Accounting Information Systems Final Study Guide


Processing Controls

1. Data Matching: ~Multiple data values must match before processing occurs. 2. File Labels: ~Ensure the correct and most current file is being updated. 3. Batch Total Recalculation: ~Compare the batch totals calculated after processing to the input totals. 4. Cross-Footing and Zero Balance Tests: ~Compute totals using multiple methods to ensure the same results. 5. Write Protection: ~Eliminate the possibility of overwriting or erasing existing data. 6. Concurrent Update Controls: ~Lock records or fields while they are being updated so multiple users are not updating them at the same time.

Internal Environment: Management's philosophy, operating style, and risk appetite can be assessed by answering questions like:

1. Does management take undue business risks to achieve its objectives, or does it assess potential risks and rewards prior to acting? 2. Does management manipulate performance measures, such as net income, so they are seen in a more favorable light? 3. Does management pressure employees to achieve results regardless of the methods, or does it demand ethical behavior? Do the ends justify the means?

Control Objectives, Threats, and Procedures

1. All transactions are properly authorized. 2. All recorded transactions are valid. 3. All valid and authorized transactions are recorded. 4. All transactions are recorded accurately. 5. Assets are safeguarded from loss or theft. 6. Business activities are performed efficiently and effectively. 7. The company is in compliance with all applicable laws and regulations. 8. All disclosures are full and fair.

Security Life Cycle

1. Assess threats and select risk response 2. Develop and communicate policy 3. Acquire and implement solutions 4. Monitor performance

Types of computer attacks

1. Botnet (Robot Network): ~Network of hijacked computers. ~Hijacked computers carry out processes without the users' knowledge. ~Zombie: a hijacked computer. 2. Denial-of-Service (DoS) Attack: ~Constant stream of requests made to a Web server that overwhelms it and shuts down a service; when the requests come from a botnet it is a distributed DoS (DDoS). 3. Spoofing: ~Making an electronic communication look as if it comes from a trusted official source to lure the recipient into providing information.

Identify the preventive control below:

Approving customer credit prior to approving a sales order.

Information that needs to be stored securely for 10 years or more would most likely be stored in which type of file? a. backup b. archive c. encrypted d. log

Archive

Internal Environment: Authority and Responsibility

Assigned through: ~Formal job descriptions. ~Employee training. ~Operating plans, schedules, and budgets. ~Codes of conduct. ~Written policies and procedures manuals which cover: ~Proper business practices. ~Knowledge and experience needed by key personnel. ~Resources provided to carry out duties. ~Policies and procedures for handling particular transactions. ~The organization's chart of accounts. ~Sample copies of forms and documents.

9) These are used to create digital signatures. A) Asymmetric encryption and hashing B) Hashing and packet filtering C) Packet filtering and encryption D) Symmetric encryption and hashing

Asymmetric encryption and hashing

Authentication Controls

Authentication: Verifying the identity of the person or device attempting to access the system. Three types of credentials can be used to verify a person's identity: 1. Something the person knows, such as a password or personal identification number (PIN). 2. Something the person has, such as a smart card or ID badge. 3. Some physical or behavioral characteristic (referred to as a biometric identifier) of the person, such as fingerprints or typing patterns.

The control procedure designed to restrict what portions an employee can access and what actions he or she can perform is called a. authentication b. authorization c. intrusion prevention d. intrusion detection

Authorization

To achieve effective segregation of duties, certain functions must be separated. Which of the following is the correct listing of the accounting-related functions that must be segregated? a. control, recording and monitoring b. authorization, recording and custody c. control, custody, and authorization d. monitoring, recording, and planning

Authorization, recording and custody

Control Activities: Proper Authorization of Transactions and Activities

Authorization: ~Establishing policies for employees to follow and then empowering them to perform certain organizational functions. Authorizations are often documented by signing, initialing, or entering an authorization code on a document or record. Digital Signature: ~A means of electronically signing a document with data that cannot be forged. Specific Authorization: ~Special approval an employee needs in order to be allowed to handle a transaction. General Authorization: ~The authorization given to employees to handle routine transactions without special approval.

Authorization Controls

Authorization: The process of restricting the access of authenticated users to specific portions of the system and limiting what actions they are permitted to perform.

2. Which document often accompanies merchandise shipped to a customer? a. picking ticket b. packing slip c. credit memo d. sales order

B

8. Which of the following provides a means both to improve the efficiency of processing customer payments and also to enhance control over those payments? a. CRM b. lockboxes c. aging accounts receivable d. EDI

B

The basic document created in the billing process is call a ________. A.bill of lading B.sales invoice C.sales order D.packing list

B

Two documents usually accompany goods shipped to a customer. What are the two documents? A.a bill of lading and an invoice B.a packing slip and a bill of lading C.an invoice and a packing slip D.an invoice and a sales order

B

Which of the following statements about obtaining consent to collect and use a customer's personal information is true? a. the default policy in Europe is opt-out, but in the US the default is opt-in. b. the default policy in Europe is opt-in, but in the US the default is opt-out. c. the default policy in both Europe and the US is opt-in. d. the default policy in both Europe and the US is opt-out.

B

Which of the following statements is true? a. encryption and hashing are both reversible (can be decoded). b. encryption is reversible, but hashing is not. c. hashing is reversible, but encryption is not. d. neither hashing nor encryption is reversible

B

Your current system is deemed to be 90% reliable. A major threat has been identified with an impact of $3,000,000. Two control procedures exist to deal with the threat. Implementation of control A would cost $100,000 and reduce likelihood to 6%. Implementation of control B would cost $140,000 and reduce likelihood to 4%. Implementation of both controls would cost $220,000 and reduce the likelihood to 2%. Given the data, what should you do? a. A only b. B only c. A and B d. Neither

B only. Expected loss with no added control: 10% x $3,000,000 = $300,000. Control A cuts expected loss to $180,000, a $120,000 saving for $100,000 (net $20,000). Control B cuts it to $120,000, a $180,000 saving for $140,000 (net $40,000). Both cut it to $60,000, a $240,000 saving for $220,000 (net $20,000). B alone has the highest net benefit.

5. Which of the following revenue cycle activities can potentially be eliminated by technology? a. sales order entry b. shipping c. billing d. cash collections

Billing

________ is a plan that specifies how to resume not only IT operations but all business processes in the event of a major calamity. A.Disaster recovery plan B.Business continuity plan C.Real-time monitoring plan D.Business contingency plan

Business continuity plan

1. Which activity is part of the sales order entry process? a. setting customer credit limits b. preparing a bill of lading c. checking customer credit d. approving sales returns

C

10. For good internal control over customer remittances, the mailroom clerk should separate the checks from the remittance advices and send the customer payments to which department? a. billing b. accounts receivable c. cashier d. sales

C

Confidentiality focuses on protecting _________________. a. personal information collected from customers. b. a company's annual report stored on its website. c. merger and acquisition plans. d. all of the above.

C

One of the ten Generally Accepted Privacy Principles concerns security. According to GAPP, what is the nature of the relationship between security and privacy? a. Privacy is a necessary, but not sufficient, precondition to effective security. b. privacy is both necessary and sufficient to effective security. c. security is a necessary, but not sufficient, precondition to protect privacy. d. security is both necessary and sufficient to protect privacy.

C

The least effective control for preventing an organization from processing fraudulent credit memos is to _______. A.match each credit memo with a receiving report. B.require approval for each credit memo by the credit manager. C.reconcile total of credit memos to total debits posted to customers' subsidiary ledgers. D.sequentially prenumber all credit memos and perform a sequence check at the end of each day.

C

Digital Signature

A hash of a document, encrypted with the document creator's private key. Provides proof: ~that the document has not been altered. ~of who created the document. Creating a digital signature: 1. The document creator uses a hashing algorithm to generate a hash of the original document. 2. The document creator uses his/her private key to encrypt the hash created in step 1. 3. The encrypted hash is a legally-binding digital signature; anyone holding the creator's public key can decrypt it and compare the result with a fresh hash of the document.

Bill of Lading

A legal contract that defines responsibility for goods while they are in transit.

Firewall

A special-purpose hardware device or software running on a general-purpose computer that controls both inbound and outbound communication between the system behind the firewall and other networks. ~Uses more sophisticated techniques than border routers to filter packets. ~Most employ stateful packet filtering. ~Consults a table to determine whether an incoming packet is part of an ongoing communication initiated by an internal computer. ~Enables the firewall to reject specially crafted attack packets that would have passed a simple static packet filter.
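The difference between a static filter and the stateful filter described above, as an added example (not from the study guide and not any real firewall's code). The packets, the rule set and the 10.0.0.0/8 "internal" network are constructed for the illustration; nothing here touches a socket.

```python
"""Static vs. stateful packet filtering on a constructed packet sequence."""

from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed address space behind the firewall


def static_filter(pkt):
    """Border-router style rule: any TCP packet from source port 80 may come in,
    because that is what replies to outbound web requests look like."""
    if ip_address(pkt["src"]) in INTERNAL:
        return True                     # outbound traffic is always allowed in this toy policy
    return pkt["proto"] == "tcp" and pkt["sport"] == 80


class StatefulFilter:
    """Remembers flows opened from inside; an inbound packet must match one."""

    def __init__(self):
        # Each entry: (internal_ip, internal_port, external_ip, external_port)
        self.table = set()

    def check(self, pkt):
        if ip_address(pkt["src"]) in INTERNAL:
            # Outbound: record the flow so the reply can be recognised later.
            self.table.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
            return True
        # Inbound: accept only the exact reverse of an ongoing internal flow.
        return (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]) in self.table


def run_scenario():
    """Return (static_verdicts, stateful_verdicts) for three constructed packets."""
    packets = [
        # 1. Internal host opens a web request to an outside server.
        {"src": "10.0.0.5", "dst": "203.0.113.10", "proto": "tcp", "sport": 51000, "dport": 80},
        # 2. The legitimate reply to packet 1.
        {"src": "203.0.113.10", "dst": "10.0.0.5", "proto": "tcp", "sport": 80, "dport": 51000},
        # 3. Crafted packet: source port 80 chosen to look like a reply, aimed at SMB.
        {"src": "198.51.100.7", "dst": "10.0.0.9", "proto": "tcp", "sport": 80, "dport": 445},
    ]
    fw = StatefulFilter()
    return [static_filter(p) for p in packets], [fw.check(p) for p in packets]
```

The static filter lets packet 3 through because it only looks at the packet in front of it; the stateful filter rejects it because no internal host ever opened a connection to 198.51.100.7.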

Access Control Matrix

A table used to implement authorization controls.
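An access control matrix and its compatibility test as code, added here as an example (not from the study guide). The users, resources and permission letters are assumed for the illustration; the second half applies the segregation-of-duties idea from the authorization/recording/custody question above by flagging any user who holds both halves of a conflicting pair of cells.

```python
"""Access control matrix, compatibility test, and a segregation-of-duties check."""

# Rows: authenticated users. Columns: protected resources.
# Permission letters: R read, W update, C create, D delete (constructed data).
ACCESS_CONTROL_MATRIX = {
    "sales_clerk": {"customer_master": "R", "sales_orders": "RC", "credit_limits": "R"},
    "credit_mgr":  {"customer_master": "R", "sales_orders": "R", "credit_limits": "RW"},
    "ar_clerk":    {"customer_master": "RW", "sales_orders": "R", "ar_ledger": "RW"},
    "cashier":     {"ar_ledger": "R", "cash_receipts": "RC"},
}


def compatibility_test(user, resource, action, matrix=ACCESS_CONTROL_MATRIX):
    """True only if the matrix grants `action` on `resource` to `user`.

    Default deny: an unknown user, an unknown resource, or a missing
    permission letter all fail the test.
    """
    return action in matrix.get(user, {}).get(resource, "")


# Pairs of cells one user must never hold together: authorizing credit while
# creating orders, and recording receivables while handling cash receipts.
SOD_CONFLICTS = [
    (("credit_limits", "W"), ("sales_orders", "C")),
    (("ar_ledger", "W"), ("cash_receipts", "C")),
]


def sod_violations(matrix=ACCESS_CONTROL_MATRIX):
    """List (user, cell_a, cell_b) for every user holding both halves of a conflict."""
    found = []
    for user, grants in matrix.items():
        for (res_a, act_a), (res_b, act_b) in SOD_CONFLICTS:
            if act_a in grants.get(res_a, "") and act_b in grants.get(res_b, ""):
                found.append((user, (res_a, act_a), (res_b, act_b)))
    return found
```

Re-running sod_violations after every change to the matrix is the check a reviewer wants: the matrix itself says what each user may do, but only the conflict list says whether the combination is acceptable.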

Which of the following statements is true? a. Virtualization significantly reduces RTO for hardware problems. b. Cloud computing reduces the risk that a single catastrophe from either a natural disaster or terrorist attack would result in significant downtime and loss of availability. c. Backups still need to be made when using either virtualization or cloud computing. d. All of the above are true.

All of the above are true

Which of the following statements is true? a. "Emergency" changes need to be documented once the problem is resolved. b. Changes should be tested in a system separate from the one used to process transactions. c. Change controls are necessary to maintain adequate segregation of duties. d. All of the above are true.

All of the above are true.

1977 Foreign Corrupt Practices Act

All publicly traded corporations subject to the SEC are required to keep records that accurately and fairly represent transactions and assets in reasonable detail. Internal control systems must assure: ~Transactions are authorized. ~Transactions are recorded in conformity with GAAP and to maintain accountability. ~Access to assets is permitted only as authorized. ~Accountability for assets.

Penetration Test

An authorized attempt by either an internal audit team or an external security consulting firm to break into the organization's information system.

Cold Site

An empty building that is prewired for necessary telephone and Internet access, plus a contract with one or more vendors to provide all necessary equipment within a specified period of time.

Parity bits

An extra bit added to every character, used to check transmission accuracy.

Training

An important step of Securing IP. Employees need to know what can or can't be read, written, copied, deleted, or downloaded.

Chapter 12

The Revenue Cycle: Sales to Cash Collections

Which of the following is an example of a preventive control? a. The creation of a "security-aware" culture. b. The creation of a "Log user friendly" culture. c. The creation of a "continuous monitoring" culture. d. The creation of a chief information security officer position.

The creation of a "security-aware" culture.

Voice over Internet Protocol (VoIP)

The increasing use of this means that telephone conversations are now routed as packets over the Internet. VoIP telephone conversations are as vulnerable to interception as any other information sent over the internet. VoIP conversations about sensitive topics should be encrypted.

Recovery Time Objective (RTO)

The maximum tolerable time to restore an organization's information system following a disaster, representing the length of time that the organization is willing to attempt to function without its information system.

Objective Setting

The objectives: ~Need to be easy to understand and measure. ~Should be prioritized. ~Should be aligned with the company's risk appetite. For each set of objectives: ~Critical success factors must be defined. ~Performance measures should be established to determine whether the objectives are met.

Patch Management

The process for regularly applying patches and updates to all of an organization's software. Challenges: ~Patches can have unanticipated side effects that cause problems. ~May be many patches each year for each software program.

Which of the following is an example of the kind of batch total called a hash total? a. the sum of the purchase amount field in a set of purchase orders. b. the sum of the purchase order number field in a set of purchase orders. c. the number of completed documents in a set of purchase orders. d. all of the above

The sum of the purchase order number field in a set of purchase orders.
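Batch total recalculation, cross-footing and the zero-balance test from the Processing Controls entry, plus the hash total from this question, worked as an added example (not from the study guide). The purchase-order batch, the report table and the journal entry are constructed. Note that a "hash total" in this sense is the sum of a non-financial field; it has nothing to do with cryptographic hashing.

```python
"""Batch totals, cross-footing and zero-balance tests on constructed batches."""

INPUT_BATCH = [  # constructed purchase orders as keyed at data entry
    {"po_number": 1001, "qty": 10, "unit_price": 12.50},
    {"po_number": 1002, "qty": 4, "unit_price": 99.00},
    {"po_number": 1003, "qty": 25, "unit_price": 3.20},
]


def batch_totals(batch):
    """Record count, financial total (extended amounts) and hash total (PO numbers)."""
    return {
        "record_count": len(batch),
        "financial_total": round(sum(po["qty"] * po["unit_price"] for po in batch), 2),
        "hash_total": sum(po["po_number"] for po in batch),
    }


def batch_total_recalculation(input_batch, processed_batch):
    """Names of the totals that no longer agree after processing (empty = clean)."""
    before, after = batch_totals(input_batch), batch_totals(processed_batch)
    return [name for name in before if before[name] != after[name]]


# Cross-footing: a report whose row totals and column footers were keyed separately.
REPORT_COLUMNS = ("widgets", "gadgets")
REPORT_ROWS = [  # constructed sales report
    {"region": "north", "widgets": 100.00, "gadgets": 50.00, "total": 150.00},
    {"region": "south", "widgets": 80.00, "gadgets": 70.00, "total": 150.00},
]
REPORT_FOOTER = {"widgets": 180.00, "gadgets": 120.00, "total": 300.00}


def cross_foot(rows, footer, columns=REPORT_COLUMNS):
    """Totals computed across rows and down columns must reach the same grand total."""
    rows_ok = all(round(sum(r[c] for c in columns), 2) == r["total"] for r in rows)
    down = round(sum(r["total"] for r in rows), 2)
    across = round(sum(footer[c] for c in columns), 2)
    return rows_ok and down == across == footer["total"]


JOURNAL = [  # constructed journal entry: debit AR, credit sales and sales tax payable
    {"account": "AR", "debit": 108.00, "credit": 0.00},
    {"account": "Sales", "debit": 0.00, "credit": 100.00},
    {"account": "Sales tax payable", "debit": 0.00, "credit": 8.00},
]


def zero_balance_test(journal):
    """Debits minus credits over the batch must come to exactly zero."""
    return round(sum(line["debit"] - line["credit"] for line in journal), 2) == 0.0
```

The reason to carry all three batch totals is visible in the checks: transposing a PO number (1003 keyed as 1030) leaves the record count and the financial total untouched and is caught only by the hash total, while a dropped record moves all three.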

Public Key Infrastructure

The system for issuing pairs of public and private keys and corresponding digital certificates.

Electronic funds transfer (EFT)

The transfer of funds through use of online banking software.

Electronic Data Interchange (EDI)

The use of computerized communications and a standard coding scheme to submit business documents electronically in a format that can be automatically processed by the recipient's information system.

Multimodal Authentication

The use of multiple authentication credentials of the same type to achieve a greater level of security.

Multifactor Authentication

The use of two or more types of authentication credentials in conjunction to achieve a greater level of security.

Internal Environment: Audit committee

They oversee: ~The company's internal control structure. ~Its financial reporting process. ~Its compliance with laws, regulations, and standards. They also: ~Work with the corporation's external and internal auditors. ~Hire, compensate, and oversee the auditors.

Internal Environment: The Board of Directors

They should: ~Oversee management. ~Scrutinize management's plans, performance, and activities. ~Approve company structure. ~Review financial results. ~Annually review the company's security policy. ~Interact with internal and external auditors.

Virtual Private Network (VPN)

Using encryption and authentication to securely transfer information over the Internet, thereby creating a "virtual" private network. Basic types of VPNs: ~SSL VPN: uses a browser, encrypting the traffic with SSL/TLS. ~IPsec VPN: uses IPsec, a version of the IP protocol that incorporates encryption as part of creating IP packets. Tunnel: accessible only to those with the proper encryption and decryption keys. No cost of leased telephone lines, satellites, or other communications equipment. Does not work well with firewalls, which cannot inspect encrypted packets.

A ________ is a data entry control that compares the ID number in transaction data to a master file to verify that the ID number exists. A.reasonableness test B.user review C.data matching D.validity check

Validity check

Which of the following controls would prevent entry of a nonexistent customer number in a sales transaction? a. field check b. completeness check c. validity check d. batch total

Validity check

Security implications of Virtualization and Cloud Computing

Virtualization: ~Unsupervised physical access in a virtualization environment exposes not just one device but the entire virtual network to the risk of theft, destruction, or compromise. Cloud Computing: ~Compromising a cloud provider's system may provide unauthorized access to multiple systems. The authentication process is the primary means of protecting data stored in the cloud from unauthorized access. ~Also raises concerns about the other aspects of systems reliability (confidentiality, privacy, processing integrity, and availability) because the organization is outsourcing control of its data and computing resources to a third party.

Which computer fraud technique involves a set of instructions hidden inside a calendar utility that copies itself each time the utility is enabled until the memory is filled and the system crashes?

Virus

A weakness that an attacker can take advantage of to either disable or take control of a system is called a(n) ______ a. exploit b. patch c. vulnerability d. attack

Vulnerability

Which type of computer attack takes place between the time software vulnerability is discovered and the time software developers release a software patch that fixes the problem?

Zero-day attack

Preventive Controls

~Authentication controls (passwords, tokens, biometrics, MAC addresses). ~Authorization controls (access control matrices and compatibility tests). ~Training ~Physical access controls (locks, guards, biometric devices). ~Remote access controls (IP packet filtering by border routers and firewalls using access control lists; intrusion prevention systems; authentication of dial-in users; wireless access controls). ~Host and Application Hardening procedures (firewalls, anti-virus software, disabling of unnecessary features, user account management, software design, e.g., to prevent buffer overflows). ~Encryption

Corrective Controls

~Computer Emergency Response Teams ~Chief Security Officer (CSO) ~Patch Management

Hashing

~Converts information into a "hashed" code of fixed length. ~The code can NOT be converted back to the text. ~If any change is made to the information the hash code will change, thus enabling verification of information.

Important aspects of SOX

~Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession. ~New rules for auditors. ~New rules for audit committees. ~New rules for management. ~New internal control requirements.

Internal Environment: External Influences

~FASB (Financial Accounting Standards Board) ~PCAOB ~SEC ~Insurance companies ~Regulatory agencies for banks, utilities, etc.

COSO's 8 interrelated risk and control components of ERM

~Internal Environment ~Objective Setting ~Event Identification ~Risk Assessment ~Risk Response ~Control Activities ~Information and Communication ~Monitoring

Detective Controls

~Log analysis ~Intrusion detection systems ~Managerial reports ~Security testing (vulnerability scanners, penetration tests)

After SOX, the SEC mandated that:

~Management must base its evaluation on a recognized control framework, developed using a due-process procedure that allows for public comment. ~The report must contain a statement identifying the framework used. ~Management must disclose any and all material internal control weaknesses. ~Management cannot conclude that the company has effective internal control if there are any material weaknesses.

Intent of SOX is to:

~Prevent financial statement fraud. ~Make financial reports more transparent. ~Protect investors. ~Strengthen internal controls in publicly-held companies. ~Punish executives who perpetrate fraud.

Encryption

~Preventive control. ~Process of transforming normal content, called plaintext, into unreadable gibberish. ~Decryption reverses this process.

Control Activities: Categories

~Proper authorization of transactions and activities. ~Segregation of duties. ~Project development and acquisition controls. ~Change management controls. ~Design and use of documents and records. ~Safeguard assets, records, and data. ~Independent checks on performance.

Revenue Cycle Business Activities

~Sales Order Entry ~Shipping ~Billing ~Cash Collections

Cloud Controls

~Software ~Data Storage ~Hardware ~Application Environments. Definition: using a browser to remotely access software, data storage, hardware, and application environments; takes advantage of high bandwidth.

COSO ERM Company's units

~Subsidiary ~Business unit ~Division ~Entity-level

Event Identification: Techniques to identify events

~Use comprehensive lists of potential events. ~Perform an internal analysis. ~Monitor leading events and trigger points. ~Conduct workshops and interviews. ~Perform data mining and analysis. ~Analyze processes.

Fraud perpetrators threaten to harm a company if it does not pay a specified amount of money. What is this fraud technique called?

Cyber-extortion

6. The integrated database underlying an ERP system results in which of the following general threats to the revenue cycle? a. inaccurate or invalid master data b. unauthorized disclosure of sensitive information c. loss or destruction of data d. all of the above

D

The revenue cycle's primary objective is to _______. A.maximize the company's profit. B.provide quality product in order to maximize market share. C.lower expenses. D.provide the right product in the right place at the right time for the right price.

D

Which of the following statements is true? a. VPNs protect the confidentiality of information while it is in transit over the internet. b. encryption limits firewalls' ability to filter traffic. c. a digital certificate contains that entity's public key. d. all of the above are true.

D

Which of the following statements is true? a. symmetric encryption is faster than asymmetric encryption and can be used to provide nonrepudiation of contracts. b. symmetric encryption is faster than asymmetric encryption but cannot be used to provide nonrepudiation of contracts. c. asymmetric encryption is faster than symmetric encryption and can be used to provide nonrepudiation of contracts. d. asymmetric encryption is faster than symmetric encryption but cannot be used to provide nonrepudiation of contracts.

D

Able wants to send a file to Baker over the internet and protect the file so that only Baker can read it and can verify that it came from Able. What should Able do? a. encrypt the file using Able's public key, and then encrypt it again using Baker's private key. b. encrypt the file using Able's private key, and then encrypt it again using Baker's private key. c. encrypt the file using Able's public key, and then encrypt it agin using Baker's public key. d. encrypt the file using Able's private key, and then encrypt it agin using Baker's public key.

D.
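The three-step signature procedure from the Digital Signature entry above and the Able/Baker question here, worked as an added example (not from the study guide). It uses textbook RSA with keys generated at run time by a Miller-Rabin test, which is an assumption made for self-containment: there is no padding, the modulus is far too small for real use, and a message must be numerically smaller than the recipient's modulus. A real system would use RSA-PSS for signing and a hybrid scheme (symmetric key for the file, asymmetric for the key) for confidentiality, which is the symmetric/asymmetric trade-off in the question two above.

```python
"""Hash-then-sign digital signatures and sign-then-encrypt with textbook RSA."""

import hashlib
import random


def is_probable_prime(n, rounds=25, rng=random):
    """Miller-Rabin probabilistic primality test (small-prime sieve first)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng=random):
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # force size and oddness
        if is_probable_prime(candidate, rng=rng):
            return candidate


def generate_keypair(bits=160, rng=random):
    """Return (public, private) as ((n, e), (n, d)). Two 160-bit primes give a
    modulus above 2**256, so a SHA-256 digest fits in a single RSA block."""
    e = 65537
    while True:
        p, q = random_prime(bits, rng), random_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), (p * q, pow(e, -1, phi))


def sign(document, private_key):
    """Step 1: hash the document. Step 2: encrypt the hash with the signer's private key."""
    n, d = private_key
    digest = int.from_bytes(hashlib.sha256(document).digest(), "big")
    return pow(digest, d, n)


def verify(document, signature, public_key):
    """Decrypt the signature with the signer's public key; it must equal a fresh hash."""
    n, e = public_key
    digest = int.from_bytes(hashlib.sha256(document).digest(), "big")
    return pow(signature, e, n) == digest


def encrypt(data, public_key):
    n, e = public_key
    m = int.from_bytes(data, "big")
    if m >= n:
        raise ValueError("textbook RSA: message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(ciphertext, private_key):
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def able_sends_to_baker(document, able_private, baker_public):
    """Able signs with his own private key, then encrypts for Baker with Baker's public key."""
    return encrypt(document, baker_public), sign(document, able_private)


def baker_receives(package, baker_private, able_public):
    """Baker decrypts with his private key, then checks the signature with Able's public key."""
    ciphertext, signature = package
    document = decrypt(ciphertext, baker_private)
    return document, verify(document, signature, able_public)
```

Only Baker's private key can recover the file (confidentiality), and only Able's private key could have produced a signature that Able's public key accepts (origin and nonrepudiation); changing a single byte of the file changes the hash and the verification fails.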

Which of the following provides detailed procedures to resolve the problems resulting from a flash flood that completely destroys a company's data center? a. backup plan b. disaster recovery plan (DRP) c. business continuity plan (BCP) d. archive plan

Disaster Recovery Plan (DRP)

Digital Certificate

Electronic document that contains an entity's public key. Certifies the identity of the owner of that particular public key. Issued by Certificate Authority.

The most effective method for protecting an organization from social engineering attacks is _______.a. a firewall. b. stateful packet filtering. c. a demilitarized zone. d. employee awareness training.

Employee awareness training

Defense-in-depth

Employing multiple layers of controls to avoid a single point-of-failure.

With regards to systems availability, deploying and using multiple components provides an AIS with _______. A.fault tolerance. B.cost savings. C.enhanced processing speed. D.maximum sales.

Fault tolerance

Which data entry application control would detect and prevent entry of alphabetic characters as the price of an inventory item? a. field check b. limit check c. reasonableness check d. sign check

Field check
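The data entry controls asked about in this question and in the two validity-check questions above, run together over a sales transaction as an added example (not from the study guide). The customer and inventory master files, the quantity limit and the reasonableness band are constructed for the illustration; every rejected transaction reports exactly which edit it failed.

```python
"""Input edit checks (completeness, field, sign, limit, validity, reasonableness)."""

CUSTOMER_MASTER = {"C1001": {"name": "Acme"}, "C1002": {"name": "Globex"}}  # constructed
INVENTORY_MASTER = {"W-100": 12.50, "G-200": 99.00}                         # item -> list price
REQUIRED_FIELDS = ("customer_id", "item", "quantity", "unit_price")
QUANTITY_LIMIT = 1000                                                       # assumed policy limit


def edit_checks(txn):
    """Run the edit checks in order and return the list of failures (empty = accepted)."""
    failures = []

    # Completeness check: every required field present and non-blank.
    for field in REQUIRED_FIELDS:
        if txn.get(field) in (None, ""):
            failures.append("completeness:" + field)
    if failures:
        return failures                 # later checks are meaningless without these fields

    # Field check: numeric fields must contain only numeric characters.
    for field in ("quantity", "unit_price"):
        try:
            float(txn[field])
        except (TypeError, ValueError):
            failures.append("field:" + field)
    if failures:
        return failures

    qty, price = float(txn["quantity"]), float(txn["unit_price"])

    # Sign check: a sale needs a positive quantity and price.
    if qty <= 0:
        failures.append("sign:quantity")
    if price <= 0:
        failures.append("sign:unit_price")

    # Limit check: quantity against a fixed upper bound.
    if qty > QUANTITY_LIMIT:
        failures.append("limit:quantity")

    # Validity check: the keyed IDs must exist in the master files.
    if txn["customer_id"] not in CUSTOMER_MASTER:
        failures.append("validity:customer_id")
    listed = INVENTORY_MASTER.get(txn["item"])
    if listed is None:
        failures.append("validity:item")
    # Reasonableness check: keyed price compared with the list price for that item.
    elif not 0.5 * listed <= price <= 1.5 * listed:
        failures.append("reasonableness:unit_price")

    return failures
```

The ordering matters: the field check has to run before the sign and limit checks because those need a number to compare, and the reasonableness check has to follow the validity check because it needs the master-file price to compare against.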

Trade-offs among different components of systems reliability

Firewalls function by inspecting contents of packets, but they cannot examine packets that are encrypted. Ways to deal with problem: 1. Configure the firewall to send encrypted packets to a computer in the demilitarized zone (DMZ) that decrypts them; that computer then sends the decrypted packets back through the firewall for filtering before being allowed into the internal network. ~PRO: allows the firewall to screen all incoming packets. ~CON: sensitive info is unencrypted both in the DMZ and within the internal network. 2. Configure the main firewall to allow encrypted packets to enter the internal network and decrypt them only at their final destination. ~PRO: protects the confidentiality of sensitive info until it reaches the appropriate destination. ~CON: creates potential holes in access controls because not all incoming packets are filtered by the firewall. 3. Have the firewall also function as the VPN termination point, decrypting all incoming traffic and then inspecting the content. ~CON: costly, creates a single point of failure (if the firewall goes down, the VPN does also), and that means sensitive info is not encrypted while traveling on the internal corporate network.

Input Controls

Forms design, cancellation and storage of documents, authorization of documents, authorization and segregation of duties controls, visual scanning, and data entry controls. "Garbage in, garbage out": ~If the data entered into a system are inaccurate, incomplete, or invalid, the output will be too. Only personnel acting within their authority should prepare source documents. In addition, forms design, cancellation and storage of source documents, and automated data entry controls are needed to verify the validity of input data.

LOLer was chatting online with l33ter. "I can't believe how lame some people are! :) I can get into any system by checking out the company website to see how user names are defined and who is on the employee directory. Then, all it takes is brute force to find the password." LOLer is a ________, and the fraud he is describing is ________.

Hacker; Password cracking

Modifying default configurations to turn off unnecessary programs and features to improve security is called a. user account management b. defense-in-depth c. vulnerability scanning d. hardening

Hardening

Hashing v. Encryption

Hashing: 1. One-way function (cannot reverse, or "unhash", to recover the original document). 2. Any size input yields the same fixed-size output. For example, the SHA-256 hashing algorithm produces a 256-bit hash for each of the following: ~a one-sentence document. ~a one-page document. ~a 10-page document. Encryption: 1. Reversible (can decrypt ciphertext back to plaintext). 2. Output size approximately the same as input size. For example: ~a one-sentence document becomes a one-sentence encrypted document. ~a one-page document becomes a one-page encrypted document. ~a 10-page document becomes a 10-page encrypted document.

Which of the following is not a violation of the Sarbanes-Oxley Act (SOX)? The management at Lasalle Investment group _______. A.asked their auditors to make recommendations for the redesign of their information technology system and to aid in the implementation process. B.did not mention to auditors that the company had experienced material weaknesses in the company's internal control systems during the past year. C.selected the company's CEO to chair the audit committee. D.hired the manager from the external audit team as company CFO twelve months after the manager had worked on the audit.

Hired the manager from the external audit team as company CFO 12 months after the manager had worked on the audit.

Business Continuity Plan (BCP)

How to resume not only IT operations, but all business processes. ~Relocating to new offices. ~Hiring temporary replacements.

Processing Controls in Spreadsheets

ISACA has a separate "IT Control Objectives for Sarbanes Oxley" appendix. Important to check for hardwiring (using the value instead of referencing a cell that contains the current value of the variable). Only 2% of firms use multiple people to examine every spreadsheet cell (reliable way to catch spreadsheet errors).
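A check for the hardwiring described above, added here as an example (not from the study guide or from ISACA). The worksheet is a constructed dict of cell address to formula text; the scan strips cell references and then reports any numeric literal left inside a formula, which is where a keyed-in rate or threshold hides instead of being referenced from an input cell.

```python
"""Flag numeric constants hard-wired into spreadsheet formulas."""

import re

WORKSHEET = {  # constructed: the tax rate lives in D1; C3 and C4 ignore it
    "D1": "0.08",                        # input cell: sales tax rate
    "B2": "1250.00",                     # input cell: order amount
    "C2": "=B2*$D$1",                    # references the rate cell (clean)
    "C3": "=B2*0.08",                    # hard-wires the rate (flagged)
    "C4": "=IF(B2>1000,B2*0.02,0)",      # hard-wired threshold and discount rate (flagged)
}

# A1-style cell reference, with or without absolute-reference dollar signs.
CELL_REF = re.compile(r"\$?[A-Z]{1,3}\$?\d+")
# A numeric literal not glued to a letter, dollar sign, digit or decimal point.
NUMBER = re.compile(r"(?<![A-Z$\d.])\d+(?:\.\d+)?")


def hardwired_constants(formula):
    """Numeric literals embedded in a formula; a plain value is an input cell, not a formula."""
    if not formula.startswith("="):
        return []
    body = CELL_REF.sub(" ", formula[1:])    # remove refs so the 2 in B2 is not a literal
    return NUMBER.findall(body)


def scan_worksheet(sheet):
    """Map each formula cell that carries hard-wired constants to the literals found."""
    findings = {}
    for cell, formula in sheet.items():
        consts = hardwired_constants(formula)
        if consts:
            findings[cell] = consts
    return findings
```

Every literal reported is a candidate for a named input cell; when the tax rate changes, C2 follows D1 automatically while C3 silently keeps the old rate.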

Real-time Mirroring

Maintaining complete copies of a database at two separate data centers and updating both copies in real time as each transaction occurs.

Identify the corrective control below:

Maintaining frequent backup records to prevent loss of data.

Security as a Management Issue

Management is responsible for the accuracy of various internal reports and financial statements produced by the organization's IS. ~SOX Section 302 ~SOX Section 404 ~Security is a key component of the internal controls and systems reliability. ~Management's philosophy and operating style are critical to an effective control environment (COSO model).

Which of the following statements about the control environment is false? a. Management's attitudes toward internal control and ethical behavior have little impact on employee beliefs or actions b. An overly complex or unclear organizational structure may be indicative of problems that were more serious c. A written policy and procedures manual is an important tool for assigning authority and responsibility d. Supervision is especially important in organizations that cannot afford elaborate responsibility reporting or are too small to have an adequate separation of duties

Management's attitudes toward internal control and ethical behavior have little impact on employee beliefs or actions.

Objective Setting: Operations Objectives and Compliance & Reporting Objectives

Operations Objectives: ~Are a product of management preferences, judgments, and style. ~Vary significantly among entities. ~Are influenced by and must be relevant to the industry, economic conditions, and competitive pressures. ~Give clear direction for resource allocation. Compliance and Reporting Objectives: ~Many are imposed by external entities. ~A company's reputation can be impacted significantly by the quality of its compliance.

Trust Services Framework

Organizes IT-related controls into five principles that jointly contribute to systems reliability: 1. Security ~Access (both physical and logical) to the system and its data is controlled and restricted to legitimate users. 2. Confidentiality ~Sensitive organizational information (e.g., marketing plans, trade secrets) is protected from unauthorized disclosure. 3. Privacy ~Personal information about customers, employees, suppliers, or business partners is collected, used, disclosed, and maintained only in compliance with internal policies and external regulatory requirements and is protected from unauthorized disclosure. 4. Processing Integrity ~Data are processed accurately, completely, in a timely manner, and only with proper authorization. 5. Availability ~The system and its information are available to meet operational and contractual obligations. Information security is the foundation of systems reliability and is necessary for achieving each of the other four principles.

Which of the following is a control that can be used to verify the accuracy of information transmitted over a network? a. completeness check b. check digit c. parity bit d. size check

Parity bit
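The parity bit from this question and the Parity bits entry above, as an added example (not from the study guide). Each 7-bit ASCII character is framed with an eighth, even-parity bit and the receiver recomputes it; line noise is simulated with XOR masks. The example also shows the caveat a practitioner should keep in mind: parity catches an odd number of flipped bits in a character and misses an even number, which is why check digits and cryptographic integrity checks exist alongside it.

```python
"""Even parity on 7-bit characters: encode, detect single-bit errors, miss double-bit ones."""


def parity_bit(value7):
    """Even parity: the bit that makes the total count of 1s in the frame even."""
    return bin(value7).count("1") % 2


def encode(message):
    """Return 8-bit frames for an ASCII string, parity bit in the high position."""
    return [(parity_bit(c) << 7) | c for c in message.encode("ascii")]


def decode(frames):
    """Return (text, indexes_of_frames_with_parity_errors)."""
    chars, bad = [], []
    for i, frame in enumerate(frames):
        data = frame & 0x7F
        if (frame >> 7) != parity_bit(data):
            bad.append(i)
        chars.append(chr(data))
    return "".join(chars), bad


def corrupt(frames, index, mask):
    """Simulate line noise: flip the bits set in `mask` within one frame."""
    out = list(frames)
    out[index] ^= mask
    return out
```

Flipping one data bit (or the parity bit itself) in a frame is reported; flipping two data bits in the same frame turns "PAY 100" into "PAY 800" with no error reported, so a parity check alone is not an integrity control against deliberate alteration.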

Which of the following is a corrective control designed to fix vulnerabilities? a. virtualization b. patch management c. penetration testing d. authorization

Patch Management

________ is an authorized attempt by an internal audit team or an external security consultant to attempt to break into the organization's information system. a. Log analysis test b. Intrusion test c. Penetration test d. Vulnerability test

Penetration Test

Which of the following is a detective control? a. hardening endpoints b. physical access controls c. penetration testing d. patch management

Penetration Testing

Someone redirects a website's traffic to a bogus website, usually to gain access to personal and confidential information. What is this computer fraud technique called?

Pharming

A hacker who changed the voice mail greeting of a company to say that it is offering free products by asking customers to dial a different phone number to claim their gift is engaging in?

Phreaking

A perpetrator attacks phone systems to obtain free phone line access or uses telephone lines to transmit viruses and to access, steal, and destroy data. What is this computer fraud technique called?

Phreaking

Revenue Cycle Business Activities: Shipping

Pick and Pack the Order: 1. Picking ticket. 2. Record quantity of each item actually picked. 3. Transfer inventory to the shipping department. 4. Technologies: ~RFID, barcodes.
Ship the Goods: 1. Packing slip. 2. Bill of lading. 3. Freight bill.

Control Activities

Policies, procedures, and rules that provide reasonable assurance that management's control objectives are met and their risk responses are carried out. ~It is management's responsibility to develop a secure and adequately controlled system. ~Management must also establish a set of procedures to ensure control compliance and enforcement.

Revenue Cycle Business Activities: Cash Collections

Possible approaches to collecting cash: 1. Turnaround documents forwarded to accounts receivable. 2. Lockbox arrangements. 3. Electronic lockboxes. 4. Electronic Funds Transfer and bill payment. 5. Financial Electronic data interchange (FEDI). 6. Accept credit cards or procurement cards from customer.

All other things being equal, which of the following is true? a. Detective controls are superior to preventive controls b. Corrective controls are superior to preventive controls c. Preventive controls are equivalent to detective controls d. Preventive controls are superior to detective controls

Preventive controls are superior to detective controls.

Disaster Recovery Plan (DRP)

Procedures to restore an organization's IT function in the event that its data center is destroyed. ~Cold site ~Hot site ~Second data center

Chapter 10

Processing Integrity and Availability Controls

Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM)

Provides both criminal and civil penalties for violations of the law. Applies to commercial e-mail, which is defined as any e-mail that has the primary purpose of advertising or promotion. ~This covers much of the legitimate e-mail that many organizations send to their customers, suppliers, etc. ~Congress passed this Act in 2003.

Cloud Security Ownership

Public Cloud: ~Owned by a third party.
Private Cloud: ~Owned by the company.
Hybrid Cloud: ~Owned by both a third party and the company.

Which of the following is not an independent check? a. bank reconciliation b. periodic comparison of subsidiary ledger totals to control accounts c. trial balance d. re-adding the total of a batch of invoices and comparing it with your first total

Re-adding the total of a batch of invoices and comparing it with your first total.

Control Activities: Segregation of Accounting Duties

Separating the accounting functions of authorization, custody, and recording to minimize an employee's ability to commit fraud. 1. Authorization: ~Approving transactions and decisions. 2. Recording: ~Preparing source documents; entering data into computer systems; and maintaining journals, ledgers, files, or databases. 3. Custody: ~Handling cash, tools, inventory, or fixed assets; receiving incoming customer checks; writing checks.

Which of the following is a control procedure relating to both the design and the use of documents and records? a. locking blank checks in a drawer b. reconciling the bank statement c. sequentially prenumbering sales invoices d. comparing actual physical quantities with recorded amounts

Sequentially prenumbering sales invoices

Techniques used to obtain confidential information, often by tricking people, are referred to as what?

Social engineering

Information Rights Management (IRM)

Software that offers the capability not only to limit access to specific files or documents but also to specify the actions (read, copy, print, download, etc.) that individuals who are granted access to that resource can perform. Some IRM software even has the capability to limit access privileges to a specific period of time and to remotely erase protected files.

Data Loss Prevention (DLP)

Software which works like antivirus programs in reverse, blocking outgoing messages (e-mail, instant messages, etc.) that contain key words or phrases associated with intellectual property or other sensitive data the organization wants to protect.

Which systems use the same key to encrypt communications and to decrypt communications? A) asymmetric encryption B) symmetric encryption C) hashing encryption D) public key encryption

Symmetric encryption

Which of the following techniques is the most efficient way to process customer payments and update accounts receivable? a. EFT b. UPIC c. FEDI d. ACH

FEDI

Types of spoofing

1. E-mail: ~E-mail sender appears as if it comes from a different source. 2. Caller-ID: ~Incorrect number is displayed. 3. IP address: ~Forged IP address to conceal the identity of the sender of data over the Internet or to impersonate another computer system. 4. Address Resolution Protocol (ARP): ~Allows a computer on a LAN (local area network) to intercept traffic meant for any other computer on the LAN. 5. SMS: ~Incorrect number or name appears; similar to caller-ID spoofing but for text messaging. 6. Web page: ~Phishing. 7. DNS (domain name system): ~Intercepting a request for a Web service and sending the request to a false service.

3 Commonly used batch totals

1. Financial Total: ~A type of batch total that equals the sum of a field that contains monetary values. 2. Hash Total: ~A type of batch total generated by summing values for a field that would not usually be totaled. 3. Record Count: ~A type of batch total that equals the number of records processed at a given time.

Segregated categories of internal controls

1. General controls: ~Make sure an organization's control environment is stable and well managed. ~Examples include security; IT infrastructure; and software acquisition, development, and maintenance controls. 2. Application Controls: ~Prevent, detect, and correct transaction errors and fraud in application programs. ~They are concerned with the accuracy, completeness, validity, and authorization of the data captured, entered, processed, stored, transmitted to other systems, and reported.

Computer attacks and abuse

1. Hacking: ~Unauthorized access, modification, or use of a computer system or other electronic device. 2. Social Engineering: ~Techniques, usually psychological tricks, to gain access to sensitive data or information. ~Used to gain access to secure systems or locations. 3. Malware: ~Any software which can be used to do harm.

Social engineering techniques

1. Identity theft: ~Assuming someone else's identity. 2. Pretexting: ~Inventing a scenario that will lull someone into divulging sensitive information. 3. Posing: ~Using a fake business to acquire sensitive information. 4. Phishing: ~Posing as a legitimate company asking for verification-type information: passwords, accounts, usernames. 5. Pharming: ~Redirecting Web site traffic to a spoofed Web site. 6. Typosquatting: ~Typographical errors when entering a Web site name cause an invalid site to be accessed. 7. Tabnapping: ~Changing an already open browser tab. 8. Scavenging: ~Looking for sensitive information in items thrown away. 9. Shoulder Surfing: ~Snooping over someone's shoulder for sensitive information. 10. Lebanese Looping: ~Capturing ATM credit card numbers. 11. Skimming: ~Double-swiping a credit card. 12. Chipping: ~Planting a device to read credit card information in a credit card reader. 13. Eavesdropping: ~Listening to private conversations.

Hacking for fraud

1. Internet Misinformation: ~Using the internet to spread false or misleading information. 2. Internet Auction: ~Using an internet auction site to defraud another person. ~~Unfairly drive up bidding. ~~Seller delivers inferior merchandise or fails to deliver at all. ~~Buyer fails to make payment. 3. Internet Pump-and-Dump: ~Using the Internet to pump up the price of a stock and then selling it.

Internal environment consists of:

1. Management's philosophy, operating style, and risk appetite. 2. Commitment to integrity, ethical values, and competence. 3. Internal control oversight by the board of directors. 4. Organizational structure. 5. Methods of assigning authority and responsibility. 6. Human resource standards that attract, develop, and retain competent individuals. 7. External influences.

Generally Accepted Privacy Principles

1. Management: ~Procedures and policies. ~Assignment of responsibility. 2. Notice: ~To customers of policies. 3. Choice and Consent: ~Allow customers consent over information provided and stored. 4. Collection: ~Only what is necessary and stated in policy. 5. Use and Retention: ~Based on policy and only for as long as needed for the business. 6. Access: ~Customers should be capable of reviewing, editing, and deleting their info. 7. Disclosure to 3rd Parties: ~Based on policy and only if the 3rd party has the same privacy policy standard. 8. Security: ~Protection of personal info. 9. Quality: ~Allow customer review. ~Info needs to be reasonably accurate. 10. Monitor and Enforce: ~Ensure compliance with policy.

Three important functions internal controls perform

1. Preventive Controls: ~Deter problems before they arise. ~Examples include hiring qualified personnel, segregating employee duties, and controlling physical access to assets and information. 2. Detective Controls: ~Discover problems that are not prevented. ~Examples include duplicate checking of calculations and preparing bank reconciliations and monthly trial balances. 3. Corrective Controls: ~Identify and correct problems as well as correct and recover from the resulting errors. ~Examples include maintaining backup copies of files, correcting data entry errors, and resubmitting transactions for subsequent processing.

Online Data Entry Controls

1. Prompting: ~An online data entry completeness check that requests each required item of input data, then waits for an acceptable response before requesting the next required item. 2. Closed-loop Verification: ~An input validation method that uses data entered into the system to retrieve and display other related info so that the data entry person can verify the accuracy of the input data.

Hacking Embezzlement Schemes

1. Salami Technique: ~Taking small amounts of many different accounts. 2. Economic Espionage: ~Theft of information, trade secrets, and intellectual property. 3. Cyber-Bullying: ~Internet, cell phones, or other communication technologies to support deliberate, repeated, and hostile behavior that torments, threatens, harasses, humiliates, embarrasses, or otherwise harms another person. 4. Internet Terrorism: ~Act of disrupting electronic commerce and harming computers and communications.

Objective-setting process proceeds as follows

1. Set strategic objectives, the high-level goals that support the company's mission and create value for shareholders. 2. To meet these objectives, identify alternative ways of accomplishing them. 3. For each alternative, identify and assess risks and implications. 4. Formulate a corporate strategy. 5. Then set operations, compliance, and reporting objectives.

Monthly Statement

A document listing all transactions that occurred during the past month and informing customers of their current account balances.

Remittance List

A document listing names and amounts of all customer payments received in the mail.

Packing Slip

A document listing the quantity and description of each item included in a shipment.

Types of malware

1. Spyware: ~Secretly monitors and collects personal information about users and sends it to someone else. ~Adware ~~Pops banner ads on a monitor, collects information about the user's Web-surfing and spending habits, and forwards it to the adware creator. 2. Key logging: ~Records computer activity, such as the user's keystrokes, e-mails sent and received, Web sites visited, and chat session participation. 3. Trojan Horse: ~Malicious computer instructions in an authorized and otherwise properly functioning program. ~Time bombs/logic bombs ~~Idle until triggered by a specific date or time, by a change in the system, by a message sent to the system, or by an event that does not occur. 4. Trap Door/Back Door: ~A way into a system that bypasses normal authorization and authentication controls. 5. Packet Sniffers: ~Capture data from information packets as they travel over networks. ~Rootkit ~~Used to hide the presence of trap doors, sniffers, and key loggers; conceal software that originates a denial-of-service or an e-mail spam attack; and access user names and log-in information. 6. Superzapping: ~Unauthorized use of special system programs to bypass regular system controls and perform illegal acts, all without leaving an audit trail.

CAN-SPAM's Guidelines

1. The sender's identity must be clearly displayed in the header of the message. 2. The subject field in the header must clearly identify the message as an advertisement or solicitation. 3. The body of the message must provide recipients with a working link that can be used to opt out; after receiving an opt-out request, organizations have 10 days to implement steps to ensure they do not send any additional unsolicited e-mail to that address. Organizations need to assign someone the responsibility for processing opt-out requests. 4. The body of the message must include the sender's valid postal address. 5. Organizations should not send commercial e-mail to randomly generated addresses, nor should they set up websites designed to "harvest" e-mail addresses of potential customers.

Data Validation Techniques

1. User review of output: ~Examine system output to verify that it is reasonable and complete, and that they are the intended recipients. 2. Reconciliation procedures: ~Periodically, all transactions and other system updates should be reconciled to control mechanisms. In addition, general ledger accounts should be reconciled to subsidiary account totals on a regular basis. 3. External data reconciliation: ~Database totals should periodically be reconciled with data maintained outside the system. 4. Data transmission controls: ~Organizations also need to implement controls designed to minimize the risk of data transmission errors. ~Common types of data transmission controls are TCP, checksums, and parity bits.

Hacking attacks

1. Zero Day Attack: ~Attacks on vulnerabilities that have not been patched or made public or attacks that take advantage of a security vulnerability on the same day that the vulnerability becomes publicly known. 2. Cross-Site Scripting (XSS): ~Unwanted code is sent via dynamic Web pages disguised as user input. 3. Buffer Overflow: ~Data is sent that exceeds computer capacity causing program instructions to be lost and replaced with attacker instructions. 4. SQL Injection (Insertion): ~Malicious code is inserted in the place of query to a database system. 5. Man-in-the-Middle: ~Hacker places themselves between client and host. 6. Password Cracking: ~Penetrating system security to steal passwords. 7. War Dialing: ~Computer automatically dials phone numbers looking for modems. 8. Phreaking: ~Attacks on phone systems to obtain free phone service. 9. Data Diddling: ~Making changes to data before, during, or after it is entered into a system. 10. Data Leakage: ~Unauthorized copying of company data.

Sales Invoice

A document notifying customers of the amount of a sale and where to send payment.

Picking Ticket

A document that lists the items and quantities ordered and authorizes the inventory control function to release that merchandise to the shipping department.

Credit Memo

A document, approved by the credit manager, authorizing the billing department to credit a customer's account.

Hot Site

A facility that is not only prewired for telephone and Internet access but also contains all the computing and office equipment the organization needs to perform its essential business activities.

Which method is most likely used when a company offers customers discounts for prompt payment? a. open-invoice method b. balance-forward method c. accounts receivable aging method d. cycle billing method

A

Which document is used to authorize the release of merchandise from inventory control (warehouse) to shipping? a. picking ticket b. packing slip c. shipping order d. sales invoice

A

For good internal control, who should approve credit memos? a. credit manager b. sales manager c. billing manager d. controller

A

Stateful Packet Filtering

A firewall technology that monitors the state of active connections and uses this information to determine which network packets to allow through the firewall. Analyzes packets down to the application layer.

Which of the following combinations of credentials is an example of multifactor authentication? a. voice recognition and a fingerprint reader b. a PIN and an ATM card c. a password and a user ID d. all the above

A PIN and an ATM card

Remittance Advice

A copy of the sales invoice returned with a customer's payment that indicates the invoices, statements, or other items being paid.

Checksums

A data transmission control that uses a hash of a file to verify accuracy.

Back Order

A document authorizing the purchase or production of items that is created when there is insufficient inventory to meet customer orders.

Electronic lockbox

A lockbox arrangement in which the bank electronically sends the company information about the customer account number and the amount remitted as soon as it receives payment.

COSO (Committee of Sponsoring Organizations)

A private-sector group consisting of the American Accounting Association, the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives Institute.

Deep packet inspection

A process that examines the data in the body of a TCP packet to control traffic, rather than looking only at the information in the IP and TCP headers.

Access Control List (ACL)

A set of IF-THEN rules used to determine what to do with arriving packets. Will normally deny entry to packets with: ~Illegal source addresses. ~The organization's own IP address as the source address.
Any packet not dropped is forwarded on to the firewall.

Which disaster recovery strategy involves contracting for use of a physical site to which all necessary computing equipment will be delivered within 24 to 36 hours? a. virtualization b. cold site c. hot site d. data mirroring

Cold site

Sensitive and Confidential Information

COBIT 5 management practice stresses the importance of proper disposal of sensitive information. ~Printed reports and microfilm containing confidential info should be shredded before being thrown out. ~The safest alternative is to physically destroy magnetic and optical media that have been used to store extremely sensitive data. ~Access controls designed to protect confidentiality must be continuously reviewed and modified to respond to new threats created by technological advances.

Which of the following statements is true? a. COSO's enterprise risk management framework is narrow in scope and is limited to financial controls b. COSO's internal control integrated framework has been widely accepted as the authority on internal controls c. The Foreign Corrupt Practices Act had no impact on internal accounting control systems d. It is easier to add controls to an already designed system than to include them during the initial design stage

COSO's internal control integrated framework has been widely accepted as the authority on internal controls.

Static Packet Filtering

Screens individual packets based on the contents of the source and/or destination fields in the packet header. ~Examines each IP packet in isolation. Only packet headers are checked, so it is easier for an attacker to get information through the firewall.

Chapter 6:

Computer Fraud and Abuse Techniques

The control that protects records from errors that occur when two or more users attempt to update the same record simultaneously is called _______. A. concurrent update controls. B. cross-footing balance test. C. data conversion controls. D. recalculation of batch totals.

Concurrent update controls

Chapter 9

Confidentiality and Privacy Controls

COBIT Framework

Control Objectives for Information and Related Technology ~Developed by the Information Systems Audit and Control Foundation (ISACF). Allows: ~Management to benchmark security and control practices. ~Users of IT services to be assured that adequate security and control exist. ~Auditors to substantiate their opinions on internal control. The framework addresses the issue of control from three vantage points, or dimensions: ~Business objectives ~IT resources ~IT processes 5 Key Principles: ~Meeting stakeholders' needs. ~Covering the enterprise end-to-end. ~Applying a single, integrated framework. ~Enabling a holistic approach. ~Separating governance from management. These principles help organizations build an effective governance and management framework that protects stakeholders' investments and produces the best possible information system.

Chapter 7

Control and Accounting Information Systems

Chapter 8

Controls for Information Security

Which of the following statements is true? a. encryption is sufficient to protect confidentiality and privacy. b. cookies are text files that only store information. They cannot perform any actions. c. the controls for protecting confidentiality are not effective for protecting privacy. d. all of the above are true.

Cookies are text files that only store information. They cannot perform any actions.

Differential Backup

Copy of only data that changed from last full backup.

Incremental Backup

Copy of only data that changed from the last partial backup.

A digital signature is _______________. a. created by hashing a document and then encrypting the hash with the signer's private key. b. created by hashing a document and then encrypting the hash with the signer's public key. c. created by hashing a document and then encrypting the hash with the signer's symmetric key. d. none of the above.

Created by hashing a document and then encrypting the hash with the signer's private key.

Which of the following can organizations use to protect the privacy of a customer's personal information when giving programmers a realistic data set with which to test a new application? a. digital signature b. digital watermark c. data loss prevention d. data masking

Data masking

Which of the following techniques is the most effective way for a firewall to use to protect the perimeter? a. deep packet inspection b. packet filtering c. access control list d. All of the above are equally effective

Deep packet inspection

Type 2 SOC (Service Organization Control) Report

Describes the controls used by a service organization (e.g., a cloud provider) and a CPA's opinion about the operating effectiveness of those controls.

Which of the following is not a component of the COSO Enterprise Risk Management Integrated Framework (ERM)? A. Monitoring. B. Ethical culture. C. Risk assessment. D. Control environment.

Ethical culture

Event Identification

Events are: ~Incidents or occurrences that emanate from internal or external sources. ~They affect implementation of strategy or achievement of objectives. ~Impact can be positive, negative, or both. ~Can range from obvious to obscure. ~Effects can range from inconsequential to highly significant.

Event Identification: Factors

External Factors: ~Economic ~Natural ~Political ~Social ~Technological
Internal Factors: ~Infrastructure ~Personnel ~Process ~Technology

Which of the following is the correct order of the risk assessment steps discussed in the chapter? a. identify threats, estimate risk and exposure, identify controls, and estimate costs and benefits b. identify controls, estimate risk and exposure, identify threats, and estimate costs and benefits c. estimate risk and exposure, identify controls, identify threats, and estimate costs and benefits d. Estimate costs and benefits, identify threats, identify controls, and estimate risk and exposure

Identify threats, estimate risk and exposure, identify controls, and estimate costs and benefits

Identify the first step in protecting the confidentiality of intellectual property below. A) Identifying what controls should be placed around the intellectual property. B) Identifying who has access to the intellectual property. C) Identifying the means necessary to protect the intellectual property. D) Identifying the weaknesses surrounding the creation of the intellectual property.

Identifying who has access to the intellectual property.

Time-based model of information security

Implementing a combination of preventive, detective, and corrective controls that protect information assets long enough to enable an organization to recognize that an attack is occurring and take steps to thwart it before any information is lost or compromised.

Control Activities: Segregation of Systems Duties

Implementing control procedures to clearly divide authority and responsibility within the information system function. 1. Systems Administration: ~Person makes sure all information system components operate smoothly and efficiently. 2. Network Management: ~People that ensure that devices are linked to the organization's internal and external networks and that those networks operate properly. 3. Security Management: ~Person makes sure that systems are secure and protected from internal and external threats. 4. Change Management: ~The process of making sure changes are made smoothly and efficiently and do not negatively affect systems reliability, security, confidentiality, integrity, and availability. 5. Users: ~People who record transactions, authorize data to be processed, and use system output. 6. Systems Analysis: ~People who help users determine their information needs and design systems to meet those needs. 7. Programming: ~People who use the analysts' design and develop, code, and test computer programs. 8. Computer Operations: ~People who run software on the company's computers to ensure that data are input properly, processed correctly, and that needed output is produced. 9. Information System Library: ~Corporate databases, files, and programs stored and managed by the system librarian. 10. Data Control: ~The data control group ensures that source data have been properly approved, monitors the flow of work through the computer, reconciles input and output, maintains a record of input errors to ensure their correction and resubmission, and distributes systems output.

Internal Environment: Organizational Structure

Important Aspects: ~Degree of centralization or decentralization. ~Assignment of responsibility for specific tasks. ~Direct-reporting relationships or matrix structure. ~Organization by industry, product, geographic location, marketing network. ~How the responsibility allocation affects management's information needs. ~Organization of accounting and IS functions. ~Size and nature of company activities.

Which of the following is not one of the five principles of COBIT 5? A. meeting stakeholder needs B. covering the enterprise end-to-end C. enabling a holistic approach D. improving organization efficiency

Improving organization efficiency.

Which of the following statements is true? a. Incremental daily backups are faster to perform than differential daily backups, but restoration is slower and more complex. b. Incremental daily backups are faster to perform than differential daily backups, and restoration is faster and simpler. c. Differential daily backups are faster to perform than incremental daily backups, but restoration is slower and more complex. d. Differential daily backups are faster to perform than incremental daily backups, and restoration is faster and simpler.

Incremental daily backups are faster to perform than differential daily backups, but restoration is slower and more complex.

Which of the following statements is true? a. The concept of defense-in-depth reflects the fact that security involves the use of a few sophisticated technical controls. b. Information security is necessary for protecting confidentiality, privacy, integrity of processing, and availability of information resources. c. The time-based model of security can be expressed in the following formula: P < D+R. d. Information security is primarily an IT issue, not a managerial concern

Information security is necessary for protecting confidentiality, privacy, integrity of processing, and availability of information resources.

Risk Assessment and Risk Response: Types of Risk

Inherent Risk: ~The susceptibility of a set of accounts or transactions to significant control problems in the absence of internal control. Residual Risk: ~The risk that remains after management implements internal controls or some other response to risk.

Sequentially prenumbered forms are an example of a(n) _______. A. data entry control. B. data transmission control. C. processing control. D. input control.

Input Control

Batch Processing Data Entry Controls

Input multiple source documents at once in a group. ~Works more efficiently if the transactions are sorted so that the accounts affected are in the same sequence as records are stored in the master file. 1. Sequence check: ~An edit check that determines if a transaction file is in the proper numerical or alphabetical sequence. 2. An error log that identifies data input errors (date, cause, problem) facilitates timely review and resubmission of transactions that cannot be processed. 3. Batch totals: ~The sum of a numerical item for a batch of documents, calculated prior to processing the batch, when the data are entered, and subsequently compared with computer-generated totals after each processing step to verify that the data was processed correctly.

COSO identified five interrelated components of internal control. Which of the following is NOT one of those five? a. risk assessment b. internal control policies c. monitoring d. information and communication

Internal control policies

Revenue Cycle Business Activities: Billing

Invoicing: 1. Repackages and summarizes information from the sales order entry and shipping activities: ~Shipping: items and quantities. ~Sales: prices and sales terms. Maintaining Accounts Receivable: 1. Open Invoice Method 2. Balance Forward Method 3. Cycle Billing 4. Exceptions

Internal Control

Is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved: ~Assets (including data) are safeguarded. ~Records are maintained in sufficient detail to accurately and fairly reflect company assets. ~Accurate and reliable information is provided. ~There is reasonable assurance that financial reports are prepared in accordance with GAAP. ~Operational efficiency is promoted and improved. ~Adherence to prescribed managerial policies is encouraged. ~The organization complies with applicable laws and regulations.

Factors that influence encryption strength

Key Length: ~Number of bits (characters) used to convert text into blocks. ~256 is common. Algorithm: ~Manner in which key and text are combined to create scrambled text. Policies concerning encryption keys: ~Stored securely with strong access codes. ~Passwords on the files that contain the keys are good practice. ~Key issuing and revoking policies must be followed. ~Notify all who rely on a key when it has been compromised.

Compatibility Test

Matching the user's authentication credentials against the access control matrix to determine whether that employee should be allowed to access that resource and perform the requested action.

Virtualization

Multiple systems on one physical computer. ~Cuts hardware costs. ~Cuts maintenance costs. ~Cuts data center costs/utility costs.

Availability

Objective: 1. To minimize risk of system downtime. ~Key Controls: Preventive maintenance, fault tolerance, data center location and design, training, patch management and antivirus software. 2. Quick and complete recovery and resumption of normal operations. ~Key Controls: Backup procedures, disaster recovery plan (DRP), business continuity plan (BCP).

COSO ERM Objectives

Objectives company must meet to achieve company goals. ~Strategic ~Operations ~Reporting ~Compliance

________ is not a basic activity of the revenue cycle. A. Sales order entry B. Shipping C. Receiving D. Billing

Receiving

Identify the detective control below:

Reconciling the bank statement to the cash control account.

Which of the following measures the amount of data that might be potentially lost as a result of a system failure? a. recovery time objective (RTO) b. recovery point objective (RPO) c. disaster recovery plan (DRP) d. business continuity plan (BCP)

Recovery point objective (RPO)

Intrusion Detection Systems

Represents an attempt to automate part of the monitoring and creates a log of network traffic that was permitted to pass the firewall. ~Analyzes the logs for signs of attempted or successful intrusions. ~E.g., compares logs to a database containing patterns of traffic associated with known attacks.

In the ERM model, COSO specified four types of objectives that management must meet to achieve company goals. Which of the following is not one of these types? a. responsibility objectives b. strategic objectives c. compliance objectives d. reporting objectives e. operations objectives

Responsibility objectives

What type of software conceals processes, files, network connections, memory addresses, systems utility programs, and system data from the operating system and other programs?

Rootkit

Interest calculations are truncated at two decimal places, and the excess decimals are put into an account the perpetrator controls. What is this fraud called?

Round-down fraud

Threats of the revenue cycle

Sales Order Entry Threats: 1. Incomplete or Inaccurate customer orders. 2. Credit sales to customers with poor credit. 3. Legitimacy of orders. 4. Stockouts, carrying costs, and markdowns. Shipping Threats: 5. Shipping errors. 6. Theft of inventory. Billing and Accounts Receivable threats: 7. Failure to bill customers. 8. Billing errors. 9. Errors in maintaining customer accounts. Cash Collections Threat: 10. Theft of cash: ~Segregation of duties: ->Handling cash or checks and posting remittances to customer accounts. ->Handling cash or checks and authorizing credit memos. ->Issuing credit memos and maintaining customer accounts.

Forms Design

Source documents and other forms should be designed to minimize the chances of errors and omissions. Important forms design controls: 1. All source documents should be sequentially prenumbered. Prenumbering improves control by making it possible to verify that no documents are missing. When sequentially prenumbered source data documents are used, the system should be programmed to identify and report missing or duplicate source documents. 2. A turnaround document is a record of company data sent to an external party and then returned by the external party for subsequent input to the system. Turnaround documents are prepared in machine-readable form to facilitate their subsequent processing as input records. Turnaround documents improve accuracy by eliminating the potential for input errors when entering data manually.

Data Entry Controls

Source documents should be scanned for reasonableness and propriety before being entered into the system. This manual control must be supplemented with automated data entry controls such as: 1. Field Check: ~An edit check that tests whether the characters in a field are of the correct field type (e.g., numeric data in numeric fields). 2. Sign Check: ~An edit check that verifies that the data in a field have the appropriate arithmetic sign. 3. Limit Check: ~An edit check that tests a numerical amount against a fixed value. 4. Range Check: ~An edit check that tests whether a data item falls within predetermined upper and lower limits. 5. Size Check: ~An edit check that ensures that input data will fit into the assigned field. 6. Completeness Check: ~An edit check that verifies that all required data have been entered. 7. Validity Check: ~An edit test that compares the ID code or account number in transaction data with similar data in the master file to verify that the account exists. 8. Reasonableness Test: ~An edit check of the logical correctness of relationships among data items. 9. Check Digit Verification: ~Recalculating the check digit [ID numbers (such as inventory item numbers) can contain a check digit computed from the other digits] to identify data entry errors.

What type of software secretly collects personal information about users and sends it to someone else without the user's permission?

Spyware

Internal Environment: Human Resources

Standards: ~Employees are both the company's greatest control strength and its greatest control weakness. ~Organizations can implement human resource policies and practices with respect to hiring, training, compensating, evaluating, counseling, promoting, and discharging employees that send messages about the level of competence and ethical behavior required. ~Policies on working conditions, incentives, and career advancement can powerfully encourage efficiency and loyalty and reduce the organization's vulnerability. Policies and Procedures are Important for: ~Hiring ~Compensating ~Training ~Evaluating and promoting ~Discharging ~Managing disgruntled employees ~Vacations and rotation of duties ~Confidentiality insurance and fidelity bonds

COSO ERM Objectives

Strategic Objectives: ~High-level goals that are aligned with and support the company's mission and create shareholder value. Operations Objectives: ~Objectives that deal with the effectiveness and efficiency of company operations and determine how to allocate resources. Reporting Objectives: ~Objectives to help ensure the accuracy, completeness, and reliability of company reports; improve decision making; and monitor company activities and performance. Compliance Objectives: ~Objectives to help the company comply with all applicable laws and regulations.

Types of Encryption

Symmetric: ~One key. The same key is used both to encrypt and decrypt. ~PRO: fast. ~CON: vulnerable; requires a separate key for everyone who wishes to communicate, and the secret key must be protected from loss or theft. ~PRIMARY USE: encryption of large amounts of information. Asymmetric: ~Two keys. One key is made public, the other kept private. Either key can encrypt, but only the other matching key can decrypt. ~PRO: very secure; everyone can look up your public key to communicate with you; no need to store keys for each party with whom you communicate; can be used for legally binding signatures. ~CON: very slow (1000s of times slower); requires PKI to validate ownership of keys. ~PRIMARY USE: creation of digital signatures, and secure exchange of symmetric keys via e-mail.

Revenue Cycle Business Activities: Sales Order Entry

Take the customer's order: 1. Orders are received in a number of ways: ~Phone, in person, website, mail. 2. Orders must include: ~Items, quantity, price, salesperson. 3. IT can help by: ~Enabling customers to enter data themselves. ~EDI. ~VMI. ~Choiceboards. Check the customer's credit: 1. Credit limit. 2. Good customers: ~Amount of order and current balance. ~Age of outstanding unpaid invoices. 3. Other customers: ~New customers. ~Good customers in excess of credit limit. ~Customers with outstanding past due balances. Check inventory availability: 1. Information available: ~Quantity on hand, quantity already committed, quantity available. 2. Back order. 3. Picking ticket. Respond to customer inquiries: 1. CRM: tool to improve level of customer service. ~Efficient and personalized service. ~Retain customers. ~Print targeted coupons.

Recovery Point Objective (RPO)

The amount of data the organization is willing to reenter or potentially lose.

Fault Tolerance

The capability of a system to keep performing when there is a hardware failure. ~Redundant arrays of independent drives (RAID): A fault tolerance technique that records data on multiple disk drives instead of just one to reduce the risk of data loss.

Financial electronic data interchange (FEDI)

The combination of EFT and EDI that enables both remittance data and funds transfer instructions to be included in one electronic package.

Internal Environment

The company culture that is the foundation for all other ERM components, as it influences how organizations establish strategies and objectives; structure business activities; and identify, assess, and respond to risk. ~A weak or deficient internal environment often results in breakdowns in risk management and control.

Primary objective of the revenue cycle

To provide the right product in the right place at the right time for the right price.

Which of the following is a preventive control? a. training b. log analysis c. CIRT d. virtualization

Training

A set of instructions to increase a programmer's pay rate by 10% is hidden inside an authorized program. It changes the payroll file. What is this computer fraud technique called?

Trojan Horse

Risk Assessment and Risk Response

Two types of risk: ~Inherent ~Residual Companies should: ~Assess inherent risk ~Develop a response ~Then assess residual risk Ways to respond to risk: ~REDUCE the likelihood and impact of risk by implementing an effective system of internal controls. ~ACCEPT the likelihood and impact of the risk. ~SHARE risk or transfer it to someone else by buying insurance, outsourcing an activity, or entering into hedging transactions. ~AVOID risk by not engaging in the activity that produces it: sell a division, exit a product line, or do not expand as anticipated.

Second Data-Center

Used for back-up and site mirroring.

A ______ is similar to a ______, except that it is a program rather than a code segment in a host program.

Worm; virus

