AIS Exam #3 (CH. 11/12)
definitions of examples of security risks and attacks
spyware, spoofing, etc.
COSO stands for Committee of Sponsoring Organizations. It is composed of 5 organizations: ________, ________, _______, IMA and AICPA
IIA, AAA, FEI
what is an example of IT general controls? (ITGC)
IT control environment
COBIT defines the overall IT control framework, and _________ provides the details for IT service management; it is released by the UK Office of Government Commerce (OGC) and is the most widely accepted model for IT service management
ITIL
relevant technologies in performing continuous auditing
XML and XBRL, data analytics/data mining, CAATs
given your understanding of COSO ERM, what are factors regarding internal environment
a firm's organizational structure, board of directors, and audit committee; a firm's risk management philosophy and risk appetite; a firm's human resource policies/practices and development of personnel; a firm's integrity and ethical values
what is a message digest?
a result of a hashing process such as using the SHA-256 algorithm
virtualization and cloud computing
a virtual machine containing system applications and data backups often resides in the cloud off-site or at various locations
VPN
access points, stations
ISO 27000 series
address information security issues
asymmetric-key encryption methods
also called two-key encryption; also called public-key encryption; slow and not appropriate for encrypting large data sets
common computer frauds include:
altering computer-readable records and files; misuse of computer hardware; altering the logic of computer software
management selects risk responses according to the entity's risk tolerances and risk ________
appetite
parallel simulation
attempts to simulate the firm's key features or processes
management is responsible for fraud risk assessments, while the ________ ____________ typically has an oversight role in the process
audit committee
authentication process
authentication can prevent repudiation while conducting transactions online
what is the common practice in using symmetric key encryption and asymmetric key encryption methods in conducting e-business?
both parties use the asymmetric key encryption method to distribute the symmetric key securely; both parties use the asymmetric key encryption method to authenticate each other
when using the asymmetric key encryption method in e-business, a _______ authority (CA) is a trusted entity that issues and revokes digital certificates. a digital certificate indicates that the subscriber identified in the certificate has sole control of and access to the private key, and binds the name of a subscriber to a public key
certificate
control environment
management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives
to create a digital signature, the document creator must use his or her own private key to encrypt the ___________ ________ (MD), so the digital signature also authenticates the document creator
message digest
data ________ is the process of searching for patterns in the data and analyzing these patterns for decision making
mining
Per COBIT 5, IT management includes planning, building, running and __________ activities in alignment with the direction necessary to achieve the firm's objectives
monitoring
to support a firm in its efforts to achieve internal control objectives, COSO 2013 suggests 5 components of internal control including
monitoring; information & communication; control activities; control environment; risk assessment
examples of detective controls
monthly bank reconciliations, monthly trial balances
why do we need to use digital signature in conducting e-business?
obtain data integrity
continual service improvement
ongoing improvement of the service and the measurement of process performance required for the service
using the two key encryption method for authentication, we need to be careful about how the keys are used.
only the pair of one user's two keys is used for encryption and decryption; public key management is very important because we use public keys to authenticate others in conducting business
the ___________ system is the most important system software because it performs the tasks that enable a computer to operate
operating
the COSO ERM framework indicates that an effective internal control system should consist of four categories of objectives:
operations objectives; strategic objectives; reporting objectives; compliance objectives
requiring a signed source document before recording a transaction is a _________ control
preventive
to authenticate the receiver(B), the sender(A) emails a challenge message to B. B will use her ________ key to encrypt the challenge message and send it to A. if A is able to use B's ________ key to decrypt and get the plaintext of the challenge message, A has authenticated B successfully
private, public
during the objective setting stage, management should have a _________ in place to set strategic, operations, reporting, and compliance objectives.
process
since 2003, information security management has been ranked as the top technology issue for CPAs. according to the AICPA, information security management is "an integrated, systematic approach that coordinates people, policies, standards, __________, and ___________ used to safeguard critical systems and information from internal and external security threats"
processes, controls
COBIT
provides the best IT security and control practices for IT management
ITIL
provides the concepts and practice for IT service management
disaster _________ planning (DRP) is a process that identifies significant events that may threaten a firm's operations and outlines the procedures to ensure that the firm will resume operations when the events occur
recovery
according to the COSO 2.0 framework, reporting objectives are about the ________ of a firm's internal and external financial reporting
reliability
cloud computing refers to a service model where a third-party service provider offers computing _____________ including hardware and software applications to cloud users over the internet, and the service provider charges on a per-user basis
resources
vulnerability management and risk management have the same objective: to reduce the probability of the occurrence of detrimental events. what are the differences between them?
risk management is often a more complex and strategic process that should be a long-term process
internal and external events affecting achievement of a firm's objectives must be identified. when using COSO ERM framework, management must distinguish between ________ and ________ after identifying all possible events
risks, opportunities
information technology controls involve processes that provide assurance for information and help to mitigate _____ associated with the use of ______. firms need such controls to protect information assets, remain competitive, and control costs in implementing IT projects
risks, technology
monitoring component of the COSO ERM framework
the ERM components and internal control process should be monitored continuously and modified as necessary; it is the process of evaluating the quality of internal control design and operation and their effectiveness
what are the main purposes of corporate governance?
to protect the interests of a firm's stakeholders; to promote accountability and transparency in a firm's operations; to encourage the efficient use of the resources a firm has
firms continue to monitor system availability. fault _________ uses redundant units to provide a system with the ability to continue to function when part of the system fails. many firms implement a redundant array of independent drives (RAID) so that if one disk drive fails, important data can still be accessed from another disk
tolerance
true or false: the internal environment of the COSO ERM framework provides the discipline and structure for all other components of enterprise risk management. it is the most critical component in the framework
true
test data technique
uses a set of input data to validate system integrity
we often define ______ as weaknesses or exposures in IT assets or processes that may lead to a business risk, compliance risk, or security risk
vulnerability
digital signature
we use it to ensure data integrity; we need to use a hashing process and encryption technology to get a digital signature; we use it to authenticate the data/document sender
define vulnerability
weaknesses or exposures in IT processes that may lead to a business risk, compliance risk, or security risk; characteristics of IT resources that can be exploited by a threat to cause harm to a firm
what are the main concerns of cloud user companies on the cloud service providers?
whether the cloud service provider's internal controls are properly designed and effective; the security of the cloud computing systems and networks; the cloud service provider's financial viability
What is the impact of Sarbanes-Oxley Act 2002 (SOX) on the accounting profession?
SOX established the PCAOB to regulate and audit public accounting firms. Under SOX, the PCAOB replaces AICPA to issue audit standards.
integrated test facility
enables test data to be continually evaluated during the normal operation of a system
the main factors in encryption are key length, encryption algorithm, and key management. what is the correct statement regarding encryption?
establishing a policy on key management is essential for information security
organizations derive their code of __________ from cultural values, societal traditions, and personal attitudes on issues of right and wrong
ethics
given the popularity of the internet, mobile devices, and the complexity of computer technologies, business information and IT assets are exposed to risks and attacks from ___________ parties such as hackers and _________ parties such as disgruntled employees
external, internal
true or false: COBIT is one of the generally accepted internal control frameworks for enterprises. COSO is a generally accepted framework for IT governance and management.
false
true or false: each company should use only one of the control/governance frameworks in corporate and IT governance
false
true or false: given the popularity of the internet, mobile devices, and the complexity of computer technologies, important business information and IT assets are exposed to risks and attacks from external parties such as hackers, foreigners, competitors, etc. today's employees are well trained and always support the firm to prevent the attacks
false
true or false: the control objectives for information and related technology (COBIT) framework is an internationally accepted set of best IT security and control practices and is required by PCAOB to be used for SOX section 404 audit
false
true or false: vulnerability assessment and management are often required by laws. hence, management's commitment and support are not as critical as in enterprise risk assessment and management
false
WAN
firewalls, routers
what is fraud?
frauds are perpetrated by organizations to avoid payment or loss of services; frauds are perpetrated by parties to obtain money, property, or services; frauds are perpetrated by parties to secure personal or business advantage
LAN
hubs, switches
accounting documents and records
to maintain audit trails and accuracy of the financial data
segregation of duties
to prevent fraud and mistakes
the IT infrastructure library is a de facto standard in europe for the best practices in IT infrastructure management and service delivery. ITIL adopts a ________ ______ approach to IT services
life cycle
to authenticate the receiver (B), the sender (A) emails a challenge message to B. B will use ___________ private key to encrypt the challenge message and send it to A. if A is able to use ________ public key to decrypt and get the plaintext of the challenge message, A has authenticated B successfully
B's, B's
correct statements about COBIT
COBIT is a generally accepted framework for IT governance and management; COBIT 5 integrates other frameworks and standards such as ITIL and the ISO 27000 series; COBIT 5 enables IT to be governed in a holistic manner by taking in IT responsibility and considering the IT-related interests of stakeholders
CIA
Confidentiality, Integrity, Availability
COSO ERM framework indicates that:
ERM provides reasonable assurance regarding the achievement of the firm's objectives; ERM manages risk to be within the firm's risk appetite
PCAOB
Public Company Accounting Oversight Board
information and communication
The organization obtains or generates and uses relevant, quality information to support the functioning of internal control
control activities
The organization selects and develops general control activities over technology to support the achievement of objectives
both disaster recovery planning (DRP) and business continuity management (BCM) are the most critical _________ controls, and DRP is a key component of BCM
corrective
____________ controls find problems when they arise
detective
a computer fraud risk assessment focuses on fraud schemes and scenarios to determine whether the controls exist and how the controls can be circumvented. list computer fraud risk assessments in sequence
1. identifying relevant IT fraud risk factors; 2. identifying and prioritizing potential IT fraud schemes; 3. mapping existing controls to potential fraud schemes and identifying gaps; 4. testing operating effectiveness of fraud prevention and detection controls; 5. assessing the likelihood and impact of a control failure and/or fraud incident
authentication is a process that establishes the origin of information or determines the ________ of a user, process, or device. it is critical in e-business because it can prevent _________ while conducting transactions online
identity, repudiation
according to the fraud triangle, 3 conditions exist for a fraud to be perpetrated:
incentive or pressure, opportunity, rationalization
the AICPA has indicated that issues on information security are critical to certified public accountants as one of the top 10 technologies that accounting professionals must learn. international organization for standardization 27000 series is designed to address ____________ __________ issues
information security
IT vulnerabilities can be categorized depending on whether they exist in the physical IT environment, within an __________ _______, or within the processes of IT operations
information system
IT application controls are activities specific to a subsystem's or an application's ________, processing, and output
input
Concepts on internal control defined under COSO 2.0
internal control is a process consisting of ongoing tasks and activities; internal control is affected by people. it is not merely about policy manuals, systems, and forms; internal control can provide reasonable assurance, not absolute assurance, to an entity's management and board; internal control is geared toward the achievement of objectives in one or more separate but overlapping categories; internal control is adaptable to the entity structure
black box approach in auditing systems
it is also called auditing around the computer
what are the purposes of the standards of ISO 27000 series?
it is designed to address information security issues
what is a digital signature?
it is encrypted using the private key of the creator of the document or data file; it is a message digest (MD) of a document or data file; the process of getting a message digest (MD) is called hashing
computer frauds also happen during the systems development _______ cycle (SDLC)
life
A fraud prevention and detection program starts with a fraud risk assessment across the entire firm. What are the correct statements on the roles of the audit committee on fraud risk assessment?
the audit committee works with the internal audit group to ensure that the fraud prevention/detection program remains an ongoing effort; the audit committee interacts with the external auditor to ensure that fraud assessment results are properly communicated; the audit committee has an oversight role in the fraud risk assessment process
service design
the design and development of IT services and service management processes
service operation
the effective and efficient delivery and support of services, with a benchmarked approach for event, problem, and access management
monitoring
the organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors as appropriate
risk assessment
the organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives
residual risk
the product of inherent risk and control risk
inherent risk
the risk related to the nature of the business activity itself
service strategy
the strategic planning of IT service management capabilities and the alignment of IT service and business strategies
control risk
the threat that errors or irregularities in the underlying transactions will not be prevented, detected, and corrected by the internal control system
service transition
the transition from strategy to design, and maintaining capabilities for the ongoing delivery of a service
supervision
to compensate for imperfect segregation of duties
independent verification
to double check for errors and misrepresentations
access control
to ensure only authorized personnel have access to physical assets and information
authorization
to ensure transactions are valid