ACC340 Final Exam
Input Controls
"Garbage-in Garbage-out" Threats are data that is invalid, unauthorized, incomplete, or inaccurate. Controls are forms design, cancellation and storage of documents, authorization and segregation of duties controls, visual scanning, and data entry controls. Forms Design- all forms should be sequentially prenumbered to verify whether or not there are missing documents. Use turnaround documents to eliminate input errors. Cancellation and Storage- source docs entered into the system should be cancelled so they cannot be reentered into the system. Original source docs should be stored for as long as necessary. Cancellation does NOT mean disposal. Data Entry Controls: supplement visual scans with automated controls, including: -field check: characters proper type? text, integer, date, etc. -sign check: proper arithmetic sign? -limit check: input checked against a fixed value? -range check: input within low and high range value? -size check: input fits within field? -completeness check: have all required data been entered? -validity check: input compared with master data to confirm existence. -reasonableness check: logical comparisons. -check digit verification: computer from input value to catch typo errors. -prompting: input requested by the system. -close-loop verification: uses input data to retrieve and display related data.
Factors Influencing Encryption Strength
- Key length: the number of bits in the key. Longer keys mean more possible keys to try and therefore stronger encryption against brute force; 256-bit keys (32 bytes) are common for symmetric algorithms such as AES. -Encryption algorithm: the manner in which the key and plaintext are combined to create ciphertext. The algorithm's strength should not depend on it being secret (Kerckhoffs's principle); well-tested public algorithms are better. Don't make up your own; use a well-known one whose strength has been proven by public analysis. -Policies concerning encryption/cryptographic keys: keys must be stored securely with strong access controls. Don't put them in a browser or anywhere users of the system can read them, and protect the key store with a strong, long passphrase.
Privacy Concerns
- SPAM: unsolicited email that contains either advertising or offensive content. The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM, 2003) creates criminal and civil penalties for spamming. Senders must display their identity, use a subject line that identifies the message as an ad, include a link in the body that lets the recipient opt out of future email, include a valid postal address in the body, and must not send email to randomly generated addresses or run sites that harvest email addresses. -Identity theft: the unauthorized use of someone's personal information for the perpetrator's benefit. Companies hold customers' personal information and thus must control it. -Payment Card Industry Data Security Standard (PCI DSS): helps organizations that handle cardholder information protect it. Provides a framework for developing a payment card security process, including preventive, detective, and corrective controls.
Management's Role in IS Security
-Create a security-aware culture -Inventory and value the company's information resources -Assess risk, select a risk response -Develop and communicate security plans, policies, and procedures -Acquire and deploy IT security resources -Monitor and evaluate effectiveness
Security Approaches
-Defense-in-depth: multiple layers of controls (preventive, detective, and corrective) to avoid a single point of failure, e.g., firewalls plus passwords and biometrics. -Time-based model: security is effective if P > D + C, where P is the time it takes an attacker to break through the preventive controls, D is the time it takes to detect an attack in progress, and C is the time it takes to respond to the attack and take corrective action. Meant to protect information during an attack: it buys time to recognize and stop the attack before information is lost.
Monitoring
-Evaluate the internal control framework -Effective supervision -Responsibility accounting systems (management accounting system) -Monitor system activities (security) -Track purchased software and mobile devices -Conduct continuous and periodic audits -Employ a security officer and a compliance officer -Engage forensic specialists -Install fraud detection software -Implement a fraud hotline: the most effective detective control for finding fraud!
Privacy Regulatory Acts
-Health Insurance Portability and Accountability Act (HIPAA) -Health Information Technology for Economic and Clinical Health Act (HITECH) -Financial Services Modernization Act (Gramm-Leach-Bliley Act)
Risk Assessment- ERM Model Component
-Identify Risk (likelihood, positive/negative impact, individual/category, effect on organizational units, and inherent/residual) -Types of risk: Inherent is risk that exists before any plans are made to control it. Residual is risk after controls are in place to reduce it. Assess inherent risk, develop a response, then assess residual risk.
Minimizing the Risk of System Downtime
-Preventive maintenance: cleaning and proper storage. -Fault tolerance: the ability of a system to continue operating if a component fails, achieved through redundant components. Many organizations use Redundant Arrays of Independent Drives (RAID) instead of a single disk drive, so that if one drive fails, data can still be read from another. -Data center location/design: minimize the risk of natural and human-created disasters: raised floors, fire detection/suppression, air conditioning, cables that are difficult to unplug accidentally, surge protectors, an Uninterruptible Power Supply (UPS) that uses battery power to let the system back up critical data and shut down cleanly during a prolonged power outage, and physical access controls. -Training: trained employees are less likely to make mistakes and know how to recover, with minimal damage, from the errors they do commit. -Patch management: fix vulnerabilities in a timely manner; also install, run, and keep current antivirus and anti-spyware programs.
Risk Response- ERM Model Component
-Reduce (implement internal controls) -Accept (do nothing and accept the likelihood and impact of the risk) -Share (buy insurance, outsource, hedge) -Avoid (do not engage in the activity that produces the risk). Event/Risk/Response Model: 1. identify threats 2. estimate the likelihood of occurrence 3. estimate the impact of the threats 4. identify controls 5. estimate the costs and benefits of instituting controls 6. Is it cost-beneficial to protect the system from the threat? If no, avoid, share, or accept the risk. If yes, reduce the risk by implementing controls to guard against the threat. Either way, start over from the beginning. Expected loss = impact x likelihood. The value of a control procedure is the difference between the expected loss without the control procedure and the expected loss with it; the control is cost-beneficial when that difference exceeds its cost.
Types of Encryption
-Symmetric: one key is used to both encrypt and decrypt. Pro: fast. Cons: a separate key is needed for every pair of parties who wish to communicate, a secure way to share the secret key with the other party must be found, and the shared key could be lost or stolen. Used most for encrypting large amounts of information. -Asymmetric: a different key is used to encrypt than to decrypt. The public key is widely distributed; the private key is secret and known only to its owner. Whichever key encrypts, the other decrypts. Pros: very secure, anyone can use your public key to communicate with you, no need to store a key for every party you communicate with, and it can create legally binding digital signatures. Cons: very slow, and it requires a PKI to validate ownership of public keys. Primarily used for creating digital signatures and for securely exchanging symmetric keys. -Hybrid solution: use symmetric encryption for the information itself, and asymmetric encryption to encrypt the symmetric key that is sent along with it (e.g., by email) so the recipient can decrypt. If keys are lost, the encrypted information cannot be recovered. Prevent this with encryption software that has a built-in master key, or with key escrow, which makes copies of all encryption keys and stores them securely. If a key is stolen in a symmetric system, everything encrypted with it is exposed. In an asymmetric system it only matters if the private key is stolen: the thief can then read messages sent to you, impersonate you, and create digital signatures in your name.
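The hybrid solution described above, as an added example that is not from the notes or the textbook: Go's standard library is used to encrypt a payload with a fresh 256-bit AES-GCM session key, wrap that key with the recipient's RSA public key (OAEP), and sign the ciphertext with the sender's private key (RSA-PSS). The main function also shows the two failure cases the notes mention: someone who is not the intended recipient cannot unwrap the session key, and a message signed with a different private key is rejected. The 2048-bit key size, the party names and the payload are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what travels over the untrusted channel (the email in the notes):
// the bulk data encrypted symmetrically, the symmetric key encrypted to the
// recipient's public key, and the sender's digital signature over the ciphertext.
type Envelope struct {
	WrappedKey []byte // AES session key encrypted with RSA-OAEP under the recipient's public key
	Nonce      []byte // AES-GCM nonce, unique per message
	Ciphertext []byte // AES-GCM output, which includes the authentication tag
	Signature  []byte // RSA-PSS over SHA-256(nonce || ciphertext) made with the sender's private key
}

// GenerateKeyPair creates an asymmetric pair; the private half must never leave its owner.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048) // key size is an assumption for the example
}

// digest binds nonce and ciphertext together so neither can be swapped unnoticed.
func digest(nonce, ct []byte) []byte {
	h := sha256.New()
	h.Write(nonce)
	h.Write(ct)
	return h.Sum(nil)
}

// HybridEncrypt uses symmetric encryption for the payload (fast), asymmetric
// encryption for the session key (no shared secret needed in advance), and a
// signature so the recipient can verify who sent it.
func HybridEncrypt(recipient *rsa.PublicKey, sender *rsa.PrivateKey, plaintext []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32) // fresh 256-bit AES key for this message only
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest(nonce, ct), nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, nonce, ct, sig}, nil
}

// HybridDecrypt verifies the signature first, then unwraps the session key with the
// recipient's private key and decrypts the payload.
func HybridDecrypt(recipient *rsa.PrivateKey, sender *rsa.PublicKey, env *Envelope) ([]byte, error) {
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest(env.Nonce, env.Ciphertext), env.Signature, nil); err != nil {
		return nil, errors.New("signature does not verify: sender cannot be authenticated")
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap session key: not the intended recipient")
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext was altered or the wrong key was unwrapped")
	}
	return pt, nil
}

func main() {
	alice, _ := GenerateKeyPair()   // sender
	bob, _ := GenerateKeyPair()     // intended recipient
	mallory, _ := GenerateKeyPair() // holds neither of the private keys above
	env, _ := HybridEncrypt(&bob.PublicKey, alice, []byte("Q3 payroll file")) // constructed payload
	pt, err := HybridDecrypt(bob, &alice.PublicKey, env)
	fmt.Printf("bob reads %q (err=%v)\n", pt, err)
	_, err = HybridDecrypt(mallory, &alice.PublicKey, env)
	fmt.Println("mallory as recipient:", err)
	forged, _ := HybridEncrypt(&bob.PublicKey, mallory, []byte("pay vendor now"))
	_, err = HybridDecrypt(bob, &alice.PublicKey, forged)
	fmt.Println("signed with the wrong private key:", err)
}
```

Note what the third case shows about the stolen-private-key point in the notes: the check only helps because Bob trusts a specific public key as Alice's (the PKI role). If Alice's private key were stolen, Mallory's forgery would verify, which is why key escrow copies must be protected as carefully as the originals.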
Benefits of Databases
-data integration: master files pooled together; available to many application programs. -data sharing -minimal redundancies and inconsistencies -data independence: because data and the programs using it are separate, either can be changed on its own without affecting the other. -cross-functional analysis: look for associations and relationships. Prep management reports with it, etc. -reporting flexibility -central management of data
Database Design Process
-Systems analysis: planning to determine the need for and feasibility of developing a new system. -Conceptual design: developing the different schemas (conceptual, external, and internal) for the new system. -Physical design: translating the internal-level schema into the actual database structures that will be implemented in the new system. New applications are developed here too. -Implementation and conversion: transferring data from previous systems to the new database AIS, testing the new system, and training employees on how to use it. -Operation and maintenance: using the system. Eventually, as needs change, the process starts all over again. Data modeling is the process of defining an information system so that it represents an organization's requirements. It occurs during the first two stages of the design process, systems analysis and conceptual design. The two types of data models are entity-relationship diagrams (ERDs) and REA data models.
Control Frameworks
1. COBIT- Control Objectives for Information and Related Technology. IT control framework (preventive focus). COBIT 5 is the version these notes cover (since superseded by COBIT 2019). Based on five principles: -meeting stakeholder needs -covering the enterprise end-to-end -applying a single, integrated framework -enabling a holistic approach -separating governance from management. Governance evaluates business needs and management feedback, directs management, and monitors management performance. Management plans (APO), builds (BAI), runs (DSS), and monitors (MEA), and gives feedback to governance. APO = align, plan, organize; BAI = build, acquire, implement; DSS = deliver, service, support; MEA = monitor, evaluate, assess. 2. COSO- Committee of Sponsoring Organizations. Enterprise internal controls (control-based approach). Broad: any company in any industry. Internal Control-Integrated Framework (IC-IF). 2013 is the current version, updated from the original 1992 framework. Five components: control environment, control activities, risk assessment, information and communication, monitoring. 3. COSO-ERM- expands the COSO framework by taking a risk-based approach rather than just a control-based approach. Extends the existing IC-IF to incorporate enterprise risk management: IC-IF + objective setting, event identification, and risk response. Basic principles of ERM: -companies are formed to add value for their owners -management must decide how much uncertainty it will accept while creating value -uncertainty = risk, something negative happening -uncertainty = opportunity, something positive happening -the ERM framework can manage uncertainty while creating and preserving value. The model is a cube: the top face holds the objectives management must meet to achieve its goals, the right face holds the company's units, and the front face holds the 8 interrelated risk and control components of ERM. 3D! Objectives are strategic, operational, reporting, and compliance; all four apply. Components: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, monitoring. Basically add 3 to the IC model.
4. SOX- The law does not require COSO specifically; it requires the use of an internal control framework, and most companies use COSO.
Steps in an IS System Attack
1. Conduct reconnaissance- collect information and look for vulnerabilities. 2. Attempt social engineering- trick an employee into granting access. Spear phishing is one technique: emails that appear to come from someone the victim knows. Another is USB drives dropped in a parking lot. 3. Scan and map the target- identify potential points of remote entry. 4. Research- find information about the programs on the computers that could serve as points of remote entry. Look for vulnerabilities and how to take advantage of them. 5. Execute the attack- use a vulnerability to gain unauthorized access to the system. 6. Cover tracks- create "back doors" into the system, in case the initial method of entry is discovered and blocked by new controls.
Basic Requirements of a Relational Database
1. Every column in a row must be single valued- every cell can have one and only one value. Use linking tables to solve this problem. 2. The primary key cannot be null- it uniquely identifies a specific row in the table, so it cannot be null and it must be unique for every record. This is the entity integrity rule. 3. A foreign key must either be null or correspond to the value of a primary key in another table-this is the referential integrity rule. 4. All non-key attributes in a table should describe a characteristic of the object identified by the primary key. This produces a well-structured (normalized) database in which data are consistent and redundancy is minimized/controlled. In a normalized database, attributes appear multiple times only when they function as foreign keys. The referential integrity rule ensures there will be no update anomaly problem with foreign keys. These tables are also free of the insert anomaly, since it is easy to just add a new row in the individual tables. They are free of the delete anomaly as well. There are two basic ways to design well-structured relational databases: 1. Normalization- begin with one large table and decompose into several tables that satisfy the above four conditions (called third normal form- 3NF). 2. Semantic data modeling (chs 17&18). These graphically model a business' resources, events, and agents, then construct a set of relational tables.
Rules for Creating an Integrated REA Diagram
1. Every event must be linked to at least one resource. 2. Every event must be linked to two agents who participate in it. 3. Every event that involves the disposition of a resource must be linked to an event that involves the acquisition of a resource. 4. Every resource must be linked to at least one event that increments that resource and at least one event that decrements that resource. 5. If event A can be linked to more than one other event, but cannot be linked simultaneously to all of the other events, the REA diagram should show that event A is linked to a minimum of 0 of each of those other events. 6. If an event can be linked to any one of a set of agents, but cannot be simultaneously linked to all of those agents, the REA diagram should show that the event is linked to a minimum of 0 of each of those agents.
Steps in Securing Intellectual Property
1. Identification and classification- where is the information and who has access to it? Classify the value of the information. Classification must be done by the information owners, not information security professionals, because the owners know what the information is used for. 2. Encryption- the process of obscuring information to make it unreadable without special knowledge, key files, or passwords. Not foolproof; must be supplemented by other controls. 3. Controlling access- information rights management (IRM): control who can read, write, copy, delete, or download information. Supplements authentication and authorization controls. Data loss prevention (DLP) software works like an antivirus program in reverse: it blocks outgoing messages that contain information the organization wants to protect. Should be supplemented by a digital watermark, which identifies when confidential information has been disclosed. 4. Training- most important! Employees need to know what can and cannot be read, written, copied, deleted, or downloaded. All of these contribute to the preservation of confidentiality and privacy, two elements (pillars) of the Trust Services Framework.
Developing an REA Diagram
1. Identify the events about which management wants to collect information. There are always at least two, representing the give-to-get economic exchange in the transaction cycle: the give event reduces a resource and the get event increases a resource. There are usually other events management is interested in planning, controlling, and monitoring, and these should be included as well. Typical activities in the revenue cycle are take customer order, fill order, bill customer, and collect payment. Even though AR is an asset in financial reporting, it doesn't go in the REA model because it's just the difference between sales and cash collections; the information to calculate it is already there. Likewise, events that only enter or repackage data (such as billing) don't go in the model: they aren't primary value-chain activities. What is modeled is the business events and the facts management wants to collect about them, not the data entry process. So the revenue cycle would show only take order, sale (fill order), and receive cash. 2. Identify the resources affected by each event and the agents who participate in those events: -what resource is reduced by a give event? -what resource is acquired by a get event? -what resource is affected by a commitment event? In the revenue cycle these are inventory and cash. Also identify the participating agents: always at least one internal agent (employee), and usually one external agent (customer/supplier) as well. In the revenue cycle these are employee and customer. 3. Determine the cardinalities of each relationship. Cardinalities describe the nature of the relationship between entities: how many instances of one entity can be linked to each specific instance of another entity. The minimum can be 0 (optional) or 1 (mandatory); the maximum can be 1 or many. The choice of cardinalities isn't arbitrary; it reflects facts about the organization obtained during the requirements definition stage of the database design process.
0 to 1 = each instance of entity A may or may not be linked to an instance of entity B, but can be linked to at most one instance of B. 1 to 1 = each instance of A must be linked to an instance of B, and can be linked to at most one instance of B. 0 to many = each instance of A may or may not be linked to instances of B, and can be linked to more than one instance of B. 1 to many = each instance of A must be linked to at least one instance of B, and can be linked to many instances of B.
Three Types of Relationships (with cardinalities)
1. One-to-one- the maximum cardinality for each entity is 1 (1:1). Between sale and cash receipt this means exactly one payment per sale: no installment payments. 2. One-to-many- the maximum cardinality of one entity in the relationship is 1 and the maximum for the other is many (1:N). Allows installment payments (one sale, many receipts). 3. Many-to-many- the maximum cardinality for both entities in the relationship is many (M:N). Allows installment payments and also one receipt covering several sales. Least constrained.
Alternatives for Storing Data
1. Store it all in one uniform table. Example: instead of distinct tables for students and classes, one table with a separate row for each student-class combination. One student would need several rows: lots of redundancy. -Updating an attribute (e.g., a student's address) means changing it in every row, and missing one leaves inconsistent data. This is the update anomaly. -A new student or class cannot be added until it is matched with a class or student respectively, or the record is left partially blank. This is the insert anomaly. -If a student withdrew from all their classes, the last row holding that student's data would be deleted and the information about the student lost. This is the delete anomaly. 2. Store each student in one row and create many columns to accommodate each class they're taking. Lots of problems with this too: how many classes should the table allow for? You might have to allow for a lot of classes, and you need more information than just the course number for each one. Wasted space for students taking fewer than the maximum number of classes. You would also have to search multiple columns for simple things, like finding every student taking one class. 3. Solution: a relational database. Each entity is stored in a separate table, and the entities are linked by linking tables and foreign keys.
According to the Trust Services Framework, the reliability principle of integrity is achieved when the system produces data that a. is complete, accurate, and valid. b. is available for operation and use at times set forth by agreement. c. is protected against unauthorized physical and logical access. d. can be maintained as required without affecting system availability, security, and integrity.
A
Concerning virtual private networks (VPN), which of the following is not true? a. It is more expensive to reconfigure VPNs to include new sites than it is to add or remove the corresponding physical connections in a privately owned network. b. Using VPN software to encrypt information while it is in transit over the Internet in effect creates private communication channels, often referred to as tunnels, which are accessible only to those parties possessing the appropriate encryption and decryption keys. c. The cost of the VPN software is much less than the cost of leasing or buying the infrastructure (telephone lines, satellite links, communications equipment, etc.) needed to create a privately owned secure communications network. d. VPNs provide the functionality of a privately owned network using the Internet.
A
It was 9:08 A.M. when Jiao Jan, the Network Administrator for Folding Squid Technologies, was informed that the intrusion detection system had identified an ongoing attempt to breach network security. By the time that Jiao had identified and blocked the attack, the hacker had accessed and downloaded several files from the company's server. Using the notation for the time-based model of security, in this case a. D > P b. P > C c. C > P d. P > D
A
One of the objectives of the segregation of duties is to a. make sure that different people handle different parts of the same transaction. b. make sure that different people handle different transactions. c. ensure that no collusion will occur. d. achieve an optimal division of labor for efficient operations.
A
The Director of Information Technology for the city of Bumpkiss, Minnesota, formed a company to sell computer supplies and software. All purchases made on behalf of the City were made from his company. He was later charged with fraud for overcharging the City, but was not convicted. The control issue in this case arose because the Director had both ________ and ________ duties. a. recording; authorization b. custody; recording c. management; custody d. custody; authorization
A
The process that uses automated tools to identify whether a system possesses any well-known security problems is known as a(n) a. vulnerability scan. b. penetration test. c. intrusion detection system. d. log analysis.
A
Which is probably the most immediate and significant effect of database technology on accounting? a. quicker access to and greater use of accounting information in decision-making b. change in the nature of financial reporting c. elimination of traditional records such as journals and ledgers d. replacement of the double entry-system
A
Which table is most likely to have a concatenated key? Select one: a. customer-sales b. sales c. accounts receivable d. customer
A
Relational Databases
A DBMS is characterized by a logical data model, an abstract representation of the database contents. Most DBMSs are relational, based on the relational model developed by E.F. Codd in 1970. The relational data model represents conceptual- and external-level schemas as if the data were stored in two-dimensional tables, as in Microsoft Access. The data aren't really stored as tables; their actual storage is described by the internal-level schema. Each row is called a tuple (rhymes with couple) and contains information about a specific item in the table. The columns hold attributes. A primary key is an attribute, or combination of attributes, that uniquely identifies a specific row in the table; when two or more attributes are joined for this purpose it is called a concatenated key. A foreign key is an attribute in one table that is the primary key of a different table, used to link the two. The other, non-key attributes hold the remaining information about the entity.
Payroll Cycle REA Diagram
Agents: employee (supervisor), employees, employee (cashier). Events: time worked, disburse cash. Resources: employee time, cash. Relationships between events and agents are almost always 1:N, with 1 on the agent side, since each event has to be linked to a specific employee, and a minimum of 0 on the event side to accommodate storing data about new employees before they begin work, and because the event entities are empty at the beginning of each new fiscal year. The employee time box represents the resource acquired by the time worked event. It cannot be stored, so the necessary information about employee time is included in the time worked entity, which is all the company cares about. Employee time is almost never implemented in the actual database (shown with dotted lines around it).
Using an REA Diagram to Create a Relational Database
Advantages: ensures the elimination of the update, insert, and delete anomalies. Steps: 1. Create a table for each distinct entity in the diagram and for each many-to-many relationship 2. Assign attributes to appropriate tables. Identify primary keys. For M:N relationships the primary key consists of two attributes that represent the primary keys of each entity linked in that relationship (linking tables). Identify the remaining attributes for the table. 3. Use foreign keys to implement one-to-one and one-to-many relationships. 4. Tables are linked by either a linking table OR a foreign key, but not both.
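An added example (not from the notes or the textbook) that carries the steps above, the integrated-REA rules, and the relational-database requirements through in code: a Go program that takes an REA diagram as data (entities with primary keys, relationships with cardinalities) and derives the relational schema, creating a linking table with a concatenated primary key for each M:N relationship and placing a foreign key on the many side of each 1:N relationship, so no relationship is implemented by both. It also rejects a diagram in which an event lacks a resource or two agents. The revenue-cycle diagram with installment payments, the attribute names and the convention used for placing the foreign key in a 1:1 relationship are assumptions made for the example.

```go
package main

import "fmt"

const Many = -1 // maximum cardinality "N"

type Kind int

const (Resource Kind = iota; Event; Agent)

// Entity is one box on the REA diagram. Card is a (min, max) pair; as in the notes,
// the pair written next to entity B in an A-B relationship (CardB) says how many B
// instances one A instance links to. Relationship attributes survive only for M:N.
type Entity struct{ Name string; Kind Kind; PK string; Attrs []string }
type Card struct{ Min, Max int }
type Relationship struct{ A, B string; CardA, CardB Card; Attrs []string }
type Column struct{ Name string; PK bool; FK string } // FK names the referenced table, "" if none
type Table struct{ Name string; Columns []Column }

func addFK(t *Table, col, ref string) { t.Columns = append(t.Columns, Column{Name: col, FK: ref}) }

// BuildSchema applies the steps in the notes: a table per entity and per M:N
// relationship, a concatenated primary key for each linking table, and a foreign key
// on the many side of each 1:N relationship, so no relationship gets both. It also
// enforces the integrated-REA rule that every event links to a resource and two agents.
func BuildSchema(ents []Entity, rels []Relationship) (map[string]*Table, error) {
	kinds, tables := map[string]Kind{}, map[string]*Table{}
	for _, e := range ents {
		kinds[e.Name] = e.Kind
		t := &Table{Name: e.Name, Columns: []Column{{Name: e.PK, PK: true}}}
		for _, a := range e.Attrs {
			t.Columns = append(t.Columns, Column{Name: a})
		}
		tables[e.Name] = t
	}
	pkOf := func(name string) string { return tables[name].Columns[0].Name }
	resLinks, agentLinks := map[string]int{}, map[string]int{}
	for _, r := range rels {
		if tables[r.A] == nil || tables[r.B] == nil {
			return nil, fmt.Errorf("relationship %s-%s names an unknown entity", r.A, r.B)
		}
		for _, p := range [][2]string{{r.A, r.B}, {r.B, r.A}} { // count each event's links
			if kinds[p[0]] == Event && kinds[p[1]] == Resource { resLinks[p[0]]++ }
			if kinds[p[0]] == Event && kinds[p[1]] == Agent { agentLinks[p[0]]++ }
		}
		switch {
		case r.CardA.Max == Many && r.CardB.Max == Many: // M:N: linking table, concatenated key
			t := &Table{Name: r.A + "_" + r.B, Columns: []Column{
				{Name: pkOf(r.A), PK: true, FK: r.A}, {Name: pkOf(r.B), PK: true, FK: r.B}}}
			for _, a := range r.Attrs {
				t.Columns = append(t.Columns, Column{Name: a})
			}
			tables[t.Name] = t
		case r.CardB.Max == Many: // one A, many B: each B row points at its single A
			addFK(tables[r.B], pkOf(r.A), r.A)
		case r.CardA.Max == Many: // many A, one B
			addFK(tables[r.A], pkOf(r.B), r.B)
		case r.CardB.Min == 1 && r.CardA.Min == 0: // 1:1 where A cannot exist without B (assumption)
			addFK(tables[r.A], pkOf(r.B), r.B)
		default: // remaining 1:1 cases: convention for this example, the key goes in B
			addFK(tables[r.B], pkOf(r.A), r.A)
		}
	}
	for _, e := range ents {
		if e.Kind == Event && (resLinks[e.Name] < 1 || agentLinks[e.Name] < 2) {
			return nil, fmt.Errorf("event %s must link to at least 1 resource and 2 agents", e.Name)
		}
	}
	return tables, nil
}

// Constructed revenue-cycle diagram from the notes: Sale and CashReceipt events,
// Inventory and Cash resources, Employee and Customer agents, installments allowed.
var revenueEntities = []Entity{
	{"Inventory", Resource, "item_id", []string{"description", "qty_on_hand"}},
	{"Cash", Resource, "account_no", []string{"balance"}},
	{"Sale", Event, "sale_no", []string{"sale_date"}},
	{"CashReceipt", Event, "receipt_no", []string{"receipt_date", "amount"}},
	{"Employee", Agent, "emp_id", []string{"emp_name"}},
	{"Customer", Agent, "cust_id", []string{"cust_name", "credit_limit"}},
}
var one, zeroMany = Card{1, 1}, Card{0, Many}
var revenueRels = []Relationship{
	{"Sale", "Inventory", zeroMany, Card{1, Many}, []string{"qty_sold", "price"}}, // M:N
	{"Sale", "Customer", zeroMany, one, nil}, {"Sale", "Employee", zeroMany, one, nil},
	{"Sale", "CashReceipt", one, zeroMany, nil}, // one sale, zero to many receipts (1:N)
	{"CashReceipt", "Cash", zeroMany, one, nil},
	{"CashReceipt", "Customer", zeroMany, one, nil}, {"CashReceipt", "Employee", zeroMany, one, nil},
}

func main() {
	tables, err := BuildSchema(revenueEntities, revenueRels)
	if err != nil {
		fmt.Println("diagram rejected:", err)
		return
	}
	for name, t := range tables {
		fmt.Printf("%s: %+v\n", name, t.Columns)
	}
}
```

Running it yields seven tables: six entity tables plus Sale_Inventory with the concatenated key (sale_no, item_id); CashReceipt carries four foreign keys (sale_no, account_no, cust_id, emp_id), which is what makes installment payments representable without repeating any sale data, so the update, insert and delete anomalies from the notes cannot arise.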
Quick Recovery and Resumption of Normal Operations
An organization's backup procedures, DRP, and BCP reflect management's answers to two questions: 1. How much data are we willing to reenter from source documents or lose? The answer determines the organization's Recovery Point Objective (RPO): the maximum amount of data it is willing to reenter or lose. The smaller the RPO, the more frequent backups must be. 2. How long can the organization function without its information system? The answer determines the organization's Recovery Time Objective (RTO): the maximum tolerable time to restore an IS after a disaster, i.e., how long the organization is willing to function without the system. The desired RTO drives the DRP and BCP. Real-time mirroring maintains two copies of the database at two separate data centers and updates both in real time. It creates resiliency for companies with an RPO and RTO close to 0, such as airlines and financial institutions. Backups deal with the case where information isn't available due to hardware failure, software problems, or human error, but the IS is still working. A full backup is an exact copy of the entire database. It is time-consuming, so most organizations do weekly full backups and daily partial backups. Types of daily partial backups: -incremental = copy only the data that changed since the last backup of any kind. Quicker to back up, longer to restore: restore the last full backup, then each incremental backup taken since it, in order. -differential = copy only the data that changed since the last full backup. Longer to back up, quicker to restore: restore the last full backup, then only the latest differential backup. Multiple copies should be created. It is important to test backups! Backups are kept only short-term; archives are retained indefinitely. Archives are typically not encrypted (the keys may not be available years later), so physical and logical access controls must protect them. Don't forget to back up and archive important emails.
Disaster Recovery Plan (DRP): procedures to restore an organization's IT function in the event that its data center is destroyed by a natural disaster or an act of terrorism. Mitigates more serious problems than backups deal with. -Cold site: an empty building that is prewired for the necessary telephone/internet access, plus a contract with at least one vendor to provide all necessary equipment within a specified time period. Appropriate for organizations with an RTO of a day or more. -Hot site: a facility that is not only prewired for telephone/internet access but also contains all the computing and office equipment the organization needs to perform its essential business activities. Good for an RTO of hours. With both cold and hot sites, the site provider sometimes oversells its capacity, assuming that not many clients will need the site at once, which is usually true. If a large natural disaster affects many businesses, however, too many may need the site at the same time, leaving some companies without a recovery site. -Second data center: used for backup and site mirroring. Good for a very short RTO. Business Continuity Plan (BCP): how to resume not only IT operations but all business processes. Deals with more serious problems than a backup does. Includes relocating to new offices and hiring temporary replacements. DRPs and BCPs need to be well documented, and the documentation should be stored both on-site and off-site. Remember to test and revise them periodically. Virtualization and cloud computing can significantly reduce the RTO for hardware problems. Cloud computing can cause problems if the cloud provider goes out of business: it could be difficult or impossible to get back any data that was stored in the cloud.
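An added example (not from the notes or the textbook) of the backup and RPO points above: a Go simulation of five days of file changes with a full backup on day 0 and a partial backup each following day, run under both policies. It shows why incremental backups copy less but need every set since the full to restore, why differential backups copy more but restore from only two sets, and that with daily backups a failure before the day's backup loses that day's changes whatever the policy. The file versions are constructed sample data; deletions are not modelled.

```go
package main

import "fmt"

// Snapshot maps file name -> version as of the end of a day (constructed data).
// A changed version means the file was modified that day; deletions are not modelled.
type Snapshot map[string]int

type Policy int

const (
	Incremental  Policy = iota // copy what changed since the last backup of any kind
	Differential               // copy what changed since the last full backup
)

// BackupSet is one backup run: Full holds every file, a partial holds the selection.
type BackupSet struct {
	Day   int
	Full  bool
	Files Snapshot
}

func clone(s Snapshot) Snapshot {
	out := Snapshot{}
	for f, v := range s {
		out[f] = v
	}
	return out
}

// changedSince returns the files in cur whose version differs from base.
func changedSince(cur, base Snapshot) Snapshot {
	out := Snapshot{}
	for f, v := range cur {
		if base[f] != v {
			out[f] = v
		}
	}
	return out
}

// RunSchedule takes daily snapshots (index = day) and produces a full backup on day 0
// followed by one partial backup per day under the chosen policy.
func RunSchedule(days []Snapshot, p Policy) []BackupSet {
	sets := []BackupSet{{Day: 0, Full: true, Files: clone(days[0])}}
	base := days[0] // differential: always the last full; incremental: the last backup
	for d := 1; d < len(days); d++ {
		sets = append(sets, BackupSet{Day: d, Files: changedSince(days[d], base)})
		if p == Incremental {
			base = days[d]
		}
	}
	return sets
}

// Restore rebuilds the data as of the latest backup and reports which sets were read:
// incremental needs the full plus every partial since it (slower restore), differential
// needs the full plus only the most recent partial (faster restore).
func Restore(sets []BackupSet, p Policy) (Snapshot, []int) {
	state := clone(sets[0].Files) // sets[0] is the full backup
	used := []int{sets[0].Day}
	partials := sets[1:]
	if p == Differential && len(partials) > 0 {
		partials = partials[len(partials)-1:]
	}
	for _, s := range partials {
		for f, v := range s.Files {
			state[f] = v
		}
		used = append(used, s.Day)
	}
	return state, used
}

// FilesCopied totals the files written by the partial backups (the backup-time cost).
func FilesCopied(sets []BackupSet) int {
	n := 0
	for _, s := range sets[1:] {
		n += len(s.Files)
	}
	return n
}

// Unrecoverable shows the recovery point objective: with one backup per day, a
// failure on failDay before that day's backup loses everything changed since the
// previous day's backup, whatever the policy.
func Unrecoverable(days []Snapshot, failDay int) Snapshot {
	return changedSince(days[failDay], days[failDay-1])
}

// sampleDays is constructed: file a changes on days 1 and 4, b on day 2, c on day 3.
func sampleDays() []Snapshot {
	return []Snapshot{
		{"a": 1, "b": 1, "c": 1, "d": 1},
		{"a": 2, "b": 1, "c": 1, "d": 1},
		{"a": 2, "b": 2, "c": 1, "d": 1},
		{"a": 2, "b": 2, "c": 2, "d": 1},
		{"a": 3, "b": 2, "c": 2, "d": 1},
	}
}

func main() {
	days := sampleDays()
	for _, p := range []Policy{Incremental, Differential} {
		sets := RunSchedule(days[:4], p)
		_, used := Restore(sets, p)
		fmt.Printf("policy %d: partials copied %d files, restore reads sets from days %v\n", p, FilesCopied(sets), used)
	}
	fmt.Println("lost if the disk dies on day 4 before that day's backup:", Unrecoverable(days, 4))
}
```

Both policies restore the same day-3 state; they differ only in the trade-off the notes describe (3 files copied and 4 sets read for incremental, 6 files copied and 2 sets read for differential). Shrinking the RPO below a day means running the schedule more often, not choosing a different policy.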
Business Intelligence
Analyzing large amts of data for strategic decision making. Two techniques: -Online Analytical Processing (OLAP): using queries to investigate hypothesized relationships in the data -Data mining: using statistical analysis to discover unhypothesized relationships in the data.
Why is Control Needed?
Any potential adverse occurrence or unwanted event that could be injurious to either the AIS or the organization is a threat (event). The potential dollar loss from that threat if it were to come to fruition is the exposure (impact). The probability that the threat will happen is the likelihood.
Creating an empty table in a relational database requires use of the ________, and populating that table requires the use of ________. a. DDL; DQL b. DDL; DML c. DML; DDA d. DQL; SQL
B
Information technology managers are often in a bind when a new exploit is discovered in the wild. They can respond by updating the affected software or hardware with new code provided by the manufacturer, which runs the risk that a flaw in the update will break the system. Or they can wait until the new code has been extensively tested, but that runs the risk that they will be compromised by the exploit during the testing period. Dealing with these issues is referred to as a. change management. b. patch management. c. defense in depth. d. hardening.
B
Jeff Davis took a call from a client. "Jeff, I need to interact online and real time with our affiliate in India, and I want to make sure that our communications aren't intercepted. What do you suggest?" Jeff responded "The best solution will be to implement a. multifactor authentication. b. a virtual private network. c. a private cloud environment. d. an asymmetric encryption system with digital signatures.
B
The "get" event represents an activity which a. includes a promise to engage in future economic exchanges. b. increases the organization's stock of an economic resource. c. reduces the organization's stock of a resource that has economic value. d. none of the above
B
The audit committee of the board of directors a. does all of the above. b. provides a check and balance on management. c. is usually chaired by the CFO. d. conducts testing of controls on behalf of the external auditors.
B
This network access control determines which IP packets are allowed entry to a network and which are dropped. a. Static packet filtering b. Access control list c. Deep packet inspection d. Stateful packet filtering
B
Which attribute below is not an aspect of the COSO ERM Framework internal environment? a. Holding employees accountable for achieving objectives b. Restricting access to assets c. Enforcing a written code of conduct d. Avoiding unrealistic expectations
B
Which of the following data entry controls would not be useful if you are recording the checkout of library books by members? a. Prompting b. Sequence check c. Concurrent update control d. Validity check
B
Which of the following describes one weakness of encryption? a. Encryption provides for both authentication and non-repudiation. b. Encrypted packets cannot be examined by a firewall. c. Encryption protects the privacy of information during transmission. d. Encryption protects the confidentiality of information while in storage.
B
Which of the following is not a violation of the Sarbanes-Oxley Act (SOX)? The management at Folding Squid Technologies a. asked their auditors to make recommendations for the redesign of their information technology system and to aid in the implementation process. b. hired the manager from the external audit team as company CFO twelve months after the manager had worked on the audit. c. did not mention to auditors that the company had experienced significant losses due to fraud during the past year. d. selected the company's Chief Financial Officer to chair the audit committee.
B
In an integrated REA diagram, every agent must be linked to Select one: a. at least two events. b. at least two resources. c. at least one event. d. at least one resource.
C
Which of the statements below is incorrect? Select one: a. Semantic data modeling facilitates communicating with the intended users of the system. b. Semantic data modeling follows the rules of normalization in the design of a database. c. Semantic data modeling facilitates the efficient design of databases. d. Semantic data modeling allows a database designer to use knowledge about business processes to design the database.
B
________ enables a system to continue functioning in the event that a particular component fails. a. An incremental backup procedure b. Fault tolerance c. Preventive maintenance d. A concurrent update control
B
Batch Input Controls
Batch processing is inputting multiple source docs at once in a group. Use a sequence check, since batch processing works best if the transactions are already sorted in the same sequence as the records in the master file. An error log identifies data input errors and facilitates timely review and resubmission of transactions that cannot be processed. Batch totals compare input totals to output totals. -financial total: sums a field that contains monetary values. -hash total: sums a nonfinancial numeric field. -record count: the number of records in a batch.
In developing policies related to personal information about customers, Folding Squid Technologies adhered to the Trust Services framework. The standard applicable to these policies is a. confidentiality. b. availability. c. privacy. d. security.
C
An electronic document that certifies the identity of the owner of a particular public key. a. Digital signature b. Asymmetric encryption c. Digital certificate d. Public key
C
Error logs and review are an example of a. processing controls. b. output controls. c. data entry controls. d. data transmission controls.
C
In which stage(s) of the database design process does data modeling occur? a. only in the systems analysis stage b. only in the design stage c. in both the systems analysis and design stages d. neither the systems analysis nor the design stages
C
The accounting department at Synergy Hydroelectric records an average of 12,500 transactions per hour. By cost-benefit analysis, managers have concluded that the maximum acceptable loss of data in the event of a system failure is 25,000 transactions. If the firm's recovery time objective is 120 minutes, then the worst case recovery time objective is a. 3 hours b. 1 hour c. 4 hours d. 2 hours
C
The delete anomaly a. restricts the addition of new records. b. prevents users from deleting outdated data from records or tables. c. may result in unintentional loss of important data. d. is usually easily detected by users.
C
When comparing REA diagrams used to design an AIS with a traditionally designed AIS, Select one: a. queries are used to input data into the AIS. b. an REA designed AIS cannot recreate a traditional journal. c. similar information is present as in a traditional AIS, but stored in a different format. d. traditional AIS information, such as journals and ledgers no longer exist.
C
Types of Controls- Corrective
COBIT 5 -Computer incident response teams (CIRTs) -Chief Information Security Officer (CISO) (independent responsibility for information security assigned to someone at an appropriate senior level) -Patch mgmt (fix unknown vulnerabilities by installing the latest updates- security programs, operating systems, application programs) For the CIRT, recognize that a prob exists, contain it, recover, and follow up. For the patch mgmt, an exploit is a program designed to take advantage of a vulnerability in the system. Important to test patches before implementing them entirely; sometimes they cause unexpected side effects. Use an IPS to buy more time to test patches- if the IPS is updated it can respond to new vulnerabilities and block new exploits while they are testing patches. A little safer in the meantime, basically.
Types of Controls- Detective
COBIT 5 -Log analysis (examining logs to identify evidence of possible attacks) -Intrusion detection systems (sensors and a central monitoring unit that create logs of network traffic that was permitted to pass the firewall and then analyze those logs for signs of attempted or successful intrusions) -Penetration testing -Continuous monitoring -Managerial reports -Security testing For log analysis think abt failed attempts to access the system. For intrusion detection systems it only produces a warning- up to a human to decide what action to take. An IPS on the other hand automatically stops the attack and issues an alert. For penetration testing, know that it is an authorized attempt by an auditing team or external security consulting firm to break into an organization's info system. For continuous monitoring, monitor employee compliance with information security policies as well as the overall performance of the business processes.
Types of Controls- Preventative
COBIT 5 -People (security awareness culture, training) -Processes (user access controls- authentication and authorization) -IT solutions (anti-malware, network access controls-firewalls, intrusion prevention systems, etc., device and software hardening controls- configuration options, encryption) -Physical access controls (locks, guards, etc.) -Change controls and change management For the people, creating a security-aware culture is the most important, and is a tone set at the top w/mgmt. Training to follow safe computing practices is necessary-never open unsolicited email attachments, use only approved software, do not share passwords, physically protect laptops/cellphones. Protect against social engineering- don't give away info to people who call or email them pretending to be a part of the organization. Don't allow piggybacking-people following them through secured entrances. For the processes, authentication verifies who a person is (something they know or have, like a password or access card, some biometric characteristic, or a combo of all three, which is known as multifactor authentication. Multimodal is multiple credentials of the same type). Authorization determines what they can access. Authorization controls might be implemented with an access control matrix. System matches the employee's authorization credentials against the access control matrix to determine whether the employee should be allowed to access that resource and perform the requested action. For the IT solutions, antimalware controls and network access controls (perimeter defense). Border routers connect an organization's info system to the internet. Firewalls are software or hardware used to filter info. Exist behind the border router. Border routers and firewalls use access control lists to determine what to do with arriving packets. This is called packet filtering. Deep packet inspection is more detailed filtering.
Demilitarized Zone (DMZ) is a separate network permitting controlled access from the internet to selected resources. Intrusion Prevention Systems (IPS) monitor patterns in the traffic flow, rather than only looking at individual packets, to identify and automatically block attacks. More for the IT solutions- device and software hardening (internal defense) involves end-point configuration (disabling unnecessary features that may be vulnerable to attack on servers, printers, and workstations)- this is hardening, user acct mgmt (separate accts for administrative duties and day-to-day work), and software design (programmers must be trained to treat all input from external users as untrustworthy and carefully check it before performing further actions). Encryption protects data in transit and data at rest. For the physical security access controls, limit entry to the building and restrict access to the network and data. For the change controls and change mgmt, formal processes in place regarding changes made to hardware, software, or processes.
Control/Internal Environment-ERM model component
Company culture. Influences how organizations establish strategies and objectives and identify, assess, and respond to risk. -Mgmt's philosophy, operating style, and risk appetite (amt of risk willing to accept). -board of directors -commitment to integrity, ethical values, and competence -organizational structure (centralization/decentralization, direct or matrix reporting relationships, etc.) -methods of assigning authority/responsibility (policy and procedures manual). -HR standards (attract, develop, and retain competent individuals. Background check). -external influences (FASB, PCAOB, SEC).
Hashing
Converts info in plaintext into a "hashed" code of fixed length. Any size input yields the same size output. This cannot be converted back to the text. If any change is made to the info, the hash code will change, thus enabling verification of info.
Batch totals are an example of a(n) a. data transmission control. b. output control. c. processing control. d. data entry control.
D
Chelsana Washington is a medical equipment sales representative. Her company has provided her with a laptop computer that uses wireless connectivity to access the accounting information system from virtually anywhere in the country. She, and the other sales reps, have access to view customer and product information. They have access that allows them to enter and cancel customer orders. The permissions for the sales reps define a(an) ________ in the company's database management system. a. data dictionary b. conceptual-level schema c. physical view d. external-level schema
D
Integrating separate REA diagrams developed for individual transaction cycles into a single, comprehensive enterprise-wide data model a. is possible. b. requires understanding what the cardinalities in each separate diagram reveal about the organization's business policies and activities. c. provides a single comprehensive enterprise-wide model of the organization. d. All of the above are true.
D
Which of the following is not one of the three steps to implementing an REA diagram in a relational database? Select one: a. Use foreign keys to implement one-to-one and one-to-many relationships. b. Create a table for each distinct entity in the diagram and for each many-to-many relationship. c. Assign attributes to appropriate tables. d. Every event must be linked to at least one resource.
D
Which of the following statements is true about the development of an REA model? Select one: a. REA diagrams model individual transactions and data collections. b. Information retrieval events are modeled as events in the REA model. c. Events that pertain to the entry of data are included in the REA model. d. The objective is to model basic value-chain activities.
D
Processing Integrity Component of the Trust Services Framework
Data are processed accurately, completely, in a timely manner, and only with proper authorization. Input, process, and output controls are essential for processing integrity. Watch out for hardwiring in spreadsheets (formulas contain numeric values directly instead of referencing a separate cell where the number is stored, which makes it difficult to react to changes in the number used in the formula).
Privacy
Deals with protecting customer info rather than internal company info (which is with confidentiality). Same controls as above. Encryption must occur during transit and during storage. Data masking protects privacy by replacing personal info with fake values- good to give this to programmers who are developing new applications instead of real customer info. Also called tokenization.
Sarbanes Oxley (2002) (SOX)
Designed to prevent F/S fraud, make financial reports more transparent, protect investors, strengthen internal controls, and punish fraudulent executives. The Public Company Accounting Oversight Board (PCAOB) oversees the auditing profession. 5 people appointed by the SEC. New audit rules: auditing partners must rotate periodically. Auditors are also prohibited from performing certain non-audit services. New audit committee roles: The audit committee must be a part of the board of directors of a company and be independent. One member must be a financial expert. The audit committee oversees external auditors. New mgmt rules: CEO and CFO must certify that F/S and disclosures are fairly presented, were reviewed by mgmt, and aren't misleading. Auditors were told about all material internal control weaknesses and fraud. Evaluation of internal control is based on the recognized COSO framework. If material weaknesses are found, it must be concluded that a company doesn't have effective financial reporting ICs. New IC requirements: Mgmt is responsible for establishing and maintaining an adequate IC system. The Foreign Corrupt Practices Act (FCPA) prevents companies from bribing foreign officials to obtain business. Congress passed SOX because of the Enron, Arthur Andersen, and WorldCom issues.
Trust Services Framework
Developed by the AICPA and the CICA. 1. Security- access to the system and its data is controlled and restricted to legitimate users. 2. Confidentiality- sensitive organizational info is protected from unauthorized disclosure. 3. Privacy- personal info about customers is collected, used, disclosed, and maintained only in compliance with internal policies and external regulatory requirements, and is protected from unauthorized disclosure. 4. Processing integrity- data are processed accurately, completely, in a timely manner, and only with proper authorization. 5. Availability- The system and its info are available to meet operational and contractual obligations. Security is the base; confidentiality, privacy, processing integrity, and availability are the pillars; and systems reliability is the roof.
Resources-Events-Agents Diagram (REA)
Developed for designing AISs. Helps decide which entities should be included in the AIS database. Usually structured as ERDs. Categorizing entities into: Resources- things with economic value Events- business activities (mgmt wants to manage and control) Agents- people/organizations that participate in events Rules: 1. Each event is linked to at least one resource that it affects 2. Each event is linked to at least one other event. Types of links/relationships include: -get events -give events -participation events 3. Each event is linked to at least two participating agents. For external events the internal agent is an employee and the external agent is the outside party to the transaction. For internal events the internal agent is the employee giving up the resource and the external agent is the employee receiving custody of that resource. Relationships that affect the quantity of a resource are sometimes referred to as stockflow relationships, representing an inflow or outflow of that resource. Economic dualities exist between the two event rectangles. This represents that organizations engage in activities that use up resources in the hopes of acquiring some other resource in exchange. Give-to-get. There can also be sequential cause-effect relationships between events if one of the events is a commitment event.
Digital Certificate
Electronic document that contains an entity's public key. Certifies the identity of the owner of that particular public key. Issued by a certificate authority. A Public Key Infrastructure (PKI) is used to issue pairs of public and private keys and the corresponding digital certificates.
Event Identification- ERM Model Component
Event is "... an incident or occurrence emanating from internal/external sources that affects implementation of strategy or achievement of objectives." -Positive/negative impact (or both) -Events may trigger other events -All events should be anticipated
Files v. Databases
Entity= something about which an organization wishes to store data (example- student). Attributes= the columns (example- student id #). Fields= individual info boxes containing attribute info. Record= the rows, all the fields containing data about one entity. File= a set of related records. Database= a set of interrelated, centrally coordinated files. Tries to reduce redundancy. A database management system (DBMS) serves as the interface between the database and application programs that use its data. A database system is the combination of the database, DBMS, and application programs. The database approach makes data an organizational resource used by many departments, not just the original one. A database administrator is responsible for the database. Data warehouses are huge databases used by larger companies. These are usually used for analysis more than transaction processing. Usually updated periodically. Transaction databases are meant to not be redundant; data warehouses are purposefully redundant to maximize query efficiency. Firms originally maintained separate master files (file approach- such as a diff one for enrollment v financial aid), but this created problems, including: -info stored repeatedly in multiple master files -difficulty integrating data to obtain an organization-wide view of it -inconsistent info between files (changed phone number not updated in every file)
DBMS Languages
Every DBMS must provide a means of performing the three basic functions of: -creating a database (DDL): Data definition language. Also building a data dictionary, describing logical views, specifying limits/constraints on security of records and fields. -changing a database (DML): Data manipulation language. Update, insert, delete. -Querying a database (DQL): interrogate. Set of commands used to query the database is the data query language (DQL). Interrogates the database by retrieving records, sorting them, ordering them, and presenting subsets of the database. The DQL usually has easy, powerful commands that enable users to satisfy their own informational needs. Users typically have access to both a DQL and a report writer (simplifies report writing). Access to DDL and DML is usually restricted to admin and programming employees.
GAAP
GAAP identifies and defines 10 internationally recognized best practices for protecting the privacy of customer info. 1. Mgmt- procedures and policies for protecting privacy, assignment of responsibility for implementing them. 2. Notice- to customers of policies at or before the time info is collected, or ASAP after. What info is collected, why, and what it is used for. 3. Choice and consent- let customers consent over info provided and stored. We use opt-out here. Can collect info unless customer explicitly objects. Opt-in is recommended, where you can't take it unless they say it's okay. 4. Collection- only what is necessary and stated in policy. Cookies are an issue. 5. Use and Retention- based on policy and only for as long as necessary for the business. 6. Access- customers should be capable of reviewing, editing, and deleting info. 7. Disclosure to 3rd parties- based on policy and only if the 3rd party has some privacy policy standard. 8. Security- protection of personal info. 9. Quality- Allow customer review. Info needs to be reasonably accurate. 10. Monitor and enforce- ensure compliance with policy.
Digital Signature
Hash of a document using the document creator's key. Combines hashing and asymmetric encryption. Provides proof that the document has not been altered and of the creator of the document. Step 1: document creator uses a hashing algorithm to generate a hash of the original plaintext. Step 2: document creator uses his/her private asymmetric encryption key to encrypt the hash. Result: The encrypted hash is a legally-binding digital signature. Solves the issue of nonrepudiation, or creating a legally binding agreement that cannot be unilaterally repudiated by either party.
Database Systems
Integration of database, DBMS, and application programs. Separate the storage and use of data elements. Two separate views of the data are provided: -logical view: How people conceptually organize and understand relationships among data items. Stuff like view it in a table for understandability. -physical view: The way data are physically arranged and stored in a computer system. In file-oriented systems, programmers must know this. They use a record layout that shows the items stored in a file, including their order and length, etc. The DBMS translates users' logical views into instructions about which data should be retrieved from the database. The operating system then translates the requests into instructions to physically retrieve data from disks. Separating these views facilitates application development, because programmers can focus on coding the logic and not be worried about storage details. Also able to change your logical view without affecting the way the data is stored and vice versa.
Retrieving Info from REA Databases
Journals- info in event tables Ledgers- info in resource tables F/S- info in resources and info on imbalances (A/R and A/P) The REA data model is used to guide the design of an AIS that will efficiently store info abt the organization's business activities. It may appear that traditional AIS elements such as journals, ledgers, and A/R balances are missing. However, this info is just present in a different format! A sales journal can be produced with a query that displays the appropriate entries in the sales and sales-inventory table for a given period. A purchases journal can be produced from the order and order-inventory table. A cash disbursements journal can be produced from the cash disbursement table. Ledgers are master files with cumulative info abt specific accounts. In a relational database designed with the REA model, resource and agent entities contain permanent info carried from year to year. This is similar to the info abt assets traditionally recorded in ledgers. Each resource acct is affected by increment and decrement events, like equipment being bought/used, cash rec/paid, inv bought/sold. Queries can display the cumulative balances for these accts by referencing the appropriate table for that resource entity and the event tables that affect it. Many F/S accts are also represented by the resources in the REA model, with the exception of claims. There is no entity for A/R or A/P; these must be calculated. A/R= total sales- total cash receipts. Need customer table to do this. A/P= total inventory received- total cash disbursements. Need the vendor table to create this. Use the Expression Builder for such calculations in Access. REA model is also great for creating managerial reports, since it has both financial and nonfinancial data.
The Data Dictionary
Key component of a DBMS. Contains info about the structure of the database. For each data element, there is a corresponding record in the data dictionary describing it. Info provided for each element includes: -description of the element -records in which it is contained -its source -length/type of field in which it is stored -programs which use it -outputs in which it is contained -authorized users -other names for it Inputs to the data dictionary are new/deleted elements and changes. Outputs include reports etc.
Segregation of Duties
No single employee should have too much responsibility. Employee should not be in a position to commit and conceal fraud. Separate custodial functions, recording functions, and authorization functions. Custodial= handling cash, inventories, tools, fixed assets, writing checks, receiving checks. Recording= preparing source docs or entering data, maintaining journals, ledgers, files, databases, preparing reconciliations, preparing performance reports. Authorization= authorization of transactions/decisions. Separation of custodial and recording prevents employees from falsifying records in order to conceal theft of assets entrusted to them. Separation of recording and authorization prevents employees from falsifying records to cover up an inaccurate/false transaction that was inappropriately authorized. Separation of authorization and custodial prevents the authorization of fictitious or inaccurate transactions as a means of concealing asset thefts. Segregation of Accounting duties: Authorization, recording, custodial. If duties can't be separated, need owner review as a compensating control. Segregation of System Duties: separate programming and design functions that have access to live data. If one person can design or program an application and has access to the live data, then a fraud opportunity is present. Testing programs should NEVER be performed with live data. Same controls for change management as systems development. 1. systems admin- make sure components run smoothly. 2. network mgmt- ensure that devices are linked to the organization's internal/external networks and that the networks operate well. 3. security mgmt- make sure systems are secure 4. change mgmt- make sure changes are smooth and don't negatively affect the systems. 5. users- record transactions, authorize data to be processed, use system output. 6. systems analysis- help users determine their info needs and design systems to meet those needs 7. programming- take analysts' design and develop, code, and test programs 8. computer ops- run the software 9. info system library- separate storage area with custody of databases, files, and programs 10. data control- properly approved source data, monitor workflow, reconcile input/output, record of input errors, distributes system output.
Objective Setting- ERM Model Component
Objectives are: -Strategic (high-level goals aligned with corporate mission) -Operational (effectiveness/efficiency of operations) -Reporting (complete/reliable, improve decision making) -Compliance (laws and regulations are followed) We want to use them all.
Control Activities
Policies and procedures to provide reasonable assurance that control objectives are met. Mgmt should ensure that: 1. controls are selected/developed to help reduce risks to an acceptable level 2. Appropriate general controls are selected and developed over technology 3. Control activities are implemented and followed as specified in company policies/procedures. -proper authorization of transactions/activities (Authorization is empowerment of employees. Need signature or code on document to signal authority over a process. Might need specific authorization from mgmt for some things.) -segregation of duties (see separate slide) -project development/acquisition controls (steering committee for oversight, strategic master plan developed and updated yearly, project development plan with milestones, data processing schedule showing when tasks should be performed, system performance measurements to evaluate the system, postimplementation review). -change mgmt controls -design and use of documents/records -safeguarding assets, records, and data (create/enforce appropriate policies and procedures, maintain accurate records, restrict access to assets, protect records and documents). -independent checks on performance (top level reviews, analytical reviews- analyzing relationships between data sets, reconciliation of independently maintained records, comparison of actual quantities with recorded amts, double-entry accounting- debits=credits, independent review).
Encryption
Preventative control. The process of transforming normal content, called plaintext, into unreadable gibberish, called ciphertext. Decryption reverses this. Plaintext + key are put through an encryption algorithm, which creates ciphertext. When ciphertext + key are put through a decryption algorithm, you get plaintext again.
Rules for Foreign Keys
Primary-foreign key relations are formed by an attribute that is common to both tables. Assignment of foreign keys: -if 1 to 1 association, either of the tables' primary keys might be the foreign key. Usually the primary key of the event that occurs first is the FK in the event that occurs second. -if 1 to many association, the primary key on the one side is embedded as the foreign key on the many side. -if many to many association, create a separate linking table with a concatenated primary key. Must be concatenated bc if separate then not distinct (will be multiples). The combo of the two primary keys in each row is what will be unique.
Virtual Private Networks (VPNs)
Private communication channels, often referred to as tunnels, which are accessible only to the parties possessing the appropriate encryption and decryption keys. This is used to encrypt info during transit. Two types: 1. one that uses a browser and encrypts traffic with SSL. 2. One that uses IPSec, which incorporates encryption in creating IP packets. Problem with firewalls, since a firewall cannot examine encrypted packets. Configure the firewall to send encrypted packets to a DMZ that decrypts them before sending them through the firewall again OR configure the firewall to allow encrypted packets in and decrypt them at their final destination OR have the firewall also be the termination point for the VPN, decrypting things and inspecting them. Tradeoffs.
Expenditure Cycle REA Diagram
R: inventory, cash E: order inventory, receive inventory, disburse cash A: employee (purch clerk), supplier, employee (rec clerk), employee (cashier). Cardinalities between disburse cash and cash show that each check must be linked to at least one cash account, but that cash account may be linked to many cash disbursements.
Revenue Cycle REA Diagram
R: inventory, cash E: take order, sales, receive cash A: employee, customer
Schemas
Schemas describe the logical structure of a database. There are three levels: 1. conceptual- organization-wide view of the entire database. Lists all data elements and the relationships among them. 2. external- individual user's view of portions of the database, each of which is called a subschema. 3. internal- describes how the data are stored and accessed- record layouts, definitions, addresses, and indexes. The DBMS uses the mappings between these to translate a user/program request in logical form into the indexes and addresses needed to physically access the data.
Security Life Cycle
Security is a mgmt issue, not just a technology issue. 1. Assess threats and select risk response 2. Develop and communicate policy 3. Acquire and implement solutions 4. Monitor performance
REA Redundancies
Separate REA diagrams for an organization will have redundant entities. Resource- each resource entity must be connected to: -event entities in one business cycle and another -one event that increases the resource -one event that decreases the resource -no effect on cardinality. Cardinalities between resources and events remain the same. Events- alter the minimum cardinalities associated with the other events that are related to the merged event. May be linked to either an event that is part of one business cycle or to an event that is part of another cycle, but cannot be linked to both events. The minimum cardinality associated with the other events must be 0 in the integrated REA diagram as a result. Agents- minimum cardinalities could be affected as well. A given check could be written to pay either a supplier or an employee but not both. When a merged event involves different agents in each of the individual business cycles being merged, the minimum cardinalities change from the usual 1 to 0. In an integrated REA diagram, merge resource and event multiple copies of an entity, but not agent copies. Improves readability.
SOC Reports
Service Organization Control (SOC) reports come in three types: SOC 1, SOC 2, and SOC 3. SOC 1 covers the service organization's controls that are relevant to its customers' financial reporting and is the minimum needed for SOX compliance; SOC 2 and SOC 3 report against the Trust Services framework, which was created by the AICPA and is not required under SOX. A cloud service provider (CSP) that hosts a company's systems should be audited, and the resulting SOC report is what the customer reviews.
Availability Component of the Trust Services Framework
The system and its information are available to meet operational and contractual obligations. Some systems or information need to be available 24/7, and since that cannot be guaranteed absolutely: 1. Minimize the risk of system downtime with preventive maintenance, fault tolerance, data center location and design, and training. 2. Ensure quick and complete recovery and resumption of normal operations with backup procedures, a disaster recovery plan (DRP), and a business continuity plan (BCP).
Internal Control
A system that provides reasonable assurance that objectives are met, such as: -safeguarding assets -maintaining records in enough detail to report company assets accurately and fairly -providing accurate and reliable information -preparing financial reports in accordance with established criteria -promoting and improving operational efficiency -encouraging adherence to prescribed managerial policies -complying with applicable laws and regulations. Functions: preventive (deter problems: hire good people, segregation of duties, restrict physical access), detective (discover problems: duplicate checking of calculations, preparing bank reconciliations and monthly trial balances), and corrective (correct problems: keep backups, correct data entry errors, and resubmit transactions for subsequent processing). Categories: general controls (the overall IC system and processes; a stable, well-managed environment, including IT infrastructure and software acquisition, development, and maintenance controls) and application controls (ensure transactions are processed correctly). Simons' four levers of control: 1. belief system: employees understand management's vision and live by company values. 2. boundary system: sets boundaries on employee behavior. 3. diagnostic control system: compares company progress to budgets and performance goals. 4. interactive control system: helps managers focus employee attention on key issues and be involved in decision making.
Ch 18 Table
Table / Primary key / Foreign keys / Other attributes
Order inventory / PO# / supplier#, employee# / date, time, reason
Receive inventory / receiving report# / supplier#, employee#, PO#, check# / date, time, remarks, vendor invoice #
Disburse cash / check# / supplier#, employee# (payee and signer), acct# / amount, description, date
Take order / sales order# / customer#, employee# / date, time, remarks
Sales / invoice# / customer#, employee#, sales order# / date, time, invoice sent (yes/no)
Receive cash / remittance# / customer#, employee#, sales order# / date, time, method of payment
Time worked / timecard# / employee#, supervisor#, paycheck# / date, time in, time out
Inventory / product# / none / description, list price, standard cost, beginning QOH, beginning quantity available, reorder quantity, reorder point
Cash / acct# / none / beginning balance (BB), acct type
Employees / employee# / none / name, hire date, DOB, pay rate, job title
Customers / customer# / none / name, address, BB, credit limit
Suppliers / supplier# / none / name, address, BB, performance rating
Order inventory-Inventory / PO#, product# / none / quantity ordered, actual unit cost
Receive inventory-Inventory / receiving report#, product# / none / quantity received, condition
Take customer order-Inventory / sales order#, product# / none / quantity ordered
Sales-Inventory / invoice#, product# / none / quantity sold, actual sales price
Sales-Receive cash / invoice#, remittance# / none / amount applied to invoice
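The following is an added example, not part of the course materials or the textbook, that builds the revenue-cycle subset of the table above as SQLite tables and shows how the three schema levels from the Schemas section show up in a real DBMS: CREATE TABLE statements are the conceptual level, a CREATE VIEW is one user's external subschema, and a CREATE INDEX is an internal-level storage detail. Column names, the customer_balances view, and all sample rows are assumptions constructed for the example; the foreign keys follow the FK column of the table.

```python
import sqlite3

# Added example, not from the course materials: the revenue-cycle subset of the
# Ch 18 tables built as SQLite tables. Column names are assumptions chosen to match
# the PK / FK / other-attribute lists; all rows are constructed. The three schema
# levels map onto CREATE TABLE (conceptual), CREATE VIEW (external subschema)
# and CREATE INDEX (internal storage/access detail).
DDL = """
CREATE TABLE customers (
    customer_no   INTEGER PRIMARY KEY,
    name          TEXT NOT NULL,
    begin_balance REAL NOT NULL DEFAULT 0,
    credit_limit  REAL NOT NULL
);
CREATE TABLE employees (
    employee_no INTEGER PRIMARY KEY,
    name        TEXT NOT NULL
);
CREATE TABLE inventory (
    product_no  INTEGER PRIMARY KEY,
    description TEXT NOT NULL,
    list_price  REAL NOT NULL
);
CREATE TABLE sales (
    invoice_no  INTEGER PRIMARY KEY,
    customer_no INTEGER NOT NULL REFERENCES customers(customer_no),
    employee_no INTEGER NOT NULL REFERENCES employees(employee_no),
    sale_date   TEXT NOT NULL
);
-- M:N relationship table between the Sales event and the Inventory resource
CREATE TABLE sales_inventory (
    invoice_no        INTEGER REFERENCES sales(invoice_no),
    product_no        INTEGER REFERENCES inventory(product_no),
    quantity_sold     INTEGER NOT NULL CHECK (quantity_sold > 0),
    actual_sale_price REAL NOT NULL,
    PRIMARY KEY (invoice_no, product_no)
);
CREATE TABLE receive_cash (
    remittance_no INTEGER PRIMARY KEY,
    customer_no   INTEGER NOT NULL REFERENCES customers(customer_no),
    employee_no   INTEGER NOT NULL REFERENCES employees(employee_no),
    amount        REAL NOT NULL
);
-- M:N relationship table between the Sales and Receive Cash events
CREATE TABLE sales_receive_cash (
    invoice_no     INTEGER REFERENCES sales(invoice_no),
    remittance_no  INTEGER REFERENCES receive_cash(remittance_no),
    amount_applied REAL NOT NULL,
    PRIMARY KEY (invoice_no, remittance_no)
);
-- Internal level: an index on the FK that the balance view joins on
CREATE INDEX idx_sales_customer ON sales(customer_no);
-- External level: the credit manager's subschema exposes only each customer's
-- balance (beginning balance + sales - cash applied), not employee or product detail
CREATE VIEW customer_balances AS
SELECT c.customer_no, c.name, c.credit_limit,
       c.begin_balance
       + COALESCE((SELECT SUM(si.quantity_sold * si.actual_sale_price)
                   FROM sales s JOIN sales_inventory si ON si.invoice_no = s.invoice_no
                   WHERE s.customer_no = c.customer_no), 0)
       - COALESCE((SELECT SUM(src.amount_applied)
                   FROM sales s JOIN sales_receive_cash src ON src.invoice_no = s.invoice_no
                   WHERE s.customer_no = c.customer_no), 0) AS balance
FROM customers c;
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite does not enforce FKs unless told to
    conn.executescript(DDL)
    return conn

def load_sample(conn):
    """Constructed sample data: one customer, one two-line invoice, one remittance."""
    conn.execute("INSERT INTO customers VALUES (1001, 'Acme Corp', 0, 5000)")
    conn.execute("INSERT INTO employees VALUES (7, 'J. Clerk')")
    conn.executemany("INSERT INTO inventory VALUES (?, ?, ?)",
                     [(501, "widget", 25.0), (502, "gadget", 40.0)])
    conn.execute("INSERT INTO sales VALUES (30001, 1001, 7, '2024-01-15')")
    conn.executemany("INSERT INTO sales_inventory VALUES (?, ?, ?, ?)",
                     [(30001, 501, 10, 25.0), (30001, 502, 5, 38.0)])  # 250 + 190 = 440
    conn.execute("INSERT INTO receive_cash VALUES (90001, 1001, 7, 300.0)")
    conn.execute("INSERT INTO sales_receive_cash VALUES (30001, 90001, 300.0)")
    conn.commit()

def customer_balance(conn, customer_no):
    row = conn.execute("SELECT balance FROM customer_balances WHERE customer_no = ?",
                       (customer_no,)).fetchone()
    return row[0] if row else None

def try_record_sale(conn, invoice_no, customer_no, employee_no=7):
    """The FK acts as a validity check: a customer number absent from the master
    table is rejected by the DBMS. Returns True if the insert was accepted."""
    try:
        conn.execute("INSERT INTO sales VALUES (?, ?, ?, ?)",
                     (invoice_no, customer_no, employee_no, "2024-01-16"))
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        conn.rollback()
        return False
```

Two things worth noticing when running it: the FK declarations do nothing in SQLite until `PRAGMA foreign_keys = ON` is issued on the connection, so a validity check that relies on them silently disappears if that line is dropped; and the view gives the credit manager exactly the subschema they need (name, credit limit, balance) without granting access to the underlying event tables.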
Information and Communication
The primary purpose of an AIS: gather, record, process, summarize, and communicate information. An AIS has several subsystems (revenue, expenditure, etc.) in which information is gathered, processed, and stored. Internal controls are built around the system (IT general controls, ITGC) and built into the business processes (application controls). Information should be communicated effectively throughout the organization, both up and down the chain of command.
Processing Controls
Threats are errors in output and in stored data. Controls are: -Data matching: multiple data values must match before processing occurs. -File labels: ensure the correct and most current file is being updated. Use both external labels for humans and internal labels for machines. The most important internal labels are header records (at the beginning of the file, containing the file name, expiration date, etc.) and trailer records (at the end of the file, containing the batch totals). Read the header record before processing to ensure the correct file is being updated, and read the trailer record after processing to verify that all input records have been correctly processed. -Batch total recalculation: compare batch totals recalculated after processing with the totals computed at input. A transposition error occurs when two adjacent digits are reversed; the resulting difference between the correct and erroneous totals is always divisible by 9. -Cross-footing and zero-balance tests: compute totals by more than one method and verify that the results agree. Cross-footing compares the row totals, column totals, and grand total of a report. A zero-balance test applies the same logic to control accounts: the debits and credits posted to a control account should net to zero, and a nonzero balance indicates a processing error. -Write-protection mechanisms: eliminate the possibility of overwriting or erasing existing data. -Concurrent update controls: lock records or fields while they are being updated so that multiple users cannot update the same record at the same time.
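The following is an added example, not from the course materials, that implements the file-label, batch-total, cross-footing and zero-balance controls described above over a constructed batch file. The record layout (a header line, one line per remittance, a trailer line with the totals, fields separated by "|") is an assumption made for the example; it computes three common batch totals (record count, financial total, and a hash total of the customer numbers) and flags a financial difference divisible by 9 as a probable transposition.

```python
import datetime

# Added example, not from the course materials. It assumes a constructed batch-file
# layout: a header record (H|file name|expiration date), one R record per
# transaction (R|remittance#|customer#|amount) and a trailer record carrying the
# batch totals (T|record count|financial total|hash total of customer#).
SAMPLE_FILE = """\
H|AR_REMITTANCES|2030-12-31
R|90001|1001|300.00
R|90002|1002|125.50
R|90003|1001|80.00
T|3|505.50|3004
"""

def parse_batch(text, expected_name, today):
    """Read the header BEFORE processing (right file, not expired) and the trailer
    AFTER processing (the totals the input clerk computed). today is an ISO date."""
    lines = text.strip().splitlines()
    header, body, trailer = lines[0].split("|"), lines[1:-1], lines[-1].split("|")
    if header[0] != "H" or header[1] != expected_name:
        raise ValueError(f"wrong file: header names {header[1]!r}, expected {expected_name!r}")
    if datetime.date.fromisoformat(header[2]) < datetime.date.fromisoformat(today):
        raise ValueError(f"file {header[1]} expired on {header[2]}")
    records = []
    for line in body:
        tag, remit_no, cust_no, amount = line.split("|")
        if tag != "R":
            raise ValueError(f"unexpected record type {tag!r}")
        records.append((int(remit_no), int(cust_no), float(amount)))
    if trailer[0] != "T":
        raise ValueError("trailer record missing; cannot verify batch totals")
    expected = {"count": int(trailer[1]), "financial": float(trailer[2]), "hash": int(trailer[3])}
    return records, expected

def batch_totals(records):
    """Recalculate the three batch totals from the records actually processed."""
    return {"count": len(records),
            "financial": round(sum(amt for _, _, amt in records), 2),
            "hash": sum(cust for _, cust, _ in records)}  # hash total: meaningless sum, pure check

def check_batch(records, expected):
    """Compare recalculated totals with the trailer; a financial difference divisible
    by 9 is flagged as a probable transposition of two adjacent digits."""
    actual, problems = batch_totals(records), []
    for key, want in expected.items():
        if actual[key] != want:
            msg = f"{key} total: trailer says {want}, recalculated {actual[key]}"
            if key == "financial" and round(abs(actual[key] - want) * 100) % 9 == 0:
                msg += " (difference divisible by 9: probable transposition error)"
            problems.append(msg)
    return problems

def cross_foot(rows, reported_row_totals, reported_col_totals, reported_grand):
    """Cross-footing: recompute row, column and grand totals independently and require
    all of them to agree with the totals the report printed."""
    row_totals = [sum(r) for r in rows]
    col_totals = [sum(c) for c in zip(*rows)]
    grand = sum(row_totals)
    return (row_totals == reported_row_totals and col_totals == reported_col_totals
            and grand == sum(col_totals) == reported_grand)

def zero_balance(postings):
    """Zero-balance test on a control account: postings are (debit, credit) pairs;
    after processing the net must be 0, otherwise something was posted incorrectly."""
    return round(sum(dr for dr, _ in postings) - sum(cr for _, cr in postings), 2) == 0
```

The divisible-by-9 rule follows from the arithmetic: swapping adjacent digits a and b changes the value by (10a + b) - (10b + a) = 9(a - b), times a power of ten. It is a hint, not proof, since other errors can also differ by a multiple of 9, which is why the count and hash totals are checked as well.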
Output Controls
Threats are the use of inaccurate or incomplete reports, unauthorized disclosure of sensitive information, and the loss, alteration, or disclosure of information in transit. Controls are reviews and reconciliations, encryption and access controls, parity checks, and message acknowledgement techniques. -User review: verify that output is reasonable and complete and that it was routed to the intended recipient. -Reconciliations: reconcile transactions to reports, and reconcile the general ledger to the subsidiary ledgers and accounts. Especially important for control accounts like A/R and A/P. Also perform external data reconciliations between database totals and data maintained outside the system, e.g., the number of employee records in the payroll file vs. the number of employees in the HR database, to detect fictitious employees added to the payroll file. -Data transmission controls: Checksums (a hash of the transmitted file, called a checksum, is computed before transmission and again on receipt, and the two are compared). Parity checking (an extra bit is added to each character transmitted so that the number of 1 bits is even (even parity) or odd (odd parity); the receiver recounts the bits in each character to detect a changed bit).
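The following is an added example, not from the course materials, that simulates the two data transmission controls above on a constructed message: each 7-bit character gets an even-parity bit in its high bit, a SHA-256 checksum is taken of the encoded bytes before "transmission", and transmission damage is simulated by flipping chosen bits. The message and the damage positions are constructed; the functions are hypothetical names chosen for the example.

```python
import hashlib

# Added example, not from the course materials. Parity is attached as the high bit
# of each 7-bit character; the "transmission" is simulated by flipping bits in a
# copy of the encoded bytes, and both controls are checked on the received copy.

def parity_bit(char, even=True):
    """Return the bit that makes the total number of 1 bits even (or odd)."""
    bit = bin(char).count("1") % 2     # 1 if the character already has an odd count
    return bit if even else bit ^ 1

def encode_with_parity(data, even=True):
    """Attach a parity bit to each 7-bit character as bit 7 of the byte."""
    out = bytearray()
    for b in data:
        if b > 0x7F:
            raise ValueError("parity scheme assumes 7-bit characters")
        out.append((parity_bit(b, even) << 7) | b)
    return bytes(out)

def parity_errors(encoded, even=True):
    """Positions of characters whose received parity bit no longer matches."""
    return [i for i, b in enumerate(encoded) if (b >> 7) != parity_bit(b & 0x7F, even)]

def checksum(data):
    return hashlib.sha256(data).hexdigest()

def flip_bits(data, positions):
    """Simulate transmission damage: positions are (byte_index, bit_index) pairs."""
    out = bytearray(data)
    for i, bit in positions:
        out[i] ^= 1 << bit
    return bytes(out)

def transmit_and_verify(message, damage=()):
    """Encode, checksum, damage, then apply both controls on the received bytes."""
    sent = encode_with_parity(message)
    sent_sum = checksum(sent)            # sent alongside (or ahead of) the data
    received = flip_bits(sent, damage)
    return {"parity_errors": parity_errors(received),
            "checksum_ok": checksum(received) == sent_sum}
```

Running it with two flips in the same character shows the limit of parity: an even number of changed bits in one character leaves its parity intact and goes undetected, while the checksum still fails. Note also that a plain hash only detects accidental change; an attacker who can alter the data can recompute the checksum, so protecting against deliberate alteration in transit needs a keyed MAC or signature together with the encryption the section lists.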
Entity-Relationship Diagrams (ERDs)
Used to graphically represent a database schema. Depict entities and the relationships between them. Entities are always depicted as rectangles, but there is no industry standard, so other notation varies. Variations include: A: relationships depicted by diamonds B: relationships depicted without diamonds C: attributes attached to entities (as ovals connected to the rectangles by lines) D: attributes listed in a separate table
New Considerations
Virtualization: multiple systems run on one physical computer. Lowers hardware and maintenance costs, as well as data center and utility costs. Cloud computing: remotely accessed resources (software applications, data storage, hardware). Cheaper and more flexible. Risks: increased exposure if a breach occurs, since many systems share one host or provider, and possibly reduced authentication standards at the provider. Opportunities: implementing strong access controls in the cloud, or over the server that hosts a virtual network, provides good security over all the systems contained therein. All the other controls (preventive, detective, and corrective) must still be present!