IS 414 Midterm #1
Border Router
A device that connects an organization's information system to the Internet.
Hot Site
A disaster recovery option that relies on access to a completely operational alternative data center that is not only prewired but also contains all necessary hardware and software.
Cold Site
A disaster recovery option that relies on access to an alternative facility that is prewired for necessary telephone and Internet access, but does not contain any computing equipment.
Policy and Procedures Manual
A document that explains proper business practices, describes needed knowledge and experience, explains document procedures, explains how to handle transactions, and lists the resources provided to carry out specific duties.
Project Development Plan
A document that shows how a project will be completed.
Redundant Arrays of Independent Drives (RAID)
A fault tolerance technique that records data on multiple disk drives instead of just one to reduce the risk of data loss.
Audit Log
A file containing transactions that have audit significance.
Transaction File
A file that contains the individual business transactions that occur during a specific fiscal period. A transaction file is conceptually similar to a journal in a manual AIS.
Data Flow Diagram
A graphical description of the flow of data within an organization, including data sources/destinations, data flows, transformation processes, and data storage.
Man-in-the-Middle (MITM) attack
A hacker placing himself between a client and a host to intercept communications between them.
Digital Signature
A hash encrypted with the hash creator's private key.
Specialized Journal
A journal used to record a large number of repetitive transactions such as credit sales, cash receipts, purchases, and cash disbursements.
General Journal
A journal used to record infrequent or nonroutine transactions, such as loan payments and end-of-period adjusting and closing entries.
General Ledger
A ledger that contains summary-level data for every asset, liability, equity, revenue, and expense account of the organization.
Subsidiary Ledger
A ledger used to record detailed data for a general ledger account with many individual subaccounts, such as accounts receivable, inventory, and accounts payable.
Chart of Accounts
A listing of all the numbers assigned to balance sheet and income statement accounts. The account numbers allow transaction data to be coded, classified, and entered into the proper accounts. They also facilitate financial statement and report preparation.
Input Controls Matrix
A matrix that shows control procedures applied to each input record field; used to document the review of source data controls.
Rootkit
A means of concealing system components and malware from the operating system and other programs; can also modify the operating system.
Digital Signature
A means of electronically signing a document with data that cannot be forged.
Strategy Master Plan
A multiple-year plan of the projects the company must complete to achieve its long-range goals.
Enterprise Resource Planning (ERP) System
A system that integrates all aspects of an organization's activities—such as accounting, finance, marketing, human resources, manufacturing, inventory management—into one system. An ERP system is modularized; companies can purchase the individual modules that meet their specific needs. An ERP facilitates information flow among the company's various business functions and manages communications with outside stakeholders.
Certificate Authority
An organization that issues public and private keys and records the public key in a digital certificate.
Systems Integrator
An outside party hired to manage a company's systems development effort.
Fraud
Any and all means a person uses to gain an unfair advantage over another person.
Malware
Any software that is used to do harm.
Computer Fraud
Any type of fraud that requires computer technology to perpetrate.
Database
A set of interrelated, centrally controlled data files that are stored with as little data redundancy as possible. A database consolidates records previously stored in separate files into a common pool and serves a variety of users and data processing applications.
File
A set of logically related records, such as the payroll records of all employees.
Business Process
A set of related, coordinated, and structured activities and tasks, performed by a person, a computer, or a machine, that help accomplish a specific organizational goal.
Trojan Horse
A set of unauthorized computer instructions in an authorized and otherwise properly functioning program.
Firewall
A special-purpose hardware device, or software running on a general-purpose computer, that controls both inbound and outbound communication between the system behind the firewall and other networks.
Accounting Information System
A system that collects, records, stores, and processes data to produce information for decision makers. It includes people, procedures and instructions, data, software, information technology infrastructure, and internal controls and security measures.
Intrusion Detection Systems (IDS)
A system that creates logs of all network traffic that was permitted to pass the firewall and then analyzes those logs for signs of attempted or successful intrusions.
System Flowchart
Depicts the relationships among system input, processing, storage, and output.
Asymmetric Encryption Systems
Encryption systems that use two keys (one public, the other private); either key can encrypt, but only the other matching key can decrypt.
Vulnerabilities
Flaws in programs that can be exploited to either crash the system or take control of it.
General Ledger and Reporting System
Information-processing operations involved in updating the general ledger and preparing reports for both management and external parties.
Integrated Test Facility (ITF)
Inserting a dummy entity into a company's system so that test transactions processed against it will not affect actual records.
SQL Injection
Inserting a malicious SQL query in input such that it is passed to and executed by an application program. This allows a hacker to convince the application to run SQL code that it was not intended to execute.
Fraudulent Financial Reporting
Intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements.
Private Key
One of the keys used in asymmetric encryption systems. It is kept secret and known only to the owner of that pair of public and private keys.
Public Key
One of the keys used in asymmetric encryption systems. It is widely distributed and available to everyone.
Post-implementation Review
Review, performed after a new system has been operating for a brief period, to ensure that it meets its planned objectives.
Control Risk
Risk that a material misstatement will get through the internal control structure and into the financial statements.
Detection Risk
Risk that auditors and their audit procedures will fail to detect a material error or misstatement.
Automated Flowcharting Programs
Software that interprets a program's source code and generates a flowchart of the program's logic.
Information Rights Management (IRM)
Software that offers the capability not only to limit access to specific files or documents but also to specify the actions (read, copy, print, download, etc.) that individuals who are granted access to that resource can perform. Some IRM software even has the capability to limit access privileges to a specific period of time and to remotely erase protected files.
Batch Totals
The sum of a numerical item for a batch of documents, calculated prior to processing the batch, when the data are entered, and subsequently compared with computer-generated totals after each processing step to verify that the data was processed correctly.
Inherent Risk
The susceptibility of a set of accounts or transactions to significant control problems in the absence of internal control.
Public Key Infrastructure (PKI)
The system for issuing pairs of public and private keys and corresponding digital certificates.
Coding
The systematic assignment of numbers or letters to items to classify and organize them.
Social Engineering
The techniques or psychological tricks used to get people to comply with the perpetrator's wishes in order to gain physical or logical access to a building, computer, server, or network. It is usually to get the information needed to obtain confidential data.
Give-Get Exchange
Transactions that happen a great many times, such as giving up cash to get inventory from a supplier and giving employees a paycheck in exchange for their labor.
Decryption
Transforming ciphertext back into plaintext.
Hashing
Transforming plaintext of any length into a short code called a hash.
System
Two or more interrelated components that interact to achieve a goal, often composed of subsystems that support the larger system.
Group Codes
Two or more subgroups of digits that are used to code an item. A group code is often used in conjunction with a block code.
Header Record
Type of internal label that appears at the beginning of each file and contains the file name, expiration date, and other file identification information.
Trailer Record
Type of internal label that appears at the end of a file; in transaction files, the trailer record contains the batch totals calculated during input.
Cloud Computing
Using a browser to remotely access software, data storage, hardware, and applications.
Pretexting
Using an invented scenario (the pretext) that creates legitimacy in the target's mind in order to increase the likelihood that a victim will divulge information or do something. (Very similar to social engineering)
Parallel Simulation
Using auditor-written software to process data and comparing the output with the company's output; discrepancies are investigated to see if unauthorized program changes were made.
System Control Audit Review File (SCARF)
Using embedded audit modules to continuously monitor transactions, collect data on transactions with special audit significance, and store the data to later identify and investigate questionable transactions.
Virtual Private Network (VPN)
Using encryption and authentication to securely transfer information over the Internet, thereby creating a "virtual" private network.
Reprocessing
Using source code to reprocess data and comparing the output with the company's output; discrepancies are investigated to see if unauthorized program changes were made.
Support Activities
Value chain activities such as firm infrastructure, technology, purchasing, and human resources that enable primary activities to be performed efficiently and effectively.
Primary Activities
Value chain activities that produce, market, and deliver products and services to customers and provide post-delivery service and support.
Authentication
Verifying the identity of the person or device attempting to access the system.
Password Cracking
When an intruder penetrates a system's defenses, steals the file containing valid passwords, decrypts them, and uses them to gain access to programs, files, and data.
Symmetric Encryption Systems
Encryption systems that use the same key both to encrypt and to decrypt.
Documentation
Narratives, flowcharts, diagrams, and other written materials that explain how a system works.
Defense-in-Depth
Employing multiple layers of controls to avoid a single point-of-failure.
Enterprise Risk Management - Integrated Framework (ERM)
A COSO framework that improves the risk management process by expanding COSO's Internal Control—Integrated Framework (it adds three additional elements).
Internal Control - Integrated Framework (IC)
A COSO framework that defines internal controls and provides guidance for evaluating and enhancing internal control systems.
Public Company Accounting Oversight Board (PCAOB)
A board created as part of SOX that regulates the auditing profession.
Denial of Service (DoS) Attack
A computer attack in which the attacker sends so many e-mail bombs or web page requests, often from randomly generated false addresses, that the Internet service provider's e-mail server or the web server is overloaded and shuts down.
Archive
A copy of a database, master file, or software that is retained indefinitely as a historical record, usually to satisfy legal and regulatory requirements.
Parity Checking
A data transmission control in which the receiving device recalculates the parity bit to verify accuracy of transmitted data.
Checksum
A data transmission control that uses a hash of a file to verify accuracy.
Audit Trail
A path that allows a transaction to be traced through a data processing system from point of origin to output or backwards from output to point of origin. It is used to check the accuracy and validity of ledger postings and to trace changes in general ledger accounts from their beginning balance to their ending balance.
Master File
A permanent file of records that stores cumulative data about an organization. As transactions take place, individual records within a master file are updated to keep them current.
Pressure
A person's incentive or motivation for committing fraud.
Fraud Hotline
A phone number employees can call to anonymously report fraud and abuse.
Biometric Identifier
A physical or behavioral characteristic that is used as an authentication credential.
Business Continuity Plan (BCP)
A plan that specifies how to resume not only IT operations but all business processes in the event of a major calamity.
Disaster Recovery Plan (DRP)
A plan to restore an organization's IT capability in the event that its data center is destroyed.
Event
A positive or negative incident or occurrence from internal or external sources that affects the implementation of strategy or the achievement of objectives.
Committee of Sponsoring Organizations (COSO)
A private-sector group consisting of the American Accounting Association, the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives Institute.
Deep Packet Inspection
A process that examines the data in the body of a TCP packet to control traffic, rather than looking only at the information in the IP and TCP headers.
Packet Filtering
A process that uses various fields in a packet's IP and TCP headers to decide what to do with the packet.
Cross-footing Balance Test
A processing control that verifies accuracy by comparing two alternative ways of calculating the same total.
Zero-Balance Test
A processing control that verifies that the balance of a control account equals zero after all entries to it have been made.
Exploit
A program designed to take advantage of a known vulnerability.
Steganography Program
A program that can merge confidential information with a seemingly harmless file, password protect the file, and send it anywhere in the world, where the file is unlocked and the confidential information is reassembled. The host file can still be heard or viewed because humans are not sensitive enough to pick up the slight decrease in image or sound quality.
Time Bomb/Logic Bomb
A program that lies idle until some specified circumstance or a particular time triggers it. Once triggered, the program sabotages the system by destroying programs or data.
Document
A record of a transaction or other company data. Examples include checks, invoices, receiving reports, and purchase requisitions.
Turnaround Document
A record of company data sent to an external party and then returned by the external party for subsequent input to the system.
Query
A request for the database to provide the information needed to deal with a problem or answer a question. The information is retrieved, displayed or printed, and/or analyzed as requested.
Data Processing Schedule
A schedule that shows when each data processing task should be performed.
Control Objectives for Information and Related Technology (COBIT)
A security and control framework that allows (1) management to benchmark the security and control practices of IT environments, (2) users of IT services to be assured that adequate security and control exist, and (3) auditors to substantiate their internal control opinions and advise on IT security and control matters.
Virus
A segment of executable code that attaches itself to a file, program, or some other executable system component. When the hidden program is triggered, it makes unauthorized alterations to the way a system operates.
Demilitarized Zone (DMZ)
A separate network located outside the organization's internal information system that permits controlled access from the Internet.
Access Control List (ACL)
A set of IF-THEN rules used to determine what to do with arriving packets.
Trap Door/Back Door
A set of computer instructions that allows a user to bypass the system's normal controls.
Record
A set of fields whose data values describe specific attributes of an entity, such as all payroll data relating to a single employee. An example is a row in a spreadsheet.
Access Control Matrix
A table used to implement authorization controls.
Computer Incident Response Team (CIRT)
A team that is responsible for dealing with major security incidents.
Cookie
A text file created by a Web site and stored on a visitor's hard drive. Cookies store information about who the user is and what the user has done on the site.
Control Account
A title given to a general ledger account that summarizes the total amounts recorded in a subsidiary ledger. For example, the accounts receivable control account in the general ledger represents the total amount owed by all customers. The balances in the accounts receivable subsidiary ledger indicate the amount owed by each specific customer.
Hash Total
A type of batch total generated by summing values for a field that would not usually be totaled.
Record Count
A type of batch total that equals the number of records processed at a given time.
Financial Total
A type of batch total that equals the sum of a field that contains monetary values.
Differential Backup
A type of partial backup that involves copying all changes made since the last full backup. Thus, each new differential backup file contains the cumulative effects of all activity since the last full backup.
Incremental Backup
A type of partial backup that involves copying only the data items that have changed since the last partial backup. This produces a set of incremental backup files, each containing the results of one day's transactions.
Business Process Diagram
A visual way to describe the different steps or activities in a business process.
Cross-Site Scripting (XSS)
A vulnerability in dynamic web pages that allows an attacker to bypass a browser's security mechanisms and instruct the victim's browser to execute code, thinking it came from the desired website.
Evil Twin
A wireless network with the same name (Service Set Identifier) as a legitimate wireless access point. Users are connected to the twin because it has a stronger wireless signal or the twin disrupts or disables the legitimate access point. Users are unaware that they connect to the evil twin and the perpetrator monitors the traffic looking for confidential information.
Batch Processing
Accumulating transaction records into groups or batches for processing at a regular interval such as daily or weekly. The records are usually sorted into some sequence (such as numerically or alphabetically) before processing.
Human Resources/Payroll Cycle
Activities associated with hiring, training, compensating, evaluating, promoting, and terminating employees.
Expenditure Cycle
Activities associated with purchasing inventory for resale or raw materials in exchange for cash or a future promise to pay cash.
Financing Cycle
Activities associated with raising money by selling shares in the company to investors and borrowing money as well as paying dividends and interest.
Revenue Cycle
Activities associated with selling goods and services in exchange for cash or a future promise to receive cash.
Production or Conversion Cycle
Activities associated with using labor, raw materials, and equipment to produce finished goods.
Materiality
Amount of an error, fraud, or omission that would affect the decision of a prudent user of financial information.
Transaction
An agreement between two entities to exchange goods or services, such as selling inventory in exchange for cash; any other event that can be measured in economic terms by an organization.
Uninterruptible Power Supply (UPS)
An alternative power supply device that protects against the loss of power and fluctuations in the power level by using battery power to enable the system to operate long enough to back up critical data and safely shut down.
Flowchart
An analytical technique that uses a standard set of symbols to describe pictorially some aspect of an IS in a clear, concise, and logical manner.
Penetration Testing
An authorized attempt to break into the organization's information system.
Reasonableness Test
An edit check of the logical correctness of relationships among data items.
Sequence Check
An edit check that determines if a transaction file is in the proper numerical or alphabetical sequence.
Size Check
An edit check that ensures the input data will fit into the assigned field.
Limit Check
An edit check that tests a numerical amount against a fixed value.
Field Check
An edit check that tests whether the characters in a field are of the correct field type (e.g., numeric data in numeric fields).
Completeness Check (or test)
An edit check that verifies that all data required have been entered.
Sign Check
An edit check that verifies that the data in a field have the appropriate arithmetic sign.
Validity Check
An edit test that compares the ID code or account number in transaction data with similar data in the master file to verify that the account exists.
Digital Certificate
An electronic document that certifies the identity of the owner of a particular public key and contains that party's public key.
Computer Security Officer (CSO)
An employee independent of the information system function who monitors the system, disseminates information about improper system uses and their consequences, and reports to top management.
Chief Compliance Officer (CCO)
An employee responsible for all the compliance tasks associated with SOX and other laws and regulatory rulings.
Transposition Error
An error that results when numbers in two adjacent columns are inadvertently exchanged (for example, 64 is written as 46).
Steering Committee
An executive-level committee to plan and oversee the information systems function.
Supply Chain
An extended system that includes an organization's value chain as well as its suppliers, distributors, and customers.
Parity Bit
An extra bit added to every character; used to check transmission accuracy.
Closed-Loop Verification
An input validation method that uses data entered into the system to retrieve and display other related information so that the data entry person can verify the accuracy of the input data.
Sabotage
An intentional act where the intent is to destroy a system or some of its components.
Systems Review
An internal control evaluation step that determines if necessary control procedures are actually in place.
Background Check
An investigation of a prospective or current employee that involves verifying their educational and work experience, talking to references, checking for a criminal record or credit problems, and examining other publicly available information.
Prompting
An online data entry completeness check that requests each required item of input data and then waits for an acceptable response before requesting the next required item.
Identity Theft
Assuming someone's identity, usually for economic gain.
Internal Auditing
Assurance and consulting activity designed to add value, improve organizational effectiveness and efficiency, and accomplish organization objectives.
Phreaking
Attacking phone systems to obtain free phone line access, to use phone lines to transmit malware, and to access, steal, and destroy data.
Audit Hooks
Audit routines that notify auditors of questionable transactions, often as they occur.
Computer-Assisted Audit Techniques (CAATS)
Audit software that uses auditor-supplied specifications to generate a program that performs audit functions.
Generalized Audit Software (GAS)
Audit software that uses auditor-supplied specifications to generate a program that performs audit functions.
Vulnerability Scanners
Automated tools designed to identify whether a given system possesses any unused and unnecessary programs that represent potential security threats.
Block Code
Blocks of numbers that are reserved for specific categories of data, thereby helping to organize the data. An example is a chart of accounts.
Digital Watermark
Code embedded in documents that enables an organization to identify confidential information that has been disclosed.
Patch
Code released by software developers that fixes a particular vulnerability.
Endpoints
Collective term for the workstations, servers, printers, and other devices that comprise an organization's network.
Vouching
Comparing accounting journal and ledger entries with documentary evidence to verify that a transaction is valid, accurate, properly authorized, and correctly recorded.
Computer Forensics Specialists
Computer experts who discover, extract, safeguard, and document computer evidence such that its authenticity, accuracy, and integrity will not succumb to legal challenges.
Neural Networks
Computing systems that imitate the brain's learning process by using a network of interconnected processors that perform multiple operations simultaneously and interact dynamically.
Lapping
Concealing the theft of cash by means of a series of delays in posting collections to accounts receivable.
Compensating Controls
Control procedures that compensate for the deficiency in other controls.
Detective Controls
Controls designed to discover control problems that were not prevented.
General Controls
Controls designed to make sure an organization's information system and control environment is stable and well managed.
Preventative Controls
Controls that deter problems before they arise.
Corrective Controls
Controls that identify and correct problems as well as correct and recover from the resulting errors.
Concurrent Update Controls
Controls that lock out users to protect individual records from errors that could occur if multiple users attempted to update the same record simultaneously.
Application Controls
Controls that prevent, detect, and correct transaction errors and fraud in application programs.
Collusion
Cooperation between two or more people in an effort to thwart internal controls.
Information System Library
Corporate databases, files, and programs stored and managed by the system librarian.
Check Kiting
Creating cash using the lag between the time a check is deposited and the time it clears the bank.
Nonrepudiation
Creating legally binding agreements that cannot be unilaterally repudiated by either party.
Information
Data that have been organized and processed to provide meaning and improve decision making.
Corruption
Dishonest conduct by those in power, which often involves actions that are illegitimate, immoral, or incompatible with ethical standards. Examples include bribery and bid rigging.
Source Documents
Documents used to capture transaction data at its source - when the transaction takes place. Examples include sales orders, purchase orders, and employee time cards.
Skimming
Double-swiping a credit card in a legitimate terminal or covertly swiping a credit card in a small, hidden, handheld card reader that records credit card data for later use.
Continuous and Intermittent Simulation (CIS)
Embedding an audit module in a DBMS that uses specified criteria to examine all transactions that update the database.
Authorization (paper)
Establishing policies for employees to follow and then empowering them to perform certain organizational functions. Authorizations are often documented by signing, initialing, or entering an authorization code on a document or record.
Full Backup
Exact copy of an entire database.
Investigative Audit
Examination of incidents of possible fraud, misappropriation of assets, waste and abuse, or improper governmental activities.
Compliance Audit
Examination of organizational compliance with applicable laws, regulations, policies, and procedures.
Operational Audit
Examination of the economical and efficient use of resources and the accomplishment of established goals and objectives.
Information Systems (Internal Control) Audit
Examination of the general and application controls of an IS to assess its compliance with internal control policies and procedures and its effectiveness in safeguarding assets.
Analytical Review
Examination of the relationships between different sets of data; abnormal or unusual relationships and trends are investigated.
Financial Audit
Examination of the reliability and integrity of financial transactions, accounting records, and financial statements.
Information Overload
Exceeding the amount of information a human mind can absorb and process, resulting in a decline in decision-making quality and an increase in the cost of providing information.
Data
Facts that are collected, recorded, stored, and processed by an information system.
Hijacking
Gaining control of someone else's computer to carry out illicit activities, such as sending spam without the computer user's knowledge.
Strategic Objectives
High-level goals that are aligned with and support the company's mission and create shareholder value.
Context Diagram
Highest-level DFD; a summary-level view of a system, showing the data processing system, its input(s) and output(s), and their sources and destinations.
Response Time
How long it takes for a system to respond.
Check Digit
ID numbers (such as inventory item number) can contain a check digit computed from the other digits.
Document Flowchart
Illustrates the flow of documents and data among areas of responsibility within an organization.
Program Flowchart
Illustrates the sequence of logical operations performed by a computer in executing a program.
Time-Based Model of Security
Implementing a combination of preventive, detective, and corrective controls that protect information assets long enough to enable an organization to recognize that an attack is occurring and take steps to thwart it before any information is lost or compromised.
Segregation of Systems Duties
Implementing control procedures to clearly divide authority and responsibility within the information system function.
Forensic Investigators
Individuals who specialize in fraud, most of whom have specialized training with law enforcement agencies such as the FBI or IRS or have professional certifications such as Certified Fraud Examiner (CFE).
Sequence Codes
Items are numbered consecutively so that gaps in the sequence code indicate missing items that should be investigated. Examples include prenumbered checks, invoices, and purchase orders.
Sarbanes-Oxley Act (SOX)
Legislation intended to prevent financial statement fraud, make financial reports more transparent, provide protection to investors, strengthen internal controls at public companies, and punish executives who perpetrate fraud.
Foreign Corrupt Practices Act (FCPA)
Legislation passed to prevent companies from bribing foreign officials to obtain business; also requires all publicly owned corporations maintain a system of internal accounting controls.
Mnemonic Code
Letters and numbers that are interspersed to identify an item. The mnemonic code is derived from the description of the item and is usually easy to memorize.
Man-in-the-Mirror attack
Like a man-in-the-middle attack, but the attacker is Michael Jackson.
Hackerman
Like, the best hacker.
Value Chain
Linking together of all the primary and support activities in a business. Value is added as a product passes through the chain.
Real-Time Mirroring
Maintaining complete copies of a database at two separate data centers and updating both copies in real-time as each transaction occurs.
Snapshot Technique
Marking transactions with a special code, recording them and their master file records before and after processing, and storing the data to later verify that all processing steps were properly executed.
Compatibility Test
Matching the user's authentication credentials against the access control matrix to determine whether that employee should be allowed to access that resource and perform the requested action.
Investment Fraud
Misrepresenting or leaving out facts in order to promote an investment that promises fantastic profits with little or no risk. Examples include Ponzi schemes and securities fraud.
Plaintext
Normal text that has not been encrypted.
Auditing
Objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria.
Operations Objectives
Objectives that deal with the effectiveness and efficiency of company operations and determine how to allocate resources.
Reporting Objectives
Objectives that deal with the effectiveness and efficiency of company operations and determine how to allocate resources.
Compliance Objectives
Objectives to help the company comply with all applicable laws and regulations.
Reasonable Assurance
Obtaining complete assurance that information is correct is prohibitively expensive, so auditors accept a reasonable degree of risk that the audit conclusion is incorrect.
Security Management
People who make sure systems are secure and protected from internal and external threats.
Data Control Group
People who ensure that source data is approved, monitor the flow of work, reconcile input and output, handle input errors, and distribute systems output.
Systems Analysts
People who help users determine their information needs and design systems to meet those needs.
Computer Operators
People who operate the company's computers.
Users
People who record transactions, authorize data processing, and use system output.
Programmers
People who use the analysts' design to create and test computer programs.
Reperformance
Performing calculations again to verify quantitative information.
Systems Administrator
Person responsible for making sure a system operates smoothly and efficiently.
Network Manager
Person who ensures that the organization's networks operate properly.
Hash
Plaintext that has been transformed into short code.
Ciphertext
Plaintext that was transformed into unreadable gibberish using encryption.
Project Milestones
Points where progress is reviewed and actual and estimated completion times are compared.
Control Activities
Policies, procedures, and rules that provide reasonable assurance that control objectives are met and risk responses are carried out.
Transaction Processing
Process of capturing transaction data, processing it, storing it for later use, and producing information output, such as a managerial report or a financial statement.
Change Management
Process of making sure changes are made smoothly and efficiently and do not negatively affect the system.
Embedded Audit Modules
Program code segments that perform audit functions, report test results, and store the evidence collected for auditor review.
Packet Sniffers
Programs that capture data from information packets as they travel over the Internet or company networks. Captured data is sifted to find confidential or proprietary information.
Data masking
Protecting privacy by replacing sensitive personal information with fake data. Also called tokenization.
Check Digit Verification
Recalculating a check digit to verify that a data entry error has not been made.
Turnaround Documents
Records of company data sent to an external party and then returned to the system as input. Turnaround documents are in machine-readable form to facilitate their subsequent processing as input records. An example is a utility bill.
Pharming
Redirecting website traffic to a spoofed website.
Virtualization
Running multiple systems simultaneously on one physical computer.
Phishing
Sending an electronic message pretending to be a legitimate company, usually a financial institution, and requesting information or verification of information and often warning of a consequence if it is not provided. The request is bogus, and the information gathered is used to commit identity theft or to steal funds from the victim's account.
Segregation of Accounting Duties
Separating the accounting functions of authorization, custody, and recording to minimize an employee's ability to commit fraud.
Program Tracing
Sequentially printing all executed program steps, intermingled with output, so a program's execution sequence can be observed.
Typosquatting
Setting up similarly named websites so that users making typographical errors when entering a website name are sent to an invalid site.
Threat/Event
Similar to a virus, except that it is a program rather than a code segment hidden in a host program. A worm also copies itself automatically and actively transmits itself directly to other systems.
Worm
Similar to a virus, except that it is a program rather than a code segment hidden in a host program. A worm also copies itself automatically and actively transmits itself directly to other systems.
Intrusion Prevention Systems (IPS)
Software or hardware that monitors patterns in the traffic flow to identify and automatically block attacks.
Source Code Comparison Program
Software that compares the current version of a program with its source code; differences should have been properly authorized and correctly incorporated.
Concurrent Audit Techniques
Software that continuously monitors a system as it processes live data and collects, evaluates, and reports information about system reliability.
Mapping Programs
Software that identifies unexecuted program code.
Automated Decision Table Programs
Software that interprets a program's source code and generates a decision table of the program's logic.
Scanning Routines
Software that searches a program for the occurrence of specified items.
Spyware
Software that secretly monitors computer usage, collects personal information about users, and sends it to someone else, often without the computer user's permission.
Test Data Generator
Software that, based on program specifications, generates a set of data used to test program logic.
Data Loss Prevention (DLP)
Software that works like antivirus programs in reverse, blocking outgoing messages (e-mail, instant messages, etc.) that contain key words or phrases associated with intellectual property or other sensitive data the organization wants to protect.
Specific Authorization
Special approval an employee needs in order to be allowed to handle a transaction.
Routers
Special-purpose devices that are designed to read the source and destination address fields in IP packet headers to decide where to send (route) the packet next.
Inherent Risk (Audit)
Susceptibility to significant control problems in the absence of internal control.
Reports
System output, organized in a meaningful fashion, that is used by employees to control operational activities, by managers to make decisions and design strategies, and by investors and creditors to understand a company's business activities.
Belief System
System that describes how a company creates value, helps employees understand management's vision, communicates company core values, and inspires employees to live by those values.
Boundary System
System that helps employees act ethically by setting boundaries on employee behavior.
Interactive Control System
System that helps managers to focus subordinates' attention on key strategic issues and to be more involved in their decisions.
Diagnostic Control System
System that measures, monitors, and compares actual company progress to budgets and performance goals.
Risk Appetite
The amount of risk a company is willing to accept to achieve its goals and objectives. To avoid undue risk, risk appetite must be in alignment with company strategy.
Throughput
The amount of work performed by a system during a given period of time.
Test of Controls
Tests to determine whether existing controls work as intended.
Process
The action that transforms data into other data or information.
Data Value
The actual value stored in a field. It describes a particular attribute of an entity. For example, the customer name field would contain "ZYX Company" if that company was a customer.
Recovery Point Objective (RPO)
The amount of data the organization is willing to reenter or potentially lose.
General Authorization
The authorization given to employees to handle routine transactions without special approval.
Value of Information
The benefit provided by information less the cost of producing it.
Utilization
The percentage of time a system is used.
Fault Tolerance
The capability of a system to continue performing when there is a hardware failure.
Source Data Automation
The collection of transaction data in machine-readable form at the time and place of origin. Examples are point-of-sale terminals and ATMs.
Internal Environment
The company culture that is the foundation for all other ERM components, as it influences how organizations establish strategies and objectives; structure business activities; and identify, assess, and respond to risk.
Online, Real-Time Processing
The computer system processes data immediately after capture and provides updated information to users on a timely basis.
Information Technology (IT)
The computers and other electronic devices used to store, retrieve, transmit, and manipulate data.
Opportunity
The condition or situation that allows a person or organization to commit and conceal a dishonest act and convert it to personal gain.
Data Source
The entity that produces or sends the data that is entered into a system.
Data Destination
The entity that receives data produced by a system.
Analytical Review
The examination of the relationships between different sets of data.
Rationalization
The excuse that fraud perpetrators use to justify their illegal behavior.
Change Control and Change Management
The formal process used to ensure that modifications to hardware, software, or processes do not reduce systems reliability.
Data Processing Cycle
The four operations (data input, data storage, data processing, and information output) performed on data to generate meaningful and relevant information.
Entity
The item about which information is stored in a record. Examples include an employee, an inventory item, and a customer.
Business Processes or Transaction Cycles
The major give-get exchanges that occur frequently in most companies.
Expected Loss
The mathematical product of the potential dollar loss that would occur should a threat become a reality (called impact or exposure) and the risk or probability that the threat will occur (called likelihood).
Recovery Time Objective (RTO)
The maximum tolerable time to restore an organization's information system following a disaster, representing the length of time that the organization is willing to attempt to function without its information system.
Data Flow
The movement of data among processes, stores, sources, and destinations.
Audit Committee
The outside, independent board of director members responsible for financial reporting, regulatory compliance, internal control, and hiring and overseeing internal and external auditors.
Data Store
The place or medium where system data is stored.
Field
The portion of a data record where the data value for a particular attribute is stored. For example, in a spreadsheet each row might represent a customer and each column is an attribute of the customer. Each cell in a spreadsheet is a field.
Exposure/Impact
The potential dollar loss should a particular threat become a reality.
Likelihood/Risk
The probability that a threat will come to pass.
Log Analysis
The process of examining logs to identify evidence of possible attacks.
Hardening
The process of modifying the default configuration of endpoints to eliminate unnecessary settings and services.
Patch Management
The process of regularly applying patches and updates to software.
Authorization (digital)
The process of restricting access of authenticated users to specific portions of the system and limiting what actions they are permitted to perform.
Key Escrow
The process of storing a copy of an encryption key in a secure location.
Encryption
The process of transforming normal text, called plaintext, into unreadable gibberish, called ciphertext.
Internal Controls
The processes and procedures implemented to provide reasonable assurance that control objectives are met.
Attributes
The properties, identifying numbers, and characteristics of interest of an entity that is stored in a database. Examples are employee number, pay rate, name, and address.
Residual Risk
The risk that remains after management implements internal controls or some other response to risk.
Predictive Analysis
The use of data warehouses and complex algorithms to forecast future events, based on historical trends and calculated probabilities.
Multimodal Authentication
The use of multiple authentication credentials of the same type to achieve a greater level of security.
Multifactor Authentication
The use of two or more types of authentication credentials in conjunction to achieve a greater level of security.
Misappropriation of Assets
Theft of company assets by employees.
Internal Control Flowchart
Used to describe, analyze, and evaluate internal controls, including identifying system strengths, weaknesses, and inefficiencies.
White-Collar Criminals
Typically, businesspeople who commit fraud. White-collar criminals usually resort to trickery or cunning, and their crimes usually involve a violation of trust or confidence.
Hacking
Unauthorized access, modification, or use of an electronic device or some element of a computer system.
Spam
Unsolicited e-mail that contains either advertising or offensive content.
Vishing
Voice phishing; it is like phishing except that the victim enters confidential data by phone.
System Performance Measurements
Ways to evaluate and assess a system.
Goal Congruence
When a subsystem achieves its goals while contributing to the organization's overall goal.
Goal Conflict
When a subsystem's goals are inconsistent with the goals of another subsystem or the system as a whole.
Buffer Overflow Attack
When the amount of data entered into a program exceeds the capacity of its input buffer. The overflow overwrites the next computer instruction, causing the system to crash. Hackers exploit this by crafting the input so that the overflow contains code that tells the computer what to do next; this code could open a back door into the system.
Confirmation
Written communication with independent third parties to confirm the accuracy of information, such as customer account balances.
Narrative Description
Written, step-by-step explanation of system components and how they interact.