ACCT 4540 - AIS Final Exam
Control Activities (5 Components - COSO 2013):
- A firm must establish control policies, procedures, and practices that ensure the firm's objectives are achieved, and risk mitigation strategies are carried out.
Characteristics of Blockchain
- Decentralized system with distributed ledger - No middleman - All nodes in sync when new transaction - Info cannot be changed/added/deleted without knowledge of the entire network
Key Components of Blockchain
- Distributed and Decentralized - Consensus - Immutability
COBIT - Key Requirements for Information
- Effectiveness - Efficiency - Confidentiality - Integrity - Availability - Compliance - Reliability
When to Use Blockchain
- Enable multiple parties who don't trust each-other to collaborate - Accelerate transaction settlement and verification - Cut costs and resources that would be spent on manual verification
Bitcoin
- First cryptocurrency - Anonymous peer-to-peer transactions - Public blockchain - One block added to blockchain about every 10 minutes.
Risk Assessment (5 Components - COSO 2013):
- Identifying and Analyzing a firm's risks from external and internal environments. - Understand the extent to which potential events might affect corporate objectives.
Examples of Cognitive Technologies
- Machine Learning - Neural Networks - Robotic Process Automation (RPA) - Bots - Natural Language Processing
Control Environment (5 Components - COSO 2013):
- Management's philosophy, operating style - Internal control oversight by Board of Directors - Commitment to integrity, ethical values, and competence
How Does Blockchain Work?
- Proof of Work - Proof of Authority - Proof of Stake
Benefits of ADS
- Reduce time/effort involved in accessing data - Works well with XBRL GL Standards - Facilitates testing of the full population of transactions, rather than just a small sample. - Allow software vendors to produce data extraction programs for given enterprise systems to help facilitate fraud detection/prevention.
Information and Communication (5 Components - COSO 2013):
- Supports all other control components by communicating effectively. - Ensure proper information flow within firm.
Monitoring Activities (5 Components - COSO 2013):
- The design and effectiveness of internal controls should be monitored by management on an ongoing basis. - Findings should be evaluated and deficiencies must be communicated in a timely manner.
AI Tasks
- Thinking logically - Acting rationally - Visual perception - Speech recognition - Language translation
Advantages of Blockchain
- Transactions done without middleman - Much faster transaction time (minutes vs days) - Lower service fee.
AMPS Model
1. Ask the Question 2. Master the Data 3. Perform the Analysis 4. Share the Story
5 Components of Internal Control (COSO 2013):
1. Control Environment 2. Risk Assessment 3. Control Activities 4. Information and Communication 5. Monitoring Activities
Computerized Environment Controls
1. General Controls 2. Application Controls
Preparing the Visualization Steps
1. Get Data 2. Set Relationships Among Tables 3. Select Attributes for the Visualization 4. Select and Modify the Visualization
An effective Internal Control should consist of 3 Objectives (COSO 2013):
1. Operations: effectiveness and efficiency of a firm's operations 2. Reporting: reliability of reporting 3. Compliance: adherence to applicable laws/regulations
3 Main Functions of Internal Control
1. Preventative Controls 2. Detective Controls 3. Corrective Controls
COSO ERM - Integrated Framework - 4 Objectives:
1. Strategic: high-level goals, aligned with and supporting the firm's mission and vision. 2. Operations: effectiveness and efficiency of operations. 3. Reporting: reliability of internal and external reporting. 4. Compliance: compliance with applicable laws/regulations.
Data Visualization Process
1. Understand the Data 2. Select the Data Visualization Tool (excel, tableau, power BI, etc.) 3. Develop and Present the Visualization
Extract, Transform, and Load (ETL)
A common strategy for drawing information from multiple sources by extracting data from its home database, transforming and cleansing it to adhere to common data definitions, and then loading it into the data warehouse.
Corporate Governance
A set of processes and policies in managing an organization with sound ethics, internal and external control mechanisms to safeguard the interests of its stakeholders. Promote accountability, fairness, and transparency.
AI vs Machine Learning vs Deep Learning
AI -> ML -> DL - Machine Learning is a type of AI. - Deep Learning is a type of Machine Learning.
Consensus (Key Component of Blockchain)
All parties will be aware of transactions that take place on the network and agree to the transactions being written to the blockchain.
Information Security Management (AICPA)
An integrated, systematic approach that coordinates people, policies, standards, processes, and controls used to safeguard critical systems and information from internal and external security threats.
Descriptive Analysis
Analysis performed that characterizes, summarizes and organizes past performance.
Diagnostic Analysis
Analysis performed to investigate the underlying cause of a phenomenon.
Predictive Analysis
Analysis performed to provide foresight by identifying patterns in historical data.
Prescriptive Analysis
Analysis performed which identifies the best possible options given constraints or changing conditions.
AMPS: Ask the Question
Ask questions that can be addressed with data and that lead to better decision making.
Share Risks (COSO ERM - Risk Response)
Buy insurance, outsource, or hedge
Botnet (Bot) (Information Security Risk)
Collection of software robots that overruns computers to act automatically in response to the bot-herder's control through internet.
ITIL
Control framework for IT service management. Information Technology Infrastructure Library
COSO Internal Control Framework
Control framework for evaluating, reporting, and improving internal controls — widely accepted.
COBIT
Control framework for the governance and management of enterprise IT. Control Objective for Information & Related Technology
ISO
Control framework that addresses information security issues. International Organization for Standardization 27000 Series
COSO ERM Framework
Control framework that expands on the COSO Internal Control Framework taking a risk-based approach to internal control.
Application Controls
Controls that are specific to a subsystem or an application to ensure the validity, completeness, and accuracy of transactions.
Corrective Controls
Controls that correct and recover from the problems that have been identified (backup files to recover corrupted data)
Preventative Controls
Controls that deter problems from occurring (authorization)
Detective Controls
Controls that discover problems that are not prevented (bank recons and monthly trial balances)
General Controls
Controls that pertain to enterprise-wide issues (controls over accessing the network, developing and maintaining applications, etc.)
Risk Assessment (COSO ERM)
Cost and benefit analysis is important in determining whether to implement an internal control.
AMPS: Master the Data
Data Accessibility: can we get the needed data to answer the question posed? Data Reliability: is the data clean? Data Integrity: is the data accurate, valid and consistent over time? Data Type: is the data structured? is the data internal? are there privacy concerns with the data?
Velocity (Four Vs)
Data comes in at quick speeds or in real time, such as streaming and news feeds.
Big Data
Datasets that are too large/complex for existing business systems to handle using their traditional capabilities to capture, store, manage, and analyze these data sets.
Avoid Risks (COSO ERM - Risk Response)
Do not engage in the activity
Accept Risks (COSO ERM - Risk Response)
Do nothing, accept likelihood and impact of risk
Cognitive Technologies
Employ self-learning algorithms that allow computers to examine connections and notice patterns without human intervention.
Artificial Neural Networks
Engines of machine learning.
Inherent Risk (COSO ERM - Risk Assessment)
Exists already before plans are made to address it
Event Identification (COSO ERM)
Identifying incidents both external and internal to the organization that could affect the achievement of the organizations objectives. Opportunities channeled back to strategy or objective-setting process, identified risks should be forwarded to next stage.
Reduce Risks (COSO ERM - Risk Response)
Implement effective internal control
Availability (AICPA - Info Security Management)
Information and systems are accessible on demand.
Integrity (AICPA - Info Security Management)
Information is accurate and complete.
Confidentiality (AICPA - Info Security Management)
Information is not accessible to unauthorized individuals or processes.
Artificial Intelligence (AI)
Intelligence exhibited by machines rather than humans. Also called Cognitive Technologies.
Machine Learning
Involved the computer's ability to learn from experience rather than from specific instructions.
Physical Controls (COSO ERM - Control Activities)
Mainly manual but could involve the physical use of computing technology.
Risk Response (COSO ERM)
Management selects risk responses and develops a set of actions to align risks with the entity's risk tolerances, its risk appetite, and cost versus benefit of potential risk responses.
Social Engineering (Information Security Risk)
Manipulating people to take certain action such as revealing confidential information, or granting access to physical assets, networks, or information.
Storage (Limiting Factor)
Many companies choose to use a cloud platform to lower the cost of data storage.
Volume (Four Vs)
Massive amount of data involved.
Neural Network
Mathematical models that convert inputs into outputs/predictions, can be nested together.
Types of Learning
Most machine learning applications are designed to perform either: classification or regression
Feed-Forward Neural Netorks
Neural network where information moves in one direction.
Recurrent Neural Networks
Neural network where the connections between neurons include loops.
Trojan Horse (Information Security Risk)
Non-self replicating program that has a useful purpose in appearance, but in fact has a different, malicious purpose.
Objective Setting (COSO ERM)
Objectives are set at the strategic level, establishing a basis for operations, reporting, and compliance.
Immutability (Key Component of Blockchain)
Once transactions are confirmed on the blockchain, they are tamperproof and cannot be altered.
Denial-of-Service (Dos) (Information Security Risk)
Prevention of authorized access to resources or delaying of time-critical operations.
Data Visualization
Process of presenting information graphically (one way of sharing the story and turning data into information)
Processing Power (Limiting Factor)
Processing power required to obtain information valuable to the company could be enormous or even impossible.
IT Controls (COSO ERM - Control Activities)
Provide assurance for information and help to mitigate risks associated with the use of technology.
Proportional Data
Purpose: Comparison of parts to a whole Charts: Pie charts, doughnut charts, treemaps
Time Trends Data
Purpose: Comparisons over time Charts: Line Charts
Univariate Data
Purpose: Frequencies, range of values, most likely values. Charts: Histograms
Multivariate Relationships Data
Purpose: Relationships, correlations Charts: Scatter Plots
Categorical Data
Purpose: comparisons of performance metrics Charts: Vertical bar, horizontal bar, treemaps, bubble charts.
Veracity (Four Vs)
Quality of data including extent of cleanliness (without errors/integrity issues), reliability, and faithfully represented.
Sarbanes-Oxley Act of 2002 (SOX)
Requires public companies registered with the SEC and their auditors to annually assess and report on the design and effectiveness of internal control over financial reporting. Established the PCAOB.
Data Analytics
Science of examining raw data, removing excess noise, and organizing the data with the purpose of drawing conclusions for decision making.
Classification (ML)
Seeks to assign labels, dividing the input into output groups such as: - Yes or No - Spam or Not Spam
Regression (ML)
Seeks to predict real numbers such as - The price of a house - The revenue in next quarter
Virus (Information Security Risk)
Self-replicating program that runs and spreads by modifying other programs/files.
Worm (Information Security Risk)
Self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself.
Spoofing (Information Security Risk)
Sending a network packet that appears to come from a source other than its actual source.
Spam (Information Security Risk)
Sending unsolicited bulk information.
Audit Data Standards (ADS)
Set of standards for data files and fields typically needed to support an external audit in a given financial business process area.
Spyware (Information Security Risk)
Software secretly installed into an info system to gather info on individuals or organizations without their knowledge.
2 Limiting Factors in Business Systems
Storage and Processing Power
Distributed and Decentralized (Key Component of Blockchain)
The data that are distributed and synchronized among all the participants in the network.
Four Vs
The defining features of big data. Volume, Velocity, Variety, Veracity
Residual Risk (COSO ERM - Risk Assessment)
The product of inherent risk and control risk (risks that are left over after controlling it).
Control Risk (COSO ERM - Risk Assessment)
The threat that errors or irregularities in the underlying transactions will not be prevented, detected, and corrected by the internal control system.
Variety (Four Vs)
Unstructured and unprocessed data, such as comments in social media, emails, GPS measurements, etc.
AMPS: Perform the Analysis
What happened? - Descriptive Analysis Why did it happen? - Diagnostic Analysis Will it happen in the future? - Predictive Analysis What should we do, based on what we expect to happen? - Prescriptive Analysis