risk
-Information risk
-Operating risk
-Strategic risk
Flowchart
A chart that depicts some aspect of a system. May be a system flowchart or a program flowchart.
Batch Total
A total, taken over all transactions in a batch, of a field that would normally be added, such as dollar amounts. Recomputed after processing to detect a record that was lost, duplicated, or altered.
Hash Total
A total, taken over all transactions in a batch, of a field that would not normally be added, such as a total of employee numbers. The sum has no business meaning; it is kept only so that a dropped or miskeyed record shows up as a mismatch when the total is recomputed.
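The following is an added example, not code from the page, showing how a record count, a batch total and a hash total are captured when a batch is submitted and reconciled after processing. The payroll batch, its employee numbers and amounts are constructed for illustration; the field names are assumptions.

```python
"""Batch control totals over a constructed payroll batch (added example)."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class PayrollTxn:
    employee_no: int    # not meaningful to add: the hash-total field
    gross_pay: Decimal  # normally added: the batch-total field


def control_totals(batch):
    """Return (record count, batch total, hash total) for a list of PayrollTxn."""
    return (
        len(batch),
        sum((t.gross_pay for t in batch), Decimal("0")),
        sum(t.employee_no for t in batch),
    )


def reconcile(expected, batch):
    """Compare the totals recorded at input time with totals recomputed after
    processing. Returns the names of the totals that disagree; an empty list
    means the batch reconciles."""
    names = ("record count", "batch total", "hash total")
    actual = control_totals(batch)
    return [name for name, e, a in zip(names, expected, actual) if e != a]


# Constructed sample batch as submitted by the originating department.
SUBMITTED = [
    PayrollTxn(1042, Decimal("2500.00")),
    PayrollTxn(1077, Decimal("3100.50")),
    PayrollTxn(1103, Decimal("1875.25")),
]
# Totals written on the batch control sheet: 3 records, 7475.75, 3222.
EXPECTED = control_totals(SUBMITTED)

# Constructed failure cases seen after processing.
DROPPED = SUBMITTED[:2]                       # last record lost in transit
MISKEYED = [SUBMITTED[0],                     # 1077 keyed as 1707: only the
            PayrollTxn(1707, Decimal("3100.50")),  # hash total catches this
            SUBMITTED[2]]
SWAPPED = [PayrollTxn(1042, Decimal("3100.50")),   # amounts swapped between
           PayrollTxn(1077, Decimal("2500.00")),   # two employees: no total
           SUBMITTED[2]]                           # changes, a known blind spot


def run_cases():
    """Map each case to the list of totals that fail to reconcile."""
    return {
        "submitted": reconcile(EXPECTED, SUBMITTED),
        "dropped": reconcile(EXPECTED, DROPPED),
        "miskeyed": reconcile(EXPECTED, MISKEYED),
        "swapped": reconcile(EXPECTED, SWAPPED),
    }


if __name__ == "__main__":
    for case, failures in run_cases().items():
        print(f"{case:10s} -> {failures or 'reconciles'}")
```

The swapped case is the caveat worth remembering: batch and hash totals detect records that go missing or are changed in one field, but not two amounts exchanged between records, which is why they are paired with record-level checks such as validity checks and check digits.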
Validity Check
A validation step performed on a data element to ensure that it is in a valid code table, such as product numbers, or that the data is within an appropriate range or that the data is otherwise valid in combination with other data elements.
Threat
Any potential event that endangers an asset or capability; in this context, one linked to hostile intent.
Biometrics
Authentication techniques that rely on measurable physical characteristics that can be automatically checked.
Backup
Off-site facilities kept for disaster recovery; classified as a cold site or a hot site (defined below).
General Controls
Controls over data center operations, system software acquisition and maintenance, access security, and application system development and maintenance.
Application Controls
Controls that apply to the processing of individual transactions and are built into the application itself.
Access Controls
Controls that limit access to program documentation, data files, programs, and computer hardware to those who require it in the performance of their job responsibilities. Include physical access controls and electronic access controls.
Segregation of Duties
Dividing responsibilities for different portions of a transaction (authorization, recording, and custody) among several different people/departments. In an IT environment, normally revolves around granting and/or restricting access to production programs and data.
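An added example, not from the page, of how segregation of duties is checked in an IT environment: each role is mapped to the duties it confers, and a user whose combined roles cover an incompatible pair (authorization and recording, authorization and custody, recording and custody, or developing a program and moving it into production) is reported. The roles, users and conflict pairs are constructed for illustration.

```python
"""Segregation-of-duties conflict check over role assignments (added example)."""

# Constructed conflict matrix: pairs of duties one person must not hold together.
CONFLICTS = {
    frozenset({"authorize", "record"}),
    frozenset({"authorize", "custody"}),
    frozenset({"record", "custody"}),
    frozenset({"develop_program", "migrate_to_production"}),
}

# Constructed mapping of roles to the duties they grant.
ROLE_DUTIES = {
    "ap_clerk": {"record"},
    "ap_manager": {"authorize"},
    "treasury": {"custody"},
    "developer": {"develop_program"},
    "change_manager": {"migrate_to_production"},
    "read_only_auditor": set(),
}

# Constructed user-to-role assignments as pulled from an access review.
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_manager", "treasury"},          # authorize + custody
    "carol": {"developer", "change_manager"},   # can move own code to production
    "dave": {"read_only_auditor"},
    "erin": {"ap_clerk", "ap_manager", "treasury"},  # all three conflicts
}


def duties_for(roles, role_duties=ROLE_DUTIES):
    """Union of the duties conferred by a set of roles."""
    duties = set()
    for role in roles:
        duties |= role_duties[role]
    return duties


def sod_violations(user_roles, role_duties=ROLE_DUTIES, conflicts=CONFLICTS):
    """Return {user: [sorted conflicting duty pairs]} for users with a conflict."""
    findings = {}
    for user, roles in user_roles.items():
        held = duties_for(roles, role_duties)
        hits = sorted(tuple(sorted(pair)) for pair in conflicts if pair <= held)
        if hits:
            findings[user] = hits
    return findings


if __name__ == "__main__":
    for user, hits in sod_violations(USER_ROLES).items():
        print(user, hits)
```

Because the check works on duties rather than role names, adding a new role only requires extending ROLE_DUTIES; the conflict matrix itself stays small and reviewable.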
Physical Access Controls
Encompass the physical security of IT assets, including access to facilities and access to programs and data.
Check Digit
A digit computed from the other digits of an identifier (such as an account or product number) and appended to it. Every program that later accepts the number repeats the same computation and rejects the input if the recomputed digit does not match, which catches most transcription and transposition errors.
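An added example, not from the page, covering both the validity check defined above and the check digit: an order line is validated against a code table, a numeric range, a combination rule, and a check digit on the product number. The mod-10 (Luhn) scheme is an assumption; the page names no particular algorithm. The code table, field names and sample lines are constructed for illustration.

```python
"""Programmed input validation with a check digit (added example)."""


def luhn_check_digit(payload):
    """Compute the mod-10 (Luhn) check digit for a string of digits.
    Starting from the rightmost payload digit, every second digit is doubled
    (subtracting 9 if the result exceeds 9) before the digits are summed."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    """True if the last digit of `number` is the correct check digit for the rest."""
    return (number.isdigit() and len(number) > 1
            and luhn_check_digit(number[:-1]) == number[-1])


# Constructed code table of product numbers; each ends in its Luhn check digit.
VALID_PRODUCTS = {"10017", "10025", "10033"}


def validate_order_line(line):
    """Return a list of validation failures for one order line (empty = valid)."""
    errors = []
    product_no = line.get("product_no", "")
    # Check digit first: it rejects transcription errors before the table lookup.
    if not luhn_valid(product_no):
        errors.append("product_no: check digit failure")
    elif product_no not in VALID_PRODUCTS:
        errors.append("product_no: not in product code table")
    # Range check on a numeric field.
    qty = line.get("quantity")
    if not isinstance(qty, int) or not 1 <= qty <= 999:
        errors.append("quantity: out of range 1-999")
    # Combination check: a discount is only valid together with a wholesale customer.
    if line.get("discount_pct", 0) > 0 and line.get("customer_type") != "wholesale":
        errors.append("discount_pct: only valid with customer_type wholesale")
    return errors


# Constructed sample input.
GOOD = {"product_no": "10025", "quantity": 12, "customer_type": "wholesale", "discount_pct": 5}
TRANSPOSED = {"product_no": "10071", "quantity": 12, "customer_type": "retail", "discount_pct": 0}
NOT_IN_TABLE = {"product_no": "10041", "quantity": 3, "customer_type": "retail", "discount_pct": 0}
BAD_COMBO = {"product_no": "10017", "quantity": 1000, "customer_type": "retail", "discount_pct": 10}

if __name__ == "__main__":
    for name, line in [("good", GOOD), ("transposed", TRANSPOSED),
                       ("not in table", NOT_IN_TABLE), ("bad combo", BAD_COMBO)]:
        print(name, validate_order_line(line) or "valid")
```

Note that 10041 carries a correct check digit yet is still rejected: the check digit only proves the number was transcribed correctly, not that it exists, so it complements rather than replaces the code-table lookup.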
Vulnerability
For business information systems, a characteristic of a design, implementation, or operation that renders the system susceptible to a threat.
Backup - Cold Site
For disaster recovery - an off-site location that has all the electronic connections and other physical requirements for data processing, but does not have the actual equipment. Usually requires a few days to become operational. Normally relies on general-purpose hardware that can be readily and quickly obtained from hardware vendors.
Backup - Hot Site
For disaster recovery - an off-site location that is "completely" equipped to "immediately" take over the company's data processing. Backup copies of essential files and programs may also be maintained at the location or at a nearby storage facility. Personnel still need to travel to the facility to load the backup data onto the standby equipment.
Electronic Access Controls
Non-physical controls over access to data and application programs such as user identification codes, assignment and maintenance of security levels, file attributes, firewalls, etc.
Processing controls
Programmed controls that verify that all transactions are processed correctly and completely, including during file maintenance (updates to master files).
Input Controls
Programmed controls that verify that transaction data is valid, complete, and accurate.
Strategic Risk
Risk of choosing inappropriate technology.
Operating Risk
Risk of doing the right things in the wrong way.
Financial Risk
Risk of having financial resources lost, wasted, or stolen.
Information Risk
Risk of loss of data integrity, incomplete transactions, or unauthorized access by hackers. For example, if a networked system connected to the internet has no firewall, hackers could enter the system and corrupt or destroy data.
Audit Software
Software used for audit purposes, such as a generalized audit software package.