CMA Part 1 Section F
custom code injection
- Attackers can inject custom code into the website for subsequent browsers to process via cross-site scripting (XSS) software. - Subtle changes introduced into the web server can radically change the server's behavior (e.g., turning a trusted entity into a malicious one), the accuracy of the computation (e.g., changing computational algorithms to yield incorrect results), or the confidentiality of the information (e.g., disclosing collected information).
Big Data vs Traditional Operational Data
- Big Data sources include a variety of formats and organization - traditional operational data is generally stored on more formal structures
What primary characteristic of a relational database has made it the common enterprise database model for the last 40 years?
- Common English-like query language - SQL made it easy for application developers to make data available to end users
What is the main difference between a database and a data warehouse?
- Databases store current transaction data while data warehouses store historical summary data.
Linear regression benefit
- It indicates the impact of independent variables. - enables analysts to compare the effects of independent variables measured on different scales - helps data scientists eliminate and evaluate the best set of variables to be used for building predictive models.
Financial and non-financial systems
- SHOULD be logically separated either by network segmentation or firewalls - if not logically separated, an assessor can tell whether non-financial info can impact the financial data system
dual-homed gateway firewall
- a firewall consisting of a bastion host with two network interfaces, one of which is connected to the protected network, the other of which is connected to the Internet. - Internet Protocol (IP) traffic forwarding is usually disabled, restricting all traffic between the two networks to whatever passes through some kind of application proxy
Gantt chart
- a graphical illustration of a scheduling technique - shows output plotted against units of time - does NOT include cost information - highlights activities over the life of a project and contrasts actual times with projected times using a horizontal (bar) chart. - gives a quick picture of a project's progress in terms of actual time lines and projected time lines - used for milestone scheduling where each milestone has start and completion dates. - A milestone represents a major activity or task to be accomplished (e.g., design phase in a computer system development project).
Online analytical processing (OLAP)
- a query tool applicable to performing multidimensional (i.e., more than two dimensions) and complex queries. - OLAP can perform complex data comparisons that SQL cannot. - Retail companies use the OLAP query tool to perform data mining applications using the big data.
zero day exploit
- actual computer code that can use a security vulnerability to carry out an attack - used or shared by attackers before the software vendor knows about the vulnerability - no known software patch
data synthesis phase of data life cycle
- adding attributes based on derivations of sampled data - derived data, including aggregate calculations occurs
Biometrics
"what you are" or "what you do" access control - 2 factor authentication
masquerading attack
(1) impersonating an authorized user and gaining unauthorized privileges; (2) an unauthorized agent claiming the identity of another agent; (3) an attempt to gain access to a computer system by posing as an authorized user; and (4) the pretense by which an entity pretends to be a different entity
economies of scale
(or size); ability of firm to lower average unit cost by increasing output level
pharming attack
- An attacker may modify the domain name system (DNS) mechanism to direct it to a false website. - These techniques are often used to perform pharming attacks, where users may divulge sensitive information. - Note that pharming attacks can also be initiated by subverting the victim's host computer files.
Which of the following data visualization tools can be used as a milestone scheduling technique?
Gantt chart
What result is the most common direct result of a lack of a clear record retention policy?
Growing data repositories with data kept past its useful lifetime
Which of the following regulations include specific requirements for data retention?
HIPAA, PCI-DSS, GDPR
After completing your data analytics project and delivering your final report, the project sponsor asks you to deliver an executive summary presentation of the results. What deliverables should you include in such a presentation?
High-level summary that includes goals, risk, and ROI
Implementing an Enterprise Resource Planning (ERP) system impacts every aspect of an organization, from day-to-day operations to long-range strategic planning. What desired benefit of an ERP system, when realized, aligns most closely with enterprise strategy?
Higher business outcomes
Enterprise Resource Planning (ERP) systems impact an enterprise's operations at all levels. How will enterprise customers realize the impact of a well-implemented ERP system?
Higher customer satisfaction and retention
Regarding the business planning and performance management aspect of enterprise performance management (EPM), which of the following is required to transform hindsight vision into foresight vision?
Historical results; metrics and key performance indicators; what-if analysis; simulation models - past historical results show hindsight vision - metrics and KPIs give insights - what-if and simulation analysis give foresight vision to the insights - ad hoc (on-the-fly) forecast updates can also be added to the insights to give foresight vision
COSO Risk Assessment
ID and prioritize organizational risk - necessary prior to selecting control activities for each risk
Data cleansing
ID missing or erroneous data
dynamic analysis
IS executed while a program is in operation
How would an analyst determine that linear regression would be a better model to use than logistic regression in a specific situation?
Identify that the desired output is quantitative, as opposed to categorical.
What purpose does the R-squared (coefficient of determination) calculation serve?
Indicates how well the model describes variances in the outcome, or dependent variable - measures how well a model predicts outcomes
Why are regression and time series analyses never 100% accurate?
Influencers always exist that are not considered in any model.
Which of the following best describes an enterprise resource planning (ERP) system?
Integrated business process management software that manages all aspects of business activities
Which of the following is best to replace the use of personal identification numbers (PINs) in the world of automated teller machines (ATMs)?
Iris-detection technology - NOT fingerprint, because a fingerprint may require a PIN if the print changes due to cuts and bruises
Robotics Process Automation (RPA)
Is not just about swapping out humans for machines. It provides the "glue" that integrates multiple systems dedicated to order taking and fulfillment. This goes beyond physical systems to embrace the underlying software, with the help of AI. Even where people are still present, _________ can perform a valuable service. Ripe areas for ___ include procurement transaction processing, order management, and data quality assurance. --- requires little or no modification to pre-existing software - uses AI to learn from users, then automatically performs repetitive software actions on behalf of the user instead of requiring the user to manually repeat actions - provides answers to customers and employees in natural language, not predefined responses
Enterprise Performance Management (EPM) typically includes monitoring what type of metrics?
Key performance indicators (KPI)
Once an organization makes the decision to implement an enterprise resource planning (ERP) system, what tends to be the biggest implementation obstacle?
Maintaining personnel support throughout the implementation process
Primary goals of Data Governance Framework
Managing data, leveraging its value, minimizing risk, maintaining compliance
In what ways can cloud computing make data analysis of large datasets more accessible?
Many cloud computing vendors offer toolsets and libraries to carry out advanced analysis of cloud-stored data.
Which of the following activities would be part of the data analytics phase of the data life cycle?
Modeling, interpreting, visualization (NOT cleansing)
Which of the following databases are best suited to support big data volumes containing unstructured data (i.e., data lakes)?
MongoDB
What benefit of implementing a data warehouse has the greatest impact on production relational database systems?
Moving the performance impact of reporting and analysis processes from production database systems to the data warehouse system. - because reduced performance demand for reporting and analysis queries can increase production system performance substantially
Data alignment
NOT part of data governance - ensure data practices align with organizational goals
Types of classification algorithms
Naive Bayes, logistic regression, decision tree
exponential smoothing technique formula
New forecast = [Smoothing constant × (actual demand - forecasted demand)] + (Previous forecast)
OAI is considering migrating its primary bidding tracking app to blockchain technology to provide an audit trail of each auction's bids and handle the high volume of bids that occur as auctions are ending. Would a bid tracking app be a good fit for blockchain technology?
No, because each bid added to the blockchain comes with a cost which would reduce the true bid amount.
Assume your organization offers payment terms of net 30 days to all customers. Your accounting information system (AIS) reports that your average time to pay across all customers is 33.5 days. Does this result indicate a problem in your expenditures cycle?
No, this metric does not indicate any problems in the expenditures cycle. - it relates to the revenue-to-cash cycle
System Development Life Cycle (SDLC) - Software Flaws
Operations & Maintenance - ID and report software flaws; Implementation & Conversion - add or modify software to fix software flaws; Conceptual & Physical Design - address flaw by revisiting design phase
Business intelligence software can be used to create which of the following to turn raw data into actionable information?
Pivot Table and Contingency Table
Suppose you have a sales dataset that consists of item number, price, quantity, and sales date-time. Based on past sales, you want to estimate what price you need to set for a group of items to achieve the desired sales targets for those items. What type of analytics are you carrying out?
Prescriptive
The data analytics phase of the data life cycle has the potential to provide the most value derived from data to an organization. Why is one specific type of analytics, prescriptive analytics, often considered to potentially yield the greatest value from data?
Prescriptive analytics gives organizations tools to control desired outcomes. - can alter behavior to achieve desired goals
Security controls mitigate a wide variety of information security risks. Security Awareness Training would best fall under which of the following controls?
Preventive and Deterrent - As a Preventive control it stops unauthorized or unwanted activity from occurring, and as a Deterrent control it discourages the same type of activities
Porter's Value Chain
Primary: inbound logistics, operations, outbound logistics, marketing and sales, service. Support: firm infrastructure, human resource mgmt, technology development (incl. AIS), procurement - primary activities generate revenues
Which of the following most closely describes the automation of invoice pre-processing?
Processing systems can incorporate invoices that originated in an assortment of formats: by scanning a physical document, by reading contents of an email or electronic fax, or by translating data from a portal upload.
Sports Clothing, Inc. (SCI) recently installed automated conveyor systems in its primary warehouse. How could implementing automated robotics components reduce labor costs associated with loss of misplaced goods?
Providing an audit trail of last known product location and path - Knowing where a package was last seen can materially reduce labor costs associated with searching for lost packages.
--- is the most effective method to ensure that resulting application software meets its original goals.
Providing developers with a clear understanding of the business needs
SDLC - Physical Design
Purpose: develop technology and organizational specifications. - define database to DBMS, physical data organization, database processing programs - define data schema objects; specific low-level data storage issues are defined and specified
What major philosophical change did blockchain technology introduce that allows blockchain to support value exchanges between parties that do not trust one another?
Replacing trust in individuals with a trust in technology
database replication
Replicating mission-critical databases provides alternative data repositories that are immediately available after a failure of the primary copy.
SQL: to return all fields for all rows in the customer table for customers that live in the state of Georgia
SELECT * FROM customer WHERE state = 'GA';
types of relational database management system
SQL, Oracle DB v11, DB2
What is the most common difference between on-premises applications and Software as a Service (SaaS) applications?
SaaS applications are web-based applications delivered over the Internet and on-premises applications require access to an enterprise network.
Reliable Refrigerated Shipping (RRS) provides refrigerated containers and vehicles to ship items that require refrigeration en route. Each RRS container vehicle reports its internal current temperature at predefined intervals. How could the RRS automated sensors provide RRS with more manageable cash flow?
Sensors could indicate failing refrigeration units before loss, and trigger immediate insurance claims for loss resulting from refrigeration failure.
How can organizations that utilize cloud service providers guarantee performance minimums to their customers?
Service level agreements (SLA) include guarantees of service uptime.
Why does the practice of using simulation models, such as the Monte Carlo technique, improve a model's accuracy?
Simulation models allow analysts to consider potential inputs that are not distinctly represented in input datasets.
Which of the following best describes a software application that is hosted by a cloud service provider accessible over a secure Internet connection?
Software as a Service (SaaS)
Which cloud computing service model provides access to one or more programming languages with necessary libraries and development tools, along with the cloud service provider's applications running in the virtual instance?
Software as a Service (SaaS) The SaaS model provides access to running instances of a provider's software application running in a virtualized environment, and may include additional components, such as programming languages.
Which definition best describes a data warehouse?
System used to collect, aggregate, and store data in a central location to support reporting and analysis
Infrastructure as a Service (IaaS)
The IaaS service model provides a basic virtual machine, with necessary connectivity and storage support.
What does the word "relational" refer to in the term "relational database"?
The ability to relate multiple tables through the intersection of common fields (columns)
Extract, Transform, Load (ETL)
The common process for importing data into a data warehouse is to extract from the source, transform into the proper input format, and then load the transformed data into the data warehouse
A business brings in a new application that performs valuation modeling. Which of the following best describes this innovative capability?
The model can quickly calculate the valuation of an asset using data points around the asset and historical examples.
Software Development Life Cycle
The process that a program goes through. It consists of the development, maintenance, and demise of a software system. The phases include analysis, design, coding, testing/verification, maintenance, and obsolescence
Resource pooling
The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand.
What is the ultimate goal of a data governance framework?
To enable an enterprise's upper management to make informed decisions about how to manage data, realize value from it, minimize cost and complexity, manage risk, and ensure compliance
Business process analysis
- examines every part of a process to determine overall process effectiveness and efficiency - IDs the process, its structure, its users, its information exchange
Technology for acct and finance dept
- first step in the process would be to integrate as many of the accounting and finance systems as possible to be able to send info to other depts - An example of integration is how data from purchasing can be captured at the invoice level. - Information from the invoice can then be shared electronically with other departments, without the need for human data entry or intervention. - Quantity and price information can be sent to operations for cost and inventory control. - The amount, terms, and due date can be sent to accounts payable for collections management and cash control.
Limitations of time series analysis
- framing - over-specification - reliance on mechanical extrapolation
Blockchain
- fully distributed and decentralized ledger synchronized through consensus between parties - decentralized operations for peer-to-peer transactions - uses cryptographic hash function = secure hash function - uses digital signature algorithm
What does the magnitude of any coefficient in a linear regression equation tell you about that coefficient's variable?
Value changes for variables with coefficients of large magnitude have large effects on the outcome.
What is the greatest limitation of data analytics visualization, which can undermine the value of analysis work?
Visualizations can overly simplify analysis results and lead to reliance on the visual, as opposed to the true meaning of the output.
RDBMS example of using primary and foreign keys
- use of a vendor number as an identifier. - Rachel can use the vendor number to tie together individual reports downloaded from her bookkeeping system, converted from PDFs and from her Excel spreadsheets, to create specialized management reports such as purchases by vendor, accounts payable analysis, and purchases by vendor by time period.
BPA
- used to analyze a dept to see which processes would benefit most from technology like AI or RPA - also to analyze communication flows between depts to see where cloud computing would be useful
Bitcoin
- uses Blockchain and Hash chain - does NOT use investment chain or incident chain - mutually distrusting entities without intermediary (aka no central bank)
Blockchain - Advantages
- uses protected cryptography to secure data ledgers - current ledger is dependent on its adjacent completed block to complete cryptography processes - transparent transactions --> individuals who have authority can view the transaction - decentralized because transactions stored in blocks are held on millions of participating computers - data is "append only" - only added to the end, no insert; data can't be altered or deleted
What is the primary purpose of business intelligence?
Present existing data in a manner that helps in making business decisions.
Which type of digital data consists of textual data with inconsistent formats but can be formatted with the use of software tools?
Quasi-structured data
Regarding enterprise performance management (EPM), which of the following can facilitate business planning and performance management functions?
Workflow software, online analytical processing technology, structured query language software
At what point do many organizations encounter obstacles when implementing data governance?
Working collaboratively across business units
JPM Manufacturing Corporation's sales forecast for January was 120 units and actual demand was 135 units. Using the exponential smoothing technique as a part of time series analysis, what would be the forecast for February if the smoothing constant is 0.10?
121.5 units
PINs
3 factor authentication
COBIT (Control Objectives for Information and related Technology) Framework
40 objectives, 5 domains, 3 principles
You have developed a linear regression equation, y = −58.2 + 1.5467x, that models the expected grade in Calculus II (y), based on the earned grade in Calculus I (x). If a student earns the grade of 90 in Calculus I, what is the expected grade for that student in Calculus II? (Round to the nearest whole number.)
81
Physical layer
= 1, lower level - simple firewalls operate on level 2 or 3
Application layer
= 7, higher level - advanced firewalls operate on level 7
Ransomware attack
= data hijacking - sends emails that look like legitimate courtesy messages to spread malware (ransomware botnet) - encrypts all files saved on the hard drive so they can only be opened with the decryption key - holds the files hostage and demands payment
Narrowest confidence interval
= lowest confidence level
Platform as a Service (PaaS)
A cloud service in which consumers can install and run their own specialized applications on the cloud computing network. - The PaaS service model provides platform components, including programming languages and supporting libraries and tools, but does not include application software.
Data
A collection of unprocessed items, which can include text, numbers, images, audio, and video. ex. person in front of an object
On-demand self-service
A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.
Which statement best describes how a data governance framework aligns with managing data?
A data governance framework does more than just manage data. It provides a governance system that sets the rules of engagement for management activities. - addresses all aspects of managing data beyond just regulatory compliance
Quantum computing
A field of computer design using the principles of quantum mechanics in which a single bit of information can be not just a 0 or a 1 but in both states at the same time - computers with large word sizes with vast amounts of memory power and great speed
Database Schema
A graphic that documents the data model and shows the tables, attributes, keys, and logical relationships for a database. - defines attributes that govern how the database stores each piece of data - includes entity names, data sets, data groups, sort sequences, access keys, and security locks
Linear regression
A quantitative statistical technique often used for forecasting, but based on the assumption that the future will be just like the past. To the extent that historical relationships are unstable, linear regression is less accurate. - quantitative input relationship to quantitative output
artificial intelligence (AI)
A scientific field that focuses on creating machines capable of performing activities that require intelligence when they are done by people. - extension of functionality of existing applications; little or no additional license cost
Access control
A security measure that defines who can access a computer, device, or network, when they can access it, and what actions they can take while accessing it. - authentication and authorization
Checksum
A sum generated using individual digits of a number and employed as an error-detecting device.
How many rows does a Structured Query Language (SQL) SELECT query with a WHERE clause return?
All the rows that match the WHERE clause
Why is an accounting information system (AIS) insufficient to enforce compliance with production cost budgetary limits?
An AIS imposes controls based on the organization's policies and is subject to the organization's tolerance to control exceptions.
Which of the following would be the best answer that describes a business reason to utilize Data Analytics?
An organization wishes to assess a large volume of data for trends, filtering, and visualization in order to make the information easier to comprehend. - Data analytics will empower the business to intake a large amount of data to make intelligent decisions based on the trends identified.
General Retailers (GR) is a chain of 75 general merchandise stores and a central online fulfillment warehouse. It has seen its overall sales and repeat customer base steadily decreasing over the last 2 years. GR management recently adopted a top priority strategic objective to increase its customer base and sales. How can GR's existing IT assets support this objective?
Analyze existing data to discover reasons for customer turnover.
If blockchains are not technically immutable, how can rogue changes to any block be detected?
Any data change invalidates the current block and all subsequent blocks. - Any change to data after a block is added to the blockchain causes the stored cryptographic hash to no longer match what is stored in the previous block, which invalidates the current block and all subsequent blocks
Automated sensors can detect physical or logical attributes. Which of the following logical automated sensors could reduce billing cycles for project-related activities?
Application triggers to automatically bill for work as tasks are completed in workflow management software
What primary characteristics identify data as a likely candidate for capture?
At least one data value differs from previously stored data and the remaining values align with current or planned analysis requirements.
How can artificial intelligence (AI) reduce accounts receivable cycles?
Automatically learn to recognize signs of potential slow or late payments - AI can learn to identify events that likely preceded slow or late payments and create early alerts, or even automatically take action to reduce the possibility of slow or late payments.
An operational efficiency review of the XYZ organization resulted in a finding that multiple business functions are duplicated across business units and locations. In what way could an enterprise resource planning (ERP) system address this finding and make XYZ more efficient?
Better resource utilization
Why are biometric controls generally considered to be more secure than passwords or tokens?
Biometric controls depend on a physical characteristic, which is more difficult to transfer to an unauthorized individual than a password or other physical device.
What are the implications and possible effects of blockchain technology on network controls and the internal audit process, if any?
Blockchain will have an impact on information storage, transmission, and analysis, which in turn will certainly change internal audit processes.
one version of the truth
Both financial data and nonfinancial data (operational data) are automatically recorded or captured in the CPM software. Later, these two types of data are reconciled to each other to achieve the goal of one version of the truth
To design the most efficient and effective software application components, application designers need the results, or output, from what process to provide the scope and requirements of a solution?
Business process analysis, to understand the business problem that needs a solution
Trident Manufacturing is currently pursuing data governance initiatives as part of its current fiscal year goals. Who most likely is driving these initiatives, and what is their likely motivation?
C-suite level executives responding to external regulations
With multiple frameworks available that include data governance, what feature of the Control Objectives for Information and Related Technologies (COBIT) make it a good fit for organizations primarily interested in establishing links between business and IT goals for data management?
COBIT primarily focuses on security, risk management, and information governance.
---- is a stratification model where items in a population are first classified or divided into separate subgroups or strata with similar characteristics. ---- can be used to focus procedures on risk areas or to reduce variability in sampling populations. Then a simple random or systematic sample is taken separately from each stratum. ---- uses random sampling methods and has nothing to do with time-series data.
Classification model
In what way can cloud computing best increase efficiency among geographically dispersed workers?
Cloud computing and storage supports easy collaboration and document sharing.
---- is a type of random sampling in which the population items occur naturally in subgroups. Entire subgroups or clusters are then randomly sampled for observation and evaluation. ---- uses random sampling methods and has nothing to do with time-series data.
Clustering model
a relational database
Collection of data that is stored logically as a collection of tables, along with a query language that makes it easy to find related data stored in separate tables
You have been asked to classify objects in a large dataset using a predefined set of labels. The data in the dataset includes discontinuous age data that should not affect the model's output. Which classification algorithm would be a likely good fit for your analysis?
Decision tree
What is the most common noticeable impact of separate financial and nonfinancial systems on workflow when creating expenditure transactions for matching production activities?
Delays—increased processing time
Enterprise Performance Management (EPM) is also known by what other names?
EPM aka Business Performance Management, Corporate Performance Management
How do enterprise performance management (EPM) and enterprise resource planning (ERP) relate to one another?
ERP is a subset of EPM
An application or suite of applications that automate, track, and support a range of administrative and operational business processes, such as the supply chain, across multiple industries can best be described as a(n):
ERP solution
After examining the challenges in maintaining separate financial and non-financial systems, what is the most powerful argument for funding the effort to move to an integrated information system?
Easier auditability of full transaction life cycle
What enterprise system includes e-commerce systems, front-office and back-office applications, data warehouses and external data sources, and consists of the processes of monitoring performance across the enterprise with the goal of improving business performance?
Enterprise Performance Management (EPM)
What is EPM?
Enterprise Performance Management—This process and software system are designed to help companies link their strategic goals and objectives, communicate them to management, and align them with their budgets and corporate plans.
What common process must occur periodically to update a data warehouse?
Extract, Transform, Load (ETL)
Overfitting
Fitting a model too closely to sample data, resulting in a model that does not accurately reflect the population.
Global Package Service (GPS) is a worldwide package delivery service that specializes in expediting shipments through international channels to minimize regulatory obstacles. GPS is planning to develop a public blockchain app to record packages at each step in the shipping and delivery process. Would a package tracking app be a good fit for blockchain technology?
Yes, because it would give shippers, recipients, and any other interested parties easy access to a package's location and status.
Could blockchain technology provide identity management for individuals to prove their real-life identification without papers?
Yes, refugees and disaster survivors could prove their true identities.
zero day attack
a computer threat that tries to exploit computer application vulnerabilities that are unknown to others, undisclosed to the software vendor, or for which no security fix is available - no known software patch
decision tree
a graphical representation of possible alternative decisions, the events or states of nature that can follow each decision with their associated probabilities, and the outcomes of those events or states of nature - drawn with nodes (boxes representing decision points), branches (connectors between the nodes), and circles (states-of-nature nodes)
According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), how is internal control best described?
a process - COSO framework defines internal control as a process that is effected by an organization's management to achieve goals in operations, financial reporting, and compliance.
Data warehouse
a repository of historical, pre-computed, descriptive, and numerical data that are organized by subject to support decision makers in the organization - central location for transactional data that has been transformed into operational informational data - stores summary data, less granular, aggregated
Enterprise Resource Planning (ERP)
a suite of applications called modules, a database, and a set of inherent processes for consolidating business operations into a single, consistent computing platform - most valuable for managing standardized products and for customer management, e.g., quality control: analyzing current customer feedback on product quality for recent purchases
EPM solution
a suite of applications that is used to monitor, analyze, and manage the performance of an organization possibly reporting from multiple ERP solutions - mostly driven by finance dept
Utility computing
a technology whereby a service provider makes computing resources and infrastructure management available to a customer as needed - allows end users to access technical services to perform simple tasks without needing technical knowledge
Line chart
a visual aid consisting of a grid that maps out the direction of a trend by plotting a series of points ex. visualization of returns of individual products at various time intervals
Advanced Firewall
ability to examine contents of a packet as opposed to just its address and destination port
What critical auditing capability is compromised when financial and nonfinancial transactions are handled by separate systems?
ability to trace a transaction through its entire life cycle
Application filtering
able to determine if application being used through the firewall is in fact that application
If chi-square is > than the critical value...
reject the null hypothesis (the observed frequencies differ from the expected frequencies by more than chance would explain)
Firewall Actions on Packets
accept, deny, and discard 1. examine the network packet's source and destination addresses and ports to determine what protocol is in use 2. start at the top of the rule base and work down through the rules until one is found that accepts or denies the packet 3. discard: drop the packet and do not return an error message to the source system
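Added example, not from the original cards: a toy packet filter in Python that follows the three steps above (classify by address and port, walk the rule base top-down, first match wins). The rule base, the addresses and the choice to silently discard any packet that matches no rule are assumptions made for the illustration, not any real product's configuration.

```python
# Added example: minimal packet-filter rule base evaluated first-match-wins, top to bottom.
# Illustrative only; rules, addresses and the default-discard policy are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str     # source IP
    dst: str     # destination IP
    dport: int   # destination port
    proto: str   # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str                   # "accept", "deny" (reject with an error) or "discard" (silent drop)
    src: str = "0.0.0.0/0"        # source network in CIDR notation; default = any
    dst: str = "0.0.0.0/0"        # destination network; default = any
    dport: Optional[int] = None   # None = any destination port
    proto: Optional[str] = None   # None = any protocol

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.proto is None or self.proto == p.proto))


# Step 1: well-known destination ports tell us which application protocol is in use.
SERVICES = {22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "https"}


def service_of(p: Packet) -> str:
    return SERVICES.get(p.dport, "unknown")


def evaluate(rules, p: Packet) -> str:
    """Step 2: walk the rule base top-down; the first matching rule decides.
    Step 3 (assumption): a packet that matches nothing is discarded, i.e. dropped
    without any error message going back to the sender."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "discard"


# Constructed rule base: internal network 10.0.0.0/8, DMZ web server 192.0.2.10.
RULES = [
    Rule("accept", dst="192.0.2.10/32", dport=443, proto="tcp"),                     # public HTTPS to the DMZ host
    Rule("accept", src="10.0.0.0/8", dst="192.0.2.10/32", dport=22, proto="tcp"),    # admin SSH only from inside
    Rule("deny", dst="192.0.2.10/32", dport=22, proto="tcp"),                        # all other SSH: reject with error
    Rule("discard", src="198.51.100.0/24"),                                          # known-bad range: drop silently
]


if __name__ == "__main__":
    for pkt in (Packet("203.0.113.5", "192.0.2.10", 443, "tcp"),
                Packet("10.1.2.3", "192.0.2.10", 22, "tcp"),
                Packet("203.0.113.5", "192.0.2.10", 22, "tcp"),
                Packet("198.51.100.7", "192.0.2.10", 80, "tcp")):
        print(pkt, service_of(pkt), "->", evaluate(RULES, pkt))
```

Because the first match wins, rule order is part of the policy: moving the blanket SSH deny above the internal-admin accept would cut administrators off, which is exactly the kind of mistake a rule-base review looks for.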
Supply chain
accepting input from and providing output to other organizations
End users of integration testing
accounting and finance staff
Cyber Threat intelligence
acquire and analyze info to ID, track, and prevent cyber attacks
When data physically comingled for multiple subscribers:
complicates data sanitization and recovery, since one subscriber's data cannot be securely wiped or restored in isolation from the other subscribers' data
From a software testing viewpoint, when does a formal change control mechanism start in a system development project?
after integration testing
Business intelligence
aggregates data and presents it visually in a manner that enables users to sort and filter through volumes of different data types with ease.
Enterprise Performance Management (EPM)
aka Business Performance Management - Plan, Do, Check, Act (PDCA) - helps organizations link strategies to their plans and execution - provides analysis and correlation of how well execution aligns with plans - ensure strategic goals and objectives clearly communicated and understood by managers and reflected in plans and budgets - does NOT include auditing or compliance gap ID systems
gray-box testing
aka focused-testing - anything not tested in white or black box testing - assumes some knowledge of the internal structure and implementation detail of the assessment object
black-box testing
aka functional testing - executes part or all of the system to validate that the user requirements and system requirements are satisfied
Unit testing
aka module testing - boundaries (beginning and end) well defined - deals with specific inputs and outputs - detailed design documentation - first test conducted - should be comprehensive enough to include black-box testing and white-box testing
white-box testing
aka structural testing and comprehensive testing - examines the logic of the program units and may be used to support software requirements for test coverage
trivial linear regression
all data points lie exactly on a single line; r squared = 1 (100%)
Which of the following are the intuitive conclusions about the high sales in the fourth quarter for the QTV Corporation? 1. Sales increased 14% above the average quarterly value 2. Television interest has increased 3. Television purchase pattern is increased 4. The total of the four seasonal indexes must be 4.0
all four
Software Development Life Cycle - Planning
allocation of resource requirements, budgeting, agreement on timeline, and the definition of key milestones for the software development project
False non-match rate
alternative term for false rejection rate - used to avoid confusion in applications that reject a claimant when their biometric data matches that of an enrolled applicant (e.g., screening against a watch list), where a match leads to rejection rather than acceptance
Service level agreements (SLA)
an agreement between service consumers and cloud service providers (CSP) that details all aspects of service the CSP provides, including uptime guarantees and consequences of violating uptime guarantees.
economies of technology
as number of technical innovations increases, cost of producing a product-unit decreases (can be IT and non-IT)
Structured Query Language (SQL)
asks users to write lines of code to answer questions against a database - international standard language to create, process, and manipulate a database
Ex. separate financial and non-financial systems, some shipments are never billed
audit both systems and match transactions
Blockchain for Supply Chain Management
because it records ownership status and supports reverse tracking of an item back through the chain
The CFO and Controller want to see daily reports in the form of dashboards outlining cash flow, accounts receivable, accounts payable, etc.
benefit of business intelligence
Internal investigations requests to have the capability to forensically assess data to determine if fraud or corrupt practices are being carried out.
benefit of data mining
Augmented Reality Customer Management
beyond traditional displays of monitor and keyboard
framing
bias where people decide on options based on if the options are presented with positive or negative semantics (e.g., as a loss or as a gain). People tend to avoid risk when a positive frame is presented but seek risks when a negative frame is presented.
In a system development life cycle (SDLC), which of the following tests is driven by system requirements?
black-box testing
Masquerading attack is an example of
browser based attack
What term refers to the collection of applications, tools, and best practices that transform data into actionable information in order to make better decisions and optimize performance?
business intelligence
Which single type of analysis often increases overall system performance by allowing application software developers to understand how users operate and to create software that helps users complete their job role requirements?
business process analysis
ERP (Enterprise Resource Planning)
business process management software that allows an organization to use a system of integrated applications to manage the business and automate many back office functions related to technology, services and human resources
check digit
calculation to ensure primary key or data are entered correctly
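Worked example, added here and not part of the original card set: the Luhn algorithm, the check-digit scheme used for payment card numbers, computed and validated in Python. The identifiers are constructed. It also shows the one class of error a Luhn digit cannot catch (an adjacent 0/9 transposition), the caveat to keep in mind when relying on a check digit alone.

```python
# Added example: computing and validating a Luhn check digit. The sample numbers are
# constructed for the illustration.


def luhn_check_digit(payload: str) -> str:
    """Return the single digit that makes payload + digit pass the Luhn test."""
    total = 0
    # Walk from the rightmost payload digit. The check digit will sit to its right,
    # so the rightmost payload digit is the first one doubled.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the full number (payload followed by check digit) is Luhn-valid."""
    if not number.isdigit() or len(number) < 2:
        return False
    return luhn_check_digit(number[:-1]) == number[-1]


def detects(original: str, corrupted: str) -> bool:
    """True if the check digit catches the corruption (valid number becomes invalid)."""
    return luhn_valid(original) and not luhn_valid(corrupted)


if __name__ == "__main__":
    print(luhn_check_digit("7992739871"))       # 3, so 79927398713 is valid
    print(detects("79927398713", "79927398723"))  # single-digit error: caught
    print(detects("79927398713", "79927397813"))  # adjacent transposition 87 -> 78: caught
    print(detects("12096", "12906"))              # adjacent 09 -> 90: NOT caught
```

Luhn catches every single-digit substitution and every adjacent transposition except 09/90, so it protects against typing mistakes, not against an attacker who can simply recompute the digit; it is an integrity check on data entry, not an authentication of the number.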
glass-box testing
called white-box testing because the tester can see inside the system, as if through glass
Rapid elasticity (scalability)
can expand or restrict cloud provider's capabilities and resources based on user demand
All of the following items can help in database system recovery efforts
checkpoint feature, rollback feature, rollforward feature
Chi-square test for Goodness of Fit
chi-square closer to zero when observed frequencies close to expected
What is the most time consuming and labor-intensive phase of a data analytics project life-cycle?
cleaning and preparing data (Collecting suitable data from multiple sources and transforming it into a format suitable for analysis)
COBIT (Control Objectives for Information and related Technology) Framework
clear distinction between 2 enterprise disciplines: governance and management
Which of the following defines a model for enabling a convenient and on-demand network access to a shared pool of configurable computing resources?
cloud computing
Dynamic Provisioning
cloud computing only pay for what IT you need at a point in time; scalability
Software Development Life Cycle - Maintenance
code is updated to support enhancements or feature upgrades of dependent software
Goodness of fit =
coefficient of determination
Active user interface analytics
collect input from multiple users used to determine trends, classify behavior, and predict future actions - may be one part of RPA
screened host firewall
combines a packet-filtering router with an application gateway located on the protected subnet side of the router
SaaS application growth: key driver is
competitive SaaS pricing model when compared to on-premise application - subscription based pricing
What data analytics term refers to the probability that an observed data value lies in a specified range?
confidence interval
Which two security properties are most commonly addressed using access controls?
confidentiality & integrity
least functionality
configuring an information system to provide only essential capabilities and specifically prohibiting or restricting the use of risky (by default) and unnecessary functions, ports, protocols, and/or services
Robotic Process Automation (RPA)
configuring virtual robots using software and tools - these bots use preexisting systems to perform tasks based on predesigned rules
What type of blockchain implementation would be best for a supply chain app with independent parts manufacturers, shippers, and assemblers of airplane components for a major aviation manufacturer?
consortium blockchain
Which of the following components exist in both of COSO's Internal Control and Enterprise Risk Management frameworks?
control activities
Data collection
convert real-world observations of attributes and events into digital representations
What is the biggest obstacle to deciding to implement an enterprise resource planning (ERP) system?
cost of implementation process
A database query language
creates the ability to join tables
example of financial administrative activity currently manual but candidate for process customization
creation of P&L reports is traditionally manual; bots could automate the entire report creation process
ERP Advantages
customization, cost savings, customer service
adware
cyber attack via malvertising (malicious ads placed on legitimate websites)
Data management techniques that empower an organization to protect high data quality standards throughout the data's life cycle
data governance
What IT and business collaboration results in improved trustworthiness and quality of an enterprise's data?
data governance
What enterprise endeavor is best described as a holistic approach to managing, improving, and leveraging information to help an enterprise's overall data management efficiency?
data governance
Online Analytical Processing (OLAP)
data is divided into cubes to make creating and viewing reports easier
Suppose your organization collects and analyzes water and air temperature readings, as well as relative humidity measurements, at all of your manufacturing and distribution facilities to understand seasonal trends and better predict energy use to maintain a consistent facility environment. During which data life cycle phase would measurements be normalized to make it easier to compare data sampled by sensors using different units of measure?
data maintenance
All of the following facilitates information retrieval and data analytics as they store historical data
data marts, virtual databases, data warehouses (NOT distributed database systems)
Data mining: an art and a science
data models can all produce numbers, but takes time to find the best model for your data
Most U.S. organizations are required to provide access to employment tax records for up to four years after the tax is due or is paid (whichever is later). What policy should an organization have in place to ensure needed tax records are available on demand?
data retention policy
Predictive Analytics
extracts information from data and uses it to predict future trends and identify behavioral patterns
Type II error (beta)
false acceptance rate - imposters are accepted as genuine users
Type I error (alpha)
false rejection rate - genuine users rejected as imposters
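Added example for the two cards above (Type I / false rejection, Type II / false acceptance), not from the original deck: computing FAR and FRR for a biometric matcher from constructed genuine and impostor match scores, and finding the threshold where the two error rates are equal. The scores and the accept-if-score-at-least-threshold rule are assumptions.

```python
# Added example: FAR (Type II) and FRR (Type I) of a biometric matcher at a threshold.
# Match scores are constructed; higher = more similar to the enrolled template.

GENUINE = [0.91, 0.88, 0.95, 0.72, 0.83, 0.67, 0.90, 0.79, 0.86, 0.93]   # same person
IMPOSTOR = [0.12, 0.35, 0.41, 0.58, 0.22, 0.73, 0.30, 0.49, 0.61, 0.18]  # different person


def error_rates(genuine, impostor, threshold):
    """Accept when score >= threshold (assumed decision rule).
    FAR = impostor attempts accepted / impostor attempts   (Type II error, beta)
    FRR = genuine attempts rejected / genuine attempts     (Type I error, alpha)"""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def equal_error_threshold(genuine, impostor):
    """Scan every observed score as a candidate threshold and return
    (threshold, far, frr) where |FAR - FRR| is smallest: the equal-error operating point."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    return best[1], best[2], best[3]


if __name__ == "__main__":
    for t in (0.5, 0.7, 0.8):
        far, frr = error_rates(GENUINE, IMPOSTOR, t)
        print(f"threshold {t}: FAR={far:.1f} FRR={frr:.1f}")
    print("EER point:", equal_error_threshold(GENUINE, IMPOSTOR))
```

Raising the threshold trades false acceptances for false rejections: at 0.8 no impostor gets in but three genuine users are turned away. Which side to favour depends on what the system protects; a door to a server room tolerates more FRR than a consumer phone unlock.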
In any organization, the completion of the first iteration of the human resources and payroll accounting information system (AIS) cycle implies that at least which other cycles have completed?
financing or revenue (must have $ to pay out)
Which of the following statements is true about a firewall and an intrusion detection system (IDS)?
firewalls are a complement to an intrusion detection system (IDS)
Security should always be included in software development projects when?
from the very beginning aka systems analysis stage
economies of scope
gaining efficiencies with the integration of the number of products, services, systems, functions, and activities in an organization ability of firm to produce multiple products or services more inexpensively in combo than separately
Depreciation amount is calculated separately and is then reconciled to which of the following accounting information system (AIS) cycles?
general ledger system (initially recorded in the PP&E account, then reconciled in the GL)
usage metering for cloud computing
gives teams real-time visibility into how much computing resources are being utilized (does NOT improve efficiency)
Process automation
gives the organizations the capability to eliminate or reduce administrative processes that were traditionally manual in nature.
"What-if" questions can be applied to all of the following
goal seeking, sensitivity analysis, simulation techniques
Box Plot
graphs distribution of a dataset, measuring data variability at quartiles and interquartile range - main technique of exploratory data analytics (EDA) ex. distribution of patient treatment length in time for each type of treatment category
In blockchain technology, core smart contract features provide which of the following?
guaranteed execution results for all network nodes (each node can locally verify that transactions are valid)
Decision tree classifiers
handle nonlinear and discontinuous data without negatively affecting the output
common applications of bitcoin currency
handling AR and AP transactions, raising new capital in the primary market, trading precious metals in the secondary market (NOT trading securities in the secondary market)
Intrusion detection system (IDS)
hardware or software product that gathers and analyzes info from various areas within a computer or network to ID possible security breaches, including intrusion by external hackers or misuse by employee
AIS should
help organization adopt and maintain its strategic position
predictive analytics
helps organizations to prepare for likely outcomes before they occur
Executive summaries should only include
high-level overviews that directly address the issues that executives value most—the impact to the business
Enterprises that implement autonomous operations most likely will realize which benefit first?
higher production consistency
Which of the following confidence levels would result in the lowest sampling error?
highest confidence level
Diagnostic analytics
historical data to determine "why" - risk, performance, and problem indicators
Data owner
holds legal rights and complete control over data elements. Possess the ability to define distribution and associated polices. - ultimate responsibility for data
Which of the following phases of the System Development Lifecycle can be best described as the project plan is put into motion and the work of the project is performed?
implementation
Because the unit test is the first test conducted, its scope should
include both white-box and black-box testing
Next Generation Firewalls (NGFW)
incorporate traditional firewall and advanced features like application filtering
SDLC - Conceptual Design
issues like data storage technology must be resolved (ex. Blockchain vs. traditional database)
Most common negative impacts of under-retaining and over-retaining records:
lack of evidence for investigations and excessive storage space use
Autonomous operations
leverage quicker anomalous activity recognition with faster response to problems, resulting in lower downtime loss and better production quality.
coefficient of determination
linear relationship of variables
EPM
link execution to plans
Supply Chain and Value Chain relationship:
linking output of one organization's value chain to input of another organization's value chain = a single link in a supply chain
Support Desk Intelligence
locate best response to a query
All of the following are defining characteristics of cloud computing that support the business rationale of improving efficiency
on-demand resources, connectivity from anywhere, rapid elasticity
How does the Control Objectives for Information and Related Technologies (COBIT) relate objectives to processes and related components to achieve that objective?
one governance or management objective always relates to one process and one or more components of other types to help achieve the objective
Corporate performance management (CPM) software is embedded in which of the following to improve performance reporting quality?
one version of the truth
During which phase of the systems development life cycle (SDLC) are access control lists (ACLs) for application users added after initial installation typically defined?
operations and maintenance
EPM - Do
orders and sales
Pareto charts are used to
organize errors, problems, or defects
Healthy Life, Inc. (HLI), is a health services company that specializes in managing health services scheduling. To ensure HIPAA compliance, HLI has engaged White Hat Security Group (WHSG) to evaluate the strength of its security controls. HLI wants WHSG to attempt to "break in" to its information systems to see how resilient it is to attacks. What type of engagement is HLI requesting?
pen testing
What technique to identify security vulnerabilities allows security professionals to act as attackers to identify potential system security weaknesses?
pen testing
Difference between pen testing and cyber attack
permission
Subject
person using a computer system
A strong data retention policy can help organizations maintain compliance with data retention regulatory requirements. Once a policy is approved and in place, what else is necessary to provide the greatest assurance that the policy will be effective?
personnel education
physical design phase of SDLC
physical attributes of the application system are defined to meet the application's functional requirements
Which method should ABC choose to remove archived database copies from solid state disk (SSD) devices to provide the highest assurance that all PHI is purged?
physical device destruction
First line of defense
physical security, network monitors, and quality assurance
checkpoint
point taken at regular intervals where intermediate results are dumped to secondary storage to minimize the risk of work loss
Which enterprise performance management (EPM) feature best positions an organization to react quickly to changing business needs?
predictive analytics
Exploratory Data Analysis (EDA)
preliminary/initial analysis; patterns and relationships - box plots, stem and leaf diagram - primary purpose to present set data using a variety of visualizations to organically reveal interesting aspects of the data
what if and goal seeking
prescriptive analytics
Regarding cyberattacks, what do fundamental goals or elements of the defense-in-depth strategy include?
prevent and detect-and-respond
Penetration and vulnerability scanning are forms of what type of control?
preventative
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework is built on 17 building blocks that support effective internal control. The building blocks are stated as explicit goals necessary to implement effective internal controls across 5 components. What does COSO call these 17 building blocks?
principles - the COSO framework maps 17 principles to 5 components
What type of blockchain implementation would be best for managing the manufacturing process of automobiles from parts receipt to the rollout of final products?
private - private blockchain is a good fit for organizations that want to manage a progression of data within a controlled access environment, such as within a single organization
An organization wishes to automate processes such as repetitive data entry that are entered via OCR scanning of documents and input into the respective fields.
problem that Robotic Process Automation (RPA) could solve
data reduction
process of simplifying data, not database design
In-transit encryption
protects data as it is being transmitted - defends against attackers who use sniffers to monitor network traffic
Volume encryption
protects stored data from physical theft
What relational database management system feature provides the ability to "join" tables together, returning data that share a common value among the source tables? (Normally resolved by matching data in a common field or column among tables.)
query language
What is the most achievable common goal of implementing autonomous operations?
reduce costs by enhancing operational stability for more uptime and higher quality
zero day warez
refers to software, games, videos, music, or data unlawfully released or obtained on the day of public release
Which of the following can be used when time-series data is unavailable?
regression model - Time series analysis involves breaking down data measured over time into one or more components of trend, cyclical, seasonal, and irregular. Time-series analysis is similar to regression analysis in that both techniques help to explain the variability in data as much as possible. Regression model is a causal forecasting method that can be used to develop forecasts when time-series data are not available.
Which analytical model would be the best choice if a company wishes to test the prediction that is in the form of a quantity?
regression modeling
Which of the following items is an advantage of an ERP (Enterprise Resource Planning) System?
regulatory compliance
If chi squared value is less than critical value
fail to reject the null hypothesis (the observed frequencies are consistent with the expected frequencies)
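Added example for the chi-square cards (goodness of fit, and the decision rule against the critical value), not from the original deck: the statistic computed by hand in Python and compared with the 5% critical value for the test's degrees of freedom. The observed counts are constructed and the critical values are copied from the standard chi-square table.

```python
# Added example: chi-square goodness-of-fit test with the decision rule made explicit.
# Observed counts are constructed; critical values are from the standard chi-square table.


def chi_square_statistic(observed, expected):
    """sum((O - E)^2 / E) over the categories; zero when observed equals expected."""
    if len(observed) != len(expected):
        raise ValueError("observed and expected must have the same number of categories")
    return sum((o - e) ** 2 / e for o, e in zip(observed, expected))


# Upper 5% critical values of chi-square for 1..6 degrees of freedom (standard table).
CRITICAL_05 = {1: 3.841, 2: 5.991, 3: 7.815, 4: 9.488, 5: 11.070, 6: 12.592}


def goodness_of_fit(observed, expected):
    """Return (statistic, critical value, decision) at the 5% significance level.
    Degrees of freedom = number of categories - 1.
    H0: the observed frequencies follow the expected distribution.
    Reject H0 only when the statistic EXCEEDS the critical value."""
    df = len(observed) - 1
    if df not in CRITICAL_05:
        raise ValueError("only 1..6 degrees of freedom are tabulated in this example")
    stat = chi_square_statistic(observed, expected)
    crit = CRITICAL_05[df]
    decision = "reject H0" if stat > crit else "fail to reject H0"
    return stat, crit, decision


if __name__ == "__main__":
    fair_die = [8, 12, 9, 11, 10, 10]       # 60 rolls, close to the 10 expected per face
    loaded_die = [3, 5, 6, 8, 14, 24]       # 60 rolls, heavily skewed toward six
    expected = [10] * 6
    print(goodness_of_fit(fair_die, expected))     # small statistic -> fail to reject
    print(goodness_of_fit(loaded_die, expected))   # large statistic -> reject
```

The same logic drives a common detection heuristic: compare the observed byte or character frequency of a blob against what plain text should look like, and a statistic far above the critical value flags encrypted or encoded content.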
Structured query language (SQL) and query-by-example (QBE) are heavily used as query tools in which of the following database models?
relational data model
Data warehouse: most common purpose
reporting and analysis
Column-based encryption
requires a different encryption key for each encrypted column
Data steward
responsible for ensuring data governance processes are followed, guidelines enforced, and recommends improvements to data governance processes
rollforward
restores a database from a point in time when it is known to be correct to a later time
rollback
restores database from one point in time to an earlier point in time
Identifying discrepancies between product shipping records and customer sales invoices by line item can affect which of the following accounting information system (AIS) cycles?
revenue to cash cycle
Prior to participating in a bitcoin's initial coin offering (ICO), a potential investor should assess and evaluate which of the following most?
right to recover
right to recover
right to recover the invested money in the event of investment fraud or financial crime is the most important thing to assess and evaluate during an ICO offering
EPM - Act
rolling forecasts
dumpster diving
rummaging through personal trash, a business's trash, or public trash dumps
relational database management system
schema-oriented, which means the structure of the data should be known in advance to ensure that the data adheres to the schema
Which one of the following advanced firewalls is most secure?
screened subnet firewall
Firewalls aka...
secure gateways
All of the following are characteristics of smart contracts
self-verifying, self-enforcing, tamper-proof (NO third-party authorization)
Logistic regression classifiers
sensitive to any input data that is nonlinear or discontinuous
Naive Bayes classifiers
sensitive to any input data that is nonlinear or discontinuous
network intrusion detection system (NIDS) logs
sensors that can detect that an attack was launched against a particular host computer
Custom code injection is an example of
server-based attack
Logistic Regression Algorithms
show relationship between quantitative input and categorical output
Descriptive analytics
show trends
Part to a Whole Chart
shows percent of part in relation to the whole ex. demographics
normalization
simplifies database design to remove redundancy and increase integrity
Last line of defense
software testing (because it is the last step to ensure proper functioning)
Why is understanding the completeness of your data important when choosing a data model?
some models handle missing data poorly
Regarding enterprise performance management (EPM), which of the following cannot facilitate business planning and performance management functions?
spreadsheet software - because the data in the spreadsheet is presented in two dimensions which cannot be updated constantly and automatically due to the limitation of the spreadsheet design principles.
GUI Automation
static response to repetitive actions by aggregating multiple actions into macros that users can invoke at will - does NOT learn from users
skimming
stealing credit card or debit card numbers by capturing the information in a data storage device
pretexting
stealing information by phone by posing as legitimate companies and claiming that you have a problem with your account - type of social engineering
phishing
stealing information through email by posing as legitimate companies and claiming that you have a problem with your account. (online)
Object oriented database
stores data as collection of objects not tables with instructions for how to use the data ex. PDF reader
Database
stores more detailed, transaction oriented data than a data warehouse
Which of the following can act both as a database query tool and an attacker's tool?
structured query language (SQL)
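Added example, not from the original deck: the same SQL first as a query tool and then as an attacker's tool. An in-memory SQLite database with three constructed rows stands in for the application database; the vulnerable lookup concatenates user input into the statement, the safe one passes it as a parameter.

```python
# Added example: SQL as a query tool and as an attacker's tool (SQL injection).
# The users table and its rows are constructed; the hashes are placeholders.
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "h1", "admin"),
        ("bob", "h2", "user"),
        ("carol", "h3", "user"),
    ])
    return conn


def lookup_vulnerable(conn, username):
    """Statement built by string concatenation: whatever the user types becomes SQL."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized statement: the driver sends the value separately from the SQL
    text, so the input can never change the structure of the query."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Two classic injection inputs, constructed for the demonstration.
TAUTOLOGY = "' OR '1'='1"                                        # turns the WHERE clause always-true
UNION_DUMP = "' UNION SELECT username, password_hash FROM users --"  # appends a second SELECT


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "bob"))          # legitimate use: one row
    print(lookup_vulnerable(db, TAUTOLOGY))      # every row comes back
    print(lookup_vulnerable(db, UNION_DUMP))     # password hashes leak via UNION
    print(lookup_safe(db, TAUTOLOGY))            # no user has that literal name: []
```

Python's sqlite3 refuses to run more than one statement per execute() call, so a stacked `'; DROP TABLE users; --` payload fails here, but that driver quirk does nothing against the tautology and UNION attacks above; only parameterization (or an equivalent prepared statement) removes the problem.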
Data compliance
subset of data governance; make sure data practices comply with regulations
Data management
superset of data governance; all aspects of managing data
Decision tree
support predictive queries based on known categories, but can be susceptible to over fitting
Why vulnerability testing before pen testing?
vulnerability assessment provides prioritized list of vulnerabilities that provide pen testers likely attack vectors to exploit
Regarding cyberattacks, which of the following identifies a flaw in hardware, firmware, or software that leaves an information system open to potential exploitation by hackers and others?
vulnerability testing
economies of skill
whether employees are more skilled or less skilled increased skill level means increased quantity of output from given amount of inputs
Regression
y = a + bx + c, where c is the residual: the difference between the observed and estimated outcomes
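Added example, not from the original deck: fitting y = a + bx by ordinary least squares, computing each observation's residual and the coefficient of determination r squared. The data points are constructed; the second set also shows how a single outlier pulls the fitted slope, the sensitivity noted in the regression-limitations card.

```python
# Added example: ordinary least squares for y = a + bx, residuals, and r squared.
# All data points are constructed.


def fit_line(xs, ys):
    """Return (a, b) minimizing the sum of squared residuals."""
    n = len(xs)
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    b = sxy / sxx               # slope
    a = mean_y - b * mean_x     # intercept: the line passes through the means
    return a, b


def residuals(xs, ys, a, b):
    """observed minus estimated, one value per data point (the c in y = a + bx + c)."""
    return [y - (a + b * x) for x, y in zip(xs, ys)]


def r_squared(xs, ys, a, b):
    """Coefficient of determination: share of the variance in y explained by the line."""
    mean_y = sum(ys) / len(ys)
    ss_res = sum(r ** 2 for r in residuals(xs, ys, a, b))
    ss_tot = sum((y - mean_y) ** 2 for y in ys)
    return 1 - ss_res / ss_tot


if __name__ == "__main__":
    xs, ys = [1, 2, 3, 4, 5], [2, 4, 5, 4, 5]
    a, b = fit_line(xs, ys)
    print(a, b, residuals(xs, ys, a, b), r_squared(xs, ys, a, b))
    # one outlier appended: the slope jumps from 0.6 to about 4.06
    print(fit_line(xs + [6], ys + [30]))
```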
From a software vulnerability point of view, which three items go together?
zero day attacks, zero day exploits, zero day incidents (NOT zero day warez)
Unstructured data
Data does not exist in a fixed location and can include text documents, PDFs, voice messages, emails, media files - no discernible structure
Hierarchical database
Data is arranged in a tree structure, with parent records at the top, and a hierarchy of child records in successive layers - does NOT combine multiple tables from multiple sources
Structured data
Data that (1) are typically numeric or categorical; (2) can be organized and formatted in a way that is easy for computers to read, organize, and understand; and (3) can be inserted into a database in a seamless fashion. - repeating groups or records of data all in same format - schema definition limits data value storage formats
Objects
Database elements, such as tables, queries, forms, and reports. - records, blocks, files, programs - passive entity that contains or receives info
screened subnet firewall
- adds an extra layer of security by creating a network where the bastion host resides. - Often called a perimeter network, the screened subnet firewall separates the internal network from the external network. - attacker is restricted to the perimeter (external) network and therefore is not attacking the internal network. This leads to a stronger security. - Conceptually, the screened subnet firewall is similar to a dual-homed gateway firewall, except that an entire network, rather than a single host, is reachable from the outside. It can be used to locate each component of the firewall on a separate system, thereby increasing throughput and flexibility.
AI benefits for accounting and finance information
- allow users to retrieve data easily and quickly, sometimes even using voice commands (instead of loading data into databases then constructing queries) - identify patterns and potentially reduce the incidence of fraud - streamline reporting and data analysis - help the company capture and process unstructured data, such as that from receipts, pdf forms, and external systems such as those of customers, vendors, and the government
spear phishing
- an attack targeting a specific user or group of users that attempts to deceive the user into performing an action that launches an attack. - Examples of these actions include opening a document or clicking a link. - rely on knowing some personal piece of information about their target beforehand, such as a specific event, special interest, specific travel plans, or current issues as a basis for their attacks
confirmatory data analysis
- analysis of data for the purpose of testing hypotheses - follows EDA to provide final conclusions on the patterns
limitations in linear regression analysis
- assessed at the mean of the dependent variable - sensitive to outliers - assumes observations are independent
Phishing attack
- attackers try to trick users into accessing a fake website and divulging personal information. - Social engineering methods are employed
zero day incident
- attacks through previously unknown weaknesses in computer networks - no known software patch
Data analytics - Use
- automate risk management: calculate vulnerability, likelihood of exploitation, and potential impact - manage customer data - fraud detection: correlate past fraud data and map to current activities - data classification NOT a use of data analytics
Examples of RPA in acct and finance dept
- automating the closing process - producing financial statements and other specialized reports
Security alerts
- brief, human-readable technical notifications - tell about current vulnerabilities, exploits, and other security issues - aka advisories, bulletins, and vulnerability notes
Internet firewalls...
- can enforce security policy - can log internet activity - can limit an organization's security exposure (can NOT protect against a virus that is already on a personal computer inside the perimeter)
Firewall logs
- can record events about any traffic that reaches a firewall - commonly log the action taken (accept/drop), source/destination IP (Internet Protocol) addresses and source/destination ports, but not the packet contents
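Because firewall logs carry addresses, ports and the action but not payloads, the detection you can do on them is behavioural: which sources are being dropped, and whether one source is probing many ports. The following is an added example (not part of the original study notes) that parses constructed iptables-style lines and flags sources whose dropped connections touched several distinct destination ports; the log format, field names and threshold are assumptions for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in an iptables-like format; these are not real logs.
SAMPLE_LOG = """\
Jan 12 10:01:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22
Jan 12 10:01:04 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=23
Jan 12 10:01:05 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=445
Jan 12 10:01:06 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51003 DPT=3389
Jan 12 10:01:07 fw kernel: ACCEPT IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=443
Jan 12 10:01:08 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=40001 DPT=53
"""

# Only the header fields are logged: action, addresses, protocol, ports. No payload.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ kernel: (?P<action>ACCEPT|DROP) "
    r".*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict of the logged fields, or None if the line is not a firewall event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def parse_log(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def drops_by_source(records):
    """How many dropped connections each source address generated."""
    return Counter(r["src"] for r in records if r["action"] == "DROP")


def port_scan_candidates(records, min_distinct_ports=3):
    """Sources whose DROPped connections hit at least N distinct destination ports.
    A single host sweeping 22, 23, 445 and 3389 looks like reconnaissance, even
    though the log tells us nothing about what was inside the packets."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "DROP":
            ports[r["src"]].add(r["dpt"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_distinct_ports}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(drops_by_source(recs))
    print(port_scan_candidates(recs))
```

The threshold of three distinct ports is deliberately low so the constructed sample trips it; in production you would tune it against the baseline of your own perimeter and correlate with the IDS/IPS alerts described later in these notes.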
Consortium Blockchain
- consist of members that are approved by other members and agree to protect intellectual property of one another - These blockchains may be considered "partially decentralized".
Challenges of separate systems
- coordination of sales and purchasing. - Purchasing is particularly difficult for a restaurant as most of the inventory is highly perishable, customers demand fresh ingredients, and running out of ingredients is highly undesirable. - With separate systems, it is very difficult for Rachel to identify trends in sales of menu items and apply those trends to purchasing and inventory management.
ERP disadvantages
- costly implementation - depends largely on the skill and willingness of employees who use it - resistance in info sharing across depts - benefits don't usually appear immediately after implementation
SDLC - Design
- create algorithms to satisfy stated problem(s) - most efficient algorithms to address the problem in scope - conceptual and physical
Confidence interval
- deals with sampling risk - measures data reliability
system testing
- derived from requirements specification document - better understood than integration testing - system based on functional knowledge
MongoDB
- designed to support humongous databases - a NoSQL database with document-oriented storage, full index support, replication, and high availability
Public blockchain
- easy access to publicly available data from variety of sources - confidential data could be placed on the blockchain after being encrypted to protect confidentiality - As a substitute for centralized or quasi-centralized trust, public blockchains are secured by cryptoeconomics - the combination of economic incentives and cryptographic verification using mechanisms such as proof of work or proof of stake, following a general principle that the degree to which someone can have an influence in the consensus process is proportional to the quantity of economic resources that they can bring to bear. These blockchains are generally considered to be "fully decentralized".
Enterprise Resource Planning (ERP) Systems - Advantages
- eliminate legacy systems - improve workflow processes - increased access to data bc centralized database - standardized IT infrastructure - visibility of entire organization's operations - integrated financial management throughout organization --> additional control - improved reporting bc of integration - standardized bus. processes --> usually from best practices with automated processes, decreases errors and costs
Cloud computing: accounting efficiencies
- ensure you are always using the latest version, so more efficient updates - eliminates the need for an IT department to constantly install or upgrade applications on individual computers or the network - facilitates communication as it eliminates the need for emailing multiple versions of a spreadsheet or pdf back and forth and keeping track of corrections - makes data instantly available to authorized users, as opposed to waiting for another department to pull and transmit the data
root causes
- fundamental deficiencies or problems that result in a nonconformance, which must be corrected to prevent recurrence - link undesirable events or problems to their sources. - Examples of computer system's performance-related problems include system downtime, website crashes, software glitches, slow response time for online transactions and queries, system outages, and system reboots. - Measuring a problem's root causes involves determining the sources of identified risks (known risks) and understanding the positive and negative impacts of those known risks on other areas of a computer system. - Corrective controls must address and reduce the root causes of problems at their source, not symptoms
Data governance requires initial upper management commitment as an ongoing endeavor which includes
- funding - staffing requirements - authorization (no need for re-authorization later)
Pareto charts
- graphical way of identifying the few critical items from the many less important ones. - 80/20 rule: roughly 80% of problems are due to 20% of the causes - a bar chart with the bars sorted from largest to smallest, usually with a cumulative-percentage line; it is not a pie chart
Data sanitization
- impacts data security and recovery in cloud - removal of sensitive data from a storage device - when storage device is removed from service or moved elsewhere to be stored - when residual data remains upon termination of a service - when back-up copies are made for recovery and restoration of service
AIS adds value to an organization by:
- improving efficiency, sharing knowledge and, improving the internal control structure - providing accurate and timely info to support primary activities - collect, analyze, and present pertinent info for primary functions
Technology for Accounting and Finance Information
- increase speed and accuracy of capturing data into the system (from POs and invoices) - automate processing of accounting data (making producing reports and data queries more accurate)
ERP
- integrate functions to lower operating costs bc decreases redundancy with a single integrated workflow
static code analysis
- is performed in a non-runtime environment: the source code (or binary) is inspected without being executed - attempts to reason about all possible runtime behaviors of the program rather than the one path a given test exercises - done after coding and before executing unit tests - NOT executed while a program is in operation (that is dynamic analysis)
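A concrete way to see what "inspecting code without running it" means is to walk the program's syntax tree and look for dangerous call patterns. The block below is an added example, not code from the original notes: it parses a constructed Python snippet into an AST with the standard library and reports calls to `eval`, `exec` and `pickle.loads`, plus any `subprocess` call made with `shell=True`. The sample program and the list of "dangerous" calls are assumptions chosen for illustration; nothing in the analysed code is executed.

```python
import ast

# Constructed sample program containing a few risky constructs (not from the page).
SAMPLE_SOURCE = '''
import subprocess, pickle

def run(cmd):
    return subprocess.run(cmd, shell=True)

def load(blob):
    return pickle.loads(blob)

def calc(expr):
    return eval(expr)

def safe_run(args):
    return subprocess.run(args, shell=False)
'''

# Callees that deserialize or evaluate attacker-controllable input.
DANGEROUS_CALLS = {"eval", "exec", "pickle.loads", "pickle.load"}


def _call_name(node):
    """Dotted name of the callee, e.g. 'subprocess.run' or 'eval'; None if not simple."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return None


def analyze(source):
    """Static check: parse to an AST, never execute. Returns sorted (line, message)."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in DANGEROUS_CALLS:
            findings.append((node.lineno, f"call to {name}"))
        elif name and name.startswith("subprocess."):
            # shell=True hands the argument string to /bin/sh: command injection risk
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    findings.append((node.lineno, f"{name} with shell=True"))
    return sorted(findings)


if __name__ == "__main__":
    for line, msg in analyze(SAMPLE_SOURCE):
        print(f"line {line}: {msg}")
```

Real static analyzers add data-flow tracking so that `shell=True` with a constant command is rated lower than one built from user input; this checker deliberately reports the pattern alone, which is also why static analysis produces false positives that a reviewer must triage.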
Red team
- lab-based penetration testing - authorized and organized to emulate potential adversary's attack or exploitation capabilities against security posture through penetration testing
Regarding cybersecurity, which of the following is a core part of defense-in-depth strategy?
- layered protections - system partitioning - lines of defense
Initial Coin Offering (ICO): Major risks
- no central bank to trace money flows - no 3rd party custodian holding the virtual currency - no central authority for collecting user info - no easy access to 3rd party business partners
exponential smoothing technique
- part of time series analysis - smoothing constant called alpha with value between 0 and 1 - uses weighted average - high alpha if more weight given to recent data - low alpha if more weight given to past data
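The smoothing recurrence is S_t = alpha * x_t + (1 - alpha) * S_(t-1), and the smoothed value at the end of the series is the forecast for the next period. The following added example (not from the original notes) implements it on a constructed series with a sudden jump so the effect of alpha is visible: a high alpha lets the forecast follow the latest observation, a low alpha keeps it anchored to the past. The series and the choice to seed S_0 with the first observation are assumptions.

```python
def exponential_smoothing(series, alpha, initial=None):
    """Simple exponential smoothing.
    S_t = alpha * x_t + (1 - alpha) * S_{t-1}; returns every S_t.
    The last value is the forecast for the next period."""
    if not 0 < alpha <= 1:
        raise ValueError("alpha must be in (0, 1]")
    s = series[0] if initial is None else initial   # assumption: seed with first value
    smoothed = []
    for x in series:
        s = alpha * x + (1 - alpha) * s
        smoothed.append(s)
    return smoothed


def forecast_next(series, alpha):
    return exponential_smoothing(series, alpha)[-1]


def mean_absolute_deviation(series, alpha):
    """One-step-ahead MAD: the forecast for period t is the smoothed value at t-1."""
    smoothed = exponential_smoothing(series, alpha)
    errors = [abs(x - f) for x, f in zip(series[1:], smoothed[:-1])]
    return sum(errors) / len(errors)


if __name__ == "__main__":
    # Constructed demand series: flat, then a jump in the last period.
    demand = [100, 100, 100, 100, 160]
    for alpha in (0.1, 0.5, 0.9):
        print(alpha, round(forecast_next(demand, alpha), 1),
              round(mean_absolute_deviation(demand, alpha), 1))
```

With the constructed series the forecast after the jump is 106 at alpha 0.1 but 154 at alpha 0.9: the higher the constant, the more weight the most recent data point carries.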
Association rules analysis = market basket analysis
- popular with retailers to increase sales with customer insights - ID products frequently bought together to design better store layouts
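Association rules are usually scored by support (how often items appear together), confidence (how often the consequent appears when the antecedent does) and lift (confidence relative to the consequent's base rate). As an added example that is not part of the original notes, the block below computes these for every frequent pair in a small set of constructed baskets; the basket contents and the thresholds are assumptions chosen so the output is easy to check by hand.

```python
from itertools import combinations

# Constructed sample transactions (not real retail data).
BASKETS = [
    {"bread", "milk"},
    {"bread", "diapers", "beer", "eggs"},
    {"milk", "diapers", "beer", "cola"},
    {"bread", "milk", "diapers", "beer"},
    {"bread", "milk", "diapers", "cola"},
]


def support(itemset, baskets):
    """Fraction of baskets that contain every item in itemset."""
    itemset = frozenset(itemset)
    return sum(1 for b in baskets if itemset <= b) / len(baskets)


def frequent_pairs(baskets, min_support):
    items = sorted(set().union(*baskets))
    pairs = {}
    for pair in combinations(items, 2):
        sup = support(pair, baskets)
        if sup >= min_support:
            pairs[frozenset(pair)] = sup
    return pairs


def rules(baskets, min_support, min_confidence):
    """Rules A -> B over frequent pairs as (antecedent, consequent, support, confidence, lift)."""
    out = []
    for pair, sup in frequent_pairs(baskets, min_support).items():
        a, b = sorted(pair)
        for ante, cons in ((a, b), (b, a)):
            conf = sup / support({ante}, baskets)        # P(cons | ante)
            lift = conf / support({cons}, baskets)       # > 1 means ante raises cons's odds
            if conf >= min_confidence:
                out.append((ante, cons, round(sup, 2), round(conf, 2), round(lift, 2)))
    return sorted(out, key=lambda r: (-r[3], r[0], r[1]))


if __name__ == "__main__":
    for r in rules(BASKETS, min_support=0.6, min_confidence=0.7):
        print("{} -> {}  support={} confidence={} lift={}".format(*r))
```

On the sample data "beer -> diapers" has confidence 1.0 and lift 1.25: every basket with beer also held diapers, and beer buyers are 25% more likely than the average shopper to take diapers, which is the kind of pair a retailer would place near each other.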
Passwords
- private phrases or words that give a particular user unique access to a particular program or network - most common security tool to restrict access to computer systems - single-factor authentication (something you know)
RPA benefits
- reduces error rates as the robot will process the information in the same way each time - streamline the audit process, reducing the need for extensive testing - ensures the quality of the process, as instructions will be followed exactly and in the correct order - ensure that the information provided is current, such as tax rates
Types of Database management systems
- relational DBMS - hierarchical DBMS - object oriented DBMS - OLAP - online analytical processing
Data warehouses
- require long-term, continued investment in budget and resources - require ongoing effort to maintain normal operation, adjust scaling for operational changes, and modify processes as data sources and availability change - require central collection and authority and sufficient budget and IT staff to build and maintain - only contain historical data (not real-time) because loading requires data transformation processing - support periodic analysis of historical data
ERP advantages
- scalability as business grows in complexity over time - improved data quality due to near elimination of duplicate records - fewer delays in producing specialized reports - improve supply chain and inventory management
Database Management System (DBMS)
- should have security controls to prevent unauthorized access
Semi-structured data
- some structure to support parsing but it is informal and extensible ex. XML (Extensible Markup Language), a self describing format
logistic regression
- supports predictive queries (classification) and is less susceptible to overfitting than more flexible models - can also be used for prescriptive analytics
SDLC - Analysis
- system requirements are studied and structured - discover scope of specific problem or group of problems and examine potential solutions - bus. problems explored and potential solutions compared
Root cause analysis
- technique used to identify the conditions that initiate the occurrence of an undesirable activity, state, or an event. - It identifies relevant causes and effects of problems. - Root cause analysis is a part of risk management techniques and can help in improving a computer system's performance. - moves past events to current events to future events.
integration testing is...
- the cutoff point for the development project, and, after integration, it is labeled as the back-end testing - The product is under formal change control after completion of integration testing
Integration testing: approaches
- top down - bottom up - both top down and bottom up (sandwich) - all-at-once (big bang)
From the perspective of upper management of an international manufacturing organization with dozens of subsidiaries, arrange the benefits of implementing an Enterprise Resource Planning (ERP) system in order of value, with the most valuable benefit listed first: A. Comprehensive, real-time reporting B. Reduced financial transaction settlement time C. Lower operational costs D. Operational transparency
1. Comprehensive, real-time reporting 2. Lower operational costs 3. Operational transparency 4. Reduced financial transaction settlement time
Internet-related threats are broken down into three categories:
1. browser-based 2. server-based 3. network-based attacks
EPM business goals are
1. business strategy transparency to all employees 2. improved scalability 3. increased focus on core business
How do AI and machine-learning increase efficiency and effectiveness of accounting and financial tasks?
1. flagging transactions that are not compliant with GAAP or the organization's policies&procedures 2. detect suspicious transactions to reduce fraud risk 3. predictive analytics that will improve overall ROI 4. decision making based on real-time data insights
COSO Enterprise Risk Management (ERM) Framework: Components (8)
1. internal environment 2. objective setting 3. event identification 4. risk assessment 5. risk response 6. control activities 7. information and communication 8. monitoring
PDF files are useful for
1. providing reports in standard format for human consumption 2. to be parsed with special tools to extract text and match images for order history analysis
AICPA Trust Services Principles categorizes IT controls and risks into five categories:
1. security 2. confidentiality 3. processing integrity 4. availability 5. privacy
COSO Enterprise Risk Management Framework: Objectives
1. strategic 2. operations 3. reporting 4. compliance
What is the correct sequence of application software testing in a system development project?
1. unit test 2. integration test 3. systems test 4. acceptance test
systems testing order
1. unit testing 2. integration testing 3. system testing
Why is integration testing difficult to understand?
1. variety of approaches to conducting integration testing 2. no base document with specifications for testing
ERP for a growing business
1. will need more financing as looks to expand with more locations 1b. ERP enables the efficient creation of specialized reports to show potential investors 2. will integrate the separate business functions more effectively by linking accounting, payroll, HR, inventory mgmt, purchasing and scheduling information 2b. reduce the time needed to manually convert data into spreadsheets to generate reports for analysis 2c. eliminates duplicate information which enhances data quality 3. better integrate financial and nonfinancial systems to track patterns and perform effective analysis to improve the business 4. enhances collaboration and communication with external vendors and customers to improve the supply chain 5. saves considerable time and effort converting reports from variety of systems and maintaining separate legacy Excel spreadsheets
The formula for calculating the standard error of the estimate is: SQRT(SSE ÷ (N − 2)), where SSE is the sum of squared errors. If SSE = 163.44 for a dataset of 100 samples, what is the standard error of the estimate for this dataset, rounded to the nearest thousandth (i.e., 3 decimal places), and does this value indicate that the model is accurate?
SQRT(163.44 ÷ (100 − 2)) = SQRT(163.44 ÷ 98) = SQRT(1.6678) ≈ 1.291. Without knowing what the underlying data is, we cannot tell if a standard error of this magnitude is big or small (it is in the units of the dependent variable), so it is not possible to determine from the number alone whether the model is accurate.
cloud computing
A system in which computer programs and data are stored on central servers owned by a provider (e.g. Google) and accessed over the network - decreases an organization's own investment in fault tolerance and recovery capabilities - virtualization provides the ability to easily replicate processing and data among multiple locations - cloud recovery models rely on cloned copies of data easily accessed at multiple data centers - dynamic provisioning scales cost to customer demand - NOT a secondary site for an on-premises data center --> replaces the on-premises data center - core to cloud computing success is virtualization, which runs multiple virtual machines on shared hardware
Accounting Information System (AIS)
A system that collects, records, stores, and processes data to produce information for decision makers. It includes people, procedures and instructions, data, software, information technology infrastructure, and internal controls and security measures. - can aggregate functionality and data - inputs and outputs provide ability for organizations to link their value chains - supporting activity in the value chain bc AIS an integral part of technology
Intrusion Prevention System (IPS)
A technology that monitors activity like an IDS but will automatically take proactive preventative action if it detects unacceptable activity - responds to suspicious traffic
Blockchain
A type of distributed ledger technology consisting of data structure blocks that may contain data or programs, with each block holding batches of individual transactions and the results of any executables. Each block contains a time stamp and a link to a previous block. - good audit trail bc tamper resistant and tamper evident
What is the primary difference between a pen test and a vulnerability assessment?
A vulnerability assessment attempts to only identify vulnerabilities that exist in a system, while a pen test attempts to exploit vulnerabilities.
Since enterprise resource planning (ERP) systems provide integrated enterprise activity management, how can artificial intelligence (AI) and machine learning help to add more value to ERP?
AI and machine learning can aid in automating processes and supporting real-time decision-making.
What single characteristic makes artificial intelligence (AI) different from other technology advances?
AI gives programs the ability to learn without having to be reprogrammed with new rules
What implications and applications are most important for the integration of artificial intelligence (AI) over the internal audit and examination processes?
AI will be a part of the data analysis, reporting, and review process for all sorts of information across industry lines and geographic boundaries.
Effective controls during the application software-testing activities in a system development project include which of the following?
Activity logs, incident reports, and software versioning
Integration Testing
After unit testing, integration testing is done to see that the modules communicate the necessary data between and among themselves and that all modules work together smoothly. - check how software units interact with other software and hardware - test interfaces among separately tested program units
How do application designers validate that their solution aligns with, and solves, the stated problem?
Aligning application design documents with business process analysis documents to ensure the design solves the stated problems and satisfies business requirements (NOT testing)
Solid Retirement Plans, Inc. (SRPI), recently acquired a smaller competitor, Grow Your Money (GYM). SRPI recently passed a complete security evaluation and included an independent attestation of security readiness in its annual report. SRPI stockholders are concerned that GYM's information systems may not be as secure as SRPI's information systems, and could pose a security risk. What recommendations would you make to SRPI to provide assurance to its stockholders that GYM's information system security controls are just as effective as SRPI's information system security controls?
Conduct a security control gap analysis between SRPI and GYM, followed by a pen test of GYM with the same scope used for the SRPI pen test.
confidence interval formula
Confidence interval = Point estimate +/- Precision
What is the best description and summarization of how blockchain technology will change the auditing process, specifically the confirmations that occur during an integrated audit?
Confirmations will be changed and virtually eliminated by the utilization of blockchain technology since this information is available in real time and is already secured via the platform. - blockchain will eliminate need for confirmations
Which of the following would best describe a Pentest (Penetration Test)?
Contract with an external company to essentially gain access to potentially high-valued systems within your company.
TireMax Distributors provides over 250 retail automobile tire stores with products. Its order fulfillment software takes orders and manages the process of shipping products to each store. The software creates PDF files for each order to accompany the physical products. How can TireMax derive value from unstructured PDF files?
Create standard report output and carry out text/image extraction for frequency analysis
Staying Healthy, Inc. (SHI), is an online health services broker that helps members find healthy activities near them that help them to qualify for health insurance premium discounts and perks. SHI uses member data to recommend events and activities, but is careful to avoid violating its members' privacy. One technique to maintain privacy is to reduce the granularity of identifying data, such as classifying members as residing in an area consisting of several postal codes, instead of identifying a single postal code. In which phase of the data life cycle would SHI members be associated with a larger physical area to reduce privacy leakage?
data synthesis
Which phase of the data life cycle presents the most governance and compliance challenges?
data usage
XYZ Tire Distributors engaged Advance Consulting to carry out a data governance gap analysis and provide the results to XYZ's upper management. During Advance's executive presentation of the analysis results, consultants reported that the current IT infrastructure was insufficient to satisfy data availability for continuous business operation. Which of the following recommendations would Advance Consulting likely make to best address this gap?
database replication
A ----- is designed to optimize transaction processing, while a ----- best supports reporting and analysis queries.
database; data warehouse
Prospective analysis
deals with assumptions, actions, and responses that relate to future events. - This analysis projects current events into future events with the ability to handle future events based on current information and events. - However, prospective analysis cannot help in improving a computer system's performance.
Discrete data analysis
deals with whole numbers (integers)
Which of the following data visualization tools is used in evaluating capital investment decisions?
decision tree
data retention policy
defines when and how stored data is removed from data repositories
What is the most important step when developing a predictive analytics model to ensure that the model provides actionable results?
defining business objectives
Threat reports
describe tactics, techniques, and procedures; actors; types of systems and info being targeted; other info for situational awareness
Systems Development Life Cycle (SDLC)
planning, analysis, design (conceptual and physical), implementation + conversion, operations and maintenance
File integrity checking software logs
detect changes to important files by computing a checksum or cryptographic hash of each file and comparing it with a stored baseline; any change to the contents changes the value, so edits that leave the file size unchanged are still detected
prescriptive analytics
determine what inputs needed in order to achieve desired output - what if analysis and goal seeking - like determine what meds needed to get better
SDLC - Implementation + Conversion
develop initial proof of concept solution and determine best fit solution - writing software most timely - converting legacy and external data to conform to new data repository formats at end of this phase --> installing and configuring software and data repositories; conducting unit tests during software writing
HD Aircraft manufactures airplane engines. One of its latest turbine models, the EG-1000, recently failed in-flight while the airplane it was powering was 20 miles off the Southern California coast. The engine failure resulted in a catastrophic event in which the engine departed the airplane and dropped into the sea. The aircraft crew was able to maintain control and make an emergency landing at a coastal airport. Since the physical engine was lost, HD Aircraft turned to its data analysts to help determine the possible cause of the failure. They downloaded engine performance data from the airplane and compared it to their testing datasets to identify failure characteristics. What type of analytics are these analysts using?
diagnostic
sum of squared errors
difference between data and the model's prediction
variability
different ways in which a Big Data dataset may be interpreted
Application software logs
documents changes that occurred to a specific application software
Regarding cyberattacks, identity thieves can get personal information through which of the following means?
dumpster diving phishing skimming pretexting
Economic Principles
economies of technology economies of scope economies of scale economies of skill
What impact does implementing enterprise performance management (EPM) have on how legacy spreadsheets are used to track performance?
eliminates, or at least augments, legacy spreadsheets
Defense in depth
employ multiple layers of controls in order to avoid having a single point of failure - an information security strategy integrating people, technology, and operations capabilities to establish variable barriers
IT role in ERP
enabler, challenger, and facilitator (NOT inhibitor)
Transparent Data Encryption (TDE)
encrypts entire database with a single key
formal change control
every software change must have a specific reason, must be documented and tracked
Data governance
exercise of decision-making and authority for data related matters - empowers organization to protect high data quality standards throughout data's life cycle - people, processes, and IT required for consistent and proper handling of data across the business
Information
expanded related data beyond the facts ex. recognize your friend and the Eiffel Tower
Spend analysis is conducted in which of the following accounting information system (AIS) cycles?
expenditures cycle
Suppose Dana Sunderson works as a data analyst for Ellen Votemein, who is running for a state office. Ms. Votemein has asked Ms. Sunderson to take statewide voter demographic information and predict whether any voter will vote for one of two political parties (and which one), or will not vote for either party. The model should also provide information on which features would most likely influence a voter to vote for Ms. Votemein, without being concerned about model overfitting. Ms. Sunderson is using a voter dataset with 34 features for each record. Which analytic model is she likely to select in order to provide the requested results?
logistic regression
Larger input domain mapped to more limited output options =
lose precision and granularity
ABC Manufacturing realized that current operations were not in compliance with several regulations, including the European Union's GDPR. Governance, Risk, and Compliance (GRC) consultants recommend that ABC implement a new Enterprise Resource Planning (ERP) system. In what way can an ERP system best help ABC Manufacturing address its concerns?
lower cost of compliance
desired standard error of estimate
lowest = most reliable and valid dataset
After considering the Mean Absolute Deviation and Mean Square Error values from the table shown here and after computing the forecast error, which of the following models is accurate and fits the sales data?
lowest MAD and lowest MSE and y-variable closest to actual (aka lowest forecast error)
confidence level with highest tolerable error and narrowest confidence interval?
lowest confidence level, i.e. 90% if options are 90, 95, 98, and 99%
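The confidence interval card above (point estimate +/- precision) and this one fit together: precision is the critical value times the standard error, so raising the confidence level widens the interval and lowering it narrows it. The block below is an added example, not from the original notes, that computes two-sided intervals for a sample mean at the four levels in the question using the normal approximation; the sample mean, standard deviation and size are constructed values.

```python
import math
from statistics import NormalDist


def z_for(level):
    """Two-sided critical z for a confidence level, e.g. 0.95 -> 1.96."""
    return NormalDist().inv_cdf((1 + level) / 2)


def confidence_interval(point_estimate, std_dev, n, level):
    """Point estimate +/- precision, with precision = z * s / sqrt(n).
    Assumes a large enough sample for the normal approximation."""
    precision = z_for(level) * std_dev / math.sqrt(n)
    return point_estimate - precision, point_estimate + precision


def interval_widths(point_estimate, std_dev, n, levels=(0.90, 0.95, 0.98, 0.99)):
    """Width of the interval at each confidence level; widths grow with the level."""
    widths = {}
    for level in levels:
        lo, hi = confidence_interval(point_estimate, std_dev, n, level)
        widths[level] = round(hi - lo, 3)
    return widths


if __name__ == "__main__":
    # Constructed sample: mean 50, standard deviation 10, n = 100.
    for level, width in interval_widths(50, 10, 100).items():
        lo, hi = confidence_interval(50, 10, 100, level)
        print(f"{level:.0%}: ({lo:.2f}, {hi:.2f}) width {width}")
```

At 90% the interval is about 3.3 units wide, at 99% about 5.2: the 90% level tolerates the most error (10% chance the true value lies outside) and in exchange gives the narrowest interval, which is why it is the answer to the question above.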
Enterprise Resource Planning (ERP) systems can implement which of the following technologies to increase the efficiency and effectiveness of accounting and financial tasks?
machine learning & artificial intelligence
Supervised learning algorithms
machine learning techniques to determine how input maps to output values
Unsupervised learning algorithms
machine learning techniques to help describe structure of unlabeled data
insight
make interpretations beyond knowledge ex. understanding what your friend wants to do next
PHI requirements
make mining health data more challenging
knowledge
maps info to the real-world and associates meaning ex. your friend is in Paris
EPM - Plan
market and financial projections
EPM - Check
metrics and KPIs
Which of the following models would be the most reliable in increasing sales for the WMT Retail Corporation?
model with the highest coefficient of determination (r square)
forecast error
model y-variable minus actual y-variable
Reliable Cash Flow (RCF) is a service organization that helps its customers manage their billing and receipts. RCF's IT staff aggressively updates their main customer and billing management application, AccuPay, to take advantage of the latest features and stay up to date with security patches. To get updates as soon as they are released, RCF maintains a Platinum support agreement with AccuPay's application provider. RCF is considering switching to AccuPay's new SaaS offering. Which SaaS advantage would likely be the most beneficial to RCF?
more efficient software upgrades
Sports Clothing, Inc. (SCI) recently installed automated conveyor systems in its primary warehouse. It now has over 2 miles of conveyors that run from loading docks, to storage bins, and then to shipping docks. These conveyors are automatically managed by robotic components to ensure that products are automatically routed from incoming trucks to intermediate storage bins, and then to outbound shipments as needed. In what way is SCI likely to see accounting data processing efficiency increase due to this type of robotics?
more timely transfer of ownership to recipients
Regarding cyberattacks, pharming attacks are an example of which of the following?
network based attack
Which of the following challenges are most likely to occur in common data mining projects to degrade output quality?
noisy and incomplete data
What term refers to iteratively decomposing database table design into its simplest form
normalization
nontrivial linear regression
not all data points lie on exactly a single line; r square < 100
Valuation modeling enables an organization to
obtain near-accurate valuations based on historical data and industry trends
ABC Manufacturing has decided to develop a new application that interfaces with its enterprise resource planning (ERP) system. This new software will allow customers to design and order custom products that the ABC's automated manufacturing line will produce without any human interaction. ABC's CIO raises concerns about security and privacy, both in the context of ABC's intellectual property and customer private data. At which phase in the systems development life cycle (SDLC) should the CIO's security concerns first be addressed?
systems analysis
Relational Database
table format, which is easy to relate to, visualize, understand, and work with)
Hash functions
take variable-length data input and output a fixed-length result, which is used as evidence to represent the original data - if the hashes of two messages are identical, one can reasonably assume the two messages are identical (a cryptographic hash makes finding two different inputs with the same output infeasible)
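The blockchain card earlier (each block holds a timestamp, a batch of transactions and a link to the previous block, which makes the ledger tamper-evident) and this hash-function card describe one mechanism: the "link" is the previous block's hash, and a block's own hash covers that link, so changing any past transaction changes a hash that every later block depends on. The following is an added example, not code from the original notes or any real blockchain: a minimal SHA-256 hash chain with a verifier that reports the first block whose hash or link no longer matches. The transaction format, fixed timestamps and genesis values are assumptions.

```python
import hashlib
import json
import time


def sha256_hex(data: bytes) -> str:
    """Fixed-length digest of arbitrary-length input."""
    return hashlib.sha256(data).hexdigest()


def block_hash(block):
    """Hash the block's fields in a canonical (sorted-key JSON) encoding, so any
    change to the index, timestamp, transactions or link changes the digest."""
    body = {k: block[k] for k in ("index", "timestamp", "transactions", "prev_hash")}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


def make_block(index, transactions, prev_hash, timestamp=None):
    block = {
        "index": index,
        "timestamp": time.time() if timestamp is None else timestamp,
        "transactions": transactions,
        "prev_hash": prev_hash,        # the link to the previous block
    }
    block["hash"] = block_hash(block)
    return block


def build_chain(batches):
    """Genesis block followed by one block per batch of transactions.
    Fixed timestamps (assumption) keep the example deterministic."""
    chain = [make_block(0, [], "0" * 64, timestamp=0)]
    for i, txs in enumerate(batches, start=1):
        chain.append(make_block(i, txs, chain[-1]["hash"], timestamp=i))
    return chain


def verify_chain(chain):
    """Return (True, None) if every block's hash is correct and every link matches;
    otherwise (False, index of the first block that fails)."""
    for i, block in enumerate(chain):
        if block["hash"] != block_hash(block):
            return False, i                       # contents edited without rehashing
        if i > 0 and block["prev_hash"] != chain[i - 1]["hash"]:
            return False, i                       # predecessor changed: link broken
    return True, None


if __name__ == "__main__":
    # Constructed transactions.
    chain = build_chain([[{"from": "a", "to": "b", "amt": 5}],
                         [{"from": "b", "to": "c", "amt": 2}]])
    print(verify_chain(chain))
    chain[1]["transactions"][0]["amt"] = 500   # tamper with history
    print(verify_chain(chain))
```

Note what the verifier does not provide: an attacker who rewrites block 1 and then recomputes every hash from block 1 onward produces a chain that verifies. That is why a public blockchain couples the hash chain with consensus (proof of work or proof of stake, as the public-blockchain card says), so that rewriting history also costs the economic resources needed to redo that work.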
Data lake
takes a "store everything" approach to big data, saving all the data in its raw and unaltered form
Software Development Life Cycle - Development
teams actually construct the code for the software
Threat indicators
technical artifacts or objects that indicate threat may have already occurred, may be in progress, or an attack is about to happen
Audit team
tests internal controls
data mining
the application of statistical techniques to find patterns and relationships among data for classification and prediction
operations and maintenance phase of SDLC
the phase in which the organization addresses all ongoing operations issues, including adding and authorizing users after the initial installation process
Cross over error rate (in biometrics)
the point where the false rejection rate (FRR, genuine users wrongly denied) equals the false acceptance rate (FAR, impostors wrongly admitted) as the matching threshold is varied - goal is a low crossover error rate because it represents high accuracy
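FAR and FRR move in opposite directions as the match threshold changes, so the crossover is found by sweeping thresholds and locating where the two rates meet. The block below is an added example, not from the original notes, using constructed match scores for a hypothetical matcher (higher score means a closer match); the score lists and the 0 to 100 threshold range are assumptions.

```python
# Constructed match scores (0..100) for a hypothetical biometric matcher; not real data.
GENUINE = [92, 88, 85, 81, 79, 76, 74, 70, 66, 60]      # same-person comparisons
IMPOSTOR = [15, 22, 28, 33, 38, 44, 50, 57, 63, 68]     # different-person comparisons


def far(impostor_scores, threshold):
    """False acceptance rate: impostors whose score reaches the threshold."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False rejection rate: genuine users whose score falls below the threshold."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def error_table(genuine_scores, impostor_scores, thresholds=range(0, 101)):
    """(threshold, FAR, FRR) for every candidate threshold."""
    return [(t, far(impostor_scores, t), frr(genuine_scores, t)) for t in thresholds]


def crossover(genuine_scores, impostor_scores):
    """Lowest threshold at which |FAR - FRR| is smallest, and the CER there.
    Ties are broken toward the lower threshold (assumption)."""
    t, f, r = min(error_table(genuine_scores, impostor_scores),
                  key=lambda row: (abs(row[1] - row[2]), row[0]))
    return t, (f + r) / 2


if __name__ == "__main__":
    for t, f, r in error_table(GENUINE, IMPOSTOR, range(50, 81, 5)):
        print(f"threshold {t:3d}: FAR={f:.1f} FRR={r:.1f}")
    print("crossover:", crossover(GENUINE, IMPOSTOR))
```

On the sample scores the rates meet at a threshold of 64 with a CER of 0.1; lowering the threshold toward 50 admits more impostors (FAR rises to 0.4) while raising it toward 80 locks out more genuine users (FRR rises to 0.6). A system that needs to favour security over convenience would sit to the right of the crossover, accepting the higher FRR.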
AIS impact is influenced by
the quality of accounting info the AIS manages (accuracy and completeness)
Software Development Life Cycle - Testing
the software code will be tested for vulnerabilities and defects. - also User acceptance testing (UAT)
Cloud computing
the use of tools such as software and applications, data storage, servers, networking, and databases over the Internet, instead of using individual hard drives or local storage devices
Threat Tactics
to understand behavior of threat actors (i.e. hackers)
Blockchain general goal it handles well:
transferring ownership for items of value
Which testing is best understood by system developers and end users?
unit (aka module) testing
Big Idea Distributing (BID) provides shipping and warehousing for over 900 customers in 43 states. BID's executives committed to implementing the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework two years ago to better manage their operations, financial reporting, and compliance goals. After completing the implementation and full auditing cycle, BID executives are disappointed with the results and why some of BID's objectives are not being met, in spite of the enormous investment in COSO. A COSO review revealed that the COSO implementation was carried out well and results are consistent with COSO objectives. What is the most likely reason for the executives' disappointment?
unrealistic expectations (COSO's goal is reasonable assurance not absolute assurance)
Corporate Performance Management solution
used mainly to manage and monitor performance based on return on investment, key performance indicators (KPIs), and operational costs
Time Series Analysis
useful to predict capacity or network traffic on a particular day, like a holiday
Phishing attack is which kind of cyber attack
user based attack
Continuous Data analysis
uses fractional values (not whole numbers)
Which of the following is created after automating the accounting and finance functions?
value chain
Standard error of estimate
variation of an observation from the regression line
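Several of the regression cards in this set (sum of squared errors, forecast error, MAD and MSE, r², the standard error of the estimate and its worked question) are all computed from the same residuals. The block below is an added example, not from the original notes: it fits a line by ordinary least squares to a constructed dataset and then computes every one of those quantities from the fitted values, and it also reproduces the worked question's SQRT(SSE ÷ (N − 2)) for SSE = 163.44 and N = 100. The x and y values are constructed.

```python
import math

# Constructed sample: advertising spend (x) vs. sales (y); not real data.
X = [1, 2, 3, 4, 5, 6, 7, 8]
Y = [2.1, 3.9, 6.2, 7.8, 10.1, 12.2, 13.8, 16.1]


def fit_ols(x, y):
    """Ordinary least squares for y = b0 + b1 * x. Returns (intercept, slope)."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    slope = sxy / sxx
    return my - slope * mx, slope


def predict(model, x):
    b0, b1 = model
    return [b0 + b1 * a for a in x]


def forecast_errors(pred, actual):
    """Model y-variable minus actual y-variable, one per observation."""
    return [p - a for p, a in zip(pred, actual)]


def sse(pred, actual):
    """Sum of squared errors between the model's predictions and the data."""
    return sum(e * e for e in forecast_errors(pred, actual))


def mad(pred, actual):
    """Mean absolute deviation of the forecast errors."""
    return sum(abs(e) for e in forecast_errors(pred, actual)) / len(actual)


def mse(pred, actual):
    return sse(pred, actual) / len(actual)


def standard_error_of_estimate(sse_value, n):
    """SQRT(SSE / (N - 2)): typical distance of an observation from the line,
    in the units of y. N - 2 because the line uses two estimated parameters."""
    return math.sqrt(sse_value / (n - 2))


def r_squared(pred, actual):
    """Share of the variation in y explained by the line; < 1 whenever the
    points do not all lie exactly on it (the nontrivial case)."""
    my = sum(actual) / len(actual)
    sst = sum((a - my) ** 2 for a in actual)
    return 1 - sse(pred, actual) / sst


if __name__ == "__main__":
    model = fit_ols(X, Y)
    yhat = predict(model, X)
    print("intercept, slope:", [round(v, 4) for v in model])
    print("SSE:", round(sse(yhat, Y), 4), "MAD:", round(mad(yhat, Y), 4),
          "MSE:", round(mse(yhat, Y), 4), "r^2:", round(r_squared(yhat, Y), 4))
    print("std error of estimate:", round(standard_error_of_estimate(sse(yhat, Y), len(Y)), 4))
    print("worked question:", round(standard_error_of_estimate(163.44, 100), 3))
```

Two properties worth checking when comparing candidate models, as the MAD/MSE card does: the OLS residuals sum to zero by construction, so a model is not "better" just because its forecast errors cancel; MAD and MSE are what distinguish a tight fit from a loose one, and the standard error of the estimate is only interpretable against the scale of y.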
Which of the Big Data Four Vs refers to the complexity of data, including both structured and unstructured data?
variety
Big Data 4 Vs
velocity, variety, variability, volume
Radar Chart
visual method to show size of gaps in a number of areas ex. budget: current vs previous ex. current performance vs ideal (expected) performance